Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #3517 from beefproject/red/fix_xss

Browse Source 
Patch XSS vulnerability
This commit is contained in:
zinduolis
2026-03-02 14:26:20 +10:00
committed by GitHub
parent 56b32f5da6 b98eff13e2
commit b36c502ec5
4 changed files with 51 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
core/filters/base.rb
View File

@@ -187,7 +187,7 @@ module BeEF
def self.has_valid_browser_details_chars?(str) def self.has_valid_browser_details_chars?(str)
return false unless is_non_empty_string?(str) return false unless is_non_empty_string?(str)
!(str =~ %r{[^\w\d\s()-.,;:_/!\302\256]}).nil? (str =~ %r{[^\w\d\s()-.,;:_/!\302\256]}).nil?
end end
# Check for valid base details characters # Check for valid base details characters

10
core/filters/browser.rb
View File

@@ -11,7 +11,7 @@ module BeEF
def self.is_valid_browsername?(str) # rubocop:disable Naming/PredicatePrefix def self.is_valid_browsername?(str) # rubocop:disable Naming/PredicatePrefix
return false unless is_non_empty_string?(str) return false unless is_non_empty_string?(str)
return false if str.length > 2 return false if str.length > 2
return false if has_non_printable_char?(str) return false unless has_valid_browser_details_chars?(str)
true true
end end
@@ -21,7 +21,7 @@ module BeEF
# @return [Boolean] If the string has valid Operating System name characters # @return [Boolean] If the string has valid Operating System name characters
def self.is_valid_osname?(str) # rubocop:disable Naming/PredicatePrefix def self.is_valid_osname?(str) # rubocop:disable Naming/PredicatePrefix
return false unless is_non_empty_string?(str) return false unless is_non_empty_string?(str)
return false if has_non_printable_char?(str) return false unless has_valid_browser_details_chars?(str)
return false if str.length < 2 return false if str.length < 2
true true
@@ -32,7 +32,7 @@ module BeEF
# @return [Boolean] If the string has valid Hardware name characters # @return [Boolean] If the string has valid Hardware name characters
def self.is_valid_hwname?(str) # rubocop:disable Naming/PredicatePrefix def self.is_valid_hwname?(str) # rubocop:disable Naming/PredicatePrefix
return false unless is_non_empty_string?(str) return false unless is_non_empty_string?(str)
return false if has_non_printable_char?(str) return false unless has_valid_browser_details_chars?(str)
return false if str.length < 2 return false if str.length < 2
true true
@@ -71,7 +71,7 @@ module BeEF
# @return [Boolean] If the string has valid browser / ua string characters # @return [Boolean] If the string has valid browser / ua string characters
def self.is_valid_browserstring?(str) # rubocop:disable Naming/PredicatePrefix def self.is_valid_browserstring?(str) # rubocop:disable Naming/PredicatePrefix
return false unless is_non_empty_string?(str) return false unless is_non_empty_string?(str)
return false if has_non_printable_char?(str) return false unless has_valid_browser_details_chars?(str)
return false if str.length > 300 return false if str.length > 300
true true
@@ -93,7 +93,7 @@ module BeEF
# @return [Boolean] If the string has valid system platform characters # @return [Boolean] If the string has valid system platform characters
def self.is_valid_system_platform?(str) # rubocop:disable Naming/PredicatePrefix def self.is_valid_system_platform?(str) # rubocop:disable Naming/PredicatePrefix
return false unless is_non_empty_string?(str) return false unless is_non_empty_string?(str)
return false if has_non_printable_char?(str) return false unless has_valid_browser_details_chars?(str)
return false if str.length > 200 return false if str.length > 200
true true

34
core/main/handlers/browserdetails.rb
View File

@@ -44,7 +44,7 @@ module BeEF
# hooked window host name # hooked window host name
log_zombie_port = 0 log_zombie_port = 0
if !@data['results']['browser.window.hostname'].nil? if !@data['results']['browser.window.hostname'].nil? && BeEF::Filters.is_valid_hostname?(@data['results']['browser.window.hostname'])
log_zombie_domain = @data['results']['browser.window.hostname'] log_zombie_domain = @data['results']['browser.window.hostname']
elsif !@data['request'].referer.nil? and !@data['request'].referer.empty? elsif !@data['request'].referer.nil? and !@data['request'].referer.empty?
referer = @data['request'].referer referer = @data['request'].referer
@@ -59,7 +59,7 @@ module BeEF
end end
# hooked window host port # hooked window host port
if @data['results']['browser.window.hostport'].nil? if @data['results']['browser.window.hostport'].nil? || !BeEF::Filters.is_valid_port?(@data['results']['browser.window.hostport'].to_s)
log_zombie_domain_parts = log_zombie_domain.split(':') log_zombie_domain_parts = log_zombie_domain.split(':')
log_zombie_port = log_zombie_domain_parts[1].to_i if log_zombie_domain_parts.length > 1 log_zombie_port = log_zombie_domain_parts[1].to_i if log_zombie_domain_parts.length > 1
else else
@@ -92,6 +92,7 @@ module BeEF
BD.set(session_id, 'browser.name.friendly', browser_friendly_name) BD.set(session_id, 'browser.name.friendly', browser_friendly_name)
else else
err_msg "Invalid browser name returned from the hook browser's initial connection." err_msg "Invalid browser name returned from the hook browser's initial connection."
browser_name = 'Unknown'
end end
if BeEF::Filters.is_valid_ip?(zombie.ip) if BeEF::Filters.is_valid_ip?(zombie.ip)
@@ -242,11 +243,17 @@ module BeEF
X_FORWARDED X_FORWARDED
X_FORWARDED_FOR X_FORWARDED_FOR
].each do |header| ].each do |header|
proxy_clients << (JSON.parse(zombie.httpheaders)[header]).to_s unless JSON.parse(zombie.httpheaders)[header].nil? val = JSON.parse(zombie.httpheaders)[header]
unless val.nil?
val.to_s.split(',').each do |ip|
proxy_clients << ip.strip if BeEF::Filters.is_valid_ip?(ip.strip)
end
end
end end
# retrieve proxy server # retrieve proxy server
proxy_server = JSON.parse(zombie.httpheaders)['VIA'] unless JSON.parse(zombie.httpheaders)['VIA'].nil? proxy_server = JSON.parse(zombie.httpheaders)['VIA'] unless JSON.parse(zombie.httpheaders)['VIA'].nil?
proxy_server = nil unless proxy_server.nil? || BeEF::Filters.has_valid_browser_details_chars?(proxy_server)
# store and log proxy details # store and log proxy details
if using_proxy == true if using_proxy == true
@@ -273,6 +280,7 @@ module BeEF
BD.set(session_id, 'browser.version', browser_version) BD.set(session_id, 'browser.version', browser_version)
else else
err_msg "Invalid browser version returned from the hook browser's initial connection." err_msg "Invalid browser version returned from the hook browser's initial connection."
browser_version = 'Unknown'
end end
# get and store browser string # get and store browser string
@@ -293,7 +301,11 @@ module BeEF
# get and store browser language # get and store browser language
browser_lang = get_param(@data['results'], 'browser.language') browser_lang = get_param(@data['results'], 'browser.language')
if BeEF::Filters.has_valid_browser_details_chars?(browser_lang)
BD.set(session_id, 'browser.language', browser_lang) BD.set(session_id, 'browser.language', browser_lang)
else
err_msg "Invalid browser language returned from the hook browser's initial connection."
end
# get and store the cookies # get and store the cookies
cookies = get_param(@data['results'], 'browser.window.cookies') cookies = get_param(@data['results'], 'browser.window.cookies')
@@ -309,6 +321,7 @@ module BeEF
BD.set(session_id, 'host.os.name', os_name) BD.set(session_id, 'host.os.name', os_name)
else else
err_msg "Invalid operating system name returned from the hook browser's initial connection." err_msg "Invalid operating system name returned from the hook browser's initial connection."
os_name = 'Unknown'
end end
# get and store the OS family # get and store the OS family
@@ -322,15 +335,28 @@ module BeEF
# get and store the OS version # get and store the OS version
# - without checks as it can be very different, for instance on linux/bsd) # - without checks as it can be very different, for instance on linux/bsd)
os_version = get_param(@data['results'], 'host.os.version') os_version = get_param(@data['results'], 'host.os.version')
if BeEF::Filters.has_valid_browser_details_chars?(os_version)
BD.set(session_id, 'host.os.version', os_version) BD.set(session_id, 'host.os.version', os_version)
else
err_msg "Invalid operating system version returned from the hook browser's initial connection."
os_version = 'Unknown'
end
# get and store the OS arch - without checks # get and store the OS arch
os_arch = get_param(@data['results'], 'host.os.arch') os_arch = get_param(@data['results'], 'host.os.arch')
if BeEF::Filters.has_valid_browser_details_chars?(os_arch)
BD.set(session_id, 'host.os.arch', os_arch) BD.set(session_id, 'host.os.arch', os_arch)
else
err_msg "Invalid operating system architecture returned from the hook browser's initial connection."
end
# get and store default browser # get and store default browser
default_browser = get_param(@data['results'], 'host.software.defaultbrowser') default_browser = get_param(@data['results'], 'host.software.defaultbrowser')
if BeEF::Filters.has_valid_browser_details_chars?(default_browser)
BD.set(session_id, 'host.software.defaultbrowser', default_browser) BD.set(session_id, 'host.software.defaultbrowser', default_browser)
else
err_msg "Invalid default browser returned from the hook browser's initial connection."
end
# get and store the hardware type # get and store the hardware type
hw_type = get_param(@data['results'], 'hardware.type') hw_type = get_param(@data['results'], 'hardware.type')

20
extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
View File

@@ -467,24 +467,26 @@ try{
} }
// set zombie hover balloon text for tree node // set zombie hover balloon text for tree node
// Use Ext.util.Format.htmlEncode() to prevent XSS via malicious browser properties
var encode = Ext.util.Format.htmlEncode;
var balloon_text = ""; var balloon_text = "";
balloon_text += hooked_browser.ip; balloon_text += encode(hooked_browser.ip);
balloon_text += "<hr/>" balloon_text += "<hr/>"
balloon_text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/favicon.png' /> "; balloon_text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/favicon.png' /> ";
balloon_text += "Origin: " + hooked_browser.domain + ":" + hooked_browser.port; balloon_text += "Origin: " + encode(hooked_browser.domain) + ":" + encode(hooked_browser.port);
balloon_text += "<br/>"; balloon_text += "<br/>";
balloon_text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(browser_icon) + "' /> "; balloon_text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(browser_icon) + "' /> ";
balloon_text += "Browser: " + hooked_browser.browser_name + " " + hooked_browser.browser_version; balloon_text += "Browser: " + encode(hooked_browser.browser_name) + " " + encode(hooked_browser.browser_version);
balloon_text += "<br/>"; balloon_text += "<br/>";
balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(os_icon) + "' /> "; balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(os_icon) + "' /> ";
if (hooked_browser.os_version == 'Unknown') { if (hooked_browser.os_version == 'Unknown') {
balloon_text += "OS: " + hooked_browser.os_name; balloon_text += "OS: " + encode(hooked_browser.os_name);
} else { } else {
balloon_text += "OS: " + hooked_browser.os_name + ' ' + hooked_browser.os_version; balloon_text += "OS: " + encode(hooked_browser.os_name) + ' ' + encode(hooked_browser.os_version);
} }
balloon_text += "<br/>"; balloon_text += "<br/>";
balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(hw_icon) + "' /> "; balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/" + escape(hw_icon) + "' /> ";
balloon_text += "Hardware: " + hooked_browser.hw_name; balloon_text += "Hardware: " + encode(hooked_browser.hw_name);
balloon_text += "<br/>"; balloon_text += "<br/>";
if ( !hooked_browser.country || !hooked_browser.country_code || hooked_browser.country == 'Unknown' ) { if ( !hooked_browser.country || !hooked_browser.country_code || hooked_browser.country == 'Unknown' ) {
@@ -492,11 +494,11 @@ try{
balloon_text += "Location: Unknown"; balloon_text += "Location: Unknown";
} else { } else {
balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/country-squared/" + escape(hooked_browser.country_code.toLowerCase()) + ".svg' /> "; balloon_text += " <img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/country-squared/" + escape(hooked_browser.country_code.toLowerCase()) + ".svg' /> ";
balloon_text += "Location: " + hooked_browser.city + ", " + hooked_browser.country; balloon_text += "Location: " + encode(hooked_browser.city) + ", " + encode(hooked_browser.country);
} }
balloon_text += "<hr/>"; balloon_text += "<hr/>";
balloon_text += "Local Date: " + hooked_browser.date; balloon_text += "Local Date: " + encode(hooked_browser.date);
hooked_browser.qtip = balloon_text; hooked_browser.qtip = balloon_text;
// set zombie text label for tree node // set zombie text label for tree node
@@ -511,7 +513,7 @@ try{
text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/country-squared/" + escape(hooked_browser.country_code.toLowerCase()) + ".svg' /> "; text += "<img width='13px' height='13px' class='zombie-tree-icon' src='<%= @base_path %>/media/images/icons/country-squared/" + escape(hooked_browser.country_code.toLowerCase()) + ".svg' /> ";
} }
text += hooked_browser.ip; text += encode(hooked_browser.ip);
hooked_browser.text = text; hooked_browser.text = text;
//save a new online HB //save a new online HB