beefproject / beef

The Browser Exploitation Framework Project
https://beefproject.com

Add MSF Integration via XML-RPC #354

Closed passbe closed 12 years ago

passbe commented 12 years ago

Add an interface from Ruby code to MSF, for generating custom payloads on demand etc.



Google Code Issue: http://code.google.com/p/beef/issues/detail?id=16

passbe commented 12 years ago

wade@bindshell.net on August 07, 2010 23:01:47:

summary update

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c2

passbe commented 12 years ago

wade@bindshell.net on August 08, 2010 00:51:55:

Pic attached

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c3

passbe commented 12 years ago

wade@bindshell.net on November 14, 2010 16:01:25:

When clicking on the MSF branch (if it isn't configured in the config.ini) display some details in the right-hand pane explaining how to do it.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c7

passbe commented 12 years ago

xnt...@gmail.com on January 31, 2011 11:34:10:

Tried running this up tonight with the following details but got the following error (after it was loading for a while).

```
msf > load xmlrpc
[*] XMLRPC Service: 127.0.0.1:55553
[*] XMLRPC Username: msf
[*] XMLRPC Password: Zn8VisdI
[*] XMLRPC Server Type: Basic
[*] Successfully loaded plugin: xmlrpc
msf >
```

```
# Enable MSF by changing enable_msf to 1
# Then set msf_callback_host to be the public IP of your MSF server
enable_msf = 1
msf_host = "127.0.0.1"
msf_path = "/RPC2"
msf_port = 55553
msf_user = "msf"
msf_pass = "Zn8VisdI"
msf_callback_host = "127.0.0.1"
```

```
xian@Cacus~/beef/beef$ ruby beef.rb
WARNING: An unknown exception (execution expired) has occured while talking to the Metasploit backend. Please check the Metasploit logs for more details.

-=[ BeEF v0.4.2.2-alpha ]=-

--[ Modules: 25
```

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c16

passbe commented 12 years ago

sussurro...@gtempaccount.com on January 31, 2011 18:16:39:

you are using the wrong type of XMLRPC Server. Try:

```
load xmlrpc Pass=abc123 ServerType=Web
```

That should fix the issue.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c17

passbe commented 12 years ago

xnt...@gmail.com on February 02, 2011 12:25:29:

Oh snap!

That worked..

I didn't spend any time trying to execute an actual module, but that's not the point of this issue, right? Can I close this out?

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c18

passbe commented 12 years ago

xnt...@gmail.com on February 02, 2011 12:30:48:

I've updated the config.ini file with a comment for loading the XMLRPC in r723

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c19

passbe commented 12 years ago

mosse.benjamin@gmail.com on February 06, 2011 12:09:01:

OK I have tested this issue. BeEF can correctly connect to Metasploit and send exploits.

I haven't had a chance to create a shell on my target because I tested on my personal laptop which is fully patched. I will do it tomorrow in a VM. I've checked the javascript code and it all looked fine. So I am expecting everything to run smoothly.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c20

passbe commented 12 years ago

xnt...@gmail.com on February 06, 2011 15:06:52:

Thanks Ben, I'm reassigning this to you, hope that's cool.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c21

passbe commented 12 years ago

xnt...@gmail.com on March 08, 2011 10:57:27:

I've had a couple of issues with this.

I've found that after leaving the framework for a bit, sometimes the command module configuration panels don't load. I've had to restart BeEF to get them to load. But then occasionally the drop-down "payload" selectors didn't work.

And then after restarting both MSF and BeEF, I went to the command-module list and got the following in the BeEF terminal window:

```
st: windows
[2011-03-08 18:52:16] ERROR NameError: undefined local variable or method `msfi' for #<BeEF::Modules::Commands::Msf:0x10202d868>
/Users/xian/beef/beef/./lib/modules/msfcommand.rb:45:in `update_info'
/Users/xian/beef/beef/lib/ui/modules/modules.rb:192:in `select_command_modules_tree'
/Library/Ruby/Gems/1.8/gems/dm-core-1.0.0/lib/dm-core/collection.rb:513:in `each'
/Library/Ruby/Gems/1.8/gems/dm-core-1.0.0/lib/dm-core/support/lazy_array.rb:413:in `each'
/Library/Ruby/Gems/1.8/gems/dm-core-1.0.0/lib/dm-core/support/lazy_array.rb:413:in `each'
/Library/Ruby/Gems/1.8/gems/dm-core-1.0.0/lib/dm-core/collection.rb:510:in `each'
/Users/xian/beef/beef/lib/ui/modules/modules.rb:182:in `select_command_modules_tree'
/Users/xian/beef/beef/./lib/server/httpcontroller.rb:52:in `call'
/Users/xian/beef/beef/./lib/server/httpcontroller.rb:52:in `run'
/Users/xian/beef/beef/./lib/server/httphandler.rb:23:in `do_POST'
/Users/xian/beef/beef/./lib/server/httphandler.rb:21:in `synchronize'
/Users/xian/beef/beef/./lib/server/httphandler.rb:21:in `do_POST'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/httpservlet/abstract.rb:35:in `send'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/httpservlet/abstract.rb:35:in `service'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/Users/xian/beef/beef/./lib/server/httphookserver.rb:102:in `start'
./beef.rb:33
```

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c23

passbe commented 12 years ago

obmaszt...@gmail.com on March 24, 2011 00:00:37:

Using the latest branch

When executing a metasploit module against a browser I get the following:

```
[2011-03-23 23:56:13] ERROR TypeError: can't convert nil into String
/usr/lib/ruby/gems/1.8/gems/json-1.5.1/lib/json/common.rb:148:in `initialize'
/usr/lib/ruby/gems/1.8/gems/json-1.5.1/lib/json/common.rb:148:in `new'
/usr/lib/ruby/gems/1.8/gems/json-1.5.1/lib/json/common.rb:148:in `parse'
/root/downloads/beef_svn/./lib/modules/command.rb:96:in `build_datastore'
/root/downloads/beef_svn/./lib/server/modules/common.rb:119:in `add_command_instructions'
/root/downloads/beef_svn/./lib/server/modules/common.rb:115:in `synchronize'
/root/downloads/beef_svn/./lib/server/modules/common.rb:115:in `add_command_instructions'
/root/downloads/beef_svn/./lib/server/zombiehandler.rb:63:in `do_GET'
/usr/lib/ruby/gems/1.8/gems/dm-core-1.1.0/lib/dm-core/collection.rb:507:in `each'
/usr/lib/ruby/gems/1.8/gems/dm-core-1.1.0/lib/dm-core/support/lazy_array.rb:411:in `each'
/usr/lib/ruby/gems/1.8/gems/dm-core-1.1.0/lib/dm-core/support/lazy_array.rb:411:in `each'
/usr/lib/ruby/gems/1.8/gems/dm-core-1.1.0/lib/dm-core/collection.rb:504:in `each'
/root/downloads/beef_svn/./lib/server/zombiehandler.rb:63:in `do_GET'
/usr/lib/ruby/1.8/webrick/httpservlet/abstract.rb:35:in `send'
/usr/lib/ruby/1.8/webrick/httpservlet/abstract.rb:35:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/root/downloads/beef_svn/./lib/server/httphookserver.rb:102:in `start'
beef.rb:33
```

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c25

passbe commented 12 years ago

obmaszt...@gmail.com on March 24, 2011 02:06:10:

Update

Since updating to the latest branch all commands return that error when execution is attempted not just metasploit.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c26

passbe commented 12 years ago

mail.bm...@gmail.com on March 24, 2011 03:03:38:

Thanks for the heads up. We'll get on that asap.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c27

passbe commented 12 years ago

mail.bm...@gmail.com on March 24, 2011 03:18:45:

This code triggers the bug:

common.rb, line 119:

```ruby
command_module.build_datastore(command.data)
```

command.rb, line 96:

```ruby
def build_datastore(data); @datastore = JSON.parse(data); end
```

As far as I can tell, the problem is due to HBs not sending back data to the framework. They are performing the http request, but not actually sending back results. Hence the datastore is nil and that causes the bug.

We need to investigate the problem in beefjs, fix it there. And also add checks in ruby.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c28
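The comment above pins the crash on `build_datastore` handing a nil result straight to `JSON.parse`. What follows is an added example of the "checks in ruby" it asks for; it is not BeEF project code, and the `CommandResult` class, the `triage` helper and the sample responses are constructed for illustration. The method never raises on a bad result from a hooked browser: a nil, blank, malformed or non-object body is recorded in `errors` and leaves an empty datastore, so one silent browser cannot take down the request handler for everyone else.

```ruby
require 'json'

# Hypothetical stand-in for the command module object on which BeEF's
# add_command_instructions calls build_datastore (not the project's class).
class CommandResult
  attr_reader :datastore, :errors

  def initialize
    @datastore = {}
    @errors = []
  end

  # Hardened replacement for `@datastore = JSON.parse(data)`.
  # Returns true when the datastore was populated, false otherwise, and
  # records why in @errors instead of raising.
  def build_datastore(data)
    @datastore = {}
    if data.nil? || data.to_s.strip.empty?
      # The thread's failure mode: the browser polled but sent no result.
      @errors << 'empty result from hooked browser'
      return false
    end
    parsed = JSON.parse(data.to_s)
    unless parsed.is_a?(Hash)
      # A datastore must be a JSON object; arrays or scalars are rejected.
      @errors << "result is not a JSON object (got #{parsed.class})"
      return false
    end
    @datastore = parsed
    true
  rescue JSON::ParserError => e
    @errors << "malformed JSON: #{e.message}"
    false
  end
end

# Constructed sample responses: one well-formed result, one empty body
# (the bug reported above) and one body cut off mid-transfer.
SAMPLE_RESULTS = {
  'good'      => '{"SRVHOST":"10.211.55.2","LPORT":4444}',
  'empty'     => nil,
  'truncated' => '{"SRVHOST":"10.211.55.2",'
}

# Runs every sample through build_datastore and returns name => accepted?
def triage(results)
  results.each_with_object({}) do |(name, body), out|
    out[name] = CommandResult.new.build_datastore(body)
  end
end

if $PROGRAM_NAME == __FILE__
  triage(SAMPLE_RESULTS).each { |name, ok| puts "#{name}: #{ok ? 'parsed' : 'rejected'}" }
end
```

Returning a boolean rather than raising lets the caller decide whether to log and move on or to re-queue the command; either way the failure is visible in `errors` instead of surfacing as a TypeError deep inside the json gem.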

passbe commented 12 years ago

mail.bm...@gmail.com on March 25, 2011 11:03:38:

FYI, we've found the problem and are working on it.

A dirty fix would be to uninstall the json gem module. And re-install it making sure it's running version 1.4.2.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c29

passbe commented 12 years ago

xnt...@gmail.com on April 09, 2011 08:17:34:

I know this isn't my issue to fix, but I was having a look at it anyway, and have the following comments:

I'm still having ad-hoc problems with lockups when clicking on an MSF module (it sits there with the spinning loading wheel, loading the details panel or whatever). After a kill of beef and a refresh, I tried the "Signed Applet Social Engineering Code Exec" module against a Windows VM (different IP) but it didn't work.

I believe the "SRVHOST" setting wasn't sent as part of the BeEF module. In firebox I can see a GET request 404 when trying the URL of the msf, but the IP isn't to the SRVHOST IP, it's to 127.0.0.1, which doesn't work.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c33

passbe commented 12 years ago

obmaszt...@gmail.com on April 16, 2011 20:09:05:

Is there a trick to getting a meterpreter session? The metasploit modules work as I tested dhtml behaviors and windows/messagebox on ie6 and the desired message appeared. If I set the payload to windows/meterpreter/reverse_tcp then I never get a session. Running the latest SVN version. I can use the javascript functions to still initiate what I need but that defeats the purpose of the metasploit integration.

And is my BeEF supposed to look like the one in the "Picture 3.png" on this page? Cause mine most certainly does not have any of those tabs after the 3rd one.

Figure it's easier to ask for help first before trying to recode anything.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c36

passbe commented 12 years ago

antisnatchor@gmail.com on April 16, 2011 22:23:13:

Can you give us more details? Do you see any errors while using meterpreter? Which JS functions are you using to circumvent the problem?

The screenshot you mentioned is something not in the trunk: it includes future developments and things like Yokoso that will be ported later on.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c37

passbe commented 12 years ago

antisnatchor@gmail.com on April 17, 2011 11:01:22:

I just tested meterpreter reverse tcp payload and it works great.

```
[12:54:25][*] Hooked browser 10.211.55.4 exploited with command 'Generic Metasploit Exploit'
```

and in MSF:

```
[*] Successfully loaded plugin: xmlrpc
msf > [*] Meterpreter session 1 opened (10.211.55.2:4444 -> 10.211.55.4:1056) at 2011-04-17 12:54:42 +0200
msf > sessions

Active sessions

  Id  Type                   Information                                      Connection
  1   meterpreter x86/win32  ANTISNATCHO15E8\Administrator @ ANTISNATCHO15E8  10.211.55.2:4444 -> 10.211.55.4:1056
```

Please be sure to configure the host and callback_host correctly. Ensure that the ServerHost xmlrpc parameter has the same value as the host and callback_host variables defined in BeEF config.YAML.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=16#c38
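Most of the failures in this thread are configuration mismatches rather than code bugs: the wrong xmlrpc ServerType, a loopback msf_callback_host that remote hooked browsers cannot reach, and a ServerHost that differs from the host values in the BeEF config. As an added example (not BeEF project code), the checker below parses the `key = value` config.ini lines quoted earlier in the thread and reports those inconsistencies before BeEF is started. The `SAMPLE_CONFIG` text is a constructed copy of the thread's config, and `server_host` is an assumed parameter carrying the ServerHost value given to `load xmlrpc` in msfconsole, since that value is not stored in the BeEF config.

```ruby
require 'ipaddr'

# Constructed sample mirroring the config.ini fragment posted in this thread.
SAMPLE_CONFIG = <<~INI
  # Enable MSF by changing enable_msf to 1
  # Then set msf_callback_host to be the public IP of your MSF server
  enable_msf = 1
  msf_host = "127.0.0.1"
  msf_path = "/RPC2"
  msf_port = 55553
  msf_user = "msf"
  msf_pass = "Zn8VisdI"
  msf_callback_host = "127.0.0.1"
INI

# Parses `key = value` lines into a Hash of strings. Comments (from '#' to
# end of line) and surrounding double quotes are stripped; a '#' inside a
# quoted value is therefore not supported by this minimal parser.
def parse_ini(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split('=', 2).map(&:strip)
    next if key.nil? || value.nil?
    cfg[key] = value.gsub(/\A"|"\z/, '')
  end
end

# True for 'localhost' and any loopback IPv4/IPv6 address.
def loopback?(host)
  return true if host == 'localhost'
  IPAddr.new(host).loopback?
rescue IPAddr::InvalidAddressError
  false
end

# Returns an Array of problem descriptions; an empty Array means the
# enable_msf settings are internally consistent. Nothing is checked when
# MSF integration is disabled.
def check_msf_config(cfg, server_host:)
  problems = []
  return problems unless cfg['enable_msf'] == '1'

  %w[msf_host msf_path msf_port msf_user msf_pass msf_callback_host].each do |k|
    problems << "#{k} is missing" if cfg[k].to_s.empty?
  end

  port = cfg['msf_port'].to_i
  unless (1..65535).cover?(port)
    problems << "msf_port #{cfg['msf_port'].inspect} is not a valid TCP port"
  end

  cb = cfg['msf_callback_host']
  if cb && loopback?(cb)
    # The symptom reported above: hooked browsers on other machines are
    # directed to 127.0.0.1 and the request 404s or never arrives.
    problems << "msf_callback_host is loopback (#{cb}); hooked browsers on other hosts cannot reach it"
  end

  # The rule stated in the last comment: ServerHost must equal both host values.
  if cfg['msf_host'] && cb && server_host
    unless cfg['msf_host'] == server_host && cb == server_host
      problems << "xmlrpc ServerHost (#{server_host}) must equal msf_host (#{cfg['msf_host']}) and msf_callback_host (#{cb})"
    end
  end

  problems
end

if $PROGRAM_NAME == __FILE__
  cfg = parse_ini(SAMPLE_CONFIG)
  check_msf_config(cfg, server_host: '127.0.0.1').each { |p| puts "WARN: #{p}" }
end
```

Run against the thread's own config with ServerHost left at 127.0.0.1, the only finding is the loopback callback host, which matches what the reporter saw: the xmlrpc connection itself works on one machine, but a browser on a different IP is sent to an address it cannot reach.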