beefproject/beef

Error in ActiveX Command Execution module - urlencoded command

Open

#1,854 opened on Jan 14, 2020

Good First Issue, Medium, Module

Description

The ActiveX Command Execution module does not work with "Initialize and script ActiveX controls not marked as safe for scripting" enabled. beef-0.5.0.0

Environment

What version/revision of BeEF are you using?

0.5.0.0

On what version of Ruby?

ruby 2.5.7p206 (2019-10-01 revision 67816) [x86_64-linux-gnu]

On what browser?

IE11, with initialize and scripting ... enabled

On what operating system?

Win10 <- victim; Kali Linux 2019 with latest updates <- BeEF framework

Configuration

Are you using a non-default configuration? no

Summary

Error in the ActiveX Command Execution module. Only standalone commands execute. Commands with spaces or any special characters do not work.

Expected Behaviour

Execute the command on the victim: cmd.exe /c "echo Hello from BeEF! & pause"

Actual Behaviour

The command is not executed.

Additional Information

Proposed fix: in the file https://github.com/beefproject/beef/blob/master/modules/exploits/local_host/activex_command_execution/command.js the text in the cmd variable is URL-encoded. I changed line 9 to URL-decode it: var cmd = decodeURIComponent(beef.encode.base64.decode('<%= Base64.strict_encode64(@cmd) %>')); to resolve the issue. Now it works.
