RESTful API now obeys permitted_ui_subnet

2012-04-15 07:24:17 +08:00
parent 2b77416226
commit 44e9871503
5 changed files with 24 additions and 0 deletions
--- a/core/bootstrap.rb
+++ b/core/bootstrap.rb
@@ -50,4 +50,5 @@ require 'core/hbmanager'
 require 'core/main/rest/handlers/hookedbrowsers'
 require 'core/main/rest/handlers/modules'
 require 'core/main/rest/handlers/logs'
+require 'core/main/rest/handlers/admin'
 require 'core/main/rest/api'
--- a/core/main/rest/api.rb
+++ b/core/main/rest/api.rb
@@ -35,9 +35,29 @@ module BeEF
        end
      end

+      module RegisterAdminHandler
+        def self.mount_handler(server)
+          server.mount('/api/admin', BeEF::Core::Rest::Admin.new)
+        end
+      end
+
      BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterHooksHandler, BeEF::API::Server, 'mount_handler')
      BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterModulesHandler, BeEF::API::Server, 'mount_handler')
      BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterLogsHandler, BeEF::API::Server, 'mount_handler')
+      BeEF::API::Registrar.instance.register(BeEF::Core::Rest::RegisterAdminHandler, BeEF::API::Server, 'mount_handler')
+
+      #
+      # Check the source IP is within the permitted subnet
+      # This is from extensions/admin_ui/controllers/authentication/authentication.rb
+      #
+      def self.permitted_source?(ip)
+        # get permitted subnet 
+        permitted_ui_subnet = BeEF::Core::Configuration.instance.get("beef.restrictions.permitted_ui_subnet")
+        target_network = IPAddr.new(permitted_ui_subnet)
+        
+        # test if ip within subnet
+        return target_network.include?(ip)
+      end

    end
  end
--- a/core/main/rest/handlers/hookedbrowsers.rb
+++ b/core/main/rest/handlers/hookedbrowsers.rb
@@ -23,6 +23,7 @@ module BeEF

        before do
          error 401 unless params[:token] == config.get('beef.api_token')
+          halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
          headers 'Content-Type' => 'application/json; charset=UTF-8',
                  'Pragma' => 'no-cache',
                  'Cache-Control' => 'no-cache',
--- a/core/main/rest/handlers/logs.rb
+++ b/core/main/rest/handlers/logs.rb
@@ -23,6 +23,7 @@ module BeEF

        before do
          error 401 unless params[:token] == config.get('beef.api_token')
+          halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
          headers 'Content-Type' => 'application/json; charset=UTF-8',
                  'Pragma' => 'no-cache',
                  'Cache-Control' => 'no-cache',
--- a/core/main/rest/handlers/modules.rb
+++ b/core/main/rest/handlers/modules.rb
@@ -23,6 +23,7 @@ module BeEF

        before do
          error 401 unless params[:token] == config.get('beef.api_token')
+          halt 401 if not BeEF::Core::Rest.permitted_source?(request.ip)
          headers 'Content-Type' => 'application/json; charset=UTF-8',
                  'Pragma' => 'no-cache',
                  'Cache-Control' => 'no-cache',