From 51cc5963fa0c5d2b12496f3d9d2c70f30b77fc0a Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Sun, 19 Jul 2015 11:24:53 +0200
Subject: [PATCH] Replaced system with IO.popen to prevent an unlikely RCE, and also added additional checks.
---
 config.yaml | 5 ++++-
 core/ruby/security.rb | 8 ++++----
 extensions/dns_rebinding/config.yaml | 9 +++++----
 extensions/dns_rebinding/dns_rebinding.rb | 10 +++++++---
 extensions/dns_rebinding/extension.rb | 4 ++--
 modules/network/dns_rebinding/config.yaml | 4 ++--
 6 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/config.yaml b/config.yaml
index cde2cb06f..03581e5a9 100644
--- a/config.yaml
+++ b/config.yaml
@@ -158,6 +158,9 @@ beef:
 enable: false
 ipec:
 enable: true
- # this is still experimental, we're working on it..
+ # this is still experimental..
 dns:
 enable: true
+ # this is still experimental..
+ dns_rebinding:
+ enable: false
diff --git a/core/ruby/security.rb b/core/ruby/security.rb
index 4bdb8b05a..731a7fd63 100644
--- a/core/ruby/security.rb
+++ b/core/ruby/security.rb
@@ -11,10 +11,10 @@ def exec(args)
 end
 
 # @note Prevent system from ever being used
-#def system(args)
-# puts "For security reasons the system method is not accepted in the Browser Exploitation Framework code base."
-# exit
-#end
+def system(args)
+ puts "For security reasons the system method is not accepted in the Browser Exploitation Framework code base."
+ exit
+end
 
 # @note Prevent Kernel.system from ever being used
 def Kernel.system(args)
diff --git a/extensions/dns_rebinding/config.yaml b/extensions/dns_rebinding/config.yaml
index 890dcbc21..767fe8a5b 100644
--- a/extensions/dns_rebinding/config.yaml
+++ b/extensions/dns_rebinding/config.yaml
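Review bot: The newly enabled `def system(args)` stub only matches calls with exactly one positional argument, so a call such as `system('cmd', 'arg')` or `system(cmd, exception: true)` fails with ArgumentError rather than printing the intended message; `def system(*)` would cover every call form, and the same applies to the `Kernel.system` definition whose body starts at the hunk's last line and continues outside it. The override is also a code-base convention rather than a security boundary, since backticks, `%x`, `spawn` and `IO.popen` with a String argument are not intercepted, which is worth stating in the existing `@note` so nobody reads it as a sandbox, e.g. `# @note Convention only: blocks direct system() calls; backticks, %x, spawn and IO.popen(String) must be reviewed separately.`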
@@ -3,12 +3,13 @@ beef:
 dns_rebinding:
 enable: true
 name: 'DNS Rebinding'
+ authors: ['Milovanov T.I.']
 #Addresses are split into internal/external for more convenient attack
 #from LAN.
- address_http_internal: '192.168.0.104'
- address_http_external: '31.211.59.107'
- address_proxy_internal: '192.168.0.104'
- address_proxy_external: '31.211.59.107'
+ address_http_internal: '192.168.x.x'
+ address_http_external: 'x.x.x.x'
+ address_proxy_internal: '192.168.x.x'
+ address_proxy_external: 'x.x.x.x'
 port_http: 80
 port_proxy: 81
 debug_mode: true
diff --git a/extensions/dns_rebinding/dns_rebinding.rb b/extensions/dns_rebinding/dns_rebinding.rb
index 8249d38f4..ebaafff5d 100644
--- a/extensions/dns_rebinding/dns_rebinding.rb
+++ b/extensions/dns_rebinding/dns_rebinding.rb
@@ -44,7 +44,11 @@ module DNSRebinding
 if start_string.include?("load")
 log "[Server] Block with iptables\n"
 port_http = dr_config['port_http']
- system("iptables -A INPUT -s #{victim_ip} -p tcp --dport #{port_http} -j REJECT --reject-with tcp-reset")
+ if BeEF::Filters::is_valid_ip?(victim_ip) && port_http.kind_of?(Integer)
+ IO.popen(["iptables","-A","INPUT","-s","#{victim_ip}","-p","tcp","--dport","#{port_http}","-j","REJECT","--reject-with","tcp-reset"], 'r+'){|io|}
+ else
+ print_error "[Dns_Rebinding] victim_ip or port_http values are illegal."
+ end
 end
 log "-------------------------------\n"
 end
@@ -192,8 +196,8 @@ module DNSRebinding
 response_a = @responses[path]
 @mutex_responses.unlock
 
- response = response_a[1];
- content_type = response_a[0];
+ response = response_a[1]
+ content_type = response_a[0]
 
 send_http_response(socket, response, {'Content-Type'=>content_type})
 
diff --git a/extensions/dns_rebinding/extension.rb b/extensions/dns_rebinding/extension.rb
index a4b713108..2cd0b6234 100644
--- a/extensions/dns_rebinding/extension.rb
+++ b/extensions/dns_rebinding/extension.rb
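Review bot: The new `IO.popen(...){|io|}` call in the first dns_rebinding.rb hunk never checks whether iptables actually ran: the block is empty so `$?` is ignored, and a missing binary raises `Errno::ENOENT` straight out of the handler, while the preceding `log "[Server] Block with iptables\n"` already reports the block as done. Passing argv as an Array does keep the shell out of the picture, which is the real fix here; what is left is to test `$?.success?` after the block and rescue `SystemCallError`, and `victim_ip` and `port_http.to_s` can be passed directly instead of through `"#{...}"` interpolation. Whether `is_valid_ip?` also accepts IPv6 literals, which `iptables` would reject, cannot be seen from this hunk and is worth confirming against the filter's definition. The enclosing method begins before the hunk.
```ruby
port_http = dr_config['port_http']
if BeEF::Filters::is_valid_ip?(victim_ip) && port_http.kind_of?(Integer)
  begin
    IO.popen(['iptables', '-A', 'INPUT', '-s', victim_ip, '-p', 'tcp', '--dport', port_http.to_s,
              '-j', 'REJECT', '--reject-with', 'tcp-reset']) { |io| io.read }
    print_error "[Dns_Rebinding] iptables exited with status #{$?.exitstatus}" unless $?.success?
  rescue SystemCallError => e
    print_error "[Dns_Rebinding] could not run iptables: #{e.message}"
  end
else
  print_error "[Dns_Rebinding] victim_ip or port_http values are illegal."
end
# … unchanged: closing end of the include?("load") branch, trailing log …
```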
@@ -5,8 +5,8 @@ module DNSRebinding
 extend BeEF::API::Extension
 @short_name = 'DNS Rebinding'
- @full_name = 'aaaa'
- @description = 'aaaa'
+ @full_name = 'DNS Rebinding'
+ @description = 'DNS Rebinding extension'
 end
 end
diff --git a/modules/network/dns_rebinding/config.yaml b/modules/network/dns_rebinding/config.yaml
index 465cbc917..130c43826 100644
--- a/modules/network/dns_rebinding/config.yaml
+++ b/modules/network/dns_rebinding/config.yaml
@@ -5,7 +5,7 @@ beef:
 category: "Network"
 name: "DNS Rebinding"
 description: "dnsrebind"
- domain: "dnsreb.chickenkiller.com"
+ domain: "dnsreb.beefproject.com"
 authors: ["Milovanov T.I."]
 target:
 working:
@@ -15,4 +15,4 @@ beef:
 O:
 min_ver: 1
 max_ver: 27
- not_working: ["All"]
+ not_working: ["All"]