From 9065fc9514c3234d2d1eb292c041a498cb8697c8 Mon Sep 17 00:00:00 2001
From: Grant Burgess
Date: Fri, 10 Jan 2020 14:38:06 +1000
Subject: [PATCH] Check request IP before resolving the Admin UI

---
 extensions/admin_ui/classes/httpcontroller.rb | 67 +++++++++++++++++--
 1 file changed, 63 insertions(+), 4 deletions(-)

diff --git a/extensions/admin_ui/classes/httpcontroller.rb b/extensions/admin_ui/classes/httpcontroller.rb
index d826b9d37..09b41db6c 100644
--- a/extensions/admin_ui/classes/httpcontroller.rb
+++ b/extensions/admin_ui/classes/httpcontroller.rb
@@ -10,7 +10,7 @@ module AdminUI
   #
   # Handle HTTP requests and call the relevant functions in the derived classes
   #
-  class HttpController
+  class HttpController
     attr_accessor :headers, :status, :body, :paths, :currentuser, :params
@@ -26,8 +26,8 @@ module AdminUI
       @status = 200 if data['status'].nil?
       @session = BeEF::Extension::AdminUI::Session.instance
-      config = BeEF::Core::Configuration.instance
-      @bp = config.get "beef.extension.admin_ui.base_path"
+      @config = BeEF::Core::Configuration.instance
+      @bp = @config.get "beef.extension.admin_ui.base_path"
       @headers = {'Content-Type' => 'text/html; charset=UTF-8'} if data['headers'].nil?
@@ -37,6 +37,60 @@ module AdminUI
         @paths = data['paths']
       end
     end
+
+    #
+    # Authentication check. Confirm the request to access the UI comes from a permitted IP address
+    #
+    def authenticate_request(ip)
+      auth = BeEF::Extension::AdminUI::Controllers::Authentication.new
+      if !auth.permitted_source?(ip)
+        if @config.get("beef.http.web_server_imitation.enable")
+          type = @config.get("beef.http.web_server_imitation.type")
+          case type
+          when "apache"
+            @body = BeEF::Core::Router::APACHE_BODY
+            @status = 404
+            @headers = BeEF::Core::Router::APACHE_HEADER
+            return false
+          when "iis"
+            @body = BeEF::Core::Router::IIS_BODY
+            @status = 404
+            @headers = BeEF::Core::Router::IIS_HEADER
+            return false
+          when "nginx"
+            @body = BeEF::Core::Router::APACHE_BODY
+            @status = 404
+            @headers = BeEF::Core::Router::APACHE_HEADER
+            return false
+          else
+            @body = "Not Found."
+            @status = 404
+            @headers = {"Content-Type" => "text/html"}
+            return false
+          end
+        else
+          @body = "Not Found."
+          @status = 404
+          @headers = {"Content-Type" => "text/html"}
+          return false
+        end
+      else
+        return true
+      end
+    end
+
+    #
+    # Check if reverse proxy has been enabled and return the correct client IP address
+    #
+    def get_ip(request)
+      if !@config.get("beef.http.allow_reverse_proxy")
+        ua_ip = request.get_header('REMOTE_ADDR') # Get client remote ip address
+      else
+        ua_ip = request.ip # Get client x-forwarded-for ip address
+      end
+      ua_ip
+    end
+
     #
     # Handle HTTP requests and call the relevant functions in the derived classes
@@ -47,7 +101,12 @@ module AdminUI
       # Web UI base path, like http://beef_domain//panel
       auth_url = "#{@bp}/authentication"
-
+
+      # If access to the UI is not permitted for the request IP address return a 404
+      if !authenticate_request(get_ip(@request))
+        return
+      end
+
       # test if session is unauth'd and whether the auth functionality is requested
       if not @session.valid_session?(@request) and not self.class.eql?(BeEF::Extension::AdminUI::Controllers::Authentication)
         @body = ''
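Review bot: The `when "nginx"` branch of `authenticate_request` sends the Apache imitation body and headers, so an operator who configured nginx imitation gets a response labelled as Apache; if `BeEF::Core::Router` defines nginx equivalents they belong here, otherwise the branch should fall through to the generic response rather than silently borrowing Apache's. Every rejection path also sets `@status = 404`, and the plain `"Not Found."` triple is written twice, so assigning the generic 404 once and overriding only body/headers per imitation type removes most of the method, as sketched below. `get_ip` should carry a comment that `request.ip` honours forwarded-for headers, so `beef.http.allow_reverse_proxy` must stay off unless a trusted proxy is in front and overwrites those headers, otherwise the address the allow-list sees is not the address of the connecting peer. The rejection path is also silent; a log line carrying the rejected source address would let an operator notice repeated unauthorised attempts to reach the UI.
```ruby
    def authenticate_request(ip)
      auth = BeEF::Extension::AdminUI::Controllers::Authentication.new
      return true if auth.permitted_source?(ip)

      # Generic 404 for every rejected request; imitation types below only
      # replace the body/headers so the response matches the configured server.
      @status = 404
      @body = "Not Found."
      @headers = {"Content-Type" => "text/html"}

      if @config.get("beef.http.web_server_imitation.enable")
        case @config.get("beef.http.web_server_imitation.type")
        when "apache"
          @body = BeEF::Core::Router::APACHE_BODY
          @headers = BeEF::Core::Router::APACHE_HEADER
        when "iis"
          @body = BeEF::Core::Router::IIS_BODY
          @headers = BeEF::Core::Router::IIS_HEADER
        when "nginx"
          # TODO(review): currently the Apache imitation; use nginx constants if the router provides them
          @body = BeEF::Core::Router::APACHE_BODY
          @headers = BeEF::Core::Router::APACHE_HEADER
        end
      end
      false
    end
```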
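Review bot: The added guard in the second hunk is a four-line negated `if` around a bare `return`; `return unless authenticate_request(get_ip(@request))` reads as the guard clause it is and matches the early-exit style recommended for Ruby. The enclosing method starts and ends outside the hunk, so the bare `return` makes its value `nil` on the rejected path; that is presumably fine because `authenticate_request` has already populated `@status`, `@body` and `@headers` for the router to read, but it is worth confirming the caller does not use the method's return value.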