Add support for multiple permitted hooking/ui subnets - #1319

2019-03-03 21:14:39 +00:00
parent 8e7522b1b1
commit d698b6a0ba
4 changed files with 44 additions and 27 deletions
--- a/config.yaml
+++ b/config.yaml
@@ -23,10 +23,10 @@ beef:
    # Interface / IP restrictions
    restrictions:
        # subnet of IP addresses that can hook to the framework
-        permitted_hooking_subnet: "0.0.0.0/0"
+        permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
        # subnet of IP addresses that can connect to the admin UI
-        #permitted_ui_subnet: "127.0.0.1/32"
-        permitted_ui_subnet: "0.0.0.0/0"
+        #permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
+        permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
        # slow API calls to 1 every  api_attempt_delay  seconds
        api_attempt_delay: "0.05"

--- a/core/main/handlers/hookedbrowsers.rb
+++ b/core/main/handlers/hookedbrowsers.rb
@@ -30,10 +30,19 @@ module Handlers
      
      # @note check source ip address of browser
      permitted_hooking_subnet = config.get('beef.restrictions.permitted_hooking_subnet')
-      target_network = IPAddr.new(permitted_hooking_subnet)
-      if not target_network.include?(request.ip)
-        BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from out of target range browser (#{request.ip}) rejected.")
-        error 500
+      if permitted_hooking_subnet.nil? || permitted_hooking_subnet.empty?
+        BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from outside of permitted hooking subnet (#{request.ip}) rejected.")
+	error 404
+      end
+
+      found = false
+      permitted_hooking_subnet.each do |subnet|
+        found = true if IPAddr.new(subnet).include?(request.ip)
+      end
+
+      unless found
+        BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from outside of permitted hooking subnet (#{request.ip}) rejected.")
+        error 404
      end

      # @note get zombie if already hooked the framework
--- a/core/main/rest/api.rb
+++ b/core/main/rest/api.rb
@@ -70,15 +70,20 @@ module BeEF
      # This is from extensions/admin_ui/controllers/authentication/authentication.rb
      #
      def self.permitted_source?(ip)
-        # get permitted subnet
+        # test if supplied IP address is valid
+        return false unless BeEF::Filters::is_valid_ip?(ip)
+
+        # get permitted subnets
        permitted_ui_subnet = BeEF::Core::Configuration.instance.get("beef.restrictions.permitted_ui_subnet")
-        target_network = IPAddr.new(permitted_ui_subnet)
+	return false if permitted_ui_subnet.nil?
+	return false if permitted_ui_subnet.empty?

-        # test if supplied IP address is valid dot-decimal format
-        return false unless ip =~ /\A[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\z/
+        # test if ip within subnets
+	permitted_ui_subnet.each do |subnet|
+          return true if IPAddr.new(subnet).include?(ip)
+	end

-        # test if ip within subnet
-        return target_network.include?(ip)
+        false
      end

      #
--- a/extensions/admin_ui/controllers/authentication/authentication.rb
+++ b/extensions/admin_ui/controllers/authentication/authentication.rb
@@ -47,8 +47,8 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
    ua_ip = @request.ip # get client ip address
    @body = '{ success : false }' # attempt to fail closed

-    # check if source IP address is permited to authenticate
-    if not permited_source?(ua_ip)
+    # check if source IP address is permitted to authenticate
+    if not permitted_source?(ua_ip)
      BeEF::Core::Logger.instance.register('Authentication', "IP source address (#{@request.ip}) attempted to authenticate but is not within permitted subnet.")
      return
    end
@@ -105,19 +105,22 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
  #
  # Check the UI browser source IP is within the permitted subnet
  #
-  def permited_source?(ip)
-    # get permitted subnet
-    config = BeEF::Core::Configuration.instance
-    permitted_ui_subnet = config.get('beef.restrictions.permitted_ui_subnet')
-    target_network = IPAddr.new(permitted_ui_subnet)
-    # test if supplied IP address is valid dot-decimal format
-    return false unless ip =~ /\A[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\z/
-    # test if ip within subnet
-    return target_network.include?(ip)
+  def permitted_source?(ip)
+    # test if supplied IP address is valid
+    return false unless BeEF::Filters::is_valid_ip?(ip)
+
+    # get permitted subnets
+    permitted_ui_subnet = BeEF::Core::Configuration.instance.get("beef.restrictions.permitted_ui_subnet")
+    return false if permitted_ui_subnet.nil?
+    return false if permitted_ui_subnet.empty?
+
+    # test if ip within subnets
+    permitted_ui_subnet.each do |subnet|
+      return true if IPAddr.new(subnet).include?(ip)
+    end
+
+    false
  end
-
-
-
 end

 end