From d698b6a0ba23c6bcf424c2eb651f7483f81a8655 Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Sun, 3 Mar 2019 21:14:39 +0000
Subject: [PATCH] Add support for multiple permitted hooking/ui subnets - #1319
---
 config.yaml | 6 ++--
 core/main/handlers/hookedbrowsers.rb | 17 +++++++---
 core/main/rest/api.rb | 17 ++++++----
 .../authentication/authentication.rb | 31 ++++++++++---------
 4 files changed, 44 insertions(+), 27 deletions(-)
diff --git a/config.yaml b/config.yaml
index ac9abbaa4..3912a4d02 100644
--- a/config.yaml
+++ b/config.yaml
@@ -23,10 +23,10 @@ beef:
 # Interface / IP restrictions
 restrictions:
 # subnet of IP addresses that can hook to the framework
- permitted_hooking_subnet: "0.0.0.0/0"
+ permitted_hooking_subnet: ["0.0.0.0/0", "::/0"]
 # subnet of IP addresses that can connect to the admin UI
- #permitted_ui_subnet: "127.0.0.1/32"
- permitted_ui_subnet: "0.0.0.0/0"
+ #permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
+ permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
 # slow API calls to 1 every api_attempt_delay seconds
 api_attempt_delay: "0.05"
diff --git a/core/main/handlers/hookedbrowsers.rb b/core/main/handlers/hookedbrowsers.rb
index 873c02305..1e6f70691 100644
--- a/core/main/handlers/hookedbrowsers.rb
+++ b/core/main/handlers/hookedbrowsers.rb
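Review bot: In the `restrictions` block of config.yaml both comments still describe a single "subnet" although the two keys now take a YAML list, so an operator upgrading an existing file has nothing telling them the scalar form is no longer what the code iterates over. I would reword them along the lines of `# list of subnets (CIDR) that can connect to the admin UI` and say that IPv4 and IPv6 each need their own entry. It is also worth stating next to the active `permitted_ui_subnet` line that `["0.0.0.0/0", "::/0"]` admits every IPv4 and IPv6 source, with the commented loopback pair as the restrictive alternative.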
@@ -30,10 +30,19 @@ module Handlers
 # @note check source ip address of browser
 permitted_hooking_subnet = config.get('beef.restrictions.permitted_hooking_subnet')
- target_network = IPAddr.new(permitted_hooking_subnet)
- if not target_network.include?(request.ip)
- BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from out of target range browser (#{request.ip}) rejected.")
- error 500
+ if permitted_hooking_subnet.nil? || permitted_hooking_subnet.empty?
+ BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from outside of permitted hooking subnet (#{request.ip}) rejected.")
+ error 404
+ end
+
+ found = false
+ permitted_hooking_subnet.each do |subnet|
+ found = true if IPAddr.new(subnet).include?(request.ip)
+ end
+
+ unless found
+ BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from outside of permitted hooking subnet (#{request.ip}) rejected.")
+ error 404
 end
 # @note get zombie if already hooked the framework
diff --git a/core/main/rest/api.rb b/core/main/rest/api.rb
index c68c4c311..550c22646 100644
--- a/core/main/rest/api.rb
+++ b/core/main/rest/api.rb
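Review bot: `permitted_hooking_subnet.each` in core/main/handlers/hookedbrowsers.rb assumes the setting is already a list, so a config.yaml that still carries the old scalar form (`"0.0.0.0/0"`) passes the `nil?`/`empty?` guard and then raises NoMethodError, because String has no `each`; the same applies to the `permitted_ui_subnet.each` loops in core/main/rest/api.rb and authentication.rb. Coercing with `Array(...)` keeps old configs working and lets the nil/empty branch, the `found` flag and the duplicated log-and-404 block collapse into one check: `unless Array(permitted_hooking_subnet).any? { |subnet| IPAddr.new(subnet).include?(request.ip) }`. `IPAddr.new(subnet)` also raises on a malformed entry, so a typo in the list turns every request into an unhandled exception rather than a logged rejection; validating the entries once when the configuration is loaded would avoid that, if the config layer allows it. The enclosing handler starts and ends outside this hunk.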
@@ -70,15 +70,20 @@ module BeEF
 # This is from extensions/admin_ui/controllers/authentication/authentication.rb
 #
 def self.permitted_source?(ip)
- # get permitted subnet
+ # test if supplied IP address is valid
+ return false unless BeEF::Filters::is_valid_ip?(ip)
+
+ # get permitted subnets
 permitted_ui_subnet = BeEF::Core::Configuration.instance.get("beef.restrictions.permitted_ui_subnet")
- target_network = IPAddr.new(permitted_ui_subnet)
+ return false if permitted_ui_subnet.nil?
+ return false if permitted_ui_subnet.empty?
- # test if supplied IP address is valid dot-decimal format
- return false unless ip =~ /\A[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\z/
+ # test if ip within subnets
+ permitted_ui_subnet.each do |subnet|
+ return true if IPAddr.new(subnet).include?(ip)
+ end
- # test if ip within subnet
- return target_network.include?(ip)
+ false
 end
 #
diff --git a/extensions/admin_ui/controllers/authentication/authentication.rb b/extensions/admin_ui/controllers/authentication/authentication.rb
index 281dc1565..ad406c8a0 100644
--- a/extensions/admin_ui/controllers/authentication/authentication.rb
+++ b/extensions/admin_ui/controllers/authentication/authentication.rb
@@ -47,8 +47,8 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
 ua_ip = @request.ip # get client ip address
 @body = '{ success : false }' # attempt to fail closed
- # check if source IP address is permited to authenticate
- if not permited_source?(ua_ip)
+ # check if source IP address is permitted to authenticate
+ if not permitted_source?(ua_ip)
 BeEF::Core::Logger.instance.register('Authentication', "IP source address (#{@request.ip}) attempted to authenticate but is not within permitted subnet.")
 return
 end
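Review bot: In `self.permitted_source?` (core/main/rest/api.rb) the IPv4-only regex is replaced by `BeEF::Filters::is_valid_ip?`, whose definition is not part of this patch, so whether an IPv6 source ever gets past the first `return false` cannot be checked from here. If that filter only accepts dot-decimal addresses, the new `"::/0"` and `"::1/128"` entries can never match and IPv6 clients are rejected whatever is configured. I would confirm this and record the contract in the method comment, e.g. `# ip must be a valid IPv4 or IPv6 address string; returns true if it lies in any configured subnet`.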
@@ -105,19 +105,22 @@ class Authentication < BeEF::Extension::AdminUI::HttpController
 #
 # Check the UI browser source IP is within the permitted subnet
 #
- def permited_source?(ip)
- # get permitted subnet
- config = BeEF::Core::Configuration.instance
- permitted_ui_subnet = config.get('beef.restrictions.permitted_ui_subnet')
- target_network = IPAddr.new(permitted_ui_subnet)
- # test if supplied IP address is valid dot-decimal format
- return false unless ip =~ /\A[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\z/
- # test if ip within subnet
- return target_network.include?(ip)
+ def permitted_source?(ip)
+ # test if supplied IP address is valid
+ return false unless BeEF::Filters::is_valid_ip?(ip)
+
+ # get permitted subnets
+ permitted_ui_subnet = BeEF::Core::Configuration.instance.get("beef.restrictions.permitted_ui_subnet")
+ return false if permitted_ui_subnet.nil?
+ return false if permitted_ui_subnet.empty?
+
+ # test if ip within subnets
+ permitted_ui_subnet.each do |subnet|
+ return true if IPAddr.new(subnet).include?(ip)
+ end
+
+ false
 end
-
-
-
 end
 end
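Review bot: `permitted_source?` in authentication.rb is now a line-for-line copy of `self.permitted_source?` in core/main/rest/api.rb, so the admin UI allow-list check lives in two places and a later fix to one can silently miss the other. Having this instance method delegate to the class method in api.rb, or moving both onto one shared helper, would leave a single implementation to audit. The comment above it, in context, still says "within the permitted subnet"; with a list it should read `# Check the UI browser source IP is within one of the permitted subnets`. The class body continues outside the hunk.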