211 lines
7.9 KiB
Ruby
211 lines
7.9 KiB
Ruby
#
|
|
# Copyright (c) 2006-2024 Wade Alcorn - wade@bindshell.net
|
|
# Browser Exploitation Framework (BeEF) - https://beefproject.com
|
|
# See the file 'doc/COPYING' for copying permission
|
|
#
|
|
require 'openssl'
|
|
|
|
module BeEF
|
|
module Extension
|
|
module Proxy
|
|
class Proxy
|
|
HB = BeEF::Core::Models::HookedBrowser
|
|
H = BeEF::Core::Models::Http
|
|
@response = nil
|
|
|
|
# Multi-threaded Tunneling Proxy: listens on host:port configured in extensions/proxy/config.yaml
|
|
# and forwards requests to the hooked browser using the Requester component.
|
|
def initialize
|
|
@conf = BeEF::Core::Configuration.instance
|
|
@proxy_server = TCPServer.new(@conf.get('beef.extension.proxy.address'), @conf.get('beef.extension.proxy.port'))
|
|
|
|
# setup proxy for SSL/TLS
|
|
ssl_context = OpenSSL::SSL::SSLContext.new
|
|
# ssl_context.ssl_version = :TLSv1_2
|
|
|
|
# load certificate
|
|
begin
|
|
cert_file = @conf.get('beef.extension.proxy.cert')
|
|
cert = File.read(cert_file)
|
|
ssl_context.cert = OpenSSL::X509::Certificate.new(cert)
|
|
rescue StandardError
|
|
print_error "[Proxy] Could not load SSL certificate '#{cert_file}'"
|
|
end
|
|
|
|
# load key
|
|
begin
|
|
key_file = @conf.get('beef.extension.proxy.key')
|
|
key = File.read(key_file)
|
|
ssl_context.key = OpenSSL::PKey::RSA.new(key)
|
|
rescue StandardError
|
|
print_error "[Proxy] Could not load SSL key '#{key_file}'"
|
|
end
|
|
|
|
ssl_server = OpenSSL::SSL::SSLServer.new(@proxy_server, ssl_context)
|
|
ssl_server.start_immediately = false
|
|
|
|
loop do
|
|
ssl_socket = ssl_server.accept
|
|
Thread.new ssl_socket, &method(:handle_request)
|
|
end
|
|
end
|
|
|
|
def handle_request(socket)
|
|
request_line = socket.readline
|
|
|
|
# HTTP method # defaults to GET
|
|
method = request_line[/^\w+/]
|
|
|
|
# Handle SSL requests
|
|
url_prefix = ''
|
|
if method == 'CONNECT'
|
|
# request_line is something like:
|
|
# CONNECT example.com:443 HTTP/1.1
|
|
host_port = request_line.split[1]
|
|
proto = 'https'
|
|
url_prefix = "#{proto}://#{host_port}"
|
|
loop do
|
|
line = socket.readline
|
|
break if line.strip.empty?
|
|
end
|
|
socket.puts("HTTP/1.0 200 Connection established\r\n\r\n")
|
|
socket.accept
|
|
print_debug("[PROXY] Handled CONNECT to #{host_port}")
|
|
request_line = socket.readline
|
|
end
|
|
|
|
method, _path, version = request_line.split
|
|
|
|
# HTTP scheme/protocol # defaults to http
|
|
proto = 'http' unless proto.eql?('https')
|
|
|
|
# HTTP version # defaults to 1.0
|
|
version = 'HTTP/1.0' if version !~ %r{\AHTTP/\d\.\d\z}
|
|
|
|
# HTTP request path
|
|
path = request_line[/^\w+\s+(\S+)/, 1]
|
|
|
|
# url # proto://host:port + path
|
|
url = url_prefix + path
|
|
|
|
# We're overwriting the URI::Parser UNRESERVED regex to prevent BAD URI errors
|
|
# when sending attack vectors (see tolerant_parser)
|
|
# anti: somehow the config below was removed, have a look into this
|
|
tolerant_parser = URI::Parser.new(UNRESERVED: BeEF::Core::Configuration.instance.get('beef.extension.requester.uri_unreserved_chars'))
|
|
uri = tolerant_parser.parse(url.to_s)
|
|
|
|
uri_path_and_qs = uri.query.nil? ? uri.path : "#{uri.path}?#{uri.query}"
|
|
|
|
# extensions/requester/api/hook.rb parses raw_request to find port and path
|
|
raw_request = "#{[method, uri_path_and_qs, version].join(' ')}\r\n"
|
|
content_length = 0
|
|
|
|
loop do
|
|
line = socket.readline
|
|
|
|
content_length = Regexp.last_match(1).to_i if line =~ /^Content-Length:\s+(\d+)\s*$/
|
|
|
|
if line.strip.empty?
|
|
# read data still in the socket, exactly <content_length> bytes
|
|
raw_request += "\r\n#{socket.read(content_length)}" if content_length >= 0
|
|
break
|
|
else
|
|
raw_request += line
|
|
end
|
|
end
|
|
|
|
# Saves the new HTTP request to the db. It will be processed by the PreHookCallback of the requester component.
|
|
# IDs are created and incremented automatically by DataMapper.
|
|
http = H.new(
|
|
request: raw_request,
|
|
method: method,
|
|
proto: proto,
|
|
domain: uri.host,
|
|
port: uri.port,
|
|
path: uri_path_and_qs,
|
|
request_date: Time.now,
|
|
hooked_browser_id: get_tunneling_proxy,
|
|
allow_cross_domain: 'true'
|
|
)
|
|
http.save
|
|
print_debug(
|
|
"[PROXY] --> Forwarding request ##{http.id}: " \
|
|
"domain[#{http.domain}:#{http.port}], " \
|
|
"method[#{http.method}], " \
|
|
"path[#{http.path}], " \
|
|
"cross domain[#{http.allow_cross_domain}]"
|
|
)
|
|
|
|
# Wait for the HTTP response to be stored in the db.
|
|
# TODO: re-implement this with EventMachine or with the Observer pattern.
|
|
sleep 0.5 while H.find(http.id).has_ran != 'complete'
|
|
@response = H.find(http.id)
|
|
print_debug "[PROXY] <-- Response for request ##{@response.id} to [#{@response.path}] on domain [#{@response.domain}:#{@response.port}] correctly processed"
|
|
|
|
response_body = @response['response_data']
|
|
response_status = @response['response_status_code']
|
|
headers = @response['response_headers']
|
|
|
|
# The following is needed to forward back some of the original HTTP response headers obtained via XHR calls.
|
|
# Original XHR response headers are stored in extension_requester_http table (response_headers column),
|
|
# but we are forwarding back only some of them (Server, X-.. - like X-Powered-By -, Content-Type, ... ).
|
|
# Some of the original response headers need to be removed, like encoding and cache related: for example
|
|
# about encoding, the original response headers says that the content-length is 1000 as the response is gzipped,
|
|
# but the final content-length forwarded back by the proxy is clearly bigger. Date header follows the same way.
|
|
response_headers = ''
|
|
if response_status != -1 && response_status != 0
|
|
ignore_headers = %w[
|
|
Content-Encoding
|
|
Keep-Alive
|
|
Cache-Control
|
|
Vary
|
|
Pragma
|
|
Connection
|
|
Expires
|
|
Accept-Ranges
|
|
Transfer-Encoding
|
|
Date
|
|
]
|
|
headers.each_line do |line|
|
|
# stripping the Encoding, Cache and other headers
|
|
header_key = line.split(': ')[0]
|
|
header_value = line.split(': ')[1]
|
|
next if header_key.nil?
|
|
next if ignore_headers.any? { |h| h.casecmp(header_key).zero? }
|
|
|
|
# ignore headers with no value (@todo: why?)
|
|
next if header_value.nil?
|
|
|
|
unless header_key == 'Content-Length'
|
|
response_headers += line
|
|
next
|
|
end
|
|
|
|
# update Content-Length with the valid one
|
|
response_headers += "Content-Length: #{response_body.size}\r\n"
|
|
end
|
|
end
|
|
|
|
res = "#{version} #{response_status}\r\n#{response_headers}\r\n#{response_body}"
|
|
socket.write(res)
|
|
socket.close
|
|
end
|
|
|
|
def get_tunneling_proxy
|
|
proxy_browser = HB.where(is_proxy: true).first
|
|
return proxy_browser.session.to_s unless proxy_browser.nil?
|
|
|
|
hooked_browser = HB.first
|
|
unless hooked_browser.nil?
|
|
print_debug "[Proxy] Proxy browser not set. Defaulting to first hooked browser [id: #{hooked_browser.session}]"
|
|
return hooked_browser.session
|
|
end
|
|
|
|
print_error '[Proxy] No hooked browsers'
|
|
nil
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|