beefproject / beef

The Browser Exploitation Framework Project
https://beefproject.com

ARE rules accumulating each time beef starts #1751

Closed rgritzo closed 2 years ago

rgritzo commented 5 years ago

beef version: [ 3:00:51][*] Browser Exploitation Framework (BeEF) 0.4.7.4-alpha-pre on ubuntu 18.04 LTS (latest).

Seems like each time the framework loads, any modules get loaded into the database in an "append" fashion, instead of any modules that are in the "enabled" folder getting loaded and overwriting the database of loaded modules.

With a single module enabled, restarting the framework multiple times kept adding the enabled module in; eventually, after 7 restarts, I had the same module enabled 7 times...

e.g.: [ 3:04:25] |_ Triggering ruleset [1, 2, 3, 4, 5, 6, 7] on HB 15

but:
user@user:~$ ls ./beef/arerules/enabled/
alert.json README

Once the browser was hooked and the ARE rules ran, sure enough, it popped up 7 alerts...

I had to use the RESTful API to clear out the rules 2 - 7.

r.

bcoles commented 5 years ago

Are you talking about modules or rules? It seems you're talking about ARE rules.

bcoles commented 5 years ago

Confirmed.

[20:03:31][*] [ARE] Checking if any defined rules should be triggered on target.
[20:03:31]    |_  Browser version check -> (hook) 60 ALL (rule) : true
[20:03:31]    |_  OS version check -> (hook)  ALL (rule): true
[20:03:31]    |_  Hooked browser and OS type/version MATCH rule: Display an alert.
[20:03:31]    |_  Browser version check -> (hook) 60 ALL (rule) : true
[20:03:31]    |_  OS version check -> (hook)  ALL (rule): true
[20:03:31]    |_  Hooked browser and OS type/version MATCH rule: Display an alert.
[20:03:31]    |_  Found [2/2] ARE rules matching the hooked browser type/version.
[20:03:31]    |_  Preparing JS for command id [1], module [alert_dialog]
[20:03:31]    |   Final Modules Wrapper:
[20:03:31]    |    
[20:03:31]    |                   var alert_dialog_a23d832123 = function(){
[20:03:31]    |                       beef.execute(function() {
[20:03:31]    |     alert("You've been BeEFed ;>");
[20:03:31]    |     beef.net.send("/command/alert_dialog.js", 1, "text=You've been BeEFed ;>", beef.are.status_success());
[20:03:31]    |   });
[20:03:31]    |                   };
[20:03:31]    |                   var alert_dialog_a23d832123_can_exec = false;
[20:03:31]    |                   var alert_dialog_a23d832123_mod_output = null;
[20:03:31]    |               
[20:03:31]    |_   setTimeout(function(){alert_dialog_a23d832123();}, 0); 
[20:03:31]    |_  Triggering ruleset [1, 2] on HB 2
[20:03:31]    |_  Preparing JS for command id [2], module [alert_dialog]
[20:03:31]    |   Final Modules Wrapper:
[20:03:31]    |    
[20:03:31]    |                   var alert_dialog_1be2bbd878 = function(){
[20:03:31]    |                       beef.execute(function() {
[20:03:31]    |     alert("You've been BeEFed ;>");
[20:03:31]    |     beef.net.send("/command/alert_dialog.js", 2, "text=You've been BeEFed ;>", beef.are.status_success());
[20:03:31]    |   });
[20:03:31]    |                   };
[20:03:31]    |                   var alert_dialog_1be2bbd878_can_exec = false;
[20:03:31]    |                   var alert_dialog_1be2bbd878_mod_output = null;
[20:03:31]    |               
[20:03:31]    |_   setTimeout(function(){alert_dialog_1be2bbd878();}, 0); 
[20:03:31]    |_  Triggering ruleset [1, 2] on HB 2

One potential workaround is to run BeEF with the -x flag: ./beef -x

This will prevent duplicating ARE rules; however, it will also wipe everything in the database, including all previously hooked browsers, command module results, etc.

jackdwalker commented 4 years ago

I think this is likely linked to #1968 but its presence was being blocked by #1932. Should be resolved when #1968 is fixed.

bcoles commented 2 years ago

Closing as duplicate of #1968.
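
The accumulation reported in this thread, as an added Ruby example (not BeEF's code and not written by any participant here): the same rule file is loaded on every start, once by unconditional append and once by an insert keyed on a content digest. `RuleStore`, `load_enabled_rules`, `simulate` and the sample rule's field names are hypothetical.

```ruby
require 'json'
require 'digest'
require 'tmpdir'

# Hypothetical in-memory stand-in for the rules table (not BeEF's schema).
class RuleStore
  attr_reader :rows
  def initialize
    @rows = []
  end

  # Appends unconditionally: the accumulating behaviour reported above.
  def append(rule)
    @rows << { id: @rows.size + 1, digest: digest(rule), rule: rule }
    @rows.last
  end

  # Inserts only if no stored rule has the same canonical content.
  def upsert(rule)
    wanted = digest(rule)
    @rows.find { |row| row[:digest] == wanted } || append(rule)
  end

  private
  # Top-level keys are sorted so key order in the file does not change the digest.
  def digest(rule)
    Digest::SHA256.hexdigest(JSON.generate(rule.sort.to_h))
  end
end

# Loads every *.json file in dir with the chosen strategy; returns stored rule ids.
def load_enabled_rules(store, dir, strategy)
  Dir.glob(File.join(dir, '*.json')).sort.each do |path|
    store.public_send(strategy, JSON.parse(File.read(path)))
  end
  store.rows.map { |row| row[:id] }
end

# Simulates `restarts` starts against one persistent store and one rule file.
def simulate(strategy, restarts)
  Dir.mktmpdir do |dir|
    # Constructed sample rule; the field names are illustrative only.
    sample = { 'name' => 'Display an alert', 'modules' => ['alert_dialog'] }
    File.write(File.join(dir, 'alert.json'), JSON.generate(sample))
    store = RuleStore.new
    restarts.times.map { load_enabled_rules(store, dir, strategy) }.last
  end
end

puts "append=#{simulate(:append, 7)} upsert=#{simulate(:upsert, 7)}"
```

With the append strategy, seven starts leave seven copies of the one enabled rule; with the digest-keyed insert, the store still holds a single rule and earlier data is untouched.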