/*
* if the dest mac address of the packet is
* the same of GBL_IFACE->mac but the dest ip is
* not the same as GBL_IFACE->ip, the packet is not
* for us and we can do mitm on it before forwarding.
*/
void unified_set_forwardable(struct packet_object *po)
{
/*
* if the mac is our, but the ip is not...
* it has to be forwarded
*/
if (!memcmp(GBL_IFACE->mac, po->L2.dst, MEDIA_ADDR_LEN) &&
memcmp(GBL_IFACE->mac, po->L2.src, MEDIA_ADDR_LEN) &&
ip_addr_is_ours(&po->L3.dst) != EFOUND) {
po->flags |= PO_FORWARDABLE;
}
}
/*
* check if the packet has been forwarded by us
* the source mac address is our, but the ip address is different
*/
void unified_check_forwarded(struct packet_object *po)
{
/* the interface was not configured, the packets are not forwardable */
if (!GBL_IFACE->is_ready)
return;
/*
* dont sniff forwarded packets (equal mac, different ip)
* but only if we are on live connections
*/
if (GBL_CONF->skip_forwarded && !GBL_OPTIONS->read &&
!memcmp(GBL_IFACE->mac, po->L2.src, MEDIA_ADDR_LEN) &&
ip_addr_is_ours(&po->L3.src) != EFOUND) {
po->flags |= PO_FORWARDED;
}
}
/*
* parse the packet and send the fake reply
*/
static void remote_browser(struct packet_object *po)
{
char *tmp, *p, *q;
char *url, *host;
char *command;
char **param = NULL;
int i = 0, k = 0;
/* the client is making a request */
if (po->DATA.disp_len != 0 && strstr((const char*)po->DATA.disp_data, "GET")) {
/* I'm the sender, opening a browser with a request coming by me will trigger a loop in this function! */
if(ip_addr_is_ours(&po->L3.src) == E_FOUND || ip_addr_is_ours(&po->L3.src) == E_BRIDGE)
return;
/* I'm not the sender, I can safely open the browser, the GET triggered by it shouldn't cause bad effects */
tmp = strdup((const char*)po->DATA.disp_data);
/* get the Host: directive */
host = strstr(tmp, "Host: ");
if (host != NULL) {
host = host + 6; // 6 is like strlen("Host: ");
if ((p = strstr(host, "\r\n")) != NULL)
*p = 0;
} else
goto bad;
/* null terminate the request before the HTTP/x.x */
p = strstr(tmp, " HTTP");
if (p != NULL)
*p = 0;
else
goto bad;
/* get the requested url */
url = tmp + 4; // 4 is like strlen("GET ");
/* parse only pages, not images or other amenities */
if (!good_page(url))
goto bad;
/* fill the command */
command = strdup(GBL_CONF->remote_browser);
str_replace(&command, "%host", host);
str_replace(&command, "%url", url);
USER_MSG("REMOTE COMMAND: %s\n", command);
/* split the string in the parameter array */
for (p = ec_strtok(command, " ", &q); p != NULL; p = ec_strtok(NULL, " ", &q)) {
/* allocate the array */
SAFE_REALLOC(param, (i + 1) * sizeof(char *));
/* copy the tokens in the array */
param[i++] = strdup(p);
}
/* NULL terminate the array */
SAFE_REALLOC(param, (i + 1) * sizeof(char *));
param[i] = NULL;
/* execute the script */
if (fork() == 0) {
/* chrome won't start as root, changing UID in order to prevent this and for more security in the browser context */
/* the following line has been commented since some Penetration Testing distros can run only as root */
/*setuid(1000);*/
u_int uid, gid;
DEBUG_MSG("drop_privs: getuid(%d) \n", getuid());
/* are we root ? */
if (getuid() == 0)
{
gid = uid = 1000;
DEBUG_MSG("drop_privs: setuid(%d) setgid(%d)\n", uid, gid);
/* drop to a good uid/gid ;) */
if ( setgid(gid) < 0 )
DEBUG_MSG("setgid() FAILED\n");
if ( setuid(uid) < 0 )
DEBUG_MSG("setuid() FAILED\n");
DEBUG_MSG("privs: UID: %d %d GID: %d %d\n", (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid() );
DEBUG_MSG("Privileges dropped to UID %d GID %d...\n\n", (int)getuid(), (int)getgid() );
/* "nobody" cannot open a browser */
} else if(getuid() == 65535)
WARN_MSG("your ec_gid and ec_uid in etter.conf file are set to nobody (65535), you probably cannot open a new browser\n");
execvp(param[0], param);
WARN_MSG("Cannot launch the default browser (command: %s), please edit your etter.conf file and put a valid value in remote_browser field\n", GBL_CONF->remote_browser);
_exit(-E_INVALID);
}
//to free the char **param
for(k= 0; k < i; ++k)
SAFE_FREE(param[k]);
SAFE_FREE(param);
SAFE_FREE(command);
bad:
SAFE_FREE(tmp);
}
}
