/*
 * Mark a packet that is addressed to our MAC address but not to one of
 * our IP addresses: the sender is using us as its gateway, so the packet
 * is not for us and has to be forwarded once the mitm hooks have seen it.
 *
 * po: the packet; its L2.dst, L2.src and L3.dst are read and
 *     PO_FORWARDABLE may be OR-ed into po->flags.
 *
 * Packets whose source MAC is ours as well are never flagged: those are
 * our own transmissions, not traffic to relay.
 */
void unified_set_forwardable(struct packet_object *po)
{
   /* not sent to our MAC: ordinary sniffed traffic, nothing to relay */
   if (memcmp(GBL_IFACE->mac, po->L2.dst, MEDIA_ADDR_LEN) != 0)
      return;

   /* sent from our MAC: it is our own traffic */
   if (memcmp(GBL_IFACE->mac, po->L2.src, MEDIA_ADDR_LEN) == 0)
      return;

   /* destined to one of our IP addresses: really for us, not to relay */
   if (ip_addr_is_ours(&po->L3.dst) == EFOUND)
      return;

   po->flags |= PO_FORWARDABLE;
}
/*
 * Flag packets that were forwarded by us: the source MAC address is
 * ours while the source IP address is not, i.e. traffic we relayed on
 * behalf of another host. The caller uses PO_FORWARDED to skip sniffing
 * such packets.
 *
 * po: the packet; L2.src and L3.src are read and PO_FORWARDED may be
 *     OR-ed into po->flags.
 *
 * Only done on a live capture (not while reading a file, GBL_OPTIONS->read)
 * and only when the configuration asks for it (GBL_CONF->skip_forwarded).
 */
void unified_check_forwarded(struct packet_object *po)
{
   /* the interface is not configured yet: we cannot have forwarded anything */
   if (!GBL_IFACE->is_ready)
      return;

   /* feature disabled, or not a live capture */
   if (!GBL_CONF->skip_forwarded || GBL_OPTIONS->read)
      return;

   /* not sent from our MAC: it was not relayed by us */
   if (memcmp(GBL_IFACE->mac, po->L2.src, MEDIA_ADDR_LEN) != 0)
      return;

   /* our MAC and our IP: genuinely ours, not a forwarded packet */
   if (ip_addr_is_ours(&po->L3.src) == EFOUND)
      return;

   po->flags |= PO_FORWARDED;
}
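/*
 * Host header charset: letters, digits and the few punctuation
 * characters a hostname, IP literal or :port can carry. Returns 1 when
 * s is non-empty and made only of those, 0 otherwise.
 */
static int remote_browser_valid_host(const char *s)
{
   if (*s == '\0')
      return 0;

   for (; *s != '\0'; s++) {
      unsigned char c = (unsigned char)*s;
      if (!isalnum(c) && strchr(".-:[]_", c) == NULL)
         return 0;
   }
   return 1;
}

/*
 * Request target charset: printable ASCII with no blanks or control
 * characters, so that once substituted into the command line it stays
 * a single argv entry and carries no CR/LF. Returns 1 when s is
 * non-empty and acceptable, 0 otherwise.
 */
static int remote_browser_valid_url(const char *s)
{
   if (*s == '\0')
      return 0;

   for (; *s != '\0'; s++) {
      if (!isgraph((unsigned char)*s))
         return 0;
   }
   return 1;
}

/*
 * Extract the request target and the Host header from req, a NUL
 * terminated copy of the request starting with "GET ", terminating each
 * in place. On success *host and *url point into req and 0 is returned;
 * -1 when either is missing or fails the charset checks above.
 */
static int remote_browser_parse(char *req, char **host, char **url)
{
   char *p;

   /* the Host: directive, cut at the end of its line */
   p = strstr(req, "Host: ");
   if (p == NULL)
      return -1;
   *host = p + strlen("Host: ");
   p = strstr(*host, "\r\n");
   if (p != NULL)
      *p = '\0';

   /* the request line, cut before the " HTTP/x.x" */
   p = strstr(req, " HTTP");
   if (p == NULL)
      return -1;
   *p = '\0';
   *url = req + strlen("GET ");

   if (!remote_browser_valid_host(*host) || !remote_browser_valid_url(*url))
      return -1;

   return 0;
}

/*
 * Split the expanded command line on blanks (ec_strtok, which modifies
 * command in place) into a NULL terminated argv. Every entry and the
 * array itself are malloc'd and owned by the caller. Returns the array
 * and stores the entry count in *count, or NULL (with *count = 0) when
 * the command is empty or an allocation fails.
 */
static char **remote_browser_argv(char *command, int *count)
{
   char **argv = NULL;
   char *tok, *save;
   int n = 0;

   for (tok = ec_strtok(command, " ", &save); tok != NULL; tok = ec_strtok(NULL, " ", &save)) {
      /* one slot for the token plus one for the trailing NULL */
      SAFE_REALLOC(argv, (n + 2) * sizeof(char *));
      argv[n] = strdup(tok);
      if (argv[n] == NULL) {
         for (int k = 0; k < n; k++)
            SAFE_FREE(argv[k]);
         SAFE_FREE(argv);
         *count = 0;
         return NULL;
      }
      n++;
   }

   /* an empty command would otherwise reach execvp(NULL, ...) */
   if (n == 0) {
      *count = 0;
      return NULL;
   }

   argv[n] = NULL;
   *count = n;
   return argv;
}

/*
 * Child side only: switch to an unprivileged uid/gid before exec'ing the
 * browser. Some browsers refuse to start as root, and the browser must
 * not inherit our privileges anyway. The fallback id 1000 is the value
 * the previous code hard-coded; NOTE(review): the warning below refers
 * to ec_uid/ec_gid in etter.conf - consider using those instead.
 *
 * A failed drop terminates the child: it must never fall through to
 * execvp() while still privileged.
 */
static void remote_browser_drop_privs(void)
{
   const uid_t uid = 1000;
   const gid_t gid = 1000;

   DEBUG_MSG("drop_privs: getuid(%d) \n", (int)getuid());

   if (getuid() != 0) {
      /* "nobody" cannot open a browser */
      if (getuid() == 65535)
         WARN_MSG("your ec_gid and ec_uid in etter.conf file are set to nobody (65535), you probably cannot open a new browser\n");
      return;
   }

   DEBUG_MSG("drop_privs: setuid(%d) setgid(%d)\n", (int)uid, (int)gid);

   /* supplementary groups first, then gid, then uid: once the uid is
    * gone the group ids can no longer be changed */
   if (setgroups(0, NULL) < 0) {
      DEBUG_MSG("setgroups() FAILED\n");
      _exit(-E_INVALID);
   }
   if (setgid(gid) < 0) {
      DEBUG_MSG("setgid() FAILED\n");
      _exit(-E_INVALID);
   }
   if (setuid(uid) < 0) {
      DEBUG_MSG("setuid() FAILED\n");
      _exit(-E_INVALID);
   }
   /* the drop has to be irreversible */
   if (setuid(0) == 0) {
      DEBUG_MSG("drop_privs: root privileges could be regained, aborting\n");
      _exit(-E_INVALID);
   }

   DEBUG_MSG("privs: UID: %d %d GID: %d %d\n", (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid());
   DEBUG_MSG("Privileges dropped to UID %d GID %d...\n\n", (int)getuid(), (int)getgid());
}

/*
 * Parse the HTTP GET request carried by the packet and launch the
 * browser configured in GBL_CONF->remote_browser on the same page
 * (%host and %url in the command are replaced by the request's values).
 *
 * po: the sniffed packet; DATA.disp_data/disp_len (the payload) and
 *     L3.src are read, nothing in it is modified.
 *
 * The payload is untrusted: it is copied bounded by disp_len (disp_data
 * is not assumed to be NUL terminated) and the Host/url values are used
 * only if they pass the charset checks, because every blank in the
 * expanded command becomes a separate argv entry of the browser.
 *
 * Requests sent by this host are ignored: the browser we launch issues
 * its own GET, which would otherwise re-enter here and loop.
 */
static void remote_browser(struct packet_object *po)
{
   char *req = NULL;                /* NUL terminated copy of the payload, owned here */
   char *host = NULL, *url = NULL;  /* point into req */
   char *command = NULL;            /* expanded command line, owned here */
   char **param = NULL;             /* argv built from command, owned here */
   int nparam = 0;
   int ours;
   pid_t pid;

   /* only a GET request line is handled */
   if (po->DATA.disp_len < 4 || po->DATA.disp_data == NULL ||
       memcmp(po->DATA.disp_data, "GET ", 4) != 0)
      return;

   /* I'm the sender: loop protection, see above */
   ours = ip_addr_is_ours(&po->L3.src);
   if (ours == E_FOUND || ours == E_BRIDGE)
      return;

   /* bounded copy: strdup() would scan past disp_len looking for a NUL */
   req = malloc((size_t)po->DATA.disp_len + 1);
   if (req == NULL)
      return;
   memcpy(req, po->DATA.disp_data, po->DATA.disp_len);
   req[po->DATA.disp_len] = '\0';

   if (remote_browser_parse(req, &host, &url) != 0)
      goto cleanup;

   /* parse only pages, not images or other amenities */
   if (!good_page(url))
      goto cleanup;

   /* no command configured: nothing to launch */
   if (GBL_CONF->remote_browser == NULL)
      goto cleanup;

   /* fill the command */
   command = strdup(GBL_CONF->remote_browser);
   if (command == NULL)
      goto cleanup;
   str_replace(&command, "%host", host);
   str_replace(&command, "%url", url);

   USER_MSG("REMOTE COMMAND: %s\n", command);

   param = remote_browser_argv(command, &nparam);
   if (param == NULL)
      goto cleanup;

   /* execute the script */
   pid = fork();
   if (pid < 0) {
      DEBUG_MSG("remote_browser: fork() FAILED\n");
      goto cleanup;
   }
   if (pid == 0) {
      /* child: never run the browser with our (usually root) privileges */
      remote_browser_drop_privs();
      execvp(param[0], param);
      WARN_MSG("Cannot launch the default browser (command: %s), please edit your etter.conf file and put a valid value in remote_browser field\n", GBL_CONF->remote_browser);
      _exit(-E_INVALID);
   }
   /* NOTE(review): the child is not reaped here; presumably SIGCHLD is
    * handled elsewhere in ettercap - confirm */

cleanup:
   if (param != NULL) {
      for (int k = 0; k < nparam; k++)
         SAFE_FREE(param[k]);
      SAFE_FREE(param);
   }
   SAFE_FREE(command);
   SAFE_FREE(req);
}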