Ettercap / ettercap

Ettercap Project
http://www.ettercap-project.org
GNU General Public License v2.0
2.37k stars 494 forks source link

Replace filter does not work #1108

Closed roflware closed 3 years ago

roflware commented 3 years ago

Please let me know if I am misunderstanding the usage of replace, but I can't seem to get it to work with my UDP requests. I compile the below script to search for an entire string of hex, and replace it with another string of hex. For the latest version of ettercap, I am experiencing this issue. I receive the message that it has hit the if statement, but no modifications are made. Is there anything that I'm doing wrong in my setup? The hex here is just an example, but it is rather long (198 bytes). But, I have this issue no matter the size.

if (search(DATA.data, "\xff\xad")) {
        replace("\xff\xad", "\xff\x00");
        msg("Replaced");
    }

Compile: etterfilter replace.filter -o replace.ef Run: ettercap -T -q -F replace.ef -M ARP /192.168.1.x// ///

Let me know if I'm missing something here. I'm running this from one VM, targeting the other VM, 192.168.1.x.

koeppea commented 3 years ago

Let me try to reproduce.

koeppea commented 3 years ago

I've tried to reproduce but it was working for me:

root@vm-kali64:~# 
root@vm-kali64:~# cat udp-replace.ecf 
if (search(DATA.data, "\xff\xad")) {
  replace("\xff\xad", "\xff\x00");
  msg("Replaced");
}

root@vm-kali64:~# 
root@vm-kali64:~# 
root@vm-kali64:~# etterfilter -o /tmp/udp-replace.ef udp-replace.ecf 

etterfilter 0.8.3.1 copyright 2001-2020 Ettercap Development Team

 14 protocol tables loaded:
    DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth 

 13 constants loaded:
    VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP 

 Parsing source file 'udp-replace.ecf'  done.

 Unfolding the meta-tree  done.

 Converting labels to real offsets  done.

 Writing output to '/tmp/udp-replace.ef'  done.

 -> Script encoded into 4 instructions.

root@vm-kali64:~# 
root@vm-kali64:~# 
root@vm-kali64:~# 
root@vm-kali64:~# ettercap -Tq -F /tmp/udp-replace.ef -M arp:remote /172.21.21.34// ///

ettercap 0.8.3.1 copyright 2001-2020 Ettercap Development Team

Content filters loaded from /tmp/udp-replace.ef...
Listening on:
  eth0 -> 08:00:27:6D:34:03
      172.21.21.45/255.255.255.0
      fe80::a00:27ff:fe6d:3403/64

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.
Privileges dropped to EUID 65534 EGID 65534...

  34 plugins
  42 protocol dissectors
  57 ports monitored
28230 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

Scanning for merged targets (1 hosts)...

* |==================================================>| 100.00 %

10 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : 172.21.21.34 08:00:27:7E:2C:B7

 GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

Replaced

as you can see the payload has been replaced:

udp-replace

However please note, that I've explicitely saved the compiled filter under /tmp where everybody has access. Ettercap is by default dropping it's own permissions to nobody, hence it would then not be able to read the filter.

Try storing your compiled filter file also under /tmp. Reopen the issue if it doesn't help.