Ettercap / ettercap

Ettercap Project
http://www.ettercap-project.org
GNU General Public License v2.0

Replace filter does not work #1108

Closed roflware closed 3 years ago

roflware commented 3 years ago

Please let me know if I am misunderstanding the usage of replace, but I can't seem to get it to work with my UDP requests. I compile the below script to search for an entire string of hex, and replace it with another string of hex. For the latest version of ettercap, I am experiencing this issue. I receive the message that it has hit the if statement, but no modifications are made. Is there anything that I'm doing wrong in my setup? The hex here is just an example, but it is rather long (198 bytes). But, I have this issue no matter the size.

if (search(DATA.data, "\xff\xad")) {
    replace("\xff\xad", "\xff\x00");
    msg("Replaced");
}

Compile: etterfilter replace.filter -o replace.ef
Run: ettercap -T -q -F replace.ef -M ARP /192.168.1.x// ///

Let me know if I'm missing something here. I'm running this from one VM, targeting the other VM, 192.168.1.x.

koeppea commented 3 years ago

Let me try to reproduce.

koeppea commented 3 years ago

I've tried to reproduce but it was working for me:

root@vm-kali64:~# 
root@vm-kali64:~# cat udp-replace.ecf 
if (search(DATA.data, "\xff\xad")) {
  replace("\xff\xad", "\xff\x00");
  msg("Replaced");
}

root@vm-kali64:~# 
root@vm-kali64:~# 
root@vm-kali64:~# etterfilter -o /tmp/udp-replace.ef udp-replace.ecf 

etterfilter 0.8.3.1 copyright 2001-2020 Ettercap Development Team

 14 protocol tables loaded:
    DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth 

 13 constants loaded:
    VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP 

 Parsing source file 'udp-replace.ecf'  done.

 Unfolding the meta-tree  done.

 Converting labels to real offsets  done.

 Writing output to '/tmp/udp-replace.ef'  done.

 -> Script encoded into 4 instructions.

root@vm-kali64:~# 
root@vm-kali64:~# 
root@vm-kali64:~# 
root@vm-kali64:~# ettercap -Tq -F /tmp/udp-replace.ef -M arp:remote /172.21.21.34// ///

ettercap 0.8.3.1 copyright 2001-2020 Ettercap Development Team

Content filters loaded from /tmp/udp-replace.ef...
Listening on:
  eth0 -> 08:00:27:6D:34:03
      172.21.21.45/255.255.255.0
      fe80::a00:27ff:fe6d:3403/64

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.
Privileges dropped to EUID 65534 EGID 65534...

  34 plugins
  42 protocol dissectors
  57 ports monitored
28230 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

Scanning for merged targets (1 hosts)...

* |==================================================>| 100.00 %

10 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : 172.21.21.34 08:00:27:7E:2C:B7

 GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

Replaced

as you can see the payload has been replaced:

[screenshot: udp-replace]

However please note, that I've explicitly saved the compiled filter under /tmp where everybody has access. Ettercap is by default dropping its own permissions to nobody, hence it would then not be able to read the filter.

Try storing your compiled filter file also under /tmp. Reopen the issue if it doesn't help.
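The failure mode in this thread is a file-permission one: ettercap drops to EUID/EGID 65534 after startup, so a compiled filter that only root can read (or that sits in a directory nobody cannot traverse) silently stops working. The following is an added example, not part of the Ettercap project and not code from this thread, that checks a compiled .ef file the way the unprivileged user would see it: every ancestor directory must carry the search (x) bit and the file itself the read (r) bit for uid/gid 65534. The uid/gid values come from the "Privileges dropped" line above; the function name and output format are this example's own.

```python
"""Check whether a compiled ettercap filter (.ef) stays readable after
ettercap drops privileges to the unprivileged uid/gid (65534 by default).
Added example; the helper names and the report format are assumptions."""
import os
import stat
import sys

DROP_UID = 65534  # EUID ettercap reported after "Privileges dropped to EUID 65534"
DROP_GID = 65534  # EGID from the same line


def _allowed(st, uid, gid, owner_bit, group_bit, other_bit):
    """Classic Unix check: the owner class applies if uid matches, otherwise the
    group class if gid matches, otherwise the 'other' class."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def filter_access_problems(path, uid=DROP_UID, gid=DROP_GID):
    """Return a list of (path, reason) tuples describing why uid/gid could not
    open `path` for reading. An empty list means the filter would load after
    the privilege drop. Ancestor directories need the search (x) bit; the
    file itself needs the read (r) bit."""
    problems = []
    abspath = os.path.realpath(path)
    parts = abspath.split(os.sep)
    current = os.sep
    # Walk /, /tmp, /tmp/sub, ... up to (but excluding) the file itself.
    for part in parts[1:-1]:
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append((current, "directory does not exist"))
            return problems
        if not _allowed(st, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append((current, "directory not searchable (no x bit) for uid %d" % uid))
    try:
        st = os.stat(abspath)
    except FileNotFoundError:
        problems.append((abspath, "file does not exist"))
        return problems
    if not _allowed(st, uid, gid, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append((abspath, "file not readable (no r bit) for uid %d" % uid))
    return problems


if __name__ == "__main__":
    # Usage: python check_ef.py /tmp/udp-replace.ef
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/udp-replace.ef"
    found = filter_access_problems(target)
    if not found:
        print("%s: readable by uid %d after privilege drop" % (target, DROP_UID))
    for p, why in found:
        print("%s: %s" % (p, why))
```

Run it against the path you pass to -F before starting ettercap; a filter compiled in root's home directory typically fails on the home directory's missing x bit for "other", which is exactly why moving the .ef file to /tmp makes the replace work.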