Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 13:30

All times are UTC [ DST ]





 Post subject: Proxocket
PostPosted: 04 Nov 2008 15:32 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Tonight I have released my new project called Proxocket:

http://aluigi.org/mytoolz.htm#proxocket

in short, it is:
- a winsock sniffer for single applications which dumps any packet in a CAP file without requiring to run a real sniffer or admin privileges
- a packet manipulator: through the easy editing of a custom dll it is possible to control any packet sent and received by a specific application

the first feature is something similar to what is possible to capture with WPE PRO but a lot better because it supports more protocols and other information and, moreover, doesn't need to be injected in the process; the only thing you must do to use it is place its ws2_32.dll file in the folder of the application to monitor.

for example if you place ws2_32.dll in "C:\program files\Firefox" and launch Firefox, a proxocket_DATE.cap file will be created which will contain all the data sent and received by that session of Firefox in tcpdump format (so readable with any graphical sniffer like Wireshark).
So, unlike a classical sniffer, you can use it even if you have torrent, emule or any other bandwidth consumer program running at the same moment without affecting the packets captured by Proxocket.

the second feature instead is more interesting because it allows anyone to handle the packets of an application without losing days in building a hooker, injector or thinking of other solutions.
all you must do is get the myproxocket.c base code available in the package, add your code in myrecvfrom or the other available functions, compile it as a dll and place it with the proxocket ws2_32.dll in the folder of the program.

this allows you to create various things in some minutes like a rudimentary firewall which bans any IP which sends a specific sequence of bytes (for example for blocking an unpatched vulnerability) or an entire range of malicious IP addresses, a real-time decrypter/uncompressor/parser for a specific protocol (for example for ventrilo, or the various games which use compressors like the Doom ports) or testing a vulnerability (I have converted the q3unban plugin for sudppipe in a proxocket dll in less than 30 seconds) and so on... all without wasting time or other limitations.

anyway this is the first version so any feedback and suggestion is welcome.


 
 
 Post subject: Re: Proxocket
PostPosted: 05 Nov 2008 09:44 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Ah Thanks Luigi ;) Looks quite awesome. I tested it on MSN and it captures very nicely. I can open the .cap in commview (my favorite and prolly the best packet editor). I haven't tried editing, but it seems easy enough, like adding a rule in a packet editor. I will surely test editing of packets soon and see how it works.
What's the difference between wsock32.dll and ws2_32.dll? because one of them is crashing msn and avant.

:) There's basically so much to do with this tool.


Edit
umm. how do you compile myproxocket.c as a .dll? I tried to compile it to object code, but got a lot of errors. I assume that mingw can do it?!


 
 Post subject: Re: Proxocket
PostPosted: 05 Nov 2008 13:29 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ws2_32 and wsock32 have the same "capture/manipulation" functions but Winsock is divided into these two dlls, so some programs (usually the old ones) are linked to wsock32.dll while all the others to ws2_32.dll

myproxocket can be easily compiled with: gcc -s -O2 -shared -o myproxocket.dll myproxocket.c

anyway the gcc command-line was already included at the end of the commented header at the beginning of myproxocket.c


 
 Post subject: Re: Proxocket
PostPosted: 05 Nov 2008 17:24 

Joined: 24 Aug 2008 17:06
Posts: 24
This is very interesting this could be useful for many applications


 
 Post subject: Re: Proxocket
PostPosted: 05 Nov 2008 21:32 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Quote:
anyway the gcc command-line was already included at the end of the commented header at the beginning of myproxocket.c

sometimes i just don't see things that are under my nose, happens doh. I only took a quick look at it and tested capture. I'll make more tests with it soon.

Quote:
This is very interesting this could be useful for many applications

yes indeed. so far i had to use the "tamper data" addon for firefox or some dumb java based proxies like webscarab and paros. Of course webscarab, paros, tamper data, achilles..etc are not even close to this. Because all of those proxies allow only one rule (tamper data does not allow rules at all, you have to manually edit each packet).


 
 Post subject: Re: Proxocket
PostPosted: 06 Nov 2008 17:11 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
blah. somehow i don't understand shit anymore.
well just in case, to make things CLEAR. let's say i want to prevent a program from binding itself to 192.168.1.1
so i have to use this:
Code:
int mybind(SOCKET s, const struct sockaddr *name, int namelen) {
    // for avoiding the binding of a certain port or IP
    return(0);
}

but where exactly do i enter the ip there?

..and as usual...i totally overlooked some stuff. tried to compile and got a lot of errors. was about to ask, but then i found out that i forgot to put the other source files into the same directory LOL.




 
 Post subject: Re: Proxocket
PostPosted: 06 Nov 2008 19:13 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Code:
if(((struct sockaddr_in *)name)->sin_addr.s_addr == inet_addr("192.168.1.1")) return(-1);
anyway remember that mybind is executed AFTER the real bind so this has only a partial effect.

As written in myproxocket.c the my* functions are still experimental and I still need to find a better way to handle some functions like myconnect and mybind because it is probably better to handle them BEFORE the real one.

Any idea is welcome, I plan to release a 0.1.1 version in these days for optimizing the my* functions with things like, for example, if in mysend() you return -1 the real send() will not be called.
I want to add that thing because, for those who don't know it, the sending of zero bytes forces the other endpoint of the connection to close it, so if the user wants to avoid the sending of a specific packet or data it's enough that he returns -1 or 0 in mysend* and the real function will not be called, avoiding the disconnection.


 
 Post subject: Re: Proxocket
PostPosted: 06 Nov 2008 21:23 

Joined: 16 Aug 2007 06:25
Posts: 367
Thanks Luigi, very nice tool.


 
 Post subject: Re: Proxocket
PostPosted: 06 Nov 2008 22:58 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
it's quite confusing. i mean i know a thing or two about C..and if I don't get it, then prolly most ppl don't understand shit hehe.

so where did all that come from?
Code:
if(((struct sockaddr_in *)name)->sin_addr.s_addr == inet_addr("192.168.1.1")) return(-1);

can you put some examples into myproxocket when you release the next version? I mean full examples like this one. it could really save some time for a lot of ppl, including me this time :)
actually this bind could solve the problem i was having before. instead of binding the program to a specific device, i can block the other adapter. so for example if i have Wireless and LAN (or LAN1 and LAN2), i can simply block the LAN address so the program would use Wireless (or block LAN1 so it would use LAN2). It doesn't matter if it binds the program to all adapters or not. if it's blocked then it can't use the ip and should start using the secondary one. for example if i have LAN1 and LAN2 (where LAN1 is 20mbit and LAN2 is 5mbit) then by default windows should use LAN1, because it's faster, but if LAN1 stops responding it automatically switches to LAN2.


 
 Post subject: Re: Proxocket
PostPosted: 06 Nov 2008 23:48 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ok, in the next version I will also add some commented examples in myproxocket.c

anyway for your problem (from what I have understood) what you need to do is something like the following:
Code:
int mybind(SOCKET s, const struct sockaddr *name, int namelen) {
    ((struct sockaddr_in *)name)->sin_addr.s_addr = inet_addr("IP_of_the_interface_you_want_to_bind");
    return(0);
}
but this will work in the next version when I place mybind before the real bind


 
 Post subject: Re: Proxocket
PostPosted: 07 Nov 2008 13:25 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
bah i misunderstood. can't you make a filter that will BLOCK the interface?
so if i have LAN1 and LAN2, then instead of binding it to LAN2 i would block LAN1 so the application will be forced to use LAN2. I thought it's for blocking the IP (interface).


 
 Post subject: Re: Proxocket
PostPosted: 07 Nov 2008 23:55 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
released version 0.1.1
and yes sethioz, I have successfully redirected the bind function, binding 127.0.0.1 instead of my ethernet one which was forced in the main program.
I have also redirected the connect() function with success... very funny.


 
 Post subject: Re: Proxocket
PostPosted: 08 Nov 2008 15:09 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
well i tested the bind, but it doesn't block the interface, blah.

Code:
int mybind(SOCKET s, const struct sockaddr *name, int namelen) {
    // example: avoid the binding of interface 192.168.0.1, the main program could quit
    if(((struct sockaddr_in *)name)->sin_addr.s_addr == inet_addr("192.168.1.64")) return(-1);
    return(0);
}

this is what i used (deleted the other functions of course) and used this command to compile:
Code:
gcc -s -O2 -shared -o myproxocket.dll myproxocket.c

it compiled fine, but when i moved myproxocket.dll and ws2_32.dll into the avant browser folder, then it only captured, but did not block my primary interface.


 
 Post subject: Re: Proxocket
PostPosted: 08 Nov 2008 19:25 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
well we figured this one out over msn, but here are a few more questions :)
i could have waited for you to come back on msn, but other ppl may find it interesting too i think.
I dunno about you Luigi, why you didn't get it working perfectly, but it did work just fine for me in msn. the last code you sent me worked just perfectly. this one:

Code:
int mysend(SOCKET s, u_char *buf, int len, int flags) {
    int     i;

    for(i = 0; i <= (len - 4); i++) {
        if(!memcmp(buf + i, "test", 4)) memcpy(buf + i, "blah", 4);
    }
    return(len);
}


but now i have 2 questions:

1. why does HEX not work?
it is the same as before, only that i used HEX values this time, but it had no effect, guess i made a chaos again :)
Code:
int mysend(SOCKET s, u_char *buf, int len, int flags) {
    int     i;

    for(i = 0; i <= (len - 16); i++) {
        if(!memcmp(buf + i, "\x74\x65\x73\x74", 16)) memcpy(buf + i, "\x62\x6C\x61\x68", 16);
    }
    return(len);
}


2. what if i want to replace "test" with "blahx2blah" (with a longer string) OR "testtest" with "blah"
Code:
int mysend(SOCKET s, u_char *buf, int len, int flags) {
    int     i;

    for(i = 0; i <= (len - WHAT_DO_I_PUT_HERE); i++) {
        if(!memcmp(buf + i, "test", 4)) memcpy(buf + i, "blahx2blah", 10);
    }
    return(len);
}

so what do i put there? see what i mean?
when i tried to replace 2 bytes with 5 bytes then it screwed up my packets, by putting some blabla at the end of those 2 bytes


 
 Post subject: Re: Proxocket
PostPosted: 08 Nov 2008 22:16 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
that hex you wrote doesn't work because it's 4 bytes long and not 16 (\x61 is 1 byte, not 4 ih ih ih)

if you want to replace the original string with something which has a different length the thing is a bit longer and you must be sure that the "buf" of the original program is big enough to contain the new modification.
the following is a new function that you must add to your code and which will do ALL the job:
Code:
// u8 is the "unsigned char" typedef already used in myproxocket.c;
// strlen/memcmp/memmove/memcpy need <string.h>
int replaceme(u8 *buf, int len, u8 *old, u8 *new) {
    int     i,
            oldlen,
            newlen;

    oldlen = strlen((char *)old);
    newlen = strlen((char *)new);

    for(i = 0; i <= (len - oldlen); i++) {
        if(!memcmp(buf + i, old, oldlen)) {
            // shift the rest of the packet to make room for the new string (or close the gap)
            memmove(buf + i + newlen, buf + i + oldlen, len - (i + oldlen));
            memcpy(buf + i, new, newlen);
            len += (newlen - oldlen);
            i += (newlen - 1);  // continue after the inserted string, so it is never re-scanned
        }
    }
    return(len);
}
so in mysend() you must only add:
Code:
len = replaceme(buf, len, "test", "blahx2blah");


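An added example, not Proxocket's own code and not the function posted above: the same variable-length replacement in portable C, with the check the thread keeps coming back to. The `cap` parameter is an assumption (myproxocket.c has no such value) standing for the real size of the buffer the host program passed to send(); when the grown packet would not fit, the function refuses instead of writing past the end of the program's buffer, which is the crash reported later in the thread. It also continues scanning after the inserted text, so a replacement that contains the search string cannot grow the packet forever. The sample packets are constructed; the last test case also shows the hex point raised above, that each "\xNN" escape is exactly one byte.

```c
#include <stdio.h>
#include <string.h>

/* Replace every occurrence of `old` in the first `len` bytes of `buf` with
 * `new_`, shifting the tail of the packet when the lengths differ. `cap` is
 * the assumed real capacity of `buf`. Returns the new length, or -1 when a
 * replacement would overflow the buffer. */
int replace_all(unsigned char *buf, int len, int cap,
                const char *old, const char *new_)
{
    int oldlen = (int)strlen(old);
    int newlen = (int)strlen(new_);
    int i = 0;

    if (oldlen == 0 || len < 0 || cap < len) return -1;

    while (i + oldlen <= len) {
        if (memcmp(buf + i, old, (size_t)oldlen) != 0) { i++; continue; }
        if (len + (newlen - oldlen) > cap) return -1;  /* would overflow the host buffer */
        /* shift the tail right (or left) so the new string fits exactly */
        memmove(buf + i + newlen, buf + i + oldlen, (size_t)(len - (i + oldlen)));
        memcpy(buf + i, new_, (size_t)newlen);
        len += newlen - oldlen;
        i += newlen;  /* resume after the inserted text, never re-scanning it */
    }
    return len;
}

/* Test helper: copy a constructed packet into a buffer of capacity `cap`,
 * run the replacement and compare with `expect`. Returns the new length,
 * -1 when replace_all refused, -2 when the content differs. */
int run_case(const char *in, int cap, const char *old, const char *new_,
             const char *expect)
{
    unsigned char buf[256];
    int len = (int)strlen(in);
    int n;

    if (cap > (int)sizeof buf || len > cap) return -3;
    memcpy(buf, in, (size_t)len);
    n = replace_all(buf, len, cap, old, new_);
    if (n < 0) return n;
    if (n != (int)strlen(expect) || memcmp(buf, expect, (size_t)n) != 0) return -2;
    return n;
}

int main(void)
{
    unsigned char pkt[64];  /* constructed sample packet */
    int len = (int)strlen("hello test world");

    memcpy(pkt, "hello test world", (size_t)len);
    len = replace_all(pkt, len, (int)sizeof pkt, "test", "blahx2blah");
    printf("%d bytes: %.*s\n", len, len, (const char *)pkt);
    return 0;
}
```

In a mysend hook the call is the same as in the post above (`len = replace_all(buf, len, cap, "test", "blahx2blah");`), with the difference that a -1 result means "leave the packet alone" rather than a corrupted buffer. If the replaced bytes sit inside an HTTP body, the Content-Length header has to change by the same amount, which this function does not do.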
 
 Post subject: Re: Proxocket
PostPosted: 08 Nov 2008 22:58 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
well .. crap and double crap :(
I modified myproxocket.c. it compiled well, but programs just keep crashing. I decided to test on my flashchat chatroom, but it crashes my browser. then i tried to run it in SAFlashPlayer...and again it crashes as soon as i enter the chatroom, but it did replace the data. i checked with packet editor. "word1" will be replaced with "word2blah" (or whatever i put there).
so why the hell does it crash. Isn't there any other way to replace like 2 bytes with 5 bytes?

When I use a proxy (like this java based paros), then it works just fine and it will replace 2 bytes with even 200 bytes (not with the same char, but with some text) if i want, but of course it is not a .dll, but an actual proxy.


 
 Post subject: Re: Proxocket
PostPosted: 09 Nov 2008 00:05 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
it could be a problem derived from the real size of the buffer; as I explained before or wrote in myproxocket.c (don't remember), modifying the buffer in the mysend* functions can be a problem on some programs for various technical reasons.

so at the moment there is no "official" work-around although various ideas exist


 
 Post subject: Re: Proxocket
PostPosted: 09 Nov 2008 13:43 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
I will test it on msn too, but it crashed flashplayer, firefox and avant. so i think it will crash msn too.
if i understood right.. it uses the program's buffer?
hope you will come up with some idea, because im not that good with C :)

EDIT: msn gives an error: "service temporarily unavailable" + blablabla. I did not test if it is because of the filter that changes the word "test" (because the word test can occur in some login packets too) or because of the whole filter (i doubt it, because the filter is only applied when i type "test").

EDIT: what about if i want to replace "test" with 1000 bytes of "S"? is that possible? mysend works fine, but the problem is that it puts SSS... into the wrong place. it starts to overwrite the whole packet with them, but i want them in the place where "test" is.
will it have the buffer error too?


 
 Post subject: Re: Proxocket
PostPosted: 10 Nov 2008 21:18 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
new version out


 
 Post subject: Re: Proxocket
PostPosted: 11 Nov 2008 12:10 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Works way better, but i still strongly recommend you to add a few new functions which will come in handy in MSN and HTTP. As we already talked about this:
Code:
Content-Length: 100

for others: if you replace "test" with "blahblah" then the packet will be dropped, because the Length is wrong. It is possible to make a new filter to change the length from 104 to 108, but it would only replace one word with another.

In MSN, the length is as follows:
Code:
N 136

This is the default, when you would send an empty text area. so when you type test and send it to another person it would be 140. MSN does not drop the packet, but it will simply cut it off. for example if you replace "test" with "blahblah" and don't change the length, it would send only "blah" to the other person.

But replace still comes in handy. for example you can modify other ppl's font color if you don't like it and they are unwilling to change it.

Luigi is it possible to replace ..umm an unknown value? dunno how to explain. for example if i type "#cb0***" then it would replace ANY string that is 7 bytes and starts with "#cb0" with like "#c00000".


 
 Post subject: Re: Proxocket
PostPosted: 11 Nov 2008 19:37 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Sethioz, what you want is something outside the purpose of the project.
The Proxocket project offers a "base" for fully customizing anything socket related while what you talk about is a new program developed through myproxocket... which is a totally new project in which I'm not interested.

myproxocket.c is only an example, it's up to the developer to add all the stuff he needs, the base is already there.


 
 Post subject: Re: Proxocket
PostPosted: 10 Jan 2009 22:07 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have just released the q3unban plugin for proxocket which demonstrates how easy it is to write plugins:

http://aluigi.org/poc.htm#q3unban_proxocket


 
 Post subject: Re: Proxocket
PostPosted: 12 Mar 2009 17:48 

Joined: 12 Mar 2009 17:44
Posts: 14
Hello,
i'm a complete n00b with C, but i have been playing with that redirect thing.

below is my experiment which doesn't work as it should.
is there someone here who can tell me how to redirect traffic to a proxy?


Code:
int myconnect(SOCKET s, const struct sockaddr *name, int namelen) {

    // connections to port 80 are sent to the proxy instead
    if(ntohs(((struct sockaddr_in *)name)->sin_port) == 80) {
        ((struct sockaddr_in *)name)->sin_addr.s_addr = inet_addr("PROXYIP");
        ((struct sockaddr_in *)name)->sin_port = htons(3128);

    }
    return(0);  // let the real connect() proceed with the (possibly rewritten) address
}



My GET request looks like this:
Code:
GET /customers/newproducts.html HTTP/1.0

But if you were connected through a Web proxy server, the GET should look like this:
Code:
GET http://mydowmain.com/customers/newproducts.html HTTP/1.0

Somehow i have to add the domain to the GET query.
I'm googling like crazy now. but without ANY knowledge of C this is going to be a tough and long ride for me.

help is appreciated.


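An added example, not Proxocket's own code: the address checks that the mybind and myconnect hooks in this thread perform, written as plain functions against the POSIX socket headers so they compile and can be tested outside Windows (with winsock2.h and the SOCKET/WINAPI decorations the bodies are the same). The function names bind_policy and connect_policy are mine; the return convention is the one described in the thread (0 lets the real call proceed, -1 blocks it). The interface 192.168.1.64 and the proxy 192.168.1.100:3128 come from the posts above; the destination 203.0.113.10 is a constructed documentation address. One caveat the posted hooks skip: the cast to sockaddr_in is only valid for AF_INET, so an IPv6 or short address is passed through untouched instead of being misread.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Policy for mybind: refuse to bind the local interface `blocked_ip`, so
 * the program has to fall back to another one. Returns -1 to block the
 * real bind(), 0 to let it proceed. Only AF_INET addresses are examined. */
int bind_policy(const struct sockaddr *name, int namelen, const char *blocked_ip)
{
    const struct sockaddr_in *sin;

    if (name == NULL || namelen < (int)sizeof(*sin) || name->sa_family != AF_INET)
        return 0;  /* not an IPv4 address: nothing we can judge, pass it through */
    sin = (const struct sockaddr_in *)name;
    if (sin->sin_addr.s_addr == inet_addr(blocked_ip))
        return -1;  /* blocked: the real bind() is not called */
    return 0;
}

/* Policy for myconnect: send every connection to port 80 through the
 * proxy at proxy_ip:proxy_port instead. Because the hook runs before the
 * real connect(), rewriting `name` in place changes where the program
 * actually connects. Returns 1 when rewritten, 0 when left alone. */
int connect_policy(struct sockaddr *name, int namelen,
                   const char *proxy_ip, unsigned short proxy_port)
{
    struct sockaddr_in *sin;

    if (name == NULL || namelen < (int)sizeof(*sin) || name->sa_family != AF_INET)
        return 0;
    sin = (struct sockaddr_in *)name;
    if (ntohs(sin->sin_port) != 80)
        return 0;  /* only plain HTTP is redirected */
    sin->sin_addr.s_addr = inet_addr(proxy_ip);
    sin->sin_port = htons(proxy_port);
    return 1;
}

/* Test helper: build a constructed bind address and apply the policy. */
int bind_result(const char *bind_ip, const char *blocked_ip)
{
    struct sockaddr_in a;

    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = inet_addr(bind_ip);
    return bind_policy((const struct sockaddr *)&a, (int)sizeof a, blocked_ip);
}

/* Test helper: build a constructed destination, apply the policy and
 * return the port the connection would really go to, or -1 when the
 * resulting address is not `expect_ip`. */
int connect_result(const char *dst_ip, unsigned short dst_port,
                   const char *proxy_ip, unsigned short proxy_port,
                   const char *expect_ip)
{
    struct sockaddr_in a;

    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = inet_addr(dst_ip);
    a.sin_port = htons(dst_port);
    connect_policy((struct sockaddr *)&a, (int)sizeof a, proxy_ip, proxy_port);
    if (a.sin_addr.s_addr != inet_addr(expect_ip)) return -1;
    return ntohs(a.sin_port);
}

int main(void)
{
    printf("bind 192.168.1.64 with 192.168.1.64 blocked -> %d\n",
           bind_result("192.168.1.64", "192.168.1.64"));
    printf("connect 203.0.113.10:80 via 192.168.1.100:3128 -> port %d\n",
           connect_result("203.0.113.10", 80, "192.168.1.100", 3128, "192.168.1.100"));
    return 0;
}
```

Note that connect_policy writes through a pointer the program passed as const; that is what the hooks in the thread do too, and it only works because Proxocket (from 0.1.1 on) calls the my* function before the real one.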
 
 Post subject: Re: Proxocket
PostPosted: 12 Mar 2009 21:17 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
your myconnect looks correct, have you added your new myproxocket.dll and proxocket's ws2_32.dll in the same folder as the software you want to "redirect"?


 
 Post subject: Re: Proxocket
PostPosted: 12 Mar 2009 22:33 

Joined: 12 Mar 2009 17:44
Posts: 14
the problem lies in the fact that the GET request doesn't have the 'http://domain' part in it.
here is the msg from the proxy when i open a page.
Code:
ERROR
The requested URL could not be retrieved

While trying to process the request:

GET /opmerkelijk/ HTTP/1.1
Host: www.nu.nl
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7



So, i fiddled with the sendto function and put this in:
Code:
    buf = find_replace_string(buf, &len, "GET /", "GET http://www.google.nl/");


now, all requests end up at google.
i need to grab the hostname from the buffer, and replace the "GET /" with "GET http://hostname"
but i have no clue about how regex is implemented in c.

so, i'll keep googling and trying.


 
 Post subject: Re: Proxocket
PostPosted: 12 Mar 2009 22:46 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ah so you didn't simply want to redirect the connection to another host but to force the usage of a proxy... uhmmm in this case there are various other solutions.

the first, and most simple, is using sockscap for "socksifying" the main program.
obviously you will need to use a socks proxy server and not a http proxy.

if sockscap can't work with that program (very rare) or you can't use the proxy server as a socks proxy you can still modify myproxocket.c as you said but it's not very simple if you are not good with C.

for example if the proxy supports the CONNECT method you only need to send "CONNECT IP:PORT\r\n\r\n" in myconnect using the original send function (there is an example in the sample myproxocket.c); alternatively the idea of replacing the "GET /" is ok but requires various modifications.


 
 Post subject: Re: Proxocket
PostPosted: 12 Mar 2009 23:08 

Joined: 12 Mar 2009 17:44
Posts: 14
ok, thanks.
but that send function crashes firefox, so that is not an option i think.
eventually, i want to place this dll on my kid's pc. i have a linux proxy that filters certain websites.
recently, one of the buggers found out how to turn the proxy off.. :(

But since i'm doing quite a good job in php, i think i'm in for a C challenge.
if only i get some regex support in C and i'm on my way. i know one thing: i have a lot of reading to do.


 
 Post subject: Re: Proxocket
PostPosted: 12 Mar 2009 23:28 

Joined: 12 Mar 2009 17:44
Posts: 14
i AM using the right code like this, yes?
Code:
int mysend(SOCKET s, u_char **retbuf, int len, int flags) {
    u_char  *buf = *retbuf; // do NOT touch this
    //send "CONNECT IP:PORT\r\n\r\n"
    char message[] = "CONNECT 192.168.1.100:3128\r\n\r\n";
    send(s, message, strlen(message), 0);
   
        // if you have allocated a new buffer it will be AUTOMATICALLY freed by proxocket so
        // remember only to NOT return a const/static buffer which cannot be freed!

    *retbuf = buf;  // do NOT touch this
        // return -1 avoids the sending of the data but returns -1 to the main program, use it to generate a socket error
        // return 0 avoids the sending of the data, use it to drop the sending of a packet
    return(len);
}



*edit*
it seems once i send() something, the app crashes. (this is with firefox, ie and teamspeak)
*edit2*
the original send() examples don't work either. it ends up crashing the app.


 
 Post subject: Re: Proxocket
PostPosted: 13 Mar 2009 00:30 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
well it seems that I have been able to do the job and it doesn't seem so bad :)
check the attachment.
it has been tested with firefox and in practice it sends the "http://IP:PORT" string between the http request and the rest of the data without modifying data or using additional memory.

for the crash in firefox it's a thing I missed in my myproxocket.c example, the WINAPI at the beginning of the real_* functions.

I will probably release a new version of proxocket tomorrow because although it's only an example and there are no changes that I need to perform on proxocket, it's an important example.


Attachments:
File comment: web proxy forcer 0.1 (plugin for proxocket)
web_proxy_forcer.zip [4.06 KiB]
Downloaded 277 times
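An added example of the "GET /" to "GET http://host/" rewrite asked about in this thread. It is my own implementation, not the web_proxy_forcer plugin attached above: it takes the host from the request's own Host: header and opens a gap in the buffer with memmove, so nothing else in the request changes and no second buffer is needed. The `cap` parameter is the assumed real capacity of the buffer; the function returns -1 when the data is not a complete origin-form HTTP request with a Host header, or when the longer request would not fit, so the hook can pass such data through untouched (TLS, a second request on a keep-alive connection that arrives mid-packet, or a request already in absolute form). The sample request is constructed from the proxy error quoted earlier in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Locate `needle` in the first `haylen` bytes of `hay`, starting at `from`.
 * Returns the index or -1. */
static int find_bytes(const unsigned char *hay, int haylen, const char *needle, int from)
{
    int n = (int)strlen(needle), i;

    for (i = from; i + n <= haylen; i++)
        if (memcmp(hay + i, needle, (size_t)n) == 0) return i;
    return -1;
}

/* Rewrite "METHOD /path HTTP/1.x" into "METHOD http://host/path HTTP/1.x"
 * in place, using the Host header. Returns the new length or -1 when the
 * buffer is not a complete origin-form request, has no Host header, or the
 * result would exceed `cap` (assumed real capacity of `buf`). */
int absolutize_request(unsigned char *buf, int len, int cap)
{
    int eol, sp, hdr_end, host_at, host_len, extra;
    unsigned char *host;

    if (buf == NULL || len <= 0 || cap < len) return -1;

    eol = find_bytes(buf, len, "\r\n", 0);
    if (eol < 0) return -1;                                        /* no complete request line */
    sp = find_bytes(buf, eol, " ", 0);
    if (sp < 0 || sp + 1 >= eol || buf[sp + 1] != '/') return -1;  /* not "METHOD /..." */
    if (find_bytes(buf, eol, " HTTP/", sp + 1) < 0) return -1;     /* not an HTTP request line */

    hdr_end = find_bytes(buf, len, "\r\n\r\n", eol);
    if (hdr_end < 0) hdr_end = len;                    /* headers may still be arriving */
    host_at = find_bytes(buf, hdr_end, "\r\nHost:", eol);
    if (host_at < 0) return -1;                        /* no Host header: nothing to use */
    host = buf + host_at + 7;
    while (host < buf + hdr_end && *host == ' ') host++;
    host_len = find_bytes(host, (int)(buf + len - host), "\r\n", 0);
    if (host_len <= 0) return -1;                      /* empty or unterminated host */

    extra = 7 + host_len;                              /* "http://" + host */
    if (len + extra > cap) return -1;                  /* would overflow the program's buffer */

    /* open a gap after "METHOD " and fill it; the Host value itself has
     * moved by `extra` bytes, so it is copied from its new position */
    memmove(buf + sp + 1 + extra, buf + sp + 1, (size_t)(len - (sp + 1)));
    memcpy(buf + sp + 1, "http://", 7);
    memcpy(buf + sp + 8, host + extra, (size_t)host_len);
    return len + extra;
}

/* Constructed sample, modelled on the request quoted in the thread. */
const char SAMPLE_REQUEST[] =
    "GET /opmerkelijk/ HTTP/1.1\r\n"
    "Host: www.nu.nl\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n";
const char SAMPLE_EXPECTED[] =
    "GET http://www.nu.nl/opmerkelijk/ HTTP/1.1\r\n"
    "Host: www.nu.nl\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n";

/* Test helper: rewrite `in` inside a buffer of capacity `cap` and compare
 * with `expect`. Returns the new length, -1 when the rewrite was refused,
 * -2 when the content differs. */
int rewrite_case(const char *in, int cap, const char *expect)
{
    unsigned char buf[512];
    int len = (int)strlen(in), n;

    if (cap > (int)sizeof buf || len > cap) return -3;
    memcpy(buf, in, (size_t)len);
    n = absolutize_request(buf, len, cap);
    if (n < 0) return n;
    if (n != (int)strlen(expect) || memcmp(buf, expect, (size_t)n) != 0) return -2;
    return n;
}

int main(void)
{
    unsigned char buf[256];
    int len = (int)strlen(SAMPLE_REQUEST);

    memcpy(buf, SAMPLE_REQUEST, (size_t)len);
    len = absolutize_request(buf, len, (int)sizeof buf);
    printf("%d bytes:\n%.*s", len, len, (const char *)buf);
    return 0;
}
```

Combined with the connect() rewrite to the proxy's address discussed earlier, this is enough for a proxy that only understands absolute URIs; it does not cover HTTPS, where the browser has to speak CONNECT itself.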
 
 Post subject: Re: Proxocket
PostPosted: 13 Mar 2009 00:42 

Joined: 12 Mar 2009 17:44
Posts: 14
aluigi wrote:
check the attachment.
it has been tested with firefox and in practice it sends the "http://IP:PORT" string between the http request and the rest of the data without modifying data or using additional memory.


Sorry, but i don't see any attachment. but i can wait till tomorrow for the new version.

i really appreciate the help here, and i'm glad to know i helped you find and fix a bug.


 