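#!/usr/local/bin/python3
# after tcp handshake send urgent data from client via relay to server
#
# The script plays both ends of the spliced connection with hand-crafted
# scapy packets: it is the client that connects to the relay port, and
# after the relay has opened its own connection it answers as the server
# on the server port.  LOCAL_IF, FAKE_NET_ADDR and REMOTE_ADDR come from
# the addr module; every packet is sent from FAKE_NET_ADDR.
#
# Exit status is 0 when the urgent payload arrives spliced at the server
# side with the expected sequence number and urgent pointer, 1 otherwise.

import os
import sys
import threading
import time    # imported explicitly rather than relying on a star import
from addr import *
from scapy.all import *

if len(sys.argv) != 3:
    print("usage: %s server-port relay-port" % sys.argv[0])
    sys.exit(1)

client = os.getpid() & 0xffff   # client source port, derived from the pid
server = int(sys.argv[1])       # port the relay forwards the connection to
relay = int(sys.argv[2])        # port the client connects to


def fail(msg):
    """Print an error message prefixed with ERROR and exit with status 1."""
    print("ERROR: " + msg)
    sys.exit(1)


class Sniff1(threading.Thread):
    """Capture one packet matching a BPF filter in a background thread.

    Set ``filter`` (a BPF expression) before ``start()``, either through the
    constructor or by assigning the attribute.  After ``join()`` the
    ``packet`` attribute holds the first matching packet, or None when
    nothing matched within the capture timeout; ``captured`` keeps the raw
    sniff() result.
    """

    def __init__(self, bpf_filter=None):
        # Drain whatever scapy's capture socket has buffered so a stale
        # packet is not reported as the one we are waiting for.
        sniff(iface=LOCAL_IF, timeout=1)
        super().__init__()
        self.filter = bpf_filter
        self.captured = None
        self.packet = None

    def run(self):
        # count=1 stops at the first match; timeout=5 bounds the wait so a
        # missing packet surfaces as packet == None instead of a hang.
        self.captured = sniff(iface=LOCAL_IF, filter=self.filter,
                              count=1, timeout=5)
        if self.captured:
            self.packet = self.captured[0]


ip = IP(src=FAKE_NET_ADDR, dst=REMOTE_ADDR)

print("Send SYN packet, receive SYN+ACK")
syn = TCP(sport=client, dport=relay, seq=0, flags='S', window=(2**16)-1)
synack = sr1(ip/syn, iface=LOCAL_IF, timeout=5)

if synack is None:
    fail("No matching SYN+ACK packet received")
# sr1() can also hand back a RST in reply to the SYN; insist on SYN+ACK
# (0x12) so a refused connection is reported here rather than later as a
# missing spliced SYN.
if (synack[TCP].flags & 0x12) != 0x12:
    fail("Expected SYN+ACK, got flags %s in reply to SYN" % synack[TCP].flags)

print("Expect spliced SYN")
# The relay's SYN towards the server port is the sign that splicing started.
sniffer = Sniff1("src %s and dst %s and tcp port %u "
                 "and tcp[tcpflags] = tcp-syn" % (ip.dst, ip.src, server))
sniffer.start()
# let the sniffer thread get its capture running before the handshake
# completes and the relay may react
time.sleep(1)

print("Send ACK packet to finish handshake")
ack = TCP(sport=synack.dport, dport=synack.sport,
          seq=1, ack=synack.seq+1, flags='A')
send(ip/ack, iface=LOCAL_IF)

sniffer.join(timeout=7)
spliced_syn = sniffer.packet

if spliced_syn is None:
    fail("No spliced SYN packet received")

print("Send spliced SYN+ACK packet to finish handshake")
# From here on we act as the server: answer the relay's SYN with ISN 0.
spliced_synack = TCP(sport=spliced_syn.dport, dport=spliced_syn.sport,
                     seq=0, ack=spliced_syn.seq+1, flags='SA')
# timeout=5 as for the first sr1(): without it sr1() blocks indefinitely
# when the relay never completes its handshake
spliced_ack = sr1(ip/spliced_synack, iface=LOCAL_IF, timeout=5)

if spliced_ack is None:
    fail("No spliced ACK packet received")

print("Expect spliced urgent payload")
sniffer = Sniff1("src %s and dst %s and tcp port %u "
                 "and tcp[tcpflags] = tcp-ack|tcp-urg" % (ip.dst, ip.src, server))
sniffer.start()
time.sleep(1)

print("Send 20 bytes payload and one urgent byte")
data = "0123456789Xabcdefghij"
# The urgent pointer is an offset from the segment's seq.  With 11 it
# points just past the 'X' at offset 10, which is presumably the one
# urgent byte (BSD reading of the pointer as first byte after the urgent
# data); the same value is expected unchanged on the spliced side.
urgptr = 11
payload = TCP(sport=synack.dport, dport=synack.sport, urgptr=urgptr,
              seq=1, ack=synack.seq+1, flags='APU')/data
payload_ack = sr1(ip/payload, iface=LOCAL_IF, timeout=5)

if payload_ack is None:
    fail("No payload ACK packet received")
# the relay must acknowledge the whole segment: seq 1 plus the data length
if payload_ack.ack != len(data)+1:
    fail("Expected ack %d, got %d in payload ACK" %
         (len(data)+1, payload_ack.ack))

sniffer.join(timeout=7)
spliced_payload = sniffer.packet

if spliced_payload is None:
    fail("No spliced urgent payload packet received")
# the relay's first data segment starts where its handshake ACK left off
if spliced_payload.seq != spliced_ack.seq:
    fail("Expected seq %d, got %d in spliced payload" %
         (spliced_ack.seq, spliced_payload.seq))
if spliced_payload.urgptr != urgptr:
    fail("Expected urgptr %d, got %d in spliced payload" %
         (urgptr, spliced_payload.urgptr))

print("Kill connections with RST")
# server side: our seq is 1 after the SYN, ack whatever the relay sent last
spliced_rst = TCP(sport=spliced_ack.dport, dport=spliced_ack.sport,
                  seq=1, ack=spliced_ack.seq, flags='RA')
send(ip/spliced_rst, iface=LOCAL_IF)
# client side: continue from the sequence number the relay acknowledged
rst = TCP(sport=synack.dport, dport=synack.sport,
          seq=payload_ack.ack, ack=synack.seq+1, flags='RA')
send(ip/rst, iface=LOCAL_IF)

sys.exit(0)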