Pwning the "Anti_MITM"

I was checking some new security tools on kitploit and I saw this tool.

Hm, sounds interesting, right?


    Anti mitm
    Log killer
    IP changer
    Dns changer
    Mac changer
    Anti cold boot
    Timezone changer
    Hostname changer
    Browser anonymization

I. Setup

I’m a very mean person. If I see anything cool, I want to understand how it is done. I don’t really care about the other changers, only the anti-MITM part. The script is at kali-whoami/anti_mitm at master · omer-dogan/kali-whoami · GitHub

Lab setup:

  • VM in bridged network mode. Packages needed to clone the project and run it: sudo apt install python3 python3-scapy git
  • Host with python3 and scapy

I adapted the ARP spoofing script from Python - How to create an ARP Spoofer using Scapy? - GeeksforGeeks. I’m a lazy person, my networking skills are bad, and I’m not familiar with scapy either, so I went the script kiddie way.

II. Analysis

This line checks whether the MAC address has changed, presumably the common way to detect ARP spoofing. I don’t know much about that spoofing technique, so I won’t explain it.

It then creates an iptables rule to drop traffic from that MAC address.

The MAC is taken DIRECTLY from the ARP packet.

Scapy needs root privileges to run the script, so if the command injection succeeds, you are bashed (as root)!!

III. Exploit

Idea: send an ARP packet whose crafted source MAC address carries our command injection payload. The value to inject is hwsrc.
Edit the spoof function (I edited some other lines just for usability; that is outside the scope of this article, so I skipped it).

Start anti_mitm in the VM.

When we send the packet, our crafted payload arrives as a bytes object and the program crashes.

Packet meta data

IV. Further

What if the program handled the format?

Test case 1: use decode() (not very practical)

I edited the payload and added a comment so the payload would not be invalid syntax.

Test case 2: format string

We would have to escape the command. However, our payload is a bytes object, so that is likely not possible. But in this case an attacker can still stop the victim from adding the iptables rule that would block him.
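To tie the analysis in Section II (MAC-changed check, then an iptables rule built from the raw hwsrc) to the bytes and format-string cases in Section IV, here is an added example of my own; it is not code from kali-whoami and does not reproduce its logic. It puts the risky pattern (an untrusted field formatted into a shell string) next to a hardened version that validates hwsrc as a MAC address, handles a bytes value from the wire, and builds an argv for subprocess without a shell. Assumptions: the `-m mac --mac-source` rule form is mine (the tool's exact rule is not shown in this post), scapy is not imported so the block runs offline, the sample addresses are constructed, and `run` is injectable so nothing needs root.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple, Union

# Exactly six hex octets separated by colons; nothing else gets through.
MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}")


def normalize_mac(hwsrc: Union[str, bytes]) -> Optional[str]:
    """Return the lowercase MAC string if hwsrc is a well-formed address, else None.

    bytes is accepted because a field lifted off the wire can still arrive as a
    bytes object (the crash seen in Section III). A value carrying anything
    beyond a MAC, shell metacharacters included, is rejected rather than escaped.
    """
    if isinstance(hwsrc, bytes):
        try:
            hwsrc = hwsrc.decode("ascii")
        except UnicodeDecodeError:
            return None
    if not isinstance(hwsrc, str):
        return None
    mac = hwsrc.strip().lower()
    return mac if MAC_RE.fullmatch(mac) else None


def vulnerable_block_command(hwsrc: str) -> str:
    """The risky pattern from the analysis: the untrusted field is formatted
    straight into a shell command string. Returned, not executed, so the
    effect of a non-MAC value is visible in the string itself."""
    return "iptables -A INPUT -m mac --mac-source %s -j DROP" % hwsrc


def safe_block_argv(hwsrc: Union[str, bytes]) -> Optional[List[str]]:
    """argv for the same rule, built only from a validated MAC; None otherwise.
    (Rule form is an assumption of this example, not the tool's own rule.)"""
    mac = normalize_mac(hwsrc)
    if mac is None:
        return None
    return ["iptables", "-A", "INPUT", "-m", "mac", "--mac-source", mac, "-j", "DROP"]


def block_mac(hwsrc: Union[str, bytes], run=subprocess.run) -> bool:
    """Install the DROP rule for a validated MAC. `run` is injectable so the
    behaviour can be exercised without root or a real iptables binary."""
    argv = safe_block_argv(hwsrc)
    if argv is None:
        return False
    run(argv, check=True)  # no shell=True: the MAC is one literal argument
    return True


class GatewayWatch:
    """Remember the MAC last seen for each IP (the 'is the MAC different?'
    check from Section II) and report a change together with a safe argv."""

    def __init__(self) -> None:
        self.seen: Dict[str, str] = {}

    def observe(self, psrc: str, hwsrc: Union[str, bytes]) -> Tuple[bool, Optional[List[str]]]:
        mac = normalize_mac(hwsrc)
        if mac is None:
            # Malformed hwsrc: flag it and log it, but never hand it to a shell.
            return True, None
        prev = self.seen.get(psrc)
        self.seen[psrc] = mac
        if prev is None or prev == mac:
            return False, None
        return True, safe_block_argv(mac)


if __name__ == "__main__":
    # Constructed sample values, not real captures.
    watch = GatewayWatch()
    print(watch.observe("192.168.1.1", "00:11:22:33:44:55"))
    print(watch.observe("192.168.1.1", b"66:77:88:99:AA:BB"))
    print(watch.observe("192.168.1.1", "66:77:88:99:aa:bb; echo x"))
    print(vulnerable_block_command("66:77:88:99:aa:bb; echo x"))
    print(block_mac("66:77:88:99:aa:bb; echo x", run=lambda *a, **k: None))
```

The point of `normalize_mac` is that neither decoding (Section IV, case 1) nor escaping (case 2) is the fix: once the field is constrained to the six-octet shape, an injected value can neither run as a command nor break the rule that is supposed to block the spoofing host, and the malformed packet itself becomes a signal worth logging.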

