forked from david415/HoneyBadger
-
Notifications
You must be signed in to change notification settings - Fork 0
/
retrospective.go
106 lines (92 loc) · 3.21 KB
/
retrospective.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
/*
* HoneyBadger core library for detecting TCP injection attacks
*
* Copyright (C) 2014, 2015 David Stainton
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package HoneyBadger
import (
"github.com/david415/HoneyBadger/types"
"github.com/david415/HoneyBadger/blocks"
"log"
"bytes"
"encoding/hex"
)
func checkForInjectionInRing(ringPtr *types.Ring, start, end types.Sequence, payload []byte) []*types.Event {
acc := []*types.Event{}
overlapBlockSegments := getOverlapsInRing(ringPtr, start, end)
for i := 0; i < len(overlapBlockSegments); i++ {
packetOverlapBytes := getOverlapBytesFromSlice(payload, start, overlapBlockSegments[i].Block)
if !bytes.Equal(packetOverlapBytes, overlapBlockSegments[i].Bytes) {
log.Printf("injection at TCP Sequence start %d end %d\n", start, end)
log.Print("race winner stream segment:")
log.Print(hex.Dump(overlapBlockSegments[i].Bytes))
log.Print("race loser stream segment:")
log.Print(hex.Dump(packetOverlapBytes))
e := &types.Event{
Loser: packetOverlapBytes,
Winner: overlapBlockSegments[i].Bytes,
Start: overlapBlockSegments[i].Block.A,
End: overlapBlockSegments[i].Block.B,
}
if overlapBlockSegments[i].IsCoalesce {
e.Type = "ordered coalesce 2"
}
if overlapBlockSegments[i].IsCoalesceGap {
e.Type = "ordered coalesce 2 gap"
}
acc = append(acc, e)
}
}
return acc
}
func getOverlapBytesFromSlice(payload []byte, sequence types.Sequence, overlap blocks.Block) []byte {
start := sequence.Difference(overlap.A)
end := types.Sequence(start).Add(overlap.A.Difference(overlap.B))
return payload[start:end]
}
func getOverlapsInRing(ringPtr *types.Ring, start, end types.Sequence) []blocks.BlockSegment {
acc := []blocks.BlockSegment{}
target := blocks.Block {
A: start,
B: end,
}
// iterate for the entire ring
for current := ringPtr.Next(); current != ringPtr; current = current.Next() {
if current.Reassembly == nil {
continue
}
if len(current.Reassembly.Bytes) == 0 {
continue
}
new_start := types.Sequence(current.Reassembly.Seq)
new_end := types.Sequence(current.Reassembly.Seq).Add(len(current.Reassembly.Bytes))
overlap := target.Overlap(new_start, new_end)
if overlap == nil {
continue
} else {
// overlaps
overlapBytes := getOverlapBytesFromSlice(current.Reassembly.Bytes, current.Reassembly.Seq, *overlap)
blockSegment := blocks.BlockSegment {
Block: *overlap,
Bytes: overlapBytes,
IsCoalesce: current.Reassembly.IsCoalesce,
IsCoalesceGap: current.Reassembly.IsCoalesceGap,
}
acc = append(acc, blockSegment)
}
}
return acc
}