
How to send raw data in tls? (scapy-ssl_tls, closed)

ji4 commented on July 24, 2024
How to send raw data in tls?


tintinweb commented on July 24, 2024

Hi @ji4,

.do_roundtrip() --> tls_do_roundtrip is using a tls_socket object to send messages. The socket would automatically try to encrypt messages before putting them on the wire. However, the TLSSocket class exposes the underlying TCP socket object as tls_socket._s, and you can use that to inject arbitrary TCP data. Note that this way you're basically bypassing the TLSSocket, which would easily get out of sync (message counters for encryption etc.).

Something like this untested piece of code should work for your example.

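import socket  # needed for socket.error below
# TLS, TLSAlert, TLSAlertLevel, TLS_ALERT_LEVELS, TLS_ALERT_DESCRIPTIONS and
# TLSProtocolError come from the scapy-ssl_tls import in your example script.

def tls_inject_roundtrip(tls_socket, pkt, recv=True):
    # Basically tls_do_roundtrip with a minor change: send data directly using
    # the underlying socket.socket instead of TLSSocket.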
    resp = TLS()
    try:
        tls_socket._s.sendall(str(pkt))  # changed: directly send to socket
        if recv:
            resp = tls_socket.recvall()
            if resp.haslayer(TLSAlert):
                alert = resp[TLSAlert]
                if alert.level != TLSAlertLevel.WARNING:
                    level = TLS_ALERT_LEVELS.get(alert.level, "unknown")
                    description = TLS_ALERT_DESCRIPTIONS.get(alert.description, "unknown description")
                    raise TLSProtocolError("%s alert returned by server: %s" % (level.upper(), description.upper()), pkt, resp)
    except socket.error as se:
        raise TLSProtocolError(se, pkt, resp)
    return resp

# .. your code from the example
tls_inject_roundtrip(tls_socket, Raw('\x18\x03\x01\x00\x01\x7f'))

ji4 commented on July 24, 2024

@tintinweb Thank you! Your code works! Although the malformed packet sent by the script looks similar to the one sent by a fuzzing tool, the malformed packet sent by the script didn't successfully affect the target, whereas the one sent by a fuzzing tool caused the target to stop working. Are there still any other causes that made the test fail?

tintinweb commented on July 24, 2024

@ji4 If the code produces exactly the same on-wire packets, it might be that your fuzz-run (depending on how you do it) might have brought the ssl/tls stack you're testing already into a weird state before sending the packets you're reproducing. Just an assumption. You might want to script up something that replays sessions captured in the pcaps.
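
To check the "exactly the same on-wire packets" condition from the last reply, the TCP payload bytes of two captures can be split into TLS records and compared field by field. This is an added example, not code from the thread or from scapy-ssl_tls: it uses only the Python 3 standard library, the names `split_records` and `diff_streams` are hypothetical, the payload bytes are assumed to be already extracted from the pcaps, and the second sample byte string is constructed.

```python
import struct

# TLS record content types (RFC 5246; heartbeat from RFC 6520)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}


def split_records(stream):
    """Split a raw TCP payload into (type, version, declared_len, payload) tuples.

    A record whose declared length runs past the end of the data is kept
    with whatever payload bytes are actually present.
    """
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        payload = stream[off + 5: off + 5 + length]
        name = CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype)
        records.append((name, (major, minor), length, payload))
        off += 5 + length
    if off < len(stream):  # fewer than 5 bytes left: not a full record header
        records.append(("trailing", None, len(stream) - off, stream[off:]))
    return records


def diff_streams(a, b):
    """Return a list of differences between two byte streams, record by record."""
    ra, rb = split_records(a), split_records(b)
    diffs = []
    if len(ra) != len(rb):
        diffs.append("record count: %d vs %d" % (len(ra), len(rb)))
    for i, (x, y) in enumerate(zip(ra, rb)):
        for field, u, v in zip(("type", "version", "length", "payload"), x, y):
            if u != v:
                diffs.append("record %d %s: %r vs %r" % (i, field, u, v))
    return diffs


# The six bytes injected in the thread, and a constructed variant that differs
# only in the record version, standing in for a second capture.
SCRIPT_BYTES = b"\x18\x03\x01\x00\x01\x7f"
OTHER_BYTES = b"\x18\x03\x02\x00\x01\x7f"  # constructed sample

if __name__ == "__main__":
    print(split_records(SCRIPT_BYTES))
    for line in diff_streams(SCRIPT_BYTES, OTHER_BYTES):
        print(line)
```

An empty result from `diff_streams` means the two payloads carry identical records, which points to earlier session state rather than the bytes themselves as the difference between the two runs.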
