Introduced the capability to spoof the source address

of outgoing sessions + an accompanying shim loader.
2024-11-26 10:16:27 +00:00 · 2016-09-03 12:22:09 +00:00 · 2016-09-03 12:22:09 +00:00 · a6e0c7e8f0
commit a6e0c7e8f0
parent b476966a45
6 changed files with 101 additions and 7 deletions
--- a/mitmproxy/cmdline.py
+++ b/mitmproxy/cmdline.py
@ -255,6 +255,7 @@ def get_common_options(args):
        listen_port = args.port,
        mode = mode,
        no_upstream_cert = args.no_upstream_cert,
+        spoof_source_address = args.spoof_source_address,
        rawtcp = args.rawtcp,
        upstream_server = upstream_server,
        upstream_auth = args.upstream_auth,
@ -474,7 +475,11 @@ def proxy_options(parser):
                        "Disabled by default. "
                        "Default value will change in a future version."
                        )
-
+    group.add_argument(
+        "--spoof-source-address",
+        action="store_true", dest="spoof_source_address",
+        help="Use client's IP for the server-side connection"
+    )

 def proxy_ssl_options(parser):
    # TODO: Agree to consistently either use "upstream" or "server".
--- a/mitmproxy/contrib/mitmproxy_shim.c
+++ b/mitmproxy/contrib/mitmproxy_shim.c
@ -0,0 +1,71 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <sys/types.h>
+#include <sys/capability.h>
+#include <unistd.h>
+#include <errno.h>
+
+int set_caps(cap_t cap_struct, cap_value_t *caps, int len) {
+	if (cap_set_flag(cap_struct, CAP_PERMITTED, len, caps, CAP_SET) ||
+            cap_set_flag(cap_struct, CAP_EFFECTIVE, len, caps, CAP_SET) ||
+            cap_set_flag(cap_struct, CAP_INHERITABLE, len, caps, CAP_SET)) {
+		if (len < 2) {
+			fprintf(stderr, "Cannot manipulate capability data structure as user: %s.\n", strerror(errno));
+		} else {
+			fprintf(stderr, "Cannot manipulate capability data structure as root: %s.\n", strerror(errno));
+		}
+
+		return 7;
+	}
+
+	if (len < 2) {
+		if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_RAW, 0, 0)) {
+			fprintf(stderr, "Failed to add CAP_NET_RAW to the ambient set: %s.\n", strerror(errno));
+			return 88;
+		}
+	}
+
+	if (cap_set_proc(cap_struct)) {
+		if (len < 2) {
+			fprintf(stderr, "Cannot set capabilities as user: %s.\n", strerror(errno)); 
+		} else {
+			fprintf(stderr, "Cannot set capabilities as root: %s.\n", strerror(errno));
+		}
+		return 1;
+	}
+
+	if (len > 1) {
+		if (prctl(PR_SET_KEEPCAPS, 1L)) {
+			fprintf(stderr, "Cannot keep capabilities after dropping privileges: %s.\n", strerror(errno));
+			return 4;
+		}
+		if (cap_clear(cap_struct)) {
+			fprintf(stderr, "Cannot clear capability data structure: %s.\n", strerror(errno));
+			return 6;
+		}
+	}
+}
+
+int main(int argc, char **argv, char **envp) {
+	cap_t cap_struct = cap_init();
+	cap_value_t root_caps[2] = { CAP_NET_RAW, CAP_SETUID };
+	cap_value_t user_caps[1] = { CAP_NET_RAW };
+	uid_t user = getuid();
+
+	if (setresuid(0, 0, 0)) {
+		fprintf(stderr, "Cannot switch to root: %s.\n", strerror(errno));
+		return 1;
+	}
+
+	set_caps(cap_struct, root_caps, 2);
+	if (setresuid(user, user, user)) {
+		fprintf(stderr, "Cannot drop root privileges: %s.\n", strerror(errno));
+		return 5;
+	}
+	set_caps(cap_struct, user_caps, 1);
+
+	if (execve(argv[1], argv + 1, envp))
+		perror("Cannot exec");
+}
--- a/mitmproxy/models/connections.py
+++ b/mitmproxy/models/connections.py
@ -123,8 +123,8 @@ class ServerConnection(tcp.TCPClient, stateobject.StateObject):
        timestamp_end: Connection end timestamp
    """

-    def __init__(self, address, source_address=None):
-        tcp.TCPClient.__init__(self, address, source_address)
+    def __init__(self, address, source_address=None, spoof_source_address=None):
+        tcp.TCPClient.__init__(self, address, source_address, spoof_source_address)

        self.via = None
        self.timestamp_start = None
--- a/mitmproxy/options.py
+++ b/mitmproxy/options.py
@ -69,6 +69,7 @@ class Options(optmanager.OptManager):
            mode = "regular",  # type: str
            no_upstream_cert = False,  # type: bool
            rawtcp = False,  # type: bool
+            spoof_source_address = False, # type: bool
            upstream_server = "",  # type: str
            upstream_auth = "",  # type: str
            ssl_version_client="secure",  # type: str
@ -126,6 +127,7 @@ class Options(optmanager.OptManager):
        self.mode = mode
        self.no_upstream_cert = no_upstream_cert
        self.rawtcp = rawtcp
+        self.spoof_source_address = spoof_source_address
        self.upstream_server = upstream_server
        self.upstream_auth = upstream_auth
        self.ssl_version_client = ssl_version_client
--- a/mitmproxy/protocol/base.py
+++ b/mitmproxy/protocol/base.py
@ -114,7 +114,13 @@ class ServerConnectionMixin(object):

    def __init__(self, server_address=None):
        super(ServerConnectionMixin, self).__init__()
-        self.server_conn = models.ServerConnection(server_address, (self.config.options.listen_host, 0))
+
+        self.server_conn = None
+        if self.config.options.spoof_source_address:
+            self.server_conn = models.ServerConnection(server_address, (self.ctx.client_conn.address.host, 0), True)
+        else:
+            self.server_conn = models.ServerConnection(server_address, (self.config.options.listen_host, 0))
+
        self.__check_self_connect()

    def __check_self_connect(self):
@ -151,11 +157,15 @@ class ServerConnectionMixin(object):
        """
        self.log("serverdisconnect", "debug", [repr(self.server_conn.address)])
        address = self.server_conn.address
-        source_address = self.server_conn.source_address
        self.server_conn.finish()
        self.server_conn.close()
        self.channel.tell("serverdisconnect", self.server_conn)
-        self.server_conn = models.ServerConnection(address, (source_address.host, 0))
+
+        if self.config.options.spoof_source_address:
+            self.server_conn = models.ServerConnection(address, (self.ctx.client_conn.address.host, 0), True)
+        else:
+            self.server_conn = models.ServerConnection(address, (self.server_conn.source_address.host, 0))
+

    def connect(self):
        """
--- a/netlib/tcp.py
+++ b/netlib/tcp.py
@ -605,7 +605,7 @@ class ConnectionCloser(object):

 class TCPClient(_Connection):

-    def __init__(self, address, source_address=None):
+    def __init__(self, address, source_address=None, spoof_source_address=None):
        super(TCPClient, self).__init__(None)
        self.address = address
        self.source_address = source_address
@ -613,6 +613,7 @@ class TCPClient(_Connection):
        self.server_certs = []
        self.ssl_verification_error = None  # type: Optional[exceptions.InvalidCertificateException]
        self.sni = None
+        self.spoof_source_address = spoof_source_address

    @property
    def address(self):
@ -729,6 +730,11 @@ class TCPClient(_Connection):
    def connect(self):
        try:
            connection = socket.socket(self.address.family, socket.SOCK_STREAM)
+            if self.spoof_source_address:
+                if os.geteuid() != 0:
+                    raise RuntimeError("Insufficient privileges to set socket option")
+                else:
+                    connection.setsockopt(socket.SOL_IP, 19, 1)
            if self.source_address:
                connection.bind(self.source_address())
            connection.connect(self.address())