1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <unistd.h>
4 #include <string.h>
5 #include <stdarg.h>
6 #include <errno.h>
7 #include <fcntl.h>
8 #include <libgen.h>
9 #include <signal.h>
10 #include <net/if.h>
11 #include <net/ethernet.h>
12 #include <sys/select.h>
13 #include <sys/socket.h>
14 #include <sys/stat.h>
15 #include <sys/un.h>
16 #include <syslog.h>
17 #include <getopt.h>
18 #include <pcap.h>
19
/*
 * Snapshot length passed to pcap_open_live(); also the size of the
 * buffer used when reading a frame from a hijacker connection.
 */
#define SNAPLEN 1600

/*
 * FIXME: is there a way to detect the version of the libpcap library?
 * Version 0.9 has pcap_inject; version 0.8 doesn't, but both report
 * their version number as 2.4.
 *
 * While this is zero, the local pcap_inject() substitute in this file
 * is compiled in.
 */
#define HAVE_PCAP_INJECT 0
28
/** State for one hijacked-interface session */
struct hijack {
	/* libpcap handle for the interface */
	pcap_t *pcap;
	/* Selectable file descriptor obtained from the pcap handle */
	int fd;
	/* Link-layer type as returned by pcap_datalink() */
	int datalink;
	/* Non-zero once hijack_filter() has returned success, so that
	 * filter setup is not attempted again
	 */
	int filtered;
	/* Packets forwarded from the network to the hijacker */
	unsigned long rx_count;
	/* Packets forwarded from the hijacker to the network */
	unsigned long tx_count;
};
37
/** Listening UNIX-domain socket for one interface */
struct hijack_listener {
	/* Address (filesystem path) the socket is bound to */
	struct sockaddr_un sun;
	/* Listening socket file descriptor */
	int fd;
};
42
/** Command-line options */
struct hijack_options {
	/* Network interface name; parse_options() defaults it to "eth0" */
	char interface[IF_NAMESIZE];
	/* Non-zero to daemonise (the default); cleared by -n/--nodaemon */
	int daemonise;
};
47
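/** Non-zero once daemonised; logmsg() then writes to syslog, not stderr */
static int daemonised = 0;

/**
 * Set by the SIGINT/SIGHUP handler and polled by the accept loop.
 *
 * Declared volatile sig_atomic_t because it is written from a signal
 * handler and read from normal code; a plain int carries no guarantee
 * that the store is atomic or that the loop re-reads it.
 */
static volatile sig_atomic_t signalled = 0;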
51
/**
 * Signal handler: record that a signal arrived
 *
 * Only sets the 'signalled' flag; the accept loop notices it later.
 *
 * @param signum	Signal number (not used)
 */
static void flag_signalled ( int signum ) {
	( void ) signum;
	signalled = 1;
}
55
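#if ! HAVE_PCAP_INJECT
/**
 * Substitute for pcap_inject(), if this version of libpcap doesn't
 * have it.  Will almost certainly only work under Linux.
 *
 * The frame is written directly to the descriptor returned by
 * pcap_get_selectable_fd().  Error text is placed in the buffer
 * returned by pcap_geterr(), so callers can report it the same way
 * as for the real function.
 *
 * @param pcap	pcap handle to transmit on
 * @param data	Frame to transmit
 * @param len	Length of frame in bytes
 * @return Number of bytes written (equal to len) on success, -1 on error
 */
int pcap_inject ( pcap_t *pcap, const void *data, size_t len ) {
	char *errbuf = pcap_geterr ( pcap );
	ssize_t written;
	int fd;

	fd = pcap_get_selectable_fd ( pcap );
	if ( fd < 0 ) {
		snprintf ( errbuf, PCAP_ERRBUF_SIZE,
			   "could not get file descriptor" );
		return -1;
	}

	/* Keep the result signed: comparing write()'s return value
	 * directly against a size_t hides the -1 error case behind an
	 * implicit conversion.
	 */
	written = write ( fd, data, len );
	if ( written < 0 ) {
		snprintf ( errbuf, PCAP_ERRBUF_SIZE,
			   "could not write data: %s", strerror ( errno ) );
		return -1;
	}
	if ( ( size_t ) written != len ) {
		/* Short write: errno was not set by this call, so do
		 * not report it.
		 */
		snprintf ( errbuf, PCAP_ERRBUF_SIZE,
			   "could not write data: short write "
			   "(%zd of %zu bytes)", written, len );
		return -1;
	}

	return ( int ) written;
}
#endif /* ! HAVE_PCAP_INJECT */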
80
/**
 * Log a message
 *
 * Before daemonising, the message goes to stderr and the level is not
 * used; afterwards it goes to syslog under the LOG_DAEMON facility.
 *
 * @param level		syslog priority (LOG_ERR, LOG_INFO, ...)
 * @param format	printf-style format string
 * @param ...		Arguments for the format string
 */
static __attribute__ (( format ( printf, 2, 3 ) )) void
logmsg ( int level, const char *format, ... ) {
	va_list args;

	va_start ( args, format );
	if ( ! daemonised ) {
		vfprintf ( stderr, format, args );
	} else {
		vsyslog ( ( level | LOG_DAEMON ), format, args );
	}
	va_end ( args );
}
97
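/**
 * Open pcap device
 *
 * Opens the interface in promiscuous mode, puts the handle into
 * non-blocking mode and records its selectable descriptor and
 * link-layer type.
 *
 * @param interface	Network interface name
 * @param hijack	Session state to fill in (pcap, fd, datalink)
 * @return 0 on success, -1 on failure; on failure no handle is left
 *         open and hijack->pcap is NULL
 */
static int hijack_open ( const char *interface, struct hijack *hijack ) {
	char errbuf[PCAP_ERRBUF_SIZE];

	/* Open interface via pcap (promiscuous, no read timeout) */
	errbuf[0] = '\0';
	hijack->pcap = pcap_open_live ( interface, SNAPLEN, 1, 0, errbuf );
	if ( ! hijack->pcap ) {
		logmsg ( LOG_ERR, "Failed to open %s: %s\n",
			 interface, errbuf );
		goto err;
	}
	/* errbuf was cleared above, so any text here is a warning from
	 * a call that nevertheless succeeded.
	 */
	if ( errbuf[0] )
		logmsg ( LOG_WARNING, "Warning: %s\n", errbuf );

	/* Set capture interface to non-blocking mode */
	if ( pcap_setnonblock ( hijack->pcap, 1, errbuf ) < 0 ) {
		logmsg ( LOG_ERR, "Could not make %s non-blocking: %s\n",
			 interface, errbuf );
		goto err;
	}

	/* Get file descriptor for select() */
	hijack->fd = pcap_get_selectable_fd ( hijack->pcap );
	if ( hijack->fd < 0 ) {
		logmsg ( LOG_ERR, "Cannot get selectable file descriptor "
			 "for %s\n", interface );
		goto err;
	}

	/* Get link layer type */
	hijack->datalink = pcap_datalink ( hijack->pcap );

	return 0;

 err:
	if ( hijack->pcap ) {
		pcap_close ( hijack->pcap );
		/* run_hijacker() closes any non-NULL handle on its own
		 * error path; clear the pointer so the handle cannot be
		 * closed a second time.
		 */
		hijack->pcap = NULL;
	}
	return -1;
}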
141
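/**
 * Close pcap device
 *
 * Safe to call on a session whose handle is already closed: the
 * pointer is cleared after closing and a NULL handle is ignored, so a
 * repeated call cannot close the same handle twice.
 *
 * @param hijack	Session state
 */
static void hijack_close ( struct hijack *hijack ) {
	if ( ! hijack->pcap )
		return;
	pcap_close ( hijack->pcap );
	hijack->pcap = NULL;
}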
149
/**
 * Install filter for hijacked connection
 *
 * Compiles the filter expression (with optimisation enabled and a
 * netmask of 0) and applies it to the session's pcap handle.
 *
 * @param hijack	Session state
 * @param filter	pcap filter expression
 * @return 0 on success, -1 if the filter could not be compiled or set
 */
static int hijack_install_filter ( struct hijack *hijack,
				   char *filter ) {
	struct bpf_program bpf;
	int rc = -1;

	/* Compile filter; nothing to free if this fails */
	if ( pcap_compile ( hijack->pcap, &bpf, filter, 1, 0 ) < 0 ) {
		logmsg ( LOG_ERR, "could not compile filter \"%s\": %s\n",
			 filter, pcap_geterr ( hijack->pcap ) );
		return -1;
	}

	/* Install filter */
	if ( pcap_setfilter ( hijack->pcap, &bpf ) < 0 ) {
		logmsg ( LOG_ERR, "could not install filter \"%s\": %s\n",
			 filter, pcap_geterr ( hijack->pcap ) );
	} else {
		logmsg ( LOG_INFO, "using filter \"%s\"\n", filter );
		rc = 0;
	}

	/* The compiled program is released on both outcomes */
	pcap_freecode ( &bpf );
	return rc;
}
182
/**
 * Set up filter for hijacked ethernet connection
 *
 * Builds a filter that passes broadcast and multicast traffic plus
 * anything to or from the source MAC address found in the supplied
 * frame.  The address bytes come from data sent by the hijacker
 * client; they are only ever formatted as two-digit hex, so they
 * cannot introduce other filter syntax.
 *
 * @param hijack	Session state
 * @param buf		Frame received from the hijacker
 * @param len		Length of frame in bytes
 * @return 0 on success, -1 if the frame is shorter than an Ethernet
 *         header or the filter could not be installed
 */
static int hijack_filter_ethernet ( struct hijack *hijack, const char *buf,
				    size_t len ) {
	char filter[55]; /* exact size of the formatted string, incl. NUL */
	const struct ether_header *frame;
	const unsigned char *src;

	/* Do not look at the header until we know it is all there */
	if ( len < sizeof ( *frame ) )
		return -1;

	frame = ( const struct ether_header * ) buf;
	src = frame->ether_shost;

	snprintf ( filter, sizeof ( filter ), "broadcast or multicast or "
		   "ether host %02x:%02x:%02x:%02x:%02x:%02x", src[0],
		   src[1], src[2], src[3], src[4], src[5] );

	return hijack_install_filter ( hijack, filter );
}
202
/**
 * Set up filter for hijacked connection
 *
 * Dispatches on the link-layer type recorded for the session.  Only
 * Ethernet is handled; for any other type a message is logged and
 * success is returned so that the caller does not keep retrying, which
 * means such a session runs with no capture filter installed.
 *
 * @param hijack	Session state
 * @param buf		Frame received from the hijacker
 * @param len		Length of frame in bytes
 * @return 0 on success or unsupported link type, -1 on failure
 */
static int hijack_filter ( struct hijack *hijack, const char *buf,
			   size_t len ) {
	const char *dlt_name;

	if ( hijack->datalink == DLT_EN10MB )
		return hijack_filter_ethernet ( hijack, buf, len );

	dlt_name = pcap_datalink_val_to_name ( hijack->datalink );
	if ( ! dlt_name )
		dlt_name = "UNKNOWN";
	logmsg ( LOG_ERR, "unsupported protocol %s: cannot filter\n",
		 dlt_name );

	/* Return success so we don't get called again */
	return 0;
}
221
/**
 * Forward data from hijacker
 *
 * Reads one frame from the hijacker connection and transmits it on the
 * hijacked interface.  The frame contents are passed through exactly
 * as received; nothing in this function inspects or restricts them.
 * The first frame is also used to set up the capture filter; if that
 * fails the frame is still transmitted and setup is retried on the
 * next frame.
 *
 * @param hijack	Session state
 * @param fd		Hijacker connection
 * @return Number of bytes forwarded, 0 if the hijacker closed the
 *         connection, -1 on error
 */
static ssize_t forward_from_hijacker ( struct hijack *hijack, int fd ) {
	char frame[SNAPLEN];
	ssize_t nread;

	/* Read packet from hijacker; at most SNAPLEN bytes are taken */
	nread = read ( fd, frame, sizeof ( frame ) );
	if ( nread == 0 )
		return 0;
	if ( nread < 0 ) {
		logmsg ( LOG_ERR, "read from hijacker failed: %s\n",
			 strerror ( errno ) );
		return -1;
	}

	/* Set up filter if not already in place */
	if ( ( ! hijack->filtered ) &&
	     ( hijack_filter ( hijack, frame, nread ) == 0 ) )
		hijack->filtered = 1;

	/* Transmit packet to network */
	if ( pcap_inject ( hijack->pcap, frame, nread ) != nread ) {
		logmsg ( LOG_ERR, "write to hijacked port failed: %s\n",
			 pcap_geterr ( hijack->pcap ) );
		return -1;
	}

	hijack->tx_count += 1;
	return nread;
}
256
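/**
 * Forward data to hijacker
 *
 * Takes one captured packet from the hijacked interface and writes it
 * to the hijacker connection.
 *
 * @param fd		Hijacker connection
 * @param hijack	Session state
 * @return Negative on error; 0 if a zero-length packet was captured
 *         (the caller ends the session on 0); otherwise positive: the
 *         number of bytes forwarded, or 1 if no packet was available
 *         and nothing was forwarded
 */
static ssize_t forward_to_hijacker ( int fd, struct hijack *hijack ) {
	struct pcap_pkthdr *pkt_header = NULL;
	const unsigned char *pkt_data = NULL;
	ssize_t len;
	int rc;

	/* Receive packet from network */
	rc = pcap_next_ex ( hijack->pcap, &pkt_header, &pkt_data );
	if ( rc < 0 ) {
		logmsg ( LOG_ERR, "read from hijacked port failed: %s\n",
			 pcap_geterr ( hijack->pcap ) );
		return -1;
	}
	if ( rc == 0 ) {
		/* pcap_next_ex() returns 0 when no packet is available
		 * on a non-blocking handle.  The header and data
		 * pointers are not filled in then, so they must not be
		 * dereferenced.  Report a positive value so the caller
		 * neither fails nor treats this as end of session.
		 */
		return 1;
	}
	if ( pkt_header->caplen != pkt_header->len ) {
		/* Both fields are unsigned, hence %u */
		logmsg ( LOG_ERR, "read partial packet (%u of %u bytes)\n",
			 ( unsigned int ) pkt_header->caplen,
			 ( unsigned int ) pkt_header->len );
		return -1;
	}
	if ( pkt_header->caplen == 0 )
		return 0;
	len = pkt_header->caplen;

	/* Write packet to hijacker */
	if ( write ( fd, pkt_data, len ) != len ) {
		logmsg ( LOG_ERR, "write to hijacker failed: %s\n",
			 strerror ( errno ) );
		return -1;
	}

	hijack->rx_count++;
	return len;
}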
291
292
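/**
 * Run hijacker
 *
 * Opens the interface and relays frames in both directions between it
 * and the hijacker connection until either side reports end of data or
 * an error occurs.  Any select() failure, including interruption by a
 * signal, ends the session.
 *
 * @param interface	Network interface name
 * @param fd		Hijacker connection (not closed here)
 * @return 0 on orderly shutdown, -1 on error
 */
static int run_hijacker ( const char *interface, int fd ) {
	struct hijack hijack;
	fd_set fdset;
	int max_fd;
	ssize_t len;

	logmsg ( LOG_INFO, "new connection for %s\n", interface );

	/* Open connection to network.  hijack_open() releases the pcap
	 * handle itself when it fails, so return directly instead of
	 * taking the error path, which would close the handle again.
	 */
	memset ( &hijack, 0, sizeof ( hijack ) );
	if ( hijack_open ( interface, &hijack ) < 0 )
		return -1;

	/* FD_SET() on a descriptor outside [0, FD_SETSIZE) writes
	 * outside the fd_set, so refuse such descriptors up front.
	 */
	if ( ( fd < 0 ) || ( fd >= FD_SETSIZE ) ||
	     ( hijack.fd >= FD_SETSIZE ) ) {
		logmsg ( LOG_ERR, "file descriptor out of range for "
			 "select()\n" );
		goto err;
	}

	/* Do the forwarding */
	max_fd = ( ( fd > hijack.fd ) ? fd : hijack.fd );
	while ( 1 ) {
		/* Wait for available data (no timeout) */
		FD_ZERO ( &fdset );
		FD_SET ( fd, &fdset );
		FD_SET ( hijack.fd, &fdset );
		if ( select ( ( max_fd + 1 ), &fdset, NULL, NULL,
			      NULL ) < 0 ) {
			logmsg ( LOG_ERR, "select failed: %s\n",
				 strerror ( errno ) );
			goto err;
		}
		if ( FD_ISSET ( fd, &fdset ) ) {
			len = forward_from_hijacker ( &hijack, fd );
			if ( len < 0 )
				goto err;
			if ( len == 0 )
				break;
		}
		if ( FD_ISSET ( hijack.fd, &fdset ) ) {
			len = forward_to_hijacker ( fd, &hijack );
			if ( len < 0 )
				goto err;
			if ( len == 0 )
				break;
		}
	}

	hijack_close ( &hijack );
	logmsg ( LOG_INFO, "closed connection for %s\n", interface );
	/* The counters are unsigned long, hence %lu */
	logmsg ( LOG_INFO, "received %lu packets, sent %lu packets\n",
		 hijack.rx_count, hijack.tx_count );

	return 0;

 err:
	if ( hijack.pcap )
		hijack_close ( &hijack );
	return -1;
}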
350
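/**
 * Open listener socket
 *
 * Creates a SOCK_SEQPACKET UNIX-domain socket bound to
 * /var/run/hijack-<interface> and puts it into listening state.
 *
 * NOTE(review): nothing here sets the mode of the socket file, and the
 * accept loop performs no peer check, so the file permissions that
 * bind() produces under the process umask are the only control over
 * who may connect and exchange raw frames on the interface.  Confirm
 * that the umask the daemon runs with is restrictive enough.
 *
 * @param interface	Network interface name
 * @param listener	Listener state to fill in
 * @return 0 on success, -1 on failure (the socket is closed again)
 */
static int open_listener ( const char *interface,
			   struct hijack_listener *listener ) {
	int pathlen;

	/* Create socket */
	listener->fd = socket ( PF_UNIX, SOCK_SEQPACKET, 0 );
	if ( listener->fd < 0 ) {
		logmsg ( LOG_ERR, "Could not create socket: %s\n",
			 strerror ( errno ) );
		return -1;
	}

	/* Build the address from a zeroed structure; the caller's
	 * storage is not necessarily initialised.
	 */
	memset ( &listener->sun, 0, sizeof ( listener->sun ) );
	listener->sun.sun_family = AF_UNIX;
	pathlen = snprintf ( listener->sun.sun_path,
			     sizeof ( listener->sun.sun_path ),
			     "/var/run/hijack-%s", interface );
	if ( ( pathlen < 0 ) ||
	     ( ( size_t ) pathlen >= sizeof ( listener->sun.sun_path ) ) ) {
		/* A truncated path would bind to a different name */
		logmsg ( LOG_ERR, "Socket path for %s is too long\n",
			 interface );
		goto err;
	}

	/* Bind to local filename */
	if ( bind ( listener->fd, ( struct sockaddr * ) &listener->sun,
		    sizeof ( listener->sun ) ) < 0 ) {
		logmsg ( LOG_ERR, "Could not bind socket to %s: %s\n",
			 listener->sun.sun_path, strerror ( errno ) );
		goto err;
	}

	/* Set as a listening socket */
	if ( listen ( listener->fd, 0 ) < 0 ) {
		logmsg ( LOG_ERR, "Could not listen to %s: %s\n",
			 listener->sun.sun_path, strerror ( errno ) );
		/* bind() created the socket file; do not leave it
		 * behind, or the next start fails to bind.
		 */
		unlink ( listener->sun.sun_path );
		goto err;
	}

	return 0;

 err:
	close ( listener->fd );
	listener->fd = -1;
	return -1;
}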
391
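/**
 * Listen on listener socket
 *
 * Accepts connections until the 'signalled' flag is set, forking one
 * child per connection to run the hijacker.
 *
 * NOTE(review): the connecting peer is not identified or checked after
 * accept(); each accepted connection gets a child that opens the
 * interface with whatever privileges this process holds.  Who may
 * connect is therefore decided solely by the permissions on the socket
 * file.
 *
 * @param listener	Listener state
 * @param interface	Network interface name
 * @return 0 when stopped by a signal, -1 on accept() or fork() failure
 */
static int listen_for_hijackers ( struct hijack_listener *listener,
				  const char *interface ) {
	int fd = -1;
	int accept_errno;
	pid_t child;
	int rc;

	logmsg ( LOG_INFO, "Listening on %s\n", listener->sun.sun_path );

	while ( ! signalled ) {
		/* Accept new connection, interruptibly */
		siginterrupt ( SIGINT, 1 );
		siginterrupt ( SIGHUP, 1 );
		fd = accept ( listener->fd, NULL, NULL );
		/* Save errno before further library calls can change it */
		accept_errno = errno;
		siginterrupt ( SIGINT, 0 );
		siginterrupt ( SIGHUP, 0 );
		if ( fd < 0 ) {
			if ( accept_errno == EINTR )
				continue;
			logmsg ( LOG_ERR, "accept failed: %s\n",
				 strerror ( accept_errno ) );
			goto err;
		}

		/* Fork child process */
		child = fork();
		if ( child < 0 ) {
			logmsg ( LOG_ERR, "fork failed: %s\n",
				 strerror ( errno ) );
			goto err;
		}
		if ( child == 0 ) {
			/* I am the child; run the hijacker.  The child
			 * never accepts connections, so drop its copy
			 * of the listening socket rather than holding
			 * it open for the life of the session.
			 */
			close ( listener->fd );
			rc = run_hijacker ( interface, fd );
			close ( fd );
			exit ( rc );
		}

		/* Parent: the child owns the connection now */
		close ( fd );
		fd = -1;
	}

	logmsg ( LOG_INFO, "Stopped listening on %s\n",
		 listener->sun.sun_path );
	return 0;

 err:
	if ( fd >= 0 )
		close ( fd );
	return -1;
}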
447
/**
 * Close listener socket
 *
 * Closes the listening descriptor and removes the socket file that
 * was created when it was bound.
 *
 * @param listener	Listener state
 */
static void close_listener ( struct hijack_listener *listener ) {
	const char *path = listener->sun.sun_path;
	int sock = listener->fd;

	close ( sock );
	unlink ( path );
}
456
/**
 * Print usage
 *
 * The text is sent through logmsg() at LOG_ERR level.
 *
 * @param argv		Program argument vector; argv[0] is shown as the
 *			program name
 */
static void usage ( char **argv ) {
	const char *progname = argv[0];

	logmsg ( LOG_ERR,
		 "Usage: %s [options]\n"
		 "\n"
		 "Options:\n"
		 " -h|--help Print this help message\n"
		 " -i|--interface intf Use specified network interface\n"
		 " -n|--nodaemon Run in foreground\n",
		 progname );
}
471
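/**
 * Parse command-line options
 *
 * Defaults are interface "eth0" and daemon mode.  An interface name
 * that does not fit in options->interface is rejected: copying it
 * with strncpy() would leave the buffer without a terminating NUL,
 * and the name is later used as a C string to build file paths.
 *
 * @param argc		Argument count
 * @param argv		Argument vector
 * @param options	Options structure to fill in
 * @return 0 on success, -1 if the program should exit (bad usage or
 *         help requested)
 */
static int parse_options ( int argc, char **argv,
			   struct hijack_options *options ) {
	static struct option long_options[] = {
		{ "interface", required_argument, NULL, 'i' },
		{ "nodaemon", no_argument, NULL, 'n' },
		{ "help", no_argument, NULL, 'h' },
		{ NULL, 0, NULL, 0 },
	};
	int c;

	/* Set default options */
	memset ( options, 0, sizeof ( *options ) );
	snprintf ( options->interface, sizeof ( options->interface ),
		   "%s", "eth0" );
	options->daemonise = 1;

	/* Parse command-line options */
	while ( 1 ) {
		int option_index = 0;

		c = getopt_long ( argc, argv, "i:hn", long_options,
				  &option_index );
		if ( c < 0 )
			break;

		switch ( c ) {
		case 'i':
			/* Refuse rather than truncate: a shortened
			 * name could refer to a different interface.
			 */
			if ( strlen ( optarg ) >=
			     sizeof ( options->interface ) ) {
				logmsg ( LOG_ERR, "Interface name \"%s\" "
					 "is too long\n", optarg );
				return -1;
			}
			snprintf ( options->interface,
				   sizeof ( options->interface ),
				   "%s", optarg );
			break;
		case 'n':
			options->daemonise = 0;
			break;
		case 'h':
			usage( argv );
			return -1;
		case '?':
			/* Unrecognised option */
			return -1;
		default:
			logmsg ( LOG_ERR, "Unrecognised option '-%c'\n", c );
			return -1;
		}
	}

	/* Check there's nothing left over on the command line */
	if ( optind != argc ) {
		usage ( argv );
		return -1;
	}

	return 0;
}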
528
/**
 * Daemonise
 *
 * Detaches from the terminal with daemon(0, 0), switches logging to
 * syslog, and writes the new process ID to
 * /var/run/hijack-<interface>.pid (mode 0644).
 *
 * NOTE(review): the pid file is opened with O_CREAT | O_TRUNC and
 * neither O_EXCL nor O_NOFOLLOW, so whatever already exists at that
 * path is opened and truncated.  That is only safe while the
 * directory is writable by trusted users alone.
 *
 * @param interface	Network interface name (used in the file name)
 * @return 0 on success, -1 on failure
 */
static int daemonise ( const char *interface ) {
	char pidfile[16 + IF_NAMESIZE + 4]; /* "/var/run/hijack-<intf>.pid" */
	char pidtext[16];
	int textlen;
	int pidfd;

	/* Daemonise */
	if ( daemon ( 0, 0 ) < 0 ) {
		logmsg ( LOG_ERR, "Could not daemonise: %s\n",
			 strerror ( errno ) );
		return -1;
	}
	daemonised = 1; /* Direct messages to syslog now */

	/* Open pid file */
	snprintf ( pidfile, sizeof ( pidfile ), "/var/run/hijack-%s.pid",
		   interface );
	pidfd = open ( pidfile, ( O_WRONLY | O_CREAT | O_TRUNC ),
		       ( S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH ) );
	if ( pidfd < 0 ) {
		logmsg ( LOG_ERR, "Could not open %s for writing: %s\n",
			 pidfile, strerror ( errno ) );
		return -1;
	}

	/* Write pid to file */
	textlen = snprintf ( pidtext, sizeof ( pidtext ), "%d\n", getpid() );
	if ( write ( pidfd, pidtext, textlen ) != textlen ) {
		logmsg ( LOG_ERR, "Could not write %s: %s\n",
			 pidfile, strerror ( errno ) );
		close ( pidfd );
		return -1;
	}

	close ( pidfd );
	return 0;
}
574
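/**
 * Program entry point
 *
 * Parses options, opens the listening socket, optionally daemonises,
 * installs signal handling and then serves connections until SIGINT
 * or SIGHUP.  Once the listening socket exists, every exit path goes
 * through close_listener() so that the socket file is not left behind
 * to make the next start fail at bind().
 *
 * @param argc		Argument count
 * @param argv		Argument vector
 * @return 0 on clean shutdown, 1 on failure
 */
int main ( int argc, char **argv ) {
	struct hijack_options options;
	struct hijack_listener listener;
	struct sigaction sa;
	int rc = 1;

	/* Parse command-line options */
	if ( parse_options ( argc, argv, &options ) < 0 )
		exit ( 1 );

	/* Set up syslog connection */
	openlog ( basename ( argv[0] ), LOG_PID, LOG_DAEMON );

	/* Set up listening socket */
	if ( open_listener ( options.interface, &listener ) < 0 )
		exit ( 1 );

	/* Daemonise on demand */
	if ( options.daemonise ) {
		if ( daemonise ( options.interface ) < 0 )
			goto out;
	}

	/* Avoid creating zombies */
	memset ( &sa, 0, sizeof ( sa ) );
	sa.sa_handler = SIG_IGN;
	sa.sa_flags = SA_RESTART | SA_NOCLDWAIT;
	if ( sigaction ( SIGCHLD, &sa, NULL ) < 0 ) {
		logmsg ( LOG_ERR, "Could not set SIGCHLD handler: %s\n",
			 strerror ( errno ) );
		goto out;
	}

	/* Set 'signalled' flag on SIGINT or SIGHUP.  SA_RESETHAND
	 * restores the default action after the first delivery, so a
	 * second signal terminates the process.
	 */
	sa.sa_handler = flag_signalled;
	sa.sa_flags = SA_RESTART | SA_RESETHAND;
	if ( sigaction ( SIGINT, &sa, NULL ) < 0 ) {
		logmsg ( LOG_ERR, "Could not set SIGINT handler: %s\n",
			 strerror ( errno ) );
		goto out;
	}
	if ( sigaction ( SIGHUP, &sa, NULL ) < 0 ) {
		logmsg ( LOG_ERR, "Could not set SIGHUP handler: %s\n",
			 strerror ( errno ) );
		goto out;
	}

	/* Listen for hijackers */
	if ( listen_for_hijackers ( &listener, options.interface ) < 0 )
		goto out;

	rc = 0;

 out:
	close_listener ( &listener );
	return rc;
}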
629