nsisfiddlerweb.pysession-hijacking

Hijacking NSIS's download file on Windows


There's a file that I know it's packed with NSIS,and the logic of download file and then Exec highly possible using the NSIS functions like ExecWait in NSIS,

The Problem is :

I'm try to replace the file that NSIS downloaded from web so I could do some tests, first I changed the hosts and made a http server with web.py,so the original url hijacked to myself server and I put a redirect download file link with,and on server I saw 200 but in the client I use some tool find out it returning 400.(I direct print the url in a browser and it worked well download the hijacked file) I don't know what's wrong.

web.py Codes

def GET(self, name):
    raise web.redirect('/static/test.exe')

Logs 4 the file download

GET     302     240       Redirect url1,url2
GET     302     300       Redirec  url2,url3
GET     200     1.27 M    application/octet-stream url3

So I want to know

  1. what may cause the problem of 400 code,even in my python webpy server it showed 200? (sry I'm not familiar with http)

  2. anyone familiar with NSIS,Is there some other solution I could do this hijack? I've tried with R3 hook,But seems failed,since I don't know with API to hook.

  3. In the past I heard of Fiddler could help me with my task,But that traffic just don't show in Fiddler,Maybe The NSis download Fiddler can't capture? And with HttpAnalyze I could see that traffic(the log upon),but I can't do what I want,So Is there any other tool could feed my needs(maybe Made a rule with when xxurl then replace it with myurl)?


Solution

  • There are different download plug-ins for NSIS, some are custom HTTP clients and some use WinINet.

    The two most popular plug-ins are NSISdl and INetC. NSISdl is a custom HTTP client but it should support 301 and 302 redirects and INetC uses WinINet and should work if Internet Explorer works.

    I would suggest that you just redirect the domain name to 127.0.0.1 in your hosts file and run a simple HTTP file server locally without any kind of redirection, just recreate the required folder structure and use the filename requested by the installer. If that works then you might have to use WireShark to figure out why the redirect fails...