From: K. R. W. <krw...@gm...> - 2013-06-05 15:22:14
Hi all -

I spent a little time a few months ago working on a silly and fun ettercap plugin. The plugin's purpose is to record cyclic traffic between a client and a server for a while, and after a fixed amount of time to replay traffic from the server to the client. I wrote up the state recording code for my plugin and actually have that part working.

I'm now at the stage where I've finished all the recording that I want to do, and want to start replaying previously-observed response packets to a given query. Since the previously-observed response packet might be a different length from the actual server response, I have to muck about with both the data and length fields. I do something like this:

    } else { /* is_request(s, PACKET) */
        session_data_t *sd = (session_data_t *)s->data;

        if (PACKET->DATA.len != 0) {
            /* test the pointer itself, not its address */
            if (sd->current_request_response_item == NULL) {
                printf("--> ERROR: request was not in list, try expanding time of packet capture. Allowing response through unmodified.\n");
                return;
            }
            SAFE_FREE(PACKET->DATA.data);   /* I crash ettercap here */
            PACKET->DATA.len = sd->current_request_response_item->mrrp.responseDataLen;
            SAFE_CALLOC(PACKET->DATA.data, 1, PACKET->DATA.len);
            memcpy(PACKET->DATA.data,
                   &sd->current_request_response_item->mrrp.responseData,
                   PACKET->DATA.len);
            PACKET->flags |= PO_MODIFIED;
        } /* packet length check */
    } /* is_request(s, PACKET) */

Basically the code above is supposed to overwrite only response packets, and do so using my silly method of tracking session state (that part is working just fine). I'm kind of curious why ettercap dumps when I try to SAFE_FREE(PACKET->DATA.data), though... I see the following on the console:

    *** glibc detected *** /usr/local/bin/ettercap: munmap_chunk(): invalid pointer: 0xaddress ***

I ran it inside gdb and I think that it is a double free bug on PACKET->DATA.data. I think it's a bit curious, but I guess some other data structure or function is keeping a handle to the pointer around when (maybe) it shouldn't be?

On a lark, I decided to also try adding to the length of the packet using the PACKET->DATA.inject_len and *inject mechanism. When I use this to add a single 'a' byte to the end of my packet, the packet never gets sent for some reason.

So I guess my questions are pretty short:

- Can ettercap deal with modifying the length of packets when it is MITM'ing packets?
- If so, what is the recommended method for expanding and shrinking packet sizes? So far I can't seem to find a way to make it work, and none of the example plug-ins do this...

Thanks for any pointers/advice,
Reid
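The question underneath the crash is who owns the bytes behind the payload pointer. An abort from free() of the kind shown above is what glibc raises when it is handed an address that is not the start of a chunk it allocated, which is exactly what happens if the payload pointer is an interior pointer into a larger frame buffer owned by the capture layer. The following is an added example, not ettercap's code and not the poster's plugin: it models that ownership with a hypothetical `struct packet` (the field names `data`, `len`, `delta` and the `modified` flag are assumptions chosen to resemble the fields discussed above) and shows how to shrink or grow a payload in place, within the capacity of the buffer you do not own, instead of freeing and reallocating it. The sample header and payload bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a capture layer's packet object (assumption, not
 * ettercap's real struct). The frame is owned by the capture layer; `data`
 * is an interior pointer into it, so passing `data` to free() is always wrong. */
#define FRAME_CAP 256

struct packet {
    uint8_t  frame[FRAME_CAP];  /* whole captured frame: headers + payload */
    size_t   frame_len;         /* bytes currently valid in frame */
    uint8_t *data;              /* payload start; points INTO frame */
    size_t   len;               /* payload length */
    long     delta;             /* cumulative change in payload length */
    int      modified;          /* set when the payload was rewritten */
};

/* Build a packet from constructed header and payload bytes. */
static void packet_init(struct packet *p, const uint8_t *hdr, size_t hdr_len,
                        const uint8_t *payload, size_t payload_len)
{
    memset(p, 0, sizeof *p);
    memcpy(p->frame, hdr, hdr_len);
    memcpy(p->frame + hdr_len, payload, payload_len);
    p->frame_len = hdr_len + payload_len;
    p->data = p->frame + hdr_len;   /* interior pointer, never free()d */
    p->len = payload_len;
}

/* Replace the payload in place with one of a different size.
 * Returns 0 on success, -1 if the replacement would overrun the frame
 * (in which case the packet is left untouched). No free()/alloc of
 * p->data: bytes are written into the frame the capture layer owns, and
 * `delta` records the size change so the caller can fix up the length
 * fields and checksums of the enclosing headers. */
static int packet_replace_payload(struct packet *p,
                                  const uint8_t *resp, size_t resp_len)
{
    size_t hdr_len = (size_t)(p->data - p->frame);

    if (hdr_len + resp_len > FRAME_CAP)
        return -1;                  /* does not fit: refuse, do not truncate */

    memcpy(p->data, resp, resp_len);
    p->delta += (long)resp_len - (long)p->len;
    p->len = resp_len;
    p->frame_len = hdr_len + resp_len;
    p->modified = 1;
    return 0;
}

/* Walk through shrink, grow and oversize cases on constructed data.
 * Returns the number of failed checks (0 means every check passed). */
static int demo(void)
{
    static const uint8_t hdr[] = { 'H', 'D', 'R' };       /* constructed header */
    static const uint8_t live_resp[] = "HELLO WORLD";     /* 11-byte live payload */
    static const uint8_t recorded[] = "OK";               /* 2-byte recorded reply */
    uint8_t big[20];
    uint8_t huge[FRAME_CAP];
    struct packet p;
    int failures = 0;

    memset(big, 'a', sizeof big);
    memset(huge, 'b', sizeof huge);

    packet_init(&p, hdr, sizeof hdr, live_resp, 11);
    if (p.len != 11 || p.frame_len != 14) failures++;

    /* shrink: replay a shorter recorded response */
    if (packet_replace_payload(&p, recorded, 2) != 0) failures++;
    if (p.len != 2 || p.delta != -9 || memcmp(p.data, "OK", 2) != 0) failures++;

    /* grow: a longer recorded response that still fits in the frame */
    if (packet_replace_payload(&p, big, sizeof big) != 0) failures++;
    if (p.len != 20 || p.delta != 9 || p.frame_len != 23 || !p.modified) failures++;

    /* oversize: refused, packet left as it was */
    if (packet_replace_payload(&p, huge, sizeof huge) != -1) failures++;
    if (p.len != 20 || p.delta != 9 || p.frame_len != 23) failures++;

    return failures;
}

int main(void)
{
    int f = demo();
    printf("%s (%d failed checks)\n", f == 0 ? "ok" : "FAIL", f);
    return f ? 1 : 0;
}
```

The capacity check is the part that matters when growing: a replayed response longer than the frame has room for must be refused or handled by a separate injection path, not written past the buffer, and whatever fields record the length change are what the sending side needs to recompute IP/TCP lengths and checksums.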