[Ettercap-developers] ettercap plugin that reallocates packet data

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all -

I spent a little time a few months ago working on a silly and fun
ettercap plugin.  The plugin purpose is to record cyclic traffic
between a client and a server for a while, and after a fixed amount of
time to replay traffic from the server to the client.

I wrote up the state recording code for my plugin and actually have
that part working.  I'm now at the stage where I've finished all the
recording that I want to do, and want to start replaying
previously-observed response packets to a given query.

Since the previously-observed response packet might be a different
length from the actual server response, I have to muck about with both
the data and length fields.  I do something like this:

}else{ /* is_request(s, PACKET) */
  if (PACKET->DATA.len != 0){
    if(&((session_data_t*)s->data)->current_request_response_item ==
NULL){
      printf("--> ERROR: request was not in list, try expanding time
of packet capture.  Allowing response through unmodified.\n");
      return;
    } /* if (&((session_data_t*... */
    SAFE_FREE(PACKET->DATA.data); // I crash ettercap here
    PACKET->DATA.len =
((session_data_t*)s->data)->current_request_response_item->mrrp.responseDataLen;
    SAFE_CALLOC(PACKET->DATA.data, 1, PACKET->DATA.len);
    memcpy(PACKET->DATA.data,
&((session_data_t*)s->data)->current_request_response_item->mrrp.responseData,
PACKET->DATA.len);
    PACKET->flags |= PO_MODIFIED;
  } /* packet length check */
} /* is_request(s, PACKET) */

Basically the code above is supposed to overwrite only response
packets, and do so using my silly method of tracking session state
(that part is working just fine).  I'm kind of curious why ettercap
dumps when I try to SAFE_FREE(PACKET->DATA.data), though...

I see the following on the console:

*** glibc detected *** /usr/local/bin/ettercap: munmap_chunk():
invalid pointer: 0xaddress ***

I ran it inside gdb and I think that it is a double free bug on
PACKET->DATA.data.  I think it's a bit curious, but I guess some other
data structure or function is keeping a handle to the pointer around
when (maybe) it shouldn't be?

On a lark, I decided to also try adding to the length of the packet
using the PACKET->DATA.inject_len and *inject mechanism.  When I use
this to add a single 'a' byte to the end of my packet, the packet
never gets sent for some reason.

So I guess my questions are pretty short:

- - Can ettercap deal with modifying the length of packets when it is
MITM'ing packets?
- - If so, what is the recommend method for expanding and shrinking
packet sizes?  So far I can't seem to find a way to make it work, and
none of the example plug-ins do this...

Thanks for any pointers/advice,
Reid
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGvV5sACgkQJRLhmgLXfdaFzwCeLSTVf91R43rtGfWZoQlH5PNd
dlkAn0Hwc7wQr2td6q7LRmDXs450sqAq
=8hgv
-----END PGP SIGNATURE-----