
List:       nmap-dev
Subject:    Re: Program crash with idle scan script on 3.93
From:       Ron <iago () valhallalegends ! com>
Date:       2005-09-18 1:08:15
Message-ID: 432CBDFF.1040207 () valhallalegends ! com


Well, I've been looking at this problem.  Although I don't understand
C++ enough to totally fix it, I found a quick workaround and I somewhat
understand the problem.

In portscan.cc, this if statement:
    if (portarray->find(portno) == portarray->end())
Is returning true on the first addPort() call, and is then attempting to
use (*portarray)[portno], which is NULL.  This is causing it to crash.

My workaround is to change
    if (portarray->find(portno) == portarray->end())
to
    if ((*portarray)[portno] && portarray->find(portno) == portarray->end())

I'm sure that's not the best solution, but hopefully it helps somebody
else track down the problem; although it solves it, it might break
something else, and it still causes a SIGSEGV (after nmap is done,
rather than during the scan).  Email me if you have any questions, I've
looked at the addPort() function pretty extensively :)

I attached a patch for it.

Ron wrote:
> Here's the gdb output for anybody who wants to fix the problem:
> 
> Starting program: /home/iago/nmap-3.84ALPHA2/nmap -sI 192.168.1.6:135
> 192.168.1.3
> WARNING: Many people use -P0 w/Idlescan to prevent pings from their true
> IP.  On the other hand, timing info Nmap gains from pings can allow for
> faster, more reliable scans.
> 
> Starting nmap 3.84ALPHA2 ( http://www.insecure.org/nmap/ ) at 2005-09-17
> 18:50 CDT
> Warning: File ./nmap-services exists, but Nmap is using
> /usr/local/share/nmap/nmap-services for security and consistency
> reasons.  set NMAPDIR=. to give priority to files in your local
> directory (may affect the other data files too).
> Idlescan using zombie 192.168.1.6 (192.168.1.6:135); Class: Incremental
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x08073420 in PortList::addPort (this=0x80e7380, portno=22, protocol=6
> '\006',
>     owner=0x0, state=2) at portlist.cc:473
> 473           error("Duplicate port (%hu/%s)\n", portno,
> proto2ascii(protocol));
> (gdb) backtrace
> #0  0x08073420 in PortList::addPort (this=0x80e7380, portno=22,
>     protocol=6 '\006', owner=0x0, state=2) at portlist.cc:473
> #1  0x0805d105 in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2ebc, numports=135165720, expectedopen=1) at idle_scan.cc:935
> #2  0x0805d078 in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2eb8, numports=135165720, expectedopen=1) at idle_scan.cc:846
> #3  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2eb8, numports=135165720, expectedopen=2) at idle_scan.cc:833
> #4  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2eb8, numports=135165720, expectedopen=2) at idle_scan.cc:833
> #5  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2eb8, numports=135165720, expectedopen=2) at idle_scan.cc:833
> #6  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2eb8, numports=135165720, expectedopen=-1) at
> idle_scan.cc:833
> #7  0x0805d578 in idle_scan (target=0x80e7320, portarray=0x80f2eb8,
>     numports=1668, proxyName=0x3c <Address 0x3c out of bounds>)
>     at idle_scan.cc:1003
> #8  0x0804e327 in nmap_main (argc=4, argv=0xbffff774) at nmap.cc:1200
> #9  0x0804b234 in main (argc=4, argv=0xbffff774, envp=0xbffff788)
>     at main.cc:244
> (gdb)
> 
> 
> Fred Goldman wrote:
> 
>>>I have had the same problem both with the GUI and command line. To many 
>>>different sites. I do have the alerter files from XP if you want them? Plus 
>>>I think I may have a nmap dump file.* I am running XP* Home SP1 with all the 
>>>security updates. I have used them on different ports as well. I used the 
>>>idle scan command as per the article on your site. Thanks.
>>> Thanks,
>>>michaelg618
>>>
>>> On 9/17/05, nmap-dev-request@insecure.org <nmap-dev-request@insecure.org> 
>>>wrote: 
>>>
>>>
>>>>Send nmap-dev mailing list submissions to
>>>>nmap-dev@insecure.org
>>>>
>>>>Today's Topics:
>>>>
>>>>1. possible idlescan problems in 3.93 (BAKEMAN)
>>>>
>>>>
>>>>----------------------------------------------------------------------
>>>>
>>>>Message: 1
>>>>Date: Fri, 16 Sep 2005 16:01:23 -0700 (PDT)
>>>>From: BAKEMAN <bakeman@physics.unr.edu>
>>>>Subject: possible idlescan problems in 3.93
>>>>To: nmap-dev@insecure.org
>>>>Message-ID: <20050916154944.C2721@rigel.physics.unr.edu>
>>>>Content-Type: TEXT/PLAIN; charset=US-ASCII
>>>>
>>>>I found this while testing out a simple idlescan script used to collect
>>>>zombies. It seems that there is a SIGSEGV error in 3.93.
>>>>
>>>>[root@mbakeman format_files]# nmap -P0 -sI 40.71.195.116<http://40.71.195.116> 
>>>>64.136.59.125 <http://64.136.59.125>
>>>>Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-16 15:42 
>>>>PDT
>>>>Idlescan zombie 40.71.195.116 <http://40.71.195.116> (40.71.195.116<http://40.71.195.116>) 
>>>>port 80 cannot be used
>>>>because it has not returned any of our probes -- perhaps it is down or
>>>>firewalled.
>>>>QUITTING!
>>>>
>>>>[root@mbakeman format_files]# nmap -P0 -sI 40.71.195.116<http://40.71.195.116> 
>>>>64.136.59.125 <http://64.136.59.125>
>>>>Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-09-16 15:43 
>>>>PDT
>>>>Idlescan zombie 40.71.195.116 <http://40.71.195.116> (40.71.195.116<http://40.71.195.116>) 
>>>>port 80 cannot be used
>>>>because it has not returned any of our probes -- perhaps it is down or
>>>>firewalled.
>>>>QUITTING!
>>>>caught SIGSEGV signal, cleaning up
>>>>Aborted
>>>>
>>>>I have not tried this on a working zombie so far yet.
>>>>
>>>>Aphex
>>>>
>>>>
>>>>------------------------------
>>>>
>>>>_______________________________________________
>>>>nmap-dev mailing list
>>>>nmap-dev@insecure.org
>>>>http://cgi.insecure.org/mailman/listinfo/nmap-dev
>>>>
>>>>
>>>>End of nmap-dev Digest, Vol 6, Issue 17
>>>>***************************************
>>>>
>>>
>>>
>>>
>>>_______________________________________________
>>>Sent through the nmap-dev mailing list
>>>http://cgi.insecure.org/mailman/listinfo/nmap-dev
>>>
>>>
> 

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev



["nmap-3.93.idlescan.patch" (text/plain)]

Only in nmap-3.93.new: .portlist.cc.swp
diff -rub nmap-3.93/portlist.cc nmap-3.93.new/portlist.cc
--- nmap-3.93/portlist.cc	2005-09-17 20:04:48.000000000 -0500
+++ nmap-3.93.new/portlist.cc	2005-09-17 20:04:13.000000000 -0500
@@ -465,7 +465,7 @@
     portarray = &ip_prots;
   } else fatal("addPort: attempted port insertion with invalid protocol");
 
-  if (portarray->find(portno) == portarray->end()) {
+  if ((*portarray)[portno] && portarray->find(portno) == portarray->end()) {
     /* We must discount our statistics from the old values.  Also warn
        if a complete duplicate */
     current = (*portarray)[portno];    
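Review bot: the new guard still can never take the duplicate branch, and it introduces a side effect. With portarray used as a std::map (find()/end()/operator[]), `(*portarray)[portno]` default-inserts a NULL entry when the key is absent, so afterwards find() no longer equals end() and the whole `&&` is false; when the key is present, `find(portno) == end()` is false as well. The branch body (`current = (*portarray)[portno];`, with the comment about discounting old statistics and warning on a complete duplicate) handles the case where the port already exists, which suggests the original condition is simply inverted: `if (portarray->find(portno) != portarray->end()) {` enters the duplicate path only when an entry exists, avoids the NULL dereference on the first insert, and leaves no NULL entries behind in the map, which may also explain the SIGSEGV after the scan finishes that the message mentions. The stray `.portlist.cc.swp` listed above the diff should not ship with the patch either.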



