Nmap Development mailing list archives
Re: -sV crash in $# substitution function substvar()
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 21 Jul 2007 23:01:02 +0000
On Sat, 21 Jul 2007 15:02:59 -0700 plus or minus some time doug () hcsw org wrote:
> Hi Brandon! Thanks for the bug report! This is indeed a strange one. I checked out the service match lines that should match your application and it looks like they are buggy!

Stupid me to just assume it was a problem in the code. I stared at the source for over an hour trying to figure it out. I should have at least *looked* at the match line.

> On the line in the probes file:
>
> match rtsp m|^RTSP/1\.0 \d\d\d .*\r\nServer: Helix (:?DNA )?Server Version ([\d.]+) \(linux-[^)\r\n]+\)|s p/Helix DNA Server/ v/$1/ o/Linux/
>
> Could you change (:?DNA )? to [\w ]+ and see if it fixes your crash? I've changed the corresponding line in the soc07 SVN branch if you'd rather try that version.

I went ahead and changed '(:?DNA )?' to non-capturing parenthesis, '(?:DNA )?' instead of [\w ]+. Either one fixes the problem but I think leaving DNA in there is probably a good idea if future names come along.

> Non-capturing clustering is done incorrectly in that match line. Oops, probably my fault! What's strange is that the 2 submissions for this service seem to match OK with my scripts before even applying the fix.
>
> Thanks!
>
> Doug
While we're on the topic of match-line bugs, I noticed this one often matches too much and throws a warning:

match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]+)|s p/Apache httpd/ v/$1/ i/$2/

Warning: Servicescan failed to fill info_template (subjectlen: 2566). Too long? Match string was line 3145: v/Apache httpd/$1/$2

To solve this, I split it into two match lines, one that tries to get extra info for i/$2/ (up to 30 chars) and one that just matches the service:

match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]{1,30})[\ \r\n]|s p/Apache httpd/ v/$1/ i/$2/
match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+)|s p/Apache httpd/ v/$1/

If you are interested in the banner being returned to cause the warning in the first place I'm sure I could use --version-trace and figure it out. Let me know and I'll work on it.

Brandon

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
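The match-line behaviour discussed in this thread, as an added example that is not from the thread or from Nmap's own code: a small Python model of how a match line's regex and p/ v/ i/ o/ templates are parsed and $N-substituted, run against constructed banners. It shows why the buggy (:?DNA )? group shifts $1 onto the wrong text (or leaves it unset when the banner has no "DNA"), and why the bounded {1,30} Apache line falls through to the plain one on an oversized Server header. The parser, substvar and first_match functions are this example's own simplifications, not Nmap's, and the banners are constructed.

```python
import re

# Match lines quoted in the thread: the buggy Helix line, its corrected form, and the two Apache lines.
HELIX_BUGGY = r"match rtsp m|^RTSP/1\.0 \d\d\d .*\r\nServer: Helix (:?DNA )?Server Version ([\d.]+) \(linux-[^)\r\n]+\)|s p/Helix DNA Server/ v/$1/ o/Linux/"
HELIX_FIXED = HELIX_BUGGY.replace("(:?DNA )?", "(?:DNA )?")
APACHE_LINES = [
    r"match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]{1,30})[\ \r\n]|s p/Apache httpd/ v/$1/ i/$2/",
    r"match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+)|s p/Apache httpd/ v/$1/",
]
# Constructed banners (not captures from the thread), shaped like the services discussed.
HELIX_DNA_BANNER = "RTSP/1.0 200 OK\r\nServer: Helix DNA Server Version 11.0.1 (linux-2.6-libc6-i686)\r\n"
HELIX_BANNER = "RTSP/1.0 200 OK\r\nServer: Helix Server Version 11.0.1 (linux-2.6-libc6-i686)\r\n"
APACHE_SHORT = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.4 (Unix) PHP/5.2.3 OpenSSL/0.9.8e\r\n\r\n"
APACHE_LONG = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.4 " + "x" * 2500 + "\r\n\r\n"

MATCH_LINE = re.compile(r"^match (\S+) m(.)(.*?)\2([a-z]*)\s*(.*)$")  # match svc m|regex|flags templates
TEMPLATE = re.compile(r"\b([pvioh])/([^/]*)/")                      # p/../ v/../ i/../ o/../ h/../

def parse_match_line(line):
    """Split a match line into (service, compiled regex, {field letter: template})."""
    svc, _, pattern, flags, rest = MATCH_LINE.match(line).groups()
    re_flags = (re.DOTALL if "s" in flags else 0) | (re.IGNORECASE if "i" in flags else 0)
    return svc, re.compile(pattern, re_flags), dict(TEMPLATE.findall(rest))

def substvar(template, m):
    """Expand $N from the regex match. Toy expander (assumption): a $N whose group is out of
    range or did not participate is reported as an error instead of substituting garbage."""
    def repl(mo):
        n = int(mo.group(1))
        if n > m.re.groups or m.group(n) is None:
            raise ValueError(f"${n} refers to a missing or unset capture group")
        return m.group(n)
    return re.sub(r"\$(\d+)", repl, template)

def first_match(lines, banner):
    """Fill the templates of the first match line whose regex matches, in file order."""
    for line in lines:
        svc, regex, templates = parse_match_line(line)
        m = regex.search(banner)
        if m:
            return {"service": svc, **{k: substvar(v, m) for k, v in templates.items()}}
    return None
```

With the buggy Helix line, `$1` expands to "DNA " on a DNA banner and to an unset group on a plain one; with the fixed line it is the version either way.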