Nmap Development mailing list archives
Re: Always practice safe software: a lesson from UnrealIRCd
From: Ron <ron () skullsecurity net>
Date: Tue, 22 Jun 2010 14:55:37 -0500
On Fri, 18 Jun 2010 14:09:21 -0600 David Fifield <david () bamsoftware com> wrote:
> Hey guys, this script looks really good. However I found it gives a lot
> of false positives when many instances of the script are run, because
> the timer is started before the socket is connected, and the script may
> block waiting for the socket. I ran against the 592 addresses from
> http://seclists.org/nmap-dev/2010/q2/830.
>
> nmap --datadir . -p 6666,6667 -iL unreal.nmap -d --script=irc-unrealircd-backdoor.nse
>
> It's clear what's happening in the output:
>
> NSE: irc-unrealircd-backdoor: Received a response to our command in 2 seconds
> NSE: irc-unrealircd-backdoor: The Trojanned version of unrealircd probably isn't
> ...
> NSE: irc-unrealircd-backdoor: Received a response to our command in 37 seconds
> NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
> NSE: Finished irc-unrealircd-backdoor against 213.232.94.72:6667.
> NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
> NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
> NSE: Finished irc-unrealircd-backdoor against 213.186.37.193:6667.
> NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
> NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
> NSE: Finished irc-unrealircd-backdoor against 89.105.117.89:6667.
> NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
> NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
> NSE: Finished irc-unrealircd-backdoor against 12.96.164.10:6667.
> NSE: irc-unrealircd-backdoor: Receive failed: TIMEOUT
> ...
> NSE: irc-unrealircd-backdoor: Received a response to our command in 222 seconds
> NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
> NSE: Finished irc-unrealircd-backdoor against 171.25.159.12:6666.
>
> I think it will work if you start the timer after the call to
> comm.tryssl, not before.
>
> I also saw this error at least three times:
>
> NSE: irc-unrealircd-backdoor against 209.126.180.156:6666 threw an error!
> ./scripts/irc-unrealircd-backdoor.nse:105: attempt to concatenate local 'response' (a nil value)
> stack traceback:
>         ./scripts/irc-unrealircd-backdoor.nse:105: in function <./scripts/irc-unrealircd-backdoor.nse:55>
>         (tail call): ?
>
> Other addresses where it happened were 66.235.194.60:6667 and
> 118.98.162.85:6667.
>
> If you can run this same test and make it work, then please go ahead and
> commit the script.
>
> David Fifield

Your suggestion of starting the timer after comm.tryssl() is a good one, but I'm not sure it'll solve the problem. I don't understand how Lua threads work, so Patrick or others can correct me if I'm wrong, but I'm assuming that as soon as I do a send() or receive() my script relinquishes its timeslice and others have a chance to run. As a result, won't we still run into the same issue?

I could be mistaken, please let me know if I am.

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
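
The false-positive mechanism described in the quoted report, as a deterministic model added here (not code from this thread or from irc-unrealircd-backdoor.nse): every probe is launched at once but only a limited number of sockets may be open, so a timer started before the connect also counts the time spent waiting for a socket. The threshold, socket limit, receive timeout and host list are constructed assumptions, and the model covers socket waiting only, not scheduling delay after send() or receive().

```python
import heapq

THRESHOLD = 10      # seconds; assumed cut-off for a "delayed" reply (not the script's value)
RECV_TIMEOUT = 30   # seconds; assumed receive timeout

# Constructed sample: (host, seconds until the server answers, or None if it never does)
HOSTS = [("clean-%d" % i, 3) for i in range(1, 6)] + [("silent", None), ("slow", 12)]

def simulate(hosts, max_sockets, timer_before_connect):
    """Model probes that all start at t=0 while only max_sockets may be connected.

    Returns {host: verdict} where verdict is "normal", "delayed" or "no response".
    """
    free_at = [0.0] * max_sockets        # virtual time at which each socket slot frees up
    heapq.heapify(free_at)
    verdicts = {}
    for name, delay in hosts:
        connected = heapq.heappop(free_at)   # the probe blocks here until a slot is free
        held = RECV_TIMEOUT if delay is None else delay
        heapq.heappush(free_at, connected + held)
        if delay is None:
            # A failed receive yields no data: report it instead of using the
            # missing response (the nil concatenation error in the quoted output).
            verdicts[name] = "no response"
            continue
        start = 0.0 if timer_before_connect else connected
        elapsed = (connected + delay) - start
        verdicts[name] = "delayed" if elapsed >= THRESHOLD else "normal"
    return verdicts

def flagged(verdicts):
    """Hosts the timing check would report as delayed, in sorted order."""
    return sorted(h for h, v in verdicts.items() if v == "delayed")

if __name__ == "__main__":
    for before in (True, False):
        label = "timer before connect" if before else "timer after connect"
        print(label, "->", flagged(simulate(HOSTS, 1, before)))
```
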