Nmap Development mailing list archives
[NSE] Bug (short read) in pop3-capabilities.nse
From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 11 Jun 2012 11:04:35 -0500
Hey list,

I would have reported this with a patch, but I never quite got the hang of reading from sockets in NSE scripts :(

When scanning one of the Alexa top 1M hosts via IPv6, I ran across this exception:
NSOCK (0.8110s) TCP connection requested to 2a01:4f8:121:1262::2:110 (IOD #1) EID 8
NSOCK (0.9530s) Callback: CONNECT SUCCESS for EID 8 [2a01:4f8:121:1262::2:110]
NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | CONNECT
NSOCK (0.9530s) Read request from IOD #1 [2a01:4f8:121:1262::2:110] (timeout: 10000ms) EID 18
NSOCK (1.0920s) Callback: READ SUCCESS for EID 18 [2a01:4f8:121:1262::2:110] (76 bytes): +OK CommuniGate Pro POP3 Server 5.2.20 ready <14999.1339429588 () aenigma gr>..
NSE: TCP XXXX:42686 < 2a01:4f8:121:1262::2:110 | +OK CommuniGate Pro POP3 Server 5.2.20 ready <14999.1339429588 () aenigma gr>
NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | 00000000: 43 41 50 41 0d 0a    CAPA
NSOCK (1.0930s) Write request for 6 bytes to IOD #1 EID 27 [2a01:4f8:121:1262::2:110]: CAPA..
NSOCK (1.0930s) Callback: WRITE SUCCESS for EID 27 [2a01:4f8:121:1262::2:110]
NSE: TCP XXXX:42686 > 2a01:4f8:121:1262::2:110 | SEND
NSOCK (1.0940s) Read request from IOD #1 [2a01:4f8:121:1262::2:110] (timeout: 10000ms) EID 34
NSOCK (1.2320s) Callback: READ SUCCESS for EID 34 [2a01:4f8:121:1262::2:110] (29 bytes): +OK capability list follows..
NSE: TCP XXXX:42686 < 2a01:4f8:121:1262::2:110 | 00000000: 2b 4f 4b 20 63 61 70 61 62 69 6c 69 74 79 20 6c    +OK capability l
00000010: 69 73 74 20 66 6f 6c 6c 6f 77 73 0d 0a    ist follows
NSE: 'pop3-capabilities' (thread: 0x8ba8468) against 2a01:4f8:121:1262::2:110 threw an error!
./nselib/pop3.lua:173: bad argument #2 to 'sub' (number expected, got nil)
stack traceback:
        [C]: in function 'sub'
        ./nselib/pop3.lua:173: in function 'capabilities'
        ./scripts/pop3-capabilities.nse:30: in function <./scripts/pop3-capabilities.nse:29>
        (...tail calls...)
I checked manually, and this is the response I get:
ncat -vvv -6 freestuff.gr 110
Ncat: Version 6.01 ( http://nmap.org/ncat )
NSOCK (0.0110s) TCP connection requested to 2a01:4f8:121:1262::2:110 (IOD #1) EID 8
NSOCK (0.1550s) Callback: CONNECT SUCCESS for EID 8 [2a01:4f8:121:1262::2:110]
Ncat: Connected to 2a01:4f8:121:1262::2:110.
NSOCK (0.1560s) Read request from IOD #1 [2a01:4f8:121:1262::2:110] (timeout: -1ms) EID 18
NSOCK (0.1560s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 26
NSOCK (0.2970s) Callback: READ SUCCESS for EID 18 [2a01:4f8:121:1262::2:110] (76 bytes)
+OK CommuniGate Pro POP3 Server 5.2.20 ready <15001.1339430446 () aenigma gr>
NSOCK (0.2970s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 34
CAPA
NSOCK (5.0260s) Callback READ SUCCESS for EID 26 (peer unspecified) (5 bytes)
NSOCK (5.0260s) Write request for 5 bytes to IOD #1 EID 43 [2a01:4f8:121:1262::2:110]
NSOCK (5.0260s) Callback: WRITE SUCCESS for EID 43 [2a01:4f8:121:1262::2:110]
NSOCK (5.0260s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 50
NSOCK (5.1690s) Callback: READ SUCCESS for EID 34 [2a01:4f8:121:1262::2:110] (29 bytes)
+OK capability list follows
NSOCK (5.1690s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 58
NSOCK (5.3090s) Callback: READ SUCCESS for EID 58 [2a01:4f8:121:1262::2:110] (129 bytes)
SASL LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM
STLS
LAST
TOP
USER
PIPELINING
UIDL
IMPLEMENTATION CommuniGatePro
.
NSOCK (5.3090s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 66
QUIT
NSOCK (8.9930s) Callback READ SUCCESS for EID 50 (peer unspecified) (5 bytes)
NSOCK (8.9930s) Write request for 5 bytes to IOD #1 EID 75 [2a01:4f8:121:1262::2:110]
NSOCK (8.9940s) Callback: WRITE SUCCESS for EID 75 [2a01:4f8:121:1262::2:110]
NSOCK (8.9940s) Read request for 0 bytes from IOD #2 (peer unspecified) EID 82
NSOCK (9.1400s) Callback: READ SUCCESS for EID 66 [2a01:4f8:121:1262::2:110] (51 bytes)
+OK CommuniGate Pro POP3 Server connection closed
NSOCK (9.1400s) Read request for 0 bytes from IOD #1 [2a01:4f8:121:1262::2:110] EID 90
NSOCK (9.1400s) Callback: READ EOF for EID 90 [2a01:4f8:121:1262::2:110]
Ncat: 10 bytes sent, 285 bytes received in 9.15 seconds.
NSOCK (9.1400s) Callback: READ KILL for EID 82 (peer unspecified)
As you can see from the debug output, the response is sent in a separate packet from the "status line", so the pop3 library needs to keep reading until a "." is seen.
Dan

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
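The reading discipline the report asks for, as an added example in Python (not code from the post, nor from Nmap's nselib/pop3.lua): a reader that keeps accumulating until the RFC 1939 multi-line terminator (a line holding only ".") is seen, beside the single-read pattern that breaks on this server. The chunk boundaries in SAMPLE_CHUNKS are constructed to mirror the 29-byte status line and 129-byte body seen in the captures; the recv() stand-in, the function names and the Pop3Error class are this example's own.

```python
"""Reading a POP3 multi-line response that arrives across several TCP reads.

Added example, not Nmap/NSE code. The chunk sizes below are constructed to
mirror the capture in the post: the "+OK capability list follows" status
line comes back alone, and the capability body arrives in a later read.
"""

CRLF = b"\r\n"
TERMINATOR = CRLF + b"." + CRLF   # RFC 1939: a line holding only "." ends a multi-line reply


class Pop3Error(Exception):
    """-ERR from the server, or the stream ended before the reply was complete."""


def make_chunked_source(chunks):
    """Return a recv()-like callable that yields the given chunks, then b"" (EOF)."""
    it = iter(chunks)
    return lambda: next(it, b"")


def read_multiline_response(recv):
    """Return (status_line, body_lines) for a multi-line POP3 reply.

    recv() is called repeatedly; neither the status line nor the terminator
    is assumed to be complete in any single read.
    """
    buf = b""
    while CRLF not in buf:                      # phase 1: a full status line
        chunk = recv()
        if not chunk:
            raise Pop3Error("EOF before status line")
        buf += chunk
    status, _, rest = buf.partition(CRLF)
    if not status.startswith(b"+OK"):
        raise Pop3Error(status.decode("ascii", "replace"))
    body = CRLF + rest                          # leading CRLF so an empty body (".\r\n") matches too
    while TERMINATOR not in body:               # phase 2: read until the lone "." line
        chunk = recv()
        if not chunk:
            raise Pop3Error("EOF before multi-line terminator")
        body += chunk
    body = body.partition(TERMINATOR)[0][len(CRLF):]
    lines = body.split(CRLF) if body else []
    # undo byte-stuffing: a body line that really began with "." was sent as ".."
    return status, [l[1:] if l.startswith(b"..") else l for l in lines]


def parse_capabilities(lines):
    """CAPA body lines -> {capability: [arguments]}."""
    caps = {}
    for line in lines:
        words = line.decode("ascii", "replace").split()
        if words:
            caps[words[0]] = words[1:]
    return caps


def capabilities_from_chunks(chunks):
    """Full read discipline: CAPA reply assembled from however many reads it takes."""
    _, lines = read_multiline_response(make_chunked_source(chunks))
    return parse_capabilities(lines)


def safe_capabilities(chunks):
    """Same, but None instead of an exception for -ERR or a truncated stream."""
    try:
        return capabilities_from_chunks(chunks)
    except Pop3Error:
        return None


def naive_capabilities_from_chunks(chunks):
    """The short-read pattern from the report: one read, then parse whatever came.

    Correct only if the server put the status line and the whole body into the
    same read; against the two-read server it silently yields no capabilities.
    """
    data = make_chunked_source(chunks)()
    status, _, rest = data.partition(CRLF)
    if not status.startswith(b"+OK"):
        raise Pop3Error(status.decode("ascii", "replace"))
    return parse_capabilities([l for l in rest.split(CRLF) if l and l != b"."])


# Constructed sample: status line in one read (29 bytes), body in a second (129 bytes),
# the same split the NSE and ncat captures show for this server.
SAMPLE_CHUNKS = [
    b"+OK capability list follows\r\n",
    b"SASL LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI MSN NTLM\r\nSTLS\r\nLAST\r\nTOP\r\n"
    b"USER\r\nPIPELINING\r\nUIDL\r\nIMPLEMENTATION CommuniGatePro\r\n.\r\n",
]

if __name__ == "__main__":
    print("naive:", naive_capabilities_from_chunks(SAMPLE_CHUNKS))   # {}
    print("fixed:", capabilities_from_chunks(SAMPLE_CHUNKS))
    # the terminator may also straddle reads; the fixed reader does not care
    raw = b"".join(SAMPLE_CHUNKS)
    assert capabilities_from_chunks([bytes([b]) for b in raw]) == capabilities_from_chunks(SAMPLE_CHUNKS)
```

The naive reader is the shape of the failure in the report: it gets the status line, finds nothing after it, and hands an empty list to the caller. The terminator search runs over the whole buffer on every pass, so a "." that lands at a read boundary (or a dot-stuffed ".." line in the body) is handled the same way as one that arrives whole; a real socket version should additionally bound the buffer size and the total wait so a server that never sends the terminator cannot hold the script forever.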
Current thread:
- [NSE] Bug (short read) in pop3-capabilities.nse Daniel Miller (Jun 11)
- Re: [NSE] Bug (short read) in pop3-capabilities.nse Patrik Karlsson (Jun 15)