Nmap Development mailing list archives
Re: [nmap-svn] r29382 - nmap-exp/kroosec/rpc-grind/nselib
From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 26 Jul 2012 16:47:46 -0500
On 07/26/2012 03:41 PM, Henri Doreau wrote:
Hello, I think that the following patch should be ported to trunk. Nmap currently doesn't even connect to RPC services if not run in privileged mode. I agree that attempting to bind to a <1024 port is a good thing to try but if not possible that shouldn't stop the execution flow.

Regards.

2012/7/26 <commit-mailer () insecure org>:
Author: henri
Date: Thu Jul 26 13:38:43 2012
New Revision: 29382
Log: Attempt to connect even if nmap runs in non privileged mode.
Modified: nmap-exp/kroosec/rpc-grind/nselib/rpc.lua

Modified: nmap-exp/kroosec/rpc-grind/nselib/rpc.lua ============================================================================== --- nmap-exp/kroosec/rpc-grind/nselib/rpc.lua (original) +++ nmap-exp/kroosec/rpc-grind/nselib/rpc.lua Thu Jul 26 13:38:43 2012 @@ -171,12 +171,10 @@ -- Try to bind to a reserved port for resvport = 600, 1024, 1 do status, err = socket:bind(nil, 1000) - if status then - status, err = socket:connect(host, port) - if status then break end - end + if status then break end end end + status, err = socket:connect(host, port) else socket = nmap.new_socket("udp") if nmap.is_privileged() then

_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
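Review bot: moving socket:connect(host, port) out of the loop defeats the retry the loop exists for. In the hunk the loop now breaks on the first socket:bind(nil, 1000) that returns true, and since (as Dan notes in this thread) the NSE bind does not report an in-use port as a failure, the failure only surfacing at connect, the single connect after the loop fails whenever that port is taken and no other reserved port is ever tried. Keep the connect inside the loop for the privileged branch and add the fallback after the loop only when every reserved port failed, e.g. `socket:bind(nil, nil)` followed by `status, err = socket:connect(host, port)`. Separately, `socket:bind(nil, 1000)` ignores the loop variable, so every iteration of `for resvport = 600, 1024, 1 do` binds the same port; it should read `socket:bind(nil, resvport)`.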
Henri,

I introduced this code, since many NFS servers won't respond if the client is not bound to a reserved port. I confess the order of socket calls and return values was confusing to me, but based on what I remember from my testing, I don't think this will work.
The specific bug condition is when the socket tries to bind to a port that is in use. The NSE socket:bind call will not fail like a C bind(2) call would. Instead, the failure comes when trying to do socket:connect(). That's why the code loops over ports from 600 to 1000 until it finds one that works.
A better way would be to check if any of those reserved ports succeeded, and if not, socket:bind(nil,nil) to clear the error condition and just connect with any port.
Dan
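The connect strategy Dan describes above, as an added example that is not code from this thread or from Nmap's own rpc.lua: try each reserved source port in turn, treat a failed connect (not a failed bind) as "port in use", and only after every reserved port has failed fall back to an ephemeral port. The function name `connect_reserved_or_any` and the `proto` parameter are hypothetical; `nmap.new_socket`, `nmap.is_privileged`, `socket:bind`, `socket:connect` and `socket:close` are the NSE calls already used in the quoted patch. Following Dan's suggestion, the fallback clears the pending bind with `socket:bind(nil, nil)`; that this resets the bind state on a not-yet-connected socket is assumed here, not verified.

```lua
-- Added example, not code from the thread or from Nmap's rpc.lua.
local nmap = require "nmap"

-- Connect to host:port from a reserved source port (600-1023) when running
-- privileged, falling back to an unprivileged ephemeral source port when
-- every reserved port is busy or when nmap is not privileged.
-- Returns the connected socket, or nil plus an error string.
-- (connect_reserved_or_any and proto are hypothetical names.)
local function connect_reserved_or_any(host, port, proto)
  proto = proto or "tcp"
  local socket = nmap.new_socket(proto)
  local status, err

  if nmap.is_privileged() then
    for resvport = 600, 1023 do
      -- Bind reports success even when the port is already in use
      -- (Dan's observation); only connect() tells us whether it worked,
      -- so the connect has to stay inside the loop.
      status, err = socket:bind(nil, resvport)
      if status then
        status, err = socket:connect(host, port)
        if status then
          return socket          -- connected from reserved port resvport
        end
      end
    end
    -- Every reserved port failed: clear the pending bind so the OS picks
    -- any source port (Dan's socket:bind(nil, nil); assumed to reset the
    -- bind state on an unconnected socket).
    socket:bind(nil, nil)
  end

  -- Unprivileged, or no reserved port was usable: connect from any port
  -- rather than giving up, which is the behaviour the patch wanted.
  status, err = socket:connect(host, port)
  if not status then
    socket:close()
    return nil, err
  end
  return socket
end

return { connect_reserved_or_any = connect_reserved_or_any }
```

The retry loop reuses one socket object across failed connects, as the original (pre-patch) rpc.lua loop did; if that turns out to be unreliable for a given nsock build, creating a fresh socket with `nmap.new_socket(proto)` before the fallback connect is the conservative alternative to `socket:bind(nil, nil)`.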