Nmap Development mailing list archives
Re: nmap's service discovery crashable
From: Daniel Miller <bonsaiviking () gmail com>
Date: Tue, 15 Apr 2014 11:32:08 -0500
On 04/15/2014 11:22 AM, Daniel Miller wrote:
> On 04/15/2014 08:58 AM, Jacek Wielemborek wrote:
>> 15/04/2014 15:57:26 Jacek Wielemborek <d33tah () gmail com>:
>>> Hello,
>>>
>>> While trying to trick Nmap into printing non-ASCII characters from the
>>> payloads in service discovery mode, I stumbled upon a bug. Here's how to
>>> reproduce it:
>>>
>>> ncat -l 31337 -k --sh-exec "/bin/echo -en '\x00\x03sok\0.n\0\0\x33\x33\x33\x33\x33\x33\x33\x33'" &
>>> nmap localhost -p 31337 -sV --version-intensity 9
>>>
>>> Yours,
>>> Jacek Wielemborek
>>
>> Ah, sorry, forgot to include the output:
>>
>> Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-15 15:58 CEST
>> nmap: service_scan.cc:758: char* substvar(char*, char**, const u8*, int, int*, int): Assertion `offstart >= 0 && offstart < subjectlen' failed.
>> zsh: abort nmap localhost -p 31337 -sV --version-intensity 9
>
> It looks like this crash happens when the service match line specifies a
> group that can be a 0-length string, then that group gets substituted into
> one of the match templates. Here's a trivial example:
>
> match blah m|.*(a*)| p/>$1</
>
> This line will match any number of "a"s at the end of a service response
> and put them in the product name. If you place this line in
> nmap-service-probes at the head of the TCP NULL probe, then it will crash
> with the same error when scanning any service that doesn't contain at
> least 1 "a" character.
>
> I don't have a fix at the moment, but this should be a good starting point
> for someone to dig into the problem: How can we perform a substitution of
> an empty string? The alternative would be to ensure that no match line
> specifies a grouping that can match the empty string, but that's a lot of
> work and does not prevent the error from happening again in the future.
>
> Dan

Clarification: This only happens when the 0-length match is at the end of
the match line. So given a service that says "blah" and hangs up, this will
trigger:

match blah m|blah(.*)| p/$1/

But this will not:

match blah m|(.*)blah| p/$1/

As far as I can tell, these are the only 2 patterns affected:

match domain m|^\0\x06\x05\0\0\x01\0\x01\0\0\0\0\x07version\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x01X\x02\0\0\0..Microsoft DNS (.*)|s p/Microsoft DNS/ v/$1/ o/Windows/ cpe:/o:microsoft:windows/a
match erlang-node m|^\0[^\x03]s(.*)|s p/Erlang Distribution Node/ i/Status: $1/
Dan

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
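Added worked example, not part of the thread and not Nmap's source: a small Python model of nmap-service-probes "match" lines and of the $N expansion that substvar() performs, to show concretely why the failing check `offstart >= 0 && offstart < subjectlen` fires for an empty capture group at the very end of the response (offstart == subjectlen) but not for an empty group earlier in it. The function names (parse_match_line, substvar, apply_match_line), the constructed banners, and the relaxed bound used when strict=False are my own assumptions for illustration; the relaxed bound is not Nmap's actual fix.

```python
import re

# Added example, not Nmap's code: a model of "match" lines and of the $N
# substitution done by substvar() in service_scan.cc.  It reproduces the
# reporter's assertion on a zero-length group at the end of the subject.

FIELD_CHARS = "pvihod"   # product, version, info, hostname, ostype, devicetype


def parse_match_line(line):
    """Split 'match <svc> m<d>regex<d>[si] p<d>...<d> ...' into its parts.

    Only the template fields above are parsed; a trailing cpe:/.../ entry
    is ignored, since it is irrelevant to the substitution bug.
    """
    head = re.match(r"match\s+(\S+)\s+m(.)", line)
    if head is None:
        raise ValueError("not a match line: %r" % line)
    service, delim = head.group(1), head.group(2)
    rest = line[head.end():]
    regex, rest = rest.split(delim, 1)          # regex runs to the next delimiter
    opts = re.match(r"([si]*)\s*", rest)
    flags = 0
    if "s" in opts.group(1):
        flags |= re.DOTALL
    if "i" in opts.group(1):
        flags |= re.IGNORECASE
    rest = rest[opts.end():]
    templates = {}
    while rest:
        fld = re.match(r"([%s])(.)" % FIELD_CHARS, rest)
        if fld is None:
            break                                # e.g. cpe:/... (different syntax)
        body, rest = rest[fld.end():].split(fld.group(2), 1)
        templates[fld.group(1)] = body
        rest = rest.lstrip()
    # Responses are raw bytes, so compile the regex as a bytes pattern.
    return service, re.compile(regex.encode("latin-1"), flags), templates


def substvar(template, match, subjectlen, strict=True):
    """Expand $N references from the regex match, with a bounds check.

    strict=True reproduces the assertion the reporter hit.  strict=False is
    an assumed relaxation (not Nmap's actual fix): a group whose start
    offset equals subjectlen is a legal, empty substitution.
    """
    def expand(ref):
        n = int(ref.group(1))
        offstart, offend = match.span(n)
        if strict:
            assert offstart >= 0 and offstart < subjectlen, (
                "offstart=%d subjectlen=%d" % (offstart, subjectlen))
        else:
            assert 0 <= offstart <= offend <= subjectlen
        return match.group(n).decode("latin-1")
    return re.sub(r"\$(\d+)", expand, template)


def apply_match_line(line, banner, strict=True):
    """Return ("nomatch", {}), ("ok", fields) or ("crash", {}) for one banner."""
    service, regex, templates = parse_match_line(line)
    m = regex.search(banner)
    if m is None:
        return "nomatch", {}
    try:
        fields = {f: substvar(t, m, len(banner), strict)
                  for f, t in templates.items()}
    except AssertionError:
        return "crash", {}
    return "ok", fields


if __name__ == "__main__":
    # Constructed banners (not captured traffic): "blah" with nothing after it
    # trips the check for blah(.*) but not for (.*)blah.
    for line, banner in [
        ("match blah m|blah(.*)| p/$1/", b"blah"),
        ("match blah m|(.*)blah| p/$1/", b"blah"),
        ("match blah m|blah(.*)| p/$1/", b"blah 1.2"),
    ]:
        print(line, banner, apply_match_line(line, banner))
```

Running the script prints "crash" for the first line and "ok" for the other two; passing strict=False to apply_match_line turns the first into an ok result with an empty product string, which is the outcome the substitution would need to produce for such groups.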
Current thread:
- nmap's service discovery crashable Jacek Wielemborek (Apr 15)
- Re: nmap's service discovery crashable Jacek Wielemborek (Apr 15)
- Re: nmap's service discovery crashable Daniel Miller (Apr 15)
- Re: nmap's service discovery crashable Daniel Miller (Apr 15)
- Re: nmap's service discovery crashable Daniel Miller (Apr 15)
- Re: nmap's service discovery crashable Daniel Miller (Apr 15)
- Re: nmap's service discovery crashable Jacek Wielemborek (Apr 15)