Nmap Development mailing list archives

Re: Problems in idle-scan


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 22 Oct 2014 07:59:45 -0500

I committed this patch (and a length check on the argument to -sI) as
r33746. Sorry my initial reply was sent off-list!

Dan

On Tue, Oct 21, 2014 at 10:01 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
On Tue, Oct 21, 2014 at 9:43 AM, Gisle Vanem <gvanem () yahoo no> wrote:
I'm trying to understand the idle-scan and was trying an example
from the Nmap book at:
 http://nmap.org/book/idlescan.html

For example, I used this just to try it:
 nmap -Pn -p- -sI 10.0.0.1:22 www.riaa.com

But there seem to be some errors in the use of
'proxy->host.setHostName(name)'.
By adding some trace-code, I see that 'name' on entry of
void Target::setHostName(const char *name) is:

10.0.0.1╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠... etc.

Illegal character(s) in hostname -- replacing with '*'

FYI, the '╠' is 0xCC, which my MSVC v16 in _DEBUG-mode inserts at the
end of stack buffers. And I think also when free() is called on that buffer.
Or is it 0xCD?  So where can this error or 'use after free()' occur?

--gv


Gisle,

Wow, this code is pretty scary. I'm attaching a patch that ought to
help this particular issue. Essentially, we're doing a strncpy of a
substring, and assuming the destination is full of NULLs, which would
automatically make it NULL-terminated. Instead, I changed it to
explicitly null-terminate the string.

This change only affects idle-proxy specifiers with a hostname:port
syntax; it looks like in general we always assume the argument to -sI
is less than MAXHOSTNAMELEN (64) characters, so if you specify
something larger than that, we'll have non-null-terminated strings all
over the place.

In any case, let me know if this patch solves the particular issue
you're seeing. Thanks for the sharp eyes.

Dan
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
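An added illustration in C (not Nmap's code and not the attached patch) of the strncpy() pattern Dan describes: a copy of the "host" substring into a buffer that is not zero-filled, next to a parser that terminates explicitly and rejects arguments at or beyond the MAXHOSTNAMELEN limit. The function names, the 0xCC fill that mimics the MSVC debug pattern Gisle saw, and the port-range check are constructed for this demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXHOSTNAMELEN 64   /* limit cited in the thread */

/* Bug pattern: strncpy() of a substring into a buffer that was never zeroed.
 * The buffer is pre-filled with 0xCC (constructed, mimics MSVC _DEBUG fill).
 * Returns true only if a NUL terminator exists anywhere in the buffer. */
bool buggy_copy_is_terminated(const char *spec) {
    char host[MAXHOSTNAMELEN];
    memset(host, 0xCC, sizeof host);
    const char *colon = strchr(spec, ':');
    size_t hostlen = colon ? (size_t)(colon - spec) : strlen(spec);
    if (hostlen >= sizeof host) hostlen = sizeof host - 1;
    strncpy(host, spec, hostlen);   /* copies hostlen bytes, appends no NUL */
    return memchr(host, '\0', sizeof host) != NULL;   /* false for "10.0.0.1:22" */
}

/* Hardened parser for "host[:port]" (hypothetical, not Nmap's API).
 * host is NUL-terminated on every return path; over-long input is rejected. */
bool parse_idle_proxy(const char *spec, char *host, size_t hostsz, int *port) {
    const char *colon = strchr(spec, ':');
    size_t hostlen = colon ? (size_t)(colon - spec) : strlen(spec);
    *port = 0;
    host[0] = '\0';
    if (hostlen == 0 || hostlen >= hostsz)   /* length check before copying */
        return false;
    strncpy(host, spec, hostlen);
    host[hostlen] = '\0';                    /* explicit termination */
    if (colon) {
        char *end;
        long p = strtol(colon + 1, &end, 10);
        if (*end != '\0' || p < 1 || p > 65535)
            return false;
        *port = (int)p;
    }
    return true;
}

int main(void) {
    char host[MAXHOSTNAMELEN];
    int port;
    printf("buggy copy terminated: %s\n",
           buggy_copy_is_terminated("10.0.0.1:22") ? "yes" : "no");
    if (parse_idle_proxy("10.0.0.1:22", host, sizeof host, &port))
        printf("host=%s port=%d\n", host, port);
    return 0;
}
```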
