Nmap Development mailing list archives
Re: Problems in idle-scan
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 22 Oct 2014 07:59:45 -0500
I committed this patch (and a length check on the argument to -sI) as r33746. Sorry my initial reply was sent off-list!

Dan

On Tue, Oct 21, 2014 at 10:01 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

> On Tue, Oct 21, 2014 at 9:43 AM, Gisle Vanem <gvanem () yahoo no> wrote:
>
>> I'm trying to understand the idle-scan and was trying an example from the Nmap book at: http://nmap.org/book/idlescan.html
>>
>> For example, I used this just to try it:
>>
>>   nmap -Pn -p- -sI 10.0.0.1:22 www.riaa.com
>>
>> But there seem to be some errors in the use of 'proxy->host.setHostName(name)'. By adding some trace-code, I see that 'name' on entry of
>>
>>   void Target::setHostName(const char *name)
>>
>> is:
>>
>>   10.0.0.1╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠╠... etc.
>>   Illegal character(s) in hostname -- replacing with '*'
>>
>> FYI, the '╠' is 0xCC, which my MSVC v16 in _DEBUG-mode inserts at the end of stack buffers. And I think also when free() is called on that buffer. Or is it 0xCD? So where can this error or 'use after free()' occur?
>>
>> --gv
>
> Gisle,
>
> Wow, this code is pretty scary. I'm attaching a patch that ought to help this particular issue. Essentially, we're doing a strncpy of a substring, and assuming the destination is full of NULLs, which would automatically make it NULL-terminated. Instead, I changed it to explicitly null-terminate the string.
>
> This change only affects idle-proxy specifiers with a hostname:port syntax; it looks like in general we always assume the argument to -sI is less than MAXHOSTNAMELEN (64) characters, so if you specify something larger than that, we'll have non-null-terminated strings all over the place.
>
> In any case, let me know if this patch solves the particular issue you're seeing. Thanks for the sharp eyes.
>
> Dan
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
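The two shapes Dan describes above, a strncpy of the host substring that relies on a pre-zeroed destination versus an explicit terminator plus a length check on the -sI argument, as an added C example. This is illustrative code written for this page, not Nmap's source or the committed patch; HOSTNAME_CAP, copy_host_buggy and parse_proxy_spec are assumed names, and the 0xCC fill imitates the debug-mode pattern Gisle saw.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap: the thread says Nmap expects the -sI argument to be under MAXHOSTNAMELEN (64). */
#define HOSTNAME_CAP 64

/* Buggy shape: copy the host part with strncpy and rely on the destination already
 * being zeroed to get a terminator. When host_len < cap, strncpy writes no NUL,
 * so whatever was in the buffer (0xCC fill, stack garbage) follows the name. */
static void copy_host_buggy(char *dst, const char *spec, size_t host_len) {
    strncpy(dst, spec, host_len);   /* no terminator written here */
}

/* Fixed shape: reject overlong or empty host parts, copy, then always write the NUL.
 * Returns 0 on success, -1 on a malformed or overlong "host[:port]" specifier. */
int parse_proxy_spec(const char *spec, char *host, size_t host_cap, int *port) {
    const char *colon = strchr(spec, ':');
    size_t host_len = colon ? (size_t)(colon - spec) : strlen(spec);
    if (host_len == 0 || host_len >= host_cap) return -1;   /* length check */
    memcpy(host, spec, host_len);
    host[host_len] = '\0';                                  /* explicit terminator */
    *port = 0;
    if (colon) {
        char *end;
        long p = strtol(colon + 1, &end, 10);
        if (end == colon + 1 || *end != '\0' || p < 1 || p > 65535) return -1;
        *port = (int)p;
    }
    return 0;
}

/* Reproduces the defect: fill the buffer with a marker byte the way a debug build
 * would, run the buggy copy, and report whether any terminator exists in the buffer. */
int buggy_copy_is_unterminated(void) {
    char buf[HOSTNAME_CAP];
    memset(buf, 0xCC, sizeof buf);              /* constructed: mimic MSVC debug fill */
    copy_host_buggy(buf, "10.0.0.1:22", 8);     /* 8 = strlen("10.0.0.1") */
    return memchr(buf, '\0', sizeof buf) == NULL;
}

int main(void) {
    char host[HOSTNAME_CAP];
    int port;
    printf("buggy copy left no terminator: %d\n", buggy_copy_is_unterminated());
    if (parse_proxy_spec("10.0.0.1:22", host, sizeof host, &port) == 0)
        printf("host=%s port=%d\n", host, port);
    return 0;
}
```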