Nmap Development mailing list archives
ncat socks5 client is broken
From: Sami Pönkänen <sami.ponkanen () gmail com>
Date: Wed, 17 Feb 2021 16:56:51 +0200
Hi all, I have been using ncat to test a proxy server socks5 implementation. While doing that I noticed what I think is a bug in ncat socks5 client side: It does not correctly parse the socks5 server status response and it may discard some data the server sent. More specifically it only reads 2 bytes of socks5 server status response, when it should read the 4 byte fixed header, bndaddress (4 or 16 bytes) and bndport (2 bytes). Also some unprocessed server data may be left in the socket_buffer (I copied that part of code from do_proxy_http()). Below is a diff I made to fix both issues in nmap-7.50. Br, Sami Pönkänen --- ncat/ncat_connect.c.orig 2021-02-17 16:33:09.670093377 +0200 +++ ncat/ncat_connect.c 2021-02-17 16:35:06.604951645 +0200 @@ -636,13 +636,15 @@ uint32_t inetaddr; char inet6addr[16]; unsigned short proxyport = htons(o.portno); - char socksbuf[8]; + char socksbuf[18]; int sd,len,lenfqdn; struct socks5_request socks5msg2; struct socks5_auth socks5auth; char *proxy_auth; char *username; char *password; + char *remainder; + size_t remainder_len; sd = do_connect(SOCK_STREAM); if (sd == -1) { @@ -825,8 +827,8 @@ return -1; } - /* TODO just two bytes for now, need to read more for bind */ - if (socket_buffer_readcount(&stateful_buf, socksbuf, 2) < 0) { + /* Read SOCKS5 server status header (4 bytes) */ + if (socket_buffer_readcount(&stateful_buf, socksbuf, 4) < 0) { loguser("Error: malformed second response from proxy.\n"); close(sd); return -1; 
@@ -875,6 +877,33 @@ return -1; } + /* Skip bndaddr and bndport */ + switch(socksbuf[3]) { + case SOCKS5_ATYP_IPv4: + if (socket_buffer_readcount(&stateful_buf, socksbuf, 6) < 0) { + loguser("Error: malformed second response from proxy.\n"); + close(sd); + return -1; + } + break; + + case SOCKS5_ATYP_IPv6: + if (socket_buffer_readcount(&stateful_buf, socksbuf, 18) < 0) { + loguser("Error: malformed second response from proxy.\n"); + close(sd); + return -1; + } + break; + + default: + loguser("Error: invalid bndaddress type in second reply.\n"); + close(sd); + return -1; + } + + remainder = socket_buffer_remainder(&stateful_buf, &remainder_len); + Write(STDOUT_FILENO, remainder, remainder_len); + return(sd); }
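Review bot: in the first hunk, the new size in `char socksbuf[18];` is a bare number that has to stay in step with the `18` passed to socket_buffer_readcount() in the IPv6 branch further down; if the buffer is ever widened for a domain-name BND.ADDR (a length octet plus up to 255 bytes) both places must change together. Say in a comment that 18 is the 16-byte IPv6 BND.ADDR plus the 2-byte BND.PORT, or use a named size and pass sizeof socksbuf to that read.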
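Review bot: the 4-byte read in the second hunk, `socket_buffer_readcount(&stateful_buf, socksbuf, 4)`, now brings in RSV (socksbuf[2]) and ATYP (socksbuf[3]) along with VER and REP, but RSV is never checked; RFC 1928 requires it to be 0x00, and a non-zero value is a strong sign the peer is not speaking SOCKS5, so it deserves the same "malformed second response from proxy" error rather than silent acceptance. The removed comment `/* TODO just two bytes for now, need to read more for bind */` also explained why the read was short; the replacement `/* Read SOCKS5 server status header (4 bytes) */` should add that BND.ADDR and BND.PORT are consumed later so a reader does not take the reply to end at 4 bytes.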
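Review bot: the `switch(socksbuf[3])` in the third hunk handles SOCKS5_ATYP_IPv4 and SOCKS5_ATYP_IPv6 but rejects the domain-name address type (ATYP 0x03 in RFC 1928), which a proxy may legitimately use for BND.ADDR; such a reply now fails with "invalid bndaddress type in second reply" even though the proxy has already established the connection. Add a case that reads the one-byte length octet and then length + 2 bytes (the 18-byte socksbuf cannot hold a 255-byte name plus port, so either read in two passes or size the buffer for it). The two identical read-and-fail branches can also collapse into one read: set a length per ATYP in the switch (e.g. `len = 4 + 2;` and `len = 16 + 2;`, reusing the already declared `len`) and call socket_buffer_readcount() once after it. Two smaller points: the new message says "second reply" where the neighbouring errors say "second response", and `switch(` lacks the space used by the surrounding `if (` style. Lastly, `Write(STDOUT_FILENO, remainder, remainder_len);` pushes any bytes the proxy sent after the reply straight to stdout before the function returns sd; that mirrors do_proxy_http() as the cover note says, but the caller cannot tell those bytes were consumed, so guard it with `if (remainder_len > 0)` and note in a comment that post-reply data takes this side path rather than the normal connection output.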
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
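The reply layout the report describes (4-byte fixed header, then BND.ADDR whose length depends on ATYP, then a 2-byte BND.PORT) is easy to get wrong by reading a fixed count. The following stand-alone C parser is an added example, not ncat's code and not the author's patch: it follows RFC 1928 section 6, handles the domain-name address type as well as IPv4 and IPv6, distinguishes a truncated reply from a malformed one, and returns how many bytes the reply occupied so a caller can hand any trailing application data on instead of dropping it. All type and function names (socks5_parse_reply, socks5_reply, the status enum) and the sample bytes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ncat code: parse a SOCKS5 reply (RFC 1928 section 6)
 * and report how many bytes it occupies, so anything the proxy sent after
 * it is handed on instead of being discarded.  All names are hypothetical. */

enum { SOCKS5_VERSION = 0x05,
       SOCKS5_ATYP_IPV4 = 0x01, SOCKS5_ATYP_DOMAIN = 0x03, SOCKS5_ATYP_IPV6 = 0x04 };

typedef enum {
    SOCKS5_OK = 0,        /* well-formed reply, REP == 0 (succeeded) */
    SOCKS5_REFUSED,       /* well-formed reply, REP != 0 (server-side failure) */
    SOCKS5_NEED_MORE,     /* buffer ends inside the reply: read more, call again */
    SOCKS5_BAD_VERSION,   /* VER != 5 */
    SOCKS5_BAD_RSV,       /* RSV != 0 */
    SOCKS5_BAD_ATYP       /* unknown address type */
} socks5_status;

typedef struct {
    uint8_t rep;
    uint8_t atyp;
    uint8_t addr[255];    /* BND.ADDR; for ATYP 3 the name without its length octet */
    size_t addr_len;
    uint16_t port;        /* BND.PORT in host byte order */
} socks5_reply;

/* Returns the parse status; on OK/REFUSED fills *out and sets *consumed to
 * the full reply length: 4 (header) + BND.ADDR + 2 (BND.PORT). */
socks5_status socks5_parse_reply(const uint8_t *buf, size_t len,
                                 socks5_reply *out, size_t *consumed)
{
    size_t addr_len = 0, addr_off = 4, total;

    if (len < 4)
        return SOCKS5_NEED_MORE;                 /* fixed header not complete */
    if (buf[0] != SOCKS5_VERSION)
        return SOCKS5_BAD_VERSION;
    if (buf[2] != 0x00)
        return SOCKS5_BAD_RSV;

    switch (buf[3]) {
    case SOCKS5_ATYP_IPV4:
        addr_len = 4;
        break;
    case SOCKS5_ATYP_IPV6:
        addr_len = 16;
        break;
    case SOCKS5_ATYP_DOMAIN:                     /* one length octet, then the name */
        if (len < 5)
            return SOCKS5_NEED_MORE;
        addr_len = buf[4];
        addr_off = 5;
        break;
    default:
        return SOCKS5_BAD_ATYP;
    }

    total = addr_off + addr_len + 2;             /* + BND.PORT */
    if (len < total)
        return SOCKS5_NEED_MORE;

    out->rep = buf[1];
    out->atyp = buf[3];
    out->addr_len = addr_len;
    memcpy(out->addr, buf + addr_off, addr_len);
    out->port = (uint16_t)((buf[total - 2] << 8) | buf[total - 1]);
    *consumed = total;
    return out->rep == 0x00 ? SOCKS5_OK : SOCKS5_REFUSED;
}

int main(void)
{
    /* Constructed sample: a success reply bound to 10.0.0.1:8080, with five
     * bytes of application data that arrived in the same read right behind it. */
    const uint8_t sample[] = {
        0x05, 0x00, 0x00, 0x01,            /* VER REP RSV ATYP=IPv4 */
        10, 0, 0, 1,                       /* BND.ADDR */
        0x1f, 0x90,                        /* BND.PORT 8080 */
        'h', 'e', 'l', 'l', 'o'            /* not part of the reply */
    };
    socks5_reply r;
    size_t used = 0;
    socks5_status st = socks5_parse_reply(sample, sizeof sample, &r, &used);

    printf("status=%d atyp=%u port=%u reply_len=%zu leftover=%zu bytes\n",
           (int)st, r.atyp, r.port, used, sizeof sample - used);
    /* A client that consumed only 2 bytes here would leave 8 reply bytes in
     * its buffer and later mistake them for application data. */
    return st == SOCKS5_OK ? 0 : 1;
}
```

The caller keeps everything from offset `consumed` onwards as application data; with a fixed 2-byte read the remaining 8 bytes of an IPv4 reply would be misread as payload, which is the behaviour the report describes. SOCKS5_NEED_MORE is returned for a short buffer so the caller can read more and retry instead of treating a partial reply as malformed.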
Current thread:
- ncat socks5 client is broken Sami Pönkänen (Feb 17)
- Re: ncat socks5 client is broken Sami Pönkänen (Feb 18)
- Re: ncat socks5 client is broken nnposter (Mar 15)
- Re: ncat socks5 client is broken Sami Pönkänen (Feb 18)