Re: [NSE] NSE HTTP library

[Sven Klemm <sven () c3d2 de>]

Kris Katterjohn wrote:
> I had this very idea a while ago, but I never did it.  I haven't tested 
> it yet (it's past my bedtime now), but it looks really cool! :)

Thank you.

I've attached a new version which has two minor bugfixes: Multiple
Headers with the same name are now handled properly. The newlines in
the body that are stripped during receiving are now added back.

But I've run into problem that let's nmap segfault reproducible.
Somehow that's related to my http library at least it does not occur
without the library. I am also getting cannot resume dead coroutine
errors. But currently I have no idea what causes these. Maybe someone
can help me here.

Here are the backtraces I get:

Program received signal SIGSEGV, Segmentation fault.
0x0fa76528 in ?? () from /lib/libc.so.6
(gdb) bt
#0  0x0fa76528 in ?? () from /lib/libc.so.6
#1  0x0fa763ec in ?? () from /lib/libc.so.6
#2  0x0fa78f5c in ?? () from /lib/libc.so.6
#3  0x0fa7a03c in ?? () from /lib/libc.so.6
#4  0x0fa7afac in realloc () from /lib/libc.so.6
#5  0x100c2040 in l_alloc ()
#6  0x100b8e50 in luaM_realloc_ ()
#7  0x100b5544 in luaD_reallocstack ()
#8  0x100b5864 in resume_error ()
#9  0x10072770 in process_mainloop (l=0x1016fc90) at nse_main.cc:297
#10 0x10073898 in script_scan (targets=@0x7fd89d30) at nse_main.cc:214
#11 0x1001c4f4 in nmap_main (argc=5, argv=0x7fd8ef64) at nmap.cc:1753
#12 0x10017dbc in main (argc=5, argv=0x7fd8ef64) at main.cc:227


*** glibc detected *** /home/sven/code/nmap/nmap: double free or
corruption (!prev): 0x101bfc70 ***
Program received signal SIGABRT, Aborted.
0x0fa2deec in raise () from /lib/libc.so.6
(gdb) bt
#0  0x0fa2deec in raise () from /lib/libc.so.6
#1  0x0fa2fb5c in abort () from /lib/libc.so.6
#2  0x0fa6e534 in ?? () from /lib/libc.so.6
#3  0x0fa76378 in ?? () from /lib/libc.so.6
#4  0x0fa7a0d8 in ?? () from /lib/libc.so.6
#5  0x0fa7afac in realloc () from /lib/libc.so.6
#6  0x100c2040 in l_alloc ()
#7  0x100b8e50 in luaM_realloc_ ()
#8  0x100b5544 in luaD_reallocstack ()
#9  0x100b5864 in resume_error ()
#10 0x10072770 in process_mainloop (l=0x1016fc90) at nse_main.cc:297
#11 0x10073898 in script_scan (targets=@0x7fa875a0) at nse_main.cc:214
#12 0x1001c4f4 in nmap_main (argc=5, argv=0x7fa8c7d4) at nmap.cc:1753
#13 0x10017dbc in main (argc=5, argv=0x7fa8c7d4) at main.cc:227

> > It would be really cool if this could be integrated into nmap.
>
> Yeah it would... you're becoming a new NSE guy ;)

:)

Cheers,
Sven


-- 
Sven Klemm
http://cthulhu.c3d2.de/~sven/

-- See nmaps COPYING for licence
module(...,package.seeall)

require 'stdnse'
require 'url'

--
-- http.get( host, port, path )
-- http.request( host, port, request )
-- http.get_url( url )
--
-- host may either be a string or table
-- port may either be a number or a table
--
-- the format of the return value is a table with the following structure:
-- {status = 200, header = {}, body ="<html>...</html>"}
-- the header table has an entry for each received header with the header name being the key
-- thee table also has an entry named "status" which contains the http status code of the request
-- in case of an error status is nil


-- fetch relative URL with get request
get = function( host, port, path )
  local hostname = host
  if type(host) == 'table' then
    hostname = ( host.name ~= '' and host.name ) or host.ip
  end

  local data
  data = "GET "..path.." HTTP/1.1\r\n"
  data = data .. "Host: "..hostname.."\r\n"
  data = data .. "User-Agent: Nmap NSE\r\n"
  data = data .. "Connection: close\r\n\r\n"

  return request( host, port, data )
end

-- URL with get request
get_url = function( u )
  local parsed = url.parse( u )
  local port = {}

  port.service = parsed.scheme
  port.number = parsed.port

  if not port.number then
    if parsed.scheme == 'https' then
      port.number = 443
    else
      port.number = 80
    end
  end

  local path = parsed.path or "/"
  if parsed.query then
    path = path .. "?" .. parsed.query
  end

  return get( parsed.host, port, path )
end

-- send http request and return the result as table
-- host may be a table or the hostname
-- port may be a table or the portnumber
request = function( host, port, data )

  if type(host) == 'table' then
    host = ( host.name ~= '' and host.name ) or host.ip
  end

  local protocol = 'tcp'
  if type(port) == 'table' then
    if nmap.have_ssl() and ( port.service == 'https' or ( port.version and port.version.service_tunnel == 'ssl' ) ) then
      protocol = 'ssl'
    end
    port = port.number
  end

  socket = nmap.new_socket()
  socket:connect( host, port, protocol )
  socket:send( data )

  local buffer = stdnse.make_buffer( socket, "\r?\n" )

  local status, line, result
  local header, body = {}, {}
  -- header loop
  while true do
    status, line = buffer()
    if (not status or line == "") then break end
    table.insert(header,line)
  end

  result = {status=nil,header={},body=""}

  -- build nicer table for header
  for key, value in pairs( header ) do
    if key == 1 then
      local code
      _, _, code = string.find( value, "HTTP/%d\.%d (%d+)")
      result.status = tonumber(code)
    else
      _, _, key, value = string.find( value, "(.+): (.*)" )
      if key and value then
        value = value:gsub( '[\r\n]+', '' )
        if result.header[key] then
          result.header[key] = result.header[key] .. ',' .. value
        else
          result.header[key] = value
        end
      end
    end
  end

  -- body loop
  while true do
    status, line = buffer()
    if (not status) then break end
    table.insert(body,line)
  end

  socket:close()
  result.body = table.concat( body, "\n" )

  return result

end

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org