Nmap Development mailing list archives
Segfault during script scan against DHCP
From: Ron <ron () skullsecurity net>
Date: Sat, 29 Aug 2009 11:40:58 -0500
I just sent this email with the core as an attachment. That was probably a stupid idea, so here it is again without. Apologies if you get this twice.
--
Using the HEAD revision, unmodified, as of this morning. Running a UDP/version scan against a Linksys WRT54g with this command:

$ sudo ./nmap -d -T4 -sV -sU -p60-70 192.168.1.1

After a minute or so, it died with a segfault:
--
Starting Nmap 5.05BETA1 ( http://nmap.org ) at 2009-08-29 11:18 CDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 500, min 100, max 1250
  max-scan-delay: TCP 10, UDP 1000, SCTP 10
  parallelism: min 0, max 0
  max-retries: 6, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 3 scripts for scanning.
Initiating ARP Ping Scan at 11:18
Scanning 192.168.1.1 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x00219BE5 and arp[22:2] = 0x78EA
Completed ARP Ping Scan at 11:18, 0.05s elapsed (1 total hosts)
Overall sending rates: 20.22 packets / s, 849.45 bytes / s.
mass_rdns: Using DNS server 4.2.2.1
mass_rdns: Using DNS server 4.2.2.2
Initiating Parallel DNS resolution of 1 host. at 11:18
mass_rdns: 0.08s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 11:18, 0.08s elapsed
DNS resolution of 1 IPs took 0.08s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating UDP Scan at 11:18
Scanning 192.168.1.1 [11 ports]
Packet capture filter (device eth0): dst host 192.168.1.100 and (icmp or ((tcp or udp or sctp) and (src host 192.168.1.1)))
Increased max_successful_tryno for 192.168.1.1 to 1 (packet drop)
Increased max_successful_tryno for 192.168.1.1 to 2 (packet drop)
Completed UDP Scan at 11:18, 3.65s elapsed (11 total ports)
Overall sending rates: 6.03 packets / s, 168.90 bytes / s.
Initiating Service scan at 11:18
Scanning 2 services on 192.168.1.1
Stats: 0:00:58 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Completed Service scan at 11:19, 60.03s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.1

Program received signal SIGSEGV, Segmentation fault.
0x08099b36 in PortList::nextPort (this=0x60, afterthisport=0x0, allowed_protocol=256, allowed_state=2) at portlist.cc:573
573       if(port_list[proto] != NULL) {
(gdb) backtrace
#0  0x08099b36 in PortList::nextPort (this=0x60, afterthisport=0x0, allowed_protocol=256, allowed_state=2) at portlist.cc:573
#1  0x080b135b in ports (L=0x839dde0) at nse_main.cc:87
#2  0x080de61a in luaD_precall (L=0x839dde0, func=0x83c6208, nresults=3) at ldo.c:319
#3  0x080e669c in luaV_execute (L=0x839dde0, nexeccalls=1) at lvm.c:587
#4  0x080dea7b in luaD_call (L=0x839dde0, func=0x83c619c, nResults=0) at ldo.c:377
#5  0x080dbf99 in f_call (L=0x839dde0, ud=0xbf7fb894) at lapi.c:800
#6  0x080de226 in luaD_rawrunprotected (L=0x839dde0, f=0x80dbf80 <f_call>, ud=0xbf7fb894) at ldo.c:116
#7  0x080de27f in luaD_pcall (L=0x839dde0, func=0x80dbf80 <f_call>, u=0xbf7fb894, old_top=36, ef=24) at ldo.c:463
#8  0x080dbe06 in lua_pcall (L=0x839dde0, nargs=1, nresults=0, errfunc=1) at lapi.c:821
#9  0x080b0d76 in run_main (L=0x839dde0) at nse_main.cc:466
#10 0x080de61a in luaD_precall (L=0x839dde0, func=0x83c6184, nresults=0) at ldo.c:319
#11 0x080dea39 in luaD_call (L=0x839dde0, func=0x83c6184, nResults=0) at ldo.c:376
#12 0x080dbf6a in f_Ccall (L=0x839dde0, ud=0xbf7fbac0) at lapi.c:846
#13 0x080de226 in luaD_rawrunprotected (L=0x839dde0, f=0x80dbf10 <f_Ccall>, ud=0xbf7fbac0) at ldo.c:116
#14 0x080de27f in luaD_pcall (L=0x839dde0, func=0x80dbf10 <f_Ccall>, u=0xbf7fbac0, old_top=12, ef=0) at ldo.c:463
#15 0x080dbdbd in lua_cpcall (L=0x839dde0, func=0x80b0be0 <run_main>, ud=0xbf7fdae0) at lapi.c:856
#16 0x080b0b7c in script_scan (targets=@0xbf7fdae0) at nse_main.cc:605
#17 0x08062b40 in nmap_main (argc=7, argv=0xbf800c84) at nmap.cc:1922
#18 0x0805e3bd in main (argc=7, argv=0xbf800c84) at main.cc:205
--

If I run it without -sV, it doesn't crash.

Coredump: http://www.skullsecurity.org/tmp/nmap-core.gz

--
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
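The backtrace above shows PortList::nextPort entered with this=0x60. An object pointer that small is not a valid heap or stack address; the usual reading of such a value is that a member living at offset 0x60 was taken through a base pointer that was NULL, so the first load inside the method (here the line-573 check of port_list[proto]) faults at an address just past 0x60. The C program below is an added example for triaging that symptom; it is not part of this thread and not Nmap's code. The struct target / struct port_list layouts, the 0x60 padding and the 4096-byte "first page" threshold are constructed assumptions chosen to reproduce the reported value, not Nmap's real Target or PortList layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed layouts for illustration only (NOT Nmap's Target/PortList).
 * The header padding is sized so the embedded list lands at offset 0x60,
 * the `this` value gdb reported in the crash above.
 */
struct port_list {
    void *port_list[3];         /* one list per protocol, as in the line-573 check */
};

struct target {
    unsigned char header[0x60]; /* padding: puts `ports` at offset 0x60 */
    struct port_list ports;
};

/*
 * Address that `&t->ports` evaluates to for a target pointer t, computed
 * with integer arithmetic so it is well defined even when t is NULL.
 * A compiler evaluates the C++ member access the same way, which is how
 * a NULL target turns into `this=0x60` inside the PortList method.
 */
uintptr_t ports_this_value(const struct target *t) {
    return (uintptr_t)t + offsetof(struct target, ports);
}

/*
 * Triage heuristic (assumption: the first page is never mapped). A `this`
 * or object pointer below 4096 is almost never a real address; it is a
 * member offset applied to a NULL base. Returns 1 and writes the implied
 * offset when so; 0 for an address that could be a real object.
 */
int looks_like_null_base(uintptr_t this_value, size_t *offset_out) {
    const uintptr_t first_page = 4096;
    if (this_value >= first_page)
        return 0;
    *offset_out = (size_t)this_value;
    return 1;
}

/*
 * The address the check `port_list[proto] != NULL` would read for a given
 * `this` and protocol index: the expected fault address to compare against
 * what gdb or the kernel log reports.
 */
uintptr_t faulting_read_address(uintptr_t this_value, int proto) {
    return this_value + offsetof(struct port_list, port_list)
         + (uintptr_t)proto * sizeof(void *);
}

int main(void) {
    struct target *t = NULL;   /* the bug condition: no target behind the handle */
    uintptr_t this_value = ports_this_value(t);
    size_t off = 0;

    printf("this = 0x%lx\n", (unsigned long)this_value);
    if (looks_like_null_base(this_value, &off))
        printf("looks like a member at offset 0x%zx of a NULL base pointer\n", off);
    printf("port_list[1] would be read from 0x%lx\n",
           (unsigned long)faulting_read_address(this_value, 1));
    return 0;
}
```

The same check applies to any crash where gdb prints a tiny `this` or object pointer: treat the value as an offset, find the member at that offset in the enclosing struct (offsetof or `ptype/o` in gdb), and look for the caller that handed in a NULL base; in the backtrace above that would be the `ports` function in nse_main.cc, frame #1.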
Current thread:
- Segfault during script scan against DHCP Ron (Aug 29)
- Re: Segfault during script scan against DHCP Kris Katterjohn (Aug 29)
- Re: Segfault during script scan against DHCP Patrick Donnelly (Aug 29)
- Re: Segfault during script scan against DHCP Ron (Aug 29)
- Re: Segfault during script scan against DHCP Patrick Donnelly (Aug 29)
- Re: Segfault during script scan against DHCP Kris Katterjohn (Aug 29)