Nmap Development mailing list archives

lua broken in nse script


From: Seth Graham <sadgart () gmail com>
Date: Wed, 1 Sep 2010 13:24:46 +0200

Hi to everybody,

I'm working on a little NSE script to find proxies with the CONNECT method
available. I've tested it in some parameter contexts and it works fine,
but when it's working on a very large IP range it crashes. I don't know if
it is an NSE engine problem (with multithreading maybe?), a problem in my
little script or in the Lua libraries.

I'm sending you a segfault debug trace to help work out a solution. Let's go.


=========================================
aaru ~ # gdb /usr/bin/nmap

warning: Can not parse XML syscalls information; XML support was disabled at
compile time.
GNU gdb (Gentoo 7.0.1 p1) 7.0.1
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /usr/bin/nmap...done.
(gdb) set args -n -sS -PS8080 -iR 0 --script=irc-proxy -p 8080
(gdb) run
Starting program: /usr/bin/nmap -n -sS -PS8080 -iR 0 --script=irc-proxy -p
8080

Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-01 00:09 CEST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0

Program received signal SIGSEGV, Segmentation fault.
0xb7db55c5 in traverseproto (g=0x836a030, f=0x83b4eb8) at lgc.c:207
207         markvalue(g, &f->k[i]);
(gdb) bt
#0  0xb7db55c5 in traverseproto (g=0x836a030, f=0x83b4eb8) at lgc.c:207
#1  0xb7db5c4d in propagatemark (g=0x836a030) at lgc.c:310
#2  0xb7db6684 in singlestep (L=0x8369fc0) at lgc.c:566
#3  0xb7db682e in luaC_step (L=0x8369fc0) at lgc.c:617
#4  0xb7dadac5 in lua_pushlstring (L=0x8369fc0, s=0xbfff9c2c
":\321\360o\300\237\066\bd;:\b|;:\b\300\237\066\b\030q@\b\224\235\213\b",
len=4) at lapi.c:447
#5  0x080bdad1 in set_hostinfo(lua_State*, Target*) ()
#6  0x080b477b in run_main(lua_State*) ()
#7  0xb7db3a4c in luaD_precall (L=0x8369fc0, func=0x83a3b34, nresults=0) at
ldo.c:319
#8  0xb7db3c9e in luaD_call (L=0x8369fc0, func=0x83a3b34, nResults=0) at
ldo.c:376
#9  0xb7dae7fd in f_Ccall (L=0x8369fc0, ud=0xbfff9e64) at lapi.c:846
#10 0xb7db2da1 in luaD_rawrunprotected (L=0x8369fc0, f=0xb7dae74a <f_Ccall>,
ud=0xbfff9e64) at ldo.c:116
#11 0xb7db4069 in luaD_pcall (L=0x8369fc0, func=0xb7dae74a <f_Ccall>,
u=0xbfff9e64, old_top=12, ef=0) at ldo.c:463
#12 0xb7dae85a in lua_cpcall (L=0x8369fc0, func=0x80b4625
<run_main(lua_State*)>, ud=0xbfffbe88) at lapi.c:856
#13 0x080b45c4 in script_scan(std::vector<Target*, std::allocator<Target*>
&) ()
#14 0x0806339b in nmap_main(int, char**) ()
#15 0x0805e470 in main ()
(gdb) bt full
#0  0xb7db55c5 in traverseproto (g=0x836a030, f=0x83b4eb8) at lgc.c:207
        i = 0
#1  0xb7db5c4d in propagatemark (g=0x836a030) at lgc.c:310
        p = 0x83b4eb8
        o = 0x83b4eb8
#2  0xb7db6684 in singlestep (L=0x8369fc0) at lgc.c:566
        g = 0x836a030
#3  0xb7db682e in luaC_step (L=0x8369fc0) at lgc.c:617
        g = 0x836a030
        lim = 448
#4  0xb7dadac5 in lua_pushlstring (L=0x8369fc0, s=0xbfff9c2c
":\321\360o\300\237\066\bd;:\b|;:\b\300\237\066\b\030q@\b\224\235\213\b",
len=4) at lapi.c:447
No locals.
#5  0x080bdad1 in set_hostinfo(lua_State*, Target*) ()
No symbol table info available.
#6  0x080b477b in run_main(lua_State*) ()
No symbol table info available.
#7  0xb7db3a4c in luaD_precall (L=0x8369fc0, func=0x83a3b34, nresults=0) at
ldo.c:319
        ci = 0x81072a8
        n = -1210365744
        cl = 0x844b430
        funcr = 12
#8  0xb7db3c9e in luaD_call (L=0x8369fc0, func=0x83a3b34, nResults=0) at
ldo.c:376
No locals.
#9  0xb7dae7fd in f_Ccall (L=0x8369fc0, ud=0xbfff9e64) at lapi.c:846
        c = 0xbfff9e64
        cl = 0x844b430
#10 0xb7db2da1 in luaD_rawrunprotected (L=0x8369fc0, f=0xb7dae74a <f_Ccall>,
ud=0xbfff9e64) at ldo.c:116
        lj = {previous = 0x0, b = {{__jmpbuf = {-1210241036, 4096,
138169520, -1073766920, -120156276, -1313343076}, __mask_was_saved = 0,
__saved_mask = {__val = {200, 143544128, 143560512, 143560512,
                  3081885361, 3081885344, 3081885184, 0, 0, 0, 0,
3082439430, 2, 1, 2, 135110906, 134746292, 0, 135110906, 3221200360,
3083318192, 16, 2049, 16408, 143756920, 143527776, 0, 17,
                  536979648, 3083318144, 3083313140, 3083318144}}}}, status
= 0}
#11 0xb7db4069 in luaD_pcall (L=0x8369fc0, func=0xb7dae74a <f_Ccall>,
u=0xbfff9e64, old_top=12, ef=0) at ldo.c:463
        status = -1212515300
        oldnCcalls = 0
        old_ci = 0
        old_allowhooks = 1 '\001'
        old_errfunc = 0
#12 0xb7dae85a in lua_cpcall (L=0x8369fc0, func=0x80b4625
<run_main(lua_State*)>, ud=0xbfffbe88) at lapi.c:856
        c = {func = 0x80b4625 <run_main(lua_State*)>, ud = 0xbfffbe88}
        status = 134746292
#13 0x080b45c4 in script_scan(std::vector<Target*, std::allocator<Target*>
&) ()
No symbol table info available.
#14 0x0806339b in nmap_main(int, char**) ()
No symbol table info available.
#15 0x0805e470 in main ()
No symbol table info available.
(gdb)
=================================================


The irc-proxy script is:


============================
description=[[
Checks if an HTTP proxy has method CONNECT for IRC servers.  - Not use proxy
library -
]]

---
-- @args proxy.url Url that will be requested to the proxy
-- @output
--
-- @usage
-- nmap --script irc-proxy

author = "Seth"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "external", "intrusive"}

require "shortport"
require "stdnse"   -- provides stdnse.print_debug, used below
require "os"

portrule = shortport.port_or_service({8123,3128,8000,8080},{'polipo','squid-http','http-proxy'})

-- Send a string to the peer and echo it to the debug log.
local function send(socket, str)
        socket:send(str)
        stdnse.print_debug(">> " .. str)
end

-- Wait, then read whatever the peer sent and echo it to the debug log.
-- Note that os.execute("sleep 5") blocks the whole nmap process, not only
-- this script thread, so every other running script stalls for 5 seconds.
local function receive(socket)
        local status, str

        os.execute("sleep 5")
        -- On failure socket:receive() returns false and an error string,
        -- so str is always a string and safe to concatenate.
        status, str = socket:receive()
        stdnse.print_debug("<< " .. str)

        return str
end

-- True if the proxy answered the CONNECT request with an HTTP 200 status.
local function check_code(result)
        if result then
                -- Keep only the status line and headers (everything before
                -- the first blank line).
                if result:match( "\r?\n\r?\n" ) then
                        result = result:match( "^(.-)\r?\n\r?\n(.*)$" )
                end
                -- "%." matches a literal dot; "\." is not a valid Lua escape.
                if string.match(result:lower(), "^http/%d%.%d%s*200") then
                        return true
                end
        end
        return false
end

-- True if the IRC server closed the link because the proxy address is G-lined.
local function check_gline(result)
        if result then
                if string.match(result:lower(), "(.*)error(.*)g-lined(.*)") then
                        return true
                end
        end
        return false
end

action = function(host, port)

        local result = ""

        stdnse.print_debug("##################################")
        local socket = nmap.new_socket()
        socket:set_timeout(10000)

        -- nmap.new_try aborts the script (after closing the socket) if
        -- the wrapped call returns false as its first value.
        local try = nmap.new_try(function() socket:close() end)
        try(socket:connect(host.ip, port.number))

        if socket then

                local str

                -- Ask the proxy to tunnel to an IRC port.
                send(socket, "CONNECT foo.bar:6667 HTTP/1.0\r\n\r\n")

                str = receive(socket)

                if check_code(str) then

                        result = "Connection to HISPANO"

                        -- Register with the IRC server through the tunnel
                        -- and answer its PING with the token it sent.
                        send(socket, "USER ident 8 * :name\r\n")
                        send(socket, "NICK nick\r\n\r\n")
                        str = receive(socket)
                        send(socket, "PONG :" .. string.sub(str, -18, -2) .. "\r\n")
                        str = receive(socket)

                        if check_gline(str) then
                                result = result .. " is G-lined\n"
                        else
                                result = result .. " is ESTABLISHED!! <- " .. host.ip .. ":" .. port.number .. "\n" .. str .. "\n"
                        end
                else
                        result = "Method CONNECT not supported\n"
                end

                socket:close()
        end

        stdnse.print_debug("##################################")
        return result
end
===================================

Any tips to make it work correctly?


Regards,
Seth
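The two checks the script makes (check_code on the proxy's CONNECT reply, check_gline on the IRC server's answer) as an added Python example that is not part of Seth's script or of Nmap. It parses the CONNECT reply the way a proxy audit should: only the status line is examined, headers are split from the body at the first blank line (CRLF or bare LF), and the numeric code is compared, so a "200" that merely appears somewhere in a body or header cannot pass the check. All sample replies are constructed inline; the function names and the sample proxy banner are assumptions for this example.

```python
import re

# Status line of an HTTP reply: version, three-digit code, optional reason.
STATUS_LINE = re.compile(r"^HTTP/(\d)\.(\d)\s+(\d{3})(?:\s+(.*))?$", re.IGNORECASE)

# Same wording the NSE script looks for in the IRC server's reply
# (lower-cased "error" ... "g-lined").
GLINE = re.compile(r"error.*g-lined", re.IGNORECASE | re.DOTALL)


def split_response(raw: bytes):
    """Split a raw reply into (status_line, header_lines, body).

    The head ends at the first blank line; a reply without one has an empty body.
    Bare LF is accepted as well as CRLF, as the script's Lua pattern does.
    """
    text = raw.decode("latin-1")
    sep = re.search(r"\r?\n\r?\n", text)
    if sep:
        head, body = text[:sep.start()], text[sep.end():]
    else:
        head, body = text, ""
    lines = re.split(r"\r?\n", head)
    return lines[0], lines[1:], body


def connect_status(raw: bytes):
    """Numeric status of a CONNECT reply, or None if the reply is not HTTP at all."""
    status_line, _, _ = split_response(raw)
    m = STATUS_LINE.match(status_line.strip())
    return int(m.group(3)) if m else None


def connect_accepted(raw: bytes) -> bool:
    """The proxy opened the tunnel only if the status line itself says 200."""
    return connect_status(raw) == 200


def is_glined(raw: bytes) -> bool:
    """The IRC server closed the link with a G-line notice."""
    return bool(GLINE.search(raw.decode("latin-1")))


def classify(connect_reply: bytes, irc_reply: bytes = None) -> str:
    """Reproduce the script's three verdicts from the two replies."""
    if not connect_accepted(connect_reply):
        return "Method CONNECT not supported"
    if irc_reply is not None and is_glined(irc_reply):
        return "Connection is G-lined"
    return "Connection ESTABLISHED"


# Constructed replies covering the edge cases a raw "contains 200" check gets wrong.
SAMPLES = {
    "open":      b"HTTP/1.0 200 Connection established\r\nProxy-Agent: constructed-proxy\r\n\r\n",
    "forbidden": b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
    "lf_only":   b"HTTP/1.1 200 OK\n\n",
    "body_200":  b"HTTP/1.1 502 Bad Gateway\r\n\r\nupstream replied 200 then closed\r\n",
    "not_http":  b":irc.example.invalid NOTICE AUTH :*** Looking up your hostname\r\n",
}
GLINE_REPLY = b"ERROR :Closing Link: nick by irc.example.invalid (G-lined: open proxy)\r\n"
WELCOME_REPLY = b":irc.example.invalid 001 nick :Welcome to the constructed network\r\n"

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name:10s} status={connect_status(reply)} -> {classify(reply)}")
    print("open + gline ->", classify(SAMPLES["open"], GLINE_REPLY))
    print("open + welcome ->", classify(SAMPLES["open"], WELCOME_REPLY))
```

The "body_200" and "not_http" samples are the ones worth keeping in mind when writing the Lua version: the script's `^http/%d%.%d%s*200` pattern is anchored to the start of the reply, which is correct, but only because the blank-line split above it has already discarded the body.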
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

