Re: [nmap-svn] r29203 - nmap-exp/aca/nmap/scripts

[Aleksandar Nikolic <nikolic.alek () gmail com>]

Hi all,

I've resolved this issue as far as the script is concerned in r29209.

As far as I can tell, the problem was with threads that were stuck while waiting
for free sockets and/or threads that were asleep.
I've added the code in the main thread that waits for all others to finish.

There is no way to explicitly kill the thread, is there ?

Ass all this is a bit ugly, can i get the value of max-parallelism
from the NSE somehow?
That way , I could create just enough threads and get to warn the user
that the attack won't
work if it can't get enough threads.

On Sat, Jul 14, 2012 at 2:49 PM, Aleksandar Nikolic
<nikolic.alek () gmail com> wrote:
> Also , you don't need a vulnerable server to see this behavior.
> Just run the script against any http server. With --max-parallelism
> set to default
> it can't DoS the server.
>
> But , in case you do need a vulnerable server, let me know and I'll send you
> the address of my test server off list.
>
> On Sat, Jul 14, 2012 at 2:46 PM, Aleksandar Nikolic
> <nikolic.alek () gmail com> wrote:
> > Here's the output at the end of the script run
> >
> > NSE Timing: About 1.96% done; ETC: 17:33 (2:55:32 remaining)
> > NSE: MAIN THREAD:  (attack against <target>): HTTP stream started.
> > NSE: MONITOR: <target> still up, answer received.
> > NSE: MONITOR: <target> still up, answer received.
> > NSE: MONITOR: <target> still up, answer received.
> > NSE Timing: About 1.96% done; ETC: 17:58 (3:20:36 remaining)
> > NSE: MONITOR: <target> still up, answer received.
> > NSE: MONITOR: <target> still up, answer received.
> > NSE: MONITOR: <target> still up, answer received.
> > NSE Timing: About 1.96% done; ETC: 18:24 (3:45:41 remaining)
> > NSE: MONITOR: <target> still up, answer received.
> > NSE: MONITOR: <target> still up, answer received.
> > NSE Timing: About 1.96% done; ETC: 18:50 (4:10:45 remaining)
> > NSE: MONITOR: <target> still up, answer received.
> > NSE: Finished http-slowloris against <target>:80.
> > NSE: Finished http-slowloris against <target>:80.
> > NSE: Script Engine Scan Aborted.
> > An error was thrown by the engine:
> > d:\workspace\nmap-exp\aca\nmap\mswin32\Debug/nse_main.lua:332: attempt
> > to index field '?' (a nil value)
> > stack traceback:
> >         d:\workspace\nmap-exp\aca\nmap\mswin32\Debug/nse_main.lua:332:
> > in function 'close'
> >         d:\workspace\nmap-exp\aca\nmap\mswin32\Debug/nse_main.lua:932:
> > in function 'run'
> >         d:\workspace\nmap-exp\aca\nmap\mswin32\Debug/nse_main.lua:1242:
> > in function <d:\workspace\nmap-exp\aca\nmap\mswin32\Debug/nse_main.lua:1149>
> >         [C]: in ?
> > Nmap scan report for <target> (<target>)
> > Host is up, received echo-reply (0.10s latency).
> > rDNS record for <target>: <target>
> > Scanned at 2012-07-14 14:34:11 Central Europe Daylight Time for 307s
> > PORT   STATE SERVICE REASON
> > 80/tcp open  http    syn-ack
> > Final times for host: srtt: 104000 rttvar: 94500  to: 482000
> >
> > NSE: Script Post-scanning.
> > NSE: Starting runlevel 1 (of 1) scan.
> > Read from d:\workspace\nmap-exp\aca\nmap\mswin32\Debug: nmap-payloads
> > nmap-services.
> > Nmap done: 1 IP address (1 host up) scanned in 312.80 seconds
> >            Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
> > Assertion failed: nse_status(nse) == NSE_STATUS_SUCCESS, file
> > d:\workspace\nmap-exp\aca\nmap\nse_nsock.cc, line 689
> >
> > ea@WIN /d/workspace/nmap-exp/aca/nmap/mswin32/Debug
> > $
> >
> >
> > It happens regardless if the attack worked or not.
> > If it worked, it does report it as vulnerable.
> > But this is on windows and this script will never work on windows ...
> >
> > It does happen when the main thread exists, at which point some of the
> > worker threads are  sleep()ing.
> >
> > Also, error is the same on linux too.
> >
> > The original script was a mess, and I'm still cleaning it up so there
> > might be something
> > left that triggers this. But never the less, a script shouldn't cause
> > an assert to fail.
> >
> > I'll be looking more into this today and if you have any suggestion,
> > please share.
> >
> > Aleksandar
> >
> > On Sat, Jul 14, 2012 at 12:09 AM, Aleksandar Nikolic
> > <nikolic.alek () gmail com> wrote:
> > > I am running this with the latest code in the trunk.
> > > I guessed the same as Patrik suggested, but haven't yet investigated it.
> > > The main thread does finishes before the rest of the workers.
> > > Probably has something to do with that as I create many threads.
> > > And it does crash _after_ the script returns the results.
> > >
> > > Will make a full report tomorrow.
> > >
> > >
> > > On Sat, Jul 14, 2012 at 12:01 AM, Patrick Donnelly <batrick () batbytes com> wrote:
> > > > On Fri, Jul 13, 2012 at 5:15 PM, Patrik Karlsson <patrik () cqure net> wrote:
> > > > > Not sure which script this is, but if the script is asserting after it
> > > > > returns the script results and if it makes use of threads, it's likely that
> > > > > the parent thread returns before the worker threads have stopped. I've
> > > > > observed this behavior numerous times in the past. Kind of says something
> > > > > about my coding *cough* :)
> > > >
> > > > The parent should be able to complete before workers. If you are
> > > > encountering some error then that is a bug.
> > > >
> > > > --
> > > > - Patrick Donnelly
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/