Nmap Development mailing list archives
Re: [nmap-svn] r32678 - nmap
From: Ron <ron () skullsecurity net>
Date: Mon, 27 Jan 2014 20:10:17 -0800
Hey,

This patch is causing me issues:

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 4) scan.
NSE: Script Engine Scan Aborted.
An error was thrown by the engine:
/home/ron/tools/nmap/nse_main.lua:210: bad argument #2 to 'format' (no value)
stack traceback:
        [C]: in function 'format'
        /home/ron/tools/nmap/nse_main.lua:210: in function 'print_debug'
        /home/ron/tools/nmap/nse_main.lua:329: in function 'd'
        /home/ron/tools/nmap/nse_main.lua:381: in function 'start'
        /home/ron/tools/nmap/nse_main.lua:916: in function 'run'
        /home/ron/tools/nmap/nse_main.lua:1394: in function </home/ron/tools/nmap/nse_main.lua:1297>
        [C]: in ?

I tried to debug, but I don't see what's going on.

Ron

On 2014-01-27 22:56, commit-mailer () nmap org wrote:
Author: david
Date: Mon Jan 27 22:56:29 2014
New Revision: 32678

Log:
Escape '%' in arguments to Thread:d.

A user reported this crash when scanning a target whose name contained the '%' character:

NSE: Script Engine Scan Aborted.
An error was thrown by the engine:
nse_main.lua:322: invalid capture index
stack traceback:
        [C]: in function 'gsub'
        nse_main.lua:322: in function 'd'
        nse_main.lua:377: in function 'start'
        nse_main.lua:912: in function 'run'
        nse_main.lua:1390: in function <nse_main.lua:1293>
        [C]: in ?

I'm not sure how a name with '%' got resolved, but I was able to reproduce the crash by adding this line to /etc/hosts:

127.0.0.1 a%40b

and then running

./nmap --script=banner a%40b -d --top-ports 5

The gsub function recognizes "%d", where d is a digit, as a capture index. The constructed string is then passed to print_debug, which is like printf. Therefore we escape every occurrence of "%" twice, to get "%%%%".

Modified:
   nmap/nse_main.lua

Modified: nmap/nse_main.lua
==============================================================================
--- nmap/nse_main.lua	(original)
+++ nmap/nse_main.lua	Mon Jan 27 22:56:29 2014
@@ -315,12 +315,16 @@ -- Changes "%THREAD" with an appropriate identifier for the debug level function Thread:d (fmt, ...) local against = against_name(self.host, self.port); + local function replace(fmt, pattern, repl) + -- Escape each % twice: once for gsub, and once for print_debug. + return gsub(fmt, pattern, gsub(repl, "%%", "%%%%%%%%")); + end if debugging() > 1 then - fmt = gsub(fmt, "%%THREAD_AGAINST", self.info..against); - fmt = gsub(fmt, "%%THREAD", self.info); + fmt = replace(fmt, "%%THREAD_AGAINST", self.info..against); + fmt = replace(fmt, "%%THREAD", self.info); else - fmt = gsub(fmt, "%%THREAD_AGAINST", self.short_basename..against); - fmt = gsub(fmt, "%%THREAD", self.short_basename); + fmt = replace(fmt, "%%THREAD_AGAINST", self.short_basename..against); + fmt = replace(fmt, "%%THREAD", self.short_basename); end print_debug(1, fmt, ...); end _______________________________________________ Sent through the svn mailing list http://nmap.org/mailman/listinfo/svn
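Review bot: the inner gsub in `replace` returns two values (the rewritten string and the number of substitutions), and because it is the last argument in `gsub(fmt, pattern, gsub(repl, "%%", "%%%%%%%%"))` both values are passed on, so the count lands in the outer gsub's fourth parameter, the maximum number of replacements. Whenever `repl` contains no '%' (the usual case) that count is 0, the outer gsub replaces nothing, and "%THREAD" or "%THREAD_AGAINST" survives into print_debug, where the format call then demands an argument it was never given; that is exactly the "bad argument #2 to 'format' (no value)" trace in Ron's message above. Truncate the inner call to one value with an extra pair of parentheses, `(gsub(repl, "%%", "%%%%%%%%"))`, or assign it to a local before passing it in.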
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
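As an added illustration (not code from this thread or from Nmap), the Lua snippet below walks a '%' through the two escaping layers the commit message describes and shows what gsub's second return value does to the substitution; the target string, the port and the stand-in print_debug are constructed for the example.

```lua
-- Added illustration, not Nmap code: the double escaping of '%' used by
-- Thread:d, and why the inner gsub must be wrapped in parentheses.
local gsub, format = string.gsub, string.format

-- Stand-in for nse_main.lua's print_debug: fmt is a printf-style string.
local function print_debug(fmt, ...)
  local msg = format(fmt, ...)
  return msg
end

-- Same approach as the patch, with the inner gsub truncated to ONE value.
local function replace(fmt, pattern, repl)
  return (gsub(fmt, pattern, (gsub(repl, "%%", "%%%%%%%%"))))
end

-- Constructed target string containing the literal '%' from the report.
local against = "a%40b:80"

-- Step 1: every '%' becomes '%%%%' ("%%" in a gsub replacement is one '%').
assert(gsub(against, "%%", "%%%%%%%%") == "a%%%%40b:80")
-- Step 2: substituting %THREAD_AGAINST folds '%%%%' back to '%%'.
local fmt = replace("Scanning %THREAD_AGAINST.", "%%THREAD_AGAINST", against)
assert(fmt == "Scanning a%%40b:80.")
-- Step 3: format() folds '%%' to '%', so the name is printed intact.
assert(print_debug(fmt) == "Scanning a%40b:80.")

-- Without the extra parentheses, gsub's second return value (the number of
-- substitutions) is passed as the outer gsub's 4th argument, its replacement
-- limit. A name with no '%' gives 0, nothing is replaced, and "%THREAD..."
-- reaches format(), which then demands a value for the conversion.
local function replace_unparenthesised(fmt, pattern, repl)
  return (gsub(fmt, pattern, gsub(repl, "%%", "%%%%%%%%")))
end
local left = replace_unparenthesised("Scanning %THREAD_AGAINST.",
                                     "%%THREAD_AGAINST", "plain:80")
assert(left == "Scanning %THREAD_AGAINST.")
local ok, err = pcall(print_debug, left)
assert(not ok and err:find("no value", 1, true))
print("all assertions passed")
```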
Current thread:
- Re: [nmap-svn] r32678 - nmap Ron (Jan 27)
- Re: [nmap-svn] r32678 - nmap Daniel Miller (Jan 29)