Re: [nmap-svn] r32678 - nmap

[Daniel Miller <bonsaiviking () gmail com>]

Fixed in r32679

Author: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date:   Wed Jan 29 13:24:30 2014 +0000

    Fix a bug introduced in r32678

    string.gsub returns 2 values, the new string and the number of
    replacements made. It also has a 4th argument, the number of
    replacements to make. So when you use the return value of gsub as the
    3rd argument, and no replacements were made, it instructs the next call
    to not make any replacements. Thanks to Ron Bowes for reporting this
    issue.

    git-svn-id: https://svn.nmap.org/nmap@32679
e0a8ed71-7df4-0310-8962-fdc924857419

diff --git a/nse_main.lua b/nse_main.lua
index b64b57e..cdae16b 100644
--- a/nse_main.lua
+++ b/nse_main.lua
@@ -317,7 +317,8 @@ do
     local against = against_name(self.host, self.port);
     local function replace(fmt, pattern, repl)
       -- Escape each % twice: once for gsub, and once for print_debug.
-      return gsub(fmt, pattern, gsub(repl, "%%", "%%%%%%%%"));
+      local r = gsub(repl, "%%", "%%%%%%%%")
+      return gsub(fmt, pattern, r);
     end
     if debugging() > 1 then
       fmt = replace(fmt, "%%THREAD_AGAINST", self.info..against);

On Mon, Jan 27, 2014 at 10:10 PM, Ron <ron () skullsecurity net> wrote:
> Hey,
>
> This patch is causing me issues:
>
> NSE: Script Post-scanning.
> NSE: Starting runlevel 1 (of 4) scan.
> NSE: Script Engine Scan Aborted.
> An error was thrown by the engine:
> /home/ron/tools/nmap/nse_main.lua:210: bad argument #2 to 'format' (no
> value)
> stack traceback:
> [C]: in function 'format'
> /home/ron/tools/nmap/nse_main.lua:210: in function 'print_debug'
> /home/ron/tools/nmap/nse_main.lua:329: in function 'd'
> /home/ron/tools/nmap/nse_main.lua:381: in function 'start'
> /home/ron/tools/nmap/nse_main.lua:916: in function 'run'
> /home/ron/tools/nmap/nse_main.lua:1394: in function
> </home/ron/tools/nmap/nse_main.lua:1297>
> [C]: in ?
>
> I tried to debug, but I don't see what's going on.
>
> Ron
>
> On 2014-01-27 22:56, commit-mailer () nmap org wrote:
> > Author: david
> > Date: Mon Jan 27 22:56:29 2014
> > New Revision: 32678
> >
> > Log:
> > Escape '%' in arguments to Thread:d.
> >
> > A user reported this crash when scanning a target whose name contained
> > the '%' character:
> >
> > NSE: Script Engine Scan Aborted.
> > An error was thrown by the engine: nse_main.lua:322: invalid capture index
> > stack traceback:
> >       [C]: in function 'gsub'
> >       nse_main.lua:322: in function 'd'
> >       nse_main.lua:377: in function 'start'
> >       nse_main.lua:912: in function 'run'
> >       nse_main.lua:1390: in function <nse_main.lua:1293>
> >       [C]: in ?
> >
> > I'm not sure how a name with '%' got resolved, but I was able to
> > reproduce the crash by adding this line to /etc/hosts:
> >       127.0.0.1       a%40b
> > and then running
> >       ./nmap --script=banner a%40b -d --top-ports 5
> >
> > The gsub function recognizes "%d", where d is a digit, as a capture
> > index. The constructed string is then passed to print_debug, which is
> > like printf. Therefore we escape every occurrence of "%" twice, to get
> > "%%%%".
> >
> > Modified:
> >    nmap/nse_main.lua
> >
> > Modified: nmap/nse_main.lua
> > ==============================================================================
> > --- nmap/nse_main.lua (original)
> > +++ nmap/nse_main.lua Mon Jan 27 22:56:29 2014
> > @@ -315,12 +315,16 @@
> >    -- Changes "%THREAD" with an appropriate identifier for the debug level
> >    function Thread:d (fmt, ...)
> >      local against = against_name(self.host, self.port);
> > +    local function replace(fmt, pattern, repl)
> > +      -- Escape each % twice: once for gsub, and once for print_debug.
> > +      return gsub(fmt, pattern, gsub(repl, "%%", "%%%%%%%%"));
> > +    end
> >      if debugging() > 1 then
> > -      fmt = gsub(fmt, "%%THREAD_AGAINST", self.info..against);
> > -      fmt = gsub(fmt, "%%THREAD", self.info);
> > +      fmt = replace(fmt, "%%THREAD_AGAINST", self.info..against);
> > +      fmt = replace(fmt, "%%THREAD", self.info);
> >      else
> > -      fmt = gsub(fmt, "%%THREAD_AGAINST", self.short_basename..against);
> > -      fmt = gsub(fmt, "%%THREAD", self.short_basename);
> > +      fmt = replace(fmt, "%%THREAD_AGAINST", self.short_basename..against);
> > +      fmt = replace(fmt, "%%THREAD", self.short_basename);
> >      end
> >      print_debug(1, fmt, ...);
> >    end
> >
> > _______________________________________________
> > Sent through the svn mailing list
> > http://nmap.org/mailman/listinfo/svn
> _______________________________________________
> Sent through the dev mailing list
> http://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/