Nmap Development mailing list archives

Buffer overflow in Nmap when using -ox - on a /8 scan


From: Jacek Wielemborek <d33tah () gmail com>
Date: Sat, 25 Jan 2014 23:10:36 +0100

Hi,

I just found a potentially interesting error. While experimenting with Nmap, I 
managed to get this strange error on Nmap 6.40 from Fedora 20:

[22:46:39][/tmp][134] $ nmap localhost/8 --min-rate 100000  -ox - -sT

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-25 22:46 CET
*** buffer overflow detected ***: nmap terminated
======= Backtrace: =========
/lib64/libc.so.6[0x38bf275d9f]
/lib64/libc.so.6(__fortify_fail+0x37)[0x38bf306bd7]
/lib64/libc.so.6[0x38bf304dc0]
/lib64/libc.so.6[0x38bf306b47]
nmap(_ZN15ConnectScanInfo7watchSDEi+0x2b)[0x474e9b]
nmap[0x47bf44]
nmap(_Z10ultra_scanRSt6vectorIP6TargetSaIS1_EEP10scan_lists5stypeP12timeout_info+0x1d69)[0x480fb9]
nmap[0x492129]
nmap(_Z8nexthostP14HostGroupStatePK7addrsetP10scan_listsi+0x28)[0x492658]
nmap(_Z9nmap_mainiPPc+0x941)[0x44ca11]
nmap(main+0x179)[0x4297a9]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x38bf221d65]
nmap[0x42a131]
======= Memory map: ========
00400000-0051a000 r-xp 00000000 fd:00 1345134 /usr/bin/nmap
00719000-0071a000 r--p 00119000 fd:00 1345134 /usr/bin/nmap
0071a000-00857000 rw-p 0011a000 fd:00 1345134 /usr/bin/nmap
00857000-00867000 rw-p 00000000 00:00 0
00a56000-00a69000 rw-p 00256000 fd:00 1345134 /usr/bin/nmap
01ae1000-0459a000 rw-p 00000000 00:00 0 [heap]
31c6400000-31c643e000 r-xp 00000000 fd:00 1323259 /usr/lib64/libpcap.so.1.5.3
31c643e000-31c663d000 ---p 0003e000 fd:00 1323259 /usr/lib64/libpcap.so.1.5.3
31c663d000-31c663f000 r--p 0003d000 fd:00 1323259 /usr/lib64/libpcap.so.1.5.3
31c663f000-31c6640000 rw-p 0003f000 fd:00 1323259 /usr/lib64/libpcap.so.1.5.3
31c6640000-31c6641000 rw-p 00000000 00:00 0
38bee00000-38bee20000 r-xp 00000000 fd:00 1311419 /usr/lib64/ld-2.18.so
38bf01f000-38bf020000 r--p 0001f000 fd:00 1311419 /usr/lib64/ld-2.18.so
38bf020000-38bf021000 rw-p 00020000 fd:00 1311419 /usr/lib64/ld-2.18.so
38bf021000-38bf022000 rw-p 00000000 00:00 0
38bf200000-38bf3b4000 r-xp 00000000 fd:00 1311446 /usr/lib64/libc-2.18.so
38bf3b4000-38bf5b4000 ---p 001b4000 fd:00 1311446 /usr/lib64/libc-2.18.so
38bf5b4000-38bf5b8000 r--p 001b4000 fd:00 1311446 /usr/lib64/libc-2.18.so
38bf5b8000-38bf5ba000 rw-p 001b8000 fd:00 1311446 /usr/lib64/libc-2.18.so
38bf5ba000-38bf5bf000 rw-p 00000000 00:00 0
38bf600000-38bf603000 r-xp 00000000 fd:00 1311569 /usr/lib64/libdl-2.18.so
38bf603000-38bf802000 ---p 00003000 fd:00 1311569 /usr/lib64/libdl-2.18.so
38bf802000-38bf803000 r--p 00002000 fd:00 1311569 /usr/lib64/libdl-2.18.so
38bf803000-38bf804000 rw-p 00003000 fd:00 1311569 /usr/lib64/libdl-2.18.so
38bfa00000-38bfa18000 r-xp 00000000 fd:00 1311544 /usr/lib64/libpthread-2.18.so
38bfa18000-38bfc17000 ---p 00018000 fd:00 1311544 /usr/lib64/libpthread-2.18.so
38bfc17000-38bfc18000 r--p 00017000 fd:00 1311544 /usr/lib64/libpthread-2.18.so
38bfc18000-38bfc19000 rw-p 00018000 fd:00 1311544 /usr/lib64/libpthread-2.18.so
38bfc19000-38bfc1d000 rw-p 00000000 00:00 0
38bfe00000-38bff05000 r-xp 00000000 fd:00 1311832 /usr/lib64/libm-2.18.so
38bff05000-38c0105000 ---p 00105000 fd:00 1311832 /usr/lib64/libm-2.18.so
38c0105000-38c0106000 r--p 00105000 fd:00 1311832 /usr/lib64/libm-2.18.so
38c0106000-38c0107000 rw-p 00106000 fd:00 1311832 /usr/lib64/libm-2.18.so
38c0200000-38c0215000 r-xp 00000000 fd:00 1311563 /usr/lib64/libz.so.1.2.8
38c0215000-38c0414000 ---p 00015000 fd:00 1311563 /usr/lib64/libz.so.1.2.8
38c0414000-38c0415000 r--p 00014000 fd:00 1311563 /usr/lib64/libz.so.1.2.8
38c0415000-38c0416000 rw-p 00015000 fd:00 1311563 /usr/lib64/libz.so.1.2.8
38c0600000-38c0615000 r-xp 00000000 fd:00 1311836 /usr/lib64/libgcc_s-4.8.2-20131212.so.1
38c0615000-38c0814000 ---p 00015000 fd:00 1311836 /usr/lib64/libgcc_s-4.8.2-20131212.so.1
38c0814000-38c0815000 r--p 00014000 fd:00 1311836 /usr/lib64/libgcc_s-4.8.2-20131212.so.1
38c0815000-38c0816000 rw-p 00015000 fd:00 1311836 /usr/lib64/libgcc_s-4.8.2-20131212.so.1
38c0e00000-38c0ee9000 r-xp 00000000 fd:00 1311906 /usr/lib64/libstdc++.so.6.0.19
38c0ee9000-38c10e9000 ---p 000e9000 fd:00 1311906 /usr/lib64/libstdc++.so.6.0.19
38c10e9000-38c10f1000 r--p 000e9000 fd:00 1311906 /usr/lib64/libstdc++.so.6.0.19
38c10f1000-38c10f3000 rw-p 000f1000 fd:00 1311906 /usr/lib64/libstdc++.so.6.0.19
38c10f3000-38c1108000 rw-p 00000000 00:00 0
38c1200000-38c1224000 r-xp 00000000 fd:00 1311822 /usr/lib64/liblzma.so.5.0.99
38c1224000-38c1423000 ---p 00024000 fd:00 1311822 /usr/lib64/liblzma.so.5.0.99
38c1423000-38c1424000 r--p 00023000 fd:00 1311822 /usr/lib64/liblzma.so.5.0.99
38c1424000-38c1425000 rw-p 00024000 fd:00 1311822 /usr/lib64/liblzma.so.5.0.99
38c1e00000-38c1e65000 r-xp 00000000 fd:00 1311998 /usr/lib64/libpcre.so.1.2.1
38c1e65000-38c2064000 ---p 00065000 fd:00 1311998 /usr/lib64/libpcre.so.1.2.1
38c2064000-38c2065000 r--p 00064000 fd:00 1311998 /usr/lib64/libpcre.so.1.2.1
38c2065000-38c2066000 rw-p 00065000 fd:00 1311998 /usr/lib64/libpcre.so.1.2.1
38c2a00000-38c2a21000 r-xp 00000000 fd:00 1312016 /usr/lib64/libselinux.so.1
38c2a21000-38c2c20000 ---p 00021000 fd:00 1312016 /usr/lib64/libselinux.so.1
38c2c20000-38c2c21000 r--p 00020000 fd:00 1312016 /usr/lib64/libselinux.so.1
38c2c21000-38c2c22000 rw-p 00021000 fd:00 1312016 /usr/lib64/libselinux.so.1
38c2c22000-38c2c24000 rw-p 00000000 00:00 0
38c4200000-38c4216000 r-xp 00000000 fd:00 1311993 /usr/lib64/libresolv-2.18.so
38c4216000-38c4416000 ---p 00016000 fd:00 1311993 /usr/lib64/libresolv-2.18.so
38c4416000-38c4417000 r--p 00016000 fd:00 1311993 /usr/lib64/libresolv-2.18.so
38c4417000-38c4418000 rw-p 00017000 fd:00 1311993 /usr/lib64/libresolv-2.18.so
38c4418000-38c441a000 rw-p 00000000 00:00 0
38c7600000-38c7631000 r-xp 00000000 fd:00 1332225 /usr/lib64/liblua-5.2.so
38c7631000-38c7830000 ---p 00031000 fd:00 1332225 /usr/lib64/liblua-5.2.so
38c7830000-38c7832000 r--p 00030000 fd:00 1332225 /usr/lib64/liblua-5.2.so
38c7832000-38c7833000 rw-p 00032000 fd:00 1332225 /usr/lib64/liblua-5.2.so
38c7c00000-38c7dbd000 r-xp 00000000 fd:00 1312277 /usr/lib64/libcrypto.so.1.0.1e
38c7dbd000-38c7fbc000 ---p 001bd000 fd:00 1312277 /usr/lib64/libcrypto.so.1.0.1e
38c7fbc000-38c7fd7000 r--p 001bc000 fd:00 1312277 /usr/lib64/libcrypto.so.1.0.1e
38c7fd7000-38c7fe3000 rw-p 001d7000 fd:00 1312277 /usr/lib64/libcrypto.so.1.0.1e
38c7fe3000-38c7fe7000 rw-p 00000000 00:00 0
38c8e00000-38c8e03000 r-xp 00000000 fd:00 1312185 /usr/lib64/libcom_err.so.2.1
38c8e03000-38c9002000 ---p 00003000 fd:00 1312185 /usr/lib64/libcom_err.so.2.1
38c9002000-38c9003000 r--p 00002000 fd:00 1312185 /usr/lib64/libcom_err.so.2.1
38c9003000-38c9004000 rw-p 00003000 fd:00 1312185 /usr/lib64/libcom_err.so.2.1
38c9200000-38c9203000 r-xp 00000000 fd:00 1311961 /usr/lib64/libkeyutils.so.1.5
38c9203000-38c9402000 ---p 00003000 fd:00 1311961 /usr/lib64/libkeyutils.so.1.5
38c9402000-38c9403000 r--p 00002000 fd:00 1311961 /usr/lib64/libkeyutils.so.1.5
38c9403000-38c9404000 rw-p 00003000 fd:00 1311961 /usr/lib64/libkeyutils.so.1.5
38c9600000-38c960d000 r-xp 00000000 fd:00 1312082 /usr/lib64/libkrb5support.so.0.1
38c960d000-38c980c000 ---p 0000d000 fd:00 1312082 /usr/lib64/libkrb5support.so.0.1
38c980c000-38c980d000 r--p 0000c000 fd:00 1312082 /usr/lib64/libkrb5support.so.0.1
38c980d000-38c980e000 rw-p 0000d000 fd:00 1312082 /usr/lib64/libkrb5support.so.0.1
38c9a00000-38c9a32000 r-xp 00000000 fd:00 1312132 /usr/lib64/libk5crypto.so.3.1
38c9a32000-38c9c31000 ---p 00032000 fd:00 1312132 /usr/lib64/libk5crypto.so.3.1
38c9c31000-38c9c33000 r--p 00031000 fd:00 1312132 /usr/lib64/libk5crypto.so.3.1
38c9c33000-38c9c34000 rw-p 00033000 fd:00 1312132 /usr/lib64/libk5crypto.so.3.1
38c9c34000-38c9c35000 rw-p 00000000 00:00 0
38c9e00000-38c9e47000 r-xp 00000000 fd:00 1312225 /usr/lib64/libgssapi_krb5.so.2.2
38c9e47000-38ca047000 ---p 00047000 fd:00 1312225 /usr/lib64/libgssapi_krb5.so.2.2
38ca047000-38ca048000 r--p 00047000 fd:00 1312225 /usr/lib64/libgssapi_krb5.so.2.2
38ca048000-38ca04a000 rw-p 00048000 fd:00 1312225 /usr/lib64/libgssapi_krb5.so.2.2
38ca200000-38ca2d0000 r-xp 00000000 fd:00 1312195 /usr/lib64/libkrb5.so.3.3
38ca2d0000-38ca4cf000 ---p 000d0000 fd:00 1312195 /usr/lib64/libkrb5.so.3.3
38ca4cf000-38ca4dd000 r--p 000cf000 fd:00 1312195 /usr/lib64/libkrb5.so.3.3
38ca4dd000-38ca4e0000 rw-p 000dd000 fd:00 1312195 /usr/lib64/libkrb5.so.3.3
38ca600000-38ca662000 r-xp 00000000 fd:00 1312360 /usr/lib64/libssl.so.1.0.1e
38ca662000-38ca861000 ---p 00062000 fd:00 1312360 /usr/lib64/libssl.so.1.0.1e
38ca861000-38ca865000 r--p 00061000 fd:00 1312360 /usr/lib64/libssl.so.1.0.1e
38ca865000-38ca86c000 rw-p 00065000 fd:00 1312360 /usr/lib64/libssl.so.1.0.1e
7f6cd3e7a000-7f6cd3f3c000 rw-p 00000000 00:00 0
7f6cd3f3c000-7f6cd3f48000 r-xp 00000000 fd:00 1361777 /usr/lib64/libnss_files-2.18.so
7f6cd3f48000-7f6cd4147000 ---p 0000c000 fd:00 1361777 /usr/lib64/libnss_files-2.18.so
7f6cd4147000-7f6cd4148000 r--p 0000b000 fd:00 1361777 /usr/lib64/libnss_files-2.18.so
7f6cd4148000-7f6cd4149000 rw-p 0000c000 fd:00 1361777 /usr/lib64/libnss_files-2.18.so
7f6cd415e000-7f6cd418b000 rw-p 00000000 00:00 0
7f6cd419d000-7f6cd41c2000 rw-p 00000000 00:00 0
7fff3018f000-7fff301b0000 rw-p 00000000 00:00 0 [stack]
7fff301fe000-7fff30200000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
zsh: abort (core dumped)  nmap localhost/8 --min-rate 100000 -ox - -sT

I recompiled it with -ggdb -O1 (-O1 is for the glibc's hardening features to 
kick in) and got the following backtrace:

[22:59:57][~/workspace/ncat/nmap-trunk]$ gdbb ./nmap localhost/8 --min-rate 100000  -ox - -sT
gdb ./nmap -ex r localhost/8 --min-rate 100000 -ox - -sT
GNU gdb (GDB) Fedora 7.6.50.20130731-16.fc20
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
..
Reading symbols from /mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap...done.
Starting program: /mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap localhost/8 --min-rate 100000 -ox - -sT
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Starting Nmap 6.41SVN ( http://nmap.org ) at 2014-01-25 23:00 CET
*** buffer overflow detected ***: /mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap terminated
======= Backtrace: =========
/lib64/libc.so.6[0x38bf275d9f]
/lib64/libc.so.6(__fortify_fail+0x37)[0x38bf306bd7]
/lib64/libc.so.6[0x38bf304dc0]
/lib64/libc.so.6[0x38bf306b47]
/mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap(_ZN15ConnectScanInfo7watchSDEi+0x37)[0x47104d]
/mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap[0x477b9b]
/mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap[0x47886a]
/mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap(_Z10ultra_scanRSt6vectorIP6TargetSaIS1_EEP10scan_lists5stypeP12timeout_info+0xfa4)[0x47a528]
/mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap(_Z8nexthostP14HostGroupStatePK7addrsetP10scan_listsi+0x75d)[0x48af13]
/mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap(_Z9nmap_mainiPPc+0xc45)[0x44c3b6]
/mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap(main+0x188)[0x44303c]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x38bf221d65]
/mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap[0x42c1f9]
======= Memory map: ========
00400000-00534000 r-xp 00000000 fd:01 87568364 /mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap
00734000-00735000 r--p 00134000 fd:01 87568364 /mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap
00735000-00872000 rw-p 00135000 fd:01 87568364 /mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap
00872000-0333b000 rw-p 00000000 00:00 0 [heap]
31c6400000-31c643e000 r-xp 00000000 fd:00 1323259 /usr/lib64/libpcap.so.1.5.3
31c643e000-31c663d000 ---p 0003e000 fd:00 1323259 /usr/lib64/libpcap.so.1.5.3
31c663d000-31c663f000 r--p 0003d000 fd:00 1323259 /usr/lib64/libpcap.so.1.5.3
31c663f000-31c6640000 rw-p 0003f000 fd:00 1323259 /usr/lib64/libpcap.so.1.5.3
31c6640000-31c6641000 rw-p 00000000 00:00 0
38bee00000-38bee20000 r-xp 00000000 fd:00 1311419 /usr/lib64/ld-2.18.so
38bf01f000-38bf020000 r--p 0001f000 fd:00 1311419 /usr/lib64/ld-2.18.so
38bf020000-38bf021000 rw-p 00020000 fd:00 1311419 /usr/lib64/ld-2.18.so
38bf021000-38bf022000 rw-p 00000000 00:00 0
38bf200000-38bf3b4000 r-xp 00000000 fd:00 1311446 /usr/lib64/libc-2.18.so
38bf3b4000-38bf5b4000 ---p 001b4000 fd:00 1311446 /usr/lib64/libc-2.18.so
38bf5b4000-38bf5b8000 r--p 001b4000 fd:00 1311446 /usr/lib64/libc-2.18.so
38bf5b8000-38bf5ba000 rw-p 001b8000 fd:00 1311446 /usr/lib64/libc-2.18.so
38bf5ba000-38bf5bf000 rw-p 00000000 00:00 0
38bf600000-38bf603000 r-xp 00000000 fd:00 1311569 /usr/lib64/libdl-2.18.so
38bf603000-38bf802000 ---p 00003000 fd:00 1311569 /usr/lib64/libdl-2.18.so
38bf802000-38bf803000 r--p 00002000 fd:00 1311569 /usr/lib64/libdl-2.18.so
38bf803000-38bf804000 rw-p 00003000 fd:00 1311569 /usr/lib64/libdl-2.18.so
38bfa00000-38bfa18000 r-xp 00000000 fd:00 1311544 /usr/lib64/libpthread-2.18.so
38bfa18000-38bfc17000 ---p 00018000 fd:00 1311544 /usr/lib64/libpthread-2.18.so
38bfc17000-38bfc18000 r--p 00017000 fd:00 1311544 /usr/lib64/libpthread-2.18.so
38bfc18000-38bfc19000 rw-p 00018000 fd:00 1311544 /usr/lib64/libpthread-2.18.so
38bfc19000-38bfc1d000 rw-p 00000000 00:00 0
38bfe00000-38bff05000 r-xp 00000000 fd:00 1311832 /usr/lib64/libm-2.18.so
38bff05000-38c0105000 ---p 00105000 fd:00 1311832 /usr/lib64/libm-2.18.so
38c0105000-38c0106000 r--p 00105000 fd:00 1311832 /usr/lib64/libm-2.18.so
38c0106000-38c0107000 rw-p 00106000 fd:00 1311832 /usr/lib64/libm-2.18.so
38c0200000-38c0215000 r-xp 00000000 fd:00 1311563 /usr/lib64/libz.so.1.2.8
38c0215000-38c0414000 ---p 00015000 fd:00 1311563 /usr/lib64/libz.so.1.2.8
38c0414000-38c0415000 r--p 00014000 fd:00 1311563 /usr/lib64/libz.so.1.2.8
38c0415000-38c0416000 rw-p 00015000 fd:00 1311563 /usr/lib64/libz.so.1.2.8
38c0600000-38c0615000 r-xp 00000000 fd:00 1311836 /usr/lib64/libgcc_s-4.8.2-20131212.so.1
38c0615000-38c0814000 ---p 00015000 fd:00 1311836 /usr/lib64/libgcc_s-4.8.2-20131212.so.1
38c0814000-38c0815000 r--p 00014000 fd:00 1311836 /usr/lib64/libgcc_s-4.8.2-20131212.so.1
38c0815000-38c0816000 rw-p 00015000 fd:00 1311836 /usr/lib64/libgcc_s-4.8.2-20131212.so.1
38c0e00000-38c0ee9000 r-xp 00000000 fd:00 1311906 /usr/lib64/libstdc++.so.6.0.19
38c0ee9000-38c10e9000 ---p 000e9000 fd:00 1311906 /usr/lib64/libstdc++.so.6.0.19
38c10e9000-38c10f1000 r--p 000e9000 fd:00 1311906 /usr/lib64/libstdc++.so.6.0.19
38c10f1000-38c10f3000 rw-p 000f1000 fd:00 1311906 /usr/lib64/libstdc++.so.6.0.19
38c10f3000-38c1108000 rw-p 00000000 00:00 0
38c1200000-38c1224000 r-xp 00000000 fd:00 1311822 /usr/lib64/liblzma.so.5.0.99
38c1224000-38c1423000 ---p 00024000 fd:00 1311822 /usr/lib64/liblzma.so.5.0.99
38c1423000-38c1424000 r--p 00023000 fd:00 1311822 /usr/lib64/liblzma.so.5.0.99
38c1424000-38c1425000 rw-p 00024000 fd:00 1311822 /usr/lib64/liblzma.so.5.0.99
38c1e00000-38c1e65000 r-xp 00000000 fd:00 1311998 /usr/lib64/libpcre.so.1.2.1
38c1e65000-38c2064000 ---p 00065000 fd:00 1311998 /usr/lib64/libpcre.so.1.2.1
38c2064000-38c2065000 r--p 00064000 fd:00 1311998 /usr/lib64/libpcre.so.1.2.1
38c2065000-38c2066000 rw-p 00065000 fd:00 1311998 /usr/lib64/libpcre.so.1.2.1
38c2a00000-38c2a21000 r-xp 00000000 fd:00 1312016 /usr/lib64/libselinux.so.1
38c2a21000-38c2c20000 ---p 00021000 fd:00 1312016 /usr/lib64/libselinux.so.1
38c2c20000-38c2c21000 r--p 00020000 fd:00 1312016 /usr/lib64/libselinux.so.1
38c2c21000-38c2c22000 rw-p 00021000 fd:00 1312016 /usr/lib64/libselinux.so.1
38c2c22000-38c2c24000 rw-p 00000000 00:00 0
38c4200000-38c4216000 r-xp 00000000 fd:00 1311993 /usr/lib64/libresolv-2.18.so
38c4216000-38c4416000 ---p 00016000 fd:00 1311993 /usr/lib64/libresolv-2.18.so
38c4416000-38c4417000 r--p 00016000 fd:00 1311993 /usr/lib64/libresolv-2.18.so
38c4417000-38c4418000 rw-p 00017000 fd:00 1311993 /usr/lib64/libresolv-2.18.so
38c4418000-38c441a000 rw-p 00000000 00:00 0
38c7c00000-38c7dbd000 r-xp 00000000 fd:00 1312277 /usr/lib64/libcrypto.so.1.0.1e
38c7dbd000-38c7fbc000 ---p 001bd000 fd:00 1312277 /usr/lib64/libcrypto.so.1.0.1e
38c7fbc000-38c7fd7000 r--p 001bc000 fd:00 1312277 /usr/lib64/libcrypto.so.1.0.1e
38c7fd7000-38c7fe3000 rw-p 001d7000 fd:00 1312277 /usr/lib64/libcrypto.so.1.0.1e
38c7fe3000-38c7fe7000 rw-p 00000000 00:00 0
38c8e00000-38c8e03000 r-xp 00000000 fd:00 1312185 /usr/lib64/libcom_err.so.2.1
38c8e03000-38c9002000 ---p 00003000 fd:00 1312185 /usr/lib64/libcom_err.so.2.1
38c9002000-38c9003000 r--p 00002000 fd:00 1312185 /usr/lib64/libcom_err.so.2.1
38c9003000-38c9004000 rw-p 00003000 fd:00 1312185 /usr/lib64/libcom_err.so.2.1
38c9200000-38c9203000 r-xp 00000000 fd:00 1311961 /usr/lib64/libkeyutils.so.1.5
38c9203000-38c9402000 ---p 00003000 fd:00 1311961 /usr/lib64/libkeyutils.so.1.5
38c9402000-38c9403000 r--p 00002000 fd:00 1311961 /usr/lib64/libkeyutils.so.1.5
38c9403000-38c9404000 rw-p 00003000 fd:00 1311961 /usr/lib64/libkeyutils.so.1.5
38c9600000-38c960d000 r-xp 00000000 fd:00 1312082 /usr/lib64/libkrb5support.so.0.1
38c960d000-38c980c000 ---p 0000d000 fd:00 1312082 /usr/lib64/libkrb5support.so.0.1
38c980c000-38c980d000 r--p 0000c000 fd:00 1312082 /usr/lib64/libkrb5support.so.0.1
38c980d000-38c980e000 rw-p 0000d000 fd:00 1312082 /usr/lib64/libkrb5support.so.0.1
38c9a00000-38c9a32000 r-xp 00000000 fd:00 1312132 /usr/lib64/libk5crypto.so.3.1
38c9a32000-38c9c31000 ---p 00032000 fd:00 1312132 /usr/lib64/libk5crypto.so.3.1
38c9c31000-38c9c33000 r--p 00031000 fd:00 1312132 /usr/lib64/libk5crypto.so.3.1
38c9c33000-38c9c34000 rw-p 00033000 fd:00 1312132 /usr/lib64/libk5crypto.so.3.1
38c9c34000-38c9c35000 rw-p 00000000 00:00 0
38c9e00000-38c9e47000 r-xp 00000000 fd:00 1312225 /usr/lib64/libgssapi_krb5.so.2.2
38c9e47000-38ca047000 ---p 00047000 fd:00 1312225 /usr/lib64/libgssapi_krb5.so.2.2
38ca047000-38ca048000 r--p 00047000 fd:00 1312225 /usr/lib64/libgssapi_krb5.so.2.2
38ca048000-38ca04a000 rw-p 00048000 fd:00 1312225 /usr/lib64/libgssapi_krb5.so.2.2
38ca200000-38ca2d0000 r-xp 00000000 fd:00 1312195 /usr/lib64/libkrb5.so.3.3
38ca2d0000-38ca4cf000 ---p 000d0000 fd:00 1312195 /usr/lib64/libkrb5.so.3.3
38ca4cf000-38ca4dd000 r--p 000cf000 fd:00 1312195 /usr/lib64/libkrb5.so.3.3
38ca4dd000-38ca4e0000 rw-p 000dd000 fd:00 1312195 /usr/lib64/libkrb5.so.3.3
38ca600000-38ca662000 r-xp 00000000 fd:00 1312360 /usr/lib64/libssl.so.1.0.1e
38ca662000-38ca861000 ---p 00062000 fd:00 1312360 /usr/lib64/libssl.so.1.0.1e
38ca861000-38ca865000 r--p 00061000 fd:00 1312360 /usr/lib64/libssl.so.1.0.1e
38ca865000-38ca86c000 rw-p 00065000 fd:00 1312360 /usr/lib64/libssl.so.1.0.1e
7ffff7cb5000-7ffff7d77000 rw-p 00000000 00:00 0
7ffff7d77000-7ffff7d83000 r-xp 00000000 fd:00 1361777 /usr/lib64/libnss_files-2.18.so
7ffff7d83000-7ffff7f82000 ---p 0000c000 fd:00 1361777 /usr/lib64/libnss_files-2.18.so
7ffff7f82000-7ffff7f83000 r--p 0000b000 fd:00 1361777 /usr/lib64/libnss_files-2.18.so
7ffff7f83000-7ffff7f84000 rw-p 0000c000 fd:00 1361777 /usr/lib64/libnss_files-2.18.so
7ffff7f99000-7ffff7fc6000 rw-p 00000000 00:00 0
7ffff7fd8000-7ffff7ffd000 rw-p 00000000 00:00 0
7ffff7ffd000-7ffff7fff000 r-xp 00000000 00:00 0 [vdso]
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Program received signal SIGABRT, Aborted.
0x00000038bf235c59 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
Missing separate debuginfos, use: debuginfo-install libpcap-1.5.3-1.fc20.x86_64 openssl-libs-1.0.1e-37.fc20.x86_64 xz-libs-5.1.2-6alpha.fc20.x86_64
(gdb) bt
#0  0x00000038bf235c59 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00000038bf237368 in __GI_abort () at abort.c:89
#2  0x00000038bf275da4 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x38bf37b0a1 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00000038bf306bd7 in __GI___fortify_fail (msg=msg@entry=0x38bf37b047 "buffer overflow detected") at fortify_fail.c:31
#4  0x00000038bf304dc0 in __GI___chk_fail () at chk_fail.c:28
#5  0x00000038bf306b47 in __fdelt_chk (d=<optimized out>) at fdelt_chk.c:25
#6  0x000000000047104d in ConnectScanInfo::watchSD (this=0x32f7140, sd=1024) at scan_engine.cc:1032
#7  0x0000000000477b9b in sendConnectScanProbe (USI=USI@entry=0x7fffffffca60, hss=hss@entry=0x31d60e0, destport=<optimized out>, tryno=tryno@entry=0 '\000',
    pingseq=pingseq@entry=0 '\000') at scan_engine.cc:3217
#8  0x000000000047886a in sendNextScanProbe (USI=USI@entry=0x7fffffffca60, hss=hss@entry=0x31d60e0) at scan_engine.cc:3776
#9  0x000000000047a528 in doAnyNewProbes (USI=0x7fffffffca60) at scan_engine.cc:3817
#10 ultra_scan (Targets=std::vector of length 4096, capacity 4096 = {...}, ports=ports@entry=0x873d20 <ports>, scantype=scantype@entry=PING_SCAN,
    to=to@entry=0x87d870 <massping(Target**, int, scan_lists*)::group_to>) at scan_engine.cc:5809
#11 0x000000000048af13 in massping (ports=0x873d20 <ports>, num_hosts=<optimized out>, hostbatch=0xc95600) at targets.cc:290
#12 refresh_hostbatch (pingtype=80, ports=0x873d20 <ports>, exclude_group=0x7fffffffcad0, hs=0x7fffffffd040) at targets.cc:708
#13 nexthost (hs=hs@entry=0x7fffffffd040, exclude_group=exclude_group@entry=0x7fffffffcf40, ports=ports@entry=0x873d20 <ports>, pingtype=80) at targets.cc:718
#14 0x000000000044c3b6 in nmap_main (argc=argc@entry=7, argv=argv@entry=0x7fffffffdca8) at nmap.cc:1816
#15 0x000000000044303c in main (argc=7, argv=0x7fffffffdca8) at main.cc:229
(gdb) 

Also, note here's the output if compiled without optimization:

[23:03:10][~/workspace/ncat/nmap-trunk][1] $ gdbb ./nmap localhost/8 --min-rate 100000 -ox - -sT
gdb ./nmap -ex r localhost/8 --min-rate 100000 -ox - -sT
GNU gdb (GDB) Fedora 7.6.50.20130731-16.fc20
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
..
Reading symbols from /mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap...done.
Starting program: /mnt/sda/d33tah/workspace/ncat/nmap-trunk/nmap localhost/8 --min-rate 100000 -ox - -sT
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Starting Nmap 6.41SVN ( http://nmap.org ) at 2014-01-25 23:03 CET
scan_engine.cc:1033: Attempt to FD_SET fd 1024, which is not less than FD_SETSIZE (1024). Try using a lower parallelism.
Program received signal SIGABRT, Aborted.
0x00000038bf235c59 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
Missing separate debuginfos, use: debuginfo-install libpcap-1.5.3-1.fc20.x86_64 openssl-libs-1.0.1e-37.fc20.x86_64 xz-libs-5.1.2-6alpha.fc20.x86_64
(gdb) bt
#0  0x00000038bf235c59 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00000038bf237368 in __GI_abort () at abort.c:89
#2  0x00000000004f2a06 in ConnectScanInfo::watchSD (this=0x33dc140, sd=1024) at scan_engine.cc:1033
#3  0x00000000004fa482 in sendConnectScanProbe (USI=0x7fffffffcc90, hss=0x32bb0e0, destport=80, tryno=0 '\000', pingseq=0 '\000') at scan_engine.cc:3217
#4  0x00000000004fcce1 in sendNextScanProbe (USI=0x7fffffffcc90, hss=0x32bb0e0) at scan_engine.cc:3776
#5  0x00000000004fcf22 in doAnyNewProbes (USI=0x7fffffffcc90) at scan_engine.cc:3817
#6  0x0000000000504300 in ultra_scan (Targets=std::vector of length 4096, capacity 4096 = {...}, ports=0x958f80 <ports>, scantype=PING_SCAN,
    to=0x962904 <massping(Target**, int, scan_lists*)::group_to>) at scan_engine.cc:5809
#7  0x000000000051f47e in massping (hostbatch=0xd7a600, num_hosts=4096, ports=0x958f80 <ports>) at targets.cc:290
#8  0x00000000005208c0 in refresh_hostbatch (hs=0x7fffffffcfd0, exclude_group=0x7fffffffd2a0, ports=0x958f80 <ports>, pingtype=80) at targets.cc:708
#9  0x000000000052092e in nexthost (hs=0x7fffffffcfd0, exclude_group=0x7fffffffd2a0, ports=0x958f80 <ports>, pingtype=80) at targets.cc:718
#10 0x00000000004b6fb3 in nmap_main (argc=7, argv=0x7fffffffdca8) at nmap.cc:1816
#11 0x00000000004ac0c6 in main (argc=7, argv=0x7fffffffdca8) at main.cc:229

I couldn't reproduce the problem without the -ox -. I actually found this 
error due to my mistake. Fedora's abrt is reporting this bug to bugzilla right 
now, so you guys might want to take a look there for some related information.

Yours,
Jacek Wielemborek


_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
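The unoptimized run in the report makes the mechanism visible: a select()-based connect scan tries to register socket descriptor 1024 in an fd_set that holds only FD_SETSIZE (1024) bits, and the fortified build aborts in __fdelt_chk because FD_SET itself has no bounds check. The C program below is an added illustration, not code from Nmap or from the message above; it shows the kind of range check (the report's own output names the same check at scan_engine.cc:1033) that turns the out-of-bounds write into a handled error. The function names checked_fd_set, try_watch and watchable_count are hypothetical, and the scenario in main() is constructed.

```c
#include <stdio.h>
#include <sys/select.h>

/* Bounds-checked FD_SET. Returns 1 on success, 0 if fd cannot be represented.
 * FD_SET(fd, set) does no range check of its own: it sets bit `fd` in a
 * fixed FD_SETSIZE-bit array, so fd == FD_SETSIZE (1024 on glibc) writes
 * past the end of the fd_set. Built with _FORTIFY_SOURCE at -O1 or higher,
 * glibc routes the index through __fdelt_chk, which aborts with
 * "buffer overflow detected" (the fortified backtrace in the report);
 * without fortification the write silently corrupts whatever lies after
 * the fd_set in memory. Checking first is the only safe option. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        fprintf(stderr, "refusing to FD_SET fd %d: not less than FD_SETSIZE (%d)\n",
                fd, (int)FD_SETSIZE);
        return 0;
    }
    FD_SET(fd, set);
    return 1;
}

/* Convenience wrapper: try to watch a single descriptor on a fresh set. */
int try_watch(int fd)
{
    fd_set set;
    FD_ZERO(&set);
    return checked_fd_set(fd, &set);
}

/* Model a scanner that opens `requested` sockets starting at descriptor
 * first_fd and registers each one with select(): returns how many it can
 * watch before hitting the FD_SETSIZE ceiling. No real sockets are opened;
 * descriptor numbers are constructed for the illustration. */
int watchable_count(int first_fd, int requested)
{
    fd_set set;
    int fd, n = 0;
    FD_ZERO(&set);
    for (fd = first_fd; fd < first_fd + requested; fd++) {
        if (!checked_fd_set(fd, &set))
            break;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed scenario: descriptors just below the limit, ten requested. */
    int n = watchable_count(FD_SETSIZE - 3, 10);
    printf("FD_SETSIZE=%d, watchable descriptors from %d: %d\n",
           (int)FD_SETSIZE, FD_SETSIZE - 3, n);
    /* Exit status 0 only if the out-of-range descriptor was refused. */
    return try_watch(FD_SETSIZE) == 0 ? 0 : 1;
}
```

The check does not raise the ceiling; it only converts memory corruption into a reportable condition, which is why the report's message says to lower parallelism. A program that genuinely needs more than FD_SETSIZE concurrent descriptors has to use an interface without a fixed-size set, such as poll() or epoll, rather than enlarge the fd_set.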
