Nmap Development mailing list archives

Re: nmap's service discovery crashable


From: Jacek Wielemborek <d33tah () gmail com>
Date: Tue, 15 Apr 2014 15:58:29 +0200

15/04/2014 15:57:26 Jacek Wielemborek <d33tah () gmail com>:
Hello,

While trying to trick Nmap into printing non-ASCII characters from the
payloads in service discovery mode, I stumbled upon a bug. Here's how to
reproduce it:

ncat -l 31337 -k --sh-exec "/bin/echo -en '\x00\x03sok\0.n\0\0\x33\x33\x33\x33\x33\x33\x33\x33'" &

nmap localhost -p 31337 -sV --version-intensity 9

Yours,
Jacek Wielemborek

Ah, sorry, forgot to include the output:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-15 15:58 CEST
nmap: service_scan.cc:758: char* substvar(char*, char**, const u8*, int, int*, int): Assertion `offstart >= 0 && offstart < subjectlen' failed.
zsh: abort      nmap localhost -p 31337 -sV --version-intensity 9


_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
