Nmap Development mailing list archives
Re: Program crash with idle scan script on 3.93
From: Ron <iago () valhallalegends com>
Date: Sat, 17 Sep 2005 20:08:15 -0500
Well, I've been looking at this problem. Although I don't understand C++ enough to totally fix it, I found a quick workaround and I somewhat understand the problem.

In portscan.cc, this if statement:

if (portarray->find(portno) == portarray->end())

is returning true on the first addPort() call, and is then attempting to use (*portarray)[portno], which is NULL. This is causing it to crash.

My workaround is to change

if (portarray->find(portno) == portarray->end())

to

if ((*portarray)[portno] && portarray->find(portno) == portarray->end())

I'm sure that's not the best solution, but hopefully it helps somebody else track down the problem; although it solves it, it might break something else, and it still causes a SIGSEGV (after nmap is done, rather than during the scan).

Email me if you have any questions, I've looked at the addPort() function pretty extensively :)

I attached a patch for it.

Ron wrote:
Here's the gdb output for anybody who wants to fix the problem:

Starting program: /home/iago/nmap-3.84ALPHA2/nmap -sI 192.168.1.6:135 192.168.1.3
WARNING: Many people use -P0 w/Idlescan to prevent pings from their true IP. On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans.

Starting nmap 3.84ALPHA2 ( http://www.insecure.org/nmap/ ) at 2005-09-17 18:50 CDT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Idlescan using zombie 192.168.1.6 (192.168.1.6:135); Class: Incremental

Program received signal SIGSEGV, Segmentation fault.
0x08073420 in PortList::addPort (this=0x80e7380, portno=22, protocol=6 '\006', owner=0x0, state=2) at portlist.cc:473
473       error("Duplicate port (%hu/%s)\n", portno, proto2ascii(protocol));
(gdb) backtrace
#0  0x08073420 in PortList::addPort (this=0x80e7380, portno=22, protocol=6 '\006', owner=0x0, state=2) at portlist.cc:473
#1  0x0805d105 in idle_treescan (proxy=0x80bcce0, target=0x80e7320, ports=0x80f2ebc, numports=135165720, expectedopen=1) at idle_scan.cc:935
#2  0x0805d078 in idle_treescan (proxy=0x80bcce0, target=0x80e7320, ports=0x80f2eb8, numports=135165720, expectedopen=1) at idle_scan.cc:846
#3  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320, ports=0x80f2eb8, numports=135165720, expectedopen=2) at idle_scan.cc:833
#4  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320, ports=0x80f2eb8, numports=135165720, expectedopen=2) at idle_scan.cc:833
#5  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320, ports=0x80f2eb8, numports=135165720, expectedopen=2) at idle_scan.cc:833
#6  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320, ports=0x80f2eb8, numports=135165720, expectedopen=-1) at idle_scan.cc:833
#7  0x0805d578 in idle_scan (target=0x80e7320, portarray=0x80f2eb8, numports=1668, proxyName=0x3c <Address 0x3c out of bounds>) at idle_scan.cc:1003
#8  0x0804e327 in nmap_main (argc=4, argv=0xbffff774) at nmap.cc:1200
#9  0x0804b234 in main (argc=4, argv=0xbffff774, envp=0xbffff788) at main.cc:244
(gdb)

Fred Goldman wrote:

I have had the same problem both with the GUI and command line. Too many different sites. I do have the alerter files from XP if you want them? Plus I think I may have a nmap dump file. I am running XP Home SP1 with all the security updates. I have used them on different ports as well. I used the idle scan command as per the article on your site. Thanks.

Thanks,
michaelg618

On 9/17/05, nmap-dev-request () insecure org <nmap-dev-request () insecure org> wrote:

Send nmap-dev mailing list submissions to nmap-dev () insecure org

Today's Topics:
1. possible idlescan problems in 3.93 (BAKEMAN)

----------------------------------------------------------------------

Message: 1
Date: Fri, 16 Sep 2005 16:01:23 -0700 (PDT)
From: BAKEMAN <bakeman () physics unr edu>
Subject: possible idlescan problems in 3.93
To: nmap-dev () insecure org
Message-ID: <20050916154944.C2721 () rigel physics unr edu>
Content-Type: TEXT/PLAIN; charset=US-ASCII

I found this while testing out a simple idlescan script used to collect zombies. It seems that there is a SIGSEGV error in 3.93.

[root@mbakeman format_files]# nmap -P0 -sI 40.71.195.116 64.136.59.125

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-16 15:42 PDT
Idlescan zombie 40.71.195.116 (40.71.195.116) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled. QUITTING!

[root@mbakeman format_files]# nmap -P0 -sI 40.71.195.116 64.136.59.125

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-09-16 15:43 PDT
Idlescan zombie 40.71.195.116 (40.71.195.116) port 80 cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled. QUITTING!
caught SIGSEGV signal, cleaning up
Aborted

I have not tried this on a working zombie so far yet.

Aphex

------------------------------
_______________________________________________
nmap-dev mailing list
nmap-dev () insecure org
http://cgi.insecure.org/mailman/listinfo/nmap-dev

End of nmap-dev Digest, Vol 6, Issue 17

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Only in nmap-3.93.new: .portlist.cc.swp diff -rub nmap-3.93/portlist.cc nmap-3.93.new/portlist.cc --- nmap-3.93/portlist.cc 2005-09-17 20:04:48.000000000 -0500 +++ nmap-3.93.new/portlist.cc 2005-09-17 20:04:13.000000000 -0500 @@ -465,7 +465,7 @@ portarray = &ip_prots; } else fatal("addPort: attempted port insertion with invalid protocol"); - if (portarray->find(portno) == portarray->end()) { + if ((*portarray)[portno] && portarray->find(portno) == portarray->end()) { /* We must discount our statistics from the old values. Also warn if a complete duplicate */ current = (*portarray)[portno];
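Review bot: the added guard on the + line makes the block unreachable instead of repairing it. (*portarray)[portno] is non-NULL only when the port is already stored, and in exactly that case portarray->find(portno) == portarray->end() is false, so the two conjuncts can never hold together and the code below the comment ("discount our statistics from the old values", warn on a complete duplicate) never runs. If portarray is a std::map, as the find()/end()/operator[] pattern suggests, evaluating (*portarray)[portno] in the guard also inserts a default NULL entry for an absent key as a side effect. The comment describes the case where the port already exists, which points to the original comparison being inverted: "if (portarray->find(portno) != portarray->end()) {" enters the block only for existing ports, so current is non-NULL there and the duplicate handling keeps working. Separately, "Only in nmap-3.93.new: .portlist.cc.swp" is an editor swap file and should be dropped from the diff.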
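As an added illustration (not nmap's code and not the patch above), the following C++ model runs the three spellings of the addPort() condition from this thread against a small map; the container type std::map<unsigned short, Port*> and the one-field Port struct are assumptions chosen to match the find()/end()/operator[] usage in the quoted hunk. It shows that the quoted == check enters the duplicate block for a brand-new port, where the entry is NULL, that the workaround never enters it, and that != enters it only for a genuine duplicate.

```cpp
// Added example, not nmap's code: a minimal model of the addPort() condition
// discussed in the thread. The container (std::map<u16, Port*>) and Port struct
// are assumptions matching the find()/end()/operator[] usage in the quoted hunk.
#include <cstdio>
#include <map>

struct Port { int state; };
typedef std::map<unsigned short, Port*> PortMap;
enum Variant { ORIGINAL, WORKAROUND, NOT_EQUAL };
struct Result {
  bool entered;       // did the "old values / duplicate" block run?
  bool null_current;  // would that block have dereferenced a NULL Port*?
};

// One variant per spelling of the check. Note that std::map::operator[] inserts a
// default (NULL) entry for an absent key, so merely evaluating it has a side effect.
static Result add_port(PortMap& ports, unsigned short portno, int state, Variant v) {
  Result r = {false, false};
  bool cond;
  switch (v) {
    case ORIGINAL:   cond = ports.find(portno) == ports.end(); break;  // as quoted in the thread
    case WORKAROUND: cond = ports[portno] && ports.find(portno) == ports.end(); break;
    default:         cond = ports.find(portno) != ports.end(); break;  // enter only for duplicates
  }
  if (cond) {
    r.entered = true;
    Port* current = ports[portno];          // NULL when the key was just created
    r.null_current = (current == nullptr);  // the real code uses current right here
    delete current;                         // duplicate: drop the old entry (no-op on NULL)
  }
  ports[portno] = new Port{state};          // if the block was skipped, a duplicate is overwritten unnoticed
  return r;
}

int main() {
  const char* names[] = {"original", "workaround", "!= end()"};
  for (int v = ORIGINAL; v <= NOT_EQUAL; ++v) {
    PortMap ports;
    Result first = add_port(ports, 22, 1, (Variant)v);   // first insertion of port 22
    Result dup = add_port(ports, 22, 1, (Variant)v);     // same port again
    std::printf("%-10s first: entered=%d null=%d | dup: entered=%d null=%d\n",
                names[v], first.entered, first.null_current, dup.entered, dup.null_current);
  }
  return 0;
}
```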