Re: Program crash with idle scan script on 3.93

[Ron <iago () valhallalegends com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, I've been looking at this problem.  Although I don't understand
C++ enough to totally fix it, I found a quick work around and I somewhat
understand the problem.

In portscan.cc, this if statement:
    if (portarray->find(portno) == portarray->end())
Is returning true on the first addPort() call, and is then attempting to
use (*portarray)[portno], which is NULL.  This is causing it to crash.

My work around is to change
    if (portarray->find(portno) == portarray->end())
to
    if ((*portarray)[portno] && portarray->find(portno) == portarray->end())

I'm sure that's not the best solution, but hopefully it helps somebody
else track down the problem; although it solves it, it might break
something else, and it still causes a SIGSEGV (after nmap is done,
rather than during the scan).  Email me if you have any questions, I've
looked at the addPort() function pretty extensively :)

I attached a patch for it.

Ron wrote:
> Here's the gdb output for anybody who wants to fix the problem:
>
> Starting program: /home/iago/nmap-3.84ALPHA2/nmap -sI 192.168.1.6:135
> 192.168.1.3
> WARNING: Many people use -P0 w/Idlescan to prevent pings from their true
> IP.  On the other hand, timing info Nmap gains from pings can allow for
> faster, more reliable scans.
>
> Starting nmap 3.84ALPHA2 ( http://www.insecure.org/nmap/ ) at 2005-09-17
> 18:50 CDT
> Warning: File ./nmap-services exists, but Nmap is using
> /usr/local/share/nmap/nmap-services for security and consistency
> reasons.  set NMAPDIR=. to give priority to files in your local
> directory (may affect the other data files too).
> Idlescan using zombie 192.168.1.6 (192.168.1.6:135); Class: Incremental
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x08073420 in PortList::addPort (this=0x80e7380, portno=22, protocol=6
> '\006',
>     owner=0x0, state=2) at portlist.cc:473
> 473           error("Duplicate port (%hu/%s)\n", portno,
> proto2ascii(protocol));
> (gdb) backtrace
> #0  0x08073420 in PortList::addPort (this=0x80e7380, portno=22,
>     protocol=6 '\006', owner=0x0, state=2) at portlist.cc:473
> #1  0x0805d105 in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2ebc, numports=135165720, expectedopen=1) at idle_scan.cc:935
> #2  0x0805d078 in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2eb8, numports=135165720, expectedopen=1) at idle_scan.cc:846
> #3  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2eb8, numports=135165720, expectedopen=2) at idle_scan.cc:833
> #4  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2eb8, numports=135165720, expectedopen=2) at idle_scan.cc:833
> #5  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2eb8, numports=135165720, expectedopen=2) at idle_scan.cc:833
> #6  0x0805d00d in idle_treescan (proxy=0x80bcce0, target=0x80e7320,
>     ports=0x80f2eb8, numports=135165720, expectedopen=-1) at
> idle_scan.cc:833
> #7  0x0805d578 in idle_scan (target=0x80e7320, portarray=0x80f2eb8,
>     numports=1668, proxyName=0x3c <Address 0x3c out of bounds>)
>     at idle_scan.cc:1003
> #8  0x0804e327 in nmap_main (argc=4, argv=0xbffff774) at nmap.cc:1200
> #9  0x0804b234 in main (argc=4, argv=0xbffff774, envp=0xbffff788)
>     at main.cc:244
> (gdb)
>
>
> Fred Goldman wrote:
>
> > > I have had the same problem both with the GUI and command line. To many 
> > > different sites. I do have the alerter files from XP if you want them? Plus 
> > > I think I may have a nmap dump file.* I am running XP* Home SP1 with all the 
> > > security updates. I have used them on different ports as well. I used the 
> > > idle scan command as per the article on your site. Thanks.
> > > Thanks,
> > > michaelg618
> > >
> > > On 9/17/05, nmap-dev-request () insecure org <nmap-dev-request () insecure org> 
> > > wrote: 
> > >
> > >
> > > > Send nmap-dev mailing list submissions to
> > > > nmap-dev () insecure org
> > > >
> > > > Today's Topics:
> > > >
> > > > 1. possible idlescan problems in 3.93 (BAKEMAN)
> > > >
> > > >
> > > > ----------------------------------------------------------------------
> > > >
> > > > Message: 1
> > > > Date: Fri, 16 Sep 2005 16:01:23 -0700 (PDT)
> > > > From: BAKEMAN <bakeman () physics unr edu>
> > > > Subject: possible idlescan problems in 3.93
> > > > To: nmap-dev () insecure org
> > > > Message-ID: <20050916154944.C2721 () rigel physics unr edu>
> > > > Content-Type: TEXT/PLAIN; charset=US-ASCII
> > > >
> > > > I found this while testing out a simple idlescan script used to collect
> > > > zombies. It seems that there is a SIGSEGV error in 3.93.
> > > >
> > > > [root@mbakeman format_files]# nmap -P0 -sI 40.71.195.116<http://40.71.195.116> 
> > > > 64.136.59.125 <http://64.136.59.125>
> > > > Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-16 15:42 
> > > > PDT
> > > > Idlescan zombie 40.71.195.116 <http://40.71.195.116> (40.71.195.116<http://40.71.195.116>) 
> > > > port 80 cannot be used
> > > > because it has not returned any of our probes -- perhaps it is down or
> > > > firewalled.
> > > > QUITTING!
> > > >
> > > > [root@mbakeman format_files]# nmap -P0 -sI 40.71.195.116<http://40.71.195.116> 
> > > > 64.136.59.125 <http://64.136.59.125>
> > > > Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-09-16 15:43 
> > > > PDT
> > > > Idlescan zombie 40.71.195.116 <http://40.71.195.116> (40.71.195.116<http://40.71.195.116>) 
> > > > port 80 cannot be used
> > > > because it has not returned any of our probes -- perhaps it is down or
> > > > firewalled.
> > > > QUITTING!
> > > > caught SIGSEGV signal, cleaning up
> > > > Aborted
> > > >
> > > > I have not tried this on a working zombie so far yet.
> > > >
> > > > Aphex
> > > >
> > > >
> > > > ------------------------------
> > > >
> > > > _______________________________________________
> > > > nmap-dev mailing list
> > > > nmap-dev () insecure org
> > > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > >
> > > >
> > > > End of nmap-dev Digest, Vol 6, Issue 17
> > > > ***************************************
> > >
> > >
> > >
> > > _______________________________________________
> > > Sent through the nmap-dev mailing list
> > > http://cgi.insecure.org/mailman/listinfo/nmap-dev

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.9.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDLL3+fqSf2EkP4p4RAuhPAJ4i1Mlsa3KzMh8Xr8AVU+2X5G2/7gCfXHFI
+bcKPUKoje+dyVE3FUD82is=
=B4xP
-----END PGP SIGNATURE-----

Only in nmap-3.93.new: .portlist.cc.swp
diff -rub nmap-3.93/portlist.cc nmap-3.93.new/portlist.cc
--- nmap-3.93/portlist.cc       2005-09-17 20:04:48.000000000 -0500
+++ nmap-3.93.new/portlist.cc   2005-09-17 20:04:13.000000000 -0500
@@ -465,7 +465,7 @@
     portarray = &ip_prots;
   } else fatal("addPort: attempted port insertion with invalid protocol");
 
-  if (portarray->find(portno) == portarray->end()) {
+  if ((*portarray)[portno] && portarray->find(portno) == portarray->end()) {
     /* We must discount our statistics from the old values.  Also warn
        if a complete duplicate */
     current = (*portarray)[portno];    



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev