Nmap Development mailing list archives
Re: Always practice safe software: a lesson from UnrealIRCd
From: David Fifield <david () bamsoftware com>
Date: Tue, 22 Jun 2010 14:05:56 -0600
On Tue, Jun 22, 2010 at 02:55:37PM -0500, Ron wrote:
> On Fri, 18 Jun 2010 14:09:21 -0600 David Fifield <david () bamsoftware com> wrote:
>
>> Hey guys, this script looks really good. However I found it gives a lot
>> of false positives when many instances of the script are run, because
>> the timer is started before the socket is connected, and the script may
>> block waiting for the socket. I ran against the 592 addresses from
>> http://seclists.org/nmap-dev/2010/q2/830.
>>
>> nmap --datadir . -p 6666,6667 -iL unreal.nmap -d --script=irc-unrealircd-backdoor.nse
>>
>> It's clear what's happening in the output:
>>
>> NSE: irc-unrealircd-backdoor: Received a response to our command in 2 seconds
>> NSE: irc-unrealircd-backdoor: The Trojanned version of unrealircd probably isn't
>> ...
>> NSE: irc-unrealircd-backdoor: Received a response to our command in 37 seconds
>> NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
>> NSE: Finished irc-unrealircd-backdoor against 213.232.94.72:6667.
>> NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
>> NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
>> NSE: Finished irc-unrealircd-backdoor against 213.186.37.193:6667.
>> NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
>> NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
>> NSE: Finished irc-unrealircd-backdoor against 89.105.117.89:6667.
>> NSE: irc-unrealircd-backdoor: Received a response to our command in 38 seconds
>> NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
>> NSE: Finished irc-unrealircd-backdoor against 12.96.164.10:6667.
>> NSE: irc-unrealircd-backdoor: Receive failed: TIMEOUT
>> ...
>> NSE: irc-unrealircd-backdoor: Received a response to our command in 222 seconds
>> NSE: irc-unrealircd-backdoor: Looks like the Trojanned unrealircd is running!
>> NSE: Finished irc-unrealircd-backdoor against 171.25.159.12:6666.
>>
>> I think it will work if you start the timer after the call to
>> comm.tryssl, not before.
>>
>> I also saw this error at least three times:
>>
>> NSE: irc-unrealircd-backdoor against 209.126.180.156:6666 threw an error!
>> ./scripts/irc-unrealircd-backdoor.nse:105: attempt to concatenate local 'response' (a nil value)
>> stack traceback:
>>         ./scripts/irc-unrealircd-backdoor.nse:105: in function <./scripts/irc-unrealircd-backdoor.nse:55>
>>         (tail call): ?
>>
>> Other addresses where it happened were 66.235.194.60:6667 and
>> 118.98.162.85:6667.
>>
>> If you can run this same test and make it work, then please go ahead
>> and commit the script.
>
> Your suggestion of starting the timer after comm.tryssl() is a good one,
> but I'm not sure it'll solve the problem. I don't understand how lua
> threads work, so Patrick or others can correct me if I'm wrong, but I'm
> assuming that as soon as I do a send() or receive() my script
> relinquishes its timeslice and others have a chance to run. As a result,
> won't we still run into the same issue?
Yes, but at that point you are at least assured that your script holds a
socket. My bet is that almost all of the excessive delay is scripts
waiting for a socket. NSE only allows 20 scripts to hold a socket at a
time, so others must wait until an earlier script gives up all its
sockets. I think this waiting is what's taking up most of the time.

There aren't any timeslices. Your script has exclusive control of the
processor until it relinquishes it with a socket operation or sleep. It
gets called back as soon as the socket operation finishes though (unless
another script is refusing to yield). You'll only be timing the very
small delay imposed by the NSE scheduler, and not the very long delay
waiting for a socket to be free.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
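The scheduling behaviour David describes can be made concrete with a small deterministic model. The following Python is an added example, not code from this thread or from Nmap: it models NSE's cooperative scheduler (a script keeps the CPU until it yields on a socket operation; only a fixed number of scripts may hold a socket at once; a finished script's socket goes to the next waiter) with a simulated clock, and runs the same probe script in both variants, timer started before the connect and timer started after it. All constants (socket limit of 2 instead of NSE's 20, a 2-second benign server, a 10-second receive timeout, a 3-second flagging threshold) and the host list are constructed for the illustration. The probe script also shows the second fix from the thread: treating a `None` response from a timed-out receive as a distinct outcome instead of concatenating it.

```python
"""Deterministic model of NSE cooperative scheduling (constructed example, not Nmap code)."""
import heapq
from collections import deque

SOCKET_LIMIT = 2      # NSE's real limit is 20 concurrent script sockets; 2 keeps the trace short
SERVER_DELAY = 2.0    # constructed: each benign server answers after 2 simulated seconds
RECV_TIMEOUT = 10.0   # constructed: a receive on a silent host returns None after this long
THRESHOLD = 3.0       # constructed: a response slower than this is flagged as suspicious


def probe_script(clock, server_delay, time_after_connect):
    """One script instance as a generator. It yields exactly where an NSE script
    would give up the processor: at the connect (which may block on the socket
    limit) and at the receive."""
    if not time_after_connect:
        start = clock()                 # the bug: clock starts before we hold a socket
    yield "connect"                     # resumed only once the scheduler grants a socket
    if time_after_connect:
        start = clock()                 # the fix: clock starts once the socket is held
    response = yield ("receive", server_delay)
    elapsed = clock() - start
    if response is None:                # timed-out receive: handle None, never concatenate it
        return {"status": "timeout", "elapsed": elapsed}
    status = "flagged" if elapsed >= THRESHOLD else "clean"
    return {"status": status, "elapsed": elapsed}


class Scheduler:
    def __init__(self, socket_limit=SOCKET_LIMIT):
        self.now = 0.0
        self.free_sockets = socket_limit
        self.ready = deque()      # (name, generator, value to resume with)
        self.waiting = deque()    # scripts blocked on the socket limit, FIFO
        self.timers = []          # heap of (wake_time, seq, name, generator, value)
        self.holding = set()      # names of scripts currently holding a socket
        self.seq = 0
        self.results = {}

    def clock(self):
        return self.now

    def spawn(self, name, gen):
        self.ready.append((name, gen, None))

    def _resume(self, name, gen, value):
        try:
            request = gen.send(value)
        except StopIteration as done:
            self.results[name] = done.value
            if name in self.holding:          # finished script releases its socket ...
                self.holding.discard(name)
                if self.waiting:              # ... which the oldest waiter takes over directly
                    waiter = self.waiting.popleft()
                    self.holding.add(waiter[0])
                    self.ready.append(waiter)
                else:
                    self.free_sockets += 1
            return
        if request == "connect":
            entry = (name, gen, True)
            if self.free_sockets > 0:
                self.free_sockets -= 1
                self.holding.add(name)
                self.ready.append(entry)
            else:
                self.waiting.append(entry)    # no socket free: wait, without consuming CPU
        else:                                 # ("receive", server_delay)
            _, server_delay = request
            if server_delay is None:          # silent host: receive returns None on timeout
                wake, value = self.now + RECV_TIMEOUT, None
            else:
                wake, value = self.now + server_delay, "PONG :benign"
            self.seq += 1
            heapq.heappush(self.timers, (wake, self.seq, name, gen, value))

    def run(self):
        while self.ready or self.timers:
            if self.ready:                    # a runnable script keeps the CPU until it yields
                self._resume(*self.ready.popleft())
            else:                             # nothing runnable: jump to the next I/O completion
                wake, _, name, gen, value = heapq.heappop(self.timers)
                self.now = wake
                self._resume(name, gen, value)
        return self.results


# constructed host list: six benign servers and one that never answers
HOSTS = [("h1", SERVER_DELAY), ("h2", SERVER_DELAY), ("h3", SERVER_DELAY),
         ("h4", SERVER_DELAY), ("h5", SERVER_DELAY), ("h6", SERVER_DELAY),
         ("silent", None)]


def scan(time_after_connect, hosts=HOSTS):
    sched = Scheduler()
    for name, delay in hosts:
        sched.spawn(name, probe_script(sched.clock, delay, time_after_connect))
    return sched.run()


def flagged(results):
    return sorted(name for name, r in results.items() if r["status"] == "flagged")


if __name__ == "__main__":
    for mode in (False, True):
        res = scan(mode)
        print("timer after connect:", mode, {n: r["elapsed"] for n, r in res.items()})
        print("  flagged:", flagged(res))
```

With the timer started before the connect, every host that had to wait for a socket slot reports the wait time plus the server's real latency, so h3 through h6 cross the threshold although they all answered in two seconds; with the timer started after the connect, each host reports exactly two seconds and nothing is flagged. The silent host yields a `None` response in both modes and is reported as a timeout rather than crashing the script.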