Nmap Development mailing list archives

Re: [nmap-svn] r29382 - nmap-exp/kroosec/rpc-grind/nselib


From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 27 Jul 2012 00:04:13 +0200

On Thu, Jul 26, 2012 at 11:47 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

On 07/26/2012 03:41 PM, Henri Doreau wrote:

Hello,

I think that the following patch should be ported to trunk. Nmap
currently doesn't even connect to RPC services if not run in
privileged mode. I agree that attempting to bind to a <1024 port is a
good thing to try but if not possible that shouldn't stop the
execution flow.

Regards.

2012/7/26 <commit-mailer () insecure org>:

Author: henri
Date: Thu Jul 26 13:38:43 2012
New Revision: 29382

Log:
Attempt to connect even if nmap runs in non privileged mode.


Modified:
    nmap-exp/kroosec/rpc-grind/nselib/rpc.lua

Modified: nmap-exp/kroosec/rpc-grind/nselib/rpc.lua
==============================================================================
--- nmap-exp/kroosec/rpc-grind/nselib/rpc.lua   (original)
+++ nmap-exp/kroosec/rpc-grind/nselib/rpc.lua   Thu Jul 26 13:38:43 2012
@@ -171,12 +171,10 @@
            -- Try to bind to a reserved port
            for resvport = 600, 1024, 1 do
              status, err = socket:bind(nil, 1000)
-            if status then
-              status, err = socket:connect(host, port)
-              if status then break end
-            end
+            if status then break end
            end
          end
+        status, err = socket:connect(host, port)
        else
          socket = nmap.new_socket("udp")
          if nmap.is_privileged() then
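Review bot: the loop variable `resvport` is never used: every iteration calls `socket:bind(nil, 1000)`, so `for resvport = 600, 1024, 1 do` only ever binds to port 1000 (and the upper bound 1024 is not a reserved port). Moving the connect out of the loop also defeats the retry: since `socket:bind` does not report a port already in use (the failure only shows up on `socket:connect`, as Dan notes below), `if status then break end` now exits on the first iteration, and the single `status, err = socket:connect(host, port)` after the loop fails whenever port 1000 is taken, with no attempt at another reserved port or an unprivileged one, and its result is not checked within this hunk. Suggest keeping the connect inside the loop and binding to `resvport`, then after the loop clearing the bind with `socket:bind(nil, nil)` and doing a final plain connect if no reserved port worked.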

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

 Henri,

I introduced this code, since many NFS servers won't respond if the client
is not bound to a reserved port. I confess the order of socket calls and
return values was confusing to me, but based on what I remember from my
testing, I don't think this will work.

The specific bug condition is when the socket tries to bind to a port that
is in use. The NSE socket:bind call will not fail like a C bind(2) call
would. Instead, the failure comes when trying to do socket:connect().
That's why the code loops over ports from 600 to 1000 until it finds one
that works.

A better way would be to check if any of those reserved ports succeeded,
and if not, socket:bind(nil,nil) to clear the error condition and just
connect with any port.

Dan


I've run into the problem with the difficulty to check if a bind was
successful or not in the past as well.
For unconnected UDP sockets, the error occurs first once a send or receive
operation is done on the socket.
The reason being that the bind NSE call simply sets the arguments for the
bind up and the socket bind call is not actually called until the socket is
about to be used.

//Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
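One way to implement the approach Dan suggests (try each reserved port with the connect still inside the loop, then fall back to an unbound connect), written as an added NSE Lua example that is not code from this thread or from nmap's rpc.lua. It assumes it runs inside an NSE script where `nmap`, `host` and `port` are available, reuses one socket object across attempts as the quoted hunk does, and the 5-second timeout is an assumed value.

```lua
-- Added example: connect to an RPC service, preferring a reserved source port.
-- Assumes the NSE environment (the `nmap` library, `host` and `port` tables).
local function connect_reserved_first(host, port, proto)
  proto = proto or "tcp"
  local socket = nmap.new_socket(proto)
  socket:set_timeout(5000)  -- assumption: 5 s timeout

  if nmap.is_privileged() then
    -- socket:bind() only records the address/port to bind; a port already in
    -- use is not reported here but on the later connect (for UDP, on the first
    -- send/receive), so the connect must stay inside the retry loop.
    for resvport = 600, 1023 do
      local status = socket:bind(nil, resvport)
      if status then
        local ok, err = socket:connect(host, port)
        if ok then
          return true, socket, resvport
        end
        stdnse.print_debug(2, "reserved port %d failed: %s", resvport, tostring(err))
      end
    end
    -- No reserved port worked: clear the pending bind so the OS picks a port.
    socket:bind(nil, nil)
  end

  -- Unprivileged, or every reserved port failed: connect from any port.
  local status, err = socket:connect(host, port)
  if not status then
    socket:close()
    return false, err
  end
  return true, socket, nil
end

-- Example use inside an action function (constructed, not from the page):
-- local ok, sock_or_err, src = connect_reserved_first(host, port, "tcp")
-- if not ok then return nil end
```

The third return value reports which reserved port was used, or nil when the fallback path connected from an ephemeral port, which is useful when debugging NFS servers that ignore unprivileged clients.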

