Nmap Development mailing list archives
Re: [nmap-svn] r29382 - nmap-exp/kroosec/rpc-grind/nselib
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 27 Jul 2012 00:04:13 +0200
On Thu, Jul 26, 2012 at 11:47 PM, Daniel Miller <bonsaiviking () gmail com> wrote:
On 07/26/2012 03:41 PM, Henri Doreau wrote:
Hello,
I think that the following patch should be ported to trunk. Nmap currently doesn't even connect to RPC services if not run in privileged mode. I agree that attempting to bind to a <1024 port is a good thing to try, but if not possible that shouldn't stop the execution flow.
Regards.

2012/7/26 <commit-mailer () insecure org>:
Author: henri
Date: Thu Jul 26 13:38:43 2012
New Revision: 29382
Log:
Attempt to connect even if nmap runs in non privileged mode.
Modified:
nmap-exp/kroosec/rpc-grind/nselib/rpc.lua

Modified: nmap-exp/kroosec/rpc-grind/nselib/rpc.lua
==============================================================================
--- nmap-exp/kroosec/rpc-grind/nselib/rpc.lua (original)
+++ nmap-exp/kroosec/rpc-grind/nselib/rpc.lua Thu Jul 26 13:38:43 2012
@@ -171,12 +171,10 @@ -- Try to bind to a reserved port for resvport = 600, 1024, 1 do status, err = socket:bind(nil, 1000) - if status then - status, err = socket:connect(host, port) - if status then break end - end + if status then break end end end + status, err = socket:connect(host, port) else socket = nmap.new_socket("udp") if nmap.is_privileged() then

_______________________________________________
Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Henri,
I introduced this code, since many NFS servers won't respond if the client is not bound to a reserved port. I confess the order of socket calls and return values was confusing to me, but based on what I remember from my testing, I don't think this will work. The specific bug condition is when the socket tries to bind to a port that is in use. The NSE socket:bind call will not fail like a C bind(2) call would. Instead, the failure comes when trying to do socket:connect(). That's why the code loops over ports from 600 to 1000 until it finds one that works. A better way would be to check if any of those reserved ports succeeded, and if not, socket:bind(nil,nil) to clear the error condition and just connect with any port.

Dan
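Review bot: moving `status, err = socket:connect(host, port)` out of the loop removes the only check that could ever detect a reserved port in use, because the loop now breaks on the bind status alone and, as the thread notes, NSE's socket:bind reports success regardless and the real failure surfaces at connect. After the change the loop exits on its first iteration and a single connect is attempted with no retry on another port. Separately, the body still calls `socket:bind(nil, 1000)` on every iteration, so `resvport` is never used and ports 600..1024 are not actually tried (that is pre-existing, but the rewrite is the moment to fix it). Suggest keeping the connect inside the loop with `socket:bind(nil, resvport)`, and after the loop, if `status` is still false, clearing the bind (socket:bind(nil, nil), as Daniel proposes, or a fresh socket) and connecting from any port, which achieves the commit's goal of proceeding in unprivileged mode without giving up the reserved-port attempt when it is possible.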
I've run into the problem with the difficulty to check if a bind was successful or not in the past as well. For unconnected UDP sockets, the error occurs first once a send or receive operation is done on the socket. The reason being that the bind NSE call simply sets up the arguments for the bind and the socket bind call is not actually made until the socket is about to be used.

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
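A version of the reserved-port logic that follows Daniel's and Patrik's remarks, as an added example in Lua for the NSE environment (this is not the rpc.lua code from the thread or any code from the Nmap project): it keeps connect() inside the loop so a port-in-use failure is detected per port, discards the failed socket instead of reusing its error state, and falls back to an unbound socket when no reserved port works or when Nmap is unprivileged. The NSE calls (nmap.new_socket, socket:bind, socket:connect, socket:close, nmap.is_privileged) are used as the thread uses them; the range 600..1023, the function names and the third return value are this example's own choices.

```lua
-- Added example, not the rpc.lua code under review.
-- Assumes the NSE socket API as used in the thread: nmap.new_socket(proto),
-- socket:bind(addr, port), socket:connect(host, port), socket:close(),
-- nmap.is_privileged(). Per the discussion, socket:bind() only records the
-- local address and the real bind(2) happens inside connect(), so a port in
-- use is only visible through connect()'s status.
local nmap = require "nmap"

-- Reserved source port range to try (example's choice; rpc.lua used 600..1024).
local RESV_FIRST, RESV_LAST = 600, 1023

-- Try each reserved port in turn with a fresh socket per attempt.
-- Returns a connected socket, or nil plus the last error seen.
local function connect_from_reserved(host, port, proto)
  local last_err
  for resvport = RESV_FIRST, RESV_LAST do
    local sock = nmap.new_socket(proto)
    local status, err = sock:bind(nil, resvport)
    if status then
      -- This is where a bind to a busy port actually fails.
      status, err = sock:connect(host, port)
      if status then
        return sock
      end
    end
    -- Bind or connect failed (e.g. port in use): drop this socket rather
    -- than reusing it with stale bind arguments, then try the next port.
    last_err = err
    sock:close()
  end
  return nil, last_err
end

-- Connect with a reserved source port when privileged and one is free;
-- otherwise connect from an ephemeral port. An impossible reserved-port
-- attempt never aborts the connection.
-- Returns: socket or nil, error or nil, and whether a reserved port was used.
local function connect_rpc(host, port, proto)
  proto = proto or "tcp"
  if nmap.is_privileged() then
    local sock = connect_from_reserved(host, port, proto)
    if sock then
      return sock, nil, true
    end
    -- All reserved ports failed; fall through to an unbound socket.
  end
  local sock = nmap.new_socket(proto)
  local status, err = sock:connect(host, port)
  if not status then
    sock:close()
    return nil, err, false
  end
  return sock, nil, false
end

return { connect_rpc = connect_rpc }
```

The third return value lets the calling script record which case it ended up in, which matters when interpreting a silent NFS server: with a reserved port the silence is the server's choice, without one it may simply be the server ignoring non-reserved clients as Daniel describes. For unconnected UDP sockets Patrik's point still applies, so a script that binds but never calls connect() should expect the error on its first send or receive instead.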
Current thread:
- Re: [nmap-svn] r29382 - nmap-exp/kroosec/rpc-grind/nselib Henri Doreau (Jul 26)
- Re: [nmap-svn] r29382 - nmap-exp/kroosec/rpc-grind/nselib Daniel Miller (Jul 26)
- Re: [nmap-svn] r29382 - nmap-exp/kroosec/rpc-grind/nselib Patrik Karlsson (Jul 26)
- Re: [nmap-svn] r29382 - nmap-exp/kroosec/rpc-grind/nselib Henri Doreau (Jul 27)
- Re: [nmap-svn] r29382 - nmap-exp/kroosec/rpc-grind/nselib Patrik Karlsson (Jul 26)
- Re: [nmap-svn] r29382 - nmap-exp/kroosec/rpc-grind/nselib Daniel Miller (Jul 26)