Nmap Development
mailing list archives
Re: -sV crash in $# substitution function substvar()
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Sat, 21 Jul 2007 23:01:02 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sat, 21 Jul 2007 15:02:59 -0700 plus or minus some time doug () hcsw org wrote:

> Hi Brandon!
>
> Thanks for the bug report! This is indeed a strange one. I checked
> out the service match lines that should match your application and
> it looks like they are buggy!
Stupid me to just assume it was a problem in the code. I stared at the
source for over an hour trying to figure it out. I should have at least
*looked* at the match line.
> On the line in the probes file:
>
> match rtsp m|^RTSP/1\.0 \d\d\d .*\r\nServer: Helix (:?DNA )?Server Version ([\d.]+) \(linux-[^)\r\n]+\)|s p/Helix DNA Server/ v/$1/ o/Linux/
>
> Could you change (:?DNA )? to [\w ]+ and see if it fixes your crash?
> I've changed the corresponding line in the soc07 SVN branch if you'd
> rather try that version.
I went ahead and changed '(:?DNA )?' to non-capturing parentheses,
'(?:DNA )?', instead of [\w ]+. Either one fixes the problem but I think
leaving DNA in there is probably a good idea if future names come along.
> Non-capturing clustering is done incorrectly in that match line. Oops,
> probably my fault! What's strange is that the 2 submissions for this
> service seem to match OK with my scripts before even applying the fix.
>
> Thanks!
>
> Doug
While we're on the topic of match-line bugs, I noticed this one often
matches too much and throws a warning:
match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]+)|s p/Apache httpd/ v/$1/ i/$2/
Warning: Servicescan failed to fill info_template (subjectlen: 2566). Too long? Match string was line 3145: v/Apache httpd/$1/$2
To solve this, I split it into two match lines, one that tries to get extra
info for i/$2/ (up to 30 chars) and one that just matches the service:
match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]{1,30})[\ \r\n]|s p/Apache httpd/ v/$1/ i/$2/
match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+)|s p/Apache httpd/ v/$1/
If you are interested in the banner being returned to cause the warning in
the first place I'm sure I could use --version-trace and figure it out.
Let me know and I'll work on it.
Brandon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFGopAuqaGPzAsl94IRAl+rAJ9J1CjONm53JcKfruy7j8C+kO04jACdE4EL
+f0p9MRBEyLWj0bbhjUvqVw=
=n1l/
-----END PGP SIGNATURE-----
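Both bugs in this thread come down to how a match line's $N references are expanded against the capture groups of its regex. The script below is an added example, not Nmap's code and not something either poster wrote: it re-implements, in a few dozen lines of Python, the parsing of a `match` line and a `substvar()`-style expansion (the name is borrowed from the thread), then runs the four match lines quoted above against constructed banners. It assumes that a $N reference to a group that did not participate in the match is fatal, which is the crash the subject line describes, and it uses an assumed `INFO_LIMIT` of 80 characters as a stand-in for the fixed-size info_template buffer that produced the "Too long?" warning; Python's `re` stands in for the PCRE engine Nmap uses, which is close enough for these particular patterns.

```python
import re
from typing import Dict, Tuple

# Toy parser for an nmap-service-probes "match" line (example code, not Nmap's):
#   match <service> m<delim><regex><delim>[flags] p/<product>/ v/<version>/ i/<info>/ o/<os>/
# Assumes the delimiter character does not occur inside the regex.
MATCH_LINE_RE = re.compile(r'^match\s+(\S+)\s+m(.)(.*?)\2([si]*)\s*(.*)$')
FIELD_RE = re.compile(r'([pvio])/((?:[^/\\]|\\.)*)/')
INFO_LIMIT = 80  # assumed stand-in for the info_template buffer size, not Nmap's real value


def parse_match_line(line: str) -> Tuple[str, re.Pattern, Dict[str, str]]:
    """Split a match line into (service, compiled regex, {field: template})."""
    m = MATCH_LINE_RE.match(line)
    if m is None:
        raise ValueError("not a match line: " + line)
    service, _delim, pattern, flagchars, rest = m.groups()
    flags = 0
    if 's' in flagchars:      # Nmap's 's' flag: '.' also matches newline
        flags |= re.DOTALL
    if 'i' in flagchars:      # Nmap's 'i' flag: case-insensitive match
        flags |= re.IGNORECASE
    templates = dict(FIELD_RE.findall(rest))
    return service, re.compile(pattern, flags), templates


def substvar(template: str, m: re.Match, limit: int) -> str:
    """Expand $1, $2, ... from the capture groups of m.
    A reference to a group that exists but did not take part in the match
    (what the '(:?DNA )?' line produces when 'DNA ' is absent) is treated
    as fatal here, standing in for the crash reported in the thread."""
    def repl(ref: re.Match) -> str:
        n = int(ref.group(1))
        if n > m.re.groups:
            raise IndexError(f"${n} referenced but pattern has {m.re.groups} groups")
        value = m.group(n)
        if value is None:
            raise ValueError(f"${n} refers to a group that did not participate")
        return value
    expanded = re.sub(r'\$(\d+)', repl, template)
    if len(expanded) > limit:
        raise OverflowError(f"expansion is {len(expanded)} chars, over limit {limit}")
    return expanded


def apply_match(line: str, banner: str, info_limit: int = INFO_LIMIT) -> Dict[str, object]:
    """Run one match line against a banner; report the fields or the first failure."""
    service, rx, templates = parse_match_line(line)
    m = rx.search(banner)
    if m is None:
        return {"matched": False}
    out: Dict[str, object] = {"matched": True, "service": service}
    for field, tpl in templates.items():
        try:
            out[field] = substvar(tpl, m, info_limit)
        except (IndexError, ValueError, OverflowError) as exc:
            out["error"] = f"{field}: {exc}"
            break
    return out


# The match lines discussed in the thread, verbatim.
BUGGY_HELIX = r'match rtsp m|^RTSP/1\.0 \d\d\d .*\r\nServer: Helix (:?DNA )?Server Version ([\d.]+) \(linux-[^)\r\n]+\)|s p/Helix DNA Server/ v/$1/ o/Linux/'
FIXED_HELIX = r'match rtsp m|^RTSP/1\.0 \d\d\d .*\r\nServer: Helix (?:DNA )?Server Version ([\d.]+) \(linux-[^)\r\n]+\)|s p/Helix DNA Server/ v/$1/ o/Linux/'
GREEDY_APACHE = r'match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]+)|s p/Apache httpd/ v/$1/ i/$2/'
BOUNDED_APACHE = r'match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+) ([^\r\n]{1,30})[\ \r\n]|s p/Apache httpd/ v/$1/ i/$2/'
PLAIN_APACHE = r'match http m|^HTTP/1\.[01].*Server: Apache/(\d+\.\d+\.[-.\w]+)|s p/Apache httpd/ v/$1/'

# Constructed banners for the demo (not captured from real hosts).
HELIX_DNA = "RTSP/1.0 200 OK\r\nServer: Helix DNA Server Version 11.0.2 (linux-2.6-glibc-2.3)\r\n"
HELIX_PLAIN = "RTSP/1.0 200 OK\r\nServer: Helix Server Version 11.0.2 (linux-2.6-glibc-2.3)\r\n"
APACHE_LONG = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Debian) " + "mod_x/1.0 " * 40
               + "\r\nContent-Type: text/html\r\n")

if __name__ == "__main__":
    for name, line, banner in [("buggy helix, DNA present", BUGGY_HELIX, HELIX_DNA),
                               ("buggy helix, DNA absent", BUGGY_HELIX, HELIX_PLAIN),
                               ("fixed helix, DNA absent", FIXED_HELIX, HELIX_PLAIN),
                               ("greedy apache", GREEDY_APACHE, APACHE_LONG),
                               ("bounded apache", BOUNDED_APACHE, APACHE_LONG),
                               ("plain apache", PLAIN_APACHE, APACHE_LONG)]:
        print(f"{name}: {apply_match(line, banner)}")
```

Running it shows the two failure modes side by side: with `(:?DNA )?` the capturing group shifts the version into $2, so $1 silently yields "DNA " when the word is present and refers to a non-participating group when it is not; with `(?:DNA )?` $1 is the version either way. For the Apache line, the unbounded `([^\r\n]+)` swallows the whole Server header and overruns the limit, while the `{1,30}` form followed by a separator class backs off to the last word boundary within 30 characters and the fallback line still recovers the version.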
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org