Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: Buffering problems in ssh2.lua
From: Fyodor <fyodor () insecure org>
Date: Sat, 13 Jun 2009 15:37:02 -0700

On Fri, Jun 12, 2009 at 10:25:06PM -0600, David Fifield wrote:
You can reliably reproduce it with this neat Ncat hack:

ncat -l 3000 --sh-exec "ncat scanme.nmap.org 22 | perl -e 'while (sysread(STDIN, \$line, 100)) { syswrite(STDOUT, 
\$line); sleep 1; }'"

The Perl script breaks the TCP stream into packets containing no more
than 100 bytes. Just scan port 3000 on localhost (with version
detection) and it will proxy to port 22 on scanme, the reply broken into
small chunks.

I'm so awed by your Ncat command that I can't think of anything to say
about the actual problem you're reporting :).

Does anyone want to try fixing this? There really should be a
read_packet abstraction in the ssh2 library, with an internal buffer
that only returns a packet when it is complete. A description of the
packet format is at http://tools.ietf.org/html/rfc4253#section-6 .

Who wants to give this a try?  I added it to the Nmap TODO (for the
upcoming dev branch).


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]