Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [nmap-svn] r32678 - nmap
From: Ron <ron () skullsecurity net>
Date: Mon, 27 Jan 2014 20:10:17 -0800

Hey,

This patch is causing me issues:

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 4) scan.
NSE: Script Engine Scan Aborted.
An error was thrown by the engine:
/home/ron/tools/nmap/nse_main.lua:210: bad argument #2 to 'format' (no
value)
stack traceback:
[C]: in function 'format'
/home/ron/tools/nmap/nse_main.lua:210: in function 'print_debug'
/home/ron/tools/nmap/nse_main.lua:329: in function 'd'
/home/ron/tools/nmap/nse_main.lua:381: in function 'start'
/home/ron/tools/nmap/nse_main.lua:916: in function 'run'
/home/ron/tools/nmap/nse_main.lua:1394: in function
</home/ron/tools/nmap/nse_main.lua:1297>
[C]: in ?

I tried to debug, but I don't see what's going on.

Ron

On 2014-01-27 22:56, commit-mailer () nmap org wrote:
Author: david
Date: Mon Jan 27 22:56:29 2014
New Revision: 32678

Log:
Escape '%' in arguments to Thread:d.

A user reported this crash when scanning a target whose name contained
the '%' character:

NSE: Script Engine Scan Aborted.
An error was thrown by the engine: nse_main.lua:322: invalid capture index
stack traceback:
      [C]: in function 'gsub'
      nse_main.lua:322: in function 'd'
      nse_main.lua:377: in function 'start'
      nse_main.lua:912: in function 'run'
      nse_main.lua:1390: in function <nse_main.lua:1293>
      [C]: in ?

I'm not sure how a name with '%' got resolved, but I was able to
reproduce the crash by adding this line to /etc/hosts:
      127.0.0.1       a%40b
and then running
      ./nmap --script=banner a%40b -d --top-ports 5

The gsub function recognizes "%d", where d is a digit, as a capture
index. The constructed string is then passed to print_debug, which is
like printf. Therefore we escape every occurrence of "%" twice, to get
"%%%%".

Modified:
   nmap/nse_main.lua

Modified: nmap/nse_main.lua
==============================================================================
--- nmap/nse_main.lua (original)
+++ nmap/nse_main.lua Mon Jan 27 22:56:29 2014
@@ -315,12 +315,16 @@
   -- Changes "%THREAD" with an appropriate identifier for the debug level
   function Thread:d (fmt, ...)
     local against = against_name(self.host, self.port);
+    local function replace(fmt, pattern, repl)
+      -- Escape each % twice: once for gsub, and once for print_debug.
+      return gsub(fmt, pattern, gsub(repl, "%%", "%%%%%%%%"));
+    end
     if debugging() > 1 then
-      fmt = gsub(fmt, "%%THREAD_AGAINST", self.info..against);
-      fmt = gsub(fmt, "%%THREAD", self.info);
+      fmt = replace(fmt, "%%THREAD_AGAINST", self.info..against);
+      fmt = replace(fmt, "%%THREAD", self.info);
     else
-      fmt = gsub(fmt, "%%THREAD_AGAINST", self.short_basename..against);
-      fmt = gsub(fmt, "%%THREAD", self.short_basename);
+      fmt = replace(fmt, "%%THREAD_AGAINST", self.short_basename..against);
+      fmt = replace(fmt, "%%THREAD", self.short_basename);
     end
     print_debug(1, fmt, ...);
   end

_______________________________________________
Sent through the svn mailing list
http://nmap.org/mailman/listinfo/svn
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault