Tuesday, 31 July 2018

Crashing nmap 7.70

Last time we saw nmap 7.60 (on Kali) crash during a (let's say ;)) quick scan of one target machine from VulnHub. Today I decided to check whether I would get similar results with version 7.70. Details below...

This time I checked the same machine, but with the 'latest available' nmap installed on Windows 7 (32-bit).

When the (evil) VM was ready to be scanned, I started Win7 with nmap 7.70 (to scan the target IP I used nmap -sV -vv IP.addr):



Ok, cool :] So the same 'payload' crashes both versions: 7.60 (tested on Kali Linux) and 7.70 (installed on Windows 7 32-bit).

I decided to restart both VMs and re-scan the target. This time (before starting nmap) I started WinDbg, attached it to the cmd.exe process, and enabled child-process debugging (.childdbg 1).

...and we are here:


One little detail on the picture below ;]


:]

Anyway. Maybe you will find it useful.

A more detailed stack trace follows:

---<cut>---
 31.07.2018 - 19:21 -- 'stack overflow/exhaustion' for nmap 7.70 (Win7-32bit)
=============================================================================

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

(...)
Executable search path is:
ModLoad: 4a3f0000 4a43c000   C:\Windows\system32\cmd.exe
(...)
ModLoad: 71b90000 71ba2000   C:\Windows\system32\dhcpcsvc.DLL
(208.1b8): Invalid handle - code c0000008 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
(...)
(208.1b8): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0489a378 ebx=00000058 ecx=0019e4d4 edx=0462b882 esi=0489b0bc edi=00000d39
eip=011d405c esp=000a2f50 ebp=000a3048 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
image01120000+0xb405c:
011d405c 53              push    ebx

1:001> r
eax=0489a378 ebx=00000058 ecx=0019e4d4 edx=0462b882 esi=0489b0bc edi=00000d39
eip=011d405c esp=000a2f50 ebp=000a3048 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
image01120000+0xb405c:
011d405c 53              push    ebx

1:001> u eip
image01120000+0xb405c:
011d405c 53              push    ebx
011d405d 8b5d20          mov     ebx,dword ptr [ebp+20h]
011d4060 56              push    esi
011d4061 8b7508          mov     esi,dword ptr [ebp+8]
011d4064 898578ffffff    mov     dword ptr [ebp-88h],eax
011d406a 8b01            mov     eax,dword ptr [ecx]
011d406c 57              push    edi
011d406d 895580          mov     dword ptr [ebp-80h],edx

1:001> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)

FAULTING_IP:
image01120000+b61d6
011d61d6 83c424          add     esp,24h

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 011d405c (image01120000+0x000b405c)
   ExceptionCode: c00000fd (Stack overflow)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 000a2f4c

FAULTING_THREAD:  000001b8
PROCESS_NAME:  image01120000
FAULTING_MODULE: 76e80000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  5aac7b6c
ERROR_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created.
EXCEPTION_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created.
EXCEPTION_PARAMETER1:  00000001
EXCEPTION_PARAMETER2:  000a2f4c
DEFAULT_BUCKET_ID:  STACK_OVERFLOW
RECURRING_STACK: From frames 0x2 to 0x2
PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW
BUGCHECK_STR:  APPLICATION_FAULT_STACK_OVERFLOW_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 011d4361 to 011d405c

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
000a3048 011d4361 0489b0bc 0462b882 0489a378 image01120000+0xb405c
000a3178 011d61d6 0489b0bc 0462b87c 0489a378 image01120000+0xb4361
000a32a8 011d61d6 0489b0bb 0462b87c 0489a378 image01120000+0xb61d6
000a33d8 011d61d6 0489b0ba 0462b87c 0489a378 image01120000+0xb61d6
000a3508 011d61d6 0489b0b9 0462b87c 0489a378 image01120000+0xb61d6
000a3638 011d61d6 0489b0b8 0462b87c 0489a378 image01120000+0xb61d6
000a3768 011d61d6 0489b0b7 0462b87c 0489a378 image01120000+0xb61d6
(...)
000b0018 011d61d6 0489b00e 0462b87c 0489a378 image01120000+0xb61d6
000b0148 011d61d6 0489b00d 0462b87c 0489a378 image01120000+0xb61d6
000b0278 011d61d6 0489b00c 0462b87c 0489a378 image01120000+

FOLLOWUP_IP:
image01120000+b61d6
011d61d6 83c424          add     esp,24h

SYMBOL_STACK_INDEX:  2
SYMBOL_NAME:  image01120000+b61d6
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: image01120000
STACK_COMMAND:  ~1s ; kb
BUCKET_ID:  WRONG_SYMBOLS
IMAGE_NAME:  C:\Program Files\Nmap\nmap.exe
FAILURE_BUCKET_ID:  STACK_OVERFLOW_c00000fd_C:_Program_Files_Nmap_nmap.exe!Unknown
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image01120000/7_0_70_0/5aac7b6c/image01120000/7_0_70_0/5aac7b6c/c00000fd/000b405c.htm?Retriage=1
---</cut>---
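To triage a dump like the one above, a practitioner wants to confirm the recursion pattern rather than trust the WRONG_SYMBOLS bucket. The following Python is an added example, not part of the original post and not nmap's code: it parses the STACK_TEXT frames quoted above, finds the run of consecutive frames returning to the same address (011d61d6), and derives two things the listing does not state directly, the stack consumed per recursive frame and how the first argument changes from call to call. The 1 MiB stack used to estimate recursion depth is the usual Windows default thread stack reserve and is an assumption here for nmap.exe.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the first seven STACK_TEXT frames quoted in the
# post (32-bit WinDbg layout: ChildEBP RetAddr Args-to-Child... Symbol),
# with the WARNING and '(...)' lines the parser has to skip.
SAMPLE_STACK_TEXT = """\
WARNING: Stack unwind information not available. Following frames may be wrong.
000a3048 011d4361 0489b0bc 0462b882 0489a378 image01120000+0xb405c
000a3178 011d61d6 0489b0bc 0462b87c 0489a378 image01120000+0xb4361
000a32a8 011d61d6 0489b0bb 0462b87c 0489a378 image01120000+0xb61d6
000a33d8 011d61d6 0489b0ba 0462b87c 0489a378 image01120000+0xb61d6
000a3508 011d61d6 0489b0b9 0462b87c 0489a378 image01120000+0xb61d6
000a3638 011d61d6 0489b0b8 0462b87c 0489a378 image01120000+0xb61d6
000a3768 011d61d6 0489b0b7 0462b87c 0489a378 image01120000+0xb61d6
(...)
"""

# One 32-bit 'kb'-style frame: child EBP, return address, three args, symbol.
FRAME_RE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)$"
)


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    args: Tuple[int, int, int]
    symbol: str


@dataclass
class RecursionReport:
    ret_addr: int                  # return address repeated frame after frame
    run_length: int                # consecutive frames sharing it
    frame_stride: Optional[int]    # stack bytes consumed per frame, if constant
    first_arg_step: Optional[int]  # change of the first argument per frame, if constant


def parse_stack_text(text: str) -> List[Frame]:
    """Parse STACK_TEXT frame lines; warnings and '(...)' elisions are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        ebp, ret, a0, a1, a2, sym = m.groups()
        frames.append(Frame(int(ebp, 16), int(ret, 16),
                            (int(a0, 16), int(a1, 16), int(a2, 16)), sym))
    return frames


def _constant_delta(values: List[int]) -> Optional[int]:
    """Difference between consecutive values if it is the same everywhere, else None."""
    deltas = {b - a for a, b in zip(values, values[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def find_recursion(frames: List[Frame], min_run: int = 3) -> Optional[RecursionReport]:
    """Find the longest run of consecutive frames with one return address.
    A long run with a constant EBP stride is the signature of unbounded
    recursion eating the stack (NTSTATUS 0xc00000fd)."""
    best_start, best_len = -1, 0
    i = 0
    while i < len(frames):
        j = i
        while j + 1 < len(frames) and frames[j + 1].ret_addr == frames[i].ret_addr:
            j += 1
        if j - i + 1 > best_len:
            best_start, best_len = i, j - i + 1
        i = j + 1
    if best_len < min_run:
        return None
    run = frames[best_start:best_start + best_len]
    return RecursionReport(
        ret_addr=run[0].ret_addr,
        run_length=best_len,
        frame_stride=_constant_delta([f.child_ebp for f in run]),
        first_arg_step=_constant_delta([f.args[0] for f in run]),
    )


def frames_to_exhaust(stack_bytes: int, frame_stride: int) -> int:
    """Rough number of nested calls needed to consume stack_bytes of stack."""
    return stack_bytes // frame_stride


if __name__ == "__main__":
    report = find_recursion(parse_stack_text(SAMPLE_STACK_TEXT))
    print(report)
    if report and report.frame_stride:
        # Assumption: nmap.exe runs with the default 1 MiB Windows stack reserve.
        print("calls to exhaust a 1 MiB stack:",
              frames_to_exhaust(1 << 20, report.frame_stride))
```

On the quoted frames it reports a stride of 0x130 (304) bytes and a first-argument step of -1 per frame, i.e. each nested call works one byte further back through the same buffer; at that stride roughly 3,449 nested calls would consume a 1 MiB stack, consistent with the "A new guard page for the stack cannot be created" NTSTATUS in the analysis.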


See you next time.

Cheers





P.S.

I forgot to add...


The CTF machine I tried to scan was called DC416: 2016 CTF. ;]

Run nmap under gdb (on Kali) or under a debugger attached to cmd.exe (on Windows) and start the scan with the command:
nmap -sV -vvv ip.addr

You should get results within a second or a few...

If you would like to investigate a little more, checking the "BrainFuck-response" from the target (CTF) machine may be a good place to start.



Have fun. :)

Cheers







2 comments:

  1. Did you ever even visit https://nmap.org/book/man-bugs.html, or was "getting famous" too time consuming?
    Have you tried 7.80, or is there no intention of reporting a fix to this at all?

    Replies
    1. I'm not sure what you're asking for. Anyway (and for the last time): an email to the author was sent a few days (if not weeks) before the publication on the blog. No response to this day. That's why the bug was published.

      Cheers
