Last time we saw nmap 7.60 (Kali) crash during a (let's say ;)) quick scan of one target machine from VulnHub. Today I decided to check whether I would get similar results with version 7.70. Details below...
This time I decided to check the same machine, but with the 'latest available' nmap installed on Windows 7 (32-bit).
When the (evil) VM was ready to be scanned, I started Win7 with nmap 7.70 (to scan the target IP I used nmap -sV -vv IP.addr):
Ok, cool :] So the same 'payload' crashes both versions: 7.60 (tested on Kali Linux) and 7.70 (installed on Windows 7 32-bit).
I decided to (restart both VMs and) re-scan the target. This time (before I started nmap) I attached WinDbg to that cmd.exe process, then enabled child debugging (.childdbg 1) so that the nmap process started from it would be debugged as well.
...and we are here:
One little detail in the picture below ;]
:]
Anyway. Maybe you will find it useful.
A more detailed stack trace follows:
---<cut>---
31.07.2018 - 19:21 -- 'stack overflow/exhaustion' for nmap 7.70 (Win7-32bit)
=============================================================================
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
(...)
Executable search path is:
ModLoad: 4a3f0000 4a43c000 C:\Windows\system32\cmd.exe
(...)
ModLoad: 71b90000 71ba2000 C:\Windows\system32\dhcpcsvc.DLL
(208.1b8): Invalid handle - code c0000008 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
(...)
(208.1b8): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0489a378 ebx=00000058 ecx=0019e4d4 edx=0462b882 esi=0489b0bc edi=00000d39
eip=011d405c esp=000a2f50 ebp=000a3048 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
image01120000+0xb405c:
011d405c 53 push ebx
1:001> r
eax=0489a378 ebx=00000058 ecx=0019e4d4 edx=0462b882 esi=0489b0bc edi=00000d39
eip=011d405c esp=000a2f50 ebp=000a3048 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
image01120000+0xb405c:
011d405c 53 push ebx
1:001> u eip
image01120000+0xb405c:
011d405c 53 push ebx
011d405d 8b5d20 mov ebx,dword ptr [ebp+20h]
011d4060 56 push esi
011d4061 8b7508 mov esi,dword ptr [ebp+8]
011d4064 898578ffffff mov dword ptr [ebp-88h],eax
011d406a 8b01 mov eax,dword ptr [ecx]
011d406c 57 push edi
011d406d 895580 mov dword ptr [ebp-80h],edx
1:001> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
(...)
FAULTING_IP:
image01120000+b61d6
011d61d6 83c424 add esp,24h
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 011d405c (image01120000+0x000b405c)
ExceptionCode: c00000fd (Stack overflow)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 000a2f4c
FAULTING_THREAD: 000001b8
PROCESS_NAME: image01120000
FAULTING_MODULE: 76e80000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 5aac7b6c
ERROR_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created.
EXCEPTION_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created.
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 000a2f4c
DEFAULT_BUCKET_ID: STACK_OVERFLOW
RECURRING_STACK: From frames 0x2 to 0x2
PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW
BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 011d4361 to 011d405c
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
000a3048 011d4361 0489b0bc 0462b882 0489a378 image01120000+0xb405c
000a3178 011d61d6 0489b0bc 0462b87c 0489a378 image01120000+0xb4361
000a32a8 011d61d6 0489b0bb 0462b87c 0489a378 image01120000+0xb61d6
000a33d8 011d61d6 0489b0ba 0462b87c 0489a378 image01120000+0xb61d6
000a3508 011d61d6 0489b0b9 0462b87c 0489a378 image01120000+0xb61d6
000a3638 011d61d6 0489b0b8 0462b87c 0489a378 image01120000+0xb61d6
000a3768 011d61d6 0489b0b7 0462b87c 0489a378 image01120000+0xb61d6
(...)
000b0018 011d61d6 0489b00e 0462b87c 0489a378 image01120000+0xb61d6
000b0148 011d61d6 0489b00d 0462b87c 0489a378 image01120000+0xb61d6
000b0278 011d61d6 0489b00c 0462b87c 0489a378 image01120000+
FOLLOWUP_IP:
image01120000+b61d6
011d61d6 83c424 add esp,24h
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: image01120000+b61d6
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: image01120000
STACK_COMMAND: ~1s ; kb
BUCKET_ID: WRONG_SYMBOLS
IMAGE_NAME: C:\Program Files\Nmap\nmap.exe
FAILURE_BUCKET_ID: STACK_OVERFLOW_c00000fd_C:_Program_Files_Nmap_nmap.exe!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/image01120000/7_0_70_0/5aac7b6c/image01120000/7_0_70_0/5aac7b6c/c00000fd/000b405c.htm?Retriage=1
---</cut>---
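The dump above already contains everything a first triage needs: !analyze reports RECURRING_STACK, the same return address (011d61d6) repeats frame after frame, the saved EBPs in STACK_TEXT are a constant 0x130 bytes apart, the FOLLOWUP_IP right after that call is `add esp,24h` (the caller cleaning 0x24 bytes of arguments), and the first argument of each recursive frame is one byte lower than in the frame before it. The script below is an added example, not part of the original post: it parses the STACK_TEXT copied verbatim from this page (the "(...)" gap is kept as a gap, nothing is reconstructed), recovers the frame size with a gcd so the elided frames are checked for consistency as well, estimates how many recursion levels fit in a 1 MiB stack reserve (an assumption; the actual /STACK reserve of nmap.exe is not on the page), and verifies the "arg0 steps back one byte per level" observation. Function and variable names are mine.

```python
"""Triage unbounded recursion from a WinDbg `kb` / STACK_TEXT listing.

Added example (not from the original post). The frames below are copied
verbatim from the page's WinDbg output, truncated last line included; the
"(...)" line marks frames elided in the original dump and is skipped.
"""
import math
import re
from collections import Counter
from functools import reduce

STACK_TEXT = """\
000a3048 011d4361 0489b0bc 0462b882 0489a378 image01120000+0xb405c
000a3178 011d61d6 0489b0bc 0462b87c 0489a378 image01120000+0xb4361
000a32a8 011d61d6 0489b0bb 0462b87c 0489a378 image01120000+0xb61d6
000a33d8 011d61d6 0489b0ba 0462b87c 0489a378 image01120000+0xb61d6
000a3508 011d61d6 0489b0b9 0462b87c 0489a378 image01120000+0xb61d6
000a3638 011d61d6 0489b0b8 0462b87c 0489a378 image01120000+0xb61d6
000a3768 011d61d6 0489b0b7 0462b87c 0489a378 image01120000+0xb61d6
(...)
000b0018 011d61d6 0489b00e 0462b87c 0489a378 image01120000+0xb61d6
000b0148 011d61d6 0489b00d 0462b87c 0489a378 image01120000+0xb61d6
000b0278 011d61d6 0489b00c 0462b87c 0489a378 image01120000+
"""

# Assumption: the default 1 MiB user-mode stack reserve of a 32-bit Windows
# executable. nmap.exe's real /STACK value is not shown on the page.
DEFAULT_STACK_RESERVE = 1024 * 1024

# kb columns: ChildEBP RetAddr Args-to-child (3 dwords) symbol
FRAME_RE = re.compile(
    r"^(?P<ebp>[0-9a-f]{8}) (?P<ret>[0-9a-f]{8}) "
    r"(?P<a0>[0-9a-f]{8}) (?P<a1>[0-9a-f]{8}) (?P<a2>[0-9a-f]{8}) (?P<sym>\S+)$"
)


def parse_kb(text):
    """Return frames as dicts, innermost first; non-frame lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append({
                "ebp": int(m["ebp"], 16),
                "ret": int(m["ret"], 16),
                "args": (int(m["a0"], 16), int(m["a1"], 16), int(m["a2"], 16)),
                "sym": m["sym"],
            })
    return frames


def recurring_return(frames):
    """Most frequent return address and its count: the self-recursing call site."""
    return Counter(f["ret"] for f in frames).most_common(1)[0]


def recursive_frames(frames):
    """Only the frames that return into the recurring address."""
    addr, _ = recurring_return(frames)
    return [f for f in frames if f["ret"] == addr]


def frame_stride(frames):
    """Bytes of stack per recursion level.

    Across an elided "(...)" region the EBP delta is a multiple of one frame
    size, so the gcd of all deltas recovers the stride and, as a side effect,
    confirms the hidden frames are the same fixed-size frame.
    """
    rec = recursive_frames(frames)
    deltas = [b["ebp"] - a["ebp"] for a, b in zip(rec, rec[1:])]
    return reduce(math.gcd, deltas)


def recursion_span(frames):
    """Recursion levels between the first and last listed recursive frame,
    elided frames included."""
    rec = recursive_frames(frames)
    return (rec[-1]["ebp"] - rec[0]["ebp"]) // frame_stride(frames) + 1


def levels_to_exhaust(stride, reserve=DEFAULT_STACK_RESERVE):
    """Upper bound on depth before the guard page cannot be extended (c00000fd)."""
    return reserve // stride


def arg0_steps_back_one_byte(frames):
    """True if the first argument drops by exactly one per recursion level,
    i.e. a pointer walking backwards through a buffer on every call."""
    rec = recursive_frames(frames)
    stride = frame_stride(frames)
    base = rec[0]
    for f in rec[1:]:
        levels = (f["ebp"] - base["ebp"]) // stride
        if base["args"][0] - f["args"][0] != levels:
            return False
    return True


def summarize(text=STACK_TEXT):
    frames = parse_kb(text)
    addr, n = recurring_return(frames)
    stride = frame_stride(frames)
    return {
        "recurring_return": addr,
        "listed_recursive_frames": n,
        "stride": stride,
        "span_levels": recursion_span(frames),
        "levels_to_exhaust_default_stack": levels_to_exhaust(stride),
        "arg0_steps_back_one_byte_per_level": arg0_steps_back_one_byte(frames),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value:#x}" if key == "recurring_return" else f"{key}: {value}")
```

With the frames from this page the stride comes out as 0x130 (304 bytes), the ten listed lines span 177 levels once the elided frames are counted, and a 1 MiB reserve allows roughly 3449 levels before the guard page fails, which matches a recursion driven by input length rather than by anything bounded in the code.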
See you next time.
Cheers
P.S.
I forgot to add...
That CTF machine I tried to scan was called DC416: 2016 CTF. ;]
Run nmap with gdb attached (on Kali, or from cmd.exe on Windows) and start the scan with the command:
nmap -sV -vvv ip.addr
You should get some results within a second or a few...
If you would like to investigate it a little bit more, checking the "BrainFuck-response" from the target (CTF) machine might be a good place to start.
Have fun. :)
Cheers
Did you ever even visit https://nmap.org/book/man-bugs.html, or was "getting famous" too time-consuming?
Have you tried 7.80, or is there no intention of reporting a fix for this at all?
I'm not sure what you're asking for. Anyway (and for the last time): an email to the author was sent a few days (if not weeks) before the publication on the blog. No response to this day. That's why the bug was published.
Cheers