code16: Crashing nmap 7.70

Last time we saw nmap 7.60 (Kali) crashed during (let's say;)) quick scan of one target machine from VulnHub. Today I decided to check if I will achieve similar results for version 7.70. Details you will find below...

This time I decided to check the same machine but for the 'latest available' nmap installed on Windows 7 (32bit).

When VM (evil) machine was ready to be scanned I started Win7 with nmap 7.70 (to scan target IP I used nmap -sV -vv IP.addr):

Ok, cool :] So the same 'payload' will crash both versions: 7.60 (tested on Kali Linux) and 7.70 (installed on Windows 7 32-bit).

I decided to (restart both VM machines and) re-scan the target again. This time (before I started nmap) in cmd.exe I started Windbg and attached the process. Next thing was to enable 'child debug' (.childdbg 1).

...and we are here:

One little detail on the picture below ;]

:]

Anyway. Maybe you will find it useful.

More detailed stacktrace you will find below:

---<cut>---
31.07.2018 - 19:21 -- 'stack overflow/exhaustion' for nmap 7.70 (Win7-32bit)
=============================================================================

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

(...)
Executable search path is:
ModLoad: 4a3f0000 4a43c000   C:\Windows\system32\cmd.exe
(...)
ModLoad: 71b90000 71ba2000   C:\Windows\system32\dhcpcsvc.DLL
(208.1b8): Invalid handle - code c0000008 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
(...)
(208.1b8): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0489a378 ebx=00000058 ecx=0019e4d4 edx=0462b882 esi=0489b0bc edi=00000d39
eip=011d405c esp=000a2f50 ebp=000a3048 iopl=0         nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000             efl=00010286
image01120000+0xb405c:
011d405c 53              push    ebx

1:001> r
eax=0489a378 ebx=00000058 ecx=0019e4d4 edx=0462b882 esi=0489b0bc edi=00000d39
eip=011d405c esp=000a2f50 ebp=000a3048 iopl=0         nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000             efl=00010286
image01120000+0xb405c:
011d405c 53              push    ebx

1:001> u eip
image01120000+0xb405c:
011d405c 53              push    ebx
011d405d 8b5d20          mov     ebx,dword ptr [ebp+20h]
011d4060 56              push    esi
011d4061 8b7508          mov     esi,dword ptr [ebp+8]
011d4064 898578ffffff    mov     dword ptr [ebp-88h],eax
011d406a 8b01            mov     eax,dword ptr [ecx]
011d406c 57              push    edi
011d406d 895580          mov     dword ptr [ebp-80h],edx

1:001> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)

FAULTING_IP:
image01120000+b61d6
011d61d6 83c424          add     esp,24h

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 011d405c (image01120000+0x000b405c)
   ExceptionCode: c00000fd (Stack overflow)
ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 000a2f4c

FAULTING_THREAD: 000001b8
PROCESS_NAME: image01120000
FAULTING_MODULE: 76e80000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 5aac7b6c
ERROR_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created.
EXCEPTION_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created.
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 000a2f4c
DEFAULT_BUCKET_ID: STACK_OVERFLOW
RECURRING_STACK: From frames 0x2 to 0x2
PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW
BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER: from 011d4361 to 011d405c

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
000a3048 011d4361 0489b0bc 0462b882 0489a378 image01120000+0xb405c
000a3178 011d61d6 0489b0bc 0462b87c 0489a378 image01120000+0xb4361
000a32a8 011d61d6 0489b0bb 0462b87c 0489a378 image01120000+0xb61d6
000a33d8 011d61d6 0489b0ba 0462b87c 0489a378 image01120000+0xb61d6
000a3508 011d61d6 0489b0b9 0462b87c 0489a378 image01120000+0xb61d6
000a3638 011d61d6 0489b0b8 0462b87c 0489a378 image01120000+0xb61d6
000a3768 011d61d6 0489b0b7 0462b87c 0489a378 image01120000+0xb61d6
(...)
000b0018 011d61d6 0489b00e 0462b87c 0489a378 image01120000+0xb61d6
000b0148 011d61d6 0489b00d 0462b87c 0489a378 image01120000+0xb61d6
000b0278 011d61d6 0489b00c 0462b87c 0489a378 image01120000+

FOLLOWUP_IP:
image01120000+b61d6
011d61d6 83c424          add     esp,24h

SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: image01120000+b61d6
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: image01120000
STACK_COMMAND: ~1s ; kb
BUCKET_ID: WRONG_SYMBOLS
IMAGE_NAME: C:\Program Files\Nmap\nmap.exe
FAILURE_BUCKET_ID: STACK_OVERFLOW_c00000fd_C:_Program_Files_Nmap_nmap.exe!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/image01120000/7_0_70_0/5aac7b6c/image01120000/7_0_70_0/5aac7b6c/c00000fd/000b405c.htm?Retriage=1
---</cut>---

See you next time.

Cheers

P.S.

I forgot to add...

That CTF machine I tried to scan was called DC416: 2016 CTF. ;]

Run gdb with attached nmap (on Kali or cmd.exe on Windows) and run the scan with command:
nmap -sV -vvv ip.addr

You should get some results in a second or few...

If you would like to investigate it a little bit more, maybe checking the "BrainFuck-response" from the target (CTF) machine will be a good place to start.

Have fun. :)

Cheers

code16

Strony

wtorek, 31 lipca 2018

Crashing nmap 7.70

2 komentarze: