Regression with afp-showmount on nmap 7.80 #2091

Closed
MikeRich88 opened this issue Aug 1, 2020 · 2 comments
@MikeRich88 MikeRich88 commented Aug 1, 2020

Attached is the log with -d

Works fine on 7.70

Maybe related to all the other unpack issues I am seeing? What changed with unpack in 7.80?

[user@quinn ~]# nmap -d --script=afp-showmount -Pn -p548 -n xx.xx.xx.xx
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-01 11:08 CDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Initiating SYN Stealth Scan at 11:08
Scanning xx.xx.xx.xx [1 port]
Packet capture filter (device enp0s25): dst host yy.yy.yy.yy and (icmp or icmp6 or ((tcp or udp or sctp) and (src host xx.xx.xx.xx)))
Discovered open port 548/tcp on xx.xx.xx.xx
Completed SYN Stealth Scan at 11:08, 0.09s elapsed (1 total ports)
Overall sending rates: 11.00 packets / s, 484.06 bytes / s.
NSE: Script scanning xx.xx.xx.xx.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:08
NSE: Starting afp-showmount against xx.xx.xx.xx:548.
NSE: afp-showmount against xx.xx.xx.xx:548 threw an error!
/usr/bin/../share/nmap/nselib/afp.lua:2041: bad argument #3 to 'unpack' (initial position out of string)
stack traceback:
	[C]: in function 'string.unpack'
	/usr/bin/../share/nmap/nselib/afp.lua:2041: in field 'decode_dir_bitmap'
	/usr/bin/../share/nmap/nselib/afp.lua:1010: in method 'fp_get_file_dir_parms'
	/usr/bin/../share/nmap/nselib/afp.lua:1673: in method 'GetSharePermissions'
	/usr/bin/../share/nmap/scripts/afp-showmount.nse:85: in function </usr/bin/../share/nmap/scripts/afp-showmount.nse:46>
	(...tail calls...)

Completed NSE at 11:08, 1.45s elapsed
Nmap scan report for xx.xx.xx.xx
Host is up, received user-set (0.076s latency).
Scanned at 2020-08-01 11:08:39 CDT for 1s

PORT    STATE SERVICE REASON
548/tcp open  afp     syn-ack ttl 51
Final times for host: srtt: 75885 rttvar: 75885  to: 379425

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 11:08
Completed NSE at 11:08, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 1.94 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)
@MikeRich88 MikeRich88 added the Nmap label Aug 1, 2020
@nnposter nnposter added NSE bug and removed Nmap labels Aug 1, 2020
@nnposter nnposter commented Aug 2, 2020

Here is a quick assessment:

> Works fine on 7.70

The underlying AFP packet parser in earlier versions is just as broken but the bug is masked in this particular case. See below.

> Maybe related to all the other unpack issues I am seeing? What changed with unpack in 7.80?

There was a large code conversion from library bin, which provided pack and unpack, to native string.pack and string.unpack in Lua 5.3. Many of the issues are related to the fact that the bin implementation was tolerating unpacking from out of bounds positions. Strings just got truncated, other values returned as nil, etc.

A partial patch for your issue is here. Please give it a try and report back. If it does not work for you then please run nmap with -ddd and provide the output, together with a pcap.

P.S. At the moment it is safe to refresh the content of folders nselib and scripts from SVN or GitHub. There is a chance that some of the other unpack issues have been already resolved there.
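The failure mode nnposter describes, a bitmap-driven parser reading past the end of a short response, can be reproduced in a few lines of Lua 5.3. The example below is added here and is not code from nmap's afp.lua or from the r37971 fix; the field table (`FIELDS`), the bit assignments and sizes are constructed for illustration and are not the real AFP directory-parameter layout. It shows the raw `string.unpack` error from the report next to a bounds-checked decoder that returns what it could parse plus a reason, which is the behaviour the old `bin` library silently gave.

```lua
-- Added example, not from nmap's afp.lua or the r37971 fix.
-- Demonstrates why a parser that survived under the old nselib 'bin'
-- library raises under Lua 5.3 string.unpack, and a defensive pattern:
-- check the remaining bytes before every fixed-size read.

-- Hypothetical bitmap-driven field table (constructed; these are NOT the
-- real AFP directory-parameter bits or field sizes).
local FIELDS = {
  { bit = 0, name = "attributes",  fmt = ">I2" },
  { bit = 1, name = "parent_id",   fmt = ">I4" },
  { bit = 2, name = "create_date", fmt = ">I4" },
  { bit = 3, name = "mod_date",    fmt = ">I4" },
}

-- Bounds-checked read: returns (value, next position), or (nil, reason)
-- when the buffer is too short, where string.unpack would raise instead.
local function read_field(fmt, buf, pos)
  local need = string.packsize(fmt)  -- fixed-size formats only
  if pos < 1 or pos + need - 1 > #buf then
    return nil, string.format("field needs %d bytes at offset %d, only %d bytes in buffer",
                              need, pos, #buf)
  end
  return string.unpack(fmt, buf, pos)
end

-- Decode the fields selected by 'bitmap' from 'buf' starting at 'pos'.
-- On a truncated response this stops cleanly and names the field that
-- could not be read, instead of aborting the whole NSE script.
local function decode_bitmap(bitmap, buf, pos)
  pos = pos or 1
  local result = {}
  for _, f in ipairs(FIELDS) do
    if (bitmap & (1 << f.bit)) ~= 0 then
      local value, nextpos = read_field(f.fmt, buf, pos)
      if value == nil then
        return result, f.name .. ": " .. nextpos
      end
      result[f.name] = value
      pos = nextpos
    end
  end
  return result, nil
end

-- Constructed sample response: bitmap 0x0007 selects the first three fields.
local bitmap = 0x0007
local full = string.pack(">I2 I4 I4", 0x0001, 0x00001234, 0x5F2546A0)
local parsed, err = decode_bitmap(bitmap, full, 1)
assert(err == nil and parsed.parent_id == 0x1234)

-- Truncated response: the server sent fewer bytes than the bitmap promises.
local short = full:sub(1, 7)

-- Raw string.unpack at an out-of-range position raises, as in the report.
local ok, msg = pcall(string.unpack, ">I4", short, 100)
assert(not ok and msg:find("initial position out of string", 1, true))

-- The checked decoder returns the fields it could parse and an explanation.
parsed, err = decode_bitmap(bitmap, short, 1)
assert(parsed.attributes == 1 and parsed.parent_id == 0x1234 and err ~= nil)
print("partial decode stopped at: " .. err)
```

Run it with `lua5.3 example.lua`. The point of `read_field` is that `string.packsize` tells you up front how many bytes a fixed-size format consumes, so the length check happens once per field rather than relying on the unpack call to fail; for variable-size formats (`s`, `z`) you would need to check the length prefix or terminator yourself before calling `string.unpack`.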

@nnposter nnposter self-assigned this Aug 2, 2020
@nnposter nnposter commented Aug 3, 2020

A fix has been committed as r37971. Please re-open the issue if the problem persists.

@nmap-bot nmap-bot closed this in 1d72ec2 Aug 3, 2020