
Nmap 7.91 - Aggressive option (-A) prints unwanted documents #2237

@Grizzly2000

Description

Hi !! :)

Describe the bug
Aggressive option '-A' on printers produces an unwanted print: a binary blob with 'random1random2...'.
The printed payload 'random1random2...' is located here: "/usr/share/nmap/nselib/shortport.lua", line 261.

To Reproduce
Run the following command on a printer device :

nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

Expected behavior
Aggressive option '-A' on printers should not print (like version 7.80+dfsg1-2build1 of nmap).

Version info:

  • Output of 'uname -a'
Linux hive 5.4.88-1-lts #1 SMP Sat, 09 Jan 2021 14:02:47 +0000 x86_64 GNU/Linux
  • Output of nmap --version:
Nmap version 7.91 ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: liblua-5.3.6 openssl-1.1.1h libssh2-1.9.0 libz-1.2.11 libpcre-8.44 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Debug output of nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-25 17:12 CET
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:12
Completed NSE at 17:12, 0.00s elapsed
Initiating ARP Ping Scan at 17:12
Scanning X.X.X.34 [1 port]
Completed ARP Ping Scan at 17:12, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:12
Completed Parallel DNS resolution of 1 host. at 17:12, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:12
Scanning X.X.X.34 [1 port]
Discovered open port 9100/tcp on X.X.X.34
Completed SYN Stealth Scan at 17:12, 0.09s elapsed (1 total ports)
Initiating Service scan at 17:12
Initiating OS detection (try #1) against X.X.X.34
NSE: Script scanning X.X.X.34.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:13
NSOCK INFO [2.3680s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | CONNECT
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | 00000000: 16 03 00 00 69 01 00 00 65 03 03 55 1c a7 e4 72     i   e  U   r
00000010: 61 6e 64 6f 6d 31 72 61 6e 64 6f 6d 32 72 61 6e andom1random2ran
00000020: 64 6f 6d 33 72 61 6e 64 6f 6d 34 00 00 0c 00 2f dom3random4    /
00000030: 00 0a 00 13 00 39 00 04 00 ff 01 00 00 30 00 0d      9       0  
00000040: 00 2c 00 2a 00 01 00 03 00 02 06 01 06 03 06 02  , *            
00000050: 02 01 02 03 02 02 03 01 03 03 03 02 04 01 04 03                 
00000060: 04 02 01 01 01 03 01 02 05 01 05 03 05 02                     

NSOCK INFO [2.3680s] nsock_write(): Write request for 110 bytes to IOD #1 EID 19 [X.X.X.34:9100]
NSOCK INFO [2.3680s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | SEND
NSOCK INFO [2.3680s] nsock_read(): Read request from IOD #1 [X.X.X.34:9100] (timeout: 7000ms) EID 26
NSOCK INFO [9.3680s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 26 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38568 > X.X.X.34:9100 | CLOSE
NSOCK INFO [9.3680s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [9.3680s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [9.3680s] nsock_connect_tcp(): TCP connection requested to X.X.X.34:9100 (IOD #2) EID 32
NSOCK INFO [9.3710s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 32 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | CONNECT
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | 00000000: 16 03 00 00 53 01 00 00 4f 03 00 3f 47 d7 f7 ba     S   O  ?G   
00000010: 2c ee ea b2 60 7e f3 00 fd 82 7b b9 d5 96 c8 77 ,   `~    {    w
00000020: 9b e6 c4 db 3c 3d db 6f ef 10 6e 00 00 28 00 16     <= o  n  (  
00000030: 00 13 00 0a 00 66 00 05 00 04 00 65 00 64 00 63      f     e d c
00000040: 00 62 00 61 00 60 00 15 00 12 00 09 00 14 00 11  b a `          
00000050: 00 08 00 06 00 03 01 00                                 

NSOCK INFO [9.3710s] nsock_write(): Write request for 88 bytes to IOD #2 EID 43 [X.X.X.34:9100]
NSOCK INFO [9.3710s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | SEND
NSOCK INFO [9.3710s] nsock_read(): Read request from IOD #2 [X.X.X.34:9100] (timeout: 7000ms) EID 50
NSOCK INFO [16.3710s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 50 [X.X.X.34:9100]
NSE: TCP X.X.X.26:38572 > X.X.X.34:9100 | CLOSE
NSOCK INFO [16.3710s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
Completed NSE at 17:13, 14.02s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Nmap scan report for X.X.X.34
Host is up, received arp-response (0.0022s latency).
Scanned at 2021-01-25 17:12:58 CET for 16s

PORT     STATE SERVICE    REASON         VERSION
9100/tcp open  jetdirect? syn-ack ttl 64 Excluded from version scan
MAC Address: 3C:2A:F4:35:4D:82 (Brother Industries)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Wind River VxWorks
OS CPE: cpe:/o:windriver:vxworks
OS details: VxWorks
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/25%OT=9100%CT=%CU=37458%PV=Y%DS=1%DC=D%G=N%M=3C2AF4%
OS:TM=600EEE1A%P=x86_64-unknown-linux-gnu)SEQ(SP=F9%GCD=1%ISR=10E%II=I%TS=A
OS:)OPS(O1=M5B4NW0NNSNNT11%O2=M578NW0NNSNNT11%O3=M280NW0NNT11%O4=M5B4NW0NNS
OS:NNT11%O5=M218NW0NNSNNT11%O6=M109NNSNNT11)WIN(W1=21F0%W2=2088%W3=2258%W4=
OS:21F0%W5=20C0%W6=209D)ECN(R=Y%DF=N%T=40%W=2238%O=M5B4NW0NNS%CC=N%Q=)T1(R=
OS:Y%DF=N%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=N%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y
OS:%DF=N%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)U1(R=Y%DF=N%T=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD
OS:=G)IE(R=Y%DFI=N%T=FF%CD=S)

Uptime guess: 2.974 days (since Fri Jan 22 17:50:58 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=249 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class

TRACEROUTE
HOP RTT     ADDRESS
1   2.20 ms X.X.X.34

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.39 seconds
           Raw packets sent: 24 (1.850KB) | Rcvd: 16 (1.042KB)

Thank you for your tools!
Thank you in advance!
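The two writes in the --script-trace output are TLS/SSLv3 ClientHello records, and a raw-9100 ("jetdirect") port prints whatever bytes arrive on it, so the only legible text on the paper is whatever printable run the probe happens to contain. The decoder below is an added example, not Nmap code and not part of the issue: the two payloads are copied byte-for-byte from the hex dumps above (110 and 88 bytes), and the minimal ClientHello parser and the printable-run scanner are written here to show that the 28-byte ASCII filler "random1random2random3random4" sits in the ClientHello's random field of the first probe, which is exactly the text the reporter saw on the printout.

```python
"""Decode the two NSE probes captured in the --script-trace output above.

Added example, not Nmap code: the payloads are copied from the hex dumps in
the trace; the ClientHello decoder and printable-run scanner are written here.
"""
import struct

# Constructed from the trace: the 110-byte write on the first connection.
PROBE_1 = bytes.fromhex(
    "16 03 00 00 69 01 00 00 65 03 03 55 1c a7 e4 72"
    "61 6e 64 6f 6d 31 72 61 6e 64 6f 6d 32 72 61 6e"
    "64 6f 6d 33 72 61 6e 64 6f 6d 34 00 00 0c 00 2f"
    "00 0a 00 13 00 39 00 04 00 ff 01 00 00 30 00 0d"
    "00 2c 00 2a 00 01 00 03 00 02 06 01 06 03 06 02"
    "02 01 02 03 02 02 03 01 03 03 03 02 04 01 04 03"
    "04 02 01 01 01 03 01 02 05 01 05 03 05 02"
)

# Constructed from the trace: the 88-byte write on the second connection.
PROBE_2 = bytes.fromhex(
    "16 03 00 00 53 01 00 00 4f 03 00 3f 47 d7 f7 ba"
    "2c ee ea b2 60 7e f3 00 fd 82 7b b9 d5 96 c8 77"
    "9b e6 c4 db 3c 3d db 6f ef 10 6e 00 00 28 00 16"
    "00 13 00 0a 00 66 00 05 00 04 00 65 00 64 00 63"
    "00 62 00 61 00 60 00 15 00 12 00 09 00 14 00 11"
    "00 08 00 06 00 03 01 00"
)


def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record (SSLv3 framing is identical) carrying a ClientHello.

    Every length field is checked against the bytes actually present, so a
    truncated or padded record raises ValueError instead of being misread.
    """
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    (record_len,) = struct.unpack("!H", data[3:5])
    if 5 + record_len != len(data):
        raise ValueError("record length mismatch")
    hs = data[5:]
    if hs[0] != 0x01:
        raise ValueError("handshake type is not ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    if 4 + hs_len != len(hs):
        raise ValueError("handshake length mismatch")
    body = hs[4:]
    pos = 0
    client_version = (body[0], body[1])
    pos += 2
    random = body[pos:pos + 32]          # 4-byte gmt_unix_time + 28 bytes
    pos += 32
    sid_len = body[pos]
    pos += 1
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    cipher_suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
                     for i in range(0, cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]
    pos += 1
    compression = list(body[pos:pos + cm_len])
    pos += cm_len
    extensions = []
    if pos < len(body):                  # SSLv3 hellos carry no extension block
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions.append((etype, body[pos:pos + elen]))
            pos += elen
    if pos != len(body):
        raise ValueError("trailing bytes after ClientHello")
    return {
        "record_version": record_version,
        "client_version": client_version,
        "random": random,
        "session_id": session_id,
        "cipher_suites": cipher_suites,
        "compression": compression,
        "extensions": extensions,
    }


def printable_runs(data: bytes, min_len: int = 8) -> list:
    """Return runs of printable ASCII of at least min_len bytes.

    On a raw-9100 port this approximates what is legible on the printout.
    """
    runs, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


if __name__ == "__main__":
    for name, probe in (("probe 1", PROBE_1), ("probe 2", PROBE_2)):
        hello = parse_client_hello(probe)
        print(name, "record", hello["record_version"],
              "client", hello["client_version"],
              "suites", len(hello["cipher_suites"]),
              "ext types", [t for t, _ in hello["extensions"]],
              "legible", printable_runs(probe))
```

The first probe decodes as a TLS 1.2 ClientHello (record version 3.0, client version 3.3) with six cipher suites and one signature_algorithms extension (type 13); its random field is the fixed time stamp 55 1c a7 e4 followed by the ASCII filler, so that filler is the one readable string a printer renders. The second is a plain SSLv3 ClientHello (client version 3.0, twenty suites, no extensions) with a genuinely random field, which prints as noise. The "Excluded from version scan" in the report shows that the version-detection probes stayed off 9100 because of the Exclude directive in nmap-service-probes, while the NSE probes in the trace were still sent; on a segment with printers, keeping -A/-sC off the raw-printing ports (for example with --exclude-ports 9100-9107) avoids feeding the print engine until the script side honours that exclusion.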
