From c9dd83e3276859cc6bcd8db3de502d1d4f111261 Mon Sep 17 00:00:00 2001
From: fyodor
Date: Tue, 7 Feb 2006 07:15:32 +0000
Subject: [PATCH] about to apply Doug DNS fix patch
---
 CHANGELOG | 38 ++++++++++++++++++++++++++++++++---
 TargetGroup.cc | 2 +-
 configure | 2 +-
 configure.ac | 2 +-
 docs/nmap.1 | 2 +-
 idle_scan.cc | 10 ++++-----
 libdnet-stripped/configure | 2 +-
 libdnet-stripped/configure.in | 2 +-
 nmap.cc | 2 +-
 nmap_dns.cc | 24 +++++++++++-----------
 nmapfe/configure | 2 +-
 nmapfe/configure.ac | 2 +-
 scan_engine.cc | 12 +++++++++--
 targets.cc | 2 +-
 tcpip.cc | 4 +++-
 15 files changed, 75 insertions(+), 33 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index de545d34d..d859d0bff 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,10 +1,42 @@ # Nmap Changelog ($Id$); -*-text-*- +o Fixed a bug that would cause bogus reverse-DNS resolution on + big-endian machines. Thanks to Doug Hoyte, Seth Miller, Tony Doan, + and Andrew Lutomirsky for helping to debug and patch the problem. + +o Fixed an important memory leak in the raw ethernet sending system. + Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for + identifying the bug and sending a patch. + +o Fixed --system-dns option so that --system_dns works too. Error + messages were changed to reflect the former (preferred) name. + Thanks to Sean Swift (sean.swift(a)bradford.gov.uk) and Peter + VanEeckhoutte (Peter.VanEeckhoutte(a)saraleefoodseurope.com) for + reporting the problem. + +o Whenever Nmap sends packets with the SYN bit set (except for OS + detection), it now includes the maximum segment size (MSS) tcp + option with a value of 1460. This makes it stand out less as almost + all hosts set at least this option. Thanks to Juergen Schmidt + (ju(a)heisec.de) for the suggestion. + +o Minor changes to recognize DragonFly BSD in configure + scripts. Thanks to Joerg Sonnenberger (joerg(a)britannica.bec.de) + for sending the patch. + +o Fixed a minor bug in an error message starting with "eth_send of ARP + packet returned". Thanks to J.W. Hoogervorst + (J.W.Hoogervorst(a)uva.nl) for finding this. + 4.00 o Added the '?' command to the runtime interaction system. It prints a list of accepted commands. Thanks to Andrew Lutomirski (luto(a)myrealbox.com) for the patch. +o See the announcement at + http://www.insecure.org/stf/Nmap-4.00-Release.html for high-level + changes since 3.50. + 3.9999 o Generated a new libpcre/configure to cope with changes in LibPCRE 
@@ -706,7 +738,7 @@ o ultra_scan() now sets pseudo-random ACK values (rather than 0) for o Updated the Nmap version number, description, and similar fields that MS Visual Studio places in the binary. This was done by editing - mswin32/nmap.rc as suggested by Chris Paget (chrisp@ngssoftware.com) + mswin32/nmap.rc as suggested by Chris Paget (chrisp(a)ngssoftware.com) o Fixed Nmap compilation on DragonFly BSD (and perhaps some other systems) by applying a short patch by Joerg Sonnenberger which omits @@ -825,7 +857,7 @@ o Nmap now prints a warning message on Windows if Winpcap is not found o Added an NTP probe and matches to the version detection database (nmap-service-probes) thanks to a submission from Martin - Macok (martin.macok@underground.cz). + Macok (martin.macok(a)underground.cz). o Applied several Nmap service detection database updates sent in by Martin Macok (martin.macok(a)underground.cz). @@ -1141,7 +1173,7 @@ o Removed (addport) tags from XML output. They used to provide open once scanning of a target is complete. o Configure script now detects GNU/k*BSD systems (whatever those are), - thanks to patch from Robert Millan (rmh@debian.org) + thanks to patch from Robert Millan (rmh(a)debian.org) o Fixed various crashes and assertion failures related to the new ultra_scan() system, that were found by Arturo "Buanzo" Busleiman diff --git a/TargetGroup.cc b/TargetGroup.cc index 819be644e..767526e51 100644 --- a/TargetGroup.cc +++ b/TargetGroup.cc @@ -232,7 +232,7 @@ int TargetGroup::parse_expr(const char * const target_expr, int af) { else if (*r != '*' && *r != ',' && *r != '-' && !isdigit((int)*r)) fatal("Invalid character in host specification. Note in particular that square brackets [] are no longer allowed. They were redundant and can simply be removed."); } - if (i != 3) fatal("Target host specification is illegal -- not enough dots in IP"); + if (i != 3) fatal("Invalid target host specification: %s", target_expr); for(i=0; i < 4; i++) { j=0; 
diff --git a/configure b/configure
index b098105e7..ab18c0fb7 100755
--- a/configure
+++ b/configure
@@ -3029,7 +3029,7 @@ _ACEOF
 # libpcap doesn't even LOOK at
 # the timeout you give it under Linux
 ;;
- *-freebsd* | *-kfreebsd*-gnu)
+ *-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
 cat >>confdefs.h <<\_ACEOF
 #define FREEBSD 1
 _ACEOF
diff --git a/configure.ac b/configure.ac
index 94e14ef36..bc933af66 100644
--- a/configure.ac
+++ b/configure.ac
@@ -181,7 +181,7 @@ case "$host" in
 AC_DEFINE(PCAP_TIMEOUT_IGNORED) # libpcap doesn't even LOOK at
 # the timeout you give it under Linux
 ;;
- *-freebsd* | *-kfreebsd*-gnu)
+ *-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
 AC_DEFINE(FREEBSD)
 ;;
 *-bsdi*)
diff --git a/docs/nmap.1 b/docs/nmap.1
index eed598aed..95e157868 100644
--- a/docs/nmap.1
+++ b/docs/nmap.1
@@ -2,7 +2,7 @@
 .\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
 .\" Instead of manually editing it, you probably should edit the DocBook XML
 .\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NMAP" "1" "01/29/2006" "" "Nmap Reference Guide"
+.TH "NMAP" "1" "01/31/2006" "" "Nmap Reference Guide"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
diff --git a/idle_scan.cc b/idle_scan.cc
index db89e9d4d..458078cca 100644
--- a/idle_scan.cc
+++ b/idle_scan.cc
@@ -191,7 +191,7 @@ int ipid_proxy_probe(struct idle_proxy_info *proxy, int *probes_sent,
 proxy->probe_port, seq_base + (packet_send_count++ * 500) + 1, ack, TH_SYN|TH_ACK, 0,
- NULL, 0, NULL, 0);
+ (u8 *) "\x02\x04\x05\xb4", 4, NULL, 0);
 sent++;
 tries++;
@@ -417,8 +417,8 @@ void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
 send_tcp_raw(proxy->rawsd, proxy->ethptr, proxy->host.v4sourceip(), proxy->host.v4hostip(), o.ttl, o.magic_port + probes_sent + 1, proxy->probe_port,
- sequence_base + probes_sent + 1, 0, TH_SYN|TH_ACK,
- ack, NULL, 0, NULL, 0);
+ sequence_base + probes_sent + 1, ack, TH_SYN|TH_ACK,
+ 0, (u8 *) "\x02\x04\x05\xb4", 4, NULL, 0);
 gettimeofday(&probe_send_times[probes_sent], NULL);
 probes_sent++;
@@ -525,7 +525,7 @@ void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
 proxy->host.v4hostip(), o.ttl, o.magic_port, proxy->probe_port, sequence_base + probes_sent + 1, 0, TH_SYN|TH_ACK,
- ack, NULL, 0, NULL, 0);
+ ack, (u8 *) "\x02\x04\x05\xb4", 4, NULL, 0);
 }
@@ -679,7 +679,7 @@ int idlescan_countopen2(struct idle_proxy_info *proxy,
 send_tcp_raw(proxy->rawsd, eth.ethsd? ð : NULL, proxy->host.v4hostip(), target->v4hostip(), o.ttl, proxy->probe_port, ports[pr0be], seq, 0, TH_SYN, 0,
- NULL, 0, o.extra_payload, o.extra_payload_length);
+ (u8 *) "\x02\x04\x05\xb4", 4, o.extra_payload, o.extra_payload_length);
 }
 gettimeofday(&end, NULL);
diff --git a/libdnet-stripped/configure b/libdnet-stripped/configure
index feed2d93f..15173638e 100755
--- a/libdnet-stripped/configure
+++ b/libdnet-stripped/configure
@@ -22707,7 +22707,7 @@ esac
 elif test "$ac_cv_header_net_if_tun_h" = yes ; then
 if test "$ac_cv_header_stropts_h" = yes ; then
 case "$host_os" in
- *kfreebsd*)
+ *kfreebsd* | *dragonfly*)
 case $LIBOBJS in
 "tun-bsd.$ac_objext" | \
 *" tun-bsd.$ac_objext" | \
diff --git a/libdnet-stripped/configure.in b/libdnet-stripped/configure.in
index 649e7e901..54ecf8a95 100644
--- a/libdnet-stripped/configure.in
+++ b/libdnet-stripped/configure.in
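Review bot: The call in the -525 hunk still passes `0` where the other call sites pass the acknowledgement number and `ack` where they pass the window (`sequence_base + probes_sent + 1, 0, TH_SYN|TH_ACK, ack, ...`), which is exactly the ordering the -417 hunk of this same file corrects to `..., ack, TH_SYN|TH_ACK, 0, ...`, and the -191 and -679 hunks also use the seq, ack, flags, window order; if send_tcp_raw's parameters are ordered as those call sites assume, this SYN/ACK probe goes out with ack=0 and a window equal to `ack`, so the line should read `sequence_base + probes_sent + 1, ack, TH_SYN|TH_ACK, 0, (u8 *) "\x02\x04\x05\xb4", 4, NULL, 0);`. The MSS option bytes `"\x02\x04\x05\xb4"` are also pasted as a literal at four call sites here and again in scan_engine.cc and targets.cc; one shared definition such as `static const u8 mss_opt[] = "\x02\x04\x05\xb4";` with its length would keep them in step if the value ever changes. `eth.ethsd? ð : NULL` in the -679 hunk looks like an extraction artefact for `&eth` rather than code in the commit. All three enclosing functions start and end outside their hunks.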
@@ -279,7 +279,7 @@ if test "$ac_cv_header_linux_if_tun_h" = yes ; then
 elif test "$ac_cv_header_net_if_tun_h" = yes ; then
 if test "$ac_cv_header_stropts_h" = yes ; then
 case "$host_os" in
- *kfreebsd*)
+ *kfreebsd* | *dragonfly*)
 AC_LIBOBJ([tun-bsd]);;
 *) AC_LIBOBJ([tun-solaris]);;
diff --git a/nmap.cc b/nmap.cc
index 436e3e845..dc939bc23 100644
--- a/nmap.cc
+++ b/nmap.cc
@@ -480,7 +480,7 @@ int nmap_main(int argc, char *argv[]) {
 o.setXSLStyleSheet(optarg);
 } else if (optcmp(long_options[option_index].name, "no-stylesheet") == 0) {
 o.setXSLStyleSheet(NULL);
- } else if (strcmp(long_options[option_index].name, "system-dns") == 0) {
+ } else if (optcmp(long_options[option_index].name, "system-dns") == 0) {
 o.mass_dns = false;
 } else if (optcmp(long_options[option_index].name, "dns-servers") == 0) {
 o.dns_servers = strdup(optarg);
diff --git a/nmap_dns.cc b/nmap_dns.cc
index 2e2b5c411..baf640294 100644
--- a/nmap_dns.cc
+++ b/nmap_dns.cc
@@ -102,7 +102,7 @@
 // on large number of IP addresses. Nmap supports 2 different
 // methods of accomplishing this:
 //
-// System Resolver (specified using --system_dns):
+// System Resolver (specified using --system-dns):
 // Performs sequential getnameinfo() calls on all the IPs.
 // As reliable as your system resolver, almost guaranteed
 // to be portable, but intolerably slow for scans of hundreds
@@ -385,7 +385,7 @@ u32 parse_inaddr_arpa(unsigned char *buf, int maxlen) {
 u32 ip=0;
 int i, j;
- for (i=3; i>=0; i--) {
+ for (i=0; i<=3; i++) {
 if (maxlen <= 0) return 0;
 if (buf[0] < 1 || buf[0] > 3) return 0;
@@ -402,7 +402,7 @@ u32 parse_inaddr_arpa(unsigned char *buf, int maxlen) {
 if (maxlen < 14) return 0; // length of the following string
 if (strcasecmp((char *) buf, "\x07in-addr\004arpa\0")) return 0;
- return ip;
+ return ntohl(ip);
 }
@@ -620,7 +620,7 @@ void put_dns_packet_on_wire(request *req) {
 u32 ip;
 struct timeval now, timeout;
- ip = (u32) req->targ->v4host().s_addr;
+ ip = (u32) ntohl(req->targ->v4host().s_addr);
 packet[0] = (req->id >> 8) & 0xFF;
 packet[1] = req->id & 0xFF;
@@ -629,10 +629,10 @@ void put_dns_packet_on_wire(request *req) {
 memcpy(packet+plen, "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00", 10);
 plen += 10;
- plen += add_integer_to_dns_packet(packet+plen, (ip>>24) & 0xFF);
- plen += add_integer_to_dns_packet(packet+plen, (ip>>16) & 0xFF);
- plen += add_integer_to_dns_packet(packet+plen, (ip>>8) & 0xFF);
 plen += add_integer_to_dns_packet(packet+plen, ip & 0xFF);
+ plen += add_integer_to_dns_packet(packet+plen, (ip>>8) & 0xFF);
+ plen += add_integer_to_dns_packet(packet+plen, (ip>>16) & 0xFF);
+ plen += add_integer_to_dns_packet(packet+plen, (ip>>24) & 0xFF);
 memcpy(packet+plen, "\x07in-addr\004arpa\x00\x00\x0c\x00\x01", 18);
 plen += 18;
@@ -683,7 +683,7 @@ int deal_with_timedout_reads() {
 if (tp > 0 && tp < min_timeout) min_timeout = tp;
 if (tp <= 0) {
- tpserv->capacity = (int) (tpserv->capacity * CAPACITY_MINOR_DOWN_SCALE);;
+ tpserv->capacity = (int) (tpserv->capacity * CAPACITY_MINOR_DOWN_SCALE);
 check_capacities(tpserv);
 tpserv->in_process.erase(reqI);
 tpserv->reqs_on_wire--;
@@ -874,7 +874,7 @@ void parse_resolvdotconf() {
 fp = fopen("/etc/resolv.conf", "r");
 if (fp == NULL) {
- fatal("Unable to open /etc/resolv.conf. Try using --system_dns or specify valid servers with --dns_servers");
+ fatal("Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers");
 }
 while (fgets(buf, sizeof(buf), fp)) {
@@ -903,7 +903,7 @@ void parse_resolvdotconf() {
 if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", 0, KEY_READ, &hKey) != ERROR_SUCCESS)
- fatal("Error opening registry to read DNS servers. Try using --system_dns or specify valid servers with --dns_servers");
+ fatal("Error opening registry to read DNS servers. Try using --system-dns or specify valid servers with --dns-servers");
 sz = sizeof(buf);
 if (RegQueryValueEx(hKey, "NameServer", NULL, NULL, (LPBYTE) buf, (LPDWORD) &sz) == ERROR_SUCCESS)
@@ -1055,7 +1055,7 @@ void nmap_mass_rdns_core(Target **targets, int num_targets) {
 else parse_resolvdotconf();
 if (servs.size() == 0)
- fatal("Unable to determine any DNS servers. Try using --system_dns or specify valid servers with --dns_servers");
+ fatal("Unable to determine any DNS servers. Try using --system-dns or specify valid servers with --dns_servers");
 }
@@ -1156,7 +1156,7 @@ void nmap_mass_rdns_core(Target **targets, int num_targets) {
 nsp_delete(dnspool);
 if (cname_reqs.size() && o.debugging)
- log_write(LOG_STDOUT, "Performing system_dns for %d domain names that use CNAMEs\n", (int) cname_reqs.size());
+ log_write(LOG_STDOUT, "Performing system-dns for %d domain names that use CNAMEs\n", (int) cname_reqs.size());
 SPM = new ScanProgressMeter("System CNAME DNS resolution");
diff --git a/nmapfe/configure b/nmapfe/configure
index 0fd46ee24..0d13b1c27 100755
--- a/nmapfe/configure
+++ b/nmapfe/configure
@@ -2715,7 +2715,7 @@ _ACEOF
 # libpcap doesn't even LOOK at
 # the timeout you give it under Linux
 ;;
- *-freebsd* | *-kfreebsd*-gnu)
+ *-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
 cat >>confdefs.h <<\_ACEOF
 #define FREEBSD 1
 _ACEOF
diff --git a/nmapfe/configure.ac b/nmapfe/configure.ac
index e58443946..964b15106 100644
--- a/nmapfe/configure.ac
+++ b/nmapfe/configure.ac
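Review bot: The message rewritten in the -1055 hunk still names `--dns_servers` while the same commit changes the -874 and -903 messages in this file to `--dns-servers`; the line should read `fatal("Unable to determine any DNS servers. Try using --system-dns or specify valid servers with --dns-servers");`. The CHANGELOG entry says the underscore spelling keeps working, so the hint is not broken, but the stated intent of the commit is to print the preferred dash form everywhere and this one was missed. nmap_mass_rdns_core starts and ends outside the hunk.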
@@ -80,7 +80,7 @@ case "$host" in
 AC_DEFINE(PCAP_TIMEOUT_IGNORED) # libpcap doesn't even LOOK at
 # the timeout you give it under Linux
 ;;
- *-freebsd* | *-kfreebsd*-gnu)
+ *-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
 AC_DEFINE(FREEBSD)
 ;;
 *-bsdi*)
diff --git a/scan_engine.cc b/scan_engine.cc
index 4254e0f59..546cb5835 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -2060,7 +2060,8 @@ static UltraProbe *sendArpScanProbe(UltraScanInfo *USI, HostScanStats *hss,
 gettimeofday(&USI->now, NULL);
 hss->lastprobe_sent = probe->sent = USI->now;
 if ((rc = eth_send(USI->ethsd, frame, sizeof(frame))) != sizeof(frame)) {
- error("WARNING: eth_send of ARP packet returned %u rather than expected %d\n", rc, (int) sizeof(frame));
+ int err = socket_errno();
+ error("WARNING: eth_send of ARP packet returned %i rather than expected %d (errno=%i: %s)\n", rc, (int) sizeof(frame), err, strerror(err));
 }
 PacketTrace::traceArp(PacketTrace::SENT, (u8 *) frame, sizeof(frame), &USI->now);
 probe->tryno = tryno;
@@ -2091,6 +2092,8 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
 u16 ipid = get_random_u16();
 struct eth_nfo eth;
 struct eth_nfo *ethptr = NULL;
+ u8 *tcpops = NULL;
+ u16 tcpopslen = 0;
 if (USI->ethsd) {
 memcpy(eth.srcmac, hss->target->SrcMACAddress(), 6);
@@ -2117,10 +2120,15 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
 if (pspec->pd.tcp.flags & TH_ACK) ack = rand();
+ if (pspec->pd.tcp.flags & TH_SYN) {
+ tcpops = (u8 *) "\x02\x04\x05\xb4";
+ tcpopslen = 4;
+ }
+
 for(decoy = 0; decoy < o.numdecoys; decoy++) {
 packet = build_tcp_raw(&o.decoys[decoy], hss->target->v4hostip(), o.ttl, ipid, sport, pspec->pd.tcp.dport, seq, ack,
- pspec->pd.tcp.flags, 0, NULL, 0,
+ pspec->pd.tcp.flags, 0, tcpops, tcpopslen,
 o.extra_payload, o.extra_payload_length, &packetlen);
 if (decoy == o.decoyturn) {
diff --git a/targets.cc b/targets.cc
index a5cf6075d..965fb164c 100644
--- a/targets.cc
+++ b/targets.cc
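Review bot: The new `error(...)` call in the -2060 hunk prints `rc` with `%i`, but `rc`'s declaration is outside the hunk; if it is libdnet's `ssize_t` return type rather than `int`, the specifier is still a width mismatch on LP64 targets, and passing `(int) rc` the same way `(int) sizeof(frame)` is already passed would settle it. Reading `socket_errno()` immediately after the failing call is the right order, since nothing can overwrite it in between. A second thing worth deciding while this branch is being touched: after the warning the code still falls through to `PacketTrace::traceArp(PacketTrace::SENT, ...)` and `probe->tryno = tryno;`, so a frame that never reached the wire is traced as sent and booked as an outstanding probe; that predates the commit but the new diagnostics make it more visible. sendArpScanProbe starts and ends outside the hunk.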
@@ -895,7 +895,7 @@ else {
 o.decoys[o.decoyturn].s_addr = target->v4source().s_addr;
 if (pingtype & PINGTYPE_TCP_USE_SYN) {
- send_tcp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, myseq, myack, TH_SYN, 0, NULL, 0, o.extra_payload,
+ send_tcp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, myseq, myack, TH_SYN, 0, (u8 *) "\x02\x04\x05\xb4", 4, o.extra_payload,
 o.extra_payload_length);
 } else {
 send_tcp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, myseq, myack, TH_ACK, 0, NULL, 0, o.extra_payload,
diff --git a/tcpip.cc b/tcpip.cc
index 037cc54f6..900e5e24b 100644
--- a/tcpip.cc
+++ b/tcpip.cc
@@ -936,7 +936,7 @@ int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, unsigned int packetl
 struct ip *ip = (struct ip *) packet;
 struct tcphdr *tcp = NULL;
 udphdr_bsd *udp;
- u8 *eth_frame;
+ u8 *eth_frame = NULL;
 eth_t *ethsd;
 bool ethsd_opened = false;
 assert(packet);
@@ -960,6 +960,8 @@ int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, unsigned int packetl
 PacketTrace::trace(PacketTrace::SENT, packet, packetlen);
 if (ethsd_opened) eth_close(ethsd);
+ free(eth_frame);
+ eth_frame = NULL;
 return res;
 }
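Review bot: `eth_frame = NULL;` in the -960 hunk has no effect: eth_frame is a local that goes out of scope at the `return res;` on the next line, so the assignment only suggests a use-after-free guard it does not provide, and `free(eth_frame);` alone is the fix. Initialising the pointer to NULL in the -936 hunk is what makes that free safe on the path where no ethernet frame is built. The body of send_ip_packet between the two hunks is outside this view, so any early return between the point where eth_frame is allocated and this one would still leak it; worth checking that every exit after the frame is built reaches this free. send_ip_packet starts before the first hunk.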