Use the correct the port range, 512-1023, not 513-1024.

Detect if binding a socket to a given port failed and retry. Close #3196
2025-12-06 04:31:29 +00:00 · 2025-11-01 22:52:49 +00:00
parent 8d7fa538e3
commit f5a3251e97
2 changed files with 29 additions and 23 deletions
--- a/4
+++ b/4
@@ -3,6 +3,10 @@
 o [GH#3194] RPC-based scripts were sporadically failing due to privileged
  port conflicts. [nnposter]

+o [GH#3196] Script rlogin-brute was sporadically failing due to using
+  an off-by-one range for privileged ports and not handling potential
+  port conflicts. [nnposter]
+
 Nmap 7.98 [2025-08-21]

 o [SECURITY] Rebuilt the Windows self-installer with NSIS 3.11, addressing
--- a/scripts/rlogin-brute.nse
+++ b/scripts/rlogin-brute.nse
@@ -51,34 +51,36 @@ Driver = {
  end,

  -- connects to the rlogin service
-  -- it sets the source port to a random value between 513 and 1024
+  -- it sets the source port to a random value between 512 and 1023
  connect = function(self)
-
-    local status
-
+    local status, err
    self.socket = brute.new_socket()
-    -- apparently wee need a source port below 1024
-    -- this approach is not very elegant as it causes address already in
-    -- use errors when the same src port is hit in a short time frame.
-    -- hopefully the retry count should take care of this as a retry
-    -- should choose a new random port as source.
-    local srcport = math.random(513, 1024)
-    self.socket:bind(nil, srcport)
-    self.socket:set_timeout(self.timeout)
-    local err
-    status, err = self.socket:connect(self.host, self.port)
-
-    if ( status ) then
-      local lport, _
-      status, _, lport = self.socket:get_info()
-      if (not(status) ) then
-        return false, "failed to retrieve socket status"
+    -- Let's make several attempts to bind to an unused well-known port
+    for _ = 1, 10 do
+      local srcport = math.random(512, 1023)
+      status, err = self.socket:bind(nil, srcport)
+      if status then
+        self.socket:set_timeout(self.timeout)
+        status, err = self.socket:connect(self.host, self.port)
+        if status then
+          -- socket:connect() succeeds even if mksock_bind_addr() fails.
+          -- It just assigns an ephemeral port instead of our choice,
+          -- so we need to check the actual source port afterwards.
+          local lport
+          status, err, lport = self.socket:get_info()
+          if status then
+            if lport == srcport then
+              return status
+            end
+            status = false
+            err = "Address already in use"
+          end
+        end
      end
-    else
      self.socket:close()
    end
-    if ( not(status) ) then
-      stdnse.debug3("ERROR: failed to connect to server")
+    if not status then
+      stdnse.debug2("Unable to bind to a well-known port (%s)", err)
    end
    return status
  end,