Differences for page Open bugs. Current version compared with version Mon Oct 30 23:32:22 GMT 2006...
Please write the bug report in any case even if you have only some of this information.
+ -----------------------------------
+ ->OS Ubuntu 8.10
+ ->hping version 2.0.0-rc3, 3.0.0-alpha-2
+ ->gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu12)
+
+ A buffer overflow occurs when the options --scan and -t are used at the same time. In the listing below I used ttl 1 (there are two hops to the target 10.201.1.100), but the situation is the same for any ttl=target_ttl-1 and less. I also noticed that if I scan a single remote port the issue sometimes does not show and I can see the normal output of hping. The situation is the same for both hping2 and hping3.
+
+ root@bt:~# traceroute -T 10.201.1.100
+ traceroute to 10.201.1.100 (10.201.1.100), 30 hops max, 40 byte packets
+ 1 my.firewall (10.201.2.1) 5.406 ms 10.532 ms 15.561 ms
+ 2 10.201.1.100 (10.201.1.100) 58.799 ms 60.190 ms 61.298 ms
+
+ root@bt:~# hping -S -p 80 10.201.1.100
+ HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+ len=46 ip=10.201.1.100 ttl=127 DF id=20607 sport=80 flags=SA seq=0 win=65535 rtt=4.9 ms
+ len=46 ip=10.201.1.100 ttl=127 DF id=20610 sport=80 flags=SA seq=1 win=65535 rtt=4.9 ms
+ ^C
+ --- 10.201.1.100 hping statistic ---
+ 2 packets transmitted, 2 packets received, 0% packet loss
+ round-trip min/avg/max = 4.9/4.9/4.9 ms
+
+ root@bt:~# hping -S -p 80 -t 1 10.201.1.100
+ HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ ^C
+ --- 10.201.1.100 hping statistic ---
+ 3 packets transmitted, 3 packets received, 0% packet loss
+ round-trip min/avg/max = 0.0/0.0/0.0 ms
+
+ root@bt:~# hping -S --scan 80 -t 1 10.201.1.100
+ Scanning 10.201.1.100 (10.201.1.100), port 80
+ 1 ports to scan, use -V to see all the replies
+ +----+-----------+---------+---+-----+-----+
+ |port| serv name | flags |ttl| id | win |
+ +----+-----------+---------+---+-----+-----+
+ *** buffer overflow detected ***: hping terminated
+ ======= Backtrace: =========
+ /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f746d8]
+ /lib/tls/i686/cmov/libc.so.6[0xb7f72800]
+ hping[0x8050529]
+ hping[0x805100a]
+ hping[0x8049be8]
+ /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e90685]
+ hping[0x8049461]
+ ======= Memory map: ========
+ Aborted
+ Not responding ports: (80 www)
+ All replies received. Done.
+
+ root@bt:~# hping -S --scan 80 10.201.1.100
+ Scanning 10.201.1.100 (10.201.1.100), port 80
+ 1 ports to scan, use -V to see all the replies
+ +----+-----------+---------+---+-----+-----+
+ |port| serv name | flags |ttl| id | win |
+ +----+-----------+---------+---+-----+-----+
+ 80 www : .S..A... 127 46672 65535
+ All replies received. Done.
+ Not responding ports:
+
+ ------------------------------------------------------------
+
+
+ ----
+ *FIXME fixed:* The IP id issue for fragments can be resolved with this patch. 13.09.2007 (oliver dot stampfli @ epfl dot ch)
+ Index: sendip.c
+ ===================================================================
+ RCS file: /cvsroot/hping2/hping3s/sendip.c,v
+ retrieving revision 1.2
+ diff -r1.2 sendip.c
+ 67c67,68
+ < else /* if you need fragmentation id must not be randomic */
+ ---
+ > else /* if you need fragmentation id must not be random but all fragments belonging to the
+ > * the same IP packet must have the same id that is unique amongst other fragments. */
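Review bot: the rewritten comment at 67-68 reads "belonging to the / the same IP packet"; drop the duplicated "the" where the line wraps.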
+ 69,73c70,79
+ < /* FIXME: when frag. enabled sendip_handler shold inc. ip->id */
+ < /* for every frame sent */
+ < ip->id = (src_id == -1) ?
+ < htons(getpid() & 255) :
+ < htons((unsigned short) src_id);
+ ---
+ > if(src_id == -1)
+ > {
+ > __u16 b16_counter = (__u16)sent_pkt;
+ > __u16 b16_pid = getpid() & 0xff;
+ > ip->id = htons(b16_pid + b16_counter);
+ > }
+ > else
+ > {
+ > ip->id = htons((unsigned short) src_id);
+ > }
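Review bot: `ip->id = htons(b16_pid + b16_counter)` keeps only the low byte of the pid and then adds the packet counter, so the pid stops distinguishing instances as soon as the counters differ by the pid difference (an instance with pid&0xff == 5 at its 10th packet and one with pid&0xff == 15 at its first both emit id 15); placing the pid byte in the high byte and the counter in the low byte would keep concurrent hping runs on one host apart for 256 packets. Also confirm that `sent_pkt` advances once per IP datagram and not once per fragment, otherwise the fragments of one datagram get different ids and the comment above the change no longer holds.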
+ ----
+ *Bug Report:* Error in computation of checksums for odd packet size. 31.8.2007 (oliver dot stampfli @ epfl dot ch)
+ It is the same bug that was already discovered in the ars.c file but this one is in the cksum.c file:
+ Change line 22 of cksum.c.
+ *((__u16 *) &oddbyte) = *(__u16 *) buf;
+ To
+ *((__u16 *) &oddbyte) = *(__u8 *) buf;
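Added here as an illustration, not hping's code: the pre-fix and fixed handling of the trailing odd byte side by side in a portable checksum routine; the names (`inet_cksum` and the two check functions) and the sample bytes are made up for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 1071 checksum. odd_as_u16 != 0 reproduces the pre-fix line from the
 * report: the trailing byte is read as a whole 16-bit word, so the byte after
 * the buffer leaks into the sum (caller must make buf[len] readable).
 * odd_as_u16 == 0 is the fixed, endian-independent handling: the byte goes
 * into the first memory byte of a zeroed word, paired with a zero pad exactly
 * as the preceding words were read from memory. */
uint16_t inet_cksum(const unsigned char *buf, size_t len, int odd_as_u16)
{
    uint32_t sum = 0; uint16_t w;
    for (; len > 1; buf += 2, len -= 2) {
        memcpy(&w, buf, 2);            /* alignment-safe native-order word */
        sum += w;
    }
    if (len == 1) {
        if (odd_as_u16) {
            memcpy(&w, buf, 2);        /* one-byte over-read: the bug */
        } else {
            w = 0;
            *(unsigned char *)&w = *buf;
        }
        sum += w;
    }
    while (sum >> 16)                  /* fold carries, then complement */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed 7-byte inputs differing only in the guard byte after the data:
 * returns 1 if the buggy variant sees that byte and the fixed one does not. */
int guard_byte_leaks_into_buggy_sum(void)
{
    unsigned char a[8] = {0x45, 0x00, 0x00, 0x1c, 0xab, 0xcd, 0x40, 0xaa};
    unsigned char b[8] = {0x45, 0x00, 0x00, 0x1c, 0xab, 0xcd, 0x40, 0x55};
    return inet_cksum(a, 7, 1) != inet_cksum(b, 7, 1)
        && inet_cksum(a, 7, 0) == inet_cksum(b, 7, 0);
}

/* Constructed 11-byte header with its checksum field at even offset 8: once
 * the field is filled in, a correctly checksummed buffer must sum to zero. */
int odd_length_checksum_roundtrips(void)
{
    unsigned char h[11] = {0x45, 0, 0, 0x0b, 0x12, 0x34, 0, 0, 0, 0, 0x7e};
    uint16_t c = inet_cksum(h, sizeof h, 0);
    memcpy(h + 8, &c, 2);              /* store in memory order, as on the wire */
    return inet_cksum(h, sizeof h, 0) == 0;
}
```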
+ ----
+ *Bug Report:* Not possible to send maximal data size. (oliver dot stampfli at epfl dot ch)
+
+ One cannot send packets with the maximal size of 65535 bytes.
+ Patch attached to fix this problem : {patch_maxsize.diff}
+ ----
+ *Bug Report:* Too early auto-fragmentation (oliver dot stampfli at epfl dot ch)
+
+ The problem is that if someone wants to send packets with exactly the MTU size of an interface then
+ hping activates auto-fragmentation although it is not needed at this point. The effect is that
+ one cannot send MTU sized packets with the DF bit on.
+ After this patch hping will send packets of exactly the same size, but it will no longer
+ activate auto-fragment mode too early, and therefore one can send MTU-sized packets that
+ still have the DF bit set.
+
+ diff -urb hping3s/sendip_handler.c hping3.work/sendip_handler.c
+ --- hping3s/sendip_handler.c 2003-09-01 02:22:06.000000000 +0200
+ +++ hping3.work/sendip_handler.c 2007-05-29 11:03:07.000000000 +0200
+ @@ -19,7 +19,7 @@
+ {
+ ip_optlen = ip_opt_build(ip_opt);
+
+ - if (!opt_fragment && (size+ip_optlen+20 >= h_if_mtu))
+ + if (!opt_fragment && (size+ip_optlen+20 > h_if_mtu))
+ {
+ /* auto-activate fragmentation */
+ virtual_mtu = h_if_mtu-20;
+
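Review bot: `>` is the right comparison (a datagram whose total length equals the interface MTU fits without fragmentation), but `size+ip_optlen+20` still hard-codes the IPv4 header length; `IPHDR_SIZE`, which sendip.c already uses when computing `ip->ihl`, would state the intent, and the same literal 20 reappears in `virtual_mtu = h_if_mtu-20` two lines below the changed line.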
+ ----
+ *Bug Report:* hping2 and hping3 accept ICMP error messages which are not meant for them. (oliver dot stampfli at epfl dot ch)
+
+ OS: any
+ Hping version: any
+ GCC: any
+ Tcl/Tk any
+
+ When you run 'traceroute H' and 'hping -A -p 22 -fast -q H' against a host H at the same time, hping wrongly takes
+ the ICMP TTL exceeded messages meant for traceroute as its own.
+ The problem is that hping matches these ICMP packets only on the IP addresses and not on other criteria.
+
+ From `waitpacket.c` in method `recv_icmp`:
+ /* ------------------------------------ *
+  * ICMP DEST UNREACHABLE, TIME EXCEEDED *
+  * ------------------------------------ */
+ else if (icmp.type == 3 || icmp.type == 11) {
+     if ((size - ICMPHDR_SIZE) < sizeof(struct myiphdr)) {
+         printf("[|icmp quoted ip]\n");
+         return 0;
+     }
+     memcpy(&quoted_ip, packet+ICMPHDR_SIZE, sizeof(quoted_ip));
+     if (memcmp(&quoted_ip.daddr, &remote.sin_addr,
+                sizeof(quoted_ip.daddr)) ||
+         memcmp(&ip.daddr, &local.sin_addr, sizeof(ip.daddr)))
+         return 0; /* addresses don't match */
+     /* Now we can handle the specific type */
+     switch(icmp.type) {
+     case 3:
+         if (!opt_quiet)
+             log_icmp_unreach(inet_ntoa(src), icmp.code);
+         return 1;
+     case 11:
+         if (opt_traceroute)
+             log_traceroute(packet, size, icmp.code);
+         else
+             log_icmp_timeexc(inet_ntoa(src), icmp.code);
+         return 1;
+     }
+ }
+
+ I don't know if this problem exists also for different packet types but it is very likely.
+ I think this is not too hard to fix:
+ -> if src_id != -1 then compare the src_id with quoted_ip.id
+ -> if src_id == -1 then you would have to have saved the ids of your previously sent packets (because they were random) and compare quoted_ip.id to them.
+
+ Note that this would not entirely fix the problem because (in this case) traceroute could use the same id numbers by accident, but this is not very likely.
+ BEWARE of including a fixed signature in the data part and marking all packets from hping this way so they can easily be recognized, because IDSs and firewalls could then recognize them too.
+
+ Any discussion on this is appreciated... please write me an e-mail.
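An added example, not hping's code, of the id check the reporter proposes: the ICMP error's quoted IP header is matched against the target address and against a ring of ids this process sent, with the address-only behaviour from the report kept selectable for comparison. `icmp_error_is_ours`, `remember_sent_id`, the sample packet builder and the addresses and ids in it are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ICMPHDR_SIZE 8      /* type, code, checksum, 4 bytes rest-of-header */
#define IPHDR_SIZE   20     /* quoted IPv4 header without options */
#define MAX_SENT     256    /* ring of IP ids this process put on the wire */
static uint16_t sent_ids[MAX_SENT]; static unsigned n_sent;

void remember_sent_id(uint16_t id) { sent_ids[n_sent++ % MAX_SENT] = id; }

/* Returns 1 when an ICMP destination-unreachable (3) or time-exceeded (11)
 * message quotes a datagram we sent. check_id == 0 is the address-only test
 * from the report; check_id != 0 adds the reporter's suggestion: the quoted
 * IP id must be one we remember emitting. */
int icmp_error_is_ours(const unsigned char *pkt, size_t len,
                       const unsigned char target[4], int check_id)
{
    if (len < ICMPHDR_SIZE + IPHDR_SIZE) return 0;     /* [|icmp quoted ip] */
    if (pkt[0] != 3 && pkt[0] != 11) return 0;
    const unsigned char *q = pkt + ICMPHDR_SIZE;        /* quoted IP header */
    if (memcmp(q + 16, target, 4) != 0) return 0;       /* quoted daddr */
    if (!check_id) return 1;
    uint16_t id = (uint16_t)(q[4] << 8 | q[5]);         /* quoted ip->id */
    unsigned limit = n_sent < MAX_SENT ? n_sent : MAX_SENT;
    for (unsigned i = 0; i < limit; i++)
        if (sent_ids[i] == id) return 1;
    return 0;
}

/* Constructed sample: TTL exceeded from the first hop, quoting a 40-byte TCP
 * probe to 10.201.1.100 (the target used on this page) with IP id `id'. */
static size_t make_time_exceeded(unsigned char *out, uint16_t id)
{
    static const unsigned char tmpl[ICMPHDR_SIZE + IPHDR_SIZE] = {
        11, 0, 0, 0, 0, 0, 0, 0,                        /* ICMP type 11, code 0 */
        0x45, 0, 0x00, 0x28, 0, 0, 0x40, 0, 1, 6, 0, 0, /* v4, len 40, DF, ttl 1, TCP */
        10, 201, 2, 10, 10, 201, 1, 100 };              /* quoted saddr, daddr */
    memcpy(out, tmpl, sizeof tmpl);
    out[ICMPHDR_SIZE + 4] = (unsigned char)(id >> 8); out[ICMPHDR_SIZE + 5] = (unsigned char)id;
    return sizeof tmpl;
}

/* Scenario from the report: our probe used id 0x1234, a concurrent traceroute used
 * 0x9999. Returns 1 when address-only matching accepts both and the id check only ours. */
int id_check_rejects_foreign_icmp(void)
{
    static const unsigned char target[4] = {10, 201, 1, 100};
    unsigned char ours[64], theirs[64];
    size_t n1 = make_time_exceeded(ours, 0x1234), n2 = make_time_exceeded(theirs, 0x9999);
    remember_sent_id(0x1234);
    return icmp_error_is_ours(ours, n1, target, 0) && icmp_error_is_ours(theirs, n2, target, 0)
        && icmp_error_is_ours(ours, n1, target, 1) && !icmp_error_is_ours(theirs, n2, target, 1);
}
```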
+
+
+ ----
Bug Report: hping2 uses 127.0.0.1 for its source IP for all packets. (erickson at netapp.com)
OS: 2.6.11-1.27_FC3smp
...
all the source IPs are the loopback IP.
+ ----
+ *Bug Report:* Hping2-rc3 ALWAYS dies on OS X on Intel Processors with: "\[send_ip\] sendto: Invalid argument" (nathan dot stocks at gmail dot com)
+ `Fix is documented here: [link http://lists.apple.com/archives/macnetworkprog/2006/Jun/msg00049.html]`
- *Bug Report: Hping3s compile error: ../hping3s/main.c:186: undefined reference to `hping_script' (zarxcky, z4rxcky AT inbox DOT com)
+ *OS:* OS X 10.4 on Intel
+ *Hping:* 2.0.0-rc3
+
+ *GCC:* i686-apple-darwin8-gcc-4.0.1 (GCC) 4.0.1 (Apple Computer, Inc. build 5363)
+
+ *TCL:* 8.4.12
+
+ Walking through the fix (documented at the link above), here are the specific patches that need to be applied to hping2-rc3 to make it work on OS X 10.4 on Intel processors:
+
+ --- libpcap_stuff.c.org 2006-01-23 17:58:11.000000000 +0100
+ +++ libpcap_stuff.c 2006-01-23 17:58:46.000000000 +0100
+ @@ -16,8 +16,8 @@
+ #include <string.h>
+ #include <stdlib.h>
+ #include <sys/ioctl.h>
+ -#include <pcap.h>
+ #include <net/bpf.h>
+ +#include <pcap.h>
+
+ #include "globals.h"
+
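Review bot: the hunk only swaps the order of `<pcap.h>` and `<net/bpf.h>` and says nothing about why; a one-line comment is warranted, because the OS X build log further down this page (libpcap_stuff.c:20 pulling in net/bpf.h and failing with "redefinition of 'struct bpf_program'") shows what the original order produces, while the OpenSuSE patch at the end of the page fixes the same file by replacing `<net/bpf.h>` with `<pcap-bpf.h>` instead. Pick one of the two approaches for the tree rather than carrying both.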
+
+ --- ars.c.orig 2006-11-20 13:20:01.000000000 -0700
+ +++ ars.c 2006-11-20 13:20:46.000000000 -0700
+ @@ -830,7 +830,7 @@
+ return -ARS_INVALID;
+ }
+ ip = (struct ars_iphdr*) packet;
+ -#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
+ +#if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
+ ip->tot_len = ntohs(ip->tot_len);
+ ip->frag_off = ntohs(ip->frag_off);
+ #endif
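Review bot: `OSTYPE_DARWIN` only takes effect if the configure script defines it for Darwin, and no build-system hunk is shown, so that change belongs in the same patch. The list `defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI` is now repeated here and twice in sendip.c; one feature macro in a shared header (a hypothetical `OSTYPE_BSD_RAWSOCK`, say) would keep the three sites from drifting apart.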
+
+
+
+ --- sendip.c.orig 2006-11-20 13:23:28.000000000 -0700
+ +++ sendip.c 2006-11-20 13:23:05.000000000 -0700
+ @@ -48,7 +48,8 @@
+ ip->ihl = (IPHDR_SIZE + optlen + 3) >> 2;
+ ip->tos = ip_tos;
+
+ -#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
+ +#if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI
+ +/* OS X */
+ /* FreeBSD */
+ /* NetBSD */
+ ip->tot_len = packetsize;
+ @@ -73,7 +74,8 @@
+ htons((unsigned short) src_id);
+ }
+
+ -#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD | defined OSTYPE_BSDI
+ +#if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD | defined OSTYPE_BSDI
+ +/* OS X */
+ /* FreeBSD */
+ /* NetBSD */
+ ip->frag_off |= more_fragments;
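Review bot: the modified line keeps the pre-existing single `|` in `defined OSTYPE_NETBSD | defined OSTYPE_BSDI`; it happens to work because `defined` evaluates to 0 or 1, but it should be `||` like the line at 48 in the previous hunk, and touching the line is the moment to fix it.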
+
+
+
+ ----
+
+ *Bug Report: Hping3s compile error: ../hping3s/main.c:186: undefined reference to 'hping_script' (zarxcky, z4rxcky AT inbox DOT com)
+
OS: Suse Linux Pro 9.3
Hping version: Hping3s
...
./configure does not give any problem, but when trying to run make, there is 1 error which is stated below:
- main.o(.text+0x52): In function `main':
- ../../hping3s/main.c:186: undefined reference to `hping_script'
+ main.o(.text+0x52): In function 'main':
+ ../../hping3s/main.c:186: undefined reference to 'hping_script'
collect2: ld returned 1 exit status
make: *** [hping3] Error 1
...
-> Libpcap 0.9.3
Error message:
error: net/bpf.h: No such file or directory
- In last version of libpcap, net/bpf.h has moved to pcap-bpf.h and this file is automatically
- included in pcap.h. So just not include it...
+ In last version of libpcap, net/bpf.h has been moved to pcap-bpf.h and it's automatically
+ included in pcap.h. So net/bpf.h shouldn't be included anymore...
Patch:
- `Um`... `what?` `^^^^`
-
--- hping3s/script.c.orig 2005-09-12 00:52:35.000000000 +0200
+++ hping3s/script.c 2005-09-12 00:53:00.000000000 +0200
@@ -24,7 +24,6 @@
...
with me.
----
+ OS: OSX 10.4.8
+
+ I know it is mostly tested with Linux, but I figured what the heck???
+
+
+
+ gcc -c -O2 -Wall -DUSE_TCL -g main.c
+ gcc -c -O2 -Wall -DUSE_TCL -g getifname.c
+ getifname.c: In function 'get_output_if':
+ getifname.c:343: warning: pointer targets in passing argument 3 of 'getsockname' differ in signedness
+ gcc -c -O2 -Wall -DUSE_TCL -g getlhs.c
+ gcc -c -O2 -Wall -DUSE_TCL -g parseoptions.c
+ gcc -c -O2 -Wall -DUSE_TCL -g datafiller.c
+ gcc -c -O2 -Wall -DUSE_TCL -g datahandler.c
+ gcc -c -O2 -Wall -DUSE_TCL -g binding.c
+ gcc -c -O2 -Wall -DUSE_TCL -g logicmp.c
+ gcc -c -O2 -Wall -DUSE_TCL -g waitpacket.c
+ gcc -c -O2 -Wall -DUSE_TCL -g sendip.c
+ gcc -c -O2 -Wall -DUSE_TCL -g sendicmp.c
+ gcc -c -O2 -Wall -DUSE_TCL -g sendudp.c
+ gcc -c -O2 -Wall -DUSE_TCL -g sendtcp.c
+ gcc -c -O2 -Wall -DUSE_TCL -g cksum.c
+ gcc -c -O2 -Wall -DUSE_TCL -g statistics.c
+ gcc -c -O2 -Wall -DUSE_TCL -g version.c
+ gcc -c -O2 -Wall -DUSE_TCL -g listen.c
+ gcc -c -O2 -Wall -DUSE_TCL -g sendhcmp.c
+ gcc -c -O2 -Wall -DUSE_TCL -g rtt.c
+ gcc -c -O2 -Wall -DUSE_TCL -g relid.c
+ gcc -c -O2 -Wall -DUSE_TCL -g sendip_handler.c
+ gcc -c -O2 -Wall -DUSE_TCL -g libpcap_stuff.c
+ In file included from libpcap_stuff.c:20:
+ /usr/include/net/bpf.h:93: error: redefinition of 'struct bpf_program'
+ /usr/include/net/bpf.h:118: error: redefinition of 'struct bpf_version'
+ /usr/include/net/bpf.h:321: error: redefinition of 'struct bpf_insn'
+ libpcap_stuff.c: In function 'pcap_recv':
+ libpcap_stuff.c:61: warning: pointer targets in assignment differ in signedness
+ make: *** [libpcap_stuff.o] Error 1
+
+
+
+ so it all compiles except the libpcap_stuff.c (obviously). I am too lazy to figure out why....maybe someone else is motivated enough??? :)
+
+ tyler
+
+
+ This is because some stuff is in pcap-bpf.h AND net/bpf.h IF you have installed libpcap with *fink* (not sure about other setups).
+ A dirty workaround that helped me was to remove
+ #include <net/bpf.h>
+ from script.c and libpcap_stuff.c (see sxav comment above).
+ This still leads to a compile error, because pcap.h doesn't define a needed constant called BIOCIMMEDIATE.
+ This can be solved easily by copying the needed constant from net/bpf.h
+ #define BIOCIMMEDIATE _IOW('B',112, u_int)
+ Now you should be able to compile and run hping3.
+
+ `I just wrote this in case other OS X users run into the issue. I'm not sure how to fix this the "correct way" in the CVS, so I don't change anything.`
+
+ `As I am a non-native English speaker, can someone please correct typos? Thanks.`
+
+
+ hanfi
+
+
+ -------------------------------------
+
+ OpenSuSE 10.2 has problems compiling hping 3 with gcc 4.1.2 20061115 (prerelease) (SUSE Linux), tcl-8.4.14-11. Here are patches that worked for me.
+
+ *** Makefile-orig Wed Aug 22 10:40:02 2007
+ --- Makefile Wed Aug 22 10:40:17 2007
+ ***************
+ *** 50,56 ****
+ $(RANLIB) $@
+
+ hping3: byteorder.h $(OBJ)
+ ! $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) -ltcl -lm -lpthread
+ @echo
+ ./hping3 -v
+ @echo "use \`make strip' to strip hping3 binary"
+ --- 50,56 ----
+ $(RANLIB) $@
+
+ hping3: byteorder.h $(OBJ)
+ ! $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) -ltcl8.4 -lm -lpthread
+ @echo
+ ./hping3 -v
+ @echo "use \`make strip' to strip hping3 binary"
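Review bot: `-ltcl8.4` fixes the link on a system that only ships the versioned library, but it hard-codes one Tcl version into the Makefile for every platform; have configure pick up the library name (tclConfig.sh exports it as `TCL_LIB_SPEC`) or try `-ltcl` first and fall back to the versioned name.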
+ *** bytesex.h-orig Wed Aug 22 10:43:57 2007
+ --- bytesex.h Wed Aug 22 10:43:59 2007
+ ***************
+ *** 9,14 ****
+ --- 9,15 ----
+
+ #if defined(__i386__) \
+ || defined(__alpha__) \
+ + || defined(__x86_64) \
+ || (defined(__mips__) && (defined(MIPSEL) || defined (__MIPSEL__)))
+ #define BYTE_ORDER_LITTLE_ENDIAN
+ #elif defined(__mc68000__) \
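Review bot: adding `__x86_64` makes the 64-bit build pick little-endian, but the neighbouring entries use the double-underscore-suffixed spelling (`__i386__`, `__alpha__`); GCC defines both `__x86_64` and `__x86_64__`, so `__x86_64__` would keep the list consistent.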
+ *** libpcap_stuff.c-orig Wed Aug 22 10:38:06 2007
+ --- libpcap_stuff.c Wed Aug 22 10:38:26 2007
+ ***************
+ *** 17,23 ****
+ #include <stdlib.h>
+ #include <sys/ioctl.h>
+ #include <pcap.h>
+ ! #include <net/bpf.h>
+
+ #include "globals.h"
+
+ --- 17,23 ----
+ #include <stdlib.h>
+ #include <sys/ioctl.h>
+ #include <pcap.h>
+ ! #include <pcap-bpf.h>
+
+ #include "globals.h"
+
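Review bot: replacing `<net/bpf.h>` with `<pcap-bpf.h>` matches the earlier comment on this page that libpcap 0.9.3 moved the declarations into pcap-bpf.h, which pcap.h already includes; given that, the explicit include is redundant and could be dropped as that comment suggested, unless the file relies on an ioctl constant such as `BIOCIMMEDIATE` that the fink-based OS X report above found missing, in which case a one-line comment saying so would stop the next reader from removing it.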
+ *** script.c-orig Wed Aug 22 10:38:46 2007
+ --- script.c Wed Aug 22 10:39:23 2007
+ ***************
+ *** 24,30 ****
+
+ #include <sys/ioctl.h>
+ #include <pcap.h>
+ ! #include <net/bpf.h>
+
+ #include "release.h"
+ #include "hping2.h"
+ --- 24,30 ----
+
+ #include <sys/ioctl.h>
+ #include <pcap.h>
+ ! #include <pcap-bpf.h>
+
+ #include "release.h"
+ #include "hping2.h"
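Review bot: same change as for libpcap_stuff.c above, now in script.c; the earlier Sxav patch on this page also touches the script.c include block (hunk @@ -24,7 +24,6 @@, deleting the line instead of replacing it), so only one of the two can be applied or the second will fail to match.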
+
+ -------------------------------------
+