
Differences for page Open bugs

Current version compared with version Tue May 29 09:27:22 GMT 2007

...
  
  Please write the bug report in any case even if you have only some of this information.
  
+ -----------------------------------
+ ->OS Ubuntu 8.10
+ ->hping version 2.0.0-rc3, 3.0.0-alpha-2
+ ->gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu12
+ 
+ Buffer overflow is in place when options --scan and -t uses at the same time. At the list below I used ttl 1 (there are two hops to the target 10.201.1.100). But situation is the same for any ttl=target_ttl-1 and less. Also I mentioned that if I use one remote port to scan sometimes issue not shown and I can see the normal output of hping. Situation is the same both for hping2 and hping3.
+ 
+ root@bt:~# traceroute -T 10.201.1.100
+  traceroute to 10.201.1.100 (10.201.1.100), 30 hops max, 40 byte packets
+  1  my.firewall (10.201.2.1)  5.406 ms  10.532 ms  15.561 ms
+  2  10.201.1.100 (10.201.1.100)  58.799 ms  60.190 ms  61.298 ms
+ 
+ root@bt:~# hping -S -p 80 10.201.1.100
+  HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+  len=46 ip=10.201.1.100 ttl=127 DF id=20607 sport=80 flags=SA seq=0 win=65535 rtt=4.9 ms
+  len=46 ip=10.201.1.100 ttl=127 DF id=20610 sport=80 flags=SA seq=1 win=65535 rtt=4.9 ms
+  ^C
+  --- 10.201.1.100 hping statistic ---
+  2 packets transmitted, 2 packets received, 0% packet loss
+  round-trip min/avg/max = 4.9/4.9/4.9 ms
+ 
+ root@bt:~# hping -S -p 80 -t 1 10.201.1.100
+  HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+  ^C
+  --- 10.201.1.100 hping statistic ---
+  3 packets transmitted, 3 packets received, 0% packet loss
+  round-trip min/avg/max = 0.0/0.0/0.0 ms
+ 
+ root@bt:~# hping -S --scan 80 -t 1 10.201.1.100
+  Scanning 10.201.1.100 (10.201.1.100), port 80
+  1 ports to scan, use -V to see all the replies
+  +----+-----------+---------+---+-----+-----+
+  |port| serv name |  flags  |ttl| id  | win |
+  +----+-----------+---------+---+-----+-----+
+  *** buffer overflow detected ***: hping terminated
+  ======= Backtrace: =========
+  /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f746d8]
+  /lib/tls/i686/cmov/libc.so.6[0xb7f72800]
+  hping[0x8050529]
+  hping[0x805100a]
+  hping[0x8049be8]
+  /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e90685]
+  hping[0x8049461]
+  ======= Memory map: ========
+  08048000-08058000 r-xp 00000000 03:05 1058310    /usr/sbin/hping2
+  08058000-0805a000 rw-p 0000f000 03:05 1058310    /usr/sbin/hping2
+  0805a000-08060000 rw-p 00000000 00:00 0
+  080fb000-0811c000 rw-p 00000000 00:00 0          [heap]
+  b7d98000-b7da5000 r-xp 00000000 03:05 1038415    /lib/libgcc_s.so.1
+  b7da5000-b7da6000 r--p 0000c000 03:05 1038415    /lib/libgcc_s.so.1
+  b7da6000-b7da7000 rw-p 0000d000 03:05 1038415    /lib/libgcc_s.so.1
+  b7db9000-b7e7a000 rw-s 00000000 00:08 1736725    /SYSV00000000 (deleted)
+  b7e7a000-b7fd2000 r-xp 00000000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd2000-b7fd4000 r--p 00158000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd4000-b7fd5000 rw-p 0015a000 03:05 1048034    /lib/tls/i686/cmov/libc-2.8.90.so
+  b7fd5000-b7fd8000 rw-p 00000000 00:00 0
+  b7fea000-b7fec000 rw-p 00000000 00:00 0
+  b7fec000-b8006000 r-xp 00000000 03:05 1038373    /lib/ld-2.8.90.so
+  b8006000-b8007000 rw-p 00000000 00:00 0
+  b8007000-b8008000 r--p 0001a000 03:05 1038373    /lib/ld-2.8.90.so
+  b8008000-b8009000 rw-p 0001b000 03:05 1038373    /lib/ld-2.8.90.so
+  bf8fd000-bf912000 rw-p 00000000 00:00 0          [stack]
+  ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]
+  Aborted
+  Not responding ports: (80 www)
+  All replies received. Done.
+ 
+ root@bt:~# hping -S --scan 80 10.201.1.100
+  Scanning 10.201.1.100 (10.201.1.100), port 80
+  1 ports to scan, use -V to see all the replies
+  +----+-----------+---------+---+-----+-----+
+  |port| serv name |  flags  |ttl| id  | win |
+  +----+-----------+---------+---+-----+-----+
+     80 www        : .S..A... 127 46672 65535
+  All replies received. Done.
+  Not responding ports:
+ 
+ ------------------------------------------------------------
+ 
+ 
  ----
+ *FIXME fixed:* The IP id issue for fragments can be resolved with this path. 13.09.2007 (oliver dot stampfli @ epfl dot ch)
+ Index: sendip.c
+  ===================================================================
+  RCS file: /cvsroot/hping2/hping3s/sendip.c,v
+  retrieving revision 1.2
+  diff -r1.2 sendip.c
+  67c67,68
+  < 	else /* if you need fragmentation id must not be randomic */
+  ---
+  > 	else /* if you need fragmentation id must not be random but all fragments belonging to the
+  > 		  * the same IP packet must have the same id that is unique amongst other fragments. */
+  69,73c70,79
+  < 		/* FIXME: when frag. enabled sendip_handler shold inc. ip->id */
+  < 		/*        for every frame sent */
+  < 		ip->id		= (src_id == -1) ?
+  < 			htons(getpid() & 255) :
+  < 			htons((unsigned short) src_id);
+  ---
+  > 		if(src_id == -1)
+  > 		{
+  > 			__u16 b16_counter = (__u16)sent_pkt;
+  > 			__u16 b16_pid = getpid() & 0xff;
+  > 			ip->id = htons(b16_pid + b16_counter);
+  > 		}
+  > 		else
+  > 		{
+  > 			ip->id = htons((unsigned short) src_id);
+  > 		}
+ ----
+ *Bug Report:* Error in computation of checksums for odd packet size. 31.8.2007 (oliver dot stampfli @ epfl dot ch)
+ It is the same bug that was already discovered in the ars.c file but this one is in the cksum.c file:
+ Change line 22 of cksum.c.
+  *((__u16 *) &oddbyte) = *(__u16 *) buf;
+ To
+  *((__u16 *) &oddbyte) = *(__u8 *) buf;
+ ----
+ *Bug Report:* Not possible to send maximal data size. (oliver dot stampfli at epfl dot ch)
+ 
+ One can not send packets with the maximal size of 65535 byte.
+ Patch attached to fix this problem : {patch_maxsize.diff}
+ ----
  *Bug Report:* Too early auto-fragmentation (oliver dot stampfli at epfl dot ch)
  
  The problem is that if someone wants to send packets with exactly the MTU size of an interface then
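Review bot: The cksum.c replacement line `*((__u16 *) &oddbyte) = *(__u8 *) buf;` stores the trailing byte as a 16-bit integer, so which byte of oddbyte it occupies depends on host byte order; the original line's problem was reading two bytes where only one remains, and the fix removes that over-read but places the byte correctly only on little-endian hosts. The conventional form writes the byte into the first byte of a zeroed accumulator, `oddbyte = 0; *(__u8 *)&oddbyte = *(__u8 *)buf;`, assuming oddbyte is a 16-bit variable here, which the page does not show. In the sendip.c patch, `ip->id = htons(b16_pid + b16_counter);` derives the id from only the low 8 bits of the pid plus `sent_pkt`, so fragments from two concurrently running instances can still collide, and whether `sent_pkt` stays constant across the fragments of one packet is not visible in this hunk and should be confirmed against the fragmentation loop. The `--scan` with `-t` report above carries only an unsymbolized backtrace (`hping[0x8050529]` and neighbours); a `-g` build or a gdb backtrace from the reporter would identify the overflowing function and make the report actionable.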
...
  -> Libpcap 0.9.3
  Error message:
   error: net/bpf.h: No such file or directory
- In last version of libpcap, net/bpf.h has moved to pcap-bpf.h and this file is automatically
- included in pcap.h. So just not include it...
+ In last version of libpcap, net/bpf.h has been moved to pcap-bpf.h and it's automatically
+ included in pcap.h. So net/bpf.h shouldn't be included anymore...
  Patch:
  
- `Um`... `what?` `^^^^`
- 
   --- hping3s/script.c.orig       2005-09-12 00:52:35.000000000 +0200
   +++ hping3s/script.c    2005-09-12 00:53:00.000000000 +0200
   @@ -24,7 +24,6 @@
...
  hanfi
  
  
- -------------------------------------------------------------------------------
+ -------------------------------------
+ 
+ OpenSuSE 10.2 has problems compiling hping 3 with gcc 4.1.2 20061115 (prerelease) (SUSE Linux), tcl-8.4.14-11.  Here are patches that worked for me.
+ 
+  *** Makefile-orig       Wed Aug 22 10:40:02 2007
+  --- Makefile    Wed Aug 22 10:40:17 2007
+  ***************
+  *** 50,56 ****
+          $(RANLIB) $@
+ 
+    hping3: byteorder.h $(OBJ)
+  !       $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP)  -ltcl -lm -lpthread
+          @echo
+          ./hping3 -v
+          @echo "use \`make strip' to strip hping3 binary"
+  --- 50,56 ----
+          $(RANLIB) $@
+ 
+    hping3: byteorder.h $(OBJ)
+  !       $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP)  -ltcl8.4 -lm -lpthread
+          @echo
+          ./hping3 -v
+          @echo "use \`make strip' to strip hping3 binary"
+  *** bytesex.h-orig      Wed Aug 22 10:43:57 2007
+  --- bytesex.h   Wed Aug 22 10:43:59 2007
+  ***************
+  *** 9,14 ****
+  --- 9,15 ----
+ 
+    #if   defined(__i386__) \
+          || defined(__alpha__) \
+  +       || defined(__x86_64) \
+          || (defined(__mips__) && (defined(MIPSEL) || defined (__MIPSEL__)))
+    #define BYTE_ORDER_LITTLE_ENDIAN
+    #elif         defined(__mc68000__) \
+  *** libpcap_stuff.c-orig        Wed Aug 22 10:38:06 2007
+  --- libpcap_stuff.c     Wed Aug 22 10:38:26 2007
+  ***************
+  *** 17,23 ****
+    #include <stdlib.h>
+    #include <sys/ioctl.h>
+    #include <pcap.h>
+  ! #include <net/bpf.h>
+ 
+    #include "globals.h"
+ 
+  --- 17,23 ----
+    #include <stdlib.h>
+    #include <sys/ioctl.h>
+    #include <pcap.h>
+  ! #include <pcap-bpf.h>
+ 
+    #include "globals.h"
+ 
+  *** script.c-orig       Wed Aug 22 10:38:46 2007
+  --- script.c    Wed Aug 22 10:39:23 2007
+  ***************
+  *** 24,30 ****
+ 
+    #include <sys/ioctl.h>
+    #include <pcap.h>
+  ! #include <net/bpf.h>
+ 
+    #include "release.h"
+    #include "hping2.h"
+  --- 24,30 ----
+ 
+    #include <sys/ioctl.h>
+    #include <pcap.h>
+  ! #include <pcap-bpf.h>
+ 
+    #include "release.h"
+    #include "hping2.h"
+ 
+ -------------------------------------
+ 
  
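Review bot: The bytesex.h addition `|| defined(__x86_64) \` spells the macro differently from the neighbouring `__i386__` and `__alpha__` tests; GCC defines both `__x86_64` and `__x86_64__`, so it works, but `defined(__x86_64__)` would be consistent with the rest of the expression. The Makefile hunk hard-codes `-ltcl8.4` on a line that otherwise uses substitutable variables such as `$(PCAP)`, tying the build to one Tcl release; a `$(TCL)` variable defaulting to `-ltcl` would keep the fix without the pinning. These patches are presented as what worked on one OpenSuSE install, so this is a portability note rather than a defect in the reported fix.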

The following is the old page content