Differences for page Open bugsCurrent version compared with version Wed Jan 20 15:10:08 GMT 2010...
Buffer overflow is in place when options --scan and -t uses at the same time. At the list below I used ttl 1 (there are two hops to the target 10.201.1.100). But situation is the same for any ttl=target_ttl-1 and less. Also I mentioned that if I use one remote port to scan sometimes issue not shown and I can see the normal output of hping. Situation is the same both for hping2 and hping3.
- ->root@bt:~# traceroute -T 10.201.1.100
- traceroute to 10.201.1.100 (10.201.1.100), 30 hops max, 40 byte packets
+ root@bt:~# traceroute -T 10.201.1.100
+ traceroute to 10.201.1.100 (10.201.1.100), 30 hops max, 40 byte packets
1 my.firewall (10.201.2.1) 5.406 ms 10.532 ms 15.561 ms
2 10.201.1.100 (10.201.1.100) 58.799 ms 60.190 ms 61.298 ms
...
- ->root@bt:~# hping -S -p 80 10.201.1.100
- HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
- len=46 ip=10.201.1.100 ttl=127 DF id=20607 sport=80 flags=SA seq=0 win=65535 rtt=4.9 ms
- len=46 ip=10.201.1.100 ttl=127 DF id=20610 sport=80 flags=SA seq=1 win=65535 rtt=4.9 ms
- ^C
- --- 10.201.1.100 hping statistic ---
- 2 packets transmitted, 2 packets received, 0% packet loss
- round-trip min/avg/max = 4.9/4.9/4.9 ms
+ root@bt:~# hping -S -p 80 10.201.1.100
+ HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+ len=46 ip=10.201.1.100 ttl=127 DF id=20607 sport=80 flags=SA seq=0 win=65535 rtt=4.9 ms
+ len=46 ip=10.201.1.100 ttl=127 DF id=20610 sport=80 flags=SA seq=1 win=65535 rtt=4.9 ms
+ ^C
+ --- 10.201.1.100 hping statistic ---
+ 2 packets transmitted, 2 packets received, 0% packet loss
+ round-trip min/avg/max = 4.9/4.9/4.9 ms
- ->root@bt:~# hping -S -p 80 -t 1 10.201.1.100
- HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
- TTL 0 during transit from ip=10.201.2.1 name=my.firewall
- TTL 0 during transit from ip=10.201.2.1 name=my.firewall
- TTL 0 during transit from ip=10.201.2.1 name=my.firewall
- ^C
- --- 10.201.1.100 hping statistic ---
- 3 packets transmitted, 3 packets received, 0% packet loss
- round-trip min/avg/max = 0.0/0.0/0.0 ms
+ root@bt:~# hping -S -p 80 -t 1 10.201.1.100
+ HPING 10.201.1.100 (eth0 10.201.1.100): S set, 40 headers + 0 data bytes
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ TTL 0 during transit from ip=10.201.2.1 name=my.firewall
+ ^C
+ --- 10.201.1.100 hping statistic ---
+ 3 packets transmitted, 3 packets received, 0% packet loss
+ round-trip min/avg/max = 0.0/0.0/0.0 ms
- ->root@bt:~# hping -S --scan 80 -t 1 10.201.1.100
- Scanning 10.201.1.100 (10.201.1.100), port 80
- 1 ports to scan, use -V to see all the replies
- +----+-----------+---------+---+-----+-----+
- |port| serv name | flags |ttl| id | win |
- +----+-----------+---------+---+-----+-----+
- *** buffer overflow detected ***: hping terminated
- ======= Backtrace: =========
- /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f746d8]
- /lib/tls/i686/cmov/libc.so.6[0xb7f72800]
- hping[0x8050529]
- hping[0x805100a]
- hping[0x8049be8]
- /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e90685]
- hping[0x8049461]
- ======= Memory map: ========
- 08048000-08058000 r-xp 00000000 03:05 1058310 /usr/sbin/hping2
- 08058000-0805a000 rw-p 0000f000 03:05 1058310 /usr/sbin/hping2
- 0805a000-08060000 rw-p 00000000 00:00 0
- 080fb000-0811c000 rw-p 00000000 00:00 0 [heap]
- b7d98000-b7da5000 r-xp 00000000 03:05 1038415 /lib/libgcc_s.so.1
- b7da5000-b7da6000 r--p 0000c000 03:05 1038415 /lib/libgcc_s.so.1
- b7da6000-b7da7000 rw-p 0000d000 03:05 1038415 /lib/libgcc_s.so.1
- b7db9000-b7e7a000 rw-s 00000000 00:08 1736725 /SYSV00000000 (deleted)
- b7e7a000-b7fd2000 r-xp 00000000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
- b7fd2000-b7fd4000 r--p 00158000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
- b7fd4000-b7fd5000 rw-p 0015a000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
- b7fd5000-b7fd8000 rw-p 00000000 00:00 0
- b7fea000-b7fec000 rw-p 00000000 00:00 0
- b7fec000-b8006000 r-xp 00000000 03:05 1038373 /lib/ld-2.8.90.so
- b8006000-b8007000 rw-p 00000000 00:00 0
- b8007000-b8008000 r--p 0001a000 03:05 1038373 /lib/ld-2.8.90.so
- b8008000-b8009000 rw-p 0001b000 03:05 1038373 /lib/ld-2.8.90.so
- bf8fd000-bf912000 rw-p 00000000 00:00 0 [stack]
- ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
- Aborted
- Not responding ports: (80 www)
- All replies received. Done.
- ->root@bt:~# hping -S --scan 80 10.201.1.100
- Scanning 10.201.1.100 (10.201.1.100), port 80
- 1 ports to scan, use -V to see all the replies
- +----+-----------+---------+---+-----+-----+
- |port| serv name | flags |ttl| id | win |
- +----+-----------+---------+---+-----+-----+
- 80 www : .S..A... 127 46672 65535
- All replies received. Done.
- Not responding ports:
+ root@bt:~# hping -S --scan 80 -t 1 10.201.1.100
+ Scanning 10.201.1.100 (10.201.1.100), port 80
+ 1 ports to scan, use -V to see all the replies
+ +----+-----------+---------+---+-----+-----+
+ |port| serv name | flags |ttl| id | win |
+ +----+-----------+---------+---+-----+-----+
+ *** buffer overflow detected ***: hping terminated
+ ======= Backtrace: =========
+ /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f746d8]
+ /lib/tls/i686/cmov/libc.so.6[0xb7f72800]
+ hping[0x8050529]
+ hping[0x805100a]
+ hping[0x8049be8]
+ /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e90685]
+ hping[0x8049461]
+ ======= Memory map: ========
+ 08048000-08058000 r-xp 00000000 03:05 1058310 /usr/sbin/hping2
+ 08058000-0805a000 rw-p 0000f000 03:05 1058310 /usr/sbin/hping2
+ 0805a000-08060000 rw-p 00000000 00:00 0
+ 080fb000-0811c000 rw-p 00000000 00:00 0 [heap]
+ b7d98000-b7da5000 r-xp 00000000 03:05 1038415 /lib/libgcc_s.so.1
+ b7da5000-b7da6000 r--p 0000c000 03:05 1038415 /lib/libgcc_s.so.1
+ b7da6000-b7da7000 rw-p 0000d000 03:05 1038415 /lib/libgcc_s.so.1
+ b7db9000-b7e7a000 rw-s 00000000 00:08 1736725 /SYSV00000000 (deleted)
+ b7e7a000-b7fd2000 r-xp 00000000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
+ b7fd2000-b7fd4000 r--p 00158000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
+ b7fd4000-b7fd5000 rw-p 0015a000 03:05 1048034 /lib/tls/i686/cmov/libc-2.8.90.so
+ b7fd5000-b7fd8000 rw-p 00000000 00:00 0
+ b7fea000-b7fec000 rw-p 00000000 00:00 0
+ b7fec000-b8006000 r-xp 00000000 03:05 1038373 /lib/ld-2.8.90.so
+ b8006000-b8007000 rw-p 00000000 00:00 0
+ b8007000-b8008000 r--p 0001a000 03:05 1038373 /lib/ld-2.8.90.so
+ b8008000-b8009000 rw-p 0001b000 03:05 1038373 /lib/ld-2.8.90.so
+ bf8fd000-bf912000 rw-p 00000000 00:00 0 [stack]
+ ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
+ Aborted
+ Not responding ports: (80 www)
+ All replies received. Done.
+
+ root@bt:~# hping -S --scan 80 10.201.1.100
+ Scanning 10.201.1.100 (10.201.1.100), port 80
+ 1 ports to scan, use -V to see all the replies
+ +----+-----------+---------+---+-----+-----+
+ |port| serv name | flags |ttl| id | win |
+ +----+-----------+---------+---+-----+-----+
+ 80 www : .S..A... 127 46672 65535
+ All replies received. Done.
+ Not responding ports:
+
------------------------------------------------------------
...
The following is the old page content
|