stack smashing errors with SSH and MySQL modules in Ubuntu 16.04 box #9

Open
cldrn opened this issue Apr 25, 2016 · 5 comments

@cldrn
Member

cldrn commented Apr 25, 2016

I get segmentation fault errors when trying the SSH and MySQL modules against a Ubuntu 16.04 box.

# ncrack --user root mysql://127.0.0.1 -d9 -v
Fetchfile found /usr/local/share/ncrack/default.pwd

Starting Ncrack 0.5 ( http://ncrack.org ) at 2016-04-25 11:34 PDT

mysql://127.0.0.1:3306 (EID 1) Initiating new Connection
mysql://127.0.0.1:3306 pushed to list FULL
*** stack smashing detected ***: ncrack terminated
Aborted (core dumped)

/ncrack-0.5# ncrack --user admin --pass admin 127.0.0.1:22 -d9 -v

Starting Ncrack 0.5 ( http://ncrack.org ) at 2016-04-25 11:31 PDT

ssh://127.0.0.1:22 (EID 1) Initiating new Connection
ssh://127.0.0.1:22 pushed to list FULL
Discovered credentials on ssh://127.0.0.1:22 'admin' 'admin'
ssh://127.0.0.1:22 popped from list FULL
ssh://127.0.0.1:22 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 12.52 
ssh://127.0.0.1:22 (EID 2) Initiating new Connection
ssh://127.0.0.1:22 (EID 3) Initiating new Connection
ssh://127.0.0.1:22 (EID 4) Initiating new Connection
ssh://127.0.0.1:22 (EID 5) Initiating new Connection
ssh://127.0.0.1:22 (EID 6) Initiating new Connection
ssh://127.0.0.1:22 (EID 7) Initiating new Connection
ssh://127.0.0.1:22 (EID 8) Initiating new Connection
ssh://127.0.0.1:22 (EID 9) Initiating new Connection
ssh://127.0.0.1:22 (EID 10) Initiating new Connection
ssh://127.0.0.1:22 (EID 11) Initiating new Connection
ssh://127.0.0.1:22 pushed to list FULL
Segmentation fault (core dumped)

Any ideas?

@ithilgore
Collaborator

Could you please run Ncrack with gdb and print a stack trace? Thanks
$ gdb ncrack
(gdb) run --user root mysql://127.0.0.1 -d9 -v
...
(seg fault)
(gdb) i s
(gdb) i f

@cldrn
Member Author

cldrn commented Apr 26, 2016

(gdb) run
Starting program: /usr/local/bin/ncrack --user root mysql://127.0.0.1 -d9 -v
Fetchfile found /usr/local/share/ncrack/default.pwd

Starting Ncrack 0.5 ( http://ncrack.org ) at 2016-04-25 17:22 PDT

mysql://127.0.0.1:3306 (EID 1) Initiating new Connection
mysql://127.0.0.1:3306 pushed to list FULL
*** stack smashing detected ***: /usr/local/bin/ncrack terminated

Program received signal SIGABRT, Aborted.
0x00007ffff6ade418 in __GI_raise (sig=sig@entry=6)
at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) i s
#0 0x00007ffff6ade418 in __GI_raise (sig=sig@entry=6)
at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007ffff6ae001a in __GI_abort () at abort.c:89
#2 0x00007ffff6b2072a in __libc_message (do_abort=do_abort@entry=1,
fmt=fmt@entry=0x7ffff6c37c7f "*** %s ***: %s terminated\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff6bc189c in __GI___fortify_fail (msg=<optimized out>,
msg@entry=0x7ffff6c37c61 "stack smashing detected") at fortify_fail.c:37
#4 0x00007ffff6bc1840 in __stack_chk_fail () at stack_chk_fail.c:28
#5 0x0000000000426796 in ?? ()
#6 0x0000000000426843 in ?? ()
#7 0x0000000000409314 in ?? ()
#8 0x000000000042bf98 in ?? ()
#9 0x0000000000429b79 in ?? ()
#10 0x000000000042de29 in ?? ()
#11 0x0000000000429650 in ?? ()
#12 0x000000000040b538 in ?? ()
#13 0x000000000040748b in ?? ()
#14 0x00007ffff6ac9830 in __libc_start_main (main=0x407450, argc=6,
argv=0x7fffffffe5f8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe5e8)
at ../csu/libc-start.c:291
#15 0x0000000000407689 in ?? ()
(gdb) i f
Stack level 0, frame at 0x7fffffffc360:
rip = 0x7ffff6ade418 in __GI_raise (../sysdeps/unix/sysv/linux/raise.c:54);
saved rip = 0x7ffff6ae001a
called by frame at 0x7fffffffc490
source language c.
Arglist at 0x7fffffffc350, args: sig=sig@entry=6
Locals at 0x7fffffffc350, Previous frame's sp is 0x7fffffffc360
Saved registers:
rip at 0x7fffffffc358

@yosh-se

yosh-se commented Sep 12, 2016

I'm having a similar / the same issue.

I ran ncrack with three usernames and four passwords.

After a successful login, it does a "popped from list FULL" and then "pushed to list FULL".
Between those operations the last password in my password array gets turned to NULL or random bits.

I ran a scan 10 times with the same options and got these three different endings.

ssh://x:22 pushed to list FULL
Segmentation fault

---

ssh://x:22 pushed to list FULL
appendToPool: tried to append NULL password into pair pool
QUITTING!

---

ssh://x:22 pushed to list FULL
ssh://x:22 Pool: Append 'username-2' 'x«À�' 
ssh://x:22 (EID 24) closed on us in the middle of authentication!
ssh://x:22 (EID 24) Connection closed by peer
ssh://x:22 (EID 24) Dropping connection limit due to connection error to: 45
ssh://x:22 (EID 24) Attempts: total 5 completed 4 supported 4 --- rate 0.68 
Segmentation fault

If I specify the -f option I do not hit this issue as often.

Please let me know if you need anything else.

@neiltylerbell

FYI -- I'm seeing this same issue running against a single username, a list of 5 passwords and a list of hosts. It appears to get through some of the hosts and then segfaults, but other times it won't get through any and segfaults.

Running on the official kali docker image.

@ithilgore
Collaborator

Thanks for your reports! I will look into it.

chris-pcguy added a commit to chris-pcguy/ncrack that referenced this issue May 27, 2019
The printf returns "mysql_native_password" with three 0xff-bytes at the end.

You might want to put that band-aid at the "packet_number == 2"-condition too, but having it at the "packet_number == 0"-condition seems to be enough to avoid a crash.

Tested on Ubuntu 19.04 with a local MySQL server:
ncrack --user root --pass root mysql://127.0.0.0/31

Signed-off-by: Christian Inci <chris.gh@broke-the-inter.net>
chris-pcguy added a commit to chris-pcguy/ncrack that referenced this issue May 28, 2019
The "packet_number == 2"-condition is also affected.

The (added) printf returns "caching_sha2_password" with three 0xff-bytes at the end.

Tested with MySQL 8. It crashed while having a single target selected too. (mysql://x.x.x.x/32 or just mysql://x.x.x.x/)

Signed-off-by: Christian Inci <chris.gh@broke-the-inter.net>
ithilgore added a commit that referenced this issue Jun 2, 2019
Band-aid for MySQL (Probably a part of #9)
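The commit messages above describe the classic signature of a string copied without its terminator: the auth-plugin name comes out of printf as "mysql_native_password" or "caching_sha2_password" followed by stray 0xff bytes, and the stack protector then fires because the copy ran past a fixed-size local buffer. The following is an added example, not ncrack's code and not the fix that was merged: a hypothetical bounds-checked parser that walks a MySQL HandshakeV10 body, refuses a packet whose plugin-name field has no NUL inside the packet, and only copies the name when it fits in the caller's buffer with its terminator. The handshake bytes it parses are constructed inline (server version "5.7.12", dummy auth data, capability flags CLIENT_PLUGIN_AUTH and CLIENT_SECURE_CONNECTION), not captured from a real server, and `mysql_handshake_plugin_name` and `build_sample_handshake` are names chosen for this example.

```c
/* Added example (not ncrack's code): bounds-checked extraction of the
 * auth-plugin name from a constructed MySQL HandshakeV10 packet body. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Capability bits from the MySQL client/server protocol. */
#define CLIENT_SECURE_CONNECTION 0x00008000u
#define CLIENT_PLUGIN_AUTH       0x00080000u

/* Locate a NUL-terminated string at pkt[*pos] without reading past len.
 * Returns its start, stores its length in *slen and advances *pos past the
 * terminator; returns NULL if no terminator lies inside the packet, which
 * is exactly the case an unbounded strlen/strcpy turns into an over-read
 * and trailing garbage bytes. */
static const uint8_t *bounded_cstr(const uint8_t *pkt, size_t len,
                                   size_t *pos, size_t *slen)
{
    if (*pos >= len)
        return NULL;
    const uint8_t *start = pkt + *pos;
    const uint8_t *nul = memchr(start, 0, len - *pos);
    if (nul == NULL)
        return NULL;
    *slen = (size_t)(nul - start);
    *pos += *slen + 1;
    return start;
}

/* Walk a HandshakeV10 body (4-byte packet header already stripped) and copy
 * the auth-plugin name into out, always NUL-terminated. Returns 0 on
 * success, -1 for a truncated/malformed packet or a name that does not fit. */
int mysql_handshake_plugin_name(const uint8_t *pkt, size_t len,
                                char *out, size_t outlen)
{
    size_t pos = 0, slen = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';

    if (len < 1 || pkt[pos++] != 10)                 /* protocol version 10 */
        return -1;
    if (bounded_cstr(pkt, len, &pos, &slen) == NULL) /* server version */
        return -1;
    if (len - pos < 31)                              /* fixed fields below */
        return -1;
    pos += 4 + 8 + 1;                                /* conn id, auth data 1, filler */
    uint32_t caps = (uint32_t)pkt[pos] | ((uint32_t)pkt[pos + 1] << 8);
    pos += 2 + 1 + 2;                                /* caps low, charset, status */
    caps |= ((uint32_t)pkt[pos] | ((uint32_t)pkt[pos + 1] << 8)) << 16;
    pos += 2;
    uint8_t auth_data_len = pkt[pos++];
    pos += 10;                                       /* reserved */

    if (caps & CLIENT_SECURE_CONNECTION) {           /* part 2: max(13, len-8) */
        size_t part2 = auth_data_len > 21 ? (size_t)auth_data_len - 8 : 13;
        if (len - pos < part2)
            return -1;
        pos += part2;
    }
    if (!(caps & CLIENT_PLUGIN_AUTH))
        return -1;                                   /* no plugin-name field */

    const uint8_t *name = bounded_cstr(pkt, len, &pos, &slen);
    if (name == NULL || slen >= outlen)              /* unterminated or too long */
        return -1;
    memcpy(out, name, slen);
    out[slen] = '\0';
    return 0;
}

/* Build a constructed (not captured) handshake body advertising the given
 * plugin; terminate=0 drops the trailing NUL to mimic a truncated packet. */
size_t build_sample_handshake(uint8_t *buf, size_t buflen,
                              const char *plugin, int terminate)
{
    static const char version[] = "5.7.12";          /* constructed value */
    size_t plen = strlen(plugin);
    size_t need = 1 + sizeof version + 31 + 13 + plen + (terminate ? 1 : 0);
    if (need > buflen)
        return 0;
    uint32_t caps = CLIENT_PLUGIN_AUTH | CLIENT_SECURE_CONNECTION;
    size_t p = 0;
    buf[p++] = 10;
    memcpy(buf + p, version, sizeof version); p += sizeof version;
    memset(buf + p, 0x01, 4); p += 4;                /* connection id */
    memset(buf + p, 'a', 8);  p += 8;                /* auth data part 1 */
    buf[p++] = 0;                                    /* filler */
    buf[p++] = (uint8_t)(caps & 0xff); buf[p++] = (uint8_t)((caps >> 8) & 0xff);
    buf[p++] = 0x21;                                 /* utf8_general_ci */
    buf[p++] = 0x02; buf[p++] = 0x00;                /* status: autocommit */
    buf[p++] = (uint8_t)((caps >> 16) & 0xff); buf[p++] = (uint8_t)((caps >> 24) & 0xff);
    buf[p++] = 21;                                   /* auth data length */
    memset(buf + p, 0, 10); p += 10;                 /* reserved */
    memset(buf + p, 'b', 12); buf[p + 12] = 0; p += 13; /* auth data part 2 */
    memcpy(buf + p, plugin, plen); p += plen;
    if (terminate)
        buf[p++] = 0;
    return p;
}

int main(void)
{
    uint8_t pkt[128];
    char name[32];
    size_t n = build_sample_handshake(pkt, sizeof pkt, "mysql_native_password", 1);
    printf("terminated:   rc=%d name=%s\n",
           mysql_handshake_plugin_name(pkt, n, name, sizeof name), name);
    n = build_sample_handshake(pkt, sizeof pkt, "caching_sha2_password", 0);
    printf("unterminated: rc=%d\n",
           mysql_handshake_plugin_name(pkt, n, name, sizeof name));
    return 0;
}
```

The design point is that every variable-length field is located with `memchr` over the bytes that remain in the packet, so a peer that omits the terminator produces an error return rather than a read into whatever lies after the buffer; the caller's buffer size is likewise checked before the copy, which is the condition the stack protector reported as "stack smashing detected" in the traces above.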