projectdiscovery / naabu

A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests
https://projectdiscovery.io
MIT License

occasionally panic when running host discovery concurrently #1125

Open iuliu8899 opened 1 month ago

iuliu8899 commented 1 month ago

Naabu version: v2.3.1

Current Behavior:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x104608420]

goroutine 36 [running]:
net.(*IPConn).WriteTo(0x0, {0x1400126c150, 0x18, 0x18}, {0x105ed7960, 0x14000676b70})
    /Users/qq/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.21.9.darwin-arm64/src/net/iprawsock.go:171 +0x40
github.com/projectdiscovery/naabu/v2/pkg/scan.sendWithConn({0x1400128a8c0, 0xe}, {0x105ee2a90, 0x0}, {0x14001007928, 0x1, 0x1})
    /Users/xx/go/pkg/mod/github.com/projectdiscovery/naabu/v2@v2.3.1/pkg/scan/scan_unix.go:455 +0x1d0
github.com/projectdiscovery/naabu/v2/pkg/scan.sendAsyncTCP4(0x14000324be0, {0x1400128a8c0, 0xe}, 0x1400134d170, 0x0)
    /Users/xx/go/pkg/mod/github.com/projectdiscovery/naabu/v2@v2.3.1/pkg/scan/scan_unix.go:245 +0xfe0
github.com/projectdiscovery/naabu/v2/pkg/scan.SendAsyncPkg(0x14000324be0, {0x1400128a8c0, 0xe}, 0x1400134d170, 0x0)
    /Users/xx/go/pkg/mod/github.com/projectdiscovery/naabu/v2@v2.3.1/pkg/scan/scan_unix.go:164 +0x1bc
github.com/projectdiscovery/naabu/v2/pkg/scan.TransportWriteWorker()
    /Users/xx/go/pkg/mod/github.com/projectdiscovery/naabu/v2@v2.3.1/pkg/scan/scan_unix.go:152 +0xa8
created by github.com/projectdiscovery/naabu/v2/pkg/scan.init.3 in goroutine 1
    /Users/xx/go/pkg/mod/github.com/projectdiscovery/naabu/v2@v2.3.1/pkg/scan/scan_unix.go:119 +0x1504

Debugger finished with the exit code 0

Expected Behavior:

Steps To Reproduce:

package test

import (
    "context"
    "sync"
    "testing"

    "github.com/projectdiscovery/mapcidr"
    "github.com/projectdiscovery/naabu/v2/pkg/result"
    "github.com/projectdiscovery/naabu/v2/pkg/runner"
    "github.com/samber/lo"
)

// Expands the CIDR, splits it into chunks of 5 hosts and runs one naabu
// host-discovery scan per chunk concurrently; this is what triggers the panic.
func TestAliveScanIpConcurrently(t *testing.T) {
    var wg sync.WaitGroup
    ips := make([]string, 0)
    cidr := "192.168.110.32/28"
    if ipStream, err := mapcidr.IPAddressesAsStream(cidr); err == nil {
        for ip := range ipStream {
            ips = append(ips, ip)
        }
    } else {
        t.Error(err)
    }
    aliveIp := make([]string, 0)
    lock := sync.Mutex{}
    for _, ck := range lo.Chunk(ips, 5) {
        wg.Add(1)
        ck := ck
        go func() {
            defer wg.Done()
            res := IpAliveScan(ck)
            lock.Lock()
            defer lock.Unlock()
            aliveIp = append(aliveIp, lo.Intersect(ck, res)...)
            //t.Log(res)
        }()
    }
    wg.Wait()
    t.Log(aliveIp)
}

// IpAliveScan runs a single naabu runner in host-discovery-only mode against
// the given hosts and returns the hosts reported alive via the OnResult callback.
func IpAliveScan(hosts []string) []string {
    var res []string
    var resultLock sync.Mutex
    options := runner.Options{
        Host:              hosts,
        ScanType:          runner.SynScan,
        OnlyHostDiscovery: true,
        OnResult: func(hr *result.HostResult) {
            resultLock.Lock()
            defer resultLock.Unlock()
            res = append(res, hr.Host)
        },
        DisableUpdateCheck:          true,
        Retries:                     runner.DefaultRetriesSynScan,
        Rate:                        runner.DefaultRateSynScan,
        Threads:                     25,
        Timeout:                     runner.DefaultPortTimeoutSynScan,
        WarmUpTime:                  2,
        IcmpEchoRequestProbe:        true,
        IcmpAddressMaskRequestProbe: true,
        IcmpTimestampRequestProbe:   true,
        ArpPing:                     true,
        TcpAckPingProbes:            []string{"80", "443", "8080", "8443"},
        TcpSynPingProbes:            []string{"80", "443", "8080", "8443"},
    }

    naabuRunner, err := runner.NewRunner(&options)
    if err != nil {
        return nil
    }
    defer naabuRunner.Close()

    err = naabuRunner.RunEnumeration(context.Background())
    if err != nil {
        return nil
    }
    return res
}

Anything else:

You can easily reproduce it by using a larger CIDR address.

dogancanbakir commented 1 month ago

I couldn't repro the issue - used the dev branch for testing.

iuliu8899 commented 1 month ago

I couldn't repro the issue - used the dev branch for testing.

... idk why, but I reproduced that in the dev branch as well.

Here is the path when the panic occurred:

  1. log "syn scan is not possible, falling back to connect scan" (scan.go, line: 173)
  2. change scan type to "c", then acquire handler again
  3. call NewListenHandler() at scan_common.go, line: 51
  4. NewListenHandler does not init TcpConn4 chan
  5. sendWithConn(ip, listenHandler.TcpConn4, &tcp) called at scan_unix.go, line: 245
  6. conn.WriteTo(buf.Bytes(), &net.IPAddr{IP: net.ParseIP(destIP)}) called at scan_unix.go, line: 455
  7. panic at !c.ok() at go/src/net/iprawsock.go, line: 171

idk why it panics, since c.ok() checks for a nil pointer... but it happens.

my device is Apple M1 Pro, macOS 14.5, go version go1.21.8 darwin/arm64.
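An added illustration, not code from this thread or from naabu, of why the c.ok() check in step 7 does not prevent the crash and how a write helper can refuse a nil raw socket instead of panicking. (*net.IPConn).WriteTo is called on a nil *IPConn; ok() is promoted from the embedded conn struct, so evaluating c.conn dereferences the nil pointer before the check ever runs. The two-word {0x105ee2a90, 0x0} value in the trace is consistent with an interface holding a typed nil pointer, which also passes a plain conn != nil check; that the parameter is an interface is an assumption here. The packetWriter, isNilConn, unsafeSend and safeSend names are hypothetical, and the payload and destination are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"reflect"
)

// packetWriter stands in for the interface type a helper like sendWithConn is
// assumed to receive. *net.IPConn satisfies it.
type packetWriter interface {
	WriteTo(b []byte, addr net.Addr) (int, error)
}

var errNilConn = errors.New("raw socket not initialised (nil conn)")

// isNilConn reports whether w is a nil interface or an interface holding a
// nil pointer (a "typed nil"), the case that slips past `w != nil`.
func isNilConn(w packetWriter) bool {
	if w == nil {
		return true
	}
	v := reflect.ValueOf(w)
	return v.Kind() == reflect.Ptr && v.IsNil()
}

// unsafeSend mirrors the failing call path: the interface nil check passes,
// WriteTo runs on a nil *net.IPConn and panics inside c.ok(). The deferred
// recover only exists so the demo reports the panic instead of crashing.
func unsafeSend(w packetWriter, payload []byte, dst string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	if w == nil {
		return errNilConn
	}
	_, err = w.WriteTo(payload, &net.IPAddr{IP: net.ParseIP(dst)})
	return err
}

// safeSend is the hardened form: it rejects a typed-nil connection before
// anything dereferences it and returns an error the caller can surface.
func safeSend(w packetWriter, payload []byte, dst string) error {
	if isNilConn(w) {
		return errNilConn
	}
	_, err := w.WriteTo(payload, &net.IPAddr{IP: net.ParseIP(dst)})
	return err
}

func main() {
	var conn *net.IPConn // never opened, like TcpConn4 after the fallback path
	payload := []byte("constructed sample payload")
	fmt.Println("unsafeSend:", unsafeSend(conn, payload, "192.0.2.1"))
	fmt.Println("safeSend:  ", safeSend(conn, payload, "192.0.2.1"))
}
```

The practical takeaway for the scanner is that a nil check on the interface value is not enough; either check the dynamic value as isNilConn does, or, better, never hand a listen handler whose sockets were not opened to the write workers in the first place.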

dogancanbakir commented 3 weeks ago

Still the same for me.

@RamanaReddy0M Can you also try to reproduce this, please? Thanks!

RamanaReddy0M commented 3 weeks ago

I also couldn't reproduce the issue - dev branch

dogancanbakir commented 3 weeks ago

@iuliu8899 Can you provide the specific error message that appears when you attempt to use the dev branch?

iuliu8899 commented 3 weeks ago

GOROOT=/usr/local/go #gosetup
GOPATH=/Users/qq/go #gosetup
GONOPROXY= #gosetup
/usr/local/go/bin/go test -c -o /Users/qq/Library/Caches/JetBrains/GoLand2024.1/tmp/GoLand/___TestAliveScanIpConcurrently_in_test.test -gcflags all=-N -l test #gosetup
/usr/local/go/bin/go tool test2json -t /Applications/GoLand.app/Contents/plugins/go-plugin/lib/dlv/macarm/dlv --listen=127.0.0.1:56190 --headless=true --api-version=2 --check-go-version=false --only-same-user=false exec /Users/qq/Library/Caches/JetBrains/GoLand2024.1/tmp/GoLand/___TestAliveScanIpConcurrently_in_test.test -- -test.v -test.paniconexit0 -test.run ^\QTestAliveScanIpConcurrently\E$
API server listening at: 127.0.0.1:56190
=== RUN   TestAliveScanIpConcurrently
[INF] Running host discovery scan
[INF] syn scan is not possible, falling back to connect scan
[INF] Running host discovery scan
[INF] syn scan is not possible, falling back to connect scan
[INF] syn scan is not possible, falling back to connect scan
[INF] Running host discovery scan
[INF] Running host discovery scan
[INF] Found alive host 192.168.110.112 (192.168.110.112)
192.168.110.112
[INF] Found alive host 192.168.110.42 (192.168.110.42)
192.168.110.42
[INF] Found alive host 192.168.110.43 (192.168.110.43)
192.168.110.43
[INF] Found alive host 192.168.110.32 (192.168.110.32)
192.168.110.32
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x104c45a90]

goroutine 31 [running]:
net.(*IPConn).WriteTo(0x0, {0x14000026c90, 0x18, 0x18}, {0x106557680, 0x14000309710})
    /usr/local/go/src/net/iprawsock.go:171 +0x40
github.com/projectdiscovery/naabu/v2/pkg/scan.sendWithConn({0x140010293a0, 0xe}, {0x106562850, 0x0}, {0x14001119928, 0x1, 0x1})
    /Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:455 +0x1d0
github.com/projectdiscovery/naabu/v2/pkg/scan.sendAsyncTCP4(0x140005f86e0, {0x140010293a0, 0xe}, 0x14000b13038, 0x0)
    /Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:245 +0xfe0
github.com/projectdiscovery/naabu/v2/pkg/scan.SendAsyncPkg(0x140005f86e0, {0x140010293a0, 0xe}, 0x14000b13038, 0x0)
    /Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:164 +0x1bc
github.com/projectdiscovery/naabu/v2/pkg/scan.TransportWriteWorker()
    /Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:152 +0xa8
created by github.com/projectdiscovery/naabu/v2/pkg/scan.init.3 in goroutine 1
    /Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:119 +0x1504

Debugger finished with the exit code 0

@dogancanbakir @RamanaReddy0M

dogancanbakir commented 3 weeks ago

@iuliu8899 I've pushed a branch called debug_nil_deref. Can you please try with that branch and send us the output? Thanks!

iuliu8899 commented 3 weeks ago

GOROOT=/usr/local/go #gosetup
GOPATH=/Users/qq/go #gosetup
GONOPROXY= #gosetup
/usr/local/go/bin/go test -c -o /Users/qq/Library/Caches/JetBrains/GoLand2024.1/tmp/GoLand/___TestAliveScanIpConcurrently_in_test.test -gcflags all=-N -l test #gosetup
/usr/local/go/bin/go tool test2json -t /Applications/GoLand.app/Contents/plugins/go-plugin/lib/dlv/macarm/dlv --listen=127.0.0.1:64480 --headless=true --api-version=2 --check-go-version=false --only-same-user=false exec /Users/qq/Library/Caches/JetBrains/GoLand2024.1/tmp/GoLand/___TestAliveScanIpConcurrently_in_test.test -- -test.v -test.paniconexit0 -test.run ^\QTestAliveScanIpConcurrently\E$
API server listening at: 127.0.0.1:64480
[INF] Initialized TcpConn4: &{{0x14000c3a300}}
[INF] Initialized UdpConn4: &{{0x14000c3a380}}
[INF] Initialized TcpConn6: &{{0x14000c3a400}}
[INF] Initialized UdpConn6: &{{0x14000c3a480}}
=== RUN   TestAliveScanIpConcurrently
[INF] Running host discovery scan
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] TcpConn4 before sendWithConn: &{{0x14000c3a300}}
[INF] syn scan is not possible, falling back to connect scan
[INF] syn scan is not possible, falling back to connect scan
[INF] Running host discovery scan
[INF] TcpConn4 before sendWithConn: <nil>
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1027c1490]

goroutine 15 [running]:
net.(*IPConn).WriteTo(0x0, {0x14000c92060, 0x18, 0x18}, {0x1040d3680, 0x14000d1a450})
    /usr/local/go/src/net/iprawsock.go:171 +0x40
github.com/projectdiscovery/naabu/v2/pkg/scan.sendWithConn({0x14000a9f190, 0xe}, {0x1040de850, 0x0}, {0x14000d7f900, 0x1, 0x1})
    /Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:465 +0x1d0
github.com/projectdiscovery/naabu/v2/pkg/scan.sendAsyncTCP4(0x140006a4b40, {0x14000a9f190, 0xe}, 0x14000c391a0, 0x0)
    /Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:252 +0x1070
github.com/projectdiscovery/naabu/v2/pkg/scan.SendAsyncPkg(0x140006a4b40, {0x14000a9f190, 0xe}, 0x14000c391a0, 0x0)
    /Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:170 +0x1bc
github.com/projectdiscovery/naabu/v2/pkg/scan.TransportWriteWorker()
    /Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:158 +0xa8
created by github.com/projectdiscovery/naabu/v2/pkg/scan.init.3 in goroutine 1
    /Users/qq/opensource/naabu/v2/pkg/scan/scan_unix.go:125 +0x1744

Debugger finished with the exit code 0

@dogancanbakir