
Nmap 7.80 segfault in http-robots.txt when scanning HP Printer #1723

Closed
fyodor opened this issue Sep 4, 2019 · 4 comments
Comments

@fyodor
Member

fyodor commented Sep 4, 2019

I haven't completely investigated this, but Nmap 7.80 on Windows 10 is crashing with a segfault when I scan my HP OfficeJet Pro 8720 against port 80 using the http-robots.txt script. I have tried using a Windows 10 VM and also Windows 10 on a Dell XPS 12 laptop. The bug might be in the HTTP library rather than the script. I do not get the crash when I scan using the same command with latest SVN build (9/3/19) from Linux. This seems to be a regression with Nmap 7.80 as it does not happen if I downgrade the Windows VM to Nmap version 7.70. I have attached a screenshot of the crash.

[attached screenshot: nmap-segfault-hp-printer-p80-screenshot]

@dmiller-nmap

Thanks for the report!

What is the output between "Starting http-robots.txt" and "Segmentation fault" when you add --script-trace to the scan?

Does this happen with Nmap 7.80 for Linux or other platforms besides Windows?

@fyodor
Member Author

fyodor commented Sep 5, 2019

The crash only occurs for me on Windows for some reason. Here are the --script-trace results on Windows 10 (crash) and then the same on Linux (no crash):

Windows 10 Scan --script-trace content:

NSE: Script scanning 192.168.1.20.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 01:45
NSE: Starting http-robots.txt against print.titan.net (192.168.1.20:80).
NSE: TCP 192.168.122.45:4533 > 192.168.1.20:80 | CONNECT
NSE: TCP 192.168.122.45:4533 > 192.168.1.20:80 | 00000000: 16 03 00 00 69 01 00 00 65 03 03 55 1c a7 e4 72 i e U r
00000010: 61 6e 64 6f 6d 31 72 61 6e 64 6f 6d 32 72 61 6e andom1random2ran
00000020: 64 6f 6d 33 72 61 6e 64 6f 6d 34 00 00 0c 00 2f dom3random4 /
00000030: 00 0a 00 13 00 39 00 04 00 ff 01 00 00 30 00 0d 9 0
00000040: 00 2c 00 2a 00 01 00 03 00 02 06 01 06 03 06 02 , *
00000050: 02 01 02 03 02 02 03 01 03 03 03 02 04 01 04 03
00000060: 04 02 01 01 01 03 01 02 05 01 05 03 05 02

NSE: TCP 192.168.122.45:4533 > 192.168.1.20:80 | SEND
NSE: TCP 192.168.122.45:4533 > 192.168.1.20:80 | CLOSE
NSE: TCP 192.168.122.45:4534 > 192.168.1.20:80 | CONNECT
NSE: TCP 192.168.122.45:4534 > 192.168.1.20:80 | 00000000: 16 03 00 00 53 01 00 00 4f 03 00 3f 47 d7 f7 ba S O ?G
00000010: 2c ee ea b2 60 7e f3 00 fd 82 7b b9 d5 96 c8 77 , ~ { w
00000020: 9b e6 c4 db 3c 3d db 6f ef 10 6e 00 00 28 00 16 <= o n (
00000030: 00 13 00 0a 00 66 00 05 00 04 00 65 00 64 00 63 f e d c
00000040: 00 62 00 61 00 60 00 15 00 12 00 09 00 14 00 11 b a
00000050: 00 08 00 06 00 03 01 00

NSE: TCP 192.168.122.45:4534 > 192.168.1.20:80 | SEND
NSE: TCP 192.168.122.45:4534 > 192.168.1.20:80 | CLOSE
NSE: TCP 192.168.122.45:4535 > 192.168.1.20:80 | CONNECT
NSE: TCP 192.168.122.45:4535 > 192.168.1.20:80 | 00000000: 47 45 54 20 2f 72 6f 62 6f 74 73 2e 74 78 74 20 GET /robots.txt
00000010: 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 HTTP/1.1 Host:
00000020: 70 72 69 6e 74 2e 74 69 74 61 6e 2e 6e 65 74 0d print.titan.net
00000030: 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f Connection: clo
00000040: 73 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 se User-Agent:
00000050: 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 63 6f 6d Mozilla/5.0 (com
00000060: 70 61 74 69 62 6c 65 3b 20 4e 6d 61 70 20 53 63 patible; Nmap Sc
00000070: 72 69 70 74 69 6e 67 20 45 6e 67 69 6e 65 3b 20 ripting Engine;
00000080: 68 74 74 70 73 3a 2f 2f 6e 6d 61 70 2e 6f 72 67 https://nmap.org
00000090: 2f 62 6f 6f 6b 2f 6e 73 65 2e 68 74 6d 6c 29 0d /book/nse.html)
000000a0: 0a 0d 0a

NSE: TCP 192.168.122.45:4535 > 192.168.1.20:80 | SEND
NSE: TCP 192.168.122.45:4535 < 192.168.1.20:80 | 00000000: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK
00000010: 0a 53 65 72 76 65 72 3a 20 48 50 20 48 54 54 50 Server: HP HTTP
00000020: 20 53 65 72 76 65 72 3b 20 48 50 20 48 50 20 4f Server; HP HP O
00000030: 66 66 69 63 65 4a 65 74 20 50 72 6f 20 38 37 32 fficeJet Pro 872
00000040: 30 20 2d 20 4d 39 4c 37 34 41 3b 20 53 65 72 69 0 - M9L74A; Seri
00000050: 61 6c 20 4e 75 6d 62 65 72 3a 20 43 4e 38 37 50 al Number: CN87P
00000060: 43 36 32 42 52 3b 20 42 75 69 6c 74 3a 46 72 69 C62BR; Built:Fri
00000070: 20 4d 61 79 20 31 30 2c 20 32 30 31 39 20 31 31 May 10, 2019 11
00000080: 3a 35 30 3a 32 37 41 4d 20 7b 57 4d 50 31 43 4e :50:27AM {WMP1CN
00000090: 31 39 31 39 42 52 7d 0d 0a 43 6f 6e 74 65 6e 74 1919BR} Content
000000a0: 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 0d -Encoding: gzip
000000b0: 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 Content-Type: t
000000c0: 65 78 74 2f 70 6c 61 69 6e 0d 0a 4c 61 73 74 2d ext/plain Last-
000000d0: 4d 6f 64 69 66 69 65 64 3a 20 46 72 69 2c 20 31 Modified: Fri, 1
000000e0: 30 20 4d 61 79 20 32 30 31 39 20 31 31 3a 35 30 0 May 2019 11:50
000000f0: 3a 32 37 20 47 4d 54 0d 0a 43 61 63 68 65 2d 43 :27 GMT Cache-C
00000100: 6f 6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d ontrol: max-age=
00000110: 31 38 30 0d 0a 58 2d 43 6f 6e 74 65 6e 74 2d 54 180 X-Content-T
00000120: 79 70 65 2d 4f 70 74 69 6f 6e 73 3a 20 6e 6f 73 ype-Options: nos
00000130: 6e 69 66 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 61 niff Content-La
00000140: 6e 67 75 61 67 65 3a 20 65 6e 0d 0a 43 6f 6e 74 nguage: en Cont
00000150: 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 36 0d 0a ent-Length: 46
00000160: 0d 0a

Segmentation fault

Fyodor@Doze81 ~

Nmap 7.80 on Linux (successful run) --script-trace output:

NSE: Script scanning 192.168.1.20.
Initiating NSE at 17:51
NSOCK INFO [1.2750s] nsock_trace_handler_callback(): Callback: CONNECT TIMEOUT for EID 8 [192.168.1.20:80]
NSE: TCP 192.168.1.232:47466 > 192.168.1.20:80 | CONNECT
NSE: TCP 192.168.1.232:47466 > 192.168.1.20:80 | CLOSE
NSOCK INFO [1.2750s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [1.2750s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [1.2760s] nsock_connect_tcp(): TCP connection requested to 192.168.1.20:80 (IOD #2) EID 16
NSOCK INFO [2.2760s] nsock_trace_handler_callback(): Callback: CONNECT TIMEOUT for EID 16 [192.168.1.20:80]
NSE: TCP 192.168.1.232:47468 > 192.168.1.20:80 | CONNECT
NSE: TCP 192.168.1.232:47468 > 192.168.1.20:80 | CLOSE
NSOCK INFO [2.2760s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
NSOCK INFO [2.2760s] nsock_iod_new2(): nsock_iod_new (IOD #3)
NSOCK INFO [2.2760s] nsock_connect_tcp(): TCP connection requested to 192.168.1.20:80 (IOD #3) EID 24
NSOCK INFO [2.3380s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 24 [192.168.1.20:80]
NSE: TCP 192.168.1.232:47470 > 192.168.1.20:80 | CONNECT
NSE: TCP 192.168.1.232:47470 > 192.168.1.20:80 | 00000000: 47 45 54 20 2f 72 6f 62 6f 74 73 2e 74 78 74 20 GET /robots.txt
00000010: 48 54 54 50 2f 31 2e 31 0d 0a 55 73 65 72 2d 41 HTTP/1.1 User-A
00000020: 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e gent: Mozilla/5.
00000030: 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4e 0 (compatible; N
00000040: 6d 61 70 20 53 63 72 69 70 74 69 6e 67 20 45 6e map Scripting En
00000050: 67 69 6e 65 3b 20 68 74 74 70 73 3a 2f 2f 6e 6d gine; https://nm
00000060: 61 70 2e 6f 72 67 2f 62 6f 6f 6b 2f 6e 73 65 2e ap.org/book/nse.
00000070: 68 74 6d 6c 29 0d 0a 48 6f 73 74 3a 20 70 72 69 html) Host: pri
00000080: 6e 74 2e 74 69 74 61 6e 2e 6e 65 74 0d 0a 43 6f nt.titan.net Co
00000090: 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d nnection: close
000000a0: 0a 0d 0a

NSOCK INFO [2.3390s] nsock_write(): Write request for 163 bytes to IOD #3 EID 35 [192.168.1.20:80]
NSOCK INFO [2.3390s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.168.1.20:80]
NSE: TCP 192.168.1.232:47470 > 192.168.1.20:80 | SEND
NSOCK INFO [2.3390s] nsock_read(): Read request from IOD #3 [192.168.1.20:80] (timeout: 7000ms) EID 42
NSOCK INFO [2.3560s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 42 [192.168.1.20:80] (354 bytes)
NSE: TCP 192.168.1.232:47470 < 192.168.1.20:80 | 00000000: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d HTTP/1.1 200 OK
00000010: 0a 53 65 72 76 65 72 3a 20 48 50 20 48 54 54 50 Server: HP HTTP
00000020: 20 53 65 72 76 65 72 3b 20 48 50 20 48 50 20 4f Server; HP HP O
00000030: 66 66 69 63 65 4a 65 74 20 50 72 6f 20 38 37 32 fficeJet Pro 872
00000040: 30 20 2d 20 4d 39 4c 37 34 41 3b 20 53 65 72 69 0 - M9L74A; Seri
00000050: 61 6c 20 4e 75 6d 62 65 72 3a 20 43 4e 38 37 50 al Number: CN87P
00000060: 43 36 32 42 52 3b 20 42 75 69 6c 74 3a 46 72 69 C62BR; Built:Fri
00000070: 20 4d 61 79 20 31 30 2c 20 32 30 31 39 20 31 31 May 10, 2019 11
00000080: 3a 35 30 3a 32 37 41 4d 20 7b 57 4d 50 31 43 4e :50:27AM {WMP1CN
00000090: 31 39 31 39 42 52 7d 0d 0a 43 6f 6e 74 65 6e 74 1919BR} Content
000000a0: 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 0d -Encoding: gzip
000000b0: 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 Content-Type: t
000000c0: 65 78 74 2f 70 6c 61 69 6e 0d 0a 4c 61 73 74 2d ext/plain Last-
000000d0: 4d 6f 64 69 66 69 65 64 3a 20 46 72 69 2c 20 31 Modified: Fri, 1
000000e0: 30 20 4d 61 79 20 32 30 31 39 20 31 31 3a 35 30 0 May 2019 11:50
000000f0: 3a 32 37 20 47 4d 54 0d 0a 43 61 63 68 65 2d 43 :27 GMT Cache-C
00000100: 6f 6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d ontrol: max-age=
00000110: 31 38 30 0d 0a 58 2d 43 6f 6e 74 65 6e 74 2d 54 180 X-Content-T
00000120: 79 70 65 2d 4f 70 74 69 6f 6e 73 3a 20 6e 6f 73 ype-Options: nos
00000130: 6e 69 66 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 61 niff Content-La
00000140: 6e 67 75 61 67 65 3a 20 65 6e 0d 0a 43 6f 6e 74 nguage: en Cont
00000150: 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 34 36 0d 0a ent-Length: 46
00000160: 0d 0a

NSOCK INFO [2.3580s] nsock_read(): Read request from IOD #3 [192.168.1.20:80] (timeout: 7000ms) EID 50
NSOCK INFO [2.3640s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [192.168.1.20:80] (46 bytes): ...........-N-.MLO.+.R..r.,N.../.R....B.......
NSE: TCP 192.168.1.232:47470 < 192.168.1.20:80 | 00000000: 1f 8b 08 00 00 00 00 00 02 03 0b 2d 4e 2d d2 4d -N- M
00000010: 4c 4f cd 2b b1 52 d0 e2 72 c9 2c 4e cc c9 c9 2f LO + R r ,N /
00000020: b7 52 d0 e7 02 00 42 84 a4 8f 1a 00 00 00 R B

NSE: TCP 192.168.1.232:47470 > 192.168.1.20:80 | CLOSE
NSOCK INFO [2.3650s] nsock_iod_delete(): nsock_iod_delete (IOD #3)
Completed NSE at 17:51, 2.09s elapsed
Nmap scan report for print.titan.net (192.168.1.20)
Host is up (0.0072s latency).

PORT STATE SERVICE
80/tcp open http
| http-robots.txt: 1 disallowed entry
|_/

NSE: Script Post-scanning.
Initiating NSE at 17:51
Completed NSE at 17:51, 0.00s elapsed
Read data files from: /t/crap/nmap-7.80
Nmap done: 1 IP address (1 host up) scanned in 2.38 seconds
fyodor@Sea:/t/crap/nmap-7.80$

@nnposter

nnposter commented Sep 5, 2019

Assuming that the nmap process on Windows in fact received the HTTP response body before it crashed (and before it had a chance to flush the screen output buffer), then one suspect could be the zlib integration. Note that the HTTP response is using gzip content encoding.

Unlike the HTTP library, zlib is native code, so a hard crash would be natural. There was no HTTP support for gzip in 7.70, so this would explain why the previous version works (although http-robots would not be able to parse the response).

@dmiller-nmap

This is a result of several issues coming together in a perfect storm:

  1. Zlib on Windows built without Gzip support, so it can't detect the gzip header, but instead interprets it as a raw DEFLATE stream.
  2. Zlib fast inflate assembly on Windows has some sort of bug where it reads off the end of the input buffer if the length is too big.
  3. NSE code relies on the Zlib inflate function to detect the Gzip or Zlib header or fall back to raw DEFLATE instead of checking zlibCompileFlags() to check support. It'd be good to write a simple gzip header "parser" just for this case, though I'd expect most zlib builds to include the gzip support.

I'll be reconfiguring the Windows build to include Gzip support and to avoid the assembly code, as well as ensuring we are using best practice anti-exploitation settings like /NXCOMPAT /DYNAMICBASE /SAFESEH (safe SEH is not compatible with raw assembly).
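The two comments above (nnposter's zlib suspicion and dmiller-nmap's three-part diagnosis) both come down to one point: the decoder must not hand a gzip-wrapped body to zlib and hope that zlib recognises the wrapper. The following is an added example, not Nmap or NSE code, that does what item 3 suggests: parse the RFC 1952 gzip header by hand, inflate only the raw DEFLATE payload in raw mode (`wbits=-15`, the same value as `inflateInit2()`'s `windowBits` in C), and check the CRC32/ISIZE trailer itself. The 46-byte sample input is the gzip body the printer returned in the Linux `--script-trace` above; the `FNAME` variant is constructed here for the test. Python's `zlib` module wraps the same libz, so the mode table also shows what a library without gzip support "sees": in raw mode the magic `1f 8b` is read as a DEFLATE block header with the reserved block type 3 and rejected (zlib proper reports an error; the Windows fast-inflate assembly described above did not). Python does not expose `zlibCompileFlags()`; in C the check dmiller-nmap refers to is bit 17 (`NO_GZIP`) and, for the assembly code path, bit 9 (`ASMV`/`ASMINF`) of its return value.

```python
"""Added example (not Nmap/NSE code): parse the gzip wrapper by hand and
hand zlib only the raw DEFLATE payload, so decoding does not depend on
zlib having been built with gzip support.

wbits values as passed to zlib (same numbers as C inflateInit2 windowBits):
  -15     raw DEFLATE, no header or trailer
   15     zlib wrapper (RFC 1950)
   15+16  gzip wrapper (RFC 1952);  15+32 = auto-detect zlib or gzip
"""
import struct
import zlib

# The 46-byte gzip-encoded /robots.txt body from the Linux --script-trace
# in this issue (HP OfficeJet Pro 8720, "Content-Length: 46").
PRINTER_BODY = bytes.fromhex(
    "1f8b0800000000000203"                                       # header
    "0b2d4e2dd24d4c4fcd2bb152d0e272c92c4eccc9c92fb752d0e70200"   # DEFLATE
    "4284a48f1a000000"                                           # CRC32, ISIZE
)

FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed variant (not from the trace): same payload and trailer, but
# the header carries an FNAME field, which the parser must skip.
PRINTER_BODY_WITH_FNAME = (
    b"\x1f\x8b\x08" + bytes([FNAME]) + PRINTER_BODY[4:10]
    + b"robots.txt\0" + PRINTER_BODY[10:]
)


def gzip_payload_offset(data: bytes) -> int:
    """Return the offset of the raw DEFLATE stream inside a gzip member,
    or raise ValueError if the header is malformed or truncated."""
    if len(data) < 18:                       # 10-byte header + 8-byte trailer
        raise ValueError("too short to be a gzip member")
    id1, id2, cm, flg = data[0], data[1], data[2], data[3]
    if (id1, id2) != (0x1F, 0x8B):
        raise ValueError("missing gzip magic 1f 8b")
    if cm != 8:
        raise ValueError(f"unsupported compression method {cm}")
    if flg & 0xE0:
        raise ValueError("reserved FLG bits set")
    pos = 10                                 # MTIME(4) XFL(1) OS(1) skipped
    if flg & FEXTRA:
        if pos + 2 > len(data):
            raise ValueError("truncated FEXTRA length")
        xlen = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + xlen
    for flag in (FNAME, FCOMMENT):           # zero-terminated strings
        if flg & flag:
            end = data.find(b"\0", pos)
            if end < 0:
                raise ValueError("unterminated FNAME/FCOMMENT")
            pos = end + 1
    if flg & FHCRC:
        pos += 2
    if pos + 8 > len(data):
        raise ValueError("header runs into trailer")
    return pos


def gunzip_without_autodetect(data: bytes) -> bytes:
    """Inflate one gzip member using raw-DEFLATE mode only (wbits=-15),
    then verify CRC32 and ISIZE ourselves, since raw mode never will."""
    start = gzip_payload_offset(data)
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data[start:-8]) + d.flush()
    if not d.eof:
        raise ValueError("DEFLATE stream did not terminate")
    crc32, isize = struct.unpack("<II", data[-8:])
    if zlib.crc32(out) & 0xFFFFFFFF != crc32:
        raise ValueError("CRC32 mismatch")
    if len(out) & 0xFFFFFFFF != isize:
        raise ValueError("ISIZE mismatch")
    return out


def probe_wbits_modes(data: bytes) -> dict:
    """Which inflate modes accept these bytes as-is. A zlib built without
    gzip support behaves like the 'raw' row: 1f 8b is parsed as a DEFLATE
    block header (BFINAL=1, BTYPE=3 reserved) and the stream is rejected."""
    results = {}
    for label, wbits in (("raw", -15), ("zlib", 15), ("gzip", 31), ("auto", 47)):
        try:
            zlib.decompress(data, wbits)
            results[label] = "ok"
        except zlib.error as exc:
            results[label] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    print(gunzip_without_autodetect(PRINTER_BODY).decode())
    for mode, outcome in probe_wbits_modes(PRINTER_BODY).items():
        print(f"{mode:5s} {outcome}")
```

Run stand-alone it prints the printer's robots.txt (one `Disallow: /` line, matching the `1 disallowed entry` the Linux run reported) and then shows that only the `gzip` and `auto` modes accept the body unmodified. The hand-rolled path is the one to use when the library's gzip support cannot be assumed; when it can, `wbits=47` (auto-detect) is the simplest correct call.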


3 participants