Nmap Development mailing list archives

Small Problem w/RegEx for Service Detection...


From: "Jay Freeman (saurik)" <saurik () saurik com>
Date: Sun, 3 Sep 2000 03:13:42 -0500

Fyoder> The question is whether it is powerful enough.  I suspect that
Fyoder> the vast majority of protocols could be detected via a sufficiently
Fyoder> clever probe string and regex match.  Can anyone think of any
Fyoder> protocols that could not be detected by method but could with a
Fyoder> more powerful (think "C") syntax?  And RPC services don't count
Fyoder> because we can get them with the existing RPC grinder.

While working on the regular expression match nmap+V-2.2 uses to detect
Ajp13, I ran into a small problem.  After doing a little more research, it
still seems to be a problem: unless I am missing something, regular
expressions can’t be used to detect ‘\0’ :-(.

If you take a look at my Ajp13 checker, you will notice it’s rather weak….
I send a bunch of binary data, and then check for “AB”.  The third character
sent back by the server is ‘\0’, and regcomp() takes a NULL-terminated
C-style string, which is causing problems.  It doesn’t take a parameter for
the length, and doesn’t do much escaping on its own (just enough to handle
its own structures, such as ‘{’ and ‘[’).  I tried passing it “\\\0” and it
bombed out with an error of “Trailing backslash” (was hoping it would escape
the ‘\0’ :-), the man page for regex(7) _did_ say: “a `\' followed  by  any
other  character  (matching that character taken as an ordinary character,
as if the `\' had not been present)”).

When dealing with binary protocols ‘\0’ tends to be rather important….  It
could be skipped over with ‘.’, but in many cases the accuracy of the
expression is then lost.  In the Ajp13 case, after the ‘\0’ the next few
characters represent the length of the remainder of the data.  Perfect
validation would involve making sure the length of the reply matches that
number, next best would be waiting for the end of the reply for another
“AB\0”, but to minimize the resources required for the scan checking for
getting first nothing and then “AB\0” after sending the correct request is
probably enough.  Just checking for the “AB” bothers me (mainly because of
“ABCDE…” :-) )… but I’d be rather confident that other protocols would show
more of a pressing urge for wanting to correctly scan for ‘\0’.

Anyone know of a more powerful, rather portable regex parser that supports
‘\0’… or maybe some alternative that could be used instead?  Even better: a
way to get regcomp() to escape the ‘\0’?

Sincerely,
Jay Freeman (saurik)
saurik () saurik com <mailto:saurik () saurik com>
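To make the problem concrete, here is an added example (not code from the post or from nmap) contrasting the regcomp()/regexec() route with a length-aware byte check. It assumes, purely for illustration, that the bytes after "AB" are a two-byte big-endian length of the remaining data; the sample reply is constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample reply: "AB", a two-byte big-endian length (an
 * assumed layout standing in for the "next few characters" the post
 * mentions), then that many payload bytes. */
static const unsigned char sample_reply[] = { 'A', 'B', 0x00, 0x03, 'x', 'y', 'z' };
static const size_t sample_reply_len = sizeof sample_reply;

/* The regex route.  regexec() takes a C string, so the match sees only
 * the bytes before the first '\0'.  Returns 1 on match, 0 on no match,
 * -1 if the pattern failed to compile or the buffer is too large. */
int regex_match(const char *pattern, const unsigned char *buf, size_t len)
{
    regex_t re;
    char cstr[64];
    int rc;

    if (len >= sizeof cstr || regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    memcpy(cstr, buf, len);
    cstr[len] = '\0';          /* terminator; any earlier NUL cuts the string short */
    rc = regexec(&re, cstr, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Length-aware check over the raw bytes, no NUL termination involved.
 * Returns 1 when the reply starts with "AB" and the two-byte length
 * agrees with the number of bytes actually received, else 0. */
int check_ab_reply(const unsigned char *buf, size_t len)
{
    size_t payload_len;

    if (len < 4 || memcmp(buf, "AB", 2) != 0)
        return 0;
    payload_len = ((size_t)buf[2] << 8) | buf[3];
    return len == 4 + payload_len;
}

int main(void)
{
    printf("regex \"^AB.\" on sample reply: %d\n", regex_match("^AB.", sample_reply, sample_reply_len));
    printf("length-aware check:           %d\n", check_ab_reply(sample_reply, sample_reply_len));
    return 0;
}
```

The regex sees the seven-byte reply as the two-character string "AB", so anything after the NUL is invisible to it, while the byte check also rejects the "ABCDE..." case the post worries about because its implied length does not agree with the bytes received.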


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).