Nmap Development mailing list archives
indexing globals in msrpc, msrpctypes and smb libs
From: jah <jah () zadkiel plus com>
Date: Fri, 17 Jul 2009 22:10:44 +0100
Hi Ron,

I ran Patrick's check_globals script [1] which reported that there were a few globals indexed in a few NSE libraries:

Checking nselib/msrpc.lua for bad global accesses
Found indexed global,'server_unc', at line number 0.
Checking nselib/msrpctypes.lua for bad global accesses
Found indexed global,'count', at line number 0.
Found indexed global,'marshal_int16', at line number 0.
Found indexed global,'marshal_int8', at line number 0.
Found indexed global,'marshall_password', at line number 0.
Found indexed global,'svcctl_Type_str', at line number 0.
Found indexed global,'svcctl_State_str', at line number 0.
Checking nselib/smb.lua for bad global accesses
Found indexed global,'use_defaults', at line number 0.
Found indexed global,'count_reserved', at line number 0.

Attached is a patch which hopefully fixes some of these - perhaps you'll look it over to make sure I've not done something stupid, particularly the 'server_unc' on line 663 of msrpc.lua and 'count_reserved' on lines starting at 1792 of smb.lua.

That leaves the following issues remaining:

Checking nselib/msrpctypes.lua for bad global accesses
Found indexed global,'marshall_password', at line number 2922.
Found indexed global,'svcctl_Type_str', at line number 4263.
Found indexed global,'svcctl_State_str', at line number 4317.

Those functions currently don't exist. I note that marshall_password() is not needed for Windows. It is passed to marshall_ptr() in marshall_srvsvc_NetShareInfo2(), which is a code path I haven't been able to execute so far. svcctl_Type_str() and svcctl_State_str() are called from svcctl_Type_tostr() and svcctl_State_tostr() respectively - neither of which is called by any script or any library. Do you have any suggestions for dealing with these?

On a related note, the attached patch for smb-brute.nse fixes a global access revealed using strict.lua:

...smb-brute.nse:178: variable 'random_set' is not declared

random_set is set true once math.random() has been seeded, and the patch uses nmap.registry to achieve the same. Does that look OK to you?

Regards,
jah

[1] - http://seclists.org/nmap-dev/2009/q3/0070.html
diff -urNb nselib/msrpc.lua nselib-fixed/msrpc.lua --- nselib/msrpc.lua 2009-07-17 21:49:55.765625000 +0100 +++ nselib-fixed/msrpc.lua 2009-07-17 20:59:24.531250000 +0100 @@ -660,7 +660,7 @@ stdnse.print_debug(2, "MSRPC: Calling NetServerGetStatistics() [%s]", smbstate['ip']) -- [in] [string,charset(UTF16)] uint16 *server_unc, - arguments = msrpctypes.marshall_unicode_ptr(server_unc, true) + arguments = msrpctypes.marshall_unicode_ptr(server, true) -- [in] [string,charset(UTF16)] uint16 *service, arguments = arguments .. msrpctypes.marshall_unicode_ptr(service, true) diff -urNb nselib/msrpctypes.lua nselib-fixed/msrpctypes.lua --- nselib/msrpctypes.lua 2009-07-17 21:49:55.781250000 +0100 +++ nselib-fixed/msrpctypes.lua 2009-07-17 21:17:43.546875000 +0100 @@ -199,7 +199,7 @@ pos = pos + 2 end - stdnse.print_debug(4, "MSRPC: Leaving unicode_to_string()", i, count) + stdnse.print_debug(4, "MSRPC: Leaving unicode_to_string()") return pos, string end @@ -910,7 +910,7 @@ local result stdnse.print_debug(4, string.format("MSRPC: Entering marshall_int16_ptr()")) - result = marshall_ptr(ALL, marshal_int16, {int16, pad}, int16) + result = marshall_ptr(ALL, marshall_int16, {int16, pad}, int16) stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_int16_ptr()")) return result @@ -928,7 +928,7 @@ local result stdnse.print_debug(4, string.format("MSRPC: Entering marshall_int8_ptr()")) - result = marshall_ptr(ALL, marshal_int8, {int8, pad}, int8) + result = marshall_ptr(ALL, marshall_int8, {int8, pad}, int8) stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_int8_ptr()")) return result diff -urNb nselib/smb.lua nselib-fixed/smb.lua --- nselib/smb.lua 2009-07-17 21:49:55.750000000 +0100 +++ nselib-fixed/smb.lua 2009-07-17 21:33:43.796875000 +0100 
@@ -1253,7 +1253,7 @@ -- This loop takes care of the multiple packets that "extended security" requires repeat -- Get the new security blob, passing the old security blob as a parameter. If there was no previous security blob, then nil is passed, which creates a new one - status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], accounts[i]['username'], accounts[i]['domain'], accounts[i]['hash_type'], overrides, use_defaults) + status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], accounts[i]['username'], accounts[i]['domain'], accounts[i]['hash_type'], overrides, use_default) -- There was an error processing the security blob if(status == false) then @@ -1789,9 +1789,9 @@ end -- Parse the parameters - local reserved, count_high, remaining, count_low - pos, andx_command, andx_reserved, andx_offset, count_low, remaining, count_high, reserved = bin.unpack("<CCSSSSS", parameters) - if(reserved == nil) then + local count_reserved, count_high, remaining, count_low + pos, andx_command, andx_reserved, andx_offset, count_low, remaining, count_high, count_reserved = bin.unpack("<CCSSSSS", parameters) + if(count_reserved == nil) then return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [28]" end
--- smb-brute.nse.orig 2009-07-17 21:56:26.750000000 +0100 +++ smb-brute.nse 2009-07-17 21:54:33.875000000 +0100 @@ -175,9 +175,10 @@ local str = "" -- Seed the random number, if we haven't already - if(random_set == false) then + if not nmap.registry.smbbrute or not nmap.registry.smbbrute.seeded then math.randomseed(os.time()) - random_set = true + nmap.registry.smbbrute = {} + nmap.registry.smbbrute.seeded = true end for i = 1, length, 1 do
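Review bot: in the msrpc.lua @@ -660 hunk the replacement identifier `server` is not defined anywhere in the visible context, so confirm it is a parameter of the enclosing NetServerGetStatistics() function before committing. If it is, this is a behaviour change rather than a pure cleanup: `server_unc` was an undeclared global, i.e. nil, so the old code marshalled a null pointer for the server_unc argument, while `msrpctypes.marshall_unicode_ptr(server, true)` now marshals the actual server name on the wire.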
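Review bot: in the msrpctypes.lua @@ -199 hunk, dropping the trailing `i, count` arguments is safe because the message `"MSRPC: Leaving unicode_to_string()"` contains no format placeholders, so those values were never printed; `count` was the undeclared global check_globals flagged. If the intent was to log them, add `%d` placeholders and pass locals instead of silently discarding them.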
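Review bot: in the @@ -910 and @@ -928 hunks, `marshal_int16` and `marshal_int8` were undeclared globals, so `marshall_ptr(ALL, nil, ...)` would have received a nil callback and failed on first use; the rename to `marshall_int16` / `marshall_int8` is the right fix provided both functions exist in msrpctypes.lua, which the disappearance of both names from the remaining check_globals output suggests. Since the latent nil shows marshall_int16_ptr() and marshall_int8_ptr() were not being exercised, a quick call to each against a known byte sequence would be worth adding.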
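Review bot: in the smb.lua @@ -1253 hunk, `use_default` is likewise not defined in the visible context; confirm it is the enclosing function's parameter and that `smbauth.get_security_blob` expects it in that final position. The old `use_defaults` was an undeclared global, so nil was being passed before; passing a real value may change how accounts are tried for callers that set it, which is worth a run of smb-brute against a test host.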
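Review bot: in the smb.lua @@ -1789 hunk, renaming the local `reserved` to `count_reserved` resolves the flagged global only if every later use in this function (the lines from 1792 the mail mentions) already reads `count_reserved`; grep the rest of the function for any surviving `reserved` reference, which would now become an undeclared global in turn. The `bin.unpack("<CCSSSSS", parameters)` format still yields seven values plus `pos`, matching the eight assignment targets, so the unpack itself is unchanged.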
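Review bot: in the smb-brute.nse hunk, `nmap.registry.smbbrute = {}` unconditionally replaces the table, so if anything else has already created `nmap.registry.smbbrute` without a `seeded` field, its contents are discarded; prefer `nmap.registry.smbbrute = nmap.registry.smbbrute or {}` before setting `seeded = true`. Also note that the old test `random_set == false` could never be true while `random_set` was an undeclared global, since nil ~= false in Lua, so the seeding branch never ran at all; with the registry check it now runs once per Nmap execution, because nmap.registry persists across hosts and script instances.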
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org