Nmap Development mailing list archives

Status Report #9 of 15

From: Dražen Popović <drazen.popovic () fer hr>
Date: Tue, 29 Jun 2010 05:49:20 +0200

Hi everyone.
This week passed quickly and I can say that the "ndr.lua" library is
progressing very well...So:

Accomplishments:
      * "ndr.lua" now packs every kind of NDR arrays with arbitrary
        dimensions.
      * Began fighting NDR structure packing. I have encountered a few
        issues that drained the life out of me, but in the end it all
        worked out pretty well. For example, while trying to pack NDR
        arrays I turned to PIDL(version 0.02) to see its --ndr-parser
        output which produces the NDR parser which SAMBA uses. Then I
        noticed that their array packing is also incorrect. What next?
        Oh yes...So far Windows NDR implementation was acting very well,
        specification compliant. But it seems that even they didn't
        follow the whole NDR specification. To be more precise [1]
        Chapter: "14.3.2 Alignment of Constructed Types", which deals
        with structure packing and array packing which are contained
        within the structure itself. The following is the specification
        which MSF ndr engine [2] doesn't seem to implement:
"
The fields within the structure are aligned according to the following
rules:
...
Array alignment is the largest alignment of the array element type and
the size
information type, if any.
"
MSF ndr engine simply takes the element alignment as the array
alignment. Thanks to Wireshark for existing because otherwise this would
be hell.
      * Figured out the layered design concept which will hide the
        internal workings of "ndr.lua" from the programmer. "ndr.lua"
        consists of two base classes "NDR" and "NDR_Type". The
        "NDR_Type" class was introduced to emulate the data types that
        Lua lacks (such as pointers). With just a few rules when
        programming with NSE MSRPC it's possible to hide these classes
        from the programmer.

Priorities:
      * Finish packing arrays within structures.
      * Pack pointers and pointers within structures (embedded).
      * When done, clean the code a little bit and start with unpacking.
      * When done =),then it's time to put "ndr.lua" to real life
        testing. The first integration iteration will consist of editing
        "msrpc.lua" RPC stubs needed for "smb-enum-processes.nse", of
        course by using "ndr.lua".

Notes:
This irregularity I've mentioned concerning MSFs NDR engine needs to be
tested some more with some additional RPC stubs (test cases). Also I'm
curious of how are DRAZEN_SVC and "cli-drazen-svc.nse" acting on newer
Win distros (Vista,7,2008), so if someone is willing to give it a whirl.
There "really" shouldn't be any difference.

References:
[1] http://www.opengroup.org/onlinepubs/9629399/toc.htm
[2] http://msdn.microsoft.com/en-us/library/ms764233%28v=VS.85%29.aspx

Cheers,
Dražen.
-- 
Laboratory for Systems and Signals
Department of Electronic Systems and Information Processing
Faculty of Electrical Engineering and Computing
University of Zagreb
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

status report #9 of 15 kirubakaran S (Jun 28)
- Re: status report #9 of 15 David Fifield (Jun 28)
- <Possible follow-ups>
- Status report #9 of 15 ithilgore (Jun 28)
- Status Report #9 of 15 Dražen Popović (Jun 28)
- Status Report #9 of 15 alexandru (Jun 28)
- Status Report #9 of 15 Djalal Harouni (Jun 29)
- Status Report #9 of 15 Luis MartinGarcia. (Jun 29)