Nmap Development mailing list archives
Re: [NSE] mssql library - bug in parsing browser data
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 23 Jan 2011 08:52:16 +0100
On Jan 22, 2011, at 01:33 , Chris Woodbury wrote:
While working on some NSE scripts for SQL Server, I found a bug in the mssql.lua library. In the Discover function, when the SQL Server browser data is being parsed, it treats ";;" as a marker for the end of the data for a SQL Server instance. However, ";;" is valid within the data for an instance, signifying a field without a value (i.e. an empty string, etc.), and one of these ";;"s will make the capture end too early, likely resulting in a crash [1].
Good find!
Basically, the proper way to identify an instance is to find ServerName;.-;InstanceName;.-;IsClustered;.-; (per the SSRP spec, these are always present and in this order) and then go on until you reach the end or another instance. I couldn't figure out how to do this with Lua patterns in one step; so, I did it in two - cutting up the string and then parsing each one. I've attached a patch against the SVN version. I haven't done a ton of Lua/NSE scripting, so I would appreciate any comments.
Thanks a lot for the patch and I think it looks good so I've applied it. It's in as r21987.
Thanks
-chris

[1] Example: "ServerName;WINXP;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;np;\\WINXP\pipe\sql\query;tcp;1433;rpc;WINXP;spx;WINXP;adsp;WINXP;bv;;@MSSQL;;via;WINXP,0:1433;;" gets captured as:
(1) ServerName;WINXP;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;np;\\WINXP\pipe\sql\query;tcp;1433;rpc;WINXP;spx;WINXP;adsp;WINXP;bv;;
(2) @MSSQL;;
(3) via;WINXP,0:1433;;
(4) ServerName;WINXP;InstanceName;SQL2K5;IsClustered;No;Version;9.00.4035.00;tcp;1278;;
The script crashes on line 843 during (2), when it tries to use the instance name, which it didn't get.
<mssql_ssrp_split.patch>
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
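The two-step approach Chris describes, written out as an added example for readers of this thread; it is not the attached mssql_ssrp_split.patch and not Nmap's mssql.lua. It assumes the RESP_DATA layout described above (every instance opens with ServerName;..;InstanceName;..;IsClustered;..;, and a ";;" inside an instance is an empty field), treats "bv" as carrying three values (item;group;org, my reading of the MS-SQLR spec, so an assumption), and uses a constructed copy of the string from Chris's footnote [1] as input. The function names (naive_split, split_instances, parse_instance, parse_browser_response) are mine.

```lua
-- Added example (not the patch from this thread and not Nmap's mssql.lua):
-- parsing SSRP browser response data in two steps, header-anchored split
-- first, key;value walk second. Assumptions: ";;" inside an instance is an
-- empty field; every instance starts with the three fields below.

-- Every instance starts with these three fields, in this order (SSRP spec).
local INSTANCE_START = "ServerName;[^;]*;InstanceName;[^;]*;IsClustered;[^;]*;"

-- Constructed sample: the RESP_DATA string from Chris's footnote [1].
-- A long bracket string is used so the backslashes need no escaping.
local SAMPLE = [[ServerName;WINXP;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;np;\\WINXP\pipe\sql\query;tcp;1433;rpc;WINXP;spx;WINXP;adsp;WINXP;bv;;@MSSQL;;via;WINXP,0:1433;;ServerName;WINXP;InstanceName;SQL2K5;IsClustered;No;Version;9.00.4035.00;tcp;1278;;]]

-- The buggy approach: treat every ";;" as the end of an instance.
local function naive_split(data)
  local pieces = {}
  for piece in data:gmatch("(.-;;)") do
    pieces[#pieces + 1] = piece
  end
  return pieces
end

-- Step 1: locate each instance header and cut the data at those points.
-- An instance runs from its header to the start of the next one (or EOF).
local function split_instances(data)
  local starts, pos = {}, 1
  while true do
    local s = data:find(INSTANCE_START, pos)
    if not s then break end
    starts[#starts + 1] = s
    pos = s + 1
  end
  local chunks = {}
  for i, s in ipairs(starts) do
    local e = (starts[i + 1] or (#data + 1)) - 1
    chunks[#chunks + 1] = data:sub(s, e)
  end
  return chunks
end

-- Step 2: walk one instance as key;value pairs. Empty values are kept,
-- and a key of "" is the trailing ";;" that terminates the instance.
-- "bv" (Banyan VINES) carries three values, item;group;org, which is why
-- the sample contains "bv;;@MSSQL;;" (my reading of MS-SQLR; assumption).
local function parse_instance(chunk)
  local tokens = {}
  for tok in chunk:gmatch("([^;]*);") do
    tokens[#tokens + 1] = tok
  end
  local info, i = {}, 1
  while i <= #tokens do
    local key = tokens[i]
    if key == "" then break end
    if key == "bv" then
      info.bv = { item = tokens[i + 1] or "",
                  group = tokens[i + 2] or "",
                  org = tokens[i + 3] or "" }
      i = i + 4
    else
      info[key] = tokens[i + 1] or ""
      i = i + 2
    end
  end
  return info
end

local function parse_browser_response(data)
  -- Assumption: a whole SVR_RESP message (0x05, 2-byte size, RESP_DATA)
  -- may be passed in; strip the 3-byte header when it is present.
  if data:byte(1) == 0x05 then data = data:sub(4) end
  local instances = {}
  for _, chunk in ipairs(split_instances(data)) do
    instances[#instances + 1] = parse_instance(chunk)
  end
  return instances
end

-- Compare the two approaches on the sample.
local naive = naive_split(SAMPLE)
print(("';;' split: %d pieces"):format(#naive))
for i, p in ipairs(naive) do
  local name = p:match("InstanceName;([^;]*);")
  print(("  (%d) InstanceName = %s"):format(i, name or "<missing: this is the crash>"))
end

local instances = parse_browser_response(SAMPLE)
print(("two-step parse: %d instances"):format(#instances))
for _, inst in ipairs(instances) do
  print(("  %s\\%s  version %s  tcp %s  bv.group %s"):format(
    inst.ServerName, inst.InstanceName, inst.Version,
    inst.tcp or "-", inst.bv and inst.bv.group or "-"))
end
```

Run with a stand-alone Lua interpreter (lua example.lua). On the sample, the ";;" split produces the four pieces from Chris's footnote, two of which have no InstanceName, while the header-anchored split produces the two real instances with their empty fields preserved. Anchoring on the mandatory header fields rather than on a delimiter that is also legal inside a record is the general fix here: any Discover code that trusts the terminator alone will mis-parse as soon as a server reports an empty field.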