Nmap Development mailing list archives

Re: [RFC] NSE pack/unpack library


From: David Fifield <david () bamsoftware com>
Date: Fri, 20 Jun 2008 10:01:13 -0600

On Fri, Jun 20, 2008 at 04:24:56PM +0200, Philip Pickering wrote:
> Are there reasons that we can't use the current lpack library as-is?
>
> lpack lacks some functionality we need. These features are
> at least H for hex strings, B for bit strings and x for null/ignoring bytes.
> By adding these features the original operator characters become misleading.

I looked through the scripts to see which ones could benefit from
pack/unpack. Here are some examples I found (edited to include just
snippets of binary data handling).

MSSQLm.nse:
          -- build a TDS packet - type 0x12
          -- copied from packet capture of osql connection
          payload = payload .. "\018\001\000\047\000\000\001\000\000\000"
          payload = payload .. "\026\000\006\001\000\032\000\001\002\000"
          payload = payload .. "\033\000\001\003\000\034\000\004\004\000"
          payload = payload .. "\038\000\001\255\009\000\011\226\000\000"
          payload = payload .. "\000\000\120\023\000\000\000"

dns-test-open-recursion.nse:
    -- generate dns query, Transaction-ID 0xdead, www.wikipedia.org (type A, class IN)
    local request = string.char(0xde, 0xad, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03) ..
        "www" .. string.char(0x09) .. "wikipedia" .. string.char(0x03) .. "org" .. string.char(0x00, 0x00, 0x01, 0x00, 0x01)

    -- parse response for dns flags
    if (bit.band(string.byte(result,3), 0x80) == 0x80
    and bit.band(string.byte(result,4), 0x85) == 0x80)

netbios-smb-os-discovery.nse:
       local WildCard =
       string.char(0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
                   0x00, 0x00, 0x20, 0x43, 0x4b, 0x41, 0x41, 0x41, 0x41, 0x41,
                   0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                   0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                   0x41, 0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x21, 0x00, 0x00)

I want to know what these snippets would look like using the pack/unpack
library. Maybe we don't need everything that lpack has and can invent
our own interface. I too am wary of giving an NSE library behavior
that's incompatible with the library it's based on.

Anyway, good thinking Philip. There appears to be ample demand for this
functionality (especially pack).

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
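What the dns-test-open-recursion snippets above could look like with a pack/unpack interface, as an added example that is not code from this thread or from Nmap: it uses the format letters of Lua 5.3's standard string.pack/string.unpack (a later stand-in for the NSE library proposed here), and the function names are my own.

```lua
-- Added example: the dns-test-open-recursion snippets rebuilt with Lua 5.3's
-- standard string.pack/string.unpack (format letters per the Lua 5.3 manual),
-- not the NSE pack/unpack library discussed in the thread.

-- Build the query: Transaction-ID, flags 0x0100 (recursion desired), QDCOUNT 1,
-- then the QNAME as length-prefixed labels ('s1' = one-byte length + bytes),
-- a zero terminator ('x'), QTYPE A (1) and QCLASS IN (1).
-- '>' selects network (big-endian) byte order.
local function build_query(txid, name)
  local labels = {}
  for label in name:gmatch("[^.]+") do
    labels[#labels + 1] = string.pack("s1", label)
  end
  return string.pack(">I2 I2 I2 I2 I2 I2", txid, 0x0100, 1, 0, 0, 0)
      .. table.concat(labels) .. string.pack(">x I2 I2", 1, 1)
end

-- Parse the 12-byte header as 16-bit words and apply the script's flag test:
-- QR set (it is a response) and RA set with the checked RCODE bits clear.
-- Reading the flags as one word replaces the byte-3/byte-4 bit.band() pair.
local function is_recursive_answer(resp, expected_txid)
  if #resp < 12 then return false end
  local txid, flags = string.unpack(">I2 I2", resp)
  if txid ~= expected_txid then return false end
  return flags & 0x8000 == 0x8000 and flags & 0x0085 == 0x0080
end

-- Self-check against the hand-written byte string from the original script.
local expected = string.char(0xde, 0xad, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x03) .. "www" .. string.char(0x09) .. "wikipedia"
  .. string.char(0x03) .. "org" .. string.char(0x00, 0x00, 0x01, 0x00, 0x01)
assert(build_query(0xdead, "www.wikipedia.org") == expected)

-- Constructed sample responses (header only; the body does not affect the flag test).
local hdr = ">I2 I2 I2 I2 I2 I2"
assert(is_recursive_answer(string.pack(hdr, 0xdead, 0x8180, 1, 1, 0, 0), 0xdead))      -- QR, RD, RA set
assert(not is_recursive_answer(string.pack(hdr, 0xdead, 0x8100, 1, 0, 0, 0), 0xdead))  -- RA clear
assert(not is_recursive_answer(string.pack(hdr, 0xdead, 0x8183, 1, 0, 0, 0), 0xdead))  -- RCODE 3 (NXDOMAIN)
```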