Nmap Development mailing list archives
Re: [NSE] Yet another SMB version!
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 21 Oct 2008 21:56:49 +0000
On Tue, 21 Oct 2008 10:38:30 -0500 Ron <ron () skullsecurity net> wrote:

> Other than that, I hope some of you give it a try and report problems! I want to commit this code as soon as I can, but it's such a big change that I want to get some independent verification that it works!
I've run into what looks like an integer overflow/underflow in msrpc.lua:unicode_to_string(). A handful of the hosts I'm scanning cause the script engine to spit out these errors:

SCRIPT ENGINE: /usr/share/nmap/nselib/msrpc.lua:139: bad argument #1 to 'char' (number expected, got nil)

I turned on high debugging and here is the output leading up to one of them:

SCRIPT ENGINE DEBUG: MSRPC: LsarLookupSids2() returned successfully
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 45, length = 2)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 201, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 301, length = 14)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 341, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 441, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 541, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Calling LsarLookupSids2()
SCRIPT ENGINE DEBUG: Sending SMB_COM_TRANSACTION
SCRIPT ENGINE DEBUG: Sending SMB packet (len: 338)
SCRIPT ENGINE DEBUG: Received 764 bytes from SMB
SCRIPT ENGINE DEBUG: MSRPC: LsarLookupSids2() returned successfully
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 45, length = 83886080)
SCRIPT ENGINE: /usr/share/nmap/nselib/msrpc.lua:139: bad argument #1 to 'char' (number expected, got nil)

It looks to me like unicode_to_string() accidentally walked off the end of the string and the length computation wrapped.
Once this happens, NSE appears to get stuck in a loop:

SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:46 (0:00:15 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:47 (0:00:31 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:48 (0:00:47 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:49 (0:01:03 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:49 (0:01:19 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:50 (0:01:35 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:51 (0:01:51 remaining)

The trouble with NSE debug output is that there isn't a way to tell what output goes to what thread/host/port. It would be nice to tag the output with a thread number so that we can at least tell what output is from the same thread. I'm thinking something like:

SCRIPT ENGINE DEBUG[1]: MSRPC: Entering unicode_to_string(pos = 441, length = 44)
SCRIPT ENGINE DEBUG[1]: MSRPC: Entering unicode_to_string(pos = 541, length = 44)
SCRIPT ENGINE DEBUG[2]: MSRPC: Calling LsarLookupSids2()
SCRIPT ENGINE DEBUG[3]: Sending SMB_COM_TRANSACTION
SCRIPT ENGINE DEBUG[1]: MSRPC: Entering unicode_to_string(pos = 45, length = 83886080)

Something even more unique than thread number would be preferable, if a bit verbose.

Also, a few comments on your debugging output. For -d and -d2 the output is phenomenal. Very valuable information. I think needing -d5 to see *all* the output is excessive. Perhaps you'd be willing to collapse all the -d5 output into the -d3 output?

Brandon
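The failure Brandon describes (a length field from the wire driving a read past the end of the response buffer, so string.byte() yields nil and string.char() errors out) is the classic case for validating untrusted lengths before decoding. The following is an added example, not the msrpc.lua code from the original thread: a bounds-checked UCS-2LE decoder of the kind unicode_to_string() performs. The function name, the buffer/pos/length convention and the sample data are assumptions made for the example.

```lua
-- Added example (not the original msrpc.lua): decode 'length' 16-bit
-- code units of UCS-2LE text from Lua string 'buf' starting at 1-based
-- offset 'pos', refusing lengths that do not fit in the buffer.
local function unicode_to_string_checked(buf, pos, length)
  -- Reject before reading: string.byte() returns nil past #buf, which is
  -- what produces "bad argument #1 to 'char' (number expected, got nil)".
  if length < 0 or pos < 1 or pos + 2 * length - 1 > #buf then
    return nil, string.format(
      "unicode_to_string: %d code units at offset %d exceed %d-byte buffer",
      length, pos, #buf)
  end

  local chars = {}
  for i = 0, length - 1 do
    local lo, hi = string.byte(buf, pos + 2 * i, pos + 2 * i + 1)
    -- Keep printable ASCII-range code units; replace anything else with
    -- '?' so the result is always safe to print in script output.
    if hi == 0 and lo >= 0x20 and lo < 0x7f then
      chars[#chars + 1] = string.char(lo)
    else
      chars[#chars + 1] = "?"
    end
  end
  -- Return the decoded text and the offset just past the consumed bytes.
  return table.concat(chars), pos + 2 * length
end

-- Constructed sample: "Admin" in UCS-2LE plus a 2-byte terminator.
local sample = "A\0d\0m\0i\0n\0\0\0"
local text, next_pos = unicode_to_string_checked(sample, 1, 5)
assert(text == "Admin" and next_pos == 11)

-- The bogus length from the debug output is rejected instead of crashing.
local s, err = unicode_to_string_checked(sample, 1, 83886080)
assert(s == nil)
print(err)
```

Callers that get nil back can log the offending length at -d and return from the script cleanly, which also avoids the stuck-thread symptom seen after the error.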