Nmap Development mailing list archives

Re: [NSE] Yet another SMB version!


From: jah <jah () zadkiel plus com>
Date: Wed, 22 Oct 2008 00:10:25 +0100

On 21/10/2008 23:37, Ron wrote:
Brandon Enright wrote:
On Tue, 21 Oct 2008 10:38:30 -0500
Ron <ron () skullsecurity net> wrote:

Other than that, I hope some of you give it a try and report
problems! I want to commit this code as soon as I can, but it's such
a big change that I want to get some independent verification that it
works!
I've run into what looks like an integer overflow/underflow in
msrpc.lua:unicode_to_string().

A handful of the hosts I'm scanning cause the script engine to spit out
these errors:

SCRIPT ENGINE: /usr/share/nmap/nselib/msrpc.lua:139: bad argument #1 to 'char' (number expected, got nil)

I turned on high debugging and here is the output leading up to one of
them:

SCRIPT ENGINE DEBUG: MSRPC: LsarLookupSids2() returned successfully
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 45, length = 2)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 201, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 301, length = 14)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 341, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 441, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 541, length = 44)
SCRIPT ENGINE DEBUG: MSRPC: Calling LsarLookupSids2()
SCRIPT ENGINE DEBUG: Sending SMB_COM_TRANSACTION
SCRIPT ENGINE DEBUG: Sending SMB packet (len: 338)
SCRIPT ENGINE DEBUG: Received 764 bytes from SMB
SCRIPT ENGINE DEBUG: MSRPC: LsarLookupSids2() returned successfully
SCRIPT ENGINE DEBUG: MSRPC: Entering unicode_to_string(pos = 45, length = 83886080)
SCRIPT ENGINE: /usr/share/nmap/nselib/msrpc.lua:139: bad argument #1 to 'char' (number expected, got nil)


It looks to me like unicode_to_string() accidentally walked off the end
of the string and the length computation wrapped.

Once this happens, NSE appears to get stuck in a loop:

SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:46 (0:00:15 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:47 (0:00:31 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:48 (0:00:47 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:49 (0:01:03 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:49 (0:01:19 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:50 (0:01:35 remaining)
SCRIPT ENGINE Timing: About 65.34% done; ETC: 21:51 (0:01:51 remaining)

The trouble with NSE debug output is that there isn't a way to tell
what output goes to what thread/host/port.  It would be nice to tag the
output with a thread number so that we can at least tell what output is
from the same thread.  I'm thinking something like:

SCRIPT ENGINE DEBUG[1]: MSRPC: Entering unicode_to_string(pos = 441, length = 44)
SCRIPT ENGINE DEBUG[1]: MSRPC: Entering unicode_to_string(pos = 541, length = 44)
SCRIPT ENGINE DEBUG[2]: MSRPC: Calling LsarLookupSids2()
SCRIPT ENGINE DEBUG[3]: Sending SMB_COM_TRANSACTION
SCRIPT ENGINE DEBUG[1]: MSRPC: Entering unicode_to_string(pos = 45, length = 83886080)

Something even more unique than thread number would be preferable, if a
bit verbose.

Also, a few comments on your debugging output.  For -d and -d2 the
output is phenomenal.  Very valuable information.  I think needing -d5
to see *all* the output is excessive.  Perhaps you'd be willing to
collapse all the -d5 output into the -d3 output?

Brandon


Hmm, interesting!

The "SCRIPT ENGINE DEBUG" part isn't my code, it's in stdnse, but that's
definitely a good idea. I'll also change the -d? stuff, I was sort of
going by gut feeling on which number to use. :)

Something I noticed is that the script debug will show up with either -v
or -d -- was that intentional?
You might do something like the following within scripts:
stdnse.print_debug( 2, ("%s %s some error happened with something"):format(id, ip) )
which might give you

SCRIPT ENGINE DEBUG: MSRPC 192.168.1.1 some error happened with something

when the debug level is 2.  This narrows a thread down to a script and host.

Regards,

jah

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
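As an added example (not Ron's msrpc.lua and not NSE library code): a bounds-checked unicode_to_string() in plain Lua 5.1 that rejects a wrapped or oversize length like the 83886080 in the log above instead of handing nil to string.char(), together with the "script host message" tag pattern suggested in the reply. The MAX_UNICODE_CHARS cutoff, the tagged() helper and the sample buffer are assumptions made for the example.

```lua
-- Added example, not Ron's msrpc.lua: a defensive reader for the UTF-16LE
-- strings carried in MSRPC responses. Pure Lua 5.1, no NSE libraries needed.

-- Assumed upper bound on a plausible string length in an MSRPC response;
-- anything larger (such as 83886080) is reported as a parse error.
local MAX_UNICODE_CHARS = 65535

-- Assumed helper: prefix a debug line with script id and host so lines from
-- different threads can be told apart, as the reply suggests.
local function tagged(id, ip, fmt, ...)
  return ("%s %s %s"):format(id, ip, fmt:format(...))
end

-- Returns the decoded string and the next position, or nil plus an error
-- message when 'length' code units do not fit inside 'buffer' at 'pos'.
local function unicode_to_string(buffer, pos, length)
  if length < 0 or length > MAX_UNICODE_CHARS then
    return nil, ("implausible length %d"):format(length)
  end
  local needed = length * 2
  if pos < 1 or pos + needed - 1 > #buffer then
    return nil, ("need %d bytes at offset %d, only %d available"):format(
      needed, pos, #buffer - pos + 1)
  end
  local chars = {}
  for i = 1, length do
    local lo, hi = buffer:byte(pos, pos + 1)
    -- Keep printable ASCII; other code points are replaced, not dropped.
    if hi == 0 and lo >= 32 and lo < 127 then
      chars[#chars + 1] = string.char(lo)
    else
      chars[#chars + 1] = "?"
    end
    pos = pos + 2
  end
  return table.concat(chars), pos
end

-- Constructed sample: "Guest" as UTF-16LE, 5 code units = 10 bytes.
local sample = "G\0u\0e\0s\0t\0"

local name, nextpos = unicode_to_string(sample, 1, 5)
assert(name == "Guest" and nextpos == 11)

-- The failing case from the thread: the wrapped length is rejected and
-- reported with a tag instead of crashing string.char() with nil.
local bad, err = unicode_to_string(sample, 1, 83886080)
assert(bad == nil)
print(tagged("MSRPC", "192.168.1.1", "unicode_to_string failed: %s", err))
```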

