Nmap Development mailing list archives
indexing globals in msrpc, msrpctypes and smb libs
From: jah <jah () zadkiel plus com>
Date: Fri, 17 Jul 2009 22:10:44 +0100
Hi Ron,
I ran Patrick's check_globals script [1] which reported that there were
a few globals indexed in a few NSE libraries:
Checking nselib/msrpc.lua for bad global accesses
Found indexed global,'server_unc', at line number 0.
Checking nselib/msrpctypes.lua for bad global accesses
Found indexed global,'count', at line number 0.
Found indexed global,'marshal_int16', at line number 0.
Found indexed global,'marshal_int8', at line number 0.
Found indexed global,'marshall_password', at line number 0.
Found indexed global,'svcctl_Type_str', at line number 0.
Found indexed global,'svcctl_State_str', at line number 0.
Checking nselib/smb.lua for bad global accesses
Found indexed global,'use_defaults', at line number 0.
Found indexed global,'count_reserved', at line number 0.
Attached is a patch which hopefully fixes some of these - perhaps you'll
look it over to make sure I've not done something stupid, particularly
the 'server_unc' on line 663 of msrpc.lua and 'count_reserved' on lines
starting at 1792 of smb.lua.
That leaves the following issues remaining:
Checking nselib/msrpctypes.lua for bad global accesses
Found indexed global,'marshall_password', at line number 2922.
Found indexed global,'svcctl_Type_str', at line number 4263.
Found indexed global,'svcctl_State_str', at line number 4317.
Those functions currently don't exist.
I note that marshall_password() is not needed for Windows. It is passed
to marshall_ptr() in marshall_srvsvc_NetShareInfo2() which is a code
path I haven't been able to execute so far.
svcctl_Type_str() and svcctl_State_str() are called from
svcctl_Type_tostr() and svcctl_State_tostr() respectively - neither of
which is called by any script or any library.
Do you have any suggestions for dealing with these?
On a related note, the attached patch for smb-brute.nse fixes a global
access revealed using strict.lua:
...smb-brute.nse:178: variable 'random_set' is not declared
random_set is set true once math.random() has been seeded and the patch
uses nmap.registry to achieve the same. Does that look OK to you?
Regards,
jah
[1] - http://seclists.org/nmap-dev/2009/q3/0070.html
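As an added example that is not part of the original post or the Nmap source tree, the following plain-Lua script shows the kind of guard strict.lua provides: a metatable on _G that turns a read of an undeclared global (the 'marshal_int16' one-l typo, the un-localised 'random_set' flag) into an error at the point of use, instead of a nil that only surfaces later as "attempt to call a nil value". The marshalling helper names are hypothetical stand-ins for the msrpctypes ones, and because nmap.registry does not exist outside Nmap the seeded flag is kept in a file-scope local here.

```lua
-- Added example, not from the nmap-dev post or the Nmap source tree.
-- A minimal strict-mode guard in the spirit of strict.lua: reads of
-- undeclared globals raise, and globals may only be created from the
-- main chunk (module top level), never from inside a function.
local mt = getmetatable(_G) or {}
setmetatable(_G, mt)
mt.__declared = {}

-- Reading a global that was never declared raises instead of yielding nil.
mt.__index = function(t, name)
  if not mt.__declared[name] then
    error("variable '" .. name .. "' is not declared", 2)
  end
  return rawget(t, name)
end

-- Assignments create a global only when made from the main chunk; an
-- assignment from inside a function (a forgotten 'local') is an error.
mt.__newindex = function(t, name, value)
  if not mt.__declared[name] then
    local what = debug.getinfo(2, "S").what
    if what ~= "main" and what ~= "C" then
      error("assign to undeclared variable '" .. name .. "'", 2)
    end
    mt.__declared[name] = true
  end
  rawset(t, name, value)
end

-- rawget bypasses the guard, so this works on Lua 5.1 and 5.2+ alike.
local unpack = rawget(_G, "unpack") or table.unpack

-- Hypothetical helpers mirroring the msrpctypes naming: a toy little-endian
-- int16 encoder and a marshall_ptr that applies a marshaller to its args.
local function marshall_int16(v)
  return string.char(v % 256, math.floor(v / 256) % 256)
end
local function marshall_ptr(func, args)
  return func(unpack(args))
end

-- Typo'd on purpose: 'marshal_int16' (one l) is an undeclared global, so
-- calling this raises under the guard rather than passing nil to marshall_ptr.
local function marshall_int16_ptr(v)
  return marshall_ptr(marshal_int16, {v})
end

-- The smb-brute pattern: seeding once and remembering it in a global set
-- from inside a function is rejected by the guard...
local function bad_seed()
  math.randomseed(os.time())
  random_set = true
end

-- ...while a flag declared once at file scope is accepted.
local seeded = false
local function seed_once()
  if not seeded then
    math.randomseed(os.time())
    seeded = true
  end
end

print(pcall(marshall_int16_ptr, 0x1234))          -- fails: undeclared read
print(pcall(bad_seed))                             -- fails: undeclared write
seed_once()
print(#marshall_ptr(marshall_int16, {0x1234}))     -- the corrected spelling works
```

Run it with a stock `lua` interpreter; the first two pcall results come back false with the guard's message, which is the same class of report check_globals and strict.lua produce for the library code above, but raised at runtime at the offending call site.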
diff -urNb nselib/msrpc.lua nselib-fixed/msrpc.lua
--- nselib/msrpc.lua 2009-07-17 21:49:55.765625000 +0100
+++ nselib-fixed/msrpc.lua 2009-07-17 20:59:24.531250000 +0100
@@ -660,7 +660,7 @@
stdnse.print_debug(2, "MSRPC: Calling NetServerGetStatistics() [%s]", smbstate['ip'])
-- [in] [string,charset(UTF16)] uint16 *server_unc,
- arguments = msrpctypes.marshall_unicode_ptr(server_unc, true)
+ arguments = msrpctypes.marshall_unicode_ptr(server, true)
-- [in] [string,charset(UTF16)] uint16 *service,
arguments = arguments .. msrpctypes.marshall_unicode_ptr(service, true)
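Review bot: the fix depends on `server` being the name of the enclosing function's parameter, and the hunk does not show the function header; confirm that the NetServerGetStatistics wrapper's signature uses `server` (the neighbouring `service` argument suggests the parameters follow the IDL names without the `_unc` suffix). Before this change `server_unc` was an undeclared global, so marshall_unicode_ptr was being handed nil and the request went out with a null server name; a quick call against a real host would confirm the corrected argument is what the server expects.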
diff -urNb nselib/msrpctypes.lua nselib-fixed/msrpctypes.lua
--- nselib/msrpctypes.lua 2009-07-17 21:49:55.781250000 +0100
+++ nselib-fixed/msrpctypes.lua 2009-07-17 21:17:43.546875000 +0100
@@ -199,7 +199,7 @@
pos = pos + 2
end
- stdnse.print_debug(4, "MSRPC: Leaving unicode_to_string()", i, count)
+ stdnse.print_debug(4, "MSRPC: Leaving unicode_to_string()")
return pos, string
end
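Review bot: dropping the trailing `i, count` arguments is correct as far as it goes, since the format string has no placeholders and they were never printed, so `count` was only ever an undeclared-global read. If the position and count are actually useful at debug level 4, add `%d` placeholders and pass the function's own locals instead of silently losing them.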
@@ -910,7 +910,7 @@
local result
stdnse.print_debug(4, string.format("MSRPC: Entering marshall_int16_ptr()"))
- result = marshall_ptr(ALL, marshal_int16, {int16, pad}, int16)
+ result = marshall_ptr(ALL, marshall_int16, {int16, pad}, int16)
stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_int16_ptr()"))
return result
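Review bot: a one-letter spelling fix, but it changes behaviour rather than just silencing the checker: `marshal_int16` was nil, so marshall_ptr was being given a nil marshalling function and any caller of marshall_int16_ptr with a non-null value would have failed at call time. Worth exercising marshall_int16_ptr with a non-nil int16 after applying, and the `{int16, pad}` argument list implies marshall_int16 must accept `(int16, pad)`, which should be confirmed.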
@@ -928,7 +928,7 @@
local result
stdnse.print_debug(4, string.format("MSRPC: Entering marshall_int8_ptr()"))
- result = marshall_ptr(ALL, marshal_int8, {int8, pad}, int8)
+ result = marshall_ptr(ALL, marshall_int8, {int8, pad}, int8)
stdnse.print_debug(4, string.format("MSRPC: Leaving marshall_int8_ptr()"))
return result
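Review bot: same pattern as the int16 hunk above, with the same consequence that marshall_int8_ptr could never have marshalled a non-null value; a grep for other `marshal_` (single l) spellings in msrpctypes.lua would catch any remaining instances the checker reported at line 0 and could not place.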
diff -urNb nselib/smb.lua nselib-fixed/smb.lua
--- nselib/smb.lua 2009-07-17 21:49:55.750000000 +0100
+++ nselib-fixed/smb.lua 2009-07-17 21:33:43.796875000 +0100
@@ -1253,7 +1253,7 @@
-- This loop takes care of the multiple packets that "extended security" requires
repeat
-- Get the new security blob, passing the old security blob as a parameter. If there was no
previous security blob, then nil is passed, which creates a new one
- status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'],
accounts[i]['username'], accounts[i]['domain'], accounts[i]['hash_type'], overrides, use_defaults)
+ status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'],
accounts[i]['username'], accounts[i]['domain'], accounts[i]['hash_type'], overrides, use_default)
-- There was an error processing the security blob
if(status == false) then
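Review bot: renaming the argument to `use_default` assumes that is the parameter or local actually in scope in this function, and the hunk does not show its header; verify it, otherwise the change only trades one undeclared global for another and check_globals will flag it again. Also grep smb.lua for any other `use_defaults` references, since the checker reports this name at line 0 and cannot say how many sites there are.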
@@ -1789,9 +1789,9 @@
end
-- Parse the parameters
- local reserved, count_high, remaining, count_low
- pos, andx_command, andx_reserved, andx_offset, count_low, remaining, count_high, reserved =
bin.unpack("<CCSSSSS", parameters)
- if(reserved == nil) then
+ local count_reserved, count_high, remaining, count_low
+ pos, andx_command, andx_reserved, andx_offset, count_low, remaining, count_high, count_reserved =
bin.unpack("<CCSSSSS", parameters)
+ if(count_reserved == nil) then
return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [28]"
end
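Review bot: renaming the local from `reserved` to `count_reserved` only resolves the checker's complaint if the later references outside this hunk already read `count_reserved`; conversely, any remaining use of `reserved` further down the function now becomes an undeclared global, so the rest of the function needs checking. The declaration order (`count_reserved, count_high, remaining, count_low`) differing from the unpack order is fine, since the multiple assignment is positional.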
--- smb-brute.nse.orig 2009-07-17 21:56:26.750000000 +0100
+++ smb-brute.nse 2009-07-17 21:54:33.875000000 +0100
@@ -175,9 +175,10 @@
local str = ""
-- Seed the random number, if we haven't already
- if(random_set == false) then
+ if not nmap.registry.smbbrute or not nmap.registry.smbbrute.seeded then
math.randomseed(os.time())
- random_set = true
+ nmap.registry.smbbrute = {}
+ nmap.registry.smbbrute.seeded = true
end
for i = 1, length, 1 do
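Review bot: `nmap.registry.smbbrute = {}` clobbers any table already stored under that key, so anything else smb-brute (or another script) keeps in that namespace is lost the first time this runs; use `nmap.registry.smbbrute = nmap.registry.smbbrute or {}` and the condition can then simply be `if not nmap.registry.smbbrute.seeded`. Moving the flag into the registry does satisfy strict.lua, since `random_set` was never declared anywhere; the seed itself is still `os.time()` with one-second granularity, which is what the original had and is fine for generating throwaway strings but should not be mistaken for a strong random source.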