Nmap Development mailing list archives

Re: POC Payloader dat


From: David Fifield <david () bamsoftware com>
Date: Wed, 13 Jan 2010 18:31:09 -0700

On Wed, Jan 13, 2010 at 04:19:25PM -0500, Jay Fink wrote:
On Tue, Jan 12, 2010 at 1:41 PM, David Fifield <david () bamsoftware com> wrote:


You can keep the payload names--that might be useful in the future. It's
just that we won't be looking them up that way.

Hmm - okay - it doesn't matter too much right now as I am scanning in
the line. I took them out but to keep them I only have to change the
scan a little bit. Basically I am making <payload_name> <proto> <port>
position dependent but not the payloads (I stop appending the payload
string when we hit the next <proto> keyword - yeah I know I have
insert logic to deal with the sport still :)

That said, how do these apples look?:

[16:16:27 jfink@altair:~/src/contrib]$ ./payload udp 1604
\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
[16:16:29 jfink@altair:~/src/contrib]$ ./payload udp 500
\x00\x11\x22\x33\x44\x55\x66\x77\x00\x00\x00\x00\x00\x00\x00\x00\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\xA4\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x98\x01\x01\x00\x04\x03\x00\x00\x24\x01\x01\x00\x00\x80\x01\x00\x05\x80\x02\x00\x02\x80\x03\x00\x01\x80\x04\x00\x02\x80\x0B\x00\x01\x00\x0C\x00\x04\x00\x00\x00\x01\x03\x00\x00\x24\x02\x01\x00\x00\x80\x01\x00\x05\x80\x02\x00\x01\x80\x03\x00\x01\x80\x04\x00\x02\x80\x0B\x00\x01\x00\x0C\x00\x04\x00\x00\x00\x01\x03\x00\x00\x24\x03\x01\x00\x00\x80\x01\x00\x01\x80\x02\x00\x02\x80\x03\x00\x01\x80\x04\x00\x02\x80\x0B\x00\x01\x00\x0C\x00\x04\x00\x00\x00\x01\x00\x00\x00\x24\x04\x01\x00\x00\x80\x01\x00\x01\x80\x02\x00\x01\x80\x03\x00\x01\x80\x04\x00\x02\x80\x0B\x00\x01\x00\x0C\x00\x04\x00\x00\x00\x01
[16:16:32 jfink@altair:~/src/contrib]$ ./payload udp 53
\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00

That looks great! That's what we're looking for, something that works
like get_udp_payload.

As for parsing, I think you can just keep adding to the payload as long
as you're getting quoted strings (or comments). The first thing that's
not quoted (or the end of the file) ends the payload.

Once the payload has ended then you look at the next token--it might be
"udp" or "source_port" or something--and then you know what to do next.
In fact, you might want to use the format <proto> <ports> <name> instead
of <name> <proto> <ports> just so there's no confusion about whether a
token is a payload name or a keyword.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
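The parsing rule David describes above (keep appending quoted strings and skipping comments until the first unquoted token, then treat that token as the next keyword) is easy to get wrong if the payload name can be mistaken for a keyword. The following is an added example written for this archive page, not code from the nmap-dev thread or from Nmap itself; it implements a small tokenizer and parser for the `<proto> <ports> [<name>]` layout David suggests, with an optional `source_port` keyword after the payload. The exact record layout, the `source_port` spelling, and the sample file are assumptions drawn from the discussion, not the final nmap-payloads syntax; only the 12-byte `udp 53` payload is taken from the thread.

```python
import codecs
import re
from dataclasses import dataclass
from typing import List, Optional

# One token per match: a quoted string (backslash escapes allowed), a '#'
# comment running to end of line, or any other run of non-whitespace.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|\S+')

PROTOS = {"udp", "tcp"}
KEYWORDS = PROTOS | {"source_port"}   # "source_port" is an assumed keyword

# Constructed sample file in the assumed layout. The udp 53 bytes are the ones
# shown in the thread; the udp 1604,1605 record is illustrative only.
SAMPLE = r'''
# DNS status request
udp 53 dns
  "\x00\x00\x10\x00\x00\x00\x00\x00"
  "\x00\x00\x00\x00"   # payload continues across lines

# record with no name, a comma-separated port list, and a fixed source port
udp 1604,1605
  "\x1e\x00\x01\x30\x02\xfd\xa8\xe3"
  source_port 1604
'''


@dataclass
class Payload:
    proto: str
    ports: List[int]
    name: Optional[str]
    data: bytes
    source_port: Optional[int] = None


def tokenize(text: str) -> List[str]:
    """Split the file into tokens, discarding comments."""
    return [m.group(0) for m in TOKEN_RE.finditer(text)
            if not m.group(0).startswith("#")]


def parse_ports(spec: str) -> List[int]:
    """Expand a port spec such as '53', '1604,1605' or '137-139'."""
    ports: List[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports


def unescape(quoted: str) -> bytes:
    """Turn a quoted token containing \\xNN escapes into raw bytes."""
    return codecs.decode(quoted[1:-1], "unicode_escape").encode("latin-1")


def parse_payloads(text: str) -> List[Payload]:
    """Parse records of the form: <proto> <ports> [<name>] "..." ["..."]* [source_port N]."""
    tokens = tokenize(text)
    records: List[Payload] = []
    i = 0
    while i < len(tokens):
        if tokens[i] not in PROTOS or i + 1 >= len(tokens):
            raise ValueError(f"expected '<proto> <ports>' at token {i}: {tokens[i]!r}")
        proto, ports = tokens[i], parse_ports(tokens[i + 1])
        i += 2
        # An optional name: anything that is neither a keyword nor a quoted string.
        name = None
        if i < len(tokens) and tokens[i] not in KEYWORDS and not tokens[i].startswith('"'):
            name, i = tokens[i], i + 1
        # Keep appending quoted strings; the first unquoted token ends the payload.
        data = b""
        while i < len(tokens) and tokens[i].startswith('"'):
            data += unescape(tokens[i])
            i += 1
        source_port = None
        if i < len(tokens) and tokens[i] == "source_port":
            if i + 1 >= len(tokens):
                raise ValueError("source_port without a port number")
            source_port, i = int(tokens[i + 1]), i + 2
        records.append(Payload(proto, ports, name, data, source_port))
    return records


def get_udp_payload(records: List[Payload], port: int) -> Optional[bytes]:
    """Look up the UDP payload for a port, mirroring the lookup the thread wants."""
    for rec in records:
        if rec.proto == "udp" and port in rec.ports:
            return rec.data
    return None


def escape_bytes(data: bytes) -> str:
    """Render bytes in the \\xNN form shown by the ./payload tool in the thread."""
    return "".join(f"\\x{b:02x}" for b in data)


if __name__ == "__main__":
    recs = parse_payloads(SAMPLE)
    for rec in recs:
        print(rec.proto, rec.ports, rec.name, rec.source_port, escape_bytes(rec.data))
    print(escape_bytes(get_udp_payload(recs, 53) or b""))
```

Because the protocol keyword always opens a record, a payload name can never be confused with a keyword: the parser only accepts a name in the one slot between the port spec and the first quoted string, which is the point David makes about preferring `<proto> <ports> <name>` over `<name> <proto> <ports>`.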

