Nmap Development mailing list archives

Re: [NSE] mssql library - bug in parsing browser data


From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 23 Jan 2011 08:52:16 +0100


On Jan 22, 2011, at 01:33, Chris Woodbury wrote:

While working on some NSE scripts for SQL Server, I found a bug in the
mssql.lua library. In the Discover function, when the SQL Server
browser data is being parsed, it treats ";;" as a marker for the end
of the data for a SQL Server instance. However, ";;" is valid within
the data for an instance, signifying a field without a value (i.e. an
empty string, etc.), and one of these ";;"s will make the capture
end too early, likely resulting in a crash [1].

Good find!


Basically, the proper way to identify an instance is to find
ServerName;.-;InstanceName;.-;IsClustered;.-; (per the SSRP spec,
these are always present and in this order) and then go on until you
reach the end or another instance. I couldn't figure out how to do
this with Lua patterns in one step; so, I did it in two - cutting up
the string and then parsing each one.

I've attached a patch against the SVN version. I haven't done a ton of
Lua/NSE scripting, so I would appreciate any comments.

Thanks a lot for the patch and I think it looks good so I've applied it. It's in as r21987.

Thanks
-chris


[1] Example:
"ServerName;WINXP;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;np;\\WINXP\pipe\sql\query;tcp;1433;rpc;WINXP;spx;WINXP;adsp;WINXP;bv;;@MSSQL;;via;WINXP,0:1433;;"
gets captured as:
(1) ServerName;WINXP;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;np;\\WINXP\pipe\sql\query;tcp;1433;rpc;WINXP;spx;WINXP;adsp;WINXP;bv;;
(2) @MSSQL;;
(3) via;WINXP,0:1433;;
(4) ServerName;WINXP;InstanceName;SQL2K5;IsClustered;No;Version;9.00.4035.00;tcp;1278;;

The script crashes on line 843 during (2), when it tries to use the
instance name, which it didn't get.
<mssql_ssrp_split.patch>
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
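As an added illustration (this is not Chris's patch and not code from mssql.lua), the two-step approach described above in Python: cut the browser response at each mandatory ServerName/InstanceName/IsClustered header, then read each piece as key/value fields, shown beside the ";;"-split it replaces. The sample response is constructed by concatenating the two instances from the example above.

```python
import re

# Constructed sample: the two instances quoted in the example above, concatenated
# the way the SQL Server Browser returns them. Note the ";;" inside "bv;;@MSSQL;;".
SAMPLE = (
    "ServerName;WINXP;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;"
    r"np;\\WINXP\pipe\sql\query;tcp;1433;rpc;WINXP;spx;WINXP;adsp;WINXP;"
    "bv;;@MSSQL;;via;WINXP,0:1433;;"
    "ServerName;WINXP;InstanceName;SQL2K5;IsClustered;No;Version;9.00.4035.00;tcp;1278;;"
)

# Every instance record starts with these three fields, in this order (per SSRP).
INSTANCE_HEADER = re.compile(r"ServerName;[^;]*;InstanceName;[^;]*;IsClustered;[^;]*;")


def split_on_double_semicolon(data):
    """The buggy behaviour: treat every ';;' as the end of an instance record."""
    return [chunk + ";;" for chunk in data.split(";;") if chunk]


def split_instances(data):
    """Step 1: cut the response at each instance header, up to the next header or the end."""
    starts = [m.start() for m in INSTANCE_HEADER.finditer(data)]
    ends = starts[1:] + [len(data)]
    return [data[s:e] for s, e in zip(starts, ends)]


def parse_instance(chunk):
    """Step 2: drop the ';;' terminator and read the remaining tokens as key/value pairs.

    An empty value appears as two adjacent ';' and is kept as ''. (The bv entry in the
    sample carries extra ';'-separated parts; this pairwise pass leaves them as odd
    keys such as '@MSSQL' rather than decoding every MC-SQLR field type.)
    """
    if chunk.endswith(";;"):
        chunk = chunk[:-2]
    tokens = chunk.split(";")
    if len(tokens) % 2:            # dangling key with no value
        tokens.append("")
    return dict(zip(tokens[0::2], tokens[1::2]))


def parse_browser_response(data):
    """Return one dict per instance; each carries the three header fields by construction."""
    return [parse_instance(chunk) for chunk in split_instances(data)]


if __name__ == "__main__":
    print(len(split_on_double_semicolon(SAMPLE)), "fragments from the ';;' split")
    for inst in parse_browser_response(SAMPLE):
        print(inst["ServerName"], inst["InstanceName"], inst.get("tcp", "-"))
```

The ";;" split yields the four fragments listed in the example, the second of which has no InstanceName; the header-anchored split yields exactly two instances.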


