From 02c59d129260f0454a560965f4b166e03527fb7b Mon Sep 17 00:00:00 2001 From: patrik Date: Thu, 29 Dec 2011 08:49:38 +0000 Subject: [PATCH] o [NSE] Added local port to BPF filter in snmp-brute to fix bug that would prevent multiple scripts from receiving the correct responses. The bug was discovered by Brendan Bird. [Patrik] --- CHANGELOG | 4 ++++ scripts/snmp-brute.nse | 33 +++++++++++++++++++++++---------- 2 files changed, 27 insertions(+), 10 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index f1e7ba6de..82df43ed8 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,9 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added local port to BPF filter in snmp-brute to fix bug that would + prevent multiple scripts from receiving the correct responses. The bug was + discovered by Brendan Bird. [Patrik] + o [NSE] Removed DoS code from dhcp-discover and placed it into the discover and safe categories. Added support for adding options to DHCP requests in the dhcp library. [Patrik] diff --git a/scripts/snmp-brute.nse b/scripts/snmp-brute.nse index a0ac67033..6a899ab34 100644 --- a/scripts/snmp-brute.nse +++ b/scripts/snmp-brute.nse @@ -20,6 +20,9 @@ No output is reported if no valid account is found. -- 2011-07-17 Gorjan Petrovski, Patrik Karlsson, optimization and creds -- accounts, rejected use of the brute library because of -- implementation using unconnected sockets. +-- 2011-12-29 Patrik Karlsson - Added lport to sniff_snmp_responses to fix +-- bug preventing multiple scripts from working +-- properly. --- -- @usage @@ -130,12 +133,9 @@ local communities = function() end end -local send_snmp_queries = function(host, port, result, nextcommunity) +local send_snmp_queries = function(socket, result, nextcommunity) local condvar = nmap.condvar(result) - local socket = nmap.new_socket("udp") - --socket:set_timeout(host.times.timeout*1000) - local request = snmp.buildGetRequest({}, "1.3.6.1.2.1.1.3.0") local payload, status, response @@ -148,7 +148,7 @@ local send_snmp_queries = function(host, port, result, nextcommunity) return end payload = snmp.encode(snmp.buildPacket(request, 0, community)) - status, err = socket:sendto(host, port, payload) + status, err = socket:send(payload) if not status then result.status = false result.msg = "Could not send SNMP probe" @@ -159,19 +159,18 @@ local send_snmp_queries = function(host, port, result, nextcommunity) community = nextcommunity() end - socket:close() result.sent = true condvar("signal") end -local sniff_snmp_responses = function(host, port, result) +local sniff_snmp_responses = function(host, port, lport, result) local condvar = nmap.condvar(result) local pcap = nmap.new_socket() pcap:set_timeout(host.times.timeout * 1000 * 3) local ip = host.bin_ip_src ip = string.format("%d.%d.%d.%d",ip:byte(1),ip:byte(2),ip:byte(3),ip:byte(4)) - pcap:pcap_open(host.interface, 104, false,"dst host " .. ip .. " and udp and port 161") + pcap:pcap_open(host.interface, 104, false,"dst host " .. ip .. " and udp and src port 161 and dst port " .. lport) -- last_run indicated whether there will be only one more receive local last_run = false @@ -235,8 +234,20 @@ action = function(host, port) result.msg = "" -- Error/Status msg result.status = true -- Status (is everything ok) - local recv_co = stdnse.new_thread(sniff_snmp_responses, host, port, result) - local send_co = stdnse.new_thread(send_snmp_queries, host, port, result, nextcommunity) + local socket = nmap.new_socket("udp") + status = socket:connect(host, port) + + if ( not(status) ) then + return "\n ERROR: Failed to connect to server" + end + + local status, _, lport = socket:get_info() + if( not(status) ) then + return "\n ERROR: Failed to retrieve local port" + end + + local recv_co = stdnse.new_thread(sniff_snmp_responses, host, port, lport, result) + local send_co = stdnse.new_thread(send_snmp_queries, socket, result, nextcommunity) local recv_dead, send_dead while true do @@ -246,6 +257,8 @@ action = function(host, port) if recv_dead then break end end + socket:close() + if result.status then -- add the community strings to the creds database local c = creds.Credentials:new(SCRIPT_NAME, host, port)