PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity

Update unpacking of share names to use string.unpack

Browse Source
This commit is contained in:
dmiller
2018-09-06 14:20:33 +00:00
parent c0fd9f3257
commit 201ee75059
2 changed files with 13 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
scripts/smb-print-text.nse
View File

@@ -1,4 +1,3 @@
local bin = require "bin"
local io = require "io" local io = require "io"
local msrpc = require "msrpc" local msrpc = require "msrpc"
local smb = require "smb" local smb = require "smb"
@@ -77,7 +76,7 @@ action = function(host,port)
local lanman_result local lanman_result
local REMSmb_NetShareEnum_P = "WrLeh" local REMSmb_NetShareEnum_P = "WrLeh"
local REMSmb_share_info_1 = "B13BWz" local REMSmb_share_info_1 = "B13BWz"
status, lanman_result = msrpc.call_lanmanapi(smbstate,0,REMSmb_NetShareEnum_P,REMSmb_share_info_1,bin.pack("<ss",0x01,65406)) status, lanman_result = msrpc.call_lanmanapi(smbstate,0,REMSmb_NetShareEnum_P,REMSmb_share_info_1,string.pack("<I2I2", 0x01, 65406))
if status == false then if status == false then
stdnse.debug1("SMB: " .. lanman_result) stdnse.debug1("SMB: " .. lanman_result)
stdnse.debug1("SMB: Looks like LANMAN API is not available. Try setting printer script arg.") stdnse.debug1("SMB: Looks like LANMAN API is not available. Try setting printer script arg.")
@@ -86,19 +85,18 @@ action = function(host,port)
local parameters = lanman_result.parameters local parameters = lanman_result.parameters
local data = lanman_result.data local data = lanman_result.data
local pos, status, convert, entry_count, available_entries = bin.unpack("<SSSS", parameters) local status, convert, entry_count, available_entries = string.unpack("<I2 I2 I2 I2", parameters)
pos = 0 local pos = 1
local share_type, name, _
for i = 1, entry_count, 1 do for i = 1, entry_count, 1 do
_,share_type = bin.unpack(">s",data,pos+14) local name, share_type = string.unpack(">c14 I2", data, pos)
pos, name = bin.unpack("<z", data, pos)
-- pos needs to be rounded to the next even multiple of 20
pos = pos + ( 20 - (#name % 20) ) - 1
if share_type == 1 then -- share is printer if share_type == 1 then -- share is printer
name = string.unpack("z", name)
stdnse.debug1("Found printer share %s.", name) stdnse.debug1("Found printer share %s.", name)
printer = name printer = name
break
end end
pos = pos + 20
end end
end end
if not printer then if not printer then

14
scripts/smb-vuln-ms10-061.nse
View File

@@ -1,4 +1,3 @@
local bin = require "bin"
local msrpc = require "msrpc" local msrpc = require "msrpc"
local smb = require "smb" local smb = require "smb"
local string = require "string" local string = require "string"
@@ -120,19 +119,18 @@ aka "Print Spooler Service Impersonation Vulnerability."
local parameters = lanman_result.parameters local parameters = lanman_result.parameters
local data = lanman_result.data local data = lanman_result.data
local pos, status, convert, entry_count, available_entries = bin.unpack("<SSSS", parameters) local status, convert, entry_count, available_entries = string.unpack("<I2 I2 I2 I2", parameters)
pos = 0 local pos = 1
local share_type, name, _
for i = 1, entry_count, 1 do for i = 1, entry_count, 1 do
_,share_type = bin.unpack(">s",data,pos+14) local name, share_type = string.unpack(">c14 I2", data, pos)
pos, name = bin.unpack("<z", data, pos)
-- pos needs to be rounded to the next even multiple of 20
pos = pos + ( 20 - (#name % 20) ) - 1
if share_type == 1 then -- share is printer if share_type == 1 then -- share is printer
name = string.unpack("z", name)
stdnse.debug1("Found printer share %s.", name) stdnse.debug1("Found printer share %s.", name)
printer = name printer = name
break
end end
pos = pos + 20
end end
end end
if not printer then if not printer then