Lots of little bugfixes throughout several smb scripts, mostly related to bad use of global variables

nselib/msrpcperformance.lua

@@ -426,40 +426,36 @@ end
 --@param objects [optional] The space-separated list of object numbers to retrieve. Default: only retrieve the database. 
 function get_performance_data(host, objects)
 
-	local status, smbstate
-	local bind_result, openhkpd_result, queryvalue_result, data_block
-	local pos, object_type, counter_result
-	local result = {}
-	local i, j, k
-
 	-- Create the SMB session
-	status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH)
+	local status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH)
 	if(status == false) then
 		return false, smbstate
 	end
 
 	-- Bind to WINREG service
-	status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil)
+	local status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil)
 	if(status == false) then
 		msrpc.stop_smb(smbstate)
 		return false, bind_result
 	end
 
 	-- Open HKEY_PERFORMANCE_DATA
-	status, openhkpd_result = msrpc.winreg_openhkpd(smbstate)
+	local status, openhkpd_result = msrpc.winreg_openhkpd(smbstate)
 	if(status == false) then
 		msrpc.stop_smb(smbstate)
 		return false, openhkpd_result
 	end
 
-	status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openhkpd_result['handle'], "Counter 009")
+	local status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openhkpd_result['handle'], "Counter 009")
 	if(status == false) then
 		msrpc.stop_smb(smbstate)
 		return false, queryvalue_result
 	end
 
 	-- Parse the title database
-	pos = 1
+	local pos = 1
+	local status
+	local result = {}
 	status, pos, result['title_database'] = parse_perf_title_database(queryvalue_result['value'], pos)
 	if(status == false) then
 		msrpc.stop_smb(smbstate)
@@ -470,7 +466,7 @@ function get_performance_data(host, objects)
 
 	if(objects ~= nil and #objects > 0) then
 		-- Query for the objects
-		status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openhkpd_result['handle'], objects)
+		local status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openhkpd_result['handle'], objects)
 		if(status == false) then
 			msrpc.stop_smb(smbstate)
 			return false, queryvalue_result
@@ -478,6 +474,7 @@ function get_performance_data(host, objects)
 
 		-- Parse the header
 		pos = 1
+		local status, data_block
 		status, pos, data_block = parse_perf_data_block(queryvalue_result['value'], pos)
 		if(status == false) then
 			msrpc.stop_smb(smbstate)
@@ -490,13 +487,13 @@ function get_performance_data(host, objects)
 		-- Parse the data sections
 		for i = 1, data_block['NumObjectTypes'], 1 do
 			local object_start = pos
-			local object_name
 
 			local counter_definitions = {}
 			local object_instances    = {}
 			local counter_definitions = {}
 
 			-- Get the type of the object (this is basically the class definition -- info about the object instances)
+			local status, object_type
 			status, pos, object_type = parse_perf_object_type(queryvalue_result['value'], pos)
 			if(status == false) then
 				msrpc.stop_smb(smbstate)
@@ -505,7 +502,7 @@ function get_performance_data(host, objects)
 
 			-- Start setting up the result object
 --io.write(string.format("Index = %d\n", object_type['ObjectNameTitleIndex']))
-			object_name = result['title_database'][object_type['ObjectNameTitleIndex']]
+			local object_name = result['title_database'][object_type['ObjectNameTitleIndex']]
 			result[object_name] = {}
 			
 --io.write(string.format("\n\nOBJECT: %s\n", object_name))
@@ -534,9 +531,9 @@ function get_performance_data(host, objects)
 				-- Parse the object instances and counters
 				for j = 1, object_type['NumInstances'], 1 do
 					local instance_start = pos
-					local instance_name
-					local counter_block
+
 					-- Instance definition
+					local status
 					status, pos, object_instances[j] = parse_perf_instance_definition(queryvalue_result['value'], pos)
 					if(status == false) then
 						msrpc.stop_smb(smbstate)
@@ -544,7 +541,7 @@ function get_performance_data(host, objects)
 					end
 
 					-- Set up the instance array
-					instance_name = object_instances[j]['InstanceName']
+					local instance_name = object_instances[j]['InstanceName']
 					result[object_name][instance_name] = {}
 		
 					-- Bring the pos to the start of the counter block
@@ -557,6 +554,7 @@ function get_performance_data(host, objects)
 --io.write("  --------------\n")
 		
 					-- The counter block
+					local status, counter_block
 					status, pos, counter_block = parse_perf_counter_block(queryvalue_result['value'], pos)
 					if(status == false) then
 						msrpc.stop_smb(smbstate)
@@ -564,14 +562,15 @@ function get_performance_data(host, objects)
 					end
 		
 					for k = 1, object_type['NumCounters'], 1 do
-						local counter_name
 						-- Each individual counter
+						local status, counter_result
 						status, pos, counter_result = parse_perf_counter(queryvalue_result['value'], pos, counter_definitions[k])
 						if(status == false) then
 							msrpc.stop_smb(smbstate)
 							return false, pos
 						end
-						counter_name = result['title_database'][counter_definitions[k]['CounterNameTitleIndex']]
+
+						local counter_name = result['title_database'][counter_definitions[k]['CounterNameTitleIndex']]
 --io.write(string.format("    %s: %s\n", counter_name, counter_result))
 
 						-- Save it in the result
@@ -583,14 +582,15 @@ function get_performance_data(host, objects)
 				end
 			else
 				for k = 1, object_type['NumCounters'], 1 do
-					local counter_name
 					-- Each individual counter
+					local status, counter_result
 					status, pos, counter_result = parse_perf_counter(queryvalue_result['value'], pos, counter_definitions[k])
 					if(status == false) then
 						msrpc.stop_smb(smbstate)
 						return false, pos
 					end
-					counter_name = result['title_database'][counter_definitions[k]['CounterNameTitleIndex']]
+
+					local counter_name = result['title_database'][counter_definitions[k]['CounterNameTitleIndex']]
 --io.write(string.format("    %s: %s\n", counter_name, counter_result))
 
 					-- Save it in the result

scripts/smb-enum-processes.nse

@@ -203,10 +203,8 @@ hostrule = function(host)
 end
 
 action = function(host)
-	local process, response, result, status
-
 	-- Get the process list
-	status, result = msrpcperformance.get_performance_data(host, "230")
+	local status, result = msrpcperformance.get_performance_data(host, "230")
 	if status == false then
 		if nmap.debugging() > 0 then
 			return "ERROR: " .. result
@@ -216,7 +214,7 @@ action = function(host)
 	end
 
 	-- Get the process table
-	process = result["Process"]
+	local process = result["Process"]
 
 	-- Put the processes into an array, and sort them by pid.
 	local names = {}
@@ -281,6 +279,7 @@ action = function(host)
 	end
 
 	-- Produce final output.
+	local response
 	if nmap.verbosity() == 0 then
 		response = "|_ " .. stdnse.strjoin(", ", names)
 	else

scripts/smb-enum-sessions.nse

@@ -119,19 +119,19 @@ local function winreg_enum_rids(host)
 	local elements = {}
 
 	-- Create the SMB session
-	status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH)
+	local status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH)
 	if(status == false) then
 		return false, smbstate
 	end
 
 	-- Bind to WINREG service
-	status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil)
+	local status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil)
 	if(status == false) then
 		msrpc.stop_smb(smbstate)
 		return false, bind_result
 	end
 
-	status, openhku_result = msrpc.winreg_openhku(smbstate)
+	local status, openhku_result = msrpc.winreg_openhku(smbstate)
 	if(status == false) then
 		msrpc.stop_smb(smbstate)
 		return false, openhku_result
@@ -140,7 +140,7 @@ local function winreg_enum_rids(host)
 	-- Loop through the keys under HKEY_USERS and grab the names
 	i = 0
 	repeat 
-		status, enumkey_result = msrpc.winreg_enumkey(smbstate, openhku_result['handle'], i, "")
+		local status, enumkey_result = msrpc.winreg_enumkey(smbstate, openhku_result['handle'], i, "")
 
 		if(status == true) then
 			local status, openkey_result
@@ -150,18 +150,18 @@ local function winreg_enum_rids(host)
 
 			-- To get the time the user logged in, we check the 'Volatile Environment' key
 			-- This can fail with the 'guest' account due to access restrictions
-			status, openkey_result = msrpc.winreg_openkey(smbstate, openhku_result['handle'], element['name'] .. "\\Volatile Environment")
+			local status, openkey_result = msrpc.winreg_openkey(smbstate, openhku_result['handle'], element['name'] .. "\\Volatile Environment")
 			if(status ~= false) then
 				local queryinfokey_result, closekey_result
 
 				-- Query the info about this key. The response will tell us when the user logged into the server. 
-				status, queryinfokey_result = msrpc.winreg_queryinfokey(smbstate, openkey_result['handle'])
+				local status, queryinfokey_result = msrpc.winreg_queryinfokey(smbstate, openkey_result['handle'])
 				if(status == false) then
 					msrpc.stop_smb(smbstate)
 					return false, queryinfokey_result
 				end
 
-				status, closekey_result = msrpc.winreg_closekey(smbstate, openkey_result['handle'])
+				local status, closekey_result = msrpc.winreg_closekey(smbstate, openkey_result['handle'])
 				if(status == false) then
 					msrpc.stop_smb(smbstate)
 					return false, closekey_result
@@ -178,7 +178,7 @@ local function winreg_enum_rids(host)
 		i = i + 1
 	until status ~= true
 
-	status, closekey_result = msrpc.winreg_closekey(smbstate, openhku_result['handle'])
+	local status, closekey_result = msrpc.winreg_closekey(smbstate, openhku_result['handle'])
 	if(status == false) then
 		msrpc.stop_smb(smbstate)
 		return false, closekey_result
@@ -187,20 +187,20 @@ local function winreg_enum_rids(host)
 	msrpc.stop_smb(smbstate)
 
 	-- Start a new SMB session
-	status, smbstate = msrpc.start_smb(host, msrpc.LSA_PATH)
+	local status, smbstate = msrpc.start_smb(host, msrpc.LSA_PATH)
 	if(status == false) then
 		return false, smbstate
 	end
 
 	-- Bind to LSA service
-	status, bind_result = msrpc.bind(smbstate, msrpc.LSA_UUID, msrpc.LSA_VERSION, nil)
+	local status, bind_result = msrpc.bind(smbstate, msrpc.LSA_UUID, msrpc.LSA_VERSION, nil)
 	if(status == false) then
 		msrpc.stop_smb(smbstate)
 		return false, bind_result
 	end
 
 	-- Get a policy handle
-	status, openpolicy2_result = msrpc.lsa_openpolicy2(smbstate, host.ip)
+	local status, openpolicy2_result = msrpc.lsa_openpolicy2(smbstate, host.ip)
 	if(status == false) then
 		msrpc.stop_smb(smbstate)
 		return false, openpolicy2_result
@@ -216,7 +216,7 @@ local function winreg_enum_rids(host)
 				-- The rid is the last digits before the end of the string
 				local rid = string.sub(sid, string.find(sid, "%d+$"))
 
-				status, lookupsids2_result = msrpc.lsa_lookupsids2(smbstate, openpolicy2_result['policy_handle'], {elements[i]['name']})
+				local status, lookupsids2_result = msrpc.lsa_lookupsids2(smbstate, openpolicy2_result['policy_handle'], {elements[i]['name']})
 
 				if(status == false) then
 					-- It may not succeed, if it doesn't that's ok
@@ -267,11 +267,9 @@ action = function(host)
 
 	local response = {}
 
-	local status1, status2
-
 	-- Enumerate the logged in users
 	local logged_in = {}
-	status1, users = winreg_enum_rids(host)
+	local status1, users = winreg_enum_rids(host)
 	if(status1 == false) then
 		logged_in['warning'] = "Couldn't enumerate login sessions: " .. users
 	else
@@ -290,7 +288,7 @@ action = function(host)
 
 	-- Get the connected sessions
 	local sessions_output = {}
-	status2, sessions = srvsvc_enum_sessions(host)
+	local status2, sessions = srvsvc_enum_sessions(host)
 	if(status2 == false) then
 		sessions_output['warning'] = "Couldn't enumerate SMB sessions: " .. sessions
 	else

scripts/smb-system-info.nse

@@ -68,21 +68,20 @@ end
 --@return Status (true or false).
 --@return The value (if status is true) or an error string (if status is false).
 local function reg_get_value(smbstate, handle, key, value)
-
 	-- Open the key
-	status, openkey_result = msrpc.winreg_openkey(smbstate, handle, key)
+	local status, openkey_result = msrpc.winreg_openkey(smbstate, handle, key)
     if(status == false) then
         return false, openkey_result
     end
 
 	-- Query the value
-	status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openkey_result['handle'], value)
+	local status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openkey_result['handle'], value)
     if(status == false) then
         return false, queryvalue_result
     end
 
 	-- Close the key
-	status, closekey_result = msrpc.winreg_closekey(smbstate, openkey_result['handle'], value)
+	local status, closekey_result = msrpc.winreg_closekey(smbstate, openkey_result['handle'], value)
     if(status == false) then
         return false, closekey_result
     end
@@ -93,23 +92,22 @@ end
 local function get_info_registry(host)
 
 	local result = {}
-	local status, smbstate, bind_result, openhklm_result
 
 	-- Create the SMB session
-	status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH)
+	local status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH)
 	if(status == false) then
 		return false, smbstate
 	end
 
     -- Bind to WINREG service
-    status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil)
+    local status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil)
     if(status == false) then
         msrpc.stop_smb(smbstate)
         return false, bind_result
     end
 
 	-- Open HKEY_LOCAL_MACHINE
-    status, openhklm_result = msrpc.winreg_openhklm(smbstate)
+    local status, openhklm_result = msrpc.winreg_openhklm(smbstate)
     if(status == false) then
         msrpc.stop_smb(smbstate)
         return false, openhklm_result
@@ -178,7 +176,7 @@ end
 
 action = function(host)
 
-	status, result = get_info_registry(host)
+	local status, result = get_info_registry(host)
 
 	if(status == false) then
 		return stdnse.format_output(false, result)