From 3bc39efc4bb586890c9bd6e9c1fec7d67f82d985 Mon Sep 17 00:00:00 2001
From: ron
Date: Fri, 24 Sep 2010 00:31:12 +0000
Subject: [PATCH] Lots of little bugfixes throughout several smb scripts, mostly related to bad use of global variables
---
 nselib/msrpcperformance.lua | 42 +++++++++++++++++-----------------
 scripts/smb-enum-processes.nse | 7 +++---
 scripts/smb-enum-sessions.nse | 30 ++++++++++++------------
 scripts/smb-system-info.nse | 16 ++++++-------
 4 files changed, 45 insertions(+), 50 deletions(-)

diff --git a/nselib/msrpcperformance.lua b/nselib/msrpcperformance.lua
index 6abc7ba6f..d35b8dd96 100644
--- a/nselib/msrpcperformance.lua
+++ b/nselib/msrpcperformance.lua
@@ -426,40 +426,36 @@ end --@param objects [optional] The space-separated list of object numbers to retrieve. Default: only retrieve the database. function get_performance_data(host, objects) - local status, smbstate - local bind_result, openhkpd_result, queryvalue_result, data_block - local pos, object_type, counter_result - local result = {} - local i, j, k - -- Create the SMB session - status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH) + local status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH) if(status == false) then return false, smbstate end -- Bind to WINREG service - status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil) + local status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil) if(status == false) then msrpc.stop_smb(smbstate) return false, bind_result end -- Open HKEY_PERFORMANCE_DATA - status, openhkpd_result = msrpc.winreg_openhkpd(smbstate) + local status, openhkpd_result = msrpc.winreg_openhkpd(smbstate) if(status == false) then msrpc.stop_smb(smbstate) return false, openhkpd_result end - status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openhkpd_result['handle'], "Counter 009") + local status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openhkpd_result['handle'], "Counter 009") if(status == false) then msrpc.stop_smb(smbstate) return false, queryvalue_result end -- Parse the title database - pos = 1 + local pos = 1 + local status + local result = {} status, pos, result['title_database'] = parse_perf_title_database(queryvalue_result['value'], pos) if(status == false) then msrpc.stop_smb(smbstate) 
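Review bot: The new code re-declares `status` with a fresh `local` before every msrpc call in get_performance_data — four times in this hunk alone, plus a bare `local status` on its own line just before `local result = {}` — so each `if(status == false)` test binds to a different, shadowing local and the earlier ones are dead. Lua accepts this, but it reads as if the author forgot the variable already existed, and the bare `local status` sits three lines away from the assignment that first uses it. Declaring `local status` once at the top of the function and keeping `local` only on the first declaration of each result variable (`local smbstate`, `local bind_result`, …) gives the same global-free behaviour with one status slot; the same pattern recurs in every other hunk of this patch (msrpcperformance.lua -470 onward, smb-enum-sessions.nse -119 onward, smb-system-info.nse -68 and -93). The function body continues past the end of this hunk.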
@@ -470,7 +466,7 @@ function get_performance_data(host, objects) if(objects ~= nil and #objects > 0) then -- Query for the objects - status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openhkpd_result['handle'], objects) + local status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openhkpd_result['handle'], objects) if(status == false) then msrpc.stop_smb(smbstate) return false, queryvalue_result @@ -478,6 +474,7 @@ function get_performance_data(host, objects) -- Parse the header pos = 1 + local status, data_block status, pos, data_block = parse_perf_data_block(queryvalue_result['value'], pos) if(status == false) then msrpc.stop_smb(smbstate) @@ -490,13 +487,13 @@ function get_performance_data(host, objects) -- Parse the data sections for i = 1, data_block['NumObjectTypes'], 1 do local object_start = pos - local object_name local counter_definitions = {} local object_instances = {} local counter_definitions = {} -- Get the type of the object (this is basically the class definition -- info about the object instances) + local status, object_type status, pos, object_type = parse_perf_object_type(queryvalue_result['value'], pos) if(status == false) then msrpc.stop_smb(smbstate) @@ -505,7 +502,7 @@ function get_performance_data(host, objects) -- Start setting up the result object --io.write(string.format("Index = %d\n", object_type['ObjectNameTitleIndex'])) - object_name = result['title_database'][object_type['ObjectNameTitleIndex']] + local object_name = result['title_database'][object_type['ObjectNameTitleIndex']] result[object_name] = {} --io.write(string.format("\n\nOBJECT: %s\n", object_name)) 
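Review bot: In the -505 hunk, `local object_name = result['title_database'][object_type['ObjectNameTitleIndex']]` is immediately used as a table key on the next line (`result[object_name] = {}`); the title index comes from the remote host's counter data, and if it is absent from the parsed title database `object_name` is nil and `result[nil] = {}` raises "table index is nil", aborting the script with a Lua error instead of the `false, message` pair every other failure path returns. The same exposure applies to `instance_name` (-544 hunk) and `counter_name` (-564 and -583 hunks). A guard such as `if object_name == nil then msrpc.stop_smb(smbstate) return false, "Unknown object title index" end` before the assignment keeps the error on the normal return path. Separately, the context of the -490 hunk declares `local counter_definitions = {}` twice in the same loop body; the second is redundant. get_performance_data continues outside these hunks.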
@@ -534,9 +531,9 @@ function get_performance_data(host, objects) -- Parse the object instances and counters for j = 1, object_type['NumInstances'], 1 do local instance_start = pos - local instance_name - local counter_block + -- Instance definition + local status status, pos, object_instances[j] = parse_perf_instance_definition(queryvalue_result['value'], pos) if(status == false) then msrpc.stop_smb(smbstate) @@ -544,7 +541,7 @@ function get_performance_data(host, objects) end -- Set up the instance array - instance_name = object_instances[j]['InstanceName'] + local instance_name = object_instances[j]['InstanceName'] result[object_name][instance_name] = {} -- Bring the pos to the start of the counter block @@ -557,6 +554,7 @@ function get_performance_data(host, objects) --io.write(" --------------\n") -- The counter block + local status, counter_block status, pos, counter_block = parse_perf_counter_block(queryvalue_result['value'], pos) if(status == false) then msrpc.stop_smb(smbstate) @@ -564,14 +562,15 @@ function get_performance_data(host, objects) end for k = 1, object_type['NumCounters'], 1 do - local counter_name -- Each individual counter + local status, counter_result status, pos, counter_result = parse_perf_counter(queryvalue_result['value'], pos, counter_definitions[k]) if(status == false) then msrpc.stop_smb(smbstate) return false, pos end - counter_name = result['title_database'][counter_definitions[k]['CounterNameTitleIndex']] + + local counter_name = result['title_database'][counter_definitions[k]['CounterNameTitleIndex']] --io.write(string.format(" %s: %s\n", counter_name, counter_result)) -- Save it in the result 
@@ -583,14 +582,15 @@ function get_performance_data(host, objects) end else for k = 1, object_type['NumCounters'], 1 do - local counter_name -- Each individual counter + local status, counter_result status, pos, counter_result = parse_perf_counter(queryvalue_result['value'], pos, counter_definitions[k]) if(status == false) then msrpc.stop_smb(smbstate) return false, pos end - counter_name = result['title_database'][counter_definitions[k]['CounterNameTitleIndex']] + + local counter_name = result['title_database'][counter_definitions[k]['CounterNameTitleIndex']] --io.write(string.format(" %s: %s\n", counter_name, counter_result)) -- Save it in the result diff --git a/scripts/smb-enum-processes.nse b/scripts/smb-enum-processes.nse index 981c0c894..5558ade05 100644 --- a/scripts/smb-enum-processes.nse +++ b/scripts/smb-enum-processes.nse @@ -203,10 +203,8 @@ hostrule = function(host) end action = function(host) - local process, response, result, status - -- Get the process list - status, result = msrpcperformance.get_performance_data(host, "230") + local status, result = msrpcperformance.get_performance_data(host, "230") if status == false then if nmap.debugging() > 0 then return "ERROR: " .. result @@ -216,7 +214,7 @@ action = function(host) end -- Get the process table - process = result["Process"] + local process = result["Process"] -- Put the processes into an array, and sort them by pid. local names = {} @@ -281,6 +279,7 @@ action = function(host) end -- Produce final output. + local response if nmap.verbosity() == 0 then response = "|_ " .. stdnse.strjoin(", ", names) else diff --git a/scripts/smb-enum-sessions.nse b/scripts/smb-enum-sessions.nse index e0ee3c34c..749d9c100 100644 --- a/scripts/smb-enum-sessions.nse +++ b/scripts/smb-enum-sessions.nse 
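Review bot: The `for k = 1, object_type['NumCounters'], 1 do` body in the -583 hunk is a line-for-line copy of the one in the -564 hunk (the per-instance branch), and this commit edits both copies identically — which is how such duplicates drift apart. Extracting the per-counter loop into a local helper that takes the value buffer, `pos`, `counter_definitions`, the title database and the destination table, and returns `status, pos`, would leave a single copy to maintain. Both loop bodies continue past the end of their hunks ("-- Save it in the result" is the last visible line), so the tail of the helper cannot be written from what is shown here.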
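Review bot: `local process = result["Process"]` in the -216 hunk of smb-enum-processes.nse has no nil check, and the code below it (outside the hunk) presumably iterates `process`; if the data returned for object "230" carries no object named "Process" in the title database, `process` is nil and the script aborts with a Lua error rather than the string the error path above returns. A guard in the style of that path, `if process == nil then return "ERROR: No 'Process' object in performance data" end`, right after the assignment keeps the failure readable. The `local response` declaration moved to the -281 hunk is fine as written; `action` continues outside these hunks.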
@@ -119,19 +119,19 @@ local function winreg_enum_rids(host) local elements = {} -- Create the SMB session - status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH) + local status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH) if(status == false) then return false, smbstate end -- Bind to WINREG service - status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil) + local status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil) if(status == false) then msrpc.stop_smb(smbstate) return false, bind_result end - status, openhku_result = msrpc.winreg_openhku(smbstate) + local status, openhku_result = msrpc.winreg_openhku(smbstate) if(status == false) then msrpc.stop_smb(smbstate) return false, openhku_result @@ -140,7 +140,7 @@ local function winreg_enum_rids(host) -- Loop through the keys under HKEY_USERS and grab the names i = 0 repeat - status, enumkey_result = msrpc.winreg_enumkey(smbstate, openhku_result['handle'], i, "") + local status, enumkey_result = msrpc.winreg_enumkey(smbstate, openhku_result['handle'], i, "") if(status == true) then local status, openkey_result 
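Review bot: `i = 0` in the context two lines above the new `local status, enumkey_result` line (-140 hunk) still assigns without `local`; unless `i` is declared earlier in winreg_enum_rids (outside the hunk), it remains a global, the same class of bug this commit sets out to fix. `local i = 0` is the one-word change. The new local `status` inside the `repeat` body is correct as written, since a Lua `until` condition sees locals declared in the loop body. winreg_enum_rids begins before this hunk.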
@@ -150,18 +150,18 @@ local function winreg_enum_rids(host) -- To get the time the user logged in, we check the 'Volatile Environment' key -- This can fail with the 'guest' account due to access restrictions - status, openkey_result = msrpc.winreg_openkey(smbstate, openhku_result['handle'], element['name'] .. "\\Volatile Environment") + local status, openkey_result = msrpc.winreg_openkey(smbstate, openhku_result['handle'], element['name'] .. "\\Volatile Environment") if(status ~= false) then local queryinfokey_result, closekey_result -- Query the info about this key. The response will tell us when the user logged into the server. - status, queryinfokey_result = msrpc.winreg_queryinfokey(smbstate, openkey_result['handle']) + local status, queryinfokey_result = msrpc.winreg_queryinfokey(smbstate, openkey_result['handle']) if(status == false) then msrpc.stop_smb(smbstate) return false, queryinfokey_result end - status, closekey_result = msrpc.winreg_closekey(smbstate, openkey_result['handle']) + local status, closekey_result = msrpc.winreg_closekey(smbstate, openkey_result['handle']) if(status == false) then msrpc.stop_smb(smbstate) return false, closekey_result @@ -178,7 +178,7 @@ local function winreg_enum_rids(host) i = i + 1 until status ~= true - status, closekey_result = msrpc.winreg_closekey(smbstate, openhku_result['handle']) + local status, closekey_result = msrpc.winreg_closekey(smbstate, openhku_result['handle']) if(status == false) then msrpc.stop_smb(smbstate) return false, closekey_result 
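Review bot: Inside the `if(status ~= false) then` block of the -150 hunk, `local queryinfokey_result, closekey_result` is declared and then both names are immediately re-declared with `local status, queryinfokey_result = ...` and `local status, closekey_result = ...` two and six lines later, so the first declaration is dead and the new `local`s shadow it. The `local` added to the winreg_openkey line at the top of the hunk appears to do the same to the `local status, openkey_result` declared at the end of the previous hunk's `if(status == true) then` block. Either drop the pre-declarations or assign without `local` on the call lines, e.g. `status, queryinfokey_result = msrpc.winreg_queryinfokey(smbstate, openkey_result['handle'])`. The enclosing function continues on both sides of this hunk.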
@@ -187,20 +187,20 @@ local function winreg_enum_rids(host) msrpc.stop_smb(smbstate) -- Start a new SMB session - status, smbstate = msrpc.start_smb(host, msrpc.LSA_PATH) + local status, smbstate = msrpc.start_smb(host, msrpc.LSA_PATH) if(status == false) then return false, smbstate end -- Bind to LSA service - status, bind_result = msrpc.bind(smbstate, msrpc.LSA_UUID, msrpc.LSA_VERSION, nil) + local status, bind_result = msrpc.bind(smbstate, msrpc.LSA_UUID, msrpc.LSA_VERSION, nil) if(status == false) then msrpc.stop_smb(smbstate) return false, bind_result end -- Get a policy handle - status, openpolicy2_result = msrpc.lsa_openpolicy2(smbstate, host.ip) + local status, openpolicy2_result = msrpc.lsa_openpolicy2(smbstate, host.ip) if(status == false) then msrpc.stop_smb(smbstate) return false, openpolicy2_result @@ -216,7 +216,7 @@ local function winreg_enum_rids(host) -- The rid is the last digits before the end of the string local rid = string.sub(sid, string.find(sid, "%d+$")) - status, lookupsids2_result = msrpc.lsa_lookupsids2(smbstate, openpolicy2_result['policy_handle'], {elements[i]['name']}) + local status, lookupsids2_result = msrpc.lsa_lookupsids2(smbstate, openpolicy2_result['policy_handle'], {elements[i]['name']}) if(status == false) then -- It may not succeed, if it doesn't that's ok @@ -267,11 +267,9 @@ action = function(host) local response = {} - local status1, status2 - -- Enumerate the logged in users local logged_in = {} - status1, users = winreg_enum_rids(host) + local status1, users = winreg_enum_rids(host) if(status1 == false) then logged_in['warning'] = "Couldn't enumerate login sessions: " .. users else @@ -290,7 +288,7 @@ action = function(host) -- Get the connected sessions local sessions_output = {} - status2, sessions = srvsvc_enum_sessions(host) + local status2, sessions = srvsvc_enum_sessions(host) if(status2 == false) then sessions_output['warning'] = "Couldn't enumerate SMB sessions: " .. sessions else 
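Review bot: At the top of the -187 hunk, `local status, smbstate = msrpc.start_smb(host, msrpc.LSA_PATH)` introduces a second local named `smbstate` immediately after `msrpc.stop_smb(smbstate)` closed the first; both stay in scope for the rest of winreg_enum_rids and every later `msrpc.stop_smb(smbstate)` silently binds to the newer one. Since `status` and `smbstate` are already locals of this function (declared in the -119 hunk), a plain reassignment `status, smbstate = msrpc.start_smb(host, msrpc.LSA_PATH)` — and likewise `status, bind_result = msrpc.bind(smbstate, msrpc.LSA_UUID, msrpc.LSA_VERSION, nil)` — keeps one session variable that is reused for the WINREG and LSA sessions, which is easier to audit for leaked sessions. The -267 and -290 hunks in `action` are fine as written.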
diff --git a/scripts/smb-system-info.nse b/scripts/smb-system-info.nse index efab9c6dd..76c745d0a 100644 --- a/scripts/smb-system-info.nse +++ b/scripts/smb-system-info.nse @@ -68,21 +68,20 @@ end --@return Status (true or false). --@return The value (if status is true) or an error string (if status is false). local function reg_get_value(smbstate, handle, key, value) - -- Open the key - status, openkey_result = msrpc.winreg_openkey(smbstate, handle, key) + local status, openkey_result = msrpc.winreg_openkey(smbstate, handle, key) if(status == false) then return false, openkey_result end -- Query the value - status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openkey_result['handle'], value) + local status, queryvalue_result = msrpc.winreg_queryvalue(smbstate, openkey_result['handle'], value) if(status == false) then return false, queryvalue_result end -- Close the key - status, closekey_result = msrpc.winreg_closekey(smbstate, openkey_result['handle'], value) + local status, closekey_result = msrpc.winreg_closekey(smbstate, openkey_result['handle'], value) if(status == false) then return false, closekey_result end 
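Review bot: In reg_get_value (-68 hunk), the `if(status == false) then return false, queryvalue_result end` after the new `local status, queryvalue_result = ...` line returns with the key opened two lines earlier still open, so every failed winreg_queryvalue leaks a registry handle on the target until the session is torn down; adding `msrpc.winreg_closekey(smbstate, openkey_result['handle'])` before that `return` closes it on the failure path too. The changed winreg_closekey line also still passes `value` as a third argument, which the calls in smb-enum-sessions.nse do not — presumably a copy-paste remnant that Lua ignores; drop it. The commit also removed the `-- Open the key` comment while keeping `-- Query the value` and `-- Close the key`; restore it above the openkey line for consistency.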
@@ -93,23 +92,22 @@ end local function get_info_registry(host) local result = {} - local status, smbstate, bind_result, openhklm_result -- Create the SMB session - status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH) + local status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH) if(status == false) then return false, smbstate end -- Bind to WINREG service - status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil) + local status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil) if(status == false) then msrpc.stop_smb(smbstate) return false, bind_result end -- Open HKEY_LOCAL_MACHINE - status, openhklm_result = msrpc.winreg_openhklm(smbstate) + local status, openhklm_result = msrpc.winreg_openhklm(smbstate) if(status == false) then msrpc.stop_smb(smbstate) return false, openhklm_result @@ -178,7 +176,7 @@ end action = function(host) - status, result = get_info_registry(host) + local status, result = get_info_registry(host) if(status == false) then return stdnse.format_output(false, result)