
Patch to libraries that were inappropriately using globals.

Often two (or more) scripts using the same library would
overwrite the globals each was using. This would result
in (at best) an error or (at worst) a deadlock.

The patch changes the global accesses to local.
This commit is contained in:
batrick
2009-07-07 00:20:52 +00:00
parent f6b10157f7
commit 90a712ae2b
19 changed files with 105 additions and 91 deletions


@@ -183,6 +183,7 @@ function parse_lines(lines, data_struct)
elseif type(value) == "string" or type(value) == "function" then
ret = get_array( lines, value )
elseif type(value) == "table" then
local _
_, ret[index] = parse_lines( lines, value )
else
-- TEMP


@@ -717,8 +717,8 @@ end
-- @param flgStr Flags as a binary digit string.
-- @return Table representing flags.
local function decodeFlags(flgStr)
flags = {}
flgTbl = str2tbl(flgStr)
local flags = {}
local flgTbl = str2tbl(flgStr)
if flgTbl[1] == '1' then flags.QR = true end
if flgTbl[2] == '1' then flags.OC1 = true end
if flgTbl[3] == '1' then flags.OC2 = true end


@@ -21,7 +21,7 @@ function capabilities(host, port)
local proto = (port.version and port.version.service_tunnel == "ssl" and "ssl") or "tcp"
if not socket:connect(host.ip, port.number, proto) then return nil, "Could Not Connect" end
status, line = socket:receive_lines(1)
local status, line = socket:receive_lines(1)
if not string.match(line, "^[%*] OK") then return nil, "No Response" end
socket:send("a001 CAPABILITY\r\n")
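Review bot: The `status` returned by `socket:receive_lines(1)` in capabilities is captured on the new `local status, line` line but never examined, so a failed receive falls through to `string.match(line, "^[%*] OK")` with the error message sitting in `line` and is reported as "No Response" instead of the socket error. Adding `if not status then return nil, line end` directly after the receive keeps the two failure modes distinct for the caller. The enclosing function continues outside the hunk.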


@@ -31,6 +31,7 @@ module ( "ipOps" )
-- @return True or false (or <code>nil</code> in case of an error).
-- @return String error message in case of an error.
isPrivate = function( ip )
local err
ip, err = expand_ip( ip )
if err then return nil, err end
@@ -77,7 +78,7 @@ todword = function( ip )
return nil, "Error in ipOps.todword: Expected IPv4 address."
end
local n, ret = {}
local n, ret, err = {}
n, err = get_parts_as_number( ip )
if err then return nil, err end
@@ -104,6 +105,7 @@ end
-- <code>nil</code> in case of an error).
-- @return String error message in case of an error.
get_parts_as_number = function( ip )
local err
ip, err = expand_ip( ip )
if err then return nil, err end
@@ -250,6 +252,7 @@ end
-- <code>nil</code> in case of an error).
-- @return String error message in case of an error.
expand_ip = function( ip )
local err
if type( ip ) ~= "string" or ip == "" then
return nil, "Error in ipOps.expand_ip: Expected IP address as a string."
@@ -427,6 +430,7 @@ end
-- digits (or <code>nil</code> in case of an error).
-- @return String error message in case of an error.
ip_to_bin = function( ip )
local err
ip, err = expand_ip( ip )
if err then return nil, err end
@@ -473,6 +477,7 @@ bin_to_ip = function( binstring )
return nil, "Error in ipOps.bin_to_ip: Expected string of binary digits."
end
local af
if string.len( binstring ) == 32 then
af = 4
elseif string.len( binstring ) == 128 then
@@ -481,7 +486,7 @@ bin_to_ip = function( binstring )
return nil, "Error in ipOps.bin_to_ip: Expected exactly 32 or 128 binary digits."
end
t = {}
local t = {}
if af == 6 then
local pattern = string.rep( "[01]", 16 )
for chunk in string.gmatch( binstring, pattern ) do


@@ -29,7 +29,7 @@ regex = function(pattern)
local r = pcre.new(pattern, 0,"C")
return function(buf)
s,e = r:exec(buf, 0,0);
local s,e = r:exec(buf, 0,0);
return s,e
end
end


@@ -2122,6 +2122,7 @@ function winreg_queryvalue(smbstate, handle, value)
-- Format the type properly and put it in "value"
if(result['data'] ~= nil) then
local _
if(result['type'] == "REG_DWORD") then
_, result['value'] = bin.unpack("<I", result['data'])
elseif(result['type'] == "REG_SZ" or result['type'] == "REG_MULTI_SZ" or result['type'] == "REG_EXPAND_SZ") then
@@ -2855,35 +2856,31 @@ function samr_enum_users(host)
local domain = enumdomains_result['sam']['entries'][i]['name']
-- We don't care about the 'builtin' domain, in all my tests it's empty
if(domain ~= 'Builtin') then
local sid
local domain_handle
local opendomain_result, querydisplayinfo_result
-- Call LookupDomain()
status, lookupdomain_result = samr_lookupdomain(smbstate, connect_handle, domain)
local status, lookupdomain_result = samr_lookupdomain(smbstate, connect_handle, domain)
if(status == false) then
stop_smb(smbstate)
return false, lookupdomain_result
end
-- Save the sid
sid = lookupdomain_result['sid']
local sid = lookupdomain_result['sid']
-- Call OpenDomain()
status, opendomain_result = samr_opendomain(smbstate, connect_handle, sid)
local status, opendomain_result = samr_opendomain(smbstate, connect_handle, sid)
if(status == false) then
stop_smb(smbstate)
return false, opendomain_result
end
-- Save the domain handle
domain_handle = opendomain_result['domain_handle']
local domain_handle = opendomain_result['domain_handle']
-- Loop as long as we're getting valid results
j = 0
repeat
-- Call QueryDisplayInfo()
status, querydisplayinfo_result = samr_querydisplayinfo(smbstate, domain_handle, j, SAMR_GROUPSIZE)
local status, querydisplayinfo_result = samr_querydisplayinfo(smbstate, domain_handle, j, SAMR_GROUPSIZE)
if(status == false) then
stop_smb(smbstate)
return false, querydisplayinfo_result
@@ -2975,7 +2972,7 @@ function lsa_enum_users(host)
-- Start with some common names, as well as the name returned by the negotiate call
-- Vista doesn't like a 'null' after the server name, so fix that (TODO: the way I strip the null here feels hackish, is there a better way?)
names = {"administrator", "guest", "test"}
local names = {"administrator", "guest", "test"}
-- These aren't always sent back (especially with 'extended security')
if(smbstate['domain'] ~= nil) then
names[#names + 1] = smbstate['domain']
@@ -3471,14 +3468,14 @@ function get_server_stats(host)
end
-- Bind to SRVSVC service
status, bind_result = bind(smbstate, SRVSVC_UUID, SRVSVC_VERSION, nil)
local status, bind_result = bind(smbstate, SRVSVC_UUID, SRVSVC_VERSION, nil)
if(status == false) then
smb.stop(smbstate)
return false, bind_result
end
-- Call netservergetstatistics for 'server'
status, netservergetstatistics_result = srvsvc_netservergetstatistics(smbstate, host.ip)
local status, netservergetstatistics_result = srvsvc_netservergetstatistics(smbstate, host.ip)
if(status == false) then
smb.stop(smbstate)
return false, netservergetstatistics_result
@@ -3573,24 +3570,23 @@ end
--@return A table of information about the share (if status is true) or an an error string (if
-- status is false).
function get_share_info(host, name)
local status, smbstate
local response = {}
-- Create the SMB session
status, smbstate = start_smb(host, SRVSVC_PATH)
local status, smbstate = start_smb(host, SRVSVC_PATH)
if(status == false) then
return false, smbstate
end
-- Bind to SRVSVC service
status, bind_result = bind(smbstate, SRVSVC_UUID, SRVSVC_VERSION, nil)
local status, bind_result = bind(smbstate, SRVSVC_UUID, SRVSVC_VERSION, nil)
if(status == false) then
smb.stop(smbstate)
return false, bind_result
end
-- Call NetShareGetInfo
status, netsharegetinfo_result = srvsvc_netsharegetinfo(smbstate, host.ip, name, 2)
local status, netsharegetinfo_result = srvsvc_netsharegetinfo(smbstate, host.ip, name, 2)
if(status == false) then
smb.stop(smbstate)
return false, netsharegetinfo_result
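Review bot: `j = 0` in the samr_enum_users hunk is still assigned without `local`, so the QueryDisplayInfo loop counter stays global while the lines around it were converted, unless it is declared near the top of the function outside the hunk; given the purpose of this commit it should read `local j = 0`. The three `local status, ... =` statements in that hunk (lookupdomain, opendomain, querydisplayinfo) each shadow the previous `status`, which works but luacheck will flag; one `local status` declaration followed by plain assignments would be clearer. The get_server_stats and get_share_info hunks in this file show the same shadowing pattern. Each of these functions continues past its hunk.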


@@ -427,10 +427,9 @@ function get_performance_data(host, objects)
local status, smbstate
local bind_result, openhkpd_result, queryvalue_result, data_block
local pos
local pos, object_type, counter_result
local result = {}
local i, j, k
local pos
-- Create the SMB session
status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH)


@@ -455,7 +455,7 @@ local function unmarshall_array(data, pos, count, func, args)
args = {}
end
pos, max_count = bin.unpack("<I", data, pos)
local pos, max_count = bin.unpack("<I", data, pos)
if(max_count == nil) then
stdnse.print_debug(1, "MSRPC: ERROR: Ran off the end of a packet in unmarshall_array(). Please report!")
end
@@ -1165,6 +1165,7 @@ end
--@return (pos, time) The new position, and the time in seconds since 1970.
function unmarshall_SYSTEMTIME(data, pos)
local date = {}
local _
pos, date['year'], date['month'], _, date['day'], date['hour'], date['min'], date['sec'], _ = bin.unpack("<SSSSSSSS", data, pos)
if(date['sec'] == nil) then
@@ -1227,14 +1228,13 @@ end
--@param default The default value to return if the lookup was unsuccessful.
--@return (pos, policy_handle) The new position, and a table representing the policy_handle.
local function unmarshall_Enum32(data, pos, table, default)
local i, v
stdnse.print_debug(4, string.format("MSRPC: Entering unmarshall_Enum32()"))
if(default == nil) then
default = "<unknown>"
end
pos, val = unmarshall_int32(data, pos)
local pos, val = unmarshall_int32(data, pos)
for i, v in pairs(table) do
if(v == val) then
@@ -1257,14 +1257,13 @@ end
--@param pad [optional] If set, will ensure that we end up on an even multiple of 4. Default: true.
--@return (pos, policy_handle) The new position, and a table representing the policy_handle.
local function unmarshall_Enum16(data, pos, table, default, pad)
local i, v
stdnse.print_debug(4, string.format("MSRPC: Entering unmarshall_Enum16()"))
if(default == nil) then
default = "<unknown>"
end
pos, val = unmarshall_int16(data, pos, pad)
local pos, val = unmarshall_int16(data, pos, pad)
for i, v in pairs(table) do
if(v == val) then
@@ -1474,7 +1473,7 @@ function unmarshall_dom_sid2(data, pos)
end
-- Convert the SID to a string
result = string.format("S-%u-%u", sid['sid_rev_num'], sid['authority'])
local result = string.format("S-%u-%u", sid['sid_rev_num'], sid['authority'])
for i = 1, sid['num_auths'], 1 do
result = result .. string.format("-%u", sid['sub_auths'][i])
end
@@ -1528,7 +1527,7 @@ function marshall_dom_sid2(sid)
return nil
end
pos = 3
local pos = 3
pos_next = string.find(sid, "-", pos)
sid_array['sid_rev_num'] = string.sub(sid, pos, pos_next - 1)
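Review bot: `pos_next = string.find(sid, "-", pos)` in the marshall_dom_sid2 hunk still writes a global immediately after the line that was changed to `local pos = 3`; unless `pos_next` is declared earlier in the function outside the hunk, it should be `local pos_next = string.find(sid, "-", pos)`. The same check applies to `sid_array` on the following line if it is not declared above. The function continues past the hunk.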


@@ -289,12 +289,12 @@ function do_nbstat(host)
socket:set_timeout(1000)
status, result = socket:receive_bytes(1)
local status, result = socket:receive_bytes(1)
if(status == false) then
return false, result
end
close_status, err = socket:close()
local close_status, err = socket:close()
if(close_status == false) then
return false, err
end


@@ -65,7 +65,7 @@ function print_hex(str)
-- Loop through the string, printing the hex
for char=1, 16, 1 do
ch = string.byte(str, ((line - 1) * 16) + char)
local ch = string.byte(str, ((line - 1) * 16) + char)
io.write(string.format("%02x ", ch))
end
@@ -73,7 +73,7 @@ function print_hex(str)
-- Loop through the string again, this time the ascii
for char=1, 16, 1 do
ch = string.byte(str, ((line - 1) * 16) + char)
local ch = string.byte(str, ((line - 1) * 16) + char)
if ch < 0x20 or ch > 0x7f then
ch = string.byte(".", 1)
end
@@ -84,18 +84,18 @@ function print_hex(str)
end
-- Prints out the final, partial line
line = math.floor((string.len(str)/16)) + 1
local line = math.floor((string.len(str)/16)) + 1
io.write(string.format("%08x ", (line - 1) * 16))
for char=1, string.len(str) % 16, 1 do
ch = string.byte(str, ((line - 1) * 16) + char)
local ch = string.byte(str, ((line - 1) * 16) + char)
io.write(string.format("%02x ", ch))
end
io.write(string.rep(" ", 16 - (string.len(str) % 16)));
io.write(" ")
for char=1, string.len(str) % 16, 1 do
ch = string.byte(str, ((line - 1) * 16) + char)
local ch = string.byte(str, ((line - 1) * 16) + char)
if ch < 0x20 or ch > 0x7f then
ch = string.byte(".", 1)
end


@@ -285,14 +285,14 @@ end
--- Set the source IP address.
-- @param binip The source IP address as a byte string.
function Packet:ip_set_bin_src(binip)
nrip = u32(binip, 0)
local nrip = u32(binip, 0)
self:set_u32(self.ip_offset + 12, nrip)
self.ip_bin_src = self:raw(self.ip_offset + 12,4) -- raw 4-bytes string
end
--- Set the destination IP address.
-- @param binip The destination IP address as a byte string.
function Packet:ip_set_bin_dst(binip)
nrip = u32(binip, 0)
local nrip = u32(binip, 0)
self:set_u32(self.ip_offset + 16, nrip)
self.ip_bin_dst = self:raw(self.ip_offset + 16,4)
end


@@ -43,7 +43,7 @@ end
-- @return Error code if status is false.
function login_user(socket, user, pw)
socket:send("USER " .. user .. "\r\n")
status, line = socket:receive_lines(1)
local status, line = socket:receive_lines(1)
if not stat(line) then return false, err.user_error end
socket:send("PASS " .. pw .. "\r\n")
@@ -67,7 +67,7 @@ function login_sasl_plain(socket, user, pw)
local auth64 = base64.enc(user .. "\0" .. user .. "\0" .. pw)
socket:send("AUTH PLAIN " .. auth64 .. "\r\n")
status, line = socket:receive_lines(1)
local status, line = socket:receive_lines(1)
if stat(line) then
return true, err.none
@@ -91,14 +91,14 @@ function login_sasl_login(socket, user, pw)
socket:send("AUTH LOGIN\r\n")
status, line = socket:receive_lines(1)
local status, line = socket:receive_lines(1)
if not base64.dec(string.sub(line, 3)) == "User Name:" then
return false, err.userError
end
socket:send(user64)
status, line = socket:receive_lines(1)
local status, line = socket:receive_lines(1)
if not base64.dec(string.sub(line, 3)) == "Password:" then
return false, err.userError
@@ -106,7 +106,7 @@ function login_sasl_login(socket, user, pw)
socket:send(pw64)
status, line = socket:receive_lines(1)
local status, line = socket:receive_lines(1)
if stat(line) then
return true, err.none
@@ -129,7 +129,7 @@ function login_apop(socket, user, pw, challenge)
local apStr = stdnse.tohex(openssl.md5(challenge .. pw))
socket:send(("APOP %s %s\r\n"):format(user, apStr))
status, line = socket:receive_lines(1)
local status, line = socket:receive_lines(1)
if (stat(line)) then
return true, err.none
@@ -152,14 +152,14 @@ function capabilities(host, port)
local opts = {timeout=10000, recv_before=true}
local i = 1
socket, line, bopt, first_line = comm.tryssl(host, port, "CAPA\r\n" , opts)
local socket, line, bopt, first_line = comm.tryssl(host, port, "CAPA\r\n" , opts)
if not socket then return nil, "Could Not Connect" end
if not stat(first_line) then return nil, "No Response" end
if string.find(first_line, "<[%p%w]+>") then capas.APOP = true end
lines = stdnse.strsplit("\r\n",line)
line = lines[1]
local lines = stdnse.strsplit("\r\n",line)
local line = lines[1]
if not stat(line) then
capas.capa = false
@@ -199,7 +199,7 @@ function login_sasl_crammd5(socket, user, pw)
socket:send("AUTH CRAM-MD5\r\n")
status, line = socket:receive_lines(1)
local status, line = socket:receive_lines(1)
local challenge = base64.dec(string.sub(line, 3))
@@ -207,7 +207,7 @@ function login_sasl_crammd5(socket, user, pw)
local authStr = base64.enc(user .. " " .. digest)
socket:send(authStr .. "\r\n")
status, line = socket:receive_lines(1)
local status, line = socket:receive_lines(1)
if stat(line) then
return true, err.none
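Review bot: The comparison that follows the new `local status, line` line in login_sasl_login, `if not base64.dec(string.sub(line, 3)) == "User Name:" then`, parses as `(not x) == "User Name:"`, which is always false, so the server prompt is never actually validated; the `"Password:"` comparison a few lines later has the same shape. The intended form is `if base64.dec(string.sub(line, 3)) ~= "User Name:" then`. This defect predates the commit, but the hunk rewrites the line that feeds it, and `status` from each receive is likewise never checked before `line` is used. The function continues outside the hunk.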


@@ -309,7 +309,7 @@ function add_account(host, username, password)
if(string.lower(username) ~= "guest" and string.lower(username) ~= "") then
-- Save the new account if this is our first one, or our other account isn't an admin
if(nmap.registry[host.ip]['smbaccount'] == nil or nmap.registry[host.ip]['smbaccount']['is_admin'] == false) then
local result
local result, _
nmap.registry[host.ip]['smbaccount'] = {}
nmap.registry[host.ip]['smbaccount']['username'] = username
@@ -587,7 +587,7 @@ function start_netbios(host, port, name)
-- If all else fails, use each substring of the DNS name (this is a HUGE hack, but is actually
-- a recommended way of doing this!)
if(host.name ~= nil and host.name ~= "") then
new_names = get_subnames(host.name)
local new_names = get_subnames(host.name)
for i = 1, #new_names, 1 do
names[#names + 1] = new_names[i]
end
@@ -604,7 +604,7 @@ function start_netbios(host, port, name)
-- Some debug information
stdnse.print_debug(1, "SMB: Trying to start NetBIOS session with name = '%s'", name)
-- Request a NetBIOS session
session_request = bin.pack(">CCSzz",
local session_request = bin.pack(">CCSzz",
0x81, -- session request
0x00, -- flags
0x44, -- length
@@ -999,7 +999,7 @@ function negotiate_protocol(smb)
-- Send the negotiate request
stdnse.print_debug(2, "SMB: Sending SMB_COM_NEGOTIATE")
result, err = smb_send(smb, header, parameters, data)
local result, err = smb_send(smb, header, parameters, data)
if(status == false) then
return false, err
end
@@ -1011,6 +1011,7 @@ function negotiate_protocol(smb)
end
-- Parse out the header
local uid, tid, header4
pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
-- Check if we fell off the packet (if that happened, the last parameter will be nil)
@@ -1112,9 +1113,9 @@ function negotiate_protocol(smb)
end
function start_session_basic(smb, overrides, use_default, log_errors)
local i
local i, err
local status, result
local header, parameters, data
local header, parameters, data, domain
local pos
local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid
local andx_command, andx_reserved, andx_offset, action
@@ -1234,7 +1235,7 @@ end
function start_session_extended(smb, overrides, use_default, log_errors)
local i
local status, status_name, result
local status, status_name, result, err
local header, parameters, data
local pos
local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid
@@ -1416,7 +1417,7 @@ end
-- table with the following elements:
-- * 'tid' The TreeID for the session
function tree_connect(smb, path)
local header, parameters, data
local header, parameters, data, err, result
local pos
local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, pid, mid
local andx_command, andx_reserved, andx_offset, action
@@ -1449,6 +1450,7 @@ function tree_connect(smb, path)
end
-- Check if we were allowed in
local uid, tid
pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
if(mid == nil) then
return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [20]"
@@ -1480,18 +1482,19 @@ function tree_disconnect(smb)
-- Send the tree disconnect request
stdnse.print_debug(2, "SMB: Sending SMB_COM_TREE_DISCONNECT")
result, err = smb_send(smb, header, "", "")
local result, err = smb_send(smb, header, "", "")
if(result == false) then
return false, err
end
-- Read the result
status, header, parameters, data = smb_read(smb)
local status, header, parameters, data = smb_read(smb)
if(status ~= true) then
return false, header
end
-- Check if there was an error
local uid, tid, pos
pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
if(mid == nil) then
return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [21]"
@@ -1512,7 +1515,7 @@ end
--@return (status, result) If statis is false, result is an error message. If status is true,
-- the logoff was successful.
function logoff(smb)
local header, parameters
local header, parameters, data
local header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, pid, mid
header = smb_encode_header(smb, command_codes['SMB_COM_LOGOFF_ANDX'])
@@ -1526,7 +1529,7 @@ function logoff(smb)
-- Send the tree disconnect request
stdnse.print_debug(2, "SMB: Sending SMB_COM_LOGOFF_ANDX")
result, err = smb_send(smb, header, parameters, "")
local result, err = smb_send(smb, header, parameters, "")
if(result == false) then
return false, err
end
@@ -1543,6 +1546,7 @@ function logoff(smb)
smb['mac_key'] = nil
-- Check if there was an error
local uid, tid, pos
pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
if(mid == nil) then
return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [22]"
@@ -1598,7 +1602,7 @@ function create_file(smb, path)
-- Send the create file
stdnse.print_debug(2, "SMB: Sending SMB_COM_NT_CREATE_ANDX")
result, err = smb_send(smb, header, parameters, data)
local result, err = smb_send(smb, header, parameters, data)
if(result == false) then
return false, err
end
@@ -1610,6 +1614,7 @@ function create_file(smb, path)
end
-- Check if we were allowed in
local uid, tid
pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
if(mid == nil) then
return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [23]"
@@ -1675,7 +1680,7 @@ function read_file(smb, offset, count)
-- Send the create file
stdnse.print_debug(2, "SMB: Sending SMB_COM_READ_ANDX")
result, err = smb_send(smb, header, parameters, data)
local result, err = smb_send(smb, header, parameters, data)
if(result == false) then
return false, err
end
@@ -1687,6 +1692,7 @@ function read_file(smb, offset, count)
end
-- Check if we were allowed in
local uid, tid
pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
if(mid == nil) then
@@ -1760,7 +1766,7 @@ function write_file(smb, write_data, offset)
-- Send the create file
stdnse.print_debug(2, "SMB: Sending SMB_COM_WRITE_ANDX")
result, err = smb_send(smb, header, parameters, data)
local result, err = smb_send(smb, header, parameters, data)
if(result == false) then
return false, err
end
@@ -1772,6 +1778,7 @@ function write_file(smb, write_data, offset)
return false, header
end
local uid, tid
-- Check if we were allowed in
pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
if(mid == nil) then
@@ -1782,6 +1789,7 @@ function write_file(smb, write_data, offset)
end
-- Parse the parameters
local reserved, count_high, remaining, count_low
pos, andx_command, andx_reserved, andx_offset, count_low, remaining, count_high, reserved = bin.unpack("<CCSSSSS", parameters)
if(reserved == nil) then
return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [28]"
@@ -1816,7 +1824,7 @@ function close_file(smb)
-- Send the close file
stdnse.print_debug(2, "SMB: Sending SMB_CLOSE")
result, err = smb_send(smb, header, parameters, data)
local result, err = smb_send(smb, header, parameters, data)
if(result == false) then
return false, err
end
@@ -1828,6 +1836,7 @@ function close_file(smb)
end
-- Check if the close was successful
local uid, tid
pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
if(mid == nil) then
return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [27]"
@@ -1862,7 +1871,7 @@ function delete_file(smb, path)
-- Send the close file
stdnse.print_debug(2, "SMB: Sending SMB_CLOSE")
result, err = smb_send(smb, header, parameters, data)
local result, err = smb_send(smb, header, parameters, data)
if(result == false) then
return false, err
end
@@ -1874,6 +1883,7 @@ function delete_file(smb, path)
end
-- Check if the close was successful
local uid, tid
pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
if(mid == nil) then
return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [27]"
@@ -1946,7 +1956,7 @@ function send_transaction_named_pipe(smb, function_parameters, function_data, pi
-- Send the transaction request
stdnse.print_debug(2, "SMB: Sending SMB_COM_TRANSACTION")
result, err = smb_send(smb, header, parameters, data)
local result, err = smb_send(smb, header, parameters, data)
if(result == false) then
return false, err
end
@@ -1958,6 +1968,7 @@ function send_transaction_named_pipe(smb, function_parameters, function_data, pi
end
-- Check if it worked
local uid, tid, pos
pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
if(mid == nil) then
return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [29]"
@@ -2031,7 +2042,7 @@ function send_transaction_waitnamedpipe(smb, priority, pipe)
-- Send the transaction request
stdnse.print_debug(2, "SMB: Sending SMB_COM_TRANSACTION (WaitNamedPipe)")
result, err = smb_send(smb, header, parameters, data)
local result, err = smb_send(smb, header, parameters, data)
if(result == false) then
return false, err
end
@@ -2043,6 +2054,7 @@ function send_transaction_waitnamedpipe(smb, priority, pipe)
end
-- Check if it worked
local uid, tid, pos
pos, header1, header2, header3, header4, command, status, flags, flags2, pid_high, signature, unused, tid, pid, uid, mid = bin.unpack("<CCCCCICSSlSSSSS", header)
if(mid == nil) then
return false, "SMB: ERROR: Ran off the end of SMB packet; likely due to server truncation [31]"
@@ -2073,7 +2085,7 @@ end
--@param share The share to upload it to (eg, C$).
--@param remotefile The remote file on the machine. It is relative to the share's root.
function file_upload(host, localfile, share, remotefile)
local status, smbstate
local status, err, smbstate
local chunk = 1024
local filename = nmap.fetchfile(localfile)
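Review bot: The error check after the new `local result, err = smb_send(smb, header, parameters, data)` in negotiate_protocol tests `status == false` rather than `result == false`, so a failed send is never detected and the function goes on to read a reply; every other smb_send call in this file (tree_disconnect, logoff, create_file, read_file, write_file, close_file, delete_file, both transaction functions) checks `result == false`. It should read `if(result == false) then`. Because `result` is now local to that statement, the `status` being compared is whatever the function assigned earlier — or nil — so the mismatch is not merely cosmetic. negotiate_protocol continues outside the hunk.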


@@ -92,6 +92,8 @@ local NTLMSSP_NEGOTIATE = 0x00000001
local NTLMSSP_CHALLENGE = 0x00000002
local NTLMSSP_AUTH = 0x00000003
local session_key = string.rep(string.char(0x00), 16)
local function to_unicode(str)
local unicode = ""
@@ -302,9 +304,8 @@ function ntlmv2_create_response(ntlm, username, domain, challenge, client_challe
end
local client_challenge = openssl.rand_bytes(client_challenge_length)
local ntlmv2_hash
status, ntlmv2_hash = ntlmv2_create_hash(ntlm, username, domain)
local status, ntlmv2_hash = ntlmv2_create_hash(ntlm, username, domain)
return true, openssl.hmac("MD5", ntlmv2_hash, challenge .. client_challenge) .. client_challenge
end
@@ -404,9 +405,11 @@ end
-- and the mac_key, which is used for message signing.
local function get_password_response(ip, username, domain, password, password_hash, challenge, hash_type, is_extended)
local status
local lm_hash = nil
local ntlm_hash = nil
local mac_key = nil
local lm_response, ntlm_response
-- Check if there's a password or hash set. This is a little tricky, because in all places (except the one passed
-- as a parameter), it's based on whether or not the username was stored. This lets us use blank passwords by not
@@ -570,7 +573,7 @@ function get_accounts(ip, overrides, use_defaults)
-- Do the "anonymous" account
if(use_defaults) then
result = {}
local result = {}
result['username'] = ""
result['domain'] = ""
results[#results + 1] = result
@@ -598,10 +601,6 @@ function get_security_blob(security_blob, ip, username, domain, hash_type, overr
local new_blob
local flags = 0x00008211 -- (NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | NEGOTIATE_UNICODE)
if(session_key == nil) then
session_key = string.rep(string.char(0x00), 16)
end
if(security_blob == nil) then
-- If security_blob is nil, this is the initial packet
new_blob = bin.pack("<zIILL",
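Review bot: `local status, ntlmv2_hash = ntlmv2_create_hash(ntlm, username, domain)` in ntlmv2_create_response captures a status that is never inspected before `ntlmv2_hash` is used as the HMAC key on the next line; if the helper follows the (status, value) convention used elsewhere in this file, a failure would feed its error value into `openssl.hmac`. Add `if not status then return false, ntlmv2_hash end` between the two lines. Separately, the new module-level `local session_key` in the first hunk is now state shared by every script that loads the module; that is harmless while it remains the constant zero key, but any later assignment to it would reintroduce the cross-script interference this commit removes, so a `-- constant; never reassign` comment on its declaration would be worth adding.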


@@ -176,6 +176,7 @@ local function decodeSeq(encStr, len, pos)
local sStr
pos, sStr = bin.unpack("A" .. len, encStr, pos)
while (sPos < len) do
local newSeq
sPos, newSeq = decode(sStr, sPos)
table.insert(seq, newSeq)
i = i + 1
@@ -206,6 +207,7 @@ function decode(encStr, pos)
elseif (etype == "06") then -- OID
local oid = {}
oid._snmp = '06'
local octet
pos, octet = bin.unpack("C", encStr, pos)
oid[2] = math.mod(octet, 40)
octet = octet - oid[2]


@@ -26,7 +26,7 @@ require "openssl"
check_packet_length = function( buffer )
local payload_length, packet_length, offset
offset, payload_length = bin.unpack( ">I", buffer )
padding = 8 - payload_length % 8
local padding = 8 - payload_length % 8
assert(payload_length)
packet_length = buffer:len()
if payload_length + 4 + padding > packet_length then return nil end
@@ -42,7 +42,7 @@ end
-- @return status True or false
-- @return packet The packet received
receive_ssh_packet = function( socket )
status, packet = socket:receive_buf(check_packet_length)
local status, packet = socket:receive_buf(check_packet_length)
return status, packet
end
@@ -55,7 +55,7 @@ end
-- <code>fingerprint</code>.
fetch_host_key = function(host, port)
local socket = nmap.new_socket()
local status
local status, _
status = socket:connect(host.ip, port.number)
if not status then return end
@@ -169,7 +169,7 @@ fingerprint_visual = function( fingerprint, algorithm, bits )
end
-- we start in the center and mark it
x, y = math.ceil(fieldsize_x/2), math.ceil(fieldsize_y/2)
local x, y = math.ceil(fieldsize_x/2), math.ceil(fieldsize_y/2)
field[x][y] = #characters - 1;
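Review bot: In check_packet_length the new `local padding = 8 - payload_length % 8` line runs before `assert(payload_length)`, so when `bin.unpack` returns nil for a buffer shorter than four bytes the arithmetic raises "attempt to perform arithmetic on a nil value" and the assert never gets to report. Move the guard above the padding line; since this function is used as a receive_buf callback and already returns nil to ask for more data, `if not payload_length then return nil end` in place of the assert would match the existing short-packet behaviour. The rest of the function is outside the hunk.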
-- iterate over fingerprint


@@ -43,7 +43,7 @@ end
-- @return status True or false
-- @return packet The packet received
transport.receive_packet = function( socket )
status, packet = socket:receive_buf(check_packet_length)
local status, packet = socket:receive_buf(check_packet_length)
return status, packet
end
@@ -95,12 +95,12 @@ end
--- Build a <code>kex_init</code> packet.
transport.kex_init = function( cookie, options )
options = options or {}
kex_algorithms = "diffie-hellman-group1-sha1"
host_key_algorithms = options['host_key_algorithms'] or "ssh-dss,ssh-rsa"
encryption_algorithms = "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr"
mac_algorithms = "hmac-md5,hmac-sha1,hmac-ripemd160"
compression_algorithms = "none"
languages = ""
local kex_algorithms = "diffie-hellman-group1-sha1"
local host_key_algorithms = options['host_key_algorithms'] or "ssh-dss,ssh-rsa"
local encryption_algorithms = "aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr"
local mac_algorithms = "hmac-md5,hmac-sha1,hmac-ripemd160"
local compression_algorithms = "none"
local languages = ""
local payload = bin.pack( ">cAaa", SSH2.SSH_MSG_KEXINIT, cookie, kex_algorithms, host_key_algorithms )
payload = payload .. bin.pack( ">aa", encryption_algorithms, encryption_algorithms )


@@ -113,7 +113,7 @@ function dump(t)
for i=1,t['rows'] do
for x=1, t['cols'] do
if t[i][x] ~= nil then
length = string.len(t[i][x])
local length = string.len(t[i][x])
table = table .. t[i][x]
table = table .. string.rep(' ', col_len[x]-length)
end


@@ -213,6 +213,7 @@ end
-- @return The corresponding absolute URL.
-----------------------------------------------------------------------------
function absolute(base_url, relative_url)
local base_parsed;
if type(base_url) == "table" then
base_parsed = base_url
base_url = build(base_parsed)
@@ -313,7 +314,7 @@ function parse_query(query)
query = string.gsub(query, "&lt;", "<")
query = string.gsub(query, "&gt;", ">")
function ginsert(qstr)
local function ginsert(qstr)
local first, last = string.find(qstr, "=")
if first then
parsed[string.sub(qstr, 0, first-1)] = string.sub(qstr, first+1)