From c4617f8d313696a5be9667a1ff3419dea04f521c Mon Sep 17 00:00:00 2001
From: patrik
Date: Wed, 6 Jun 2012 21:57:00 +0000
Subject: [PATCH] Fixed a bunch of errors reported by Ron Bowes; http://seclists.org/nmap-dev/2012/q2/639
---
 nselib/ajp.lua | 2 ++
 nselib/asn1.lua | 19 +++++++++---
 nselib/json.lua | 8 ++---
 nselib/smb.lua | 63 ++++++++++++++++++++++++++++++++++++--
 nselib/smbauth.lua | 8 ++---
 nselib/xmpp.lua | 2 +-
 scripts/afp-serverinfo.nse | 2 +-
 7 files changed, 85 insertions(+), 19 deletions(-)
diff --git a/nselib/ajp.lua b/nselib/ajp.lua
index cd9a2f346..77501a515 100644
--- a/nselib/ajp.lua
+++ b/nselib/ajp.lua
@@ -521,3 +521,5 @@ Helper = {
 end,
 }
+
+return _ENV;
\ No newline at end of file
diff --git a/nselib/asn1.lua b/nselib/asn1.lua
index 9d259557b..b175d4f82 100644
--- a/nselib/asn1.lua
+++ b/nselib/asn1.lua
@@ -277,11 +277,12 @@ ASN1Decoder = {
 --
 ASN1Encoder = {
- new = function(self,o)
- o = o or {}
- setmetatable(o, self)
- self.__index = self
- return o
+ new = function(self)
+ local o = {}
+ setmetatable(o, self)
+ self.__index = self
+ o:registerBaseEncoders()
+ return o
 end,
 ---
@@ -332,6 +333,14 @@ ASN1Encoder = {
 end
 end
+ -- Table encoder
+ self.encoder['table'] = function( self, val )
+ assert('table' == type(val), "val is not a table")
+ assert(#val.type > 0, "Table is missing the type field")
+ assert(val.value ~= nil, "Table is missing the value field")
+ return bin.pack("HAA", val.type, self.encodeLength(#val.value), val.value)
+ end
+
 -- Integer encoder
 self.encoder['number'] = function( self, val )
 local ival = self.encodeInt(val)
diff --git a/nselib/json.lua b/nselib/json.lua
index 233122b96..c3be97487 100644
--- a/nselib/json.lua
+++ b/nselib/json.lua
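Review bot: `new = function(self)` drops the `o` parameter that the removed `new = function(self,o)` accepted, so any caller that still passes a pre-populated table has it silently discarded and receives a fresh encoder instead; the old form can be kept while still registering the encoders: `new = function(self, o)` / `o = o or {}` / `o:registerBaseEncoders()`. A short LDoc line such as `--- Creates a new ASN1Encoder with the base encoders already registered.` above `new` would also document that construction now has this side effect. `registerBaseEncoders` is not visible in this hunk, so whether it is safe to call before a caller has filled in any fields of `o` is something to confirm against its definition.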
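Review bot: `assert(#val.type > 0, "Table is missing the type field")` never reports its own message when `type` is absent, because `#val.type` on nil raises "attempt to get length of a nil value" first; the same happens on the `return` line when `value` is present but not a string, since `#val.value` is taken on it before `bin.pack` runs. Checking the actual types keeps the assert messages meaningful and matches what `bin.pack("HAA", ...)` consumes (a hex string for `type`, a string for `value`): `assert(type(val.type) == "string" and #val.type > 0, "Table is missing the type field")` and `assert(type(val.value) == "string", "Table is missing the value field")`. The function that registers these encoders starts and ends outside the hunk.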
@@ -32,18 +32,18 @@ _ENV = stdnse.module("json", stdnse.seeall)
 --Some local shortcuts
 local function dbg(str,...)
- stdnse.print_debug("Json:"..str, table.unpack(arg))
+ stdnse.print_debug("Json:"..str, ...)
 end
 local function d4(str,...)
- if nmap.debugging() > 3 then dbg(str,table.unpack(arg)) end
+ if nmap.debugging() > 3 then dbg(str,...) end
 end
 local function d3(str,...)
- if nmap.debugging() > 2 then dbg(str,table.unpack(arg)) end
+ if nmap.debugging() > 2 then dbg(str,...) end
 end
 --local dbg =stdnse.print_debug
 local function dbg_err(str,...)
- stdnse.print_debug("json-ERR:"..str, table.unpack(arg))
+ stdnse.print_debug("json-ERR:"..str, ...)
 end
 -- Javascript null representation, see explanation above
diff --git a/nselib/smb.lua b/nselib/smb.lua
index b86a36bc7..bb1e1610f 100644
--- a/nselib/smb.lua
+++ b/nselib/smb.lua
@@ -121,6 +121,7 @@
 -- @author Ron Bowes
 -- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html
 -----------------------------------------------------------------------
+local asn1 = require "asn1"
 local bin = require "bin"
 local bit = require "bit"
 local coroutine = require "coroutine"
@@ -1029,6 +1030,9 @@ function negotiate_protocol(smb, overrides)
 if(smb['key_length'] == nil) then
 smb['key_length'] = 0
 end
+ if(smb['byte_count'] == nil) then
+ smb['byte_count'] = 0
+ end
 -- Convert the time and timezone to more useful values
 smb['time'] = (smb['time'] / 10000000) - 11644473600
@@ -1053,6 +1057,11 @@ function negotiate_protocol(smb, overrides) if(smb['server_guid'] == nil) then return false, "SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [12]" end + + -- do we have a security blob? + if ( #data - pos > 0 ) then + pos, smb['security_blob'] = bin.unpack(" 11 ) then + local pos, oid = bin.unpack(">A6", smb['security_blob'], 5) + sp_nego = ( oid == "\x2b\x06\x01\x05\x05\x02" ) -- check for SPNEGO OID 1.3.6.1.5.5.2 + end + while result ~= false do -- These are loop variables local security_blob = nil 
@@ -1287,7 +1303,42 @@ local function start_session_extended(smb, log_errors, overrides)
 -- This loop takes care of the multiple packets that "extended security" requires
 repeat
 -- Get the new security blob, passing the old security blob as a parameter. If there was no previous security blob, then nil is passed, which creates a new one
- status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], username, domain, password, password_hash, hash_type)
+ if ( not(security_blob) ) then
+ status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], username, domain, password, password_hash, hash_type, (sp_nego and 0x00088215))
+
+ if ( sp_nego ) then
+ local enc = asn1.ASN1Encoder:new()
+ local mechtype = enc:encode( { type = 'A0', value = enc:encode( { type = '30', value = enc:encode( { type = '06', value = bin.pack("H", "2b06010401823702020a") } ) } ) } )
+ local oid = enc:encode( { type = '06', value = bin.pack("H", "2b0601050502") } )
+
+ security_blob = enc:encode(security_blob)
+ security_blob = enc:encode( { type = 'A2', value = security_blob } )
+ security_blob = mechtype .. security_blob
+ security_blob = enc:encode( { type = '30', value = security_blob } )
+ security_blob = enc:encode( { type = 'A0', value = security_blob } )
+ security_blob = oid .. security_blob
+ security_blob = enc:encode( { type = '60', value = security_blob } )
+
+ end
+ else
+ if ( sp_nego ) then
+ if ( smb['domain'] or smb['server'] and ( not(domain) or #domain == 0 ) ) then
+ domain = smb['domain'] or smb['server']
+ end
+ hash_type = "v2"
+ end
+
+ status, security_blob, smb['mac_key'] = smbauth.get_security_blob(security_blob, smb['ip'], username, domain, password, password_hash, hash_type, (sp_nego and 0x00088215))
+
+ if ( sp_nego ) then
+ local enc = asn1.ASN1Encoder:new()
+ security_blob = enc:encode(security_blob)
+ security_blob = enc:encode( { type = 'A2', value = security_blob } )
+ security_blob = enc:encode( { type = '30', value = security_blob } )
+ security_blob = enc:encode( { type = 'A1', value = security_blob } )
+ end
+
+ end
 -- There was an error processing the security blob
 if(status == false) then
@@ -1351,6 +1402,12 @@ local function start_session_extended(smb, log_errors, overrides)
 -- Parse the data pos, security_blob, os, lanmanager = bin.unpack(string.format("
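Review bot: The domain fallback guard `if ( smb['domain'] or smb['server'] and ( not(domain) or #domain == 0 ) ) then` in the `else` branch parses as `smb['domain'] or (smb['server'] and (...))` because `and` binds tighter than `or` in Lua, so whenever the negotiate response carried a domain the caller-supplied `domain` is overwritten even when it was non-empty; the intended guard is presumably `if ( ( smb['domain'] or smb['server'] ) and ( not(domain) or #domain == 0 ) ) then`. The same branch forces `hash_type = "v2"` unconditionally under SPNEGO, silently overriding whatever the caller asked for; a comment such as `-- SPNEGO path always uses NTLMv2; the caller's hash_type is ignored` would make that visible, or the override could be limited to the case where no hash_type was given. The NTLMSSP negotiate-flags literal `0x00088215` appears in both `get_security_blob` calls; naming it once, e.g. `local NTLMSSP_NEGOTIATE_FLAGS = 0x00088215`, keeps the two call sites from drifting apart, and the same goes for the two hex OID strings. The enclosing `repeat` loop and `start_session_extended` continue outside the hunk.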