PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-09 14:11:29 +00:00
Code Issues Projects Releases Wiki Activity

Fix TDS7/mssql login packet for non-ascii usernames. See #2056

Browse Source
This commit is contained in:
dmiller
2021-02-08 22:49:19 +00:00
parent e2f1df924c
commit d4bf034df9
1 changed files with 35 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
nselib/mssql.lua
View File

@@ -1998,15 +1998,24 @@ LoginPacket =
local authLen = 0 local authLen = 0
self.cli_pid = math.random(100000) self.cli_pid = math.random(100000)
local u_client = unicode.utf8to16(self.client)
local u_app = unicode.utf8to16(self.app)
local u_server = unicode.utf8to16(self.server)
local u_library = unicode.utf8to16(self.library)
local u_locale = unicode.utf8to16(self.locale)
local u_database = unicode.utf8to16(self.database)
local u_username, u_password
self.length = offset + 2 * ( self.client:len() + self.app:len() + self.server:len() + self.library:len() + self.database:len() ) self.length = offset + #u_client + #u_app + #u_server + #u_library + #u_database
if ( ntlmAuth ) then if ( ntlmAuth ) then
authLen = 32 + #self.domain authLen = 32 + #self.domain
self.length = self.length + authLen self.length = self.length + authLen
self.options_2 = self.options_2 + 0x80 self.options_2 = self.options_2 + 0x80
else else
self.length = self.length + 2 * (self.username:len() + self.password:len()) u_username = unicode.utf8to16(self.username)
u_password = unicode.utf8to16(self.password)
self.length = self.length + #u_username + #u_password
end end
data = { data = {
@@ -2015,38 +2024,38 @@ LoginPacket =
string.pack("<I4I4", self.time_zone, self.collation ), string.pack("<I4I4", self.time_zone, self.collation ),
-- offsets begin -- offsets begin
string.pack("<I2I2", offset, self.client:len() ), string.pack("<I2I2", offset, #u_client/2 ),
} }
offset = offset + self.client:len() * 2 offset = offset + #u_client
if ( not(ntlmAuth) ) then if ( not(ntlmAuth) ) then
data[#data+1] = string.pack("<I2I2", offset, self.username:len() ) data[#data+1] = string.pack("<I2I2", offset, #u_username/2 )
offset = offset + self.username:len() * 2 offset = offset + #u_username
data[#data+1] = string.pack("<I2I2", offset, self.password:len() ) data[#data+1] = string.pack("<I2I2", offset, #u_password/2 )
offset = offset + self.password:len() * 2 offset = offset + #u_password
else else
data[#data+1] = string.pack("<I2I2", offset, 0 ) data[#data+1] = string.pack("<I2I2", offset, 0 )
data[#data+1] = string.pack("<I2I2", offset, 0 ) data[#data+1] = string.pack("<I2I2", offset, 0 )
end end
data[#data+1] = string.pack("<I2I2", offset, self.app:len() ) data[#data+1] = string.pack("<I2I2", offset, #u_app/2 )
offset = offset + self.app:len() * 2 offset = offset + #u_app
data[#data+1] = string.pack("<I2I2", offset, self.server:len() ) data[#data+1] = string.pack("<I2I2", offset, #u_server/2 )
offset = offset + self.server:len() * 2 offset = offset + #u_server
-- Offset to unused placeholder (reserved for future use in TDS spec) -- Offset to unused placeholder (reserved for future use in TDS spec)
data[#data+1] = string.pack("<I2I2", 0, 0 ) data[#data+1] = string.pack("<I2I2", 0, 0 )
data[#data+1] = string.pack("<I2I2", offset, self.library:len() ) data[#data+1] = string.pack("<I2I2", offset, #u_library/2 )
offset = offset + self.library:len() * 2 offset = offset + #u_library
data[#data+1] = string.pack("<I2I2", offset, self.locale:len() ) data[#data+1] = string.pack("<I2I2", offset, #u_locale/2 )
offset = offset + self.locale:len() * 2 offset = offset + #u_locale
data[#data+1] = string.pack("<I2I2", offset, self.database:len() ) data[#data+1] = string.pack("<I2I2", offset, #u_database/2 )
offset = offset + self.database:len() * 2 offset = offset + #u_database
-- client MAC address, hardcoded to 00:00:00:00:00:00 -- client MAC address, hardcoded to 00:00:00:00:00:00
data[#data+1] = self.MAC data[#data+1] = self.MAC
@@ -2061,16 +2070,16 @@ LoginPacket =
data[#data+1] = string.pack("<I2", 0) data[#data+1] = string.pack("<I2", 0)
-- Auth info wide strings -- Auth info wide strings
data[#data+1] = unicode.utf8to16(self.client) data[#data+1] = u_client
if ( not(ntlmAuth) ) then if ( not(ntlmAuth) ) then
data[#data+1] = unicode.utf8to16(self.username) data[#data+1] = u_username
data[#data+1] = Auth.TDS7CryptPass(self.password) data[#data+1] = Auth.TDS7CryptPass(u_password)
end end
data[#data+1] = unicode.utf8to16(self.app) data[#data+1] = u_app
data[#data+1] = unicode.utf8to16(self.server) data[#data+1] = u_server
data[#data+1] = unicode.utf8to16(self.library) data[#data+1] = u_library
data[#data+1] = unicode.utf8to16(self.locale) data[#data+1] = u_locale
data[#data+1] = unicode.utf8to16(self.database) data[#data+1] = u_database
if ( ntlmAuth ) then if ( ntlmAuth ) then
local NTLMSSP_NEGOTIATE = 1 local NTLMSSP_NEGOTIATE = 1