Fixed a bug where int8 arrays wouldn't align properly (I hadn't noticed it before because the only place it's used is in registry functions, and all following variables were either ignored or set to the proper value by luck

2025-12-26 09:29:01 +00:00 · 2008-12-07 19:10:17 +00:00
parent ea42f39faa
commit da4a8ef302
2 changed files with 66 additions and 7 deletions
--- a/nselib/msrpc.lua
+++ b/nselib/msrpc.lua
@@ -1618,7 +1618,55 @@ function winreg_openhklm(smbstate)
 	end

 	return true, result
+end

+---Call the <code>OpenHKPD</code> function, to obtain a handle to the hidden HKEY_PERFORMANCE_DATA hive
+--
+--@param smbstate  The SMB state table
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values, the most
+--        useful one being 'handle', which is required to call other winreg functions. 
+function winreg_openhkpd(smbstate)
+	local i, j
+	local status, result
+	local arguments
+	local pos, align
+
+	stdnse.print_debug(2, "MSRPC: Calling OpenHKPD() [%s]", smbstate['ip'])
+
+--		[in]      uint16 *system_name,
+	arguments = msrpctypes.marshall_int16_ptr(0x1337, true)
+
+--		[in]      winreg_AccessMask access_mask,
+	arguments = arguments .. msrpctypes.marshall_winreg_AccessMask('MAXIMUM_ALLOWED_ACCESS')
+
+--		[out,ref] policy_handle *handle
+
+	-- Do the call
+	status, result = call_function(smbstate, 0x03, arguments)
+	if(status ~= true) then
+		return false, result
+	end
+
+	stdnse.print_debug(3, "MSRPC: OpenHKPD() returned successfully")
+
+	-- Make arguments easier to use
+	arguments = result['arguments']
+	pos = 1
+
+--		[in]      uint16 *system_name,
+--		[in]      winreg_AccessMask access_mask,
+--		[out,ref] policy_handle *handle
+	pos, result['handle'] = msrpctypes.unmarshall_policy_handle(arguments, pos)
+
+	pos, result['return'] = msrpctypes.unmarshall_int32(arguments, pos)
+	if(result['return'] == nil) then
+		return false, "Read off the end of the packet (winreg.openhkpd)"
+	end
+	if(result['return'] ~= 0) then
+		return false, smb.get_status_name(result['return']) .. " (winreg.openhkpd)"
+	end
+
+	return true, result
 end

 ---Call the <code>OpenHKCU</code> function, to obtain a handle to the HKEY_CURRENT_USER hive
@@ -1926,7 +1974,6 @@ function winreg_queryvalue(smbstate, handle, value)
 --		[in,out] uint32 *length
 	arguments = arguments .. msrpctypes.marshall_int32_ptr(0)

-
 	-- Do the call
 	status, result = call_function(smbstate, 0x11, arguments)
 	if(status ~= true) then
@@ -1958,8 +2005,8 @@ function winreg_queryvalue(smbstate, handle, value)
 		elseif(result['type'] == "REG_SZ" or result['type'] == "REG_MULTI_SZ" or result['type'] == "REG_EXPAND_SZ") then
 			_, result['value'] = msrpctypes.unicode_to_string(result['data'], 1, #result['data'] / 2)
 		else
-			io.write(string.format("Unknown type: %s\n\n", result['type']))
-			result['value'] = "FIX ME!"
+			stdnse.print_debug("MSRPC ERROR: Unknown type: %s\n\n", result['type'])
+			result['value'] = result['type']
 		end
 	else
 		result['value'] = nil
--- a/nselib/msrpctypes.lua
+++ b/nselib/msrpctypes.lua
@@ -908,8 +908,10 @@ end
 --
 --@param data The data packet. 
 --@param pos  The position within the data. 
+--@param pad  [optional] If set to true, will align data on 4-byte boundaries. Default:
+--            true. 
 --@return (pos, str) The position, and the resulting string, which cannot be nil. 
-function unmarshall_int8_array(data, pos)
+function unmarshall_int8_array(data, pos, pad)
 	local max, offset, actual
 	local str

@@ -918,6 +920,13 @@ function unmarshall_int8_array(data, pos)
 	pos, max, offset, actual = bin.unpack("<III", data, pos)
 	pos, str = bin.unpack("<A"..actual, data, pos)

+	-- Do the alignment (note the "- 1", it's there because of 1-based arrays)
+	if(pad == nil or pad == true) then
+		while(((pos - 1) % 4) ~= 0) do
+			pos = pos + 1
+		end
+	end
+
 	stdnse.print_debug(4, string.format("MSRPC: Leaving unmarshall_int8_array()"))

 	return pos, str
@@ -939,16 +948,19 @@ function marshall_int8_array_ptr(data, max_length)
 	return result
 end

--- Unmarshall a pointer to an array of int8s. 
+--- Unmarshall a pointer to an array of int8s. By default, aligns the result to 4-byte
+--  boundaries. 
 --
 --@param data The data packet. 
 --@param pos  The position within the data. 
+--@param pad  [optional] If set to true, will align data on 4-byte boundaries. Default:
+--            true. 
 --@return (pos, str) The position, and the resulting string, which cannot be nil. 
-function unmarshall_int8_array_ptr(data, pos)
+function unmarshall_int8_array_ptr(data, pos, pad)
 	local str
 	stdnse.print_debug(4, string.format("MSRPC: Entering unmarshall_int8_array_ptr()"))

-	pos, str = unmarshall_ptr(ALL, data, pos, unmarshall_int8_array, {})
+	pos, str = unmarshall_ptr(ALL, data, pos, unmarshall_int8_array, {pad})

 	stdnse.print_debug(4, string.format("MSRPC: Leaving unmarshall_int8_array_ptr()"))
 	return pos, str