Nmap Development mailing list archives

[NSE] mssql library - bug in parsing browser data
From: Chris Woodbury <chris3e3 () gmail com>
Date: Fri, 21 Jan 2011 18:33:14 -0600

While working on some NSE scripts for SQL Server, I found a bug in the
mssql.lua library. In the Discover function, when the SQL Server
browser data is being parsed, it treats ";;" as a marker for the end
of the data for a SQL Server instance. However, ";;" is valid within
the data for an instance, signifying a field without a value (i.e. an
empty string, etc.), and one of these ";;"s will make the capture
end too early, likely resulting in a crash [1].

Basically, the proper way to identify an instance is to find
ServerName;.-;InstanceName;.-;IsClustered;.-; (per the SSRP spec,
these are always present and in this order) and then go on until you
reach the end or another instance. I couldn't figure out how to do
this with Lua patterns in one step; so, I did it in two - cutting up
the string and then parsing each one.

I've attached a patch against the SVN version. I haven't done a ton of
Lua/NSE scripting, so I would appreciate any comments.


[1] Example:
gets captured as:
(2) @MSSQL;;
(3) via;WINXP,0:1433;;
(4) ServerName;WINXP;InstanceName;SQL2K5;IsClustered;No;Version;9.00.4035.00;tcp;1278;;

The script crashes on line 843 during (2), when it tries to use the
instance name, which it didn't get.

Attachment: mssql_ssrp_split.patch

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
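An added example (not the attached patch, whose text is not on this page) contrasting the two parsing strategies the message describes: treating every ";;" as an instance terminator, versus anchoring on the mandatory ServerName/InstanceName/IsClustered triple and reading up to the next anchor. The browser response below, and the function names, are constructed for the illustration, not taken from mssql.lua.

```lua
-- Constructed SSRP-style browser response with two instances. The first carries
-- an empty-valued "np" field, which places a ";;" inside that instance's data.
local SAMPLE = "ServerName;WINXP;InstanceName;SQL2K5;IsClustered;No;Version;9.00.4035.00;"
  .. "tcp;1278;np;;via;WINXP,0:1278;;"
  .. "ServerName;WINXP;InstanceName;MSSQLSERVER;IsClustered;No;Version;9.00.4035.00;tcp;1433;;"

-- Turn one instance's "key;value;key;value;..." text into a table.
-- An empty value (a ";;" inside the instance) is kept as "" rather than dropped.
local function parse_fields(chunk)
  local fields, key = {}, nil
  for token in (chunk .. ";"):gmatch("(.-);") do
    if key == nil then key = token else fields[key] = token; key = nil end
  end
  return fields
end

-- Buggy strategy from the report: every ";;" ends an instance. The empty "np"
-- value splits the first instance in two, and the second half has no InstanceName.
local function split_on_double_semicolon(data)
  local instances = {}
  for chunk in data:gmatch("(.-);;") do
    instances[#instances + 1] = parse_fields(chunk)
  end
  return instances
end

-- Anchored strategy: each instance starts at the mandatory triple and runs to
-- the next one (or to the end of the data); only then are its fields parsed.
local HEADER = "ServerName;.-;InstanceName;.-;IsClustered;.-;"
local function split_on_instance_header(data)
  local starts, pos, instances = {}, 1, {}
  while true do
    local s = data:find(HEADER, pos)
    if not s then break end
    starts[#starts + 1] = s
    pos = s + 1
  end
  for i, s in ipairs(starts) do
    local e = starts[i + 1] and (starts[i + 1] - 1) or #data
    local chunk = data:sub(s, e):gsub(";;$", "")  -- strip the instance terminator
    instances[#instances + 1] = parse_fields(chunk)
  end
  return instances
end

local function summarise(instances)
  local out = {}
  for _, inst in ipairs(instances) do
    out[#out + 1] = tostring(inst.InstanceName) .. " (np=" .. tostring(inst.np) .. ")"
  end
  return table.concat(out, ", ")
end

print("naive:    " .. summarise(split_on_double_semicolon(SAMPLE)))
print("anchored: " .. summarise(split_on_instance_header(SAMPLE)))
```

With the naive split the second chunk has a nil InstanceName, which is the condition behind the crash the message reports; the anchored split yields exactly two instances and preserves the empty np value.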
