Re: [nmap-svn] r32017 - nmap-exp/d33tah/ncat-lua-callbacks/ncat

[Jacek Wielemborek <wielemborekj1 () gmail com>]

2013/8/22  <commit-mailer () nmap org>:
> Author: d33tah
> Date: Thu Aug 22 21:16:01 2013
> New Revision: 32017
>
> Log:
> Add a hack that will make connect-mode --proxy work.
>
> Modified:
>    nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_connect.c
>    nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_filters.c
>    nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_filters.h
>    nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_listen.c
>    nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_main.c
>
> Modified: nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_connect.c
> ==============================================================================
> --- nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_connect.c  (original)
> +++ nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_connect.c  Thu Aug 22 21:16:01 2013
> @@ -151,7 +151,7 @@
>
>  void lua_nsock_save(nsock_pool nsp, nsock_iod nsiod, nsock_ev_handler handler)
>  {
> -    struct ncat_lua_state *nl = get_connection(NULL);
> +    struct ncat_lua_state *nl = get_connection(NULL, NULL);
>      nl->nsp = nsp;
>      nl->nsiod = nsiod;
>      nl->handler = handler;
> @@ -183,7 +183,7 @@
>
>  char* lua_nsock_recv(nsock_event evt, int *nbytes)
>  {
> -    struct ncat_lua_state *nl = get_connection(NULL);
> +    struct ncat_lua_state *nl = get_connection(NULL, NULL);
>      size_t nbytes_size_t;
>      nl->evt = evt;
>      int old_top = lua_gettop(L);
> @@ -222,7 +222,7 @@
>  void lua_nsock_write(nsock_pool nsp, nsock_iod nsiod, nsock_ev_handler handler,
>      int timeout_msecs, void *userdata, const char *data, int datalen)
>  {
> -    struct ncat_lua_state *nl = get_connection(NULL);
> +    struct ncat_lua_state *nl = get_connection(NULL, NULL);
>      nl->nsp = nsp;
>      nl->nsiod = nsiod;
>      nl->handler = handler;
>
> Modified: nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_filters.c
> ==============================================================================
> --- nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_filters.c  (original)
> +++ nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_filters.c  Thu Aug 22 21:16:01 2013
> @@ -220,8 +220,9 @@
>     as the key. If it's not there, create it, find its topmost "super", set its
>     "fd" to the given struct ncat_lua_state and save it in connection_supers.
>     Leave the socket on the stack. If *fdn is NULL, we assume that fd=0 and
> -   we're in connect mode. */
> -struct ncat_lua_state* get_connection(struct fdinfo *fdn)
> +   we're in connect mode. Also, if *created is not NULL, it is set to 1 if
> +   the socket put on the stack was just created. */
> +struct ncat_lua_state* get_connection(struct fdinfo *fdn, int *created)
>  {
>      struct ncat_lua_state *ret;
>      int connections_key;
> @@ -281,6 +282,9 @@
>          lua_remove(L, -4);
>          lua_settable(L, -3);
>          lua_pop(L, 1);
> +
> +        if (created != NULL)
> +            *created = 1;
>      } else {
>          lua_insert(L, -2); /* Get rid of connections[]. */
>          lua_pop(L, 1);
> @@ -292,6 +296,9 @@
>          lua_getfield(L, -1, "lua_state");
>          ret = (struct ncat_lua_state *) lua_touserdata(L, -1);
>          lua_pop(L, 3); /* Pop the userdata, the table and connection_roots. */
> +
> +        if (created != NULL)
> +            *created = 0;
>      }
>
>      return ret;
> @@ -355,7 +362,7 @@
>      /* This is a trick we do to make sure we're not reading from stdin yet.
>         Copy the default event handler that reads from stdin, run connect(),
>         then restore it. */
> -    struct ncat_lua_state *nl = get_connection(fdn);
> +    struct ncat_lua_state *nl = get_connection(fdn, NULL);
>      old_handler = nl->handler;
>      nl->handler = write_socket_handler_nostdin;
>
>
> Modified: nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_filters.h
> ==============================================================================
> --- nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_filters.h  (original)
> +++ nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_filters.h  Thu Aug 22 21:16:01 2013
> @@ -145,6 +145,6 @@
>
>  void lua_run_filter(char *cmdexec);
>  void lua_filters_setup();
> -struct ncat_lua_state* get_connection(struct fdinfo *fdn);
> +struct ncat_lua_state* get_connection(struct fdinfo *fdn, int *created);
>
>  #endif
>
> Modified: nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_listen.c
> ==============================================================================
> --- nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_listen.c   (original)
> +++ nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_lua_listen.c   Thu Aug 22 21:16:01 2013
> @@ -126,6 +126,25 @@
>  #include "ncat_lua_filters.h"
>  #include "ncat_listen.h"
>
> +static void replace_root_functions(int fd)
> +{
> +    /* If we reached lua_fdinfo_recv while we're in connect mode, it's most
> +       likely because we connected to the proxy. Replace the recv and send
> +       functions for this FD so they won't try to use the connect-mode
> +       functions. */
> +    lua_getglobal(L, "connection_roots");
> +    lua_pushinteger(L, fd);
> +    lua_gettable(L, -2);
> +    ncat_assert(lua_istable(L, -1));
> +    lua_pushstring(L, "recv");
> +    lua_pushcfunction(L, lua_fdinfo_recv_raw);
> +    lua_settable(L, -3);
> +    lua_pushstring(L, "send");
> +    lua_pushcfunction(L, lua_fdinfo_send_raw);
> +    lua_settable(L, -3);
> +    lua_pop(L, 2);
> +}
> +
>  int lua_fdinfo_recv_raw(lua_State *L)
>  {
>      char buf[DEFAULT_TCP_BUF_LEN];
> @@ -148,8 +167,11 @@
>
>  int lua_fdinfo_recv(struct fdinfo *fdn, char *buf, size_t size, int *pending, int *error)
>  {
> +    int created;
>      size_t oldsize = size;
> -    struct ncat_lua_state *nl = get_connection(fdn);
> +    struct ncat_lua_state *nl = get_connection(fdn, &created);
> +    if (created && !o.listen)
> +        replace_root_functions(fdn->fd);
>      *pending = nl->pending = 0;
>      if (nl->recv_buf != NULL) {
>          int chunk_size = nl->recv_buf_size-nl->recv_buf_pos;
> @@ -225,7 +247,10 @@
>
>  int lua_fdinfo_send(struct fdinfo *fdn, const char *buf, size_t size)
>  {
> -    get_connection(fdn);
> +    int created;
> +    get_connection(fdn, &created);
> +    if (created && !o.listen)
> +        replace_root_functions(fdn->fd);
>      lua_getfield(L, -1, "send");
>      lua_insert(L, -2);
>      lua_pushlstring(L, buf, size);
>
> Modified: nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_main.c
> ==============================================================================
> --- nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_main.c (original)
> +++ nmap-exp/d33tah/ncat-lua-callbacks/ncat/ncat_main.c Thu Aug 22 21:16:01 2013
> @@ -908,12 +908,6 @@
>       * connect to a host, don't try to.
>       */
>
> -    if (o.script && (socksconnect.storage.ss_family != AF_UNSPEC ||
> -            httpconnect.storage.ss_family != AF_UNSPEC))
> -        /* Not allowed because in ncat_connect.c we perform send() and we'd
> -           need some hooks for that. */
> -        bye("Invalid option combination: --proxy with --load-lua-socket-file.");
> -
>      if (o.allow || o.deny)
>          bye("Invalid option combination: allow/deny with connect.");
>
>
> _______________________________________________
> Sent through the svn mailing list
> http://nmap.org/mailman/listinfo/svn

Note that this will cause the connection to also be added to
connections[] and a broadcast to all connections may break the proxy
link this way. A solution could be to make get_connection take another
parameter, char *table_name, which would be used to store this
connection in. This doesn't sound like a good idea to me though.
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/