diff --git a/src/main-conf.c b/src/main-conf.c
index cc2c8771ae6d12718303e1e8a92ba1f1b55196e0..03187f8d43b93d470bbd25981f399c41a94b58ca 100644
--- a/src/main-conf.c
+++ b/src/main-conf.c
@@ -903,10 +903,15 @@ static int SET_hello(struct Masscan *masscan, const char *name, const char *valu
 if (masscan->is_hello_ssl) {
 fprintf(masscan->echo, "hello = ssl\n");
 }
+ if (masscan->is_hello_smbv1) {
+ fprintf(masscan->echo, "hello = smbv1\n");
+ }
 return 0;
 }
 if (EQUALS("ssl", value))
 masscan->is_hello_ssl = 1;
+ else if (EQUALS("smbv1", value))
+ masscan->is_hello_smbv1 = 1;
 else {
 fprintf(stderr, "FAIL: %s: unknown hello type\n", value);
 return CONF_ERR;
diff --git a/src/main.c b/src/main.c
index 0df770af49be02a8bffe4c3cc4a50e95064dbf46..0b6201aa45fd85245481c80cb835b105732a07d4 100644
--- a/src/main.c
+++ b/src/main.c
@@ -621,6 +621,11 @@ receive_thread(void *v)
 "http-user-agent",
 masscan->http_user_agent_length,
 masscan->http_user_agent);
+ if (masscan->is_hello_smbv1)
+ tcpcon_set_parameter( tcpcon,
+ "hello",
+ 1,
+ "smbv1");
 if (masscan->is_hello_ssl)
 tcpcon_set_parameter( tcpcon,
 "hello",
diff --git a/src/masscan.h b/src/masscan.h
index b6d19da3b4c172d951a4fdb9dc0f9ddd81917b06..eb4ea3303479719d563a83bb8374720e755bad0a 100644
--- a/src/masscan.h
+++ b/src/masscan.h
@@ -201,6 +201,7 @@ struct Masscan
 unsigned is_ticketbleed:1; /* --ticketbleed, scan for this vuln */
 unsigned is_poodle_sslv3:1; /* --script poodle, scan for this vuln */
 unsigned is_hello_ssl:1; /* --ssl, use SSL HELLO on all ports */
+ unsigned is_hello_smbv1:1; /* --smbv1, use SMBv1 hello, instead of v1/v2 hello */
 /**
 * Wait forever for responses, instead of the default 10 seconds
diff --git a/src/proto-interactive.c b/src/proto-interactive.c
index f07510351afba490e07379ebb8eca4df303e5344..ad696833e0817bd1e61cdebf379f25323c19b04d 100644
--- a/src/proto-interactive.c
+++ b/src/proto-interactive.c
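Review bot: `is_hello_smbv1` and `is_hello_ssl` are independent bits, so `--hello ssl` followed by `--hello smbv1` sets both, and the echo branch above then prints two `hello =` lines that will both be re-applied when the echoed config is read back. If a later `--hello` is meant to replace the earlier one, the new branch should clear the sibling flag (`masscan->is_hello_smbv1 = 1; masscan->is_hello_ssl = 0;`, and the mirror in the ssl branch); if the two are meant to combine, a one-line comment saying so would keep the next reader from treating it as a bug. Whether `SMBv1` or `SMBV1` is accepted depends on EQUALS being case-insensitive, which this hunk does not show. SET_hello's body continues outside the hunk.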
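Review bot: The new tcpcon_set_parameter call passes `1` as the value length for the five-byte string `"smbv1"`, copying the shape of the existing `ssl` call. The proto-tcp.c hunk in this same commit matches the value with `name_equals(value, "smbv1")`, i.e. as a NUL-terminated string, so the length is ignored there, but any consumer that honours `value_length` would see a one-byte value; `sizeof("smbv1") - 1` keeps the argument truthful. The smbv1 call is also placed before the ssl one, so when both flags are set the ssl parameter is applied last, which is only harmless if the ssl path does not touch the SMB banner, something not visible here. receive_thread's body continues outside the hunk.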
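Review bot: The field comment says `--smbv1`, but the option that sets this bit, per the main-conf.c hunk, is `--hello smbv1`; suggest `/* --hello smbv1, force the SMB hello to v1 only, instead of the combined v1/v2 hello */` so the comment matches the actual command line.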
@@ -1,5 +1,22 @@
 #include "proto-interactive.h"
+#include <stdlib.h>
+/*
+ * TODO: we need to track thie memory used for this better than with malloc(), such
+ * as usuing a preallocated array of packet buffers. But for now, I'm just using
+ * malloc() 'cause I'm a lazy programmer.
+ */
+unsigned char *
+tcp_transmit_alloc(struct InteractiveData *more, size_t length)
+{
+ return malloc(length);
+}
+
+
+/*
+ * This doesn't actually transmit right now. Instead, marks the payload as ready
+ * to transmit, which will be transmitted later
+ */
 void
 tcp_transmit(struct InteractiveData *more, const void *payload, size_t length, unsigned flags)
 {
diff --git a/src/proto-interactive.h b/src/proto-interactive.h
index 4bb8a5f61b730f682eaccce78a4193437e3e07fa..e5b4077037b7851b0b5717e49b5c3d8c54fdcacd 100644
--- a/src/proto-interactive.h
+++ b/src/proto-interactive.h
@@ -10,7 +10,17 @@ struct InteractiveData {
 enum {
 TCPTRAN_DYNAMIC = 0x0001,
 };
+
+/**
+ * Called to 'transmit' TCP packet payload.
+ */
 void
 tcp_transmit(struct InteractiveData *more, const void *data, size_t length, unsigned flags);
+/**
+ * Called to allocate a TCP buffer.
+ */
+unsigned char *
+tcp_transmit_alloc(struct InteractiveData *more, size_t length);
+
 #endif
diff --git a/src/proto-ntlmssp.c b/src/proto-ntlmssp.c
index e364d4e4da24e96dc9f7046667f4e01deac88d59..f1b7fa7eb711c2b74d42ae0337febbcbd7ab9275 100644
--- a/src/proto-ntlmssp.c
+++ b/src/proto-ntlmssp.c
@@ -111,7 +111,7 @@ ntlmssp_decode(struct NtlmsspDecode *x,
 unsigned name_length;
 unsigned info_offset;
 unsigned info_length;
- unsigned flags;
+ //unsigned flags;
 unsigned i;
 if (length > x->length - x->offset)
@@ -159,7 +159,7 @@ ntlmssp_decode(struct NtlmsspDecode *x,
 }
 /* Grab flags */
- flags = px[20] | px[21]<<8 | px[22]<<16 | px[23]<<24;
+ //flags = px[20] | px[21]<<8 | px[22]<<16 | px[23]<<24;
 /* Info field */
 info_length = px[40] | px[41]<<8;
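Review bot: `tcp_transmit_alloc` returns `malloc(length)` unchecked, and the caller added in the proto-smb.c hunk goes straight into `memcpy(buf, ...)` with the result, so an allocation failure becomes a null-pointer write. Either the contract is "may return NULL, caller checks" — then the comment here and in proto-interactive.h should say so — or this helper should handle the failure itself the way the project treats other out-of-memory conditions. The `more` parameter is unused; `(void)more; /* reserved for the pooled-buffer scheme described above */` records that it is intentional and quiets -Wunused-parameter. The header comment also has two typos, `thie` and `usuing`.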
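Review bot: The doc comment on `tcp_transmit_alloc` says only "Called to allocate a TCP buffer" and leaves the ownership rule implicit, although the proto-smb.c hunk depends on `tcp_transmit(..., TCPTRAN_DYNAMIC)` adopting and later freeing the buffer. Suggest `Allocates a payload buffer of 'length' bytes. Pass it to tcp_transmit() with TCPTRAN_DYNAMIC, which takes ownership and frees it; returns NULL on allocation failure.` The `tcp_transmit` comment should likewise state what `flags` means, at minimum that TCPTRAN_DYNAMIC transfers ownership of `data` to the callee while 0 means the caller keeps a static buffer.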
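Review bot: Both `//unsigned flags;` and `//flags = px[20] | px[21]<<8 | ...` are commented-out code rather than a deletion, which leaves the reader guessing whether the flags read is coming back. If the value is genuinely unused, delete both lines; if the read is kept to document the wire layout, make it a plain comment, e.g. `/* bytes 20..23: negotiate flags, little-endian, currently not used */`. The same applies to `//offset += 4;` in the proto-ntp.c hunk, where a sentence on why the advance is no longer needed would help, since a dropped offset update inside a parser is easy to mistake for a bug. ntlmssp_decode's body extends beyond both hunks.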
diff --git a/src/proto-ntp.c b/src/proto-ntp.c
index a28f86a8fbab3b7e757f2f29b517c8df35a0ad44..53b5d29c77287f467e0edc0fede6bb125fc4c96d 100644
--- a/src/proto-ntp.c
+++ b/src/proto-ntp.c
@@ -140,7 +140,7 @@ ntp_modlist_parse(const unsigned char *px,
 return;
 }
- offset += 4;
+ //offset += 4;
 {
 char msg[128];
diff --git a/src/proto-smb.c b/src/proto-smb.c
index 2b6f7f49135c1a31b8a726042a98962c2ea8812e..34bdc9a696be89d2e8c8d3377173b1f9c97f0169 100644
--- a/src/proto-smb.c
+++ b/src/proto-smb.c
@@ -107,6 +107,24 @@ smb1_hello_template[] = {
 };
+static const char
+smb1_hello_template_v1[] = {
+ 0x00, 0x00, 0x00, 0x45, 0xff, 0x53, 0x4d, 0x42,
+ 0x72, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0xc8,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00,
+ 0xff, 0xff, 0x00, 0x00, 0x00, 0x22, 0x00,
+ 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00,
+ 0x02, 0x54, 0x4d, 0x42, 0x20, 0x32, 0x2e, 0x30, 0x30, 0x32, 0x00,
+ 0x02, 0x54, 0x4d, 0x42, 0x20, 0x32, 0x2e, 0x3f, 0x3f, 0x3f, 0x00
+};
+
+void smb_set_hello_v1(struct ProtocolParserStream *smb)
+{
+ smb->hello = smb1_hello_template_v1;
+ smb->hello_length = sizeof(smb1_hello_template_v1);
+}
+
 static unsigned char
 smb1_null_session_setup[] = {
 0x00, 0x00, 0x00, 0x7e, 0xff, 0x53, 0x4d, 0x42,
 0x73, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0xc0,
@@ -453,7 +471,8 @@ smb1_parse_setup1(struct SMBSTUFF *smb, const unsigned char *px, size_t offset,
 max = offset + (smb->hdr.smb1.byte_count - smb->hdr.smb1.byte_offset);
 for (;offset<max; offset++) {
-
+ printf("%02x ", px[offset]);
+
 switch (state) {
 case D_PADDING:
 if (smb->hdr.smb1.flags2 & 0x8000) {
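Review bot: `smb1_hello_template_v1` is declared `static const char` although it holds bytes above 0x7f (`0xff`, `0xc8`), which makes those initializers implementation-defined conversions where `char` is signed, while the neighbouring `smb1_null_session_setup` and the removed `smb2_negot_response` use `unsigned char`; `static const unsigned char` matches them, provided the `hello` member's type allows it. The second and third dialect strings spell `TMB 2.002` and `TMB 2.???` rather than `SMB ...`, presumably on purpose so that an SMB2-capable server does not recognise them and negotiates `NT LM 0.12` while the packet keeps the same length as the v1/v2 template; that deserves a comment above the array, otherwise the next reader will "fix" the typo and silently re-enable SMB2. `smb_set_hello_v1` is described only in proto-smb.h; a one-line comment here such as `/* --hello smbv1: swap the combined v1/v2 hello for the v1-only template */` would save a trip to the header.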
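Review bot: The `printf("%02x ", px[offset]);` added inside smb1_parse_setup1's byte loop is debug output left in the parser: it writes every byte of every SMB session-setup response to stdout without a newline, interleaved with whatever the scanner is emitting there, for the whole scan. It should be removed before merge, or at least placed behind the project's debug/verbosity mechanism so that production output stays clean. smb1_parse_setup1 starts before the hunk.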
@@ -1416,13 +1435,20 @@ smb_parse_smb(struct SMBSTUFF *smb, const unsigned char *px, size_t max, struct
 } else {
 if (smb->parms.negotiate.SessionKey) {
 unsigned char *buf;
- buf = malloc(sizeof(smb1_null_session_setup));
+
+ buf = tcp_transmit_alloc(more, sizeof(smb1_null_session_setup));
+
 memcpy(buf, smb1_null_session_setup, sizeof(smb1_null_session_setup));
 buf[0x2f] = (unsigned char)(smb->parms.negotiate.SessionKey>> 0) & 0xFF;
 buf[0x30] = (unsigned char)(smb->parms.negotiate.SessionKey>> 8) & 0xFF;
 buf[0x31] = (unsigned char)(smb->parms.negotiate.SessionKey>>16) & 0xFF;
 buf[0x32] = (unsigned char)(smb->parms.negotiate.SessionKey>>24) & 0xFF;
 tcp_transmit(more, buf, sizeof(smb1_null_session_setup), TCPTRAN_DYNAMIC);
+
+ /* NOTE: the following line is here to silence LLVM warnings about a potential
+ * memory leak. The 'tcp_transmit' function 'adopts' the pointer and will be
+ * responsible for freeing it after the packet gets successfully transmitted */
+ buf = 0;
 } else {
 tcp_transmit(more, smb1_null_session_setup, sizeof(smb1_null_session_setup), 0);
 }
@@ -1455,7 +1481,7 @@ smb_parse_smb(struct SMBSTUFF *smb, const unsigned char *px, size_t max, struct
 i += smb1_parse_negotiate1(smb, px, i, max, banout);
 break;
 case 0x73: /* session setup and x */
- if ((smb->hdr.smb1.flags2 & 0x0800) > 0 && smb->parms.negotiate.ChallengeLength == 0)
+ if ((smb->hdr.smb1.flags2 & 0x0800) > 0 || smb->parms.setup.BlobLength)
 i += smb1_parse_setup2(smb, px, i, max, banout);
 else
 i += smb1_parse_setup1(smb, px, i, max, banout);
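Review bot: `buf` from `tcp_transmit_alloc` feeds `memcpy` and the four `buf[0x2f..0x32]` stores with no NULL check, so an allocation failure turns into a null-pointer write; the old `malloc` path had the same gap, and since this hunk is already rewriting the allocation it is the moment to close it. The simplest shape is to wrap the copy, the four patches and the `tcp_transmit(..., TCPTRAN_DYNAMIC)` in `if (buf != NULL) { ... }`, or to fall through to the static-template `else` branch when the allocation fails, since that branch already sends an unpatched setup. `buf = 0;` should be `buf = NULL;` to match the pointer type, and the NOTE could say in one clause that TCPTRAN_DYNAMIC is what signals the ownership transfer. smb_parse_smb's body extends outside the hunk.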
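Review bot: The new dispatch condition `(smb->hdr.smb1.flags2 & 0x0800) > 0 || smb->parms.setup.BlobLength` carries no comment, and because the old form differed in both operator and operand (`&& ...ChallengeLength == 0`) a reader cannot tell which half is the fix and which is incidental. A one-line comment naming the rule would settle it, e.g. `/* extended-security setup (flags2 bit 0x0800, presumably) or a pending security blob goes to the setup2 parser */`, and `0x0800` is worth a named constant if the file already defines flags2 bits. This hunk sits inside smb_parse_smb, whose body extends outside it.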
@@ -1828,165 +1854,6 @@ smb0_hello_template[] = { }; -static const unsigned char -smb2_negot_response[] = { - - 0x00, 0x00, 0x01, 0xc0, 0xfe, 0x53, 0x4d, 0x42, - 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x41, 0x00, 0x01, 0x00, - 0xff, 0x02, 0x00, 0x00, 0x39, 0xf6, 0x39, 0xe2, - 0x4b, 0xac, 0x2e, 0x4d, 0xaf, 0x5e, 0xbf, 0x1a, - 0xfa, 0xe3, 0x2f, 0xa1, 0x07, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, - 0x00, 0x00, 0x80, 0x00, 0x6e, 0xa8, 0x4f, 0x0d, - 0xf6, 0xfe, 0xd3, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x40, 0x01, - 0x00, 0x00, 0x00, 0x00, 0x60, 0x82, 0x01, 0x3c, - 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, - 0xa0, 0x82, 0x01, 0x30, 0x30, 0x82, 0x01, 0x2c, - 0xa0, 0x1a, 0x30, 0x18, 0x06, 0x0a, 0x2b, 0x06, - 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x1e, - 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, - 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x82, 0x01, 0x0c, - 0x04, 0x82, 0x01, 0x08, 0x4e, 0x45, 0x47, 0x4f, - 0x45, 0x58, 0x54, 0x53, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, - 0x70, 0x00, 0x00, 0x00, 0x59, 0x3d, 0x22, 0xb1, - 0x12, 0xbb, 0x15, 0xcf, 0x39, 0xad, 0x37, 0x0b, - 0xbd, 0x31, 0x9c, 0xfd, 0x0d, 0x6f, 0x2c, 0xaa, - 0x13, 0xd3, 0xe9, 0x37, 0xdc, 0x82, 0xe6, 0x8c, - 0xb6, 0xcd, 0xa5, 0xaf, 0xe0, 0x80, 0xae, 0xa1, - 0xd4, 0x88, 0x5e, 0xb9, 0x55, 0x6b, 0xbc, 0x78, - 0xd9, 0xd3, 0x3f, 0xe8, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x5c, 0x33, 0x53, 0x0d, - 0xea, 0xf9, 0x0d, 0x4d, 0xb2, 0xec, 0x4a, 0xe3, - 0x78, 0x6e, 0xc3, 0x08, 0x4e, 0x45, 
0x47, 0x4f, - 0x45, 0x58, 0x54, 0x53, 0x03, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, - 0x98, 0x00, 0x00, 0x00, 0x59, 0x3d, 0x22, 0xb1, - 0x12, 0xbb, 0x15, 0xcf, 0x39, 0xad, 0x37, 0x0b, - 0xbd, 0x31, 0x9c, 0xfd, 0x5c, 0x33, 0x53, 0x0d, - 0xea, 0xf9, 0x0d, 0x4d, 0xb2, 0xec, 0x4a, 0xe3, - 0x78, 0x6e, 0xc3, 0x08, 0x40, 0x00, 0x00, 0x00, - 0x58, 0x00, 0x00, 0x00, 0x30, 0x56, 0xa0, 0x54, - 0x30, 0x52, 0x30, 0x27, 0x80, 0x25, 0x30, 0x23, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x13, 0x18, 0x54, 0x6f, 0x6b, 0x65, 0x6e, - 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, - 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, - 0x4b, 0x65, 0x79, 0x30, 0x27, 0x80, 0x25, 0x30, - 0x23, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x18, 0x54, 0x6f, 0x6b, 0x65, - 0x6e, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, - 0x67, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x20, 0x4b, 0x65, 0x79, - - 0x00, 0x00, 0x01, 0xc0, 0xfe, 0x53, 0x4d, 0x42, - 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x41, 0x00, 0x01, 0x00, - 0x02, 0x03, 0x00, 0x00, 0x39, 0xf6, 0x39, 0xe2, - 0x4b, 0xac, 0x2e, 0x4d, 0xaf, 0x5e, 0xbf, 0x1a, - 0xfa, 0xe3, 0x2f, 0xa1, 0x67, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, - 0x00, 0x00, 0x80, 0x00, 0x58, 0x06, 0xe8, 0x0d, - 0xf6, 0xfe, 0xd3, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x40, 0x01, - 0x00, 0x00, 0x00, 0x00, 0x60, 0x82, 0x01, 0x3c, - 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, - 0xa0, 0x82, 0x01, 0x30, 0x30, 0x82, 0x01, 0x2c, - 0xa0, 0x1a, 0x30, 0x18, 0x06, 0x0a, 0x2b, 0x06, - 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x1e, - 0x06, 
0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, - 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x82, 0x01, 0x0c, - 0x04, 0x82, 0x01, 0x08, 0x4e, 0x45, 0x47, 0x4f, - 0x45, 0x58, 0x54, 0x53, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, - 0x70, 0x00, 0x00, 0x00, 0x5a, 0x3d, 0x22, 0xb1, - 0x12, 0xbb, 0x15, 0xcf, 0x39, 0xad, 0x37, 0x0b, - 0xbd, 0x31, 0x9c, 0xfd, 0x28, 0x43, 0x2b, 0x64, - 0xbd, 0x80, 0x88, 0x56, 0x11, 0xb5, 0xad, 0x5b, - 0x41, 0x4c, 0x68, 0x0b, 0xf7, 0xdf, 0xac, 0x96, - 0xfe, 0xb3, 0xed, 0x9d, 0xe2, 0x5a, 0xb5, 0x8c, - 0x1f, 0x0e, 0xeb, 0xff, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x5c, 0x33, 0x53, 0x0d, - 0xea, 0xf9, 0x0d, 0x4d, 0xb2, 0xec, 0x4a, 0xe3, - 0x78, 0x6e, 0xc3, 0x08, 0x4e, 0x45, 0x47, 0x4f, - 0x45, 0x58, 0x54, 0x53, 0x03, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, - 0x98, 0x00, 0x00, 0x00, 0x5a, 0x3d, 0x22, 0xb1, - 0x12, 0xbb, 0x15, 0xcf, 0x39, 0xad, 0x37, 0x0b, - 0xbd, 0x31, 0x9c, 0xfd, 0x5c, 0x33, 0x53, 0x0d, - 0xea, 0xf9, 0x0d, 0x4d, 0xb2, 0xec, 0x4a, 0xe3, - 0x78, 0x6e, 0xc3, 0x08, 0x40, 0x00, 0x00, 0x00, - 0x58, 0x00, 0x00, 0x00, 0x30, 0x56, 0xa0, 0x54, - 0x30, 0x52, 0x30, 0x27, 0x80, 0x25, 0x30, 0x23, - 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x13, 0x18, 0x54, 0x6f, 0x6b, 0x65, 0x6e, - 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, - 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, - 0x4b, 0x65, 0x79, 0x30, 0x27, 0x80, 0x25, 0x30, - 0x23, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x18, 0x54, 0x6f, 0x6b, 0x65, - 0x6e, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, - 0x67, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x20, 0x4b, 0x65, 0x79, - - 0x00, 0x00, 0x01, 0x0f, 0xfe, 0x53, 0x4d, 0x42, - 0x40, 0x00, 0x01, 0x00, 0x16, 0x00, 0x00, 0xc0, - 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 
0xff, 0xfe, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x0c, - 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, - 0x48, 0x00, 0xc7, 0x00, 0xa1, 0x81, 0xc4, 0x30, - 0x81, 0xc1, 0xa0, 0x03, 0x0a, 0x01, 0x01, 0xa1, - 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, - 0x82, 0x37, 0x02, 0x02, 0x0a, 0xa2, 0x81, 0xab, - 0x04, 0x81, 0xa8, 0x4e, 0x54, 0x4c, 0x4d, 0x53, - 0x53, 0x50, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10, - 0x00, 0x10, 0x00, 0x38, 0x00, 0x00, 0x00, 0x15, - 0x82, 0x8a, 0x62, 0x38, 0xe7, 0x63, 0xbc, 0xc7, - 0xfa, 0xc9, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x60, 0x00, 0x60, 0x00, 0x48, - 0x00, 0x00, 0x00, 0x0a, 0x00, 0xee, 0x42, 0x00, - 0x00, 0x00, 0x0f, 0x42, 0x00, 0x52, 0x00, 0x4f, - 0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x53, - 0x00, 0x4b, 0x00, 0x02, 0x00, 0x10, 0x00, 0x42, - 0x00, 0x52, 0x00, 0x4f, 0x00, 0x41, 0x00, 0x44, - 0x00, 0x45, 0x00, 0x53, 0x00, 0x4b, 0x00, 0x01, - 0x00, 0x10, 0x00, 0x42, 0x00, 0x52, 0x00, 0x4f, - 0x00, 0x41, 0x00, 0x44, 0x00, 0x45, 0x00, 0x53, - 0x00, 0x4b, 0x00, 0x04, 0x00, 0x10, 0x00, 0x62, - 0x00, 0x72, 0x00, 0x6f, 0x00, 0x61, 0x00, 0x64, - 0x00, 0x65, 0x00, 0x73, 0x00, 0x6b, 0x00, 0x03, - 0x00, 0x10, 0x00, 0x62, 0x00, 0x72, 0x00, 0x6f, - 0x00, 0x61, 0x00, 0x64, 0x00, 0x65, 0x00, 0x73, - 0x00, 0x6b, 0x00, 0x07, 0x00, 0x08, 0x00, 0x9c, - 0x8b, 0x80, 0x0e, 0xf6, 0xfe, 0xd3, 0x01, 0x00, - 0x00, 0x00, 0x00, - - - -}; - /***************************************************************************** * Do a single test of response packets 
@@ -2025,51 +1892,75 @@ smb_do_test(const char *substring, const unsigned char *packet_bytes, size_t len static int smb_selftest(void) { - struct Banner1 *banner1; - struct ProtocolState state[1]; - struct BannerOutput banout1[1]; - struct InteractiveData more; int x = 0; - size_t i; - - unsigned char packet_bytes[] = { - 0x00, 0x00, 0x00, 0x69, 0xff, 0x53, 0x4d, 0x42, - 0x72, 0x00, 0x00, 0x00, 0x00, 0x88, 0x01, 0xc0, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, - 0xff, 0xff, 0x00, 0x00, 0x11, 0x00, 0x00, 0x03, - 0x10, 0x00, 0x01, 0x00, 0x04, 0x11, 0x00, 0x00, - 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xfc, 0xe3, 0x01, 0x00, 0x1f, 0xac, 0xe7, 0x7f, - 0x8a, 0xf0, 0xd3, 0x01, 0xf0, 0x00, 0x08, 0x24, - 0x00, 0xc2, 0xe5, 0x34, 0x10, 0xfd, 0x29, 0xa7, - 0x75, 0x42, 0x00, 0x4e, 0x00, 0x43, 0x00, 0x00, - 0x00, 0x53, 0x00, 0x48, 0x00, 0x49, 0x00, 0x50, - 0x00, 0x42, 0x00, 0x41, 0x00, 0x52, 0x00, 0x42, - 0x00, 0x4f, 0x00, 0x00, 0x00, - /*0x00, 0x00, 0x00, 0x90, 0xff, 0x53, 0x4d, 0x42, - 0x73, 0x00, 0x00, 0x00, 0x00, 0x98, 0x03, 0x80, - 0x00, 0x00, 0x5d, 0xa8, 0x8f, 0x55, 0x48, 0x06, - 0xe8, 0xfc, 0x00, 0x00, 0x00, 0x08, 0xfe, 0xca, - 0x00, 0x08, 0x00, 0x00, 0x03, 0x75, 0x00, 0x81, - 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x57, 0x00, - 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, - 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x35, 0x00, - 0x2e, 0x00, 0x30, 0x00, 0x00, 0x00, 0x57, 0x00, - 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00, - 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, - 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x20, 0x00, - 0x4c, 0x00, 0x41, 0x00, 0x4e, 0x00, 0x20, 0x00, - 0x4d, 0x00, 0x61, 0x00, 0x6e, 0x00, 0x61, 0x00, - 0x67, 0x00, 0x65, 0x00, 0x72, 0x00, 0x00, 0x00, - 0x52, 0x00, 0x45, 0x00, 0x53, 0x00, 0x45, 0x00, - 0x41, 0x00, 0x55, 0x00, 0x00, 0x03, 0xff, 0x00, - 0x90, 0x00, 0x01, 0x00, 0x06, 0x00, 0x49, 0x50, - 0x43, 0x00, 0x00, 0x00*/ - - }; - + 
/***************************************************************************** + *****************************************************************************/ + { + static const unsigned char packet_bytes[] = { + 0x00, 0x00, 0x00, 0x9f, 0xff, 0x53, 0x4d, 0x42, + 0x72, 0x00, 0x00, 0x00, 0x00, 0x88, 0x01, 0xc8, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, + 0xff, 0xff, 0x00, 0x00, 0x11, 0x00, 0x00, 0x03, + 0x0a, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x00, 0x00, 0x01, 0x00, 0xad, 0xa0, 0x03, 0x0a, + 0x7c, 0xe0, 0x00, 0x80, 0x00, 0x1d, 0xbd, 0xd5, + 0xe2, 0x0f, 0xcf, 0x01, 0x00, 0x00, 0x00, 0x5a, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x60, 0x48, 0x06, 0x06, 0x2b, 0x06, 0x01, + 0x05, 0x05, 0x02, 0xa0, 0x3e, 0x30, 0x3c, 0xa0, + 0x0e, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, + 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a, 0xa3, + 0x2a, 0x30, 0x28, 0xa0, 0x26, 0x1b, 0x24, 0x6e, + 0x6f, 0x74, 0x5f, 0x64, 0x65, 0x66, 0x69, 0x6e, + 0x65, 0x64, 0x5f, 0x69, 0x6e, 0x5f, 0x52, 0x46, + 0x43, 0x34, 0x31, 0x37, 0x38, 0x40, 0x70, 0x6c, + 0x65, 0x61, 0x73, 0x65, 0x5f, 0x69, 0x67, 0x6e, + 0x6f, 0x72, 0x65, + + 0x00, 0x00, 0x01, 0x2a, 0xff, 0x53, 0x4d, 0x42, + 0x73, 0x16, 0x00, 0x00, 0xc0, 0x88, 0x01, 0xc0, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, + 0x00, 0x00, 0x01, 0x00, 0x04, 0xff, 0x00, 0x2a, + 0x01, 0x00, 0x00, 0xb3, 0x00, 0xff, 0x00, 0xa1, + 0x81, 0xb0, 0x30, 0x81, 0xad, 0xa0, 0x03, 0x0a, + 0x01, 0x01, 0xa1, 0x0c, 0x06, 0x0a, 0x2b, 0x06, + 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a, + 0xa2, 0x81, 0x97, 0x04, 0x81, 0x94, 0x4e, 0x54, + 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x02, 0x00, + 0x00, 0x00, 0x12, 0x00, 0x12, 0x00, 0x30, 0x00, + 0x00, 0x00, 0x31, 0x02, 0x89, 0xe0, 0x31, 0x6a, + 0x74, 0x8f, 0xb5, 0xf1, 0xe1, 0x56, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x00, + 0x52, 0x00, 
0x42, 0x00, 0x00, 0x00, 0x57, 0x00, + 0x4f, 0x00, 0x52, 0x00, 0x4b, 0x00, 0x47, 0x00, + 0x52, 0x00, 0x4f, 0x00, 0x55, 0x00, 0x50, 0x00, + 0x02, 0x00, 0x12, 0x00, 0x57, 0x00, 0x4f, 0x00, + 0x52, 0x00, 0x4b, 0x00, 0x47, 0x00, 0x52, 0x00, + 0x4f, 0x00, 0x55, 0x00, 0x50, 0x00, 0x01, 0x00, + 0x16, 0x00, 0x45, 0x00, 0x50, 0x00, 0x53, 0x00, + 0x4f, 0x00, 0x4e, 0x00, 0x38, 0x00, 0x38, 0x00, + 0x33, 0x00, 0x31, 0x00, 0x46, 0x00, 0x45, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x03, 0x00, 0x16, 0x00, + 0x45, 0x00, 0x50, 0x00, 0x53, 0x00, 0x4f, 0x00, + 0x4e, 0x00, 0x38, 0x00, 0x38, 0x00, 0x33, 0x00, + 0x31, 0x00, 0x46, 0x00, 0x45, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x45, 0x00, 0x50, 0x00, 0x53, 0x00, + 0x4f, 0x00, 0x4e, 0x00, 0x20, 0x00, 0x53, 0x00, + 0x74, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x61, 0x00, + 0x67, 0x00, 0x65, 0x00, 0x20, 0x00, 0x53, 0x00, + 0x65, 0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, + 0x72, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x51, 0x00, + 0x20, 0x00, 0x36, 0x00, 0x2e, 0x00, 0x32, 0x00, + 0x00, 0x00, 0x57, 0x00, 0x4f, 0x00, 0x52, 0x00, + 0x4b, 0x00, 0x47, 0x00, 0x52, 0x00, 0x4f, 0x00, + 0x55, 0x00, 0x50, 0x00, 0x00, 0x00 + }; + x += smb_do_test("os=EPSON", packet_bytes, sizeof(packet_bytes)); + } /***************************************************************************** *****************************************************************************/ 
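Review bot: The banner comment `/*****/` introducing this test block is empty, so nothing says what the captured bytes are or why `os=EPSON` is the expected result; the payload appears to be an SMBv1 negotiate response followed by a session-setup response whose OS string reads `EPSON Storage Server`, and a comment such as `/* SMBv1 negotiate + session-setup responses captured from an EPSON storage device; parser must report os=EPSON */` would make the test self-explaining. Making `packet_bytes` `static const` here is a good change, since the old mutable copy existed only for the bit-flipping loop that is no longer run. smb_selftest continues past this hunk.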
@@ -2091,92 +1982,57 @@ smb_selftest(void)
 x += smb_do_test("domain=S659C27D", packet_bytes, sizeof(packet_bytes));
 }
- if (x) {
- printf("smb parser failure: google.com\n");
- return 1;
- }
- return 0;
- /*
- * SMBv2 negotiate response
- */
- banner1 = banner1_create();
- banout_init(banout1);
- memset(&state[0], 0, sizeof(state[0]));
-
- smb_parse_record(banner1,
- 0,
- state,
- smb2_negot_response,
- sizeof(smb2_negot_response),
- banout1,
- &more);
- x = banout_is_contains(banout1, PROTO_SMB,
- "SHIPBAR");
- if (!x) {
- printf("smb parser failure: google.com\n");
- return 1;
- }
- banner1_destroy(banner1);
- banout_release(banout1);
-
- /*
- * SMBv1 negotiate response
- */
- banner1 = banner1_create();
- banout_init(banout1);
- memset(&state[0], 0, sizeof(state[0]));
- smb_parse_record(banner1,
- 0,
- state,
- packet_bytes,
- sizeof(packet_bytes),
- banout1,
- &more);
- x = banout_is_contains(banout1, PROTO_SMB,
- "SHIPBAR");
- if (!x) {
+ if (x) {
 printf("smb parser failure: google.com\n");
 return 1;
 }
- banner1_destroy(banner1);
- banout_release(banout1);
-
-
- /*
- * LET'S FUZZ THIS CRAP!!!
- *
- * We are going to re-parse the response packet as many times as needed,
- * each time flipping one bit in the packet. This should crash the
- * parser if it has such a bug that will crash it.
- */
- for (i=2; i< 5 && i<sizeof(packet_bytes); i++) {
- size_t j;
-
- for (j=0; j<8; j++) {
- size_t flip = 1<<j;
-
- packet_bytes[i] ^= flip;
-
- banner1 = banner1_create();
- banout_init(banout1);
- memset(&state[0], 0, sizeof(state[0]));
-
- smb_parse_record(banner1,
- 0,
- state,
- packet_bytes,
- sizeof(packet_bytes),
- banout1,
- &more);
- banner1_destroy(banner1);
- banout_release(banout1);
+ return 0;
+
+#if 0
+ {
+ struct Banner1 *banner1;
+ struct ProtocolState state[1];
+ struct BannerOutput banout1[1];
+ struct InteractiveData more;
+ size_t i;
- packet_bytes[i] ^= flip;
+ /*
+ * LET'S FUZZ THIS CRAP!!!
+ * + * We are going to re-parse the response packet as many times as needed, + * each time flipping one bit in the packet. This should crash the + * parser if it has such a bug that will crash it. + */ + for (i=2; i< 5 && i<sizeof(packet_bytes); i++) { + size_t j; + for (j=0; j<8; j++) { + size_t flip = 1<<j; + + packet_bytes[i] ^= flip; + + banner1 = banner1_create(); + banout_init(banout1); + memset(&state[0], 0, sizeof(state[0])); + + smb_parse_record(banner1, + 0, + state, + packet_bytes, + sizeof(packet_bytes), + banout1, + &more); + banner1_destroy(banner1); + banout_release(banout1); + + packet_bytes[i] ^= flip; + + } } } +#endif return 0; } diff --git a/src/proto-smb.h b/src/proto-smb.h index 98649e838c1c421860a8162371d046633641f539..4ad7a361ff6f765b0d2f7e956fd3c22a51f9288f 100644 --- a/src/proto-smb.h +++ b/src/proto-smb.h @@ -5,4 +5,13 @@ extern struct ProtocolParserStream banner_smb0; extern struct ProtocolParserStream banner_smb1; +/** + * Called when command line parameter: + * --hello smbv1 + * is set, in order to force negotiation down to SMBv1. This is because some machines + * have faulty SMBv2 implementations. SMBv2, though, is the default negotiation + * because Win10 disables SMBv1 by default. + */ +void smb_set_hello_v1(struct ProtocolParserStream *smb); + #endif diff --git a/src/proto-tcp.c b/src/proto-tcp.c index 339e2289af7ccb540470ec8a56189052c74544da..dc911be696fe0256330caa887a2cfd647a87a678 100644 --- a/src/proto-tcp.c +++ b/src/proto-tcp.c @@ -247,7 +247,15 @@ tcpcon_set_parameter(struct TCP_ConnectionTable *tcpcon, return; } - + + /* + * Downgrade SMB hello from v1/v2 to use only v1 + */ + if (name_equals(name, "hello") && name_equals(value, "smbv1")) { + smb_set_hello_v1(&banner_smb1); + return; + } + /* * 2014-04-08: scan for Neel Mehta's "heartbleed" bug */ diff --git a/src/ranges.c b/src/ranges.c index c2b7441ecdcf76f8a1da34752aea133d25ffb29a..4a85ade5adfe2d1fe488fdb862792fe19afdffb7 100644 --- a/src/ranges.c +++ b/src/ranges.c 
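Review bot: The `#if 0` fuzz block still refers to `packet_bytes`, which after this change is a `static const` array scoped inside each earlier `{ ... }` test block, so at this point it is neither in scope nor writable (`packet_bytes[i] ^= flip;`); the block cannot be re-enabled as written and is better deleted, or turned into a helper that bit-flips a mutable copy of a packet handed to it. The `return 0;` after `#endif` is unreachable because of the `return 0;` placed before `#if 0`. The failure message `smb parser failure: google.com` no longer describes the inputs, which are the EPSON and S659C27D captures; reporting which `smb_do_test` substring failed would make a red self-test actionable.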
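Review bot: `smb_set_hello_v1(&banner_smb1)` mutates the process-wide `banner_smb1` parser from inside a per-connection-table setter that, per the main.c hunk, is invoked from receive_thread; if masscan runs more than one receive thread the same write happens concurrently (identical values, but still a data race by the letter of the standard), and it is never undone for the lifetime of the process. Applying the downgrade once at configuration time, where `is_hello_smbv1` is parsed, would make the global side effect explicit and keep tcpcon_set_parameter free of global writes. The hunk also uses `smb_set_hello_v1` and `banner_smb1` without adding `#include "proto-smb.h"`, which is fine only if proto-tcp.c already includes it, something not visible here. tcpcon_set_parameter starts before the hunk.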
@@ -86,16 +86,6 @@ range_combine(struct Range *lhs, struct Range rhs)
 }
-void
-debug_dump_ranges(struct RangeList *task)
-{
- unsigned i;
- for (i=0; i<task->count; i++) {
- struct Range *range = &task->list[i];
- printf("%08x - %08x\n", range->begin, range->end);
- }
- printf("\n");
-}
 /***************************************************************************
 * Add the IPv4 range to our list of ranges.
 ***************************************************************************/