udp banner default

7ea9ec0b · Robert David Graham · 83fbdf6f · 7ea9ec0b · 7ea9ec0b · 7ea9ec0b
Commit 7ea9ec0b authored 7 years ago by Robert David Graham
--- a/src/masscan-version.h
+++ b/src/masscan-version.h
 #ifndef MASSCAN_VERSION

-#define MASSCAN_VERSION "1.0.4"
+#define MASSCAN_VERSION "1.0.6"

 #endif

--- a/src/proto-banner1.c
+++ b/src/proto-banner1.c
@@ -273,6 +273,7 @@ banner1_create(void)
    b->tcp_payloads[9050] = (void*)&banner_ssl;  /* Tor */
    b->tcp_payloads[8140] = (void*)&banner_ssl;  /* puppet */

+    b->tcp_payloads[11211] = (void*)&banner_memcached;

    return b;
 }

--- a/src/proto-memcached.c
+++ b/src/proto-memcached.c
@@ -11,6 +11,7 @@
 #include "proto-interactive.h"
 #include "proto-preprocess.h"
 #include "proto-ssl.h"
+#include "proto-udp.h"
 #include "syn-cookie.h"
 #include "templ-port.h"
 #include <ctype.h>
@@ -193,6 +194,7 @@ memcached_tcp_parse(
                    banout_append(banout, PROTO_MEMCACHED, memcached_stats[id].pattern, AUTO_LEN);
                    if (px[i] == '\n')
                        state = 0;
+                    else
                        state = 200;
                    banout_append_char(banout, PROTO_MEMCACHED, '=');
                    break;
@@ -246,7 +248,7 @@ memcached_init(struct Banner1 *b)
            smack_add_pattern(
                          b->memcached_responses,
                          tmp,
-                          len+1,
+                          (unsigned)len+1,
                          memcached_responses[i].id,
                          memcached_responses[i].is_anchored);
        }
@@ -276,7 +278,7 @@ memcached_init(struct Banner1 *b)
            smack_add_pattern(
                          b->memcached_stats,
                          tmp,
-                          len+1,
+                          (unsigned)len+1,
                          memcached_stats[i].id,
                          memcached_stats[i].is_anchored);
        }
@@ -330,15 +332,15 @@ memcached_udp_parse(struct Output *out, time_t timestamp,

    /* Ignore high sequence numbers. This should be zero normally */
    if (sequence_num > 100)
-        return 0;
+        goto not_memcached;

    /* Ignore too many dgrams, should be one normally */
    if (total_dgrams > 100)
-        return 0;
+        goto not_memcached;

    /* Make sure reserved field is zero */
    if (reserved != 0)
-        return 0;
+        goto not_memcached;

    /* Grab IP addresses */
    ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
@@ -385,6 +387,9 @@ memcached_udp_parse(struct Output *out, time_t timestamp,
    banout_release(banout);

    return 0;
+    
+not_memcached:
+    return default_udp_parse(out, timestamp, px, length, parsed, entropy);
 }

 /****************************************************************************
@@ -428,3 +433,4 @@ const struct ProtocolParserStream banner_memcached = {
    memcached_init,
    memcached_tcp_parse,
 };
+                             
--- a/src/proto-udp.c
+++ b/src/proto-udp.c
@@ -13,6 +13,41 @@
 #include "unusedparm.h"


+/****************************************************************************
+ * When the "--banner" command-line option is selected, this will
+ * will take up to 64 bytes of a response and display it. Other UDP
+ * protocol parsers may also default to this function when they detect
+ * a response is not the protocol they expect. For example, if a response
+ * to port 161 obbvioiusly isn't ASN.1 formatted, the SNMP parser will
+ * call this function instead. In such cases, the protcool identifier will
+ * be [unknown] rather than [snmp].
+ ****************************************************************************/
+unsigned
+default_udp_parse(struct Output *out, time_t timestamp,
+           const unsigned char *px, unsigned length,
+           struct PreprocessedInfo *parsed,
+           uint64_t entropy)
+{
+    unsigned ip_them;
+    //unsigned ip_me;
+    unsigned port_them = parsed->port_src;
+    //unsigned port_me = parsed->port_dst;
+    
+    ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16 | parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
+    //ip_me = parsed->ip_dst[0]<<24 | parsed->ip_dst[1]<<16 | parsed->ip_dst[2]<< 8 | parsed->ip_dst[3]<<0;
+
+    if (length > 64)
+        length = 64;
+    
+    output_report_banner(
+                         out, timestamp,
+                         ip_them, 17, port_them,
+                         PROTO_NONE,
+                         parsed->ip_ttl,
+                         px, length);
+
+    return 0;
+}

 /****************************************************************************
 ****************************************************************************/
@@ -54,7 +89,11 @@ handle_udp(struct Output *out, time_t timestamp,
        case 16471:
            status = handle_zeroaccess(out, timestamp, px, length, parsed, entropy);
            break;
-            
+        default:
+            px += parsed->app_offset;
+            length = parsed->app_length;
+            status = default_udp_parse(out, timestamp, px, length, parsed, entropy);
+            break;
    }

    if (status == 0)

--- a/src/proto-udp.h
+++ b/src/proto-udp.h
@@ -17,4 +17,15 @@ handle_udp(struct Output *out, time_t timestamp,
    struct PreprocessedInfo *parsed,
    uint64_t entropy);

+/**
+ * Default banner for UDP, consisting of the first 64 bytes, when it isn't
+ * detected as the appropriate protocol
+ */
+unsigned
+default_udp_parse(struct Output *out, time_t timestamp,
+                  const unsigned char *px, unsigned length,
+                  struct PreprocessedInfo *parsed,
+                  uint64_t entropy);
+
+
 #endif
--- a/xcode4/masscan.xcodeproj/project.pbxproj
+++ b/xcode4/masscan.xcodeproj/project.pbxproj
@@ -18,6 +18,7 @@
 		115C0CAB18035BC5004E6CD7 /* proto-netbios.c in Sources */ = {isa = PBXBuildFile; fileRef = 115C0CA518035BC5004E6CD7 /* proto-netbios.c */; };
 		115C0CAC18035BC5004E6CD7 /* proto-ssl.c in Sources */ = {isa = PBXBuildFile; fileRef = 115C0CA718035BC5004E6CD7 /* proto-ssl.c */; };
 		11623F6A191E0DB00075EEE6 /* out-certs.c in Sources */ = {isa = PBXBuildFile; fileRef = 11623F69191E0DB00075EEE6 /* out-certs.c */; };
+		119AB2062051FFED008E4DDD /* proto-memcached.c in Sources */ = {isa = PBXBuildFile; fileRef = 119AB2042051FFED008E4DDD /* proto-memcached.c */; };
 		11A50CAE191C128F006D5802 /* out-json.c in Sources */ = {isa = PBXBuildFile; fileRef = 11A50CAD191C128F006D5802 /* out-json.c */; };
 		11A773EB1881BFC700B135DE /* crypto-base64.c in Sources */ = {isa = PBXBuildFile; fileRef = 11A773E91881BFC700B135DE /* crypto-base64.c */; };
 		11A868151816F3A7008E00B8 /* in-binary.c in Sources */ = {isa = PBXBuildFile; fileRef = 11A868081816F3A7008E00B8 /* in-binary.c */; };
@@ -130,6 +131,8 @@
 		115C0CAA18035BC5004E6CD7 /* unusedparm.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = unusedparm.h; sourceTree = "<group>"; };
 		11623F69191E0DB00075EEE6 /* out-certs.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "out-certs.c"; sourceTree = "<group>"; };
 		116806EA1995D421005B0980 /* rawsock-adapter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "rawsock-adapter.h"; sourceTree = "<group>"; };
+		119AB2042051FFED008E4DDD /* proto-memcached.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "proto-memcached.c"; sourceTree = "<group>"; };
+		119AB2052051FFED008E4DDD /* proto-memcached.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "proto-memcached.h"; sourceTree = "<group>"; };
 		11A50CAD191C128F006D5802 /* out-json.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "out-json.c"; sourceTree = "<group>"; };
 		11A773E91881BFC700B135DE /* crypto-base64.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "crypto-base64.c"; sourceTree = "<group>"; };
 		11A773EA1881BFC700B135DE /* crypto-base64.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "crypto-base64.h"; sourceTree = "<group>"; };
@@ -385,6 +388,8 @@
 		11B360CA1F9016C00020F3A3 /* proto */ = {
 			isa = PBXGroup;
 			children = (
+				119AB2042051FFED008E4DDD /* proto-memcached.c */,
+				119AB2052051FFED008E4DDD /* proto-memcached.h */,
 				11A921AC17DBCC7E00DDFD32 /* proto-arp.c */,
 				11A921AD17DBCC7E00DDFD32 /* proto-arp.h */,
 				11A921AE17DBCC7E00DDFD32 /* proto-banner1.c */,
@@ -604,6 +609,7 @@
 				11AC80EE17E0DAD4001BCE3A /* proto-icmp.c in Sources */,
 				11AC80EF17E0DAD4001BCE3A /* proto-ssh.c in Sources */,
 				11AC80F617E0ED47001BCE3A /* main-ptrace.c in Sources */,
+				119AB2062051FFED008E4DDD /* proto-memcached.c in Sources */,
 				11B039C117E506B400925E7E /* main-listscan.c in Sources */,
 				11B039C717E7834000925E7E /* proto-dns.c in Sources */,
 				11B039C817E7834000925E7E /* proto-udp.c in Sources */,