Nmap Development mailing list archives

Re: POC Payloader dat

From: David Fifield <david () bamsoftware com>
Date: Sun, 13 Dec 2009 15:32:23 -0700

On Wed, Dec 09, 2009 at 08:01:03AM -0500, Jay Fink wrote:

So I don't like the label, I am going to push that back to the loader
(somehow :) - so the new format would be more like unicornscan but
less the payload group:
/* PROTOCOL  USABLE_DESTINATION_PORTS_LIST  SOURCE_PORT PAYLOAD */
/* radius */
udp 1604,1645,1812  -1 {
"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
};


That looks pretty good, but if we're not going to be 100% compatible
with Unicornscan's file, then there's no need for ours to look like
theirs. The braces and semicolon can be removed. I'm thinking about a
format more like we have in nmap-service-probes, with named fields
instead of positional values.

/* comment */
payload udp 1604,1645,1812
"\x1e\x00\x01\x30\x02\xfd\xa8\xe3\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
source 100

The "source 100" above is just an example of how a source port might be
specified, even though it's not used for this particular payload. I
would rather have payloads that use a source port say so explicitly than
have most of them with a dummy -1 value.

I don't think we need a label for each payload beyond the comments.

I want the interface for accessing a payload to stay pretty much the
same. This is what we have now:

const char *get_udp_payload(u16 dport, size_t *length);

I can imagine changing the return value to non-const for the case of
dynamic payloads, or perhaps requiring a caller-supplied buffer.

What with holidays, new gig and all haven't had much time to look at
this but unicornscan uses a mix of lex and c to parse these out - not
very striaghtforward to me - so I might look at how nmap loads
services etc. for guidance instead.


Parsing is certainly a non-trivial part of this problem. There are
custom parsers for all of Nmap's data files. The main thing is to watch
out for buffer overflows and such.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

POC Payloader dat Jay Fink (Nov 23)
- Re: POC Payloader dat Jay Fink (Nov 24)
- Re: POC Payloader dat David Fifield (Nov 25)
  - Re: POC Payloader dat Jay Fink (Nov 25)
  - Re: POC Payloader dat Jay Fink (Nov 30)
  - Re: POC Payloader dat Jay Fink (Dec 04)
    - Re: POC Payloader dat Jay Fink (Dec 09)
    - Re: POC Payloader dat David Fifield (Dec 13)
    - Re: POC Payloader dat Jay Fink (Dec 14)
    - Re: POC Payloader dat Jay Fink (Dec 19)
    - Re: POC Payloader dat David Fifield (Dec 21)
    - Re: POC Payloader dat Jay Fink (Dec 22)
    - Re: POC Payloader dat Jay Fink (Dec 26)
    - Re: POC Payloader dat David Fifield (Dec 27)
    - Re: POC Payloader dat Jay Fink (Dec 28)
    - Re: POC Payloader dat Jay Fink (Dec 30)
    - Re: POC Payloader dat David Fifield (Dec 30)
    - Re: POC Payloader dat Jay Fink (Dec 30)