nmap_rpc.cc

/*************************************************************************** * nmap_rpc.cc -- Functions related to the RPCGrind (-sR) facility of Nmap * * This includes reading the nmap-rpc services file and sending rpc        * * queries and interpreting responses.  The actual scan engine used for    * * rpc grinding is pos_scan (which is not in this file)                    * *                                                                         * ***********************IMPORTANT NMAP LICENSE TERMS************************ *                                                                         * * The Nmap Security Scanner is (C) 1996-2008 Insecure.Com LLC. Nmap is    * * also a registered trademark of Insecure.Com LLC.  This program is free  * * software; you may redistribute and/or modify it under the terms of the  * * GNU General Public License as published by the Free Software            * * Foundation; Version 2 with the clarifications and exceptions described  * * below.  This guarantees your right to use, modify, and redistribute     * * this software under certain conditions.  If you wish to embed Nmap      * * technology into proprietary software, we sell alternative licenses      * * (contact sales@insecure.com).  Dozens of software vendors already       * * license Nmap technology such as host discovery, port scanning, OS       * * detection, and version detection.                                       * *                                                                         * * Note that the GPL places important restrictions on "derived works", yet * * it does not provide a detailed definition of that term.  
To avoid       * * misunderstandings, we consider an application to constitute a           * * "derivative work" for the purpose of this license if it does any of the * * following:                                                              * * o Integrates source code from Nmap                                      * * o Reads or includes Nmap copyrighted data files, such as                * *   nmap-os-fingerprints or nmap-service-probes.                          * * o Executes Nmap and parses the results (as opposed to typical shell or  * *   execution-menu apps, which simply display raw Nmap output and so are  * *   not derivative works.)                                                *  * o Integrates/includes/aggregates Nmap into a proprietary executable     * *   installer, such as those produced by InstallShield.                   * * o Links to a library or executes a program that does any of the above   * *                                                                         * * The term "Nmap" should be taken to also include any portions or derived * * works of Nmap.  This list is not exclusive, but is just meant to        * * clarify our interpretation of derived works with some common examples.  * * These restrictions only apply when you actually redistribute Nmap.  For * * example, nothing stops you from writing and selling a proprietary       * * front-end to Nmap.  Just distribute it by itself, and point people to   * * http://insecure.org/nmap/ to download Nmap.                             * *                                                                         * * We don't consider these to be added restrictions on top of the GPL, but * * just a clarification of how we interpret "derived works" as it applies  * * to our GPL-licensed Nmap product.  This is similar to the way Linus     * * Torvalds has announced his interpretation of how "derived works"        * * applies to Linux kernel modules.  
Our interpretation refers only to     * * Nmap - we don't speak for any other GPL products.                       * *                                                                         * * If you have any questions about the GPL licensing restrictions on using * * Nmap in non-GPL works, we would be happy to help.  As mentioned above,  * * we also offer alternative license to integrate Nmap into proprietary    * * applications and appliances.  These contracts have been sold to dozens  * * of software vendors, and generally include a perpetual license as well  * * as providing for priority support and updates as well as helping to     * * fund the continued development of Nmap technology.  Please email        * * sales@insecure.com for further information.                             * *                                                                         * * As a special exception to the GPL terms, Insecure.Com LLC grants        * * permission to link the code of this program with any version of the     * * OpenSSL library which is distributed under a license identical to that  * * listed in the included Copying.OpenSSL file, and distribute linked      * * combinations including the two. You must obey the GNU GPL in all        * * respects for all of the code used other than OpenSSL.  If you modify    * * this file, you may extend this exception to your version of the file,   * * but you are not obligated to do so.                                     * *                                                                         * * If you received these files with a written license agreement or         * * contract stating terms other than the terms above, then that            * * alternative license agreement takes precedence over these comments.     
* *                                                                         * * Source is provided to this software because we believe users have a     * * right to know exactly what a program is going to do before they run it. * * This also allows you to audit the software for security holes (none     * * have been found so far).                                                * *                                                                         * * Source code also allows you to port Nmap to new platforms, fix bugs,    * * and add new features.  You are highly encouraged to send your changes   * * to fyodor@insecure.org for possible incorporation into the main         * * distribution.  By sending these changes to Fyodor or one the            * * Insecure.Org development mailing lists, it is assumed that you are      * * offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right * * to reuse, modify, and relicense the code.  Nmap will always be          * * available Open Source, but this is important because the inability to   * * relicense code has caused devastating problems for other Free Software  * * projects (such as KDE and NASM).  We also occasionally relicense the    * * code to third parties as discussed above.  If you wish to specify       * * special license conditions of your contributions, just say so when you  * * send them.                                                              * *                                                                         * * This program is distributed in the hope that it will be useful, but     * * WITHOUT ANY WARRANTY; without even the implied warranty of              * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU       * * General Public License for more details at                              * * http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included  * * with Nmap.                                                              
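* *                                                                         *
 ***************************************************************************/
/* $Id: nmap_rpc.cc 6633 2007-12-22 06:32:03Z fyodor $ */

#include "nmap_rpc.h"
#include "NmapOps.h"
#include "Target.h"
#include "charpool.h"
#include "timing.h"
#include "nmap_error.h"
#include "utils.h"

extern NmapOps o;

/* Table of RPC program names/numbers loaded by rpc_services_init(). */
static struct rpc_info ri;
/* Cached sending sockets; -1 means "not open".  See send_rpc_query(). */
static int udp_rpc_socket = -1;
static int tcp_rpc_socket = -1;
/* The XID we send in queries is this random base number + the RPC prog
   number we are scanning for.  (unsigned long) -1 means "not chosen yet". */
static unsigned long rpc_xid_base = (unsigned long) -1;
/* used in get_rpc_results but can be reset in send_rpc_query */
static size_t tcp_readlen = 0;

/* Load the RPC name/number table into ri, exactly once per process.
 *
 * The table is read from the nmap-rpc data file located via nmap_fetchfile();
 * if that cannot be found we fall back to /etc/rpc, which uses the same
 * "name number" line format.  Lines that are empty, start with '#', or do not
 * contain a name followed by a decimal program number are skipped silently.
 * Both parallel arrays (ri.names / ri.numbers) and the name strings are
 * allocated from the charpool (cp_alloc/cp_strdup) and are not freed here.
 *
 * Calls error() when nmap-rpc is missing and fatal() when no file at all can
 * be opened for reading. */
static void rpc_services_init() {
  static int services_initialized = 0;
  if (services_initialized) return;
  services_initialized = 1;

  char filename[512];
  FILE *fp;
  char *tmpptr, *p;
  char line[1024];

  ri.num_alloc = 256;
  ri.num_used = 0;
  ri.names = (char **) cp_alloc(ri.num_alloc * sizeof(char *));
  ri.numbers = (unsigned long *) cp_alloc(ri.num_alloc * sizeof(unsigned long));

  if (nmap_fetchfile(filename, sizeof(filename), "nmap-rpc") != 1) {
    error("Unable to find nmap-rpc!  Resorting to /etc/rpc");
    /* The literal fits easily, but keep every write into filename bounded. */
    snprintf(filename, sizeof(filename), "%s", "/etc/rpc");
  }

  fp = fopen(filename, "r");
  if (!fp) {
    fatal("Unable to open %s for reading rpc information", filename);
  }
  /* Record where this data file was found. */
  o.loaded_data_files["nmap-rpc"] = filename;

  /* Note: a line longer than sizeof(line) is split by fgets() and its tail
     is parsed as a separate (almost certainly skipped) line. */
  while (fgets(line, sizeof(line), fp)) {
    p = line;

    if (ri.num_used == ri.num_alloc) {
      /* Grow both parallel arrays by 3x.  The old arrays are simply
         abandoned to the charpool; nothing here frees them. */
      tmpptr = (char *) cp_alloc(ri.num_alloc * 3 * sizeof(char *));
      memcpy(tmpptr, ri.names, ri.num_alloc * sizeof(char *));
      ri.names = (char **) tmpptr;

      tmpptr = (char *) cp_alloc(ri.num_alloc * 3 * sizeof(unsigned long));
      /* Copy sizeof(unsigned long) per element, not sizeof(char *): the two
         differ on LLP64 targets, where the old size over-read ri.numbers. */
      memcpy(tmpptr, ri.numbers, ri.num_alloc * sizeof(unsigned long));
      ri.numbers = (unsigned long *) tmpptr;

      ri.num_alloc *= 3;
    }

    /* Skip leading junk up to the first alphanumeric; '#' starts a comment.
       The <ctype.h> calls take an unsigned char: a plain char with the high
       bit set is negative on many ABIs and passing it is undefined behaviour,
       and the data file is not guaranteed to be pure ASCII. */
    while (*p && *p != '#' && !isalnum((unsigned char) *p)) p++;
    if (!*p || *p == '#') continue;

    /* Name runs up to the first blank or tab. */
    tmpptr = strpbrk(p, " \t");
    if (!tmpptr)
      continue;
    *tmpptr = '\0';
    const char *name = p;

    /* Program number: first run of digits after the name. */
    p = tmpptr + 1;
    while (*p && !isdigit((unsigned char) *p)) p++;
    if (!*p)
      continue;

    /* Commit the entry only once both fields parsed, so a name with no
       number neither consumes a charpool string nor leaves a stale slot. */
    ri.names[ri.num_used] = cp_strdup(name);
    ri.numbers[ri.num_used] = strtoul(p, NULL, 10);
    ri.num_used++;
  }

  fclose(fp);
  return;
}

/* Look up the RPC program name for program number num.
 *
 * Triggers table loading on first use.  Returns a charpool-owned string
 * (do not free) or NULL when num is not in the table. */
char *nmap_getrpcnamebynum(unsigned long num) {
  int i;

  rpc_services_init();

  for (i = 0; i < ri.num_used; i++) {
    if (ri.numbers[i] == num)
      return ri.names[i];
  }
  return NULL;
}

/* Hand the caller the table of known RPC program numbers.
 *
 * *programs points at the internal array (charpool-owned, do not free or
 * modify) and *num_programs receives its length.  Always returns 0; calls
 * fatal() instead of returning when the table is empty, because an RPC scan
 * has nothing to probe for in that case. */
int get_rpc_procs(unsigned long **programs, unsigned long *num_programs) {
  rpc_services_init();

  *programs = ri.numbers;
  *num_programs = ri.num_used;
  if (ri.num_used == 0) fatal("Unable to find any valid rpc procedures in your rpc file!  RPC scanning won't work for you");
  return 0;
}

/* Send an RPC query to the specified host/port on the specified protocol
   looking for the specified RPC program.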
We cache our sending sockets   to avoid recreating and (with TCP) reconnect()'ing them each time */int send_rpc_query(const struct in_addr *target_host, unsigned short portno,		   int ipproto, unsigned long program, int scan_offset, 		   int trynum) {  static struct in_addr last_target_host;  static int last_ipproto = -1;  static unsigned short last_portno = 0;   struct sockaddr_in sock;  char rpch_buf[256];   struct rpc_hdr *rpch;  int res, err = 0;  /* static int numruns = 0;     if (numruns++ > 2)     fatal("Done");  */  rpch = (struct rpc_hdr *) ((char *)rpch_buf + sizeof(unsigned long));  memset(rpch, 0, sizeof(struct rpc_hdr));  while(rpc_xid_base == (unsigned long) -1)    rpc_xid_base = (unsigned long) get_random_uint();    if (o.debugging > 1) {    log_write(LOG_PLAIN, "Sending RPC probe for program %li to %hu/%s -- scan_offset=%d trynum=%d xid=%lX\n", program, portno, proto2ascii(ipproto), scan_offset, trynum, rpc_xid_base + ((portno & 0x3FFF) << 16) + (trynum << 30) +  scan_offset);  }  /* First we check whether we have to create a new connection -- we      need to if we have a new target_host, or a new portno, or the socket     we want to use is -1 */  if (ipproto == IPPROTO_TCP &&       (last_target_host.s_addr != target_host->s_addr ||       last_portno != portno || last_ipproto != IPPROTO_TCP)) {    /* New host or port -- kill our old tcp socket */    if (tcp_rpc_socket != -1) {      close(tcp_rpc_socket);      tcp_rpc_socket = -1;      tcp_readlen = 0;    }  }  last_ipproto = ipproto;  last_target_host.s_addr = target_host->s_addr;  last_portno = portno;    memset(&sock, 0, sizeof(sock));  sock.sin_family = AF_INET;  sock.sin_addr.s_addr = target_host->s_addr;  sock.sin_port = htons(portno);      if (ipproto == IPPROTO_TCP && tcp_rpc_socket == -1) {    if ((tcp_rpc_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)      pfatal("Socket troubles in %s", __func__);    /* I should unblock the socket here and timeout the connect() */    res = 
connect(tcp_rpc_socket, (struct sockaddr *) &sock, 		  sizeof(struct sockaddr_in));    if (res == -1) {      if (o.debugging) {	gh_perror("Failed to connect to port %d of %s in %s",		  portno, inet_ntoa(*target_host), __func__);      }      close(tcp_rpc_socket);      tcp_rpc_socket = -1;      return -1;    }    unblock_socket(tcp_rpc_socket);  } else if (ipproto == IPPROTO_UDP && udp_rpc_socket == -1) {    if ((udp_rpc_socket = socket(AF_INET, SOCK_DGRAM, 0)) == -1)      pfatal("UDP socket troubles in %s", __func__);    unblock_socket(udp_rpc_socket);  }    /* OK, now that we have our sockets together, we form and send a     query ... */  rpch->type_msg = htonl(RPC_MSG_CALL); /* rpc request                 */  rpch->version_rpc=htonl(2);           /* portmapper v.2 (hmm, and v3&&4?) */  /*rpch->prog_proc=0;*/                    /* proc_null() rpc function     */  /*rpch->authcred_flavor=0;*/              /* AUTH_NULL for credentials    */  /*rpch->authcred_length=0;*/              /* length of credentials is zero*/  /*rpch->authveri_flavor=0;*/              /* no verifiers field          */  /*rpch->authveri_length=0;*/              /* zero length verifier field  */    /* Bits are TTPPPPPPPPPPPPPP BBBBBBBBBBBBBBBB */  /* Where T are trynum bits, P is the lowest 14 bits of the port number,     and B is the scan[] offset */  rpch->xid = htonl(rpc_xid_base + ((portno & 0x3FFF) << 16) + 		    (trynum << 30) +  scan_offset);   rpch->prog_id = htonl(program);  rpch->prog_ver = htonl(31337 + (rpc_xid_base & 0xFFFFF));    if (ipproto == IPPROTO_UDP) {    /* Simply send this sucker we have created ... 
*/    do {        if (o.debugging > 1)	hdump((unsigned char *) rpch, sizeof(struct rpc_hdr));      res = sendto(udp_rpc_socket, (char *)rpch, sizeof(struct rpc_hdr), 0,		   (struct sockaddr *) &sock, sizeof(struct sockaddr_in));      if (res == -1)	err = socket_errno();     } while(res == -1 && (err == EINTR || err == ENOBUFS));    if (res == -1) {      if (o.debugging) {	gh_perror("Sendto in %s", __func__);	close(udp_rpc_socket);	udp_rpc_socket = -1;      }      return -1;    }  } else {    /* TCP socket */    /* 0x80000000 means only 1 record marking */    *(unsigned long *)rpch_buf = htonl(sizeof(struct rpc_hdr) | 0x80000000);    res = Send(tcp_rpc_socket, rpch_buf, sizeof(struct rpc_hdr) + sizeof(unsigned long), 0);    if (res == -1) {      if (o.debugging) {	gh_perror("Write in %s", __func__);      }
