Merge branch 'master' into feature/TLS1.3

zmap · Dec 9, 2021 · 203cf15 · 203cf15
2 parents b281f42 + 4a6f6b5
commit 203cf15
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 47 deletions.
diff --git a/lib/smb/ntlmssp/ntlmssp.go b/lib/smb/ntlmssp/ntlmssp.go
@@ -172,15 +172,27 @@ func (s *AvPairSlice) UnmarshalBinary(buf []byte, meta *encoder.Metadata) error
 	if !ok {
 		return errors.New(fmt.Sprintf("Cannot unmarshal field '%s'. Missing offset\n", meta.CurrField))
 	}
-	for i := l; i > 0; {
+	offset := int64(o)
+	length := int64(l)
+	if offset < 0 || length < 0 {
+		return fmt.Errorf("AvPairSlice.UnmarshalBinary: offset (%d) and length (%d) should be positive",
+			offset, length)
+	}
+	if offset+length > int64(len(meta.ParentBuf)) {
+		return fmt.Errorf("AvPairSlice.UnmarshalBinary: ParentBuf overrun")
+	}
+	for i := length; i > 0; {
 		var avPair AvPair
-		err := encoder.Unmarshal(meta.ParentBuf[o:o+i], &avPair)
+		err := encoder.Unmarshal(meta.ParentBuf[offset:offset+i], &avPair)
 		if err != nil {
 			return err
 		}
 		slice = append(slice, avPair)
-		size := avPair.Size()
-		o += size
+		size := int64(avPair.Size())
+		if size < 0 {
+			return fmt.Errorf("AvPairSlice.UnmarshalBinary: Invalid avPair.Size() %d", size)
+		}
+		offset += size
 		i -= size
 	}
 	*s = slice

diff --git a/modules/http/scanner.go b/modules/http/scanner.go
@@ -553,6 +553,12 @@ func (scan *scan) Grab() *zgrab2.ScanError {
 		if readLen < sliceLen {
 			sliceLen = readLen
 		}
+
+		bodyTextLen := int64(len(bodyText))
+		if bodyTextLen < sliceLen {
+			sliceLen = bodyTextLen
+		}
+
 		sliceBuf := bodyText[:sliceLen]
 		if strings.Contains(sliceBuf, "The plain HTTP request was sent to HTTPS port") ||
 			strings.Contains(sliceBuf, "You're speaking plain HTTP") ||

diff --git a/modules/mongodb/scanner.go b/modules/mongodb/scanner.go
@@ -41,31 +41,6 @@ func (scan *scan) Close() {
 	defer scan.close()
 }
 
-// getCommandMsg returns a mongodb message containing the specified BSON-encoded command.
-// metdata and commandArgs expected to be BSON byte arrays.
-func getCommandMsg(database string, commandName string, metadata []byte, commandArgs []byte) []byte {
-	dblen := len(database) + 1
-	cnlen := len(commandName) + 1
-	mdlen := len(metadata)
-	calen := len(commandArgs)
-
-	msglen := MSGHEADER_LEN + dblen + cnlen + len(metadata) + len(commandArgs)
-	out := make([]byte, msglen)
-	// msg header
-	binary.LittleEndian.PutUint32(out[0:], uint32(msglen))
-	binary.LittleEndian.PutUint32(out[12:], OP_COMMAND)
-	// command msg
-	idx := MSGHEADER_LEN
-	copy(out[idx:idx+dblen], []byte(database))
-	idx += dblen
-	copy(out[idx:idx+cnlen], []byte(commandName))
-	idx += cnlen
-	copy(out[idx:idx+mdlen], metadata)
-	idx += mdlen
-	copy(out[idx:idx+calen], commandArgs)
-	return out
-}
-
 // getIsMasterMsg returns a mongodb message containing isMaster command.
 // https://docs.mongodb.com/manual/reference/command/isMaster/
 func getIsMasterMsg() []byte {
@@ -78,21 +53,15 @@ func getIsMasterMsg() []byte {
 	return query_msg
 }
 
-// getBuildInfoCommandMsg returns a mongodb message containing a command to retrieve MongoDB build info.
-func getBuildInfoCommandMsg() []byte {
-	metaData, err := bson.Marshal(bson.M{"buildInfo": 1})
+// getBuildInfoQuery returns a mongodb message containing a command to retrieve MongoDB build info.
+func getBuildInfoQuery() []byte {
+	query, err := bson.Marshal(bson.M{"buildinfo": 1})
 	if err != nil {
 		// programmer error
 		log.Fatalf("Invalid BSON: %v", err)
 	}
-	commandArgs, err := bson.Marshal(bson.M{})
-	if err != nil {
-		// programmer error
-		log.Fatalf("Invalid BSON: %v", err)
-	}
-	// "test" collection gleaned from tshark
-	command_msg := getCommandMsg("test", "buildInfo", metaData, commandArgs)
-	return command_msg
+	query_msg := getOpQuery("admin.$cmd", query)
+	return query_msg
 }
 
 // getOpQuery returns a mongodb OP_QUERY message containing the specified BSON-encoded query.
@@ -191,7 +160,7 @@ func (scanner *Scanner) Init(flags zgrab2.ScanFlags) error {
 	f, _ := flags.(*Flags)
 	scanner.config = f
 	scanner.isMasterMsg = getIsMasterMsg()
-	scanner.buildInfoCommandMsg = getBuildInfoCommandMsg()
+	scanner.buildInfoCommandMsg = getBuildInfoQuery()
 	scanner.buildInfoOpMsg = getBuildInfoOpMsg()
 	return nil
 }
@@ -313,14 +282,12 @@ func (scanner *Scanner) Scan(target zgrab2.ScanTarget) (zgrab2.ScanStatus, inter
 	var resplen_offset int
 	var resp_offset int
 
-	// Gleaned from wireshark - if "MaxWireVersion" is less than 7, then
-	// "build info" command should be sent in an OP_COMMAND with the query sent
-	// and response retrieved at "metadata" offset. At 7 and above, should
-	// be sent as an OP_MSG in the "section" field, and response is at "body" offset
-	if result.IsMaster.MaxWireVersion < 7 {
+	// See: https://github.com/mongodb/specifications/blob/master/source/message/OP_MSG.rst
+	// "OP_MSG is only available in MongoDB 3.6 (maxWireVersion >= 6) and later."
+	if result.IsMaster.MaxWireVersion < 6 {
 		query = scanner.buildInfoCommandMsg
 		resplen_offset = 4
-		resp_offset = 0
+		resp_offset = 20
 	} else {
 		query = scanner.buildInfoOpMsg
 		resplen_offset = 5