udp banner default

robertdavidgraham · Mar 12, 2018 · 7ea9ec0 · 7ea9ec0
1 parent 83fbdf6
commit 7ea9ec0
Show file tree

Hide file tree

Showing 6 changed files with 71 additions and 8 deletions.
diff --git a/src/masscan-version.h b/src/masscan-version.h
@@ -1,6 +1,6 @@
 #ifndef MASSCAN_VERSION
 
-#define MASSCAN_VERSION "1.0.4"
+#define MASSCAN_VERSION "1.0.6"
 
 #endif
 
diff --git a/src/proto-banner1.c b/src/proto-banner1.c
@@ -273,6 +273,7 @@ banner1_create(void)
     b->tcp_payloads[9050] = (void*)&banner_ssl;  /* Tor */
     b->tcp_payloads[8140] = (void*)&banner_ssl;  /* puppet */
 
+    b->tcp_payloads[11211] = (void*)&banner_memcached;
 
     return b;
 }

diff --git a/src/proto-memcached.c b/src/proto-memcached.c
@@ -11,6 +11,7 @@
 #include "proto-interactive.h"
 #include "proto-preprocess.h"
 #include "proto-ssl.h"
+#include "proto-udp.h"
 #include "syn-cookie.h"
 #include "templ-port.h"
 #include <ctype.h>
@@ -193,7 +194,8 @@ memcached_tcp_parse(
                     banout_append(banout, PROTO_MEMCACHED, memcached_stats[id].pattern, AUTO_LEN);
                     if (px[i] == '\n')
                         state = 0;
-                    state = 200;
+                    else
+                        state = 200;
                     banout_append_char(banout, PROTO_MEMCACHED, '=');
                     break;
                 default:
@@ -246,7 +248,7 @@ memcached_init(struct Banner1 *b)
             smack_add_pattern(
                           b->memcached_responses,
                           tmp,
-                          len+1,
+                          (unsigned)len+1,
                           memcached_responses[i].id,
                           memcached_responses[i].is_anchored);
         }
@@ -276,7 +278,7 @@ memcached_init(struct Banner1 *b)
             smack_add_pattern(
                           b->memcached_stats,
                           tmp,
-                          len+1,
+                          (unsigned)len+1,
                           memcached_stats[i].id,
                           memcached_stats[i].is_anchored);
         }
@@ -330,15 +332,15 @@ memcached_udp_parse(struct Output *out, time_t timestamp,
 
     /* Ignore high sequence numbers. This should be zero normally */
     if (sequence_num > 100)
-        return 0;
+        goto not_memcached;
 
     /* Ignore too many dgrams, should be one normally */
     if (total_dgrams > 100)
-        return 0;
+        goto not_memcached;
 
     /* Make sure reserved field is zero */
     if (reserved != 0)
-        return 0;
+        goto not_memcached;
 
     /* Grab IP addresses */
     ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16
@@ -385,6 +387,9 @@ memcached_udp_parse(struct Output *out, time_t timestamp,
     banout_release(banout);
 
     return 0;
+
+not_memcached:
+    return default_udp_parse(out, timestamp, px, length, parsed, entropy);
 }
 
 /****************************************************************************
@@ -428,3 +433,4 @@ const struct ProtocolParserStream banner_memcached = {
     memcached_init,
     memcached_tcp_parse,
 };
+
diff --git a/src/proto-udp.c b/src/proto-udp.c
@@ -13,6 +13,41 @@
 #include "unusedparm.h"
 
 
+/****************************************************************************
+ * When the "--banner" command-line option is selected, this will
+ * will take up to 64 bytes of a response and display it. Other UDP
+ * protocol parsers may also default to this function when they detect
+ * a response is not the protocol they expect. For example, if a response
+ * to port 161 obbvioiusly isn't ASN.1 formatted, the SNMP parser will
+ * call this function instead. In such cases, the protcool identifier will
+ * be [unknown] rather than [snmp].
+ ****************************************************************************/
+unsigned
+default_udp_parse(struct Output *out, time_t timestamp,
+           const unsigned char *px, unsigned length,
+           struct PreprocessedInfo *parsed,
+           uint64_t entropy)
+{
+    unsigned ip_them;
+    //unsigned ip_me;
+    unsigned port_them = parsed->port_src;
+    //unsigned port_me = parsed->port_dst;
+
+    ip_them = parsed->ip_src[0]<<24 | parsed->ip_src[1]<<16 | parsed->ip_src[2]<< 8 | parsed->ip_src[3]<<0;
+    //ip_me = parsed->ip_dst[0]<<24 | parsed->ip_dst[1]<<16 | parsed->ip_dst[2]<< 8 | parsed->ip_dst[3]<<0;
+
+    if (length > 64)
+        length = 64;
+
+    output_report_banner(
+                         out, timestamp,
+                         ip_them, 17, port_them,
+                         PROTO_NONE,
+                         parsed->ip_ttl,
+                         px, length);
+
+    return 0;
+}
 
 /****************************************************************************
  ****************************************************************************/
@@ -54,7 +89,11 @@ handle_udp(struct Output *out, time_t timestamp,
         case 16471:
             status = handle_zeroaccess(out, timestamp, px, length, parsed, entropy);
             break;
-
+        default:
+            px += parsed->app_offset;
+            length = parsed->app_length;
+            status = default_udp_parse(out, timestamp, px, length, parsed, entropy);
+            break;
     }
 
     if (status == 0)

diff --git a/src/proto-udp.h b/src/proto-udp.h
@@ -17,4 +17,15 @@ handle_udp(struct Output *out, time_t timestamp,
     struct PreprocessedInfo *parsed,
     uint64_t entropy);
 
+/**
+ * Default banner for UDP, consisting of the first 64 bytes, when it isn't
+ * detected as the appropriate protocol
+ */
+unsigned
+default_udp_parse(struct Output *out, time_t timestamp,
+                  const unsigned char *px, unsigned length,
+                  struct PreprocessedInfo *parsed,
+                  uint64_t entropy);
+
+
 #endif
diff --git a/xcode4/masscan.xcodeproj/project.pbxproj b/xcode4/masscan.xcodeproj/project.pbxproj
@@ -18,6 +18,7 @@
 		115C0CAB18035BC5004E6CD7 /* proto-netbios.c in Sources */ = {isa = PBXBuildFile; fileRef = 115C0CA518035BC5004E6CD7 /* proto-netbios.c */; };
 		115C0CAC18035BC5004E6CD7 /* proto-ssl.c in Sources */ = {isa = PBXBuildFile; fileRef = 115C0CA718035BC5004E6CD7 /* proto-ssl.c */; };
 		11623F6A191E0DB00075EEE6 /* out-certs.c in Sources */ = {isa = PBXBuildFile; fileRef = 11623F69191E0DB00075EEE6 /* out-certs.c */; };
+		119AB2062051FFED008E4DDD /* proto-memcached.c in Sources */ = {isa = PBXBuildFile; fileRef = 119AB2042051FFED008E4DDD /* proto-memcached.c */; };
 		11A50CAE191C128F006D5802 /* out-json.c in Sources */ = {isa = PBXBuildFile; fileRef = 11A50CAD191C128F006D5802 /* out-json.c */; };
 		11A773EB1881BFC700B135DE /* crypto-base64.c in Sources */ = {isa = PBXBuildFile; fileRef = 11A773E91881BFC700B135DE /* crypto-base64.c */; };
 		11A868151816F3A7008E00B8 /* in-binary.c in Sources */ = {isa = PBXBuildFile; fileRef = 11A868081816F3A7008E00B8 /* in-binary.c */; };
@@ -130,6 +131,8 @@
 		115C0CAA18035BC5004E6CD7 /* unusedparm.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = unusedparm.h; sourceTree = "<group>"; };
 		11623F69191E0DB00075EEE6 /* out-certs.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "out-certs.c"; sourceTree = "<group>"; };
 		116806EA1995D421005B0980 /* rawsock-adapter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "rawsock-adapter.h"; sourceTree = "<group>"; };
+		119AB2042051FFED008E4DDD /* proto-memcached.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "proto-memcached.c"; sourceTree = "<group>"; };
+		119AB2052051FFED008E4DDD /* proto-memcached.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "proto-memcached.h"; sourceTree = "<group>"; };
 		11A50CAD191C128F006D5802 /* out-json.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "out-json.c"; sourceTree = "<group>"; };
 		11A773E91881BFC700B135DE /* crypto-base64.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "crypto-base64.c"; sourceTree = "<group>"; };
 		11A773EA1881BFC700B135DE /* crypto-base64.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "crypto-base64.h"; sourceTree = "<group>"; };
@@ -385,6 +388,8 @@
 		11B360CA1F9016C00020F3A3 /* proto */ = {
 			isa = PBXGroup;
 			children = (
+				119AB2042051FFED008E4DDD /* proto-memcached.c */,
+				119AB2052051FFED008E4DDD /* proto-memcached.h */,
 				11A921AC17DBCC7E00DDFD32 /* proto-arp.c */,
 				11A921AD17DBCC7E00DDFD32 /* proto-arp.h */,
 				11A921AE17DBCC7E00DDFD32 /* proto-banner1.c */,
@@ -604,6 +609,7 @@
 				11AC80EE17E0DAD4001BCE3A /* proto-icmp.c in Sources */,
 				11AC80EF17E0DAD4001BCE3A /* proto-ssh.c in Sources */,
 				11AC80F617E0ED47001BCE3A /* main-ptrace.c in Sources */,
+				119AB2062051FFED008E4DDD /* proto-memcached.c in Sources */,
 				11B039C117E506B400925E7E /* main-listscan.c in Sources */,
 				11B039C717E7834000925E7E /* proto-dns.c in Sources */,
 				11B039C817E7834000925E7E /* proto-udp.c in Sources */,