
telnet_func.inc

#TRUSTED 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
# -*- Fundamental -*-
#
# (C) 2002 Michel Arboi <arboi@alussinan.org>
# (C) 2005 Tenable Network Security

# Telnet command bytes (RFC 854). On the wire each one follows the
# IAC byte 0xff, which the functions below write as a literal.

# Subnegotiation framing: IAC SB <option> <data...> IAC SE
OPT_ENDSUBOPT = 0xf0;   # SE
OPT_SUBOPT    = 0xfa;   # SB

# Option negotiation verbs
OPT_WILL      = 0xfb;   # WILL
OPT_WONT      = 0xfc;   # WON'T
OPT_DO        = 0xfd;   # DO
OPT_DONT      = 0xfe;   # DON'T

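# Return the Telnet banner for `port`, using the knowledge base as a cache.
#
# port: TCP port to read the banner from.
#
# Returns the value stored under "telnet/banner/<port>" when one exists.
# Otherwise it opens a connection, returns whatever telnet_negotiate()
# collected, and caches that data when it is non-empty. Returns 0 when the
# socket cannot be opened.
#
# The banner is attacker-controllable data sent by the remote host. Only NUL
# bytes are removed before it is cached, so callers must not treat it as
# trusted or well-formed text. On a cache miss the value returned still
# contains any NUL bytes, whereas later calls return the cached copy with
# the NULs removed.
function get_telnet_banner(port)
{
  local_var sb, banner, soc;

  sb = string("telnet/banner/", port);
  banner = get_kb_item(sb);
  if (banner) return(banner);

  soc = open_sock_tcp(port);
  if (!soc) return (0);
  banner = telnet_negotiate(socket:soc);
  close(soc);

  # Cache through the shared helper so the NUL stripping and the
  # replace_kb_item/set_kb_item fallback live in a single place.
  if (strlen(banner))
    set_telnet_banner(port:port, banner:banner);

  return(banner);
}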


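# Read from a Telnet connection, refusing every option the server offers,
# and return the non-negotiation bytes that were received.
#
# socket:  an open TCP socket to the Telnet service.
# pattern: optional regular expression; reading stops as soon as the
#          accumulated data matches it.
#
# Returns the accumulated data. `buf` is never initialised, so the result is
# whatever NASL yields for an unset variable when nothing was received.
#
# All input comes from the remote host and is untrusted. The loop is bounded
# by 100 IAC sequences, 100 subnegotiation bytes and 4096 bytes of data, so a
# hostile server cannot keep the scanner negotiating forever.
function telnet_negotiate(socket, pattern)
{
 local_var s, counter, counter2, buf, prev, timeout;

 counter = 0;
 timeout = 5;    # generous wait for the first byte only

 while ( TRUE )
 {
  s = recv(socket:socket, length:1, timeout:timeout);
  timeout = 1;   # later bytes should arrive quickly
  if ( !strlen(s) ) break;

  if ( ord(s[0]) != 0xff )
  {
   # Ordinary data byte: keep it and test the optional stop pattern.
   buf += s;
   if ( pattern && egrep(pattern:pattern, string:buf) ) break;
  }
  else
  {
   # IAC: the next two bytes should be <command> <option>.
   counter ++;
   s = recv(socket:socket, length:2);

   # A short read means the peer closed or stalled in the middle of a
   # command. Stop here instead of indexing s[1] on a truncated buffer
   # and sending a malformed reply.
   if ( strlen(s) < 2 ) break;

   # Refuse everything: DO -> WONT, WILL -> DONT.
   if ( ord(s[0]) == OPT_DO ) send(socket:socket, data:raw_string(0xff, OPT_WONT) + s[1]);
   else if ( ord(s[0]) == OPT_WILL ) send(socket:socket, data:raw_string(0xff, OPT_DONT) + s[1]);
   else if ( ord(s[0]) == OPT_SUBOPT )
   {
    # The server started a subnegotiation although no option was accepted.
    # No reply is sent; the bytes are read and kept out of buf.
    prev = recv(socket:socket, length:1);
    counter2 = 0;
    # NOTE(review): this condition ends the loop when either the previous
    # byte is 0xff or the current byte is OPT_ENDSUBOPT, not only on the
    # 0xff/OPT_ENDSUBOPT pair. Confirm that is intended.
    while ( ord(prev) != 0xff && ord(s[0]) != OPT_ENDSUBOPT )
    {
     prev = s;
     # No timeout - the answer is supposed to be cached
     s = recv(socket:socket, length:1, timeout:0);
     if ( ! strlen(s) ) return buf;
     counter2++;
     if ( counter2 >= 100 ) return buf;
    }
   }

   # Not necessary and may introduce endless loops
   #if ( ord(s[0]) == OPT_DONT ) send(socket:socket,data:raw_string(0xff, OPT_WONT) + s[1]);
   #if ( ord(s[0]) == OPT_WONT ) send(socket:socket,data:raw_string(0xff, OPT_DONT) + s[1]);
  }

  # Hard limits on negotiation rounds and on the amount of data kept.
  if ( counter >= 100 || strlen(buf) >= 4096 ) break;
 }

 return buf;
}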

# Store `banner` in the knowledge base under "telnet/banner/<port>".
#
# port:   TCP port the banner was read from.
# banner: banner data as received from the remote host (untrusted).
#
# NUL bytes are removed from the value before it is stored. When the engine
# provides replace_kb_item() it is used; otherwise set_kb_item() is called.
function set_telnet_banner(port, banner)
{
  local_var key, clean;

  key   = string("telnet/banner/", port);
  clean = str_replace(find:raw_string(0), replace:'', string:banner);

  if ( ! defined_func("replace_kb_item") )
      set_kb_item(name: key, value: clean);
  else
      replace_kb_item(name: key, value: clean);
}


# (C) Tenable Security

# Read from `socket` one byte at a time until the received data matches
# `pattern`.
#
# socket:  an open socket.
# pattern: regular expression handed to egrep().
#
# Returns everything kept so far as soon as the pattern matches. Returns NULL
# when the peer stops sending before a match, or after 1024*1024 reads.
#
# The data is untrusted remote output. The read counter bounds the total work,
# and once more than 256 bytes are kept only the tail of the buffer is given
# to the regex engine.
function recv_until(socket, pattern)
{
 local_var chunk, reads, kept, buf, window;

 reads = 0;
 kept = 0;

 while ( TRUE )
 {
  reads ++;
  if ( reads > 1024*1024 ) return NULL;

  chunk = recv(socket:socket, length:1);
  if ( strlen(chunk) == 0 ) break;

  # The shell sometimes sends back NUL bytes; skip them.
  if ( chunk == '\0' ) continue;

  kept ++;
  buf += chunk;

  # Keep the regex input short: the whole buffer while it is small,
  # afterwards only its tail starting at offset kept - 256.
  if ( kept <= 256 )
   window = buf;
  else
   window = substr(buf, kept - 256);

  if ( egrep(pattern:pattern, string:window) ) return buf;
 }

 return NULL;
}
