1 /*
2  * decode_tds.c
3  *
4  * Tabular Data Stream (Sybase, Microsoft SQL). See www.freetds.org.
5  *
6  * Thanks to antilove!@#$% and Ben Lowery <blowery@monkey.org> for
7  * providing me with packet traces.
8  *
9  * Copyright (c) 2000 Dug Song <dugsong@monkey.org>
10  * Copyright (c) 2001 Paul van Maaren <P.v.Maaren@reseau.nl>
11  *
12  * $Id: decode_tds.c,v 1.10 2001/03/15 08:33:02 dugsong Exp $
13  */
14 
15 #include "config.h"
16 
17 #include <sys/types.h>
18 
19 #include <stdio.h>
20 #include <string.h>
21 
22 #include "decode.h"
23 
/*
 * Packet header common to every TDS message.  decode_tds() reads type,
 * last and size; size goes through ntohs(), so it is big-endian on the
 * wire, and it is used as the stride to the next packet (presumably the
 * total packet length including this header).
 */
struct tds_hdr {
	u_char type;		/* 2: 4.x/5.0 login, 16: 7.0 login (as matched by decode_tds) */
	u_char last;		/* a 7.0 login is only decoded when this is 1 */
	u_short size;		/* network byte order; packet stride */
	u_int32_t zero;		/* not examined here */
};
30 
/*
 * Fixed-layout login record for TDS 4.x / 5.0, placed directly after the
 * tds_hdr.  Each string is a 30-byte field followed by its one-byte
 * length.  decode_tds() consumes only username/userlen and
 * password/passlen; every other field exists for layout only, and the
 * meaning suggested by its name is not verified in this file.
 */
struct tds_login {
	char hostname[30];
	u_char hostlen;
	char username[30];
	u_char userlen;		/* length byte from the wire; bounded by decode_tds() */
	char password[30];
	u_char passlen;		/* length byte from the wire; bounded by decode_tds() */
	char process[30];
	u_char proclen;
	char magic1[6];
	u_char bulkcopy;
	char magic2[9];
	char appname[30];
	u_char applen;
	char servername[30];
	u_char serverlen;
	u_char zero;
	u_char pass2len;
	char password2[30];
	char magic3[223];
	u_char pass2len2;
	char version[4];
	char libname[10];
	u_char liblen;
	char magic4[3];
	char language[30];
	u_char langlen;
	u_char nolang;
	u_short magic5;
	u_char encrypted;
	char magic6[10];
	char charset[30];
	u_char charlen;
	u_char magic7;
	char blocksize[6];
	u_char blocklen;
	char magic8[4]; /* 4.2: 8, 4.6: 4, 5.0: 25 */
};
69 
/*
 * 21 bytes, the same size as tds7_login.magic1 -- presumably the expected
 * contents of that field.  Nothing in this file references it; it has
 * external linkage, so check other translation units before removing it.
 */
u_char tds7_magic1[] = {
	0x6, 0x83, 0xf2, 0xf8, 0xff, 0x0, 0x0, 0x0, 0x0, 0xe0, 0x03, 0x0,
	0x0, 0x88, 0xff, 0xff, 0xff, 0x36, 0x04, 0x00, 0x00
};
74 
/*
 * Fixed part of the TDS 7.0 login record, placed directly after the
 * tds_hdr.  The *pos/*len pairs are little-endian (read with pletohs()).
 * decode_tds() reads only servlen, userlen and passlen and assumes the
 * variable-length strings follow this struct back to back in the order
 * servername, username, password; the *pos offsets are never consulted.
 * The strings are UCS-2 (two bytes per character, see deunicode()).
 */
struct tds7_login {
	u_short size;
	char zero1[5];
	u_char byte1; /* 0x70 */
	char zero2[7];
	char magic1[21];
	u_short servpos;
	u_short servlen;	/* characters, not bytes */
	u_short userpos; /* XXX - freetds got this wrong? */
	u_short userlen;	/* characters, not bytes */
	u_short passpos;
	u_short passlen;	/* characters, not bytes */
	u_short somepos;
	u_short somelen;
	u_short apppos;
	u_short applen;
	char zero4[4];
	u_short libpos;
	u_short liblen;
	char skip1[8];
	char magic2[6];
	char skip2[8];
	/* char servername[servlen]; */
	/* char username[userlen]; */
	/* char password[passlen]; */
	/* char appname[applen]; */
	/* char server[servlen]; */
	/* char library[liblen]; */
	/* char magic3[48]; */
};
105 
/*
 * Collapse a 2-byte-per-character string to one byte per character in
 * place, keeping the first byte of every pair (for ASCII text stored as
 * little-endian UCS-2 this leaves the plain characters), and terminate it.
 *
 * len is the number of characters.  The loop reads up to buf[2 * len - 2]
 * and writes buf[len]; the caller must guarantee that much storage.  A
 * len <= 0 just writes buf[0] = '\0'.
 */
static void
deunicode(u_char *buf, int len)
{
	u_char *dst = buf;
	const u_char *src = buf;
	int remaining = len;

	while (remaining-- > 0) {
		*dst++ = *src;
		src += 2;
	}
	*dst = '\0';
}
116 
117 
/*
 * Undo the TDS 7.0 password obfuscation in place: every byte has its two
 * nibbles swapped and is then XORed with 0x5a.  buf[len] is set to '\0'
 * afterwards, so the caller must provide len + 1 bytes.  A len <= 0 only
 * writes the terminator.
 */
static void
tds7_decrypt(u_char *buf, int len)
{
	u_char *p = buf;
	u_char *end = buf + (len > 0 ? len : 0);

	for (; p < end; p++) {
		u_char c = *p;

		*p = (u_char)(((c << 4) | (c >> 4)) ^ 0x5a);
	}
	*p = '\0';
}
128 
129 
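/*
 * Extract login credentials from a run of TDS packets.
 *
 * buf/len   - captured TDS stream.  Modified in place: strings are
 *             NUL-terminated and, for 7.0, de-obfuscated in the buffer.
 * obuf/olen - output buffer; receives "user\npass\n" for each login found.
 *
 * Returns the length of the text in obuf, or 0 when a packet is truncated
 * or carries a length that would not fit the data it is supposed to hold.
 *
 * Fixes relative to the earlier version: th is re-pointed at buf on every
 * iteration (it used to stay on the first header, so later packets were
 * never looked at); a header whose size is smaller than the header itself
 * ends the walk instead of looping forever on the same packet; and the 7.0
 * bounds check now covers the server name and the terminator written by
 * tds7_decrypt(), which were previously written past the checked range.
 */
int
decode_tds(u_char *buf, int len, u_char *obuf, int olen)
{
	struct tds_hdr *th;
	struct tds_login *tl;
	struct tds7_login *t7l;
	u_char *user, *pass, *serv;
	u_short userlen, passlen, servlen, pktlen;
	size_t need, used;

	obuf[0] = '\0';

	/* The header structs are overlaid on the capture buffer, as the
	   original code did; alignment of buf is the caller's concern. */
	th = (struct tds_hdr *)buf;

	while (len > (int)sizeof(*th)) {
		pktlen = ntohs(th->size);

		/* A packet shorter than its own header cannot be stepped over
		   (size == 0 would otherwise spin on this packet forever). */
		if (pktlen < sizeof(*th) || len < pktlen)
			break;

		if (th->type == 2) {
			/* Version 4.x, 5.0: fixed-layout login record */
			if ((size_t)len < sizeof(*th) + sizeof(*tl))
				return (0);

			tl = (struct tds_login *)(th + 1);

			/* length bytes come off the wire; keep the terminator
			   inside the struct */
			if (tl->userlen > sizeof(tl->username))
				return (0);

			tl->username[tl->userlen] = '\0';
			strlcat((char *)obuf, tl->username, olen);
			strlcat((char *)obuf, "\n", olen);

			if (tl->passlen > sizeof(tl->password))
				return (0);

			tl->password[tl->passlen] = '\0';
			strlcat((char *)obuf, tl->password, olen);
			strlcat((char *)obuf, "\n", olen);
		}
		else if (th->type == 16 && th->last == 1) {
			/* Version 7.0: fixed header followed by UCS-2 strings */
			if ((size_t)len < sizeof(*th) + sizeof(*t7l))
				return (0);

			t7l = (struct tds7_login *)(th + 1);

			userlen = pletohs(&t7l->userlen);
			passlen = pletohs(&t7l->passlen);
			servlen = pletohs(&t7l->servlen);

			/*
			 * Everything touched below must lie inside buf: two
			 * bytes per character for each of the three strings,
			 * plus the terminator tds7_decrypt() stores at
			 * pass[2 * passlen].
			 */
			need = sizeof(*th) + sizeof(*t7l) +
			    2 * ((size_t)servlen + userlen + passlen) + 1;
			if ((size_t)len < need)
				return (0);

			/* strings are assumed to follow the fixed part back to
			   back; the *pos fields are not consulted */
			serv = (u_char *)(t7l + 1);
			deunicode(serv, servlen);

			user = serv + (2 * servlen);
			pass = user + (2 * userlen);

			deunicode(user, userlen);

			/* XXX - when to call? */
			tds7_decrypt(pass, 2 * passlen);

			deunicode(pass, passlen);

			used = strlen((char *)obuf);
			snprintf((char *)obuf + used, olen - used,
			    "%s\n%s\n", (char *)user, (char *)pass);
			return (strlen((char *)obuf));
		}

		buf += pktlen;
		len -= pktlen;
		th = (struct tds_hdr *)buf;
	}
	return (strlen((char *)obuf));
}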