Re: [Plugins-writers] eDonkey_detect.nasl invalid port

From: George A. Theall (theall@private)
Date: Thu Dec 07 2006 - 04:38:10 PST


On Thu, Dec 07, 2006 at 10:42:52AM +0000, Hubert Seiwert wrote:

> this plugin (11022) reported eDonkey on an invalid port (server name obscured):
> 
> Plugin output :
> 
>   Server name : xxxxx (en) (rus) (de)
>   UDP port    : 306188864
> 
> I presume that the presence of a valid-looking server name in the output indicates
> that eDonkey is actually present, 

The plugin actually sends a Hello packet and verifies the response so it 
shouldn't be a false-positive.

 > however the port decoded in this case is definitely
> wrong. Is it correct that the port is retrieved from a dword?

Ah, ha! The value retrieved is actually a dword because of the type of 
meta tag we're looking at, but it consists of two ports: one for a KAD 
and another for an ED2K server.

I've updated the plugin so it separates them in the report. The update 
should be available in a couple of hours. Let me know if that doesn't 
make more sense.

George
-- 
theall@private
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers



This archive was generated by hypermail 2.1.3 : Thu Dec 07 2006 - 04:40:16 PST