From 62fa0ba3c40790a43784ce9bc76404d356035e29 Mon Sep 17 00:00:00 2001
From: magnum <magnum>
Date: Sat, 12 Nov 2011 10:58:10 +0100
Subject: [PATCH] j8: refuse to parse badly formed NETNTLMv2 as NETLM/NETNTLM

---
 src/NETLM_fmt_plug.c      |    4 ++++
 src/NETNTLM_fmt_plug.c    |    7 ++++++-
 src/NETSPLITLM_fmt_plug.c |    4 ++++
 3 files changed, 14 insertions(+), 1 deletions(-)

diff --git a/src/NETLM_fmt_plug.c b/src/NETLM_fmt_plug.c
index 89f85a1..c6d67a7 100644
--- a/src/NETLM_fmt_plug.c
+++ b/src/NETLM_fmt_plug.c
@@ -138,6 +138,10 @@ static char *netlm_prepare(char *split_fields[10], struct fmt_main *pFmt)
 	if (!strncmp(split_fields[3], split_fields[4], 48))
 		return split_fields[1];
 
+	// this string suggests we have an improperly formatted NTLMv2
+	if (!strncmp(&split_fields[4][32], "0101000000000000", 16))
+		return split_fields[1];
+
 	cp = mem_alloc(7+strlen(split_fields[3])+1+strlen(split_fields[5])+1);
 	sprintf(cp, "$NETLM$%s$%s", split_fields[5], split_fields[3]);
 
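Review bot: The new check dereferences `&split_fields[4][32]` without any visible guard on the length of split_fields[4], so a field shorter than 32 characters hands strncmp a pointer past the end of the string; the `strncmp(split_fields[3], split_fields[4], 48)` on the preceding line stops at the first NUL and does not establish that the field is 48 bytes long. netlm_prepare starts before this hunk, so a length check may exist earlier in the function, but none is visible here, and the sibling NETNTLM_fmt_plug.c change in this same commit does pin `strlen(split_fields[4])` before its copy of this test. Make the guard explicit: `if (strlen(split_fields[4]) >= 48 && !strncmp(&split_fields[4][32], "0101000000000000", 16))`. The offset and pattern are magic numbers repeated in three files; a comment such as `// hex offset 32 skips the 16-byte HMAC; presumably the NTLMv2 blob header (0x0101 signature + zero reserved) -- confirm against the NTLMv2 blob layout` would let the next reader check them.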
diff --git a/src/NETNTLM_fmt_plug.c b/src/NETNTLM_fmt_plug.c
index e0acaac..952baf7 100644
--- a/src/NETNTLM_fmt_plug.c
+++ b/src/NETNTLM_fmt_plug.c
@@ -124,9 +124,10 @@ static int netntlm_valid(char *ciphertext, struct fmt_main *pFmt)
 {
 	char *pos;
 
+	if (strncmp(ciphertext, "$NETNTLM$", 9)!=0) return 0;
+
 	if ((strlen(ciphertext) != 74) && (strlen(ciphertext) != 90)) return 0;
 
-	if (strncmp(ciphertext, "$NETNTLM$", 9)!=0) return 0;
 	if ((ciphertext[25] != '$') && (ciphertext[41] != '$')) return 0;
 
 	for (pos = &ciphertext[9]; atoi16[ARCH_INDEX(*pos)] != 0x7F; pos++);
@@ -153,6 +154,10 @@ static char *netntlm_prepare(char *split_fields[10], struct fmt_main *pFmt)
 	if (strlen(split_fields[4]) != CIPHERTEXT_LENGTH)
 		return split_fields[1];
 
+	// this string suggests we have an improperly formatted NTLMv2
+	if (!strncmp(&split_fields[4][32], "0101000000000000", 16))
+		return split_fields[1];
+
 	// Handle ESS (8 byte client challenge in "LM" field padded with zeros)
 	if (strlen(split_fields[3]) == 48 && !strncmp(&split_fields[3][16],
 	    "00000000000000000000000000000000", 32)) {
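Review bot: The read at `&split_fields[4][32]` is only in bounds because the `strlen(split_fields[4]) != CIPHERTEXT_LENGTH` test on the line above rejects every other length, which silently requires CIPHERTEXT_LENGTH to be at least 48; that macro is defined outside this hunk, so the dependency should be stated rather than assumed. Add a comment on the new check, e.g. `// relies on the CIPHERTEXT_LENGTH check above (must be >= 48) to keep this read in bounds`. The meaning of offset 32 and the pattern is also undocumented; since an NTLMv2 response places a blob after a 16-byte HMAC, the pattern is presumably the blob header (0x0101 signature followed by a zero reserved field), and a comment saying so, marked as to be confirmed, would help more than "this string suggests". netntlm_prepare continues past the end of this hunk.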
diff --git a/src/NETSPLITLM_fmt_plug.c b/src/NETSPLITLM_fmt_plug.c
index e2aa488..1ce197a 100644
--- a/src/NETSPLITLM_fmt_plug.c
+++ b/src/NETSPLITLM_fmt_plug.c
@@ -120,6 +120,10 @@ static char *nethalflm_prepare(char *split_fields[10], struct fmt_main *pFmt)
 	if (!strncmp(split_fields[3], split_fields[4], 48))
 		return split_fields[1];
 
+	// this string suggests we have an improperly formatted NTLMv2
+	if (!strncmp(&split_fields[4][32], "0101000000000000", 16))
+		return split_fields[1];
+
 	tmp = (char *) mem_alloc(12 + strlen(split_fields[3]) + strlen(split_fields[5]) + 1);
 	sprintf(tmp, "$NETHALFLM$%s$%s", split_fields[5], split_fields[3]);
 
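Review bot: As in NETLM_fmt_plug.c, the new test reads `split_fields[4][32..47]` with no visible length check, so a field shorter than 32 characters makes strncmp read past the terminating NUL; the `strncmp(..., 48)` above stops at the first NUL and does not prove the field is that long. nethalflm_prepare begins before this hunk, so an earlier guard may exist, but the hunk itself does not show one. Guard it the way the NETNTLM variant does by length: `if (strlen(split_fields[4]) >= 48 && !strncmp(&split_fields[4][32], "0101000000000000", 16))`. The same literal now appears in three plugins; a single shared definition with a comment explaining the hex offset (16-byte HMAC, then what is presumably the NTLMv2 blob header) would keep them from drifting apart.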
-- 
1.7.5.4

