From 00ec940ead186b1f177a12faa7973bf8520c36c6 Mon Sep 17 00:00:00 2001
From: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Wed, 19 Sep 2018 21:43:44 +0000
Subject: [PATCH] Replace bin.lua packing in msrpc libraries

---
 nselib/msrpc.lua      | 152 ++++++++++++-------------
 nselib/msrpctypes.lua | 254 ++++++++++++++++++++++--------------------
 2 files changed, 210 insertions(+), 196 deletions(-)

diff --git a/nselib/msrpc.lua b/nselib/msrpc.lua
index 2a15416f1..bc25c2414 100644
--- a/nselib/msrpc.lua
+++ b/nselib/msrpc.lua
@@ -50,7 +50,6 @@
 --@copyright Same as Nmap--See https://nmap.org/book/man-legal.html
 -----------------------------------------------------------------------
 
-local bin = require "bin"
 local datetime = require "datetime"
 local ipOps = require "ipOps"
 local math = require "math"
@@ -245,7 +244,7 @@ function bind(smbstate, interface_uuid, interface_version, transfer_syntax)
     transfer_syntax = TRANSFER_SYNTAX
   end
 
-  data = bin.pack("<CCCC>I<SSISSICCCC",
+  data = string.pack("<BBBB>I4<I2I2I4I2I2I4BxxxI2Bx",
     0x05, -- Version (major)
     0x00, -- Version (minor)
     0x0B, -- Packet type (0x0B = bind)
@@ -258,19 +257,14 @@ function bind(smbstate, interface_uuid, interface_version, transfer_syntax)
     MAX_FRAGMENT, -- Max receive frag
     0x00000000, -- Assoc group
     0x01,       -- Number of items
-    0x00,       -- Padding/alignment
-    0x00,       -- Padding/alignment
-    0x00        -- Padding/alignment
-    ) .. bin.pack("<SCCASSAI",
     0x0000,            -- Context ID
-    0x01,              -- Number of transaction items. */
-    0x00,              -- Padding/alignment
-    interface_uuid,    -- Interface (eg. SRVSVC UUID: 4b324fc8-1670-01d3-1278-5a47bf6ee188)
+    0x01)              -- Number of transaction items. */
+  .. interface_uuid    -- Interface (eg. SRVSVC UUID: 4b324fc8-1670-01d3-1278-5a47bf6ee188)
+  .. string.pack("<I2I2",
     interface_version, -- Interface version (major)
-    0x0000,            -- Interface version (minor)
-    transfer_syntax,   -- Transfer syntax
-    2                  -- Syntax version
-    )
+    0x0000)            -- Interface version (minor)
+  .. transfer_syntax   -- Transfer syntax
+  .. string.pack("<I4", 2) -- Syntax version
 
   status, result = smb.write_file(smbstate, data, 0)
   if(status ~= true) then
@@ -289,10 +283,13 @@ function bind(smbstate, interface_uuid, interface_version, transfer_syntax)
   data = result['data']
 
   -- Extract the first part from the response
-  pos, result['version_major'], result['version_minor'], result['packet_type'], result['packet_flags'], result['data_representation'], result['frag_length'], result['auth_length'], result['call_id'] = bin.unpack("<CCCC>I<SSI", data)
-  if(result['call_id'] == nil) then
+  local fmt = "<BBBB>I4<I2I2I4"
+  if #data < string.packsize(fmt) then
     return false, "MSRPC: ERROR: Ran off the end of SMB packet; likely due to server truncation"
   end
+  result.version_major, result.version_minor, result.packet_type, result.packet_flags,
+    result.data_representation, result.frag_length, result.auth_length,
+    result.call_id, pos = string.unpack(fmt, data)
 
   -- Check if the packet type was a fault
   if(result['packet_type'] == 0x03) then -- MSRPC_FAULT
@@ -320,23 +317,22 @@ function bind(smbstate, interface_uuid, interface_version, transfer_syntax)
   end
 
   -- If we made it this far, then we have a valid Bind() result. Pull out some more parameters.
-  pos, result['max_transmit_frag'], result['max_receive_frag'], result['assoc_group'], result['secondary_address_length'] = bin.unpack("<SSIS", data, pos)
-  if(result['secondary_address_length'] == nil) then
+  local fmt = "<I2I2I4I2"
+  if #data - pos + 1 < string.packsize(fmt) then
     return false, "MSRPC: ERROR: Ran off the end of SMB packet; likely due to server truncation"
   end
+  result.max_transmit_frag, result.max_receive_frag, result.assoc_group,
+    result.secondary_address_length, pos = string.unpack(fmt, data, pos)
 
   -- Read the secondary address
-  pos, result['secondary_address'] = bin.unpack(string.format("<A%d", result['secondary_address_length']), data, pos)
-  if(result['secondary_address'] == nil) then
+  if #data - pos + 1 < result.secondary_address_length + 1 then -- +1 to account for num_results below
     return false, "MSRPC: ERROR: Ran off the end of SMB packet; likely due to server truncation"
   end
+  result.secondary_address, pos = string.unpack(("<c%d"):format(result.secondary_address_length), data, pos)
   pos = pos + ((4 - ((pos - 1) % 4)) % 4); -- Alignment -- don't ask how I came up with this, it was a lot of drawing, and there's probably a far better way
 
   -- Read the number of results
-  pos, result['num_results'] = bin.unpack("<C", data, pos)
-  if(result['num_results'] == nil) then
-    return false, "MSRPC: ERROR: Ran off the end of SMB packet; likely due to server truncation"
-  end
+  result.num_results, pos = string.unpack("<B", data, pos)
   pos = pos + ((4 - ((pos - 1) % 4)) % 4); -- Alignment
 
   -- Verify we got back what we expected
@@ -345,10 +341,11 @@ function bind(smbstate, interface_uuid, interface_version, transfer_syntax)
   end
 
   -- Read in the last bits
-  pos, result['ack_result'], result['align'], result['transfer_syntax'], result['syntax_version'] = bin.unpack("<SSA16I", data, pos)
-  if(result['syntax_version'] == nil) then
+  local fmt = "<I2I2c16I4"
+  if #data - pos + 1 < string.packsize(fmt) then
     return false, "MSRPC: ERROR: Ran off the end of SMB packet; likely due to server truncation"
   end
+  result.ack_result, result.align, result.transfer_syntax, result.syntax_version, pos = string.unpack(fmt, data, pos)
 
   return true, result
 end
@@ -388,7 +385,7 @@ function call_function(smbstate, opnum, arguments)
   local first = true
   local is_first, is_last
 
-  data = bin.pack("<CCCC>I<SSIISSA",
+  data = string.pack("<BBBB>I4<I2I2I4I4I2I2",
     0x05,        -- Version (major)
     0x00,        -- Version (minor)
     0x00,        -- Packet type (0x00 = request)
@@ -399,9 +396,8 @@ function call_function(smbstate, opnum, arguments)
     0x41414141,  -- Call ID (I use 'AAAA' because it's easy to recognize)
     #arguments,  -- Alloc hint
     0x0000,      -- Context ID
-    opnum,       -- Opnum
-    arguments
-    )
+    opnum)       -- Opnum
+  .. arguments
 
   stdnse.debug3("MSRPC: Calling function 0x%02x with %d bytes of arguments", opnum, #arguments)
 
@@ -425,10 +421,13 @@ function call_function(smbstate, opnum, arguments)
     data       = result['data']
 
     -- Extract the first part from the response
-    pos, result['version_major'], result['version_minor'], result['packet_type'], result['packet_flags'], result['data_representation'], result['frag_length'], result['auth_length'], result['call_id'] = bin.unpack("<CCCC>I<SSI", data)
-    if(result['call_id'] == nil) then
+    local fmt = "<BBBB>I4<I2I2I4"
+    if #data < string.packsize(fmt) then
       return false, "MSRPC: ERROR: Ran off the end of SMB packet; likely due to server truncation"
     end
+    result.version_major, result.version_minor, result.packet_type,
+    result.packet_flags, result.data_representation, result.frag_length,
+    result.auth_length, result.call_id, pos = string.unpack(fmt, data)
 
     -- Check if we're fragmented
     is_first = ((result['packet_flags'] & 0x01) == 0x01)
@@ -462,10 +461,11 @@ function call_function(smbstate, opnum, arguments)
     end
 
     -- Extract some more
-    pos, result['alloc_hint'], result['context_id'], result['cancel_count'], align = bin.unpack("<ISCC", data, pos)
-    if(align == nil) then
+    local fmt = "<I4I2BB"
+    if #data - pos + 1 < string.packsize(fmt) then
       return false, "MSRPC: ERROR: Ran off the end of SMB packet; likely due to server truncation"
     end
+    result.alloc_hint, result.context_id, result.cancel_count, align, pos = string.unpack(fmt, data, pos)
 
     -- Rest is the arguments
     arguments = arguments .. string.sub(data, pos)
@@ -487,12 +487,11 @@ function call_lanmanapi(smbstate, opnum, paramdesc, datadesc, data)
   local parameters = ""
   local pos
 
-  parameters = bin.pack("<SzzA",
+  parameters = string.pack("<I2zz",
     opnum,
     paramdesc,  -- Parameter Descriptor
-    datadesc,      -- Return Descriptor
-    data
-    )
+    datadesc)      -- Return Descriptor
+  .. data
 
   stdnse.debug1("MSRPC: Sending Browser Service request")
   status, result = smb.send_transaction_named_pipe(smbstate, parameters, nil, "\\PIPE\\LANMAN", true)
@@ -516,11 +515,10 @@ function rap_netserverenum2(smbstate, domain, server_type, detail_level)
   local paramdesc = (domain and "WrLehDz" or "WrLehDO")
   assert( detail_level > 0 and detail_level < 2, "detail_level must be either 0 or 1")
   local datadesc = ( detail_level == 0 and "B16" or "B16BBDz")
-  local data = bin.pack("<SSIA", detail_level,
+  local data = string.pack("<I2I2I4", detail_level,
   14724,
-  server_type,
-  (domain or "")
-  )
+  server_type)
+  .. (domain or "")
 
   local status, result = call_lanmanapi(smbstate, NETSERVERENUM2, paramdesc, datadesc, data )
 
@@ -532,7 +530,7 @@ function rap_netserverenum2(smbstate, domain, server_type, detail_level)
   local data = result.data
 
   stdnse.debug1("MSRPC: Parsing Browser Service response")
-  local pos, status, convert, entry_count, available_entries = bin.unpack("<SSSS", parameters)
+  local status, convert, entry_count, available_entries, pos = string.unpack("<I2I2I2I2", parameters)
 
   if(status ~= 0) then
     return false, string.format("Call to Browser Service failed with status = %d", status)
@@ -547,7 +545,7 @@ function rap_netserverenum2(smbstate, domain, server_type, detail_level)
   for i = 1, entry_count, 1 do
     local server = {}
 
-    pos, server.name = bin.unpack("<z", data, pos)
+    server.name, pos = string.unpack("<z", data, pos)
     stdnse.debug1("MSRPC: Found name: %s", server.name)
 
     -- pos needs to be rounded to the next even multiple of 16
@@ -556,10 +554,10 @@ function rap_netserverenum2(smbstate, domain, server_type, detail_level)
     if ( detail_level > 0 ) then
       local comment_offset, _
       server.version = {}
-      pos, server.version.major, server.version.minor,
-        server.type, comment_offset, _ = bin.unpack("<CCISS", data, pos)
+      server.version.major, server.version.minor,
+        server.type, comment_offset, _, pos = string.unpack("<BBI4I2I2", data, pos)
 
-      _, server.comment = bin.unpack("<z", data, (comment_offset - convert + 1))
+      server.comment, pos = string.unpack("<z", data, (comment_offset - convert + 1))
     end
     table.insert(entries, server)
   end
@@ -1157,8 +1155,9 @@ end
 --@param uuid      UUID byte string
 --@return UUID converted to string representation
 function uuid_to_string(uuid)
-  local pos, i1,s1,s2,c1,c2,c3,c4,c5,c6,c7,c8 = bin.unpack("<ISSCCCCCCCC",uuid)
-  return string.format("%02x-%02x-%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",i1,s1,s2,c1,c2,c3,c4,c5,c6,c7,c8)
+  -- Mixed-endian; first 3 parts are little-endian, next 2 are big-endian
+  local A, B, C, D, E = string.unpack("<I4I2I2>c2c6", uuid)
+  return ("%08x-%04x-%04x-%s-%s"):format(A, B, C, stdnse.tohex(D), stdnse.tohex(E))
 end
 
 --- Helper function that maps known UUIDs to corresponding exe/services.
@@ -1234,7 +1233,7 @@ function epmapper_lookup(smbstate,handle)
   --  stdnse.debug1("new_handle: %s", stdnse.tohex(new_handle))
 
   local num_entries
-  pos,  num_entries = bin.unpack("<I",data,45)
+  num_entries, pos = string.unpack("<I4", data, 45)
   if num_entries == 0 then
     return false, "finished"
   end
@@ -1244,7 +1243,7 @@ function epmapper_lookup(smbstate,handle)
   pos = pos + 16
   pos = pos + 8
   local annotation_length
-  pos,annotation_length = bin.unpack("<I",data,pos)
+  annotation_length, pos = string.unpack("<I4", data, pos)
   if annotation_length > 1 then
     lookup_response.annotation = string.sub(data,pos,pos+annotation_length-2)
   end
@@ -1254,11 +1253,11 @@ function epmapper_lookup(smbstate,handle)
   --skip lengths
   pos = pos + 8
   local num_floors,floor_len,uuid, address_type,address_len,tcp_port,udp_port,ip_addr,saved_pos,ncalrpc,ncacn_np,netbios,ncacn_http
-  pos, num_floors = bin.unpack("<S",data,pos)
+  num_floors, pos = string.unpack("<I2", data, pos)
 
   for i = 1, num_floors do
     saved_pos = pos
-    pos, floor_len = bin.unpack("<S",data,pos)
+    floor_len, pos = string.unpack("<I2", data, pos)
 
     if i == 1 then
       uuid = string.sub(data,pos+1,pos+16)
@@ -1266,11 +1265,11 @@ function epmapper_lookup(smbstate,handle)
       lookup_response.exe = string_uuid_to_exe(lookup_response.uuid)
     else
       if not (i == 2) and not (i == 3) then        -- just skip floor 2 and 3
-        pos,address_type,address_len = bin.unpack("<CS",data,pos)
+        address_type, address_len, pos = string.unpack("<BI2", data, pos)
         if address_type == 0x07 then
-          pos,lookup_response.tcp_port = bin.unpack(">S",data,pos)
+          lookup_response.tcp_port, pos = string.unpack(">I2", data, pos)
         elseif address_type == 0x08 then
-          pos,lookup_response.udp_port = bin.unpack(">S",data,pos)
+          lookup_response.udp_port, pos = string.unpack(">I2", data, pos)
         elseif address_type == 0x09 then
           local ip
           ip, pos = string.unpack("c4", data, pos)
@@ -1285,7 +1284,7 @@ function epmapper_lookup(smbstate,handle)
           lookup_response.netbios = string.sub(data,pos,pos+address_len-2)
           floor_len = floor_len + address_len - 2
         elseif address_type == 0x1f then
-          pos, lookup_response.ncacn_http = bin.unpack(">S",data,pos)
+          lookup_response.ncacn_http, pos = string.unpack(">I2", data, pos)
         else
           stdnse.debug1("unknown address type %x",address_type)
         end
@@ -2844,7 +2843,7 @@ function winreg_queryvalue(smbstate, handle, value)
   if(result['data'] ~= nil) then
     local _
     if(result['type'] == "REG_DWORD") then
-      _, result['value'] = bin.unpack("<I", result['data'])
+      result['value'] = string.unpack("<I4", result['data'])
     elseif(result['type'] == "REG_SZ" or result['type'] == "REG_MULTI_SZ" or result['type'] == "REG_EXPAND_SZ") then
       _, result['value'] = msrpctypes.unicode_to_string(result['data'], 1, #result['data'] / 2)
     elseif(result['type'] == "REG_BINARY") then
@@ -5057,13 +5056,13 @@ function RRAS_marshall_RequestBuffer(RB_PCBIndex, RB_ReqType, RB_Buffer)
   RB_Dummy = 4
   RB_Done = 0
   Alignment = 0
-  rb_blob = bin.pack("<IIIILA",
+  rb_blob = string.pack("<I4I4I4I4I8",
     RB_PCBIndex,
     RB_ReqType,
     RB_Dummy,
     RB_Done,
-    Alignment,
-    RB_Buffer)
+    Alignment)
+  .. RB_Buffer
   return rb_blob
 end
 
@@ -5114,7 +5113,7 @@ function RRAS_SubmitRequest(smbstate, pReqBuffer, dwcbBufSize)
   --pack the request
   local req_blob
   --[in, out, unique, size_is(dwcbBufSize) PBYTE pReqBuffer,
-  req_blob = bin.pack("<IIAA", 0x20000, dwcbBufSize, pReqBuffer, get_pad(pReqBuffer,4)) --unique pointer see samba:ndr_push_unique_ptr
+  req_blob = string.pack("<I4I4", 0x20000, dwcbBufSize) .. pReqBuffer .. get_pad(pReqBuffer,4) --unique pointer see samba:ndr_push_unique_ptr
   --[in] DWORD dwcbBufSize
   .. msrpctypes.marshall_int32(dwcbBufSize)
   --call the function
@@ -5226,35 +5225,35 @@ function DNSSERVER_Query(smbstate, server_name, zone, operation)
   local unique_ptr
   unique_ptr = 0x00020000
   srv_name_utf16 = msrpctypes.string_to_unicode(server_name, true)
-  req_blob = bin.pack("<IIIIAA",
+  req_blob = string.pack("<I4I4I4I4",
     unique_ptr,
     #srv_name_utf16/2,
     0,
-    #srv_name_utf16/2,
-    srv_name_utf16,
-    get_pad(srv_name_utf16, 4))
+    #srv_name_utf16/2)
+  .. srv_name_utf16
+  .. get_pad(srv_name_utf16, 4)
   --[in, unique, string] LPCSTR pszZone,
   if(zone == nil) then
-    req_blob = bin.pack("<I", 0x00000000)
+    req_blob = string.pack("<I4", 0x00000000)
   else
     zone_ascii = zone .. '\0'
-    req_blob = req_blob .. bin.pack("<IIIIAA",
+    req_blob = req_blob .. string.pack("<I4I4I4I4",
       unique_ptr + 1,
       #zone_ascii,
       0,
-      #zone_ascii,
-      zone_ascii,
-      get_pad(zone_ascii, 4))
+      #zone_ascii)
+    .. zone_ascii
+    .. get_pad(zone_ascii, 4)
   end
   --[in, unique, string] LPCSTR pszOperation,
   operation_ascii = operation .. '\0'
-  req_blob = req_blob .. bin.pack("<IIIIAA",
+  req_blob = req_blob .. string.pack("<I4I4I4I4",
     unique_ptr+2,
     #operation_ascii,
     0,
-    #operation_ascii,
-    operation_ascii,
-    get_pad(operation_ascii, 4))
+    #operation_ascii)
+  .. operation_ascii
+  .. get_pad(operation_ascii, 4)
 
   local call_result
   stdnse.debug(
@@ -5282,7 +5281,10 @@ function DNSSERVER_Query(smbstate, server_name, zone, operation)
   result = {}
   pos, result['type_id'] = msrpctypes.unmarshall_int32_ptr(rep_blob)
   --[out, switch_is(*pdwTypeId)] DNSSRV_RPC_UNION* ppData) -- pointer_default(unique)
-  pos, ptr, result['data']= bin.unpack("<IA", rep_blob, pos)
+  -- TODO: The original used the 'A' format to unpack a single byte, which I
+  -- replaced with the literal equivalent 'B'. Should it have been a substring
+  -- to the end of the blob instead?
+  ptr, result['data'], pos = string.unpack("<I4B", rep_blob, pos)
   return result
 end
 
diff --git a/nselib/msrpctypes.lua b/nselib/msrpctypes.lua
index 34c6be13a..f688b730a 100644
--- a/nselib/msrpctypes.lua
+++ b/nselib/msrpctypes.lua
@@ -103,7 +103,6 @@
 -- * SIDs will be converted to user-readable strings in the standard format (S-x-y-...)
 -- * GUIDs are stored as tables of values; however, I might change this to a string representation at some point
 
-local bin = require "bin"
 local os = require "os"
 local stdnse = require "stdnse"
 local string = require "string"
@@ -163,14 +162,15 @@ function string_to_unicode(string, do_null)
   return result
 end
 
---- Read a unicode string from a buffer, similar to how <code>bin.unpack</code> would, optionally eat the null terminator,
+--- Read a unicode string from a buffer, optionally eat the null terminator,
 --  and optionally align it to 4-byte boundaries.
 --
 --@param buffer   The buffer to read from, typically the full 'arguments' value for MSRPC
---@param pos      The position in the buffer to start (just like <code>bin.unpack</code>)
+--@param pos      The position in the buffer to start
 --@param length   The number of ascii characters that will be read (including the null, if do_null is set).
 --@param do_null  [optional] Remove a null terminator from the string as the last character. Default false.
---@return (pos, string) The new position and the string read, again imitating <code>bin.unpack</code>. If there was an
+--@return pos The new position
+--@return string The string read. If there was an
 --        attempt to read off the end of the string, then 'nil' is returned for both parameters.
 function unicode_to_string(buffer, pos, length, do_null)
   stdnse.debug4("MSRPC: Entering unicode_to_string(pos = %d, length = %d)", pos, length)
@@ -250,9 +250,9 @@ local function marshall_ptr(location, func, args, value)
   -- If we're marshalling the HEAD section, add a REFERENT_ID.
   if(location == HEAD or location == ALL) then
     if(func == nil or args == nil or value == nil) then
-      result = result .. bin.pack("<I", 0)
+      result = result .. string.pack("<I4", 0)
     else
-      result = result .. bin.pack("<I", REFERENT_ID)
+      result = result .. string.pack("<I4", REFERENT_ID)
     end
   end
 
@@ -312,11 +312,12 @@ local function unmarshall_ptr(location, data, pos, func, args, result)
   end
   -- If we're unmarshalling the header, then pull off a referent_id.
   if(location == HEAD or location == ALL) then
-    local referent_id
-    pos, referent_id = bin.unpack("<I", data, pos)
-    if(referent_id == nil) then
+    if #data - pos + 1 < 4 then
       stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_ptr(). Please report!")
+      return pos, nil
     end
+    local referent_id
+    referent_id, pos = string.unpack("<I4", data, pos)
 
     if(location == HEAD) then
       if(referent_id == 0) then
@@ -404,22 +405,20 @@ end
 --             marshalling function after the 'location' variable.
 --@return A string representing the marshalled data.
 function marshall_array(array)
-  local i
-  local result = ""
 
   stdnse.debug4("MSRPC: Entering marshall_array()")
 
   -- The max count is always at the front of the array (at least, in my tests). It is possible that
   -- this won't always hold true, so if you're having an issue that you've traced back to this function,
   -- you might want to double-check my assumption.
-  result = result .. bin.pack("<I", #array)
+  local result = {string.pack("<I4", #array)}
 
   -- Encode the HEAD sections of all the elements in the array
   for i = 1, #array, 1 do
     local func = array[i]['func']
     local args = array[i]['args']
 
-    result = result .. func(HEAD, table.unpack(args))
+    result[#result+1] = func(HEAD, table.unpack(args))
   end
 
   -- Encode the BODY sections of all the elements in the array
@@ -427,11 +426,11 @@ function marshall_array(array)
     local func = array[i]['func']
     local args = array[i]['args']
 
-    result = result .. func(BODY, table.unpack(args))
+    result[#result+1] = func(BODY, table.unpack(args))
   end
 
   stdnse.debug4("MSRPC: Leaving marshall_array()")
-  return result
+  return table.concat(result)
 end
 
 ---Unmarshalls an array.
@@ -463,20 +462,19 @@ end
 --@return The new position
 --@return The result of unmarshalling this value.
 local function unmarshall_array(data, pos, count, func, args)
-  local i
-  local size
-  local result = {}
-
   stdnse.debug4("MSRPC: Entering unmarshall_array()")
 
   if(args == nil) then
     args = {}
   end
 
-  local pos, max_count = bin.unpack("<I", data, pos)
-  if(max_count == nil) then
+  if #data - pos + 1 < 4 then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_array(). Please report!")
+    return pos, nil
   end
+  local max_count, pos = string.unpack("<I4", data, pos)
+
+  local result = {}
 
   -- Unmarshall the header, which will be referent_ids and base types.
   for i = 1, count, 1 do
@@ -568,12 +566,11 @@ function marshall_unicode(str, do_null, max_length)
     max_length = buffer_length
   end
 
-  result = bin.pack("<IIIA",
+  result = string.pack("<I4I4I4",
     max_length,       -- Max count
     0,                -- Offset
-    buffer_length,    -- Actual count
-    string_to_unicode(str, do_null, true)
-    )
+    buffer_length)   -- Actual count
+    .. string_to_unicode(str, do_null, true)
 
   stdnse.debug4("MSRPC: Leaving marshall_unicode()")
 
@@ -597,13 +594,12 @@ function marshall_ascii(str, max_length)
 
   local padding = string.rep('\0', (4 - (buffer_length % 4)) % 4)
 
-  result = bin.pack("<IIIzA",
+  result = string.pack("<I4I4I4z",
     max_length,
     0,
     buffer_length,
-    str,
-    padding
-    )
+    str)
+    .. padding
 
   return result
 end
@@ -660,10 +656,11 @@ function unmarshall_unicode(data, pos, do_null)
     do_null = false
   end
 
-  pos, max, offset, actual = bin.unpack("<III", data, pos)
-  if(actual == nil) then
+  if #data - pos + 1 < 3*4 then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_unicode(). Please report!")
+    return pos, nil
   end
+  max, offset, actual, pos = string.unpack("<I4I4I4", data, pos)
 
   pos, str = unicode_to_string(data, pos, actual, do_null, true)
 
@@ -730,7 +727,7 @@ function marshall_int64(int64)
   local result
 
   stdnse.debug4("MSRPC: Entering marshall_int64()")
-  result = bin.pack("<L", int64)
+  result = string.pack("<I8", int64)
   stdnse.debug4("MSRPC: Leaving marshall_int64()")
 
   return result
@@ -747,7 +744,7 @@ function marshall_int32(int32)
   local result
 
   stdnse.debug4("MSRPC: Entering marshall_int32()")
-  result = bin.pack("<I", int32)
+  result = string.pack("<I4", int32)
   stdnse.debug4("MSRPC: Leaving marshall_int32()")
 
   return result
@@ -758,17 +755,17 @@ end
 --@param data The array
 --@return A string representing the marshalled data
 function marshall_int32_array(data)
-  local result = ""
-
-  result = result .. marshall_int32(0x0400) -- Max count
-  result = result .. marshall_int32(0)     -- Offset
-  result = result .. marshall_int32(#data) -- Actual count
+  local result = {
+    marshall_int32(0x0400), -- Max count
+    marshall_int32(0),     -- Offset
+    marshall_int32(#data), -- Actual count
+  }
 
   for _, v in ipairs(data) do
-    result = result .. marshall_int32(v)
+    result[#result+1] = marshall_int32(v)
   end
 
-  return result
+  return table.concat(result)
 end
 
 --- Marshall an int16
@@ -785,10 +782,10 @@ function marshall_int16(int16, pad)
   stdnse.debug4("MSRPC: Entering marshall_int16()")
 
   if(pad == false) then
-    return bin.pack("<S", int16)
+    return string.pack("<I2", int16)
   end
 
-  result = bin.pack("<SS", int16, 0)
+  result = string.pack("<I2xx", int16)
 
   stdnse.debug4("MSRPC: Leaving marshall_int16()")
 
@@ -810,10 +807,10 @@ function marshall_int8(int8, pad)
   stdnse.debug4("MSRPC: Entering marshall_int8()")
 
   if(pad == false) then
-    return bin.pack("<C", int8)
+    return string.pack("<B", int8)
   end
 
-  result = bin.pack("<CCS", int8, 0, 0)
+  result = string.pack("<Bxxx", int8)
   stdnse.debug4("MSRPC: Leaving marshall_int8()")
 
   return result
@@ -828,10 +825,11 @@ function unmarshall_int64(data, pos)
   local value
 
   stdnse.debug4("MSRPC: Entering unmarshall_int64()")
-  pos, value = bin.unpack("<l", data, pos)
-  if(value == nil) then
+  if #data - pos + 1 < 8 then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_int64(). Please report!")
+    return pos, nil
   end
+  value, pos = string.unpack("<i8", data, pos)
   stdnse.debug4("MSRPC: Leaving unmarshall_int64()")
 
   return pos, value
@@ -845,10 +843,11 @@ end
 function unmarshall_int32(data, pos)
   local value
 
-  pos, value = bin.unpack("<I", data, pos)
-  if(value == nil) then
+  if #data - pos + 1 < 4 then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_int32(). Please report!")
+    return pos, nil
   end
+  pos, value = string.unpack("<I4", data, pos)
 
   return pos, value
 end
@@ -864,10 +863,11 @@ function unmarshall_int16(data, pos, pad)
 
   stdnse.debug4("MSRPC: Entering unmarshall_int16()")
 
-  pos, value = bin.unpack("<S", data, pos)
-  if(value == nil) then
+  if #data - pos + 1 < 2 then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_int16(). Please report!")
+    return pos, nil
   end
+  value, pos = string.unpack("<I2", data, pos)
 
   if(pad == nil or pad == true) then
     pos = pos + 2
@@ -889,10 +889,11 @@ function unmarshall_int8(data, pos, pad)
 
   stdnse.debug4("MSRPC: Entering unmarshall_int8()")
 
-  pos, value = bin.unpack("<C", data, pos)
-  if(value == nil) then
+  if #data - pos + 1 < 1 then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_int8(). Please report!")
+    return pos, nil
   end
+  value, pos = string.unpack("<B", data, pos)
 
   if(pad == nil or pad == true) then
     pos = pos + 3
@@ -1039,7 +1040,7 @@ function marshall_int8_array(data, max_length)
     max_length = #data
   end
 
-  local result = bin.pack("<IIa", max_length, 0, data)
+  local result = string.pack("<I4I4", max_length, 0) .. data
 
   stdnse.debug4("MSRPC: Leaving marshall_int8_array()")
 
@@ -1059,15 +1060,17 @@ function unmarshall_int8_array(data, pos, pad)
 
   stdnse.debug4("MSRPC: Entering unmarshall_int8_array()")
 
-  pos, max, offset, actual = bin.unpack("<III", data, pos)
-  if(actual == nil) then
+  if #data - pos + 1 < 3*4 then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_int8_array(). Please report!")
+    return pos, nil
   end
+  max, offset, actual, pos = string.unpack("<I4I4I4", data, pos)
 
-  pos, str = bin.unpack("<A"..actual, data, pos)
-  if(str == nil) then
+  if #data - pos + 1 < actual then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_int8_array() [2]. Please report!")
+    return pos - 3*4, nil
   end
+  str, pos = string.unpack("<c"..actual, data, pos)
 
   -- Do the alignment (note the "- 1", it's there because of 1-based arrays)
   if(pad == nil or pad == true) then
@@ -1161,9 +1164,9 @@ function marshall_NTTIME(time)
   stdnse.debug4("MSRPC: Entering marshall_NTTIME()")
 
   if(time == 0) then
-    result = bin.pack("<L", 0)
+    result = string.pack("<I8", 0)
   else
-    result = bin.pack("<L", (time + 11644473600) * 10000000)
+    result = string.pack("<I8", (time + 11644473600) * 10000000)
   end
 
   stdnse.debug4("MSRPC: Leaving marshall_NTTIME()")
@@ -1179,10 +1182,11 @@ function unmarshall_NTTIME(data, pos)
   local time
   stdnse.debug4("MSRPC: Entering unmarshall_NTTIME()")
 
-  pos, time = bin.unpack("<L", data, pos)
-  if(time == nil) then
+  if #data - pos + 1 < 8 then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_NTTIME(). Please report!")
+    return pos, nil
   end
+  time, pos = string.unpack("<I8", data, pos)
 
   if(time ~= 0) then
     time = (time // 10000000) - 11644473600
@@ -1242,13 +1246,15 @@ end
 --@param pos  The position within the data.
 --@return (pos, time) The new position, and the time in seconds since 1970.
 function unmarshall_SYSTEMTIME(data, pos)
-  local date = {}
-  local _
-
-  pos, date['year'], date['month'], _, date['day'], date['hour'], date['min'], date['sec'], _ = bin.unpack("<SSSSSSSS", data, pos)
-  if(date['sec'] == nil) then
+  local fmt = "<I2I2I2I2I2I2I2I2"
+  if #data - pos + 1 < string.packsize(fmt) then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_SYSTEMTIME(). Please report!")
+    return pos, nil
   end
+  local date = {}
+
+  -- TODO: consider returning the date table instead, allowing the caller to see milliseconds.
+  date.year, date.month, date.dow, date.day, date.hour, date.min, date.sec, date.msec, pos = string.unpack(fmt, data, pos)
 
   return pos, os.time(date)
 end
@@ -1424,10 +1430,11 @@ function unmarshall_raw(data, pos, length)
   local val
   stdnse.debug4("MSRPC: Entering unmarshall_raw()")
 
-  pos, val = bin.unpack(string.format("A%d", length), data, pos)
-  if(val == nil) then
+  if #data - pos + 1 < length then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_raw(). Please report!")
+    return pos, nil
   end
+  val, pos = string.unpack(("c%d"):format(length), data, pos)
 
   stdnse.debug4("MSRPC: Leaving unmarshall_raw()")
   return pos, val
@@ -1457,7 +1464,7 @@ local function marshall_guid(guid)
   local result
   stdnse.debug4("MSRPC: Entering marshall_guid()")
 
-  result = bin.pack("<ISSAA", guid['time_low'], guid['time_high'], guid['time_hi_and_version'], guid['clock_seq'], guid['node'])
+  result = string.pack("<I4I2I2", guid.time_low, guid.time_high, guid.time_hi_and_version) .. guid.clock_seq .. guid.node
 
   stdnse.debug4("MSRPC: Leaving marshall_guid()")
   return result
@@ -1469,13 +1476,15 @@ end
 --@param pos  The position within the data.
 --@return (pos, result) The new position in <code>data</code>, and a table representing the datatype.
 local function unmarshall_guid(data, pos)
-  local guid = {}
+  local fmt = "<I4I2I2c2c6"
   stdnse.debug4("MSRPC: Entering unmarshall_guid()")
 
-  pos, guid['time_low'], guid['time_high'], guid['time_hi_and_version'], guid['clock_seq'], guid['node'] = bin.unpack("<ISSA2A6", data, pos)
-  if(guid['node'] == nil) then
+  if #data - pos + 1 < string.packsize(fmt) then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_guid(). Please report!")
+    return pos, nil
   end
+  local guid = {}
+  guid.time_low, guid.time_high, guid.time_hi_and_version, guid.clock_seq, guid.node, pos = string.unpack(fmt, data, pos)
 
   stdnse.debug4("MSRPC: Leaving unmarshall_guid()")
   return pos, guid
@@ -1496,7 +1505,7 @@ function marshall_policy_handle(policy_handle)
   local result
   stdnse.debug4("MSRPC: Entering marshall_policy_handle()")
 
-  result = bin.pack("<IA", policy_handle['handle_type'], marshall_guid(policy_handle['uuid']))
+  result = string.pack("<I4", policy_handle.handle_type) .. marshall_guid(policy_handle.uuid)
 
   stdnse.debug4("MSRPC: Leaving marshall_policy_handle()")
   return result
@@ -1547,11 +1556,11 @@ function unmarshall_dom_sid2(data, pos)
   pos, sid['num_auths']      = unmarshall_int8(data, pos, false)
 
   -- Note that authority is big endian (I guess it's an array, not really an integer like we're handling it)
-  pos, sid['authority_high'], sid['authority_low'] = bin.unpack(">SI", data, pos)
-  if(sid['authority_low'] == nil) then
+  if #data - pos + 1 < 6 then
     stdnse.debug1("MSRPC: ERROR: Ran off the end of a packet in unmarshall_dom_sid2(). Please report!")
+    return pos, nil
   end
-  sid['authority'] = (sid['authority_high'] << 32) | sid['authority_low']
+  sid.authority, pos = string.unpack(">I6", data, pos)
 
   sid['sub_auths']   = {}
   for i = 1, sid['num_auths'], 1 do
@@ -1609,12 +1618,11 @@ function marshall_dom_sid2(sid)
   local pos = 3
 
   pos_next = string.find(sid, "-", pos)
-  sid_array['sid_rev_num'] = string.sub(sid, pos, pos_next - 1)
+  sid_array.sid_rev_num = tonumber(string.sub(sid, pos, pos_next - 1))
 
   pos = pos_next + 1
   pos_next = string.find(sid, "-", pos)
-  sid_array['authority_high'] = string.sub(sid, pos, pos_next - 1) >> 32
-  sid_array['authority_low']  = string.sub(sid, pos, pos_next - 1) & 0xFFFFFFFF
+  sid_array.authority_high = tonumber(string.sub(sid, pos, pos_next - 1))
 
   sid_array['sub_auths'] = {}
   i = 1
@@ -1622,22 +1630,25 @@ function marshall_dom_sid2(sid)
     pos = pos_next + 1
     pos_next = string.find(sid, "-", pos)
     if(pos_next == nil) then
-      sid_array['sub_auths'][i] = string.sub(sid, pos)
+      sid_array['sub_auths'][i] = tonumber(string.sub(sid, pos))
     else
-      sid_array['sub_auths'][i] = string.sub(sid, pos, pos_next - 1)
+      sid_array['sub_auths'][i] = tonumber(string.sub(sid, pos, pos_next - 1))
     end
     i = i + 1
   until pos_next == nil
   sid_array['num_auths'] = i - 1
 
-  result = bin.pack("<I", sid_array['num_auths'])
-  result = result .. bin.pack("<CC>SI", sid_array['sid_rev_num'], sid_array['num_auths'], sid_array['authority_high'], sid_array['authority_low'])
+  result = {
+    -- TODO: Is the first 32-bit integer here supposed to be num_auths, or some
+    -- other count value?
+    string.pack("<I4BB>I6", sid_array.num_auths, sid_array.sid_rev_num, sid_array.num_auths, sid_array.authority),
+  }
   for i = 1, sid_array['num_auths'], 1 do
-    result = result .. bin.pack("<I", sid_array['sub_auths'][i])
+    result[#result+1] = string.pack("<I4", sid_array['sub_auths'][i])
   end
 
   stdnse.debug4("MSRPC: Leaving marshall_dom_sid2()")
-  return result
+  return table.concat(result)
 end
 
 
@@ -1697,7 +1708,7 @@ local function marshall_lsa_String_internal(location, str, max_length, do_null)
   end
 
   if(location == HEAD or location == ALL) then
-    result = result .. bin.pack("<SSA", length * 2, max_length * 2, marshall_ptr(HEAD, marshall_unicode, {str, do_null, max_length}, str))
+    result = result .. string.pack("<I2I2", length * 2, max_length * 2) .. marshall_ptr(HEAD, marshall_unicode, {str, do_null, max_length}, str)
   end
 
   if(location == BODY or location == ALL) then
@@ -2718,7 +2729,7 @@ function marshall_winreg_StringBuf(table, max_length)
   -- For some reason, 0-length strings are handled differently (no null terminator)...
   if(name == "") then
     length = 0
-    result = bin.pack("<SSA", length * 2, max_length * 2, marshall_ptr(ALL, marshall_unicode, {name, false, max_length}, name))
+    result = string.pack("<I2I2", length * 2, max_length * 2) .. marshall_ptr(ALL, marshall_unicode, {name, false, max_length}, name)
   else
     if(name == nil) then
       length = 0
@@ -2726,7 +2737,7 @@ function marshall_winreg_StringBuf(table, max_length)
       length = #name + 1
     end
 
-    result = bin.pack("<SSA", length * 2, max_length * 2, marshall_ptr(ALL, marshall_unicode, {name, true, max_length}, name))
+    result = string.pack("<I2I2", length * 2, max_length * 2) .. marshall_ptr(ALL, marshall_unicode, {name, true, max_length}, name)
   end
 
   stdnse.debug4("MSRPC: Leaving marshall_winreg_StringBuf()")
@@ -2978,7 +2989,7 @@ local function marshall_srvsvc_NetShareInfo1(location, name, sharetype, comment)
   local sharetype = marshall_basetype(location, marshall_srvsvc_ShareType, {sharetype})
   local comment   = marshall_ptr(location, marshall_unicode, {comment, true}, comment)
 
-  result = bin.pack("<AAA", name, sharetype, comment)
+  result = name .. sharetype .. comment
 
   stdnse.debug4("MSRPC: Leaving marshall_srvsvc_NetShareInfo1()")
   return result
@@ -3123,19 +3134,19 @@ end
 --@return A string representing the marshalled data.
 function marshall_srvsvc_NetShareCtr0(NetShareCtr0)
   local i
-  local result = ""
+  local result = {}
   stdnse.debug4("MSRPC: Entering marshall_srvsvc_NetShareCtr0()")
 
   if(NetShareCtr0 == nil) then
-    result = result .. bin.pack("<I", 0)
+    result[#result+1] = string.pack("<I4", 0)
   else
     local array = NetShareCtr0['array']
     local marshall = nil
 
     if(array == nil) then
-      result = result .. bin.pack("<I", 0)
+      result[#result+1] = string.pack("<I4", 0)
     else
-      result = result .. bin.pack("<I", #array) -- count
+      result[#result+1] = string.pack("<I4", #array) -- count
 
       -- Build the array that we can marshall
       marshall = {}
@@ -3146,11 +3157,11 @@ function marshall_srvsvc_NetShareCtr0(NetShareCtr0)
       end
     end
 
-    result = result .. marshall_ptr(ALL, marshall_array, {marshall}, marshall) -- array
+    result[#result+1] = marshall_ptr(ALL, marshall_array, {marshall}, marshall) -- array
   end
 
   stdnse.debug4("MSRPC: Leaving marshall_srvsvc_NetShareCtr0()")
-  return result
+  return table.concat(result)
 end
 
 ---Unmarshall a NetShareCtr (container) type 0. See the marshall function for the definition.
@@ -3186,19 +3197,19 @@ end
 --@return A string representing the marshalled data.
 function marshall_srvsvc_NetShareCtr1(NetShareCtr1)
   local i
-  local result = ""
+  local result = {}
   stdnse.debug4("MSRPC: Entering marshall_srvsvc_NetShareCtr1()")
 
   if(NetShareCtr1 == nil) then
-    result = result .. bin.pack("<I", 0)
+    result[#result+1] = string.pack("<I4", 0)
   else
     local array = NetShareCtr1['array']
     local marshall = nil
 
     if(array == nil) then
-      result = result .. bin.pack("<I", 0)
+      result[#result+1] = string.pack("<I4", 0)
     else
-      result = result .. bin.pack("<I", #array) -- count
+      result[#result+1] = string.pack("<I4", #array) -- count
 
       -- Build the array that we can marshall
       marshall = {}
@@ -3209,11 +3220,11 @@ function marshall_srvsvc_NetShareCtr1(NetShareCtr1)
       end
     end
 
-    result = result .. marshall_ptr(ALL, marshall_array, {marshall}, marshall) -- array
+    result[#result+1] = marshall_ptr(ALL, marshall_array, {marshall}, marshall) -- array
   end
 
   stdnse.debug4("MSRPC: Leaving marshall_srvsvc_NetShareCtr1()")
-  return result
+  return table.concat(result)
 end
 
 
@@ -3232,19 +3243,19 @@ end
 --@return A string representing the marshalled data.
 function marshall_srvsvc_NetShareCtr2(NetShareCtr2)
   local i
-  local result = ""
+  local result = {}
   stdnse.debug4("MSRPC: Entering marshall_srvsvc_NetShareCtr2()")
 
   if(NetShareCtr2 == nil) then
-    result = result .. bin.pack("<I", 0)
+    result[#result+1] = string.pack("<I4", 0)
   else
     local array = NetShareCtr2['array']
     local marshall = nil
 
     if(array == nil) then
-      result = result .. bin.pack("<I", 0)
+      result[#result+1] = string.pack("<I4", 0)
     else
-      result = result .. bin.pack("<I", #array) -- count
+      result[#result+1] = string.pack("<I4", #array) -- count
 
       -- Build the array that we can marshall
       marshall = {}
@@ -3256,11 +3267,11 @@ function marshall_srvsvc_NetShareCtr2(NetShareCtr2)
       end
     end
 
-    result = result .. marshall_ptr(ALL, marshall_array, {marshall}, marshall) -- array
+    result[#result+1] = marshall_ptr(ALL, marshall_array, {marshall}, marshall) -- array
   end
 
   stdnse.debug4("MSRPC: Leaving marshall_srvsvc_NetShareCtr2()")
-  return result
+  return table.concat(result)
 end
 
 ---Marshall the top-level NetShareCtr. This is a union of a bunch of different containers:
@@ -3290,19 +3301,20 @@ end
 --             For level 0, you'll probably want a table containing array=nil.
 --@return A string representing the marshalled data, or 'nil' if it couldn't be marshalled.
 function marshall_srvsvc_NetShareCtr(level, data)
-  local result
   stdnse.debug4("MSRPC: Entering marshall_srvsvc_NetShareCtr()")
 
+  local marshaller
   if(level == 0) then
-    result = bin.pack("<IA", level, marshall_ptr(ALL, marshall_srvsvc_NetShareCtr0, {data}, data))
+    marshaller = marshall_srvsvc_NetShareCtr0
   elseif(level == 1) then
-    result = bin.pack("<IA", level, marshall_ptr(ALL, marshall_srvsvc_NetShareCtr1, {data}, data))
+    marshaller = marshall_srvsvc_NetShareCtr1
   elseif(level == 2) then
-    result = bin.pack("<IA", level, marshall_ptr(ALL, marshall_srvsvc_NetShareCtr2, {data}, data))
+    marshaller = marshall_srvsvc_NetShareCtr2
   else
     stdnse.debug1("MSRPC: ERROR: Script requested an unknown level for srvsvc_NetShareCtr: %d", level)
-    result = nil
+    return nil
   end
+  local result = string.pack("<I4", level) .. marshall_ptr(ALL, marshaller, {data}, data)
 
   stdnse.debug4("MSRPC: Leaving marshall_srvsvc_NetShareCtr()")
   return result
@@ -3407,7 +3419,7 @@ local function marshall_srvsvc_NetSessInfo10(location, client, user, time, idle_
   local time      = marshall_basetype(location, marshall_int32, {time})
   local idle_time = marshall_basetype(location, marshall_int32, {idle_time})
 
-  result = bin.pack("<AAAA", client, user, time, idle_time)
+  result = client .. user .. time .. idle_time
 
   stdnse.debug4("MSRPC: Leaving marshall_srvsvc_NetShareInfo10()")
   return result
@@ -3463,19 +3475,19 @@ end
 --@return A string representing the marshalled data.
 function marshall_srvsvc_NetSessCtr10(NetSessCtr10)
   local i
-  local result = ""
+  local result = {}
   stdnse.debug4("MSRPC: Entering marshall_srvsvc_NetSessCtr10()")
 
   if(NetSessCtr10 == nil) then
-    result = result .. bin.pack("<I", 0)
+    result[#result+1] = string.pack("<I4", 0)
   else
     local array = NetSessCtr10['array']
     local marshall = nil
 
     if(array == nil) then
-      result = result .. bin.pack("<I", 0)
+      result[#result+1] = string.pack("<I4", 0)
     else
-      result = result .. bin.pack("<I", #array) -- count
+      result[#result+1] = string.pack("<I4", #array) -- count
 
       -- Build the array that we can marshall
       marshall = {}
@@ -3486,11 +3498,11 @@ function marshall_srvsvc_NetSessCtr10(NetSessCtr10)
       end
     end
 
-    result = result .. marshall_ptr(ALL, marshall_array, {marshall}, marshall) -- array
+    result[#result+1] = marshall_ptr(ALL, marshall_array, {marshall}, marshall) -- array
   end
 
   stdnse.debug4("MSRPC: Leaving marshall_srvsvc_NetSessCtr10()")
-  return result
+  return table.concat(result)
 end
 
 ---Unmarshall a NetSessCtr (session container) type 10. See the marshall function for the definition.
@@ -3536,7 +3548,7 @@ function marshall_srvsvc_NetSessCtr(level, data)
   stdnse.debug4("MSRPC: Entering marshall_srvsvc_NetShareCtr()")
 
   if(level == 10) then
-    result = bin.pack("<IA", level, marshall_ptr(ALL, marshall_srvsvc_NetSessCtr10, {data}, data))
+    result = string.pack("<I4", level) .. marshall_ptr(ALL, marshall_srvsvc_NetSessCtr10, {data}, data)
   else
     stdnse.debug1("MSRPC: ERROR: Script requested an unknown level for srvsvc_NetSessCtr")
     result = nil
@@ -3557,7 +3569,7 @@ function unmarshall_srvsvc_NetSessCtr(data, pos)
   local result
   stdnse.debug4("MSRPC: Entering unmarshall_srvsvc_NetSessCtr()")
 
-  pos, level = bin.unpack("<I", data, pos)
+  level, pos = string.unpack("<I4", data, pos)
 
   if(level == 10) then
     pos, result = unmarshall_ptr(ALL, data, pos, unmarshall_srvsvc_NetSessCtr10, {})