mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00

Use string.pack/unpack in ssh1 and sslcert libs

dmiller
2018-08-30 03:25:13 +00:00
parent 5b68b1403b
commit 04aab3cfe1
2 changed files with 23 additions and 25 deletions


@@ -6,7 +6,6 @@
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
local bin = require "bin"
local io = require "io"
local math = require "math"
local nmap = require "nmap"
@@ -30,8 +29,7 @@ _ENV = stdnse.module("ssh1", stdnse.seeall)
-- the return is similar to the lua function string:find()
check_packet_length = function( buffer )
if #buffer < 4 then return nil end
local payload_length, packet_length, offset
offset, payload_length = bin.unpack( ">I", buffer )
local payload_length = string.unpack( ">I4", buffer )
local padding = 8 - payload_length % 8
assert(payload_length)
local total = 4+payload_length+padding;
@@ -53,6 +51,11 @@ receive_ssh_packet = function( socket )
return status, packet
end
local function unpack_with_padding(len_bytes, data, offset)
local length, offset = string.unpack( ">I".. len_bytes, data, offset )
return string.unpack( ">c" .. math.ceil( length / 8 ), data, offset )
end
--- Fetch an SSH-1 host key.
-- @param host Nmap host table.
-- @param port Nmap port table.
@@ -78,29 +81,25 @@ fetch_host_key = function(host, port)
socket:close()
if not status then return end
offset, packet_length = bin.unpack( ">i", data )
packet_length, offset = string.unpack( ">I4", data )
padding = 8 - packet_length % 8
offset = offset + padding
if padding + packet_length + 4 == #data then
-- seems to be a proper SSH1 packet
local msg_code,host_key_bits,exp,mod,length,fp_input
offset, msg_code = bin.unpack( ">c", data, offset )
msg_code, offset = string.unpack( ">B", data, offset )
if msg_code == 2 then -- 2 => SSH_SMSG_PUBLIC_KEY
-- ignore cookie and server key bits
offset, _, _ = bin.unpack( ">A8i", data, offset )
offset = offset + 8 + 4
-- skip server key exponent and modulus
offset, length = bin.unpack( ">S", data, offset )
offset = offset + math.ceil( length / 8 )
offset, length = bin.unpack( ">S", data, offset )
offset = offset + math.ceil( length / 8 )
_, offset = unpack_with_padding(2, data, offset)
_, offset = unpack_with_padding(2, data, offset)
offset, host_key_bits = bin.unpack( ">i", data, offset )
offset, length = bin.unpack( ">S", data, offset )
offset, exp = bin.unpack( ">A" .. math.ceil( length / 8 ), data, offset )
host_key_bits, offset = string.unpack( ">I4", data, offset )
exp, offset = unpack_with_padding(2, data, offset)
exp = openssl.bignum_bin2bn( exp )
offset, length = bin.unpack( ">S", data, offset )
offset, mod = bin.unpack( ">A" .. math.ceil( length / 8 ), data, offset )
mod, offset = unpack_with_padding(2, data, offset)
mod = openssl.bignum_bin2bn( mod )
fp_input = mod:tobin()..exp:tobin()
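Review bot: `unpack_with_padding` trusts the 2-byte bit count it reads from the server's packet: `string.unpack` raises an error when `math.ceil( length / 8 )` exceeds the bytes left in `data`, so a malformed or hostile SSH_SMSG_PUBLIC_KEY aborts the script with an exception instead of a clean return. The outer check `padding + packet_length + 4 == #data` only validates the total packet size, not the inner length fields. Consider bounding the read in the helper, e.g. `local nbytes = math.ceil( length / 8 )` followed by `if nbytes > #data - offset + 1 then return nil end`, with the callers in fetch_host_key (whose body starts and ends outside the hunk) returning when they get nil, or run the whole parse under `pcall`. The helper's `local length, offset = …` also shadows its own `offset` parameter. Since `string.unpack` raises rather than returning nil, the `assert(payload_length)` in check_packet_length is now dead code, and it sits after the value has already been used.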