PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-07 13:11:28 +00:00
Code Issues Projects Releases Wiki Activity

Use string.pack/unpack in ssh1 and sslcert libs

Browse Source
This commit is contained in:
dmiller
2018-08-30 03:25:13 +00:00
parent 5b68b1403b
commit 04aab3cfe1
2 changed files with 23 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
nselib/ssh1.lua
View File

@@ -6,7 +6,6 @@
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
local bin = require "bin"
local io = require "io"
local math = require "math"
local nmap = require "nmap"
@@ -30,8 +29,7 @@ _ENV = stdnse.module("ssh1", stdnse.seeall)
-- the return is similar to the lua function string:find()
check_packet_length = function( buffer )
if #buffer < 4 then return nil end
local payload_length, packet_length, offset
offset, payload_length = bin.unpack( ">I", buffer )
local payload_length = string.unpack( ">I4", buffer )
local padding = 8 - payload_length % 8
assert(payload_length)
local total = 4+payload_length+padding;
@@ -53,6 +51,11 @@ receive_ssh_packet = function( socket )
return status, packet
end
local function unpack_with_padding(len_bytes, data, offset)
local length, offset = string.unpack( ">I".. len_bytes, data, offset )
return string.unpack( ">c" .. math.ceil( length / 8 ), data, offset )
end
--- Fetch an SSH-1 host key.
-- @param host Nmap host table.
-- @param port Nmap port table.
@@ -78,29 +81,25 @@ fetch_host_key = function(host, port)
socket:close()
if not status then return end
offset, packet_length = bin.unpack( ">i", data )
packet_length, offset = string.unpack( ">I4", data )
padding = 8 - packet_length % 8
offset = offset + padding
if padding + packet_length + 4 == #data then
-- seems to be a proper SSH1 packet
local msg_code,host_key_bits,exp,mod,length,fp_input
offset, msg_code = bin.unpack( ">c", data, offset )
msg_code, offset = string.unpack( ">B", data, offset )
if msg_code == 2 then -- 2 => SSH_SMSG_PUBLIC_KEY
-- ignore cookie and server key bits
offset, _, _ = bin.unpack( ">A8i", data, offset )
offset = offset + 8 + 4
-- skip server key exponent and modulus
offset, length = bin.unpack( ">S", data, offset )
offset = offset + math.ceil( length / 8 )
offset, length = bin.unpack( ">S", data, offset )
offset = offset + math.ceil( length / 8 )
_, offset = unpack_with_padding(2, data, offset)
_, offset = unpack_with_padding(2, data, offset)
offset, host_key_bits = bin.unpack( ">i", data, offset )
offset, length = bin.unpack( ">S", data, offset )
offset, exp = bin.unpack( ">A" .. math.ceil( length / 8 ), data, offset )
host_key_bits, offset = string.unpack( ">I4", data, offset )
exp, offset = unpack_with_padding(2, data, offset)
exp = openssl.bignum_bin2bn( exp )
offset, length = bin.unpack( ">S", data, offset )
offset, mod = bin.unpack( ">A" .. math.ceil( length / 8 ), data, offset )
mod, offset = unpack_with_padding(2, data, offset)
mod = openssl.bignum_bin2bn( mod )
fp_input = mod:tobin()..exp:tobin()

19
nselib/sslcert.lua
View File

@@ -22,7 +22,6 @@
-- @author Patrik Karlsson <patrik@cqure.net>
local asn1 = require "asn1"
local bin = require "bin"
local comm = require "comm"
local ftp = require "ftp"
local ldap = require "ldap"
@@ -283,7 +282,7 @@ StartTLS = {
-- 0x80 = 10000001 = 10 0 00000
-- hex binary Context Primitive value Field: requestName Value: 0
local encodedOID = bin.pack('HAA' , '80', string.char(#oid), oid)
local encodedOID = string.pack('Bs1', 0x80, oid)
local ldapRequest, ldapRequestId
local ExtendedRequest = 23
@@ -440,7 +439,7 @@ StartTLS = {
postgres_prepare_tls_without_reconnect = function(host, port)
-- http://www.postgresql.org/docs/devel/static/protocol-message-formats.html
-- 80877103 is "SSLRequest" in v2 and v3 of Postgres protocol
local s, resp = comm.opencon(host, port, bin.pack(">II", 8, 80877103))
local s, resp = comm.opencon(host, port, string.pack(">I4I4", 8, 80877103))
if not s then
return false, ("Failed to connect to Postgres server: %s"):format(resp)
end
@@ -509,14 +508,14 @@ StartTLS = {
if not status then return status, preloginResponse end
local encryption
local pos, optype, oppos, oplen = bin.unpack('>CSS', result)
local optype, oppos, oplen, pos = string.unpack('>BI2I2', result)
while optype ~= mssql.PreLoginPacket.OPTION_TYPE.Terminator do
--stdnse.debug1("optype: %d, oppos: %x, oplen: %d", optype, oppos, oplen)
if optype == mssql.PreLoginPacket.OPTION_TYPE.Encryption then
pos, encryption = bin.unpack('C', result, oppos + 1)
encryption, pos = string.unpack('B', result, oppos + 1)
break
end
pos, optype, oppos, oplen = bin.unpack('>CSS', result, pos)
optype, oppos, oplen, pos = string.unpack('>BI2I2', result, pos)
end
if not encryption then
starttls_supported(host, port, false)
@@ -564,9 +563,9 @@ StartTLS = {
-- read in the TDS headers
local packetType, messageStatus, packetLength
pos, packetType, messageStatus, packetLength = bin.unpack(">CCS", readBuffer, pos )
packetType, messageStatus, packetLength, pos = string.unpack(">BBI2", readBuffer, pos )
local spid, packetId, window
pos, spid, packetId, window = bin.unpack(">SCC", readBuffer, pos )
spid, packetId, window, pos = string.unpack(">I2BB", readBuffer, pos )
if packetLength > #readBuffer then
status, result = tds._socket:receive_bytes(packetLength - #readBuffer)
@@ -648,7 +647,7 @@ StartTLS = {
starttls_supported(host, port, false)
return false, "No TLS VeNCrypt auth subtype received"
end
sock:send(bin.pack(">I", best))
sock:send(string.pack(">I4", best))
local status, buf = sock:receive_buf(match.numbytes(1), true)
if not status or string.byte(buf, 1) ~= 1 then
starttls_supported(host, port, false)
@@ -657,7 +656,7 @@ StartTLS = {
starttls_supported(host, port, true)
return true, sock
elseif v:supportsSecType(vnc.VNC.sectypes.TLS) then
status = sock:send( bin.pack("C", vnc.VNC.sectypes.TLS) )
status = sock:send( string.pack("B", vnc.VNC.sectypes.TLS) )
if not status then
starttls_supported(host, port, false)
return false, "Failed to select TLS authentication type"