From 0d18bcdbc243d386a9602b3bd4de0ece7676ffa9 Mon Sep 17 00:00:00 2001
From: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Wed, 29 Aug 2018 03:06:40 +0000
Subject: [PATCH] Remove bin.lua calls from some scripts and libraries

---
 nselib/http.lua                       | 23 +++++++++++------------
 nselib/multicast.lua                  | 16 ++++++++--------
 nselib/rsync.lua                      |  4 ++--
 nselib/wsdd.lua                       |  3 +--
 scripts/broadcast-eigrp-discovery.nse |  3 +--
 scripts/broadcast-listener.nse        |  1 +
 scripts/deluge-rpc-brute.nse          | 24 ++++++++++++++----------
 scripts/eppc-enum-processes.nse       |  5 ++++-
 scripts/jdwp-info.nse                 |  4 ++--
 scripts/jdwp-inject.nse               |  3 +--
 scripts/maxdb-info.nse                |  4 ++--
 scripts/murmur-version.nse            |  6 ++----
 scripts/mysql-enum.nse                |  3 +--
 scripts/smb-vuln-ms10-054.nse         |  4 ++--
 scripts/snmp-win32-software.nse       | 16 ++++++++--------
 scripts/teamspeak2-version.nse        |  3 +--
 scripts/telnet-ntlm-info.nse          | 10 ++++------
 17 files changed, 65 insertions(+), 67 deletions(-)

diff --git a/nselib/http.lua b/nselib/http.lua
index af6130b39..ed807659e 100644
--- a/nselib/http.lua
+++ b/nselib/http.lua
@@ -112,7 +112,6 @@
 
 
 local base64 = require "base64"
-local bin = require "bin"
 local comm = require "comm"
 local coroutine = require "coroutine"
 local nmap = require "nmap"
@@ -1331,9 +1330,9 @@ function generic_request(host, port, method, path, options)
 
     local auth_blob = "NTLMSSP\x00" .. -- NTLM signature
     "\x01\x00\x00\x00" .. -- NTLM Type 1 message
-    bin.pack("<I", 0xa208b207) .. -- flags 56, 128, Version, Extended Security, Always Sign, Workstation supplied, Domain Supplied, NTLM Key, OEM, Unicode
-    bin.pack("<SSISSI",#workstation_name, #workstation_name, 40 + #hostname, #hostname, #hostname, 40) .. -- Supplied Domain and Workstation
-    bin.pack("CC<S", -- OS version info
+    string.pack("<I4", 0xa208b207) .. -- flags 56, 128, Version, Extended Security, Always Sign, Workstation supplied, Domain Supplied, NTLM Key, OEM, Unicode
+    string.pack("<I2I2I4 I2I2I4",#workstation_name, #workstation_name, 40 + #hostname, #hostname, #hostname, 40) .. -- Supplied Domain and Workstation
+    string.pack("BB<I2", -- OS version info
     5, 1, 2600) .. -- 5.1.2600
     "\x00\x00\x00\x0f" .. -- OS version info end (static 0x0000000f)
     hostname.. -- HOST NAME
@@ -1367,7 +1366,7 @@ function generic_request(host, port, method, path, options)
     authentication_header = response.header['www-authenticate']
     -- take out the challenge
     local type2_response = authentication_header:sub(authentication_header:find(' ')+1, -1)
-    local _, _, message_type, _, _, _, flags_received, challenge= bin.unpack("<A8ISSIIA8", base64.dec(type2_response))
+    local _, message_type, _, _, _, flags_received, challenge= string.unpack("<c8 I4 I2I2I4 I4 c8", base64.dec(type2_response))
     -- check if the response is a type 2 message.
     if message_type ~= 0x02 then
       stdnse.debug1("Expected type 2 message as response.")
@@ -1399,7 +1398,7 @@ function generic_request(host, port, method, path, options)
 
     local BASE_OFFSET = 72 -- Version 3 -- The Session Key<empty in our case>, flags, and OS Version structure are all present.
 
-    auth_blob = bin.pack("<zISSISSISSISSISSISSIICCSAAAAA",
+    auth_blob = string.pack("<z I4 I2I2I4 I2I2I4 I2I2I4 I2I2I4 I2I2I4 I2I2I4 I4 BBI2",
       "NTLMSSP",
       0x00000003,
       #lanman,
@@ -1423,12 +1422,12 @@ function generic_request(host, port, method, path, options)
       type_3_flags,
       5,
       1,
-      2600,
-      "\x00\x00\x00\x0f",
-      username,
-      hostname,
-      lanman,
-      ntlm)
+      2600)
+    .. "\x00\x00\x00\x0f"
+    .. username
+    .. hostname
+    .. lanman
+    .. ntlm
 
     custom_options.ntlmauth = auth_blob
     socket:send(build_request(host, port, method, path, custom_options))
diff --git a/nselib/multicast.lua b/nselib/multicast.lua
index 8d9c5ba8e..ccdb72a32 100644
--- a/nselib/multicast.lua
+++ b/nselib/multicast.lua
@@ -3,11 +3,11 @@
 --
 -- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
 
-local bin = require "bin"
 local nmap = require "nmap"
 local ipOps = require "ipOps"
 local packet = require "packet"
 local stdnse = require "stdnse"
+local string = require "string"
 local table = require "table"
 
 _ENV = stdnse.module("multicast", stdnse.seeall)
@@ -79,14 +79,14 @@ mld_query = function( if_nfo, arg_timeout )
     ipOps.ip_to_str("::")   -- empty address - general MLD query
   )
   probe:build_icmpv6_header()
-  probe.exheader = bin.pack("CA",
+  probe.exheader = string.pack(">BBBB I2 BB",
     packet.IPPROTO_ICMPV6,  -- next header
-    "\x00" ..                 -- length not including first 8 octets
-    "\x05" ..                 -- type is router alert
-    "\x02" ..                 -- length 2 bytes
-    "\x00\x00" ..              -- router alert MLD
-    "\x01" ..                 -- padding type PadN
-    "\x00"                    -- padding length 0
+    0x00, -- length not including first 8 octets
+    0x05, -- type is router alert
+    0x02, -- length 2 bytes
+    0x00, -- router alert MLD
+    0x01, -- padding type PadN
+    0x00  -- padding length 0
   )
   probe.ip6_nhdr = packet.IPPROTO_HOPOPTS
   probe:build_ipv6_packet()
diff --git a/nselib/rsync.lua b/nselib/rsync.lua
index 6bd84fda3..cc6fa19b0 100644
--- a/nselib/rsync.lua
+++ b/nselib/rsync.lua
@@ -4,10 +4,10 @@
 -- @author Patrik Karlsson <patrik@cqure.net>
 
 local base64 = require "base64"
-local bin = require "bin"
 local match = require "match"
 local nmap = require "nmap"
 local stdnse = require "stdnse"
+local string = require "string"
 local table = require "table"
 local openssl = stdnse.silent_require "openssl"
 _ENV = stdnse.module("rsync", stdnse.seeall)
@@ -157,7 +157,7 @@ Helper = {
       return false, data
     end
 
-    local pos, len = bin.unpack("<S", data)
+    local len = string.unpack("<I2", data)
     status, data = self.socket:receive_buf(match.numbytes(len), false)
     if ( not(status) ) then
       return false, data
diff --git a/nselib/wsdd.lua b/nselib/wsdd.lua
index 0aa388321..4ad537d22 100644
--- a/nselib/wsdd.lua
+++ b/nselib/wsdd.lua
@@ -32,7 +32,6 @@
 -- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
 --
 
-local bin = require "bin"
 local nmap = require "nmap"
 local stdnse = require "stdnse"
 local table = require "table"
@@ -96,7 +95,7 @@ Util = {
   --
   -- @return uuid string containing a uuid
   generateUUID = function()
-    local rnd_bytes = select(2, bin.unpack( "H16", openssl.rand_bytes( 16 ) ) ):lower()
+    local rnd_bytes = stdnse.tohex(openssl.rand_bytes(16)):lower()
 
     return ("%s-%s-%s-%s-%s"):format( rnd_bytes:sub(1, 8),
     rnd_bytes:sub(9, 12), rnd_bytes:sub( 13, 16 ), rnd_bytes:sub( 17, 20 ),
diff --git a/scripts/broadcast-eigrp-discovery.nse b/scripts/broadcast-eigrp-discovery.nse
index ca9afa4f1..5b47ab441 100644
--- a/scripts/broadcast-eigrp-discovery.nse
+++ b/scripts/broadcast-eigrp-discovery.nse
@@ -2,7 +2,6 @@ local eigrp = require "eigrp"
 local nmap = require "nmap"
 local stdnse = require "stdnse"
 local table = require "table"
-local bin = require "bin"
 local packet = require "packet"
 local ipOps = require "ipOps"
 local target = require "target"
@@ -104,7 +103,7 @@ local eigrpSend = function(interface, eigrp_raw)
   local sock = nmap.new_dnet()
   sock:ethernet_open(interface.device)
   -- Ethernet IPv4 multicast, our ethernet address and packet type IP
-  local eth_hdr = bin.pack("HAH", "01 00 5e 00 00 0a", interface.mac, "08 00")
+  local eth_hdr = stdnse.fromhex("01 00 5e 00 00 0a") .. interface.mac .. stdnse.fromhex("08 00")
   sock:ethernet_send(eth_hdr .. eigrp_packet.buf)
   sock:ethernet_close()
 end
diff --git a/scripts/broadcast-listener.nse b/scripts/broadcast-listener.nse
index 7c4076d6b..8dc86b275 100644
--- a/scripts/broadcast-listener.nse
+++ b/scripts/broadcast-listener.nse
@@ -172,6 +172,7 @@ sniffInterface = function(iface, Decoders, decodertab)
           -- attempts to match the "raw" packet against a filter
           -- supplied in each ethernet packet decoder
           if ( hex:match(match) ) then
+            stdnse.debug1("Packet matched '%s'", match)
             if ( not(decodertab.ether[match]) ) then
               decodertab.ether[match] = Decoders.ether[match]:new()
             end
diff --git a/scripts/deluge-rpc-brute.nse b/scripts/deluge-rpc-brute.nse
index 4026754ee..45a5f08ad 100644
--- a/scripts/deluge-rpc-brute.nse
+++ b/scripts/deluge-rpc-brute.nse
@@ -1,5 +1,4 @@
 local brute = require "brute"
-local bin = require "bin"
 local creds = require "creds"
 local nmap = require "nmap"
 local shortport = require "shortport"
@@ -61,19 +60,24 @@ local rencoded_login_request = function(username, password)
 
   -- Encode the login request:
   -- ((0, 'daemon.login', ('username', 'password'), {}),)
-  local request = bin.pack("CCCCACCACAC",
+  local request = string.pack("BBBB",
     LIST_FIXED_START + 1,
     LIST_FIXED_START + 4,
     INT_POS_FIXED_START,
-    STR_FIXED_START + string.len("daemon.login"),
-    "daemon.login",
+    STR_FIXED_START + string.len("daemon.login")
+    )
+  .. "daemon.login"
+  .. string.pack("BB",
     LIST_FIXED_START + 2,
-    STR_FIXED_START + string.len(username),
-    username,
-    STR_FIXED_START + string.len(password),
-    password,
-    DICT_FIXED_START
-  )
+    STR_FIXED_START + string.len(username)
+    )
+  ..  username
+  .. string.pack("B",
+    STR_FIXED_START + string.len(password)
+    )
+  ..  password
+  .. string.pack("B", DICT_FIXED_START)
+
   return request
 end
 
diff --git a/scripts/eppc-enum-processes.nse b/scripts/eppc-enum-processes.nse
index d2404c8dd..548d592e4 100644
--- a/scripts/eppc-enum-processes.nse
+++ b/scripts/eppc-enum-processes.nse
@@ -2,6 +2,7 @@ local bin       = require('bin')
 local nmap      = require('nmap')
 local shortport = require('shortport')
 local stdnse    = require('stdnse')
+local string    = require('string')
 local tab       = require('tab')
 
 description = [[
@@ -84,7 +85,9 @@ action = function( host, port )
     local packets = {
       "PPCT\0\0\0\1\0\0\0\1",
       -- unfortunately I've found no packet specifications, so this has to do
-      bin.pack("HCpH", "e44c50525401e101", 225 + #app, app, "dfdbe302013ddfdfdfdfd500")
+      stdnse.fromhex("e44c50525401e101")
+      .. string.pack("Bs1", 225 + #app, app)
+      .. stdnse.fromhex("dfdbe302013ddfdfdfdfd500"),
     }
 
     for _, v in ipairs(packets) do
diff --git a/scripts/jdwp-info.nse b/scripts/jdwp-info.nse
index 3d905a2f3..9c4ee002a 100644
--- a/scripts/jdwp-info.nse
+++ b/scripts/jdwp-info.nse
@@ -1,7 +1,7 @@
-local bin = require "bin"
 local io = require "io"
 local jdwp = require "jdwp"
 local stdnse = require "stdnse"
+local string = require "string"
 local nmap = require "nmap"
 local shortport = require "shortport"
 
@@ -85,7 +85,7 @@ action = function(host, port)
     return stdnse.format_output(false, result)
   end
   -- get the result string
-  local _,_,stringID = bin.unpack(">CL",result)
+  local stringID = string.unpack(">x I8",result)
   status,result = jdwp.readString(socket,0,stringID)
   -- parse results
   return stdnse.format_output(status,result)
diff --git a/scripts/jdwp-inject.nse b/scripts/jdwp-inject.nse
index 36ac0ed58..9628a50fa 100644
--- a/scripts/jdwp-inject.nse
+++ b/scripts/jdwp-inject.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local io = require "io"
 local jdwp = require "jdwp"
 local stdnse = require "stdnse"
@@ -80,7 +79,7 @@ action = function(host, port)
     return stdnse.format_output(false, result)
   end
   -- get the result string
-  local _,_,stringID = bin.unpack(">CL",result)
+  local stringID = string.unpack(">x I8",result)
   status,result = jdwp.readString(socket,0,stringID)
   -- parse results
   return stdnse.format_output(status,result)
diff --git a/scripts/maxdb-info.nse b/scripts/maxdb-info.nse
index 555865747..ab6832b7f 100644
--- a/scripts/maxdb-info.nse
+++ b/scripts/maxdb-info.nse
@@ -1,7 +1,7 @@
-local bin = require "bin"
 local nmap = require "nmap"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
+local string = require "string"
 local tab = require "tab"
 local table = require "table"
 
@@ -55,7 +55,7 @@ local function exchPacket(socket, packet)
     stdnse.debug2("Failed to read packet from server")
     return false, "Failed to read packet from server"
   end
-  local pos, len = bin.unpack("<S", data)
+  local len = string.unpack("<I2", data)
 
   -- make sure we've got it all
   if ( len ~= #data ) then
diff --git a/scripts/murmur-version.nse b/scripts/murmur-version.nse
index fccb94581..433ff3d9c 100644
--- a/scripts/murmur-version.nse
+++ b/scripts/murmur-version.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local comm = require "comm"
 local nmap = require "nmap"
 local shortport = require "shortport"
@@ -72,9 +71,8 @@ action = function(host, port)
     end
 
     -- Detected; extract relevant data
-    local _
-    _, r.v_a, r.v_b, r.v_c, _, r.users, r.maxusers, r.bandwidth =
-    bin.unpack(">CCCLIII", result, 2)
+    r.v_a, r.v_b, r.v_c, r.users, r.maxusers, r.bandwidth =
+    string.unpack(">BBB xxxxxxxx I4I4I4", result, 2)
   end
 
   mutex("done")
diff --git a/scripts/mysql-enum.nse b/scripts/mysql-enum.nse
index 7e73b1913..1fad76249 100644
--- a/scripts/mysql-enum.nse
+++ b/scripts/mysql-enum.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local brute = require "brute"
 local creds = require "creds"
 local mysql = require "mysql"
@@ -80,7 +79,7 @@ Driver = {
     stdnse.debug1( "Trying %s ...", pass)
     local auth_string = stdnse.fromhex("0000018d00000000") .. pass .. stdnse.fromhex("00504e5f5155454d4500"); -- old authentication method
     local err
-    status, err = self.socket:send(bin.pack("c",string.len(auth_string)-3) .. auth_string) --send initial auth
+    status, err = self.socket:send(string.pack("b",#auth_string-3) .. auth_string) --send initial auth
     status, response = self.socket:receive_bytes(0)
     if not status then
       return false,brute.Error:new( "Incorrect username" )
diff --git a/scripts/smb-vuln-ms10-054.nse b/scripts/smb-vuln-ms10-054.nse
index dbbfb2686..ebaf09f47 100644
--- a/scripts/smb-vuln-ms10-054.nse
+++ b/scripts/smb-vuln-ms10-054.nse
@@ -1,7 +1,7 @@
-local bin = require "bin"
 local smb = require "smb"
 local vulns = require "vulns"
 local stdnse = require "stdnse"
+local string = require "string"
 
 description = [[
 Tests whether target machines are vulnerable to the ms10-054 SMB remote memory
@@ -66,7 +66,7 @@ local function send_transaction2(smbstate, sub_command, function_parameters)
   end
 
   -- Parameters are 0x20 bytes long.
-  parameters = bin.pack("<SSSSCCSISSSSSCCS",
+  parameters = string.pack("<I2I2I2I2 BB I2 I4 I2I2I2I2I2 BB I2",
   parameter_size,                  -- Total parameter count.
   data_size,                       -- Total data count.
   0x000a,                          -- Max parameter count.
diff --git a/scripts/snmp-win32-software.nse b/scripts/snmp-win32-software.nse
index f7ed99271..bf87ae5ce 100644
--- a/scripts/snmp-win32-software.nse
+++ b/scripts/snmp-win32-software.nse
@@ -1,9 +1,9 @@
 local datetime = require "datetime"
-local bin = require "bin"
 local nmap = require "nmap"
 local shortport = require "shortport"
 local snmp = require "snmp"
 local stdnse = require "stdnse"
+local string = require "string"
 local table = require "table"
 
 description = [[
@@ -83,12 +83,12 @@ local function get_value_from_table( tbl, oid )
 end
 
 local date_xlate = {
-  year = 2,
-  month = 3,
-  day = 4,
-  hour = 5,
-  min = 6,
-  sec = 7
+  year = 1,
+  month = 2,
+  day = 3,
+  hour = 4,
+  min = 5,
+  sec = 6
 }
 
 -- translate date parts to positional indices for datetime.format_timestamp
@@ -119,7 +119,7 @@ local function process_answer( tbl )
     if ( v.oid:match(sw_name) ) then
       local objid = v.oid:gsub(sw_name, sw_date)
       local install_date = get_value_from_table( tbl, objid )
-      local install_date_tab = { bin.unpack( ">SCCCCC", install_date ) }
+      local install_date_tab = { string.unpack( ">I2 BBBBB", install_date ) }
       setmetatable(install_date_tab, date_metatab)
 
       local sw_item = {
diff --git a/scripts/teamspeak2-version.nse b/scripts/teamspeak2-version.nse
index dba5a78b1..0eb4a23a8 100644
--- a/scripts/teamspeak2-version.nse
+++ b/scripts/teamspeak2-version.nse
@@ -1,7 +1,6 @@
 local comm = require "comm"
 local shortport = require "shortport"
 local nmap = require "nmap"
-local bin = require "bin"
 local string = require "string"
 
 description = [[
@@ -56,7 +55,7 @@ action = function(host, port)
   if name == "" then
     port.version.version = "2"
   else
-    local _, v_a, v_b, v_c, v_d = bin.unpack("<SSSS", version)
+    local v_a, v_b, v_c, v_d = string.unpack("<I2 I2 I2 I2", version)
     port.version.version = v_a .. "." .. v_b .. "." .. v_c .. "." .. v_d
     port.version.extrainfo = "name: " .. name .. "; no password"
     if platform == "Win32" then
diff --git a/scripts/telnet-ntlm-info.nse b/scripts/telnet-ntlm-info.nse
index 4b838b2d4..a40a33611 100644
--- a/scripts/telnet-ntlm-info.nse
+++ b/scripts/telnet-ntlm-info.nse
@@ -1,6 +1,5 @@
 local datetime = require "datetime"
 local os = require "os"
-local bin = require "bin"
 local comm = require "comm"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
@@ -63,7 +62,7 @@ local _, ntlm_auth_blob = smbauth.get_security_blob(
 --
 -- Create MS-TNAP Login Packet (Option Command IS)
 -- Ref: http://msdn.microsoft.com/en-us/library/cc247789.aspx
-local tnap_login_packet = bin.pack("<CCCCCCCIIACC",
+local tnap_login_packet = string.pack("<BBBBBBB I4I4",
   0xff, -- IAC
   0xfa, -- Sub-option (250)
   0x25, -- Subcommand: auth option
@@ -72,10 +71,9 @@ local tnap_login_packet = bin.pack("<CCCCCCCIIACC",
   0x00, -- Who: Mask client to server (0)
   0x00, -- Command: NTLM_NEGOTIATE (0)
   #ntlm_auth_blob, -- NTLM_DataSize (4 bytes, little-endian)
-  0x00000002, -- NTLM_BufferType (4 bytes, little-endian)
-  ntlm_auth_blob,
-  0xff, 0xf0 -- Sub-option End
-  )
+  0x00000002) -- NTLM_BufferType (4 bytes, little-endian)
+  .. ntlm_auth_blob .. string.pack("<BB",
+  0xff, 0xf0) -- Sub-option End
 
 portrule = shortport.port_or_service(23, "telnet")