Replace some string.char and bin.pack calls with literals

nselib/afp.lua

@@ -911,9 +911,7 @@ Proto = {
       local username = username or ""
       local password = password or ""
 
-      if ( bit.mod(username:len(), 2) == 0 ) then
+      username = username .. string.rep('\0', (#username + 1) % 2)
-        username = username .. string.char(0)
-      end
 
       p = openssl.bignum_hex2bn("BA2873DFB06057D43F2024744CEEE75B")
       g = openssl.bignum_dec2bn("7")

nselib/data/psexec/default.lua

@@ -2,6 +2,7 @@
 -- programs to gather information about the remote system. It's intended to be
 -- simple, demonstrate some of the concepts, and not break/alte anything.
 
+local table = require "table"
 
 -- Any variable in the 'config' table in smb-psexec.nse can be overriden in the
 -- 'overrides' table. Most of them are not really recommended, such as the host,
@@ -137,7 +138,7 @@ mod.upload           = false
 mod.name             = "Drive list (for more info, try adding --script-args=config=drives,drive=C:)"
 mod.program          = "fsutil"
 mod.args             = "fsinfo drives"
-mod.replace          = {{string.char(0), " "}}
+mod.replace          = {{"\0", " "}}
 mod.maxtime          = 1
 table.insert(modules, mod)
 

nselib/dhcp.lua

@@ -429,9 +429,9 @@ function dhcp_build(request_type, ip_address, mac_address, options, request_opti
   packet = packet .. bin.pack("<I", overrides['yiaddr'] or 0)                                  -- yiaddr
   packet = packet .. bin.pack("<I", overrides['siaddr'] or 0)                                  -- siaddr
   packet = packet .. bin.pack("<I", overrides['giaddr'] or 0)                                  -- giaddr
-  packet = packet .. mac_address .. string.rep(string.char(0), 16 - #mac_address)              -- chaddr (MAC address)
+  packet = packet .. mac_address .. string.rep('\0', 16 - #mac_address)                        -- chaddr (MAC address)
-  packet = packet .. (overrides['sname'] or string.rep(string.char(0), 64))                    -- sname
+  packet = packet .. (overrides['sname'] or string.rep('\0', 64))                              -- sname
-  packet = packet .. (overrides['file'] or string.rep(string.char(0), 128))                    -- file
+  packet = packet .. (overrides['file'] or string.rep('\0', 128))                              -- file
   packet = packet .. bin.pack(">I", overrides['cookie'] or 0x63825363)                         -- Magic cookie
 
   -- Options

nselib/drda.lua

@@ -600,7 +600,7 @@ Helper = {
     local drda_excsat = Command.EXCSAT( "", "", "", mgrlvlls, "" )
     local drda_accsec = Command.ACCSEC( secmec, database )
     local drda_secchk = Command.SECCHK( secmec, database, username, password )
-    local drda_accrdb = Command.ACCRDB( database, string.char(0x24,0x07), "DNC10060", nil, "QTDSQLASC",  crrtkn, tdovr)
+    local drda_accrdb = Command.ACCRDB( database, "\x24\x07", "DNC10060", nil, "QTDSQLASC",  crrtkn, tdovr)
 
     local status, packet = self.comm:exchDRDAPacket( DRDAPacket:new( { drda_excsat, drda_accsec } ) )
     if( not(status) ) then return false, packet end

nselib/giop.lua

@@ -57,7 +57,6 @@ local bin = require "bin"
 local match = require "match"
 local nmap = require "nmap"
 local stdnse = require "stdnse"
-local string = require "string"
 local table = require "table"
 _ENV = stdnse.module("giop", stdnse.seeall)
 
@@ -555,8 +554,8 @@ Helper = {
     local packet = Packet.GIOP.get:new( 5, 0x494e4954, bin.pack(">IA", #Constants.NAMESERVICE, Constants.NAMESERVICE) )
     local status, ctx, lhost, pos, len, bo, tmp
 
-    packet:addServiceContext( 17, string.char(0x00, 0x02), 0)
+    packet:addServiceContext( 17, "\0\x02", 0)
-    packet:addServiceContext( Constants.ServiceContext.NEO_FIRST_SERVICE_CONTEXT, string.char(0x00, 0x14), 0)
+    packet:addServiceContext( Constants.ServiceContext.NEO_FIRST_SERVICE_CONTEXT, "\0\x14", 0)
     packet:addServiceContext( Constants.ServiceContext.SENDING_CONTEXT_RUNTIME, tostring(SendingContextRuntime:new( self.lhost )), 0 )
 
     status, packet = self.comm:exchGIOPPacket( packet )
@@ -575,7 +574,7 @@ Helper = {
 
     packet:addServiceContext( 17, "\0\2", 0x000d)
     packet:addServiceContext( Constants.ServiceContext.CODESETS, "\0\0\0\0\0\1\0\1\0\1\1\9" )
-    packet:addServiceContext( Constants.ServiceContext.NEO_FIRST_SERVICE_CONTEXT, string.char(0x00, 0x14), 0x5d69)
+    packet:addServiceContext( Constants.ServiceContext.NEO_FIRST_SERVICE_CONTEXT, "\0\x14", 0x5d69)
     packet:addServiceContext( Constants.ServiceContext.SENDING_CONTEXT_RUNTIME, tostring(SendingContextRuntime:new( self.lhost )), 0 )
 
     status, packet = self.comm:exchGIOPPacket( packet )
@@ -584,7 +583,7 @@ Helper = {
     packet = Packet.GIOP.list:new( Constants.ServiceContext.SENDING_CONTEXT_RUNTIME, Constants.SyncScope.WITH_TARGET, keyaddr, 1000 )
     packet:addServiceContext( 17, "\0\2", 0x000d)
     packet:addServiceContext( Constants.ServiceContext.CODESETS, "\0\0\0\0\0\1\0\1\0\1\1\9" )
-    packet:addServiceContext( Constants.ServiceContext.NEO_FIRST_SERVICE_CONTEXT, string.char(0x00, 0x14), 0x9c9b)
+    packet:addServiceContext( Constants.ServiceContext.NEO_FIRST_SERVICE_CONTEXT, "\0\x14", 0x9c9b)
 
     status, packet = self.comm:exchGIOPPacket( packet )
     if( not(status) ) then return status, packet end

nselib/json.lua

@@ -205,14 +205,14 @@ local ESCAPE_TABLE = {}
 local REVERSE_ESCAPE_TABLE = {}
 do
   local escapes = {
-    [string.char(0x22)] = "\"",
+    ["\x22"] = "\"",
-    [string.char(0x5C)] = "\\",
+    ["\x5C"] = "\\",
-    [string.char(0x2F)] = "/",
+    ["\x2F"] = "/",
-    [string.char(0x08)] = "b",
+    ["\x08"] = "b",
-    [string.char(0x0C)] = "f",
+    ["\x0C"] = "f",
-    [string.char(0x0A)] = "n",
+    ["\x0A"] = "n",
-    [string.char(0x0D)] = "r",
+    ["\x0D"] = "r",
-    [string.char(0x09)] = "t",
+    ["\x09"] = "t",
   }
   for k, v in pairs(escapes) do
     ESCAPE_TABLE[k] = "\\" .. v

nselib/mongodb.lua

@@ -151,7 +151,7 @@ end
 --@return the remaining data (*without* null-char)
 local function get_c_string(data,length)
   if not length then
-    local index = data:find(string.char(0))
+    local index = data:find('\0')
     if index == nil then
       error({code="C-string did not contain NULL char"})
     end

nselib/msrpc.lua

@@ -5018,7 +5018,7 @@ function DNSSERVER_Query(smbstate, server_name, zone, operation)
   if(zone == nil) then
     req_blob = bin.pack("<I", 0x00000000)
   else
-    zone_ascii = zone .. string.char(0x00)
+    zone_ascii = zone .. '\0'
     req_blob = req_blob .. bin.pack("<IIIIAA",
       unique_ptr + 1,
       #zone_ascii,
@@ -5028,7 +5028,7 @@ function DNSSERVER_Query(smbstate, server_name, zone, operation)
       get_pad(zone_ascii, 4))
   end
   --[in, unique, string] LPCSTR pszOperation,
-  operation_ascii = operation .. string.char(0x00)
+  operation_ascii = operation .. '\0'
   req_blob = req_blob .. bin.pack("<IIIIAA",
     unique_ptr+2,
     #operation_ascii,

nselib/mssql.lua

@@ -3080,9 +3080,7 @@ Auth = {
       return
     end
 
-    if(#password < 14) then
+    password = password .. string.rep('\0', 14 - #password)
-      password = password .. string.rep(string.char(0), 14 - #password)
-    end
 
     password = password:upper()
 
@@ -3096,9 +3094,7 @@ Auth = {
 
     local result = openssl.encrypt("DES", key1, nil, nonce) .. openssl.encrypt("DES", key2, nil, nonce)
 
-    if(#result < 21) then
+    result = result .. string.rep('\0', 21 - #result)
-      result = result .. string.rep(string.char(0), 21 - #result)
-    end
 
     str1 = string.sub(result, 1, 7)
     str2 = string.sub(result, 8, 14)
@@ -3135,7 +3131,7 @@ Util =
   -- @return string containing a two byte representation of str where a zero
   --         byte character has been tagged on to each character.
   ToWideChar = function( str )
-    return str:gsub("(.)", "%1" .. string.char(0x00) )
+    return str:gsub("(.)", "%1\0" )
   end,
 
 

nselib/mysql.lua

@@ -351,7 +351,7 @@ function decodeQueryResponse( socket )
   rs.header = data:sub( 1, HEADER_SIZE + header.len )
 
   -- abort on MySQL error
-  if rs.header:sub(HEADER_SIZE + 1, HEADER_SIZE + 1) == string.char(0xFF) then
+  if rs.header:sub(HEADER_SIZE + 1, HEADER_SIZE + 1) == "\xFF" then
     -- is this a 4.0 or 4.1 error message
     if rs.header:find("#") then
       return false, rs.header:sub(HEADER_SIZE+10)

nselib/ncp.lua

@@ -1087,7 +1087,7 @@ Util =
   -- @return string containing a two byte representation of str where a zero
   --         byte character has been tagged on to each character.
   ToWideChar = function( str )
-    return str:gsub("(.)", "%1" .. string.char(0x00) )
+    return str:gsub("(.)", "%1\0" )
   end,
 
 

nselib/packet.lua

@@ -168,8 +168,8 @@ ND_OPT_MTU = 5
 ND_OPT_RTR_ADV_INTERVAL = 7
 ND_OPT_HOME_AGENT_INFO = 8
 
-ETHER_TYPE_IPV4 = string.char(0x08, 0x00)
+ETHER_TYPE_IPV4 = "\x08\x00"
-ETHER_TYPE_IPV6 = string.char(0x86, 0xdd)
+ETHER_TYPE_IPV6 = "\x86\xdd"
 
 ----------------------------------------------------------------------------------------------------------------
 -- Frame is a class
@@ -329,7 +329,7 @@ end
 --- Count IPv6 checksum.
 -- @return the checksum.
 function Packet:count_ipv6_pseudoheader_cksum()
-  local pseudoheader = self.ip_bin_src .. self.ip_bin_dst .. numtostr16(#self.l4_packet) .. string.char(0x0,0x0,0x0) .. string.char(self.ip6_nhdr)
+  local pseudoheader = self.ip_bin_src .. self.ip_bin_dst .. numtostr16(#self.l4_packet) .. "\0\0\0" .. string.char(self.ip6_nhdr)
   local ck_content = pseudoheader .. self.l4_packet
   return in_cksum(ck_content)
 end
@@ -353,7 +353,7 @@ function Packet:build_icmpv6_header(icmpv6_type, icmpv6_code, icmpv6_payload, ip
 
   self.l4_packet =
     string.char(self.icmpv6_type,self.icmpv6_code) ..
-    string.char(0x00,0x00) .. --checksum
+    "\0\0" .. --checksum
     (self.icmpv6_payload or "")
   local check_sum = self:count_ipv6_pseudoheader_cksum()
   self:set_icmp6_cksum(check_sum)
@@ -446,7 +446,7 @@ function Packet:build_icmp_header(icmp_type, icmp_code, icmp_payload, ip_bin_src
 
   self.l3_packet =
   string.char(self.icmp_type,self.icmp_code) ..
-  string.char(0x00,0x00) .. --checksum
+  "\0\0" .. --checksum
   (self.icmp_payload or "")
   self.l3_packet = set_u16(self.l3_packet, 2, in_cksum(self.l3_packet))
 end
@@ -501,7 +501,7 @@ function mac_to_lladdr(mac)
   if not mac then
     return nil, "MAC was not specified."
   end
-  local interfier = string.char(bit.bor(string.byte(mac,1),0x02))..string.sub(mac,2,3)..string.char(0xff,0xfe)..string.sub(mac,4,6)
+  local interfier = string.char(bit.bor(string.byte(mac,1),0x02))..string.sub(mac,2,3).."\xff\xfe"..string.sub(mac,4,6)
   local ll_prefix = ipOps.ip_to_str("fe80::")
   return string.sub(ll_prefix,1,8)..interfier
 end
@@ -935,7 +935,7 @@ function Packet:tcp_count_checksum()
   local length = self.buf:len() - self.tcp_offset
   local b = self.ip_bin_src ..
     self.ip_bin_dst ..
-    string.char(0) ..
+    "\0" ..
     string.char(proto) ..
     set_u16("..", 0, length) ..
     self.buf:sub(self.tcp_offset+1)
@@ -1074,7 +1074,7 @@ function Packet:udp_count_checksum()
   local length = self.buf:len() - self.udp_offset
   local b = self.ip_bin_src ..
     self.ip_bin_dst ..
-    string.char(0) ..
+    "\0" ..
     string.char(proto) ..
     set_u16("..", 0, length) ..
     self.buf:sub(self.udp_offset+1)

nselib/rdp.lua

@@ -75,7 +75,7 @@ Packet = {
       )
 
       if ( self.code == 0xF0 ) then
-        data = data .. bin.pack("C", 0x80) -- EOT
+        data = data .. "\x80" -- EOT
       end
 
       return data .. self.data

nselib/smb.lua

@@ -647,7 +647,7 @@ function smb_encode_header(smb, command, overrides)
   overrides = overrides or {}
 
   -- Used for the header
-  local sig = string.char(0xFF) .. "SMB"
+  local sig = "\xFFSMB"
 
   -- Pretty much every flags is deprecated. We set these two because they're required to be on.
   local flags  = bit.bor(0x10, 0x08) -- SMB_FLAGS_CANONICAL_PATHNAMES | SMB_FLAGS_CASELESS_PATHNAMES
@@ -1017,7 +1017,7 @@ function negotiate_protocol(smb, overrides)
 
   -- Get the protocol version
   local protocol_version = string.char(header1, header2, header3, header4)
-  if(protocol_version == (string.char(0xFE) .. "SMB")) then
+  if(protocol_version == ("\xFESMB")) then
     return false, "SMB: Server returned a SMBv2 packet, don't know how to handle"
   end
 

nselib/smbauth.lua

@@ -96,7 +96,7 @@ local NTLMSSP_NEGOTIATE = 0x00000001
 local NTLMSSP_CHALLENGE = 0x00000002
 local NTLMSSP_AUTH      = 0x00000003
 
-local session_key = string.rep(string.char(0x00), 16)
+local session_key = string.rep("\0", 16)
 
 -- Types of accounts (ordered by how useful they are
 local ACCOUNT_TYPES = {
@@ -366,9 +366,7 @@ local function lm_create_hash(password)
   end
 
   -- If password is under 14 characters, pad it to 14
-  if(#password < 14) then
+  password = password .. string.rep('\0', 14 - #password)
-    password = password .. string.rep(string.char(0), 14 - #password)
-  end
 
   -- Take the first and second half of the password (note that if it's longer than 14 characters, it's truncated)
   str1 = string.sub(password, 1, 7)
@@ -421,7 +419,7 @@ function lm_create_response(lanman, challenge)
   local result
 
   -- Pad the hash to 21 characters
-  lanman = lanman .. string.rep(string.char(0), 21 - #lanman)
+  lanman = lanman .. string.rep('\0', 21 - #lanman)
 
   -- Take the first and second half of the password (note that if it's longer than 14 characters, it's truncated)
   str1 = string.sub(lanman, 1,  7)
@@ -501,9 +499,9 @@ function lm_create_mac_key(lm_hash, lm_response, is_extended)
   end
 
   if(is_extended) then
-    return string.sub(lm_hash, 1, 8) .. string.rep(string.char(0), 8)
+    return string.sub(lm_hash, 1, 8) .. string.rep('\0', 8)
   else
-    return string.sub(lm_hash, 1, 8) .. string.rep(string.char(0), 8) .. lm_response
+    return string.sub(lm_hash, 1, 8) .. string.rep('\0', 8) .. lm_response
   end
 end
 
@@ -631,7 +629,7 @@ function get_password_response(ip, username, domain, password, password_hash, ha
 
   -- The anonymous user requires a single 0-byte instead of a LANMAN hash (don't ask me why, but it doesn't work without)
   if(hash_type == 'none') then
-    return string.char(0), '', nil
+    return '\0', '', nil
   end
 
   -- If we got a password, hash it
@@ -763,7 +761,7 @@ function get_security_blob(security_blob, ip, username, domain, password, passwo
     username = unicode.utf8to16(username)
     domain   = (#username > 0 ) and unicode.utf8to16(domain) or ""
     ntlm     = (#username > 0 ) and ntlm or ""
-    lanman   = (#username > 0 ) and lanman or string.char(0)
+    lanman   = (#username > 0 ) and lanman or '\0'
 
     local domain_offset = 0x40
     local username_offset = domain_offset + #domain
@@ -916,7 +914,7 @@ function calculate_signature(mac_key, data)
   if(have_ssl) then
     return string.sub(openssl.md5(mac_key .. data), 1, 8)
   else
-    return string.rep(string.char(0), 8)
+    return string.rep('\0', 8)
   end
 end
 

nselib/ssh2.lua

@@ -8,7 +8,6 @@ local base64 = require "base64"
 local bin = require "bin"
 local nmap = require "nmap"
 local stdnse = require "stdnse"
-local string = require "string"
 local openssl = stdnse.silent_require "openssl"
 _ENV = stdnse.module("ssh2", stdnse.seeall)
 
@@ -61,7 +60,7 @@ transport.pack_mpint = function( bn )
   packed = bn:tobin()
   if bytes % 8 == 0 then
     bytes = bytes + 1
-    packed = string.char(0) .. packed
+    packed = '\0' .. packed
   end
   return bin.pack( ">IA", bytes, packed )
 end

nselib/tls.lua

@@ -1248,7 +1248,7 @@ function client_hello(t)
   table.insert(b, stdnse.generate_random_string(28))
 
   -- Set the session ID.
-  table.insert(b, bin.pack("C", 0))
+  table.insert(b, '\0')
 
   -- Cipher suites.
   ciphers = {}

nselib/tns.lua

@@ -1216,7 +1216,7 @@ Marshaller = {
       else
         -- Otherwise, it's a bit more involved:
         -- First, write the multiple-chunk indicator
-        result = result .. bin.pack( "C", 0xFE )
+        result = result .. "\xFE"
 
         -- Loop through the string, chunk by chunk
         while ( #value > 0 ) do
@@ -1235,7 +1235,7 @@ Marshaller = {
         end
 
         -- put a null byte at the end
-        result = result .. bin.pack( "C", 0 )
+        result = result .. '\0'
       end
     end
 

scripts/citrix-enum-apps.nse

@@ -138,7 +138,7 @@ action = function(host, port)
   -- if it is set to zero (0) we have more response packets to process
   -- if it is set to one (1) we have arrived at the last packet of our journey
   --
-  while packet:sub(31,31) ~= string.char(0x01) do
+  while packet:sub(31,31) ~= "\x01" do
     packet = try( socket:receive() )
     local tmp_table = process_pa_response( packet )
 

scripts/citrix-enum-servers.nse

@@ -126,7 +126,7 @@ action = function(host, port)
   -- if it is set to zero (0) we have more response packets to process
   -- if it is set to one (1) we have arrived at the last packet of our journey
   --
-  while packet:sub(31,31) ~= string.char(0x01) do
+  while packet:sub(31,31) ~= "\x01" do
     packet = try( socket:receive() )
     local tmp_table = process_server_response( packet )
 

scripts/db2-das-info.nse

@@ -183,7 +183,7 @@ function read_db2_packet(socket)
 
   packet.header.raw = buf:sub(1, header_len)
 
-  if packet.header.raw:sub(1, 10) == string.char(0x00, 0x00, 0x00, 0x00, 0x44, 0x42, 0x32, 0x44, 0x41, 0x53) then
+  if packet.header.raw:sub(1, 10) == "\x00\x00\x00\x00\x44\x42\x32\x44\x41\x53" then
 
     stdnse.debug1("Got DB2DAS packet")
 

scripts/dns-random-srcport.nse

@@ -64,8 +64,8 @@ action = function(host, port)
     0x00, 0x00, -- Authority RRs
     0x00, 0x00, -- Additional RRs
     0x08) .. "porttest" ..
-  string.char(    0x08) .. "dns-oarc" ..
+  "\x08" .. "dns-oarc" ..
-  string.char(    0x03) .. "net" ..
+  "\x03" .. "net" ..
   string.char(    0x00, -- Name terminator
     0x00, 0x10, -- Type (TXT)
     0x00, 0x01) -- Class (IN)

scripts/dns-random-txid.nse

@@ -64,8 +64,8 @@ action = function(host, port)
     0x00, 0x00, -- Authority RRs
     0x00, 0x00, -- Additional RRs
     0x08) .. "txidtest" ..
-  string.char(    0x08) .. "dns-oarc" ..
+  "\x08" .. "dns-oarc" ..
-  string.char(    0x03) .. "net" ..
+  "\x03" .. "net" ..
   string.char(    0x00, -- Name terminator
     0x00, 0x10, -- Type (TXT)
     0x00, 0x01) -- Class (IN)

scripts/firewall-bypass.nse

@@ -73,12 +73,12 @@ ftp_helper = {
       bit.band(bit.rshift(targetport, 8), 0xff) ..
       "," .. bit.band(targetport, 0xff) ..
       ")\r\n"
-      ethertype = string.char(0x08, 0x00) -- Ethernet Type: IPv4
+      ethertype = "\x08\0" -- Ethernet Type: IPv4
 
     else
       -- IPv6 payload
       payload = "229 Extended Passive Mode OK (|||" .. targetport .. "|)\r\n"
-      ethertype = string.char(0x86, 0xdd) -- Ethernet Type: IPv6
+      ethertype = "\x86\xdd" -- Ethernet Type: IPv6
     end
 
     helperport = helperport or 21

scripts/ipv6-ra-flood.nse

@@ -106,13 +106,13 @@ local function build_router_advert(mac_src,prefix,prefix_len,valid_time,preferre
   0x00,0x00,0x00,0x00, --reachable time
   0x00,0x00,0x00,0x00) --retrans timer
 
-  local mtu_option_msg = string.char(0x00, 0x00) .. -- reserved
+  local mtu_option_msg = "\0\0" .. -- reserved
   packet.numtostr32(mtu) -- MTU
 
   local prefix_option_msg = string.char(prefix_len, 0xc0) .. --flags: Onlink, Auto
   packet.set_u32("....", 0, valid_time) .. -- valid lifetime
   packet.set_u32("....", 0, preferred_time) .. -- preferred lifetime
-  string.char(0,0,0,0) .. --unknown
+  "\0\0\0\0" .. --unknown
   prefix
 
   local icmpv6_mtu_option = packet.Packet:set_icmpv6_option(packet.ND_OPT_MTU, mtu_option_msg)

scripts/krb5-enum-users.nse

@@ -231,7 +231,7 @@ KRB5 = {
     data = bin.pack(">I", kdc_options) .. data
 
     -- add padding
-    data = bin.pack("C", 0) .. data
+    data = '\0' .. data
 
     -- hmm, wonder what this is
     data = bin.pack("H", "A0070305") .. data

scripts/metasploit-info.nse

@@ -55,31 +55,31 @@ local get_prefix = function(data)
   if string.len(data) <= 31 then
     return bin.pack("C",0xa0 + string.len(data))
   else
-    return bin.pack("C",0xda)  .. bin.pack("s",string.len(data))
+    return "\xda"  .. bin.pack("s",string.len(data))
   end
 
 end
 
 -- returns a msgpacked data for console.read
 local encode_console_read = function(method,token, console_id)
-  return bin.pack("C",0x93) .. get_prefix(method) .. method .. bin.pack("H","da0020") .. token .. get_prefix(console_id) .. console_id
+  return "\x93" .. get_prefix(method) .. method .. "\xda\x00\x20" .. token .. get_prefix(console_id) .. console_id
 end
 
 -- returns a msgpacked data for console.write
 local encode_console_write = function(method, token, console_id, command)
-  return bin.pack("C",0x94) .. get_prefix(method) .. method .. bin.pack("H","da0020") .. token .. get_prefix(console_id) .. console_id .. get_prefix(command) .. command
+  return "\x94" .. get_prefix(method) .. method .. "\xda\x00\x20" .. token .. get_prefix(console_id) .. console_id .. get_prefix(command) .. command
 end
 
 -- returns a msgpacked data for auth.login
 local encode_auth = function(username, password)
   local method = "auth.login"
-  return bin.pack("C",0x93) .. bin.pack("C",0xaa) .. method .. get_prefix(username) .. username .. get_prefix(password) .. password
+  return "\x93\xaa" .. method .. get_prefix(username) .. username .. get_prefix(password) .. password
 end
 
 -- returns a msgpacked data for any method without extra parameters
 local encode_noparam = function(token,method)
   -- token is always the same length
-  return bin.pack("C",0x92) .. get_prefix(method) .. method .. bin.pack("H","da0020") .. token
+  return "\x92" .. get_prefix(method) .. method .. "\xda\x00\x20" .. token
 end
 
 -- does the actual call with specified, pre-packed data

scripts/metasploit-msgrpc-brute.nse

@@ -48,15 +48,15 @@ local encode = function(username, password)
   if string.len(username) <= 31 then -- http://wiki.msgpack.org/display/MSGPACK/Format+specification#Formatspecification-fixraw
     username_prefix = bin.pack("C",0xa0 + string.len(username))
   else -- http://wiki.msgpack.org/display/MSGPACK/Format+specification#Formatspecification-raw16
-    username_prefix = bin.pack("C",0xda)  .. bin.pack("s",string.len(username))
+    username_prefix = "\xda"  .. bin.pack("s",string.len(username))
   end
   if string.len(password) <= 31 then
     password_prefix = bin.pack("C",0xa0 + string.len(password))
   else
-    password_prefix = bin.pack("C",0xda)  .. bin.pack("s",string.len(password))
+    password_prefix = "\xda"  .. bin.pack("s",string.len(password))
   end
 
-  return bin.pack("C",0x93) .. bin.pack("C",0xaa) .. method .. username_prefix .. username .. password_prefix .. password
+  return "\x93\xaa" .. method .. username_prefix .. username .. password_prefix .. password
 end
 
 Driver = {

scripts/metasploit-xmlrpc-brute.nse

@@ -51,7 +51,7 @@ Driver =
   end,
 
   login = function( self, username, password )
-    local xmlreq='<?xml version="1.0" ?><methodCall><methodName>auth.login</methodName><params><param><value><string>'..username..'</string></value></param><param><value><string>'..password.."</string></value></param></params></methodCall>\n"..string.char(0)
+    local xmlreq='<?xml version="1.0" ?><methodCall><methodName>auth.login</methodName><params><param><value><string>'..username..'</string></value></param><param><value><string>'..password.."</string></value></param></params></methodCall>\n\0"
     local status, err = self.socket:send(xmlreq)
 
     if ( not ( status ) ) then
@@ -84,7 +84,7 @@ Driver =
 action = function(host, port)
 
   -- first determine whether we need SSL or not
-  local xmlreq='<?xml version="1.0" ?><methodCall><methodName>core.version</methodName></methodCall>\n'..string.char(0)
+  local xmlreq='<?xml version="1.0" ?><methodCall><methodName>core.version</methodName></methodCall>\n\0'
   local socket, _, opts = comm.tryssl(host, port, xmlreq, { recv_first = false } )
   if ( not(socket) ) then
     return "\n  ERROR: Failed to determine whether SSL was needed or not"

scripts/ntp-monlist.nse

@@ -255,7 +255,7 @@ function getPrivateMode(impl, requestCode)
     0x00, 0x00, 0x00, 0x00
   )
   -- Data 40 Octets: 0
-  .. string.char(0x00):rep(40)
+  .. ("\x00"):rep(40)
   -- The following are optional if the Authenticated bit is set:
   -- Encryption Keyid 4 Octets: 0
   -- Message Authentication Code 16 Octets (MD5): 0

scripts/pcanywhere-brute.nse

@@ -121,14 +121,14 @@ Driver = {
     stdnse.debug1( "Trying %s/%s ...", user, pass )
     -- send username and password
     -- both are prefixed with 0x06, size and are encrypted
-    status, err = self.socket:send(bin.pack("C",0x06) .. bin.pack("C",string.len(user)) .. encrypt(user) ) -- send username
+    status, err = self.socket:send("\x06" .. bin.pack("C",string.len(user)) .. encrypt(user) ) -- send username
     status, response = self.socket:receive_bytes(0)
     if not status or string.find(response,"Enter password") == nil then
       stdnse.debug1("Sending username failed")
       return false, brute.Error:new( "Sending username failed." )
     end
     -- send password
-    status, err = self.socket:send(bin.pack("C",0x06) .. bin.pack("C",string.len(pass)) .. encrypt(pass) ) -- send password
+    status, err = self.socket:send("\x06" .. bin.pack("C",string.len(pass)) .. encrypt(pass) ) -- send password
     status, response = self.socket:receive_bytes(0)
     if not status or string.find(response,"Login unsuccessful") or string.find(response,"Invalid login.")then
       stdnse.debug1("Incorrect username or password")

scripts/smb-brute.nse

@@ -165,8 +165,8 @@ result_strings[results.INVALID_WORKSTATION]  = "Valid credentials, account canno
 
 ---Constants for special passwords. These each contain a null character, which is illegal in
 -- actual passwords.
-local USERNAME          = string.char(0) .. "username"
+local USERNAME          = "\0username"
-local USERNAME_REVERSED = string.char(0) .. "username reversed"
+local USERNAME_REVERSED = "\0username reversed"
 local special_passwords = { USERNAME, USERNAME_REVERSED }
 
 ---Generates a random string of the requested length. This can be used to check how hosts react to

scripts/smb-psexec.nse

@@ -1102,7 +1102,7 @@ local function service_file_is_xor_encoded(filename)
     return nil, "Can't read from service file"
   end
   -- This is the XOR-inverse of "MZ".
-  return bytes == string.char(0xb2, 0xa5)
+  return bytes == "\xb2\xa5"
 end
 
 ---Upload all of the uploadable files to the remote system.

scripts/ssl-ccs-injection.nse

@@ -1,10 +1,8 @@
-local bin = require('bin')
 local match = require('match')
 local nmap = require('nmap')
 local shortport = require('shortport')
 local sslcert = require('sslcert')
 local stdnse = require('stdnse')
-local string = require('string')
 local table = require('table')
 local vulns = require('vulns')
 local have_tls, tls = pcall(require,'tls')
@@ -201,7 +199,7 @@ local function test_ccs_injection(host, port, version)
 
   -- change_cipher_spec message
   local ccs = tls.record_write(
-    "change_cipher_spec", version, bin.pack("C", 0x01))
+    "change_cipher_spec", version, "\x01")
 
   -- Send the first ccs message
   status, err = s:send(ccs)

scripts/sslv2.nse

@@ -108,7 +108,7 @@ local give_n_bytes = function(idx, n, str)
   -- returns the next n bytes of a string
 
   if (idx + (n - 1) > #str) then
-    return (idx + n), string.rep(string.char(0x00), n);
+    return (idx + n), string.rep("\0", n);
   end
 
   return (idx + n), string.sub(str, idx, (idx + (n - 1)) );
@@ -214,11 +214,11 @@ action = function(host, port)
 
   -- some sanity checks:
   -- is response a server hello?
-  if (message_type ~= string.char(0x04)) then
+  if (message_type ~= "\x04") then
     return;
   end
   -- is certificate in X.509 format?
-  if (certificate_type ~= string.char(0x01)) then
+  if (certificate_type ~= "\x01") then
     return;
   end
 
@@ -227,7 +227,7 @@ action = function(host, port)
 
   -- actually run some tests:
   local o = stdnse.output_table()
-  if (ssl_version == string.char(0x00, 0x02)) then
+  if (ssl_version == "\0\x02") then
     table.insert(o, "SSLv2 supported")
     o["ciphers"] = available_ciphers
   end

scripts/targets-ipv6-multicast-slaac.nse

@@ -87,7 +87,7 @@ local function build_router_advert(mac_src,prefix,prefix_len,valid_time,preferre
   local prefix_option_msg = string.char(prefix_len, 0xc0) .. --flags: Onlink, Auto
     packet.set_u32("....",0,valid_time) ..
     packet.set_u32("....",0,preferred_time) ..
-    string.char(0,0,0,0) .. --unknown
+    "\0\0\0\0" .. --unknown
     prefix
   local icmpv6_prefix_option = packet.Packet:set_icmpv6_option(packet.ND_OPT_PREFIX_INFORMATION,prefix_option_msg)
   local icmpv6_src_link_option = packet.Packet:set_icmpv6_option(packet.ND_OPT_SOURCE_LINKADDR,mac_src)

scripts/tftp-enum.nse

@@ -1,4 +1,3 @@
-local bin = require "bin"
 local datafiles = require "datafiles"
 local math = require "math"
 local nmap = require "nmap"
@@ -94,7 +93,7 @@ end
 
 
 local create_tftp_file_request = function(filename)
-  return bin.pack('CC', 0x00, 0x01) .. filename .. bin.pack('C', 0x00) .. 'octet' .. bin.pack('C', 0x00)
+  return "\0\x01" .. filename .. "\0octet\0"
 end
 
 local check_file_present = function(host, port, filename)