From 1f00f2fa05b04f6e8941b3249722623fb6b033b5 Mon Sep 17 00:00:00 2001
From: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Sun, 2 Sep 2018 20:51:05 +0000
Subject: [PATCH] Simplify backorifice crypt function, remove bin.lua packing.

---
 CHANGELOG                     |  2 +-
 scripts/backorifice-brute.nse | 19 ++++++++-----------
 scripts/backorifice-info.nse  | 31 ++++++++++++++++---------------
 3 files changed, 25 insertions(+), 27 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 11f72fcf0..3ecf03256 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,7 +2,7 @@
 
 o Emergency fix to Nmap's birthday announcement so Nmap wishes itself
   a "Happy 21st Birthday" rather than "Happy 21th" in verbose mode
-  (-v) on September 1, 2018. [David Fifield]
+  (-v) on September 1, 2018. [Daniel Miller]
 
 o [NSE] Completely removed the bit.lua NSE library. All of its functions are
   replaced by native Lua bitwise operations, except for `arshift` (arithmetic
diff --git a/scripts/backorifice-brute.nse b/scripts/backorifice-brute.nse
index 897c7f949..8b27174d2 100644
--- a/scripts/backorifice-brute.nse
+++ b/scripts/backorifice-brute.nse
@@ -1,5 +1,4 @@
 local bits = require "bits"
-local bin = require "bin"
 local brute = require "brute"
 local creds = require "creds"
 local nmap = require "nmap"
@@ -67,6 +66,7 @@ portrule = function(host, port)
     not(shortport.port_is_excluded(port.number,port.protocol))
 end
 
+local MAGICSTRING ="*!*QWTY?"
 local backorifice =
 {
   new = function(self, host, port)
@@ -95,7 +95,7 @@ local backorifice =
   -- @return err string containing error message on failure
   try_password = function(self, password, initial_seed)
     --initialize BackOrifice PING packet:   |MAGICSTRING|size|packetID|TYPE_PING|arg1|arg_separat|arg2|CRC/disregarded|
-    local PING_PACKET = bin.pack("A<IICACAC", "*!*QWTY?",  19,       0,     0x01,  "",       0x00,  "",           0x00)
+    local PING_PACKET = MAGICSTRING .. string.pack("<I4 I4 B zz", 19, 0, 1,  "",  "")
     local seed, status, response, encrypted_ping
 
     if not(initial_seed) then
@@ -186,26 +186,23 @@ local backorifice =
   -- @return data binary string containing encrypted/decrypted data
   BOcrypt = function(self, data, initial_seed )
     if data==nil then return end
+    local output = {}
 
-    local output =""
     local seed = initial_seed
-    local data_byte
-    local crypto_byte
 
     for i = 1, #data  do
-      data_byte = string.byte(data,i)
+      local data_byte = string.byte(data,i)
 
       --calculate next seed
       seed = self:gen_next_seed(seed)
       --calculate encryption key based on seed
       local key = bits.arshift(seed,16) & 0xff
 
-      crypto_byte = data_byte ~ key
-      output = bin.pack("AC",output,crypto_byte)
-      --ARGSIZE limitation from BackOrifice server
-      if i == 256 then break end
+      local crypto_byte = data_byte ~ key
+      output[i] = string.char(crypto_byte)
+      if i == 256 then break end --ARGSIZE limitation
     end
-    return output
+    return table.concat(output, "")
   end,
 
   insert_version_info = function(self,BOversion,BOhostname,initial_seed,password)
diff --git a/scripts/backorifice-info.nse b/scripts/backorifice-info.nse
index 716a77cc3..8bd08abd4 100644
--- a/scripts/backorifice-info.nse
+++ b/scripts/backorifice-info.nse
@@ -1,5 +1,4 @@
 local bits = require "bits"
-local bin = require "bin"
 local nmap = require "nmap"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
@@ -181,8 +180,8 @@ end
 
 --BOcrypt returns encrypted/decrypted data
 local function BOcrypt(data, password, initial_seed )
-  local output =""
   if data==nil then return end
+  local output = {}
 
   local seed
   if(initial_seed == nil) then
@@ -193,41 +192,43 @@ local function BOcrypt(data, password, initial_seed )
     seed = initial_seed
   end
 
-  local data_byte
-  local crypto_byte
-
   for i = 1, #data  do
-    data_byte = string.byte(data,i)
+    local data_byte = string.byte(data,i)
 
     --calculate next seed
     seed = gen_next_seed(seed)
     --calculate encryption key based on seed
     local key = bits.arshift(seed,16) & 0xff
 
-    crypto_byte = data_byte ~ key
-    output = bin.pack("AC",output,crypto_byte)
+    local crypto_byte = data_byte ~ key
+    output[i] = string.char(crypto_byte)
     if i == 256 then break end --ARGSIZE limitation
   end
-  return output
+  return table.concat(output, "")
 end
 
 local function BOpack(type_packet, str1, str2)
   -- create BO packet
-  local data = ""
   local size = #MAGICSTRING + 4*2 + 3 + #str1 + #str2
-  data = bin.pack("A<IICACAC",MAGICSTRING,size,g_packet,type_packet,str1,0x00,str2,0x00)
+  local data = MAGICSTRING .. string.pack("<I4 I4 B zz", size, g_packet, type_packet, str1, str2)
   g_packet = g_packet + 1
   return data
 end
 
 local function BOunpack(packet)
-  local pos, magic = bin.unpack("A8",packet)
+  local header_format = ("<c%d I4 I4 B"):format(#MAGICSTRING)
+  if #packet < string.packsize(header_format) then
+    return nil, TYPE.ERROR
+  end
+  local magic, packetsize, packetid, type_packet, pos = string.unpack(header_format, packet)
 
   if magic ~= MAGICSTRING then return nil,TYPE.ERROR end  --received non-BO packet
+  if packetsize ~= #packet then
+    -- No idea how often this happens or if it should be a fatal error
+    stdnse.debug1("Wrong packet size: expected %d, got %d bytes", packetsize, #packet)
+  end
 
-  local packetsize, packetid, type_packet, data
-  pos, packetsize, packetid, type_packet = bin.unpack("<IIC",packet,pos)
-  pos, data = bin.unpack("A"..(packetsize-pos-1),packet,pos)
+  local data = packet:sub(pos)
 
   return data, type_packet
 end