Simplify backorifice crypt function, remove bin.lua packing.

2025-12-06 04:31:29 +00:00 · 2018-09-02 20:51:05 +00:00
parent 5c9959104d
commit 1f00f2fa05
3 changed files with 25 additions and 27 deletions
--- a/2
+++ b/2
@@ -2,7 +2,7 @@

 o Emergency fix to Nmap's birthday announcement so Nmap wishes itself
  a "Happy 21st Birthday" rather than "Happy 21th" in verbose mode
-  (-v) on September 1, 2018. [David Fifield]
+  (-v) on September 1, 2018. [Daniel Miller]

 o [NSE] Completely removed the bit.lua NSE library. All of its functions are
  replaced by native Lua bitwise operations, except for `arshift` (arithmetic
--- a/scripts/backorifice-brute.nse
+++ b/scripts/backorifice-brute.nse
@@ -1,5 +1,4 @@
 local bits = require "bits"
-local bin = require "bin"
 local brute = require "brute"
 local creds = require "creds"
 local nmap = require "nmap"
@@ -67,6 +66,7 @@ portrule = function(host, port)
    not(shortport.port_is_excluded(port.number,port.protocol))
 end

+local MAGICSTRING ="*!*QWTY?"
 local backorifice =
 {
  new = function(self, host, port)
@@ -95,7 +95,7 @@ local backorifice =
  -- @return err string containing error message on failure
  try_password = function(self, password, initial_seed)
    --initialize BackOrifice PING packet:   |MAGICSTRING|size|packetID|TYPE_PING|arg1|arg_separat|arg2|CRC/disregarded|
-    local PING_PACKET = bin.pack("A<IICACAC", "*!*QWTY?",  19,       0,     0x01,  "",       0x00,  "",           0x00)
+    local PING_PACKET = MAGICSTRING .. string.pack("<I4 I4 B zz", 19, 0, 1,  "",  "")
    local seed, status, response, encrypted_ping

    if not(initial_seed) then
@@ -186,26 +186,23 @@ local backorifice =
  -- @return data binary string containing encrypted/decrypted data
  BOcrypt = function(self, data, initial_seed )
    if data==nil then return end
+    local output = {}

-    local output =""
    local seed = initial_seed
-    local data_byte
-    local crypto_byte

    for i = 1, #data  do
-      data_byte = string.byte(data,i)
+      local data_byte = string.byte(data,i)

      --calculate next seed
      seed = self:gen_next_seed(seed)
      --calculate encryption key based on seed
      local key = bits.arshift(seed,16) & 0xff

-      crypto_byte = data_byte ~ key
-      output = bin.pack("AC",output,crypto_byte)
-      --ARGSIZE limitation from BackOrifice server
-      if i == 256 then break end
+      local crypto_byte = data_byte ~ key
+      output[i] = string.char(crypto_byte)
+      if i == 256 then break end --ARGSIZE limitation
    end
-    return output
+    return table.concat(output, "")
  end,

  insert_version_info = function(self,BOversion,BOhostname,initial_seed,password)
--- a/scripts/backorifice-info.nse
+++ b/scripts/backorifice-info.nse
@@ -1,5 +1,4 @@
 local bits = require "bits"
-local bin = require "bin"
 local nmap = require "nmap"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
@@ -181,8 +180,8 @@ end

 --BOcrypt returns encrypted/decrypted data
 local function BOcrypt(data, password, initial_seed )
-  local output =""
  if data==nil then return end
+  local output = {}

  local seed
  if(initial_seed == nil) then
@@ -193,41 +192,43 @@ local function BOcrypt(data, password, initial_seed )
    seed = initial_seed
  end

-  local data_byte
-  local crypto_byte
-
  for i = 1, #data  do
-    data_byte = string.byte(data,i)
+    local data_byte = string.byte(data,i)

    --calculate next seed
    seed = gen_next_seed(seed)
    --calculate encryption key based on seed
    local key = bits.arshift(seed,16) & 0xff

-    crypto_byte = data_byte ~ key
-    output = bin.pack("AC",output,crypto_byte)
+    local crypto_byte = data_byte ~ key
+    output[i] = string.char(crypto_byte)
    if i == 256 then break end --ARGSIZE limitation
  end
-  return output
+  return table.concat(output, "")
 end

 local function BOpack(type_packet, str1, str2)
  -- create BO packet
-  local data = ""
  local size = #MAGICSTRING + 4*2 + 3 + #str1 + #str2
-  data = bin.pack("A<IICACAC",MAGICSTRING,size,g_packet,type_packet,str1,0x00,str2,0x00)
+  local data = MAGICSTRING .. string.pack("<I4 I4 B zz", size, g_packet, type_packet, str1, str2)
  g_packet = g_packet + 1
  return data
 end

 local function BOunpack(packet)
-  local pos, magic = bin.unpack("A8",packet)
+  local header_format = ("<c%d I4 I4 B"):format(#MAGICSTRING)
+  if #packet < string.packsize(header_format) then
+    return nil, TYPE.ERROR
+  end
+  local magic, packetsize, packetid, type_packet, pos = string.unpack(header_format, packet)

  if magic ~= MAGICSTRING then return nil,TYPE.ERROR end  --received non-BO packet
+  if packetsize ~= #packet then
+    -- No idea how often this happens or if it should be a fatal error
+    stdnse.debug1("Wrong packet size: expected %d, got %d bytes", packetsize, #packet)
+  end

-  local packetsize, packetid, type_packet, data
-  pos, packetsize, packetid, type_packet = bin.unpack("<IIC",packet,pos)
-  pos, data = bin.unpack("A"..(packetsize-pos-1),packet,pos)
+  local data = packet:sub(pos)

  return data, type_packet
 end