From 201ee75059eee09b2f2d0c223088e8966e3eb657 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Thu, 6 Sep 2018 14:20:33 +0000
Subject: [PATCH] Update unpacking of share names to use string.unpack
---
 scripts/smb-print-text.nse | 16 +++++++---------
 scripts/smb-vuln-ms10-061.nse | 14 ++++++--------
 2 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/scripts/smb-print-text.nse b/scripts/smb-print-text.nse
index d0b662012..3e6b5f92b 100644
--- a/scripts/smb-print-text.nse
+++ b/scripts/smb-print-text.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local io = require "io"
 local msrpc = require "msrpc"
 local smb = require "smb"
@@ -77,7 +76,7 @@ action = function(host,port)
 local lanman_result
 local REMSmb_NetShareEnum_P = "WrLeh"
 local REMSmb_share_info_1 = "B13BWz"
- status, lanman_result = msrpc.call_lanmanapi(smbstate,0,REMSmb_NetShareEnum_P,REMSmb_share_info_1,bin.pack("s",data,pos+14)
- pos, name = bin.unpack("c14 I2", data, pos)
- -- pos needs to be rounded to the next even multiple of 20
- pos = pos + ( 20 - (#name % 20) ) - 1
 if share_type == 1 then -- share is printer
+ name = string.unpack("z", name)
 stdnse.debug1("Found printer share %s.", name)
 printer = name
+ break
 end
+ pos = pos + 20
 end
 end
 if not printer then
diff --git a/scripts/smb-vuln-ms10-061.nse b/scripts/smb-vuln-ms10-061.nse
index 9bb5e84bf..a910ed982 100644
--- a/scripts/smb-vuln-ms10-061.nse
+++ b/scripts/smb-vuln-ms10-061.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local msrpc = require "msrpc"
 local smb = require "smb"
 local string = require "string"
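Review bot: `name = string.unpack("z", name)` raises `unfinished string for format 'z'` when `name` holds no NUL byte, so a share entry whose fixed-width name field (the removed line read it as `c14`; the new-side read is not visible in this hunk) is not NUL-terminated aborts the whole script instead of being skipped. Because `data` is the remote server's NetShareEnum response, that input is not under the script's control, and padding the field before unpacking avoids the error: `name = string.unpack("z", name .. "\0")`. The hunk in scripts/smb-vuln-ms10-061.nse at `@@ -120,19 +119,18 @@` adds the same line and needs the same change. The enclosing `action` function starts before this hunk, and the lines between the `call_lanmanapi` call and the share loop are garbled in this rendering, so the new-side read of `name` and the `pos = pos + 20` stride cannot be checked here.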
@@ -120,19 +119,18 @@ aka "Print Spooler Service Impersonation Vulnerability."
 local parameters = lanman_result.parameters
 local data = lanman_result.data
- local pos, status, convert, entry_count, available_entries = bin.unpack("s",data,pos+14)
- pos, name = bin.unpack("c14 I2", data, pos)
- -- pos needs to be rounded to the next even multiple of 20
- pos = pos + ( 20 - (#name % 20) ) - 1
 if share_type == 1 then -- share is printer
+ name = string.unpack("z", name)
 stdnse.debug1("Found printer share %s.", name)
 printer = name
+ break
 end
+ pos = pos + 20
 end
 end
 if not printer then