diff --git a/nselib/amqp.lua b/nselib/amqp.lua index 0d8c16265..836847cb7 100644 --- a/nselib/amqp.lua +++ b/nselib/amqp.lua @@ -40,9 +40,9 @@ AMQP = { -- version strings the client supports client_version_strings = { - ["0-8"] = string.char(0x01) .. string.char(0x01) .. string.char(0x08) .. string.char(0x00), - ["0-9"] = string.char(0x00) .. string.char(0x00) .. string.char(0x09) .. string.char(0x00), - ["0-9-1"] = string.char(0x00) .. string.char(0x00) .. string.char(0x09) .. string.char(0x01) + ["0-8"] = "\x01\x01\x08\x00", + ["0-9"] = "\x00\x00\x09\x00", + ["0-9-1"] = "\x00\x00\x09\x01" }, new = function(self, host, port) diff --git a/nselib/cassandra.lua b/nselib/cassandra.lua index 3ec12c9ab..fd9ef2f7d 100644 --- a/nselib/cassandra.lua +++ b/nselib/cassandra.lua 
@@ -25,33 +25,28 @@ _ENV = stdnse.module("cassandra", stdnse.seeall) ]]-- -- Protocol magic strings -CASSANDRAREQ = string.char(0x80,0x01,0x00,0x01) -CASSANDRARESP = string.char(0x80,0x01,0x00,0x02) -CASSLOGINMAGIC = string.char(0x00, 0x00,0x00,0x01,0x0c,0x00,0x01,0x0d,0x00,0x01,0x0b,0x0b,0x00,0x00,0x00,0x02) -LOGINSUCC = string.char(0x00,0x00,0x00,0x01,0x00) -LOGINFAIL = string.char(0x00,0x00,0x00,0x01,0x0b) -LOGINACC = string.char(0x00,0x00,0x00,0x01,0x0c) - ---Returns string in format length+string itself ---@param str to format ---@return str : string in format length+string itself -function pack4str (str) - return (bin.pack(">I",string.len(str)) .. str) -end +CASSANDRAREQ = "\x80\x01\x00\x01" +CASSANDRARESP = "\x80\x01\x00\x02" +CASSLOGINMAGIC = "\x00\x00\x00\x01\x0c\x00\x01\x0d\x00\x01\x0b\x0b\x00\x00\x00\x02" +LOGINSUCC = "\x00\x00\x00\x01\x00" +LOGINFAIL = "\x00\x00\x00\x01\x0b" +LOGINACC = "\x00\x00\x00\x01\x0c" --Returns string in cassandra format for login --@param username to put in format --@param password to put in format --@return str : string in cassandra format for login function loginstr (username, password) - local str = CASSANDRAREQ .. pack4str ("login") - str = str .. CASSLOGINMAGIC - str = str .. pack4str("username") - str = str .. pack4str(username) - str = str .. pack4str("password") - str = str .. pack4str(password) - str = str .. string.char (0x00, 0x00) -- add two null on the end - return str + return bin.pack("A>aAaaaaA", + CASSANDRAREQ, + "login", + CASSLOGINMAGIC, + "username", + username, + "password", + password, + "\x00\x00" -- add two null on the end + ) end --Invokes command over socket and returns the response 
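Review bot: Replacing pack4str with bin.pack's `a` conversion in loginstr preserves the wire format only if `a` writes exactly the 4-byte big-endian length the old helper produced; if bin's `a` prefixes the string with a platform-width (size_t) length instead, every login and command frame would grow by four bytes on 64-bit builds and the length-sensitive checks in sendcmd and login would then fail. A quick local check such as `assert(#bin.pack(">a", "login") == 9)` during review would settle it, and the same question applies to the cmdstr, sendcmd and login hunks that follow. Separately, pack4str was a module-level (non-local) function, so deleting it is an API removal; a tree-wide search for `pack4str` before merging would confirm nothing outside this file depended on it.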
@@ -61,10 +56,12 @@ end --@return status : true if ok; false if bad --@return result : value if status ok, error msg if bad function cmdstr (command,cnt) - local str = CASSANDRAREQ .. pack4str (command) - str = str .. bin.pack(">I",cnt) - str = str .. string.char (0x00) -- add null on the end - return str + return bin.pack("A>aIA", + CASSANDRAREQ, + command, + cnt, + "\x00" -- add null on the end + ) end --Invokes command over socket and returns the response @@ -103,7 +100,7 @@ function sendcmd (socket, command, cnt) end -- magic response starts at 5th byte for 4 bytes, 4 byte for length + length of string command - if (string.sub(response,5,8+4+string.len(command)) ~= CASSANDRARESP..pack4str(command)) then + if (string.sub(response,5,8+4+string.len(command)) ~= bin.pack("A>a", CASSANDRARESP, command)) then return false, "protocol response error" end @@ -190,7 +187,7 @@ function login (socket,username,password) local _, size = bin.unpack(">I", response, 1) local loginresp = string.sub(response,5,17) - if (loginresp ~= CASSANDRARESP..pack4str("login")) then + if (loginresp ~= bin.pack("A>a", CASSANDRARESP, "login")) then return false, "protocol error" end diff --git a/nselib/msrpc.lua b/nselib/msrpc.lua index b4a3a2cee..6d061cef5 100644 --- a/nselib/msrpc.lua +++ b/nselib/msrpc.lua 
@@ -64,48 +64,48 @@ _ENV = stdnse.module("msrpc", stdnse.seeall) -- The path, UUID, and version for SAMR SAMR_PATH = "\\samr" -SAMR_UUID = string.char(0x78, 0x57, 0x34, 0x12, 0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xac) +SAMR_UUID = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xac" SAMR_VERSION = 0x01 -- The path, UUID, and version for SRVSVC SRVSVC_PATH = "\\srvsvc" -SRVSVC_UUID = string.char(0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01, 0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88) +SRVSVC_UUID = "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88" SRVSVC_VERSION = 0x03 -- The path, UUID, and version for SPOOLSS SPOOLSS_PATH = "\\spoolss" -SPOOLSS_UUID = string.char(0x78, 0x56, 0x34, 0x12, 0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab) +SPOOLSS_UUID = "\x78\x56\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab" SPOOLSS_VERSION = 0x01 -- The path, UUID, and version for LSA LSA_PATH = "\\lsarpc" -LSA_UUID = string.char(0x78, 0x57, 0x34, 0x12, 0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab) +LSA_UUID = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab" LSA_VERSION = 0 -- The path, UUID, and version for WINREG WINREG_PATH = "\\winreg" -WINREG_UUID = string.char(0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31, 0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03) +WINREG_UUID = "\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03" WINREG_VERSION = 1 -- The path, UUID, and version for SVCCTL SVCCTL_PATH = "\\svcctl" -SVCCTL_UUID = string.char(0x81, 0xbb, 0x7a, 0x36, 0x44, 0x98, 0xf1, 0x35, 0xad, 0x32, 0x98, 0xf0, 0x38, 0x00, 0x10, 0x03) +SVCCTL_UUID = "\x81\xbb\x7a\x36\x44\x98\xf1\x35\xad\x32\x98\xf0\x38\x00\x10\x03" SVCCTL_VERSION = 2 -- The path, UUID, and version for ATSVC ATSVC_PATH = "\\atsvc" -ATSVC_UUID = string.char(0x82, 0x06, 0xf7, 0x1f, 0x51, 0x0a, 0xe8, 0x30, 0x07, 0x6d, 0x74, 0x0b, 0xe8, 0xce, 0xe9, 0x8b) +ATSVC_UUID = 
"\x82\x06\xf7\x1f\x51\x0a\xe8\x30\x07\x6d\x74\x0b\xe8\xce\xe9\x8b" ATSVC_VERSION = 1 -- UUID and version for epmapper e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0 EPMAPPER_PATH = "\\epmapper" -EPMAPPER_UUID = string.char(0x08, 0x83, 0xaf, 0xe1, 0x1f, 0x5d, 0xc9, 0x11, 0x91, 0xa4, 0x08, 0x00, 0x2b, 0x14, 0xa0, 0xfa) +EPMAPPER_UUID = "\x08\x83\xaf\xe1\x1f\x5d\xc9\x11\x91\xa4\x08\x00\x2b\x14\xa0\xfa" EPMAPPER_VERSION = 3 -- This is the only transfer syntax I've seen in the wild, not that I've looked hard. It seems to work well. -TRANSFER_SYNTAX = string.char(0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60) +TRANSFER_SYNTAX = "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60" -- The 'referent_id' value is ignored, as far as I can tell, so this value is passed for it. No, it isn't random. :) REFERENT_ID = 0x50414d4e @@ -4791,7 +4791,7 @@ end --# 1) RRAS RASRPC INTERFACE --####################################################################-- ROUTER_PATH = "\\router" --also can be reached across "\\srvsvc" pipe in WinXP -RASRPC_UUID = string.char(0x36, 0x00, 0x61, 0x20, 0x22, 0xfa, 0xcf, 0x11, 0x98, 0x23, 0x00, 0xa0, 0xc9, 0x11, 0xe5, 0xdf) +RASRPC_UUID = "\x36\x00\x61\x20\x22\xfa\xcf\x11\x98\x23\x00\xa0\xc9\x11\xe5\xdf" RASRPC_VERSION = 1 --####################################################################-- @@ -4934,7 +4934,7 @@ end --# 1) DNS SERVER MANAGEMENT SERVICE INTERFACE --####################################################################-- DNSSERVER_UUID_STR = "50abc2a4-574d-40b3-9d66-ee4fd5fba076" -DNSSERVER_UUID = string.char(0xa4, 0xc2,0xab, 0x50, 0x4d, 0x57, 0xb3, 0x40, 0x9d, 0x66, 0xee, 0x4f, 0xd5, 0xfb, 0xa0, 0x76) +DNSSERVER_UUID = "\xa4\xc2\xab\x50\x4d\x57\xb3\x40\x9d\x66\xee\x4f\xd5\xfb\xa0\x76" DNSSERVER_PATH = "\\DNSSERVER" DNSSERVER_VERSION = 5 diff --git a/nselib/mssql.lua b/nselib/mssql.lua index 2ae45b8e4..46a2b36d4 100644 --- a/nselib/mssql.lua +++ b/nselib/mssql.lua 
@@ -1732,7 +1732,7 @@ LoginPacket = library = "mssql.lua", locale = "", database = "master", --nil, - MAC = string.char(0x00,0x00,0x00,0x00,0x00,0x00), -- should contain client MAC, jTDS uses all zeroes + MAC = "\x00\x00\x00\x00\x00\x00", -- should contain client MAC, jTDS uses all zeroes new = function(self,o) o = o or {} diff --git a/nselib/mysql.lua b/nselib/mysql.lua index c18f83832..2068d617d 100644 --- a/nselib/mysql.lua +++ b/nselib/mysql.lua @@ -156,7 +156,7 @@ local function createLoginHash(pass, salt) local hash_stage1 local hash_stage2 local hash_stage3 - local reply = "" + local reply = {} local pos, b1, b2, b3, _ = 1, 0, 0, 0 if ( not(HAVE_SSL) ) then @@ -171,10 +171,10 @@ local function createLoginHash(pass, salt) _, b1 = bin.unpack( "C", hash_stage1, pos ) _, b2 = bin.unpack( "C", hash_stage3, pos ) - reply = reply .. string.char( bit.bxor( b2, b1 ) ) + reply[pos] = string.char( bit.bxor( b2, b1 ) ) end - return reply + return table.concat(reply) end 
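Review bot: The new `reply[pos] = string.char(...)` in createLoginHash relies on the enclosing loop (its header is outside the hunk) stepping `pos` by one from the initial value of 1 shown above, so that `reply` is a gap-free sequence when `table.concat(reply)` runs; if that loop ever started elsewhere or skipped an index, bytes would silently be dropped from the hash. A one-line comment on the assignment, `-- reply must stay a gap-free 1..n sequence for table.concat`, would pin that invariant for the next edit.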
@@ -218,20 +218,21 @@ function loginRequest( socket, params, username, password, salt ) local extcapabilities = ExtCapabilities.SupportsMultipleStatments extcapabilities = extcapabilities + ExtCapabilities.SupportsMultipleResults - local packet = bin.pack( "S", clicap ) - packet = packet .. bin.pack( "S", extcapabilities ) - packet = packet .. bin.pack( "I", MAXPACKET ) - packet = packet .. bin.pack( "C", Charset.latin1_COLLATE_latin1_swedish_ci ) - packet = packet .. bin.pack( "A", string.char(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0) ) - packet = packet .. bin.pack( "z", username ) - + local hash = "" if ( password ~= nil and password:len() > 0 ) then - local hash = createLoginHash( password, salt ) - packet = packet .. bin.pack( "A", string.char( 0x14 ) .. hash ) - else - packet = packet .. bin.pack( "C", 0 ) + hash = createLoginHash( password, salt ) end + local packet = bin.pack( "SSICAzp", + clicap, + extcapabilities, + MAXPACKET, + Charset.latin1_COLLATE_latin1_swedish_ci, + string.rep("\0", 23), + username, + hash + ) + local tmp = packet:len() + bit.lshift( packetno, 24 ) packet = bin.pack( "I", tmp ) .. packet diff --git a/nselib/netbios.lua b/nselib/netbios.lua index e6e5804e2..01e34de30 100644 --- a/nselib/netbios.lua +++ b/nselib/netbios.lua 
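Review bot: The `p` conversion at the end of `bin.pack( "SSICAzp", ...)` now carries the password-length byte that the old code wrote explicitly, but nothing in the hunk says so, and the equivalence depends on createLoginHash returning exactly 20 bytes (the old hard-coded `0x14` prefix) and on `p` emitting a single `\x00` for the empty `hash`. A short comment next to the format string would keep that contract visible: `-- 'p' writes a length byte: 0x14 before the 20-byte hash, or a lone 0x00 when no password is set`. If createLoginHash could ever return a different length, the old code would have sent a wrong prefix while the new one stays consistent, which is worth noting in the commit message as a behavioural difference.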
@@ -60,24 +60,25 @@ function name_encode(name, scope) name = string.upper(name) -- Do the L1 encoding - local L1_encoded = "" + local L1_encoded = {} for i=1, #name, 1 do local b = string.byte(name, i) - L1_encoded = L1_encoded .. string.char(bit.rshift(bit.band(b, 0xF0), 4) + 0x41) - L1_encoded = L1_encoded .. string.char(bit.rshift(bit.band(b, 0x0F), 0) + 0x41) + L1_encoded[i*2-1] = string.char(bit.rshift(bit.band(b, 0xF0), 4) + 0x41) + L1_encoded[i*2] = string.char(bit.rshift(bit.band(b, 0x0F), 0) + 0x41) end -- Do the L2 encoding - local L2_encoded = string.char(32) .. L1_encoded + local L2_encoded = { string.char(32), table.concat(L1_encoded) } if scope ~= nil then -- Split the scope at its periods local piece for piece in string.gmatch(scope, "[^.]+") do - L2_encoded = L2_encoded .. string.char(#piece) .. piece + L2_encoded[#L2_encoded+1] = string.char(#piece) .. piece end end + L2_encoded = table.concat(L2_encoded) stdnse.debug3("=> '%s'", L2_encoded) return L2_encoded end diff --git a/nselib/smb.lua b/nselib/smb.lua index 5039c2546..3dd112604 100644 --- a/nselib/smb.lua +++ b/nselib/smb.lua @@ -2459,14 +2459,14 @@ function file_upload(host, localfile, share, remotefile, overrides, encoded) local i = 0 local data = handle:read(chunk) + local new_data = {} while(data ~= nil and #data > 0) do if(encoded) then - local new_data = "" for j = 1, #data, 1 do - new_data = new_data .. string.char(bit.bxor(0xFF, string.byte(data, j))) + new_data[j] = string.char(bit.bxor(0xFF, string.byte(data, j))) end - data = new_data + data = table.concat(new_data, "", 1, #data) end status, err = write_file(smbstate, data, i) diff --git a/scripts/broadcast-dhcp-discover.nse b/scripts/broadcast-dhcp-discover.nse index 13ba09508..05369559d 100644 --- a/scripts/broadcast-dhcp-discover.nse +++ b/scripts/broadcast-dhcp-discover.nse 
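Review bot: In file_upload the hoisted `new_data` table is reused across every chunk, and that is only correct because `table.concat(new_data, "", 1, #data)` bounds the join by the current chunk length, so stale entries left over from a longer earlier chunk are ignored; a reader who later drops the explicit bounds would reintroduce corrupted trailing bytes. A comment above the concat, `-- new_data is reused across chunks; the explicit 1..#data bounds skip stale entries from a longer previous chunk`, would guard that. The enclosing while loop and the rest of file_upload continue outside the hunk.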
@@ -67,11 +67,11 @@ end -- -- @return mac_addr string containing a random MAC local function randomizeMAC() - local mac_addr = "" + local mac_addr = {} for j=1, 6 do - mac_addr = mac_addr .. string.char(math.random(1, 255)) + mac_addr[j] = string.char(math.random(1, 255)) end - return mac_addr + return table.concat(mac_addr) end -- Gets a list of available interfaces based on link and up filters @@ -143,7 +143,7 @@ action = function() -- randomizing the MAC could exhaust dhcp servers with small scopes -- if ran multiple times, so we should probably refrain from doing -- this? - local mac = string.char(0xDE,0xAD,0xC0,0xDE,0xCA,0xFE)--randomizeMAC() + local mac = "\xDE\xAD\xC0\xDE\xCA\xFE" --randomizeMAC() local interfaces diff --git a/scripts/db2-das-info.nse b/scripts/db2-das-info.nse index dc164d791..b159b0c26 100644 --- a/scripts/db2-das-info.nse +++ b/scripts/db2-das-info.nse @@ -266,12 +266,12 @@ function create_das_packet( magic, data ) packet.header = {} - packet.header.raw = string.char(0x00, 0x00, 0x00, 0x00, 0x44, 0x42, 0x32, 0x44, 0x41, 0x53, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20) - packet.header.raw = packet.header.raw .. string.char(0x01, 0x04, 0x00, 0x00, 0x00, 0x10, 0x39, 0x7a, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00) - packet.header.raw = packet.header.raw .. string.char(0x00, 0x00, 0x00, 0x00 ) - packet.header.raw = packet.header.raw .. bin.pack("C", magic) - packet.header.raw = packet.header.raw .. bin.pack("S", data_len) - packet.header.raw = packet.header.raw .. string.char(0x00, 0x00) + packet.header.raw = "\x00\x00\x00\x00\x44\x42\x32\x44\x41\x53\x20\x20\x20\x20\x20\x20" + .. "\x01\x04\x00\x00\x00\x10\x39\x7a\x00\x05\x00\x00\x00\x00\x00\x00" + .. "\x00\x00\x00\x00" + .. bin.pack("C", magic) + .. bin.pack("S", data_len) + .. "\x00\x00" packet.header.data_len = data_len packet.data = data 
@@ -304,7 +304,7 @@ action = function(host, port) -- ************************************************************************************ -- Transaction block 1 -- ************************************************************************************ - local data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x00) + local data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x00" --try(socket:send(query)) local db2packet = create_das_packet(0x02, data) @@ -315,10 +315,10 @@ action = function(host, port) -- ************************************************************************************ -- Transaction block 2 -- ************************************************************************************ - data = string.char(0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00) - data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x08, 0x59, 0xe7, 0x1f, 0x4b, 0x79, 0xf0, 0x90, 0x72, 0x85, 0xe0, 0x8f) - data = data .. string.char(0x3e, 0x38, 0x45, 0x38, 0xe3, 0xe5, 0x12, 0xc4, 0x3b, 0xe9, 0x7d, 0xe2, 0xf5, 0xf0, 0x78, 0xcc) - data = data .. string.char(0x81, 0x6f, 0x87, 0x5f, 0x91) + data = "\x00\x00\x00\x2c\x00\x00\x00" + .. "\x0c\x00\x00\x00\x08\x59\xe7\x1f\x4b\x79\xf0\x90\x72\x85\xe0\x8f" + .. "\x3e\x38\x45\x38\xe3\xe5\x12\xc4\x3b\xe9\x7d\xe2\xf5\xf0\x78\xcc" + .. "\x81\x6f\x87\x5f\x91" db2packet = create_das_packet(0x05, data) 
@@ -328,12 +328,12 @@ action = function(host, port) -- ************************************************************************************ -- Transaction block 3 -- ************************************************************************************ - data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x01, 0x00, 0x00, 0x00) - data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00) - data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32) - data = data .. string.char(0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x00, 0x00, 0x00, 0x00) - data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32) - data = data .. string.char(0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53, 0x72, 0x76, 0x00) + data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x01\x00\x00\x00" + .. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00" + .. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32" + .. "\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x00\x00\x00\x00" + .. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32" + .. "\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53\x72\x76\x00" db2packet = create_das_packet(0x0a, data) send_db2_packet( socket, db2packet ) 
@@ -342,34 +342,34 @@ action = function(host, port) -- ************************************************************************************ -- Transaction block 4 -- ************************************************************************************ - data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x01, 0x00, 0x00, 0x00) - data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03) - data = data .. string.char(0x48, 0x00, 0x00, 0x00, 0x00, 0x4a, 0xfb, 0x42, 0x90, 0x00, 0x00, 0x24, 0x93, 0x00, 0x00, 0x00) - data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00) - data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00) - data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32) - data = data .. string.char(0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53, 0x72, 0x76, 0x00, 0x00, 0x00, 0x00) - data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32) - data = data .. string.char(0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x00, 0x00, 0x00, 0x00) - data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00) - data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00) - data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00) - data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x00) + data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x01\x00\x00\x00" + .. "\x20\x00\x00\x00\x0c\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x03" + .. 
"\x48\x00\x00\x00\x00\x4a\xfb\x42\x90\x00\x00\x24\x93\x00\x00\x00" + .. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00" + .. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00" + .. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32" + .. "\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53\x72\x76\x00\x00\x00\x00" + .. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32" + .. "\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x00\x00\x00\x00" + .. "\x0c\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x00\x10\x00\x00\x00" + .. "\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00\x10\x00\x00\x00" + .. "\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00\x11\x00\x00\x00" + .. "\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x00" db2packet = create_das_packet(0x06, data) send_db2_packet( socket, db2packet ) - data = string.char( 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00) - data = data .. string.char(0x00, 0x04, 0xb8, 0x64, 0x62, 0x32, 0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73) - data = data .. string.char(0x63, 0x76, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00) - data = data .. string.char(0x00, 0x04, 0xb8, 0x64, 0x62, 0x32, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53) - data = data .. string.char(0x72, 0x76, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00) - data = data .. string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00) - data = data .. string.char(0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00) - data = data .. string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00) - data = data .. string.char(0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00) - data = data .. 
string.char(0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0c, 0x00) - data = data .. string.char(0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x18) + data = "\x00\x00\x00\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00" + .. "\x00\x04\xb8\x64\x62\x32\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73" + .. "\x63\x76\x00\x00\x00\x00\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00" + .. "\x00\x04\xb8\x64\x62\x32\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53" + .. "\x72\x76\x00\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00" + .. "\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00" + .. "\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00" + .. "\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x0c\x00\x00\x00\x08\x00" + .. "\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00\x00\x00\x01\x00" + .. "\x00\x00\x18\x00\x00\x00\x0c\x00\x00\x00\x08\x00\x00\x00\x0c\x00" + .. "\x00\x00\x0c\x00\x00\x00\x18" db2packet = create_das_packet(0x06, data) send_db2_packet( socket, db2packet ) diff --git a/scripts/dhcp-discover.nse b/scripts/dhcp-discover.nse index 19b576016..dc9478ad8 100644 --- a/scripts/dhcp-discover.nse +++ b/scripts/dhcp-discover.nse @@ -96,10 +96,11 @@ local function go(host, port) local mac_addr = host.mac_addr_src if(nmap.registry.args.randomize_mac == 'true' or nmap.registry.args.randomize_mac == '1') then stdnse.debug2("Generating a random MAC address") - mac_addr = "" + mac_addr = {} for j=1, 6, 1 do - mac_addr = mac_addr .. string.char(math.random(1, 255)) + mac_addr[i] = string.char(math.random(1, 255)) end + mac_addr = table.concat(mac_addr) end local iface, err = nmap.get_interface_info(host.interface) diff --git a/scripts/dns-recursion.nse b/scripts/dns-recursion.nse index f16c8914b..0ea766ca6 100644 --- a/scripts/dns-recursion.nse +++ b/scripts/dns-recursion.nse 
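Review bot: In dhcp-discover.nse the rewritten loop indexes with `i` while the loop variable is `j` (`for j=1, 6, 1 do ... mac_addr[i] = ...`), so either `i` is nil and the assignment raises "table index is nil", or it resolves to some outer `i` and all six random bytes land in one slot, leaving a one-byte MAC after `table.concat`. The fix is the one-line change `mac_addr[j] = string.char(math.random(1, 255))`. The same pattern in broadcast-dhcp-discover.nse's randomizeMAC correctly uses `j`, which is a useful cross-check.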
@@ -29,8 +29,16 @@ portrule = shortport.portnumber(53, "udp") action = function(host, port) - -- generate dns query, Transaction-ID 0xdead, www.wikipedia.org (type A, class IN) - local request = string.char(0xde, 0xad, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03) .. "www" .. string.char(0x09) .. "wikipedia" .. string.char(0x03) .. "org" .. string.char(0x00, 0x00, 0x01, 0x00, 0x01) + -- generate dns query + local request = "\xde\xad" -- Transaction-ID 0xdead + .. "\x01\x00" -- flags (recursion desired) + .. "\x00\x01" -- 1 question + .. "\x00\x00" -- 0 answers + .. "\x00\x00" -- 0 authority + .. "\x00\x00" -- 0 additional + .. "\x03www\x09wikipedia\x03org\x00" -- www.wikipedia.org. + .. "\x00\x01" -- type A + .. "\x00\x01" -- class IN local status, result = comm.exchange(host, port, request, {proto="udp"}) diff --git a/scripts/http-virustotal.nse b/scripts/http-virustotal.nse index 1e8633d59..4e1d8c201 100644 --- a/scripts/http-virustotal.nse +++ b/scripts/http-virustotal.nse 
@@ -125,12 +125,12 @@ local function requestFileScan(filename) local shortfile = filename:match("^.*[\\/](.*)$") local boundary = "----------------------------nmapboundary" local header = { ["Content-Type"] = ("multipart/form-data; boundary=%s"):format(boundary) } - local postdata = ("--%s\r\n"):format(boundary) - postdata = postdata .. "Content-Disposition: form-data; name=\"apikey\"\r\n\r\n" - postdata = postdata .. arg_apiKey .. "\r\n" - postdata = postdata .. ("--%s\r\n" .. - "Content-Disposition: form-data; name=\"file\"; filename=\"%s\"\r\n" .. - "Content-Type: text/plain\r\n\r\n%s\r\n--%s--\r\n"):format(boundary, shortfile, str, boundary) + local postdata = ("--%s\r\n" + .. 'Content-Disposition: form-data; name="apikey"\r\n\r\n' + .. "%s\r\n" + .. "--%s\r\n" + .. 'Content-Disposition: form-data; name="file"; filename="%s"\r\n' + .. "Content-Type: text/plain\r\n\r\n%s\r\n--%s--\r\n"):format(boundary, arg_apiKey, boundary, shortfile, str, boundary) local host = "www.virustotal.com" local port = { number = 80, protocol = "tcp" } diff --git a/scripts/irc-brute.nse b/scripts/irc-brute.nse index 71533ac13..489c72047 100644 --- a/scripts/irc-brute.nse +++ b/scripts/irc-brute.nse @@ -89,11 +89,7 @@ Driver = { } local function random_nick() - local nick = "" - for i = 0, 8, 1 do - nick = nick .. string.char(math.random(97, 122)) -- lowercase ascii - end - return nick + return stdnse.generate_random_string(9, "abcdefghijklmnopqrstuvwxyz") end local function needsPassword(host, port) diff --git a/scripts/ldap-brute.nse b/scripts/ldap-brute.nse index 1f83eca41..490eaf671 100644 --- a/scripts/ldap-brute.nse +++ b/scripts/ldap-brute.nse 
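Review bot: random_nick in irc-brute.nse now passes a plain string as the charset to `stdnse.generate_random_string(9, "abcdefghijklmnopqrstuvwxyz")`; if that helper selects characters with `charset[n]` (table indexing), a string argument yields nil for every position and the nick comes back empty, so please confirm the helper accepts a string rather than a table of characters. If it expects a table, the call should pass one (e.g. built once with `string.gmatch(..., ".")`). The old loop produced nine characters (`for i = 0, 8`), and the new length argument of 9 matches that.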
@@ -139,7 +139,7 @@ action = function( host, port ) local clock_start = nmap.clock_ms() - local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 ) + local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00" local socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil ) local base_dn = stdnse.get_script_args('ldap.base') diff --git a/scripts/ldap-rootdse.nse b/scripts/ldap-rootdse.nse index fb8364b84..c469dcbaa 100644 --- a/scripts/ldap-rootdse.nse +++ b/scripts/ldap-rootdse.nse @@ -105,7 +105,7 @@ function action(host,port) -- In order to discover what protocol to use (SSL/TCP) we need to send a few bytes to the server -- An anonymous bind should do it - local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 ) + local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00" local _ socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil ) diff --git a/scripts/ldap-search.nse b/scripts/ldap-search.nse index 633e776a7..65017045b 100644 --- a/scripts/ldap-search.nse +++ b/scripts/ldap-search.nse @@ -120,7 +120,7 @@ function action(host,port) -- In order to discover what protocol to use (SSL/TCP) we need to send a few bytes to the server -- An anonymous bind should do it - local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 ) + local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00" local _ socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil ) diff --git a/scripts/nping-brute.nse b/scripts/nping-brute.nse index a2d5f0e07..668677975 100644 --- a/scripts/nping-brute.nse +++ b/scripts/nping-brute.nse 
@@ -34,14 +34,6 @@ categories = {"brute", "intrusive"} portrule = shortport.port_or_service(9929, "nping-echo") -local function randombytes(x) - local bytes = "" - for i = 1, x do - bytes = bytes .. bin.pack("C", math.random(0x00, 0xff)) - end - return bytes -end - local function readmessage(socket, length) local msg = "" while #msg < length do @@ -103,8 +95,8 @@ Driver = local NEP_CLIENT_MAC_ID = "NEPkeyforMACClient2Server" local now = nmap.clock() - local seqb = randombytes(4) - local cnonce = randombytes(32) + local seqb = openssl.rand_bytes(4) + local cnonce = openssl.rand_bytes(32) local nonce = snonce .. cnonce local enckey = self:nepkey(password, nonce, NEP_CLIENT_CIPHER_ID) local mackey = self:nepkey(password, nonce, NEP_CLIENT_MAC_ID) diff --git a/scripts/ntp-monlist.nse b/scripts/ntp-monlist.nse index d2efcba1c..b219f7297 100644 --- a/scripts/ntp-monlist.nse +++ b/scripts/ntp-monlist.nse @@ -250,16 +250,15 @@ function getPrivateMode(impl, requestCode) -- Request Code 8bits: e.g. 0x2a (MON_GETLIST_1) -- Err 4bits: 0, Number of Data Items 12bits: 0 -- MBZ 4bits: 0, Size of Data Items 12bits: 0 - pay = string.char( + return string.char( 0x17, 0x00, impl or 0x03, requestCode or 0x2a, 0x00, 0x00, 0x00, 0x00 ) -- Data 40 Octets: 0 - pay = pay .. string.char(0x00):rep(40) + .. string.char(0x00):rep(40) -- The following are optional if the Authenticated bit is set: -- Encryption Keyid 4 Octets: 0 -- Message Authentication Code 16 Octets (MD5): 0 - return pay end 
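Review bot: The replacement lines call `openssl.rand_bytes` for `seqb` and `cnonce` but the hunk shows no `require` for openssl, and the deleted randombytes helper only needed bin; the script's existing key derivation in nepkey very likely already pulls in openssl, but that is outside the hunk, so confirm the module is required (and that the script is gated on openssl availability) so the change cannot turn into a nil-call error on a build without it. Drawing the client nonce from the OpenSSL CSPRNG rather than `math.random` is the right direction; a comment such as `-- cnonce must be unpredictable: use the CSPRNG, not math.random` would record why the helper was removed.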
@@ -495,16 +494,16 @@ function make_udp_packet(response) -- dummy headers -- ip - local dh = string.char(0x45, 0x00) - dh = dh .. bin.pack('S', iplen) - dh = dh .. string.char( - 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - -- udp - 0x00, 0x00, 0x00, 0x00 - ) - dh = dh .. bin.pack('S', udplen) - dh = dh .. string.char(0x00, 0x00) + local dh = "\x45\x00" -- IPv4, 20-byte header, no DSCP, no ECN + .. bin.pack('>S', iplen) -- total length + .. "\x00\x00" -- IPID 0 + .. "\x40\x00" -- DF + .. "\x40\x11" -- TTL 0x40, UDP (proto 17) + .. "\x00\x00" -- checksum 0 + .. "\x00\x00\x00\x00\x00\x00\x00\x00" -- Source, destination 0.0.0.0 + .. "\x00\x00\x00\x00" -- UDP source, dest port 0 + .. bin.pack('S', udplen) -- UDP length + .. "\x00\x00" -- UDP checksum 0 return packet.Packet:new(dh .. response, iplen) diff --git a/scripts/p2p-conficker.nse b/scripts/p2p-conficker.nse index 9bdb4a492..8a31ddcd3 100644 --- a/scripts/p2p-conficker.nse +++ b/scripts/p2p-conficker.nse @@ -301,7 +301,7 @@ end --@return The encrypted (or decrypted) data. local function p2p_cipher(packet, key1, key2) local i - local buf = "" + local buf = {} for i = 1, #packet, 1 do -- Do a 64-bit rotate on key1:key2 @@ -311,7 +311,7 @@ local function p2p_cipher(packet, key1, key2) local k = bit.band(key1, 0x0FF) -- Xor the current character and add it to the encrypted buffer - buf = buf .. string.char(bit.bxor(string.byte(packet, i), k)) + buf[i] = string.char(bit.bxor(string.byte(packet, i), k)) -- Update the key with 'k' key1 = key1 + k @@ -323,7 +323,7 @@ local function p2p_cipher(packet, key1, key2) end end - return buf + return table.concat(buf) end ---Decrypt the packet, verify it, and parse it. This function will fail with an error if the packet can't be diff --git a/scripts/smb-check-vulns.nse b/scripts/smb-check-vulns.nse index 6bea6416c..54e7a31d6 100644 --- a/scripts/smb-check-vulns.nse +++ b/scripts/smb-check-vulns.nse 
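Review bot: make_udp_packet now packs the IP total length with `bin.pack('>S', iplen)` (big-endian) where the old code used native-order `'S'`, while the UDP length two lines below is still `bin.pack('S', udplen)`; the dummy header therefore mixes byte orders, and the change of order for iplen is a behavioural change hidden inside a literal-cleanup commit. If the header is meant to be network order, the UDP length should read `.. bin.pack('>S', udplen) -- UDP length`; if the old native order was deliberate because packet.Packet:new takes iplen separately, revert the `>` on the IP line instead. Either way the choice deserves a comment, since nothing here says which consumer reads those two fields.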
@@ -357,21 +357,21 @@ local function check_smbv2_dos(host)
 end
 -- From http://seclists.org/fulldisclosure/2009/Sep/0039.html with one change on the last line.
- local buf = string.char(0x00, 0x00, 0x00, 0x90) .. -- Begin SMB header: Session message
- string.char(0xff, 0x53, 0x4d, 0x42) .. -- Server Component: SMB
- string.char(0x72, 0x00, 0x00, 0x00) .. -- Negociate Protocol
- string.char(0x00, 0x18, 0x53, 0xc8) .. -- Operation 0x18 & sub 0xc853
- string.char(0x00, 0x26) .. -- Process ID High: --> :) normal value should be ", 0x00, 0x00"
- string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfe) ..
- string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x6d, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54) ..
- string.char(0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31) ..
- string.char(0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00) ..
- string.char(0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57) ..
- string.char(0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61) ..
- string.char(0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x4c) ..
- string.char(0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c) ..
- string.char(0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00, 0x02, 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e) ..
- string.char(0x30, 0x30, 0x32, 0x00)
+ local buf = "\x00\x00\x00\x90" .. -- Begin SMB header: Session message
+ "\xff\x53\x4d\x42" .. -- Server Component: SMB
+ "\x72\x00\x00\x00" .. -- Negociate Protocol
+ "\x00\x18\x53\xc8" .. -- Operation 0x18 & sub 0xc853
+ "\x00\x26" .. -- Process ID High: --> :) normal value should be "\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" ..
+ "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" ..
+ "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" ..
+ "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" .. + "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" .. + "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" .. + "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" .. + "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" .. + "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" .. + "\x30\x30\x32\x00" local socket = nmap.new_socket() if(socket == nil) then diff --git a/scripts/smb-psexec.nse b/scripts/smb-psexec.nse index eedfea5a8..03c7551c8 100644 --- a/scripts/smb-psexec.nse +++ b/scripts/smb-psexec.nse @@ -824,10 +824,11 @@ local function get_config(host, config) elseif(nmap.registry.args.key) then config.key = nmap.registry.args.key else - config.key = "" + local tmp = {} for i = 1, 127, 1 do - config.key = config.key .. string.char(math.random(0x20, 0x7F)) + tmp[i] = string.char(math.random(0x20, 0x7F)) end + config.key = table.concat(tmp) config.key_index = 0 end @@ -1044,7 +1045,7 @@ end --@args config The config file for this host (stores the encryption key). --@return The decrypted string. local function cipher(str, config) - local result = "" + local result = {} if(config.key == "") then return str end @@ -1056,10 +1057,10 @@ local function cipher(str, config) config.key_index = config.key_index + 1 config.key_index = config.key_index % #config.key - result = result .. c + result[i] = c end - return result + return table.concat(result) end local function get_overrides() diff --git a/scripts/sniffer-detect.nse b/scripts/sniffer-detect.nse index 12b6e12f3..d6a229b9b 100644 --- a/scripts/sniffer-detect.nse +++ b/scripts/sniffer-detect.nse 
@@ -101,20 +101,20 @@ action = function(host)
 pcap:pcap_open(host.interface, 64, false, "arp")
 local test_static = host.mac_addr_src ..
- string.char(0x08,0x06, 0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01) ..
+ "\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01" ..
 host.mac_addr_src ..
 host.bin_ip_src ..
- string.char(0x00,0x00, 0x00,0x00, 0x00,0x00) ..
+ "\x00\x00\x00\x00\x00\x00" ..
 host.bin_ip
 local t = {
- string.char(0xff,0xff, 0xff,0xff, 0xff,0xff), -- B32 no meaning?
- string.char(0xff,0xff, 0xff,0xff, 0xff,0xfe), -- B31
- string.char(0xff,0xff, 0x00,0x00, 0x00,0x00), -- B16
- string.char(0xff,0x00, 0x00,0x00, 0x00,0x00), -- B8
- string.char(0x01,0x00, 0x00,0x00, 0x00,0x00), -- G
- string.char(0x01,0x00, 0x5e,0x00, 0x00,0x00), -- M0
- string.char(0x01,0x00, 0x5e,0x00, 0x00,0x01), -- M1 no meaning?
- string.char(0x01,0x00, 0x5e,0x00, 0x00,0x03), -- M3
+ "\xff\xff\xff\xff\xff\xff", -- B32 no meaning?
+ "\xff\xff\xff\xff\xff\xfe", -- B31
+ "\xff\xff\x00\x00\x00\x00", -- B16
+ "\xff\x00\x00\x00\x00\x00", -- B8
+ "\x01\x00\x00\x00\x00\x00", -- G
+ "\x01\x00\x5e\x00\x00\x00", -- M0
+ "\x01\x00\x5e\x00\x00\x01", -- M1 no meaning?
+ "\x01\x00\x5e\x00\x00\x03", -- M3
 }
 local v
 local out = ""
diff --git a/scripts/sslv2.nse b/scripts/sslv2.nse
index 7a575259b..ed1dcb956 100644
--- a/scripts/sslv2.nse
+++ b/scripts/sslv2.nse
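Review bot: With the `string.char` calls gone, the ten bytes on the first added line are an opaque literal, while the entries of `t` at least keep their `-- B32`/`-- M0` tags. A field comment keeps the probe readable and checkable against the ARP format, e.g. `"\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01" .. -- EtherType ARP, HTYPE 1 (Ethernet), PTYPE 0x0800 (IPv4), HLEN 6, PLEN 4, opcode 1 (request)` and on the second added line `"\x00\x00\x00\x00\x00\x00" .. -- target MAC: zero`. `action` continues outside the hunk.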
@@ -144,26 +144,24 @@ action = function(host, port)
 -- build client hello packet (contents inspired by
 -- http://mail.nessus.org/pipermail/plugins-writers/2004-October/msg00041.html )
- local t = {};
- table.insert(t, string.char(0x80, 0x31));
- table.insert(t, string.char(0x01));
- table.insert(t, string.char(0x00, 0x02));
- table.insert(t, string.char(0x00, 0x18));
- table.insert(t, string.char(0x00, 0x00));
- table.insert(t, string.char(0x00, 0x10));
- table.insert(t, string.char(0x07, 0x00, 0xc0));
- table.insert(t, string.char(0x05, 0x00, 0x80));
- table.insert(t, string.char(0x03, 0x00, 0x80));
- table.insert(t, string.char(0x01, 0x00, 0x80));
- table.insert(t, string.char(0x08, 0x00, 0x80));
- table.insert(t, string.char(0x06, 0x00, 0x40));
- table.insert(t, string.char(0x04, 0x00, 0x80));
- table.insert(t, string.char(0x02, 0x00, 0x80));
- table.insert(t, string.char(0xe4, 0xbd, 0x00, 0x00));
- table.insert(t, string.char(0xa4, 0x41, 0xb6, 0x74));
- table.insert(t, string.char(0x71, 0x2b, 0x27, 0x95));
- table.insert(t, string.char(0x44, 0xc0, 0x3d, 0xc0));
- ssl_v2_hello = table.concat(t, "")
+ ssl_v2_hello = "\x80\x31"
+ .. "\x01"
+ .. "\x00\x02"
+ .. "\x00\x18"
+ .. "\x00\x00"
+ .. "\x00\x10"
+ .. "\x07\x00\xc0"
+ .. "\x05\x00\x80"
+ .. "\x03\x00\x80"
+ .. "\x01\x00\x80"
+ .. "\x08\x00\x80"
+ .. "\x06\x00\x40"
+ .. "\x04\x00\x80"
+ .. "\x02\x00\x80"
+ .. "\xe4\xbd\x00\x00"
+ .. "\xa4\x41\xb6\x74"
+ .. "\x71\x2b\x27\x95"
+ .. "\x44\xc0\x3d\xc0"
 socket:connect(host, port, "tcp");
 socket:send(ssl_v2_hello);
diff --git a/scripts/stuxnet-detect.nse b/scripts/stuxnet-detect.nse
index 0acfbd911..64a810191 100644
--- a/scripts/stuxnet-detect.nse
+++ b/scripts/stuxnet-detect.nse
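Review bot: `ssl_v2_hello` is assigned without `local` on the first added line; unless it is declared earlier in `action`, outside the hunk, this writes a global on every call, and the rewrite is the moment to make it `local ssl_v2_hello = "\x80\x31"`. The byte layout also lost its structure with the `table.insert` calls: a short comment per field, naming the 2-byte record header whose 0x31 means 49 bytes follow, the CLIENT-HELLO type 1, version 0x0002, the 24-byte cipher-specs length, zero session-id length and 16-byte challenge length, then the eight 3-byte cipher specs and the 16-byte challenge, would let a reader re-check the length byte whenever a cipher spec is added or removed. `action` continues outside the hunk.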
@@ -35,7 +35,7 @@ categories = {"discovery", "intrusive"}
 local STUXNET_PATHS = {"\\\\browser", "\\\\ntsvcs", "\\\\pipe\\browser", "\\\\pipe\\ntsvcs"}
-local STUXNET_UUID = string.char(0xe1, 0x04, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46)
+local STUXNET_UUID = "\xe1\x04\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
 local STUXNET_VERSION = 0x01
 local RPC_GET_VERSION = 0x00
diff --git a/scripts/targets-ipv6-multicast-invalid-dst.nse b/scripts/targets-ipv6-multicast-invalid-dst.nse
index 13127a3cd..acfbb994d 100644
--- a/scripts/targets-ipv6-multicast-invalid-dst.nse
+++ b/scripts/targets-ipv6-multicast-invalid-dst.nse
@@ -45,12 +45,8 @@ local function build_invalid_extension_header(nxt_hdr)
 -- bits; that instructs the receiver to send a Parameter Problem.
 -- Option type 0x80 is unallocated; see
 -- http://www.iana.org/assignments/ipv6-parameters/.
- local ex_invalid_opt = string.char(0x80,0x01,0x00,0x00,0x00,0x00)
- local ext_header =
- string.char(nxt_hdr) .. --next header
- string.char(0) .. -- length 8
- ex_invalid_opt
- return ext_header
+ return string.char(nxt_hdr, 0) .. --next header, length 8
+ "\x80\x01\x00\x00\x00\x00"
 end
 local function get_interfaces()
@@ -117,7 +113,7 @@ local function single_interface_broadcast(if_nfo, results)
 probe.icmpv6_type = 254
 probe.icmpv6_code = 0
 -- Add a non-empty payload too.
- probe.icmpv6_payload = string.char(0x00, 0x00, 0x00, 0x00)
+ probe.icmpv6_payload = "\x00\x00\x00\x00"
 probe:build_icmpv6_header()
 probe.exheader = build_invalid_extension_header(packet.IPPROTO_ICMPV6)
diff --git a/scripts/tftp-enum.nse b/scripts/tftp-enum.nse
index ef483e350..ccb3b9df1 100644
--- a/scripts/tftp-enum.nse
+++ b/scripts/tftp-enum.nse
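Review bot: The six option bytes on the second added line of the build_invalid_extension_header hunk are no longer named now that `ex_invalid_opt` is gone, and the comment block above only explains the 0x80 type byte. Suggest `"\x80\x01\x00\x00\x00\x00" -- type 0x80, option data length 1, one data byte, then three zero bytes (Pad1) to fill the 8-octet header`, and on the first added line `--next header; Hdr Ext Len 0 means 8 octets` in place of `--next header, length 8`, so the invariant that the two bytes plus the option fill exactly 8 octets stays checkable. The function is otherwise fully visible in the hunk.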
@@ -155,39 +155,8 @@ local check_file_present = function(host, port, filename)
 return FILE_NOT_FOUND
 end
---- Generates a random string of the requested length. This can be used to check how hosts react to
--- weird username/password combinations.
--- @param length (optional) The length of the string to return. Default: 8.
--- @param set (optional) The set of letters to choose from. Default: upper, lower, numbers, and underscore.
--- @return The random string.
-local function get_random_string(length, set)
- if (length == nil) then
- length = 8
- end
-
- if (set == nil) then
- set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
- end
-
- local str = ""
-
- -- Seed the random number, if we haven't already
- if (not (nmap.registry.oracle_enum_users) or not (nmap.registry.oracle_enum_users.seeded)) then
- math.randomseed(os.time())
- nmap.registry.oracle_enum_users = {}
- nmap.registry.oracle_enum_users.seeded = true
- end
-
- for i = 1, length, 1 do
- local random = math.random(#set)
- str = str .. string.sub(set, random, random)
- end
-
- return str
-end
-
 local check_open_tftp = function(host, port)
- local random_name = get_random_string()
+ local random_name = stdnse.generate_random_string(8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")
 local ret_value = check_file_present(host, port, random_name)
 if (ret_value == FILE_FOUND or ret_value == FILE_NOT_FOUND) then
 return true