Some string optimizations in NSE

Changes fall into these categories:

1. Avoid pathological string building. Loops over x = x .. "foo" can
become very slow. Instead, use strbuf.lua, table.concat, or just one
continuous concatenation; a = x .. y .. z is one operation, better than
a = x .. y; a = a .. z

2. Use hex-escaped strings instead of string.char. I find this more
readable in many cases, and it avoids a table lookup and function call.

3. Don't duplicate code. A few libraries and scripts had re-implemented
stdnse.generate_random_string or openssl.rand_bytes.

nselib/amqp.lua

@@ -40,9 +40,9 @@ AMQP = {
 
   -- version strings the client supports
   client_version_strings = {
-    ["0-8"] = string.char(0x01) .. string.char(0x01) .. string.char(0x08) .. string.char(0x00),
+    ["0-8"] = "\x01\x01\x08\x00",
-    ["0-9"] = string.char(0x00) .. string.char(0x00) .. string.char(0x09) .. string.char(0x00),
+    ["0-9"] = "\x00\x00\x09\x00",
-    ["0-9-1"] = string.char(0x00) .. string.char(0x00) .. string.char(0x09) .. string.char(0x01)
+    ["0-9-1"] = "\x00\x00\x09\x01"
   },
 
   new = function(self, host, port)

nselib/cassandra.lua

@@ -25,33 +25,28 @@ _ENV = stdnse.module("cassandra", stdnse.seeall)
 ]]--
 
 -- Protocol magic strings
-CASSANDRAREQ = string.char(0x80,0x01,0x00,0x01)
+CASSANDRAREQ = "\x80\x01\x00\x01"
-CASSANDRARESP = string.char(0x80,0x01,0x00,0x02)
+CASSANDRARESP = "\x80\x01\x00\x02"
-CASSLOGINMAGIC = string.char(0x00, 0x00,0x00,0x01,0x0c,0x00,0x01,0x0d,0x00,0x01,0x0b,0x0b,0x00,0x00,0x00,0x02)
+CASSLOGINMAGIC = "\x00\x00\x00\x01\x0c\x00\x01\x0d\x00\x01\x0b\x0b\x00\x00\x00\x02"
-LOGINSUCC = string.char(0x00,0x00,0x00,0x01,0x00)
+LOGINSUCC = "\x00\x00\x00\x01\x00"
-LOGINFAIL = string.char(0x00,0x00,0x00,0x01,0x0b)
+LOGINFAIL = "\x00\x00\x00\x01\x0b"
-LOGINACC = string.char(0x00,0x00,0x00,0x01,0x0c)
+LOGINACC = "\x00\x00\x00\x01\x0c"
-
---Returns string in format length+string itself
---@param str to format
---@return str : string in format length+string itself
-function pack4str (str)
-        return (bin.pack(">I",string.len(str)) .. str)
-end
 
 --Returns string in cassandra format for login
 --@param username to put in format
 --@param password to put in format
 --@return str : string in cassandra format for login
 function loginstr (username, password)
-        local str = CASSANDRAREQ .. pack4str ("login")
+  return bin.pack("A>aAaaaaA",
-        str = str .. CASSLOGINMAGIC
+    CASSANDRAREQ,
-        str = str .. pack4str("username")
+    "login",
-        str = str .. pack4str(username)
+    CASSLOGINMAGIC,
-        str = str .. pack4str("password")
+    "username",
-        str = str .. pack4str(password)
+    username,
-        str = str .. string.char (0x00, 0x00) -- add two null on the end
+    "password",
-        return str
+    password,
+    "\x00\x00" -- add two null on the end
+    )
 end
 
 --Invokes command over socket and returns the response
@@ -61,10 +56,12 @@ end
 --@return status : true if ok; false if bad
 --@return result : value if status ok, error msg if bad
 function cmdstr (command,cnt)
-        local str = CASSANDRAREQ .. pack4str (command)
+  return bin.pack("A>aIA",
-        str = str .. bin.pack(">I",cnt)
+    CASSANDRAREQ,
-        str = str .. string.char (0x00) -- add null on the end
+    command,
-        return str
+    cnt,
+    "\x00" -- add null on the end
+    )
 end
 
 --Invokes command over socket and returns the response
@@ -103,7 +100,7 @@ function sendcmd (socket, command, cnt)
   end
 
   -- magic response starts at 5th byte for 4 bytes, 4 byte for length + length of string command
-  if (string.sub(response,5,8+4+string.len(command)) ~= CASSANDRARESP..pack4str(command)) then
+  if (string.sub(response,5,8+4+string.len(command)) ~= bin.pack("A>a", CASSANDRARESP, command)) then
     return false, "protocol response error"
   end
 
@@ -190,7 +187,7 @@ function login (socket,username,password)
   local _, size = bin.unpack(">I", response, 1)
 
   local loginresp = string.sub(response,5,17)
-  if (loginresp ~= CASSANDRARESP..pack4str("login")) then
+  if (loginresp ~= bin.pack("A>a", CASSANDRARESP, "login")) then
     return false, "protocol error"
   end
 

nselib/msrpc.lua

@@ -64,48 +64,48 @@ _ENV = stdnse.module("msrpc", stdnse.seeall)
 
 -- The path, UUID, and version for SAMR
 SAMR_PATH       = "\\samr"
-SAMR_UUID       = string.char(0x78, 0x57, 0x34, 0x12, 0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xac)
+SAMR_UUID       = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xac"
 SAMR_VERSION    = 0x01
 
 -- The path, UUID, and version for SRVSVC
 SRVSVC_PATH     = "\\srvsvc"
-SRVSVC_UUID     = string.char(0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16, 0xd3, 0x01, 0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88)
+SRVSVC_UUID     = "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
 SRVSVC_VERSION  = 0x03
 
 -- The path, UUID, and version for SPOOLSS
 SPOOLSS_PATH    = "\\spoolss"
-SPOOLSS_UUID = string.char(0x78, 0x56, 0x34, 0x12, 0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab)
+SPOOLSS_UUID = "\x78\x56\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab"
 SPOOLSS_VERSION = 0x01
 
 -- The path, UUID, and version for LSA
 LSA_PATH        = "\\lsarpc"
-LSA_UUID        = string.char(0x78, 0x57, 0x34, 0x12, 0x34, 0x12, 0xcd, 0xab, 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab)
+LSA_UUID        = "\x78\x57\x34\x12\x34\x12\xcd\xab\xef\x00\x01\x23\x45\x67\x89\xab"
 LSA_VERSION     = 0
 
 -- The path, UUID, and version for WINREG
 WINREG_PATH     = "\\winreg"
-WINREG_UUID     = string.char(0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xf1, 0x31, 0xaa, 0xaa, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03)
+WINREG_UUID     = "\x01\xd0\x8c\x33\x44\x22\xf1\x31\xaa\xaa\x90\x00\x38\x00\x10\x03"
 WINREG_VERSION  = 1
 
 -- The path, UUID, and version for SVCCTL
 SVCCTL_PATH    = "\\svcctl"
-SVCCTL_UUID    = string.char(0x81, 0xbb, 0x7a, 0x36, 0x44, 0x98, 0xf1, 0x35, 0xad, 0x32, 0x98, 0xf0, 0x38, 0x00, 0x10, 0x03)
+SVCCTL_UUID    = "\x81\xbb\x7a\x36\x44\x98\xf1\x35\xad\x32\x98\xf0\x38\x00\x10\x03"
 SVCCTL_VERSION = 2
 
 -- The path, UUID, and version for ATSVC
 ATSVC_PATH     = "\\atsvc"
-ATSVC_UUID     = string.char(0x82, 0x06, 0xf7, 0x1f, 0x51, 0x0a, 0xe8, 0x30, 0x07, 0x6d, 0x74, 0x0b, 0xe8, 0xce, 0xe9, 0x8b)
+ATSVC_UUID     = "\x82\x06\xf7\x1f\x51\x0a\xe8\x30\x07\x6d\x74\x0b\xe8\xce\xe9\x8b"
 ATSVC_VERSION  = 1
 
 
 -- UUID and version for epmapper e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
 EPMAPPER_PATH = "\\epmapper"
-EPMAPPER_UUID     = string.char(0x08, 0x83, 0xaf, 0xe1, 0x1f, 0x5d, 0xc9, 0x11, 0x91, 0xa4, 0x08, 0x00, 0x2b, 0x14, 0xa0, 0xfa)
+EPMAPPER_UUID     = "\x08\x83\xaf\xe1\x1f\x5d\xc9\x11\x91\xa4\x08\x00\x2b\x14\xa0\xfa"
 EPMAPPER_VERSION  = 3
 
 
 -- This is the only transfer syntax I've seen in the wild, not that I've looked hard. It seems to work well.
-TRANSFER_SYNTAX = string.char(0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60)
+TRANSFER_SYNTAX = "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60"
 
 -- The 'referent_id' value is ignored, as far as I can tell, so this value is passed for it. No, it isn't random. :)
 REFERENT_ID = 0x50414d4e
@@ -4791,7 +4791,7 @@ end
 --# 1) RRAS RASRPC INTERFACE
 --####################################################################--
 ROUTER_PATH = "\\router" --also can be reached across "\\srvsvc" pipe in WinXP
-RASRPC_UUID = string.char(0x36, 0x00, 0x61, 0x20, 0x22, 0xfa, 0xcf, 0x11, 0x98, 0x23, 0x00, 0xa0, 0xc9, 0x11, 0xe5, 0xdf)
+RASRPC_UUID = "\x36\x00\x61\x20\x22\xfa\xcf\x11\x98\x23\x00\xa0\xc9\x11\xe5\xdf"
 RASRPC_VERSION = 1
 
 --####################################################################--
@@ -4934,7 +4934,7 @@ end
 --# 1) DNS SERVER MANAGEMENT SERVICE INTERFACE
 --####################################################################--
 DNSSERVER_UUID_STR = "50abc2a4-574d-40b3-9d66-ee4fd5fba076"
-DNSSERVER_UUID = string.char(0xa4, 0xc2,0xab, 0x50, 0x4d, 0x57, 0xb3, 0x40, 0x9d, 0x66, 0xee, 0x4f, 0xd5, 0xfb, 0xa0, 0x76)
+DNSSERVER_UUID = "\xa4\xc2\xab\x50\x4d\x57\xb3\x40\x9d\x66\xee\x4f\xd5\xfb\xa0\x76"
 DNSSERVER_PATH = "\\DNSSERVER"
 DNSSERVER_VERSION = 5
 

nselib/mssql.lua

@@ -1732,7 +1732,7 @@ LoginPacket =
   library = "mssql.lua",
   locale = "",
   database = "master", --nil,
-  MAC = string.char(0x00,0x00,0x00,0x00,0x00,0x00), -- should contain client MAC, jTDS uses all zeroes
+  MAC = "\x00\x00\x00\x00\x00\x00", -- should contain client MAC, jTDS uses all zeroes
 
   new = function(self,o)
     o = o or {}

nselib/mysql.lua

@@ -156,7 +156,7 @@ local function createLoginHash(pass, salt)
   local hash_stage1
   local hash_stage2
   local hash_stage3
-  local reply = ""
+  local reply = {}
   local pos, b1, b2, b3, _ = 1, 0, 0, 0
 
   if ( not(HAVE_SSL) ) then
@@ -171,10 +171,10 @@ local function createLoginHash(pass, salt)
     _, b1 = bin.unpack( "C", hash_stage1, pos )
     _, b2 = bin.unpack( "C", hash_stage3, pos )
 
-    reply = reply .. string.char( bit.bxor( b2, b1 ) )
+    reply[pos] = string.char( bit.bxor( b2, b1 ) )
   end
 
-  return reply
+  return table.concat(reply)
 
 end
 
@@ -218,20 +218,21 @@ function loginRequest( socket, params, username, password, salt )
   local extcapabilities = ExtCapabilities.SupportsMultipleStatments
   extcapabilities = extcapabilities + ExtCapabilities.SupportsMultipleResults
 
-  local packet = bin.pack( "S", clicap )
+  local hash = ""
-  packet = packet .. bin.pack( "S", extcapabilities )
-  packet = packet .. bin.pack( "I", MAXPACKET )
-  packet = packet .. bin.pack( "C", Charset.latin1_COLLATE_latin1_swedish_ci )
-  packet = packet .. bin.pack( "A", string.char(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0) )
-  packet = packet .. bin.pack( "z", username )
-
   if ( password ~= nil and password:len() > 0 ) then
-    local hash = createLoginHash( password, salt )
+    hash = createLoginHash( password, salt )
-    packet = packet .. bin.pack( "A", string.char( 0x14 ) .. hash )
-  else
-    packet = packet .. bin.pack( "C", 0 )
   end
 
+  local packet = bin.pack( "SSICAzp",
+    clicap,
+    extcapabilities,
+    MAXPACKET,
+    Charset.latin1_COLLATE_latin1_swedish_ci,
+    string.rep("\0", 23),
+    username,
+    hash
+    )
+
   local tmp = packet:len() + bit.lshift( packetno, 24 )
 
   packet = bin.pack( "I", tmp ) .. packet

nselib/netbios.lua

@@ -60,24 +60,25 @@ function name_encode(name, scope)
   name = string.upper(name)
 
   -- Do the L1 encoding
-  local L1_encoded = ""
+  local L1_encoded = {}
   for i=1, #name, 1 do
     local b = string.byte(name, i)
-    L1_encoded = L1_encoded .. string.char(bit.rshift(bit.band(b, 0xF0), 4) + 0x41)
+    L1_encoded[i*2-1] = string.char(bit.rshift(bit.band(b, 0xF0), 4) + 0x41)
-    L1_encoded = L1_encoded .. string.char(bit.rshift(bit.band(b, 0x0F), 0) + 0x41)
+    L1_encoded[i*2]   = string.char(bit.rshift(bit.band(b, 0x0F), 0) + 0x41)
   end
 
   -- Do the L2 encoding
-  local L2_encoded = string.char(32) .. L1_encoded
+  local L2_encoded = { string.char(32), table.concat(L1_encoded) }
 
   if scope ~= nil then
     -- Split the scope at its periods
     local piece
     for piece in string.gmatch(scope, "[^.]+") do
-      L2_encoded = L2_encoded .. string.char(#piece) .. piece
+      L2_encoded[#L2_encoded+1] = string.char(#piece) .. piece
     end
   end
 
+  L2_encoded = table.concat(L2_encoded)
   stdnse.debug3("=> '%s'", L2_encoded)
   return L2_encoded
 end

nselib/smb.lua

@@ -2459,14 +2459,14 @@ function file_upload(host, localfile, share, remotefile, overrides, encoded)
 
   local i = 0
   local data = handle:read(chunk)
+  local new_data = {}
   while(data ~= nil and #data > 0) do
 
     if(encoded) then
-      local new_data = ""
       for j = 1, #data, 1 do
-        new_data = new_data .. string.char(bit.bxor(0xFF, string.byte(data, j)))
+        new_data[j] = string.char(bit.bxor(0xFF, string.byte(data, j)))
       end
-      data = new_data
+      data = table.concat(new_data, "", 1, #data)
     end
 
     status, err = write_file(smbstate, data, i)

scripts/broadcast-dhcp-discover.nse

@@ -67,11 +67,11 @@ end
 --
 -- @return mac_addr string containing a random MAC
 local function randomizeMAC()
-  local mac_addr = ""
+  local mac_addr = {}
   for j=1, 6 do
-    mac_addr = mac_addr .. string.char(math.random(1, 255))
+    mac_addr[j] = string.char(math.random(1, 255))
   end
-  return mac_addr
+  return table.concat(mac_addr)
 end
 
 -- Gets a list of available interfaces based on link and up filters
@@ -143,7 +143,7 @@ action = function()
   -- randomizing the MAC could exhaust dhcp servers with small scopes
   -- if ran multiple times, so we should probably refrain from doing
   -- this?
-  local mac = string.char(0xDE,0xAD,0xC0,0xDE,0xCA,0xFE)--randomizeMAC()
+  local mac = "\xDE\xAD\xC0\xDE\xCA\xFE" --randomizeMAC()
 
   local interfaces
 

scripts/db2-das-info.nse

@@ -266,12 +266,12 @@ function create_das_packet( magic, data )
 
   packet.header = {}
 
-  packet.header.raw = string.char(0x00, 0x00, 0x00, 0x00, 0x44, 0x42, 0x32, 0x44, 0x41, 0x53, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20)
+  packet.header.raw = "\x00\x00\x00\x00\x44\x42\x32\x44\x41\x53\x20\x20\x20\x20\x20\x20"
-  packet.header.raw = packet.header.raw .. string.char(0x01, 0x04, 0x00, 0x00, 0x00, 0x10, 0x39, 0x7a, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
+  .. "\x01\x04\x00\x00\x00\x10\x39\x7a\x00\x05\x00\x00\x00\x00\x00\x00"
-  packet.header.raw = packet.header.raw .. string.char(0x00, 0x00, 0x00, 0x00 )
+  .. "\x00\x00\x00\x00"
-  packet.header.raw = packet.header.raw .. bin.pack("C", magic)
+  .. bin.pack("C", magic)
-  packet.header.raw = packet.header.raw .. bin.pack("S", data_len)
+  .. bin.pack("S", data_len)
-  packet.header.raw = packet.header.raw .. string.char(0x00, 0x00)
+  .. "\x00\x00"
 
   packet.header.data_len = data_len
   packet.data = data
@@ -304,7 +304,7 @@ action = function(host, port)
   -- ************************************************************************************
   -- Transaction block 1
   -- ************************************************************************************
-  local data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x00)
+  local data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x00"
 
   --try(socket:send(query))
   local db2packet = create_das_packet(0x02, data)
@@ -315,10 +315,10 @@ action = function(host, port)
   -- ************************************************************************************
   -- Transaction block 2
   -- ************************************************************************************
-  data = string.char(0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00)
+  data = "\x00\x00\x00\x2c\x00\x00\x00"
-  data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x08, 0x59, 0xe7, 0x1f, 0x4b, 0x79, 0xf0, 0x90, 0x72, 0x85, 0xe0, 0x8f)
+  .. "\x0c\x00\x00\x00\x08\x59\xe7\x1f\x4b\x79\xf0\x90\x72\x85\xe0\x8f"
-  data = data .. string.char(0x3e, 0x38, 0x45, 0x38, 0xe3, 0xe5, 0x12, 0xc4, 0x3b, 0xe9, 0x7d, 0xe2, 0xf5, 0xf0, 0x78, 0xcc)
+  .. "\x3e\x38\x45\x38\xe3\xe5\x12\xc4\x3b\xe9\x7d\xe2\xf5\xf0\x78\xcc"
-  data = data .. string.char(0x81, 0x6f, 0x87, 0x5f, 0x91)
+  .. "\x81\x6f\x87\x5f\x91"
 
   db2packet = create_das_packet(0x05, data)
 
@@ -328,12 +328,12 @@ action = function(host, port)
   -- ************************************************************************************
   -- Transaction block 3
   -- ************************************************************************************
-  data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x01, 0x00, 0x00, 0x00)
+  data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x01\x00\x00\x00"
-  data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00)
+  .. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00"
-  data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
+  .. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
-  data = data .. string.char(0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x00, 0x00, 0x00, 0x00)
+  .. "\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x00\x00\x00\x00"
-  data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
+  .. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
-  data = data .. string.char(0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53, 0x72, 0x76, 0x00)
+  .. "\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53\x72\x76\x00"
 
   db2packet = create_das_packet(0x0a, data)
   send_db2_packet( socket, db2packet )
@@ -342,34 +342,34 @@ action = function(host, port)
   -- ************************************************************************************
   -- Transaction block 4
   -- ************************************************************************************
-  data = string.char(0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4a, 0x01, 0x00, 0x00, 0x00)
+  data = "\x00\x00\x00\x0d\x00\x00\x00\x0c\x00\x00\x00\x4a\x01\x00\x00\x00"
-  data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03)
+  .. "\x20\x00\x00\x00\x0c\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x03"
-  data = data .. string.char(0x48, 0x00, 0x00, 0x00, 0x00, 0x4a, 0xfb, 0x42, 0x90, 0x00, 0x00, 0x24, 0x93, 0x00, 0x00, 0x00)
+  .. "\x48\x00\x00\x00\x00\x4a\xfb\x42\x90\x00\x00\x24\x93\x00\x00\x00"
-  data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00)
+  .. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00"
-  data = data .. string.char(0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00)
+  .. "\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00"
-  data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
+  .. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
-  data = data .. string.char(0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53, 0x72, 0x76, 0x00, 0x00, 0x00, 0x00)
+  .. "\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53\x72\x76\x00\x00\x00\x00"
-  data = data .. string.char(0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x64, 0x62, 0x32)
+  .. "\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x64\x62\x32"
-  data = data .. string.char(0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x00, 0x00, 0x00, 0x00)
+  .. "\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x00\x00\x00\x00"
-  data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00)
+  .. "\x0c\x00\x00\x00\x0c\x00\x00\x00\x04\x00\x00\x00\x10\x00\x00\x00"
-  data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00)
+  .. "\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00\x10\x00\x00\x00"
-  data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x4c, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00)
+  .. "\x0c\x00\x00\x00\x4c\xff\xff\xff\xff\x00\x00\x00\x11\x00\x00\x00"
-  data = data .. string.char(0x0c, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0xb8, 0x00)
+  .. "\x0c\x00\x00\x00\x04\x00\x00\x04\xb8\x00"
 
   db2packet = create_das_packet(0x06, data)
   send_db2_packet( socket, db2packet )
 
-  data = string.char( 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00)
+  data =  "\x00\x00\x00\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00"
-  data = data .. string.char(0x00, 0x04, 0xb8, 0x64, 0x62, 0x32, 0x64, 0x61, 0x73, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73)
+  .. "\x00\x04\xb8\x64\x62\x32\x64\x61\x73\x4b\x6e\x6f\x77\x6e\x44\x73"
-  data = data .. string.char(0x63, 0x76, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x04, 0x00)
+  .. "\x63\x76\x00\x00\x00\x00\x20\x00\x00\x00\x0c\x00\x00\x00\x04\x00"
-  data = data .. string.char(0x00, 0x04, 0xb8, 0x64, 0x62, 0x32, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x44, 0x73, 0x63, 0x76, 0x53)
+  .. "\x00\x04\xb8\x64\x62\x32\x4b\x6e\x6f\x77\x6e\x44\x73\x63\x76\x53"
-  data = data .. string.char(0x72, 0x76, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00)
+  .. "\x72\x76\x00\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00"
-  data = data .. string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00)
+  .. "\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00"
-  data = data .. string.char(0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00)
+  .. "\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00"
-  data = data .. string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00)
+  .. "\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x0c\x00\x00\x00\x08\x00"
-  data = data .. string.char(0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00)
+  .. "\x00\x00\x10\x00\x00\x00\x0c\x00\x00\x00\x4c\x00\x00\x00\x01\x00"
-  data = data .. string.char(0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0c, 0x00)
+  .. "\x00\x00\x18\x00\x00\x00\x0c\x00\x00\x00\x08\x00\x00\x00\x0c\x00"
-  data = data .. string.char(0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x18)
+  .. "\x00\x00\x0c\x00\x00\x00\x18"
 
   db2packet = create_das_packet(0x06, data)
   send_db2_packet( socket, db2packet )

scripts/dhcp-discover.nse

@@ -96,10 +96,11 @@ local function go(host, port)
     local mac_addr = host.mac_addr_src
     if(nmap.registry.args.randomize_mac == 'true' or nmap.registry.args.randomize_mac == '1') then
       stdnse.debug2("Generating a random MAC address")
-      mac_addr = ""
+      mac_addr = {}
       for j=1, 6, 1 do
-        mac_addr = mac_addr .. string.char(math.random(1, 255))
+        mac_addr[i] = string.char(math.random(1, 255))
       end
+      mac_addr = table.concat(mac_addr)
     end
 
     local iface, err = nmap.get_interface_info(host.interface)

scripts/dns-recursion.nse

@@ -29,8 +29,16 @@ portrule = shortport.portnumber(53, "udp")
 
 action = function(host, port)
 
-    -- generate dns query, Transaction-ID 0xdead, www.wikipedia.org (type A, class IN)
+    -- generate dns query
-    local request = string.char(0xde, 0xad, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03) ..  "www" .. string.char(0x09) .. "wikipedia" .. string.char(0x03) ..  "org" .. string.char(0x00, 0x00, 0x01, 0x00, 0x01)
+    local request = "\xde\xad" -- Transaction-ID 0xdead
+    .. "\x01\x00" -- flags (recursion desired)
+    .. "\x00\x01" -- 1 question
+    .. "\x00\x00" -- 0 answers
+    .. "\x00\x00" -- 0 authority
+    .. "\x00\x00" -- 0 additional
+    .. "\x03www\x09wikipedia\x03org\x00" -- www.wikipedia.org.
+    .. "\x00\x01" -- type A
+    .. "\x00\x01" -- class IN
 
     local status, result = comm.exchange(host, port, request, {proto="udp"})
 

scripts/http-virustotal.nse

@@ -125,12 +125,12 @@ local function requestFileScan(filename)
   local shortfile = filename:match("^.*[\\/](.*)$")
   local boundary = "----------------------------nmapboundary"
   local header = { ["Content-Type"] = ("multipart/form-data; boundary=%s"):format(boundary) }
-  local postdata = ("--%s\r\n"):format(boundary)
+  local postdata = ("--%s\r\n"
-  postdata = postdata .. "Content-Disposition: form-data; name=\"apikey\"\r\n\r\n"
+  .. 'Content-Disposition: form-data; name="apikey"\r\n\r\n'
-  postdata = postdata .. arg_apiKey .. "\r\n"
+  .. "%s\r\n"
-  postdata = postdata .. ("--%s\r\n" ..
+  .. "--%s\r\n"
-    "Content-Disposition: form-data; name=\"file\"; filename=\"%s\"\r\n" ..
+  .. 'Content-Disposition: form-data; name="file"; filename="%s"\r\n'
-    "Content-Type: text/plain\r\n\r\n%s\r\n--%s--\r\n"):format(boundary, shortfile, str, boundary)
+  .. "Content-Type: text/plain\r\n\r\n%s\r\n--%s--\r\n"):format(boundary, arg_apiKey, boundary, shortfile, str, boundary)
 
   local host = "www.virustotal.com"
   local port = { number = 80, protocol = "tcp" }

scripts/irc-brute.nse

@@ -89,11 +89,7 @@ Driver = {
 }
 
 local function random_nick()
-  local nick = ""
+  return stdnse.generate_random_string(9, "abcdefghijklmnopqrstuvwxyz")
-  for i = 0, 8, 1 do
-    nick = nick .. string.char(math.random(97, 122)) -- lowercase ascii
-  end
-  return nick
 end
 
 local function needsPassword(host, port)

scripts/ldap-brute.nse

@@ -139,7 +139,7 @@ action = function( host, port )
 
   local clock_start = nmap.clock_ms()
 
-  local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 )
+  local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
   local socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )
 
   local base_dn = stdnse.get_script_args('ldap.base')

scripts/ldap-rootdse.nse

@@ -105,7 +105,7 @@ function action(host,port)
 
   -- In order to discover what protocol to use (SSL/TCP) we need to send a few bytes to the server
   -- An anonymous bind should do it
-  local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 )
+  local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
   local _
   socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )
 

scripts/ldap-search.nse

@@ -120,7 +120,7 @@ function action(host,port)
 
   -- In order to discover what protocol to use (SSL/TCP) we need to send a few bytes to the server
   -- An anonymous bind should do it
-  local ldap_anonymous_bind = string.char( 0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07, 0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00 )
+  local ldap_anonymous_bind = "\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
   local _
   socket, _, opt = comm.tryssl( host, port, ldap_anonymous_bind, nil )
 

scripts/nping-brute.nse

@@ -34,14 +34,6 @@ categories = {"brute", "intrusive"}
 
 portrule = shortport.port_or_service(9929, "nping-echo")
 
-local function randombytes(x)
-  local bytes = ""
-  for i = 1, x do
-    bytes = bytes .. bin.pack("C", math.random(0x00, 0xff))
-  end
-  return bytes
-end
-
 local function readmessage(socket, length)
   local msg = ""
   while #msg < length do
@@ -103,8 +95,8 @@ Driver =
     local NEP_CLIENT_MAC_ID = "NEPkeyforMACClient2Server"
 
     local now = nmap.clock()
-    local seqb = randombytes(4)
+    local seqb = openssl.rand_bytes(4)
-    local cnonce = randombytes(32)
+    local cnonce = openssl.rand_bytes(32)
     local nonce = snonce .. cnonce
     local enckey = self:nepkey(password, nonce, NEP_CLIENT_CIPHER_ID)
     local mackey = self:nepkey(password, nonce, NEP_CLIENT_MAC_ID)

scripts/ntp-monlist.nse

@@ -250,16 +250,15 @@ function getPrivateMode(impl, requestCode)
   -- Request Code 8bits: e.g. 0x2a (MON_GETLIST_1)
   -- Err 4bits: 0, Number of Data Items 12bits: 0
   -- MBZ 4bits: 0, Size of Data Items 12bits: 0
-  pay = string.char(
+  return string.char(
     0x17, 0x00, impl or 0x03, requestCode or 0x2a,
     0x00, 0x00, 0x00, 0x00
   )
   -- Data 40 Octets: 0
-  pay = pay .. string.char(0x00):rep(40)
+  .. string.char(0x00):rep(40)
   -- The following are optional if the Authenticated bit is set:
   -- Encryption Keyid 4 Octets: 0
   -- Message Authentication Code 16 Octets (MD5): 0
-  return pay
 end
 
 
@@ -495,16 +494,16 @@ function make_udp_packet(response)
 
   -- dummy headers
   -- ip
-  local dh = string.char(0x45, 0x00)
+  local dh = "\x45\x00" -- IPv4, 20-byte header, no DSCP, no ECN
-  dh = dh .. bin.pack('S', iplen)
+  .. bin.pack('>S', iplen) -- total length
-  dh = dh .. string.char(
+  .. "\x00\x00" -- IPID 0
-    0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
+  .. "\x40\x00" -- DF
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  .. "\x40\x11" -- TTL 0x40, UDP (proto 17)
-  -- udp
+  .. "\x00\x00" -- checksum 0
-    0x00, 0x00, 0x00, 0x00
+  .. "\x00\x00\x00\x00\x00\x00\x00\x00" -- Source, destination 0.0.0.0
-  )
+  .. "\x00\x00\x00\x00" -- UDP source, dest port 0
-  dh = dh .. bin.pack('S', udplen)
+  .. bin.pack('S', udplen) -- UDP length
-  dh = dh .. string.char(0x00, 0x00)
+  .. "\x00\x00" -- UDP checksum 0
 
   return packet.Packet:new(dh .. response, iplen)
 

scripts/p2p-conficker.nse

@@ -301,7 +301,7 @@ end
 --@return The encrypted (or decrypted) data.
 local function p2p_cipher(packet, key1, key2)
   local i
-  local buf = ""
+  local buf = {}
 
   for i = 1, #packet, 1 do
     -- Do a 64-bit rotate on key1:key2
@@ -311,7 +311,7 @@ local function p2p_cipher(packet, key1, key2)
     local k = bit.band(key1, 0x0FF)
 
     -- Xor the current character and add it to the encrypted buffer
-    buf = buf .. string.char(bit.bxor(string.byte(packet, i), k))
+    buf[i] = string.char(bit.bxor(string.byte(packet, i), k))
 
     -- Update the key with 'k'
     key1 = key1 + k
@@ -323,7 +323,7 @@ local function p2p_cipher(packet, key1, key2)
     end
   end
 
-  return buf
+  return table.concat(buf)
 end
 
 ---Decrypt the packet, verify it, and parse it. This function will fail with an error if the packet can't be

scripts/smb-check-vulns.nse

@@ -357,21 +357,21 @@ local function check_smbv2_dos(host)
   end
 
   -- From http://seclists.org/fulldisclosure/2009/Sep/0039.html with one change on the last line.
-  local buf = string.char(0x00, 0x00, 0x00, 0x90) ..  -- Begin SMB header: Session message
+  local buf = "\x00\x00\x00\x90" ..  -- Begin SMB header: Session message
-    string.char(0xff, 0x53, 0x4d, 0x42) .. -- Server Component: SMB
+    "\xff\x53\x4d\x42" .. -- Server Component: SMB
-    string.char(0x72, 0x00, 0x00, 0x00) .. -- Negociate Protocol
+    "\x72\x00\x00\x00" .. -- Negociate Protocol
-    string.char(0x00, 0x18, 0x53, 0xc8) .. -- Operation 0x18 & sub 0xc853
+    "\x00\x18\x53\xc8" .. -- Operation 0x18 & sub 0xc853
-    string.char(0x00, 0x26)             .. -- Process ID High: --> :) normal value should be ", 0x00, 0x00"
+    "\x00\x26"             .. -- Process ID High: --> :) normal value should be "\x00\x00"
-    string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfe) ..
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" ..
-    string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x6d, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54) ..
+    "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54" ..
-    string.char(0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31) ..
+    "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31" ..
-    string.char(0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00) ..
+    "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00" ..
-    string.char(0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57) ..
+    "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57" ..
-    string.char(0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61) ..
+    "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61" ..
-    string.char(0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x4c) ..
+    "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c" ..
-    string.char(0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c) ..
+    "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c" ..
-    string.char(0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00, 0x02, 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e) ..
+    "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e" ..
-    string.char(0x30, 0x30, 0x32, 0x00)
+    "\x30\x30\x32\x00"
 
   local socket = nmap.new_socket()
   if(socket == nil) then

scripts/smb-psexec.nse

@@ -824,10 +824,11 @@ local function get_config(host, config)
   elseif(nmap.registry.args.key) then
     config.key = nmap.registry.args.key
   else
-    config.key = ""
+    local tmp = {}
     for i = 1, 127, 1 do
-      config.key = config.key .. string.char(math.random(0x20, 0x7F))
+      tmp[i] = string.char(math.random(0x20, 0x7F))
     end
+    config.key = table.concat(tmp)
     config.key_index = 0
   end
 
@@ -1044,7 +1045,7 @@ end
 --@args config The config file for this host (stores the encryption key).
 --@return      The decrypted string.
 local function cipher(str, config)
-  local result = ""
+  local result = {}
   if(config.key == "") then
     return str
   end
@@ -1056,10 +1057,10 @@ local function cipher(str, config)
     config.key_index = config.key_index + 1
     config.key_index = config.key_index % #config.key
 
-    result = result .. c
+    result[i] = c
   end
 
-  return result
+  return table.concat(result)
 end
 
 local function get_overrides()

scripts/sniffer-detect.nse

@@ -101,20 +101,20 @@ action = function(host)
   pcap:pcap_open(host.interface, 64, false, "arp")
 
   local test_static = host.mac_addr_src ..
-    string.char(0x08,0x06, 0x00,0x01, 0x08,0x00, 0x06,0x04, 0x00,0x01) ..
+    "\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01" ..
     host.mac_addr_src ..
     host.bin_ip_src ..
-    string.char(0x00,0x00, 0x00,0x00, 0x00,0x00) ..
+    "\x00\x00\x00\x00\x00\x00" ..
     host.bin_ip
   local t = {
-    string.char(0xff,0xff, 0xff,0xff, 0xff,0xff), -- B32 no meaning?
+    "\xff\xff\xff\xff\xff\xff", -- B32 no meaning?
-    string.char(0xff,0xff, 0xff,0xff, 0xff,0xfe), -- B31
+    "\xff\xff\xff\xff\xff\xfe", -- B31
-    string.char(0xff,0xff, 0x00,0x00, 0x00,0x00), -- B16
+    "\xff\xff\x00\x00\x00\x00", -- B16
-    string.char(0xff,0x00, 0x00,0x00, 0x00,0x00), -- B8
+    "\xff\x00\x00\x00\x00\x00", -- B8
-    string.char(0x01,0x00, 0x00,0x00, 0x00,0x00), -- G
+    "\x01\x00\x00\x00\x00\x00", -- G
-    string.char(0x01,0x00, 0x5e,0x00, 0x00,0x00), -- M0
+    "\x01\x00\x5e\x00\x00\x00", -- M0
-    string.char(0x01,0x00, 0x5e,0x00, 0x00,0x01), -- M1 no meaning?
+    "\x01\x00\x5e\x00\x00\x01", -- M1 no meaning?
-    string.char(0x01,0x00, 0x5e,0x00, 0x00,0x03), -- M3
+    "\x01\x00\x5e\x00\x00\x03", -- M3
   }
   local v
   local out = ""

scripts/sslv2.nse

@@ -144,26 +144,24 @@ action = function(host, port)
 
   -- build client hello packet (contents inspired by
   -- http://mail.nessus.org/pipermail/plugins-writers/2004-October/msg00041.html )
-  local t = {};
+  ssl_v2_hello = "\x80\x31"
-  table.insert(t, string.char(0x80, 0x31));
+  .. "\x01"
-  table.insert(t, string.char(0x01));
+  .. "\x00\x02"
-  table.insert(t, string.char(0x00, 0x02));
+  .. "\x00\x18"
-  table.insert(t, string.char(0x00, 0x18));
+  .. "\x00\x00"
-  table.insert(t, string.char(0x00, 0x00));
+  .. "\x00\x10"
-  table.insert(t, string.char(0x00, 0x10));
+  .. "\x07\x00\xc0"
-  table.insert(t, string.char(0x07, 0x00, 0xc0));
+  .. "\x05\x00\x80"
-  table.insert(t, string.char(0x05, 0x00, 0x80));
+  .. "\x03\x00\x80"
-  table.insert(t, string.char(0x03, 0x00, 0x80));
+  .. "\x01\x00\x80"
-  table.insert(t, string.char(0x01, 0x00, 0x80));
+  .. "\x08\x00\x80"
-  table.insert(t, string.char(0x08, 0x00, 0x80));
+  .. "\x06\x00\x40"
-  table.insert(t, string.char(0x06, 0x00, 0x40));
+  .. "\x04\x00\x80"
-  table.insert(t, string.char(0x04, 0x00, 0x80));
+  .. "\x02\x00\x80"
-  table.insert(t, string.char(0x02, 0x00, 0x80));
+  .. "\xe4\xbd\x00\x00"
-  table.insert(t, string.char(0xe4, 0xbd, 0x00, 0x00));
+  .. "\xa4\x41\xb6\x74"
-  table.insert(t, string.char(0xa4, 0x41, 0xb6, 0x74));
+  .. "\x71\x2b\x27\x95"
-  table.insert(t, string.char(0x71, 0x2b, 0x27, 0x95));
+  .. "\x44\xc0\x3d\xc0"
-  table.insert(t, string.char(0x44, 0xc0, 0x3d, 0xc0));
-  ssl_v2_hello = table.concat(t, "")
 
   socket:connect(host, port, "tcp");
   socket:send(ssl_v2_hello);

scripts/stuxnet-detect.nse

@@ -35,7 +35,7 @@ categories = {"discovery", "intrusive"}
 
 
 local STUXNET_PATHS = {"\\\\browser", "\\\\ntsvcs", "\\\\pipe\\browser", "\\\\pipe\\ntsvcs"}
-local STUXNET_UUID = string.char(0xe1, 0x04, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46)
+local STUXNET_UUID = "\xe1\x04\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
 local STUXNET_VERSION = 0x01
 
 local RPC_GET_VERSION = 0x00

scripts/targets-ipv6-multicast-invalid-dst.nse

@@ -45,12 +45,8 @@ local function build_invalid_extension_header(nxt_hdr)
   -- bits; that instructs the receiver to send a Parameter Problem.
   -- Option type 0x80 is unallocated; see
   -- http://www.iana.org/assignments/ipv6-parameters/.
-  local ex_invalid_opt = string.char(0x80,0x01,0x00,0x00,0x00,0x00)
+  return string.char(nxt_hdr, 0) .. --next header, length 8
-  local ext_header =
+  "\x80\x01\x00\x00\x00\x00"
-    string.char(nxt_hdr) .. --next header
-    string.char(0) .. -- length 8
-    ex_invalid_opt
-  return ext_header
 end
 
 local function get_interfaces()
@@ -117,7 +113,7 @@ local function single_interface_broadcast(if_nfo, results)
   probe.icmpv6_type = 254
   probe.icmpv6_code = 0
   -- Add a non-empty payload too.
-  probe.icmpv6_payload = string.char(0x00, 0x00, 0x00, 0x00)
+  probe.icmpv6_payload = "\x00\x00\x00\x00"
   probe:build_icmpv6_header()
 
   probe.exheader = build_invalid_extension_header(packet.IPPROTO_ICMPV6)

scripts/tftp-enum.nse

@@ -155,39 +155,8 @@ local check_file_present = function(host, port, filename)
   return FILE_NOT_FOUND
 end
 
---- Generates a random string of the requested length. This can be used to check how hosts react to
--- weird username/password combinations.
--- @param length (optional) The length of the string to return. Default: 8.
--- @param set (optional) The set of letters to choose from. Default: upper, lower, numbers, and underscore.
--- @return The random string.
-local function get_random_string(length, set)
-  if (length == nil) then
-    length = 8
-  end
-
-  if (set == nil) then
-    set = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
-  end
-
-  local str = ""
-
-  -- Seed the random number, if we haven't already
-  if (not (nmap.registry.oracle_enum_users) or not (nmap.registry.oracle_enum_users.seeded)) then
-    math.randomseed(os.time())
-    nmap.registry.oracle_enum_users = {}
-    nmap.registry.oracle_enum_users.seeded = true
-  end
-
-  for i = 1, length, 1 do
-    local random = math.random(#set)
-    str = str .. string.sub(set, random, random)
-  end
-
-  return str
-end
-
 local check_open_tftp = function(host, port)
-  local random_name = get_random_string()
+  local random_name = stdnse.generate_random_string(8, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_")
   local ret_value = check_file_present(host, port, random_name)
   if (ret_value == FILE_FOUND or ret_value == FILE_NOT_FOUND) then
     return true