From 6d8e307ac83db3874015fc1042335fe0cb00f270 Mon Sep 17 00:00:00 2001
From: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Mon, 3 Sep 2018 22:14:16 +0000
Subject: [PATCH] Remove bin.lua from a few more scripts

---
 scripts/ipv6-node-info.nse           | 19 +++---
 scripts/ms-sql-ntlm-info.nse         |  5 +-
 scripts/ntp-info.nse                 |  6 +-
 scripts/p2p-conficker.nse            | 87 ++++++++++++++--------------
 scripts/quake3-master-getservers.nse |  7 +--
 5 files changed, 57 insertions(+), 67 deletions(-)

diff --git a/scripts/ipv6-node-info.nse b/scripts/ipv6-node-info.nse
index 71e28b048..dfea6851b 100644
--- a/scripts/ipv6-node-info.nse
+++ b/scripts/ipv6-node-info.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local dns = require "dns"
 local ipOps = require "ipOps"
 local nmap = require "nmap"
@@ -69,10 +68,8 @@ local QTYPE_STRINGS = {
 }
 
 local function build_ni_query(src, dst, qtype)
-  local payload, p, flags
-  local nonce
-
-  nonce = openssl.rand_pseudo_bytes(8)
+  local flags
+  local nonce = openssl.rand_pseudo_bytes(8)
   if qtype == QTYPE_NODENAME then
     flags = 0x0000
   elseif qtype == QTYPE_NODEADDRESSES then
@@ -84,8 +81,8 @@ local function build_ni_query(src, dst, qtype)
   else
     error("Unknown qtype " .. qtype)
   end
-  payload = bin.pack(">SSAA", qtype, flags, nonce, dst)
-  p = packet.Packet:new()
+  local payload = string.pack(">I2 I2", qtype, flags) .. nonce .. dst
+  local p = packet.Packet:new()
   p:build_icmpv6_header(ICMPv6_NODEINFOQUERY, ICMPv6_NODEINFOQUERY_IPv6ADDR, payload, src, dst)
   p:build_ipv6_packet(src, dst, packet.IPPROTO_ICMPV6)
 
@@ -129,11 +126,9 @@ end
 -- a list of DNS names. In case of a parsing error, returns false and the
 -- partial list of names that were parsed prior to the error.
 local function try_decode_nodenames(data)
-  local ttl
   local names = {}
-  local pos = nil
 
-  pos, ttl = bin.unpack(">I", data, pos)
+  local ttl, pos = string.unpack(">I4", data)
   if not ttl then
     return false, names
   end
@@ -186,7 +181,7 @@ local function stringify_nodeaddresses(flags, data)
   local pos = nil
 
   while true do
-    pos, ttl, binaddr = bin.unpack(">IA16", data, pos)
+    ttl, binaddr, pos = string.unpack(">I4 c16", data, pos)
     if not ttl then
       break
     end
@@ -228,7 +223,7 @@ local function stringify_nodeipv4addresses(flags, data)
 
   -- Okay, looks like it's really IP addresses.
   while true do
-    pos, ttl, binaddr = bin.unpack(">IA4", data, pos)
+    ttl, binaddr, pos = string.unpack(">I4 c4", data, pos)
     if not ttl then
       break
     end
diff --git a/scripts/ms-sql-ntlm-info.nse b/scripts/ms-sql-ntlm-info.nse
index 4ede2b71f..4dd987d3f 100644
--- a/scripts/ms-sql-ntlm-info.nse
+++ b/scripts/ms-sql-ntlm-info.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local os = require "os"
 local datetime = require "datetime"
 local mssql = require "mssql"
@@ -77,12 +76,12 @@ action = function(host, port)
   local recvtime = os.time()
   tdsstream:Disconnect()
 
-  local pos, ttype = bin.unpack("C", response)
+  local ttype, pos = string.unpack("B", response)
   if ttype ~= mssql.TokenType.NTLMSSP_CHALLENGE then
     return nil
   end
 
-  local pos, data = bin.unpack("<P", response, pos)
+  local data, pos = string.unpack("<s2", response, pos)
   if not string.match(data, "^NTLMSSP") then
     return nil
   end
diff --git a/scripts/ntp-info.nse b/scripts/ntp-info.nse
index 06edaa257..d72f5b563 100644
--- a/scripts/ntp-info.nse
+++ b/scripts/ntp-info.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local comm = require "comm"
 local datetime = require "datetime"
 local os = require "os"
@@ -104,7 +103,7 @@ action = function(host, port)
   if status then
     local recvtime = os.time()
 
-    local _, sec, frac = bin.unpack(">II", buftres, 33)
+    local sec, frac = string.unpack(">I4I4", buftres, 33)
     -- The NTP epoch is 1900-01-01, so subtract 70 years to bring the date into
     -- the range Lua expects. The number of seconds at 1970-01-01 is taken from
     -- the NTP4 reference above.
@@ -120,11 +119,10 @@ action = function(host, port)
   if status then
     -- This only looks at the first fragment of what can possibly be several
     -- fragments in the response.
-    local _, data, k, q, v
 
     -- Skip the first 10 bytes of the header, then get the data which is
     -- preceded by a 2-byte length.
-    _, data = bin.unpack(">P", bufrlres, 11)
+    local data = string.unpack(">s2", bufrlres, 11)
 
     -- loop over capture pairs which represent (key, value)
     local function accumulate_output (...)
diff --git a/scripts/p2p-conficker.nse b/scripts/p2p-conficker.nse
index e8cbfe529..aa4d24e04 100644
--- a/scripts/p2p-conficker.nse
+++ b/scripts/p2p-conficker.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local ipOps = require "ipOps"
 local math = require "math"
 local nmap = require "nmap"
@@ -270,22 +269,17 @@ end
 --@param data The data to create a checksum for.
 --@return An integer representing the checksum.
 local function p2p_checksum(data)
-  local pos, i
   local hash = #data
 
   stdnse.debug2("Conficker: Calculating checksum for %d-byte buffer", #data)
 
-  -- Get the first character
-  pos, i = bin.unpack("<C", data)
-  while i ~= nil do
-    local h = hash ~ i
-    -- Incorporate the current character into the checksum
-    hash = (h + h) | (h >> 31)
-    hash = hash & 0xFFFFFFFF
-
-    -- Get the next character
-    pos, i = bin.unpack("<C", data, pos)
-  end
+  data:sub(".", function(i)
+      local h = hash ~ string.byte(i)
+      -- Incorporate the current character into the checksum
+      hash = (h + h) | (h >> 31)
+      hash = hash & 0xFFFFFFFF
+    end
+    )
 
   return hash
 end
@@ -338,59 +332,64 @@ function p2p_parse(packet)
   local data = {}
 
   -- Get the key
-  pos, data['key1'], data['key2'] = bin.unpack("<II", packet, pos)
-  if(data['key2'] == nil) then
+  if #packet < 8 then
     return false, "Packet was too short [1]"
   end
+  data['key1'], data['key2'], pos = string.unpack("<I4 I4", packet, pos)
 
   -- Decrypt the second half of the packet using the key
   packet = string.sub(packet, 1, pos - 1) .. p2p_cipher(string.sub(packet, pos), data['key1'], data['key2'])
 
   -- Parse the flags
-  pos, data['flags'] = bin.unpack("<S", packet, pos)
-  if(data['flags'] == nil) then
+  if #packet - pos + 1 < 2 then
     return false, "Packet was too short [2]"
   end
+  data['flags'], pos = string.unpack("<I2", packet, pos)
 
   -- Get the IP, if it's present
   if(data['flags'] & mode_flags.FLAG_IP_INCLUDED) ~= 0 then
-    pos, data['ip'], data['port'] = bin.unpack("<IS", packet, pos)
-    if(data['ip'] == nil) then
+    if #packet - pos + 1 < 6 then
       return false, "Packet was too short [3]"
     end
+    data['ip'], data['port'], pos = string.unpack("<I4 I2", packet, pos)
   end
 
   -- Read the first unknown value, if present
   if(data['flags'] & mode_flags.FLAG_UNKNOWN0_INCLUDED) ~= 0 then
-    pos, data['unknown0'] = bin.unpack("<I", packet, pos)
-    if(data['unknown0'] == nil) then
+    if #packet - pos + 1 < 4 then
       return false, "Packet was too short [3]"
     end
+    data['unknown0'], pos = string.unpack("<I4", packet, pos)
   end
 
   -- Read the second unknown value, if present
   if(data['flags'] & mode_flags.FLAG_UNKNOWN1_INCLUDED) ~= 0 then
-    pos, data['unknown1'] = bin.unpack("<I", packet, pos)
-    if(data['unknown1'] == nil) then
+    if #packet - pos + 1 < 4 then
       return false, "Packet was too short [4]"
     end
+    data['unknown1'], pos = string.unpack("<I4", packet, pos)
   end
 
   -- Read the data, if present
   if(data['flags'] & mode_flags.FLAG_DATA_INCLUDED) ~= 0 then
-    pos, data['data_flags'], data['data_length'] = bin.unpack("<CS", packet, pos)
-    if(data['data_length'] == nil) then
+    if #packet - pos + 1 < 3 then
       return false, "Packet was too short [5]"
     end
-    pos, data['data'] = bin.unpack(string.format("A%d", data['data_length']), packet, pos)
-    if(data['data'] == nil) then
+    data['data_flags'], data['data_length'], pos = string.unpack("<B I2", packet, pos)
+    if #packet - pos + 1 < data.data_length then
       return false, "Packet was too short [6]"
     end
+    data['data'], pos = string.unpack(("c%d"):format(data['data_length']), packet, pos)
   end
 
   -- Read the sysinfo, if present
   if(data['flags'] & mode_flags.FLAG_SYSINFO_INCLUDED) ~= 0 then
-    pos, data['sysinfo_systemtestflags'],
+    local sysinfo_format = "<I2 BBI2 BB I2 I4 I2I2I4I2I2"
+    if #packet - pos + 1 < string.packsize(sysinfo_format) then
+      return false, "Packet was too short [7]"
+    end
+
+    data['sysinfo_systemtestflags'],
     data['sysinfo_os_major'],
     data['sysinfo_os_minor'],
     data['sysinfo_os_build'],
@@ -402,20 +401,17 @@ function p2p_parse(packet)
     data['sysinfo_unknown1'],
     data['sysinfo_unknown2'],
     data['sysinfo_unknown3'],
-    data['sysinfo_unknown4'] = bin.unpack("<SCCSCCSISSISS", packet, pos)
-    if(data['sysinfo_unknown4'] == nil) then
-      return false, "Packet was too short [7]"
-    end
+    data['sysinfo_unknown4'], pos = string.unpack(sysinfo_format, packet, pos)
   end
 
   -- Pull out the data that's used in the hash
   data['hash_data'] = string.sub(packet, 1, pos - 1)
 
   -- Read the hash
-  pos, data['hash'] = bin.unpack("<I", packet, pos)
-  if(data['hash'] == nil) then
+  if #packet - pos + 1 < 4 then
     return false, "Packet was too short [8]"
   end
+  data['hash'], pos = string.unpack("<I4", packet, pos)
 
   -- Record the noise
   data['noise'] = string.sub(packet, pos)
@@ -456,18 +452,18 @@ local function p2p_create_packet(protocol, do_encryption)
   end
 
   -- Add the key and flags that are always present (and skip over the boring stuff)
-  local packet = bin.pack("<IIS", key1, key2, flags)
+  local packet = string.pack("<I4 I4 I2", key1, key2, flags)
 
   -- Generate the checksum for the packet
   local hash = p2p_checksum(packet)
-  packet = packet .. bin.pack("<I", hash)
+  packet = packet .. string.pack("<I4", hash)
 
   -- Encrypt the full packet, except for the key and optional length
   packet = string.sub(packet, 1, 8) .. p2p_cipher(string.sub(packet, 9), key1, key2)
 
   -- Add the length in front if it's TCP
   if(protocol == "tcp") then
-    packet = bin.pack("<P", packet)
+    packet = string.pack("<s2", packet)
   end
 
   return true, packet
@@ -512,16 +508,20 @@ local function conficker_check(ip, port, protocol)
     return false, "Timeout"
   elseif(response == "EOF") then
     return false, "Couldn't connect"
+  elseif #response < 2 then
+    return false, "Data too short"
   end
 
   -- If it's TCP, get the length and make sure we have the full packet
   if(protocol == "tcp") then
-    local _, length = bin.unpack("<S", response, 1)
+    local length = string.unpack("<I2", response)
 
-    while length > (#response - 2) do
-      local response2
+    -- Only try for 2 timeouts to get the whole packet
+    local tries = 2
+    while length > (#response - 2) and tries > 0 do
+      tries = tries - 1
 
-      status, response2 = socket:receive_bytes(2)
+      local status, response2 = socket:receive_bytes(length - (#response - 2))
       if(status == false) then
         return false, "Couldn't receive bytes: " .. response2
       elseif(response2 == "ERROR") then
@@ -593,9 +593,8 @@ action = function(host)
 
   -- Reverse the IP's endianness
   ip = ipOps.todword(ip)
-  ip = bin.pack(">I", ip)
-  local _
-  _, ip = bin.unpack("<I", ip)
+  ip = string.pack(">I4", ip)
+  ip = string.unpack("<I4", ip)
 
   -- Generate the ports
   local generated_ports = prng_generate_ports(ip, seed)
diff --git a/scripts/quake3-master-getservers.nse b/scripts/quake3-master-getservers.nse
index b237540b9..20b39a30b 100644
--- a/scripts/quake3-master-getservers.nse
+++ b/scripts/quake3-master-getservers.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local ipOps = require "ipOps"
 local nmap = require "nmap"
 local shortport = require "shortport"
@@ -78,7 +77,7 @@ local function getservers(host, port, q3protocol)
   if not status then
     return {}
   end
-  local probe = bin.pack("CCCCA", 0xff, 0xff, 0xff, 0xff, string.format("getservers %s empty full\n", q3protocol))
+  local probe = string.format("\xff\xff\xff\xffgetservers %s empty full\n", q3protocol)
   socket:send(probe)
 
   local data
@@ -88,7 +87,7 @@ local function getservers(host, port, q3protocol)
   end
   nmap.set_port_state(host, port, "open")
 
-  local magic = bin.pack("CCCCA", 0xff, 0xff, 0xff, 0xff, "getserversResponse")
+  local magic = "\xff\xff\xff\xffgetserversResponse"
   local tmp
   while #data < #magic do -- get header
     status, tmp = socket:receive()
@@ -103,7 +102,7 @@ local function getservers(host, port, q3protocol)
   port.version.name = "quake3-master"
   nmap.set_port_version(host, port)
 
-  local EOT = bin.pack("ACCC", "EOT", 0, 0, 0)
+  local EOT = "EOT\0\0\0"
   local pieces = stdnse.strsplit("\\", data)
   while pieces[#pieces] ~= EOT do -- get all data
     status, tmp = socket:receive()