From a5ad8c15c80330d01f54a482cbed22958fa7b4b5 Mon Sep 17 00:00:00 2001 From: dmiller Date: Sat, 8 Sep 2018 17:07:01 +0000 Subject: [PATCH] Remove bin.lua from the last of the NSE scripts (libraries still use it) --- scripts/llmnr-resolve.nse | 23 +++++------- scripts/mrinfo.nse | 33 ++++++++-------- scripts/mtrace.nse | 79 +++++++++++++++------------------------ scripts/nping-brute.nse | 21 +++++------ scripts/nrpe-enum.nse | 22 +++++------ scripts/omron-info.nse | 42 ++++++++++----------- scripts/s7-info.nse | 38 ++++++++----------- 7 files changed, 113 insertions(+), 145 deletions(-) diff --git a/scripts/llmnr-resolve.nse b/scripts/llmnr-resolve.nse index a8e9a0240..25d2acd17 100644 --- a/scripts/llmnr-resolve.nse +++ b/scripts/llmnr-resolve.nse @@ -1,7 +1,6 @@ local nmap = require "nmap" local stdnse = require "stdnse" local table = require "table" -local bin = require "bin" local packet = require "packet" local ipOps = require "ipOps" local target = require "target" @@ -54,14 +53,14 @@ categories = {"discovery", "safe", "broadcast"} -- @param hostname Hostname to query for. -- @return query Raw llmnr query. local llmnrQuery = function(hostname) - return bin.pack(">S6pCS2", + return string.pack(">I2I2I2I2I2I2 s1x I2I2", math.random(0,65535), -- transaction ID 0x0000, -- Flags: Standard Query 0x0001, -- Questions = 1 0x0000, -- Answer RRs = 0 0x0000, -- Authority RRs = 0 0x0000, -- Additional RRs = 0 - hostname, 0x00, -- Hostname + hostname, -- Hostname 0x0001, -- Type: Host Address 0x0001) -- Class: IN end @@ -102,10 +101,7 @@ local llmnrListen = function(interface, timeout, result) -- Skip IP and UDP headers local llmnr = string.sub(l3data, p.ip_hl*4 + 8 + 1) -- Flags - local _, trans = bin.unpack(">S", llmnr) - local _, flags = bin.unpack(">S", llmnr, 3) - -- Questions number - local _, questions = bin.unpack(">S", llmnr, 5) + local trans, flags, questions = string.unpack(">I2 I2 I2", llmnr) -- Make verifications -- Message == Response bit @@ -114,20 +110,19 @@ local llmnrListen = function(interface, timeout, result) stdnse.debug1("got response from %s", p.ip_src) -- Skip header's 12 bytes -- extract host length - local index, qlen = bin.unpack(">C", llmnr, 13) + local qlen, index = string.unpack(">B", llmnr, 13) -- Skip hostname, null byte, type field and class field index = index + qlen + 1 + 2 + 2 -- Now, answer record local response, alen = {} - index, alen = bin.unpack(">C", llmnr, index) -- Extract hostname with the correct case sensitivity. - index, response.hostname = bin.unpack(">A".. alen, llmnr, index) + response.hostname, index = string.unpack(">s1x", llmnr, index) - -- skip null byte, type, class, ttl, dlen - index = index + 1 + 2 + 2 + 4 + 2 - index, response.address = bin.unpack(">I", llmnr, index) - response.address = ipOps.fromdword(response.address) + -- skip type, class, ttl, dlen + index = index + 2 + 2 + 4 + 2 + response.address, index = string.unpack(">c4", llmnr, index) + response.address = ipOps.str_to_ip(response.address) table.insert(result, response) else stdnse.debug1("skipped llmnr response.") diff --git a/scripts/mrinfo.nse b/scripts/mrinfo.nse index 6a9cd94a7..fb7284f6e 100644 --- a/scripts/mrinfo.nse +++ b/scripts/mrinfo.nse @@ -1,7 +1,6 @@ local nmap = require "nmap" local packet = require "packet" local ipOps = require "ipOps" -local bin = require "bin" local stdnse = require "stdnse" local string = require "string" local target = require "target" @@ -93,36 +92,36 @@ local mrinfoParse = function(data) if data:byte(1) ~= 0x13 then return end -- DVMRP Code - index, response.code = bin.unpack(">C", data, 2) + response.code, -- Checksum - index, response.checksum = bin.unpack(">S", data, index) + response.checksum, -- Capabilities (Skip one reserved byte) - index, response.capabilities = bin.unpack(">C", data, index + 1) + response.capabilities, -- Major and minor version - index, response.minver = bin.unpack(">C", data, index) - index, response.majver = bin.unpack(">C", data, index) + response.minver, + response.majver, index = string.unpack(">B I2 x B B B", data, 2) response.addresses = {} -- Iterate over target local addresses (interfaces) while index < #data do if data:byte(index) == 0x00 then break end address = {} -- Local address - index, address.ip = bin.unpack(">I", data, index) - address.ip = ipOps.fromdword(address.ip) + address.ip, -- Link metric - index, address.metric = bin.unpack(">C", data, index) + address.metric, -- Threshold - index, address.threshold= bin.unpack(">C", data, index) + address.threshold, -- Flags - index, address.flags = bin.unpack(">C", data, index) + address.flags, -- Number of neighbors - index, address.ncount = bin.unpack(">C", data, index) + address.ncount, index = string.unpack(">c4BBBB", data, index) + address.ip = ipOps.str_to_ip(address.ip) address.neighbors = {} -- Iterate over neighbors for i = 1, address.ncount do - index, neighbor = bin.unpack(">I", data, index) - table.insert(address.neighbors, ipOps.fromdword(neighbor)) + neighbor, index = string.unpack(">c4", data, index) + table.insert(address.neighbors, ipOps.str_to_ip(neighbor)) end table.insert(response.addresses, address) end @@ -166,7 +165,7 @@ end -- Function that generates a raw DVMRP Ask Neighbors 2 request. local mrinfoRaw = function() - local mrinfo_raw = bin.pack(">CCSSCC", + local mrinfo_raw = string.pack(">BB I2 I2 BB", 0x13, -- Type: DVMRP 0x05, -- Code: Ask Neighbor v2 0x0000, -- Checksum: Calculated later @@ -176,7 +175,7 @@ local mrinfoRaw = function() 0x0c) -- Major version: 12 -- Calculate checksum - mrinfo_raw = mrinfo_raw:sub(1,2) .. bin.pack(">S", packet.in_cksum(mrinfo_raw)) .. mrinfo_raw:sub(5) + mrinfo_raw = mrinfo_raw:sub(1,2) .. string.pack(">I2", packet.in_cksum(mrinfo_raw)) .. mrinfo_raw:sub(5) return mrinfo_raw end @@ -204,7 +203,7 @@ local mrinfoQuery = function(interface, dstip) if dstip == "224.0.0.1" then sock:ethernet_open(interface.device) -- Ethernet IPv4 multicast, our ethernet address and packet type IP - eth_hdr = bin.pack("HAH", "01 00 5e 00 00 01", interface.mac, "08 00") + eth_hdr = "\x01\x00\x5e\x00\x00\x01" .. interface.mac .. "\x08\x00" sock:ethernet_send(eth_hdr .. mrinfo_packet.buf) sock:ethernet_close() else diff --git a/scripts/mtrace.nse b/scripts/mtrace.nse index 496ff1706..4df793524 100644 --- a/scripts/mtrace.nse +++ b/scripts/mtrace.nse @@ -1,7 +1,6 @@ local nmap = require "nmap" local packet = require "packet" local ipOps = require "ipOps" -local bin = require "bin" local stdnse = require "stdnse" local table = require "table" local math = require "math" @@ -119,7 +118,7 @@ end --@param receiver Receiver of the response. --@return data Raw Traceroute Query. local traceRaw = function(fromip, toip, group, receiver) - local data = bin.pack(">CCSIIIICCS", + local data = string.pack(">BBI2 I4 I4 I4 I4 BBI2", 0x1f, -- Type: Traceroute Query 0x20, -- Hops: 32 0x0000, -- Checksum: To be set later @@ -132,7 +131,7 @@ local traceRaw = function(fromip, toip, group, receiver) ) -- We calculate checksum - data = data:sub(1,2) .. bin.pack(">S", packet.in_cksum(data)) .. data:sub(5) + data = data:sub(1,2) .. string.pack(">I2", packet.in_cksum(data)) .. data:sub(5) return data end @@ -159,7 +158,7 @@ local traceSend = function(interface, destination, trace_raw) if destination == "224.0.0.2" then sock:ethernet_open(interface.device) -- Ethernet IPv4 multicast, our ethernet address and packet type IP - local eth_hdr = bin.pack("HAH", "01 00 5e 00 00 02", interface.mac, "08 00") + local eth_hdr = "\x01\x00\x5e\x00\x00\x02" .. interface.mac .. "\x08\x00" sock:ethernet_send(eth_hdr .. trace_packet.buf) sock:ethernet_close() else @@ -180,33 +179,26 @@ local traceParse = function(data) if data:byte(1) ~= 0x1e then return end -- Hops - index, response.hops = bin.unpack(">C", data, 2) - + response.hops, -- Checksum - index, response.checksum = bin.unpack(">S", data, index) - + response.checksum, -- Group - index, response.group = bin.unpack(">I", data, index) - response.group = ipOps.fromdword(response.group) - + response.group, -- Source address - index, response.source = bin.unpack(">I", data, index) - response.source = ipOps.fromdword(response.source) - + response.source, -- Destination address - index, response.destination = bin.unpack(">I", data, index) - response.receiver = ipOps.fromdword(response.destination) - + response.destination, -- Response address - index, response.response = bin.unpack(">I", data, index) - response.response = ipOps.fromdword(response.response) - + response.response, -- Response TTL - index, response.ttl = bin.unpack(">C", data, index) - + response.ttl, -- Query ID - index, response.qid = bin.unpack(">C", data, index) - index, response.qid = response.qid * 2^16 + bin.unpack(">S", data, index) + response.qid, index = string.unpack(">B I2 I4 I4 I4 I4 B I3", data, 2) + + response.group = ipOps.fromdword(response.group) + response.source = ipOps.fromdword(response.source) + response.receiver = ipOps.fromdword(response.destination) + response.response = ipOps.fromdword(response.response) local block response.blocks = {} @@ -222,40 +214,31 @@ local traceParse = function(data) block = {} -- Query Arrival - index, block.query = bin.unpack(">I", data, index) - + block.query, -- In itf address - index, block.inaddr = bin.unpack(">I", data, index) - block.inaddr = ipOps.fromdword(block.inaddr) - + block.inaddr, -- Out itf address - index, block.outaddr = bin.unpack(">I", data, index) - block.outaddr = ipOps.fromdword(block.outaddr) - + block.outaddr, -- Previous rtr address - index, block.prevaddr = bin.unpack(">I", data, index) - block.prevaddr = ipOps.fromdword(block.prevaddr) - + block.prevaddr, -- In packets - index, block.inpkts = bin.unpack(">I", data, index) - + block.inpkts, -- Out packets - index, block.outpkts = bin.unpack(">I", data, index) - + block.outpkts, -- S,G pkt count - index, block.sgpkt = bin.unpack(">I", data, index) - + block.sgpkt, -- Protocol - index, block.proto = bin.unpack(">C", data, index) - + block.proto, -- Forward TTL - index, block.fwdttl = bin.unpack(">C", data, index) - + block.fwdttl, -- Options - index, block.options = bin.unpack(">C", data, index) - + block.options, -- Forwarding Code - index, block.code = bin.unpack(">C", data, index) + block.code, index = string.unpack(">I4 I4 I4 I4 I4 I4 I4 BBBB", data, index) + + block.inaddr = ipOps.fromdword(block.inaddr) + block.outaddr = ipOps.fromdword(block.outaddr) + block.prevaddr = ipOps.fromdword(block.prevaddr) table.insert(response.blocks, block) end diff --git a/scripts/nping-brute.nse b/scripts/nping-brute.nse index 6d4db5539..89577f9b8 100644 --- a/scripts/nping-brute.nse +++ b/scripts/nping-brute.nse @@ -1,9 +1,9 @@ -local bin = require "bin" local brute = require "brute" local creds = require "creds" local nmap = require "nmap" local shortport = require "shortport" local stdnse = require "stdnse" +local string = require "string" local openssl = stdnse.silent_require "openssl" @@ -66,25 +66,24 @@ Driver = for i = 1, 1000 do h = openssl.digest(self.SHA256, h) end - local _, key = bin.unpack("A16", h) - return key + return string.unpack("c16", h) end, getservernonce = function(self, serverhs) - local parts = {bin.unpack("CC>S>I>Ix4A32x15A32", serverhs)} - return parts[7] + local offset = 63 -- 63 bytes of header before the nonce + return serverhs:sub(offset+1, offset+4) end, chsbody = function(self) - local IP4 = 0x04 - local IP6 = 0x06 + local IP4 = "\x04" + local IP6 = "\x06" local family = IP6 local target = self.host.bin_ip if #target == 4 then - target = bin.pack("Ax12", target) + target = target .. ("\0"):rep(12) family = IP4 end - return bin.pack("ACx15", target, family) + return target .. family .. ("\0"):rep(15) end, clienths = function(self, snonce, password) @@ -99,10 +98,10 @@ Driver = local nonce = snonce .. cnonce local enckey = self:nepkey(password, nonce, NEP_CLIENT_CIPHER_ID) local mackey = self:nepkey(password, nonce, NEP_CLIENT_MAC_ID) - local _, iv = bin.unpack("A16", cnonce) + local iv = string.unpack("c16", cnonce) local plain = self:chsbody() local crypted = openssl.encrypt(self.AES_128_CBC, enckey, iv, plain) - local head = bin.pack("CC>SA>Ix4A", self.NEP_VERSION, NEP_HANDSHAKE_CLIENT, NEP_HANDSHAKE_CLIENT_LEN, seqb, now, nonce) + local head = string.pack(">BB I2 c4 I4 x4", self.NEP_VERSION, NEP_HANDSHAKE_CLIENT, NEP_HANDSHAKE_CLIENT_LEN, seqb, now) .. nonce local mac = openssl.hmac(self.SHA256, mackey, head .. plain) return head .. crypted .. mac diff --git a/scripts/nrpe-enum.nse b/scripts/nrpe-enum.nse index d6ca1b282..14628aabd 100644 --- a/scripts/nrpe-enum.nse +++ b/scripts/nrpe-enum.nse @@ -1,4 +1,3 @@ -local bin = require "bin" local nmap = require "nmap" local shortport = require "shortport" local stdnse = require "stdnse" @@ -134,31 +133,30 @@ end local nrpe_write = function(cmd) -- Create request packet, before checksum. - local pkt = bin.pack(">SSISAAS", + local pkt = string.pack(">I2 I2 I4 I2", 2, 1, 0, - 0, - cmd, - string.rep("\0", 1024 - #cmd), 0) + .. cmd + .. string.rep("\0", 1024 - #cmd) + .. "\0\0" -- Calculate the checksum, and insert it into the packet. - pkt = pkt:sub(1,4) .. bin.pack(">I", crc32(pkt)) .. pkt:sub(9) + pkt = pkt:sub(1,4) .. string.pack(">I4", crc32(pkt)) .. pkt:sub(9) return pkt end local nrpe_read = function(pkt) - local i local result = {} -- Parse packet. - i, result.version = bin.unpack(">S", pkt, i) - i, result.type = bin.unpack(">S", pkt, i) - i, result.crc32 = bin.unpack(">I", pkt, i) - i, result.state = bin.unpack(">S", pkt, i) - i, result.data = bin.unpack("z", pkt, i) + result.version, + result.type, + result.crc32, + result.state, + result.data = string.unpack(">I2 I2 I4 I2 z", pkt) return result end diff --git a/scripts/omron-info.nse b/scripts/omron-info.nse index b260c98cb..54561c4f9 100644 --- a/scripts/omron-info.nse +++ b/scripts/omron-info.nse @@ -1,7 +1,7 @@ -local bin = require "bin" local nmap = require "nmap" local shortport = require "shortport" local stdnse = require "stdnse" +local string = require "string" description = [[ This NSE script is used to send a FINS packet to a remote device. The script @@ -103,16 +103,16 @@ function send_tcp(socket) local req_addr = stdnse.fromhex( "46494e530000000c000000000000000000000000") -- TCP requires a network address that is revived from the first request, -- The read controller data these two strings will be joined with the address - local controller_data_read = "46494e5300000015000000020000000080000200" - local controller_data_read2 = "000000ef050501" + local controller_data_read = stdnse.fromhex("46494e5300000015000000020000000080000200") + local controller_data_read2 = stdnse.fromhex("000000ef050501") -- send Request Information Packet socket:send(req_addr) local rcvstatus, response = socket:receive() - local pos, header = bin.unpack("C", response, 1) + local header = string.byte(response, 1) if(header == 0x46) then - local pos, address = bin.unpack("C",response,24) - local controller_data = bin.pack("HCHC", controller_data_read, address, controller_data_read2, 0x00) + local address = string.byte(response, 24) + local controller_data = ("%s%c%s%c"):format(controller_data_read, address, controller_data_read2, 0x00) -- send the read controller data request socket:send(controller_data) local rcvstatus, response = socket:receive() @@ -155,11 +155,10 @@ action = function(host,port) response = send_udp(socket) end -- unpack the first byte for checking that it was a valid response - local pos, header = bin.unpack("C", response, 1) + local header = string.unpack("B", response, 1) if(header == 0xc0 or header == 0xc1 or header == 0x46) then set_nmap(host, port) - local response_code - pos, response_code = bin.unpack("S", response, 95 + offset) - pos, output["IOM size"] = bin.unpack("C", response, pos) - pos, output["No. DM Words"] = bin.unpack(">S", response, pos) - pos, output["Timer/Counter"] = bin.unpack("C", response, pos) - pos, output["Expansion DM Size"] = bin.unpack("C", response, pos) - pos, output["No. of steps/transitions"] = bin.unpack(">S", response, pos) + output["Response Code"] = "Normal completion (0x0000)" + output["Controller Model"] = string.unpack("z", response,15 + offset) + output["Controller Version"] = string.unpack("z", response, 35 + offset) + output["For System Use"] = string.unpack("z", response, 55 + offset) + local pos + output["Program Area Size"], pos = string.unpack(">I2", response, 95 + offset) + output["IOM size"], pos = string.unpack("B", response, pos) + output["No. DM Words"], pos = string.unpack(">I2", response, pos) + output["Timer/Counter"], pos = string.unpack("B", response, pos) + output["Expansion DM Size"], pos = string.unpack("B", response, pos) + output["No. of steps/transitions"], pos = string.unpack(">I2", response, pos) local mem_card_type - pos, mem_card_type = bin.unpack("C", response, pos) + mem_card_type, pos = string.unpack("B", response, pos) output["Kind of Memory Card"] = memory_card(mem_card_type) - pos, output["Memory Card Size"] = bin.unpack(">S", response, pos) + output["Memory Card Size"], pos = string.unpack(">I2", response, pos) else output["Response Code"] = "Unknown Response Code" diff --git a/scripts/s7-info.nse b/scripts/s7-info.nse index fbc87c7a0..c9280b7d4 100644 --- a/scripts/s7-info.nse +++ b/scripts/s7-info.nse @@ -1,4 +1,3 @@ -local bin = require "bin" local nmap = require "nmap" local shortport = require "shortport" local stdnse = require "stdnse" @@ -87,22 +86,17 @@ end -- @param output Table used for output for return to Nmap local function parse_response(response, host, port, output) -- unpack the protocol ID - local pos, value = bin.unpack("C", response, 8) + local value = string.byte(response, 8) -- unpack the second byte of the SZL-ID - local pos, szl_id = bin.unpack("C", response, 31) - -- set the offset to 0 - local offset = 0 + local szl_id = string.byte(response, 31) -- if the protocol ID is 0x32 if (value == 0x32) then - local pos -- unpack the module information - pos, output["Module"] = bin.unpack("z", response, 44) + output["Module"] = string.unpack("z", response, 44) -- unpack the basic hardware information - pos, output["Basic Hardware"] = bin.unpack("z", response, 72) - -- set version number to 0 - local version = 0 + output["Basic Hardware"] = string.unpack("z", response, 72) -- parse version number - local pos, char1, char2, char3 = bin.unpack("CCC", response, 123) + local char1, char2, char3 = string.unpack("BBB", response, 123) -- concatenate string, or if string is nil make version number 0.0 output["Version"] = table.concat({char1 or "0.0", char2, char3}, ".") -- return the output table @@ -124,9 +118,9 @@ end local function second_parse_response(response, output) local offset = 0 -- unpack the protocol ID - local pos, value = bin.unpack("C", response, 8) + local value = string.byte(response, 8) -- unpack the second byte of the SZL-ID - local pos, szl_id = bin.unpack("C", response, 31) + local szl_id = string.byte(response, 31) -- if the protocol ID is 0x32 if (value == 0x32) then -- if the szl-ID is not 0x1c @@ -135,15 +129,15 @@ local function second_parse_response(response, output) offset = 4 end -- parse system name - pos, output["System Name"] = bin.unpack("z", response, 40 + offset) + output["System Name"] = string.unpack("z", response, 40 + offset) -- parse module type - pos, output["Module Type"] = bin.unpack("z", response, 74 + offset) + output["Module Type"] = string.unpack("z", response, 74 + offset) -- parse serial number - pos, output["Serial Number"] = bin.unpack("z", response, 176 + offset) + output["Serial Number"] = string.unpack("z", response, 176 + offset) -- parse plant identification - pos, output["Plant Identification"] = bin.unpack("z", response, 108 + offset) + output["Plant Identification"] = string.unpack("z", response, 108 + offset) -- parse copyright - pos, output["Copyright"] = bin.unpack("z", response, 142 + offset) + output["Copyright"] = string.unpack("z", response, 142 + offset) -- for each element in the table, if it is nil, then remove the information from the table for key, value in pairs(output) do @@ -210,7 +204,7 @@ local COTP = stdnse.fromhex( "0300001611e00000001400c1020100c2020" .. "102" .. " -- send and receive the COTP Packet response = send_receive(sock, COTP) -- unpack the PDU Type - local pos, CC_connect_confirm = bin.unpack("C", response, 6) + local CC_connect_confirm = string.byte(response, 6) -- if PDU type is not 0xd0, then not a successful COTP connection if ( CC_connect_confirm ~= 0xd0) then sock:close() @@ -224,7 +218,7 @@ local COTP = stdnse.fromhex( "0300001611e00000001400c1020100c2020" .. "102" .. " return nil end response = send_receive(sock, alt_COTP) - local pos, CC_connect_confirm = bin.unpack("C", response, 6) + local CC_connect_confirm = string.byte(response, 6) if ( CC_connect_confirm ~= 0xd0) then stdnse.debug1('S7 INFO:: Could not negotiate COTP') return nil @@ -233,14 +227,14 @@ local COTP = stdnse.fromhex( "0300001611e00000001400c1020100c2020" .. "102" .. " -- send and receive the ROSCTR Setup Packet response = send_receive(sock, ROSCTR_Setup) -- unpack the protocol ID - local pos, protocol_id = bin.unpack("C", response, 8) + local protocol_id = string.byte(response, 8) -- if protocol ID is not 0x32 then return nil if ( protocol_id ~= 0x32) then return nil end -- send and receive the READ_SZL packet response = send_receive(sock, Read_SZL) - local pos, protocol_id = bin.unpack("C", response, 8) + local protocol_id = string.byte(response, 8) -- if protocol ID is not 0x32 then return nil if ( protocol_id ~= 0x32) then return nil