diff --git a/scripts/broadcast-ataoe-discover.nse b/scripts/broadcast-ataoe-discover.nse
index 5a4644826..d3a62851f 100644
--- a/scripts/broadcast-ataoe-discover.nse
+++ b/scripts/broadcast-ataoe-discover.nse
@@ -1,8 +1,8 @@
-local bin = require "bin"
 local math = require "math"
 local nmap = require "nmap"
 local packet = require "packet"
 local stdnse = require "stdnse"
+local string = require "string"
 local table = require "table"
 description = [[
@@ -63,9 +63,9 @@ ATAoE = {
 local header = ATAoE.Header:new()
 local pos, verflags
- pos, verflags, header.error,
+ verflags, header.error,
 header.major, header.minor,
- header.cmd, header.tag = bin.unpack(">CCSCCI", data)
+ header.cmd, header.tag, pos = string.unpack(">BBI2BBI4", data)
 header.version = verflags >> 4
 header.flags = verflags & 0x0F
 return header
@@ -75,7 +75,7 @@ ATAoE = {
 __tostring = function(self)
 assert(self.tag, "No tag was specified in Config Info Request")
 local verflags = self.version << 4
- return bin.pack(">CCSCCI", verflags, self.error, self.major, self.minor, self.cmd, self.tag)
+ return string.pack(">BBI2BBI4", verflags, self.error, self.major, self.minor, self.cmd, self.tag)
 end,
 },
@@ -106,7 +106,7 @@ local function sendConfigInfoRequest(iface)
 local p = packet.Frame:new()
 p.mac_src = iface.mac
 p.mac_dst = packet.mactobin(ETHER_BROADCAST)
- p.ether_type = bin.pack(">S", P_ATAOE)
+ p.ether_type = string.pack(">I2", P_ATAOE)
 p.buf = tostring(req)
 p:build_ether_frame()
diff --git a/scripts/broadcast-ping.nse b/scripts/broadcast-ping.nse
index 5604f5033..4c8f89462 100644
--- a/scripts/broadcast-ping.nse
+++ b/scripts/broadcast-ping.nse
@@ -1,10 +1,10 @@
-local bin = require "bin"
 local coroutine = require "coroutine"
 local ipOps = require "ipOps"
 local nmap = require "nmap"
 local packet = require "packet"
 local stdnse = require "stdnse"
 local tab = require "tab"
+local string = require "string"
 local table = require "table"
 local target = require "target"
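Review bot: In the `parse` hunk of broadcast-ataoe-discover.nse, `pos` now only receives the trailing position from `string.unpack` and is never read before `return header`, so the declaration can shrink to `local verflags` and the target list can drop `, pos`. `string.unpack(">BBI2BBI4", data)` raises when `data` holds fewer than 10 bytes; the removed `bin.unpack` would have left `verflags` nil and failed on `verflags >> 4` instead, so this is not a regression, but an explicit `if #data < 10 then return nil end` before the unpack would give the caller a value to test rather than an error. The enclosing `parse` function starts outside the hunk, and the other three hunks on this line are equivalent repacks that need no change.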
@@ -102,22 +102,24 @@ local icmp_packet = function(srcIP, dstIP, ttl, data_length, mtu, seqNo, icmp_id
 end
 -- Type=08; Code=00; Chksum=0000; ID=icmp_id; SeqNo=icmp_seqNo; Payload=icmp_payload(hex string);
- local icmp_msg = bin.pack(">CCSASA", 8, 0, 0, icmp_id, seqNo, icmp_payload)
+ local icmp_msg = string.pack(">BBI2", 8, 0, 0) .. icmp_id .. string.pack("I2", seqNo) .. icmp_payload
 local icmp_checksum = packet.in_cksum(icmp_msg)
- icmp_msg = bin.pack(">CCSASA", 8, 0, icmp_checksum, icmp_id, seqNo, icmp_payload)
+ icmp_msg = string.pack(">BBI2", 8, 0, icmp_checksum) .. icmp_id .. string.pack("I2", seqNo) .. icmp_payload
 --IP header
- local ip_bin = bin.pack(">ASSACCx10", -- x10 = checksum & addresses "\x45\x00", -- IPv4, no options, no DSCN, no ECN
+ local ip_bin = "\x45\x00", -- IPv4, no options, no DSCN, no ECN
+ string.pack(">I2I2", 20 + #icmp_msg, -- total length
- 0, -- IP ID
- "\x40\x00", -- DF
+ 0) -- IP ID
+ .. "\x40\x00" -- DF
+ .. string.pack("CC", ttl, 1 -- ICMP
 )
+ .. ("\0"):rep(10) -- checksum & addresses
 -- IP+ICMP; Addresses and checksum need to be filled
 local icmp_bin = ip_bin .. icmp_msg
diff --git a/scripts/krb5-enum-users.nse b/scripts/krb5-enum-users.nse
index 084c6b8c6..05668eb7e 100644
--- a/scripts/krb5-enum-users.nse
+++ b/scripts/krb5-enum-users.nse
@@ -1,5 +1,4 @@
 local asn1 = require "asn1"
-local bin = require "bin"
 local coroutine = require "coroutine"
 local nmap = require "nmap"
 local os = require "os"
@@ -140,9 +139,9 @@ KRB5 = {
 local len = asn1.ASN1Encoder.encodeLength(#val[1])
 if ( val._type and types[val._type] ) then
- return bin.pack("CAA", types[val._type], len, val[1])
+ return string.pack("B", types[val._type]) .. len .. val[1]
 elseif ( val._type and 'number' == type(val._type) ) then
- return bin.pack("CAA", val._type, len, val[1])
+ return string.pack("B", val._type) .. len .. val[1]
 end
 end,
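Review bot: The new `local ip_bin = "\x45\x00",` line in broadcast-ping.nse turns the header build into a multiple assignment: the comma makes the whole `string.pack(...) .. "\x40\x00" .. ...` chain a second, discarded value, so `ip_bin` ends up as the two bytes `"\x45\x00"` and the IP header glued onto `icmp_msg` is 18 bytes short; the comma has to become `..`. Before that is even reached, `string.pack("CC", ttl, 1 -- ICMP` uses `C`, which is not a Lua 5.3 format option (the byte option is `B`, as the other converted lines use), so `string.pack` raises `invalid format option 'C'` on every call. The two `string.pack("I2", seqNo)` calls also dropped the `>` that the removed `bin.pack(">CCSASA", ...)` applied, so the sequence number is emitted in native order and comes out byte-swapped on little-endian hosts; `">I2"` restores the original encoding. The enclosing `icmp_packet` function starts and ends outside the hunk; the krb5-enum-users hunks on this line are straight repacks and need no change.
```lua
  local icmp_msg = string.pack(">BBI2", 8, 0, 0) .. icmp_id .. string.pack(">I2", seqNo) .. icmp_payload
  local icmp_checksum = packet.in_cksum(icmp_msg)
  icmp_msg = string.pack(">BBI2", 8, 0, icmp_checksum) .. icmp_id .. string.pack(">I2", seqNo) .. icmp_payload

  --IP header
  local ip_bin = "\x45\x00" -- IPv4, no options, no DSCN, no ECN
    .. string.pack(">I2I2", 20 + #icmp_msg, -- total length
    0) -- IP ID
    .. "\x40\x00" -- DF
    .. string.pack("BB", ttl, 1 -- ICMP
    )
    .. ("\0"):rep(10) -- checksum & addresses
  -- … unchanged: icmp_bin assembly …
```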
@@ -227,7 +226,7 @@ KRB5 = {
 -- forwardable
 local kdc_options = 0x40000000
- data = bin.pack(">I", kdc_options) .. data
+ data = string.pack(">I4", kdc_options) .. data
 -- add padding
 data = '\0' .. data
@@ -245,7 +244,7 @@ KRB5 = {
 data = self:encodeSequence(encoder, 0x6a, data)
 if ( protocol == "tcp" ) then
- data = bin.pack(">I", #data) .. data
+ data = string.pack(">s4", data)
 end
 return data
diff --git a/scripts/metasploit-msgrpc-brute.nse b/scripts/metasploit-msgrpc-brute.nse
index ff780dba9..555d439a4 100644
--- a/scripts/metasploit-msgrpc-brute.nse
+++ b/scripts/metasploit-msgrpc-brute.nse
@@ -3,7 +3,6 @@ local shortport = require "shortport"
 local stdnse = require "stdnse"
 local string = require "string"
 local http = require "http"
-local bin = require "bin"
 local creds = require "creds"
 description = [[
@@ -38,25 +37,19 @@ categories = {"intrusive", "brute"}
 portrule = shortport.port_or_service(55553,"metasploit-msgrpc")
+-- returns a "prefix" that msgpack uses for strings
+local get_prefix = function(data)
+ if #data <= 31 then
+ return string.pack("B", 0xa0 + #data)
+ else
+ return "\xda" .. string.pack(">I2", #data)
+ end
+end
 -- simple function that implements basic msgpack encoding we need for this script
 -- see http://wiki.msgpack.org/display/MSGPACK/Format+specification for more
 local encode = function(username, password)
- local method = "auth.login"
- local username_prefix
- local password_prefix
- if string.len(username) <= 31 then -- http://wiki.msgpack.org/display/MSGPACK/Format+specification#Formatspecification-fixraw
- username_prefix = bin.pack("C",0xa0 + string.len(username))
- else -- http://wiki.msgpack.org/display/MSGPACK/Format+specification#Formatspecification-raw16
- username_prefix = "\xda" .. bin.pack(">s",string.len(username))
- end
- if string.len(password) <= 31 then
- password_prefix = bin.pack("C",0xa0 + string.len(password))
- else
- password_prefix = "\xda" .. bin.pack(">s",string.len(password))
- end
- return "\x93\xaa" .. method .. username_prefix .. username .. password_prefix .. password
+ return "\x93\xaaauth.login" .. get_prefix(username) .. username .. get_prefix(password) .. password
 end
 Driver = {
diff --git a/scripts/mikrotik-routeros-brute.nse b/scripts/mikrotik-routeros-brute.nse
index a87f7d939..6a13f4f84 100644
--- a/scripts/mikrotik-routeros-brute.nse
+++ b/scripts/mikrotik-routeros-brute.nse
@@ -27,7 +27,6 @@ license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
 categories = {"intrusive", "brute"}
 local shortport = require "shortport"
-local bin = require "bin"
 local brute = require "brute"
 local creds = require "creds"
 local nmap = require "nmap"
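Review bot: `"\x93\xaaauth.login"` in `encode` is correct only because a `\x` escape takes exactly two hex digits, so a reader sees `\xaaa` and has to work out that the 0xaa fixraw prefix ends before `auth.login`; `"\x93\xaa" .. "auth.login"` produces the same bytes with the prefix and the method name visibly separate. `get_prefix` also lost the fixraw and raw16 spec anchors that the removed lines carried in their comments, and it now has a hard limit that `bin.pack` did not make explicit: `string.pack(">I2", #data)` raises `integer overflow` for a string longer than 65535 bytes. A header comment along the lines of `-- msgpack raw prefix: fixraw (0xa0 | len) for len <= 31, otherwise raw16 (0xda, big-endian u16 length); strings above 65535 bytes make string.pack raise` would record both.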
@@ -55,7 +54,7 @@ Driver =
 login = function( self, username, password )
 local status, data, try
- data = bin.pack("cAx", 0x6,"/login")
+ data = string.pack("s1x", "/login")
 --Connect to service and obtain the challenge response
 try = nmap.new_try(function() return false end)
@@ -67,10 +66,9 @@ Driver =
 --If we find the challenge value we continue the connection process
 if ret then
 stdnse.debug1("Challenge value found:%s", ret)
- local md5str = bin.pack("xAA", password, stdnse.fromhex( ret)) --appends pwd and challenge
+ local md5str = "\0" .. password .. stdnse.fromhex(ret) --appends pwd and challenge
 local chksum = stdnse.tohex(openssl.md5(md5str))
- local user_l = username:len()+6 --we add six because of the string "=name="
- local login_pkt = bin.pack("cAcAcAx", 0x6, "/login", user_l, "=name="..username, 0x2c, "=response=00"..chksum)
+ local login_pkt = string.pack("s1s1s1x", "/login", "=name="..username, "=response=00"..chksum)
 try(self.s:send(login_pkt))
 data = try(self.s:receive_bytes(50))
 stdnse.debug1("Response #2:%s", data)
diff --git a/scripts/modbus-discover.nse b/scripts/modbus-discover.nse
index 66d5b508f..ef31947b0 100644
--- a/scripts/modbus-discover.nse
+++ b/scripts/modbus-discover.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local comm = require "comm"
 local nmap = require "nmap"
 local shortport = require "shortport"
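Review bot: `string.pack("s1s1s1x", "/login", "=name="..username, "=response=00"..chksum)` in `login` raises `string length does not fit in given size` as soon as `"=name="..username` exceeds 255 bytes, whereas the removed `bin.pack("cAcAcAx", ...)` with `user_l = username:len()+6` sent whatever byte that length reduced to; how the brute engine reacts to a Lua error escaping from `login` is not visible in this hunk. Checking the length before packing, e.g. `if #username > 249 then return false, brute.Error:new("username too long") end`, keeps a single oversize credential from aborting the whole run. The `"=response=00"..chksum` argument is always 44 bytes (12 plus a 32-character hex digest), so it matches the removed `0x2c` length byte and needs no guard. `login`'s body continues outside the second hunk.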
@@ -60,11 +59,11 @@ local form_rsid = function(sid, functionId, data)
 if ( #data > 0 ) then payload_len = payload_len + #data end
- return "\0\0\0\0\0" .. bin.pack('CCC', payload_len, sid, functionId) .. data
+ return "\0\0\0\0\0" .. string.pack('BBB', payload_len, sid, functionId) .. data
 end
 discover_device_id_recursive = function(host, port, sid, start_id, objects_table)
- local rsid = form_rsid(sid, 0x2B, "\x0E\x01" .. bin.pack('C', start_id))
+ local rsid = form_rsid(sid, 0x2B, "\x0E\x01" .. string.pack('B', start_id))
 local status, result = comm.exchange(host, port, rsid)
 if ( status and (#result >= 8)) then
 local ret_code = string.byte(result, 8)
@@ -100,8 +99,7 @@ end
 local extract_slave_id = function(response)
 local byte_count = string.byte(response, 9)
 if ( byte_count == nil or byte_count == 0) then return nil end
- local offset, slave_id = bin.unpack("A"..byte_count, response, 10)
- return slave_id
+ return string.unpack("c"..byte_count, response, 10)
 end
 modbus_exception_codes = {
diff --git a/scripts/oracle-sid-brute.nse b/scripts/oracle-sid-brute.nse
index a47a53ab3..d559b5475 100644
--- a/scripts/oracle-sid-brute.nse
+++ b/scripts/oracle-sid-brute.nse
@@ -1,4 +1,3 @@
-local bin = require "bin"
 local io = require "io"
 local nmap = require "nmap"
 local shortport = require "shortport"
@@ -56,7 +55,7 @@ local tns_type = {CONNECT=1, REFUSE=4, REDIRECT=5, RESEND=11}
 --
 local function create_tns_header(packetType, packetLength)
- local request = bin.pack( ">SSCCS",
+ local request = string.pack( ">I2 I2 BB I2",
 packetLength + 34, -- Packet Length
 0, -- Packet Checksum
 tns_type[packetType], -- Packet Type
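Review bot: `extract_slave_id` now returns two values, because `string.unpack` also returns the next position, where the removed `return slave_id` returned one; a caller that forwards the result into another call or a table constructor silently picks up the extra integer, so truncate with `return (string.unpack("c"..byte_count, response, 10))`. The same hunk changes the failure mode: `byte_count` is read from the peer's response, and `string.unpack` raises `data string too short` when `response` holds fewer than `9 + byte_count` bytes, while the removed `bin.unpack` call presumably returned nil there (the function's `return nil` contract suggests so); a guard `if #response < 9 + byte_count then return nil end` before the unpack keeps that contract. The same raise-on-short-input shift appears in `process_tns_packet` in oracle-sid-brute.nse, in `enum_protocols`/`enum_ciphers` in rdp-enum-encryption.nse and in `isRPC`/`rpcGrinder` in rpc-grind.nse, where `string.unpack(">I4 I4", data)` on a reply shorter than 8 bytes (or `#data - 7` falling to 0 or below) now errors instead of leaving the fields nil for the following comparison; each of those sites needs a length check or a `pcall`. The `form_rsid` hunk is a like-for-like repack.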
@@ -82,7 +81,7 @@ local function create_connect_packet( host_ip, port_no, sid )
 "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))\z
 (ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))", sid, host_ip, port_no)
- local data = bin.pack(">SSSSSSSSSSICCA",
+ local data = string.pack(">I2 I2 I2 I2 I2 I2 I2 I2 I2 I2 I4 BB",
 308, -- Version
 300, -- Version (Compatibility)
 0, -- Service Options
@@ -95,9 +94,9 @@ local function create_connect_packet( host_ip, port_no, sid )
 34, -- Offset to connect data
 0, -- Maximum Receivable Connect Data
 1, -- Connect Flags 0
- 1, -- Connect Flags 1
- connect_data
+ 1 -- Connect Flags 1
 )
+ .. connect_data
 local header = create_tns_header("CONNECT", connect_data:len() )
@@ -116,8 +115,7 @@ local function process_tns_packet( packet )
 local tnspacket = {}
 -- just pull out the bare minimum to be able to match
- local _
- _, tnspacket.Length, tnspacket.Checksum, tnspacket.Type = bin.unpack(">SSC", packet)
+ tnspacket.Length, tnspacket.Checksum, tnspacket.Type = string.unpack(">I2I2B", packet)
 return tnspacket
diff --git a/scripts/rdp-enum-encryption.nse b/scripts/rdp-enum-encryption.nse
index 453b6d3ed..158f0e6c7 100644
--- a/scripts/rdp-enum-encryption.nse
+++ b/scripts/rdp-enum-encryption.nse
@@ -29,12 +29,12 @@ author = "Patrik Karlsson"
 license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-local bin = require("bin")
 local nmap = require("nmap")
 local table = require("table")
 local shortport = require("shortport")
 local rdp = require("rdp")
 local stdnse = require("stdnse")
+local string = require "string"
 categories = {"safe", "discovery"}
@@ -71,11 +71,11 @@ local function enum_protocols(host, port)
 return false, response
 end
- local pos, success = bin.unpack("C", response.itut.data)
+ local success = string.unpack("B", response.itut.data)
 if ( success == 2 ) then
 table.insert(res_proto, ("%s: SUCCESS"):format(k))
 elseif ( nmap.debugging() > 0 ) then
- local pos, err = bin.unpack("C", response.itut.data, 5)
+ local err = string.unpack("B", response.itut.data, 5)
 if ( err > 0 ) then
 table.insert(res_proto, ("%s: FAILED (%s)"):format(k, ERRORS[err] or "Unknown"))
 else
@@ -133,8 +133,8 @@ local function enum_ciphers(host, port)
 local status, response = comm:exch(msc)
 comm:close()
 if ( status ) then
- local pos, enc_level = bin.unpack("C", response.itut.data, 95 + 8)
- local pos, enc_cipher= bin.unpack("C", response.itut.data, 95 + 4)
+ local enc_level = string.unpack("B", response.itut.data, 95 + 8)
+ local enc_cipher= string.unpack("B", response.itut.data, 95 + 4)
 if ( enc_cipher == v ) then
 table.insert(res_ciphers, ("%s: SUCCESS"):format(k))
 end
diff --git a/scripts/rdp-vuln-ms12-020.nse b/scripts/rdp-vuln-ms12-020.nse
index c154a79f5..362f9a040 100644
--- a/scripts/rdp-vuln-ms12-020.nse
+++ b/scripts/rdp-vuln-ms12-020.nse
@@ -1,7 +1,7 @@
-local bin = require "bin"
 local nmap = require "nmap"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
+local string = require "string"
 local vulns = require "vulns"
 description = [[
@@ -192,13 +192,13 @@ action = function(host, port)
 status, err = socket:send(connectInitial)
 status, err = socket:send(userRequest) -- send attach user request
 status, response = socket:receive_bytes(0) -- receive attach user confirm
- pos,user1 = bin.unpack(">S",response:sub(10,11)) -- user_channel-1001 - see http://msdn.microsoft.com/en-us/library/cc240918%28v=prot.10%29.aspx
+ user1, pos = string.unpack(">I2", response, 10) -- user_channel-1001 - see http://msdn.microsoft.com/en-us/library/cc240918%28v=prot.10%29.aspx
 status, err = socket:send(userRequest) -- send another attach user request
 status, response = socket:receive_bytes(0) -- receive another attach user confirm
- pos,user2 = bin.unpack(">S",response:sub(10,11)) -- second user's channel - 1001
+ user2, pos = string.unpack(">I2", response, 10) -- second user's channel - 1001
 user2 = user2+1001 -- second user's channel
- local data4 = bin.pack(">SS",user1,user2)
+ local data4 = string.pack(">I2I2", user1, user2)
 local data5 = stdnse.fromhex("0300000c02f08038") -- channel join request TPDU
 local channelJoinRequest = data5 .. data4
 status, err = socket:send(channelJoinRequest) -- bogus channel join request user1 requests channel of user2
@@ -208,7 +208,7 @@ action = function(host, port)
 -- see http://msdn.microsoft.com/en-us/library/cc240911%28v=prot.10%29.aspx
 -- service is vulnerable
 -- send a valid request to prevent the BSoD
- data4 = bin.pack(">SS",user2-1001,user2)
+ data4 = string.pack(">I2I2", user2 - 1001, user2)
 channelJoinRequest = data5 .. data4 -- valid join request
 status, err = socket:send(channelJoinRequest)
 status, response = socket:receive_bytes(0)
diff --git a/scripts/rpc-grind.nse b/scripts/rpc-grind.nse
index dfe990927..a89067b53 100644
--- a/scripts/rpc-grind.nse
+++ b/scripts/rpc-grind.nse
@@ -1,7 +1,7 @@
 local stdnse = require "stdnse"
+local string = require "string"
 local nmap = require "nmap"
 local rpc = require "rpc"
-local bin = require "bin"
 local math = require "math"
 local io = require "io"
 local coroutine = require "coroutine"
@@ -103,8 +103,7 @@ local isRPC = function(host, port)
 -- If we got response, set port to open
 nmap.set_port_state(host, port, "open")
- _, rxid = bin.unpack(">I", data, 1)
- _, msgtype = bin.unpack(">I", data, 5)
+ rxid, msgtype = string.unpack(">I4 I4", data)
 -- If response XID does match request XID
 -- and message type equals 1 (REPLY) then
 -- it is a RPC port.
@@ -209,8 +208,7 @@ local rpcGrinder = function(host, port, iterator, result)
 if response.accept_state == rpc.Portmap.AcceptState.PROG_MISMATCH then
 result.program = program
 result.number = number
- _, result.highver = bin.unpack(">I", data, #data - 3)
- _, result.lowver = bin.unpack(">I", data, #data - 7)
+ result.lowver, result.highver = string.unpack(">I4 I4", data, #data - 7)
 table.insert(result, true) -- To make #result > 1
 -- Otherwise, an Accept state other than Program unavailable is not normal behaviour.
diff --git a/scripts/telnet-encryption.nse b/scripts/telnet-encryption.nse
index d89a7f279..1de91c320 100644
--- a/scripts/telnet-encryption.nse
+++ b/scripts/telnet-encryption.nse
@@ -1,7 +1,7 @@
-local bin = require "bin"
 local nmap = require "nmap"
 local shortport = require "shortport"
 local stdnse = require "stdnse"
+local string = require "string"
 local table = require "table"
 description = [[
@@ -50,20 +50,20 @@ local function processOptions(data)
 local result = {}
 while ( pos < #data ) do
 local iac, cmd, option
- pos, iac, cmd = bin.unpack("CC", data, pos)
+ iac, cmd, pos = string.unpack("BB", data, pos)
 if ( 0xFF ~= iac ) then break end
 if ( COMMAND.SubCommand == cmd ) then
 repeat
- pos, iac = bin.unpack("C", data, pos)
+ iac, pos = string.unpack("B", data, pos)
 until( pos == #data or 0xFF == iac )
- pos, cmd = bin.unpack("C", data, pos)
+ cmd, pos = string.unpack("B", data, pos)
 if ( not(cmd) == 0xF0 ) then
 return false, "Failed to parse options"
 end
 else
- pos, option = bin.unpack("H", data, pos)
+ pos, option = string.unpack("B", data, pos)
 result[option] = result[option] or {}
 table.insert(result[option], cmd)
 end
@@ -95,9 +95,9 @@ action = function(host, port)
 if ( not(status) ) then
 return fail("Failed to process telnet options")
 end
- until( result.done or result.cmds['26'] )
+ until( result.done or result.cmds[0x26] )
- for _, cmd in ipairs(result.cmds['26'] or {}) do
+ for _, cmd in ipairs(result.cmds[0x26] or {}) do
 if ( COMMAND.Will == cmd or COMMAND.Do == cmd ) then
 return "\n Telnet server supports encryption"
 end
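Review bot: `pos, option = string.unpack("B", data, pos)` in `processOptions` has its results in the wrong order: `string.unpack` returns the unpacked value first and the next position second, so `pos` receives the option byte and `option` receives the offset, unlike the three other converted lines in the same hunk (`iac, cmd, pos = ...`). As a result `result[option]` is keyed by a buffer offset rather than the option code, and `while ( pos < #data )` resumes from a byte value instead of the offset, so the loop can re-read or skip data; the line should read `option, pos = string.unpack("B", data, pos)`. The `result.cmds[0x26]` change in the second hunk assumes the keys are now option codes, which only holds once this line is fixed. `processOptions` continues outside the hunk.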