From c82a370dd1d8708d9dbca2ebbcc7e1905c25c1a7 Mon Sep 17 00:00:00 2001
From: dmiller <dmiller@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Thu, 20 Sep 2018 04:04:59 +0000
Subject: [PATCH] Fix unpacking OEM ID; had been grabbing wrong 3 bytes.
 Replaced bin with string unpacking

---
 nselib/ipmi.lua | 192 +++++++++++++++++++++++-------------------------
 1 file changed, 91 insertions(+), 101 deletions(-)

diff --git a/nselib/ipmi.lua b/nselib/ipmi.lua
index 531da836a..3d510c0fa 100644
--- a/nselib/ipmi.lua
+++ b/nselib/ipmi.lua
@@ -5,7 +5,6 @@
 -- @class module
 -- @name ipmi
 -- @author "Claudiu Perta <claudiu.perta@gmail.com>"
-local bin = require "bin"
 local stdnse = require "stdnse"
 local string = require "string"
 local rand = require "rand"
@@ -94,7 +93,7 @@ session_open_request = function(console_session_id)
     "\x01\x00\x00\x00"  -- AES Encryption
     )
 
-  return bin.pack("<AP", rmcpplus_header("RMCPPLUSOPEN_REQ"), data)
+  return rmcpplus_header("RMCPPLUSOPEN_REQ") .. string.pack("<s2", data)
 end
 
 -- Open rmcpplus_request
@@ -113,22 +112,20 @@ session_open_cipher_zero_request = function(console_session_id)
     "\x00\x00\x00\x00"  -- No Encryption
     )
 
-  return bin.pack("<AP", rmcpplus_header("RMCPPLUSOPEN_REQ"), data)
+  return rmcpplus_header("RMCPPLUSOPEN_REQ") .. string.pack("<s2", data)
 end
 
 rakp_1_request = function(bmc_session_id, console_random_id, username)
-  local data = bin.pack(
-    "<AAIAAAp",
-    "\x00",                       -- Message Tag
-    "\x00\x00\x00",               -- Reserved
+  local data = string.pack(
+    "<Bxxx I c16 Bxx s1",
+    0,                       -- Message Tag
     bmc_session_id,
     console_random_id,
-    "\x14",                       -- Privilege level
-    "\x00\x00",                   -- Reserved
+    0x14,                       -- Privilege level
     username
     )
 
-  return bin.pack("<AP", rmcpplus_header("RAKP1"), data)
+  return rmcpplus_header("RAKP1") .. string.pack("<s2", data)
 end
 
 rakp_hmac_sha1_salt = function(
@@ -140,8 +137,8 @@ rakp_hmac_sha1_salt = function(
     authorization_level,
     username)
 
-  local salt = bin.pack(
-    "AIAAACp",
+  local salt = string.pack(
+    "c4 I c16c16c16 Bs1",
     console_session_id,
     bmc_session_id,
     console_random_id,
@@ -180,57 +177,54 @@ parse_channel_auth_reply = function(reply)
   local pos = 0
   local value
 
-  pos, data["rmcp_version"] = bin.unpack("<C", reply, pos)
-  pos, data["rmcp_padding"] = bin.unpack("<C", reply, pos)
-  pos, data["rmcp_sequence"] = bin.unpack("<C", reply, pos)
+  data.rmcp_version,
+  data.rmcp_padding,
+  data.rmcp_sequence,
+  value, pos = string.unpack("<BBBB", reply, pos)
 
-  pos, value = bin.unpack("C", reply, pos)
-  data["rmcp_mtype"] = ((value & 0x80) ~= 0)
-  data["rmcp_class"] = (value & 0x7F)
+  data.rmcp_mtype = ((value & 0x80) ~= 0)
+  data.rmcp_class = (value & 0x7F)
 
-  pos, data["session_auth_type"] = bin.unpack("C", reply, pos)
-  pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
-  pos, data["session_id"] = bin.unpack("<I", reply, pos)
-  pos, data["message_length"] = bin.unpack("C", reply, pos)
-  pos, data["ipmi_tgt_address"] = bin.unpack("C", reply, pos)
-  pos, data["ipmi_tgt_lun"] = bin.unpack("C", reply, pos)
-  pos, data["ipmi_header_checksum"] = bin.unpack("C", reply, pos)
-  pos, data["ipmi_src_address"] = bin.unpack("C", reply, pos)
-  pos, data["ipmi_src_lun"] = bin.unpack("C", reply, pos)
-  pos, data["ipmi_command"] = bin.unpack("C", reply, pos)
-  pos, data["ipmi_completion_code"] = bin.unpack("C", reply, pos)
-  pos, data["ipmi_channel"] = bin.unpack("C", reply, pos)
+  data.session_auth_type,
+  data.session_sequence,
+  data.session_id,
+  data.message_length,
+  data.ipmi_tgt_address,
+  data.ipmi_tgt_lun,
+  data.ipmi_header_checksum,
+  data.ipmi_src_address,
+  data.ipmi_src_lun,
+  data.ipmi_command,
+  data.ipmi_completion_code,
+  data.ipmi_channel,
+  value, pos = string.unpack("<BI4I4BBBBBBBBBB", reply, pos)
 
-  pos, value = bin.unpack("C", reply, pos)
-  data["ipmi_compat_20"] = ((value & 0x80) ~= 0)
-  data["ipmi_compat_reserved1"] = ((value & 0x40) ~= 0)
-  data["ipmi_compat_oem_auth"] = ((value & 0x20) ~= 0)
-  data["ipmi_compat_password"] = ((value & 0x10) ~= 0)
-  data["ipmi_compat_reserved2"] = ((value & 0x08) ~= 0)
-  data["ipmi_compat_md5"] = ((value & 0x04) ~= 0)
-  data["ipmi_compat_md2"] = ((value & 0x02) ~= 0)
-  data["ipmi_compat_none"] = ((value & 0x01) ~= 0)
+  data.ipmi_compat_20 = ((value & 0x80) ~= 0)
+  data.ipmi_compat_reserved1 = ((value & 0x40) ~= 0)
+  data.ipmi_compat_oem_auth = ((value & 0x20) ~= 0)
+  data.ipmi_compat_password = ((value & 0x10) ~= 0)
+  data.ipmi_compat_reserved2 = ((value & 0x08) ~= 0)
+  data.ipmi_compat_md5 = ((value & 0x04) ~= 0)
+  data.ipmi_compat_md2 = ((value & 0x02) ~= 0)
+  data.ipmi_compat_none = ((value & 0x01) ~= 0)
 
-  pos, value = bin.unpack("C", reply, pos)
-  data["ipmi_user_reserved1"] = ((value >> 6) & 0x03)
-  data["ipmi_user_kg"] = ((value & 0x20) ~= 0)
-  data["ipmi_user_disable_message_auth"] = ((value & 0x10) ~= 0)
-  data["ipmi_user_disable_user_auth"] = ((value & 0x08) ~= 0)
-  data["ipmi_user_non_null"] = ((value & 0x04) ~= 0)
-  data["ipmi_user_null"] = ((value & 0x02) ~= 0)
-  data["ipmi_user_anonymous"] = ((value & 0x01) ~= 0)
+  value, pos = string.unpack("B", reply, pos)
+  data.ipmi_user_reserved1 = ((value >> 6) & 0x03)
+  data.ipmi_user_kg = ((value & 0x20) ~= 0)
+  data.ipmi_user_disable_message_auth = ((value & 0x10) ~= 0)
+  data.ipmi_user_disable_user_auth = ((value & 0x08) ~= 0)
+  data.ipmi_user_non_null = ((value & 0x04) ~= 0)
+  data.ipmi_user_null = ((value & 0x02) ~= 0)
+  data.ipmi_user_anonymous = ((value & 0x01) ~= 0)
 
-  pos, value = bin.unpack("C", reply, pos)
-  data["ipmi_conn_reserved1"] = ((value >> 2) & 0x3F)
-  data["ipmi_conn_20"] = ((value & 0x02) ~= 0)
-  data["ipmi_conn_15"] = ((value & 0x01) ~= 0)
+  value, pos = string.unpack("B", reply, pos)
+  data.ipmi_conn_reserved1 = ((value >> 2) & 0x3F)
+  data.ipmi_conn_20 = ((value & 0x02) ~= 0)
+  data.ipmi_conn_15 = ((value & 0x01) ~= 0)
 
-  -- 24 bits OEMID, unpack an int and shift 1 byte to the right
-  pos, value = bin.unpack("<I", reply, pos)
-  data["ipmi_oem_id"] = value >> 8
-  -- restore one byte position
-  pos = pos - 1
-  pos, data["ipmi_oem_data"] = bin.unpack("A", reply, pos)
+  -- 24 bits OEMID
+  data.ipmi_oem_id, pos = string.unpack("<I3", reply, pos)
+  data.ipmi_oem_data = reply:sub(pos)
 
   return data
 end
@@ -241,34 +235,32 @@ parse_open_session_reply = function(reply)
   local value
 
   -- 4 bytes Header
-  pos, data["rmcp_version"] = bin.unpack("C", reply, pos)
-  pos, data["rmcp_padding"] = bin.unpack("C", reply, pos)
-  pos, data["rmcp_sequence"] = bin.unpack("C", reply, pos)
-
-  pos, value = bin.unpack("C", reply, pos)
+  data.rmcp_version,
+  data.rmcp_padding,
+  data.rmcp_sequence,
+  value, pos = string.unpack("BBBB", reply, pos)
   -- bit 1
-  data["rmcp_mtype"] = ((value & 0x80) ~= 0)
+  data.rmcp_mtype = ((value & 0x80) ~= 0)
   -- bit [2:8]
-  data["rmcp_class"] = (value & 0x7F)
+  data.rmcp_class = (value & 0x7F)
 
-  pos, data["session_auth_type"] = bin.unpack("C", reply, pos)
-
-  pos, value = bin.unpack("C", reply, pos)
+  data.session_auth_type,
+  value, pos = string.unpack("BB", reply, pos)
   -- bit 1
-  data["session_payload_encrypted"] = ((value & 0x80) ~= 0)
+  data.session_payload_encrypted = ((value & 0x80) ~= 0)
   -- bit 2
-  data["session_payload_authenticated"] = ((value & 0x40) ~= 0)
+  data.session_payload_authenticated = ((value & 0x40) ~= 0)
   -- bit [3:8]
-  data["session_payload_type"] = (value & 0x3F)
+  data.session_payload_type = (value & 0x3F)
 
-  pos, data["session_id"] = bin.unpack("<I", reply, pos)
-  pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
-  pos, data["message_length"] = bin.unpack("<S", reply, pos)
-  pos, data["ignored1"] = bin.unpack("C", reply, pos)
-  pos, data["error_code"] = bin.unpack("C", reply, pos)
-  pos, data["ignored2"] = bin.unpack("<S", reply, pos)
-  pos, data["console_session_id"] = bin.unpack("<I", reply, pos)
-  pos, data["bmc_session_id"] = bin.unpack("<I", reply, pos)
+  data.session_id,
+  data.session_sequence,
+  data.message_length,
+  data.ignored1,
+  data.error_code,
+  data.ignored2,
+  data.console_session_id,
+  data.bmc_session_id, pos = string.unpack("<I4I4I2BBI2I4I4", reply, pos)
 
   return data
 end
@@ -279,36 +271,34 @@ parse_rakp_1_reply = function(reply)
   local value
 
   -- 4 bytes Header
-  pos, data["rmcp_version"] = bin.unpack("C", reply, pos)
-  pos, data["rmcp_padding"] = bin.unpack("C", reply, pos)
-  pos, data["rmcp_sequence"] = bin.unpack("C", reply, pos)
-
-  pos, value = bin.unpack("C", reply, pos)
+  data.rmcp_version,
+  data.rmcp_padding,
+  data.rmcp_sequence,
+  value, pos = string.unpack("BBBB", reply, pos)
   -- bit 1
-  data["rmcp_mtype"] = ((value & 0x80) ~= 0)
+  data.rmcp_mtype = ((value & 0x80) ~= 0)
   -- bit [2:8]
-  data["rmcp_class"] = (value & 0x7F)
+  data.rmcp_class = (value & 0x7F)
 
-  pos, data["session_auth_type"] = bin.unpack("C", reply, pos)
-
-  pos, value = bin.unpack("C", reply, pos)
+  data.session_auth_type,
+  value, pos = string.unpack("BB", reply, pos)
   -- bit 1
-  data["session_payload_encrypted"] = ((value & 0x80) ~= 0)
+  data.session_payload_encrypted = ((value & 0x80) ~= 0)
   -- bit 2
-  data["session_payload_authenticated"] = ((value & 0x40) ~= 0)
+  data.session_payload_authenticated = ((value & 0x40) ~= 0)
   -- bit [3:8]
-  data["session_payload_type"] = (value & 0x3F)
+  data.session_payload_type = (value & 0x3F)
 
-  pos, data["session_id"] = bin.unpack("<I", reply, pos)
-  pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
-  pos, data["message_length"] = bin.unpack("<S", reply, pos)
-  pos, data["ignored1"] = bin.unpack("C", reply, pos)
-  pos, data["error_code"] = bin.unpack("C", reply, pos)
-  pos, data["ignored2"] = bin.unpack("<S", reply, pos)
-  pos, data["console_session_id"] = bin.unpack("<I", reply, pos)
-  pos, data["bmc_random_id"] = bin.unpack("A16", reply, pos)
-  pos, data["bmc_guid"] = bin.unpack("A16", reply, pos)
-  pos, data["hmac_sha1"] = bin.unpack("A20", reply, pos)
+  data.session_id,
+  data.session_sequence,
+  data.message_length,
+  data.ignored1,
+  data.error_code,
+  data.ignored2,
+  data.console_session_id,
+  data.bmc_random_id,
+  data.bmc_guid,
+  data.hmac_sha1, pos = string.unpack("<I4I4I2BBI2I4c16c16c20", reply, pos)
 
   return data
 end