PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-15 12:19:02 +00:00
Code Issues Projects Releases Wiki Activity

Fix unpacking OEM ID; had been grabbing wrong 3 bytes. Replaced bin with string unpacking

Browse Source
This commit is contained in:
dmiller
2018-09-20 04:04:59 +00:00
parent 7819453af5
commit c82a370dd1
1 changed files with 91 additions and 101 deletions
Download Patch File Download Diff File Expand all files Collapse all files

192
nselib/ipmi.lua
View File

@@ -5,7 +5,6 @@
-- @class module
-- @name ipmi
-- @author "Claudiu Perta <claudiu.perta@gmail.com>"
local bin = require "bin"
local stdnse = require "stdnse"
local string = require "string"
local rand = require "rand"
@@ -94,7 +93,7 @@ session_open_request = function(console_session_id)
"\x01\x00\x00\x00" -- AES Encryption
)
return bin.pack("<AP", rmcpplus_header("RMCPPLUSOPEN_REQ"), data)
return rmcpplus_header("RMCPPLUSOPEN_REQ") .. string.pack("<s2", data)
end
-- Open rmcpplus_request
@@ -113,22 +112,20 @@ session_open_cipher_zero_request = function(console_session_id)
"\x00\x00\x00\x00" -- No Encryption
)
return bin.pack("<AP", rmcpplus_header("RMCPPLUSOPEN_REQ"), data)
return rmcpplus_header("RMCPPLUSOPEN_REQ") .. string.pack("<s2", data)
end
rakp_1_request = function(bmc_session_id, console_random_id, username)
local data = bin.pack(
"<AAIAAAp",
"\x00", -- Message Tag
"\x00\x00\x00", -- Reserved
local data = string.pack(
"<Bxxx I c16 Bxx s1",
0, -- Message Tag
bmc_session_id,
console_random_id,
"\x14", -- Privilege level
"\x00\x00", -- Reserved
0x14, -- Privilege level
username
)
return bin.pack("<AP", rmcpplus_header("RAKP1"), data)
return rmcpplus_header("RAKP1") .. string.pack("<s2", data)
end
rakp_hmac_sha1_salt = function(
@@ -140,8 +137,8 @@ rakp_hmac_sha1_salt = function(
authorization_level,
username)
local salt = bin.pack(
"AIAAACp",
local salt = string.pack(
"c4 I c16c16c16 Bs1",
console_session_id,
bmc_session_id,
console_random_id,
@@ -180,57 +177,54 @@ parse_channel_auth_reply = function(reply)
local pos = 0
local value
pos, data["rmcp_version"] = bin.unpack("<C", reply, pos)
pos, data["rmcp_padding"] = bin.unpack("<C", reply, pos)
pos, data["rmcp_sequence"] = bin.unpack("<C", reply, pos)
data.rmcp_version,
data.rmcp_padding,
data.rmcp_sequence,
value, pos = string.unpack("<BBBB", reply, pos)
pos, value = bin.unpack("C", reply, pos)
data["rmcp_mtype"] = ((value & 0x80) ~= 0)
data["rmcp_class"] = (value & 0x7F)
data.rmcp_mtype = ((value & 0x80) ~= 0)
data.rmcp_class = (value & 0x7F)
pos, data["session_auth_type"] = bin.unpack("C", reply, pos)
pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
pos, data["session_id"] = bin.unpack("<I", reply, pos)
pos, data["message_length"] = bin.unpack("C", reply, pos)
pos, data["ipmi_tgt_address"] = bin.unpack("C", reply, pos)
pos, data["ipmi_tgt_lun"] = bin.unpack("C", reply, pos)
pos, data["ipmi_header_checksum"] = bin.unpack("C", reply, pos)
pos, data["ipmi_src_address"] = bin.unpack("C", reply, pos)
pos, data["ipmi_src_lun"] = bin.unpack("C", reply, pos)
pos, data["ipmi_command"] = bin.unpack("C", reply, pos)
pos, data["ipmi_completion_code"] = bin.unpack("C", reply, pos)
pos, data["ipmi_channel"] = bin.unpack("C", reply, pos)
data.session_auth_type,
data.session_sequence,
data.session_id,
data.message_length,
data.ipmi_tgt_address,
data.ipmi_tgt_lun,
data.ipmi_header_checksum,
data.ipmi_src_address,
data.ipmi_src_lun,
data.ipmi_command,
data.ipmi_completion_code,
data.ipmi_channel,
value, pos = string.unpack("<BI4I4BBBBBBBBBB", reply, pos)
pos, value = bin.unpack("C", reply, pos)
data["ipmi_compat_20"] = ((value & 0x80) ~= 0)
data["ipmi_compat_reserved1"] = ((value & 0x40) ~= 0)
data["ipmi_compat_oem_auth"] = ((value & 0x20) ~= 0)
data["ipmi_compat_password"] = ((value & 0x10) ~= 0)
data["ipmi_compat_reserved2"] = ((value & 0x08) ~= 0)
data["ipmi_compat_md5"] = ((value & 0x04) ~= 0)
data["ipmi_compat_md2"] = ((value & 0x02) ~= 0)
data["ipmi_compat_none"] = ((value & 0x01) ~= 0)
data.ipmi_compat_20 = ((value & 0x80) ~= 0)
data.ipmi_compat_reserved1 = ((value & 0x40) ~= 0)
data.ipmi_compat_oem_auth = ((value & 0x20) ~= 0)
data.ipmi_compat_password = ((value & 0x10) ~= 0)
data.ipmi_compat_reserved2 = ((value & 0x08) ~= 0)
data.ipmi_compat_md5 = ((value & 0x04) ~= 0)
data.ipmi_compat_md2 = ((value & 0x02) ~= 0)
data.ipmi_compat_none = ((value & 0x01) ~= 0)
pos, value = bin.unpack("C", reply, pos)
data["ipmi_user_reserved1"] = ((value >> 6) & 0x03)
data["ipmi_user_kg"] = ((value & 0x20) ~= 0)
data["ipmi_user_disable_message_auth"] = ((value & 0x10) ~= 0)
data["ipmi_user_disable_user_auth"] = ((value & 0x08) ~= 0)
data["ipmi_user_non_null"] = ((value & 0x04) ~= 0)
data["ipmi_user_null"] = ((value & 0x02) ~= 0)
data["ipmi_user_anonymous"] = ((value & 0x01) ~= 0)
value, pos = string.unpack("B", reply, pos)
data.ipmi_user_reserved1 = ((value >> 6) & 0x03)
data.ipmi_user_kg = ((value & 0x20) ~= 0)
data.ipmi_user_disable_message_auth = ((value & 0x10) ~= 0)
data.ipmi_user_disable_user_auth = ((value & 0x08) ~= 0)
data.ipmi_user_non_null = ((value & 0x04) ~= 0)
data.ipmi_user_null = ((value & 0x02) ~= 0)
data.ipmi_user_anonymous = ((value & 0x01) ~= 0)
pos, value = bin.unpack("C", reply, pos)
data["ipmi_conn_reserved1"] = ((value >> 2) & 0x3F)
data["ipmi_conn_20"] = ((value & 0x02) ~= 0)
data["ipmi_conn_15"] = ((value & 0x01) ~= 0)
value, pos = string.unpack("B", reply, pos)
data.ipmi_conn_reserved1 = ((value >> 2) & 0x3F)
data.ipmi_conn_20 = ((value & 0x02) ~= 0)
data.ipmi_conn_15 = ((value & 0x01) ~= 0)
-- 24 bits OEMID, unpack an int and shift 1 byte to the right
pos, value = bin.unpack("<I", reply, pos)
data["ipmi_oem_id"] = value >> 8
-- restore one byte position
pos = pos - 1
pos, data["ipmi_oem_data"] = bin.unpack("A", reply, pos)
-- 24 bits OEMID
data.ipmi_oem_id, pos = string.unpack("<I3", reply, pos)
data.ipmi_oem_data = reply:sub(pos)
return data
end
@@ -241,34 +235,32 @@ parse_open_session_reply = function(reply)
local value
-- 4 bytes Header
pos, data["rmcp_version"] = bin.unpack("C", reply, pos)
pos, data["rmcp_padding"] = bin.unpack("C", reply, pos)
pos, data["rmcp_sequence"] = bin.unpack("C", reply, pos)
pos, value = bin.unpack("C", reply, pos)
data.rmcp_version,
data.rmcp_padding,
data.rmcp_sequence,
value, pos = string.unpack("BBBB", reply, pos)
-- bit 1
data["rmcp_mtype"] = ((value & 0x80) ~= 0)
data.rmcp_mtype = ((value & 0x80) ~= 0)
-- bit [2:8]
data["rmcp_class"] = (value & 0x7F)
data.rmcp_class = (value & 0x7F)
pos, data["session_auth_type"] = bin.unpack("C", reply, pos)
pos, value = bin.unpack("C", reply, pos)
data.session_auth_type,
value, pos = string.unpack("BB", reply, pos)
-- bit 1
data["session_payload_encrypted"] = ((value & 0x80) ~= 0)
data.session_payload_encrypted = ((value & 0x80) ~= 0)
-- bit 2
data["session_payload_authenticated"] = ((value & 0x40) ~= 0)
data.session_payload_authenticated = ((value & 0x40) ~= 0)
-- bit [3:8]
data["session_payload_type"] = (value & 0x3F)
data.session_payload_type = (value & 0x3F)
pos, data["session_id"] = bin.unpack("<I", reply, pos)
pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
pos, data["message_length"] = bin.unpack("<S", reply, pos)
pos, data["ignored1"] = bin.unpack("C", reply, pos)
pos, data["error_code"] = bin.unpack("C", reply, pos)
pos, data["ignored2"] = bin.unpack("<S", reply, pos)
pos, data["console_session_id"] = bin.unpack("<I", reply, pos)
pos, data["bmc_session_id"] = bin.unpack("<I", reply, pos)
data.session_id,
data.session_sequence,
data.message_length,
data.ignored1,
data.error_code,
data.ignored2,
data.console_session_id,
data.bmc_session_id, pos = string.unpack("<I4I4I2BBI2I4I4", reply, pos)
return data
end
@@ -279,36 +271,34 @@ parse_rakp_1_reply = function(reply)
local value
-- 4 bytes Header
pos, data["rmcp_version"] = bin.unpack("C", reply, pos)
pos, data["rmcp_padding"] = bin.unpack("C", reply, pos)
pos, data["rmcp_sequence"] = bin.unpack("C", reply, pos)
pos, value = bin.unpack("C", reply, pos)
data.rmcp_version,
data.rmcp_padding,
data.rmcp_sequence,
value, pos = string.unpack("BBBB", reply, pos)
-- bit 1
data["rmcp_mtype"] = ((value & 0x80) ~= 0)
data.rmcp_mtype = ((value & 0x80) ~= 0)
-- bit [2:8]
data["rmcp_class"] = (value & 0x7F)
data.rmcp_class = (value & 0x7F)
pos, data["session_auth_type"] = bin.unpack("C", reply, pos)
pos, value = bin.unpack("C", reply, pos)
data.session_auth_type,
value, pos = string.unpack("BB", reply, pos)
-- bit 1
data["session_payload_encrypted"] = ((value & 0x80) ~= 0)
data.session_payload_encrypted = ((value & 0x80) ~= 0)
-- bit 2
data["session_payload_authenticated"] = ((value & 0x40) ~= 0)
data.session_payload_authenticated = ((value & 0x40) ~= 0)
-- bit [3:8]
data["session_payload_type"] = (value & 0x3F)
data.session_payload_type = (value & 0x3F)
pos, data["session_id"] = bin.unpack("<I", reply, pos)
pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
pos, data["message_length"] = bin.unpack("<S", reply, pos)
pos, data["ignored1"] = bin.unpack("C", reply, pos)
pos, data["error_code"] = bin.unpack("C", reply, pos)
pos, data["ignored2"] = bin.unpack("<S", reply, pos)
pos, data["console_session_id"] = bin.unpack("<I", reply, pos)
pos, data["bmc_random_id"] = bin.unpack("A16", reply, pos)
pos, data["bmc_guid"] = bin.unpack("A16", reply, pos)
pos, data["hmac_sha1"] = bin.unpack("A20", reply, pos)
data.session_id,
data.session_sequence,
data.message_length,
data.ignored1,
data.error_code,
data.ignored2,
data.console_session_id,
data.bmc_random_id,
data.bmc_guid,
data.hmac_sha1, pos = string.unpack("<I4I4I2BBI2I4c16c16c20", reply, pos)
return data
end