Fix unpacking OEM ID; had been grabbing wrong 3 bytes. Replaced bin with string unpacking

2025-12-17 13:09:02 +00:00 · 2018-09-20 04:04:59 +00:00
parent 7819453af5
commit c82a370dd1
1 changed files with 91 additions and 101 deletions
--- a/nselib/ipmi.lua
+++ b/nselib/ipmi.lua
@@ -5,7 +5,6 @@
 -- @class module
 -- @name ipmi
 -- @author "Claudiu Perta <claudiu.perta@gmail.com>"
 local bin = require "bin"
 local stdnse = require "stdnse"
 local string = require "string"
 local rand = require "rand"
@@ -94,7 +93,7 @@ session_open_request = function(console_session_id)
    "\x01\x00\x00\x00"  -- AES Encryption
    )
-  return bin.pack("<AP", rmcpplus_header("RMCPPLUSOPEN_REQ"), data)
+  return rmcpplus_header("RMCPPLUSOPEN_REQ") .. string.pack("<s2", data)
 end
 -- Open rmcpplus_request
@@ -113,22 +112,20 @@ session_open_cipher_zero_request = function(console_session_id)
    "\x00\x00\x00\x00"  -- No Encryption
    )
-  return bin.pack("<AP", rmcpplus_header("RMCPPLUSOPEN_REQ"), data)
+  return rmcpplus_header("RMCPPLUSOPEN_REQ") .. string.pack("<s2", data)
 end
 rakp_1_request = function(bmc_session_id, console_random_id, username)
-  local data = bin.pack(
+  local data = string.pack(
-    "<AAIAAAp",
+    "<Bxxx I c16 Bxx s1",
-    "\x00",                       -- Message Tag
+    0,                       -- Message Tag
    "\x00\x00\x00",               -- Reserved
    bmc_session_id,
    console_random_id,
-    "\x14",                       -- Privilege level
+    0x14,                       -- Privilege level
    "\x00\x00",                   -- Reserved
    username
    )
-  return bin.pack("<AP", rmcpplus_header("RAKP1"), data)
+  return rmcpplus_header("RAKP1") .. string.pack("<s2", data)
 end
 rakp_hmac_sha1_salt = function(
@@ -140,8 +137,8 @@ rakp_hmac_sha1_salt = function(
    authorization_level,
    username)
-  local salt = bin.pack(
+  local salt = string.pack(
-    "AIAAACp",
+    "c4 I c16c16c16 Bs1",
    console_session_id,
    bmc_session_id,
    console_random_id,
@@ -180,57 +177,54 @@ parse_channel_auth_reply = function(reply)
  local pos = 0
  local value
-  pos, data["rmcp_version"] = bin.unpack("<C", reply, pos)
+  data.rmcp_version,
-  pos, data["rmcp_padding"] = bin.unpack("<C", reply, pos)
+  data.rmcp_padding,
-  pos, data["rmcp_sequence"] = bin.unpack("<C", reply, pos)
+  data.rmcp_sequence,
  value, pos = string.unpack("<BBBB", reply, pos)
-  pos, value = bin.unpack("C", reply, pos)
+  data.rmcp_mtype = ((value & 0x80) ~= 0)
-  data["rmcp_mtype"] = ((value & 0x80) ~= 0)
+  data.rmcp_class = (value & 0x7F)
  data["rmcp_class"] = (value & 0x7F)
-  pos, data["session_auth_type"] = bin.unpack("C", reply, pos)
+  data.session_auth_type,
-  pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
+  data.session_sequence,
-  pos, data["session_id"] = bin.unpack("<I", reply, pos)
+  data.session_id,
-  pos, data["message_length"] = bin.unpack("C", reply, pos)
+  data.message_length,
-  pos, data["ipmi_tgt_address"] = bin.unpack("C", reply, pos)
+  data.ipmi_tgt_address,
-  pos, data["ipmi_tgt_lun"] = bin.unpack("C", reply, pos)
+  data.ipmi_tgt_lun,
-  pos, data["ipmi_header_checksum"] = bin.unpack("C", reply, pos)
+  data.ipmi_header_checksum,
-  pos, data["ipmi_src_address"] = bin.unpack("C", reply, pos)
+  data.ipmi_src_address,
-  pos, data["ipmi_src_lun"] = bin.unpack("C", reply, pos)
+  data.ipmi_src_lun,
-  pos, data["ipmi_command"] = bin.unpack("C", reply, pos)
+  data.ipmi_command,
-  pos, data["ipmi_completion_code"] = bin.unpack("C", reply, pos)
+  data.ipmi_completion_code,
-  pos, data["ipmi_channel"] = bin.unpack("C", reply, pos)
+  data.ipmi_channel,
  value, pos = string.unpack("<BI4I4BBBBBBBBBB", reply, pos)
-  pos, value = bin.unpack("C", reply, pos)
+  data.ipmi_compat_20 = ((value & 0x80) ~= 0)
-  data["ipmi_compat_20"] = ((value & 0x80) ~= 0)
+  data.ipmi_compat_reserved1 = ((value & 0x40) ~= 0)
-  data["ipmi_compat_reserved1"] = ((value & 0x40) ~= 0)
+  data.ipmi_compat_oem_auth = ((value & 0x20) ~= 0)
-  data["ipmi_compat_oem_auth"] = ((value & 0x20) ~= 0)
+  data.ipmi_compat_password = ((value & 0x10) ~= 0)
-  data["ipmi_compat_password"] = ((value & 0x10) ~= 0)
+  data.ipmi_compat_reserved2 = ((value & 0x08) ~= 0)
-  data["ipmi_compat_reserved2"] = ((value & 0x08) ~= 0)
+  data.ipmi_compat_md5 = ((value & 0x04) ~= 0)
-  data["ipmi_compat_md5"] = ((value & 0x04) ~= 0)
+  data.ipmi_compat_md2 = ((value & 0x02) ~= 0)
-  data["ipmi_compat_md2"] = ((value & 0x02) ~= 0)
+  data.ipmi_compat_none = ((value & 0x01) ~= 0)
  data["ipmi_compat_none"] = ((value & 0x01) ~= 0)
-  pos, value = bin.unpack("C", reply, pos)
+  value, pos = string.unpack("B", reply, pos)
-  data["ipmi_user_reserved1"] = ((value >> 6) & 0x03)
+  data.ipmi_user_reserved1 = ((value >> 6) & 0x03)
-  data["ipmi_user_kg"] = ((value & 0x20) ~= 0)
+  data.ipmi_user_kg = ((value & 0x20) ~= 0)
-  data["ipmi_user_disable_message_auth"] = ((value & 0x10) ~= 0)
+  data.ipmi_user_disable_message_auth = ((value & 0x10) ~= 0)
-  data["ipmi_user_disable_user_auth"] = ((value & 0x08) ~= 0)
+  data.ipmi_user_disable_user_auth = ((value & 0x08) ~= 0)
-  data["ipmi_user_non_null"] = ((value & 0x04) ~= 0)
+  data.ipmi_user_non_null = ((value & 0x04) ~= 0)
-  data["ipmi_user_null"] = ((value & 0x02) ~= 0)
+  data.ipmi_user_null = ((value & 0x02) ~= 0)
-  data["ipmi_user_anonymous"] = ((value & 0x01) ~= 0)
+  data.ipmi_user_anonymous = ((value & 0x01) ~= 0)
-  pos, value = bin.unpack("C", reply, pos)
+  value, pos = string.unpack("B", reply, pos)
-  data["ipmi_conn_reserved1"] = ((value >> 2) & 0x3F)
+  data.ipmi_conn_reserved1 = ((value >> 2) & 0x3F)
-  data["ipmi_conn_20"] = ((value & 0x02) ~= 0)
+  data.ipmi_conn_20 = ((value & 0x02) ~= 0)
-  data["ipmi_conn_15"] = ((value & 0x01) ~= 0)
+  data.ipmi_conn_15 = ((value & 0x01) ~= 0)
-  -- 24 bits OEMID, unpack an int and shift 1 byte to the right
+  -- 24 bits OEMID
-  pos, value = bin.unpack("<I", reply, pos)
+  data.ipmi_oem_id, pos = string.unpack("<I3", reply, pos)
-  data["ipmi_oem_id"] = value >> 8
+  data.ipmi_oem_data = reply:sub(pos)
  -- restore one byte position
  pos = pos - 1
  pos, data["ipmi_oem_data"] = bin.unpack("A", reply, pos)
  return data
 end
@@ -241,34 +235,32 @@ parse_open_session_reply = function(reply)
  local value
  -- 4 bytes Header
-  pos, data["rmcp_version"] = bin.unpack("C", reply, pos)
+  data.rmcp_version,
-  pos, data["rmcp_padding"] = bin.unpack("C", reply, pos)
+  data.rmcp_padding,
-  pos, data["rmcp_sequence"] = bin.unpack("C", reply, pos)
+  data.rmcp_sequence,
-
+  value, pos = string.unpack("BBBB", reply, pos)
  pos, value = bin.unpack("C", reply, pos)
  -- bit 1
-  data["rmcp_mtype"] = ((value & 0x80) ~= 0)
+  data.rmcp_mtype = ((value & 0x80) ~= 0)
  -- bit [2:8]
-  data["rmcp_class"] = (value & 0x7F)
+  data.rmcp_class = (value & 0x7F)
-  pos, data["session_auth_type"] = bin.unpack("C", reply, pos)
+  data.session_auth_type,
-
+  value, pos = string.unpack("BB", reply, pos)
  pos, value = bin.unpack("C", reply, pos)
  -- bit 1
-  data["session_payload_encrypted"] = ((value & 0x80) ~= 0)
+  data.session_payload_encrypted = ((value & 0x80) ~= 0)
  -- bit 2
-  data["session_payload_authenticated"] = ((value & 0x40) ~= 0)
+  data.session_payload_authenticated = ((value & 0x40) ~= 0)
  -- bit [3:8]
-  data["session_payload_type"] = (value & 0x3F)
+  data.session_payload_type = (value & 0x3F)
-  pos, data["session_id"] = bin.unpack("<I", reply, pos)
+  data.session_id,
-  pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
+  data.session_sequence,
-  pos, data["message_length"] = bin.unpack("<S", reply, pos)
+  data.message_length,
-  pos, data["ignored1"] = bin.unpack("C", reply, pos)
+  data.ignored1,
-  pos, data["error_code"] = bin.unpack("C", reply, pos)
+  data.error_code,
-  pos, data["ignored2"] = bin.unpack("<S", reply, pos)
+  data.ignored2,
-  pos, data["console_session_id"] = bin.unpack("<I", reply, pos)
+  data.console_session_id,
-  pos, data["bmc_session_id"] = bin.unpack("<I", reply, pos)
+  data.bmc_session_id, pos = string.unpack("<I4I4I2BBI2I4I4", reply, pos)
  return data
 end
@@ -279,36 +271,34 @@ parse_rakp_1_reply = function(reply)
  local value
  -- 4 bytes Header
-  pos, data["rmcp_version"] = bin.unpack("C", reply, pos)
+  data.rmcp_version,
-  pos, data["rmcp_padding"] = bin.unpack("C", reply, pos)
+  data.rmcp_padding,
-  pos, data["rmcp_sequence"] = bin.unpack("C", reply, pos)
+  data.rmcp_sequence,
-
+  value, pos = string.unpack("BBBB", reply, pos)
  pos, value = bin.unpack("C", reply, pos)
  -- bit 1
-  data["rmcp_mtype"] = ((value & 0x80) ~= 0)
+  data.rmcp_mtype = ((value & 0x80) ~= 0)
  -- bit [2:8]
-  data["rmcp_class"] = (value & 0x7F)
+  data.rmcp_class = (value & 0x7F)
-  pos, data["session_auth_type"] = bin.unpack("C", reply, pos)
+  data.session_auth_type,
-
+  value, pos = string.unpack("BB", reply, pos)
  pos, value = bin.unpack("C", reply, pos)
  -- bit 1
-  data["session_payload_encrypted"] = ((value & 0x80) ~= 0)
+  data.session_payload_encrypted = ((value & 0x80) ~= 0)
  -- bit 2
-  data["session_payload_authenticated"] = ((value & 0x40) ~= 0)
+  data.session_payload_authenticated = ((value & 0x40) ~= 0)
  -- bit [3:8]
-  data["session_payload_type"] = (value & 0x3F)
+  data.session_payload_type = (value & 0x3F)
-  pos, data["session_id"] = bin.unpack("<I", reply, pos)
+  data.session_id,
-  pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
+  data.session_sequence,
-  pos, data["message_length"] = bin.unpack("<S", reply, pos)
+  data.message_length,
-  pos, data["ignored1"] = bin.unpack("C", reply, pos)
+  data.ignored1,
-  pos, data["error_code"] = bin.unpack("C", reply, pos)
+  data.error_code,
-  pos, data["ignored2"] = bin.unpack("<S", reply, pos)
+  data.ignored2,
-  pos, data["console_session_id"] = bin.unpack("<I", reply, pos)
+  data.console_session_id,
-  pos, data["bmc_random_id"] = bin.unpack("A16", reply, pos)
+  data.bmc_random_id,
-  pos, data["bmc_guid"] = bin.unpack("A16", reply, pos)
+  data.bmc_guid,
-  pos, data["hmac_sha1"] = bin.unpack("A20", reply, pos)
+  data.hmac_sha1, pos = string.unpack("<I4I4I2BBI2I4c16c16c20", reply, pos)
  return data
 end