PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-24 08:29:04 +00:00
Code Issues Projects Releases Wiki Activity

Use explicit endianness in pack/unpack.

Browse Source
This commit is contained in:
dmiller
2017-02-14 03:47:49 +00:00
parent 2f104650a8
commit f20589ca09
13 changed files with 30 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nselib/afp.lua
View File

@@ -835,7 +835,7 @@ Proto = {
end end
data = response:getPacketData() data = response:getPacketData()
pos, parms.server_time, parms.vol_count = bin.unpack("IC", data) pos, parms.server_time, parms.vol_count = bin.unpack(">IC", data)
-- we should now be at the leading zero preceding the first volume name -- we should now be at the leading zero preceding the first volume name
-- next is the length of the volume name, move pos there -- next is the length of the volume name, move pos there

19
nselib/ipmi.lua
View File

@@ -166,6 +166,17 @@ verify_rakp_hmac_sha1 = function(salt, hash, password)
return (digest == hash) return (digest == hash)
end end
--[[
Multi-byte fields in RMCP/ASF fields are specified as being transmitted in
'Network Byte Order' - meaning most-significant byte first.
RMCP and ASF-specified fields are therefore transferred most-significant byte
first.
The IPMI convention is to transfer multi-byte numeric fields least-significant
Byte first. Therefore, unless otherwise specified:
Data in the IPMI Session Header and IPMI Message fields are transmitted
least-significant byte first.
--]]
parse_channel_auth_reply = function(reply) parse_channel_auth_reply = function(reply)
local data = {} local data = {}
local pos = 0 local pos = 0
@@ -252,14 +263,14 @@ parse_open_session_reply = function(reply)
-- bit [3:8] -- bit [3:8]
data["session_payload_type"] = bit.band(value, 0x3F) data["session_payload_type"] = bit.band(value, 0x3F)
pos, data["session_id"] = bin.unpack("I", reply, pos) pos, data["session_id"] = bin.unpack("<I", reply, pos)
pos, data["session_sequence"] = bin.unpack("I", reply, pos) pos, data["session_sequence"] = bin.unpack("<I", reply, pos)
pos, data["message_length"] = bin.unpack("<S", reply, pos) pos, data["message_length"] = bin.unpack("<S", reply, pos)
pos, data["ignored1"] = bin.unpack("C", reply, pos) pos, data["ignored1"] = bin.unpack("C", reply, pos)
pos, data["error_code"] = bin.unpack("C", reply, pos) pos, data["error_code"] = bin.unpack("C", reply, pos)
pos, data["ignored2"] = bin.unpack("<S", reply, pos) pos, data["ignored2"] = bin.unpack("<S", reply, pos)
pos, data["console_session_id"] = bin.unpack("I", reply, pos) pos, data["console_session_id"] = bin.unpack("<I", reply, pos)
pos, data["bmc_session_id"] = bin.unpack("I", reply, pos) pos, data["bmc_session_id"] = bin.unpack("<I", reply, pos)
return data return data
end end

4
nselib/mongodb.lua
View File

@@ -131,7 +131,7 @@ function toBson(dict)
end end
dbg("Packet length is %d",length) dbg("Packet length is %d",length)
--Final pack --Final pack
return true, bin.pack("I", length) .. elements .. "\0" return true, bin.pack("<I", length) .. elements .. "\0"
end end
-- Reads a null-terminated string. If length is supplied, it is just cut -- Reads a null-terminated string. If length is supplied, it is just cut
@@ -376,7 +376,7 @@ MongoData ={
--Adds unsigned int32 to the message body --Adds unsigned int32 to the message body
--@param value the value to add --@param value the value to add
function MongoData:addUnsignedInt32(value) function MongoData:addUnsignedInt32(value)
self.valueString = self.valueString..bin.pack("I",value) self.valueString = self.valueString..bin.pack("<I",value)
end end
-- Adds a string to the message body -- Adds a string to the message body
--@param value the string to add --@param value the string to add

2
nselib/mssql.lua
View File

@@ -3121,7 +3121,7 @@ Auth = {
local c = bit.bxor( string.byte( i ), xormask ) local c = bit.bxor( string.byte( i ), xormask )
local m1= bit.band( bit.rshift( c, 4 ), 0x0F0F ) local m1= bit.band( bit.rshift( c, 4 ), 0x0F0F )
local m2= bit.band( bit.lshift( c, 4 ), 0xF0F0 ) local m2= bit.band( bit.lshift( c, 4 ), 0xF0F0 )
return bin.pack("S", bit.bor( m1, m2 ) ) return bin.pack("<S", bit.bor( m1, m2 ) )
end) end)
end, end,

4
nselib/mysql.lua
View File

@@ -1,7 +1,7 @@
--- ---
-- Simple MySQL Library supporting a very limited subset of operations. -- Simple MySQL Library supporting a very limited subset of operations.
-- --
-- http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol -- https://dev.mysql.com/doc/internals/en/client-server-protocol.html
-- --
-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html -- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
-- --
@@ -522,7 +522,7 @@ function sqlQuery( socket, query )
local packet, packet_len, pos, header local packet, packet_len, pos, header
local status, fields, field_count, rows, rs local status, fields, field_count, rows, rs
packet = bin.pack("ICA", querylen, Command.Query, query ) packet = bin.pack("<ICA", querylen, Command.Query, query )
-- --
-- http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Result_Set_Header_Packet -- http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Result_Set_Header_Packet

2
nselib/tn3270.lua
View File

@@ -1006,7 +1006,7 @@ Telnet = {
if self.state == self.TN3270E_DATA then if self.state == self.TN3270E_DATA then
-- we need to create the tn3270E (the E is important) header -- we need to create the tn3270E (the E is important) header
-- which, in basic 3270E is 5 bytes of 0x00 -- which, in basic 3270E is 5 bytes of 0x00
packet = string.pack("BBB I2", packet = string.pack("BBB >I2",
self.DT_3270_DATA, -- type self.DT_3270_DATA, -- type
0, -- request 0, -- request
0, -- response 0, -- response

2
nselib/tns.lua
View File

@@ -616,7 +616,7 @@ Packet.SNS = {
-- --
-- @return string containing the packet -- @return string containing the packet
__tostring = function( self ) __tostring = function( self )
return bin.pack("SH", self.flags, return bin.pack(">SH", self.flags,
[[ [[
deadbeef00920b1006000004000004000300000000000400050b10060000080 deadbeef00920b1006000004000004000300000000000400050b10060000080
001000015cb353abecb00120001deadbeef0003000000040004000100010002 001000015cb353abecb00120001deadbeef0003000000040004000100010002

2
nselib/xdmcp.lua
View File

@@ -79,7 +79,7 @@ Packet = {
local data = tostring(self.header) local data = tostring(self.header)
data = data .. bin.pack("C", #self.authnames) data = data .. bin.pack("C", #self.authnames)
for _, name in ipairs(self.authnames) do for _, name in ipairs(self.authnames) do
data = data .. bin.pack("P", name) data = data .. bin.pack(">P", name)
end end
return data return data
end, end,

2
scripts/citrix-enum-apps.nse
View File

@@ -42,7 +42,7 @@ portrule = shortport.portnumber(1604, "udp")
-- @return string row delimited with \n containing all published applications -- @return string row delimited with \n containing all published applications
function process_pa_response(response) function process_pa_response(response)
local pos, packet_len = bin.unpack("SS", response) local pos, packet_len = bin.unpack("<S", response)
local app_name local app_name
local pa_list = {} local pa_list = {}

2
scripts/citrix-enum-servers.nse
View File

@@ -40,7 +40,7 @@ portrule = shortport.portnumber(1604, "udp")
-- --
function process_server_response(response) function process_server_response(response)
local pos, packet_len = bin.unpack("SS", response) local pos, packet_len = bin.unpack("<S", response)
local server_name local server_name
local server_list = {} local server_list = {}

4
scripts/db2-das-info.nse
View File

@@ -190,7 +190,7 @@ function read_db2_packet(socket)
local _, endian = bin.unpack( "A2", packet.header.raw, ENDIANESS_OFFSET ) local _, endian = bin.unpack( "A2", packet.header.raw, ENDIANESS_OFFSET )
if endian == "9z" then if endian == "9z" then
_, packet.header.data_len = bin.unpack("I", packet.header.raw, DATA_LENGTH_OFFSET ) _, packet.header.data_len = bin.unpack("<I", packet.header.raw, DATA_LENGTH_OFFSET )
else else
_, packet.header.data_len = bin.unpack(">I", packet.header.raw, DATA_LENGTH_OFFSET ) _, packet.header.data_len = bin.unpack(">I", packet.header.raw, DATA_LENGTH_OFFSET )
end end
@@ -270,7 +270,7 @@ function create_das_packet( magic, data )
.. "\x01\x04\x00\x00\x00\x10\x39\x7a\x00\x05\x00\x00\x00\x00\x00\x00" .. "\x01\x04\x00\x00\x00\x10\x39\x7a\x00\x05\x00\x00\x00\x00\x00\x00"
.. "\x00\x00\x00\x00" .. "\x00\x00\x00\x00"
.. bin.pack("C", magic) .. bin.pack("C", magic)
.. bin.pack("S", data_len) .. bin.pack("<S", data_len)
.. "\x00\x00" .. "\x00\x00"
packet.header.data_len = data_len packet.header.data_len = data_len

2
scripts/enip-info.nse
View File

@@ -1422,7 +1422,7 @@ action = function(host,port)
-- lookup device type based off number, return to output table -- lookup device type based off number, return to output table
output["Device Type"] = device_type_lookup(devnum) .. " (" .. devnum .. ")" output["Device Type"] = device_type_lookup(devnum) .. " (" .. devnum .. ")"
-- unpack product code as a two byte int -- unpack product code as a two byte int
pos, output["Product Code"] = bin.unpack("S", response, 53) pos, output["Product Code"] = bin.unpack("<S", response, 53)
-- Revision Nuumber -- Revision Nuumber
local char1, char2 local char1, char2
pos, char1, char2 = bin.unpack("CC", response, 55) pos, char1, char2 = bin.unpack("CC", response, 55)

2
scripts/lltd-discovery.nse
View File

@@ -190,7 +190,7 @@ local QuickDiscoveryPacket = function(mac_src)
local number_of_stations = 0 local number_of_stations = 0
local station_list = string.rep("\0", 6*4) local station_list = string.rep("\0", 6*4)
discover_up_lev_hdr = generation_number .. string.pack("I2", number_of_stations) .. station_list discover_up_lev_hdr = generation_number .. string.pack(">I2", number_of_stations) .. station_list
-- put them all together and return -- put them all together and return
return ethernet_hdr .. demultiplex_hdr .. base_hdr .. discover_up_lev_hdr return ethernet_hdr .. demultiplex_hdr .. base_hdr .. discover_up_lev_hdr