Fix multiple occurrences of bad pack/unpack specifiers

lib/bit-struct/octet-field.rb

@@ -37,7 +37,7 @@ def add_accessors_to(cl, attr = name) # :nodoc:
         old_writer = "#{attr_chars}="
 
         define_method "#{attr}=" do |val|
-          data = val.split(sep).map{|s|s.to_i(base)}.pack("c*")
+          data = val.split(sep).map{|s|s.to_i(base)}.pack("C*")
           send(old_writer, data)
         end
       end

lib/msf/core/exploit/afp.rb

@@ -246,8 +246,7 @@ def parse_info_response(response)
   end
 
   def parse_header(packet)
-    header = packet.unpack('CCnNNN') #ruby 1.8.7 don't support unpacking signed integers in big-endian order
-    header[3] = packet[4..7].reverse.unpack("l").first
+    header = packet.unpack('CCnNNN')
     return header
   end
 

lib/msf/core/post/windows/accounts.rb

@@ -270,7 +270,7 @@ def check_dir_perms(dir, token)
 
     #define generic mapping structure
     gen_map = [0,0,0,0]
-    gen_map = gen_map.pack("L")
+    gen_map = gen_map.pack("V")
     buffer_size = 500
 
     #get Security Descriptor for the directory

lib/msf/core/post/windows/ldap.rb

@@ -248,15 +248,15 @@ def query_ldap(session_handle, base, scope, filter, fields)
   # @param pEntry [Fixnum] Pointer to the Entry
   # @return [Array] Entry data structure
   def get_entry(pEntry)
-    return client.railgun.memread(pEntry,41).unpack('LLLLLLLLLSCCC')
+    return client.railgun.memread(pEntry,41).unpack('VVVVVVVVVvCCC')
   end
 
   # Get BER Element data structure from LDAPMessage
   #
   # @param msg [String] The LDAP Message from the server
   # @return [String] The BER data structure
   def get_ber(msg)
-    ber = client.railgun.memread(msg[2],60).unpack('L*')
+    ber = client.railgun.memread(msg[2],60).unpack('V*')
 
     # BER Pointer is different between x86 and x64
     if client.platform =~ /x64/

lib/msf/core/post/windows/services.rb

@@ -334,7 +334,7 @@ def service_status(name, server=nil)
         raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{handle["GetLastError"]}")
       end
 
-      vals = status['lpServiceStatus'].unpack('L*')
+      vals = status['lpServiceStatus'].unpack('V*')
       adv.CloseServiceHandle(handle["return"])
 
       ret = {

lib/msf/util/exe.rb

@@ -340,22 +340,22 @@ def self.to_winpe_only(framework, code, opts={}, arch="x86")
 
     # look for section with entry point
     sections_header.each do |sec|
-      virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0]
-      sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0]
-      characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
+      virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('V')[0]
+      sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('V')[0]
+      characteristics = sec[1][characteristics_offset,0x4].unpack('V')[0]
 
       if (virtualAddress...virtualAddress+sizeOfRawData).include?(addressOfEntryPoint)
-        importsTable = pe.hdr.opt.DataDirectory[8..(8+4)].unpack('L')[0]
+        importsTable = pe.hdr.opt.DataDirectory[8..(8+4)].unpack('V')[0]
         if (importsTable - addressOfEntryPoint) < code.length
           #shift original entry point to prevent tables overwritting
           addressOfEntryPoint = importsTable - (code.length + 4)
 
           entry_point_offset = pe._dos_header.v['e_lfanew'] + entryPoint_offset
-          exe[entry_point_offset,4] = [addressOfEntryPoint].pack('L')
+          exe[entry_point_offset,4] = [addressOfEntryPoint].pack('V')
         end
         # put this section writable
         characteristics |= 0x8000_0000
-        newcharacteristics = [characteristics].pack('L')
+        newcharacteristics = [characteristics].pack('V')
         exe[sec[0],newcharacteristics.length] = newcharacteristics
       end
     end
@@ -572,20 +572,20 @@ def self.to_win32pe_service(framework, code, opts={})
         "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
         "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
         "\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1" +
-        "\x8D\x85"+[svcmain_code_offset].pack('<I')+"\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
+        "\x8D\x85"+[svcmain_code_offset].pack('V')+"\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
         "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
         "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED" +
-         [hash_code_offset].pack('<I')+pushed_service_name+"\x89\xE1\x8D" +
-        "\x85"+[svcctrlhandler_code_offset].pack('<I')+"\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
+         [hash_code_offset].pack('V')+pushed_service_name+"\x89\xE1\x8D" +
+        "\x85"+[svcctrlhandler_code_offset].pack('V')+"\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
         "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
         "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5\x31\xFF\x6A" +
         "\x04\x68\x00\x10\x00\x00\x6A\x54\x57\x68\x58\xA4\x53\xE5\xFF\xD5" +
         "\xC7\x00\x44\x00\x00\x00\x8D\x70\x44\x57\x68\x2E\x65\x78\x65\x68" +
         "\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +
         "\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" +
-        "\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('<I')+"\x57\x51\x68\xAE\x87" +
+        "\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('V')+"\x57\x51\x68\xAE\x87" +
         "\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x81\xC2" +
-         [shellcode_code_offset].pack('<I')+"\x54\x68"+[code.length].pack('<I') +
+         [shellcode_code_offset].pack('V')+"\x54\x68"+[code.length].pack('V') +
         "\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
         "\xD5\x31\xC0\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A" +
         "\x79\xFF\xD5\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04" +
@@ -654,12 +654,17 @@ def self.replace_msi_buffer(pe, opts)
       msi = fd.read(fd.stat.size)
     }
 
-    section_size =	2**(msi[30..31].unpack('s')[0])
-    sector_allocation_table = msi[section_size..section_size*2].unpack('l*')
+    section_size =	2**(msi[30..31].unpack('v')[0])
+
+    # This table is one of the few cases where signed values are needed
+    sector_allocation_table = msi[section_size..section_size*2].unpack('l<*')
 
     buffer_chain = []
-    current_secid = 5	# This is closely coupled with the template provided and ideally
-          # would be calculated from the dir stream?
+
+    # This is closely coupled with the template provided and ideally
+    # would be calculated from the dir stream?
+    current_secid = 5	
+
 
     until current_secid == -2
       buffer_chain << current_secid
@@ -827,22 +832,22 @@ def self.to_exe_elf(framework, opts, template, code, big_endian=false)
 
     # Check EI_CLASS to determine if the header is 32 or 64 bit
     # Use the proper offsets and pack size
-    case elf[4]
-    when 1, "\x01" # ELFCLASS32 - 32 bit (ruby 1.8 and 1.9)
+    case elf[4,1].unpack("C").first
+    when 1 # ELFCLASS32 - 32 bit (ruby 1.9+)
       if big_endian
         elf[0x44,4] = [elf.length].pack('N') #p_filesz
         elf[0x48,4] = [elf.length + code.length].pack('N') #p_memsz
       else # little endian
         elf[0x44,4] = [elf.length].pack('V') #p_filesz
         elf[0x48,4] = [elf.length + code.length].pack('V') #p_memsz
       end
-    when 2, "\x02" # ELFCLASS64 - 64 bit (ruby 1.8 and 1.9)
+    when 2 # ELFCLASS64 - 64 bit (ruby 1.9+)
       if big_endian
         elf[0x60,8] = [elf.length].pack('Q>') #p_filesz
         elf[0x68,8] = [elf.length + code.length].pack('Q>') #p_memsz
       else # little endian
-        elf[0x60,8] = [elf.length].pack('Q') #p_filesz
-        elf[0x68,8] = [elf.length + code.length].pack('Q') #p_memsz
+        elf[0x60,8] = [elf.length].pack('Q<') #p_filesz
+        elf[0x68,8] = [elf.length + code.length].pack('Q<') #p_memsz
       end
     else
       raise RuntimeError, "Invalid ELF template: EI_CLASS value not supported"

lib/rex/arch.rb

@@ -49,7 +49,7 @@ def self.pack_addr(arch, addr)
       when ARCH_X86
         [addr].pack('V')
       when ARCH_X86_64
-        [addr].pack('Q')
+        [addr].pack('Q<')
       when ARCH_MIPS # ambiguous
         [addr].pack('N')
       when ARCH_MIPSBE

lib/rex/encoder/ndr.rb

@@ -28,7 +28,7 @@ def NDR.short(string)
   # use to encode:
   #       byte element_1;
   def NDR.byte(string)
-    return [string].pack('c')
+    return [string].pack('C')
   end
 
   # Encode a byte array

lib/rex/ole/util.rb

@@ -124,15 +124,15 @@ def self.pack8(value)
 
 
   def self.getUnicodeString(buf)
-    buf = buf.unpack('S*').pack('C*')
+    buf = buf.unpack('v*').pack('C*')
     if (idx = buf.index(0x00.chr))
       buf.slice!(idx, buf.length)
     end
     buf
   end
 
   def self.putUnicodeString(buf)
-    buf = buf.unpack('C*').pack('S*')
+    buf = buf.unpack('C*').pack('v*')
     if (buf.length < 0x40)
       buf << "\x00" * (0x40 - buf.length)
     end

lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb

@@ -27,8 +27,8 @@ def self.pack_pointer(pointer, platform)
 
     case platform
     when PlatformUtil::X86_64
-      # XXX: Only works if attacker and victim are like-endianed
-      [pointer].pack('Q')
+      # Assume little endian
+      [pointer].pack('Q<')
     when PlatformUtil::X86_32
       [pointer].pack('V')
     else
@@ -40,8 +40,8 @@ def self.pack_pointer(pointer, platform)
   def self.unpack_pointer(packed_pointer, platform)
     case platform
     when PlatformUtil::X86_64
-      # XXX: Only works if attacker and victim are like-endianed
-      packed_pointer.unpack('Q').first
+      # Assume little endian
+      packed_pointer.unpack('Q<').first
     when PlatformUtil::X86_32
       packed_pointer.unpack('V').first
     else

lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb

@@ -324,8 +324,8 @@ def initialize(railgun, platform)
   #
   def unpack_pointer(packed_pointer)
     if is_64bit
-      # XXX: Only works if attacker and victim are like-endianed
-      packed_pointer.unpack('Q')[0]
+      # Assume little endian
+      packed_pointer.unpack('Q<')[0]
     else
       packed_pointer.unpack('V')[0]
     end
@@ -452,9 +452,9 @@ def read_data(type, position, buffer = nil)
       # Both on x86 and x64, DWORD is 32 bits
       return raw.unpack('V').first
     when :BOOL
-      return raw.unpack('l').first == 1
+      return raw.unpack('V').first == 1
     when :LONG
-      return raw.unpack('l').first
+      return raw.unpack('V').first
     end
 
     #If nothing worked thus far, return it raw

lib/rex/post/meterpreter/packet.rb

@@ -251,7 +251,7 @@ def to_r
     elsif (self.type & TLV_META_TYPE_UINT == TLV_META_TYPE_UINT)
       raw = [value].pack("N")
     elsif (self.type & TLV_META_TYPE_QWORD == TLV_META_TYPE_QWORD)
-      raw = [ self.htonq( value.to_i ) ].pack("Q")
+      raw = [ self.htonq( value.to_i ) ].pack("Q<")
     elsif (self.type & TLV_META_TYPE_BOOL == TLV_META_TYPE_BOOL)
       if (value == true)
         raw = [1].pack("c")
@@ -312,7 +312,7 @@ def from_r(raw)
     elsif (self.type & TLV_META_TYPE_UINT == TLV_META_TYPE_UINT)
       self.value = raw.unpack("NNN")[2]
     elsif (self.type & TLV_META_TYPE_QWORD == TLV_META_TYPE_QWORD)
-      self.value = raw.unpack("NNQ")[2]
+      self.value = raw.unpack("NNQ<")[2]
       self.value = self.ntohq( self.value )
     elsif (self.type & TLV_META_TYPE_BOOL == TLV_META_TYPE_BOOL)
       self.value = raw.unpack("NNc")[2]
@@ -335,7 +335,7 @@ def htonq( value )
     if( [1].pack( 's' ) == [1].pack( 'n' ) )
       return value
     end
-    return [ value ].pack( 'Q' ).reverse.unpack( 'Q' ).first
+    return [ value ].pack( 'Q<' ).reverse.unpack( 'Q<' ).first
   end
 
   def ntohq( value )

lib/rex/proto/dcerpc/ndr.rb

@@ -34,7 +34,7 @@ def self.short(string)
   #       byte element_1;
   def self.byte(string)
     warn 'should be using Rex::Encoder::NDR'
-    return [string].pack('c')
+    return [string].pack('C')
   end
 
   # Encode a byte array

lib/rex/proto/natpmp/packet.rb

@@ -19,7 +19,7 @@ def self.external_address_request
   # Parse a NAT-PMP external address response +resp+.
   # Returns the decoded parts of the response as an array.
   def self.parse_external_address_response(resp)
-    (ver, op, result, epoch, addr) = resp.unpack("CCSLN")
+    (ver, op, result, epoch, addr) = resp.unpack("CCvVN")
     [ ver, op, result, epoch, Rex::Socket::addr_itoa(addr) ]
   end
 
@@ -31,13 +31,13 @@ def self.map_port_request(lport, rport, protocol, lifetime)
       lport,
       rport,
       lifetime
-    ].pack("ccnnnN")
+    ].pack("CCnnnN")
   end
 
   # Parse a NAT-PMP mapping response +resp+.
   # Returns the decoded parts as an array.
   def self.parse_map_port_response(resp)
-    resp.unpack("CCSLnnN")
+    resp.unpack("CCvVnnN")
   end
 end
 

lib/rex/registry/lfkey.rb

@@ -41,7 +41,7 @@ class LFHashRecord
   attr_accessor :nodekey_offset, :nodekey_name_verification
 
   def initialize(hive_blob, offset)
-    @nodekey_offset = hive_blob[offset, 4].unpack('l').first
+    @nodekey_offset = hive_blob[offset, 4].unpack('V').first
     @nodekey_name_verification = hive_blob[offset+0x04, 4].to_s
   end
 

lib/rex/registry/nodekey.rb

@@ -23,16 +23,16 @@ def initialize(hive, offset)
       return
     end
 
-    @timestamp = hive[offset+0x04, 8].unpack('q').first
-    @parent_offset = hive[offset+0x10, 4].unpack('l').first
-    @subkeys_count = hive[offset+0x14, 4].unpack('l').first
-    @lf_record_offset = hive[offset+0x1c, 4].unpack('l').first
-    @value_count = hive[offset+0x24, 4].unpack('l').first
-    @value_list_offset = hive[offset+0x28, 4].unpack('l').first
-    @security_key_offset = hive[offset+0x2c, 4].unpack('l').first
-    @class_name_offset = hive[offset+0x30, 4].unpack('l').first
-    @name_length = hive[offset+0x48, 2].unpack('c').first
-    @class_name_length = hive[offset+0x4a, 2].unpack('c').first
+    @timestamp = hive[offset+0x04, 8].unpack('Q').first
+    @parent_offset = hive[offset+0x10, 4].unpack('V').first
+    @subkeys_count = hive[offset+0x14, 4].unpack('V').first
+    @lf_record_offset = hive[offset+0x1c, 4].unpack('V').first
+    @value_count = hive[offset+0x24, 4].unpack('V').first
+    @value_list_offset = hive[offset+0x28, 4].unpack('V').first
+    @security_key_offset = hive[offset+0x2c, 4].unpack('V').first
+    @class_name_offset = hive[offset+0x30, 4].unpack('V').first
+    @name_length = hive[offset+0x48, 2].unpack('C').first
+    @class_name_length = hive[offset+0x4a, 2].unpack('C').first
     @name = hive[offset+0x4c, @name_length].to_s
 
     windows_time = @timestamp

lib/rex/registry/valuekey.rb

@@ -17,10 +17,10 @@ def initialize(hive, offset)
       return
     end
 
-    @name_length = hive[offset+0x02, 2].unpack('c').first
-    @length_of_data = hive[offset+0x04, 4].unpack('l').first
-    @data_offset = hive[offset+ 0x08, 4].unpack('l').first
-    @value_type = hive[offset+0x0C, 4].unpack('c').first
+    @name_length = hive[offset+0x02, 2].unpack('C').first
+    @length_of_data = hive[offset+0x04, 4].unpack('V').first
+    @data_offset = hive[offset+ 0x08, 4].unpack('V').first
+    @value_type = hive[offset+0x0C, 4].unpack('C').first
 
     if @value_type == 1
       @readable_value_type = "Unicode character string"
@@ -34,7 +34,7 @@ def initialize(hive, offset)
       @readable_value_type = "Multiple unicode strings separated with '\\x00'"
     end
 
-    flag = hive[offset+0x10, 2].unpack('c').first
+    flag = hive[offset+0x10, 2].unpack('C').first
 
     if flag == 0
       @name = "Default"

lib/rex/registry/valuelist.rb

@@ -18,7 +18,7 @@ def initialize(hive, offset, number_of_values)
       valuekey_offset = hive[offset + inner_offset, 4]
       next if !valuekey_offset
 
-      valuekey_offset = valuekey_offset.unpack('l').first
+      valuekey_offset = valuekey_offset.unpack('V').first
       @values << ValueKey.new(hive, valuekey_offset + 0x1000)
       inner_offset = inner_offset + 4
     end

lib/rex/socket/ip.rb

@@ -75,6 +75,7 @@ def sendto(gram, peerhost, flags = 0)
       Rex::Compat.is_macosx
       )
       gram=gram.dup
+      # Note that these are *intentionally* host order for BSD support
       gram[2,2]=gram[2,2].unpack("n").pack("s")
       gram[6,2]=gram[6,2].unpack("n").pack("s")
     end

lib/sshkey/lib/sshkey.rb

@@ -159,7 +159,7 @@ def ssh_public_key_conversion
 
     SSH_CONVERSION[type].each do |method|
       byte_array = to_byte_array(key_object.public_key.send(method).to_i)
-      out += encode_unsigned_int_32(byte_array.length).pack("c*")
+      out += encode_unsigned_int_32(byte_array.length).pack("C*")
       out += byte_array.pack("C*")
     end
 

lib/windows_console_color_support.rb

@@ -36,7 +36,7 @@ def flush
   def setcolor(color)
     csbi = 0.chr * 24
     @GetConsoleScreenBufferInfo.Call(@hConsoleHandle,csbi)
-    wAttr = csbi[8,2].unpack('S').first
+    wAttr = csbi[8,2].unpack('v').first
 
     case color
       when 0 # reset