def route_test(rhost, rport, thost, tport):
print "[*] Routing connections to %s:%s" % (thost, tport)
# Initiate the connection. We don't want the NI Stream Socket to handle
# keep-alive messages, as the response to connect requests are NI_PONG
conn = SAPNIStreamSocket.get_nisocket(rhost, rport, keep_alive=False)
router_string = [SAPRouterRouteHop(hostname=rhost,
port=rport),
SAPRouterRouteHop(hostname=thost,
port=tport)]
router_string_lens = map(len, map(str, router_string))
p = SAPRouter(type=SAPRouter.SAPROUTER_ROUTE,
route_entries=len(router_string),
route_talk_mode=1,
route_rest_nodes=1,
route_length=sum(router_string_lens),
route_offset=router_string_lens[0],
route_string=router_string,
)
response = conn.sr(p)
if router_is_error(response):
status = 'error'
elif router_is_pong(response):
status = 'open'
conn.close()
return status
def route(self, server):
print "[*] Routing to %s:%d !" % (self.options.target_host,
self.options.target_port)
# Build the Route request packet
router_string = [SAPRouterRouteHop(hostname=self.options.remote_host,
port=self.options.remote_port),
SAPRouterRouteHop(hostname=self.options.target_host,
port=self.options.target_port,
password=self.options.target_pass)]
router_string_lens = map(len, map(str, router_string))
p = SAPRouter(type=SAPRouter.SAPROUTER_ROUTE,
route_entries=len(router_string),
route_talk_mode=1,
route_rest_nodes=1,
route_length=sum(router_string_lens),
route_offset=router_string_lens[0],
route_string=router_string)
if self.options.verbose:
p.show2()
# Send the request and grab the response
response = server.sr(p)
if SAPRouter in response:
response = response[SAPRouter]
if router_is_pong(response):
print "[*] Route request accepted !"
self.routed = True
elif router_is_error(response) and response.return_code == -94:
print "[*] Route request not accepted !"
print response.err_text_value
raise RouteException("Route request not accepted")
else:
print "[*] Router send error"
print response.err_text_value
raise Exception("Router error: %s", response.err_text_value)
else:
print "[*] Wrong response received !"
raise Exception("Wrong response received")
def main():
options = parse_options()
if options.verbose:
logging.basicConfig(level=logging.DEBUG)
response = False
p = SAPRouter(type=SAPRouter.SAPROUTER_ADMIN)
if options.stop:
p.adm_command = 5
print("[*] Requesting stop of the remote SAP Router")
elif options.soft:
p.adm_command = 9
print("[*] Requesting a soft shutdown of the remote SAP Router")
response = True
elif options.info:
p.adm_command = 2
if options.info_password:
if len(options.info_password) > 19:
print("[*] Password too long, truncated at 19 characters")
p.adm_password = options.info_password
print("[*] Requesting info using password %s" % p.adm_password)
else:
print("[*] Requesting info")
response = True
elif options.new_route:
p.adm_command = 3
print("[*] Requesting a refresh of the router table")
elif options.trace:
p.adm_command = 4
print("[*] Requesting a toggle on the trace settings")
elif options.cancel:
p.adm_command = 6
p.adm_client_ids = list(map(int, options.cancel.split(",")))
print("[*] Requesting a cancel of the route(s) with client id(s) %s" %
p.adm_client_ids)
response = True
elif options.dump:
p.adm_command = 7
print("[*] Requesting a dump of the buffers")
elif options.flush:
p.adm_command = 8
print("[*] Requesting a flush of the buffers")
elif options.hide:
p.adm_command = 14
print("[*] Requesting a hide on the errors to clients")
response = True
elif options.set_peer:
p.adm_command = 10
p.adm_address_mask = options.set_peer
print("[*] Request a set peer trace for the address mask %s" %
p.adm_address_mask)
response = True
elif options.clear_peer:
p.adm_command = 11
p.adm_address_mask = options.clear_peer
print("[*] Request a clear peer trace for the address mask %s" %
p.adm_address_mask)
response = True
elif options.trace_conn:
p.adm_command = 12
p.adm_client_ids = list(map(int, options.trace_conn.split(",")))
print("[*] Requesting a connection trace with client id(s) %s" %
p.adm_client_ids)
response = True
else:
print("[*] No command specified !")
return
# Initiate the connection
conn = SAPNIStreamSocket.get_nisocket(options.remote_host,
options.remote_port)
print("[*] Connected to the SAP Router %s:%d" %
(options.remote_host, options.remote_port))
# Retrieve the router version used by the server if not specified
if options.router_version:
p.version = options.router_version
else:
p.version = get_router_version(conn) or p.version
print("[*] Using SAP Router version %d" % p.version)
# Send the router admin request
print("[*] Sending Router Admin packet")
if options.verbose:
p.show2()
conn.send(p)
# Grab the response if required
if response:
# Some responses has no SAPRouter's packet format and are raw strings,
# we need to get the SAP NI layer first and then check if we could go
# down to the SAPRouter layer.
raw_response = conn.recv()[SAPNI]
if SAPRouter in raw_response:
router_response = raw_response[SAPRouter]
# If the response was null, just return
elif raw_response.length == 0:
return
# If the response is an error, print and exit
if router_is_error(router_response):
print("[*] Error requesting info:")
if options.verbose:
router_response.show2()
else:
print(router_response.err_text_value.error)
# Otherwise, print the packets sent by the SAP Router
else:
print("[*] Response:\n")
if options.info:
# Decode the first packet as a list of info client
raw_response.decode_payload_as(SAPRouterInfoClients)
clients = []
clients.append("\t".join(
["ID", "Client", "Partner", "Service", "Connected on"]))
clients.append("-" * 60)
for client in raw_response.clients:
# If the trace flag is set, add a mark
flag = "(*)" if client.flag_traced else "(+)" if client.flag_routed else ""
fields = [
str(client.id), client.address,
"%s%s" % (flag, client.partner)
if client.flag_routed else "(no partner)",
client.service if client.flag_routed else "",
datetime.fromtimestamp(client.connected_on).ctime()
]
clients.append("\t".join(fields))
# Decode the second packet as server info
raw_response = conn.recv()
raw_response.decode_payload_as(SAPRouterInfoServer)
print(
"SAP Network Interface Router running on port %d (PID = %d)\n"
"Started on: %s\n"
"Parent process: PID = %d, port = %d\n" %
(raw_response.port, raw_response.pid,
datetime.fromtimestamp(raw_response.started_on).ctime(),
raw_response.ppid, raw_response.pport))
print("\n".join(clients))
print("(*) Connections being traced")
# Show the plain packets returned
try:
raw_response = conn.recv()
while raw_response:
print(raw_response.payload)
raw_response = conn.recv()
except error:
pass
def main():
options = parse_options()
if options.verbose:
logging.basicConfig(level=logging.DEBUG)
response = False
p = SAPRouter(type=SAPRouter.SAPROUTER_ADMIN)
if options.stop:
p.adm_command = 5
print("[*] Requesting stop of the remote SAP Router")
elif options.soft:
p.adm_command = 9
print("[*] Requesting a soft shutdown of the remote SAP Router")
response = True
elif options.info:
p.adm_command = 2
if options.info_password:
if len(options.info_password) > 19:
print("[*] Password too long, truncated at 19 characters")
p.adm_password = options.info_password
print("[*] Requesting info using password %s" % p.adm_password)
else:
print("[*] Requesting info")
response = True
elif options.new_route:
p.adm_command = 3
print("[*] Requesting a refresh of the router table")
elif options.trace:
p.adm_command = 4
print("[*] Requesting a toggle on the trace settings")
elif options.cancel:
p.adm_command = 6
p.adm_client_ids = list(map(int, options.cancel.split(",")))
print("[*] Requesting a cancel of the route(s) with client id(s) %s" % p.adm_client_ids)
response = True
elif options.dump:
p.adm_command = 7
print("[*] Requesting a dump of the buffers")
elif options.flush:
p.adm_command = 8
print("[*] Requesting a flush of the buffers")
elif options.hide:
p.adm_command = 14
print("[*] Requesting a hide on the errors to clients")
response = True
elif options.set_peer:
p.adm_command = 10
p.adm_address_mask = options.set_peer
print("[*] Request a set peer trace for the address mask %s" % p.adm_address_mask)
response = True
elif options.clear_peer:
p.adm_command = 11
p.adm_address_mask = options.clear_peer
print("[*] Request a clear peer trace for the address mask %s" % p.adm_address_mask)
response = True
elif options.trace_conn:
p.adm_command = 12
p.adm_client_ids = list(map(int, options.trace_conn.split(",")))
print("[*] Requesting a connection trace with client id(s) %s" % p.adm_client_ids)
response = True
else:
print("[*] No command specified !")
return
# Initiate the connection
conn = SAPNIStreamSocket.get_nisocket(options.remote_host, options.remote_port)
print("[*] Connected to the SAP Router %s:%d" % (options.remote_host, options.remote_port))
# Retrieve the router version used by the server if not specified
if options.router_version:
p.version = options.router_version
else:
p.version = get_router_version(conn) or p.version
print("[*] Using SAP Router version %d" % p.version)
# Send the router admin request
print("[*] Sending Router Admin packet")
if options.verbose:
p.show2()
conn.send(p)
# Grab the response if required
if response:
# Some responses has no SAPRouter's packet format and are raw strings,
# we need to get the SAP NI layer first and then check if we could go
# down to the SAPRouter layer.
raw_response = conn.recv()[SAPNI]
if SAPRouter in raw_response:
router_response = raw_response[SAPRouter]
# If the response was null, just return
elif raw_response.length == 0:
return
# If the response is an error, print and exit
if router_is_error(router_response):
print("[*] Error requesting info:")
if options.verbose:
router_response.show2()
else:
print(router_response.err_text_value.error)
# Otherwise, print the packets sent by the SAP Router
else:
print("[*] Response:\n")
if options.info:
# Decode the first packet as a list of info client
raw_response.decode_payload_as(SAPRouterInfoClients)
clients = []
clients.append("\t".join(["ID", "Client", "Partner", "Service", "Connected on"]))
clients.append("-" * 60)
for client in raw_response.clients:
# If the trace flag is set, add a mark
flag = "(*)" if client.flag_traced else "(+)" if client.flag_routed else ""
fields = [str(client.id),
client.address,
"%s%s" % (flag, client.partner) if client.flag_routed else "(no partner)",
client.service if client.flag_routed else "",
datetime.fromtimestamp(client.connected_on).ctime()]
clients.append("\t".join(fields))
# Decode the second packet as server info
raw_response = conn.recv()
raw_response.decode_payload_as(SAPRouterInfoServer)
print("SAP Network Interface Router running on port %d (PID = %d)\n"
"Started on: %s\n"
"Parent process: PID = %d, port = %d\n" % (raw_response.port, raw_response.pid,
datetime.fromtimestamp(raw_response.started_on).ctime(),
raw_response.ppid, raw_response.pport))
print("\n".join(clients))
print("(*) Connections being traced")
# Show the plain packets returned
try:
raw_response = conn.recv()
while raw_response:
print(raw_response.payload)
raw_response = conn.recv()
except error:
pass
def main():
options = parse_options()
if options.verbose:
logging.basicConfig(level=logging.DEBUG)
response = False
p = SAPRouter(type=SAPRouter.SAPROUTER_ADMIN)
if options.stop:
p.adm_command = 5
print "[*] Requesting stop of the remote SAP Router"
elif options.soft:
p.adm_command = 9
print "[*] Requesting a soft shutdown of the remote SAP Router"
response = True
elif options.info:
p.adm_command = 2
if options.info_password:
if len(options.info_password) > 19:
print "[*] Password too long, truncated at 19 characters"
p.adm_password = options.info_password
print "[*] Requesting info using password", p.adm_password
else:
print "[*] Requesting info"
response = True
elif options.new_route:
p.adm_command = 3
print "[*] Requesting a refresh of the router table"
elif options.trace:
p.adm_command = 4
print "[*] Requesting a toggle on the trace settings"
elif options.cancel:
p.adm_command = 6
p.adm_client_ids = map(int, options.cancel.split(","))
print "[*] Requesting a cancel of the route(s) with client id(s) %s" % p.adm_client_ids
response = True
elif options.dump:
p.adm_command = 7
print "[*] Requesting a dump of the buffers"
elif options.flush:
p.adm_command = 8
print "[*] Requesting a flush of the buffers"
elif options.hide:
p.adm_command = 14
print "[*] Requesting a hide on the errors to clients"
response = True
elif options.set_peer:
p.adm_command = 10
p.adm_address_mask = options.set_peer
print "[*] Request a set peer trace for the address mask %s" % p.adm_address_mask
response = True
elif options.clear_peer:
p.adm_command = 11
p.adm_address_mask = options.clear_peer
print "[*] Request a clear peer trace for the address mask %s" % p.adm_address_mask
response = True
elif options.trace_conn:
p.adm_command = 12
p.adm_client_ids = map(int, options.trace_conn.split(","))
print "[*] Requesting a connection trace with client id(s) %s" % p.adm_client_ids
response = True
else:
print "[*] No command specified !"
return
# Initiate the connection
conn = SAPNIStreamSocket.get_nisocket(options.remote_host, options.remote_port)
print "[*] Connected to the SAP Router %s:%d" % (options.remote_host, options.remote_port)
# Retrieve the router version used by the server if not specified
if options.router_version:
p.version = options.router_version
else:
p.version = get_router_version(conn) or p.version
print "[*] Using SAP Router version %d" % p.version
# Send the router admin request
print "[*] Sending Router Admin packet"
if options.verbose:
p.show2()
conn.send(p)
# Grab the response if required
if response:
# Some responses has no SAPRouter's packet format and are raw strings,
# we need to get the SAP NI layer first and then check if we could go
# down to the SAPRouter layer.
response = conn.recv()[SAPNI]
if SAPRouter in response and response[SAPRouter].payload:
response = response[SAPRouter]
# If the response is an error, print and exit
if router_is_error(response):
print "[*] Error requesting info:"
if options.verbose:
response.show2()
else:
print response.err_text_value
# Otherwise, print all the packets sent by the SAP Router
else:
print "[*] Response:"
try:
while (response):
print response.payload
response = conn.recv()
except:
pass