thc-hydra/hydra-sapr3.c at master · vanhauser-thc/thc-hydra · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
#include "hydra-mod.h"
// checked for memleaks on 110425, none found
#ifndef LIBSAPR3
void dummy_sapr3() { printf("\n"); }
#else

#include <ctype.h>
#include <saprfc.h>

/* temporary workaround fix */
const int32_t *__ctype_tolower;
const int32_t *__ctype_toupper;
const int32_t *__ctype_b;

extern void flood(); /* for -lm */

extern hydra_option hydra_options;
extern const unsigned char HYDRA_EXIT[5];
RFC_ERROR_INFO_EX error_info;

int32_t start_sapr3(int32_t s, char *ip, int32_t port, unsigned char options, char *miscptr, FILE *fp) {
  RFC_HANDLE handle;
  char *empty = "";
  char *login, *pass, buffer[1024];
  char *buf;
  int32_t i;
  int32_t sysnr = port % 100;
  char opts[] = "RFCINI=N RFCTRACE=N BALANCE=N DEBUG=N TRACE=0 ABAP_DEBUG=0";

  //  char opts[] = "RFCINI=N RFCTRACE=Y BALANCE=N DEBUG=Y TRACE=Y
  //  ABAP_DEBUG=Y";

  if (strlen(login = hydra_get_next_login()) == 0)
    login = empty;
  if (strlen(pass = hydra_get_next_password()) == 0)
    pass = empty;

  if (strlen(login) > 0)
    for (i = 0; i < strlen(login); i++)
      login[i] = (char)toupper(login[i]);
  if (strlen(pass) > 0)
    for (i = 0; i < strlen(pass); i++)
      pass[i] = (char)toupper(pass[i]);

  memset(buffer, 0, sizeof(buffer));
  memset(&error_info, 0, sizeof(error_info));

  /* quotes in login/pass would inject extra connection-string parameters
   * (e.g. ASHOST=attacker.example) via the format below. */
  if (strchr(login, '"') != NULL || strchr(pass, '"') != NULL ||
      strchr(login, '\'') != NULL || strchr(pass, '\'') != NULL) {
    hydra_completed_pair_skip();
    return 1;
  }

  // strcpy(buf, "mvse001");
  snprintf(buffer, sizeof(buffer), "ASHOST=%s SYSNR=%02d CLIENT=%03d USER=\"%s\" PASSWD=\"%s\" LANG=DE %s", hydra_address2string(ip), sysnr, atoi(miscptr), login, pass, opts);

  /*
    USER=SAPCPIC PASSWORD=admin
    USER=SAP*    PASSWORD=PASS

    ## do we need these options?
    SAPSYS=3 SNC_MODE=N SAPGUI=N INVISIBLE=N GUIATOPEN=Y NRCALL=00001 CLOSE=N

    ASHOST= //  IP
    SYSNR=  // port - 3200, scale 2
    CLIENT= // miscptr, scale 2
    ABAP_DEBUG=0
    USER=
    PASSWD=
    LANG=DE
  */
  // printf ("DEBUG: %d Connectstring \"%s\"\n",sizeof(error_info),buffer);
  handle = RfcOpenEx(buffer, &error_info);

  // printf("DEBUG: handle %d, key %s, message %s\n", handle, error_info.key,
  // error_info.message);

  if (handle <= RFC_HANDLE_NULL)
    return 3;

  if (strstr(error_info.message, "sapgui") != NULL || strlen(error_info.message) == 0) {
    hydra_report_found_host(port, ip, "sapr3", fp);
    hydra_completed_pair_found();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 2;
    return 1;
  } else {
    if (strstr(error_info.key, "ERROR_COMMUNICATION") != NULL) {
      /* sysnr does not exist, report as port closed */
      return 3;
    }
    hydra_completed_pair();
    if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
      return 2;
  }
  return 1;
}

void service_sapr3(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
  int32_t run = 1, next_run = 1, sock = -1;

  hydra_register_socket(sp);
  /* start_sapr3 calls atoi(miscptr); -m is mandatory for this module. */
  if (miscptr == NULL) {
    fprintf(stderr, "[ERROR] sapr3 requires the client id via -m\n");
    hydra_child_exit(2);
  }
  if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0)
    return;
  while (1) {
    switch (run) {
    case 1: /* connect and service init function */
      next_run = start_sapr3(sock, ip, port, options, miscptr, fp);
      if (next_run == 1 && hydra_options.conwait)
        sleep(hydra_options.conwait);
      break;
    case 2:
      hydra_child_exit(0);
    case 3: /* clean exit */
      fprintf(stderr, "[ERROR] could not connect to target port %d\n", port);
      hydra_child_exit(1);
    case 4:
      hydra_child_exit(2);
    default:
      hydra_report(stderr, "[ERROR] Caught unknown return code, exiting!\n");
      hydra_child_exit(2);
    }
    run = next_run;
  }
}

#endif

int32_t service_sapr3_init(char *ip, int32_t sp, unsigned char options, char *miscptr, FILE *fp, int32_t port, char *hostname) {
  // called before the childrens are forked off, so this is the function
  // which should be filled if initial connections and service setup has to be
  // performed once only.
  //
  // fill if needed.
  //
  // return codes:
  //   0 all OK
  //   -1  error, hydra will exit, so print a good error message here

  return 0;
}

void usage_sapr3(const char *service) { printf("Module sapr3 requires the client id, a number between 0 and 99\n\n"); }