Hi, here is the result of my little investigation; it still remains to see which parameters can be dropped, and whether some of the "optional" ones have to be added.
DB2 authentication:
Send:
EXCSAT: DDMEXCSAT:
Len: 2 bytes (total length of the DDM message, TCP layer not included)
Magic: 0xd0
Format: 0x41
CorrelId: 0x00 0x01
Len2: 2 bytes (total from this point on, i.e. Len - 6: the 2-byte Len, magic, format and correlId are excluded)
CodePoint: EXCSAT (0x10 0x41)
Parameters: not required!
MSF uses MGRLVLLS (manager-level list), 28 bytes in total (4-byte parameter header + 24 bytes of data):
Len: Parameter Len (2 bytes) (0x00 0x1c)
CodePoint: MGRLVLLS (0x14 0x04)
Data: (24 bytes) \x14\x03\x00\x0a\x24\x07\x00\x0a\x14\x74\x00\x05\x24\x0f\x00\x08\x14\x40\x00\x09\x1c\x08\x04\xb8
It would be cool to use the server name as a hook:
Len: Parameter Len (2 bytes)
CodePoint: SRVNAM (0x11 0x6d)
Data: 18 bytes, name + 0x40 (EBCDIC space) until the 18 bytes are filled
ACCSEC: DDMACCSEC:
Len: 2 bytes (total length of the DDM message, TCP layer not included)
Magic: 0xd0
Format: 0x41
CorrelId: 0x00 0x01
Len2: 2 bytes (total from this point on, i.e. Len - 6)
CodePoint: ACCSEC (0x10 0x6d)
Parameters (security mechanism is required) (6 bytes in total):
Len: Parameter Len (2 bytes) (0x00 0x06)
CodePoint: SECMEC (0x11 0xa2)
Data: 0x00 0x03 (USRIDPWD; see note in trac)
RECV:
If there is no error:
DDMEXCSATRD: the only thing that matters is the codepoint, which must be 0x14 0x43 (EXCSATRD)
bytes 6 & 7 (0-based count)
ACCSECRD: the only thing that matters is the codepoint, which must be 0x14 0xac (ACCSECRD)
bytes 106 & 107 (0-based count; this offset only holds while the server's EXCSATRD keeps the same length, since ACCSECRD follows it in the same read)
SEND:
SECCHK: DDM_SECCHK:
Len: 2 bytes (total length of the DDM message, TCP layer not included)
Magic: 0xd0
Format: 0x41
CorrelId: 0x00 0x01
Len2: 2 bytes (total from this point on, i.e. Len - 6)
CodePoint: SECCHK (0x10 0x6e)
Parameters:
SECMEC (security mechanism is required) (6 bytes in total)
Len: Parameter Len (2 bytes) (0x00 0x06)
CodePoint: SECMEC (0x11 0xa2)
Data: 0x00 0x03 (see note in trac)
USRID
Len: Parameter Len (2 bytes) (4 + length of the user name)
CodePoint: USRID (0x11 0xa0)
Data: user name in EBCDIC
PASSWORD (optional, see trac ticket)
Len: Parameter Len (2 bytes) (4 + length of the password)
CodePoint: PASSWORD (0x11 0xa1)
Data: password in EBCDIC
ACCRDB: DDMACCRDB:
Len: 2 bytes (total length of the DDM message, TCP layer not included)
Magic: 0xd0
Format: 0x41
CorrelId: 0x00 0x01
Len2: 2 bytes (total from this point on, i.e. Len - 6)
CodePoint: ACCRDB (0x20 0x01)
Parameters:
MSF: SECMEC_PARAM
Len: Parameter Len (2 bytes) (0x00 0x06)
CodePoint: SECMEC (0x11 0xa2)
Data: 0x00 0x03 (see note in trac)
MSF: RDBNAM_PARAM Optional?
Len: Parameter Len (2 bytes) (0x00 0x16)
CodePoint: RDBNAM (0x21 0x10)
Data: 18 bytes, name + 0x40 (EBCDIC space) until the 18 bytes are filled
OtherDB2Needed: RDBACCCL (6 bytes) Optional?
Len: Parameter Len (2 bytes) (0x00 0x06)
CodePoint: RDBACCCL (0x21 0x0f)
Data: 0x24 0x07
OtherDB2Needed: PRDID Optional?
Len: Parameter Len (2 bytes) (0x00 0x0c)
CodePoint: PRDID (0x11 0x2e)
Data: SCYLLAV1 (in EBCDIC)
OtherDB2Needed: TYPDEFNAM Optional?
Len: Parameter Len (2 bytes) (0x00 0x0d)
CodePoint: TYPDEFNAM (0x00 0x2f)
Data: QTDSQLASC (in EBCDIC) (0xd8 0xe3 0xc4 0xe2 0xd8 0xd3 0xc1 0xe2 0xc3)
OtherDB2Needed: TYPDEFOVR Optional?
Len: Parameter Len (2 bytes) value = 28 (0x00 0x1c)
CodePoint: TYPDEFOVR (0x00 0x35)
Data: 0x00 0x06 0x11 0x9c 0x04 0xb8 0x00 0x06 0x11 0x9d 0x04 0xb0 0x00 0x06 0x11 0x9e 0x04 0xb8 0x00 0x06 0x19 0x13 0x04 0xb0
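To put the four messages and the reply check above into working form, here is an added example in plain Ruby (it is not the draft below, nor Metasploit's own DRDA library): builders for EXCSAT, ACCSEC, SECCHK and ACCRDB using the codepoints listed above, and a reply walker that steps through DDM headers instead of reading fixed byte offsets, so the EXCSATRD/ACCSECRD check no longer depends on the length of the server's EXCSATRD. The function names (build_excsat, parse_ddms, handshake_ok? and so on) are my own; the EBCDIC table only covers letters, digits and a few symbols; the server name, user, password, database name and SAMPLE_REPLY are constructed for the example, not captured. ACCRDB here carries RDBNAM, RDBACCCL, PRDID, TYPDEFNAM and TYPDEFOVR and leaves SECMEC out, which is one of the "optional?" questions the notes leave open. Nothing touches the network: write what build_* returns to the TCP socket and hand the bytes you read to handshake_ok?.

```ruby
# Added example: DRDA/DDM builders for the DB2 handshake plus a reply walker.
# Not the page's draft and not Metasploit's library; helper names are mine.

EXCSAT, ACCSEC, SECCHK, ACCRDB = 0x1041, 0x106d, 0x106e, 0x2001   # requests
EXCSATRD, ACCSECRD = 0x1443, 0x14ac                                 # replies we check
MGRLVLLS, SRVNAM, SECMEC, USRID, PASSWORD = 0x1404, 0x116d, 0x11a2, 0x11a0, 0x11a1
RDBNAM, RDBACCCL, PRDID, TYPDEFNAM, TYPDEFOVR = 0x2110, 0x210f, 0x112e, 0x002f, 0x0035
SECMEC_USRIDPWD = 0x0003 # user id + password in clear

# Manager-level list and type-definition overrides exactly as listed in the notes.
MGRLVLLS_DATA  = [0x1403, 0x000a, 0x2407, 0x000a, 0x1474, 0x0005,
                  0x240f, 0x0008, 0x1440, 0x0009, 0x1c08, 0x04b8].pack('n*')
TYPDEFOVR_DATA = [0x0006, 0x119c, 0x04b8, 0x0006, 0x119d, 0x04b0,
                  0x0006, 0x119e, 0x04b8, 0x0006, 0x1913, 0x04b0].pack('n*')

# Minimal ASCII -> EBCDIC (code page 037) table: letters, digits, a few symbols.
EBCDIC = {}
('a'..'i').each_with_index { |c, i| EBCDIC[c] = 0x81 + i }
('j'..'r').each_with_index { |c, i| EBCDIC[c] = 0x91 + i }
('s'..'z').each_with_index { |c, i| EBCDIC[c] = 0xa2 + i }
('A'..'I').each_with_index { |c, i| EBCDIC[c] = 0xc1 + i }
('J'..'R').each_with_index { |c, i| EBCDIC[c] = 0xd1 + i }
('S'..'Z').each_with_index { |c, i| EBCDIC[c] = 0xe2 + i }
('0'..'9').each_with_index { |c, i| EBCDIC[c] = 0xf0 + i }
EBCDIC.merge!(' ' => 0x40, '.' => 0x4b, '-' => 0x60, '_' => 0x6d)

def to_ebcdic(str)
  str.each_char.map { |c| EBCDIC.fetch(c) { raise ArgumentError, "no EBCDIC mapping for #{c.inspect}" } }.pack('C*')
end

# SRVNAM / RDBNAM: fixed 18-byte field, padded with EBCDIC spaces (0x40).
def ebcdic_name18(name)
  to_ebcdic(name[0, 18]).ljust(18, "\x40".b)
end

# Parameter = 2-byte length (counting these 4 header bytes) + 2-byte codepoint + data.
def ddm_param(codepoint, data)
  [data.bytesize + 4, codepoint].pack('nn') + data
end

# DDM message = 6-byte DSS header (len, 0xd0, format, correlid) + len2 + codepoint + params.
# len2 counts from itself onwards, i.e. len - 6.
def ddm_command(codepoint, params, correlid: 1, format: 0x41)
  body = params.join
  len2 = body.bytesize + 4
  [len2 + 6, 0xd0, format, correlid, len2, codepoint].pack('nCCnnn') + body
end

def build_excsat(server_name)
  ddm_command(EXCSAT, [ddm_param(MGRLVLLS, MGRLVLLS_DATA),
                       ddm_param(SRVNAM, ebcdic_name18(server_name))])
end

def build_accsec
  ddm_command(ACCSEC, [ddm_param(SECMEC, [SECMEC_USRIDPWD].pack('n'))])
end

def build_secchk(user, password)
  ddm_command(SECCHK, [ddm_param(SECMEC, [SECMEC_USRIDPWD].pack('n')),
                       ddm_param(USRID, to_ebcdic(user)),
                       ddm_param(PASSWORD, to_ebcdic(password))])
end

def build_accrdb(db_name)
  ddm_command(ACCRDB, [ddm_param(RDBNAM, ebcdic_name18(db_name)),
                       ddm_param(RDBACCCL, [0x2407].pack('n')),
                       ddm_param(PRDID, to_ebcdic('SCYLLAV1')),
                       ddm_param(TYPDEFNAM, to_ebcdic('QTDSQLASC')),
                       ddm_param(TYPDEFOVR, TYPDEFOVR_DATA)])
end

# Walk every DDM in a reply buffer (EXCSATRD and ACCSECRD usually arrive in one read).
# Returns [{codepoint:, correlid:, params: {codepoint => data}}, ...].
def parse_ddms(buf)
  msgs = []
  off = 0
  while off + 10 <= buf.bytesize
    len, magic, _fmt, correlid, _len2, cp = buf.byteslice(off, 10).unpack('nCCnnn')
    raise "bad DDM at offset #{off}" if magic != 0xd0 || len < 10 || off + len > buf.bytesize
    params = {}
    pos = off + 10
    while pos + 4 <= off + len
      plen, pcp = buf.byteslice(pos, 4).unpack('nn')
      raise "bad parameter length at offset #{pos}" if plen < 4 || pos + plen > off + len
      params[pcp] = buf.byteslice(pos + 4, plen - 4)
      pos += plen
    end
    msgs << { codepoint: cp, correlid: correlid, params: params }
    off += len
  end
  msgs
end

# Phase-1 check from the notes: both EXCSATRD (0x1443) and ACCSECRD (0x14ac) must come
# back, and the server's SECMEC list must allow 0x0003 before SECCHK is sent.
def handshake_ok?(reply)
  msgs = parse_ddms(reply)
  return false unless msgs.any? { |m| m[:codepoint] == EXCSATRD }
  accsecrd = msgs.find { |m| m[:codepoint] == ACCSECRD }
  return false if accsecrd.nil? || accsecrd[:params][SECMEC].nil?
  accsecrd[:params][SECMEC].unpack('n*').include?(SECMEC_USRIDPWD)
end

# Constructed server reply (not a real capture): EXCSATRD then ACCSECRD, reply format 0x02.
SAMPLE_REPLY = ddm_command(EXCSATRD, [ddm_param(SRVNAM, ebcdic_name18('DB2SRV')),
                                      ddm_param(MGRLVLLS, MGRLVLLS_DATA)], format: 0x02) +
               ddm_command(ACCSECRD, [ddm_param(SECMEC, [SECMEC_USRIDPWD].pack('n'))],
                           correlid: 2, format: 0x02)
```

The walker raises on a bad magic byte, a zero-length DSS or a parameter that overruns its DDM, so a malformed or truncated reply fails loudly instead of being matched at a fixed offset; if the server answers ACCSECRD with a SECMEC list that does not contain 0x0003, handshake_ok? returns false and the clear-text SECCHK should not be sent.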
Draft for msf:

require 'rex/text'

class SRVNAM_PARAM < Struct.new(:length, :codepoint, :payload)
  def initialize(args={})
    self[:codepoint] = Constants::SRVNAM # 0x11 0x6d
    # Name must be in EBCDIC format, example for my PC: LED.
    # Fixed 18-byte field: the name, then EBCDIC spaces (0x40) until 18 bytes are filled.
    name = Rex::Text.to_ebcdic(args[:payload].to_s)[0, 18]
    self[:payload] = name.ljust(18, "\x40".b)
    self[:length] = self[:payload].size + 4 # data + 2-byte length + 2-byte codepoint
  end

  def to_s
    self.to_a.pack("nna*")
  end
end

# Currently only takes a SRVNAM param. Extend the struct
# when more parameters are defined.
class EXCSAT_DDM < Struct.new(:length, :magic, :format, :correlid, :length2,
                              :codepoint, :dbname)
  def initialize(args={})
    self[:magic] = 0xd0
    self[:format] = 0x41
    self[:correlid] = 1
    self[:codepoint] = Constants::EXCSAT
    if args[:dbname] # Include a server name if we're given one.
      self[:dbname] = SRVNAM_PARAM.new(:payload => args[:dbname]).to_s
    end
    # The DDM header is 10 bytes; length2 covers everything from itself onwards,
    # i.e. it excludes the 6-byte DSS header (length, magic, format, correlid).
    self[:length] = 10 + self[:dbname].to_s.size
    self[:length2] = self[:length] - 6
  end

  def to_s
    packstr = "nCCnnn"
    packstr += "a*" # Pack smarter as more params are added.
    self.to_a.pack(packstr)
  end
end