Created
March 2, 2018 05:29
A quick example of Nagios NRPE v2 protocol object reading/writing using bindata
require 'bindata' | |
require 'zlib' | |
# Extend the String class to make it easier to work with hexified binary strings
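class String
  # Decode a hex string into the raw bytes it spells ("4b73" -> "Ks").
  #
  # pack("H*") on its own accepts anything: an odd number of digits or a
  # non-hex character yields bytes that do not correspond to the input, with no
  # error. The input is checked first so that a damaged or mistyped packet dump
  # fails here rather than parsing as a different packet.
  #
  # @return [String] binary string, one byte per pair of hex digits
  # @raise [ArgumentError] if the receiver is not an even number of hex digits
  def unhexify
    # .b gives a binary copy, so the match cannot trip over invalid UTF-8.
    unless b =~ /\A(?:\h\h)*\z/
      raise ArgumentError, "unhexify expects an even number of hex digits"
    end

    [self].pack("H*")
  end

  # Encode the receiver's bytes as lowercase hex, two digits per byte.
  #
  # @return [String] hex representation of the receiver
  def hexify
    unpack("H*").first
  end
end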
# Define the protocol class for NRPE v2
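module NRPE
  module V2
    # Wire layout of an NRPE v2 packet as this example reads and writes it:
    # version, type, CRC-32, result code, a fixed 1024-byte buffer and two
    # trailing bytes. All integers are big-endian.
    #
    # Nothing is verified on read: QueryPacket.read takes whatever crc32_value
    # the bytes carry. A consumer that cares about integrity has to recompute
    # the checksum and compare it itself.
    class QueryPacket < BinData::Record
      # Size in bytes of the fixed-width query/response buffer.
      BUFFER_LENGTH = 1024

      int16be  :packet_version
      int16be  :packet_type
      uint32be :crc32_value
      int16be  :result_code
      string   :buffer, :length => BUFFER_LENGTH
      string   :term, :length => 2, :initial_value => "Ks"

      # Store +query_string+ in the buffer, NUL-padded to the full buffer width.
      #
      # Length is measured in bytes, not characters, so a multi-byte string
      # cannot produce a buffer wider than the field.
      #
      # NOTE(review): a query of exactly 1024 bytes leaves no NUL terminator in
      # the buffer; confirm whether the peer needs one.
      #
      # @param query_string [String] the command to send, e.g. "check_users"
      # @return [String] the padded buffer that was assigned
      # @raise [ArgumentError] if the query is longer than the buffer
      def set_query(query_string)
        query_bytes = query_string.b
        if query_bytes.bytesize > BUFFER_LENGTH
          raise ArgumentError,
                "query is #{query_bytes.bytesize} bytes; the buffer holds #{BUFFER_LENGTH}"
        end

        self.buffer = query_bytes.ljust(BUFFER_LENGTH, "\x00")
      end

      # Recompute crc32_value over the whole serialised packet.
      #
      # The field is zeroed first because the checksum covers the packet with
      # its own CRC bytes set to zero.
      #
      # CRC-32 is an unkeyed error-detection code. It catches accidental
      # corruption; anyone able to change the packet can recompute it, so it
      # says nothing about who sent the packet or whether it was altered on
      # purpose.
      #
      # @return [Integer] the checksum that was stored
      def recalc_checksum
        self.crc32_value = 0
        self.crc32_value = Zlib.crc32(to_binary_s)
      end
    end
  end
end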
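# This raw hex stream was taken from the TCP data section of a PCAP of a
# client with SSL disabled. With SSL off the query is readable on the wire:
# the bytes after the 10-byte header spell "check_users".
raw_packet = "0002000107dcdd405f75636865636b5f757365727300000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"00000000000000000000000000000000000000000000000000000000000000000" +
"000000000000000000000000000000000000000000000000000004b73"

# Decode the capture once; both checks below compare against these bytes.
raw_bytes = raw_packet.unhexify

# Let's read that raw packet and make sure we're parsing everything ok.
query_packet = NRPE::V2::QueryPacket.read(raw_bytes)

# Parsing and re-serialising must give back the captured bytes; a difference
# means the record definition drops or corrupts data.
raise "Parsed Packet and Raw Packet are not equal" unless query_packet.to_binary_s == raw_bytes
puts "[+] We can read raw packets"

# Let's build this same packet from scratch.
query_packet_from_scratch = NRPE::V2::QueryPacket.new
query_packet_from_scratch.packet_version = 2
query_packet_from_scratch.packet_type = 1
query_packet_from_scratch.result_code = 24437 # 0x5f75, the value in the capture
query_packet_from_scratch.set_query("check_users")
query_packet_from_scratch.recalc_checksum

# Compare the packet built here with the capture. Checking query_packet (the
# parsed copy) a second time would pass no matter what the builder produced.
raise "Scratch Packet and Raw Packet are not equal" unless query_packet_from_scratch.to_binary_s == raw_bytes
puts "[+] We can write raw packets"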