Re: Quick SNMP Payload Structure Question

From: rpc (hat_private)
Date: Wed Feb 27 2002 - 19:51:44 PST

    On Mon, 25 Feb 2002 12:56:28 -0800
    Josha Bronson <dmuzat_private> wrote:
    
    Heya,
    
    > 
    > Hey folks,
    > 
    > Trying to work on generating arbitrary SNMP request packets, but for the
    > life of me I can not figure out how the second byte of the payload data
    > is calculated. I *think* that it is some sort of length signifier...  I
    > think there are also other length based bytes that might need to be
    > calculated elsewhere in the payload.
    > 
    > What I am trying to do is figure out what bytes need to be modified in a
    > basic payload structure so that I can drop in different communities,
    > only altering the bytes necessary.
    
    Here is what I've discovered about SNMP packets so far.
    For example, a request header might look like this:
    "\x30\x82\x01\x23\x02\x01\x00\x04\x82\x01\x00"community"morestuffmorestuffmorestuff
    
    Where 'morestuff' is the actual encoded SNMP request and, in this case, community is 256 bytes long.
    A description of the header byte for byte:
    
    0x30: ASN_SEQUENCE | ASN_CONSTRUCTOR
    0x82: ASN_LONG_LEN  | 2 (2 bytes of data I think)
    0x01,0x23 = 0x123 = packet size
    
    0x02: ASN.1 integer
    0x01: lenbyte (1 byte)
    0x00: SNMPv1
    
    0x04 ASN.1 octet string (primstring)
    0x82: ASN_LONG_LEN | 2 (2 bytes)
    0x01,0x00 = 0x100 = 256 bytes (my what a long community string ;)
    
    Then the octets of the community string begin. 
    
    The important bytes in the header are (starting with offset 0)
    2, 3 = packet size
    8,[9,10] = community string length
    
    Note that ASN_LONG_LEN is only necessary if the community string is > 0xff bytes. If it's not, the sequence is "\x04",lenbyte,community. If this is the case, note the header will be 2 bytes shorter.
    
    asn1.c, asn1.h, snmp_api.c and snmp_auth.c from snmplib are invaluable for hacking with ASN data.
    
    Hope this helps,
    --rpc
    
    
    
    > 
    > I've already used ethereal's excellent packet analysis, but it does not
    > say what the significance is of all the packets, including the second
    > byte.
    > 
    > Any quick answers or links are greatly appreciated.
    > 
    > -- 
    > Josha Bronson
    > dmuzat_private
    > AngryPacket Security
    > 
    
    
    
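The header walk rpc describes above, as an added example that is not part of either post: a small BER encoder/decoder that emits the short-form length for communities under 0x80 bytes and the 0x82-style long form above that, plus a parser that reports where the packet-size and community-length bytes sit and refuses any length that runs past the buffer (the check a receiver needs before trusting those bytes). Function names are my own; the 28-byte PDU is a constructed placeholder chosen so the outer length comes out to the 0x123 in rpc's sample.

```python
"""BER length handling for an SNMPv1 message header (constructed example)."""
ASN_SEQUENCE, ASN_INTEGER, ASN_OCTET_STRING = 0x30, 0x02, 0x04


def encode_length(n: int) -> bytes:
    """Short form (one byte) for n < 0x80; otherwise 0x80|k followed by k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_length(buf: bytes, pos: int):
    """Return (length, offset just past the length field); reject indefinite or truncated forms."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    k = first & 0x7F
    if k == 0 or pos + 1 + k > len(buf):
        raise ValueError("indefinite or truncated long-form length")
    return int.from_bytes(buf[pos + 1:pos + 1 + k], "big"), pos + 1 + k


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value


def build_message(community: bytes, pdu: bytes, version: int = 0) -> bytes:
    """SNMPv1 message = SEQUENCE { INTEGER version, OCTET STRING community, pdu }."""
    inner = tlv(ASN_INTEGER, bytes([version])) + tlv(ASN_OCTET_STRING, community) + pdu
    return tlv(ASN_SEQUENCE, inner)


def parse_header(msg: bytes) -> dict:
    """Walk SEQUENCE, version and community; every length must fit inside the buffer."""
    if msg[0] != ASN_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    total, pos = decode_length(msg, 1)
    if pos + total != len(msg):
        raise ValueError("outer length does not match message size")
    if msg[pos] != ASN_INTEGER:
        raise ValueError("expected INTEGER version")
    vlen, pos = decode_length(msg, pos + 1)
    version, pos = int.from_bytes(msg[pos:pos + vlen], "big"), pos + vlen
    if msg[pos] != ASN_OCTET_STRING:
        raise ValueError("expected OCTET STRING community")
    clen, cstart = decode_length(msg, pos + 1)
    if cstart + clen > len(msg):
        raise ValueError("community length exceeds message")
    return {"version": version, "community": msg[cstart:cstart + clen],
            "packet_len_offset": 1, "community_len_offset": pos + 1,
            "pdu_offset": cstart + clen}
```

With a 256-byte community the first eleven bytes reproduce rpc's sample header exactly; with "public" the outer and community length fields shrink to one byte each.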



    This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 19:07:28 PST