metasploit-framework/modules/auxiliary/scanner/sap/sap_router_info_request.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit4 < Msf::Auxiliary

	include Msf::Exploit::Remote::Tcp
	include Msf::Auxiliary::Report
	include Msf::Auxiliary::Scanner

	def initialize
		super(
			'Name' => 'SAPRouter Admin Request',
			'Description' => %q{
				Display the remote connection table from a SAPRouter.
				},
			'References' => [
					[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ],
					[ 'URL', 'http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm'],
					[ 'URL', 'http://www.onapsis.com/research-free-solutions.php' ] # Bizsploit Opensource ERP Pentesting Framework
				],
			'Author' => [
				'nomnkee',
				'Mariano Nunez',    # Wrote Bizploit, helped on this module, very cool guy
				'Chris John Riley', # Testing
				'Ian de Villiers',  # Testing
				'Joris van de Vis'  # Testing
			],
			'License' => BSD_LICENSE
			)
		register_options(
			[
				Opt::RPORT(3299)
			], self.class)
	end

	def get_data(size, packet_len)
		info = ''
		1.upto(size) do |i|
			data = sock.recv(1)
			packet_len -= 1
			if data == "\x00"
				sock.recv(size - i)
				packet_len -= size - i
				return info, packet_len
				break
			else
				info << data
			end
		end
	end

	def run_host(ip)
		host_port = "#{ip}:#{datastore['RPORT']}"
		type = 'ROUTER_ADM'
		version = 0x26
		cmd = 0x2
		count = 0
		connected = true
		port = datastore['RPORT']
		source = ''
		destination = ''
		service = ''
		ni_packet = type + [0,version,cmd,0,0].pack("c*")
		ni_packet = [ni_packet.length].pack('N') << ni_packet
		saptbl = Msf::Ui::Console::Table.new(
			Msf::Ui::Console::Table::Style::Default,
				'Header' => "[SAP] SAProuter Connection Table for #{ip}",
				'Prefix' => "\n",
				'Postfix' => "\n",
				'Indent' => 1,
				'Columns' =>
					[
						"Source",
						"Destination",
						"Service"
					])
		begin
			connect
		rescue ::Rex::ConnectionRefused
			print_status("#{host_port} - Connection refused")
			connected = false
		rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error
			print_status("#{host_port} - Connection timeout")
			connected = false
		rescue ::Exception => e
			print_error("#{host_port} - Exception #{e.class} #{e} #{e.backtrace}")
			connected = false
		end
		if connected
			print_good("#{host_port} - Connected to saprouter")
			print_good("#{host_port} - Sending ROUTER_ADM packet info request")
			sock.put(ni_packet)
			packet_len = sock.read(4).unpack('H*')[0].to_i 16
			print_good("#{host_port} - Got INFO response")
			while packet_len !=0
				count += 1
				case count
				when 1
					if packet_len > 150
						sock.recv(150)
						packet_len -= 150
						source, packet_len = get_data(46,packet_len)
						destination, packet_len = get_data(46,packet_len)
						service, packet_len = get_data(30,packet_len)
						sock.recv(2)
						packet_len -= 2
						saptbl << [source, destination, service]
						while packet_len > 0
							sock.recv(13)
							packet_len -= 13
							source, packet_len = get_data(46,packet_len)
							destination, packet_len = get_data(46,packet_len)
							service, packet_len = get_data(30,packet_len)
							term = sock.recv(2)
							packet_len -= 2
							saptbl << [source, destination, service]
						end
						packet_len = sock.recv(4).unpack('H*')[0].to_i 16
					else
						print_error("#{host_port} - No connected clients")
						sock.recv(packet_len)
						packet_len = sock.recv(4).unpack('H*')[0].to_i 16
					end
				when 2
					data = sock.recv(packet_len)
					packet_len -= packet_len
					packet_len = sock.recv(4).unpack('H*')[0].to_i 16
				when 3
					clients = sock.recv(packet_len)
					packet_len -= packet_len
					packet_len = sock.recv(4).unpack('H*')[0].to_i 16
				when 4
					pwd = sock.recv(packet_len)
					print_good(pwd)
					packet_len -= packet_len
					packet_len = sock.recv(4).unpack('H*')[0].to_i 16
				when 5
					routtab = sock.recv(packet_len)
					print_good(routtab)
					packet_len -= packet_len
					packet_len = sock.recv(4).unpack('H*')[0].to_i 16
				end
				if packet_len == 0
					break
				end
			end
			disconnect
		# TODO: This data should be saved somewhere. A note on the host would be nice.
		print(saptbl.to_s)
		end
	end
end
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
Fix file header comment [See #1555] 2013-03-07 23:53:19 +00:00			`# http://metasploit.com/framework/`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit4 < Msf::Auxiliary`

Moved shout outs, organized includes include Msf::Exploit::Remote::Tcp must precede the include for the Scanner mixin -- otherwise you end up with some undesired effects, like having an RHOST and RHOSTS on the datastore. Also, took out the block of shout outs and gave references and credits to the people / url's mentioned. 2012-12-28 20:51:23 +00:00			`include Msf::Exploit::Remote::Tcp`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::Scanner`
made requested changes 2012-11-14 23:50:47 +00:00
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`def initialize`
			`super(`
			`'Name' => 'SAPRouter Admin Request',`
			`'Description' => %q{`
Normalizing caps and expanding description a bit Be nice to have a couple more lines on the description 2012-12-28 21:12:37 +00:00			`Display the remote connection table from a SAPRouter.`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`},`
Moved shout outs, organized includes include Msf::Exploit::Remote::Tcp must precede the include for the Scanner mixin -- otherwise you end up with some undesired effects, like having an RHOST and RHOSTS on the datastore. Also, took out the block of shout outs and gave references and credits to the people / url's mentioned. 2012-12-28 20:51:23 +00:00			`'References' => [`
			`[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ],`
			`[ 'URL', 'http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm'],`
			`[ 'URL', 'http://www.onapsis.com/research-free-solutions.php' ] # Bizsploit Opensource ERP Pentesting Framework`
			`],`
			`'Author' => [`
			`'nomnkee',`
			`'Mariano Nunez', # Wrote Bizploit, helped on this module, very cool guy`
			`'Chris John Riley', # Testing`
			`'Ian de Villiers', # Testing`
			`'Joris van de Vis' # Testing`
Msftidy on sap_router_info_request 2013-01-03 16:55:11 +00:00			`],`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`'License' => BSD_LICENSE`
			`)`
			`register_options(`
			`[`
			`Opt::RPORT(3299)`
			`], self.class)`
			`end`
made requested changes 2012-11-14 23:50:47 +00:00
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`def get_data(size, packet_len)`
			`info = ''`
made requested changes 2012-11-14 23:50:47 +00:00			`1.upto(size) do \|i\|`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`data = sock.recv(1)`
			`packet_len -= 1`
			`if data == "\x00"`
			`sock.recv(size - i)`
			`packet_len -= size - i`
			`return info, packet_len`
			`break`
made requested changes 2012-11-14 23:50:47 +00:00			`else`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`info << data`
			`end`
			`end`
			`end`
made requested changes 2012-11-14 23:50:47 +00:00
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`def run_host(ip)`
Normalizing caps and expanding description a bit Be nice to have a couple more lines on the description 2012-12-28 21:12:37 +00:00			`host_port = "#{ip}:#{datastore['RPORT']}"`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`type = 'ROUTER_ADM'`
			`version = 0x26`
			`cmd = 0x2`
			`count = 0`
Fix connected in sap_router_info_request See #1028 comments 2012-12-28 22:34:56 +00:00			`connected = true`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`port = datastore['RPORT']`
			`source = ''`
			`destination = ''`
			`service = ''`
			`ni_packet = type + [0,version,cmd,0,0].pack("c*")`
			`ni_packet = [ni_packet.length].pack('N') << ni_packet`
			`saptbl = Msf::Ui::Console::Table.new(`
			`Msf::Ui::Console::Table::Style::Default,`
			`'Header' => "[SAP] SAProuter Connection Table for #{ip}",`
			`'Prefix' => "\n",`
			`'Postfix' => "\n",`
			`'Indent' => 1,`
			`'Columns' =>`
			`[`
			`"Source",`
			`"Destination",`
			`"Service"`
			`])`
			`begin`
			`connect`
			`rescue ::Rex::ConnectionRefused`
Normalizing caps and expanding description a bit Be nice to have a couple more lines on the description 2012-12-28 21:12:37 +00:00			`print_status("#{host_port} - Connection refused")`
made requested changes 2012-11-14 23:50:47 +00:00			`connected = false`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error`
Normalizing caps and expanding description a bit Be nice to have a couple more lines on the description 2012-12-28 21:12:37 +00:00			`print_status("#{host_port} - Connection timeout")`
made requested changes 2012-11-14 23:50:47 +00:00			`connected = false`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`rescue ::Exception => e`
Normalizing caps and expanding description a bit Be nice to have a couple more lines on the description 2012-12-28 21:12:37 +00:00			`print_error("#{host_port} - Exception #{e.class} #{e} #{e.backtrace}")`
made requested changes 2012-11-14 23:50:47 +00:00			`connected = false`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`end`
Fix connected in sap_router_info_request See #1028 comments 2012-12-28 22:34:56 +00:00			`if connected`
Normalizing caps and expanding description a bit Be nice to have a couple more lines on the description 2012-12-28 21:12:37 +00:00			`print_good("#{host_port} - Connected to saprouter")`
			`print_good("#{host_port} - Sending ROUTER_ADM packet info request")`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`sock.put(ni_packet)`
			`packet_len = sock.read(4).unpack('H*')[0].to_i 16`
Normalizing caps and expanding description a bit Be nice to have a couple more lines on the description 2012-12-28 21:12:37 +00:00			`print_good("#{host_port} - Got INFO response")`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`while packet_len !=0`
			`count += 1`
			`case count`
			`when 1`
			`if packet_len > 150`
			`sock.recv(150)`
			`packet_len -= 150`
			`source, packet_len = get_data(46,packet_len)`
			`destination, packet_len = get_data(46,packet_len)`
			`service, packet_len = get_data(30,packet_len)`
			`sock.recv(2)`
			`packet_len -= 2`
			`saptbl << [source, destination, service]`
made requested changes 2012-11-14 23:50:47 +00:00			`while packet_len > 0`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`sock.recv(13)`
			`packet_len -= 13`
			`source, packet_len = get_data(46,packet_len)`
			`destination, packet_len = get_data(46,packet_len)`
			`service, packet_len = get_data(30,packet_len)`
			`term = sock.recv(2)`
			`packet_len -= 2`
			`saptbl << [source, destination, service]`
			`end`
			`packet_len = sock.recv(4).unpack('H*')[0].to_i 16`
			`else`
Normalizing caps and expanding description a bit Be nice to have a couple more lines on the description 2012-12-28 21:12:37 +00:00			`print_error("#{host_port} - No connected clients")`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`sock.recv(packet_len)`
			`packet_len = sock.recv(4).unpack('H*')[0].to_i 16`
			`end`
			`when 2`
			`data = sock.recv(packet_len)`
			`packet_len -= packet_len`
			`packet_len = sock.recv(4).unpack('H*')[0].to_i 16`
			`when 3`
			`clients = sock.recv(packet_len)`
			`packet_len -= packet_len`
			`packet_len = sock.recv(4).unpack('H*')[0].to_i 16`
			`when 4`
			`pwd = sock.recv(packet_len)`
			`print_good(pwd)`
			`packet_len -= packet_len`
			`packet_len = sock.recv(4).unpack('H*')[0].to_i 16`
			`when 5`
			`routtab = sock.recv(packet_len)`
			`print_good(routtab)`
			`packet_len -= packet_len`
			`packet_len = sock.recv(4).unpack('H*')[0].to_i 16`
			`end`
			`if packet_len == 0`
			`break`
			`end`
			`end`
			`disconnect`
Normalizing caps and expanding description a bit Be nice to have a couple more lines on the description 2012-12-28 21:12:37 +00:00			`# TODO: This data should be saved somewhere. A note on the host would be nice.`
SAPRouter Admin Request (display remote route information) 2012-11-07 11:06:03 +00:00			`print(saptbl.to_s)`
			`end`
			`end`
			`end`