infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added patches from Chris John Riley for SAP aux scanner modules 

git-svn-id: file:///home/svn/framework3/trunk@11933 4d416f70-5f16-0410-b530-b9f4589650da
unstable
David Rude 2011-03-11 16:50:18 +00:00
parent 370c42736c
commit 00c756ee27
9 changed files with 84 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb
View File

@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
super(
'Name' => 'SAP Management Console ABAP syslog',
'Version' => '$Revision$',
'Description' => 'This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface.',
'Description' => %q{ This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface. },
'References' =>
[
# General
@ -37,10 +37,9 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request",
'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
OptString.new('LFILE', [true, 'Set path to save output to file', 'abapsyslog']),
], self.class)
register_autofilter_ports([ 50013 ])
deregister_options('RHOST', 'LFILE')
deregister_options('RHOST')
end
def rport
@ -60,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
def extractabap(rhost)
verbose = datastore['VERBOSE']
print_status("#{rhost}:#{rhost} [SAP] Connecting to SAP Management Console SOAP Interface")
print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface")
success = false
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
@ -105,7 +104,7 @@ class Metasploit3 < Msf::Auxiliary
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rhost} [SAP] Unable to connect")
print_error("#{rhost}:#{rport} [SAP] Unable to connect")
return
end

2
modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
View File

@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
super(
'Name' => 'SAP Management Console Brute Force',
'Version' => '$Revision$',
'Description' => %q{ This module simply attempts to brute force the username | password for the SAP Management Console SOAP Interface. },
'Description' => %q{ This module simply attempts to brute force the username | password for the SAP Management Console SOAP Interface. By setting the SAP SID value, a list of default SAP users can be tested without needing to set a USERNAME or USER_FILE value. The default usernames are stored in ./data/wordlists/sap_common.txt (the value of SAP SID is automatically inserted into the username to replce <SAPSID>). },
'References' =>
[
# General

26
modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb
View File

@ -63,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary
def extractusers(rhost)
verbose = datastore['VERBOSE']
print_status("#{rhost}:#{rhost} [SAP] Connecting to SAP Management Console SOAP Interface")
print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface")
success = false
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
@ -100,13 +100,17 @@ class Metasploit3 < Msf::Auxiliary
env = []
if res.code == 200
body = []
body = res.body unless res.body.nil?
users = body.scan(/<User>([^<]+)<\/User>/i)
users = users.uniq
success = true
else res.code == 500
case res.body
when nil
# Nothing
when/<User>([^<]+)<\/User>/i
body = []
body = res.body unless res.body.nil?
users = body.scan(/<User>([^<]+)<\/User>/i)
users = users.uniq
success = true
end
elsif res.code == 500
case res.body
when /<faultstring>(.*)<\/faultstring>/i
faultcode = "#{$1}"
@ -120,7 +124,7 @@ class Metasploit3 < Msf::Auxiliary
end
if success
print_good("#{rhost}#{rport} [SAP] Users Extracted: #{users.length} entries extracted from #{rhost}:#{rport}")
print_good("#{rhost}:#{rport} [SAP] Users Extracted: #{users.length} entries extracted from #{rhost}:#{rport}")
report_note(
:host => rhost,
:proto => 'tcp',
@ -129,6 +133,10 @@ class Metasploit3 < Msf::Auxiliary
:data => {:proto => "soap", :users => users},
:update => :unique_data
)
users.each do |output|
print_good("#{rhost}:#{rport} [SAP] Extracted User: #{output}")
end
return
elsif fault
print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}")

19
modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb
View File

@ -37,10 +37,9 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request",
'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
OptString.new('LFILE', [false, 'Set path to save output to file', '']),
], self.class)
register_autofilter_ports([ 50013 ])
deregister_options('RHOST', 'LFILE')
deregister_options('RHOST')
end
def rport
@ -63,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
def getEnvironment(rhost)
verbose = datastore['VERBOSE']
print_status("#{rhost}:#{rhost} [SAP] Connecting to SAP Management Console SOAP Interface ")
print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface ")
success = false
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
@ -109,7 +108,7 @@ class Metasploit3 < Msf::Auxiliary
env = body.scan(/<item>([^<]+)<\/item>/i)
success = true
end
else res.code == 500
elsif res.code == 500
case res.body
when /<faultstring>(.*)<\/faultstring>/i
faultcode = $1.strip
@ -118,7 +117,7 @@ class Metasploit3 < Msf::Auxiliary
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rhost} [SAP] Unable to connect")
print_error("#{rhost}:#{rport} [SAP] Unable to connect")
return
end
@ -132,12 +131,16 @@ class Metasploit3 < Msf::Auxiliary
:data => {:proto => "soap", :env => env},
:update => :unique_data
)
env.each do |output|
print_status("#{output}")
end
elsif fault
print_error("#{rhost}:#{rhost} [SAP] Errorcode: #{faultcode}")
print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}")
return
else
print_error("#{rhost}:#{rhost} [SAP] failed to request environment")
print_error("#{rhost}:#{rport} [SAP] failed to request environment")
return
end
end

19
modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb
View File

@ -35,11 +35,10 @@ class Metasploit3 < Msf::Auxiliary
[
Opt::RPORT(50013),
OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
OptString.new('RFILE', [ true, "The name of the file to download", "sapstart.log"]),
OptString.new('RFILE', [ true, 'The name of the file to download', 'sapstart.log']),
OptString.new('FILETYPE', [true, 'Specify LOGFILE or TRACEFILE', 'TRACEFILE']),
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request",
'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
OptString.new('LFILE', [false, 'Set path to save output to file', '']),
], self.class)
register_autofilter_ports([ 50013 ])
deregister_options('RHOST')
@ -65,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
def gettfiles(rhost)
verbose = datastore['VERBOSE']
print_status("#{rhost}:#{rhost} [SAP] Connecting to SAP Management Console SOAP Interface")
print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface")
success = false
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
@ -74,9 +73,9 @@ class Metasploit3 < Msf::Auxiliary
sapsess = 'http://www.sap.com/webas/630/soap/features/session/'
case "#{datastore['FILETYPE']}"
when /LOGFILE/i
when /^LOG/i
ns1 = 'ns1:ReadLogFile'
when /TRACEFILE/i
when /^TRACE/i
ns1 = 'ns1:ReadDeveloperTrace'
end
@ -126,7 +125,7 @@ class Metasploit3 < Msf::Auxiliary
success = true
end
else res.code == 500
elsif res.code == 500
case res.body
when /<faultstring>(.*)<\/faultstring>/i
faultcode = $1.strip
@ -135,19 +134,19 @@ class Metasploit3 < Msf::Auxiliary
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rhost} [SAP] Unable to connect")
print_error("#{rhost}:#{rport} [SAP] Unable to connect")
return
end
if success
print_good("#{rhost}:#{rhost} [SAP] #{datastore['FILETYPE'].downcase}:#{datastore['RFILE'].downcase} looted")
print_good("#{rhost}:#{rport} [SAP] #{datastore['FILETYPE'].downcase}:#{datastore['RFILE'].downcase} looted")
store_loot("sap.#{datastore['FILETYPE'].downcase}file", "text/xml", rhost, res.body, "sap_#{datastore['RFILE'].downcase}.xml",
"SAP Get Logfile")
elsif fault
print_error("#{rhost}:#{rhost} [SAP] Errorcode: #{faultcode}")
print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}")
return
else
print_error("#{rhost}:#{rhost} [SAP] failed to request environment")
print_error("#{rhost}:#{rport} [SAP] failed to request environment")
return
end
end

26
modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb
View File

@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
def enum_instance(rhost)
verbose = datastore['VERBOSE']
print_status("#{rhost}:#{rhost} [SAP] Connecting to SAP Management Console SOAP Interface")
print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface")
success = false
soapenv='http://schemas.xmlsoap.org/soap/envelope/'
xsi='http://www.w3.org/2001/XMLSchema-instance'
@ -138,17 +138,17 @@ class Metasploit3 < Msf::Auxiliary
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rhost} [SAP] Unable to connect")
print_error("#{rhost}:#{rport} [SAP] Unable to connect")
return
end
if success
print_good("#{rhost}:#{rhost} [SAP] Instance Properties Extracted")
print_good("#{rhost}:#{rport} [SAP] Instance Properties Extracted")
if centralservices
print_good("#{rhost}:#{rhost} [SAP] Central Services: #{centralservices}")
print_good("#{rhost}:#{rport} [SAP] Central Services: #{centralservices}")
end
if sapsystem
print_good("#{rhost}:#{rhost} [SAP] SAP System Number: #{sapsystem}")
print_good("#{rhost}:#{rport} [SAP] SAP System Number: #{sapsystem}")
report_note(:host => '#{rhost}',
:proto => 'tcp',
:port => '#{rport}',
@ -156,7 +156,7 @@ class Metasploit3 < Msf::Auxiliary
:data => {:proto => "soap", :sapsystem => sapsystem})
end
if sapsystemname
print_good("#{rhost}:#{rhost} [SAP] SAP System Name: #{sapsystemname}")
print_good("#{rhost}:#{rport} [SAP] SAP System Name: #{sapsystemname}")
report_note(:host => '#{rhost}',
:proto => 'tcp',
:port => '#{rport}',
@ -164,7 +164,7 @@ class Metasploit3 < Msf::Auxiliary
:data => {:proto => "soap", :sapsystemname => sapsystemname})
end
if saplocalhost
print_good("#{rhost}:#{rhost} [SAP] SAP Localhost: #{saplocalhost}")
print_good("#{rhost}:#{rport} [SAP] SAP Localhost: #{saplocalhost}")
report_note(:host => '#{rhost}',
:proto => 'tcp',
:port => '#{rport}',
@ -172,7 +172,7 @@ class Metasploit3 < Msf::Auxiliary
:data => {:proto => "soap", :saplocalhost => saplocalhost})
end
if instancename
print_good("#{rhost}:#{rhost} [SAP] Instance Name: #{instancename}")
print_good("#{rhost}:#{rport} [SAP] Instance Name: #{instancename}")
report_note(:host => '#{rhost}',
:proto => 'tcp',
:port => '#{rport}',
@ -180,7 +180,7 @@ class Metasploit3 < Msf::Auxiliary
:data => {:proto => "soap", :instancename => instancename})
end
if icmurl
print_good("#{rhost}:#{rhost} [SAP] ICM URL: #{icmurl}")
print_good("#{rhost}:#{rport} [SAP] ICM URL: #{icmurl}")
report_note(:host => '#{rhost}',
:proto => 'tcp',
:port => '#{rport}',
@ -189,7 +189,7 @@ class Metasploit3 < Msf::Auxiliary
end
if dbstring
print_good("#{rhost}:#{rhost} [SAP] DATABASE: #{dbstring}")
print_good("#{rhost}:#{rport} [SAP] DATABASE: #{dbstring}")
report_note(:host => '#{rhost}',
:proto => 'tcp',
:port => '#{rport}',
@ -199,7 +199,7 @@ class Metasploit3 < Msf::Auxiliary
end
if protectedweb
print_good("#{rhost}:#{rhost} [SAP] protectedweb Webmethods: #{protectedweb}")
print_good("#{rhost}:#{rport} [SAP] protectedweb Webmethods: #{protectedweb}")
report_note(:host => '#{rhost}',
:proto => 'tcp',
:port => '#{rport}',
@ -209,10 +209,10 @@ class Metasploit3 < Msf::Auxiliary
end
return
elsif fault
print_error("#{rhost}:#{rhost} [SAP] Errorcode: #{faultcode}")
print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}")
return
else
print_error("#{rhost}:#{rhost} [SAP] failed to identify instance properties")
print_error("#{rhost}:#{rport} [SAP] failed to identify instance properties")
return
end
end

21
modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb
View File

@ -71,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary
sapsess = 'http://www.sap.com/webas/630/soap/features/session/'
case "#{datastore['FILETYPE']}"
when /LOGFILE/i
when /^LOG/i
ns1 = 'ns1:ListLogFiles'
when /TRACEFILE/i
when /^TRACE/i
ns1 = 'ns1:ListDeveloperTraces'
end
@ -129,8 +129,11 @@ class Metasploit3 < Msf::Auxiliary
if success
print_good("#{rhost}:#{rport} [SAP] #{datastore['FILETYPE'].downcase}: #{env.length} entries extracted")
saptbl = Rex::Ui::Text::Table.new(
'Header' => "SAP Log Files",
saptbl = Msf::Ui::Console::Table.new(
Msf::Ui::Console::Table::Style::Default,
'Header' => "[SAP] Log Files",
'Prefix' => "\n",
'Postfix' => "\n",
'Indent' => 1,
'Columns' =>
[
@ -138,10 +141,14 @@ class Metasploit3 < Msf::Auxiliary
"Size",
"Timestamp"
])
store_loot("sap.#{datastore['FILETYPE'].downcase}file", "text/xml", rhost, saptbl.to_s, "sap_#{datastore['RFILE'].downcase}.xml",
"SAP #{datastore['FILETYPE'].downcase}:#{datastore['RFILE'].downcase}")
store_loot("sap.#{datastore['FILETYPE'].downcase}file", "text/xml", rhost, saptbl.to_s, "sap_listlogfiles.xml",
"SAP #{datastore['FILETYPE'].downcase}")
env.each do |output|
saptbl << [ output[0], output[1], output[2] ]
end
print(saptbl.to_s)
return
elsif fault

13
modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb
View File

@ -37,7 +37,6 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request",
'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
OptString.new('LFILE', [false, 'Set path to save output to file', '']),
], self.class)
register_autofilter_ports([ 50013 ])
deregister_options('RHOST')
@ -63,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
def getStartProfile(rhost)
verbose = datastore['VERBOSE']
print_status("#{rhost}: #{rport} [SAP] Connecting to SAP Management Console SOAP Interface")
print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface")
success = false
soapenv ='http://schemas.xmlsoap.org/soap/envelope/'
xsi ='http://www.w3.org/2001/XMLSchema-instance'
@ -134,11 +133,17 @@ class Metasploit3 < Msf::Auxiliary
if success
print_good("#{rhost}:#{rport} [SAP] Startup Profile Extracted: #{name}")
store_loot("sap.profile", "text/xml", rhost, res.body, "sap_profile.xml", "SAP Profile XML")
env.each do |output|
print_status("#{output}")
end
elsif fault
print_error("[SAP] Errorcode: #{faultcode}")
print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}")
return
else
print_error("[SAP] failed to request environment")
print_error("#{rhost}:#{rport} [SAP] failed to request environment")
return
end
end

8
modules/auxiliary/scanner/sap/sap_service_discovery.rb
View File

@ -16,7 +16,6 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Capture
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
@ -25,7 +24,12 @@ class Metasploit3 < Msf::Auxiliary
super(
'Name' => 'SAP Service Discovery',
'Version' => '$Revision$',
'Description' => 'Scans for listening SAP services',
'Description' => %q{ Scans for listening SAP services. },
'References' =>
[
# General
[ 'URL', 'http://blog.c22.cc' ]
],
'Author' => [ 'Chris John Riley' ],
'License' => MSF_LICENSE
)