From 00c756ee27e99be0f5ff8593465d62bfa85ad869 Mon Sep 17 00:00:00 2001 From: David Rude Date: Fri, 11 Mar 2011 16:50:18 +0000 Subject: [PATCH] Added patches from Chris John Riley for SAP aux scanner modules git-svn-id: file:///home/svn/framework3/trunk@11933 4d416f70-5f16-0410-b530-b9f4589650da --- .../scanner/sap/sap_mgmt_con_abaplog.rb | 9 +++---- .../scanner/sap/sap_mgmt_con_brute_login.rb | 2 +- .../scanner/sap/sap_mgmt_con_extractusers.rb | 26 ++++++++++++------- .../scanner/sap/sap_mgmt_con_getenv.rb | 19 ++++++++------ .../scanner/sap/sap_mgmt_con_getlogfiles.rb | 19 +++++++------- .../sap/sap_mgmt_con_instanceproperties.rb | 26 +++++++++---------- .../scanner/sap/sap_mgmt_con_listlogfiles.rb | 21 ++++++++++----- .../scanner/sap/sap_mgmt_con_startprofile.rb | 13 +++++++--- .../scanner/sap/sap_service_discovery.rb | 8 ++++-- 9 files changed, 84 insertions(+), 59 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb index fa74bc91ec..fb098891c3 100755 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb @@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary super( 'Name' => 'SAP Management Console ABAP syslog', 'Version' => '$Revision$', - 'Description' => 'This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface.', + 'Description' => %q{ This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface. }, 'References' => [ # General @@ -37,10 +37,9 @@ class Metasploit3 < Msf::Auxiliary OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']), OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]), - OptString.new('LFILE', [true, 'Set path to save output to file', 'abapsyslog']), ], self.class) register_autofilter_ports([ 50013 ]) - deregister_options('RHOST', 'LFILE') + deregister_options('RHOST') end def rport @@ -60,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary def extractabap(rhost) verbose = datastore['VERBOSE'] - print_status("#{rhost}:#{rhost} [SAP] Connecting to SAP Management Console SOAP Interface") + print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface") success = false soapenv = 'http://schemas.xmlsoap.org/soap/envelope/' @@ -105,7 +104,7 @@ class Metasploit3 < Msf::Auxiliary end rescue ::Rex::ConnectionError - print_error("#{rhost}:#{rhost} [SAP] Unable to connect") + print_error("#{rhost}:#{rport} [SAP] Unable to connect") return end diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb index 452ac01c15..d2caa1a7da 100755 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb @@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary super( 'Name' => 'SAP Management Console Brute Force', 'Version' => '$Revision$', - 'Description' => %q{ This module simply attempts to brute force the username | password for the SAP Management Console SOAP Interface. }, + 'Description' => %q{ This module simply attempts to brute force the username | password for the SAP Management Console SOAP Interface. By setting the SAP SID value, a list of default SAP users can be tested without needing to set a USERNAME or USER_FILE value. The default usernames are stored in ./data/wordlists/sap_common.txt (the value of SAP SID is automatically inserted into the username to replce ). }, 'References' => [ # General diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb index 7922f0d9f8..7eecb13d51 100755 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary def extractusers(rhost) verbose = datastore['VERBOSE'] - print_status("#{rhost}:#{rhost} [SAP] Connecting to SAP Management Console SOAP Interface") + print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface") success = false soapenv = 'http://schemas.xmlsoap.org/soap/envelope/' @@ -100,13 +100,17 @@ class Metasploit3 < Msf::Auxiliary env = [] if res.code == 200 - body = [] - body = res.body unless res.body.nil? - users = body.scan(/([^<]+)<\/User>/i) - users = users.uniq - success = true - - else res.code == 500 + case res.body + when nil + # Nothing + when/([^<]+)<\/User>/i + body = [] + body = res.body unless res.body.nil? + users = body.scan(/([^<]+)<\/User>/i) + users = users.uniq + success = true + end + elsif res.code == 500 case res.body when /(.*)<\/faultstring>/i faultcode = "#{$1}" @@ -120,7 +124,7 @@ class Metasploit3 < Msf::Auxiliary end if success - print_good("#{rhost}#{rport} [SAP] Users Extracted: #{users.length} entries extracted from #{rhost}:#{rport}") + print_good("#{rhost}:#{rport} [SAP] Users Extracted: #{users.length} entries extracted from #{rhost}:#{rport}") report_note( :host => rhost, :proto => 'tcp', @@ -129,6 +133,10 @@ class Metasploit3 < Msf::Auxiliary :data => {:proto => "soap", :users => users}, :update => :unique_data ) + + users.each do |output| + print_good("#{rhost}:#{rport} [SAP] Extracted User: #{output}") + end return elsif fault print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}") diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb index fa97936add..509f37f14b 100755 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb @@ -37,10 +37,9 @@ class Metasploit3 < Msf::Auxiliary OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']), OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]), - OptString.new('LFILE', [false, 'Set path to save output to file', '']), ], self.class) register_autofilter_ports([ 50013 ]) - deregister_options('RHOST', 'LFILE') + deregister_options('RHOST') end def rport @@ -63,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary def getEnvironment(rhost) verbose = datastore['VERBOSE'] - print_status("#{rhost}:#{rhost} [SAP] Connecting to SAP Management Console SOAP Interface ") + print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface ") success = false soapenv = 'http://schemas.xmlsoap.org/soap/envelope/' @@ -109,7 +108,7 @@ class Metasploit3 < Msf::Auxiliary env = body.scan(/([^<]+)<\/item>/i) success = true end - else res.code == 500 + elsif res.code == 500 case res.body when /(.*)<\/faultstring>/i faultcode = $1.strip @@ -118,7 +117,7 @@ class Metasploit3 < Msf::Auxiliary end rescue ::Rex::ConnectionError - print_error("#{rhost}:#{rhost} [SAP] Unable to connect") + print_error("#{rhost}:#{rport} [SAP] Unable to connect") return end @@ -132,12 +131,16 @@ class Metasploit3 < Msf::Auxiliary :data => {:proto => "soap", :env => env}, :update => :unique_data ) - + + env.each do |output| + print_status("#{output}") + end + elsif fault - print_error("#{rhost}:#{rhost} [SAP] Errorcode: #{faultcode}") + print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}") return else - print_error("#{rhost}:#{rhost} [SAP] failed to request environment") + print_error("#{rhost}:#{rport} [SAP] failed to request environment") return end end diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb index c4b6e87ef4..da99268277 100755 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb @@ -35,11 +35,10 @@ class Metasploit3 < Msf::Auxiliary [ Opt::RPORT(50013), OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']), - OptString.new('RFILE', [ true, "The name of the file to download", "sapstart.log"]), + OptString.new('RFILE', [ true, 'The name of the file to download', 'sapstart.log']), OptString.new('FILETYPE', [true, 'Specify LOGFILE or TRACEFILE', 'TRACEFILE']), OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]), - OptString.new('LFILE', [false, 'Set path to save output to file', '']), ], self.class) register_autofilter_ports([ 50013 ]) deregister_options('RHOST') @@ -65,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary def gettfiles(rhost) verbose = datastore['VERBOSE'] - print_status("#{rhost}:#{rhost} [SAP] Connecting to SAP Management Console SOAP Interface") + print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface") success = false soapenv = 'http://schemas.xmlsoap.org/soap/envelope/' @@ -74,9 +73,9 @@ class Metasploit3 < Msf::Auxiliary sapsess = 'http://www.sap.com/webas/630/soap/features/session/' case "#{datastore['FILETYPE']}" - when /LOGFILE/i + when /^LOG/i ns1 = 'ns1:ReadLogFile' - when /TRACEFILE/i + when /^TRACE/i ns1 = 'ns1:ReadDeveloperTrace' end @@ -126,7 +125,7 @@ class Metasploit3 < Msf::Auxiliary success = true end - else res.code == 500 + elsif res.code == 500 case res.body when /(.*)<\/faultstring>/i faultcode = $1.strip @@ -135,19 +134,19 @@ class Metasploit3 < Msf::Auxiliary end rescue ::Rex::ConnectionError - print_error("#{rhost}:#{rhost} [SAP] Unable to connect") + print_error("#{rhost}:#{rport} [SAP] Unable to connect") return end if success - print_good("#{rhost}:#{rhost} [SAP] #{datastore['FILETYPE'].downcase}:#{datastore['RFILE'].downcase} looted") + print_good("#{rhost}:#{rport} [SAP] #{datastore['FILETYPE'].downcase}:#{datastore['RFILE'].downcase} looted") store_loot("sap.#{datastore['FILETYPE'].downcase}file", "text/xml", rhost, res.body, "sap_#{datastore['RFILE'].downcase}.xml", "SAP Get Logfile") elsif fault - print_error("#{rhost}:#{rhost} [SAP] Errorcode: #{faultcode}") + print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}") return else - print_error("#{rhost}:#{rhost} [SAP] failed to request environment") + print_error("#{rhost}:#{rport} [SAP] failed to request environment") return end end diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb index 1847b43efd..a249920bdb 100755 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary def enum_instance(rhost) verbose = datastore['VERBOSE'] - print_status("#{rhost}:#{rhost} [SAP] Connecting to SAP Management Console SOAP Interface") + print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface") success = false soapenv='http://schemas.xmlsoap.org/soap/envelope/' xsi='http://www.w3.org/2001/XMLSchema-instance' @@ -138,17 +138,17 @@ class Metasploit3 < Msf::Auxiliary end rescue ::Rex::ConnectionError - print_error("#{rhost}:#{rhost} [SAP] Unable to connect") + print_error("#{rhost}:#{rport} [SAP] Unable to connect") return end if success - print_good("#{rhost}:#{rhost} [SAP] Instance Properties Extracted") + print_good("#{rhost}:#{rport} [SAP] Instance Properties Extracted") if centralservices - print_good("#{rhost}:#{rhost} [SAP] Central Services: #{centralservices}") + print_good("#{rhost}:#{rport} [SAP] Central Services: #{centralservices}") end if sapsystem - print_good("#{rhost}:#{rhost} [SAP] SAP System Number: #{sapsystem}") + print_good("#{rhost}:#{rport} [SAP] SAP System Number: #{sapsystem}") report_note(:host => '#{rhost}', :proto => 'tcp', :port => '#{rport}', @@ -156,7 +156,7 @@ class Metasploit3 < Msf::Auxiliary :data => {:proto => "soap", :sapsystem => sapsystem}) end if sapsystemname - print_good("#{rhost}:#{rhost} [SAP] SAP System Name: #{sapsystemname}") + print_good("#{rhost}:#{rport} [SAP] SAP System Name: #{sapsystemname}") report_note(:host => '#{rhost}', :proto => 'tcp', :port => '#{rport}', @@ -164,7 +164,7 @@ class Metasploit3 < Msf::Auxiliary :data => {:proto => "soap", :sapsystemname => sapsystemname}) end if saplocalhost - print_good("#{rhost}:#{rhost} [SAP] SAP Localhost: #{saplocalhost}") + print_good("#{rhost}:#{rport} [SAP] SAP Localhost: #{saplocalhost}") report_note(:host => '#{rhost}', :proto => 'tcp', :port => '#{rport}', @@ -172,7 +172,7 @@ class Metasploit3 < Msf::Auxiliary :data => {:proto => "soap", :saplocalhost => saplocalhost}) end if instancename - print_good("#{rhost}:#{rhost} [SAP] Instance Name: #{instancename}") + print_good("#{rhost}:#{rport} [SAP] Instance Name: #{instancename}") report_note(:host => '#{rhost}', :proto => 'tcp', :port => '#{rport}', @@ -180,7 +180,7 @@ class Metasploit3 < Msf::Auxiliary :data => {:proto => "soap", :instancename => instancename}) end if icmurl - print_good("#{rhost}:#{rhost} [SAP] ICM URL: #{icmurl}") + print_good("#{rhost}:#{rport} [SAP] ICM URL: #{icmurl}") report_note(:host => '#{rhost}', :proto => 'tcp', :port => '#{rport}', @@ -189,7 +189,7 @@ class Metasploit3 < Msf::Auxiliary end if dbstring - print_good("#{rhost}:#{rhost} [SAP] DATABASE: #{dbstring}") + print_good("#{rhost}:#{rport} [SAP] DATABASE: #{dbstring}") report_note(:host => '#{rhost}', :proto => 'tcp', :port => '#{rport}', @@ -199,7 +199,7 @@ class Metasploit3 < Msf::Auxiliary end if protectedweb - print_good("#{rhost}:#{rhost} [SAP] protectedweb Webmethods: #{protectedweb}") + print_good("#{rhost}:#{rport} [SAP] protectedweb Webmethods: #{protectedweb}") report_note(:host => '#{rhost}', :proto => 'tcp', :port => '#{rport}', @@ -209,10 +209,10 @@ class Metasploit3 < Msf::Auxiliary end return elsif fault - print_error("#{rhost}:#{rhost} [SAP] Errorcode: #{faultcode}") + print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}") return else - print_error("#{rhost}:#{rhost} [SAP] failed to identify instance properties") + print_error("#{rhost}:#{rport} [SAP] failed to identify instance properties") return end end diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb index 7bfc43096f..d6c168ecbe 100755 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb @@ -71,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary sapsess = 'http://www.sap.com/webas/630/soap/features/session/' case "#{datastore['FILETYPE']}" - when /LOGFILE/i + when /^LOG/i ns1 = 'ns1:ListLogFiles' - when /TRACEFILE/i + when /^TRACE/i ns1 = 'ns1:ListDeveloperTraces' end @@ -129,8 +129,11 @@ class Metasploit3 < Msf::Auxiliary if success print_good("#{rhost}:#{rport} [SAP] #{datastore['FILETYPE'].downcase}: #{env.length} entries extracted") - saptbl = Rex::Ui::Text::Table.new( - 'Header' => "SAP Log Files", + saptbl = Msf::Ui::Console::Table.new( + Msf::Ui::Console::Table::Style::Default, + 'Header' => "[SAP] Log Files", + 'Prefix' => "\n", + 'Postfix' => "\n", 'Indent' => 1, 'Columns' => [ @@ -138,10 +141,14 @@ class Metasploit3 < Msf::Auxiliary "Size", "Timestamp" ]) - store_loot("sap.#{datastore['FILETYPE'].downcase}file", "text/xml", rhost, saptbl.to_s, "sap_#{datastore['RFILE'].downcase}.xml", - "SAP #{datastore['FILETYPE'].downcase}:#{datastore['RFILE'].downcase}") - + store_loot("sap.#{datastore['FILETYPE'].downcase}file", "text/xml", rhost, saptbl.to_s, "sap_listlogfiles.xml", + "SAP #{datastore['FILETYPE'].downcase}") + env.each do |output| + saptbl << [ output[0], output[1], output[2] ] + end + + print(saptbl.to_s) return elsif fault diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb index 4748229150..17680a3e30 100755 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb @@ -37,7 +37,6 @@ class Metasploit3 < Msf::Auxiliary OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']), OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]), - OptString.new('LFILE', [false, 'Set path to save output to file', '']), ], self.class) register_autofilter_ports([ 50013 ]) deregister_options('RHOST') @@ -63,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary def getStartProfile(rhost) verbose = datastore['VERBOSE'] - print_status("#{rhost}: #{rport} [SAP] Connecting to SAP Management Console SOAP Interface") + print_status("#{rhost}:#{rport} [SAP] Connecting to SAP Management Console SOAP Interface") success = false soapenv ='http://schemas.xmlsoap.org/soap/envelope/' xsi ='http://www.w3.org/2001/XMLSchema-instance' @@ -134,11 +133,17 @@ class Metasploit3 < Msf::Auxiliary if success print_good("#{rhost}:#{rport} [SAP] Startup Profile Extracted: #{name}") store_loot("sap.profile", "text/xml", rhost, res.body, "sap_profile.xml", "SAP Profile XML") + + env.each do |output| + print_status("#{output}") + end + + elsif fault - print_error("[SAP] Errorcode: #{faultcode}") + print_error("#{rhost}:#{rport} [SAP] Errorcode: #{faultcode}") return else - print_error("[SAP] failed to request environment") + print_error("#{rhost}:#{rport} [SAP] failed to request environment") return end end diff --git a/modules/auxiliary/scanner/sap/sap_service_discovery.rb b/modules/auxiliary/scanner/sap/sap_service_discovery.rb index 348c029979..191f1e4bc8 100755 --- a/modules/auxiliary/scanner/sap/sap_service_discovery.rb +++ b/modules/auxiliary/scanner/sap/sap_service_discovery.rb @@ -16,7 +16,6 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Exploit::Capture - include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner @@ -25,7 +24,12 @@ class Metasploit3 < Msf::Auxiliary super( 'Name' => 'SAP Service Discovery', 'Version' => '$Revision$', - 'Description' => 'Scans for listening SAP services', + 'Description' => %q{ Scans for listening SAP services. }, + 'References' => + [ + # General + [ 'URL', 'http://blog.c22.cc' ] + ], 'Author' => [ 'Chris John Riley' ], 'License' => MSF_LICENSE )