From 5d7414511ad5c548788b4667af79f8158ebb2b45 Mon Sep 17 00:00:00 2001 From: nmonkee Date: Wed, 7 Nov 2012 11:06:03 +0000 Subject: [PATCH 1/4] SAPRouter Admin Request (display remote route information) --- .../scanner/sap/sap_router_info_request.rb | 159 ++++++++++++++++++ 1 file changed, 159 insertions(+) create mode 100644 modules/auxiliary/scanner/sap/sap_router_info_request.rb diff --git a/modules/auxiliary/scanner/sap/sap_router_info_request.rb b/modules/auxiliary/scanner/sap/sap_router_info_request.rb new file mode 100644 index 0000000000..f0ef4c2310 --- /dev/null +++ b/modules/auxiliary/scanner/sap/sap_router_info_request.rb 
@@ -0,0 +1,159 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +## +# This module is based on, inspired by, or is a port of a plugin available in +# the Onapsis Bizploit Opensource ERP Penetration Testing framework - +# http://www.onapsis.com/research-free-solutions.php. +# Mariano Nuñez (the author of the Bizploit framework) helped me in my efforts +# in producing the Metasploit modules and was happy to share his knowledge and +# experience - a very cool guy. I'd also like to thank Chris John Riley, +# Ian de Villiers and Joris van de Vis who have Beta tested the modules and +# provided excellent feedback. Some people just seem to enjoy hacking SAP :) +## + +require 'msf/core' + +class Metasploit4 < Msf::Auxiliary + + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + include Msf::Exploit::Remote::Tcp + + def initialize + super( + 'Name' => 'SAPRouter Admin Request', + 'Version' => '$Revision$', + 'Description' => %q{ + SAPRouter Admin Request (display remote route information). 
+ http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm + }, + 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]], + 'Author' => [ 'nmonkee' ], + 'License' => BSD_LICENSE + ) + register_options( + [ + Opt::RPORT(3299) + ], self.class) + end + + def get_data(size, packet_len) + info = '' + for i in 1..size + data = sock.recv(1) + packet_len -= 1 + if data == "\x00" + sock.recv(size - i) + packet_len -= size - i + return info, packet_len + break + elsif + info << data + end + end + end + + def run_host(ip) + type = 'ROUTER_ADM' + version = 0x26 + cmd = 0x2 + count = 0 + connected = 'false' + port = datastore['RPORT'] + source = '' + destination = '' + service = '' + ni_packet = type + [0,version,cmd,0,0].pack("c*") + ni_packet = [ni_packet.length].pack('N') << ni_packet + saptbl = Msf::Ui::Console::Table.new( + Msf::Ui::Console::Table::Style::Default, + 'Header' => "[SAP] SAProuter Connection Table for #{ip}", + 'Prefix' => "\n", + 'Postfix' => "\n", + 'Indent' => 1, + 'Columns' => + [ + "Source", + "Destination", + "Service" + ]) + begin + connect + rescue ::Rex::ConnectionRefused + print_status("#{ip}:#{datastore['RPORT']} - connection refused") + connected == 'false' + rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error + print_status("#{ip}:#{datastore['RPORT']} - connection timeout") + connected == 'false' + rescue ::Exception => e + print_error("#{ip}:#{datastore['RPORT']} - exception #{e.class} #{e} #{e.backtrace}") + connected == 'false' + end + if connected != 'false' + print_good("connected to saprouter") + print_good("sending ROUTER_ADM packet info request") + sock.put(ni_packet) + packet_len = sock.read(4).unpack('H*')[0].to_i 16 + print_good("got INFO response") + while packet_len !=0 + count += 1 + case count + when 1 + if packet_len > 150 + sock.recv(150) + packet_len -= 150 + source, packet_len = get_data(46,packet_len) + destination, packet_len = get_data(46,packet_len) + service, packet_len 
= get_data(30,packet_len) + sock.recv(2) + packet_len -= 2 + saptbl << [source, destination, service] + while packet_len !=0 + sock.recv(13) + packet_len -= 13 + source, packet_len = get_data(46,packet_len) + destination, packet_len = get_data(46,packet_len) + service, packet_len = get_data(30,packet_len) + term = sock.recv(2) + packet_len -= 2 + saptbl << [source, destination, service] + end + packet_len = sock.recv(4).unpack('H*')[0].to_i 16 + else + print_error("no connected clients :'(") + sock.recv(packet_len) + packet_len = sock.recv(4).unpack('H*')[0].to_i 16 + end + when 2 + data = sock.recv(packet_len) + packet_len -= packet_len + packet_len = sock.recv(4).unpack('H*')[0].to_i 16 + when 3 + clients = sock.recv(packet_len) + packet_len -= packet_len + packet_len = sock.recv(4).unpack('H*')[0].to_i 16 + when 4 + pwd = sock.recv(packet_len) + print_good(pwd) + packet_len -= packet_len + packet_len = sock.recv(4).unpack('H*')[0].to_i 16 + when 5 + routtab = sock.recv(packet_len) + print_good(routtab) + packet_len -= packet_len + packet_len = sock.recv(4).unpack('H*')[0].to_i 16 + end + if packet_len == 0 + break + end + end + disconnect + print(saptbl.to_s) + end + end +end From 99d145eb233d4444f4dc1b69917610abf19cb06e Mon Sep 17 00:00:00 2001 From: nmonkee Date: Wed, 14 Nov 2012 23:50:47 +0000 Subject: [PATCH 2/4] made requested changes --- .../scanner/sap/sap_router_info_request.rb | 33 +++++++++---------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_router_info_request.rb b/modules/auxiliary/scanner/sap/sap_router_info_request.rb index f0ef4c2310..6d1c687aaa 100644 --- a/modules/auxiliary/scanner/sap/sap_router_info_request.rb +++ b/modules/auxiliary/scanner/sap/sap_router_info_request.rb 
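Review bot: The whole parse path in run_host assumes every `sock.recv(n)` returns exactly n bytes — `sock.recv(150)` / `packet_len -= 150`, `sock.recv(13)` / `packet_len -= 13`, and the one-byte reads in get_data — so a short TCP read desynchronises the field parsing and, because `packet_len` is decremented by the requested rather than the received size, it can go negative and leave `while packet_len !=0` spinning on the socket. A small read-exactly helper that loops over short reads and returns nil at EOF, with callers bailing out on nil, would make the parser robust; something like the one below (I am assuming Rex's recv returns an empty string or nil at EOF — worth confirming). Independently, `packet_len` comes straight off the wire and is handed to `sock.recv(packet_len)` unbounded, so treat it as untrusted and cap it before use. Also `rescue ::Exception => e` swallows Interrupt and SystemExit, so narrowing it to StandardError would keep Ctrl-C working mid-scan.
```ruby
  # Read exactly +n+ bytes from the router, looping over short TCP reads.
  # Returns nil if the peer closes the connection before +n+ bytes arrive.
  def recv_exact(n)
    buf = ''
    while buf.length < n
      chunk = sock.recv(n - buf.length)
      return nil if chunk.nil? || chunk.empty?
      buf << chunk
    end
    buf
  end
  # … unchanged: run_host, with each sock.recv(N) / sock.read(4) replaced by
  #   recv_exact(N) and the nil case reported with print_error before returning …
```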
@@ -6,13 +6,13 @@ ## ## -# This module is based on, inspired by, or is a port of a plugin available in -# the Onapsis Bizploit Opensource ERP Penetration Testing framework - +# This module is based on, inspired by, or is a port of a plugin available in +# the Onapsis Bizploit Opensource ERP Penetration Testing framework - # http://www.onapsis.com/research-free-solutions.php. -# Mariano Nuñez (the author of the Bizploit framework) helped me in my efforts +# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts # in producing the Metasploit modules and was happy to share his knowledge and -# experience - a very cool guy. I'd also like to thank Chris John Riley, -# Ian de Villiers and Joris van de Vis who have Beta tested the modules and +# experience - a very cool guy. I'd also like to thank Chris John Riley, +# Ian de Villiers and Joris van de Vis who have Beta tested the modules and # provided excellent feedback. Some people just seem to enjoy hacking SAP :) ## @@ -23,16 +23,15 @@ class Metasploit4 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner include Msf::Exploit::Remote::Tcp - + def initialize super( 'Name' => 'SAPRouter Admin Request', - 'Version' => '$Revision$', 'Description' => %q{ SAPRouter Admin Request (display remote route information). http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm }, - 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]], + 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]], 'Author' => [ 'nmonkee' ], 'License' => BSD_LICENSE ) @@ -41,10 +40,10 @@ class Metasploit4 < Msf::Auxiliary Opt::RPORT(3299) ], self.class) end - + def get_data(size, packet_len) info = '' - for i in 1..size + 1.upto(size) do |i| data = sock.recv(1) packet_len -= 1 if data == "\x00" 
@@ -52,12 +51,12 @@ class Metasploit4 < Msf::Auxiliary packet_len -= size - i return info, packet_len break - elsif + else info << data end end end - + def run_host(ip) type = 'ROUTER_ADM' version = 0x26 @@ -86,15 +85,15 @@ class Metasploit4 < Msf::Auxiliary connect rescue ::Rex::ConnectionRefused print_status("#{ip}:#{datastore['RPORT']} - connection refused") - connected == 'false' + connected = false rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error print_status("#{ip}:#{datastore['RPORT']} - connection timeout") - connected == 'false' + connected = false rescue ::Exception => e print_error("#{ip}:#{datastore['RPORT']} - exception #{e.class} #{e} #{e.backtrace}") - connected == 'false' + connected = false end - if connected != 'false' + if connected != false print_good("connected to saprouter") print_good("sending ROUTER_ADM packet info request") sock.put(ni_packet) @@ -113,7 +112,7 @@ class Metasploit4 < Msf::Auxiliary sock.recv(2) packet_len -= 2 saptbl << [source, destination, service] - while packet_len !=0 + while packet_len > 0 sock.recv(13) packet_len -= 13 source, packet_len = get_data(46,packet_len) From 5d7197d8badc07ebd9f8819e209474968a7eb868 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Fri, 28 Dec 2012 14:51:23 -0600 Subject: [PATCH 3/4] Moved shout outs, organized includes include Msf::Exploit::Remote::Tcp must precede the include for the Scanner mixin -- otherwise you end up with some undesired effects, like having an RHOST and RHOSTS on the datastore. Also, took out the block of shout outs and gave references and credits to the people / url's mentioned. --- .../scanner/sap/sap_router_info_request.rb | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_router_info_request.rb b/modules/auxiliary/scanner/sap/sap_router_info_request.rb index 6d1c687aaa..b6402e302c 100644 --- a/modules/auxiliary/scanner/sap/sap_router_info_request.rb 
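Review bot: get_data still has no return value when no NUL byte turns up within `size` bytes: the `1.upto(size)` loop falls off the end and yields `1`, so the caller's `source, packet_len = get_data(46, packet_len)` leaves `packet_len` nil and the next `packet_len -= 13` raises NoMethodError. Add `[info, packet_len]` as the last expression of the method, after the loop's `end`, so both paths return the pair. The `break` after `return info, packet_len` is unreachable and can be dropped. The run_host definition that opens at the bottom of this hunk continues past it.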
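Review bot: `connected` is never assigned `true` on the success path, and its initialiser (above this hunk) still sets the string `'false'`, so `if connected != false` passes only because `'false' != false`; change the initialiser to `connected = false` and add `connected = true` right after `connect` so the flag means what it says. `rescue ::Exception => e` also catches Interrupt and SystemExit, which turns a Ctrl-C during a scan into a printed backtrace instead of a stop; `rescue ::StandardError => e` covers what this block wants to report. `#{e.backtrace}` interpolates an Array, so `#{e.backtrace.join("\n")}` would read better. run_host begins before this hunk.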
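Review bot: The inner loop now guards with `packet_len > 0`, but the outer `while packet_len !=0` that contains it (above this hunk, unchanged) still tests for inequality, so a negative `packet_len` — reachable because every decrement here is a fixed constant (`-= 2`, `-= 13`) rather than the number of bytes actually received — exits the inner loop only to leave the outer one reading `sock.recv(4)` indefinitely. Apply the same `> 0` test to the outer loop and decrement by the `.length` of the data each recv actually returned. This hunk sits in the middle of run_host.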
+++ b/modules/auxiliary/scanner/sap/sap_router_info_request.rb @@ -5,34 +5,32 @@ # http://metasploit.com/framework/ ## -## -# This module is based on, inspired by, or is a port of a plugin available in -# the Onapsis Bizploit Opensource ERP Penetration Testing framework - -# http://www.onapsis.com/research-free-solutions.php. -# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts -# in producing the Metasploit modules and was happy to share his knowledge and -# experience - a very cool guy. I'd also like to thank Chris John Riley, -# Ian de Villiers and Joris van de Vis who have Beta tested the modules and -# provided excellent feedback. Some people just seem to enjoy hacking SAP :) -## - require 'msf/core' class Metasploit4 < Msf::Auxiliary + include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner - include Msf::Exploit::Remote::Tcp def initialize super( 'Name' => 'SAPRouter Admin Request', 'Description' => %q{ - SAPRouter Admin Request (display remote route information). - http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm + Display remote route information. }, - 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]], - 'Author' => [ 'nmonkee' ], + 'References' => [ + [ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ], + [ 'URL', 'http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm'], + [ 'URL', 'http://www.onapsis.com/research-free-solutions.php' ] # Bizsploit Opensource ERP Pentesting Framework + ], + 'Author' => [ + 'nomnkee', + 'Mariano Nunez', # Wrote Bizploit, helped on this module, very cool guy + 'Chris John Riley', # Testing + 'Ian de Villiers', # Testing + 'Joris van de Vis' # Testing + ], 'License' => BSD_LICENSE ) register_options( From 35604ac1aa70acd3556694da1dfc28eca927d598 Mon Sep 17 00:00:00 2001 
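Review bot: The rewritten Author list spells the module author `'nomnkee'`, while the line it replaces (and the patch author) is `nmonkee`; change it to `'nmonkee'`. The trailing comment on the Onapsis reference says "Bizsploit" where the credit line beside it and the removed header say Bizploit. Neither affects behaviour, but the author string is what the module's info output will show.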
From: Tod Beardsley Date: Fri, 28 Dec 2012 15:12:37 -0600 Subject: [PATCH 4/4] Normalizing caps and expanding description a bit Be nice to have a couple more lines on the description --- .../scanner/sap/sap_router_info_request.rb | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_router_info_request.rb b/modules/auxiliary/scanner/sap/sap_router_info_request.rb index b6402e302c..6a0f5af489 100644 --- a/modules/auxiliary/scanner/sap/sap_router_info_request.rb +++ b/modules/auxiliary/scanner/sap/sap_router_info_request.rb @@ -17,7 +17,7 @@ class Metasploit4 < Msf::Auxiliary super( 'Name' => 'SAPRouter Admin Request', 'Description' => %q{ - Display remote route information. + Display the remote connection table from a SAPRouter. }, 'References' => [ [ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ], @@ -56,6 +56,7 @@ class Metasploit4 < Msf::Auxiliary end def run_host(ip) + host_port = "#{ip}:#{datastore['RPORT']}" type = 'ROUTER_ADM' version = 0x26 cmd = 0x2 
@@ -82,21 +83,21 @@ class Metasploit4 < Msf::Auxiliary begin connect rescue ::Rex::ConnectionRefused - print_status("#{ip}:#{datastore['RPORT']} - connection refused") + print_status("#{host_port} - Connection refused") connected = false rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error - print_status("#{ip}:#{datastore['RPORT']} - connection timeout") + print_status("#{host_port} - Connection timeout") connected = false rescue ::Exception => e - print_error("#{ip}:#{datastore['RPORT']} - exception #{e.class} #{e} #{e.backtrace}") + print_error("#{host_port} - Exception #{e.class} #{e} #{e.backtrace}") connected = false end if connected != false - print_good("connected to saprouter") - print_good("sending ROUTER_ADM packet info request") + print_good("#{host_port} - Connected to saprouter") + print_good("#{host_port} - Sending ROUTER_ADM packet info request") sock.put(ni_packet) packet_len = sock.read(4).unpack('H*')[0].to_i 16 - print_good("got INFO response") + print_good("#{host_port} - Got INFO response") while packet_len !=0 count += 1 case count @@ -122,7 +123,7 @@ class Metasploit4 < Msf::Auxiliary end packet_len = sock.recv(4).unpack('H*')[0].to_i 16 else - print_error("no connected clients :'(") + print_error("#{host_port} - No connected clients") sock.recv(packet_len) packet_len = sock.recv(4).unpack('H*')[0].to_i 16 end @@ -150,6 +151,7 @@ class Metasploit4 < Msf::Auxiliary end end disconnect + # TODO: This data should be saved somewhere. A note on the host would be nice. print(saptbl.to_s) end end
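Review bot: The context line `packet_len = sock.read(4).unpack('H*')[0].to_i 16` still has no guard for a router that closes the connection without answering or returns fewer than four bytes: the chain then raises NoMethodError on nil or computes a bogus length, which none of the messages normalised in this hunk will explain. Read the NI length as a big-endian 32-bit integer and bail out cleanly: `hdr = sock.read(4)`, `return print_error("#{host_port} - No NI header in reply") if hdr.nil? || hdr.length < 4`, `packet_len = hdr.unpack('N')[0]`. I am assuming Rex's `read` returns nil or short data at EOF rather than raising — confirm. run_host starts and ends outside this hunk.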
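Review bot: An empty connection table is a normal result, not a failure, so `print_error("#{host_port} - No connected clients")` should be `print_status("#{host_port} - No connected clients")`; print_error makes scanner output look as if the request failed. The `sock.recv(packet_len)` beneath it drains a length taken straight from the router's reply with no upper bound; the router is untrusted here, so capping it (or draining in fixed-size chunks) avoids one huge allocation on a hostile or buggy peer. run_host starts and ends outside this hunk.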
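Review bot: The new TODO can be closed in this commit — `Msf::Auxiliary::Report` is already mixed in, so the table can be persisted with something like `report_note(:host => ip, :port => datastore['RPORT'], :proto => 'tcp', :type => 'sap.saprouter.connection_table', :data => saptbl.to_s)` (the type name is a suggestion). Separately, `disconnect` is only reached on the happy path; any exception raised in the parse loop above leaves the socket open for that host, so moving `disconnect` into an `ensure` around the connected branch would be safer. run_host begins before this hunk.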