From 83215edd8c47bee91691c364acc4ee632374e6ee Mon Sep 17 00:00:00 2001 From: nmonkee Date: Wed, 14 Nov 2012 22:38:32 +0000 Subject: [PATCH] made requested changes --- .../scanner/sap/sap_soap_rfc_system_info.rb | 153 +++++++++--------- 1 file changed, 77 insertions(+), 76 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb index 72d38f6278..23d63a5430 100755 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb @@ -6,13 +6,13 @@ ## ## -# This module is based on, inspired by, or is a port of a plugin available in -# the Onapsis Bizploit Opensource ERP Penetration Testing framework - +# This module is based on, inspired by, or is a port of a plugin available in +# the Onapsis Bizploit Opensource ERP Penetration Testing framework - # http://www.onapsis.com/research-free-solutions.php. -# Mariano Nuñez (the author of the Bizploit framework) helped me in my efforts +# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts # in producing the Metasploit modules and was happy to share his knowledge and -# experience - a very cool guy. I'd also like to thank Chris John Riley, -# Ian de Villiers and Joris van de Vis who have Beta tested the modules and +# experience - a very cool guy. I'd also like to thank Chris John Riley, +# Ian de Villiers and Joris van de Vis who have Beta tested the modules and # provided excellent feedback. Some people just seem to enjoy hacking SAP :) ## 
@@ -23,13 +23,14 @@ class Metasploit4 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner - + def initialize super( - 'Name' => 'SAP SOAP RFC_Info', - 'Version' => '$Revision$', - 'Description' => %q{}, - 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]], + 'Name' => 'SAP SOAP RFC_SYSTEM_INFO', + 'Description' => %q{'SAP NetWeaver could allow a remote attacker to obtain sensitive information. + By sending a RFC_SYSTEM_INFO RfcCallReceive request to TCP port 33NN an attacker + could obtain the operating system version, SAP version, and real IP address of the server.}, + 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]], 'Author' => [ 'Agnivesh Sathasivam','nmonkee' ], 'License' => BSD_LICENSE ) @@ -41,7 +42,7 @@ class Metasploit4 < Msf::Auxiliary ], self.class) register_autofilter_ports([ 8000 ]) end - + def run_host(ip) success = false client = datastore['CLIENT'] 
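Review bot: The new `'Description'` begins with a stray single quote inside the `%q{…}` literal, so the text shown to users starts with `'SAP NetWeaver`; that quote should be dropped. The description also says the request goes to `TCP port 33NN`, which is the classic RFC gateway port, while this module is an `HttpClient` scanner that sets a `SOAPAction` header and autofilters port 8000, so the stated vector does not match what the code does. I would reword the middle sentence to `By sending an RFC_SYSTEM_INFO request to the SOAP RFC service over HTTP (this module autofilters port 8000) an attacker` and keep the rest. Since the request carries an `Authorization: Basic` header built from `user_pass`, the call appears to need valid credentials; saying so would make the impact statement accurate.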
@@ -69,79 +70,79 @@ class Metasploit4 < Msf::Auxiliary 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client, 'Authorization' => 'Basic ' + user_pass, - 'Content-Type' => 'text/xml; charset=UTF-8', + 'Content-Type' => 'text/xml; charset=UTF-8' } }, 45) - if (res and res.code != 500 and res.code != 200) + if res and res.code != 500 and res.code != 200 # to do - implement error handlers for each status code, 404, 301, etc. print_error("[SAP] #{ip}:#{rport} - something went wrong!") - return + return false else success = true end - rescue ::Rex::ConnectionError - print_error("[SAP] #{ip}:#{rport} - Unable to connect") - return + rescue ::Rex::ConnectionError + print_error("[SAP] #{ip}:#{rport} - Unable to connect") + return false + end + if success + print_status("[SAP] #{ip}:#{rport} - got response") + saptbl = Msf::Ui::Console::Table.new( + Msf::Ui::Console::Table::Style::Default, + 'Header' => "[SAP] System Info", + 'Prefix' => "\n", + 'Postfix' => "\n", + 'Indent' => 1, + 'Columns' =>[ + "Info", + "Value" + ]) + response = res.body + rfcproto = $1 if response =~ /(.*)<\/RFCPROTO>/i + rfcchartyp = $1 if response =~ /(.*)<\/RFCCHARTYP>/i + rfcinttyp = $1 if response =~ /(.*)<\/RFCINTTYP>/i + rfcflotyp = $1 if response =~ /(.*)<\/RFCFLOTYP>/i + rfcdest = $1 if response =~ /(.*)<\/RFCDEST>/i + rfchost = $1 if response =~ /(.*)<\/RFCHOST>/i + rfcsysid = $1 if response =~ /(.*)<\/RFCSYSID>/i + rfcdatabs = $1 if response =~ /(.*)<\/RFCDATABS>/i + rfcdbhost = $1 if response =~ /(.*)<\/RFCDBHOST>/i + rfcdbsys = $1 if response =~ /(.*)<\/RFCDBSYS>/i + rfcsaprl = $1 if response =~ /(.*)<\/RFCSAPRL>/i + rfcmach = $1 if response =~ /(.*)<\/RFCMACH>/i + rfcopsys = $1 if response =~ /(.*)<\/RFCOPSYS>/i + rfctzone = $1 if response =~ /(.*)<\/RFCTZONE>/i + rfcdayst = $1 if response =~ /(.*)<\/RFCDAYST>/i + rfcipaddr = $1 if response =~ /(.*)<\/RFCIPADDR>/i + rfckernrl = $1 if response =~ /(.*)<\/RFCKERNRL>/i + 
rfchost2 = $1 if response =~ /(.*)<\/RFCHOST2>/i + rfcsi_resv = $1 if response =~ /(.*)<\/RFCSI_RESV>/i + rfcipv6addr = $1 if response =~ /(.*)<\/RFCIPV6ADDR>/i + saptbl << [ "Release Status of SAP System", rfcsaprl ] + saptbl << [ "RFC Log Version", rfcproto ] + saptbl << [ "Kernel Release", rfckernrl ] + saptbl << [ "Operating System", rfcopsys ] + saptbl << [ "Database Host", rfcdbhost] + saptbl << [ "Central Database System", rfcdbsys ] + if rfcinttyp == 'LIT' + saptbl << [ "Integer Format", "Little Endian" ] + else + saptbl << [ "Integer Format", "Big Endian" ] end - if success == true - print_status("[SAP] #{ip}:#{rport} - got response") - saptbl = Msf::Ui::Console::Table.new( - Msf::Ui::Console::Table::Style::Default, - 'Header' => "[SAP] System Info", - 'Prefix' => "\n", - 'Postfix' => "\n", - 'Indent' => 1, - 'Columns' =>[ - "Info", - "Value" - ]) - response = res.body - rfcproto = $1 if response =~ /(.*)<\/RFCPROTO>/i - rfcchartyp = $1 if response =~ /(.*)<\/RFCCHARTYP>/i - rfcinttyp = $1 if response =~ /(.*)<\/RFCINTTYP>/i - rfcflotyp = $1 if response =~ /(.*)<\/RFCFLOTYP>/i - rfcdest = $1 if response =~ /(.*)<\/RFCDEST>/i - rfchost = $1 if response =~ /(.*)<\/RFCHOST>/i - rfcsysid = $1 if response =~ /(.*)<\/RFCSYSID>/i - rfcdatabs = $1 if response =~ /(.*)<\/RFCDATABS>/i - rfcdbhost = $1 if response =~ /(.*)<\/RFCDBHOST>/i - rfcdbsys = $1 if response =~ /(.*)<\/RFCDBSYS>/i - rfcsaprl = $1 if response =~ /(.*)<\/RFCSAPRL>/i - rfcmach = $1 if response =~ /(.*)<\/RFCMACH>/i - rfcopsys = $1 if response =~ /(.*)<\/RFCOPSYS>/i - rfctzone = $1 if response =~ /(.*)<\/RFCTZONE>/i - rfcdayst = $1 if response =~ /(.*)<\/RFCDAYST>/i - rfcipaddr = $1 if response =~ /(.*)<\/RFCIPADDR>/i - rfckernrl = $1 if response =~ /(.*)<\/RFCKERNRL>/i - rfchost2 = $1 if response =~ /(.*)<\/RFCHOST2>/i - rfcsi_resv = $1 if response =~ /(.*)<\/RFCSI_RESV>/i - rfcipv6addr = $1 if response =~ /(.*)<\/RFCIPV6ADDR>/i - saptbl << [ "Release Status of SAP System", rfcsaprl ] - saptbl << 
[ "RFC Log Version", rfcproto ] - saptbl << [ "Kernel Release", rfckernrl ] - saptbl << [ "Operating System", rfcopsys ] - saptbl << [ "Database Host", rfcdbhost] - saptbl << [ "Central Database System", rfcdbsys ] - if rfcinttyp == 'LIT' - saptbl << [ "Integer Format", "Little Endian" ] - else - saptbl << [ "Integer Format", "Big Endian" ] - end - saptbl << [ "Hostname", rfchost ] - if rfcflotyp == 'IE3' - saptbl << [ "Float Type Format", "IEEE" ] - else - saptbl << [ "Float Type Format", "IBM/370" ] - end - saptbl << [ "IPv4 Address", rfcipaddr ] - saptbl << [ "IPv6 Address", rfcipv6addr ] - saptbl << [ "System ID", rfcsysid ] - saptbl << [ "RFC Destination", rfcdest ] - saptbl << [ "Timezone", "#{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" ] - saptbl << [ "Character Set", rfcchartyp ] - saptbl << [ "Daylight Saving Time", rfcdayst ] - saptbl << [ "Machine ID", rfcmach.gsub(/\s+/, "")] - print(saptbl.to_s) + saptbl << [ "Hostname", rfchost ] + if rfcflotyp == 'IE3' + saptbl << [ "Float Type Format", "IEEE" ] + else + saptbl << [ "Float Type Format", "IBM/370" ] end + saptbl << [ "IPv4 Address", rfcipaddr ] + saptbl << [ "IPv6 Address", rfcipv6addr ] + saptbl << [ "System ID", rfcsysid ] + saptbl << [ "RFC Destination", rfcdest ] + saptbl << [ "Timezone", "#{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" ] + saptbl << [ "Character Set", rfcchartyp ] + saptbl << [ "Daylight Saving Time", rfcdayst ] + saptbl << [ "Machine ID", rfcmach.gsub(/\s+/, "")] + print(saptbl.to_s) end end +end