From 376ca7b107dece2f78c6e5e13c4fd48d19abf7f0 Mon Sep 17 00:00:00 2001 From: nmonkee Date: Thu, 28 Mar 2013 10:41:37 +0000 Subject: [PATCH 1/4] fixed issue with access denied condition thanks to @pho_bos --- .../scanner/sap/sap_router_info_request.rb | 59 ++++++++++++------- 1 file changed, 38 insertions(+), 21 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_router_info_request.rb b/modules/auxiliary/scanner/sap/sap_router_info_request.rb index 46d50232b0..6b8dc68dc1 100644 --- a/modules/auxiliary/scanner/sap/sap_router_info_request.rb +++ b/modules/auxiliary/scanner/sap/sap_router_info_request.rb @@ -2,7 +2,24 @@ # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ +## + +## +# This module is based on, inspired by, or is a port of a plugin available in +# the Onapsis Bizploit Opensource ERP Penetration Testing framework - +# http://www.onapsis.com/research-free-solutions.php. +# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts +# in producing the Metasploit modules and was happy to share his knowledge and +# experience - a very cool guy. +# +# The following guys from ERP-SCAN deserve credit for their contributions - +# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and +# Dmitry Evdokimov. +# +# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis +# who have Beta tested the modules and provided excellent feedback. Some people +# just seem to enjoy hacking SAP :) ## require 'msf/core' 
@@ -24,13 +41,7 @@ class Metasploit4 < Msf::Auxiliary
 [ 'URL', 'http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm'],
 [ 'URL', 'http://www.onapsis.com/research-free-solutions.php' ] # Bizsploit Opensource ERP Pentesting Framework
 ],
- 'Author' => [
- 'nomnkee',
- 'Mariano Nunez', # Wrote Bizploit, helped on this module, very cool guy
- 'Chris John Riley', # Testing
- 'Ian de Villiers', # Testing
- 'Joris van de Vis' # Testing
- ],
+ 'Author' => ['nomnkee'],
 'License' => BSD_LICENSE
 )
 register_options(
@@ -103,25 +114,30 @@ class Metasploit4 < Msf::Auxiliary
 case count
 when 1
 if packet_len > 150
- sock.recv(150)
- packet_len -= 150
- source, packet_len = get_data(46,packet_len)
- destination, packet_len = get_data(46,packet_len)
- service, packet_len = get_data(30,packet_len)
- sock.recv(2)
- packet_len -= 2
- saptbl << [source, destination, service]
- while packet_len > 0
- sock.recv(13)
- packet_len -= 13
+ if sock.recv(150) =~ /access denied/
+ print_error("#{host_port} - Access denied")
+ sock.recv(packet_len)
+ packet_len = sock.recv(4).unpack('H*')[0].to_i 16
+ else
+ packet_len -= 150
 source, packet_len = get_data(46,packet_len)
 destination, packet_len = get_data(46,packet_len)
 service, packet_len = get_data(30,packet_len)
- term = sock.recv(2)
+ sock.recv(2)
 packet_len -= 2
 saptbl << [source, destination, service]
+ while packet_len > 0
+ sock.recv(13)
+ packet_len -= 13
+ source, packet_len = get_data(46,packet_len)
+ destination, packet_len = get_data(46,packet_len)
+ service, packet_len = get_data(30,packet_len)
+ term = sock.recv(2)
+ packet_len -= 2
+ saptbl << [source, destination, service]
+ end
+ packet_len = sock.recv(4).unpack('H*')[0].to_i 16
 end
- packet_len = sock.recv(4).unpack('H*')[0].to_i 16
 else
 print_error("#{host_port} - No connected clients")
 sock.recv(packet_len)
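Review bot: In the new access-denied branch of the `when 1` case, `sock.recv(packet_len)` is issued after the `=~` test has already consumed 150 bytes of the packet, but unlike the `else` branch nothing subtracts those 150 from `packet_len`, so the drain reads 150 bytes beyond the current packet and the following `sock.recv(4)` length read is taken mid-stream — unless the denial reply is framed differently from the table reply, which the hunk cannot show. The single `sock.recv(150)` can also return short on a TCP socket, in which case the regex never sees the message and the table parser is run over the denial text. Reading the header into a local, decrementing `packet_len` before branching, and draining only what remains keeps both branches in step; after a denial it is also worth checking whether the enclosing loop, whose head lies outside the hunk, should `break` rather than wait for another length word.
```ruby
          if packet_len > 150
            head = sock.recv(150)
            packet_len -= 150
            if head =~ /access denied/
              print_error("#{host_port} - Access denied")
              sock.recv(packet_len) if packet_len > 0
              packet_len = sock.recv(4).unpack('H*')[0].to_i 16
            else
              # … unchanged: connection-table parsing loop …
```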
@@ -150,6 +166,7 @@ class Metasploit4 < Msf::Auxiliary break end end + puts sock.recv(200) disconnect # TODO: This data should be saved somewhere. A note on the host would be nice. print(saptbl.to_s) From aae1d5933ee5a44ca652a9171394a50147a1fc2c Mon Sep 17 00:00:00 2001 From: nmonkee Date: Thu, 28 Mar 2013 10:49:23 +0000 Subject: [PATCH 2/4] removed socket print, left over from debugging --- modules/auxiliary/scanner/sap/sap_router_info_request.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/auxiliary/scanner/sap/sap_router_info_request.rb b/modules/auxiliary/scanner/sap/sap_router_info_request.rb index 6b8dc68dc1..c1b1ec5ae4 100644 --- a/modules/auxiliary/scanner/sap/sap_router_info_request.rb +++ b/modules/auxiliary/scanner/sap/sap_router_info_request.rb @@ -166,7 +166,6 @@ class Metasploit4 < Msf::Auxiliary break end end - puts sock.recv(200) disconnect # TODO: This data should be saved somewhere. A note on the host would be nice. print(saptbl.to_s) From 92b4d23c09238f56db93456d60594ac81b807687 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 6 May 2013 15:15:15 -0500 Subject: [PATCH 3/4] Add Mariano as Author because of the abuse disclosure --- .../scanner/sap/sap_router_info_request.rb | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_router_info_request.rb b/modules/auxiliary/scanner/sap/sap_router_info_request.rb index c1b1ec5ae4..53dfb6c4c0 100644 --- a/modules/auxiliary/scanner/sap/sap_router_info_request.rb +++ b/modules/auxiliary/scanner/sap/sap_router_info_request.rb @@ -1,4 +1,4 @@ -## +3## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. 
@@ -35,13 +35,18 @@ class Metasploit4 < Msf::Auxiliary 'Name' => 'SAPRouter Admin Request', 'Description' => %q{ Display the remote connection table from a SAPRouter. - }, + }, 'References' => [ [ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ], [ 'URL', 'http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/6c68b01d5a350ce10000000a42189d/content.htm'], - [ 'URL', 'http://www.onapsis.com/research-free-solutions.php' ] # Bizsploit Opensource ERP Pentesting Framework + [ 'URL', 'http://www.onapsis.com/research-free-solutions.php' ], # Bizsploit Opensource ERP Pentesting Framework + [ 'URL', 'http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2%20-%20Mariano%20Nunez%20Di%20Croce%20-%20SAProuter%20.pdf' ] + ], + 'Author' => + [ + 'Mariano Nunez', # Disclosure about SAPRouter abuses + 'nomnkee' # Metasploit module ], - 'Author' => ['nomnkee'], 'License' => BSD_LICENSE ) register_options( From c84febb81aca441820da4cea765b38bf9fdb237b Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 6 May 2013 15:19:15 -0500 Subject: [PATCH 4/4] Fix extra character --- modules/auxiliary/scanner/sap/sap_router_info_request.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/sap/sap_router_info_request.rb b/modules/auxiliary/scanner/sap/sap_router_info_request.rb index 53dfb6c4c0..723c3ec219 100644 --- a/modules/auxiliary/scanner/sap/sap_router_info_request.rb +++ b/modules/auxiliary/scanner/sap/sap_router_info_request.rb @@ -1,4 +1,4 @@ -3## +## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use.