Calls the RFC_PING RFC module via SOAP #1031

Merged 2 commits into rapid7:master on Nov 18, 2012

nmonkee commented Nov 7, 2012

Calls the RFC_PING RFC module via SOAP to test the availability of the function. The function simply tests connectivity to remote RFC destinations.

Commit 3be7ad0 by nmonkee: Calls the RFC_PING RFC module via SOAP to test the availability of the function. The function simply tests connectivity to remote RFC destinations.

brandonprry commented on an outdated diff, Nov 9, 2012

modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
+ 'Name' => 'SAP SOAP RFC_PING',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ Calls the RFC_PING RFC module via SOAP to test the availability of the function.
+ The function simply tests connectivity to remote RFC destinations.
+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
+ 'Author' => [ 'Agnivesh Sathasivam','nmonkee' ],
+ 'License' => BSD_LICENSE
+ )
+
+ register_options(
+ [
+ OptString.new('CLIENT', [true, 'Client', nil]),
+ OptString.new('USERNAME', [true, 'Username ', 'SAP*']),
+ OptString.new('PASSWORD', [true, 'Password ', '06071992']),
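Review bot: the PASSWORD option in the last visible line hardcodes a specific default ('06071992') while USERNAME defaults to the well-known SAP* account; a fixed password default means every scan silently tries one particular credential pair per host, so either leave PASSWORD empty and document that valid credentials are required, or state in the Description where that default comes from. The same line ends with a trailing comma after the final option, which is the point raised in the thread.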
brandonprry, Nov 9, 2012:

yo dawg, I heard you like trailing commas

brandonprry commented on an outdated diff, Nov 9, 2012

modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
+ data << '</env:Body>'
+ data << '</env:Envelope>'
+ user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+ print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_PING request")
+ begin
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>
+ {
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
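Review bot: `client` is concatenated unescaped into both the request URI (`'/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN'`) and the `Cookie` header, so a CLIENT value containing `&`, whitespace or non-ASCII characters corrupts the query string and the cookie; pass it through `Rex::Text.uri_encode(client)` or validate it as the three-digit client number SAP expects before building the request. The `Authorization` header sends the credentials base64-encoded, not encrypted, so the module description or a `print_warning` should make clear that SSL is needed for them not to travel in the clear on the default port 8000 used in the test.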
brandonprry, Nov 9, 2012:

trailing comma

brandonprry commented on an outdated diff, Nov 9, 2012

modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
+ print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_PING request")
+ begin
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>
+ {
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
+ }
+ }, 45)
+ if (res and res.code != 500 and res.code != 200)
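Review bot: the condition `if (res and res.code != 500 and res.code != 200)` groups HTTP 500 with 200 as the non-error path, but SAP's SOAP RFC handler reports application errors as a 500 carrying a `<SOAP-ENV:Fault>` body (the RFC_READ_TABLE fault quoted later in this thread is exactly that), so a 500 should be parsed for its `faultstring` rather than treated like a 200. A nil `res`, which is what the 45-second timeout in `send_request_raw` produces, also needs its own explicit branch so that no later `elsif` dereferences `res.code`. The parentheses around the condition are unnecessary in Ruby, as the thread already notes.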
brandonprry, Nov 9, 2012:

if res and res.code != 500 and res.code != 200

brandonprry commented on an outdated diff, Nov 9, 2012

modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
+ begin
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>
+ {
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
+ }
+ }, 45)
+ if (res and res.code != 500 and res.code != 200)
+ # to do - implement error handlers for each status code, 404, 301, etc.
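Review bot: the `# to do - implement error handlers for each status code` comment at the end of the hunk leaves every code other than 200 and 500 on a generic path; at minimum report 401 as an authentication failure, 404 as the `/sap/bc/soap/rfc` handler not being reachable or active, and 3xx as a redirect the scanner did not follow, each with a `print_error` that includes `res.code`, so the to-do does not ship with the module.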
brandonprry, Nov 9, 2012:

Hey while we are at it, let's do our to-do.

jvazquez-r7 commented Nov 14, 2012

msftidy warnings should be fixed

$ tools/msftidy.rb modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb 
sap_soap_rfc_ping.rb:9 - [WARNING] Spaces at EOL
sap_soap_rfc_ping.rb:10 - [WARNING] Spaces at EOL
sap_soap_rfc_ping.rb:12 - [ERROR] Unicode detected: "# Mariano Nu\xC3\xB1ez (the author of the Bizploit framework) helped me in my efforts\n"
sap_soap_rfc_ping.rb:14 - [WARNING] Spaces at EOL
sap_soap_rfc_ping.rb:15 - [WARNING] Spaces at EOL
sap_soap_rfc_ping.rb:26 - [WARNING] Spaces at EOL
sap_soap_rfc_ping.rb:31 - [WARNING] Spaces at EOL
sap_soap_rfc_ping.rb:39 - [WARNING] Spaces at EOL
sap_soap_rfc_ping.rb:50 - [WARNING] Spaces at EOL

jvazquez-r7 commented on an outdated diff, Nov 14, 2012

modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC_PING',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ Calls the RFC_PING RFC module via SOAP to test the availability of the function.
+ The function simply tests connectivity to remote RFC destinations.
+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
+ 'Author' => [ 'Agnivesh Sathasivam','nmonkee' ],
+ 'License' => BSD_LICENSE
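Review bot: `'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]]` points at a vendor landing page rather than at a document describing RFC_PING or the SOAP RFC handler; cite the specific write-up or drop the entry, since a reference that does not explain the technique is noise for the operator. `'License' => BSD_LICENSE` is also unusual for a module in this tree, which the thread raises separately (MSF_LICENSE).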
jvazquez-r7, Nov 14, 2012:

Can MSF_LICENSE be used?

jvazquez-r7 commented on an outdated diff, Nov 14, 2012

modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
+# Ian de Villiers and Joris van de Vis who have Beta tested the modules and
+# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC_PING',
+ 'Version' => '$Revision$',
jvazquez-r7, Nov 14, 2012:

Version isn't needed anymore.

jvazquez-r7 commented on an outdated diff, Nov 14, 2012

modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>
+ {
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
+ }
+ }, 45)
+ if (res and res.code != 500 and res.code != 200)
+ # to do - implement error handlers for each status code, 404, 301, etc.
+ if res.body =~ /<h1>Logon failed<\/h1>/
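Review bot: `if res.body =~ /<h1>Logon failed<\/h1>/` recognises a failed logon only by the markup of SAP's HTML error page, which changes with the page template and the server language; check `res.code == 401` first, since that is the status the ICF returns together with that page, and keep the body match as a fallback. Because this check sits inside the branch that already excluded 200 and 500, a logon failure signalled by the status alone would otherwise fall through to the generic handling flagged by the to-do above it.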
jvazquez-r7, Nov 14, 2012:

if res and res.body ....

jvazquez-r7 commented on an outdated diff, Nov 14, 2012

modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
+# experience - a very cool guy. I'd also like to thank Chris John Riley,
+# Ian de Villiers and Joris van de Vis who have Beta tested the modules and
+# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC_PING',
jvazquez-r7, Nov 14, 2012:

A little more descriptive name please.

jvazquez-r7 commented Nov 16, 2012

While testing, when I use the default value "" for FIELDS I get FIELD NOT FOUND error. Is it normal? If that's normal maybe "" shouldn't be the default value for "FIELDS".

<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>FIELD_NOT_VALID</faultstring><detail><rfc:RFC_READ_TABLE.Exception xmlns:rfc="urn:sap-com:document:sap:rfc:functions"><Name>FIELD_NOT_VALID</Name></rfc:RFC_READ_TABLE.Exception></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>

When I use a valid field the module works as expected:

msf  auxiliary(sap_soap_rfc_read_table) > show options
Module options (auxiliary/scanner/sap/sap_soap_rfc_read_table):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT    001?             yes       Client
   FIELDS    MANDT            yes       Fields to read
   PASSWORD  admin1234        yes       Password
   Proxies                    no        Use a proxy chain
   RHOSTS    192.168.1.160    yes       The target address range or CIDR identifier
   RPORT     8000             yes       The target port
   TABLE     USR02            yes       Table to read
   THREADS   1                yes       The number of concurrent threads
   USERNAME  SAP*             yes       Username
   VHOST                      no        HTTP server virtual host
msf  auxiliary(sap_soap_rfc_read_table) > run
[*] [SAP] 192.168.1.160:8000 - sending SOAP RFC_READ_TABLE request
[*] [SAP] 192.168.1.160:8000 - got response
[SAP] RFC_READ_TABLE
====================
   Returned Data
   -------------
   001
   001
   001
   001
[*] Scanned 1 of 1 hosts (100% complete)
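As an added illustration of the response handling discussed in this thread (this is not code from the pull request or from the Metasploit project): the SAP SOAP RFC handler reports an RFC exception as HTTP 500 with a SOAP Fault, like the RFC_READ_TABLE fault quoted above, while a failed logon comes back as SAP's HTML logon page, and neither should be read as "service alive". The classifier below separates those cases from a genuine RFC_PING reply by parsing the SOAP envelope with Ruby's stdlib REXML. The fault sample is the one quoted in this thread; the RFC_PING success envelope, the `RFC_PING.Response` element name and the assumption that a failed logon arrives as 401 are mine, as are the logon-page and plain-text samples.

```ruby
require 'rexml/document'

SOAP_ENV_NS = 'http://schemas.xmlsoap.org/soap/envelope/'.freeze
SAP_RFC_NS  = 'urn:sap-com:document:sap:rfc:functions'.freeze

# Classify one SAP ICF SOAP/RFC reply from its HTTP status code and body.
# Returns a Hash whose :status is one of
#   :no_response, :logon_failed, :soap_fault, :alive, :unexpected
# Assumptions (added example, not the module's own code):
#   - a successful call answers 200 with <rfc:RFC_PING.Response> as the Body payload
#   - an application error answers 500 with a <SOAP-ENV:Fault> whose <detail> holds
#     an <rfc:FUNCTION.Exception> element with a <Name> child (as in the quoted fault)
#   - a failed logon answers 401, or an HTML page containing <h1>Logon failed</h1>
def classify_sap_soap_response(code, body)
  return { status: :no_response } if code.nil?               # timeout / connection failure
  body = body.to_s
  if code == 401 || body.include?('<h1>Logon failed</h1>')
    return { status: :logon_failed, code: code }
  end

  doc = begin
    REXML::Document.new(body)
  rescue REXML::ParseException
    nil                                                       # not XML at all
  end
  soap_body = doc && REXML::XPath.first(doc, '//env:Body', 'env' => SOAP_ENV_NS)
  payload   = soap_body && soap_body.elements[1]              # first child element of Body
  return { status: :unexpected, code: code } if payload.nil?

  if payload.name == 'Fault' && payload.namespace == SOAP_ENV_NS
    faultstring = REXML::XPath.first(payload, './faultstring')
    exception   = REXML::XPath.first(payload, './detail/*')   # e.g. rfc:RFC_READ_TABLE.Exception
    name        = exception && REXML::XPath.first(exception, './Name')
    return {
      status:      :soap_fault,
      code:        code,
      faultstring: faultstring && faultstring.text,
      function:    exception && exception.name.sub(/\.Exception\z/, ''),
      exception:   name && name.text
    }
  end

  if code == 200 && payload.name == 'RFC_PING.Response' && payload.namespace == SAP_RFC_NS
    return { status: :alive, code: code }
  end

  { status: :unexpected, code: code }
end

# Sample bodies. SAMPLE_FAULT_500 is the fault quoted in this thread; the others are constructed.
SAMPLE_FAULT_500 = '<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>FIELD_NOT_VALID</faultstring><detail><rfc:RFC_READ_TABLE.Exception xmlns:rfc="urn:sap-com:document:sap:rfc:functions"><Name>FIELD_NOT_VALID</Name></rfc:RFC_READ_TABLE.Exception></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>'.freeze
SAMPLE_PING_200 = '<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><rfc:RFC_PING.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions"></rfc:RFC_PING.Response></SOAP-ENV:Body></SOAP-ENV:Envelope>'.freeze
SAMPLE_LOGON_HTML = '<html><body><h1>Logon failed</h1></body></html>'.freeze

if __FILE__ == $PROGRAM_NAME
  [[500, SAMPLE_FAULT_500], [200, SAMPLE_PING_200],
   [401, SAMPLE_LOGON_HTML], [404, 'Not found'], [nil, nil]].each do |code, body|
    p classify_sap_soap_response(code, body)
  end
end
```

The namespace check on the payload element matters: matching `Fault` by local name alone would also accept an unrelated element called Fault in another namespace, and matching on the prefix string (`SOAP-ENV`) would break as soon as the server chose a different prefix for the same namespace URI.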
nmonkee commented Nov 16, 2012

Unfortunately I get differing results from different tables.

Also some tables return too much data when setting star.

Try * on USR02.

Then MANDT, BNAME, BCODE, PASSCODE from USR02.

So it's a PITA. The function is actually deprecated.

The text below is taken from SAP Note 382318:

The scope of function module RFC_READ_TABLE is very restricted. E.g., due to the fixed maximum row size only smaller tables can be accessed. There are several data types that cannot be handled, and also there are doubts regarding the Unicode compatibility of the function module. However, all this is quite immaterial, because the function is not meant to be publicly used anyway. It was only created to be used as a sample in various training courses, and is clearly flagged as “not released for customer”.
Solution – Do not use function module RFC_READ_TABLE in the first place!


jvazquez-r7 merged commit a252dbc into rapid7:master Nov 18, 2012

jvazquez-r7 commented Nov 18, 2012

Merged after final cleanup. Test:

msf  auxiliary(sap_soap_rfc_ping) > run
[*] [SAP] 192.168.1.160:8000 - sending SOAP RFC_PING request
[+] [SAP] 192.168.1.160:8000 - RFC service is alive
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed