SAP SOAP RFC_Info #1038

Merged
merged 2 commits into from Nov 17, 2012

Contributor

nmonkee commented Nov 7, 2012

See http://xforce.iss.net/xforce/xfdb/39997 for more info. CVE-2006-6010.

+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
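Review bot: `'Authorization' => 'Basic ' + user_pass` puts the SAP user, password and (via the cookie) client on the wire base64-encoded only, so unless the request goes over SSL they are readable by anyone on the path; the test run later in this thread goes to port 8000 in the clear, so the module should expose and honour an SSL option and the docs should say the credentials are sent as HTTP Basic. Separately, `'sap-usercontext=sap-language=EN&sap-client=' + client` interpolates the CLIENT option unchecked; SAP clients are three digits, so validate it as `\A\d{3}\z` before it is placed in a header.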
@brandonprry

brandonprry Nov 9, 2012

Contributor

Trailing comma

+ 'Content-Type' => 'text/xml; charset=UTF-8',
+ }
+ }, 45)
+ if (res and res.code != 500 and res.code != 200)
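Review bot: `if (res and res.code != 500 and res.code != 200)` reports every status other than 200 or 500 as "Unable to connect". A 401 or 403 from rejected credentials or a nonexistent client is the common case against a maintained system and should be reported as an authentication failure, not a connection problem. A 500 is where the SOAP runtime returns a Fault envelope, so that body should have its faultstring extracted and printed rather than falling through as if it were a successful RFC_SYSTEM_INFO response.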
@brandonprry

brandonprry Nov 9, 2012

Contributor

if res and res.code != 500 and res.code != 200

+ print_error("[SAP] #{ip}:#{rport} - Unable to connect")
+ return
+ end
+ if success == true
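Review bot: `if success == true` should read `if success`, and the flag needs a defined value on every path: it is only set in an `else` branch further down the patch (`else` / `success = true` / `end`), so initialise `success = false` before the request is sent and print a negative result when it stays false, otherwise a host that answers but does not match silently produces no output.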
@brandonprry

brandonprry Nov 9, 2012

Contributor

if success

Contributor

jvazquez-r7 commented Nov 14, 2012

msftidy warnings should be fixed

$ tools/msftidy.rb modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb 
sap_soap_rfc_system_info.rb:9 - [WARNING] Spaces at EOL
sap_soap_rfc_system_info.rb:10 - [WARNING] Spaces at EOL
sap_soap_rfc_system_info.rb:12 - [ERROR] Unicode detected: "# Mariano Nu\xC3\xB1ez (the author of the Bizploit framework) helped me in my efforts\n"
sap_soap_rfc_system_info.rb:14 - [WARNING] Spaces at EOL
sap_soap_rfc_system_info.rb:15 - [WARNING] Spaces at EOL
sap_soap_rfc_system_info.rb:26 - [WARNING] Spaces at EOL
sap_soap_rfc_system_info.rb:44 - [WARNING] Spaces at EOL
+ else
+ success = true
+ end
+ rescue ::Rex::ConnectionError
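Review bot: the `rescue ::Rex::ConnectionError` sits one indentation level shallower than the `begin` block it closes; beyond the indentation, the rescue body is not in this hunk, and a scanner should `print_error` the host and return inside it so that the "Unable to connect" path and the `success` flag set in the `else` branch just above stay consistent with what actually happened.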
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

The indentation of this rescue should be fixed

+ rfcdest = $1 if response =~ /<RFCDEST>(.*)<\/RFCDEST>/i
+ rfchost = $1 if response =~ /<RFCHOST>(.*)<\/RFCHOST>/i
+ rfcsysid = $1 if response =~ /<RFCSYSID>(.*)<\/RFCSYSID>/i
+ rfcdatabs = $1 if response =~ /<RFCDATABS>(.*)<\/RFCDATABS>/i
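Review bot: extracting the RFCSI fields with `rfcdest = $1 if response =~ /<RFCDEST>(.*)<\/RFCDEST>/i` treats the XML as flat text: `(.*)` is greedy, so two elements of the same name on one line capture from the first open tag to the last close tag; `.` does not cross a newline; entity-encoded values (`&amp;`) come back undecoded; and `/i` would also match an element of a different case. Parse the body once with REXML (`REXML::XPath.first(doc, '//RFCSI_EXPORT')`) and read the children by name, which also makes it obvious which of these locals are actually used, as asked below.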
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Is it used after that?

+ rfcdayst = $1 if response =~ /<RFCDAYST>(.*)<\/RFCDAYST>/i
+ rfcipaddr = $1 if response =~ /<RFCIPADDR>(.*)<\/RFCIPADDR>/i
+ rfckernrl = $1 if response =~ /<RFCKERNRL>(.*)<\/RFCKERNRL>/i
+ rfchost2 = $1 if response =~ /<RFCHOST2>(.*)<\/RFCHOST2>/i
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Is it used after that?

+ rfcipaddr = $1 if response =~ /<RFCIPADDR>(.*)<\/RFCIPADDR>/i
+ rfckernrl = $1 if response =~ /<RFCKERNRL>(.*)<\/RFCKERNRL>/i
+ rfchost2 = $1 if response =~ /<RFCHOST2>(.*)<\/RFCHOST2>/i
+ rfcsi_resv = $1 if response =~ /<RFCSI_RESV>(.*)<\/RFCSI_RESV>/i
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Is it used after that?

+ 'Name' => 'SAP SOAP RFC_Info',
+ 'Version' => '$Revision$',
+ 'Description' => %q{},
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
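Review bot: `'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]]` points at a lab homepage and `'Description' => %q{}` is empty. The PR description already names the specific references, so this should be `['CVE', '2006-6010']` plus `['URL', 'http://xforce.iss.net/xforce/xfdb/39997']`, and the description should state that the module calls the RFC_SYSTEM_INFO function through the SAP SOAP RFC interface with the supplied USERNAME, PASSWORD and client and reports the system information returned.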
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Please no general urls in references, only references to the specific technique

+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC_Info',
+ 'Version' => '$Revision$',
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Version field isn't needed anymore

+ super(
+ 'Name' => 'SAP SOAP RFC_Info',
+ 'Version' => '$Revision$',
+ 'Description' => %q{},
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

A description would be absolutely helpful!

+
+ def initialize
+ super(
+ 'Name' => 'SAP SOAP RFC_Info',
@jvazquez-r7

jvazquez-r7 Nov 14, 2012

Contributor

Not a lot of information is needed in Name, but this is a vague name I think.

+ register_options(
+ [
+ OptString.new('USERNAME', [false, 'username ', 'SAP*']),
+ OptString.new('PASSWORD', [false, 'password ', '06071992']),
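Review bot: `OptString.new('USERNAME', [false, 'username ', 'SAP*'])` and the PASSWORD option are marked not required, yet the request builds `'Basic ' + user_pass` and the sap-client cookie from them unconditionally, so an empty value yields a malformed header rather than an unauthenticated request; set required to true, as jvazquez-r7 asks, and drop the trailing space in the `'username '` / `'password '` descriptions. Shipping '06071992' as the default PASSWORD is reasonable for a default-credential check, but the option description should say it is the stock SAP* password so users know what is being tested.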
@jvazquez-r7

jvazquez-r7 Nov 17, 2012

Contributor

This SAP* default password, in which versions does it work? Can it be used as the default SAP* password for other modules? A lot of them just have username, password and client set to null.

@nmonkee

nmonkee Nov 17, 2012

Contributor

SAP*, DDIC are in all clients, the rest is client dependent. Clients 000, 001 and 066 always exist.

Default password usually found to be in new clients. In practice people usually reset for default clients (SAP*) anyway. Others not so much. Full list on the website if you follow the labs link.

+ )
+ register_options(
+ [
+ OptString.new('USERNAME', [false, 'username ', 'SAP*']),
@jvazquez-r7

jvazquez-r7 Nov 17, 2012

Contributor

The required parameter for USERNAME, PASSWORD and CLIENT should be true, right?

@nmonkee

nmonkee Nov 17, 2012

Contributor

Yes. There is a way to do it unauthenticated. But not tested in anger via SOAP. On RFC you need to construct a specific connection etc.

@jvazquez-r7 jvazquez-r7 merged commit 83215ed into rapid7:master Nov 17, 2012

Contributor

jvazquez-r7 commented Nov 17, 2012

merged after cleanup. Last test with the merged version

msf  auxiliary(sap_soap_rfc_system_info) > run
[*] [SAP] 192.168.1.160:8000 - sending SOAP RFC_SYSTEM_INFO request
[*] [SAP] 192.168.1.160:8000 - got response
[SAP] System Info
=================
   Info                          Value
   ----                          -----
   Central Database System       ADABAS D
   Character Set                 4103
   Database Host                 msfinsap
   Daylight Saving Time          
   Float Type Format             IEEE
   Hostname                      msfinsap
   IPv4 Address                  192.168.1.160
   IPv6 Address                  192.168.1.160
   Integer Format                Little Endian
   Kernel Release                720
   Machine ID                    560
   Operating System              Windows NT
   RFC Destination               msfinsap_NSP_00
   RFC Log Version               011
   Release Status of SAP System  702
   System ID                     NSP
   Timezone                      3600 (diff from UTC in seconds)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
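Added example, not the module's code and not part of this PR: the request headers from the first hunk, the status-code handling discussed in the review (401/403 versus 500 versus 200), and the RFCSI_EXPORT parsing done with REXML rather than one regex per field. The SOAP envelope layout, the RFCSI_EXPORT wrapper, both sample bodies and the fault text are constructed assumptions; the element names are the ones the module's regexes look for, and the values follow the run output above. It is written as plain Ruby functions so it runs outside the framework.

```ruby
require 'base64'
require 'rexml/document'

# Constructed sample bodies (not captures from the test system in this thread).
# Envelope layout and the RFCSI_EXPORT wrapper are assumptions; element names
# are those the module's regexes look for, values follow the run output above.
SAMPLE_RESPONSE = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <rfc:RFC_SYSTEM_INFO.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions">
        <RFCSI_EXPORT>
          <RFCDEST>msfinsap_NSP_00</RFCDEST>
          <RFCHOST>msfinsap</RFCHOST>
          <RFCSYSID>NSP</RFCSYSID>
          <RFCDATABS>NSP</RFCDATABS>
          <RFCDAYST></RFCDAYST>
          <RFCIPADDR>192.168.1.160</RFCIPADDR>
          <RFCKERNRL>720</RFCKERNRL>
          <RFCHOST2>msfinsap</RFCHOST2>
          <RFCSI_RESV></RFCSI_RESV>
        </RFCSI_EXPORT>
      </rfc:RFC_SYSTEM_INFO.Response>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
XML

SAMPLE_FAULT = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <SOAP-ENV:Fault>
        <faultcode>SOAP-ENV:Client</faultcode>
        <faultstring>constructed fault text</faultstring>
      </SOAP-ENV:Fault>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
XML

# Request side, mirroring the headers in the diff: HTTP Basic credentials plus
# the sap-usercontext cookie that selects the client. The body is an assumed
# RFC_SYSTEM_INFO call envelope, not copied from the module.
def build_request(user, pass, client)
  # SAP clients are three digits; reject anything else before it reaches a header.
  raise ArgumentError, 'client must be three digits' unless client =~ /\A\d{3}\z/
  body = <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Body>
        <n1:RFC_SYSTEM_INFO xmlns:n1="urn:sap-com:document:sap:rfc:functions"/>
      </env:Body>
    </env:Envelope>
  XML
  headers = {
    'SOAPAction'    => 'urn:sap-com:document:sap:rfc:functions',
    'Cookie'        => "sap-usercontext=sap-language=EN&sap-client=#{client}",
    'Authorization' => 'Basic ' + Base64.strict_encode64("#{user}:#{pass}"),
    'Content-Type'  => 'text/xml; charset=UTF-8'
  }
  { headers: headers, body: body }
end

# 200 carries the RFCSI data, 500 carries a SOAP Fault that must be parsed,
# 401/403 mean the user, password or client was rejected (not a connection
# failure); anything else is unexpected and should be reported as such.
def classify_status(code)
  case code
  when 200      then :ok
  when 500      then :soap_fault
  when 401, 403 then :auth_rejected
  else               :unexpected
  end
end

FIELDS = %w[RFCDEST RFCHOST RFCSYSID RFCDATABS RFCDAYST
            RFCIPADDR RFCKERNRL RFCHOST2 RFCSI_RESV].freeze

# XML parsing instead of /<TAG>(.*)<\/TAG>/i: entities are decoded, an empty
# element yields "" and a missing one yields nil, and the lookup is scoped to
# the children of RFCSI_EXPORT rather than anywhere in the body.
def parse_rfcsi(xml)
  export = REXML::XPath.first(REXML::Document.new(xml), '//RFCSI_EXPORT')
  return nil unless export
  FIELDS.each_with_object({}) do |name, out|
    el = export.elements[name]
    out[name] = el ? el.text.to_s.strip : nil
  end
end

def soap_fault_string(xml)
  node = REXML::XPath.first(REXML::Document.new(xml), '//faultstring')
  node && node.text
end

# One dispatch for the caller: status first, then the body that status implies.
def handle_response(code, body)
  case classify_status(code)
  when :ok            then [:ok, parse_rfcsi(body)]
  when :soap_fault    then [:soap_fault, soap_fault_string(body)]
  when :auth_rejected then [:auth_rejected, nil]
  else                     [:unexpected, nil]
  end
end

if $PROGRAM_NAME == __FILE__
  puts handle_response(200, SAMPLE_RESPONSE).inspect
  puts handle_response(500, SAMPLE_FAULT).inspect
end
```

The hash returned by `build_request` is what would be handed to the framework's HTTP client; the response functions take the raw status and body so the same dispatch works whether the request was made through Metasploit or a plain HTTP library.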
Contributor

nmonkee commented Nov 18, 2012

Cool. Thanks for efforts, especially on a Saturday!

Contributor

jvazquez-r7 commented Nov 18, 2012

Thank YOU for your collaboration! :) Cool stuff!
