
SAP RFC TH_SAPREL #1040

Merged
merged 2 commits into from Nov 16, 2012

4 participants

@nmonkee
nmonkee commented Nov 7, 2012

This module makes use of the TH_SAPREL RFC (via SOAP) to return the SAP software, OS and DB versions.

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012
modules/auxiliary/scanner/sap/sap_soap_th_saprel.rb
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP RFC TH_SAPREL',
+ 'Version' => '$Revision$',
+ 'Description' => %q{ This module makes use of the TH_SAPREL RFC (via SOAP) to return the SAP software, OS and DB versions.},
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
+ 'Author' => [ 'Agnivesh Sathasivam','nmonkee' ],
+ 'License' => BSD_LICENSE
+ )
+ register_options(
+ [
+ OptString.new('CLIENT', [true, 'Client', nil]),
+ OptString.new('USERNAME', [true, 'Username', nil]),
+ OptString.new('PASSWORD', [true, 'Password', nil]),
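Review bot: the `'Description'` value opens with a space inside `%q{ This module ...}`, so the rendered module description starts with leading whitespace; trim it to `%q{This module makes use of the TH_SAPREL RFC ...}`. The last visible line, `OptString.new('PASSWORD', [true, 'Password', nil]),`, also carries the trailing comma already flagged by the reviewer.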
@brandonprry
brandonprry added a note Nov 9, 2012

Trailing comma

@brandonprry brandonprry commented on an outdated diff Nov 9, 2012
modules/auxiliary/scanner/sap/sap_soap_th_saprel.rb
+ data << '</n1:TH_SAPREL>'
+ data << '</env:Body>'
+ data << '</env:Envelope>'
+ user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+ print_status("[SAP] #{ip}:#{rport} - sending SOAP TH_SAPREL request")
+ begin
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>{
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
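Review bot: `'Content-Length' => data.size.to_s` counts characters, not bytes, so the header is wrong as soon as `data` contains any non-ASCII text; use `data.bytesize.to_s`, or drop the header entirely and let the HTTP client set it from the body. The `'Content-Type'` line also ends in the same trailing comma noted above.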
@brandonprry
brandonprry added a note Nov 9, 2012

Trailing comma

@wchen-r7 wchen-r7 commented on an outdated diff Nov 14, 2012
modules/auxiliary/scanner/sap/sap_soap_th_saprel.rb
+require "msf/core"
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP RFC TH_SAPREL',
+ 'Version' => '$Revision$',
+ 'Description' => %q{ This module makes use of the TH_SAPREL RFC (via SOAP) to return the SAP software, OS and DB versions.},
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
+ 'Author' => [ 'Agnivesh Sathasivam','nmonkee' ],
+ 'License' => BSD_LICENSE
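Review bot: `'Version' => '$Revision$'` is an SVN keyword; git does not expand it, so the module would ship with the literal string `$Revision$` as its version. Either drop the key or set a real value. The `BSD_LICENSE` question raised by the reviewer applies to the line right after it.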
@wchen-r7
wchen-r7 added a note Nov 14, 2012

BSD_LICENSE or MSF_LICENSE?

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
modules/auxiliary/scanner/sap/sap_soap_th_saprel.rb
+##
+
+require "msf/core"
+
+class Metasploit4 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'SAP RFC TH_SAPREL',
+ 'Version' => '$Revision$',
+ 'Description' => %q{ This module makes use of the TH_SAPREL RFC (via SOAP) to return the SAP software, OS and DB versions.},
+ 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]],
@jvazquez-r7
jvazquez-r7 added a note Nov 14, 2012

Please don't use general URLs as references, only references to the specific technique used by the module.

@jvazquez-r7 jvazquez-r7 commented on the diff Nov 14, 2012
modules/auxiliary/scanner/sap/sap_soap_th_saprel.rb
+ 'Prefix' => "\n",
+ 'Postfix' => "\n",
+ 'Indent' => 1,
+ 'Columns' =>
+ [
+ "Info",
+ "Value"
+ ])
+ saptbl << [ "OS Kernel version", kern_comp_on ]
+ saptbl << [ "SAP compile time", kern_comp_time ]
+ saptbl << [ "DB version", kern_dblib ]
+ saptbl << [ "SAP patch level", kern_patchlevel ]
+ saptbl << [ "SAP Version", kern_rel ]
+ print(saptbl.to_s)
+ else
+ print_error("[SAP] #{ip}:#{rport} - error message: " + res.code.to_s + " " + res.message)
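Review bot: the `else` branch on the last line calls `res.code` and `res.message`, but `send_request_raw` returns nil on a timeout or connection failure, and nothing visible in this hunk guards that case, so a dead or filtered host produces a NoMethodError instead of a `print_error`. Add an explicit `if res.nil?` branch that reports the failure before any status-code comparison, then fall through to the 500/200/other checks.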
@jvazquez-r7
jvazquez-r7 added a note Nov 14, 2012

res should be checked to not be null before doing it

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Nov 14, 2012
modules/auxiliary/scanner/sap/sap_soap_th_saprel.rb
+ begin
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>{
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',
+ }
+ }, 45)
+ if res and res.code == 500
+ response = res.body
+ #error.push(response.scan(%r{<faultstring>(.*?)</faultstring>}))
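Review bot: as far as this hunk shows, the commented-out `#error.push(response.scan(%r{<faultstring>(.*?)</faultstring>}))` is the only code that would have surfaced the SOAP `faultstring` on the 500 path, so a wrong client or rejected logon currently yields no explanation to the operator. Either restore it as a `print_error` of the scanned fault text (nil-safe, since `scan` returns an empty array when no fault is present) or delete the line, as the reviewer asks.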
@jvazquez-r7
jvazquez-r7 added a note Nov 14, 2012

Anything to do with this comment? Can it be deleted?

@jvazquez-r7

msftidy warnings should be fixed

$ tools/msftidy.rb modules/auxiliary/scanner/sap/sap_soap_th_saprel.rb 
sap_soap_th_saprel.rb:9 - [WARNING] Spaces at EOL
sap_soap_th_saprel.rb:10 - [WARNING] Spaces at EOL
sap_soap_th_saprel.rb:12 - [ERROR] Unicode detected: "# Mariano Nu\xC3\xB1ez (the author of the Bizploit framework) helped me in my efforts\n"
sap_soap_th_saprel.rb:14 - [WARNING] Spaces at EOL
sap_soap_th_saprel.rb:15 - [WARNING] Spaces at EOL
sap_soap_th_saprel.rb:31 - [WARNING] Spaces at EOL
sap_soap_th_saprel.rb:43 - [WARNING] Spaces at EOL
@jvazquez-r7 jvazquez-r7 merged commit 833af3a into rapid7:master Nov 16, 2012

1 check passed

The Travis build passed
@jvazquez-r7

Finally was able to put a first SAP system up so I can start to test all this awesome stuff. I did some cleanup and tested before merge:

msf  auxiliary(sap_soap_th_saprel_disclosure) > show options

Module options (auxiliary/scanner/sap/sap_soap_th_saprel_disclosure):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT    001              yes       Client
   PASSWORD  admin1234        yes       Password
   Proxies                    no        Use a proxy chain
   RHOSTS    192.168.1.160    yes       The target address range or CIDR identifier
   RPORT     8000             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  SAP*             yes       Username
   VHOST                      no        HTTP server virtual host

msf  auxiliary(sap_soap_th_saprel_disclosure) > run

[*] [SAP] 192.168.1.160:8000 - sending SOAP TH_SAPREL request

[SAP] System Info
=================

   Info               Value
   ----               -----
   DB version         SQLDBC 7.8.1.018
   OS Kernel version  NT 5.2 3790 S x86 MS VC++ 14.00
   SAP Version        720_REL
   SAP compile time   Nov 12 2010 02:23:55
   SAP patch level    70

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

thanks nmonkee
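The two review points that recur above (check `res` for nil before touching it, and surface the SOAP fault text on the 500 path) fit in a few lines. The following is an added example written for this page, not the module's own code nor anything from the Rapid7 tree: it classifies a reply in the order the reviewers asked for and pulls the version fields out of a successful body. The export element names (`KERN_REL`, `KERN_DBLIB`, and so on) are assumed from the hunk's variable names, `FakeResponse` stands in for the Rex response object, and both sample replies are constructed, reusing the values shown in the merge log.

```ruby
# Added example (not the module's own code): nil-safe handling of a
# TH_SAPREL SOAP reply, in the order the review asks for. The export
# element names are assumed from the hunk's variable names (kern_rel,
# kern_dblib, ...) and both sample responses below are constructed.

# Stand-in for the Rex HTTP response: only the three members the module touches.
FakeResponse = Struct.new(:code, :message, :body)

# Label each (assumed) TH_SAPREL export element the way the module's table does.
TH_SAPREL_FIELDS = {
  'KERN_COMP_ON'    => 'OS Kernel version',
  'KERN_COMP_TIME'  => 'SAP compile time',
  'KERN_DBLIB'      => 'DB version',
  'KERN_PATCHLEVEL' => 'SAP patch level',
  'KERN_REL'        => 'SAP Version'
}.freeze

# Text of the first <tag>...</tag> in body, or nil when the element is absent.
def xml_text(body, tag)
  m = body.to_s.match(%r{<#{Regexp.escape(tag)}>(.*?)</#{Regexp.escape(tag)}>}m)
  m && m[1].strip
end

# Classify a reply: nil first (timeout / connection failure), then a SOAP fault
# (HTTP 500), then a normal reply, then any other status. Returns [status, detail].
def handle_th_saprel(res)
  return [:no_response, 'no reply (timeout or connection failure)'] if res.nil?

  case res.code
  when 500
    [:soap_fault, xml_text(res.body, 'faultstring') || 'unknown SOAP fault']
  when 200
    info = {}
    TH_SAPREL_FIELDS.each do |tag, label|
      value = xml_text(res.body, tag)
      info[label] = value if value
    end
    info.empty? ? [:unexpected_body, 'no TH_SAPREL fields in reply'] : [:ok, info]
  else
    [:http_error, "#{res.code} #{res.message}"]
  end
end

# Constructed reply carrying the values shown in the merge log.
SAMPLE_OK = <<~XML
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Body>
      <n1:TH_SAPREL.Response xmlns:n1="urn:sap-com:document:sap:rfc:functions">
        <KERN_COMP_ON>NT 5.2 3790 S x86 MS VC++ 14.00</KERN_COMP_ON>
        <KERN_COMP_TIME>Nov 12 2010 02:23:55</KERN_COMP_TIME>
        <KERN_DBLIB>SQLDBC 7.8.1.018</KERN_DBLIB>
        <KERN_PATCHLEVEL>70</KERN_PATCHLEVEL>
        <KERN_REL>720_REL</KERN_REL>
      </n1:TH_SAPREL.Response>
    </env:Body>
  </env:Envelope>
XML

# Constructed SOAP fault, the shape the commented-out faultstring scan expected.
SAMPLE_FAULT = <<~XML
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Body>
      <env:Fault>
        <faultcode>env:Client</faultcode>
        <faultstring>constructed fault: logon failed</faultstring>
      </env:Fault>
    </env:Body>
  </env:Envelope>
XML

if __FILE__ == $0
  [nil,
   FakeResponse.new(200, 'OK', SAMPLE_OK),
   FakeResponse.new(500, 'Internal Server Error', SAMPLE_FAULT),
   FakeResponse.new(401, 'Unauthorized', '')].each do |res|
    status, detail = handle_th_saprel(res)
    puts "#{status}: #{detail.inspect}"
  end
end
```

Checking for nil before `case res.code` is the whole fix for the crash the reviewer describes; putting the 500 branch next means a logon rejection is reported as a fault string rather than silently falling into the generic error path.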
