SAP ConfigServlet OS command execution module #1740
This module allows execution of operating system commands through the SAP ConfigServlet without any authentication.
class Metasploit3 < Msf::Auxiliary | ||
Rank = ExcellentRanking | ||
include Msf::Exploit::Remote::HttpClient | ||
include Msf::Auxiliary::Scanner |
Since this module isn't a scanner I would recommend not using the Scanner mixin here.
Still better, I would recommend switching to an exploit module :P Sorry, I commented before a full module review.
I used the Scanner mixin because I had to execute OS commands on several machines at the same time and I was able to use RHOSTS for 'services -p 50000 -R' in this way. Could you recommend another solution? Btw, it is ok to remove the Scanner mixin.
remove Scanner mixin because this module is not a scanner module
switch from PATH to TARGETURI datastore; use normalize_uri to build uri; use query in send_request_cgi to prepare query string (instead of vars_get that escapes the necessary semicolons)
require 'msf/core' | ||
|
||
class Metasploit3 < Msf::Auxiliary | ||
Rank = ExcellentRanking |
The Rank field isn't needed on auxiliary modules
It's not msftidy compliant at this moment; msftidy warnings should be fixed:
'Andras Kabai' # Metasploit module | ||
], | ||
'License' => MSF_LICENSE, | ||
'References' => |
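Review bot: the 'References' array in this hunk has no entry to point at; since the module description cites the ERPScan Hacker Halted 2012 slides (http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf), add at least a ['URL', ...] entry with that link so the advisory origin is recorded, and extend it with a CVE/OSVDB/BID entry if one is later assigned.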
Is there any CVE, OSVDB and/or BID reference for this vulnerability? Just asking :) If there is, it would be nice to add it.
As far as I know there is no other reference to this vulnerability yet.
Hi @andrewkabai, do you mind sharing a pcap of the module working for verification? Since I don't find any free trial / edition of SAP Java I guess it would be the easiest way to verify it and be able to proceed with merging :) Feel free to use email if that would be better for you: juan.vazquez [at] metasploit.com
Hi @jvazquez-r7, sure, I don't mind, but I can access the vulnerable environment on Monday. I will send the pcap via email.
Sounds good! Thanks very much!
I sent the validation pcap via email!
Hi @andrewkabai, pcap verified and looks fine! The module is mainly ready to be merged! Thanks very much for your collaboration! But I've just noticed you're using your master branch to do the pull request. I'm going to need to ask you to do a new pull request, using a new branch on your repo, to avoid problems when merging into the rapid7 repository. In order to do it, just create a new branch from your master branch. For example:
Write the new module and then add the new module, in the new branch, to your local repository and push into your origin:
Then proceed to do the pull request against the rapid7 repository, but using the new branch. I've just tried to provide sample commands. You can carefully review how to proceed with pull requests in the documentation available at the wiki: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment Please don't hesitate to contact me if you have any doubt. In the meanwhile I'm going to close this pull request because it cannot be merged. Thanks very much! juan
This module allows execution of operating system commands through the SAP ConfigServlet without any authentication.
The vulnerability was discovered by ERPScan's team; it was presented at the Hacker Halted 2012 conference:
http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf