Mirrored from my previous site, original URL was: http://blog.kabaiandras.hu/2013/04/sap-configservlet-remote-code-execution.html
Still SAP, still the same OS command execution vulnerability I mentioned in my previous post. But what is the difference? Well, it is good if you can run OS commands on the target system but probably you would like something more. Yes, I am talking about binary payloads.
After making my SAP ConfigServlet OS Command Execution metasploit module, I started to create a new module for remote code execution.
As it is possible to execute OS commands through the ConfigServlet it is relatively easy to deliver binary payloads and execute them through metasploit’s command stagers. These stagers convert the binary payloads to ASCII deliverable format and use OS commands to write out the payload and the stager line by line and finally execute the payload through the dropped stager. Because VBS is more common in windows environment than PS I chose CmdStagerVBS.
I made my draft module and I started to test it. Everything looked fine but the exploitation failed. After I analysed the dropped files I realised that the payload file was good but there were problems with the stager VBS file’s content and size.
The stager file comes from /data/exploits/cmdstager/vbs_b64 file. I made some test on the requests and I figured out that the comma character in the HTTP request is a bad character, therefore it cannot be used directly, although it is necessary to build the stager file as it contains some:
$ cat vbs_b64 | grep -n "," 4:echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub 6:echo data = Replace(data, vbCrLf, "") >>decode_stub 9:echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub 13:echo shell.run "DECODED", 0, false >>decode_stub 18:echo Dim w1, w2, w3, w4, n, strOut >>decode_stub 20:echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub 21:echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub 22:echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub 23:echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub 38:echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
Fortunately, there was no problem with the payload file as it contains only base64 encoded payload. So how is it possible to write out commas through OS command execution without using them? In linux environment it is an easy question because you have tons of possibilities to use script languages and tools but in windows it is not trivial.
With “FOR” command it is possible to pick up strings from the right places of command outputs (thanks to my colleague Laszlo Toth who helped me figure this out) into variable that can be used later in “echo” command, therefore if there is a command that has a comma in its output then it can be used to avoid commas in the HTTP requests. To create reliable solution I had to find a command that works in the same way in every windows version and its output contains the comma character in the same place and of course language independently.
Look at the output of the ping command:
C:\Users\andrew>ping -n 1 127.0.0.1 Pinging 127.0.0.1 with 32 bytes of data: Reply from 127.0.0.1: bytes=32 time<1ms TTL=128 Ping statistics for 127.0.0.1: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
At the statistics part of the output there is a comma character after the closing bracket and this is the same in every language! Perfect!
Putting it all together with the following command line trick I was able to echo out commas without directly using them.
C:\Users\andrew>FOR /F "usebackq tokens=2 delims=)" %i IN (`"ping -n 1 127.0.0.1| findstr )"`) DO @echo comma: %i comma: ,
I made the necessary improvements in my module to handle those lines that contain commas and it just worked like a charm:
if command.include?(".vbs") and command.include?(",") command.gsub!(",", "%i") command = "cmd /c FOR /F \"usebackq tokens=2 delims=)\" %i IN (\`\"ping -n 1 127.0.0.1| findstr )\"\`) DO " + command else
In the end with my SAP ConfigServlet Remote Code Execution module it is possible to deliver and execute binary metasploit payloads and custom binaries as well.
Check the updates section in this post to access the code and to follow the life of my module.
- Metasploit pull request
- Official metasploit information
- Code in metasploit’s master branch
- Actual weekly news from Rapid7 about new modules, including my exploit/windows/http/sap_configservlet_exec_noauth module as well