Mirrored from my previous site; the original URL was: http://blog.kabaiandras.hu/2013/04/sap-configservlet-remote-code-execution.html
Still SAP, still the same OS command execution vulnerability I mentioned in my previous post. But what is the difference? Well, it is good if you can run OS commands on the target system, but you would probably like something more. Yes, I am talking about binary payloads.
After making my SAP ConfigServlet OS Command Execution Metasploit module, I started to create a new module for remote code execution.
As it is possible to execute OS commands through the ConfigServlet, it is relatively easy to deliver binary payloads and execute them through Metasploit’s command stagers. These stagers convert the binary payloads to an ASCII-deliverable format, use OS commands to write out the payload and the stager line by line, and finally execute the payload through the dropped stager. Because VBS is more common in Windows environments than PowerShell, I chose CmdStagerVBS.
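Seen from the defender's side, the staging behaviour described above leaves a recognisable trail in process-creation logs: one parent process issuing a run of commands that append lines to files, followed by a script host executing one of those files. The following is an added example, not code from the original post or from Metasploit; the event fields, process names, paths, the `echo ... >>` form of the writes and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Assumed command shapes: `echo <text> >> <file>` writes, cscript/wscript runs.
APPEND = re.compile(r'\becho\b.*>>\s*"?([^\s"&|<>]+)', re.I)
RUN = re.compile(r'\b(?:cscript|wscript)(?:\.exe)?\b.*?"?([^\s"]+\.vbs)\b', re.I)

def find_staged_drops(events, min_appends=20):
    """Flag a parent that builds files with many `echo >>` commands and then
    runs one of those files with a Windows script host."""
    appends = defaultdict(lambda: defaultdict(int))  # parent -> path -> count
    findings = []
    for ev in events:  # events are assumed to be in chronological order
        parent, cmd = ev["parent"].lower(), ev["cmd"]
        m = APPEND.search(cmd)
        if m:
            appends[parent][m.group(1).lower()] += 1
            continue
        m = RUN.search(cmd)
        if not m:
            continue
        script, written = m.group(1).lower(), appends[parent]
        total = sum(written.values())
        # Only a script that this same parent wrote line by line is suspicious.
        if script in written and total >= min_appends:
            findings.append({"parent": parent, "script": script,
                             "appended_lines": total, "files": sorted(written)})
    return findings

# Constructed sample events (hypothetical process names and paths).
EVENTS = (
    [{"parent": "appserver.exe",
      "cmd": rf"cmd.exe /c echo B64CHUNK{i:04d} >>C:\Temp\kq.b64"} for i in range(30)]
    + [{"parent": "appserver.exe",
        "cmd": rf"cmd.exe /c echo stub-line-{i} >>C:\Temp\kq.vbs"} for i in range(5)]
    + [{"parent": "appserver.exe", "cmd": r"cmd.exe /c cscript //nologo C:\Temp\kq.vbs"},
       # Benign look-alikes: a log append and an unrelated script run.
       {"parent": "scheduler.exe", "cmd": r"cmd.exe /c echo done >>C:\logs\job.log"},
       {"parent": "scheduler.exe", "cmd": r"cscript.exe C:\scripts\backup.vbs"}]
)

if __name__ == "__main__":
    for finding in find_staged_drops(EVENTS):
        print(finding)
```

The benign scheduler events are not flagged because the script it runs was never written by `echo` appends from that parent.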