  • SAP Solution Manager remote unauthorized OS commands execution
    Disclosure Date: 2020-10-03
    First seen: 2021-03-25
    exploit/multi/sap/cve_2020_6207_solman_rs
    This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP requests (SSRF), and execute OS commands on a connected SMDAgent. It works reliably against a connected SMDAgent with Java version 1.8. Successful exploitation allows unauthenticated remote attackers to get a reverse shell from the agent connected to SolMan as the user under which the SMDAgent service runs, usually daaadm. Authors: - Yvan Genuer - Pablo Artuso - Dmitry Chastuhin - Vladimir Ivanov
  • SAP Solution Manager remote unauthorized OS commands execution
    Disclosure Date: 2020-10-03
    First seen: 2021-03-25
    auxiliary/admin/sap/cve_2020_6207_solman_rce
    This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP requests (SSRF), and execute OS commands on a connected SMDAgent. It works reliably against a connected SMDAgent with Java version 1.8. Successful exploitation enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected to SolMan as the user under which the SMDAgent service runs, usually daaadm. Authors: - Yvan Genuer - Pablo Artuso - Dmitry Chastuhin - Vladimir Ivanov
  • SAP Unauthenticated WebService User Creation
    Disclosure Date: 2020-07-14
    First seen: 2020-07-23
    auxiliary/admin/sap/cve_2020_6287_ws_add_user
    This module leverages an unauthenticated web service to submit a job which will create a user with a specified role. The job involves running a wizard. After the necessary action is taken, the job is canceled to avoid unnecessary system changes. Authors: - Pablo Artuso - Dmitry Chastuhin - Spencer McIntyre
  • SAP Internet Graphics Server (IGS) XMLCHART XXE
    Disclosure Date: 2018-03-14
    First seen: 2020-10-07
    auxiliary/admin/sap/sap_igs_xmlchart_xxe
    This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart. Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user under which the IGS service is started, which will typically be the SAP admin user. Alternatively, attackers can abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable SAP IGS server. Authors: - Yvan Genuer - Vladimir Ivanov
  • SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow
    Disclosure Date: 2012-05-08
    First seen: 2020-04-26
    exploit/windows/misc/sap_netweaver_dispatcher
    This module exploits a stack buffer overflow in the SAP NetWeaver Dispatcher service. The overflow occurs in the DiagTraceR3Info() function and allows a remote attacker to execute arbitrary code by supplying a specially crafted Diag packet. The Dispatcher service is only vulnerable if the Developer Traces have been configured at levels 2 or 3. The module has been successfully tested on SAP NetWeaver 7.0 EHP2 SP6 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass). Authors: - Martin Gallo - juan vazquez <juan.vazquez@metasploit.com>
  • Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)
    Disclosure Date: 2010-12-30
    First seen: 2020-04-26
    exploit/multi/http/axis2_deployer
    This module logs in to an Axis2 Web Admin Module instance using a specific user/pass, then uploads and executes commands by deploying a malicious web service using SOAP. Authors: - Joshua Abraham <jabra@rapid7.com> - Chris John Riley
  • Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow
    Disclosure Date: 2010-12-14
    First seen: 2020-04-26
    exploit/windows/browser/crystal_reports_printcontrol
    This module exploits a heap-based buffer overflow in the CrystalPrintControl ActiveX control while handling the ServerResourceVersion property. The affected control can be found in the PrintControl.dll component as included with Crystal Reports 2008. This module has been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7 SP1. The module uses the msvcr71.dll library, loaded by the affected ActiveX control, to bypass DEP and ASLR. Authors: - Dmitriy Pletnev - Dr_IDE - juan vazquez <juan.vazquez@metasploit.com>
  • SAP Business One License Manager 2005 Buffer Overflow
    Disclosure Date: 2009-08-01
    First seen: 2020-04-26
    exploit/windows/misc/sap_2005_license
    This module exploits a stack buffer overflow in the SAP Business One 2005 License Manager 'NT Naming Service' A and B releases. By sending an excessively long string, the stack is overwritten, enabling arbitrary code execution. Authors: - Jacopo Cervini
  • EnjoySAP SAP GUI ActiveX Control Arbitrary File Download
    Disclosure Date: 2009-04-15
    First seen: 2020-04-26
    exploit/windows/browser/enjoysapgui_comp_download
    This module allows remote attackers to place arbitrary files on a user's file system by abusing the "Comp_Download" method in the SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41). Authors: - MC <mc@metasploit.com>
  • SAP AG SAPgui EAI WebViewer3D Buffer Overflow
    Disclosure Date: 2009-03-31
    First seen: 2020-04-26
    exploit/windows/browser/sapgui_saveviewtosessionfile
    This module exploits a stack buffer overflow in the Siemens Unigraphics Solutions Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled with SAPgui. When passing an overly long string to the SaveViewToSessionFile() method, arbitrary code may be executed. Authors: - MC <mc@metasploit.com>
  • SAP SAPLPD 6.28 Buffer Overflow
    Disclosure Date: 2008-02-04
    First seen: 2020-04-26
    exploit/windows/lpd/saplpd
    This module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40). By sending an overly long argument, an attacker may be able to execute arbitrary code. Authors: - MC <mc@metasploit.com>
  • SAP MaxDB cons.exe Remote Command Injection
    Disclosure Date: 2008-01-09
    First seen: 2020-04-26
    auxiliary/admin/maxdb/maxdb_cons_exec
    SAP MaxDB is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input. Authors: - MC <mc@metasploit.com>
  • SAP DB 7.4 WebTools Buffer Overflow
    Disclosure Date: 2007-07-05
    First seen: 2020-04-26
    exploit/windows/http/sapdb_webtools
    This module exploits a stack buffer overflow in SAP DB 7.4 WebTools. By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code. Authors: - MC <mc@metasploit.com>
  • EnjoySAP SAP GUI ActiveX Control Buffer Overflow
    Disclosure Date: 2007-07-05
    First seen: 2020-04-26
    exploit/windows/browser/enjoysapgui_preparetoposthtml
    This module exploits a stack buffer overflow in SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending an overly long string to the "PrepareToPostHTML()" method, an attacker may be able to execute arbitrary code. Authors: - MC <mc@metasploit.com>
  • Apache Axis2 Brute Force Utility
    First seen: 2020-04-26
    auxiliary/scanner/http/axis_login
    This module attempts to log in to an Apache Axis2 instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It has been verified to work on at least versions 1.4.1 and 1.6.2. Authors: - Leandro Oliveira <leandrofernando@gmail.com>
  • SAP /sap/bc/soap/rfc SOAP Service RFC_SYSTEM_INFO Function Sensitive Information Gathering
    First seen: 2020-04-26
    auxiliary/scanner/sap/sap_soap_rfc_system_info
    This module uses the RFC_SYSTEM_INFO function to obtain the operating system version, SAP version, IP address and other information through the /sap/bc/soap/rfc SOAP service. Authors: - Agnivesh Sathasivam - nmonkee - ChrisJohnRiley
  • SAP Host Agent Information Disclosure
    First seen: 2020-04-26
    auxiliary/scanner/sap/sap_hostctrl_getcomputersystem
    This module attempts to retrieve computer and OS information from the Host Agent through the SAP HostControl service. Authors: - Bruno Morisson <bm@integrity.pt>
13 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit the Metasploit web site for more details.