SAP NetWeaver HostControl Command Injection

Disclosed: 2012-08-14
Created: 2018-05-30

Description

This module exploits a command injection vulnerability in the SAPHostControl
Service, by sending a specially crafted SOAP request to the management console.

In order to deal with the spaces and length limitations, a WebDAV service is
created to run an arbitrary payload when accessed as a UNC path. Because of this,
the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.
It is enabled and automatically started by default on Windows XP SP3, but disabled
by default on Windows 2003 SP2.

Authors

Michael Jordon
juan vazquez <juan.vazquez@metasploit.com>

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/windows/http/sap_host_control_cmd_exec
msf exploit(sap_host_control_cmd_exec) > show targets
...targets...
msf exploit(sap_host_control_cmd_exec) > set TARGET <target-id>
msf exploit(sap_host_control_cmd_exec) > show options
...show and set options...
msf exploit(sap_host_control_cmd_exec) > exploit
