module
SAP NetWeaver HostControl Command Injection
| Disclosed | Created |
|---|---|
| Aug 14, 2012 | May 30, 2018 |
Disclosed
Aug 14, 2012
Created
May 30, 2018
Description
This module exploits a command injection vulnerability in the SAPHostControl
Service, by sending a specially crafted SOAP request to the management console.
In order to deal with the spaces and length limitations, a WebDAV service is
created to run an arbitrary payload when accessed as a UNC path. Because of this,
the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.
It is enabled and automatically started by default on Windows XP SP3, but disabled
by default on Windows 2003 SP2.
Service, by sending a specially crafted SOAP request to the management console.
In order to deal with the spaces and length limitations, a WebDAV service is
created to run an arbitrary payload when accessed as a UNC path. Because of this,
the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.
It is enabled and automatically started by default on Windows XP SP3, but disabled
by default on Windows 2003 SP2.
Authors
Michael Jordon
juan vazquez [email protected]
juan vazquez [email protected]
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.