Download Manager scripts
dlmanager_decrypt
This example script extracts SAP’s Download Manager stored passwords. For SAP Download Manager versions before 2.1.140a, stored passwords were kept unencrypted. For versions between 2.1.140a and 2.1.142, the script should be able to decrypt the password, provided it is possible to obtain the machine serial number.
The input of the script is the file stored by the SAP Download Manager program, which uses the Java serialization encoding.
The script can attempt to retrieve the machine serial number when running on Windows, if provided with the --retrieve-serial-number option. On other platforms the serial number must be provided with the --serial-number parameter.
For more details on the encryption mechanism see CVE-2016-3685 and CVE-2016-3684 documented in the SAP Download Manager Password Weak Encryption security advisory.
dlmanager_infector
The SAP Download Manager infector script is a proof of concept to demonstrate the risk of not validating SAR file signatures. The script can be used to infect a given SAR v2.00 or v2.01 file by means of adding new files to it. Each file to infect is specified by a pair: filename (original filename) and archive filename (the name we want inside the archive).
The script can also be used to dynamically infect SAR files being downloaded using mitmproxy. In that case, the script takes the files to inject as parameters, performs an SSLStrip-like MitM and, when it identifies a SAR file that is going to be offered as a download, infects it.
For more details about the exemplified attack vector see the Deep-dive into SAP archive file formats presentation at Troopers’ 2016.