186
Chapter 13
The ability to convert a binary to hexadecimal, transmit it via MS SQL,
and convert it back to binary is an excellent example of how powerful the
Metasploit Framework can be. As you’re performing penetration tests, you
will encounter many unfamiliar scenarios or situations; your ability to create
or modify modules and exploits on the fly will give you that needed edge. As
you begin to understand the Framework, you’ll be able to write these types of
modules in a relatively short amount of time.
Getting Command Execution on Microsoft SQL
As mentioned in Chapter 6, most system administrators set the sa (system
administrator) account password to something weak, not realizing the impact
of this simple mistake. The sa account is installed by default with the SQL
role of sysadmin, and when you're performing penetration tests, you can
almost guarantee that a weak or blank sa account will exist on Microsoft SQL
Server instances. We will use the MS SQL instance that you built in Appendix A
to exploit a situation with our module. As discussed in Chapter 6, you initially
scan the system with the Metasploit auxiliary modules and brute force the
weak sa account.
Once you have brute forced the sa account, you can insert, drop, create,
and perform most other tasks you would normally use in MS SQL. This includes
calling an extended administrative-level stored procedure called xp_cmdshell,
as discussed in Chapter 6. This stored procedure lets you execute underlying
operating system commands under the same security context used by the
SQL Server service (for example, Local System).
NOTE
MS SQL installs with this stored procedure disabled in SQL Server 2005 and 2008,
but you can re-enable it using SQL commands if you have the sysadmin role within
MS SQL. For example, you could use SELECT loginname FROM master..syslogins
WHERE sysadmin=1 to view all users with this level of access and then become one
of those users. If you have the sysadmin role, you're almost guaranteed a
full-system compromise.
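Seen from the defender's side, the two events this section relies on (a burst of failed sa logins followed by a success, and xp_cmdshell being switched on) both leave traces in the SQL Server ERRORLOG. The following Python script is an added example, not code from the book or from the Metasploit project: it scans constructed log lines written in the ERRORLOG message style (the sample lines, the client addresses and the failure threshold of five are all assumptions) and reports brute-force attempts against a login, a login that succeeds right after such a burst, and any configuration change that enables xp_cmdshell.

```python
import re
from collections import Counter

# Constructed sample lines in SQL Server ERRORLOG style (not captured from a real server).
# The timestamps, client addresses and spid are made up for the example.
SAMPLE_ERRORLOG = """\
2023-04-01 10:15:22.45 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-01 10:15:22.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-04-01 10:15:22.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-04-01 10:15:22.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-04-01 10:15:23.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-04-01 10:15:23.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-04-01 10:15:23.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-04-01 10:15:31.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
2023-04-01 10:16:04.77 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-04-01 10:30:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
"""

# Leading ERRORLOG timestamp, e.g. "2023-04-01 10:16:04.77"
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})")
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")


def analyze_errorlog(text, threshold=5):
    """Scan ERRORLOG text and return three kinds of findings.

    brute_force:               (user, client, failed_count) pairs at or above threshold
    success_after_brute_force: (timestamp, user, client, failed_count) when a login
                               succeeds after that many failures from the same client
    xp_cmdshell_enabled:       (timestamp, old_value, new_value) for each change that
                               turns xp_cmdshell on
    """
    failures = Counter()  # (user, client) -> number of failed logins seen so far
    findings = {"brute_force": [], "success_after_brute_force": [], "xp_cmdshell_enabled": []}

    for line in text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        ts = ts_match.group(1) if ts_match else None

        m = FAILED_RE.search(line)
        if m:
            failures[(m["user"], m["client"])] += 1
            continue

        m = SUCCESS_RE.search(line)
        if m:
            key = (m["user"], m["client"])
            # A success that follows a burst of failures from the same client is the
            # classic signature of a password guess that finally landed.
            if failures[key] >= threshold:
                findings["success_after_brute_force"].append((ts, m["user"], m["client"], failures[key]))
            continue

        m = CONFIG_RE.search(line)
        if m and m["option"] == "xp_cmdshell" and m["new"] != "0":
            findings["xp_cmdshell_enabled"].append((ts, m["old"], m["new"]))

    # Report every (user, client) pair whose failure count reached the threshold.
    for (user, client), count in failures.items():
        if count >= threshold:
            findings["brute_force"].append((user, client, count))

    return findings


if __name__ == "__main__":
    for category, items in analyze_errorlog(SAMPLE_ERRORLOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

In practice you would feed the script the real ERRORLOG (or the output of a SQL Server Audit that captures LOGIN_CHANGE_PASSWORD_GROUP and SERVER_OPERATION events) rather than the constructed sample. Note that "Login succeeded" lines only appear when login auditing is set to record successful as well as failed logins; the default records failed logins only, so the brute-force count is the finding you can rely on out of the box.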
The following listing demonstrates how to run basic commands through
Metasploit's MS SQL modules:

msf > use admin/mssql/mssql_exec
msf auxiliary(mssql_exec) > show options

Module options:

   Name      Current Setting                       Required  Description
   ----      ---------------                       --------  -----------
   CMD       cmd.exe /c echo OWNED > C:\owned.exe  no        Command to execute
   PASSWORD                                        no        The password for the specified username
   RHOST                                           yes       The target address
   RPORT     1433                                  yes       The target port
   USERNAME  sa                                    no        The username to authenticate as