188
Chapter 13
The first line at tells us that this module will include all functionality from Metasploit's core libraries. Next, the class is set at with code that defines this as an auxiliary module that inherits certain characteristics of, for example, scanners, denial-of-service vectors, data retrieval, brute force attacks, and reconnaissance attempts. The include statement at is probably one of the most important lines, because it pulls in the MS SQL module from the core Metasploit libraries. Essentially, the MS SQL module handles all MS SQL-based communications and anything related to MS SQL. Finally, at it pulls a specific command from the Metasploit datastore.
Let's examine the MS SQL function in the Metasploit core libraries to get a better understanding of its power. First, open mssql.rb and then mssql_commands.rb with the following commands, each in a different window:

root@bt:/opt/framework3/msf3# nano lib/msf/core/exploit/mssql.rb
root@bt:/opt/framework3/msf3# nano lib/msf/core/exploit/mssql_commands.rb
Press CTRL-W in Nano to search for mssql_xpcmdshell in mssql.rb, and you should find the definition that tells Metasploit how to use the xp_cmdshell procedure, as shown next:
#
# Execute a system command via xp_cmdshell
#
def mssql_xpcmdshell(cmd,doprint=false,opts={})
  force_enable = false
  begin
    res = mssql_query("EXEC master..xp_cmdshell '#{cmd}' ", false, opts)
This listing defines the SQL query to be run against the server as a call to the xp_cmdshell stored procedure at and a variable that will be replaced with the command line the user requests to be executed at . For instance, an attempt to add a user to the system would execute within MS SQL as EXEC master..xp_cmdshell 'net user metasploit p@55w0rd! /ADD' by setting the cmd variable to 'net user metasploit p@55w0rd! /ADD'.
Now turn your attention to mssql_commands.rb, where the commands to enable the xp_cmdshell procedure live:
# Re-enable the xp_cmdshell stored procedure in 2005 and 2008
def mssql_xpcmdshell_enable(opts={});
  "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
end
Here you can see the sequence of commands issued to re-enable the xp_cmdshell stored procedure in MS SQL Server 2005 and 2008.
Now that you understand the functions we will be using in creating our own module, let's get started.