188

Chapter 13

The first line tells us that this module will include all functionality from Metasploit's core libraries. Next, the class is set with code that defines this as an auxiliary module, which inherits characteristics of, for example, scanners, denial-of-service vectors, data retrieval, brute-force attacks, and reconnaissance attempts.

The include statement is probably one of the most important lines, because it pulls in the MS SQL module from the core Metasploit libraries. Essentially, the MS SQL module handles all MS SQL-based communications and anything related to MS SQL. Finally, the module pulls a specific command from the Metasploit datastore.

Let's examine the MS SQL function in the Metasploit core libraries to get a better understanding of its power. First, open mssql.rb and then mssql_commands.rb with the following commands, each in a different window:

root@bt:/opt/framework3/msf3# nano lib/msf/core/exploit/mssql.rb
root@bt:/opt/framework3/msf3# nano lib/msf/core/exploit/mssql_commands.rb

Press CTRL-W in Nano to search for mssql_xpcmdshell in mssql.rb, and you should find the definition that tells Metasploit how to use the xp_cmdshell procedure, as shown next:

        #
        # Execute a system command via xp_cmdshell
        #
        def mssql_xpcmdshell(cmd,doprint=false,opts={})
                force_enable = false
                begin
                        res = mssql_query("EXEC master..xp_cmdshell  '#{cmd}' ", false, opts)

This listing defines the SQL query to be run against the server as a call to the xp_cmdshell stored procedure, together with a variable that will be replaced with the command line the user requests to be executed. For instance, an attempt to add a user to the system would execute within MS SQL as EXEC master..xp_cmdshell 'net user metasploit p@55w0rd! /ADD' by setting the cmd variable to 'net user metasploit p@55w0rd! /ADD'.

Now turn your attention to mssql_commands.rb, where the commands to enable the xp_cmdshell procedure live:

# Re-enable the xp_cmdshell stored procedure in 2005 and 2008
def mssql_xpcmdshell_enable(opts={});
  "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
end

Here you can see the sequence of commands issued to re-enable the xp_cmdshell stored procedure in MS SQL Server 2005 and 2008. The first sp_configure call turns on 'show advanced options' because xp_cmdshell is an advanced option and cannot be changed until that setting is on; each change is followed by RECONFIGURE so that it takes effect immediately.
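Seen from the defender's side, the two library functions above leave a recognizable trace: a sp_configure call that switches xp_cmdshell on, followed by an xp_cmdshell execution from the same login. The following Ruby script, added here as an example and not code from the book or from the Metasploit project, scans query-log lines for exactly that enable-then-execute sequence and reports it. The log layout (timestamp, login, statement on one line), the sample lines, and the function names are all constructed for this example and do not correspond to any real SQL Server audit format.

```ruby
# Added example: detect the enable-then-execute xp_cmdshell sequence in
# query-log lines. Log layout and sample lines are constructed (assumption),
# not a real SQL Server audit format.

# Constructed sample log: one statement per line as "timestamp login statement".
SAMPLE_LOG = <<~LOG
  2024-01-01T10:00:01Z sa  select name from sys.databases
  2024-01-01T10:00:05Z sa  exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;
  2024-01-01T10:00:07Z sa  EXEC master..xp_cmdshell 'net user metasploit p@55w0rd! /ADD'
  2024-01-01T10:00:09Z app update orders set status = 'shipped' where id = 42
  2024-01-01T10:00:11Z sa  exec master.dbo.sp_configure 'xp_cmdshell', 0;RECONFIGURE;
LOG

# Patterns for the two stages shown in mssql_commands.rb (enable) and
# mssql.rb (execute), plus the matching disable so state can be cleared.
ENABLE_RE  = /sp_configure\s+'xp_cmdshell'\s*,\s*1\b/i
DISABLE_RE = /sp_configure\s+'xp_cmdshell'\s*,\s*0\b/i
EXEC_RE    = /\bxp_cmdshell\s+'([^']*)'/i

Event = Struct.new(:time, :login, :kind, :detail)

# Split a log line into its three fields; returns nil for blank or short lines.
def parse_line(line)
  fields = line.strip.split(/\s+/, 3)
  fields.size == 3 ? fields : nil
end

# Classify one statement; returns [kind, detail] or nil when it is not of interest.
def classify(statement)
  if statement.match?(ENABLE_RE)
    [:xp_cmdshell_enabled, nil]
  elsif statement.match?(DISABLE_RE)
    [:xp_cmdshell_disabled, nil]
  elsif (m = statement.match(EXEC_RE))
    [:xp_cmdshell_exec, m[1]]   # m[1] is the command handed to xp_cmdshell
  end
end

# Walk the log and collect only the xp_cmdshell-related events, in order.
def scan_log(text)
  events = []
  text.each_line do |line|
    parsed = parse_line(line)
    next unless parsed
    time, login, statement = parsed
    kind, detail = classify(statement)
    events << Event.new(time, login, kind, detail) if kind
  end
  events
end

# Correlate: an execution after an enable by the same login (and before any
# disable) matches the module's own order of operations and gets an alert.
def escalation_alerts(events)
  enabled_at = {}
  alerts = []
  events.each do |e|
    case e.kind
    when :xp_cmdshell_enabled  then enabled_at[e.login] = e.time
    when :xp_cmdshell_disabled then enabled_at.delete(e.login)
    when :xp_cmdshell_exec
      if enabled_at.key?(e.login)
        alerts << "#{e.time} login=#{e.login} ran xp_cmdshell '#{e.detail}' " \
                  "after enabling it at #{enabled_at[e.login]}"
      end
    end
  end
  alerts
end

if __FILE__ == $0
  events = scan_log(SAMPLE_LOG)
  events.each { |e| puts "#{e.time} #{e.login} #{e.kind} #{e.detail}" }
  escalation_alerts(events).each { |a| puts "ALERT: #{a}" }
end
```

Run with `ruby` and the script lists the three xp_cmdshell events from the constructed log and one alert for the 'sa' login, whose execution follows its own enable call; the 'app' login's ordinary UPDATE is ignored. Keying the enable state by login is a deliberate simplification: a real deployment would also bound the correlation window and feed the alert to whatever handles the rest of its SQL Server auditing.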

Now that you understand the functions we will be using in creating our own module, let's get started.