Building Your Own Module
Creating a New Module
Suppose you’re working on a penetration test and you encounter a system running SQL Server 2008 and Microsoft Server 2008 R2. Because Microsoft removed debug.exe on Windows 7 x64 and Windows Server 2008, these systems won’t allow you to convert executables in a traditional way as defined in Chapter 11. That means you need to create a new module that will allow you to attack a Microsoft Server 2008 and SQL Server 2008 instance successfully.

We’ll make certain assumptions for purposes of this scenario. First, you’ve already guessed that the SQL Server password is blank, and you have gained access to the xp_cmdshell stored procedure. You need to deliver a Meterpreter payload onto the system, but all ports other than 1433 are closed. You don’t know whether a physical firewall is in place or if the Windows-based firewall is in use, but you don’t want to modify the port list or turn off the firewall because that might raise suspicion.
PowerShell
Windows PowerShell is our only viable option here. PowerShell is a comprehensive Windows scripting language that allows you to access the full Microsoft .NET Framework from the command line. PowerShell’s active community works at extending the tool, making it valuable for security professionals because of its versatility and compatibility with .NET. We aren’t specifically going to dive into how PowerShell works and its functions, but you should know that it is a full-fledged programming language available to you on newer operating systems.

We’ll create a new module that will use Metasploit to convert the binary code to hexadecimal (or Base64 if desired), and then echo it onto the underlying operating system. Then we’ll use PowerShell to convert the executable back to a binary that you can execute.
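From the defender's side, the delivery chain just described leaves a recognisable trail in process-creation telemetry: sqlservr.exe spawning a shell via xp_cmdshell, long hexadecimal chunks echoed into a file, and PowerShell writing the rebuilt bytes out as an executable. The following Python routine is an added example, not code from the book or from Metasploit; the Sysmon-style records, file paths and rule names are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records: (parent image, image,
# command line). Sample data only, not real telemetry. The first two events
# are benign; the remaining three model the xp_cmdshell -> echo hex chunks
# -> PowerShell rebuild chain described above.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL10\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE = r"C:\Windows\Temp\stage.hex"  # assumed drop location

EVENTS = [
    (r"C:\Windows\System32\services.exe", SQLSERVR, "sqlservr.exe -sMSSQLSERVER"),
    (r"C:\Windows\explorer.exe", CMD, "cmd.exe /c dir"),
    (SQLSERVR, CMD, f"cmd.exe /c echo 4d5a90000300000004000000ffff0000b800000000000000400000000000000000 >> {STAGE}"),
    (SQLSERVR, CMD, f"cmd.exe /c echo 000000000000000000000000000000000000000000000000000000e80000000e >> {STAGE}"),
    (CMD, PS, "powershell.exe -Command \"[IO.File]::WriteAllBytes('C:\\Windows\\Temp\\stage.exe', $bytes)\""),
]

SHELLS = {"cmd.exe", "powershell.exe"}
# A run of 32+ hex digits appended to a file with echo: a binary being staged in pieces.
HEX_CHUNK_ECHO = re.compile(r"\becho\s+[0-9a-fA-F]{32,}\s*>>", re.IGNORECASE)
# PowerShell turning staged data back into a file on disk.
PS_WRITE_BYTES = re.compile(r"WriteAllBytes", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'cmd.exe'."""
    return PureWindowsPath(path).name.lower()


def classify(parent, image, cmdline):
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    if basename(parent) == "sqlservr.exe" and basename(image) in SHELLS:
        hits.append("sqlservr_spawned_shell")      # xp_cmdshell is executing OS commands
    if HEX_CHUNK_ECHO.search(cmdline):
        hits.append("hex_chunk_echoed_to_file")    # executable staged via echo >>
    if basename(image) == "powershell.exe" and PS_WRITE_BYTES.search(cmdline):
        hits.append("powershell_writes_binary")    # staged bytes rebuilt into a file
    return hits


def analyze(events):
    """Map each rule name to the indices of matching events so the chain is visible."""
    findings = {}
    for i, ev in enumerate(events):
        for rule in classify(*ev):
            findings.setdefault(rule, []).append(i)
    return findings


if __name__ == "__main__":
    for rule, idx in analyze(EVENTS).items():
        print(f"{rule}: events {idx}")
```

In practice the same three rules map onto Sysmon Event ID 1 (or Windows Security event 4688 with command-line auditing enabled), and seeing all three in sequence on a database host is a far stronger signal than any one alone.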
To begin, we create a boilerplate by copying the mssql_payload exploit as follows:

root@bt:/opt/framework3/msf3# cp modules/exploits/windows/mssql/mssql_payload.rb modules/exploits/windows/mssql/mssql_powershell.rb
Next, we open the mssql_powershell.rb file we just created and modify its code so that it looks just like the following. This is an exploit base shell. Take some time to review the various parameters and remember the topics covered in the previous chapters.
require 'msf/core' # require core libraries
class Metasploit3 < Msf::Exploit::Remote # define this as a remote exploit
Rank = ExcellentRanking # reliable exploit ranking
include Msf::Exploit::Remote::MSSQL # include the mssql.rb library