
Building Your Own Module


Creating a New Module

Suppose you’re working on a penetration test and you encounter a system running SQL Server 2008 and Microsoft Server 2008 R2. Because Microsoft removed debug.exe on Windows 7 x64 and Windows Server 2008, these systems won’t allow you to convert executables in a traditional way as defined in Chapter 11. That means you need to create a new module that will allow you to attack a Microsoft Server 2008 and SQL Server 2008 instance successfully.

We’ll make certain assumptions for purposes of this scenario. First, you’ve already guessed that the SQL Server password is blank, and you have gained access to the xp_cmdshell stored procedure. You need to deliver a Meterpreter payload onto the system, but all ports other than 1433 are closed. You don’t know whether a physical firewall is in place or if the Windows-based firewall is in use, but you don’t want to modify the port list or turn off the firewall because that might raise suspicion.

PowerShell

Windows PowerShell is our only viable option here. PowerShell is a comprehensive Windows scripting language that allows you to access the full Microsoft .NET Framework from the command line. PowerShell’s active community works at extending the tool, making it a valuable tool for security professionals because of its versatility and compatibility with .NET. We aren’t specifically going to dive into how PowerShell works and its functions, but you should know that it is a full-fledged programmatic language available to you on newer operating systems.

We’ll create a new module that will use Metasploit to convert the binary code to hexadecimal (or Base64 if desired), and then echo it onto the underlying operating system. Then we’ll use PowerShell to convert the executable back to a binary that you can execute.
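The same delivery pattern seen from the defender's side, as an added example that is not from the book or the Metasploit project: it scans constructed process-creation records (the fields host, parent and cmdline are assumed) for long hex runs echoed into a file and for a PowerShell invocation that writes decoded bytes back to disk, flags hosts that show both stages, and notes when cmd.exe was spawned by sqlservr.exe, which is how xp_cmdshell activity appears in process auditing.

```ruby
# Added example (not from the book or Metasploit): flag the hex-echo plus
# PowerShell-decode delivery pattern in process-creation records.
# Record fields (host, parent, cmdline) are assumed; sample data is constructed.

# A long run of hex byte pairs handed to echo (64 or more bytes in one echo)...
HEX_ECHO  = /\becho\s+(?:[0-9a-fA-F]{2}){64,}/
# ...written into a file rather than to the console.
REDIRECT  = />>?\s*\S+/
# PowerShell turning text back into bytes on disk.
PS_DECODE = /powershell.*(?:FromBase64String|WriteAllBytes|ToByte)/i

def classify(cmdline)
  return :hex_echo  if cmdline.match?(HEX_ECHO) && cmdline.match?(REDIRECT)
  return :ps_decode if cmdline.match?(PS_DECODE)
  :benign
end

# Per host: count each stage and note whether the shell was spawned by
# sqlservr.exe, the outward sign of xp_cmdshell use.
def detect(events)
  per_host = Hash.new { |h, k| h[k] = Hash.new(0) }
  events.each do |e|
    counts = per_host[e[:host]]
    kind = classify(e[:cmdline])
    counts[kind] += 1 unless kind == :benign
    counts[:sql_spawned] += 1 if e[:parent].to_s.downcase == "sqlservr.exe"
  end
  per_host.map do |host, c|
    verdict =
      if c[:hex_echo] > 0 && c[:ps_decode] > 0 then :likely_payload_drop
      elsif c[:hex_echo] > 0 || c[:ps_decode] > 0 then :suspicious
      else :clean
      end
    [host, { verdict: verdict, via_sql_server: c[:sql_spawned] > 0 }]
  end.to_h
end

# Constructed sample records; the hex is a repeated MZ-header fragment.
SAMPLE_EVENTS = [
  { host: "db01", parent: "sqlservr.exe",
    cmdline: "cmd.exe /c echo #{"4d5a90000300" * 20} >> C:\\Windows\\Temp\\p.hex" },
  { host: "db01", parent: "sqlservr.exe",
    cmdline: "cmd.exe /c powershell -c \"[IO.File]::WriteAllBytes('p.exe', $b)\"" },
  { host: "db02", parent: "sqlservr.exe",
    cmdline: "cmd.exe /c echo #{"00" * 100} >> C:\\Windows\\Temp\\p.hex" },
  { host: "web01", parent: "explorer.exe",
    cmdline: "cmd.exe /c echo hello > out.txt" },
]

puts detect(SAMPLE_EVENTS).inspect if __FILE__ == $0
```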

To begin, we create a boilerplate by copying the mssql_payload exploit as follows:

root@bt:/opt/framework3/msf3# cp modules/exploits/windows/mssql/mssql_payload.rb modules/exploits/windows/mssql/mssql_powershell.rb

Next, we open the mssql_powershell.rb file we just created and modify its code so that it looks just like the following. This is an exploit base shell. Take some time to review the various parameters and remember the topics covered in the previous chapters.

require 'msf/core' # require core libraries

class Metasploit3 < Msf::Exploit::Remote # define this as a remote exploit
     Rank = ExcellentRanking # reliable exploit ranking

     include Msf::Exploit::Remote::MSSQL # include the mssql.rb library