192
Chapter 13
during our exploit. After we finally run the exploit, when we specify our payload in msfconsole, it will automatically generate it for us based on the Msf::Util::EXE.to_win32pe(framework,payload.encoded) option.
Creating powershell_upload_exec
Now we'll open the mssql.rb file that we opened earlier, in preparation for editing. We need to find space for the powershell_upload_exec function.
root@bt:/opt/framework3/msf3# nano lib/msf/core/exploit/mssql.rb
In your version of Metasploit, you can do a search for PowerShell, and you should see the referenced code that follows in the mssql.rb file. Feel free to delete this code from the file and start from scratch.
#
# Upload and execute a Windows binary through MS SQL queries and PowerShell
#
def powershell_upload_exec(exe, debug=false)
    # hex converter
    hex = exe.unpack("H*")[0]
    # create random alpha 8 character names
    var_payload = rand_text_alpha(8)
    print_status("Warning: This module will leave #{var_payload}.exe in the SQL Server %TEMP% directory")
In the def powershell_upload_exec line, you see that our definition takes two parameters, exe and debug. The exe parameter is the executable we will be sending from our original code, Msf::Util::EXE.to_win32pe(framework,payload.encoded), as mentioned previously. The debug parameter defaults to false, which means we will not see debug information. Generally this would be set to true if you wanted to see additional information for troubleshooting.

Next, in the hex line, we convert the entire encoded executable to raw hexadecimal format. The H in the "H*" format string simply means "open the file as a binary and place it in a hexadecimal representation."

The rand_text_alpha(8) call creates a random, alphabetical, eight-character filename. It's usually best to randomize this name to throw off antivirus software.

And finally, the print_status call tells the attacker that our payload will remain on the operating system, in the SQL Server /Temp directory.
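The following is an added example, not code from the book or from the Metasploit module, that shows the byte-to-hex step described above and its inverse. SAMPLE_EXE is a constructed stand-in for a real PE image, and random_alpha_name, from_hex and hex_chunks are hypothetical helpers that imitate rand_text_alpha and the reassembly the target side has to perform; the hex decoding is what a responder would apply to recover the dropped file from a captured query log.

```ruby
# Added example (not the book's or Metasploit's code): what the module does
# to the payload before upload, and the inverse step the target must run.
require 'securerandom'

# Constructed stand-in for a PE image: the "MZ" header plus a few bytes.
SAMPLE_EXE = "MZ\x90\x00\x03\x00\x00\x00\x04\x00\xFF\xFF".b

# Same format string the module uses: the whole buffer as one hex string,
# high nibble of each byte first. Output is twice the input length.
def to_hex(exe)
  exe.unpack("H*")[0]
end

# Inverse of to_hex; this is the job of the PowerShell stage on the target,
# and also what an analyst does to recover the binary from captured queries.
def from_hex(hex)
  raise ArgumentError, "hex string must have even length" if hex.length.odd?
  [hex].pack("H*")
end

# Stand-in for Metasploit's rand_text_alpha(8): eight ASCII letters, which
# is the shape of the <name>.exe artifact left behind in %TEMP%.
def random_alpha_name(len = 8)
  alphabet = ('a'..'z').to_a + ('A'..'Z').to_a
  Array.new(len) { alphabet[SecureRandom.random_number(alphabet.size)] }.join
end

# A hex string for a real executable is far too long for one statement;
# fixed-size chunks are how it would be carried across several queries.
def hex_chunks(hex, size)
  hex.scan(/.{1,#{size}}/)
end

if __FILE__ == $0
  hex = to_hex(SAMPLE_EXE)
  puts "hex (#{hex.length} chars): #{hex}"
  puts "chunks: #{hex_chunks(hex, 8).inspect}"
  puts "round-trip ok: #{from_hex(hex) == SAMPLE_EXE}"
  puts "artifact name: #{random_alpha_name}.exe"
end
```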
Conversion from Hex to Binary
The following listing shows the conversion from hexadecimal back to binary, written in PowerShell. The code is defined as a string to be called later and uploaded to the target machine.