192

Chapter 13

during our exploit. After we finally run the exploit, when we specify our payload in msfconsole, it will automatically generate it for us based on the Msf::Util::EXE.to_win32pe(framework,payload.encoded) option.

Creating powershell_upload_exec

Now we’ll open the mssql.rb file that we opened earlier, in preparation for editing. We need to find space for the powershell_upload_exec function.

root@bt:/opt/framework3/msf3# nano lib/msf/core/exploit/mssql.rb

In your version of Metasploit, you can do a search for PowerShell, and you should see the referenced code that follows in the mssql.rb file. Feel free to delete this code from the file and start from scratch.

    #
    # Upload and execute a Windows binary through MS SQL queries and PowerShell
    #
    def powershell_upload_exec(exe, debug=false)

        # hex converter: unpack the raw executable bytes into a hex string
        hex = exe.unpack("H*")[0]

        # create random alpha 8 character names
        var_payload = rand_text_alpha(8)
        print_status("Warning: This module will leave #{var_payload}.exe in the SQL Server %TEMP% directory")

In the function definition you can see that powershell_upload_exec takes two parameters, exe and debug. The exe parameter is the executable we will be sending from our original code, Msf::Util::EXE.to_win32pe(framework,payload.encoded), as mentioned previously. The debug parameter defaults to false, which means we will not see debug information. Generally this would be set to true if you wanted to see additional information for troubleshooting.

Next, on the line that calls unpack, we convert the entire encoded executable to raw hexadecimal format. The "H*" format string on this line simply means “treat the string as binary and return it as a hexadecimal representation,” one pair of hex digits per byte.

The call to rand_text_alpha(8) creates a random, alphabetical, eight-character filename. It’s usually best to randomize this name to throw off antivirus software.

And finally, the print_status call tells the attacker that our payload will remain on the operating system, in the SQL Server /Temp directory.

Conversion from Hex to Binary

The following listing shows the conversion from hexadecimal back to binary, written in PowerShell. The code is defined as a string to be called later and uploaded to the target machine.