In this chapter, we'll write a module called mssql_powershell to harness
a technique released at the Defcon 18 Hacking Conference by Josh Kelley
(winfang) and David Kennedy. This module targets Windows platforms with
Microsoft's PowerShell installed (installed by default on Windows 7).
This module converts a standard MSF binary payload to a hex-blob (a
hexadecimal representation of binary data) that can be transmitted to a target system through Microsoft SQL commands. Once this payload is on the
target system, a PowerShell script is used to convert the hexadecimal data
back to a binary executable, execute it, and deliver a shell to the attacker. This
module is already in Metasploit and was developed by one of the authors of
this book; it's a great lesson in how to build your own modules.
The ability to convert a binary to hexadecimal, transmit it via MS SQL,
and convert it back to binary is an excellent example of how powerful the
Metasploit Framework can be. As you're performing penetration tests, you
will encounter many unfamiliar scenarios or situations; your ability to create
or modify modules and exploits on the fly will give you that needed edge. As
you begin to understand the Framework, you'll be able to write these types of
modules in a relatively short amount of time.
We will use the MS SQL instance that you built in Appendix A
to exploit a situation with our module. As discussed in Chapter 6, you initially
scan the system with the Metasploit auxiliary modules and brute force the
weak sa account.
Once you have brute forced the sa account, you can insert, drop, create,
and perform most other tasks you would normally use in MS SQL. This includes
calling an extended administrative-level stored procedure called xp_cmdshell,
as discussed in Chapter 6. This stored procedure lets you execute underlying
operating system commands under the same security context used by the
SQL Server service (for example, Local System).
MS SQL installs with this stored procedure disabled in SQL Server 2005 and 2008,
but you can re-enable it with SQL commands (sp_configure) if you have the sysadmin role within
MS SQL. For example, you could run SELECT loginname FROM master..syslogins
WHERE sysadmin=1 to list every login with this level of access and then authenticate as one of those
logins. If you have the sysadmin role, you're almost guaranteed a full-system compromise.
Exploring an Existing Metasploit Module
root@bt:/opt/framework3/msf3# nano modules/auxiliary/admin/mssql/mssql_exec.rb