add mssql_exec_oacreate module #14622
Conversation
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
@blacklist-arcc Any update on writing documentation for this module? We may have to attic this pull request if no documentation file is included with it.
Oh sorry, this completely slipped my focus. I will cover the documentation in the next business days. Thanks for the kind reminder.
mssql_query("EXEC sp_configure 'show advanced options', 1; RECONFIGURE;", doprint)
mssql_query("EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;", doprint)
print_status('Executing command using sp_oacreate')
mssql_query("DECLARE @mssql INT; EXEC sp_oacreate 'wscript.shell',@mssql OUTPUT; EXEC sp_oamethod @mssql, 'run', null, '#{datastore['CMD']}';", doprint)
Will this work if the command CMD contains apostrophe characters '? They will probably need to be escaped.
I think this will not be possible in this case. The xp_cmdshell method that is already implemented in Metasploit has not solved the problem either.
res = mssql_query("EXEC master..xp_cmdshell '#{cmd}'", false, opts)
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
Co-authored-by: bcoles <bcoles@gmail.com>
Does this make sense to implement as a separate module instead of adding it as a technique to the existing What could make this even better is if the technique could be automatically determined at runtime, allowing the user to focus on the command they want to run and less on how they want to run it.
I totally agree, the technique was useful in some pentest situations where xp_cmdshell is not available or monitored by some fancy IDS. I will take a look and try to add another commit extending the "original" module.
@smcintyre-r7 I reverted my changes, followed your advice and modified the original module. Now a technique can be set to use the sp_oacreate function instead. I tested against my own lab and a few hackthebox machines that run mssql; both methods are working smoothly. As CMD I used the output of the web_delivery module to get a long powershell command that provides a meterpreter shell as a result. If the xp_cmdshell function fails, sp_oacreate is invoked as a more failsafe method. I added some small hints in the description that no temp data table is created in order to view any output. So the method is again more opsec safe but does not provide any output.
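The thread above notes that sp_oacreate is used when xp_cmdshell is unavailable or monitored; the following is an added detection example, not code from this PR or the Metasploit module, that flags the T-SQL sequence the technique depends on (enabling Ole Automation Procedures, then creating a shell COM object). It assumes statement text as a SQL Server audit or Extended Events session would record it; the sample statements are constructed.

```ruby
# Rules for the statements the sp_oacreate technique needs, plus xp_cmdshell
# for comparison. Names are ours; the patterns follow the PR's own queries.
RULES = {
  enable_advanced_options: /sp_configure\s+'show advanced options'\s*,\s*1\b/i,
  enable_ole_automation:   /sp_configure\s+'ole automation procedures'\s*,\s*1\b/i,
  oacreate_shell:          /sp_oacreate\s+'(?:wscript\.shell|shell\.application)'/i,
  oamethod_run:            /sp_oamethod\b[^;]*'(?:run|shellexecute)'/i,
  xp_cmdshell:             /\bxp_cmdshell\b/i
}.freeze

# Names of every rule a single statement matches (empty array if none).
def classify(statement)
  RULES.select { |_, re| statement.match?(re) }.keys
end

# statement index => matched rule names, skipping statements that match nothing.
def scan(statements)
  statements.each_with_index.each_with_object({}) do |(stmt, i), hits|
    rules = classify(stmt)
    hits[i] = rules unless rules.empty?
  end
end

# True when Ole Automation Procedures is switched on and a shell COM object is
# created afterwards in the same session: the ordered pattern from the module.
def ole_exec_chain?(statements)
  enabled_at = statements.index { |s| s.match?(RULES[:enable_ole_automation]) }
  return false if enabled_at.nil?

  statements.drop(enabled_at + 1).any? { |s| s.match?(RULES[:oacreate_shell]) }
end

# Constructed sample session (not real audit data); 'whoami' stands in for CMD.
SAMPLE_STATEMENTS = [
  "SELECT name FROM sys.tables",
  "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
  "EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;",
  "DECLARE @o INT; EXEC sp_oacreate 'wscript.shell', @o OUTPUT; EXEC sp_oamethod @o, 'run', null, 'whoami';",
  "EXEC master..xp_cmdshell 'whoami'",
  "SELECT 1"
].freeze

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_STATEMENTS).each { |i, rules| puts "#{i}: #{rules.join(', ')}" }
  puts "ole exec chain: #{ole_exec_chain?(SAMPLE_STATEMENTS)}"
end
```

Matching on the enabling statement alone gives an early signal even when the later command, as the PR notes, returns no output.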
This works for me, I was able to verify that it's running the command correctly.
I made some tweaks to some of the verbiage and updated the docs to describe the techniques. I'll go ahead and land this now, thanks for this contribution!
Release Notes
Updated the
Added mssql_exec_oacreate module which will execute a Windows command on an MSSQL/MSDE instance via the sp_oacreate procedure (OLE) instead of xp_cmdshell.
Used in: metasploit-framework/lib/msf/core/exploit/remote/mssql_commands.rb, line 33 in 85a9acc
Reference: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-oacreate-transact-sql
Verification
List the steps needed to make sure this thing works
msfconsole
use admin/mssql/mssql_exec_oacreate
run