
modules/exploits/linux/postgres/postgres_payload.rb #696

Closed (wanted to merge 6 commits)

Contributor

midnitesnake commented Aug 15, 2012

Added linux port for postgres_payload module, delivers shell via perl payload

@jlee-r7 jlee-r7 commented on an outdated diff Aug 20, 2012

lib/msf/core/exploit/postgres.rb
@@ -288,21 +288,35 @@ def postgres_create_sys_exec(dll)
return true
end
+ # Creates the function sys_exec() in the pg_temp schema.
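Review bot: the added comment at the end of the hunk introduces a method that creates sys_exec() in the pg_temp schema but says nothing about its argument or return value, while the neighbouring postgres_create_sys_exec(dll) in the hunk header takes a library path and returns true on success; document the library argument and the return value in the same comment, and indent it with spaces to match the surrounding `return true` / `end` lines rather than tabs.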
@jlee-r7

jlee-r7 Aug 20, 2012

Contributor

Fix tabs, please.

@jlee-r7 jlee-r7 commented on an outdated diff Aug 20, 2012

modules/exploits/linux/postgres/postgres_payload.rb
+ return
+ end
+ end
+ postgres_logout if @postgres_conn
+
+ end
+
+ def so_fname(version)
+ print_status "Using #{version}/#{bits}/lib_postgresqludf_sys.so"
+ File.join(Msf::Config.install_root,"data","exploits","postgres",version,bits,"lib_postgresqludf_sys.so")
+ end
+
+ # A shorter version of do_fingerprint from the postgres_version scanner
+ # module, specifically looking for versions that valid targets for this
+ # module.
+ def get_version(user=nil,pass=nil,database=nil,verbose=false)
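Review bot: so_fname(version) reads `bits`, which is neither a parameter nor a local in the hunk, so it silently depends on a method defined elsewhere; pass it in explicitly (`def so_fname(version, bits)`) or note the dependency, and move the print_status out of a pure path helper into its caller so the helper can be reused without side effects. The get_version(user=nil,pass=nil,database=nil,verbose=false) signature carries a verbose flag that nothing in the visible hunk consumes; drop it or wire it up. The comment above it also reads "versions that valid targets" and is missing "are".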
@jlee-r7

jlee-r7 Aug 20, 2012

Contributor

verbose arg appears unused.

@jlee-r7 jlee-r7 commented on an outdated diff Aug 20, 2012

modules/exploits/linux/postgres/postgres_payload.rb
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'perl',
+ }
+ },
+ 'Targets' =>
+ [
+ [ 'Automatic', { } ], # Confirmed on XXX
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Apr 10 2009' # Date of Bernardo's BH Europe paper.
+
+ ))
+
+ register_options(
+ [
+ OptString.new('BITS',[true,'32/ 64 bit OS',32])
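Review bot: OptString.new('BITS',[true,'32/ 64 bit OS',32]) declares a string option with an Integer default and no constraint on accepted values, so a user can set BITS to anything and the later path lookup fails at run time; an OptEnum restricted to '32' and '64' fails fast at option-setting time instead. The `# Confirmed on XXX` placeholder on the 'Automatic' target should be replaced with the versions actually tested or removed before merge, and the stray blank line before `))` can go.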
@jlee-r7

jlee-r7 Aug 20, 2012

Contributor

OptString with an Int default. Should probably be an OptEnum with "32" and "64" options.

Contributor

midnitesnake commented Aug 22, 2012

I've corrected the files, following your suggestions.

@jlee-r7 jlee-r7 and 1 other commented on an outdated diff Sep 12, 2012

lib/msf/core/exploit/postgres.rb
@@ -317,6 +347,64 @@ def postgres_upload_binary_file(fname)
return [tbl,fld,fout,oid]
end
+ def postgres_upload_binary_file_elf(fname)
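Review bot: postgres_upload_binary_file_elf(fname) takes the same single fname argument as the postgres_upload_binary_file(fname) in the hunk header, and the hunk grows the file by 58 lines, which suggests a parallel copy of the upload path rather than a shared implementation; if the ELF variant differs only in a file-type detail, parameterize the existing method instead of duplicating it, and document what it returns (the existing method returns [tbl,fld,fout,oid]).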
@jlee-r7

jlee-r7 Sep 12, 2012

Contributor

This method looks identical to postgres_upload_binary_file_linux

@midnitesnake

midnitesnake Sep 13, 2012

Contributor

Yeah, it was when I was experimenting with binary payloads, to separate out the uploading of libraries (so) and executables (bin). It did not work out; command injection was easier and more reliable.

I'll scrap it together with the postgres_write_data_to_disk_elf

Got rid of methods upload_elf, write_to_disk_elf, as module uses cmd injection payload, rather than binary payload.
Contributor

jlee-r7 commented Oct 12, 2012

Where did the so files come from? Do you have source?

Contributor

jlee-r7 commented Oct 12, 2012

Looks like they came from the sqlmap project. Seems like it would be possible to compile on the fly instead of shipping an ever-expanding pile of binaries.

Contributor

jlee-r7 commented Oct 13, 2012

Here's a branch that removes the requirement for using compiled binaries:
https://github.com/jlee-r7/metasploit-framework/tree/midnitesnake-postgres_payload

Contributor

midnitesnake commented Oct 14, 2012

Yes, grabbed them from Leidecker's Debian installation way back, when he came up with the idea!

Leidecker wanted the research creds - I wanted the Metasploit module.

And yes they turn out identical to the sqlmap ones.

Nice to see you can compile them on the fly. Would it be the same process for the Windows DLLs?


Contributor

jlee-r7 commented Oct 15, 2012

That's the idea, yes. I haven't looked into everything necessary to be able to compile for Windows using Metasm, but it should be a similar process at least. We might want to consider combining the modules into a single module under exploit/multi/

Contributor

jlee-r7 commented Oct 22, 2012

Thanks for your contribution! I've added a new pull request, #928, which includes your original code and my enhancements to compile the payload on the fly. If you have any more comments, please leave them on that pull request.

@jlee-r7 jlee-r7 closed this Oct 22, 2012
