Metasploit mailing list archives
Custom "payloads"
From: hdm at metasploit.com (H D Moore)
Date: Wed, 7 Dec 2005 08:52:30 -0600

Hi Nicob,

I have been working on something similar actually - trying to find the best way to load a raw shellcode stage from a compromised MSSQL server. The general idea is to use sp_OACreate() to make a new Scripting.FileSystemObject, use this to write out a VB/C/Jscript file that decodes and writes out the payload, then make a WScript.Shell object that will execute the scripting engine which will eventually run the payload. The alternative is using ADODB.Stream or doing debug.exe/sp_makewebtask hackery.

Having some standard non-shellcode SQL payloads would be useful as well. Anyone have any ideas on the best way to load a payload this way? The tricky part seems to be writing out binary files from MSSQL in the first place - but if we can find the COM component, it may not be that difficult. Once we can write a binary file to disk, either create a new extended stored procedure that execs blobs of code or just execute an EXE to disk and execute that.

On Wednesday 07 December 2005 08:16, Nicob wrote:
> So, I wonder how to ask the MSF user which "payload" (i.e. SQL query) he wants to execute. I can add a text field to 'UserOpts' and parse it later to get the selected payload, but I'm not sure it would be the cleanest way to do it. Any advice is welcome.
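
The components named in the message above are plain strings in SQL Server statement text, so a defender can search for them in trace or audit output. The following is an added example, not part of the original post or of Metasploit: it flags sessions that use those components and raises severity when a file writer is followed by a process launcher. The `scan` function, the `(session_id, sql_text)` event shape and the sample statements are constructed assumptions.

```python
import re
from collections import defaultdict

# Components named in the post, grouped by the role they play in the chain.
WRITERS = {
    "Scripting.FileSystemObject": re.compile(r"Scripting\.FileSystemObject", re.I),
    "ADODB.Stream": re.compile(r"ADODB\.Stream", re.I),
    "sp_makewebtask": re.compile(r"\bsp_makewebtask\b", re.I),
    "debug.exe": re.compile(r"\bdebug\.exe\b", re.I),
}
LAUNCHERS = {"WScript.Shell": re.compile(r"WScript\.Shell", re.I)}
OLE_CREATE = re.compile(r"\bsp_OACreate\b", re.I)

# Constructed sample events: (session_id, statement text) in execution order.
SAMPLE = [
    (51, "SELECT name FROM sys.databases"),
    (52, "EXEC sp_OACreate 'Scripting.FileSystemObject', @fso OUT"),
    (52, "SELECT COUNT(*) FROM orders"),
    (52, "EXEC sp_OACreate 'WScript.Shell', @sh OUT"),
    (53, "EXEC sp_OACreate 'ADODB.Stream', @st OUT"),
]


def scan(events):
    """Return {session_id: {"hits": [...], "severity": "high" | "medium"}}."""
    hits = defaultdict(list)
    for session, sql in events:
        if OLE_CREATE.search(sql):
            hits[session].append(("ole", "sp_OACreate"))
        for role, table in (("writer", WRITERS), ("launcher", LAUNCHERS)):
            for name, rx in table.items():
                if rx.search(sql):
                    hits[session].append((role, name))
    report = {}
    for session, found in hits.items():
        roles = [role for role, _ in found]
        first_writer = roles.index("writer") if "writer" in roles else None
        last_launcher = max(
            (i for i, r in enumerate(roles) if r == "launcher"), default=None)
        # A file writer followed by a launcher in one session is the
        # write-then-execute sequence the post describes.
        chained = (first_writer is not None and last_launcher is not None
                   and first_writer < last_launcher)
        report[session] = {"hits": [name for _, name in found],
                           "severity": "high" if chained else "medium"}
    return report


if __name__ == "__main__":
    for session, result in sorted(scan(SAMPLE).items()):
        print(session, result["severity"], result["hits"])
```

Matching is on literal statement text, so names assembled by string concatenation inside a batch are not caught by this check.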