Metasploit mailing list archives

Custom "payloads"


From: hdm at metasploit.com (H D Moore)
Date: Wed, 7 Dec 2005 08:52:30 -0600

Hi Nicob,

I have been working on something similar actually - trying to find the
best way to load a raw shellcode stage from a compromised MSSQL server.
The general idea is to use sp_OACreate() to make a new
Scripting.FileSystemObject, use this to write out a VB/C/Jscript file
that decodes and writes out the payload, then make a WScript.Shell
object that will execute the scripting engine, which will eventually run
the payload. The alternative is using ADODB.Stream or doing
debug.exe/sp_makewebtask hackery. Having some standard non-shellcode SQL
payloads would be useful as well.

Anyone have any ideas on the best way to load a payload this way? The
tricky part seems to be writing out binary files from MSSQL in the first
place - but if we can find the COM component, it may not be that
difficult. Once we can write a binary file to disk, either create a new
extended stored procedure that execs blobs of code or just write an EXE
to disk and execute that.

On Wednesday 07 December 2005 08:16, Nicob wrote:
So, I wonder how to ask the MSF user which "payload" (i.e. SQL query)
he wants to execute. I can add a text field to 'UserOpts' and parse it
later to get the selected payload, but I'm not sure it would be the
cleanest way to do it. Any advice is welcome.
