[Security Tool] MSSQL FileUpload Autohack

This is a little application that relies on the executable “debug.exe”, present on just about every Windows operating system since way back when. The application works through an SQL injection vulnerability provided by the user, referred to as the entry point throughout the application.
Through this vulnerability, the application calls the extended stored procedure “xp_cmdshell” within MSSQL to upload a binary file of the attacker's choosing to the target machine and execute it.

This file upload is achieved by echoing the ASCII-equivalent hex bytes of the attacker's binary into a data file (referred to as an asm/assembly file throughout the application), along with the appropriate commands that the “Debug.exe” executable will be able to understand.

The screenshot below displays an example “asm” file, on the remote system post successful exploitation:

The application can be started either from a configuration file or by entering the details directly into the console.

An example configuration file is displayed below. It should give you a pretty good idea what to expect from this application, and how its terms work.

Due to restrictions in the Debug.exe application, it is currently not possible to transmit and reassemble applications larger than 64kb. To keep the size down, packing the binary (with UPX, for example) is suggested.
I plan to bypass this restriction in the future by attempting to assemble different sections independently and finally concatenating them into one single executable.

If this application doesn’t work, you can always try the following by passing these commands through the SQL injection vulnerability.

Removing MSSQL Lock-down – re-enabling xp_cmdshell:

EXECUTE sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
EXECUTE sp_configure 'xp_cmdshell', '1'
RECONFIGURE WITH OVERRIDE
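
For defenders, the activity described above (xp_cmdshell spawning cmd.exe under the SQL Server process, repeated echo appends into one file, then Debug.exe reading that file) is visible in process-creation logs. The following is an added example, not part of the original tool or post; the pipe-separated log format, the file paths and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events: parent image | image | command line.
# "<hex bytes>" is a placeholder, not real content; map the fields to your EDR/Sysmon data.
SAMPLE_EVENTS = r"""
sqlservr.exe|cmd.exe|cmd.exe /c echo <hex bytes> >> C:\Temp\up.asm
sqlservr.exe|cmd.exe|cmd.exe /c echo <hex bytes> >> C:\Temp\up.asm
sqlservr.exe|cmd.exe|cmd.exe /c echo <hex bytes> >> C:\Temp\up.asm
sqlservr.exe|cmd.exe|cmd.exe /c debug < C:\Temp\up.asm
explorer.exe|cmd.exe|cmd.exe /c echo done >> C:\Users\a\build.log
sqlservr.exe|sqlagent.exe|sqlagent.exe -i MSSQLSERVER
"""

APPEND_RE = re.compile(r"\becho\b.*>>\s*(\S+)", re.I)            # echo ... >> file
DEBUG_RE = re.compile(r"\bdebug(?:\.exe)?\s*<\s*(\S+)", re.I)    # debug < file


def analyze(events, min_appends=3):
    """Summarize shells spawned by SQL Server (how xp_cmdshell runs commands)."""
    appends = defaultdict(int)  # target file -> number of echo-append commands
    debug_inputs = set()        # files fed to debug.exe on stdin
    sql_shells = 0
    for line in events.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        parent, image, cmdline = (p.strip() for p in parts)
        if parent.lower() != "sqlservr.exe" or image.lower() != "cmd.exe":
            continue  # only shells whose parent is the SQL Server process
        sql_shells += 1
        if (m := APPEND_RE.search(cmdline)):
            appends[m.group(1).lower()] += 1
        if (m := DEBUG_RE.search(cmdline)):
            debug_inputs.add(m.group(1).lower())
    staged = {path for path, n in appends.items() if n >= min_appends}
    return {
        "sql_spawned_shells": sql_shells,                # any value > 0 deserves review
        "staged_files": sorted(staged),                  # files built up by repeated echo
        "reassembled": sorted(staged & debug_inputs),    # staged files handed to debug.exe
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

On most database servers a cmd.exe child of sqlservr.exe is rare enough to alert on by itself; the staged-file and Debug.exe correlation raises confidence that a binary was reassembled on disk.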

I have included a relatively comprehensive read-me file, downloadable as a .PDF below.

[ Executable + Read Me ] MSSQL AutoUpload AutoHack.
[ .PDF ] README FILE
Full example “assembly” file.
[ C Source ] MSSQLAutohacksource.c
Default Configuration File Template
[ TechNet] Debug.exe

~ by Rhys Mossom on July 1, 2013.
