Rapid7 VulnDB

PostgreSQL for Linux Payload Execution

Disclosed: 06/05/2007
Created: 05/30/2018

Description

On some default Linux installations of PostgreSQL, the postgres service account can write to the /tmp directory and can also load UDF shared libraries from there, which allows execution of arbitrary code. This module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user-defined function) from that shared object. Because the payload runs as the shared object's constructor, it does not need to conform to a specific Postgres API version.
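
From the defender's side, the two statements the description names (a direct UPDATE on pg_largeobject and a C-language UDF created from a shared object under /tmp) show up in the server's statement log. The scanner below is an added example, not part of the original page or of the Metasploit module. It assumes statement logging is enabled (for example log_statement = 'mod' or 'all') with the backend PID as `[pid]` in the log line prefix; the log lines, function names and rule names are constructed for illustration.

```python
import re

# Constructed sample of PostgreSQL server log lines (not taken from a real host).
SAMPLE_LOG = """\
2024-01-10 09:14:02 UTC [4121] app@shop LOG:  statement: SELECT id FROM orders WHERE id = 7
2024-01-10 09:15:40 UTC [4177] postgres@template1 LOG:  statement: UPDATE pg_largeobject SET data = $1 WHERE loid = 16444
2024-01-10 09:15:41 UTC [4177] postgres@template1 LOG:  statement: CREATE OR REPLACE FUNCTION fn_example() RETURNS text AS '/tmp/example.so' LANGUAGE C STRICT
2024-01-10 09:20:11 UTC [4302] dba@gis LOG:  statement: CREATE FUNCTION st_area(geometry) RETURNS float8 AS '$libdir/postgis-3', 'area' LANGUAGE C
"""

# Assumed log layout: "... [pid] user@db LOG:  statement: <sql>"
STATEMENT = re.compile(r"\[(?P<pid>\d+)\].*?\bstatement:\s+(?P<sql>.*)$")
LO_WRITE = re.compile(r"\bUPDATE\s+(?:pg_catalog\.)?pg_largeobject\b", re.I)
CREATE_FN = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b", re.I)
LANG_C = re.compile(r"\bLANGUAGE\s+'?C'?(?=\s|;|$)", re.I)
OBJ_FILE = re.compile(r"\bAS\s+'(?P<path>[^']+)'", re.I)

def scan(log_text, writable_dirs=("/tmp/",)):
    """Return (pid, rule, detail) findings for the two statements described above."""
    findings = []
    for line in log_text.splitlines():
        m = STATEMENT.search(line)
        if not m:
            continue
        pid, sql = int(m["pid"]), m["sql"]
        if LO_WRITE.search(sql):  # applications normally use the lo_* API, not raw catalog writes
            findings.append((pid, "direct-pg_largeobject-write", "pg_largeobject"))
        obj = OBJ_FILE.search(sql)
        if CREATE_FN.search(sql) and LANG_C.search(sql) and obj:
            if obj["path"].startswith(writable_dirs):  # C UDF loaded from a writable directory
                findings.append((pid, "c-udf-from-writable-dir", obj["path"]))
    return findings

def correlated_backends(findings):
    """Backend PIDs that triggered both rules in one session: the highest-confidence signal."""
    by_pid = {}
    for pid, rule, _ in findings:
        by_pid.setdefault(pid, set()).add(rule)
    return sorted(p for p, rules in by_pid.items() if len(rules) == 2)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print("correlated backends:", correlated_backends(scan(SAMPLE_LOG)))
```

The legitimate extension function loaded from `$libdir` in the sample is not flagged; only the C function whose object file sits under /tmp is.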

Author(s)

  • midnitesnake
  • egypt <egypt@metasploit.com>
  • todb <todb@metasploit.com>
  • lucipher

Platform

Linux

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/postgres/postgres_payload
msf exploit(postgres_payload) > show targets
    ...targets...
msf exploit(postgres_payload) > set TARGET < target-id >
msf exploit(postgres_payload) > show options
    ...show and set options...
msf exploit(postgres_payload) > exploit
