Some installations of Postgres 8 and 9 are configured to allow loading external scripting languages. Most commonly this is Perl and Python. When enabled, command execution is possible on the host. To execute system commands, loading the "untrusted" version of the language is necessary. This requires a superuser. This is usually postgres. The execution should be platform-agnostic, and has been tested on OS X, Windows, and Linux. This Metasploit module attempts to load Perl or Python to execute system commands. As this dynamically loads a scripting language to execute commands, it is not necessary to drop a file on the filesystem. Only Postgres 8 and up are supported.
35a6a49124ad62dab21bd8ac5c63333438e1b0e3ebfa9c2ae8f568b3ec88f1c1
On some default Linux installations of PostgreSQL, the postgres service account may write to the /tmp directory, and may source UDF Shared Libraries from there as well, allowing execution of arbitrary code. This Metasploit module compiles a Linux shared object file, uploads it to the target host via the UPDATE pg_largeobject method of binary injection, and creates a UDF (user defined function) from that shared object. Because the payload is run as the shared object's constructor, it does not need to conform to specific Postgres API versions.
c51dddadd2b2d88c86fc65284de0c6ecc7a31786c8b947b7ba7c753e87036e3f
72 bytes small Raspberry Pi Linux/ARM reverse_shell(tcp,10.1.1.2,0x1337) shellcode.
33477d9d007d6784386a6fd40196c1a6cc8adde4241c48bc9ed3a6600246f486
30 bytes small Raspberry Pi Linux/ARM execve("/bin/sh",[0],[0 vars]) shellcode.
812eace2fa0e2e4dde574596e94fbdef1a568d857abd26d44693db4443a5a932
41 bytes small Raspberry Pi Linux/ARM chmod("/etc/shadow", 0777) shellcode.
65789ede4aae1119c181a66bff9dc3209cc7f3abcbd1048a3fc11e58e6a5b067