@nullbind
Last active February 15, 2021 10:28
SQL Server registry hack that allows non-sysadmin logins to use xp_regwrite to access sensitive registry locations.
Below is a basic SQL Server registry hack that allows non-sysadmin logins to use xp_regwrite to access sensitive registry locations.
Scenario
--------
Give Public role members privileges to execute xp_regwrite.
GRANT EXEC ON OBJECT::master.dbo.xp_regwrite TO [Public]
Issue
-----
By default, non-sysadmin logins can only use xp_regwrite on the following registry keys.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\<INSTANCE>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLAgent$<INSTANCE>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\80\Replication
Write access appears to be recursive, with the exception of:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.STANDARDDEV2014\MSSQLServer\ExtendedProcedures
Solution
--------
An undocumented registry value exists that allows admins to set a whitelist of registry locations that can be written
to by non-sysadmin logins via xp_regwrite. Simply add the registry location you wish to whitelist to the registry values below.
Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.STANDARDDEV2014\MSSQLServer\ExtendedProcedures
Value: Xp_regread Allowed Paths
Type:  REG_MULTI_SZ

Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.STANDARDDEV2014\MSSQLServer\ExtendedProcedures
Value: Xp_regwrite Allowed Paths
Type:  REG_MULTI_SZ
Notes
-----
This may have some potential as a persistence method, since it could be used in place of xp_cmdshell
and executed without sysadmin privileges.
Source: https://support.microsoft.com/en-us/kb/887165