I am doing some testing, and I can't quite figure out what might be going on.

Specifics:

I have two virtualbox VM's running on one host:
VM1: Windows 2003 SP1 w/ MSSQL 2000 SP3
VM2: Gentoo w/ Apache2 & PHP5

On another host I am running one VM which is the Backtrack 4 Final live CD.

SQLMAP version 0.8-rc4

I have a fully injectable uri on the apache webserver which connects to the MSSQL DBMS on the Windows box.

When I issues this command on the Bactrack 4 VM:

sqlmap -u "http://192.168.1.251/login.php?user=blah" --os-pwn

I am prompted to chose which payload and port I wish to use. I have chosen every combination with the same results.

THE PROBLEM
using the "-v 2" option I have reviewed the debug output and I have watched the "C:\Windows\Temp" directory on the DBMS to see that the payload gets written to the directory as an .SCR file however when it is to be compiled as an exe it fails. It should be noted that all other features of sqlmap that are not related to writing a file to the backend DBMS work fine.

Also, the --write-file attribute yields the same results. I expect that sqlmap is invoking the windows debugger to compile the hex that is transfered in the .SCR (I could be wrong), but it doesn't work. However, I cannot find any errors on the windows box that would indicate the problem.

One final note, I modified the permissions on the C:\Windows\Temp directory for "Everyone" to have full access in an effort to eliminate possible permissions issues. I hope I have outlined the issue well enough, and any direction would be greatly appreciated.

Thanks.