lib/msf/core/exploit/remote/mssql.rb

# -*- coding: binary -*-

require 'rex/proto/mssql/client'
require 'metasploit/framework/tcp/client'

module Msf
###
#
# This module exposes methods for querying a remote MSSQL service
#
###
module Exploit::Remote::MSSQL
  include Exploit::Remote::MSSQL_COMMANDS
  include Exploit::Remote::Udp
  include Exploit::Remote::Tcp
  include Exploit::Remote::NTLM::Client
  include Msf::Exploit::Remote::Kerberos::Ticket::Storage
  include Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options

  attr_accessor :mssql_client

  #
  # Creates an instance of a MSSQL exploit module.
  #
  def initialize(info = {})
    super

    # Register the options that all MSSQL exploits may make use of.
    register_options(
      [
        Opt::RHOST,
        Opt::RPORT(1433),
        OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),
        OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),
        OptBool.new('USE_WINDOWS_AUTHENT', [ true, 'Use windows authentication (requires DOMAIN option set)', false]),
        # OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]), - TODO: support TDS Encryption
      ], Msf::Exploit::Remote::MSSQL)
    register_advanced_options(
      [
        OptPath.new('HEX2BINARY',   [ false, "The path to the hex2binary script on the disk",
          File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
        ]),
        OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION'], aliases: ['MssqlDomain']),
        *kerberos_storage_options(protocol: 'Mssql'),
        *kerberos_auth_options(protocol: 'Mssql', auth_methods: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS),
      ], Msf::Exploit::Remote::MSSQL)
    register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ])
    register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })
  end

  def set_session(client)
    print_status("Using existing session #{session.sid}")
    @mssql_client = client
  end

  #
  # This method sends a UDP query packet to the server and
  # parses out the reply packet into a hash
  #
  def mssql_ping(timeout=5)
    data = { }

    ping_sock = Rex::Socket::Udp.create(
      'PeerHost'  => rhost,
      'PeerPort'  => 1434,
      'Context'   =>
        {
          'Msf'        => framework,
          'MsfExploit' => self,
        })

    ping_sock.put("\x02")
    resp, _saddr, _sport = ping_sock.recvfrom(65535, timeout)
    ping_sock.close

    return data if not resp
    return data if resp.length == 0

    return mssql_ping_parse(resp)
  end

  #
  # Parse a 'ping' response and format as a hash
  #
  def mssql_ping_parse(data)
    res = []
    var = nil
    idx = data.index('ServerName')
    return res if not idx
    sdata = data[idx, (data.length - 1)]

    instances = sdata.split(';;')
    instances.each do |instance|
      rinst = {}
      instance.split(';').each do |d|
        if (not var)
          var = d
        else
          if (var.length > 0)
            rinst[var] = d
            var = nil
          end
        end
      end
      res << rinst
    end

    return res
  end

  #
  # Execute a system command via xp_cmdshell
  #
  def mssql_parse_tds_reply(data, info)
    @mssql_client.mssql_parse_tds_reply(data, info)
  end

  def mssql_parse_reply(data, info)
    @mssql_client.mssql_parse_reply(data, info)
  end

  #
  # Parse a single row of a TDS reply
  #
  def mssql_parse_tds_row(data, info)
    @mssql_client.mssql_parse_tds_row(data, info)
  end

  #
  # Parse a "ret" TDS token
  #
  def mssql_parse_ret(data, info)
    @mssql_client.mssql_parse_ret(data, info)
  end

  #
  # Parse a "done" TDS token
  #
  def mssql_parse_done(data, info)
    @mssql_client.mssql_parse_done(data, info)
  end

  #
  # Parse an "error" TDS token
  #
  def mssql_parse_error(data, info)
    @mssql_client.mssql_parse_error(data, info)
  end

  #
  # Parse an "environment change" TDS token
  #
  def mssql_parse_env(data, info)
    @mssql_client.mssql_parse_env(data, info)
  end

  #
  # Parse an "information" TDS token
  #
  def mssql_parse_info(data, info)
    @mssql_client.mssql_parse_info(data, info)
  end

  def mssql_xpcmdshell(cmd, doprint=false, opts={})
    @mssql_client.mssql_xpcmdshell(cmd, doprint, opts)
  end

  #
  # Upload and execute a Windows binary through MSSQL queries
  #
  def mssql_upload_exec(exe, debug=false)
    @mssql_client.mssql_upload_exec(exe, debug)
  end

  #
  # Upload and execute a Windows binary through MSSQL queries and Powershell
  #
  def powershell_upload_exec(exe, debug=false)
    @mssql_client.powershell_upload_exec(exe, debug)
  end

  #
  #this method send a prelogin packet and check if encryption is off
  #
  def mssql_prelogin(enc_error=false)
    @mssql_client.mssql_prelogin(enc_error)
  end

  #
  # This method connects to the server over TCP and attempts
  # to authenticate with the supplied username and password
  # The global socket is used and left connected after auth
  #
  def mssql_login(user='sa', pass='', db='', domain_name='')
    @mssql_client ||= Rex::Proto::MSSQL::Client.new(self, framework, datastore['RHOST'], datastore['RPORT'])
    result = @mssql_client.mssql_login(user, pass, db, domain_name)
    add_socket(@mssql_client.sock) if @mssql_client.sock && !sockets.include?(@mssql_client.sock)
    result
  end

  def mssql_login_datastore(db=nil)
    mssql_login(datastore['USERNAME'], datastore['PASSWORD'], db || datastore['DATABASE'] || '', datastore['MssqlDomain'] || '')
  end
  #
  # Issue a SQL query using the TDS protocol
  #
  def mssql_query(sqla, doprint=false, opts={})
    @mssql_client.query(sqla, doprint, opts)
  end

  #
  # Nicely print the results of a SQL query
  #
  def mssql_print_reply(info)
    @mssql_client.mssql_print_reply(info)
  end

  def mssql_send_recv(req, timeout=15, check_status = true)
    @mssql_client.mssql_send_recv(req, timeout, check_status)
  end

  #
  # Encrypt a password according to the TDS protocol (encode)
  #
  def mssql_tds_encrypt(pass)
    # Convert to unicode, swap 4 bits both ways, xor with 0xa5
    Rex::Text.to_unicode(pass).unpack('C*').map {|c| (((c & 0x0f) << 4) + ((c & 0xf0) >> 4)) ^ 0xa5 }.pack("C*")
  end
end
end
Mark all libraries as defaulting to 8-bit strings 2012-06-29 00:18:28 -05:00			`# -- coding: binary --`
Remove initial code duplication between mssql clients 2022-07-01 14:25:21 +01:00
client consolidation 2023-12-12 09:53:37 -06:00			`require 'rex/proto/mssql/client'`
			`require 'metasploit/framework/tcp/client'`
Remove initial code duplication between mssql clients 2022-07-01 14:25:21 +01:00
Mixins 2005-11-26 11:16:50 +00:00			`module Msf`
			`###`
			`#`
			`# This module exposes methods for querying a remote MSSQL service`
			`#`
			`###`
			`module Exploit::Remote::MSSQL`
fixed exception when unable to connect, fixed formatting 2009-12-30 22:15:12 +00:00			`include Exploit::Remote::MSSQL_COMMANDS`
Mixins 2005-11-26 11:16:50 +00:00			`include Exploit::Remote::Udp`
			`include Exploit::Remote::Tcp`
mssql login : enable ntlmv2 authentification 2011-04-03 17:02:23 +00:00			`include Exploit::Remote::NTLM::Client`
Use shared helper for creating kerberos options 2023-01-20 11:31:24 +00:00			`include Msf::Exploit::Remote::Kerberos::Ticket::Storage`
			`include Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options`
Retab lib 2013-08-30 16:28:33 -05:00
update rhost and rport calls 2024-02-13 13:00:38 -06:00			`attr_accessor :mssql_client`

Mixins 2005-11-26 11:16:50 +00:00			`#`
			`# Creates an instance of a MSSQL exploit module.`
			`#`
			`def initialize(info = {})`
			`super`
Retab lib 2013-08-30 16:28:33 -05:00
gee, these were not cut and paste targets... 2006-02-01 22:33:49 +00:00			`# Register the options that all MSSQL exploits may make use of.`
Mixins 2005-11-26 11:16:50 +00:00			`register_options(`
			`[`
			`Opt::RHOST,`
			`Opt::RPORT(1433),`
use the new authbrute mixin 2010-01-20 01:43:01 +00:00			`OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),`
			`OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),`
code spell for a bunch of modules 2023-09-24 17:42:00 -04:00			`OptBool.new('USE_WINDOWS_AUTHENT', [ true, 'Use windows authentication (requires DOMAIN option set)', false]),`
client consolidation 2023-12-12 09:53:37 -06:00			`# OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]), - TODO: support TDS Encryption`
use the new authbrute mixin 2010-01-20 01:43:01 +00:00			`], Msf::Exploit::Remote::MSSQL)`
			`register_advanced_options(`
			`[`
Whitespace and a typo 2012-02-03 12:14:37 -07:00			`OptPath.new('HEX2BINARY', [ false, "The path to the hex2binary script on the disk",`
Find and replace 2013-09-26 20:34:48 +01:00			`File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")`
Whitespace and a typo 2012-02-03 12:14:37 -07:00			`]),`
Update mssql login module to support kerberos authentication 2022-07-04 16:35:16 +01:00			`OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION'], aliases: ['MssqlDomain']),`
Use shared helper for creating kerberos options 2023-01-20 11:31:24 +00:00			`*kerberos_storage_options(protocol: 'Mssql'),`
			`*kerberos_auth_options(protocol: 'Mssql', auth_methods: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS),`
whitespace cleanup 2011-09-07 19:32:16 +00:00			`], Msf::Exploit::Remote::MSSQL)`
minor whitespace change 2010-01-20 02:31:30 +00:00			`register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ])`
fixed exception when unable to connect, fixed formatting 2009-12-30 22:15:12 +00:00			`register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })`
Mixins 2005-11-26 11:16:50 +00:00			`end`
Retab lib 2013-08-30 16:28:33 -05:00
adjust session logic in modules 2024-02-12 15:47:49 -06:00			`def set_session(client)`
			`print_status("Using existing session #{session.sid}")`
			`@mssql_client = client`
update relevant modules to work with sessions 2024-01-29 17:17:29 -05:00			`end`

Mixins 2005-11-26 11:16:50 +00:00			`#`
			`# This method sends a UDP query packet to the server and`
			`# parses out the reply packet into a hash`
			`#`
Abstracted the RHOST references from inside the mixins. 2006-08-13 18:03:28 +00:00			`def mssql_ping(timeout=5)`
Mixins 2005-11-26 11:16:50 +00:00			`data = { }`
Retab lib 2013-08-30 16:28:33 -05:00
Mixins 2005-11-26 11:16:50 +00:00			`ping_sock = Rex::Socket::Udp.create(`
Abstracted the RHOST references from inside the mixins. 2006-08-13 18:03:28 +00:00			`'PeerHost' => rhost,`
Mixins 2005-11-26 11:16:50 +00:00			`'PeerPort' => 1434,`
			`'Context' =>`
			`{`
			`'Msf' => framework,`
			`'MsfExploit' => self,`
			`})`
Retab lib 2013-08-30 16:28:33 -05:00
Mixins 2005-11-26 11:16:50 +00:00			`ping_sock.put("\x02")`
Revert "Revert "Land #7009 , egypt's rubyntlm cleanup"" 2016-07-05 17:05:42 -05:00			`resp, _saddr, _sport = ping_sock.recvfrom(65535, timeout)`
Mixins 2005-11-26 11:16:50 +00:00			`ping_sock.close`
Retab lib 2013-08-30 16:28:33 -05:00
Mixins 2005-11-26 11:16:50 +00:00			`return data if not resp`
			`return data if resp.length == 0`
Retab lib 2013-08-30 16:28:33 -05:00
Abstracted the RHOST references from inside the mixins. 2006-08-13 18:03:28 +00:00			`return mssql_ping_parse(resp)`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Abstracted the RHOST references from inside the mixins. 2006-08-13 18:03:28 +00:00			`#`
			`# Parse a 'ping' response and format as a hash`
			`#`
			`def mssql_ping_parse(data)`
Fix to MSSQL Ping that returns ALL known isntances onstead of jsut the first one. 2012-01-10 12:32:47 -08:00			`res = []`
Abstracted the RHOST references from inside the mixins. 2006-08-13 18:03:28 +00:00			`var = nil`
			`idx = data.index('ServerName')`
			`return res if not idx`
Fix to MSSQL Ping that returns ALL known isntances onstead of jsut the first one. 2012-01-10 12:32:47 -08:00			`sdata = data[idx, (data.length - 1)]`
Retab lib 2013-08-30 16:28:33 -05:00
Fix to MSSQL Ping that returns ALL known isntances onstead of jsut the first one. 2012-01-10 12:32:47 -08:00			`instances = sdata.split(';;')`
			`instances.each do \|instance\|`
			`rinst = {}`
			`instance.split(';').each do \|d\|`
			`if (not var)`
			`var = d`
			`else`
			`if (var.length > 0)`
			`rinst[var] = d`
			`var = nil`
			`end`
Abstracted the RHOST references from inside the mixins. 2006-08-13 18:03:28 +00:00			`end`
Mixins 2005-11-26 11:16:50 +00:00			`end`
Fix to MSSQL Ping that returns ALL known isntances onstead of jsut the first one. 2012-01-10 12:32:47 -08:00			`res << rinst`
Abstracted the RHOST references from inside the mixins. 2006-08-13 18:03:28 +00:00			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Abstracted the RHOST references from inside the mixins. 2006-08-13 18:03:28 +00:00			`return res`
Mixins 2005-11-26 11:16:50 +00:00			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Consolidate common APIs into the mixin 2009-10-18 20:58:01 +00:00			`#`
			`# Execute a system command via xp_cmdshell`
			`#`
client consolidation 2023-12-12 09:53:37 -06:00			`def mssql_parse_tds_reply(data, info)`
			`@mssql_client.mssql_parse_tds_reply(data, info)`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
client consolidation 2023-12-12 09:53:37 -06:00			`def mssql_parse_reply(data, info)`
			`@mssql_client.mssql_parse_reply(data, info)`
Consolidate common APIs into the mixin 2009-10-18 20:58:01 +00:00			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Consolidate common APIs into the mixin 2009-10-18 20:58:01 +00:00			`#`
client consolidation 2023-12-12 09:53:37 -06:00			`# Parse a single row of a TDS reply`
Consolidate common APIs into the mixin 2009-10-18 20:58:01 +00:00			`#`
client consolidation 2023-12-12 09:53:37 -06:00			`def mssql_parse_tds_row(data, info)`
			`@mssql_client.mssql_parse_tds_row(data, info)`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
client consolidation 2023-12-12 09:53:37 -06:00			`#`
			`# Parse a "ret" TDS token`
			`#`
			`def mssql_parse_ret(data, info)`
			`@mssql_client.mssql_parse_ret(data, info)`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
client consolidation 2023-12-12 09:53:37 -06:00			`#`
			`# Parse a "done" TDS token`
			`#`
			`def mssql_parse_done(data, info)`
			`@mssql_client.mssql_parse_done(data, info)`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
client consolidation 2023-12-12 09:53:37 -06:00			`#`
			`# Parse an "error" TDS token`
			`#`
			`def mssql_parse_error(data, info)`
			`@mssql_client.mssql_parse_error(data, info)`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
client consolidation 2023-12-12 09:53:37 -06:00			`#`
			`# Parse an "environment change" TDS token`
			`#`
			`def mssql_parse_env(data, info)`
			`@mssql_client.mssql_parse_env(data, info)`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
client consolidation 2023-12-12 09:53:37 -06:00			`#`
			`# Parse an "information" TDS token`
			`#`
			`def mssql_parse_info(data, info)`
			`@mssql_client.mssql_parse_info(data, info)`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
client consolidation 2023-12-12 09:53:37 -06:00			`def mssql_xpcmdshell(cmd, doprint=false, opts={})`
			`@mssql_client.mssql_xpcmdshell(cmd, doprint, opts)`
Consolidate common APIs into the mixin 2009-10-18 20:58:01 +00:00			`end`
Retab lib 2013-08-30 16:28:33 -05:00
client consolidation 2023-12-12 09:53:37 -06:00			`#`
			`# Upload and execute a Windows binary through MSSQL queries`
			`#`
			`def mssql_upload_exec(exe, debug=false)`
			`@mssql_client.mssql_upload_exec(exe, debug)`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Merge in R3L1K's Powershell enhancements and powerdump code (hashdump through powershell) 2010-10-17 17:39:43 +00:00			`#`
			`# Upload and execute a Windows binary through MSSQL queries and Powershell`
			`#`
			`def powershell_upload_exec(exe, debug=false)`
client consolidation 2023-12-12 09:53:37 -06:00			`@mssql_client.powershell_upload_exec(exe, debug)`
Merge in R3L1K's Powershell enhancements and powerdump code (hashdump through powershell) 2010-10-17 17:39:43 +00:00			`end`
Retab lib 2013-08-30 16:28:33 -05:00
mssql login : enable windows authentification and add an encrypion check through tds prelogin mechanism 2011-03-27 00:24:19 +00:00			`#`
			`#this method send a prelogin packet and check if encryption is off`
			`#`
			`def mssql_prelogin(enc_error=false)`
client consolidation 2023-12-12 09:53:37 -06:00			`@mssql_client.mssql_prelogin(enc_error)`
mssql login : enable windows authentification and add an encrypion check through tds prelogin mechanism 2011-03-27 00:24:19 +00:00			`end`
Retab lib 2013-08-30 16:28:33 -05:00
Mixins 2005-11-26 11:16:50 +00:00			`#`
			`# This method connects to the server over TCP and attempts`
			`# to authenticate with the supplied username and password`
			`# The global socket is used and left connected after auth`
			`#`
client consolidation 2023-12-12 09:53:37 -06:00			`def mssql_login(user='sa', pass='', db='', domain_name='')`
			`@mssql_client \|\|= Rex::Proto::MSSQL::Client.new(self, framework, datastore['RHOST'], datastore['RPORT'])`
			`result = @mssql_client.mssql_login(user, pass, db, domain_name)`
			`add_socket(@mssql_client.sock) if @mssql_client.sock && !sockets.include?(@mssql_client.sock)`
			`result`
Fixes #379 . Massive rewrite of the MSSQL mixin. This moves everything to TDS 7.0 instead of the old crusty protocol 2009-10-18 01:17:58 +00:00			`end`
Complete overhaul of the MSSQL API, fixes 1.9 compat issues and makes the MSSQL testing easier 2009-10-13 22:24:47 +00:00
client consolidation 2023-12-12 09:53:37 -06:00			`def mssql_login_datastore(db=nil)`
			`mssql_login(datastore['USERNAME'], datastore['PASSWORD'], db \|\| datastore['DATABASE'] \|\| '', datastore['MssqlDomain'] \|\| '')`
Complete overhaul of the MSSQL API, fixes 1.9 compat issues and makes the MSSQL testing easier 2009-10-13 22:24:47 +00:00			`end`
Consolidate common APIs into the mixin 2009-10-18 20:58:01 +00:00			`#`
			`# Issue a SQL query using the TDS protocol`
			`#`
Fixes #379 . Massive rewrite of the MSSQL mixin. This moves everything to TDS 7.0 instead of the old crusty protocol 2009-10-18 01:17:58 +00:00			`def mssql_query(sqla, doprint=false, opts={})`
SQL sessions consolidation 2024-02-06 11:43:44 +00:00			`@mssql_client.query(sqla, doprint, opts)`
Complete overhaul of the MSSQL API, fixes 1.9 compat issues and makes the MSSQL testing easier 2009-10-13 22:24:47 +00:00			`end`
fixed exception when unable to connect, fixed formatting 2009-12-30 22:15:12 +00:00
Consolidate common APIs into the mixin 2009-10-18 20:58:01 +00:00			`#`
			`# Nicely print the results of a SQL query`
			`#`
Complete overhaul of the MSSQL API, fixes 1.9 compat issues and makes the MSSQL testing easier 2009-10-13 22:24:47 +00:00			`def mssql_print_reply(info)`
client consolidation 2023-12-12 09:53:37 -06:00			`@mssql_client.mssql_print_reply(info)`
			`end`
Complete overhaul of the MSSQL API, fixes 1.9 compat issues and makes the MSSQL testing easier 2009-10-13 22:24:47 +00:00
client consolidation 2023-12-12 09:53:37 -06:00			`def mssql_send_recv(req, timeout=15, check_status = true)`
			`@mssql_client.mssql_send_recv(req, timeout, check_status)`
			`end`
Retab lib 2013-08-30 16:28:33 -05:00
client consolidation 2023-12-12 09:53:37 -06:00			`#`
			`# Encrypt a password according to the TDS protocol (encode)`
			`#`
			`def mssql_tds_encrypt(pass)`
			`# Convert to unicode, swap 4 bits both ways, xor with 0xa5`
			`Rex::Text.to_unicode(pass).unpack('C').map {\|c\| (((c & 0x0f) << 4) + ((c & 0xf0) >> 4)) ^ 0xa5 }.pack("C")`
more awesomeness from tebo 2009-01-12 05:18:05 +00:00			`end`
missed part of the patch for tebo's mssql login scanner module 2009-01-12 00:26:05 +00:00			`end`
Mixins 2005-11-26 11:16:50 +00:00			`end`