Module: Msf::Exploit::Remote::MSSQL

Includes:
Exploit::Remote::NTLM::Client, Kerberos::ServiceAuthenticator::Options, Kerberos::Ticket::Storage, MSSQL_COMMANDS, Tcp, Udp
Defined in:
lib/msf/core/exploit/remote/mssql.rb

Instance Attribute Summary

Attributes included from Tcp

#sock

Attributes included from Udp

#udp_sock

Instance Method Summary

Methods included from Kerberos::ServiceAuthenticator::Options

#kerberos_auth_options

Methods included from Kerberos::Ticket::Storage

#kerberos_storage_options, #kerberos_ticket_storage, store_ccache

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Methods included from Udp

#chost, #cleanup, #connect_udp, #cport, #deregister_udp_options, #disconnect_udp, #handler, #lhost, #lport, #rhost, #rport

Methods included from MSSQL_COMMANDS

#mssql_2k5_password_hashes, #mssql_2k_password_hashes, #mssql_current_user_escalation, #mssql_db_names, #mssql_enumerate_servername, #mssql_is_sysadmin, #mssql_rdp_enable, #mssql_rebuild_xpcmdshell, #mssql_sa_escalation, #mssql_sql_info, #mssql_sql_xpcmdshell_disable_2000, #mssql_xpcmdshell_disable, #mssql_xpcmdshell_enable, #mssql_xpcmdshell_enable_2000

Instance Attribute Details

#mssql_clientObject

Returns the value of attribute mssql_client.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 20

# The TDS client shared by the mssql_* helpers in this mixin.
#
# @return [Rex::Proto::MSSQL::Client, nil] the client created by
#   mssql_login or assigned by set_session, or nil before either ran
def mssql_client
  instance_variable_get(:@mssql_client)
end

Instance Method Details

#initialize(info = {}) ⇒ Object

Creates an instance of a MSSQL exploit module.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 25

# Creates an instance of a MSSQL exploit module.
#
# Registers the options shared by every MSSQL module (RHOST/RPORT,
# USERNAME/PASSWORD, Windows authentication), the advanced options
# (HEX2BINARY helper path, DOMAIN, plus the Kerberos ticket-storage and
# authentication options provided by the included Kerberos mixins), and
# the port/service autofilters.
#
# @param info [Hash] module metadata, passed through to the superclass
def initialize(info = {})
  super

  owner = Msf::Exploit::Remote::MSSQL

  # Basic options. USERNAME defaults to the built-in 'sa' login and
  # PASSWORD to an empty string; both are optional.
  basic_options = [
    Opt::RHOST,
    Opt::RPORT(1433),
    OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),
    OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),
    OptBool.new('USE_WINDOWS_AUTHENT', [ true, 'Use windows authentication (requires DOMAIN option set)', false]),
    # OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]), - TODO: support TDS Encryption
  ]
  register_options(basic_options, owner)

  hex2binary_default = File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
  advanced_options = [
    OptPath.new('HEX2BINARY', [ false, "The path to the hex2binary script on the disk", hex2binary_default ]),
    # The 'MssqlDomain' alias is what mssql_login_datastore reads.
    OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION'], aliases: ['MssqlDomain']),
    *kerberos_storage_options(protocol: 'Mssql'),
    *kerberos_auth_options(protocol: 'Mssql', auth_methods: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS),
  ]
  register_advanced_options(advanced_options, owner)

  register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ])
  register_autofilter_services(%w[ms-sql-s ms-sql2000 sybase])
end

#mssql_login(user = 'sa', pass = '', db = '', domain_name = '') ⇒ Object

This method connects to the server over TCP and attempts to authenticate with the supplied username and password. The global socket is used and left connected after authentication.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 194

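# Connect to the server over TCP and attempt to authenticate with the
# supplied credentials. The client (and its socket) is kept in
# @mssql_client and left connected, so later mssql_query /
# mssql_xpcmdshell calls reuse the same session.
#
# @param user [String] login name; defaults to the built-in 'sa' account
# @param pass [String] password for +user+
# @param db [String] database to select at login; '' keeps the default
# @param domain_name [String] Windows domain for Windows authentication
# @return whatever Rex::Proto::MSSQL::Client#mssql_login returns
def mssql_login(user='sa', pass='', db='', domain_name='')
  # Reuse an existing client so repeated logins share one connection.
  @mssql_client ||= Rex::Proto::MSSQL::Client.new(self, framework, datastore['RHOST'], datastore['RPORT'])
  result = @mssql_client.mssql_login(user, pass, db, domain_name)
  # Hand the client's socket to the module's socket list (presumably so
  # module cleanup closes it); skip if it is already registered.
  add_socket(@mssql_client.sock) if @mssql_client.sock && !sockets.include?(@mssql_client.sock)
  result
end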

#mssql_login_datastore(db = nil) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 201

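# Log in with the credentials from the module datastore: USERNAME,
# PASSWORD, DATABASE and DOMAIN (read through its 'MssqlDomain' alias).
#
# @param db [String, nil] database to select; nil falls back to
#   datastore['DATABASE'], and then to ''
# @return whatever mssql_login returns
def mssql_login_datastore(db=nil)
  mssql_login(
    datastore['USERNAME'],
    datastore['PASSWORD'],
    db || datastore['DATABASE'] || '',
    datastore['MssqlDomain'] || ''
  )
end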

#mssql_parse_done(data, info) ⇒ Object

Parse a “done” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 139

# Parse a "done" TDS token.
#
# Thin wrapper over the client held in @mssql_client; raises
# NoMethodError on nil if no client has been created yet.
#
# @param data raw reply data, passed through unchanged
# @param info parse state, passed through unchanged
# @return whatever the client's mssql_parse_done returns
def mssql_parse_done(data, info)
  client = @mssql_client
  client.mssql_parse_done(data, info)
end

#mssql_parse_env(data, info) ⇒ Object

Parse an “environment change” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 153

# Parse an "environment change" TDS token.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param data raw reply data, passed through unchanged
# @param info parse state, passed through unchanged
# @return whatever the client's mssql_parse_env returns
def mssql_parse_env(data, info)
  client = @mssql_client
  client.mssql_parse_env(data, info)
end

#mssql_parse_error(data, info) ⇒ Object

Parse an “error” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 146

# Parse an "error" TDS token.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param data raw reply data, passed through unchanged
# @param info parse state, passed through unchanged
# @return whatever the client's mssql_parse_error returns
def mssql_parse_error(data, info)
  client = @mssql_client
  client.mssql_parse_error(data, info)
end

#mssql_parse_info(data, info) ⇒ Object

Parse an “information” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 160

# Parse an "information" TDS token.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param data raw reply data, passed through unchanged
# @param info parse state, passed through unchanged
# @return whatever the client's mssql_parse_info returns
def mssql_parse_info(data, info)
  client = @mssql_client
  client.mssql_parse_info(data, info)
end

#mssql_parse_reply(data, info) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 118

# Parse a server reply.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param data raw reply data, passed through unchanged
# @param info parse state, passed through unchanged
# @return whatever the client's mssql_parse_reply returns
def mssql_parse_reply(data, info)
  client = @mssql_client
  client.mssql_parse_reply(data, info)
end

#mssql_parse_ret(data, info) ⇒ Object

Parse a “ret” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 132

# Parse a "ret" TDS token.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param data raw reply data, passed through unchanged
# @param info parse state, passed through unchanged
# @return whatever the client's mssql_parse_ret returns
def mssql_parse_ret(data, info)
  client = @mssql_client
  client.mssql_parse_ret(data, info)
end

#mssql_parse_tds_reply(data, info) ⇒ Object

Parse a TDS reply



# File 'lib/msf/core/exploit/remote/mssql.rb', line 114

# Parse a TDS reply.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil. (The generated docs labelled this method
# "Execute a system command via xp_cmdshell"; that describes
# mssql_xpcmdshell, not this parser.)
#
# @param data raw reply data, passed through unchanged
# @param info parse state, passed through unchanged
# @return whatever the client's mssql_parse_tds_reply returns
def mssql_parse_tds_reply(data, info)
  client = @mssql_client
  client.mssql_parse_tds_reply(data, info)
end

#mssql_parse_tds_row(data, info) ⇒ Object

Parse a single row of a TDS reply



# File 'lib/msf/core/exploit/remote/mssql.rb', line 125

# Parse a single row of a TDS reply.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param data raw reply data, passed through unchanged
# @param info parse state, passed through unchanged
# @return whatever the client's mssql_parse_tds_row returns
def mssql_parse_tds_row(data, info)
  client = @mssql_client
  client.mssql_parse_tds_row(data, info)
end

#mssql_ping(timeout = 5) ⇒ Object

This method sends a UDP query packet to the server and parses out the reply packet into a hash



# File 'lib/msf/core/exploit/remote/mssql.rb', line 60

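# Send the single-byte UDP "ping" (0x02) to port 1434 on rhost and parse
# the instance list out of the reply.
#
# @param timeout [Integer] seconds to wait for the UDP reply
# @return [Array<Hash>, Hash] the instances as produced by
#   mssql_ping_parse (an Array of Hashes); an empty Hash when no reply,
#   or an empty reply, arrived before the timeout. NOTE(review): the two
#   "nothing found" shapes differ ({} here, [] from mssql_ping_parse);
#   callers should only rely on each/empty?.
def mssql_ping(timeout=5)
  data = {}

  ping_sock = Rex::Socket::Udp.create(
    'PeerHost'  => rhost,
    'PeerPort'  => 1434,
    'Context'   =>
      {
        'Msf'        => framework,
        'MsfExploit' => self,
      })

  begin
    ping_sock.put("\x02")
    resp, _saddr, _sport = ping_sock.recvfrom(65535, timeout)
  ensure
    # Close even when put/recvfrom raise, so a failed probe does not
    # leak the UDP socket.
    ping_sock.close
  end

  # Timed out, or an empty datagram.
  return data if resp.nil? || resp.empty?

  # The reply is untrusted network data; mssql_ping_parse only splits it
  # on delimiters.
  mssql_ping_parse(resp)
end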

#mssql_ping_parse(data) ⇒ Object

Parse a 'ping' response and format as a hash



# File 'lib/msf/core/exploit/remote/mssql.rb', line 85

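# Parse a 'ping' response and format each advertised instance as a hash.
#
# The reply body is a run of ';'-separated key/value fields with one
# instance per ';;'-terminated record, e.g.
# "ServerName;HOST;InstanceName;X;tcp;1433;;". Everything before the
# first "ServerName" marker (the reply header) is skipped.
#
# @param data [String] raw UDP reply; untrusted, only ever split on
#   delimiters
# @return [Array<Hash{String=>String}>] one Hash per instance; empty when
#   the reply has no "ServerName" marker
def mssql_ping_parse(data)
  res = []
  idx = data.index('ServerName')
  return res unless idx

  # Open-ended slice: the previous `data[idx, data.length - 1]` form
  # dropped the final byte whenever idx was 0.
  sdata = data[idx..-1]

  sdata.split(';;').each do |instance|
    rinst = {}
    # Pair fields positionally. Pairing restarts for every record, so a
    # dangling key in one record is no longer applied to the next one,
    # and an empty key no longer silently discards every later field.
    instance.split(';').each_slice(2) do |key, value|
      next if key.empty? || value.nil?
      rinst[key] = value
    end
    res << rinst
  end

  res
end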

#mssql_prelogin(enc_error = false) ⇒ Object

This method sends a prelogin packet and checks whether encryption is off.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 185

# Send a prelogin packet and check whether encryption is off.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param enc_error [Boolean] passed through to the client; its exact
#   effect (presumably how an encryption mismatch is reported) is
#   defined there
# @return whatever the client's mssql_prelogin returns
def mssql_prelogin(enc_error=false)
  client = @mssql_client
  client.mssql_prelogin(enc_error)
end

#mssql_print_reply(info) ⇒ Object

Nicely print the results of a SQL query



# File 'lib/msf/core/exploit/remote/mssql.rb', line 214

# Nicely print the results of a SQL query.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param info the parsed query results, passed through unchanged
# @return whatever the client's mssql_print_reply returns
def mssql_print_reply(info)
  client = @mssql_client
  client.mssql_print_reply(info)
end

#mssql_query(sqla, doprint = false, opts = {}) ⇒ Object

Issue a SQL query using the TDS protocol



# File 'lib/msf/core/exploit/remote/mssql.rb', line 207

# Issue a SQL query using the TDS protocol.
#
# The query text is handed to the client as given; nothing here quotes
# or parameterises it, so any values a caller interpolates into +sqla+
# are the caller's responsibility. Delegates to the client in
# @mssql_client; a missing client raises NoMethodError on nil.
#
# @param sqla [String] the SQL text to send
# @param doprint [Boolean] passed through; presumably whether to print
#   the reply
# @param opts [Hash] extra options, passed through unchanged
# @return whatever the client's query returns
def mssql_query(sqla, doprint=false, opts={})
  client = @mssql_client
  client.query(sqla, doprint, opts)
end

#mssql_send_recv(req, timeout = 15, check_status = true) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 218

# Send a raw TDS request and receive the reply.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param req the request to send, passed through unchanged
# @param timeout [Integer] seconds to wait, passed through
# @param check_status [Boolean] passed through; presumably whether the
#   client validates the reply's status before returning
# @return whatever the client's mssql_send_recv returns
def mssql_send_recv(req, timeout=15, check_status = true)
  client = @mssql_client
  client.mssql_send_recv(req, timeout, check_status)
end

#mssql_tds_encrypt(pass) ⇒ Object

Encrypt a password according to the TDS protocol (encode)



# File 'lib/msf/core/exploit/remote/mssql.rb', line 225

# Encode a password the way the TDS login packet expects: convert it
# with Rex::Text.to_unicode, then for every byte swap the two nibbles
# and XOR with 0xa5.
#
# Despite the name this is a fixed, reversible transformation, not
# encryption: it hides nothing from anyone who can read the TDS stream.
# Confidentiality on the wire would need TDS encryption (see the
# TDSENCRYPTION TODO in initialize).
#
# @param pass [String] the plaintext password
# @return [String] the encoded bytes (binary string)
def mssql_tds_encrypt(pass)
  encoded = Rex::Text.to_unicode(pass).each_byte.map { |byte|
    swapped = ((byte & 0x0f) << 4) | (byte >> 4)
    swapped ^ 0xa5
  }
  encoded.pack('C*')
end

#mssql_upload_exec(exe, debug = false) ⇒ Object

Upload and execute a Windows binary through MSSQL queries



# File 'lib/msf/core/exploit/remote/mssql.rb', line 171

# Upload and execute a Windows binary through MSSQL queries.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param exe the binary to upload, passed through unchanged
# @param debug [Boolean] passed through to the client
# @return whatever the client's mssql_upload_exec returns
def mssql_upload_exec(exe, debug=false)
  client = @mssql_client
  client.mssql_upload_exec(exe, debug)
end

#mssql_xpcmdshell(cmd, doprint = false, opts = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 164

# Run a command on the server through the xp_cmdshell extended procedure.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param cmd [String] the command line, passed through unchanged
# @param doprint [Boolean] passed through; presumably whether to print
#   the output
# @param opts [Hash] extra options, passed through unchanged
# @return whatever the client's mssql_xpcmdshell returns
def mssql_xpcmdshell(cmd, doprint=false, opts={})
  client = @mssql_client
  client.mssql_xpcmdshell(cmd, doprint, opts)
end

#powershell_upload_exec(exe, debug = false) ⇒ Object

Upload and execute a Windows binary through MSSQL queries and Powershell



# File 'lib/msf/core/exploit/remote/mssql.rb', line 178

# Upload and execute a Windows binary through MSSQL queries and Powershell.
#
# Delegates to the client in @mssql_client; a missing client raises
# NoMethodError on nil.
#
# @param exe the binary to upload, passed through unchanged
# @param debug [Boolean] passed through to the client
# @return whatever the client's powershell_upload_exec returns
def powershell_upload_exec(exe, debug=false)
  client = @mssql_client
  client.powershell_upload_exec(exe, debug)
end

#set_session(client) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 51

# Adopt an already-established client instead of logging in again.
#
# Reports the id of the module's current session (via +session.sid+)
# and stores +client+ as the mixin's @mssql_client. NOTE(review): the
# message reads session.sid while the stored object is the +client+
# argument; confirm the two always belong together.
#
# @param client [Rex::Proto::MSSQL::Client] the client to reuse
# @return [Object] +client+ (the value of the assignment)
def set_session(client)
  sid = session.sid
  print_status("Using existing session #{sid}")
  @mssql_client = client
end