Module: Msf::Exploit::Remote::MSSQL

Includes:
Exploit::Remote::NTLM::Client, Kerberos::ServiceAuthenticator::Options, Kerberos::Ticket::Storage, MSSQL_COMMANDS, Tcp, Udp
Defined in:
lib/msf/core/exploit/remote/mssql.rb

Constant Summary

ENCRYPT_OFF =

Encryption is available but off.

0x00
ENCRYPT_ON =

Encryption is available and on.

0x01
ENCRYPT_NOT_SUP =

Encryption is not available.

0x02
ENCRYPT_REQ =

Encryption is required.

0x03

Instance Attribute Summary

Attributes included from Tcp

#sock

Attributes included from Udp

#udp_sock

Instance Method Summary

Methods included from Kerberos::ServiceAuthenticator::Options

#kerberos_auth_options

Methods included from Kerberos::Ticket::Storage

#kerberos_storage_options, #kerberos_ticket_storage, store_ccache

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Methods included from Udp

#chost, #cleanup, #connect_udp, #cport, #deregister_udp_options, #disconnect_udp, #handler, #lhost, #lport, #rhost, #rport

Methods included from MSSQL_COMMANDS

#mssql_2k5_password_hashes, #mssql_2k_password_hashes, #mssql_current_user_escalation, #mssql_db_names, #mssql_enumerate_servername, #mssql_is_sysadmin, #mssql_rdp_enable, #mssql_rebuild_xpcmdshell, #mssql_sa_escalation, #mssql_sql_info, #mssql_sql_xpcmdshell_disable_2000, #mssql_xpcmdshell_disable, #mssql_xpcmdshell_enable, #mssql_xpcmdshell_enable_2000

Instance Attribute Details

#mssql_client ⇒ Object

Returns the value of attribute mssql_client.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 20

# The Rex::Proto::MSSQL::Client this module talks through.
#
# @return [Rex::Proto::MSSQL::Client, nil] nil until #create_mssql_client,
#   #mssql_login or #set_mssql_session has assigned a client
def mssql_client
  @mssql_client
end

Instance Method Details

#create_mssql_client ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 61

# Build the MSSQL client on first use and cache it in @mssql_client.
#
# The target is taken from the RHOST/RPORT datastore entries; the
# framework and this module are handed to the client for context.
#
# @return [Rex::Proto::MSSQL::Client] the cached or newly created client
def create_mssql_client
  return @mssql_client if @mssql_client

  @mssql_client = Rex::Proto::MSSQL::Client.new(self, framework, datastore['RHOST'], datastore['RPORT'])
end

#initialize(info = {}) ⇒ Object

Creates an instance of a MSSQL exploit module.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 30

# Creates an instance of a MSSQL exploit module and registers the
# datastore options, autofilter ports and service names shared by all
# MSSQL modules.
#
# @param info [Hash] module metadata, forwarded to the superclass
def initialize(info = {})
  super

  # Basic options. The defaults describe the stock 'sa' login with an
  # empty password; Msf::Exploit::Remote::MSSQL is passed as the owner
  # the options are attributed to.
  basic_options = [
    Opt::RHOST,
    Opt::RPORT(1433),
    OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),
    OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),
    OptBool.new('USE_WINDOWS_AUTHENT', [ true, 'Use windows authentication (requires DOMAIN option set)', false]),
    # OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]), - TODO: support TDS Encryption
  ]
  register_options(basic_options, Msf::Exploit::Remote::MSSQL)

  # Advanced options: the hex2binary helper script, the Windows auth
  # domain (also reachable through the 'MssqlDomain' alias) and the
  # Kerberos storage/auth options for the 'Mssql' protocol.
  advanced_options = [
    OptPath.new('HEX2BINARY',   [ false, "The path to the hex2binary script on the disk",
      File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
    ]),
    OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION'], aliases: ['MssqlDomain']),
    *kerberos_storage_options(protocol: 'Mssql'),
    *kerberos_auth_options(protocol: 'Mssql', auth_methods: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS),
  ]
  register_advanced_options(advanced_options, Msf::Exploit::Remote::MSSQL)

  register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ])
  register_autofilter_services(%w[ms-sql-s ms-sql2000 sybase])
end

#mssql_login(user = 'sa', pass = '', db = '', domain_name = '') ⇒ Object

This method connects to the server over TCP and attempts to authenticate with the supplied username and password. The global socket is used and left connected after auth.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 203

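# Connect over TCP and authenticate with the supplied credentials.
# The client's socket is left connected after authentication.
#
# The method name was lost in the rendered listing (`def (user=...)` is
# not valid Ruby); it is #mssql_login as the page heading states.
#
# @param user [String] login name, defaults to 'sa'
# @param pass [String] password, defaults to ''
# @param db [String] database to select, '' for the server default
# @param domain_name [String] domain for Windows authentication
# @return whatever the client's #mssql_login returns
def mssql_login(user='sa', pass='', db='', domain_name='')
  # Lazily build the client so callers need not call #create_mssql_client first.
  @mssql_client ||= Rex::Proto::MSSQL::Client.new(self, framework, datastore['RHOST'], datastore['RPORT'])
  result = @mssql_client.mssql_login(user, pass, db, domain_name)
  # Track the client's socket in the module's socket list exactly once.
  add_socket(@mssql_client.sock) if @mssql_client.sock && !sockets.include?(@mssql_client.sock)
  result
end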

#mssql_login_datastore(db = nil) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 210

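# Log in using the USERNAME/PASSWORD/DATABASE datastore entries.
#
# The method name and the #mssql_login call were lost in the rendered
# listing; they are restored here as the page heading names them.
# 'MssqlDomain' is the alias registered for the DOMAIN option.
#
# @param db [String, nil] database to select; falls back to DATABASE, then ''
# @return whatever #mssql_login returns
def mssql_login_datastore(db=nil)
  mssql_login(datastore['USERNAME'], datastore['PASSWORD'], db || datastore['DATABASE'] || '', datastore['MssqlDomain'] || '')
end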

#mssql_parse_done(data, info) ⇒ Object

Parse a “done” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 148

# Parse a "done" TDS token; delegates to the client, which must already
# exist in @mssql_client.
#
# @param data [String] raw token bytes
# @param info [Hash] parse state shared across tokens
# @return whatever the client's #mssql_parse_done returns
def mssql_parse_done(data, info)
  client = @mssql_client
  client.mssql_parse_done(data, info)
end

#mssql_parse_env(data, info) ⇒ Object

Parse an “environment change” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 162

# Parse an "environment change" TDS token; delegates to the client,
# which must already exist in @mssql_client.
#
# @param data [String] raw token bytes
# @param info [Hash] parse state shared across tokens
# @return whatever the client's #mssql_parse_env returns
def mssql_parse_env(data, info)
  client = @mssql_client
  client.mssql_parse_env(data, info)
end

#mssql_parse_error(data, info) ⇒ Object

Parse an “error” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 155

# Parse an "error" TDS token; delegates to the client, which must
# already exist in @mssql_client.
#
# @param data [String] raw token bytes
# @param info [Hash] parse state shared across tokens
# @return whatever the client's #mssql_parse_error returns
def mssql_parse_error(data, info)
  client = @mssql_client
  client.mssql_parse_error(data, info)
end

#mssql_parse_info(data, info) ⇒ Object

Parse an “information” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 169

# Parse an "information" TDS token; delegates to the client, which must
# already exist in @mssql_client.
#
# @param data [String] raw token bytes
# @param info [Hash] parse state shared across tokens
# @return whatever the client's #mssql_parse_info returns
def mssql_parse_info(data, info)
  client = @mssql_client
  client.mssql_parse_info(data, info)
end

#mssql_parse_reply(data, info) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 127

# Parse a server reply; delegates to the client, which must already
# exist in @mssql_client.
#
# @param data [String] raw reply bytes
# @param info [Hash] parse state shared across tokens
# @return whatever the client's #mssql_parse_reply returns
def mssql_parse_reply(data, info)
  client = @mssql_client
  client.mssql_parse_reply(data, info)
end

#mssql_parse_ret(data, info) ⇒ Object

Parse a “ret” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 141

# Parse a "ret" TDS token; delegates to the client, which must already
# exist in @mssql_client.
#
# @param data [String] raw token bytes
# @param info [Hash] parse state shared across tokens
# @return whatever the client's #mssql_parse_ret returns
def mssql_parse_ret(data, info)
  client = @mssql_client
  client.mssql_parse_ret(data, info)
end

#mssql_parse_tds_reply(data, info) ⇒ Object

Parse a TDS reply. (The description “Execute a system command via xp_cmdshell” appears to belong to #mssql_xpcmdshell; the listing below only delegates to the client's #mssql_parse_tds_reply.)



# File 'lib/msf/core/exploit/remote/mssql.rb', line 123

# Hand a raw TDS reply to the client's parser. Despite the original
# YARD text, this method does not execute anything; it only delegates.
# @mssql_client must already exist.
#
# @param data [String] raw reply bytes
# @param info [Hash] parse state shared across tokens
# @return whatever the client's #mssql_parse_tds_reply returns
def mssql_parse_tds_reply(data, info)
  client = @mssql_client
  client.mssql_parse_tds_reply(data, info)
end

#mssql_parse_tds_row(data, info) ⇒ Object

Parse a single row of a TDS reply



# File 'lib/msf/core/exploit/remote/mssql.rb', line 134

# Parse a single row of a TDS reply; delegates to the client, which
# must already exist in @mssql_client.
#
# @param data [String] raw row bytes
# @param info [Hash] parse state shared across tokens
# @return whatever the client's #mssql_parse_tds_row returns
def mssql_parse_tds_row(data, info)
  client = @mssql_client
  client.mssql_parse_tds_row(data, info)
end

#mssql_ping(timeout = 5) ⇒ Object

This method sends a UDP query packet to the server and parses out the reply packet into a hash



# File 'lib/msf/core/exploit/remote/mssql.rb', line 69

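# Send a UDP query to the SQL Server Browser port (1434) and parse the
# reply into a list of instance hashes.
#
# Fix: the socket is now closed in an +ensure+ block, so a timeout or
# read error in recvfrom no longer leaks the UDP socket.
#
# @param timeout [Integer] seconds to wait for a reply
# @return [Array<Hash>] one Hash per advertised instance (see
#   #mssql_ping_parse); an empty Hash when no reply was received
def mssql_ping(timeout=5)
  data = { }

  ping_sock = Rex::Socket::Udp.create(
    'PeerHost'  => rhost,
    'PeerPort'  => 1434,
    'Context'   =>
      {
        'Msf'        => framework,
        'MsfExploit' => self,
      })

  begin
    # Single-byte 0x02 request (CLNT_BCAST_EX in MC-SQLR) asking the
    # Browser service to enumerate instances.
    ping_sock.put("\x02")
    resp, _saddr, _sport = ping_sock.recvfrom(65535, timeout)
  ensure
    ping_sock.close
  end

  return data if resp.nil? || resp.empty?

  # The reply is attacker/target-controlled input; mssql_ping_parse only
  # splits it on delimiters and never interprets it further.
  mssql_ping_parse(resp)
end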

#mssql_ping_parse(data) ⇒ Object

Parse a ‘ping’ response and format as a hash



# File 'lib/msf/core/exploit/remote/mssql.rb', line 94

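# Parse a SQL Server Browser "ping" reply into one Hash per instance.
#
# The reply is a ';'-separated key/value list per instance, with
# instances separated by ';;' (e.g. "ServerName;HOST;InstanceName;..."),
# preceded by a short binary header.
#
# Fixes relative to the original:
# * the slice length was +data.length - 1+, which silently dropped the
#   last byte whenever 'ServerName' started at offset 0; the rest of the
#   string is taken instead;
# * key/value pairing is now per instance, so an odd token count or an
#   empty key in one instance can no longer bleed into, or swallow, the
#   tokens of the instances that follow.
#
# @param data [String] raw UDP reply
# @return [Array<Hash{String=>String}>] empty when no 'ServerName' marker is present
def mssql_ping_parse(data)
  res = []
  idx = data.index('ServerName')
  return res unless idx

  data[idx..-1].split(';;').each do |instance|
    rinst = {}
    instance.split(';').each_slice(2) do |key, value|
      # Skip empty keys and a trailing key without a value.
      next if key.empty? || value.nil?

      rinst[key] = value
    end
    res << rinst
  end

  res
end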

#mssql_prelogin(enc_error = false) ⇒ Object

This method sends a prelogin packet and checks whether encryption is off.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 194

# Send a TDS prelogin packet through the client and report on the
# server's encryption setting (see the ENCRYPT_* constants). Delegates
# to the client, which must already exist in @mssql_client.
#
# @param enc_error [Boolean] passed through to the client
# @return whatever the client's #mssql_prelogin returns
def mssql_prelogin(enc_error=false)
  client = @mssql_client
  client.mssql_prelogin(enc_error)
end

#mssql_print_reply(info) ⇒ Object

Nicely print the results of a SQL query



# File 'lib/msf/core/exploit/remote/mssql.rb', line 223

# Nicely print the results of a SQL query; delegates to the client,
# which must already exist in @mssql_client.
#
# @param info [Hash] parsed reply as produced by the parse_* methods
# @return whatever the client's #mssql_print_reply returns
def mssql_print_reply(info)
  client = @mssql_client
  client.mssql_print_reply(info)
end

#mssql_query(sqla, doprint = false, opts = {}) ⇒ Object

Issue a SQL query using the TDS protocol



# File 'lib/msf/core/exploit/remote/mssql.rb', line 216

# Issue a SQL query over TDS via the client's #query. The statement is
# forwarded as-is; there is no parameter binding at this layer, so a
# caller that builds +sqla+ from untrusted input must quote it itself.
# @mssql_client must already exist.
#
# @param sqla [String] the SQL statement
# @param doprint [Boolean] whether the client should print the reply
# @param opts [Hash] extra options for the client
# @return whatever the client's #query returns
def mssql_query(sqla, doprint=false, opts={})
  client = @mssql_client
  client.query(sqla, doprint, opts)
end

#mssql_send_recv(req, timeout = 15, check_status = true) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 227

# Send a raw TDS request and wait for the reply; delegates to the
# client, which must already exist in @mssql_client.
#
# @param req [String] request bytes
# @param timeout [Integer] seconds to wait for the reply
# @param check_status [Boolean] passed through to the client
# @return whatever the client's #mssql_send_recv returns
def mssql_send_recv(req, timeout=15, check_status = true)
  client = @mssql_client
  client.mssql_send_recv(req, timeout, check_status)
end

#mssql_tds_encrypt(pass) ⇒ Object

Encrypt a password according to the TDS protocol (encode)



# File 'lib/msf/core/exploit/remote/mssql.rb', line 234

# Encode a password the way the TDS login packet expects: convert to
# Unicode with Rex::Text.to_unicode, swap the two nibbles of every byte,
# then XOR each byte with 0xA5.
#
# This is a fixed, keyless transform, so it is obfuscation rather than
# encryption; confidentiality on the wire depends on TDS-level
# encryption (see the ENCRYPT_* constants), not on this step.
#
# @param pass [String] cleartext password
# @return [String] encoded bytes
def mssql_tds_encrypt(pass)
  Rex::Text.to_unicode(pass).each_byte.map do |byte|
    swapped = ((byte & 0x0f) << 4) | ((byte & 0xf0) >> 4)
    swapped ^ 0xa5
  end.pack('C*')
end

#mssql_upload_exec(exe, debug = false) ⇒ Object

Upload and execute a Windows binary through MSSQL queries



# File 'lib/msf/core/exploit/remote/mssql.rb', line 180

# Upload and execute a Windows binary through MSSQL queries; delegates
# to the client, which must already exist in @mssql_client.
#
# @param exe [String] binary contents
# @param debug [Boolean] passed through to the client
# @return whatever the client's #mssql_upload_exec returns
def mssql_upload_exec(exe, debug=false)
  client = @mssql_client
  client.mssql_upload_exec(exe, debug)
end

#mssql_xpcmdshell(cmd, doprint = false, opts = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 173

# Run a command through xp_cmdshell on the connected server; delegates
# to the client, which must already exist in @mssql_client.
#
# @param cmd [String] the command line
# @param doprint [Boolean] whether the client should print the reply
# @param opts [Hash] extra options for the client
# @return whatever the client's #mssql_xpcmdshell returns
def mssql_xpcmdshell(cmd, doprint=false, opts={})
  client = @mssql_client
  client.mssql_xpcmdshell(cmd, doprint, opts)
end

#powershell_upload_exec(exe, debug = false) ⇒ Object

Upload and execute a Windows binary through MSSQL queries and Powershell



# File 'lib/msf/core/exploit/remote/mssql.rb', line 187

# Upload and execute a Windows binary through MSSQL queries and
# PowerShell; delegates to the client, which must already exist in
# @mssql_client.
#
# @param exe [String] binary contents
# @param debug [Boolean] passed through to the client
# @return whatever the client's #powershell_upload_exec returns
def powershell_upload_exec(exe, debug=false)
  client = @mssql_client
  client.powershell_upload_exec(exe, debug)
end

#set_mssql_session(client) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 56

# Adopt an already-connected client instead of creating a new one.
# Presumably +client+ is the one held by the current +session+ (the
# status line names that session's sid) — confirm against the caller.
#
# @param client [Rex::Proto::MSSQL::Client] the client to reuse
# @return [Rex::Proto::MSSQL::Client] the adopted client
def set_mssql_session(client)
  sid = session.sid
  print_status("Using existing session #{sid}")
  @mssql_client = client
end