Module: Msf::Exploit::Remote::MSSQL

Includes:
Exploit::Remote::NTLM::Client, Kerberos::ServiceAuthenticator::Options, Kerberos::Ticket::Storage, MSSQL_COMMANDS, Tcp, Udp
Defined in:
lib/msf/core/exploit/remote/mssql.rb

Constant Summary

ENCRYPT_OFF =

Encryption is available but off.

0x00
ENCRYPT_ON =

Encryption is available and on.

0x01
ENCRYPT_NOT_SUP =

Encryption is not available.

0x02
ENCRYPT_REQ =

Encryption is required.

0x03

Instance Attribute Summary

Attributes included from Tcp

#sock

Attributes included from Udp

#udp_sock

Instance Method Summary

Methods included from Kerberos::ServiceAuthenticator::Options

#kerberos_auth_options

Methods included from Kerberos::Ticket::Storage

#kerberos_storage_options, #kerberos_ticket_storage, store_ccache

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #replicant, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version, #sslkeylogfile

Methods included from Udp

#chost, #cleanup, #connect_udp, #cport, #deregister_udp_options, #disconnect_udp, #handler, #lhost, #lport, #rhost, #rport

Methods included from MSSQL_COMMANDS

#mssql_2k5_password_hashes, #mssql_2k_password_hashes, #mssql_current_user_escalation, #mssql_db_names, #mssql_enumerate_servername, #mssql_is_sysadmin, #mssql_rdp_enable, #mssql_rebuild_xpcmdshell, #mssql_sa_escalation, #mssql_sql_info, #mssql_sql_xpcmdshell_disable_2000, #mssql_xpcmdshell_disable, #mssql_xpcmdshell_enable, #mssql_xpcmdshell_enable_2000

Instance Attribute Details

#mssql_client ⇒ Object

Returns the value of attribute mssql_client.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 20

# The Rex::Proto::MSSQL::Client this module talks through.
#
# Nil until one of #create_mssql_client, #mssql_login or #set_mssql_session has
# set it; the other mssql_* helpers dereference it without a nil check, so call
# one of those first.
#
# @return [Rex::Proto::MSSQL::Client, nil]
def mssql_client
  @mssql_client
end

Instance Method Details

#create_mssql_client ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 60

# Lazily build the MSSQL client bound to RHOST/RPORT and to this module (the
# module reference lets the framework track and clean up the client's socket).
#
# Idempotent: an already-present client is returned untouched, which matters
# after #set_mssql_session has injected one from an existing session.
#
# @return [Rex::Proto::MSSQL::Client]
def create_mssql_client
  return @mssql_client if @mssql_client

  @mssql_client = Rex::Proto::MSSQL::Client.new(self, framework, datastore['RHOST'], datastore['RPORT'])
end

#initialize(info = {}) ⇒ Object

Creates an instance of an MSSQL exploit module and registers the options shared by all MSSQL modules.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 30

# Creates an instance of an MSSQL exploit module.
#
# Registers the TCP target, credential, Kerberos and helper-script options that
# every module mixing this in can use, and the default autofilter ports/services.
#
# @param info [Hash] module info, passed through to the superclass
def initialize(info = {})
  super

  # Register the options that all MSSQL exploits may make use of.
  register_options(
    [
      Opt::RHOST,
      Opt::RPORT(1433),
      # Defaults to the built-in 'sa' login with an empty password. Handy for
      # weak-credential checks, but nothing here forces the operator to set
      # PASSWORD deliberately.
      OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),
      OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),
      # NOTE(review): with TDS encryption unsupported, the TDS session presumably
      # runs without TLS (#mssql_prelogin checks that encryption is off), so the
      # password crosses the wire protected only by the reversible TDS7 encoding
      # (#mssql_tds_encrypt) -- confirm against Rex::Proto::MSSQL::Client.
      # OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]), - TODO: support TDS Encryption
    ], Msf::Exploit::Remote::MSSQL)
  register_advanced_options(
    [
      # Local path (framework data directory, not the target) of the hex2binary
      # helper script; presumably consumed by the upload helpers -- verify in the client.
      OptPath.new('HEX2BINARY',   [ false, "The path to the hex2binary script on the disk",
        File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
      ]),
      # #mssql_login_datastore reads this option through its 'MssqlDomain' alias.
      OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', ''], aliases: ['MssqlDomain']),
      *kerberos_storage_options(protocol: 'Mssql'),
      *kerberos_auth_options(protocol: 'Mssql', auth_methods: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS),
    ], Msf::Exploit::Remote::MSSQL)
  # Ports and service names on which the framework's autofilter considers
  # modules using this mixin applicable.
  register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ])
  register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })
end

#mssql_login(user = 'sa', pass = '', db = '', domain_name = '') ⇒ Object

This method connects to the server over TCP and attempts to authenticate with the supplied username and password. The client's socket is registered with the module and left connected after authentication so later queries reuse it.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 202

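# Connect to the server over TCP and authenticate with the supplied credentials.
#
# The client is created on first use (same lazy construction as
# #create_mssql_client, reused here so there is one construction site) and
# stays connected after authentication so later mssql_query/mssql_xpcmdshell
# calls reuse it. Its socket is registered with the module (add_socket) so the
# framework's cleanup closes it.
#
# Security note: until TDS encryption is supported (TODO in #initialize) the
# password presumably travels protected only by the reversible TDS7 encoding
# (#mssql_tds_encrypt); treat it as exposed to anyone on the network path.
#
# The listing had lost the method and client-call names ("def (user=...)",
# "@mssql_client.(...)"); they are restored from the documented signature.
#
# @param user [String] login name (default 'sa')
# @param pass [String] password
# @param db [String] initial database ('' for the login's default)
# @param domain_name [String] Windows domain for NTLM/Kerberos authentication
# @return whatever the client's login returns (presumably true/false -- see Rex::Proto::MSSQL::Client)
def mssql_login(user='sa', pass='', db='', domain_name='')
  create_mssql_client
  result = @mssql_client.mssql_login(user, pass, db, domain_name)
  # Register the socket exactly once so module cleanup can close it.
  add_socket(@mssql_client.sock) if @mssql_client.sock && !sockets.include?(@mssql_client.sock)
  result
end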

#mssql_login_datastore(db = nil) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 209

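# Authenticate using USERNAME / PASSWORD / DATABASE / DOMAIN from the datastore.
#
# 'MssqlDomain' is the alias of the DOMAIN advanced option registered in
# #initialize. DATABASE is not registered by this mixin; modules that want a
# non-default database must register it themselves or pass +db+.
#
# The listing had lost the method and call names ("def (db=nil)"); they are
# restored from the documented signature.
#
# @param db [String, nil] database override; falls back to datastore['DATABASE'], then ''
# @return whatever #mssql_login returns
def mssql_login_datastore(db=nil)
  mssql_login(
    datastore['USERNAME'],
    datastore['PASSWORD'],
    db || datastore['DATABASE'] || '',
    datastore['MssqlDomain'] || ''
  )
end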

#mssql_parse_done(data, info) ⇒ Object

Parse a “done” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 147

# Parse a DONE TDS token out of +data+ into +info+, delegating to the client.
#
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param data [String] remaining reply bytes
# @param info [Hash] accumulated parse state, updated by the client
# @return whatever the client's parser returns
def mssql_parse_done(data, info)
  client = @mssql_client
  client.mssql_parse_done(data, info)
end

#mssql_parse_env(data, info) ⇒ Object

Parse an “environment change” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 161

# Parse an ENVCHANGE ("environment change") TDS token, delegating to the client.
#
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param data [String] remaining reply bytes
# @param info [Hash] accumulated parse state, updated by the client
# @return whatever the client's parser returns
def mssql_parse_env(data, info)
  client = @mssql_client
  client.mssql_parse_env(data, info)
end

#mssql_parse_error(data, info) ⇒ Object

Parse an “error” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 154

# Parse an ERROR TDS token, delegating to the client.
#
# Server error text is attacker-influenced data from the wire; the client
# accumulates it into +info+ and callers should treat it as untrusted output.
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param data [String] remaining reply bytes
# @param info [Hash] accumulated parse state, updated by the client
# @return whatever the client's parser returns
def mssql_parse_error(data, info)
  client = @mssql_client
  client.mssql_parse_error(data, info)
end

#mssql_parse_info(data, info) ⇒ Object

Parse an “information” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 168

# Parse an INFO ("information") TDS token, delegating to the client.
#
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param data [String] remaining reply bytes
# @param info [Hash] accumulated parse state, updated by the client
# @return whatever the client's parser returns
def mssql_parse_info(data, info)
  client = @mssql_client
  client.mssql_parse_info(data, info)
end

#mssql_parse_reply(data, info) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 126

# Parse a server reply into +info+, delegating to the client's mssql_parse_reply.
#
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param data [String] raw reply bytes
# @param info [Hash] accumulated parse state, updated by the client
# @return whatever the client's parser returns
def mssql_parse_reply(data, info)
  client = @mssql_client
  client.mssql_parse_reply(data, info)
end

#mssql_parse_ret(data, info) ⇒ Object

Parse a “ret” TDS token



# File 'lib/msf/core/exploit/remote/mssql.rb', line 140

# Parse a RETURNSTATUS ("ret") TDS token, delegating to the client.
#
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param data [String] remaining reply bytes
# @param info [Hash] accumulated parse state, updated by the client
# @return whatever the client's parser returns
def mssql_parse_ret(data, info)
  client = @mssql_client
  client.mssql_parse_ret(data, info)
end

#mssql_parse_tds_reply(data, info) ⇒ Object

Parse a TDS reply (delegates to the MSSQL client's mssql_parse_tds_reply). The previous description ("Execute a system command via xp_cmdshell") belonged to #mssql_xpcmdshell.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 122

# Parse a TDS reply into +info+, delegating to the client's mssql_parse_tds_reply.
# (Despite the original doc comment, this does not run anything via xp_cmdshell.)
#
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param data [String] raw TDS reply bytes
# @param info [Hash] accumulated parse state, updated by the client
# @return whatever the client's parser returns
def mssql_parse_tds_reply(data, info)
  client = @mssql_client
  client.mssql_parse_tds_reply(data, info)
end

#mssql_parse_tds_row(data, info) ⇒ Object

Parse a single row of a TDS reply



# File 'lib/msf/core/exploit/remote/mssql.rb', line 133

# Parse a single ROW token of a TDS reply, delegating to the client.
#
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param data [String] remaining reply bytes
# @param info [Hash] accumulated parse state (column metadata, rows), updated by the client
# @return whatever the client's parser returns
def mssql_parse_tds_row(data, info)
  client = @mssql_client
  client.mssql_parse_tds_row(data, info)
end

#mssql_ping(timeout = 5) ⇒ Object

This method sends a UDP query packet to the SQL Server Browser service (port 1434) and parses the reply into an Array of Hashes, one per advertised instance (see #mssql_ping_parse). An empty Hash is returned when no reply arrives.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 68

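# Query the SQL Server Browser service on rhost (UDP/1434) for its instances.
#
# A single 0x02 byte is sent (the Browser's "list all instances" request, per
# MC-SQLR) and the reply, if any, is handed to #mssql_ping_parse.
#
# Security notes: the Browser reply is unauthenticated UDP, so it can be
# spoofed, truncated or withheld; treat the result as an enumeration hint,
# not as ground truth about the host. The socket is now closed on every path
# (the previous version leaked it if put/recvfrom raised).
#
# @param timeout [Integer] seconds to wait for the reply
# @return [Array<Hash>] one Hash per instance on success; an empty Hash ({})
#   when no (or an empty) reply arrived -- kept for backward compatibility,
#   both shapes respond to #empty? and #each
def mssql_ping(timeout=5)
  ping_sock = Rex::Socket::Udp.create(
    'PeerHost'  => rhost,
    'PeerPort'  => 1434,
    'Context'   =>
      {
        'Msf'        => framework,
        'MsfExploit' => self,
      })

  begin
    ping_sock.put("\x02")
    resp, _saddr, _sport = ping_sock.recvfrom(65535, timeout)
  ensure
    # Release the socket even when the send or the timed receive raises.
    ping_sock.close
  end

  return {} if resp.nil? || resp.empty?

  mssql_ping_parse(resp)
end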

#mssql_ping_parse(data) ⇒ Object

Parse a SQL Server Browser ‘ping’ response into an Array of Hashes, one per advertised instance (keys such as ServerName, InstanceName, Version, tcp).



# File 'lib/msf/core/exploit/remote/mssql.rb', line 93

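# Parse the text of a SQL Server Browser (UDP/1434) reply into one Hash per
# advertised instance, e.g.
#   [{"ServerName"=>"SQL01", "InstanceName"=>"MSSQLSERVER", "tcp"=>"1433", ...}]
# Instances are separated by ";;", and key/value fields within an instance by ";".
#
# Security note: the reply is unauthenticated, spoofable UDP, so every key and
# value here is attacker-controlled text -- do not assume e.g. "tcp" is a valid
# port or that "Version" is well-formed.
#
# Fixes over the previous version:
# * the pairing state was carried across instances, so an instance with an odd
#   field count shifted every key of the following instance; pairing now restarts
#   per instance (each_slice);
# * an empty key stalled parsing of all remaining fields; it is now skipped;
# * the slice length `data.length - 1` dropped the last byte when the marker sat
#   at offset 0; the payload is now taken through to the end.
#
# @param data [String] raw UDP payload (a short binary header precedes the text)
# @return [Array<Hash>] one Hash per instance; [] when no "ServerName" marker is present
def mssql_ping_parse(data)
  res = []
  idx = data.index('ServerName')
  return res unless idx

  data[idx..-1].split(';;').each do |instance|
    rinst = {}
    instance.split(';').each_slice(2) do |key, value|
      # A dangling key (odd field count) or an empty key is dropped rather than
      # allowed to corrupt the remaining pairs.
      next if key.empty? || value.nil?

      rinst[key] = value
    end
    res << rinst
  end

  res
end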

#mssql_prelogin(enc_error = false) ⇒ Object

This method sends a TDS PRELOGIN packet and checks whether encryption is off (see the ENCRYPT_* constants); a server requiring encryption (ENCRYPT_REQ) cannot be handled until TDS encryption is supported.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 193

# Send the TDS PRELOGIN packet and check whether encryption is off, delegating
# to the client.
#
# The negotiated state maps onto this module's ENCRYPT_OFF / ENCRYPT_ON /
# ENCRYPT_NOT_SUP / ENCRYPT_REQ constants. A server answering ENCRYPT_REQ wants
# TLS, which this mixin does not yet support (TDSENCRYPTION TODO in #initialize).
# +enc_error+ presumably selects whether that case is reported as an error --
# confirm in Rex::Proto::MSSQL::Client.
#
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param enc_error [Boolean]
# @return whatever the client's mssql_prelogin returns
def mssql_prelogin(enc_error=false)
  client = @mssql_client
  client.mssql_prelogin(enc_error)
end

#mssql_print_reply(info) ⇒ Object

Nicely print the results of a SQL query



# File 'lib/msf/core/exploit/remote/mssql.rb', line 222

# Print the parsed result of a SQL query (+info+ as filled by the parse
# helpers) in a readable form, delegating to the client.
#
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param info [Hash] parsed reply state
# @return whatever the client's printer returns
def mssql_print_reply(info)
  client = @mssql_client
  client.mssql_print_reply(info)
end

#mssql_query(sqla, doprint = false, opts = {}) ⇒ Object

Issue a SQL query using the TDS protocol



# File 'lib/msf/core/exploit/remote/mssql.rb', line 215

# Issue a T-SQL batch over TDS, delegating to the client's #query.
#
# Security note: +sqla+ is sent as a raw SQL batch; there is no parameter
# binding at this layer, so any value interpolated into it by the caller must be
# quoted/escaped by the caller (doubling single quotes at minimum).
#
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param sqla [String] the SQL text
# @param doprint [Boolean] print the result when true
# @param opts [Hash] passed through to the client
# @return whatever the client's query returns
def mssql_query(sqla, doprint=false, opts={})
  client = @mssql_client
  client.query(sqla, doprint, opts)
end

#mssql_send_recv(req, timeout = 15, check_status = true) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 226

# Send a raw TDS request and read the reply, delegating to the client.
#
# Requires @mssql_client to be set (#create_mssql_client, #mssql_login or
# #set_mssql_session); otherwise this raises NoMethodError on nil.
#
# @param req [String] raw TDS packet bytes
# @param timeout [Integer] read timeout in seconds
# @param check_status [Boolean] presumably validates the reply's TDS status byte -- confirm in the client
# @return whatever the client's mssql_send_recv returns
def mssql_send_recv(req, timeout=15, check_status = true)
  client = @mssql_client
  client.mssql_send_recv(req, timeout, check_status)
end

#mssql_tds_encrypt(pass) ⇒ Object

Obfuscate a password with the TDS LOGIN7 password encoding: widen to UTF-16LE, swap the nibbles of each byte, XOR with 0xA5. This is a fixed, keyless, reversible encoding — not encryption.



# File 'lib/msf/core/exploit/remote/mssql.rb', line 233

def mssql_tds_encrypt(pass)
  # Convert to unicode, swap 4 bits both ways, xor with 0xa5
  Rex::Text.to_unicode(pass).unpack('C*').map {|c| (((c & 0x0f) << 4) + ((c & 0xf0) >> 4)) ^ 0xa5 }.pack("C*")
end

#mssql_upload_exec(exe, debug = false) ⇒ Object

Upload and execute a Windows binary through MSSQL queries



# File 'lib/msf/core/exploit/remote/mssql.rb', line 179

# Upload a Windows binary to the SQL Server host through SQL queries and run
# it, delegating to the client.
#
# Requires an authenticated @mssql_client (#mssql_login or #set_mssql_session);
# otherwise this raises NoMethodError on nil.
#
# @param exe [String] the binary to upload (presumably raw PE bytes -- confirm in the client)
# @param debug [Boolean] verbose output when true
# @return whatever the client's mssql_upload_exec returns
def mssql_upload_exec(exe, debug=false)
  client = @mssql_client
  client.mssql_upload_exec(exe, debug)
end

#mssql_xpcmdshell(cmd, doprint = false, opts = {}) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 172

# Execute an OS command on the SQL Server host via xp_cmdshell, delegating to
# the client.
#
# Security note: +cmd+ ends up inside a T-SQL statement; there is no parameter
# binding here, so quotes in +cmd+ must be escaped by the caller (presumably --
# confirm in Rex::Proto::MSSQL::Client#mssql_xpcmdshell). xp_cmdshell is
# disabled by default on modern servers; see MSSQL_COMMANDS#mssql_xpcmdshell_enable.
#
# Requires an authenticated @mssql_client (#mssql_login or #set_mssql_session);
# otherwise this raises NoMethodError on nil.
#
# @param cmd [String] command line to run
# @param doprint [Boolean] print the output when true
# @param opts [Hash] passed through to the client
# @return whatever the client's mssql_xpcmdshell returns
def mssql_xpcmdshell(cmd, doprint=false, opts={})
  client = @mssql_client
  client.mssql_xpcmdshell(cmd, doprint, opts)
end

#powershell_upload_exec(exe, debug = false) ⇒ Object

Upload and execute a Windows binary through MSSQL queries and Powershell



# File 'lib/msf/core/exploit/remote/mssql.rb', line 186

# Upload a Windows binary to the SQL Server host through SQL queries and run
# it via PowerShell, delegating to the client.
#
# Requires an authenticated @mssql_client (#mssql_login or #set_mssql_session);
# otherwise this raises NoMethodError on nil.
#
# @param exe [String] the binary to upload (presumably raw PE bytes -- confirm in the client)
# @param debug [Boolean] verbose output when true
# @return whatever the client's powershell_upload_exec returns
def powershell_upload_exec(exe, debug=false)
  client = @mssql_client
  client.powershell_upload_exec(exe, debug)
end

#set_mssql_session(client) ⇒ Object



# File 'lib/msf/core/exploit/remote/mssql.rb', line 55

# Adopt an already-authenticated client from an existing MSSQL session instead
# of opening a new connection.
#
# No (re)authentication happens here: later queries run with whatever
# privileges that session already holds. Relies on +session+ being provided by
# the module's session-handling mixin.
#
# @param client [Rex::Proto::MSSQL::Client] the session's client
# @return [Rex::Proto::MSSQL::Client] the adopted client
def set_mssql_session(client)
  sid = session.sid
  print_status("Using existing session #{sid}")
  @mssql_client = client
end