2014-05-07 19:43:15 +00:00
|
|
|
require 'metasploit/framework/tcp/client'
|
2015-06-22 03:10:59 +00:00
|
|
|
require 'metasploit/framework/mssql/tdssslproxy'
|
2014-05-07 19:43:15 +00:00
|
|
|
|
2014-05-06 16:59:21 +00:00
|
|
|
module Metasploit
|
|
|
|
module Framework
|
|
|
|
module MSSQL
|
|
|
|
|
|
|
|
module Client
|
2014-10-21 16:09:39 +00:00
|
|
|
extend ActiveSupport::Concern
|
2014-05-06 16:59:21 +00:00
|
|
|
include Metasploit::Framework::Tcp::Client
|
|
|
|
|
|
|
|
# Encryption
|
|
|
|
ENCRYPT_OFF = 0x00 #Encryption is available but off.
|
|
|
|
ENCRYPT_ON = 0x01 #Encryption is available and on.
|
|
|
|
ENCRYPT_NOT_SUP = 0x02 #Encryption is not available.
|
|
|
|
ENCRYPT_REQ = 0x03 #Encryption is required.
|
|
|
|
|
2014-05-08 18:42:52 +00:00
|
|
|
# Packet Type
|
2016-07-05 22:05:42 +00:00
|
|
|
TYPE_SQL_BATCH = 1 # (Client) SQL command
|
|
|
|
TYPE_PRE_TDS7_LOGIN = 2 # (Client) Pre-login with version < 7 (unused)
|
|
|
|
TYPE_RPC = 3 # (Client) RPC
|
|
|
|
TYPE_TABLE_RESPONSE = 4 # (Server) Pre-Login Response ,Login Response, Row Data, Return Status, Return Parameters,
|
2014-05-06 16:59:21 +00:00
|
|
|
# Request Completion, Error and Info Messages, Attention Acknowledgement
|
2016-07-05 22:05:42 +00:00
|
|
|
TYPE_ATTENTION_SIGNAL = 6 # (Client) Attention
|
|
|
|
TYPE_BULK_LOAD = 7 # (Client) SQL Command with binary data
|
2014-05-06 16:59:21 +00:00
|
|
|
TYPE_TRANSACTION_MANAGER_REQUEST = 14 # (Client) Transaction request manager
|
2016-07-05 22:05:42 +00:00
|
|
|
TYPE_TDS7_LOGIN = 16 # (Client) Login
|
|
|
|
TYPE_SSPI_MESSAGE = 17 # (Client) Login
|
|
|
|
TYPE_PRE_LOGIN_MESSAGE = 18 # (Client) pre-login with version > 7
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
# Status
|
2016-07-05 22:05:42 +00:00
|
|
|
STATUS_NORMAL = 0x00
|
|
|
|
STATUS_END_OF_MESSAGE = 0x01
|
|
|
|
STATUS_IGNORE_EVENT = 0x02
|
|
|
|
STATUS_RESETCONNECTION = 0x08 # TDS 7.1+
|
2014-05-06 16:59:21 +00:00
|
|
|
STATUS_RESETCONNECTIONSKIPTRAN = 0x10 # TDS 7.3+
|
|
|
|
|
|
|
|
#
|
|
|
|
# This method connects to the server over TCP and attempts
|
|
|
|
# to authenticate with the supplied username and password
|
|
|
|
# The global socket is used and left connected after auth
|
|
|
|
#
|
2014-05-07 16:41:49 +00:00
|
|
|
def mssql_login(user='sa', pass='', db='', domain_name='')
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
disconnect if self.sock
|
|
|
|
connect
|
2016-01-07 23:57:32 +00:00
|
|
|
mssql_prelogin
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2014-05-07 16:41:49 +00:00
|
|
|
if windows_authentication
|
2014-05-06 16:59:21 +00:00
|
|
|
idx = 0
|
|
|
|
pkt = ''
|
|
|
|
pkt_hdr = ''
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt_hdr = [
|
2014-05-06 16:59:21 +00:00
|
|
|
TYPE_TDS7_LOGIN, #type
|
|
|
|
STATUS_END_OF_MESSAGE, #status
|
|
|
|
0x0000, #length
|
|
|
|
0x0000, # SPID
|
2016-07-05 22:05:42 +00:00
|
|
|
0x01, # PacketID (unused upon specification
|
2014-05-06 16:59:21 +00:00
|
|
|
# but ms network monitor stil prefer 1 to decode correctly, wireshark don't care)
|
2016-07-05 22:05:42 +00:00
|
|
|
0x00 #Window
|
2014-05-06 16:59:21 +00:00
|
|
|
]
|
|
|
|
|
|
|
|
pkt << [
|
|
|
|
0x00000000, # Size
|
|
|
|
0x71000001, # TDS Version
|
|
|
|
0x00000000, # Dummy Size
|
|
|
|
0x00000007, # Version
|
|
|
|
rand(1024+1), # PID
|
|
|
|
0x00000000, # ConnectionID
|
|
|
|
0xe0, # Option Flags 1
|
|
|
|
0x83, # Option Flags 2
|
|
|
|
0x00, # SQL Type Flags
|
|
|
|
0x00, # Reserved Flags
|
|
|
|
0x00000000, # Time Zone
|
|
|
|
0x00000000 # Collation
|
|
|
|
].pack('VVVVVVCCCCVV')
|
|
|
|
|
|
|
|
cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
|
|
|
|
aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) #application and library name
|
|
|
|
sname = Rex::Text.to_unicode( rhost )
|
|
|
|
dname = Rex::Text.to_unicode( db )
|
|
|
|
|
|
|
|
workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
ntlm_client = ::Net::NTLM::Client.new(
|
|
|
|
user,
|
|
|
|
pass,
|
|
|
|
workstation: workstation_name,
|
|
|
|
domain: domain_name,
|
|
|
|
)
|
|
|
|
type1 = ntlm_client.init_context
|
|
|
|
# SQL 2012, at least, does not support KEY_EXCHANGE
|
|
|
|
type1.flag &= ~ ::Net::NTLM::FLAGS[:KEY_EXCHANGE]
|
|
|
|
ntlmsspblob = type1.serialize
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
idx = pkt.size + 50 # lengths below
|
|
|
|
|
|
|
|
pkt << [idx, cname.length / 2].pack('vv')
|
|
|
|
idx += cname.length
|
|
|
|
|
|
|
|
pkt << [0, 0].pack('vv') # User length offset must be 0
|
|
|
|
pkt << [0, 0].pack('vv') # Password length offset must be 0
|
|
|
|
|
|
|
|
pkt << [idx, aname.length / 2].pack('vv')
|
|
|
|
idx += aname.length
|
|
|
|
|
|
|
|
pkt << [idx, sname.length / 2].pack('vv')
|
|
|
|
idx += sname.length
|
|
|
|
|
|
|
|
pkt << [0, 0].pack('vv') # unused
|
|
|
|
|
|
|
|
pkt << [idx, aname.length / 2].pack('vv')
|
|
|
|
idx += aname.length
|
|
|
|
|
|
|
|
pkt << [idx, 0].pack('vv') # locales
|
|
|
|
|
|
|
|
pkt << [idx, 0].pack('vv') #db
|
|
|
|
|
|
|
|
# ClientID (should be mac address)
|
|
|
|
pkt << Rex::Text.rand_text(6)
|
|
|
|
|
|
|
|
# NTLMSSP
|
|
|
|
pkt << [idx, ntlmsspblob.length].pack('vv')
|
|
|
|
idx += ntlmsspblob.length
|
|
|
|
|
|
|
|
pkt << [idx, 0].pack('vv') # AtchDBFile
|
|
|
|
|
|
|
|
pkt << cname
|
|
|
|
pkt << aname
|
|
|
|
pkt << sname
|
|
|
|
pkt << aname
|
|
|
|
pkt << ntlmsspblob
|
|
|
|
|
|
|
|
# Total packet length
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt[0, 4] = [pkt.length].pack('V')
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt_hdr[2] = pkt.length + 8
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
pkt = pkt_hdr.pack("CCnnCC") + pkt
|
|
|
|
|
|
|
|
# Rem : One have to set check_status to false here because sql server sp0 (and maybe above)
|
|
|
|
# has a strange behavior that differs from the specifications
|
|
|
|
# upon receiving the ntlm_negociate request it send an ntlm_challenge but the status flag of the tds packet header
|
|
|
|
# is set to STATUS_NORMAL and not STATUS_END_OF_MESSAGE, then internally it waits for the ntlm_authentification
|
2015-06-23 12:07:08 +00:00
|
|
|
if tdsencryption == true
|
|
|
|
proxy = TDSSSLProxy.new(sock)
|
2016-01-07 23:57:32 +00:00
|
|
|
proxy.setup_ssl
|
2016-07-05 22:05:42 +00:00
|
|
|
resp = proxy.send_recv(pkt, 15, false)
|
2015-06-23 12:07:08 +00:00
|
|
|
else
|
2016-07-05 22:05:42 +00:00
|
|
|
resp = mssql_send_recv(pkt, 15, false)
|
2015-06-23 12:07:08 +00:00
|
|
|
end
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
# Strip the TDS header
|
|
|
|
resp = resp[3..-1]
|
|
|
|
type3 = ntlm_client.init_context([resp].pack('m'))
|
|
|
|
type3_blob = type3.serialize
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
# Create an SSPIMessage
|
|
|
|
idx = 0
|
|
|
|
pkt = ''
|
|
|
|
pkt_hdr = ''
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt_hdr = [
|
|
|
|
TYPE_SSPI_MESSAGE, #type
|
|
|
|
STATUS_END_OF_MESSAGE, #status
|
|
|
|
0x0000, #length
|
|
|
|
0x0000, # SPID
|
|
|
|
0x01, # PacketID
|
|
|
|
0x00 #Window
|
2014-05-06 16:59:21 +00:00
|
|
|
]
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt_hdr[2] = type3_blob.length + 8
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt = pkt_hdr.pack("CCnnCC") + type3_blob
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2015-06-23 12:07:08 +00:00
|
|
|
if self.tdsencryption == true
|
2016-07-05 22:05:42 +00:00
|
|
|
resp = mssql_ssl_send_recv(pkt, proxy)
|
2015-06-23 12:07:08 +00:00
|
|
|
proxy.cleanup
|
|
|
|
proxy = nil
|
|
|
|
else
|
|
|
|
resp = mssql_send_recv(pkt)
|
|
|
|
end
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
#SQL Server Authentification
|
|
|
|
else
|
|
|
|
idx = 0
|
|
|
|
pkt = ''
|
|
|
|
pkt << [
|
|
|
|
0x00000000, # Dummy size
|
|
|
|
|
|
|
|
0x71000001, # TDS Version
|
|
|
|
0x00000000, # Size
|
|
|
|
0x00000007, # Version
|
|
|
|
rand(1024+1), # PID
|
|
|
|
0x00000000, # ConnectionID
|
|
|
|
0xe0, # Option Flags 1
|
|
|
|
0x03, # Option Flags 2
|
|
|
|
0x00, # SQL Type Flags
|
|
|
|
0x00, # Reserved Flags
|
|
|
|
0x00000000, # Time Zone
|
|
|
|
0x00000000 # Collation
|
|
|
|
].pack('VVVVVVCCCCVV')
|
|
|
|
|
|
|
|
|
|
|
|
cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
|
|
|
|
uname = Rex::Text.to_unicode( user )
|
|
|
|
pname = mssql_tds_encrypt( pass )
|
|
|
|
aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
|
|
|
|
sname = Rex::Text.to_unicode( rhost )
|
|
|
|
dname = Rex::Text.to_unicode( db )
|
|
|
|
|
|
|
|
idx = pkt.size + 50 # lengths below
|
|
|
|
|
|
|
|
pkt << [idx, cname.length / 2].pack('vv')
|
|
|
|
idx += cname.length
|
|
|
|
|
|
|
|
pkt << [idx, uname.length / 2].pack('vv')
|
|
|
|
idx += uname.length
|
|
|
|
|
|
|
|
pkt << [idx, pname.length / 2].pack('vv')
|
|
|
|
idx += pname.length
|
|
|
|
|
|
|
|
pkt << [idx, aname.length / 2].pack('vv')
|
|
|
|
idx += aname.length
|
|
|
|
|
|
|
|
pkt << [idx, sname.length / 2].pack('vv')
|
|
|
|
idx += sname.length
|
|
|
|
|
|
|
|
pkt << [0, 0].pack('vv')
|
|
|
|
|
|
|
|
pkt << [idx, aname.length / 2].pack('vv')
|
|
|
|
idx += aname.length
|
|
|
|
|
|
|
|
pkt << [idx, 0].pack('vv')
|
|
|
|
|
|
|
|
pkt << [idx, dname.length / 2].pack('vv')
|
|
|
|
idx += dname.length
|
|
|
|
|
|
|
|
# The total length has to be embedded twice more here
|
|
|
|
pkt << [
|
|
|
|
0,
|
|
|
|
0,
|
|
|
|
0x12345678,
|
|
|
|
0x12345678
|
|
|
|
].pack('vVVV')
|
|
|
|
|
|
|
|
pkt << cname
|
|
|
|
pkt << uname
|
|
|
|
pkt << pname
|
|
|
|
pkt << aname
|
|
|
|
pkt << sname
|
|
|
|
pkt << aname
|
|
|
|
pkt << dname
|
|
|
|
|
|
|
|
# Total packet length
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt[0, 4] = [pkt.length].pack('V')
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
# Embedded packet lengths
|
|
|
|
pkt[pkt.index([0x12345678].pack('V')), 8] = [pkt.length].pack('V') * 2
|
|
|
|
|
|
|
|
# Packet header and total length including header
|
|
|
|
pkt = "\x10\x01" + [pkt.length + 8].pack('n') + [0].pack('n') + [1].pack('C') + "\x00" + pkt
|
|
|
|
|
2015-06-23 12:07:08 +00:00
|
|
|
if self.tdsencryption == true
|
|
|
|
proxy = TDSSSLProxy.new(sock)
|
2016-01-07 23:57:32 +00:00
|
|
|
proxy.setup_ssl
|
2016-07-05 22:05:42 +00:00
|
|
|
resp = mssql_ssl_send_recv(pkt, proxy)
|
2015-06-23 12:07:08 +00:00
|
|
|
proxy.cleanup
|
|
|
|
proxy = nil
|
|
|
|
else
|
|
|
|
resp = mssql_send_recv(pkt)
|
|
|
|
end
|
|
|
|
|
2014-05-06 16:59:21 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
info = {:errors => []}
|
2016-07-05 22:05:42 +00:00
|
|
|
info = mssql_parse_reply(resp, info)
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2016-01-07 23:57:32 +00:00
|
|
|
disconnect
|
|
|
|
|
2014-05-06 16:59:21 +00:00
|
|
|
return false if not info
|
|
|
|
info[:login_ack] ? true : false
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parse an "environment change" TDS token
|
|
|
|
#
|
|
|
|
def mssql_parse_env(data, info)
|
2016-07-05 22:05:42 +00:00
|
|
|
len = data.slice!(0, 2).unpack('v')[0]
|
|
|
|
buff = data.slice!(0, len)
|
|
|
|
type = buff.slice!(0, 1).unpack('C')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
nval = ''
|
2016-07-05 22:05:42 +00:00
|
|
|
nlen = buff.slice!(0, 1).unpack('C')[0] || 0
|
|
|
|
nval = buff.slice!(0, nlen*2).gsub("\x00", '') if nlen > 0
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
oval = ''
|
2016-07-05 22:05:42 +00:00
|
|
|
olen = buff.slice!(0, 1).unpack('C')[0] || 0
|
|
|
|
oval = buff.slice!(0, olen*2).gsub("\x00", '') if olen > 0
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
info[:envs] ||= []
|
|
|
|
info[:envs] << { :type => type, :old => oval, :new => nval }
|
|
|
|
info
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parse a "ret" TDS token
|
|
|
|
#
|
|
|
|
def mssql_parse_ret(data, info)
|
2016-07-05 22:05:42 +00:00
|
|
|
ret = data.slice!(0, 4).unpack('N')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
info[:ret] = ret
|
|
|
|
info
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parse a "done" TDS token
|
|
|
|
#
|
|
|
|
def mssql_parse_done(data, info)
|
2016-07-05 22:05:42 +00:00
|
|
|
status, cmd, rows = data.slice!(0, 8).unpack('vvV')
|
2014-05-06 16:59:21 +00:00
|
|
|
info[:done] = { :status => status, :cmd => cmd, :rows => rows }
|
|
|
|
info
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parse an "error" TDS token
|
|
|
|
#
|
|
|
|
def mssql_parse_error(data, info)
|
2016-07-05 22:05:42 +00:00
|
|
|
len = data.slice!(0, 2).unpack('v')[0]
|
|
|
|
buff = data.slice!(0, len)
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
errno, state, sev, elen = buff.slice!(0, 8).unpack('VCCv')
|
|
|
|
emsg = buff.slice!(0, elen * 2)
|
2014-05-06 16:59:21 +00:00
|
|
|
emsg.gsub!("\x00", '')
|
|
|
|
|
|
|
|
info[:errors] << "SQL Server Error ##{errno} (State:#{state} Severity:#{sev}): #{emsg}"
|
|
|
|
info
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parse an "information" TDS token
|
|
|
|
#
|
|
|
|
def mssql_parse_info(data, info)
|
2016-07-05 22:05:42 +00:00
|
|
|
len = data.slice!(0, 2).unpack('v')[0]
|
|
|
|
buff = data.slice!(0, len)
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
errno, state, sev, elen = buff.slice!(0, 8).unpack('VCCv')
|
|
|
|
emsg = buff.slice!(0, elen * 2)
|
2014-05-06 16:59:21 +00:00
|
|
|
emsg.gsub!("\x00", '')
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
info[:infos] ||= []
|
2014-05-06 16:59:21 +00:00
|
|
|
info[:infos] << "SQL Server Info ##{errno} (State:#{state} Severity:#{sev}): #{emsg}"
|
|
|
|
info
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parse a "login ack" TDS token
|
|
|
|
#
|
|
|
|
def mssql_parse_login_ack(data, info)
|
2016-07-05 22:05:42 +00:00
|
|
|
len = data.slice!(0, 2).unpack('v')[0]
|
|
|
|
_buff = data.slice!(0, len)
|
2014-05-06 16:59:21 +00:00
|
|
|
info[:login_ack] = true
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parse individual tokens from a TDS reply
|
|
|
|
#
|
|
|
|
def mssql_parse_reply(data, info)
|
|
|
|
info[:errors] = []
|
|
|
|
return if not data
|
|
|
|
until data.empty?
|
2016-07-05 22:05:42 +00:00
|
|
|
token = data.slice!(0, 1).unpack('C')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
case token
|
|
|
|
when 0x81
|
|
|
|
mssql_parse_tds_reply(data, info)
|
|
|
|
when 0xd1
|
|
|
|
mssql_parse_tds_row(data, info)
|
|
|
|
when 0xe3
|
|
|
|
mssql_parse_env(data, info)
|
|
|
|
when 0x79
|
|
|
|
mssql_parse_ret(data, info)
|
|
|
|
when 0xfd, 0xfe, 0xff
|
|
|
|
mssql_parse_done(data, info)
|
|
|
|
when 0xad
|
|
|
|
mssql_parse_login_ack(data, info)
|
|
|
|
when 0xab
|
|
|
|
mssql_parse_info(data, info)
|
|
|
|
when 0xaa
|
|
|
|
mssql_parse_error(data, info)
|
|
|
|
when nil
|
|
|
|
break
|
|
|
|
else
|
|
|
|
info[:errors] << "unsupported token: #{token}"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
info
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parse a raw TDS reply from the server
|
|
|
|
#
|
|
|
|
def mssql_parse_tds_reply(data, info)
|
|
|
|
info[:errors] ||= []
|
|
|
|
info[:colinfos] ||= []
|
|
|
|
info[:colnames] ||= []
|
|
|
|
|
|
|
|
# Parse out the columns
|
2016-07-05 22:05:42 +00:00
|
|
|
cols = data.slice!(0, 2).unpack('v')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
0.upto(cols-1) do |col_idx|
|
|
|
|
col = {}
|
|
|
|
info[:colinfos][col_idx] = col
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
col[:utype] = data.slice!(0, 2).unpack('v')[0]
|
|
|
|
col[:flags] = data.slice!(0, 2).unpack('v')[0]
|
|
|
|
col[:type] = data.slice!(0, 1).unpack('C')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
case col[:type]
|
|
|
|
when 48
|
|
|
|
col[:id] = :tinyint
|
|
|
|
|
|
|
|
when 52
|
|
|
|
col[:id] = :smallint
|
|
|
|
|
|
|
|
when 56
|
|
|
|
col[:id] = :rawint
|
|
|
|
|
|
|
|
when 61
|
|
|
|
col[:id] = :datetime
|
|
|
|
|
|
|
|
when 34
|
|
|
|
col[:id] = :image
|
2016-07-05 22:05:42 +00:00
|
|
|
col[:max_size] = data.slice!(0, 4).unpack('V')[0]
|
|
|
|
col[:value_length] = data.slice!(0, 2).unpack('v')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
col[:value] = data.slice!(0, col[:value_length] * 2).gsub("\x00", '')
|
|
|
|
|
|
|
|
when 36
|
|
|
|
col[:id] = :string
|
|
|
|
|
|
|
|
when 38
|
|
|
|
col[:id] = :int
|
2016-07-05 22:05:42 +00:00
|
|
|
col[:int_size] = data.slice!(0, 1).unpack('C')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
when 127
|
|
|
|
col[:id] = :bigint
|
|
|
|
|
|
|
|
when 165
|
|
|
|
col[:id] = :hex
|
2016-07-05 22:05:42 +00:00
|
|
|
col[:max_size] = data.slice!(0, 2).unpack('v')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
when 173
|
|
|
|
col[:id] = :hex # binary(2)
|
2016-07-05 22:05:42 +00:00
|
|
|
col[:max_size] = data.slice!(0, 2).unpack('v')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
when 231, 175, 167, 239
|
2014-05-06 16:59:21 +00:00
|
|
|
col[:id] = :string
|
2016-07-05 22:05:42 +00:00
|
|
|
col[:max_size] = data.slice!(0, 2).unpack('v')[0]
|
|
|
|
col[:codepage] = data.slice!(0, 2).unpack('v')[0]
|
|
|
|
col[:cflags] = data.slice!(0, 2).unpack('v')[0]
|
|
|
|
col[:charset_id] = data.slice!(0, 1).unpack('C')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
else
|
|
|
|
col[:id] = :unknown
|
|
|
|
end
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
col[:msg_len] = data.slice!(0, 1).unpack('C')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
if(col[:msg_len] and col[:msg_len] > 0)
|
|
|
|
col[:name] = data.slice!(0, col[:msg_len] * 2).gsub("\x00", '')
|
|
|
|
end
|
|
|
|
info[:colnames] << (col[:name] || 'NULL')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parse a single row of a TDS reply
|
|
|
|
#
|
|
|
|
def mssql_parse_tds_row(data, info)
|
|
|
|
info[:rows] ||= []
|
|
|
|
row = []
|
|
|
|
|
|
|
|
info[:colinfos].each do |col|
|
|
|
|
|
|
|
|
if(data.length == 0)
|
|
|
|
row << "<EMPTY>"
|
|
|
|
next
|
|
|
|
end
|
|
|
|
|
|
|
|
case col[:id]
|
|
|
|
when :hex
|
|
|
|
str = ""
|
2016-07-05 22:05:42 +00:00
|
|
|
len = data.slice!(0, 2).unpack('v')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
if(len > 0 and len < 65535)
|
2016-07-05 22:05:42 +00:00
|
|
|
str << data.slice!(0, len)
|
2014-05-06 16:59:21 +00:00
|
|
|
end
|
|
|
|
row << str.unpack("H*")[0]
|
|
|
|
|
|
|
|
when :string
|
|
|
|
str = ""
|
2016-07-05 22:05:42 +00:00
|
|
|
len = data.slice!(0, 2).unpack('v')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
if(len > 0 and len < 65535)
|
2016-07-05 22:05:42 +00:00
|
|
|
str << data.slice!(0, len)
|
2014-05-06 16:59:21 +00:00
|
|
|
end
|
|
|
|
row << str.gsub("\x00", '')
|
|
|
|
|
|
|
|
when :datetime
|
2016-07-05 22:05:42 +00:00
|
|
|
row << data.slice!(0, 8).unpack("H*")[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
when :rawint
|
2016-07-05 22:05:42 +00:00
|
|
|
row << data.slice!(0, 4).unpack('V')[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
when :bigint
|
2016-07-05 22:05:42 +00:00
|
|
|
row << data.slice!(0, 8).unpack("H*")[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
when :smallint
|
|
|
|
row << data.slice!(0, 2).unpack("v")[0]
|
|
|
|
|
|
|
|
when :smallint3
|
|
|
|
row << [data.slice!(0, 3)].pack("Z4").unpack("V")[0]
|
|
|
|
|
|
|
|
when :tinyint
|
|
|
|
row << data.slice!(0, 1).unpack("C")[0]
|
|
|
|
|
|
|
|
when :image
|
|
|
|
str = ''
|
2016-07-05 22:05:42 +00:00
|
|
|
len = data.slice!(0, 1).unpack('C')[0]
|
|
|
|
str = data.slice!(0, len) if (len and len > 0)
|
2014-05-06 16:59:21 +00:00
|
|
|
row << str.unpack("H*")[0]
|
|
|
|
|
|
|
|
when :int
|
|
|
|
len = data.slice!(0, 1).unpack("C")[0]
|
|
|
|
raw = data.slice!(0, len) if (len and len > 0)
|
|
|
|
|
|
|
|
case len
|
2016-07-05 22:05:42 +00:00
|
|
|
when 0, 255
|
2014-05-06 16:59:21 +00:00
|
|
|
row << ''
|
|
|
|
when 1
|
|
|
|
row << raw.unpack("C")[0]
|
|
|
|
when 2
|
|
|
|
row << raw.unpack('v')[0]
|
|
|
|
when 4
|
|
|
|
row << raw.unpack('V')[0]
|
|
|
|
when 5
|
|
|
|
row << raw.unpack('V')[0] # XXX: missing high byte
|
|
|
|
when 8
|
|
|
|
row << raw.unpack('VV')[0] # XXX: missing high dword
|
|
|
|
else
|
2016-07-05 22:05:42 +00:00
|
|
|
info[:errors] << "invalid integer size: #{len} #{data[0, 16].unpack("H*")[0]}"
|
2014-05-06 16:59:21 +00:00
|
|
|
end
|
|
|
|
else
|
|
|
|
info[:errors] << "unknown column type: #{col.inspect}"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
info[:rows] << row
|
|
|
|
info
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
#this method send a prelogin packet and check if encryption is off
|
|
|
|
#
|
|
|
|
def mssql_prelogin(enc_error=false)
|
|
|
|
|
|
|
|
pkt = ""
|
|
|
|
pkt_hdr = ""
|
|
|
|
pkt_data_token = ""
|
|
|
|
pkt_data = ""
|
|
|
|
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt_hdr = [
|
2014-05-06 16:59:21 +00:00
|
|
|
TYPE_PRE_LOGIN_MESSAGE, #type
|
|
|
|
STATUS_END_OF_MESSAGE, #status
|
|
|
|
0x0000, #length
|
|
|
|
0x0000, # SPID
|
|
|
|
0x00, # PacketID
|
|
|
|
0x00 #Window
|
|
|
|
]
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
version = [0x55010008, 0x0000].pack("Vv")
|
2015-06-23 12:07:08 +00:00
|
|
|
|
|
|
|
# if manually set, we will honour
|
|
|
|
if tdsencryption == true
|
|
|
|
encryption = ENCRYPT_ON
|
|
|
|
else
|
|
|
|
encryption = ENCRYPT_NOT_SUP
|
|
|
|
end
|
|
|
|
|
2014-05-06 16:59:21 +00:00
|
|
|
instoptdata = "MSSQLServer\0"
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
threadid = "\0\0" + Rex::Text.rand_text(2)
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
idx = 21 # size of pkt_data_token
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt_data_token << [
|
|
|
|
0x00, # Token 0 type Version
|
|
|
|
idx , # VersionOffset
|
2014-05-06 16:59:21 +00:00
|
|
|
version.length, # VersionLength
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
0x01, # Token 1 type Encryption
|
|
|
|
idx = idx + version.length, # EncryptionOffset
|
|
|
|
0x01, # EncryptionLength
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
0x02, # Token 2 type InstOpt
|
|
|
|
idx = idx + 1, # InstOptOffset
|
|
|
|
instoptdata.length, # InstOptLength
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
0x03, # Token 3 type Threadid
|
|
|
|
idx + instoptdata.length, # ThreadIdOffset
|
|
|
|
0x04, # ThreadIdLength
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
0xFF
|
|
|
|
].pack("CnnCnnCnnCnnC")
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt_data << pkt_data_token
|
|
|
|
pkt_data << version
|
|
|
|
pkt_data << encryption
|
|
|
|
pkt_data << instoptdata
|
|
|
|
pkt_data << threadid
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt_hdr[2] = pkt_data.length + 8
|
2014-05-06 16:59:21 +00:00
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
pkt = pkt_hdr.pack("CCnnCC") + pkt_data
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
resp = mssql_send_recv(pkt)
|
|
|
|
|
|
|
|
idx = 0
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
while resp && resp[0, 1] != "\xff" && resp.length > 5
|
|
|
|
token = resp.slice!(0, 5)
|
2014-05-06 16:59:21 +00:00
|
|
|
token = token.unpack("Cnn")
|
|
|
|
idx -= 5
|
|
|
|
if token[0] == 0x01
|
|
|
|
|
|
|
|
idx += token[1]
|
|
|
|
break
|
|
|
|
end
|
|
|
|
end
|
|
|
|
if idx > 0
|
2016-07-05 22:05:42 +00:00
|
|
|
encryption_mode = resp[idx, 1].unpack("C")[0]
|
2014-05-06 16:59:21 +00:00
|
|
|
else
|
2017-11-07 20:30:47 +00:00
|
|
|
framework_module.print_error("Unable to parse encryption req " \
|
|
|
|
"during pre-login, this may not be a MSSQL server")
|
2014-05-06 16:59:21 +00:00
|
|
|
encryption_mode = ENCRYPT_NOT_SUP
|
|
|
|
end
|
|
|
|
|
2015-06-23 12:07:08 +00:00
|
|
|
##########################################################
|
|
|
|
# Our initial prelogin pkt above said we didnt support
|
|
|
|
# encryption (it's quicker and the default).
|
|
|
|
#
|
|
|
|
# Per the matrix on the following link, SQL Server will
|
|
|
|
# terminate the connection if it does require TLS,
|
|
|
|
# otherwise it will accept an unencrypted session. As
|
|
|
|
# part of this initial response packet, it also returns
|
|
|
|
# ENCRYPT_REQ.
|
|
|
|
#
|
|
|
|
# https://msdn.microsoft.com\
|
|
|
|
# /en-us/library/ee320519(v=sql.105).aspx
|
|
|
|
#
|
|
|
|
##########################################################
|
|
|
|
|
|
|
|
if encryption_mode == ENCRYPT_REQ
|
|
|
|
# restart prelogin process except that we tell SQL Server
|
|
|
|
# than we are now able to encrypt
|
|
|
|
disconnect if self.sock
|
|
|
|
connect
|
|
|
|
|
|
|
|
# offset 35 is the flag - turn it on
|
|
|
|
pkt[35] = [ENCRYPT_ON].pack('C')
|
|
|
|
self.tdsencryption = true
|
|
|
|
framework_module.print_status("TLS encryption has " \
|
|
|
|
"been enabled based on server response.")
|
|
|
|
|
|
|
|
resp = mssql_send_recv(pkt)
|
|
|
|
|
|
|
|
idx = 0
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
while resp && resp[0, 1] != "\xff" && resp.length > 5
|
|
|
|
token = resp.slice!(0, 5)
|
2015-06-23 12:07:08 +00:00
|
|
|
token = token.unpack("Cnn")
|
|
|
|
idx -= 5
|
|
|
|
if token[0] == 0x01
|
|
|
|
idx += token[1]
|
|
|
|
break
|
|
|
|
end
|
|
|
|
end
|
|
|
|
if idx > 0
|
2016-07-05 22:05:42 +00:00
|
|
|
encryption_mode = resp[idx, 1].unpack("C")[0]
|
2015-06-23 12:07:08 +00:00
|
|
|
else
|
2017-11-07 20:30:47 +00:00
|
|
|
framework_module.print_error("Unable to parse encryption req " \
|
|
|
|
"during pre-login, this may not be a MSSQL server")
|
|
|
|
encryption_mode = ENCRYPT_NOT_SUP
|
2015-06-23 12:07:08 +00:00
|
|
|
end
|
2014-05-06 16:59:21 +00:00
|
|
|
end
|
|
|
|
encryption_mode
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Send and receive using TDS
|
|
|
|
#
|
|
|
|
def mssql_send_recv(req, timeout=15, check_status = true)
|
|
|
|
sock.put(req)
|
|
|
|
|
|
|
|
# Read the 8 byte header to get the length and status
|
|
|
|
# Read the length to get the data
|
|
|
|
# If the status is 0, read another header and more data
|
|
|
|
|
|
|
|
done = false
|
|
|
|
resp = ""
|
|
|
|
|
|
|
|
while(not done)
|
|
|
|
head = sock.get_once(8, timeout)
|
2016-07-05 22:05:42 +00:00
|
|
|
if !(head && head.length == 8)
|
2014-05-06 16:59:21 +00:00
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
# Is this the last buffer?
|
2016-07-05 22:05:42 +00:00
|
|
|
if head[1, 1] == "\x01" || !check_status
|
2014-05-06 16:59:21 +00:00
|
|
|
done = true
|
|
|
|
end
|
|
|
|
|
|
|
|
# Grab this block's length
|
2016-07-05 22:05:42 +00:00
|
|
|
rlen = head[2, 2].unpack('n')[0] - 8
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
while(rlen > 0)
|
|
|
|
buff = sock.get_once(rlen, timeout)
|
|
|
|
return if not buff
|
|
|
|
resp << buff
|
|
|
|
rlen -= buff.length
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
resp
|
|
|
|
end
|
|
|
|
|
2016-07-05 22:05:42 +00:00
|
|
|
def mssql_ssl_send_recv(req, tdsproxy, timeout=15, check_status=true)
|
2016-01-07 23:57:32 +00:00
|
|
|
tdsproxy.send_recv(req)
|
2015-06-22 03:10:59 +00:00
|
|
|
end
|
|
|
|
|
2014-05-06 16:59:21 +00:00
|
|
|
#
|
|
|
|
# Encrypt a password according to the TDS protocol (encode)
|
|
|
|
#
|
|
|
|
def mssql_tds_encrypt(pass)
|
|
|
|
# Convert to unicode, swap 4 bits both ways, xor with 0xa5
|
|
|
|
Rex::Text.to_unicode(pass).unpack('C*').map {|c| (((c & 0x0f) << 4) + ((c & 0xf0) >> 4)) ^ 0xa5 }.pack("C*")
|
|
|
|
end
|
|
|
|
|
2014-05-07 16:41:49 +00:00
|
|
|
protected
|
|
|
|
|
|
|
|
def windows_authentication
|
|
|
|
raise NotImplementedError
|
|
|
|
end
|
|
|
|
|
|
|
|
def use_ntlm2_session
|
|
|
|
raise NotImplementedError
|
|
|
|
end
|
|
|
|
|
|
|
|
def use_ntlmv2
|
|
|
|
raise NotImplementedError
|
|
|
|
end
|
|
|
|
|
|
|
|
def send_lm
|
|
|
|
raise NotImplementedError
|
|
|
|
end
|
|
|
|
|
|
|
|
def send_ntlm
|
|
|
|
raise NotImplementedError
|
|
|
|
end
|
|
|
|
|
|
|
|
def send_spn
|
|
|
|
raise NotImplementedError
|
|
|
|
end
|
2014-05-06 16:59:21 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
2014-10-21 16:09:39 +00:00
|
|
|
end
|