metasploit-framework/lib/metasploit/framework/mssql/tdssslproxy.rb

127 lines
3.2 KiB
Ruby
Raw Normal View History

2015-06-22 03:10:59 +00:00
# -*- coding: binary -*-
require 'openssl'
2015-06-23 12:07:08 +00:00
#
# TDSSSLProxy:
#
# SQL Server uses the TDS protocol to transmit data between clients and
# servers. Of course this sits on top of TCP.
#
# By default, the TDS payload is not encrypted. However, if "force
# encryption" is set under the SQL Server protocol properties, it will
# use SSL/TLS to encrypt the TDS data. Oddly, the entire TCP stream is
# not encrypted (as is say for HTTPS), but instead a TDS header is
# put on the front of the TLS packet. As a result, the full TLS/SSL
# setup is done within a series of TDS payloads.
#
# This "proxy" basically creates a fake SSL endpoint (s2) from which it
# can add/remove the TDS header as required. This is implemented as a
# socket pair (think, a bidirectional pipe), where the other end is s1:
#
# sslsock <-> s1 <-> s2 <-> tdssock <-> target SQL Server.
#
# (tdssock is the reference to the "sock" from the scanner module)
#
# TO DO:
#
# This enables brute force of a SQL Server which requires encryption.
# However, future updates will permit any read/write using
# mssql_send_recv() to use crypto if required and transparently to
# other MSF developers.
#
# Cheers, JH
2015-06-22 03:10:59 +00:00
2015-06-23 12:07:08 +00:00
class TDSSSLProxy
2015-06-22 03:10:59 +00:00
TYPE_TDS7_LOGIN = 16
TYPE_PRE_LOGIN_MESSAGE = 18
STATUS_END_OF_MESSAGE = 0x01
def initialize(sock)
@tdssock = sock
@s1, @s2 = Rex::Socket.tcp_socket_pair
2015-06-22 03:10:59 +00:00
end
def cleanup
@running = false
@t1.join
2015-06-22 03:10:59 +00:00
end
def setup_ssl
@running = true
@t1 = Thread.start { ssl_setup_thread }
2015-06-22 03:10:59 +00:00
ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1)
@ssl_socket = OpenSSL::SSL::SSLSocket.new(@s1, ssl_context)
@ssl_socket.connect
end
def send_recv(pkt)
@ssl_socket.write(pkt)
done = false
resp = ""
while (not done)
2015-06-23 12:07:08 +00:00
head = @ssl_socket.read(8)
2015-06-22 03:10:59 +00:00
if !(head and head.length == 8)
return false
end
# Is this the last buffer?
if (head[1, 1] == "\x01" or not check_status)
2015-06-22 03:10:59 +00:00
done = true
end
# Grab this block's length
rlen = head[2, 2].unpack('n')[0] - 8
2015-06-22 03:10:59 +00:00
while (rlen > 0)
2015-06-23 12:07:08 +00:00
buff = @ssl_socket.read(rlen)
2015-06-22 03:10:59 +00:00
return if not buff
resp << buff
rlen -= buff.length
end
end
resp
end
def ssl_setup_thread
while @running do
res = select([@tdssock, @s2], nil, nil, 0.1)
if res
res[0].each do |r|
# response from SQL Server for client
if r == @tdssock
resp = @tdssock.recv(4096)
if @ssl_socket.state[0, 5] == "SSLOK"
@s2.send(resp, 0)
else
@s2.send(resp[8..-1], 0)
end
2015-06-22 03:10:59 +00:00
end
# request from client for SQL Server
if r == @s2
resp = @s2.recv(4096)
# SSL negotiation completed - just send it on
if @ssl_socket.state[0, 5] == "SSLOK"
@tdssock.send(resp, 0)
# Still doing SSL
else
tds_pkt_len = 8 + resp.length
pkt_hdr = ''
pkt_hdr << [TYPE_PRE_LOGIN_MESSAGE, STATUS_END_OF_MESSAGE, tds_pkt_len, 0x0000, 0x00, 0x00].pack('CCnnCC')
pkt = pkt_hdr << resp
@tdssock.send(pkt, 0)
end
2015-06-22 03:10:59 +00:00
end
end
end
end
@s1.close
@s2.close
2015-06-22 03:10:59 +00:00
end
end