From 46cf938475a3b1dc011ad1a50b735d57ba7a8a5b Mon Sep 17 00:00:00 2001 From: amaloteaux <> Date: Wed, 23 Mar 2011 20:47:49 +0000 Subject: [PATCH] fix typo git-svn-id: file:///home/svn/framework3/trunk@12112 4d416f70-5f16-0410-b530-b9f4589650da --- lib/msf/core/exploit/mssql.rb | 254 +++++++++++++----- .../auxiliary/scanner/mssql/mssql_login.rb | 1 + modules/exploits/windows/smb/psexec.rb | 10 +- 3 files changed, 195 insertions(+), 70 deletions(-) diff --git a/lib/msf/core/exploit/mssql.rb b/lib/msf/core/exploit/mssql.rb index 78cb446277..e98742e2ac 100644 --- a/lib/msf/core/exploit/mssql.rb +++ b/lib/msf/core/exploit/mssql.rb @@ -27,6 +27,7 @@ module Exploit::Remote::MSSQL Opt::RPORT(1433), OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']), OptString.new('PASSWORD', [ false, 'The password for the specified username', '']), + OptBool.new('USE_WINDOWS_AUTHENT', [ true, 'Use windows authentification', false]), ], Msf::Exploit::Remote::MSSQL) register_advanced_options( [ @@ -241,6 +242,96 @@ module Exploit::Remote::MSSQL Rex::Text.to_unicode(pass).unpack('C*').map {|c| (((c & 0x0f) << 4) + ((c & 0xf0) >> 4)) ^ 0xa5 }.pack("C*") end + # + #this method send a prelogin packet and check if encryption is off + # + def mssql_prelogin(enc_error=false) + + pkt = "" + pkt_hdr = "" + pkt_data_token = "" + pkt_data = "" + + + pkt_hdr = [ + 0x12, #type + 0x01, #status + 0x0000, #length + 0x0000, # SPID + 0x00, # PacketID + 0x00 #Window + ] + + version = [0x55010008,0x0000].pack("Vv") + encryption = "\0" # off + instoptdata = "MSSQLServer\0" + + threadid = Rex::Text.rand_text(2) + "\0\0" + + + idx = 21 # size of pkt_data_token + pkt_data_token << [ + 0x00, # Token 0 type Version + idx , # VersionOffset + version.length, # VersionLength + + 0x01, # Token 1 type Encryption + idx = idx + version.length, # EncryptionOffset + 0x01, #EncryptionLength + + 0x02, # Token 2 type InstOpt + idx = idx + 1, # InstOptOffset + instoptdata.length, #InstOptLength + + 0x03, #Token 3 type Threadid + idx + instoptdata.length, #ThreadIdOffset + 0x04, #ThreadIdLength + + 0xFF + ].pack("CnnCnnCnnCnnC") + + pkt_data << pkt_data_token + pkt_data << version + pkt_data << encryption + pkt_data << instoptdata + pkt_data << threadid + + pkt_hdr[2] = pkt_data.length + 8 + + pkt = pkt_hdr.pack("CCnnCC") + pkt_data + + resp = mssql_send_recv(pkt) + + idx = 0 + + while resp[0,1] != "\xff" and resp.length > 5 + token = resp.slice!(0,5) + token = token.unpack("Cnn") + idx -= 5 + if token[0] == 0x01 + + idx += token[1] + break + end + end + if idx > 0 + encryption_mode = resp[idx,1].unpack("C")[0] + else + #force to off and hope for the best + encryption_mode = 0 + end + + #ENCRYPT_OFF 0x00 Encryption is available but off. + #ENCRYPT_ON 0x01 Encryption is available and on. + #ENCRYPT_NOT_SUP 0x02 Encryption is not available. + #ENCRYPT_REQ 0x03 Encryption is required. + + if encryption_mode != 0 and enc_error + raise RuntimeError,"Encryption is not supported" + end + encryption_mode + end + # # This method connects to the server over TCP and attempts # to authenticate with the supplied username and password @@ -251,91 +342,124 @@ module Exploit::Remote::MSSQL disconnect if self.sock connect - pkt = "" - idx = 0 - - pkt << [ - 0x00000000, # Dummy size - 0x71000001, # TDS Version - 0x00000000, # Size - 0x00000007, # Version - rand(1024+1), # PID - 0x00000000, # ConnectionID - 0xe0, # Option Flags 1 - 0x03, # Option Flags 2 - 0x00, # SQL Type Flags - 0x00, # Reserved Flags - 0x00000000, # Time Zone - 0x00000000 # Collation - ].pack('VVVVVVCCCCVV') + mssql_prelogin() + - cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) - uname = Rex::Text.to_unicode( user ) - pname = mssql_tds_encrypt( pass ) - aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) - sname = Rex::Text.to_unicode( rhost ) - dname = Rex::Text.to_unicode( db ) + if datastore['USE_WINDOWS_AUTHENT'] - idx = pkt.size + 50 # lengths below +false +=begin - pkt << [idx, cname.length / 2].pack('vv') - idx += cname.length + pkt << [ + 0x00000000, # Dummy size + 0x71000001, # TDS Version + 0x00000000, # Size + 0x00000007, # Version + rand(1024+1), # PID + 0x00000000, # ConnectionID + 0xe0, # Option Flags 1 + 0x83, # Option Flags 2 + 0x00, # SQL Type Flags + 0x00, # Reserved Flags + 0x00000000, # Time Zone + 0x00000000 # Collation + ].pack('VVVVVVCCCCVV') - pkt << [idx, uname.length / 2].pack('vv') - idx += uname.length + cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) + uname = Rex::Text.to_unicode( user ) + pname = mssql_tds_encrypt( pass ) + aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) + sname = Rex::Text.to_unicode( rhost ) + dname = Rex::Text.to_unicode( db ) +=end + #SQL Server Authentification + else + idx = 0 - pkt << [idx, pname.length / 2].pack('vv') - idx += pname.length + pkt << [ + 0x00000000, # Dummy size + 0x71000001, # TDS Version + 0x00000000, # Size + 0x00000007, # Version + rand(1024+1), # PID + 0x00000000, # ConnectionID + 0xe0, # Option Flags 1 + 0x03, # Option Flags 2 + 0x00, # SQL Type Flags + 0x00, # Reserved Flags + 0x00000000, # Time Zone + 0x00000000 # Collation + ].pack('VVVVVVCCCCVV') - pkt << [idx, aname.length / 2].pack('vv') - idx += aname.length - pkt << [idx, sname.length / 2].pack('vv') - idx += sname.length + cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) + uname = Rex::Text.to_unicode( user ) + pname = mssql_tds_encrypt( pass ) + aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) + sname = Rex::Text.to_unicode( rhost ) + dname = Rex::Text.to_unicode( db ) - pkt << [0, 0].pack('vv') + idx = pkt.size + 50 # lengths below - pkt << [idx, aname.length / 2].pack('vv') - idx += aname.length + pkt << [idx, cname.length / 2].pack('vv') + idx += cname.length - pkt << [idx, 0].pack('vv') + pkt << [idx, uname.length / 2].pack('vv') + idx += uname.length - pkt << [idx, dname.length / 2].pack('vv') - idx += dname.length + pkt << [idx, pname.length / 2].pack('vv') + idx += pname.length - # The total length has to be embedded twice more here - pkt << [ - 0, - 0, - 0x12345678, - 0x12345678 - ].pack('vVVV') + pkt << [idx, aname.length / 2].pack('vv') + idx += aname.length - pkt << cname - pkt << uname - pkt << pname - pkt << aname - pkt << sname - pkt << aname - pkt << dname + pkt << [idx, sname.length / 2].pack('vv') + idx += sname.length - # Total packet length - pkt[0,4] = [pkt.length].pack('V') + pkt << [0, 0].pack('vv') - # Embedded packet lengths - pkt[pkt.index([0x12345678].pack('V')), 8] = [pkt.length].pack('V') * 2 + pkt << [idx, aname.length / 2].pack('vv') + idx += aname.length - # Packet header and total length including header - pkt = "\x10\x01" + [pkt.length + 8].pack('n') + [0].pack('n') + [1].pack('C') + "\x00" + pkt + pkt << [idx, 0].pack('vv') - resp = mssql_send_recv(pkt) + pkt << [idx, dname.length / 2].pack('vv') + idx += dname.length - info = {:errors => []} - info = mssql_parse_reply(resp,info) + # The total length has to be embedded twice more here + pkt << [ + 0, + 0, + 0x12345678, + 0x12345678 + ].pack('vVVV') - return false if not info - info[:login_ack] ? true : false + pkt << cname + pkt << uname + pkt << pname + pkt << aname + pkt << sname + pkt << aname + pkt << dname + + # Total packet length + pkt[0,4] = [pkt.length].pack('V') + + # Embedded packet lengths + pkt[pkt.index([0x12345678].pack('V')), 8] = [pkt.length].pack('V') * 2 + + # Packet header and total length including header + pkt = "\x10\x01" + [pkt.length + 8].pack('n') + [0].pack('n') + [1].pack('C') + "\x00" + pkt + + resp = mssql_send_recv(pkt) + + info = {:errors => []} + info = mssql_parse_reply(resp,info) + + return false if not info + info[:login_ack] ? true : false + end end # diff --git a/modules/auxiliary/scanner/mssql/mssql_login.rb b/modules/auxiliary/scanner/mssql/mssql_login.rb index 7c3109317b..2f5dc236c9 100644 --- a/modules/auxiliary/scanner/mssql/mssql_login.rb +++ b/modules/auxiliary/scanner/mssql/mssql_login.rb @@ -52,6 +52,7 @@ class Metasploit3 < Msf::Auxiliary end def do_login(user='sa', pass='', verbose=false) + vprint_status("#{rhost}:#{rport} - MSSQL - Trying username:'#{user}' with password:'#{pass}'") begin success = mssql_login(user, pass) diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb index 77881c0741..33fe0fd755 100644 --- a/modules/exploits/windows/smb/psexec.rb +++ b/modules/exploits/windows/smb/psexec.rb @@ -186,13 +186,13 @@ class Metasploit3 < Msf::Exploit::Remote ## - # create the share uri + # define the file location if datastore['SHARE'] == 'ADMIN$' - share_uri = "%SYSTEMROOT%\\#{filename}" + file_location = "%SYSTEMROOT%\\#{filename}" elsif datastore['SHARE'] =~ /^[a-zA-Z]\$$/ - share_uri = datastore['SHARE'].slice(0,1) + ":\\#{filename}" + file_location = datastore['SHARE'].slice(0,1) + ":\\#{filename}" else - share_uri = "\\\\127.0.0.1\\#{datastore['SHARE']}\\#{filename}" + file_location = "\\\\127.0.0.1\\#{datastore['SHARE']}\\#{filename}" end displayname = 'M' + rand_text_alpha(rand(32)+1) @@ -209,7 +209,7 @@ class Metasploit3 < Msf::Exploit::Remote NDR.long(0x00000110) + # Type: Interactive, Own process NDR.long(0x00000003) + # Start: Demand NDR.long(0x00000000) + # Errors: Ignore - NDR.wstring( share_uri ) + # Binary Path + NDR.wstring( file_location ) + # Binary Path NDR.long(0) + # LoadOrderGroup NDR.long(0) + # Dependencies NDR.long(0) + # Service Start