From 91aeef0a8a1416ec00beb1e66fd1625b47efac6d Mon Sep 17 00:00:00 2001
From: nullbind
Date: Wed, 1 Apr 2015 10:09:13 -0500
Subject: [PATCH 1/2] added startrid and endrid

---
 .../mssql/mssql_enum_domain_accounts_sqli.rb | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb b/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb
index 10632d13eb..aded1b9ed5 100644
--- a/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb
+++ b/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb
@@ -33,12 +33,13 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
-        OptInt.new('FuzzNum', [true, 'Number of principal_ids to fuzz.', 3000])
+        OptInt.new('STARTRID', [true, 'RID to start fuzzing at.', 500]),
+        OptInt.new('ENDRID', [true, 'RID to stop fuzzing at.', 3000])
       ], self.class)
   end
   def run
-    print_status("#{peer} - Grabbing the server and domain name...")
+    print_status("#{peer} - Grabbing the SQL Server name and domain...")
     db_server_name = get_server_name
     if db_server_name.nil?
       print_error("#{peer} - Unable to grab the server name")
@@ -71,7 +72,8 @@ class Metasploit3 < Msf::Auxiliary
     end
     # Get a list of windows users, groups, and computer accounts using SUSER_NAME()
-    print_status("#{peer} - Brute forcing #{datastore['FuzzNum']} RIDs through the SQL Server, be patient...")
+    total_rids = datastore['ENDRID'] - datastore['STARTRID']
+    print_status("#{peer} - Brute forcing #{total_rids} RIDs via SQL injection, be patient...")
     domain_users = get_win_domain_users(windows_domain_sid)
     if domain_users.nil?
       print_error("#{peer} - Sorry, no Windows domain accounts were found, or DC could not be contacted.")
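Review bot: The two new option descriptions in register_options do not say whether the bounds are inclusive, nor why 500 is the default, which an operator sizing a sweep against a large domain will want to know. I would reword them to `OptInt.new('STARTRID', [true, 'First RID to query (inclusive); 500 is conventionally the built-in Administrator RID.', 500])` and `OptInt.new('ENDRID', [true, 'Last RID to query (inclusive).', 3000])`. The inclusiveness is established by the `(STARTRID..ENDRID)` range loop added later in this patch, not by this hunk, so keep the wording in step if that loop ever changes.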
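Review bot: The added `total_rids = datastore['ENDRID'] - datastore['STARTRID']` undercounts by one, because the sweep added later in this patch iterates the inclusive range `(STARTRID..ENDRID)`; with the defaults the module issues 2501 queries but announces 2500, and the progress line reaches "2500 of 2500" before the last query has run. The fix is `total_rids = datastore['ENDRID'] - datastore['STARTRID'] + 1`. The enclosing `run` method starts in the previous hunk and continues past this one.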
@@ -173,10 +175,11 @@ class Metasploit3 < Msf::Auxiliary
     windows_logins = []
     # Fuzz the principal_id parameter (RID in this case) passed to the SUSER_NAME function
-    (500..datastore['FuzzNum']).each do |principal_id|
-
+    (datastore['STARTRID']..datastore['ENDRID']).each do |principal_id|
+      total_rids = datastore['ENDRID'] - datastore['STARTRID']
+      rid_diff = (datastore['ENDRID'] - (datastore['ENDRID'] - principal_id)) - datastore['STARTRID']
       if principal_id % 100 == 0
-        print_status("#{peer} - Querying SID #{principal_id} of #{datastore['FuzzNum']}")
+        print_status("#{peer} - #{rid_diff} of #{total_rids } RID queries complete")
       end
       user_sid = build_user_sid(domain_sid, principal_id)

From fe9fbfd15733e40be4bf8db3ad3abd4bfef1c8de Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 3 Apr 2015 14:43:01 -0500
Subject: [PATCH 2/2] Make calculations easier

---
 .../admin/mssql/mssql_enum_domain_accounts_sqli.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb b/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb
index aded1b9ed5..83a8d2d1ec 100644
--- a/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb
+++ b/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb
@@ -33,8 +33,8 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
-        OptInt.new('STARTRID', [true, 'RID to start fuzzing at.', 500]),
-        OptInt.new('ENDRID', [true, 'RID to stop fuzzing at.', 3000])
+        OptInt.new('START_RID', [true, 'RID to start fuzzing at.', 500]),
+        OptInt.new('END_RID', [true, 'RID to stop fuzzing at.', 3000])
       ], self.class)
   end
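Review bot: The new progress line has a stray space inside the interpolation, `#{total_rids }`, which survives into the final state of this series as a context line; it should read `print_status("#{peer} - #{rid_diff} of #{total_rids} RID queries complete")`. Separately, the cadence still keys off the absolute RID (`principal_id % 100 == 0`) while the message now reports progress relative to STARTRID, so with a STARTRID that is not a multiple of 100 the first report arrives up to 99 queries late; `if rid_diff % 100 == 0` would make the two agree. The method enclosing this loop begins before the hunk and its `each` block closes after it.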
@@ -72,7 +72,7 @@ class Metasploit3 < Msf::Auxiliary
     end
     # Get a list of windows users, groups, and computer accounts using SUSER_NAME()
-    total_rids = datastore['ENDRID'] - datastore['STARTRID']
+    total_rids = datastore['END_RID'] - datastore['START_RID']
     print_status("#{peer} - Brute forcing #{total_rids} RIDs via SQL injection, be patient...")
     domain_users = get_win_domain_users(windows_domain_sid)
     if domain_users.nil?
@@ -174,10 +174,10 @@ class Metasploit3 < Msf::Auxiliary
     windows_logins = []
+    total_rids = datastore['END_RID'] - datastore['START_RID']
     # Fuzz the principal_id parameter (RID in this case) passed to the SUSER_NAME function
-    (datastore['STARTRID']..datastore['ENDRID']).each do |principal_id|
-      total_rids = datastore['ENDRID'] - datastore['STARTRID']
-      rid_diff = (datastore['ENDRID'] - (datastore['ENDRID'] - principal_id)) - datastore['STARTRID']
+    (datastore['START_RID']..datastore['END_RID']).each do |principal_id|
+      rid_diff = principal_id - datastore['START_RID']
       if principal_id % 100 == 0
         print_status("#{peer} - #{rid_diff} of #{total_rids } RID queries complete")
       end
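Review bot: Nothing checks that `START_RID` is non-negative or that it does not exceed `END_RID` before `total_rids` is computed here; an operator who sets them the wrong way round gets a status line announcing a negative count and, since the sweep in the later hunk iterates `(START_RID..END_RID)`, an empty loop that silently enumerates nothing. A negative START_RID would presumably also be handed to build_user_sid, which is outside this diff, so I cannot say what SID it would produce. OptInt already guarantees integers, so this is a usability check rather than an injection concern, and it fits at the top of this section of `run`, bailing out the way the missing-server-name case above appears to (the `return` after that print_error is outside the hunk). The `+ 1` below reflects the inclusive range; the enclosing `run` method continues past this hunk.
```ruby
    # … unchanged: server/domain discovery above …
    start_rid = datastore['START_RID']
    end_rid = datastore['END_RID']
    if start_rid < 0 || end_rid < start_rid
      print_error("#{peer} - START_RID must be >= 0 and <= END_RID (got #{start_rid}..#{end_rid})")
      return
    end
    total_rids = end_rid - start_rid + 1
    print_status("#{peer} - Brute forcing #{total_rids} RIDs via SQL injection, be patient...")
    # … unchanged: get_win_domain_users and result handling …
```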
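Review bot: Hoisting `total_rids = datastore['END_RID'] - datastore['START_RID']` out of the loop is the right move, but the same expression now lives in two methods (here and in `run`, earlier in this diff), so a later correction to one will not reach the other. A one-line private helper such as `def total_rids; datastore['END_RID'] - datastore['START_RID']; end` used from both places would keep them from drifting. The method enclosing this loop begins before the hunk and the `each` block closes after it, so I cannot see whether the module already has a private section to put it in.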