add mssql_version module

zgoldman-r7 · Mar 1, 2024 · 415ebb7 · 415ebb7
1 parent 2c09f38
commit 415ebb7
Show file tree

Hide file tree

Showing 3 changed files with 110 additions and 0 deletions.
diff --git a/lib/msf/core/exploit/remote/mssql.rb b/lib/msf/core/exploit/remote/mssql.rb
@@ -53,6 +53,10 @@ def set_session(client)
     @mssql_client = client
   end
 
+  def mssql_get_version
+    @mssql_client ||= Rex::Proto::MSSQL::Client.new(self, framework, datastore['RHOST'], datastore['RPORT'])
+    @mssql_client.mssql_get_version
+  end
   #
   # This method sends a UDP query packet to the server and
   # parses out the reply packet into a hash

diff --git a/lib/rex/proto/mssql/client_mixin.rb b/lib/rex/proto/mssql/client_mixin.rb
@@ -86,6 +86,86 @@ def mssql_print_reply(info)
     end
   end
 
+  def mssql_get_version
+    disconnect if self.sock
+    connect
+    pkt = ""
+    pkt_hdr = ""
+    pkt_data_token = ""
+    pkt_data = ""
+
+
+    pkt_hdr = [
+        TYPE_PRE_LOGIN_MESSAGE, #type
+        STATUS_END_OF_MESSAGE, #status
+        0x0000, #length
+        0x0000, # SPID
+        0x00, # PacketID
+        0x00 #Window
+    ]
+
+    version = [0x55010008, 0x0000].pack("Vv")
+
+    # if manually set, we will honour
+    if tdsencryption == true
+      encryption = ENCRYPT_ON
+    else
+      encryption = ENCRYPT_NOT_SUP
+    end
+
+    instoptdata = "MSSQLServer\0"
+
+    threadid = "\0\0" + Rex::Text.rand_text(2)
+
+    idx = 21 # size of pkt_data_token
+    pkt_data_token << [
+        0x00, # Token 0 type Version
+        idx , # VersionOffset
+        version.length, # VersionLength
+
+        0x01, # Token 1 type Encryption
+        idx = idx + version.length, # EncryptionOffset
+        0x01, # EncryptionLength
+
+        0x02, # Token 2 type InstOpt
+        idx = idx + 1, # InstOptOffset
+        instoptdata.length, # InstOptLength
+
+        0x03, # Token 3 type Threadid
+        idx + instoptdata.length, # ThreadIdOffset
+        0x04, # ThreadIdLength
+
+        0xFF
+    ].pack("CnnCnnCnnCnnC")
+
+    pkt_data << pkt_data_token
+    pkt_data << version
+    pkt_data << encryption
+    pkt_data << instoptdata
+    pkt_data << threadid
+
+    pkt_hdr[2] = pkt_data.length + 8
+
+    pkt = pkt_hdr.pack("CCnnCC") + pkt_data
+
+    resp = mssql_send_recv(pkt)
+    while resp
+      token = resp.slice!(0, 1)
+      if token.unpack('C')[0] == 255
+        major =  resp.slice!(0, 1).unpack('C')[0]
+        minor =  resp.slice!(0, 1).unpack('C')[0]
+        build = resp.slice!(0, 2).unpack('n')[0]
+        break
+      end
+    end
+
+    if major && minor && build
+      return "#{major}.#{minor}.#{build}"
+    else
+      return nil
+    end
+  end
+
   def mssql_send_recv(req, timeout=15, check_status = true)
     sock.put(req)
 

diff --git a/modules/auxiliary/scanner/mssql/mssql_version.rb b/modules/auxiliary/scanner/mssql/mssql_version.rb
@@ -0,0 +1,26 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::MSSQL
+  include Msf::Auxiliary::Scanner
+
+  def initialize
+    super(
+      'Name'           => 'MSSQL Version Utility',
+      'Description'    => 'This module simply queries the MSSQL instance for information.',
+      'Author'         => 'MC',
+      'License'        => MSF_LICENSE
+    )
+  end
+
+  def run_host(ip)
+    version = mssql_get_version
+    if version and !version.empty?
+      print_status("SQL Server for #{ip}:")
+      print_good("Version: #{version}")
+    end
+  end
+end