From 415ebb7acdf8d9150575502defd7de61bff7b878 Mon Sep 17 00:00:00 2001
From: Zach Goldman
Date: Thu, 29 Feb 2024 22:16:57 -0600
Subject: [PATCH] add mssql_version module
---
 lib/msf/core/exploit/remote/mssql.rb | 4 +
 lib/rex/proto/mssql/client_mixin.rb | 80 +++++++++++++++++++
 .../auxiliary/scanner/mssql/mssql_version.rb | 26 ++++++
 3 files changed, 110 insertions(+)
 create mode 100644 modules/auxiliary/scanner/mssql/mssql_version.rb
diff --git a/lib/msf/core/exploit/remote/mssql.rb b/lib/msf/core/exploit/remote/mssql.rb
index 41088ce0f8c04..fe037495b93a5 100644
--- a/lib/msf/core/exploit/remote/mssql.rb
+++ b/lib/msf/core/exploit/remote/mssql.rb
@@ -53,6 +53,10 @@ def set_session(client)
 @mssql_client = client
 end
+ def mssql_get_version
+ @mssql_client ||= Rex::Proto::MSSQL::Client.new(self, framework, datastore['RHOST'], datastore['RPORT'])
+ @mssql_client.mssql_get_version
+ end
 #
 # This method sends a UDP query packet to the server and
 # parses out the reply packet into a hash
diff --git a/lib/rex/proto/mssql/client_mixin.rb b/lib/rex/proto/mssql/client_mixin.rb
index 3130b105ababd..db7613efbe7e9 100644
--- a/lib/rex/proto/mssql/client_mixin.rb
+++ b/lib/rex/proto/mssql/client_mixin.rb
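Review bot: `mssql_get_version` in the exploit mixin caches the client with `@mssql_client ||=` built from `datastore['RHOST']`/`datastore['RPORT']` at first call, so if one module instance is reused against a second target the cached client still points at the first host; whether the scanner mixin hands each host a fresh instance is not visible here and is worth confirming. The neighbouring method carries a `#` comment block while this one has none; a one-liner such as `# Sends a TDS PRELOGIN to the target and returns its version as "major.minor.build", or nil when no version was parsed.` would match the file's style. From the hunk's line counts it also looks like one side of the inserted method lacks the blank-line separator the rest of the file uses between methods.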
@@ -86,6 +86,86 @@ def mssql_print_reply(info)
 end
 end
+ def mssql_get_version
+ disconnect if self.sock
+ connect
+ pkt = ""
+ pkt_hdr = ""
+ pkt_data_token = ""
+ pkt_data = ""
+
+
+ pkt_hdr = [
+ TYPE_PRE_LOGIN_MESSAGE, #type
+ STATUS_END_OF_MESSAGE, #status
+ 0x0000, #length
+ 0x0000, # SPID
+ 0x00, # PacketID
+ 0x00 #Window
+ ]
+
+ version = [0x55010008, 0x0000].pack("Vv")
+
+ # if manually set, we will honour
+ if tdsencryption == true
+ encryption = ENCRYPT_ON
+ else
+ encryption = ENCRYPT_NOT_SUP
+ end
+
+ instoptdata = "MSSQLServer\0"
+
+ threadid = "\0\0" + Rex::Text.rand_text(2)
+
+ idx = 21 # size of pkt_data_token
+ pkt_data_token << [
+ 0x00, # Token 0 type Version
+ idx , # VersionOffset
+ version.length, # VersionLength
+
+ 0x01, # Token 1 type Encryption
+ idx = idx + version.length, # EncryptionOffset
+ 0x01, # EncryptionLength
+
+ 0x02, # Token 2 type InstOpt
+ idx = idx + 1, # InstOptOffset
+ instoptdata.length, # InstOptLength
+
+ 0x03, # Token 3 type Threadid
+ idx + instoptdata.length, # ThreadIdOffset
+ 0x04, # ThreadIdLength
+
+ 0xFF
+ ].pack("CnnCnnCnnCnnC")
+
+ pkt_data << pkt_data_token
+ pkt_data << version
+ pkt_data << encryption
+ pkt_data << instoptdata
+ pkt_data << threadid
+
+ pkt_hdr[2] = pkt_data.length + 8
+
+ pkt = pkt_hdr.pack("CCnnCC") + pkt_data
+
+ resp = mssql_send_recv(pkt)
+ while resp
+ token = resp.slice!(0, 1)
+ if token.unpack('C')[0] == 255
+ major = resp.slice!(0, 1).unpack('C')[0]
+ minor = resp.slice!(0, 1).unpack('C')[0]
+ build = resp.slice!(0, 2).unpack('n')[0]
+ break
+ end
+ end
+
+ if major && minor && build
+ return "#{major}.#{minor}.#{build}"
+ else
+ return nil
+ end
+ end
+
 def mssql_send_recv(req, timeout=15, check_status = true)
 sock.put(req)
diff --git a/modules/auxiliary/scanner/mssql/mssql_version.rb b/modules/auxiliary/scanner/mssql/mssql_version.rb
new file mode 100644
index 0000000000000..4362e33d8a989
--- /dev/null
+++ b/modules/auxiliary/scanner/mssql/mssql_version.rb
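Review bot: The parse loop at the end of `mssql_get_version` never terminates on a non-nil reply that contains no 0xFF byte, because `"".slice!(0, 1)` returns `""` rather than nil and an empty string stays truthy for `while resp`. It also locates the version by scanning for the first 0xFF byte instead of walking the 5-byte token table, so a 0xFF inside a token offset would be taken as the terminator; walking the table and reading the VERSION data at its declared offset, bounded by `resp.length`, addresses both (rewrite below). Two smaller points: `if tdsencryption == true` should be `if tdsencryption`, and the opening `pkt = ""` / `pkt_hdr = ""` assignments are dead since both are reassigned before use. The method reconnects on entry but nothing closes the socket once the version is read, so a caller scanning many hosts leaves one connection open per host; if the mixin already has a PRELOGIN packet builder, the construction here also duplicates it and could call that instead.
```ruby
    # … unchanged: PRELOGIN packet construction …
    resp = mssql_send_recv(pkt)
    return nil if resp.nil? || resp.empty?

    # PRELOGIN reply: 5-byte token entries (type, offset, length) terminated
    # by 0xFF; the VERSION token (type 0) gives the offset of the version data.
    pos = 0
    version_off = nil
    while pos + 5 <= resp.length && resp.getbyte(pos) != 0xFF
      type, offset = resp[pos, 5].unpack('Cnn')
      version_off = offset if type == 0
      pos += 5
    end
    return nil if version_off.nil? || version_off + 4 > resp.length

    major, minor, build = resp[version_off, 4].unpack('CCn')
    "#{major}.#{minor}.#{build}"
  end
```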
@@ -0,0 +1,26 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::MSSQL
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'MSSQL Version Utility',
+ 'Description' => 'This module simply queries the MSSQL instance for information.',
+ 'Author' => 'MC',
+ 'License' => MSF_LICENSE
+ )
+ end
+
+ def run_host(ip)
+ version = mssql_get_version
+ if version and !version.empty?
+ print_status("SQL Server for #{ip}:")
+ print_good("Version: #{version}")
+ end
+ end
+end
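Review bot: `if version and !version.empty?` in `run_host` uses `and` where `&&` belongs, and since the mixin's `mssql_get_version` in this same patch returns either nil or a non-empty string, the check reduces to `return unless version` followed by the two prints. The 'Description' says only that the module "queries the MSSQL instance for information" although all it does is print the version, and 'Author' => 'MC' does not match the commit author — both look inherited from another module, so worth confirming. Nothing on this side closes the connection `mssql_get_version` opens, so each scanned host leaves a socket open until the object is collected. Recording the result with `report_service` (via `Msf::Auxiliary::Report`) would also persist the version in the database rather than only printing it.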