add session support, dry out code, update descriptions to be more spe…
…cific
zgoldman-r7 committed Mar 4, 2024
1 parent 95671b9 commit 8abc67b
Showing 4 changed files with 18 additions and 65 deletions.
59 changes: 1 addition & 58 deletions lib/rex/proto/mssql/client.rb
Expand Up @@ -422,64 +422,7 @@ def mssql_login(user='sa', pass='', db='', domain_name='')
#this method send a prelogin packet and check if encryption is off
#
def mssql_prelogin(enc_error=false)
pkt = ""
pkt_hdr = ""
pkt_data_token = ""
pkt_data = ""


pkt_hdr = [
TYPE_PRE_LOGIN_MESSAGE, #type
STATUS_END_OF_MESSAGE, #status
0x0000, #length
0x0000, # SPID
0x00, # PacketID
0x00 #Window
]

version = [0x55010008, 0x0000].pack("Vv")

# if manually set, we will honour
if tdsencryption == true
encryption = ENCRYPT_ON
else
encryption = ENCRYPT_NOT_SUP
end

instoptdata = "MSSQLServer\0"

threadid = "\0\0" + Rex::Text.rand_text(2)

idx = 21 # size of pkt_data_token
pkt_data_token << [
0x00, # Token 0 type Version
idx , # VersionOffset
version.length, # VersionLength

0x01, # Token 1 type Encryption
idx = idx + version.length, # EncryptionOffset
0x01, # EncryptionLength

0x02, # Token 2 type InstOpt
idx = idx + 1, # InstOptOffset
instoptdata.length, # InstOptLength

0x03, # Token 3 type Threadid
idx + instoptdata.length, # ThreadIdOffset
0x04, # ThreadIdLength

0xFF
].pack("CnnCnnCnnCnnC")

pkt_data << pkt_data_token
pkt_data << version
pkt_data << encryption
pkt_data << instoptdata
pkt_data << threadid

pkt_hdr[2] = pkt_data.length + 8

pkt = pkt_hdr.pack("CCnnCC") + pkt_data
pkt = mssql_prelogin_packet

resp = mssql_send_recv(pkt)

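Review bot: The lines removed from mssql_prelogin included the `tdsencryption` switch (`ENCRYPT_ON` vs `ENCRYPT_NOT_SUP`), and the replacement `pkt = mssql_prelogin_packet` hands packet construction to a helper whose body is not visible here; confirm that helper reads the same setting, otherwise a caller that enabled TDS encryption would presumably now advertise ENCRYPT_NOT_SUP and the `enc_error` check later in this method would behave differently. The helper is defined in client_mixin.rb while mssql_prelogin lives in client.rb, so this also assumes the mixin is included in this class; if it is not, the call raises NoMethodError at runtime. The same dependency applies to the new mssql_get_version body in client_mixin.rb. mssql_prelogin continues past the end of the hunk.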
12 changes: 9 additions & 3 deletions lib/rex/proto/mssql/client_mixin.rb
Expand Up @@ -86,9 +86,7 @@ def mssql_print_reply(info)
end
end

def mssql_get_version
disconnect if self.sock
connect
def mssql_prelogin_packet
pkt = ""
pkt_hdr = ""
pkt_data_token = ""
Expand Down Expand Up @@ -147,6 +145,14 @@ def mssql_get_version
pkt_hdr[2] = pkt_data.length + 8

pkt = pkt_hdr.pack("CCnnCC") + pkt_data
pkt
end

def mssql_get_version
disconnect if self.sock
connect

pkt = mssql_prelogin_packet

resp = mssql_send_recv(pkt)
while resp
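Review bot: The new mssql_prelogin_packet helper carries no documentation and ends with a redundant bare `pkt` after `pkt = pkt_hdr.pack("CCnnCC") + pkt_data`; the assignment is already the method's last expression, so the trailer can go, or the body can end with just `pkt_hdr.pack("CCnnCC") + pkt_data`. Since mssql_prelogin in client.rb now relies on it, a header comment along the lines of `# Build (but do not send) the TDS PRELOGIN packet: header followed by the version/encryption/instance/thread-id token block; returns the packed bytes.` would make the contract explicit. The token layout in the middle of the helper is outside the hunk, and mssql_get_version starts in the second hunk but continues past it.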
2 changes: 1 addition & 1 deletion modules/auxiliary/scanner/mssql/mssql_ping.rb
Expand Up @@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary
def initialize
super(
'Name' => 'MSSQL Ping Utility',
'Description' => 'This module simply queries the MSSQL instance for information.',
'Description' => 'This module simply queries the MSSQL Browser service for server information.',
'Author' => 'MC',
'License' => MSF_LICENSE
)
10 changes: 7 additions & 3 deletions modules/auxiliary/scanner/mssql/mssql_version.rb
Expand Up @@ -6,20 +6,24 @@
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL
include Msf::Auxiliary::Scanner
include Msf::OptionalSession::MSSQL

def initialize
super(
'Name' => 'MSSQL Version Utility',
'Description' => 'This module simply queries the MSSQL instance for information.',
'Description' => 'This module simply queries the MSSQL instance for version information.',
'Author' => 'MC',
'License' => MSF_LICENSE
)
end

def run_host(ip)
def run
if session
set_session(session.client)
end
version = mssql_get_version
if version && !version.empty?
print_status("SQL Server for #{ip}:")
print_status("SQL Server for #{mssql_client.address}:")
print_good("Version: #{version}")
end
end
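Review bot: Replacing `run_host(ip)` with `run` while the module still includes Msf::Auxiliary::Scanner appears to override the scanner's per-host entry point, so an RHOSTS range would presumably be processed only once via the datastore rather than once per host; confirm this is intended, or keep `run_host` for the no-session path and only take the `run` route when a session is supplied. On style, the three-line `if session` block reads better in modifier form: `set_session(session.client) if session`. The status line now prints `mssql_client.address`; this sits inside the `version && !version.empty?` guard, so a nil client is unlikely to reach it, but that depends on mssql_get_version always having set up the client, which is not visible here.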

