diff --git a/lib/rex/proto/mssql/client.rb b/lib/rex/proto/mssql/client.rb
index 0c1bf15ce808b..75ba7b80863ca 100644
--- a/lib/rex/proto/mssql/client.rb
+++ b/lib/rex/proto/mssql/client.rb
@@ -422,64 +422,7 @@ def mssql_login(user='sa', pass='', db='', domain_name='')
 #this method send a prelogin packet and check if encryption is off
 #
 def mssql_prelogin(enc_error=false)
- pkt = ""
- pkt_hdr = ""
- pkt_data_token = ""
- pkt_data = ""
-
-
- pkt_hdr = [
- TYPE_PRE_LOGIN_MESSAGE, #type
- STATUS_END_OF_MESSAGE, #status
- 0x0000, #length
- 0x0000, # SPID
- 0x00, # PacketID
- 0x00 #Window
- ]
-
- version = [0x55010008, 0x0000].pack("Vv")
-
- # if manually set, we will honour
- if tdsencryption == true
- encryption = ENCRYPT_ON
- else
- encryption = ENCRYPT_NOT_SUP
- end
-
- instoptdata = "MSSQLServer\0"
-
- threadid = "\0\0" + Rex::Text.rand_text(2)
-
- idx = 21 # size of pkt_data_token
- pkt_data_token << [
- 0x00, # Token 0 type Version
- idx , # VersionOffset
- version.length, # VersionLength
-
- 0x01, # Token 1 type Encryption
- idx = idx + version.length, # EncryptionOffset
- 0x01, # EncryptionLength
-
- 0x02, # Token 2 type InstOpt
- idx = idx + 1, # InstOptOffset
- instoptdata.length, # InstOptLength
-
- 0x03, # Token 3 type Threadid
- idx + instoptdata.length, # ThreadIdOffset
- 0x04, # ThreadIdLength
-
- 0xFF
- ].pack("CnnCnnCnnCnnC")
-
- pkt_data << pkt_data_token
- pkt_data << version
- pkt_data << encryption
- pkt_data << instoptdata
- pkt_data << threadid
-
- pkt_hdr[2] = pkt_data.length + 8
-
- pkt = pkt_hdr.pack("CCnnCC") + pkt_data
+ pkt = mssql_prelogin_packet
 resp = mssql_send_recv(pkt)
diff --git a/lib/rex/proto/mssql/client_mixin.rb b/lib/rex/proto/mssql/client_mixin.rb
index db7613efbe7e9..a73a8a6bc7e48 100644
--- a/lib/rex/proto/mssql/client_mixin.rb
+++ b/lib/rex/proto/mssql/client_mixin.rb
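Review bot: The removed lines picked ENCRYPT_ON or ENCRYPT_NOT_SUP from `tdsencryption`, and the replacement `pkt = mssql_prelogin_packet` delegates that choice to a helper whose body is outside this hunk; confirm the helper honours `tdsencryption` the same way, because a client configured for TDS encryption that advertises ENCRYPT_NOT_SUP would make the later `enc_error` handling in mssql_prelogin reason about the wrong negotiation. Since the layout is now shared, a short comment above the call, `# PRELOGIN bytes are built by mssql_prelogin_packet, shared with mssql_get_version`, would tell a reader where the packet comes from. mssql_prelogin's body continues past the hunk.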
@@ -86,9 +86,7 @@ def mssql_print_reply(info)
 end
 end
- def mssql_get_version
- disconnect if self.sock
- connect
+ def mssql_prelogin_packet
 pkt = ""
 pkt_hdr = ""
 pkt_data_token = ""
@@ -147,6 +145,14 @@ def mssql_get_version
 pkt_hdr[2] = pkt_data.length + 8
 pkt = pkt_hdr.pack("CCnnCC") + pkt_data
+ pkt
+ end
+
+ def mssql_get_version
+ disconnect if self.sock
+ connect
+
+ pkt = mssql_prelogin_packet
 resp = mssql_send_recv(pkt)
 while resp
diff --git a/modules/auxiliary/scanner/mssql/mssql_ping.rb b/modules/auxiliary/scanner/mssql/mssql_ping.rb
index 55140a66729fb..a371720020c3b 100644
--- a/modules/auxiliary/scanner/mssql/mssql_ping.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_ping.rb
@@ -11,7 +11,7 @@ class MetasploitModule < Msf::Auxiliary
 def initialize
 super(
 'Name' => 'MSSQL Ping Utility',
- 'Description' => 'This module simply queries the MSSQL instance for information.',
+ 'Description' => 'This module simply queries the MSSQL Browser service for server information.',
 'Author' => 'MC',
 'License' => MSF_LICENSE
 )
diff --git a/modules/auxiliary/scanner/mssql/mssql_version.rb b/modules/auxiliary/scanner/mssql/mssql_version.rb
index b2cfa8d28fc4a..1d629514a86c0 100644
--- a/modules/auxiliary/scanner/mssql/mssql_version.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_version.rb
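Review bot: The new `mssql_prelogin_packet` in the hunk at -86 has no doc comment even though it is now the single definition of the PRELOGIN layout used by both mssql_prelogin and mssql_get_version; a header such as `# Builds the TDS PRELOGIN packet (header plus token table and token data) and returns it as a String; does no socket I/O, the caller sends it.` would carry that. In the hunk at -147 the trailing `pkt` line is redundant, because `pkt = pkt_hdr.pack("CCnnCC") + pkt_data` is already the method's last expression and Ruby returns it implicitly; either drop the extra `pkt` line or drop the assignment. The helper's body lies between the two hunks and is not visible here, so whether it still consults `tdsencryption` as the code removed from client.rb did cannot be confirmed from this diff.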
@@ -6,20 +6,24 @@ class MetasploitModule < Msf::Auxiliary
 include Msf::Exploit::Remote::MSSQL
 include Msf::Auxiliary::Scanner
+ include Msf::OptionalSession::MSSQL
 def initialize
 super(
 'Name' => 'MSSQL Version Utility',
- 'Description' => 'This module simply queries the MSSQL instance for information.',
+ 'Description' => 'This module simply queries the MSSQL instance for version information.',
 'Author' => 'MC',
 'License' => MSF_LICENSE
 )
 end
- def run_host(ip)
+ def run
+ if session
+ set_session(session.client)
+ end
 version = mssql_get_version
 if version && !version.empty?
- print_status("SQL Server for #{ip}:")
+ print_status("SQL Server for #{mssql_client.address}:")
 print_good("Version: #{version}")
 end
 end
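Review bot: Replacing `run_host(ip)` with `run` while the module still includes `Msf::Auxiliary::Scanner` changes how RHOSTS is handled: if, as it appears, the Scanner mixin's `run` is what iterated the host list and called `run_host` per host, this override now performs the check once against whatever `mssql_client` points at, so a multi-host RHOSTS range would no longer be walked in the no-session case. Either keep `run_host(ip)` for the non-session path and only short-circuit to the session client when `session` is set, or state the single-target behaviour in the module description. Minor style point: the three-line `if session` block reads better as `set_session(session.client) if session`.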