update relevant modules to work with sessions

separate out optional session logic fixing session handling
zgoldman-r7 · Feb 9, 2024 · 94223f0 · 94223f0
1 parent 285fbe5
commit 94223f0
Show file tree

Hide file tree

Showing 13 changed files with 97 additions and 30 deletions.
diff --git a/lib/msf/core/exploit/remote/mssql.rb b/lib/msf/core/exploit/remote/mssql.rb
@@ -46,6 +46,10 @@ def initialize(info = {})
     register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })
   end
 
+  def set_session(session)
+    @mssql_client = session.client
+  end
+
   #
   # This method sends a UDP query packet to the server and
   # parses out the reply packet into a hash

diff --git a/lib/rex/proto/mssql/client.rb b/lib/rex/proto/mssql/client.rb
@@ -473,7 +473,6 @@ def mssql_prelogin(enc_error=false)
           pkt_hdr[2] = pkt_data.length + 8
 
           pkt = pkt_hdr.pack("CCnnCC") + pkt_data
-
           resp = mssql_send_recv(pkt)
 
           idx = 0

diff --git a/modules/auxiliary/admin/mssql/mssql_enum.rb b/modules/auxiliary/admin/mssql/mssql_enum.rb
@@ -6,6 +6,7 @@
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::MSSQL
   include Msf::Auxiliary::Report
+  include Msf::OptionalSession
 
   def initialize(info = {})
     super(update_info(info,
@@ -17,14 +18,18 @@ module to work, valid administrative user credentials must be
         supplied.
       },
       'Author'         => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
-      'License'        => MSF_LICENSE
+      'License'        => MSF_LICENSE,
+      'SessionTypes'   => %w[MSSQL],
     ))
   end
 
   def run
     print_status("Running MS SQL Server Enumeration...")
+    if (datastore['SESSION'] && session)
+      set_session(session)
+    end
 
-    if !mssql_login_datastore
+    unless (datastore['SESSION'] && session) || mssql_login_datastore
       print_error("Login was unsuccessful. Check your credentials.")
       disconnect
       return

diff --git a/modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb b/modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb
@@ -5,6 +5,7 @@
 
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::MSSQL
+  include Msf::OptionalSession
 
   def initialize(info = {})
     super(update_info(info,
@@ -17,14 +18,19 @@ def initialize(info = {})
       },
       'Author'         => [ 'nullbind <scott.sutherland[at]netspi.com>'],
       'License'        => MSF_LICENSE,
-      'References'     => [[ 'URL','http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx']]
+      'References'     => [[ 'URL','http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx']],
+      'SessionTypes'   => %w[MSSQL]
     ))
   end
 
   def run
     # Check connection and issue initial query
+    if (datastore['SESSION'] && session)
+      set_session(session)
+    end
+
     print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
-    if mssql_login_datastore
+    if (datastore['SESSION'] && session) || mssql_login_datastore
       print_good('Connected.')
     else
       print_error('Login was unsuccessful. Check your credentials.')

diff --git a/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb b/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb
@@ -6,6 +6,7 @@
 
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::MSSQL
+  include Msf::OptionalSession
 
   def initialize(info = {})
     super(update_info(info,
@@ -17,14 +18,19 @@ def initialize(info = {})
       },
       'Author'      => ['nullbind <scott.sutherland[at]netspi.com>'],
       'License'     => MSF_LICENSE,
-      'References'  => [['URL','http://msdn.microsoft.com/en-us/library/ms178640.aspx']]
+      'References'  => [['URL','http://msdn.microsoft.com/en-us/library/ms178640.aspx']],
+      'SessionTypes' => %w[MSSQL]
     ))
   end
 
   def run
+    if (datastore['SESSION'] && session)
+      set_session(session)
+    end
     # Check connection and issue initial query
-    print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
-    if mssql_login_datastore
+    print_status("Attempting to connect to the database server at #{datastore['RHOST']}:#{datastore['RPORT']} as #{datastore['USERNAME']}...")
+
+    if (datastore['SESSION'] && session) || mssql_login_datastore
       print_good('Connected.')
     else
       print_error('Login was unsuccessful. Check your credentials.')

diff --git a/modules/auxiliary/admin/mssql/mssql_exec.rb b/modules/auxiliary/admin/mssql/mssql_exec.rb
@@ -5,6 +5,7 @@
 
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::MSSQL
+  include Msf::OptionalSession
 
   def initialize(info = {})
     super(
@@ -26,7 +27,8 @@ def initialize(info = {})
           [
             [ 'URL', 'http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx'],
             [ 'URL', 'https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-oacreate-transact-sql'],
-          ]
+          ],
+        'SessionTypes' => %w[MSSQL],
       )
     )
 
@@ -37,7 +39,10 @@ def initialize(info = {})
   end
 
   def run
-    return unless mssql_login_datastore
+    if (datastore['SESSION'] && session)
+      set_session(session)
+    end
+    return unless (datastore['SESSION'] && session) || mssql_login_datastore
 
     technique = datastore['TECHNIQUE']
     case technique

diff --git a/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb b/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb
@@ -4,9 +4,10 @@
 ##
 
 class MetasploitModule < Msf::Auxiliary
-  include Msf::Exploit::Remote::MSSQL
   include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::MSSQL
+  include Msf::OptionalSession
 
   def initialize(info = {})
     super(update_info(info,
@@ -27,7 +28,8 @@ def initialize(info = {})
         'todb'                                               # Help on GitHub
       ],
       'License'        => MSF_LICENSE,
-      'References'     => [[ 'URL', 'http://www.netspi.com/blog/author/ssutherland/' ]]
+      'References'     => [[ 'URL', 'http://www.netspi.com/blog/author/ssutherland/' ]],
+      'SessionTypes'   => %w[MSSQL],
     ))
 
     register_options(
@@ -342,7 +344,11 @@ def sql_statement()
 
     # CREATE DATABASE CONNECTION AND SUBMIT QUERY WITH ERROR HANDLING
     begin
-      result = mssql_query(sql, false) if mssql_login_datastore
+      if (datastore['SESSION'] && session)
+        set_session(session)
+      end
+      result = mssql_query(sql, false) if (datastore['SESSION'] && session) || mssql_login_datastore
+
       column_data = result[:rows]
       print_good("Successfully connected to #{rhost}:#{rport}")
     rescue

diff --git a/modules/auxiliary/admin/mssql/mssql_idf.rb b/modules/auxiliary/admin/mssql/mssql_idf.rb
@@ -14,6 +14,7 @@
 
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::MSSQL
+  include Msf::OptionalSession
 
   def initialize(info = {})
     super(update_info(info,
@@ -29,7 +30,8 @@ def initialize(info = {})
       'References'     =>
         [
           [ 'URL', 'http://www.digininja.org/metasploit/mssql_idf.php' ],
-        ]
+        ],
+      'SessionTypes'   => %w[MSSQL]
     ))
 
     register_options(
@@ -86,7 +88,11 @@ def run
     sql += "DEALLOCATE table_cursor "
 
     begin
-      if mssql_login_datastore
+      if (datastore['SESSION'] && session)
+        set_session(session)
+      end
+
+      if (datastore['SESSION'] && session) || mssql_login_datastore
         result = mssql_query(sql, false)
       else
         print_error('Login failed')

diff --git a/modules/auxiliary/admin/mssql/mssql_sql.rb b/modules/auxiliary/admin/mssql/mssql_sql.rb
@@ -5,6 +5,7 @@
 
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::MSSQL
+  include Msf::OptionalSession
 
   def initialize(info = {})
     super(update_info(info,
@@ -19,7 +20,8 @@ def initialize(info = {})
         [
           [ 'URL', 'http://www.attackresearch.com' ],
           [ 'URL', 'http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx'],
-        ]
+        ],
+      'SessionTypes'   => %w[MSSQL],
     ))
 
     register_options(
@@ -38,7 +40,10 @@ def cmd_select(*args)
   end
 
   def run
-    mssql_query(datastore['SQL'], true) if mssql_login_datastore
-    disconnect
+    if (datastore['SESSION'] && session)
+      set_session(session)
+    end
+
+    mssql_query(datastore['SQL'], true) if (datastore['SESSION'] && session) || mssql_login_datastore
   end
 end
diff --git a/modules/auxiliary/admin/mssql/mssql_sql_file.rb b/modules/auxiliary/admin/mssql/mssql_sql_file.rb
@@ -5,6 +5,7 @@
 
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::MSSQL
+  include Msf::OptionalSession
 
   def initialize(info = {})
     super(update_info(info,
@@ -15,7 +16,8 @@ def initialize(info = {})
         the appropriate credentials.
       },
       'Author'         => [ 'j0hn__f : <jf[at]tinternet.org.uk>' ],
-      'License'        => MSF_LICENSE
+      'License'        => MSF_LICENSE,
+      'SessionTypes'   => %w[MSSQL]
     ))
 
     register_options(
@@ -34,9 +36,12 @@ def run
     suffix = datastore['QUERY_SUFFIX']
 
     begin
+      if (datastore['SESSION'] && session)
+        set_session(session)
+      end
       queries.each do |sql_query|
         vprint_status("Executing: #{sql_query}")
-        mssql_query(prefix+sql_query.chomp+suffix,true) if mssql_login_datastore
+        mssql_query(prefix+sql_query.chomp+suffix,true) if (datastore['SESSION'] && session) || mssql_login_datastore
       end
     rescue Rex::ConnectionRefused, Rex::ConnectionTimeout
       print_error "Error connecting to server: #{$!}"

diff --git a/modules/auxiliary/scanner/mssql/mssql_hashdump.rb b/modules/auxiliary/scanner/mssql/mssql_hashdump.rb
@@ -6,8 +6,8 @@
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::MSSQL
   include Msf::Auxiliary::Report
-
   include Msf::Auxiliary::Scanner
+  include Msf::OptionalSession
 
   def initialize
     super(
@@ -19,14 +19,19 @@ def initialize
         table names, which can be used to seed the wordlist.
       },
       'Author'         => ['theLightCosine'],
-      'License'        => MSF_LICENSE
+      'License'        => MSF_LICENSE,
+      'SessionTypes'   => %w[MSSQL],
     )
   end
 
   def run_host(ip)
-
-    if !mssql_login_datastore
-      print_error("Invalid SQL Server credentials")
+    if (datastore['SESSION'] && session)
+      set_session(session)
+    elsif (datastore['SESSION'] && !session)
+      print_error('Unable to connect to session')
+      return
+    elsif !mssql_login(datastore['USERNAME'], datastore['PASSWORD'])
+      print_error('Invalid SQL Server credentials')
       return
     end
 

diff --git a/modules/auxiliary/scanner/mssql/mssql_schemadump.rb b/modules/auxiliary/scanner/mssql/mssql_schemadump.rb
@@ -8,6 +8,7 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::MSSQL
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::Scanner
+  include Msf::OptionalSession
 
   def initialize
     super(
@@ -20,7 +21,8 @@ def initialize
           as loot for easy reading.
       },
       'Author'         => ['theLightCosine'],
-      'License'        => MSF_LICENSE
+      'License'        => MSF_LICENSE,
+      'SessionTypes'   => %w[MSSQL],
     )
 
     register_options([
@@ -29,9 +31,12 @@ def initialize
   end
 
   def run_host(ip)
+    if (datastore['SESSION'] && session)
+      set_session(session)
+    end
 
-    if !mssql_login_datastore
-      print_error("#{rhost}:#{rport} - Invalid SQL Server credentials")
+    unless (datastore['SESSION'] && session) || mssql_login_datastore
+      print_error("#{datastore['RHOST']}:#{datastore['RPORT']} - Invalid SQL Server credentials")
       return
     end
 

diff --git a/modules/exploits/windows/mssql/mssql_payload.rb b/modules/exploits/windows/mssql/mssql_payload.rb
@@ -8,6 +8,7 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::MSSQL
   include Msf::Exploit::CmdStager
+  include Msf::OptionalSession
   #include Msf::Exploit::CmdStagerDebugAsm
   #include Msf::Exploit::CmdStagerDebugWrite
   #include Msf::Exploit::CmdStagerTFTP
@@ -53,6 +54,7 @@ def initialize(info = {})
         ],
       'Platform'       => 'win',
       'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'SessionTypes'   => %w[MSSQL],
       'Targets'        =>
         [
           [ 'Automatic', { } ],
@@ -68,7 +70,11 @@ def initialize(info = {})
   end
 
   def check
-    if !mssql_login_datastore
+    if (datastore['SESSION'] && session)
+      set_session(session)
+    end
+
+    unless (datastore['SESSION'] && session) || mssql_login_datastore
       vprint_status("Invalid SQL Server credentials")
       return Exploit::CheckCode::Detected
     end
@@ -91,7 +97,11 @@ def execute_command(cmd, opts)
 
   def exploit
 
-    if !mssql_login_datastore
+    if (datastore['SESSION'] && session)
+      set_session(session)
+    end
+
+    unless (datastore['SESSION'] && session) || mssql_login_datastore
       print_status("Invalid SQL Server credentials")
       return
     end
-Original file line number
+Diff line change
@@ Expand Up / @@ -473,7 +473,6 @@ def mssql_prelogin(enc_error=false) @@
               pkt_hdr[2] = pkt_data.length + 8
               pkt = pkt_hdr.pack("CCnnCC") + pkt_data
               resp = mssql_send_recv(pkt)
               idx = 0
@@ Expand Down @@