adds ntext parsing to mssql

rapid7 · Apr 4, 2024 · 83f3cee · 83f3cee
1 parent 6a32f81
commit 83f3cee
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 0 deletions.
diff --git a/lib/rex/proto/mssql/client_mixin.rb b/lib/rex/proto/mssql/client_mixin.rb
@@ -206,6 +206,15 @@ def mssql_parse_tds_reply(data, info)
       when 50
         col[:id] = :bit
 
+      when 99
+        col[:id] = :ntext
+        col[:max_size] = data.slice!(0, 4).unpack('V')[0]
+        col[:codepage] = data.slice!(0, 2).unpack('v')[0]
+        col[:cflags] = data.slice!(0, 2).unpack('v')[0]
+        col[:charset_id] =  data.slice!(0, 1).unpack('C')[0]
+        col[:namelen] = data.slice!(0, 1).unpack('C')[0]
+        col[:table_name] = data.slice!(0, (col[:namelen] * 2) + 1).gsub("\x00", '')
+
       when 104
         col[:id] = :bitn
         col[:int_size] = data.slice!(0, 1).unpack('C')[0]
@@ -328,6 +337,15 @@ def mssql_parse_tds_row(data, info)
         end
         row << str.gsub("\x00", '')
 
+      when :ntext
+        str = ""
+        ptrlen = data.slice!(0, 1).unpack("C")[0]
+        ptr = data.slice!(0, ptrlen)
+        timestamp = data.slice!(0, 8)
+        datalen = data.slice!(0, 4).unpack("V")[0]
+        row << data.slice!(0, datalen)
+
+
       when :datetime
         row << data.slice!(0, 8).unpack("H*")[0]
 

diff --git a/resource.rc b/resource.rc
@@ -0,0 +1,63 @@
+<ruby>
+auth_modules = %w[
+  auxiliary/scanner/mssql/mssql_hashdump
+  auxiliary/scanner/mssql/mssql_ping
+  auxiliary/scanner/mssql/mssql_schemadump
+  exploit/windows/mssql/mssql_clr_payload
+  auxiliary/admin/mssql/mssql_exec
+  auxiliary/admin/mssql/mssql_enum
+  exploit/windows/mssql/mssql_linkcrawler
+  auxiliary/admin/mssql/mssql_escalate_dbowner
+  auxiliary/admin/mssql/mssql_escalate_execute_as
+  auxiliary/admin/mssql/mssql_findandsampledata
+  auxiliary/admin/mssql/mssql_sql
+  auxiliary/admin/mssql/mssql_sql_file
+  auxiliary/admin/mssql/mssql_idf
+  exploit/windows/mssql/mssql_payload
+  exploit/windows/mssql/mssql_payload_sqli
+  auxiliary/admin/mssql/mssql_escalate_dbowner_sqli
+  auxiliary/admin/mssql/mssql_escalate_execute_as_sqli
+  auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli
+  auxiliary/admin/mssql/mssql_enum_sql_logins
+  auxiliary/admin/mssql/mssql_enum_domain_accounts
+
+  post/windows/gather/credentials/mssql_local_hashdump
+  post/windows/manage/mssql_local_auth_bypass
+]
+
+session_modules = %w[
+  auxiliary/admin/mssql/mssql_enum
+  auxiliary/admin/mssql/mssql_escalate_dbowner
+  auxiliary/admin/mssql/mssql_escalate_execute_as
+  auxiliary/admin/mssql/mssql_exec
+  exploit/windows/mssql/mssql_payload
+  auxiliary/admin/mssql/mssql_findandsampledata
+  auxiliary/admin/mssql/mssql_sql
+  auxiliary/scanner/mssql/mssql_hashdump
+  auxiliary/scanner/mssql/mssql_schemadump
+]
+
+run_single "use auxiliary/scanner/mssql/mssql_login"
+run_single "run rhost=192.168.2.224 username=test password=ASDqwe123 use_windows_authent=false createsession=true"
+
+auth_modules.each do |mod|
+  print_line
+  print_status("Running mod :: #{mod}")
+  run_single("use #{mod}")
+  if mod.start_with?('auxiliary') || mod.include?('exploit')
+    # Windows auth
+    # run_single("run rhost=192.168.2.224 username=winserv2022 password=winserv2022 use_windows_authent=true lhost=192.168.86.20")
+    # # Normal auth
+    run_single("run RPORT=1433 RHOSTS=192.168.2.224 USERNAME=test PASSWORD=ASDqwe123")
+    # # Kerberos auth
+    # run_single("run 192.168.123.136 domaincontrollerrhost=192.168.123.136 username=vagrant password=vagrant mssql::auth=kerberos mssql::rhostname=dc01.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'")
+    # Session
+    run_single("run session=-1")
+  elsif mod.start_with?('post')
+    run_single("run session=-1")
+  else
+    raise "Unknown mod #{mod}"
+  end
+  print_line
+end
+</ruby>