From 83f3ceeb361549222359a63920ad3b4ddf871004 Mon Sep 17 00:00:00 2001 From: Zach Goldman Date: Thu, 4 Apr 2024 08:34:51 -0500 Subject: [PATCH] adds ntext parsing to mssql --- lib/rex/proto/mssql/client_mixin.rb | 18 +++++++++ resource.rc | 63 +++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 resource.rc diff --git a/lib/rex/proto/mssql/client_mixin.rb b/lib/rex/proto/mssql/client_mixin.rb index 153f582d59d2a..77af5073429f8 100644 --- a/lib/rex/proto/mssql/client_mixin.rb +++ b/lib/rex/proto/mssql/client_mixin.rb @@ -206,6 +206,15 @@ def mssql_parse_tds_reply(data, info) when 50 col[:id] = :bit + when 99 + col[:id] = :ntext + col[:max_size] = data.slice!(0, 4).unpack('V')[0] + col[:codepage] = data.slice!(0, 2).unpack('v')[0] + col[:cflags] = data.slice!(0, 2).unpack('v')[0] + col[:charset_id] = data.slice!(0, 1).unpack('C')[0] + col[:namelen] = data.slice!(0, 1).unpack('C')[0] + col[:table_name] = data.slice!(0, (col[:namelen] * 2) + 1).gsub("\x00", '') + when 104 col[:id] = :bitn col[:int_size] = data.slice!(0, 1).unpack('C')[0] @@ -328,6 +337,15 @@ def mssql_parse_tds_row(data, info) end row << str.gsub("\x00", '') + when :ntext + str = "" + ptrlen = data.slice!(0, 1).unpack("C")[0] + ptr = data.slice!(0, ptrlen) + timestamp = data.slice!(0, 8) + datalen = data.slice!(0, 4).unpack("V")[0] + row << data.slice!(0, datalen) + + when :datetime row << data.slice!(0, 8).unpack("H*")[0] diff --git a/resource.rc b/resource.rc new file mode 100644 index 0000000000000..d2d087bf9bc60 --- /dev/null +++ b/resource.rc 
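Review bot: The `when 99` branch consumes server-supplied lengths with no check that `data` still holds them: on a short or hostile reply `data.slice!(0, 1).unpack('C')[0]` returns nil and `col[:namelen] * 2` raises NoMethodError instead of a parse error. Guard the fixed 10-byte prefix before the first `slice!` (`raise <the parser's error class>, 'truncated ntext TYPE_INFO' if data.length < 10`) and the name bytes again before the `table_name` slice, using whatever error the enclosing parser already raises. The `(col[:namelen] * 2) + 1` slice is worth confirming against the MS-TDS TABLENAME layout (NumParts byte, then one US_VARCHAR per part); if `namelen` is really NumParts this slice is not the table name, though the branch may simply be mirroring an existing `text` branch outside the hunk. `mssql_parse_tds_reply` begins and ends outside the hunk.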
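Review bot: The `:ntext` branch pushes the raw UCS-2 payload (`row << data.slice!(0, datalen)`) while the branch just above strips the interleaved nulls (`row << str.gsub("\x00", '')`), so ntext values surface with embedded NULs where other Unicode columns do not; `row << data.slice!(0, datalen).gsub("\x00", '')` keeps the two consistent (a real `force_encoding('UTF-16LE').encode('UTF-8')` would be better if the parser ever moves to proper decoding). `str = ""`, `ptr` and `timestamp` are assigned but never read — drop `str` and either prefix the others with `_` or skip them with one `data.slice!(0, ptrlen + 8)`. If I read MS-TDS correctly a `ptrlen` of 0 encodes a NULL text pointer with no timestamp or length following, in which case this branch would swallow twelve bytes of the next column; `if ptrlen.zero? then row << nil` before the timestamp read would cover it — worth confirming against the spec. `mssql_parse_tds_row` begins and ends outside the hunk.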
@@ -0,0 +1,63 @@
+
+auth_modules = %w[
+ auxiliary/scanner/mssql/mssql_hashdump
+ auxiliary/scanner/mssql/mssql_ping
+ auxiliary/scanner/mssql/mssql_schemadump
+ exploit/windows/mssql/mssql_clr_payload
+ auxiliary/admin/mssql/mssql_exec
+ auxiliary/admin/mssql/mssql_enum
+ exploit/windows/mssql/mssql_linkcrawler
+ auxiliary/admin/mssql/mssql_escalate_dbowner
+ auxiliary/admin/mssql/mssql_escalate_execute_as
+ auxiliary/admin/mssql/mssql_findandsampledata
+ auxiliary/admin/mssql/mssql_sql
+ auxiliary/admin/mssql/mssql_sql_file
+ auxiliary/admin/mssql/mssql_idf
+ exploit/windows/mssql/mssql_payload
+ exploit/windows/mssql/mssql_payload_sqli
+ auxiliary/admin/mssql/mssql_escalate_dbowner_sqli
+ auxiliary/admin/mssql/mssql_escalate_execute_as_sqli
+ auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli
+ auxiliary/admin/mssql/mssql_enum_sql_logins
+ auxiliary/admin/mssql/mssql_enum_domain_accounts
+
+ post/windows/gather/credentials/mssql_local_hashdump
+ post/windows/manage/mssql_local_auth_bypass
+]
+
+session_modules = %w[
+ auxiliary/admin/mssql/mssql_enum
+ auxiliary/admin/mssql/mssql_escalate_dbowner
+ auxiliary/admin/mssql/mssql_escalate_execute_as
+ auxiliary/admin/mssql/mssql_exec
+ exploit/windows/mssql/mssql_payload
+ auxiliary/admin/mssql/mssql_findandsampledata
+ auxiliary/admin/mssql/mssql_sql
+ auxiliary/scanner/mssql/mssql_hashdump
+ auxiliary/scanner/mssql/mssql_schemadump
+]
+
+run_single "use auxiliary/scanner/mssql/mssql_login"
+run_single "run rhost=192.168.2.224 username=test password=ASDqwe123 use_windows_authent=false createsession=true"
+
+auth_modules.each do |mod|
+ print_line
+ print_status("Running mod :: #{mod}")
+ run_single("use #{mod}")
+ if mod.start_with?('auxiliary') || mod.include?('exploit')
+ # Windows auth
+ # run_single("run rhost=192.168.2.224 username=winserv2022 password=winserv2022 use_windows_authent=true lhost=192.168.86.20")
+ # # Normal auth
+ run_single("run RPORT=1433 RHOSTS=192.168.2.224 USERNAME=test PASSWORD=ASDqwe123")
+ # # Kerberos auth
+ # run_single("run 192.168.123.136 domaincontrollerrhost=192.168.123.136 username=vagrant password=vagrant mssql::auth=kerberos mssql::rhostname=dc01.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'")
+ # Session
+ run_single("run session=-1")
+ elsif mod.start_with?('post')
+ run_single("run session=-1")
+ else
+ raise "Unknown mod #{mod}"
+ end
+ print_line
+end
+
\ No newline at end of file
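Review bot: `resource.rc` is a local test harness that does not belong in a commit titled "adds ntext parsing to mssql": it is added at the repository root and hard-codes lab addresses and a working login (`username=test password=ASDqwe123`, the commented Windows and Kerberos lines carry two more). Drop the file from this patch — and treat the committed credentials as exposed if that lab is shared — or, if a repeatable MSSQL module sweep is wanted, move it under the project's test or documentation tree with the host and credentials read from variables rather than literals. The first added line is blank and the last line has no trailing newline, which a linter will also flag.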