2018-06-09 22:51:46 +08:00
|
|
|
import logging
|
|
|
|
import socket
|
|
|
|
|
|
|
|
from model.host import VictimHost
|
|
|
|
from network import HostFinger
|
|
|
|
|
2018-06-10 01:02:18 +08:00
|
|
|
__author__ = 'Maor Rayzin'
|
2018-06-09 22:51:46 +08:00
|
|
|
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
2018-06-12 18:26:28 +08:00
|
|
|
class MSSQLFinger(HostFinger):
|
2018-06-09 22:51:46 +08:00
|
|
|
|
2018-06-09 23:23:08 +08:00
|
|
|
# Class related consts
|
|
|
|
SQL_BROWSER_DEFAULT_PORT = 1434
|
|
|
|
BUFFER_SIZE = 4096
|
|
|
|
TIMEOUT = 5
|
2018-06-12 18:26:28 +08:00
|
|
|
SERVICE_NAME = 'MSSQL'
|
2018-06-09 23:23:08 +08:00
|
|
|
|
2018-06-09 22:51:46 +08:00
|
|
|
def __init__(self):
|
|
|
|
self._config = __import__('config').WormConfiguration
|
|
|
|
|
|
|
|
def get_host_fingerprint(self, host):
|
|
|
|
"""Gets Microsoft SQL Server instance information by querying the SQL Browser service.
|
2018-06-10 01:02:18 +08:00
|
|
|
:arg:
|
|
|
|
host (VictimHost): The MS-SSQL Server to query for information.
|
2018-06-09 22:51:46 +08:00
|
|
|
|
2018-06-10 01:02:18 +08:00
|
|
|
:returns:
|
2018-06-09 22:51:46 +08:00
|
|
|
Discovered server information written to the Host info struct.
|
2018-06-10 01:02:18 +08:00
|
|
|
True if success, False otherwise.
|
2018-06-09 22:51:46 +08:00
|
|
|
"""
|
|
|
|
|
2018-06-09 23:23:08 +08:00
|
|
|
assert isinstance(host, VictimHost)
|
|
|
|
|
2018-06-09 22:51:46 +08:00
|
|
|
# Create a UDP socket and sets a timeout
|
|
|
|
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
2018-06-09 23:23:08 +08:00
|
|
|
sock.settimeout(self.TIMEOUT)
|
2018-06-10 01:02:18 +08:00
|
|
|
server_address = (str(host.ip_addr), self.SQL_BROWSER_DEFAULT_PORT)
|
2018-06-09 23:23:08 +08:00
|
|
|
|
|
|
|
# The message is a CLNT_UCAST_EX packet to get all instances
|
|
|
|
# https://msdn.microsoft.com/en-us/library/cc219745.aspx
|
|
|
|
message = '\x03'
|
2018-06-09 22:51:46 +08:00
|
|
|
|
|
|
|
# Encode the message as a bytesarray
|
|
|
|
message = message.encode()
|
|
|
|
|
|
|
|
# send data and receive response
|
|
|
|
try:
|
2018-06-09 23:23:08 +08:00
|
|
|
LOG.info('Sending message to requested host: {0}, {1}'.format(host, message))
|
2018-06-09 22:51:46 +08:00
|
|
|
sock.sendto(message, server_address)
|
2018-06-09 23:23:08 +08:00
|
|
|
data, server = sock.recvfrom(self.BUFFER_SIZE)
|
2018-06-09 22:51:46 +08:00
|
|
|
except socket.timeout:
|
2018-06-12 21:29:27 +08:00
|
|
|
LOG.info('Socket timeout reached, maybe browser service on host: {0} doesnt exist'.format(host))
|
2018-06-09 23:23:08 +08:00
|
|
|
sock.close()
|
2018-06-10 01:02:18 +08:00
|
|
|
return False
|
2018-07-16 21:01:26 +08:00
|
|
|
except socket.error as e:
|
|
|
|
if e.errno == socket.errno.ECONNRESET:
|
|
|
|
LOG.info('Connection was forcibly closed by the remote host. The host: {0} is rejecting the packet.'
|
|
|
|
.format(host))
|
|
|
|
else:
|
|
|
|
LOG.error('An unknown socket error occurred while trying the mssql fingerprint, closing socket.',
|
|
|
|
exc_info=True)
|
|
|
|
sock.close()
|
|
|
|
return False
|
2018-06-09 22:51:46 +08:00
|
|
|
|
2018-06-09 23:23:08 +08:00
|
|
|
host.services[self.SERVICE_NAME] = {}
|
|
|
|
|
2018-06-09 22:51:46 +08:00
|
|
|
# Loop through the server data
|
2018-06-12 21:29:27 +08:00
|
|
|
instances_list = data[3:].decode().split(';;')
|
|
|
|
LOG.info('{0} MSSQL instances found'.format(len(instances_list)))
|
|
|
|
for instance in instances_list:
|
|
|
|
instance_info = instance.split(';')
|
2018-06-09 22:51:46 +08:00
|
|
|
if len(instance_info) > 1:
|
2018-06-10 01:02:18 +08:00
|
|
|
host.services[self.SERVICE_NAME][instance_info[1]] = {}
|
2018-06-09 22:51:46 +08:00
|
|
|
for i in range(1, len(instance_info), 2):
|
2018-06-10 01:02:18 +08:00
|
|
|
# Each instance's info is nested under its own name, if there are multiple instances
|
|
|
|
# each will appear under its own name
|
|
|
|
host.services[self.SERVICE_NAME][instance_info[1]][instance_info[i - 1]] = instance_info[i]
|
2018-06-09 22:51:46 +08:00
|
|
|
|
|
|
|
# Close the socket
|
|
|
|
sock.close()
|
|
|
|
|
2018-06-10 01:02:18 +08:00
|
|
|
return True
|