Add the new encrypted MsTds channel

zeroSteiner · zeroSteiner · commit 5c95aa6ff3db · 2025-11-05T16:56:54.000-05:00
diff --git a/lib/rex/proto/ms_tds/channel.rb b/lib/rex/proto/ms_tds/channel.rb
@@ -0,0 +1,62 @@
+# -*- coding: binary -*-
+
+require 'bindata'
+
+module Rex::Proto::MsTds
+  class Channel
+    include Rex::IO::StreamAbstraction
+
+    attr_reader :params
+
+    # the socket that makes the outbound connection to the SQL server
+    attr_reader :sock
+
+    def initialize(opts = {})
+      @params = Rex::Socket::Parameters.from_hash(opts)
+
+      # it doesn't work this way so throw an exception so that's clear
+      raise RuntimeError.new('SSL incompatible with MsTds::Socket') if @params.ssl
+      raise ArgumentError.new('MsTds::Socket must be TCP') if @params.proto != 'tcp'
+
+      @sock = Rex::Socket.create_param(@params)
+      initialize_abstraction
+
+      lsock.initinfo(@sock.peerinfo, @sock.localinfo)
+
+      monitor_sock(@sock, sink: method(:_read_handler), name: 'MonitorLocal', on_exit: method(:_exit_handler))
+    end
+
+    def write(buf, opts = {})
+      if negotiating_ssl?
+        Rex::IO::RelayManager.io_write_all(self.sock, [18, 0x01, buf.length + 8, 0x0000, 0x00, 0x00].pack('CCnnCC') + buf) - 8
+      else
+        Rex::IO::RelayManager.io_write_all(self.sock, buf)
+      end
+    end
+
+    def starttls
+      self.lsock.starttls(params)
+    end
+
+    protected
+
+    def negotiating_ssl?
+      return false unless self.lsock.is_a?(Rex::Socket::SslTcp)
+      return false if self.lsock.sslsock.state.start_with?('SSLOK')
+
+      true
+    end
+
+    def _exit_handler
+      self.rsock.close
+    end
+
+    def _read_handler(buf)
+      if negotiating_ssl?
+        Rex::IO::RelayManager.io_write_all(self.rsock, buf[8..]) + 8
+      else
+        Rex::IO::RelayManager.io_write_all(self.rsock, buf)
+      end
+    end
+  end
+end
diff --git a/lib/rex/proto/mssql/client.rb b/lib/rex/proto/mssql/client.rb
@@ -75,6 +75,39 @@ def initialize(framework_module, framework, rhost, rport = 1433, proxies = nil,
           @current_database = ''
         end
 
+        def connect(global = true, opts={})
+          dossl = false
+          if(opts.has_key?('SSL'))
+            dossl = opts['SSL']
+          else
+            dossl = ssl
+          end
+
+          @mstds_channel = Rex::Proto::MsTds::Channel.new(
+            'PeerHost'      =>  opts['RHOST'] || rhost,
+            'PeerHostname'  =>  opts['SSLServerNameIndication'] || opts['RHOSTNAME'],
+            'PeerPort'      => (opts['RPORT'] || rport).to_i,
+            'LocalHost'     =>  opts['CHOST'] || chost || "0.0.0.0",
+            'LocalPort'     => (opts['CPORT'] || cport || 0).to_i,
+            'SSL'           =>  dossl,
+            'SSLVersion'    =>  opts['SSLVersion'] || ssl_version,
+            'SSLVerifyMode' =>  opts['SSLVerifyMode'] || ssl_verify_mode,
+            'SSLKeyLogFile' =>  opts['SSLKeyLogFile'] || sslkeylogfile,
+            'SSLCipher'     =>  opts['SSLCipher'] || ssl_cipher,
+            'Proxies'       => proxies,
+            'Timeout'       => (opts['ConnectTimeout'] || connection_timeout || 10).to_i,
+            'Context'       => { 'Msf' => framework, 'MsfExploit' => framework_module }
+          )
+          nsock = @mstds_channel.lsock
+          # enable evasions on this socket
+          set_tcp_evasions(nsock)
+
+          # Set this socket to the global socket as necessary
+          self.sock = nsock if (global)
+
+          return nsock
+        end
+
         # MS SQL Server only supports Windows and Linux
         def map_compile_os_to_platform(server_info)
           return '' if server_info.blank?
@@ -340,12 +373,12 @@ def mssql_login(user='sa', pass='', db='', domain_name='')
             # upon receiving the ntlm_negociate request it send an ntlm_challenge but the status flag of the tds packet header
             # is set to STATUS_NORMAL and not STATUS_END_OF_MESSAGE, then internally it waits for the ntlm_authentification
             if tdsencryption == true
-               proxy = TDSSSLProxy.new(sock, sslkeylogfile: sslkeylogfile)
-               proxy.setup_ssl
-               resp = proxy.send_recv(pkt)
-            else
-               resp = mssql_send_recv(pkt, 15, false)
+              #proxy = TDSSSLProxy.new(sock, sslkeylogfile: sslkeylogfile)
+              #proxy.setup_ssl
+              #resp = proxy.send_recv(pkt)
+              @mstds_channel.starttls
             end
+            resp = mssql_send_recv(pkt, 15, false)
 
             # Strip the TDS header
             resp = resp[3..-1]
@@ -369,13 +402,7 @@ def mssql_login(user='sa', pass='', db='', domain_name='')
 
             pkt = pkt_hdr.pack("CCnnCC") + type3_blob
 
-            if self.tdsencryption == true
-              resp = mssql_ssl_send_recv(pkt, proxy)
-              proxy.cleanup
-              proxy = nil
-            else
-              resp = mssql_send_recv(pkt)
-            end
+            resp = mssql_send_recv(pkt)
 
             #SQL Server Authentication
           else
