Land rapid7#6461, backport net-ssh ECDH kex algorithms

Author: Adam Cammack

CODE_OF_CONDUCT.md

@@ -35,12 +35,14 @@ This Code of Conduct applies both within project spaces and in public spaces
 when an individual is representing the project or its community.
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting a project maintainer at [email protected]. All
-complaints will be reviewed and investigated and will result in a response that
-is deemed necessary and appropriate to the circumstances. Maintainers are
-obligated to maintain confidentiality with regard to the reporter of an
-incident.
-
+reported by contacting the project maintainers at [email protected]. If
+the incident involves a committer, you may report directly to
+[email protected] or [email protected].
+
+All complaints will be reviewed and investigated and will result in a
+response that is deemed necessary and appropriate to the circumstances.
+Maintainers are obligated to maintain confidentiality with regard to the
+reporter of an incident.
 
 This Code of Conduct is adapted from the [Contributor Covenant][homepage],
 version 1.3.0, available at

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.11.7)
+    metasploit-framework (4.11.8)
       actionpack (>= 4.0.9, < 4.1.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
@@ -246,3 +246,6 @@ DEPENDENCIES
   simplecov
   timecop
   yard
+
+BUNDLED WITH
+   1.11.2

data/logos/zsploit-1.txt

@@ -0,0 +1,11 @@
+____________
+ [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
+ [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
+ [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|`?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
+ [% .--------..-----.|  |_ .---.-.|.,a$%|.-----.|  |.-----.|__||  |_ %%]
+ [% |||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
+ [% |__|__|__||_____||____||___._||%$P"`||   __||__||_____||__||____|%%]
+ [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
+ [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
+ [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%`"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
+ [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]

data/logos/zsploit-2.txt

@@ -0,0 +1,21 @@
+
+
+..
+ .
+
+dBBBBBBb  dBBBP dBBBBBBP dBBBBBb  .o
+'   dB'BBP
+    dB'dB'dB' dBBPdBPdBP BB
+   dB'dB'dB' dBPdBPdBP  BB
+  dB'dB'dB' dBBBBP   dBPdBBBBBBB
+
+dBBBBBP  dBBBBBb  dBP    dBBBBP dBP dBBBBBBP
+..dB' dBP    dB'.BP
+|dBP    dBBBB' dBP    dB'.BP dBP    dBP
+--o--    dBP    dBP    dBP    dB'.BP dBP    dBP
+|dBBBBP dBP    dBBBBP dBBBBP dBP    dBP
+
+.
+.
+oTo boldly shell were no
+shell has gone before

data/logos/zsploit-3.txt

@@ -0,0 +1,22 @@
+
+.,,..
+.\$$$$$L..,,==aaccaacc%#s$b.d8,    d8P
+d8P#$$$$$$$$$$$$$$$$$$$$$$$$$$$b.    `BP  d888888p
+d888888P'7$$$$\""""''^^`` .7$$$|D*"'```?88'
+  d8bd8b.d8p d8888b ?88' d888b8b_.os#$|8*"`   d8P?8b  88P
+  88P`?P'?P d8b_,dP 88P d8P' ?88.oaS###S*"`d8P d8888b ?88b 88b
+ d88  d8 ?8 88b88b 88b  ,88b .osS$$$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b
+d88' d88b 8b`?8888P'`?8b`?88P'.aS$$$$Q*"`    `?88'  ?88 ?88 88b  d88 d88
+.a#$$$$$$"`88b  d8P  88b`?8888P'
+,s$$$$$$$"`888888P'   88n_.,,,ass;:
+.a$$$$$$$P`d88P'    .,.ass%#S$$$$$$$$$$$$$$'
+.a$###$$$P`_.,,-aqsc#SS$$$$$$$$$$$$$$$$$$$$$$$$$$'
+,a$$###$$P`  _.,-ass#S$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$####SSSS'
+.a$$$$$$$$$$SSS$$$$$$$$$$$$$$$$$$$$$$$$$$$$SS##==--""''^^/$$$$$$'
+_______________________________________________________________   ,&$$$$$$'_____,
+                                                                 ll&&$$$$'
+.;;lll&&&&'
+...;;lllll&'
+......;;;llll;;;....
+` ......;;;;... .  .
+`    `` `

lib/metasploit/framework/common_engine.rb

@@ -42,44 +42,7 @@ module Metasploit::Framework::CommonEngine
     # `initializer`s
     #
 
-    initializer 'metasploit_framework.merge_meterpreter_extensions' do
-      Rails.application.railties.engines.each do |engine|
-        merge_meterpreter_extensions(engine)
-      end
 
-      # The Rails.application itself could have paths['data/meterpreter'], but will not be part of
-      # Rails.application.railties.engines because only direct subclasses of `Rails::Engine` are returned.
-      merge_meterpreter_extensions(Rails.application)
-    end
   end
 
-  #
-  # Instance Methods
-  #
-
-  private
-
-  # Merges the meterpreter extensions from `engine`'s `paths['data/meterpreter]`.
-  #
-  # @param engine [Rails::Engine] a Rails engine or application that has meterpreter extensions
-  # @return [void]
-  # @todo Make metasploit-framework look for meterpreter extension in paths['data/meterpreter'] from the engine instead of copying them.
-  def merge_meterpreter_extensions(engine)
-    data_meterpreter_paths = engine.paths['data/meterpreter']
-
-    # may be `nil` since 'data/meterpreter' is not part of the core Rails::Engine paths set.
-    if data_meterpreter_paths
-      source_paths = data_meterpreter_paths.existent
-      destination_directory = root.join('data', 'meterpreter').to_path
-
-      source_paths.each do |source_path|
-        basename = File.basename(source_path)
-        destination_path = File.join(destination_directory, basename)
-
-        unless destination_path == source_path
-          FileUtils.copy(source_path, destination_directory)
-        end
-      end
-    end
-  end
 end

lib/metasploit/framework/login_scanner/mssql.rb

@@ -32,6 +32,11 @@ class MSSQL
         validates :windows_authentication,
           inclusion: { in: [true, false] }
 
+        attr_accessor :tdsencryption
+
+        validates :tdsencryption,
+          inclusion: { in: [true, false] }
+
         def attempt_login(credential)
           result_options = {
               credential: credential,
@@ -70,6 +75,7 @@ def set_sane_defaults
           self.use_ntlm2_session      = true if self.use_ntlm2_session.nil?
           self.use_ntlmv2             = true if self.use_ntlmv2.nil?
           self.windows_authentication = false if self.windows_authentication.nil?
+          self.tdsencryption          = false if self.tdsencryption.nil?
         end
       end
 

lib/metasploit/framework/mssql/client.rb

@@ -1,4 +1,5 @@
 require 'metasploit/framework/tcp/client'
+require 'metasploit/framework/mssql/tdssslproxy'
 
 module Metasploit
   module Framework
@@ -48,11 +49,7 @@ def mssql_login(user='sa', pass='', db='', domain_name='')
 
           disconnect if self.sock
           connect
-
-          # Send a prelogin packet and check that encryption is not enabled
-          if mssql_prelogin() != ENCRYPT_NOT_SUP
-            raise ::Rex::ConnectionError, "Encryption is not supported"
-          end
+          mssql_prelogin
 
           if windows_authentication
             idx = 0
@@ -150,7 +147,14 @@ def mssql_login(user='sa', pass='', db='', domain_name='')
             # has a strange behavior that differs from the specifications
             # upon receiving the ntlm_negociate request it send an ntlm_challenge but the status flag of the tds packet header
             # is set to STATUS_NORMAL and not STATUS_END_OF_MESSAGE, then internally it waits for the ntlm_authentification
-            resp = mssql_send_recv(pkt,15, false)
+
+            if tdsencryption == true
+               proxy = TDSSSLProxy.new(sock)
+               proxy.setup_ssl
+               resp = proxy.send_recv(pkt)
+            else
+               resp = mssql_send_recv(pkt)
+            end
 
             # Get default data
             begin
@@ -199,8 +203,13 @@ def mssql_login(user='sa', pass='', db='', domain_name='')
 
             pkt = pkt_hdr.pack("CCnnCC") + ntlmssp
 
-            resp = mssql_send_recv(pkt)
-
+            if self.tdsencryption == true
+              resp = mssql_ssl_send_recv(pkt,proxy)
+              proxy.cleanup
+              proxy = nil
+            else
+              resp = mssql_send_recv(pkt)
+            end
 
             #SQL Server Authentification
           else
@@ -282,13 +291,23 @@ def mssql_login(user='sa', pass='', db='', domain_name='')
             # Packet header and total length including header
             pkt = "\x10\x01" + [pkt.length + 8].pack('n') + [0].pack('n') + [1].pack('C') + "\x00" + pkt
 
-            resp = mssql_send_recv(pkt)
+            if self.tdsencryption == true
+              proxy = TDSSSLProxy.new(sock)
+              proxy.setup_ssl
+              resp = mssql_ssl_send_recv(pkt,proxy)
+              proxy.cleanup
+              proxy = nil
+            else
+              resp = mssql_send_recv(pkt)
+            end
 
           end
 
           info = {:errors => []}
           info = mssql_parse_reply(resp,info)
 
+          disconnect
+
           return false if not info
           info[:login_ack] ? true : false
         end
@@ -586,7 +605,14 @@ def mssql_prelogin(enc_error=false)
           ]
 
           version = [0x55010008,0x0000].pack("Vv")
-          encryption = ENCRYPT_NOT_SUP # off
+
+          # if manually set, we will honour
+          if tdsencryption == true
+            encryption = ENCRYPT_ON
+          else
+            encryption = ENCRYPT_NOT_SUP
+          end
+
           instoptdata = "MSSQLServer\0"
 
           threadid =   "\0\0" + Rex::Text.rand_text(2)
@@ -639,12 +665,57 @@ def mssql_prelogin(enc_error=false)
           if idx > 0
             encryption_mode = resp[idx,1].unpack("C")[0]
           else
-            #force to ENCRYPT_NOT_SUP and hope for the best
+            raise RunTimeError, "Unable to parse encryption req. "\
+              "from server during prelogin"
             encryption_mode = ENCRYPT_NOT_SUP
           end
 
-          if encryption_mode != ENCRYPT_NOT_SUP and enc_error
-            raise RuntimeError,"Encryption is not supported"
+          ##########################################################
+          # Our initial prelogin pkt above said we didnt support
+          # encryption (it's quicker and the default).
+          #
+          # Per the matrix on the following link, SQL Server will
+          # terminate the connection if it does require TLS,
+          # otherwise it will accept an unencrypted session. As
+          # part of this initial response packet, it also returns
+          # ENCRYPT_REQ.
+          #
+          # https://msdn.microsoft.com\
+          #   /en-us/library/ee320519(v=sql.105).aspx
+          #
+          ##########################################################
+
+          if encryption_mode == ENCRYPT_REQ
+            # restart prelogin process except that we tell SQL Server
+            # than we are now able to encrypt
+            disconnect if self.sock
+            connect
+
+            # offset 35 is the flag - turn it on
+            pkt[35] = [ENCRYPT_ON].pack('C')
+            self.tdsencryption = true
+            framework_module.print_status("TLS encryption has " \
+              "been enabled based on server response.")
+
+            resp = mssql_send_recv(pkt)
+
+            idx = 0
+
+            while resp and resp[0,1] != "\xff" and resp.length > 5
+              token = resp.slice!(0,5)
+              token = token.unpack("Cnn")
+              idx -= 5
+              if token[0] == 0x01
+                idx += token[1]
+                break
+              end
+            end
+            if idx > 0
+              encryption_mode = resp[idx,1].unpack("C")[0]
+            else
+              raise RuntimeError, "Unable to parse encryption "\
+                "req during pre-login"
+            end
           end
           encryption_mode
         end
@@ -687,6 +758,10 @@ def mssql_send_recv(req, timeout=15, check_status = true)
           resp
         end
 
+        def mssql_ssl_send_recv(req,tdsproxy,timeout=15,check_status=true)
+          tdsproxy.send_recv(req)
+        end
+
         #
         # Encrypt a password according to the TDS protocol (encode)
         #