MSSQL login falls over when a server specified isn't an MSSQL server

[digininja]

Steps to reproduce

How'd you do it?

1. point the scanner/mssql/mssql_login scanner at a box which isn't running mssql
2. run it

This section should also tell us any relevant information about the
environment; for example, if an exploit that used to work is failing,
tell us the victim operating system and service versions.

Expected behavior

Should continue past the invalid box

Current behavior

falls over with this error:

[-] 1.2.3.4:1433   - Unable to parse encryption req during pre-login, this may not be a MSSQL server
[-] Auxiliary failed: NoMethodError undefined method `[]' for false:FalseClass
[-] Call stack:
[-]   /root/tools/metasploit-framework/lib/metasploit/framework/mssql/client.rb:154:in `mssql_login'
[-]   /root/tools/metasploit-framework/lib/metasploit/framework/login_scanner/mssql.rb:50:in `attempt_login'
[-]   /root/tools/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:231:in `block in scan!'
[-]   /root/tools/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:154:in `block in each_credential'
[-]   /root/tools/metasploit-framework/lib/metasploit/framework/credential_collection.rb:121:in `each'
[-]   /root/tools/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:141:in `each_credential'
[-]   /root/tools/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:205:in `scan!'
[-]   /root/tools/metasploit-framework/modules/auxiliary/scanner/mssql/mssql_login.rb:71:in `run_host'
[-]   /root/tools/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:111:in `block (2 levels) in run'
[-]   /root/tools/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'

I've had similar errors with other mssql modules but haven't tried those since I upgraded to the latest version.

System stuff

Metasploit version

msf5 auxiliary(scanner/mssql/mssql_login) > version
Framework: 5.0.4-dev-7633c2832a
Console  : 5.0.4-dev-7633c2832a

I installed Metasploit with:

• Kali package via apt
• Omnibus installer (nightly)
• Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
• [x ] Source install (please specify ruby version)

# ruby -v
ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux-gnu]

OS

Kali

[h00die]

any details on what the service was? I just ran against a netcat listener and didn't get the same crash.

[bcoles]

I was able to reproduce the Unable to parse encryption req during pre-login, this may not be a MSSQL server error, but not the stack trace.

The stack trace implies mssql_send_recv or proxy.send_recv is returning false, which should only ever happen in one of these socket reads:

lib/metasploit/framework/mssql/client.rb

            head = sock.get_once(8, timeout)
            if !(head && head.length == 8)
              return false
            end

lib/metasploit/framework/mssql/tdssslproxy.rb

      head = @ssl_socket.read(8)
      if !(head and head.length == 8)
        return false
      end

[bcoles]

I did manage to hang the module and achieve sustained ~100% CPU with nc -vlp 1337 < /dev/urandom though.

[bcoles]

Unrelated stack trace, presumably due to ^C the netcat listener part way through the connection.

^[[Amsf5 auxiliary(scanner/mssql/mssql_login) > run

[*] 127.0.0.1:1337        - 127.0.0.1:1337 - MSSQL - Starting authentication scanner.
[-] 127.0.0.1:1337        - Auxiliary failed: NoMethodError undefined method `each' for nil:NilClass
[-] 127.0.0.1:1337        - Call stack:
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:479:in `mssql_parse_tds_row'
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:375:in `mssql_parse_reply'
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:276:in `mssql_login'
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/mssql.rb:50:in `attempt_login'
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:231:in `block in scan!'
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:154:in `block in each_credential'
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/credential_collection.rb:121:in `each'
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:141:in `each_credential'
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:205:in `scan!'
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/modules/auxiliary/scanner/mssql/mssql_login.rb:71:in `run_host'
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:111:in `block (2 levels) in run'
[-] 127.0.0.1:1337        -   /root/Desktop/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'
[*] Auxiliary module execution completed

[bcoles]

And spoof a fake successful login:

msf5 auxiliary(scanner/mssql/mssql_login) > run

[*] 127.0.0.1:1337        - 127.0.0.1:1337 - MSSQL - Starting authentication scanner.
[!] 127.0.0.1:1337        - No active DB -- Credential data will not be saved!
[+] 127.0.0.1:1337        - 127.0.0.1:1337 - Login Successful: WORKSTATION\asdf:asdf
[*] 127.0.0.1:1337        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/mssql/mssql_login) > run

[bcoles]

[github-actions]

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

[adfoster-r7]

I'm in the same area at the minute looking at mssql modules. If there's replication steps available I could throw up a PR for this 👀

[digininja]

I've just tried with my original steps and the latest master and the error isn't happening any more. It is giving inconsistent results which may be worth looking at.

Pointed at a box that has a closed port 1433:

msf6 auxiliary(scanner/mssql/mssql_login) > run

[*] 192.168.0.8:1433      - 192.168.0.8:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.0.8:1433      - No active DB -- Credential data will not be saved!
[-] 192.168.0.8:1433      - 192.168.0.8:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: )
[*] 192.168.0.8:1433      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Pointed at an open port 80 on the same box, just so it had something to connect to:

msf6 auxiliary(scanner/mssql/mssql_login) > run

[*] 192.168.0.8:80        - 192.168.0.8:80 - MSSQL - Starting authentication scanner.
[*] 192.168.0.8:80        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

On the first one, the login did fail, but technically it failed because there is no service listening on the port so I'd expect a more prominent connection failed rather than login failed error.

The initial bug does look like it has been fixed though.

[bcoles]

I'm in the same area at the minute looking at mssql modules. If there's replication steps available I could throw up a PR for this eyes

This issue, while not exactly the same as OP, still exists: #11341 (comment)

Reproduce:

1. nc -lvp 1433 < /dev/random
2. do:

msf6 auxiliary(scanner/mssql/mssql_login) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 auxiliary(scanner/mssql/mssql_login) > set rport
rport => 1433
msf6 auxiliary(scanner/mssql/mssql_login) > run

[*] 127.0.0.1:1433        - 127.0.0.1:1433 - MSSQL - Starting authentication scanner.
[-] 127.0.0.1:1433        - Auxiliary failed: NoMethodError undefined method `each' for nil:NilClass
[-] 127.0.0.1:1433        - Call stack:
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:479:in `mssql_parse_tds_row'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:375:in `mssql_parse_reply'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:276:in `mssql_login'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/mssql.rb:50:in `attempt_login'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:231:in `block in scan!'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:154:in `block in each_credential'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/credential_collection.rb:82:in `block in each_filtered'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/credential_collection.rb:229:in `each_unfiltered'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/credential_collection.rb:79:in `each_filtered'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:141:in `each_credential'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:205:in `scan!'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/modules/auxiliary/scanner/mssql/mssql_login.rb:72:in `run_host'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:124:in `block (2 levels) in run'
[-] 127.0.0.1:1433        -   /root/Desktop/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'
[-] 127.0.0.1:1433        -   /var/lib/gems/3.0.0/gems/logging-2.3.1/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mssql/mssql_login) > run

[*] 127.0.0.1:1433        - 127.0.0.1:1433 - MSSQL - Starting authentication scanner.

3a. The stack trace can be reproduced by waiting for the connection to complete (a few seconds).
3b. The 100% CPU usage can be reproduced by watching netcat for the connection then ctrl+c killing netcat before Metasploit finishes reading from the socket.