Merge pull request #405 from 0xQRx/mssql-xp-shell-add-check

Mssql xp_cmdshell added "is enabled" check
Pennyw0rth · Nov 6, 2024 · 72fee6a · 72fee6a
2 parents a83c412 + c012e04
commit 72fee6a
Showing 1 changed file with 46 additions and 29 deletions.
diff --git a/nxc/protocols/mssql/mssqlexec.py b/nxc/protocols/mssql/mssqlexec.py
@@ -6,13 +6,15 @@ def __init__(self, connection, logger):
         self.mssql_conn = connection
         self.logger = logger
 
+        # Store the original state of options that have to be enabled/disabled in order to restore them later
+        self.backuped_options = {}
+
     def execute(self, command):
         result = None
-        try:
-            self.logger.debug("Attempting to enable xp cmd shell")
-            self.enable_xp_cmdshell()
-        except Exception as e:
-            self.logger.error(f"Error when attempting to enable x_cmdshell: {e}")
+
+        self.backup_and_enable("advanced options")
+        self.backup_and_enable("xp_cmdshell")
+
         try:
             cmd = f"exec master..xp_cmdshell '{command}'"
             self.logger.debug(f"Attempting to execute query: {cmd}")
@@ -27,42 +29,57 @@ def execute(self, command):
         except Exception as e:
             self.logger.error(f"Error when attempting to execute command via xp_cmdshell: {e}")
 
-        try:
-            self.logger.debug("Attempting to disable xp cmd shell")
-            self.disable_xp_cmdshell()
-        except Exception as e:
-            self.logger.error(f"[OPSEC] Error when attempting to disable xp_cmdshell: {e}")
-        return result
+        self.restore("xp_cmdshell")
+        self.restore("advanced options")
 
-    def enable_xp_cmdshell(self):
-        query = "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
-        self.logger.debug(f"Executing query: {query}")
-        self.mssql_conn.sql_query(query)
+        return result
 
-    def disable_xp_cmdshell(self):
-        query = "exec sp_configure 'xp_cmdshell', 0 ;RECONFIGURE;exec sp_configure 'show advanced options', 0 ;RECONFIGURE;"
-        self.logger.debug(f"Executing query: {query}")
-        self.mssql_conn.sql_query(query)
+    def restore(self, option):
+        try:
+            if not self.backuped_options[option]:
+                self.logger.debug(f"Option '{option}' was not enabled originally, attempting to disable it.")
+                query = f"EXEC master.dbo.sp_configure '{option}', 0;RECONFIGURE;"
+                self.logger.debug(f"Executing query: {query}")
+                self.mssql_conn.sql_query(query)
+            else:
+                self.logger.debug(f"Option '{option}' was originally enabled, leaving it enabled.")
+        except Exception as e:
+            self.logger.error(f"[OPSEC] Error when attempting to restore option '{option}': {e}")
 
-    def enable_ole(self):
-        query = "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'Ole Automation Procedures', 1;RECONFIGURE;"
-        self.logger.debug(f"Executing query: {query}")
-        self.mssql_conn.sql_query(query)
+    def backup_and_enable(self, option):
+        try:
+            self.backuped_options[option] = self.is_option_enabled("show advanced options")
+            if not self.backuped_options[option]:
+                self.logger.debug(f"Option '{option}' is disabled, attempting to enable it.")
+                query = f"EXEC master.dbo.sp_configure '{option}', 1;RECONFIGURE;"
+                self.logger.debug(f"Executing query: {query}")
+                self.mssql_conn.sql_query(query)
+            else:
+                self.logger.debug(f"Option '{option}' is already enabled.")
+        except Exception as e:
+            self.logger.error(f"Error when checking/enabling option '{option}': {e}")
 
-    def disable_ole(self):
-        query = "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'Ole Automation Procedures', 0;RECONFIGURE;"
-        self.logger.debug(f"Executing query: {query}")
-        self.mssql_conn.sql_query(query)
+    def is_option_enabled(self, option):
+        query = f"EXEC master.dbo.sp_configure '{option}';"
+        self.logger.debug(f"Checking if {option} is enabled: {query}")
+        result = self.mssql_conn.sql_query(query)
+        # Assuming the query returns a list of dictionaries with 'config_value' as the key
+        self.logger.debug(f"{option} check result: {result}")
+        if result and result[0]["config_value"] == 1:
+            return True
+        return False
 
     def put_file(self, data, remote):
         try:
-            self.enable_ole()
+            self.backup_and_enable("advanced options")
+            self.backup_and_enable("Ole Automation Procedures")
             hexdata = data.hex()
             self.logger.debug(f"Hex data to write to file: {hexdata}")
             query = f"DECLARE @ob INT;EXEC sp_OACreate 'ADODB.Stream', @ob OUTPUT;EXEC sp_OASetProperty @ob, 'Type', 1;EXEC sp_OAMethod @ob, 'Open';EXEC sp_OAMethod @ob, 'Write', NULL, 0x{hexdata};EXEC sp_OAMethod @ob, 'SaveToFile', NULL, '{remote}', 2;EXEC sp_OAMethod @ob, 'Close';EXEC sp_OADestroy @ob;"
             self.logger.debug(f"Executing query: {query}")
             self.mssql_conn.sql_query(query)
-            self.disable_ole()
+            self.restore("Ole Automation Procedures")
+            self.restore("advanced options")
         except Exception as e:
             self.logger.debug(f"Error uploading via mssqlexec: {e}")