Add Rex::Proto::Mysql client to align peerhost and peerport

rapid7 · Feb 23, 2024 · bb8fc3f · bb8fc3f
1 parent faa22a0
commit bb8fc3f
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 22 deletions.
diff --git a/lib/metasploit/framework/login_scanner/mysql.rb b/lib/metasploit/framework/login_scanner/mysql.rb
@@ -2,6 +2,7 @@
 require 'mysql'
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'
+require 'rex/proto/mysql/client'
 
 module Metasploit
   module Framework
@@ -39,7 +40,7 @@ def attempt_login(credential)
             disconnect if self.sock
             self.sock = connect
 
-            mysql_conn = ::Mysql.connect(host, credential.public, credential.private, '', port, io: self.sock)
+            mysql_conn = ::Rex::Proto::Mysql.connect(host, credential.public, credential.private, '', port, io: self.sock)
 
           rescue ::SystemCallError, Rex::ConnectionError => e
             result_options.merge!({

diff --git a/lib/msf/core/exploit/remote/mysql.rb b/lib/msf/core/exploit/remote/mysql.rb
@@ -12,7 +12,7 @@
 ###
 
 
-require 'mysql'
+require 'rex/proto/mysql/client'
 
 module Msf
 module Exploit::Remote::MYSQL
@@ -38,10 +38,11 @@ def initialize(info = {})
 
   def mysql_login(user='root', pass='', db=nil)
     disconnect if sock
-    connect
+    self.sock = connect
 
     begin
-      self.mysql_conn = ::Mysql.connect(rhost, user, pass, db, rport, io: sock)
+
+      self.mysql_conn = ::Rex::Proto::Mysql.connect(rhost, user, pass, db, rport, io: self.sock)
       # Deprecating this in favor off `mysql_conn`
       @mysql_handle = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(self, :mysql_conn, :@mysql_handle, ActiveSupport::Deprecation.new)
 

diff --git a/lib/rex/post/mysql/ui/console.rb b/lib/rex/post/mysql/ui/console.rb
@@ -10,21 +10,6 @@ module Ui
         # This class provides a shell driven interface to the MySQL client API.
         class Console
           include Rex::Post::Sql::Ui::Console
-
-          # Used to extend/monkey-patch the MySQL Client from the MySQL gem to provide a consistent peer connection API.
-          module PeerApi
-
-            # @return [String] The remote host's IP address.
-            def peerhost
-              host
-            end
-
-            # @return [Integer] The remote host's port number.
-            def peerport
-              port
-            end
-          end
-
           include Rex::Ui::Text::DispatcherShell
 
           # Dispatchers
@@ -42,7 +27,6 @@ def initialize(session)
             self.session = session
             self.client = session.client
             self.client.socket ||= self.client.io
-            self.client.extend(PeerApi) unless self.client.is_a?(PeerApi)
             prompt = "%undMySQL @ #{client.socket.peerinfo} (#{database_name})%clr"
             history_manager = Msf::Config.mysql_session_history
             super(prompt, '>', history_manager, nil, :mysql)

diff --git a/lib/rex/proto/mysql/client.rb b/lib/rex/proto/mysql/client.rb
@@ -0,0 +1,22 @@
+require 'mysql'
+
+module Rex
+  module Proto
+
+    # This is a Rex Proto wrapper around the ::Mysql client which is currently coming from the 'ruby-mysql' gem.
+    # The purpose of this wrapper is to provide 'peerhost' and 'peerport' methods to ensure the client interfaces
+    # are consistent between various SQL implementations/protocols.
+    class Mysql < ::Mysql
+      # @return [String] The remote IP address that the Mysql server is running on
+      def peerhost
+        io.remote_address.ip_address
+      end
+
+      # @return [Integer] The remote port that the Mysql server is running on
+      def peerport
+        io.remote_address.ip_port
+      end
+    end
+  end
+end
+
diff --git a/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb b/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb
@@ -3,6 +3,8 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
+require 'rex/proto/mysql/client'
+
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::MYSQL
   include Msf::Auxiliary::Report
@@ -62,7 +64,7 @@ def run_host(ip)
     begin
       socket = connect(false)
       close_required = true
-      mysql_client = ::Mysql.connect(rhost, username, password, nil, rport, io: socket)
+      mysql_client = ::Rex::Proto::Mysql.connect(rhost, username, password, nil, rport, io: socket)
       results << mysql_client
       close_required = false
 
@@ -118,7 +120,7 @@ def run_host(ip)
             # Create our socket and make the connection
             close_required = true
             s = connect(false)
-            mysql_client = ::Mysql.connect(rhost, username, password, nil, rport, io: s)
+            mysql_client = ::Rex::Proto::Mysql.connect(rhost, username, password, nil, rport, io: s)
 
             print_good "#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"
             results << mysql_client