Merge pull request #2 from Tw1sm/bug/duplicate-clr-assembly

Bug/duplicate clr assembly

Author: Tw1sm

CHANGELOG.md

@@ -1,3 +1,9 @@
 # Changelog
+## [v0.1.2] - 09/21/2023
+### Fixed
+- Issue #1
+- When using `clr` module, if custom assembly already exists under a different name `pysqlrecon` would previously log the error and exit
+    - Now it deletes the offending assembly and tries creation again
+
 ## [v0.1.1] - 09/03/2023
 - Initial commit

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pysqlrecon"
-version = "0.1.1"
+version = "0.1.2"
 description = "Offensive MSSQL Python toolkit"
 authors = ["Matt Creel <mcreel31@gmail.com>"]
 readme = "README.md"

pysqlrecon/__init__.py

@@ -1 +1 @@
-__version__ = '0.1.0'
+__version__ = '0.1.2'

pysqlrecon/lib/__init__.py

@@ -2,6 +2,7 @@
 from typing import Any
 from rich.table import Table
 
+from pysqlrecon.lib.exceptions import DuplicateAssemblyError
 from pysqlrecon.logger import logger, console
 from pysqlrecon.lib.sqlagent import SqlAgentMixin
 from pysqlrecon.lib.clr import ClrMixin
@@ -11,6 +12,10 @@
 
 class PySqlRecon(SqlAgentMixin, ClrMixin, ModuleMixin, QueryMixin):
 
+    # https://learn.microsoft.com/en-us/sql/relational-databases/errors-events/database-engine-events-and-errors-6000-to-6999?view=sql-server-ver16
+    DUPLICATE_ASM_ERROR = 6285
+
+
     def __init__(self, target, domain, username, password, port, link, impersonate,
                     db, hashes, aesKey, kerberos, no_pass, dc_ip, windows_auth) -> None:
 
@@ -205,9 +210,15 @@ def print_replies(self) -> None:
         for keys in list(self.ms_sql.replies.keys()):
             for i, key in enumerate(self.ms_sql.replies[keys]):
                 if key['TokenType'] == tds.TDS_ERROR_TOKEN:
+                    error_num = key['Number']
                     error =  "(%s): Line %d: %s" % (key['ServerName'].decode('utf-16le'), key['LineNumber'], key['MsgText'].decode('utf-16le'))                                      
                     self.lastError = tds.SQLErrorException("ERROR: Line %d: %s" % (key['LineNumber'], key['MsgText'].decode('utf-16le')))
                     logger.error(error)
+
+                    # handle duplicate assembly error
+                    if error_num == PySqlRecon.DUPLICATE_ASM_ERROR:
+                        raise DuplicateAssemblyError(error)
+                    
                     exit()
 
                 elif key['TokenType'] == tds.TDS_INFO_TOKEN:

pysqlrecon/lib/exceptions.py

@@ -0,0 +1,15 @@
+import re
+
+
+class DuplicateAssemblyError(Exception):
+    """
+    Exception raised for creation of a CLR assembly that already exsists
+    """
+    
+    def __init__(self, message):
+        self.assembly_name = ""
+
+        # extract the name of the assembly from the message       
+        match = re.search(r'name "(.*?)"', message)
+        if match:
+            self.assembly_name = match.group(1)

pysqlrecon/modules/clr.py

@@ -4,6 +4,7 @@
 from pathlib import Path
 from hashlib import sha512
 
+from pysqlrecon.lib.exceptions import DuplicateAssemblyError
 from pysqlrecon.logger import logger
 from pysqlrecon.lib import PySqlRecon
 
@@ -17,8 +18,8 @@
 @app.callback(invoke_without_command=True)
 def main(
     ctx: typer.Context,
-    dll: Path = typer.Option(None, "--dll", dir_okay=False, readable=True, help=".NET DLL to load into stored procedure"),
-    function: str = typer.Option(None, "--function", help="Function within .NET DLL to execute")):
+    dll: Path = typer.Option(..., "--dll", dir_okay=False, readable=True, help=".NET DLL to load into stored procedure"),
+    function: str = typer.Option(..., "--function", help="Function within .NET DLL to execute")):
 
     pysqlrecon: PySqlRecon = ctx.obj['pysqlrecon']
 
@@ -86,7 +87,8 @@ def main(
 
     #####
     # Create the custom assembly
-    pysqlrecon.create_asm(asm_name, dll_bytes)
+    create_assembly(pysqlrecon, asm_name, dll_bytes, function)
+    
     if not pysqlrecon.check_assembly(asm_name):
         logger.error("Failed to create custom assembly")
         logger.info("Cleaning up...")
@@ -122,4 +124,21 @@ def main(
     pysqlrecon.delete_tasm_resources(asm_name, function)
 
     pysqlrecon.disconnect()
-    
+
+
+# recursive func to create assembly and handle duplicate assmebly error by deleting and re-creating
+#   fix for https://github.com/Tw1sm/PySQLRecon/issues/1
+def create_assembly(pysqlrecon, asm_name, dll_bytes, function):
+    try:
+        pysqlrecon.create_asm(asm_name, dll_bytes)
+
+    except DuplicateAssemblyError as e:
+        logger.warning("Duplicate assembly detected - will try to delete and re-create")
+        
+        pysqlrecon.delete_tasm_resources(e.assembly_name, function)
+        logger.info(f"Deleted the offending duplicate assembly '{e.assembly_name}'")
+
+        logger.info(f"Attempting to re-create assembly with name '{asm_name}'")
+        pysqlrecon.create_asm(asm_name, dll_bytes)
+
+