
Kiwi_cmd "sekurlsa::logonPasswords" done twice crashes meterpreter #12228

Closed · 1 task done
gkweb76 opened this issue Aug 24, 2019 · 8 comments
Labels: bug, meterpreter, Stale (marks an issue as stale, to be closed if no action is taken)

Comments

gkweb76 (Contributor) commented Aug 24, 2019

Steps to reproduce

How'd you do it?

  1. From a meterpreter session launched via psexec on Windows, type load kiwi
  2. The first time, type kiwi_cmd "sekurlsa::logonPasswords" and it works fine
  3. The second time, run the same command again and the meterpreter session "dies" every time.

I have tried this on a 32-bit meterpreter session against Windows 7, and on a 64-bit meterpreter session against Windows 10 in a VirtualBox environment, both from a Kali Linux VirtualBox VM, with Metasploit 5.0.41-dev.

Expected behavior

The command should return the in-memory hashes and password every time it is called.

Current behavior

Currently, the in-memory hashes and passwords are only returned on the first call, and the second call crashes the meterpreter session.

~/.msf4/logs/framework.log:

[08/24/2019 16:52:31] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (24)
[08/24/2019 16:52:32] [w(0)] core: Session 24 has died
[08/24/2019 16:52:46] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (24)
[08/24/2019 16:52:46] [e(0)] meterpreter: Error running command kiwi_cmd: Rex::TimeoutError Operation timed out.
[08/24/2019 16:52:46] [d(0)] meterpreter: Call stack:
/usr/share/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:177:in `send_request'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb:48:in `exec_cmd'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb:86:in `cmd_kiwi_cmd'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:105:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:68:in `block in interact'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:146:in `run'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:66:in `interact'
/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:576:in `_interact'
/usr/share/metasploit-framework/lib/rex/ui/interactive.rb:51:in `interact'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1364:in `cmd_sessions'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:215:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:49:in `<main>'

System stuff

Virtualbox 6.0.10

Metasploit version

Framework: 5.0.41-dev
Console : 5.0.41-dev

I installed Metasploit with:

  • Kali package via apt

OS

What OS are you running Metasploit on?
'uname -a'
Linux kali 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-6kali1 (2019-07-22) x86_64 GNU/Linux

EDIT: I added a proper stack trace.

timwr (Contributor) commented Aug 24, 2019

I think it's crashing here: https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c#L385
Maybe there is some kind of internal state not being reset.
Interestingly if you call meterpreter > kiwi_cmd "sekurlsa::process" in between calls it works:

meterpreter > kiwi_cmd "sekurlsa::logonPasswords"
...
meterpreter > kiwi_cmd "sekurlsa::process"
Switch to PROCESS
meterpreter > kiwi_cmd "sekurlsa::logonPasswords"
...

gkweb76 (Contributor, Author) commented Aug 24, 2019

> I think it's crashing here: https://github.com/gentilkiwi/mimikatz/blob/master/mimikatz/modules/sekurlsa/kuhl_m_sekurlsa.c#L385
> Maybe there is some kind of internal state not being reset.
> Interestingly if you call meterpreter > kiwi_cmd "sekurlsa::process" in between calls it works:
>
> meterpreter > kiwi_cmd "sekurlsa::logonPasswords"
> ...
> meterpreter > kiwi_cmd "sekurlsa::process"
> Switch to PROCESS
> meterpreter > kiwi_cmd "sekurlsa::logonPasswords"
> ...

Good catch @timwr ! I did some testing and I was not able to NOT crash the meterpreter session no matter what I tried. At least it gives me a workaround for the meantime :-)

gkweb76 (Contributor, Author) commented Aug 24, 2019

Also possibly related: running creds_msv twice also crashes the meterpreter session on Windows 10:

meterpreter > creds_msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials

Username  Domain   NTLM                     SHA1                           DPAPI
--------  ------   ----                     ----                           -----
WIN10$    HACKME2  ed1c04b7c0fea4057a20b01  2992d1dec5549ad109e658d38b2e5

meterpreter > creds_msv
[+] Running as SYSTEM
[*] Retrieving msv credentials

[*] 192.168.56.109 - Meterpreter session 26 closed. Reason: Died

The related stack trace:

[08/24/2019 16:55:44] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (25)
[08/24/2019 16:55:45] [w(0)] core: Session 25 has died
[08/24/2019 16:55:51] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (25)
[08/24/2019 16:55:51] [e(0)] meterpreter: Error running command creds_msv: Interrupt
[08/24/2019 16:55:51] [d(0)] meterpreter: Call stack:
/usr/share/metasploit-framework/lib/rex/post/meterpreter/packet_response_waiter.rb:95:in `sleep'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/packet_response_waiter.rb:95:in `wait'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/packet_response_waiter.rb:95:in `block in wait'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/packet_response_waiter.rb:93:in `synchronize'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/packet_response_waiter.rb:93:in `wait'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:214:in `send_packet_wait_response'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:172:in `send_request'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb:48:in `exec_cmd'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb:139:in `creds_msv'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb:482:in `block in cmd_creds_msv'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb:573:in `scrape_passwords'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb:483:in `cmd_creds_msv'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:105:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:68:in `block in interact'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:146:in `run'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:66:in `interact'
/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:576:in `_interact'
/usr/share/metasploit-framework/lib/rex/ui/interactive.rb:51:in `interact'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1364:in `cmd_sessions'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:215:in `cmd_exploit'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:49:in `<main>'
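Both framework.log excerpts in this thread have the same shape: a "Session N has died" line from core, followed some seconds later by an "Error running command X: ..." line from the meterpreter console. The helper below is an added example, not code from the issue or from Metasploit; it parses that log format and pairs each session death with the console command that was in flight, which is the triage a framework operator wants when reproducing a session-killing bug like this one. The sample log lines are constructed to mirror the ones quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, mirroring the framework.log lines quoted in this issue.
SAMPLE_LOG = """\
[08/24/2019 16:52:31] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (24)
[08/24/2019 16:52:32] [w(0)] core: Session 24 has died
[08/24/2019 16:52:46] [e(0)] meterpreter: Error running command kiwi_cmd: Rex::TimeoutError Operation timed out.
[08/24/2019 16:52:46] [d(0)] meterpreter: Call stack:
[08/24/2019 16:55:45] [w(0)] core: Session 25 has died
[08/24/2019 16:55:51] [e(0)] meterpreter: Error running command creds_msv: Interrupt
"""

# "[MM/DD/YYYY HH:MM:SS] [level(n)] source: message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[a-z])\(\d+\)\] (?P<src>\w+): (?P<msg>.*)$")
DIED_RE = re.compile(r"^Session (?P<sid>\d+) has died$")
ERR_RE = re.compile(r"^Error running command (?P<cmd>\S+): (?P<reason>.*)$")


@dataclass
class Crash:
    session: int
    died_at: str
    command: Optional[str] = None   # console command that was waiting on the session
    reason: Optional[str] = None    # error the console reported once it gave up


def parse_line(line: str) -> Optional[dict]:
    """Split one framework.log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate_crashes(text: str) -> list:
    """Pair each 'Session N has died' with the next command error the console logs."""
    crashes, pending = [], None
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # stack-trace frames and other free text
        died = DIED_RE.match(rec["msg"])
        if died and rec["src"] == "core":
            pending = Crash(int(died["sid"]), rec["ts"])
            crashes.append(pending)
            continue
        err = ERR_RE.match(rec["msg"])
        if err and rec["src"] == "meterpreter" and pending and pending.command is None:
            pending.command, pending.reason = err["cmd"], err["reason"]
            pending = None  # a death is attributed to at most one command
    return crashes
```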

IppSec commented Apr 30, 2020

Thanks for the troubleshooting! Saved me a bunch of time when troubleshooting, fix is here. gentilkiwi/mimikatz#283

OJ (Contributor) commented Apr 30, 2020

Nice! Be sure to give us a bump in here when that's been landed and we'll pull it into kiwi :) Cheers!

gentilkiwi commented

Hey here :)

I try to avoid resets between calls, and try to reuse already opened handles and already searched offsets (fewer system calls / less noise to security products).

As it does not crash on the standalone one (which does not indicate the bug is not here!), could you please send me crash dumps or indications on how to reproduce it in an easy way for me?

github-actions bot commented

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions bot added the Stale label Oct 19, 2020

github-actions bot commented

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it.
Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
