Metasploit-framework: kiwi_cmd does not correctly handle commands with multiple arguments

Created on 14 Sep 2020 · 5 comments · Source: rapid7/metasploit-framework

Steps to reproduce

How'd you do it?

  1. Get an x64 SYSTEM session on Windows and load the kiwi extension
  2. Try to execute a custom command using kiwi_cmd (e.g. kiwi_cmd sekurlsa::logonPasswords full)
  3. The extension splits the two arguments into two separate commands

Expected behavior

The mimikatz command sekurlsa::logonPasswords full executes successfully

Current behavior

Two commands are being executed:

  1. sekurlsa::logonPasswords is being executed first
  2. full is being executed next (and is erroring)

Metasploit version

6.0.7-dev-

Example output

meterpreter > kiwi_cmd "sekurlsa::logonPasswords full"

Authentication Id : 0 ; 943489 (00000000:000e6581)
Session           : Interactive from 1
User Name         : Carter
Domain            : DESKTOP-T2TGIHP
Logon Server      : DESKTOP-T2TGIHP
Logon Time        : 9/11/2020 3:27:50 AM
SID               : S-1-5-21-919190163-669606871-1461497559-1003
... cut ...
... cut ...
Authentication Id : 0 ; 81336 (00000000:00013db8)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 9/11/2020 3:27:36 AM
SID               : 
        msv :
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : DESKTOP-T2TGIHP$
Domain            : WORKGROUP
Logon Server      : (null)
Logon Time        : 9/11/2020 3:27:36 AM
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : DESKTOP-T2TGIHP$
         * Domain   : WORKGROUP
         * Password : (null)
        kerberos :
         * Username : desktop-t2tgihp$
         * Domain   : WORKGROUP
         * Password : (null)
        ssp :
        credman :

mimikatz(powershell) # full
ERROR mimikatz_doLocal ; "full" command of "standard" module not found !

Module :        standard
Full name :     Standard module
Description :   Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file input/output base64
         version  -  Display some version informations
              cd  -  Change or display current directory
       localtime  -  Displays system local date and time (OJ command)
        hostname  -  Displays system local hostname

bug confirmed

All 5 comments

The line here seems to be doing the correct thing and joins the arguments with spaces, so I think the issue is on the meterpreter side of things

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It's been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

Same issue with sekurlsa::pth /user:xxx

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It's been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

Same issue with lsadump::dcsync /user:Administrator