gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

Access violation when trying to dump credentials on Windows 2003 SP2 x86 #169

Open iptwLcP9 opened 6 years ago

iptwLcP9 commented 6 years ago

I get an ACCESS_VIOLATION error when trying to dump credentials using the sekurlsa module.

Version where the issue was found

Steps to reproduce

  1. Open a command prompt with Administrator privileges
  2. Run mimikatz
  3. Use the privilege module to ask for debug privilege
  4. Use the sekurlsa module to dump credentials

C:\Documents and Settings\Administrator\Desktop\mimikatz_trunk\Win32>mimikatz.exe

  .#####.   mimikatz 2.1.1 (x86) built on Aug 20 2018 01:53:40
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords full

C:\Documents and Settings\Administrator\Desktop\mimikatz_trunk\Win32>

Additional comments

Debugging mimikatz, we can see that the issue is in the kuhl_m_sekurlsa_nt5_init function, when trying to write the g_cbRandomKey global variable.

0:002> g
ModLoad: 4ab70000 4ac39000   C:\WINDOWS\system32\lsasrv.dll
ModLoad: 741d0000 74244000   C:\WINDOWS\system32\SAMSRV.dll
ModLoad: 76ed0000 76efa000   C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 71c00000 71c17000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71bf0000 71bf8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 71bd0000 71be1000   C:\WINDOWS\system32\MPR.dll
ModLoad: 766f0000 76704000   C:\WINDOWS\system32\NTDSAPI.dll
(5b0.af0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=21e84ac2 ebx=00000001 ecx=00000100 edx=00000041 esi=77e6239c edi=4ac230d0
eip=0045bcd2 esp=0010fe00 ebp=0010fe48 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\Administrator\Desktop\mimikatz_trunk\Win32\mimikatz.exe
mimikatz+0x5bcd2:
0045bcd2 8908            mov     dword ptr [eax],ecx  ds:0023:21e84ac2=????????
0:000> u @$scopeip
mimikatz+0x5bcd2:
0045bcd2 8908            mov     dword ptr [eax],ecx
0045bcd4 ffd6            call    esi
0045bcd6 8b0d8cc64a00    mov     ecx,dword ptr [mimikatz+0xac68c (004ac68c)]
0045bcdc 6890000000      push    90h
0045bce1 6a40            push    40h
0045bce3 8901            mov     dword ptr [ecx],eax
0045bce5 ffd6            call    esi
0045bce7 8b0d84c64a00    mov     ecx,dword ptr [mimikatz+0xac684 (004ac684)]
0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0010fe48 0045c547 mimikatz+0x5bcd2
0010fe70 0045c86c mimikatz+0x5c547
0010fee8 0045cbd2 mimikatz+0x5c86c
0010ff00 0045c4ff mimikatz+0x5cbd2
0010ff44 0043b3d3 mimikatz+0x5c4ff
0010ff7c 0075006b mimikatz+0x3b3d3
0010ff80 006c0072 0x75006b
0010ff84 00610073 0x6c0072
0010ff88 003a003a 0x610073
0010ff8c 006f006c 0x3a003a
0010ff90 006f0067 0x6f006c
0010ff94 0050006e 0x6f0067
0010ff98 00730061 0x50006e
0010ff9c 00770073 0x730061
0010ffa0 0072006f 0x770073
0010ffa4 00730064 0x72006f
0010ffa8 00660020 0x730064
0010ffac 006c0075 0x660020
0010ffb0 00000000 0x6c0075
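
The faulting instruction is a store through a pointer that the version-specific search in kuhl_m_sekurlsa_nt5_init produced without validation: the debugger shows the target eax=21e84ac2 as unreadable (????????), and the "return addresses" listed below mimikatz+0x3b3d3 in the k output are not code either (read as little-endian UTF-16 they spell "kurlsa::logonPasswords ful", i.e. the command buffer the unwinder walked into because mimikatz.exe has no symbols). As an added example, not mimikatz's own code, here is how a signature-based resolver for a global inside a target module can be written so that a missing or mismatched pattern fails closed instead of dereferencing garbage. module_t, resolve_global, resolve_in_image, init_keys and g_random_key_va are hypothetical names; the byte images are constructed and are not real lsasrv.dll bytes; the image base 0x4ab70000 is only reused from the lsasrv.dll ModLoad line above.

```c
/*
 * Added example (not mimikatz code): resolve a module-global by byte
 * signature, validating the decoded operand before anyone dereferences it.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical module descriptor: where the image is mapped in the target
 * process (image_base) and a local copy of its bytes (data/size), e.g. as
 * obtained with ReadProcessMemory. */
typedef struct {
    uint32_t image_base;
    const uint8_t *data;
    size_t size;
} module_t;

/* Linear scan for an exact byte pattern; returns the offset or -1. */
static long find_pattern(const module_t *m, const uint8_t *pat, size_t patlen)
{
    if (patlen == 0 || m->size < patlen)
        return -1;
    for (size_t i = 0; i + patlen <= m->size; i++)
        if (memcmp(m->data + i, pat, patlen) == 0)
            return (long)i;
    return -1;
}

/* Resolve the VA of a global referenced by the instruction matched by `pat`;
 * the 32-bit absolute operand sits `disp_off` bytes after the match start.
 * Returns 0 unless the pattern is found, the operand lies inside the copied
 * bytes, and the decoded VA lies inside the module image. A 0 here means
 * "wrong build or wrong signature", which is exactly the case to report
 * rather than to keep going with. */
static uint32_t resolve_global(const module_t *m, const uint8_t *pat,
                               size_t patlen, size_t disp_off)
{
    long off = find_pattern(m, pat, patlen);
    if (off < 0)
        return 0;
    size_t pos = (size_t)off + disp_off;
    if (pos + sizeof(uint32_t) > m->size)
        return 0;                       /* operand truncated by the copy */
    uint32_t va;
    memcpy(&va, m->data + pos, sizeof va);   /* x86 immediates are little-endian */
    if (va < m->image_base || va - m->image_base >= m->size)
        return 0;                       /* operand points outside the module */
    return va;
}

/* Signature for `mov ecx, dword ptr [imm32]` (8B 0D imm32); operand at +2. */
static const uint8_t MOV_ECX_ABS[] = { 0x8B, 0x0D };

/* Hypothetical tool-side state, analogous to a g_cbRandomKey-style global
 * that later read/write code relies on. */
static uint32_t g_random_key_va;

/* Init step: store only a validated VA and report success so callers can
 * abort the dump instead of touching an unvalidated pointer. */
static int init_keys(const module_t *m)
{
    uint32_t va = resolve_global(m, MOV_ECX_ABS, sizeof MOV_ECX_ABS, 2);
    g_random_key_va = va;
    return va != 0;
}

/* Constructed sample images (not real lsasrv.dll bytes), all "mapped" at
 * FAKE_BASE. Unlisted bytes are zero-filled. */
#define FAKE_BASE 0x4ab70000u
static const uint8_t GOOD_IMAGE[64] = {
    0x90, 0x90,
    0x8B, 0x0D, 0x20, 0x00, 0xB7, 0x4A,   /* mov ecx,[4ab70020]: inside image */
    0xC3
};
static const uint8_t BAD_OPERAND_IMAGE[64] = {
    0x8B, 0x0D, 0xC2, 0x4A, 0xE8, 0x21,   /* mov ecx,[21e84ac2]: outside image */
    0xC3
};
static const uint8_t NO_MATCH_IMAGE[] = { 0x90, 0xC3 };
static const uint8_t TRUNCATED_IMAGE[] = { 0x8B, 0x0D, 0x20 };

/* Convenience wrapper: resolve the signature inside a sample image. */
static uint32_t resolve_in_image(const uint8_t *img, size_t len)
{
    module_t m = { FAKE_BASE, img, len };
    return resolve_global(&m, MOV_ECX_ABS, sizeof MOV_ECX_ABS, 2);
}

int main(void)
{
    printf("good image      -> %08x\n", resolve_in_image(GOOD_IMAGE, sizeof GOOD_IMAGE));
    printf("bad operand     -> %08x\n", resolve_in_image(BAD_OPERAND_IMAGE, sizeof BAD_OPERAND_IMAGE));
    printf("no match        -> %08x\n", resolve_in_image(NO_MATCH_IMAGE, sizeof NO_MATCH_IMAGE));
    printf("truncated       -> %08x\n", resolve_in_image(TRUNCATED_IMAGE, sizeof TRUNCATED_IMAGE));
    return 0;
}
```

The same bounds check applies after the pointer is later used with ReadProcessMemory or WriteProcessMemory: a VA that is not inside the module the signature was taken from is the signal that the signature does not match this build (here 5.2.3790.3959), and the right response is to stop and say so rather than to proceed.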

gentilkiwi commented 5 years ago

Hello :)

Strange, it may indicate that I did not correctly find a variable. Could you send the output of: version /full and, better: version /cab (only binaries inside)?

iptwLcP9 commented 5 years ago

Hi, thanks for the reply.

Here's the cabinet file and the command output:

C:\Documents and Settings\Administrator\Desktop\mimikatz_trunk\Win32>mimikatz.exe

  .#####.   mimikatz 2.1.1 (x86) built on Aug 20 2018 01:53:40
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # version /full

mimikatz 2.1.1 (arch x86)
Windows NT 5.2 build 3790 (arch x86)
msvc 150030729 207

lsasrv.dll      : 5.2.3790.3959
msv1_0.dll      : 5.2.3790.3959
wdigest.dll     : 5.2.3790.3959
kerberos.dll    : 5.2.3790.3959
kdcsvc.dll      : 5.2.3790.3959
cryptdll.dll    : 5.2.3790.3959
samsrv.dll      : 5.2.3790.3959
rsaenh.dll      : 5.2.3790.3959
eventlog.dll    : 5.2.3790.3959
termsrv.dll     : 5.2.3790.3959

mimikatz #