CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/manage/driver_loader.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::File

8
  include Msf::Post::Windows::Priv

9
  include Msf::Post::Windows::Services

10
  include Msf::Post::Windows::Error

11


12
  START_TYPE = {

13
    'demand' => 'SERVICE_DEMAND_START',

14
    'boot' => 'SERVICE_BOOT_START',

15
    'auto' => 'SERVICE_AUTO_START',

16
    'disabled' => 'SERVICE_DISABLED',

17
    'system' => 'SERVICE_SYSTEM_START'

18
  }

19


20
  ERROR_TYPE = {

21
    'critical' => 'SERVICE_ERROR_CRITICAL',

22
    'normal' => 'SERVICE_ERROR_NORMAL',

23
    'severe' => 'SERVICE_ERROR_SEVERE',

24
    'ignore' => 'SERVICE_ERROR_IGNORE'

25
  }

26


27
  SERVICE_TYPE = {

28
    'kernel' => 'SERVICE_KERNEL_DRIVER',

29
    'file_system' => 'SERVICE_FILE_SYSTEM_DRIVER',

30
    'adapter' => 'SERVICE_ADAPTER',

31
    'recognizer' => 'SERVICE_RECOGNIZER_DRIVER'

32
  }

33


34
  def initialize(info = {})

35
    super(

36
      update_info(

37
        info,

38
        'Name' => 'Windows Manage Driver Loader',

39
        'Description' => %q{

40
          This module loads a KMD (Kernel Mode Driver) using the Windows Service API.

41
        },

42
        'License' => MSF_LICENSE,

43
        'Author' => 'Borja Merino <bmerinofe[at]gmail.com>',

44
        'Platform' => 'win',

45
        'SessionTypes' => [ 'meterpreter' ]

46
      )

47
    )

48


49
    register_options(

50
      [

51
        OptString.new('DRIVER_PATH', [true, 'Driver path in %SYSTEMROOT%. Example: c:\\windows\\system32\\msf.sys']),

52
        OptString.new('DRIVER_NAME', [false, 'Driver Name.']),

53
        OptEnum.new('START_TYPE', [true, 'Start type.', 'auto', [ 'boot', 'system', 'auto', 'demand', 'disabled']]),

54
        OptEnum.new('SERVICE_TYPE', [true, 'Service type.', 'kernel', [ 'kernel', 'file_system', 'adapter', 'recognizer']]),

55
        OptEnum.new('ERROR_TYPE', [true, 'Error type.', 'ignore', [ 'ignore', 'normal', 'severe', 'critical']])

56
      ]

57
    )

58
  end

59


60
  def run

61
    driver = datastore['DRIVER_PATH']

62
    start = START_TYPE[datastore['START_TYPE']]

63
    error = ERROR_TYPE[datastore['ERROR_TYPE']]

64
    service = SERVICE_TYPE[datastore['SERVICE_TYPE']]

65


66
    name = datastore['DRIVER_NAME'].blank? ? Rex::Text.rand_text_alpha((rand(6..13))) : datastore['DRIVER_NAME']

67


68
    unless is_admin?

69
      print_error("Administrator or better privileges needed. Try 'getsystem' first.")

70
      return

71
    end

72


73
    unless driver =~ Regexp.new(Regexp.escape(expand_path('%SYSTEMROOT%')), Regexp::IGNORECASE)

74
      print_error('The driver must be inside %SYSTEMROOT%.')

75
      return

76
    end

77


78
    unless file_exist?(driver)

79
      print_error("Driver #{driver} does not exist.")

80
      return

81
    end

82


83
    inst = install_driver(name, path: driver, starttype: start, error_control: error, service_type: service)

84


85
    if inst == Windows::Error::SUCCESS

86
      ss = service_start(name)

87
      case ss

88
      when Windows::Error::SUCCESS

89
        print_good('Driver loaded successfully.')

90
      when Windows::Error::SERVICE_ALREADY_RUNNING

91
        print_error('Service already started.')

92
      when Windows::Error::SERVICE_DISABLED

93
        print_error('Service disabled.')

94
      else

95
        print_error('There was an error starting the service.')

96
      end

97
    end

98
  end

99


100
  def install_driver(name, opts = {})

101
    rc = service_create(name, opts)

102


103
    if rc == Windows::Error::SUCCESS

104
      print_status("Service object \"#{name}\" added to the Service Control Manager database.")

105
      return true

106
    elsif rc == Windows::Error::SERVICE_EXISTS

107
      print_error('The specified service already exists.')

108
      # Show ImagePath just to know if the service corresponds to the desired driver.

109
      service = service_info(name)

110
      print_error("Path of driver file in \"#{name}\" service: #{service[:path]}.")

111
    else

112
      print_error("There was an error opening the driver handler. GetLastError=#{rc}.")

113
    end

114
    return false

115
  end

116
end

117


118