From 7870bfe94eec09922fb75edbb0a05fa10b6923f6 Mon Sep 17 00:00:00 2001
From: Wrathdemon <57354589+prabhatjoshi321@users.noreply.github.com>
Date: Fri, 13 Jan 2023 19:00:51 +0530
Subject: [PATCH 1/4] fix #15890: Support Windows 11 in Capcom.sys LPE Module
---
 modules/exploits/windows/local/capcom_sys_exec.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/windows/local/capcom_sys_exec.rb b/modules/exploits/windows/local/capcom_sys_exec.rb
index 2250506878c7..ce36eb72b37a 100644
--- a/modules/exploits/windows/local/capcom_sys_exec.rb
+++ b/modules/exploits/windows/local/capcom_sys_exec.rb
@@ -21,7 +21,7 @@ def initialize(info = {})
 This module abuses the Capcom.sys kernel driver's function that allows for an arbitrary function to be executed in the kernel from user land. This function purposely disables SMEP prior to invoking a function given by the caller.
- This has been tested on Windows 7, 8.1 and Windows 10 (x64).
+ This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.
 }, 'License' => MSF_LICENSE, 'Author' => [
@@ -60,6 +60,8 @@ def initialize(info = {})
 end def check
+ return Exploit::CheckCode::Unknown unless session.platform == 'windows'
+
 version = get_version_info if version.build_number < Msf::WindowsVersion::Win7_SP0 || version.windows_server? return Exploit::CheckCode::Unknown
From 17ffd4e0f65f750240304a0185d25a835d06aafa Mon Sep 17 00:00:00 2001
From: Grant Willcox
Date: Fri, 30 Jun 2023 16:13:59 -0500
Subject: [PATCH 2/4] Add in description about why versions after 22000.194 aren't affected
---
 modules/exploits/windows/local/capcom_sys_exec.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/windows/local/capcom_sys_exec.rb b/modules/exploits/windows/local/capcom_sys_exec.rb
index ce36eb72b37a..4283f0f39185 100644
--- a/modules/exploits/windows/local/capcom_sys_exec.rb
+++ b/modules/exploits/windows/local/capcom_sys_exec.rb
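Review bot: The rewritten description line in the first hunk has `upto`, which should be two words: `This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) up to build 22000.194.`. This text is shown to the operator by `info`, so the wording is worth getting right. The enclosing `initialize` starts and ends outside the hunk.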
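Review bot: The guard added at the top of `check` answers `Exploit::CheckCode::Unknown` for a session that is not Windows, which tells the operator the module could not decide, while a non-Windows session plainly cannot be affected by a Windows kernel-driver issue; `return Exploit::CheckCode::Safe('Session platform is not Windows') unless session.platform == 'windows'` seems the more precise answer. If `Unknown` is intended (for example to leave the decision to the operator), a one-line comment such as `# get_version_info below only works on a Windows session` above the return would make that deliberate rather than accidental. The rest of `check` continues past the hunk.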
@@ -22,6 +22,7 @@ def initialize(info = {})
 arbitrary function to be executed in the kernel from user land. This function purposely disables SMEP prior to invoking a function given by the caller. This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.
+ Note that builds after 22000.194 contain deny lists that prevent this driver from loading.
 }, 'License' => MSF_LICENSE, 'Author' => [
@@ -35,7 +36,7 @@ def initialize(info = {})
 'EXITFUNC' => 'thread' }, 'Targets' => [
- [ 'Windows x64 (<= 10)', { 'Arch' => ARCH_X64 } ]
+ [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
 ], 'Payload' => { 'Space' => 4096,
From 3ab7b3ddc73e1af5f9d343d1b3842ef716030baa Mon Sep 17 00:00:00 2001
From: Grant Willcox
Date: Fri, 30 Jun 2023 16:24:28 -0500
Subject: [PATCH 3/4] Add in autocheck and expand check logic for Windows 11 targets
---
 modules/exploits/windows/local/capcom_sys_exec.rb | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/modules/exploits/windows/local/capcom_sys_exec.rb b/modules/exploits/windows/local/capcom_sys_exec.rb
index 4283f0f39185..0866c465fcc8 100644
--- a/modules/exploits/windows/local/capcom_sys_exec.rb
+++ b/modules/exploits/windows/local/capcom_sys_exec.rb
@@ -10,6 +10,7 @@ class MetasploitModule < Msf::Exploit::Local
 include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection
+ prepend Msf::Remote::Exploit::AutoCheck
 def initialize(info = {}) super(
@@ -68,6 +69,11 @@ def check
 return Exploit::CheckCode::Unknown end
+ # These versions of Windows 11 come built in with a driver block list preventing loading of capcom.sys
+ if version.build_number > Rex::Version.new('10.0.22000.194')
+ return Exploit::CheckCode::Safe('Target contains a block list which prevents the vulnerable driver from being loaded!')
+ end
+
 if sysinfo['Architecture'] != ARCH_X64 return Exploit::CheckCode::Safe end
From 0111e5500630b666bf6b2662b4384ecb4a4585c7 Mon Sep 17 00:00:00 2001
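Review bot: The new block-list test in the last hunk compares `version.build_number` against an inline `Rex::Version.new('10.0.22000.194')`, a literal that also appears in the module description and in the commit message; hoisting it into a named constant on the class, e.g. `BLOCKLIST_BUILD = Rex::Version.new('10.0.22000.194')` and then `if version.build_number > BLOCKLIST_BUILD`, keeps those places in step when the threshold is revised. Because the new block runs before the `sysinfo['Architecture'] != ARCH_X64` test that follows it, a 32-bit session on a newer build is reported with the block-list message rather than the architecture one, so placing the new block after the architecture check would give the operator the more specific reason. The added comment calls it a "block list" while the description added in the previous commit says "deny lists"; one term throughout would avoid confusion, and the comment could read `# Builds after 22000.194 ship a driver block list that prevents capcom.sys from loading`. The `check` method starts and ends outside the hunk.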
From: jheysel-r7
Date: Fri, 8 Sep 2023 13:05:44 -0400
Subject: [PATCH 4/4] Update modules/exploits/windows/local/capcom_sys_exec.rb
---
 modules/exploits/windows/local/capcom_sys_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/windows/local/capcom_sys_exec.rb b/modules/exploits/windows/local/capcom_sys_exec.rb
index 0866c465fcc8..c27f5428bf95 100644
--- a/modules/exploits/windows/local/capcom_sys_exec.rb
+++ b/modules/exploits/windows/local/capcom_sys_exec.rb
@@ -10,7 +10,7 @@ class MetasploitModule < Msf::Exploit::Local
 include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection
- prepend Msf::Remote::Exploit::AutoCheck
+ prepend Msf::Exploit::Remote::AutoCheck
 def initialize(info = {}) super(