Land rapid7#7396, Add Meterpreter API to list installed drivers

Author: Brent Cook

Gemfile.lock

@@ -14,7 +14,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.1.16)
+      metasploit-payloads (= 1.1.19)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.0.6)
       msgpack
@@ -167,7 +167,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.1.16)
+    metasploit-payloads (1.1.19)
     metasploit_data_models (2.0.4)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)

lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

@@ -51,6 +51,25 @@ def is_system?
     getsid == SYSTEM_SID
   end
 
+  #
+  # Returns a list of currently active drivers used by the target system
+  #
+  def getdrivers
+    request = Packet.create_request('stdapi_sys_config_driver_list')
+    response = client.send_request(request)
+
+    result = []
+
+    response.each(TLV_TYPE_DRIVER_ENTRY) do |driver|
+      result << {
+        basename: driver.get_tlv_value(TLV_TYPE_DRIVER_BASENAME),
+        filename: driver.get_tlv_value(TLV_TYPE_DRIVER_FILENAME)
+      }
+    end
+
+    result
+  end
+
   #
   # Returns a hash of requested environment variables, along with their values.
   # If a requested value doesn't exist in the response, then the value wasn't found.

lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -158,6 +158,10 @@ module Stdapi
 TLV_TYPE_PROCESS_SESSION    = TLV_META_TYPE_UINT    | 2308
 TLV_TYPE_PROCESS_ARCH_NAME  = TLV_META_TYPE_STRING  | 2309
 
+TLV_TYPE_DRIVER_ENTRY       = TLV_META_TYPE_GROUP   | 2320
+TLV_TYPE_DRIVER_BASENAME    = TLV_META_TYPE_STRING  | 2321
+TLV_TYPE_DRIVER_FILENAME    = TLV_META_TYPE_STRING  | 2322
+
 TLV_TYPE_IMAGE_FILE         = TLV_META_TYPE_STRING  | 2400
 TLV_TYPE_IMAGE_FILE_PATH    = TLV_META_TYPE_STRING  | 2401
 TLV_TYPE_PROCEDURE_NAME     = TLV_META_TYPE_STRING  | 2402

metasploit-framework.gemspec

@@ -65,7 +65,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.1.16'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.1.19'
   # Needed for the next-generation POSIX Meterpreter
   spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.0.6'
   # Needed by msfgui and other rpc components

modules/exploits/windows/local/capcom_sys_exec.rb

@@ -51,21 +51,28 @@ def initialize(info={})
   end
 
   def check
-    if sysinfo['OS'] !~ /windows 7/i
+    if sysinfo['OS'] !~ /windows (7|8)/i
       return Exploit::CheckCode::Unknown
     end
 
-    if sysinfo['Architecture'] =~ /(wow|x)64/i
-      arch = ARCH_X86_64
-    else
+    if sysinfo['Architecture'] !~ /(wow|x)64/i
       return Exploit::CheckCode::Safe
     end
 
-    file_path = expand_path('%windir%') << '\\system32\\capcom.sys'
-    return Exploit::CheckCode::Safe unless file_exist?(file_path)
+    # Validate that the driver has been loaded and that
+    # the version is the same as the one expected
+    client.sys.config.getdrivers.each do |d|
+      if d[:basename].downcase == 'capcom.sys'
+        expected_checksum = '73c98438ac64a68e88b7b0afd11ba140'
+        target_checksum = client.fs.file.md5(d[:filename])
+
+        if expected_checksum == Rex::Text.to_hex(target_checksum, '')
+          return Exploit::CheckCode::Appears
+        end
+      end
+    end
 
-    # TODO: check for the capcom.sys driver and its version.
-    return Exploit::CheckCode::Appears
+    return Exploit::CheckCode::Safe
   end
 
   def exploit