SeLoadDriverPrivilege
Enable the permission first: Use UACMe to bypass UAC
It's well known that the driver Capcom.sys contains functionality to allow any user to execute shellcode with SYSTEM privileges
Use this to load driver
Add these includes:
Next, compile it using cl.exe like so:
cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp
Add a reference to driver
Then download the Capcom.sys driver from here and save it to C:\temp. Then:
The odd syntax \??\ used to reference our malicious driver's ImagePath is an NT Object Path. The Win32 API will parse and resolve this path to properly locate and load our malicious driver.
Verify the driver is not loaded
Use DriverView.exe:
.\DriverView.exe /stext drivers.txt
cat drivers.txt | Select-String -pattern Capcom
Then run the EnableSeLoadDriverPrivilege.exe that was previously compiled:
EnableSeLoadDriverPrivilege.exe
Verify Capcom Driver is Listed
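As an added, defender-side example (not part of these notes and not a tool the notes describe), the DriverView check above can be scripted in PowerShell and extended to the two audits a blue team would want after reading this page: which accounts hold SeLoadDriverPrivilege on the host, and which service entries register an ImagePath using the \??\ prefix that resolves outside the Windows driver directory. The Capcom driver name and the C:\temp location come from the notes; the function names are mine, and the script assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example (not from the original notes): defender-side checks for the
# SeLoadDriverPrivilege / Capcom.sys technique. Assumes an elevated PowerShell
# session on the audited host; function names are this example's own.

# 1. Is a driver named Capcom currently loaded? Win32_SystemDriver reports the
#    same kernel drivers that DriverView.exe lists.
function Test-CapcomLoaded {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -match 'Capcom' -or $_.PathName -match 'Capcom\.sys' } |
        Select-Object Name, State, PathName
}

# 2. Which principals hold SeLoadDriverPrivilege? secedit exports the local
#    security policy; the privilege line is "SeLoadDriverPrivilege = *SID,*SID".
#    By default only Administrators and Print Operators should appear.
function Get-LoadDriverHolders {
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeLoadDriverPrivilege' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($line) {
        ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
    } else {
        @()
    }
}

# 3. Service entries whose ImagePath is an NT object path (\??\ prefix) that
#    does not resolve into the normal driver directory. A legitimate driver
#    lives under \Windows\System32\drivers; an ImagePath such as
#    \??\C:\temp\Capcom.sys is the pattern the notes above describe.
function Get-SuspiciousDriverImagePaths {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            if ($p -and $p -like '\??\*' -and $p -notmatch '\\Windows\\System32\\drivers\\') {
                [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $p }
            }
        }
}

# Run all three audits and print the findings.
'--- Capcom driver loaded? ---';              Test-CapcomLoaded
'--- SeLoadDriverPrivilege holders ---';       Get-LoadDriverHolders
'--- Driver ImagePaths outside drivers\ ---'; Get-SuspiciousDriverImagePaths
```

An empty result from the first and third checks, plus only the default groups in the second, is the expected state. Any non-administrative account or group in the SeLoadDriverPrivilege line is the configuration this whole page depends on and should be removed through the local or domain security policy.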
Use ExploitCapcom Tool to Escalate Privileges
Use ExploitCapcom after compiling
No GUI
If we do not have GUI access to the target, we will have to modify the ExploitCapcom.cpp code before compiling. Here we can edit line 292 and replace "C:\\Windows\\system32\\cmd.exe"
with, say, a reverse shell binary created with msfvenom, for example: c:\ProgramData\revshell.exe.
The Command Line string in this example would be changed to:
We would then run ExploitCapcom.exe to pop a SYSTEM shell or run our custom binary.
Automating with EopLoadDriver