Defeating Driver Signing Enforcement, Not That Hard!
These days everybody talks about Driver Signing Enforcement and the ways to bypass it. J00ru talked about the hard way; I will tell you about the easy and long-known way. All we need is a signed, vulnerable x64 driver. As we know, loading a driver requires administrator privilege, but these days a normal user with the default UAC setting can silently obtain admin privilege without a UAC dialog ever popping up.
The driver I am talking about is DCR from DriveCrypt. The x64 version is signed and is vulnerable to a write4 (arbitrary 4-byte write) bug.
The latest version is no longer vulnerable, but this older version still carries a valid signature, and that is enough.
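The point above is the one defenders should take away: Driver Signing Enforcement checks that a driver carries a valid signature, not that the driver is free of bugs, so an old signed build stays loadable long after the vendor fixed it. The script below is an added example, not code from the original post or from DriveCrypt. It inventories the kernel drivers currently running, records each one's version and Authenticode signer, and flags any whose SHA-256 hash appears in a locally maintained list of known-vulnerable signed drivers. The `$KnownVulnerable` table is an assumption: the post publishes no hash for the DCR driver, so the entry is a placeholder you must replace with hashes you track yourself.

```powershell
# Added example (not from the original post): inventory running kernel drivers,
# record version and Authenticode signer, and flag any that match a locally
# maintained list of known-vulnerable signed drivers.
# The $KnownVulnerable entries are PLACEHOLDERS (assumption): the post gives no
# hash for the DriveCrypt DCR driver, so fill this in from your own tracking.

$KnownVulnerable = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'PLACEHOLDER: vulnerable signed driver build'
}

# Resolve the path forms Win32_SystemDriver reports (\??\C:\..., \SystemRoot\...)
function Resolve-DriverPath([string]$PathName) {
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$results = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }   # skip entries we cannot open
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        $ver  = (Get-Item -LiteralPath $path).VersionInfo
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            Version   = $ver.FileVersion
            # A valid signature only tells you who signed the file, not that it is safe
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            SigStatus = $sig.Status
            SHA256    = $hash
            Flagged   = $KnownVulnerable.ContainsKey($hash)
        }
    }

$results |
    Sort-Object Flagged -Descending |
    Format-Table Name, Version, SigStatus, Signer, Flagged -AutoSize

$results | Where-Object Flagged | ForEach-Object {
    Write-Warning "Known-vulnerable signed driver loaded: $($_.Name) ($($_.Path)) - $($KnownVulnerable[$_.SHA256])"
}
```

Run it in an elevated PowerShell session so every driver image is readable. Matching on the file hash rather than on version strings is deliberate: a vulnerable build and a patched build can share a signer and a similar version, and the hash is what a blocklist can pin down exactly.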
I think it is obvious that the whole process, escalating privilege from a normal user to admin in order to load the vulnerable driver (silently, with one of the UAC bypass methods) and then exploiting it, can be made fully automatic.
You can find the vulnerable version of the driver, along with the exploit, at “DriveCrypt\x64\Release“.