A pure C++ port of GodPotato — a Windows local privilege escalation tool that abuses the DCOM/RPC activation mechanism to obtain a SYSTEM token from a SeImpersonatePrivilege-capable account (e.g. NETWORK SERVICE, LOCAL SERVICE, IIS APPPOOL\*).
The technique is a faithful C++ re-implementation of the original C# GodPotato approach:
- RPC dispatch hook — Locates the `orcb` RPC interface inside `combase.dll` by scanning for a byte pattern (`sizeof(RPC_SERVER_IFACE)` followed by the ORCB GUID). It then overwrites the `IUseProtseq` function pointer in the MIDL dispatch table, redirecting RPCSS to a locally controlled named pipe instead of the real endpoint mapper.
- Named pipe server — A background thread creates `\\.\pipe\vrls\pipe\epmapper` with a permissive DACL and waits for a connection.
- Trigger — `CoUnmarshalInterface` is called with a crafted `OBJREF` that points RPCSS at `127.0.0.1`. RPCSS invokes the hooked `IUseProtseq`, which rewrites the binding to the named pipe. RPCSS then connects to the pipe as `NT AUTHORITY\NETWORK SERVICE`.
- Token theft (SharpToken approach) — While impersonating the pipe client, `NtQuerySystemInformation(SystemExtendedHandleInformation)` enumerates every handle on the system. Each handle is duplicated into the current process and tested for `NT AUTHORITY\SYSTEM` identity with High integrity. The tool prefers a token from the active interactive session; it falls back to any SYSTEM token (session 0) if none is found.
- Command execution — `CreateProcessWithTokenW` / `CreateProcessAsUserW` spawns the requested command under the stolen SYSTEM token, streaming stdout/stderr back to the caller.
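A defender-side check, added here and not part of the GodPotato++ project: the named-pipe step above registers a look-alike endpoint mapper under a nested path (`\vrls\pipe\epmapper`), so a Sysmon pipe event (ID 17 PipeCreated / 18 PipeConnected) whose `PipeName` ends in `\pipe\epmapper` but is not the genuine `\epmapper` is a usable indicator. The script runs that rule over constructed sample events; it generalizes beyond the `vrls` prefix, and the JSON event layout and image paths are assumptions.

```python
"""Flag GodPotato-style look-alike endpoint-mapper pipes in Sysmon pipe events."""
import json
import re

PIPE_CREATED = 17    # Sysmon: named pipe created
PIPE_CONNECTED = 18  # Sysmon: named pipe connected

# The genuine endpoint mapper pipe is \epmapper (\\.\pipe\epmapper). A potato-style
# pipe server registers it under a nested path, e.g. \vrls\pipe\epmapper, so the
# name still ends in "\pipe\epmapper" but carries an extra path component in front.
LOOKALIKE_EPMAPPER = re.compile(r"^\\.+\\pipe\\epmapper$", re.IGNORECASE)


def is_lookalike_epmapper(pipe_name: str) -> bool:
    """True when pipe_name mimics epmapper under a nested prefix (any prefix)."""
    return bool(LOOKALIKE_EPMAPPER.match(pipe_name))


def scan_pipe_events(lines):
    """Return (event_id, image, pipe_name) for every suspicious event in JSON lines."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") not in (PIPE_CREATED, PIPE_CONNECTED):
            continue
        pipe = event.get("PipeName", "")
        if is_lookalike_epmapper(pipe):
            hits.append((event["EventID"], event.get("Image", ""), pipe))
    return hits


# Constructed sample events (not real telemetry); image paths are illustrative.
SAMPLE_EVENTS = r"""
{"EventID": 17, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\epmapper"}
{"EventID": 17, "Image": "C:\\inetpub\\temp\\GodPotato++.exe", "PipeName": "\\vrls\\pipe\\epmapper"}
{"EventID": 18, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\vrls\\pipe\\epmapper"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

if __name__ == "__main__":
    for event_id, image, pipe in scan_pipe_events(SAMPLE_EVENTS.splitlines()):
        print(f"[!] Sysmon {event_id}: {image} -> {pipe}")
```

The pipe prefix is a one-line change in a rebuilt binary, so this catches the name pattern rather than the technique; pairing it with the SeImpersonatePrivilege requirement below (only service accounts that truly need it should hold it) is the more durable control.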
- Windows 10 / 11 or Windows Server 2016+ (x64)
- The calling process must hold `SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege` (typical for `NETWORK SERVICE`, `LOCAL SERVICE`, IIS application pools, SQL Server service accounts, etc.)
- No additional dependencies — the binary links only against `ole32`, `advapi32`, and `ntdll` (resolved at runtime via `GetProcAddress`)
Open GodPotato++.sln in Visual Studio and build the Release | x64 configuration, or from a Developer Command Prompt:

```
cl /EHsc /O2 /W3 GodPotato++.cpp /link ole32.lib advapi32.lib
```

Cross-compiling with MinGW-w64:

```
x86_64-w64-mingw32-g++ -std=c++17 -O2 -o GodPotato++.exe GodPotato++.cpp \
    -lole32 -ladvapi32 -luuid \
    -mconsole -municode
```

Pre-built binaries for x64 are available in x64/Release/.
```
GodPotato++.exe -cmd <command>

# Verify privilege escalation
GodPotato++.exe -cmd "cmd /c whoami"
```
```
[*] CombaseModule: 0x00007FF8ABCD0000
[*] DispatchTable: 0x00007FF8ABD12345
[*] UseProtseqFunction: 0x00007FF8ABD12300
[*] UseProtseqFunctionParams: 6
[*] RPC hook installed
[*] CreateNamedPipe \\.\pipe\vrls\pipe\epmapper
[*] Pipe connected
[*] Impersonation level: 2
[*] Searching for SYSTEM token via handle enumeration...
[*] NtQSI: 12843 handles total
[*] Token ObjectTypeIndex: 5
[*] SYSTEM token: PID 812 handle 0x2c4 Session 1 [interactive]
[*] SYSTEM token found
[*] Token session → 1
[*] RPC hook removed
[*] Running command as SYSTEM: cmd /c whoami
[*] Process started (PID 9012)
nt authority\system
```
| Component | Implementation |
|---|---|
| Interface discovery | Sunday pattern search over combase.dll image |
| Hook variants | Hook4–Hook14 cover all observed IUseProtseq signatures across Windows versions |
| OBJREF construction | Manual serialization of the DCOM standard marshaling format (MEOW signature) |
| Token search | NtQuerySystemInformation → DuplicateHandle → IsSystemSID + integrity check |
| Session fix-up | SetTokenInformation(TokenSessionId) after enabling SeTcbPrivilege |
| Process launch | Tries CreateProcessWithTokenW first, falls back to CreateProcessAsUserW |
- Original GodPotato (C#) by BeichenDream
- Token enumeration technique from SharpToken
For authorized use only. Use only on systems you own or have explicit written permission to test.
