sailay1996/WerTrigger

Stars
150
Rank 239,590 (Top 5 %)
Language
C++
Created almost 4 years ago
Updated about 2 years ago

sailay1996/WerTrigger

sailay1996

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Weaponizing for privileged file writes bugs with windows problem reporting

WerTrigger

Weaponizing for privileged file writes bugs with windows problem reporting

Short Description:

I've found phoneinfo.dll (which is missing in system32 dir) has been loaded by wermgr.exe (windows problem reporting) when I enable boot logging in Procmon. It mean, phoneinfo.dll is loaded after reboot. Then, I asked to @jonasLyk that can I trigger to load phoneinfo.dll without reboot and he said "yes!". And then, This trigger was happened.

Note:

you can also use @it4man's UsoDllLoader as a weapon for privileged file writes bugs and also there's another techniques at here FileWrite2system

For testing purposes:

As an administrator, copy phoneinfo.dll to C:\Windows\System32\
Place Report.wer file and WerTrigger.exe in a same directory.
Then, run WerTrigger.exe.
Enjoy a shell as NT AUTHORITY\SYSTEM.

Thanks to: @jonasLyk for giving advice which is without reboot technique

UAC_Bypass_In_The_Wild

Windows 10 UAC bypass for all executable files which are autoelevate true .

awesome_windows_logical_bugs

collect for learning cases

UAC_bypass_windows_store

Windows 10 LPE (UAC Bypass) in Windows Store (WSReset.exe)

CdpSvcLPE

Windows Local Privilege Escalation via CdpSvc service (Writeable SYSTEM path Dll Hijacking)

cve-2020-1337-poc

poc for CVE-2020-1337 (Windows Print Spooler Elevation of Privilege)

RpcSsImpersonator

Privilege Escalation Via RpcSs svc

magnifier0day

Windows 10 Privilege Escalation (magnifier.exe) via Dll Search Order Hijacking

SpoolTrigger

Weaponizing for privileged file writes bugs with PrintNotify Service

Fileless_UAC_bypass_WSReset

I created the python script to bypass UAC to get system shell .

delete2SYSTEM

Weaponizing for Arbitrary Files/Directories Delete bugs to Get NT AUTHORITY\SYSTEM

PrintNightmare-LPE

CVE-2021-1675 (PrintNightmare)

tokenx_privEsc

with metasploit

GUI_UAC_bypassX

gui uac bypass (netplwiz.exe)

eternal-pulsar

Eternalblue-Doublepulsar without Metasploit or python

cve-2022-21882-poc

lpe poc for cve-2022-21882

offsec_WE

learning case to prepare OSWE

SECOMN_EoP

Sound Research SECOMN service Privilege Escalation (windows 10)

amd_eop_poc

CVE-2020-8950 AMD User Experience Program Launcher from Radeon Software Privilege Escalation ( FileWrite eop)

windows-stuff

my learning case about windows

FileWrite2system

File Write Weapon for Privilege Escalation To get SYSTEM

misc-bin

origin_client_LPE

Ea's Origin Client LPE

JustFunctions

Dangerous Functions of Programming Languages

app-sec-checklist

checklist for Application penetration Testing

Windows_System_Programming

my learning journey of windows system programmings

wp_app_dllhijack_poc

NP_impersonate

priv esc for SeImpersonatePrivilege

sec_checklist_bag

Security Checklist for Industry

playing-with-privileged-tokens

just my learning cases

offsecWE-prepare

my learning case for OSWE prepare

pyauthy

Script for Twilio Authy Two-Factor Authentication (2FA)

xApp

trash-bin

MyNotes

awe-win-expx

mozilla-security-checklist

Mozilla - Security Checklist #noted

assem

my learning case for assembly