WerTrigger
Weaponizing for privileged file writes bugs with windows problem reporting
Short Description:
I've found phoneinfo.dll (which is missing in system32 dir) has been loaded by wermgr.exe (windows problem reporting) when I enable boot logging in Procmon. It mean, phoneinfo.dll
is loaded after reboot. Then, I asked to @jonasLyk that can I trigger to load phoneinfo.dll
without reboot and he said "yes!". And then, This trigger was happened.
Note:
you can also use @it4man's UsoDllLoader as a weapon for privileged file writes bugs and also there's another techniques at here FileWrite2system
For testing purposes:
- As an administrator, copy
phoneinfo.dll
toC:\Windows\System32\
- Place
Report.wer
file andWerTrigger.exe
in a same directory. - Then, run
WerTrigger.exe
. - Enjoy a shell as NT AUTHORITY\SYSTEM.
by @404death
Thanks to: @jonasLyk for giving advice which is without reboot technique