Home

Awesome

WerTrigger

Weaponizing for privileged file writes bugs with windows problem reporting

Short Description:

I've found phoneinfo.dll (which is missing in system32 dir) has been loaded by wermgr.exe (windows problem reporting) when I enable boot logging in Procmon. It mean, phoneinfo.dll is loaded after reboot. Then, I asked to @jonasLyk that can I trigger to load phoneinfo.dll without reboot and he said "yes!". And then, This trigger was happened.

Note:

you can also use @it4man's UsoDllLoader as a weapon for privileged file writes bugs and also there's another techniques at here FileWrite2system

For testing purposes:

  1. As an administrator, copy phoneinfo.dll to C:\Windows\System32\
  2. Place Report.wer file and WerTrigger.exe in a same directory.
  3. Then, run WerTrigger.exe.
  4. Enjoy a shell as NT AUTHORITY\SYSTEM.

test1

by @404death

Thanks to: @jonasLyk for giving advice which is without reboot technique