Weaponizing to get NT AUTHORITY\SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting
I discovered that comctl32.dll is loaded by wermgr.exe (when it is run by Windows Error Reporting via schtasks) from a location under the system directory that does not normally exist. This means that if we can create a folder named C:\Windows\System32\wermgr.exe.local with a Full Control ACL, we can hijack comctl32.dll from that folder. So I wrote this PoC as a method to turn a directory creation bug into an NT AUTHORITY\SYSTEM shell.
PoC video: POC.wmv (demonstrated with Backblaze's directory creation bug)
(If you have a directory creation bug via a service vulnerability, you don't need administrator access.)
Steps:
1. Create a directory named wermgr.exe.local in C:\Windows\System32\.
2. Grant Everyone full control on it:
   cacls C:\Windows\System32\wermgr.exe.local /e /g everyone:f
3. Put the spawn.dll file and dircreate2system.exe in the same directory, then run dircreate2system.exe.
4. You can also use other methods; see dir_create2system.txt.
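For defenders checking a host for this redirection directory, here is an added PowerShell audit that is not part of the original PoC: it lists every *.local directory under System32 (there should normally be none), its owner, any ACE that gives a broad group write rights, and any DLL already placed inside. The list of broad identities and the write-rights mask are my own assumptions about what counts as a weak ACL.

```powershell
# Added audit script (not from the original project). Run from an elevated prompt.
# Looks for DotLocal redirection directories (e.g. wermgr.exe.local) in System32
# and reports ones that untrusted groups can write to or that already hold a DLL.

$system32 = Join-Path $env:SystemRoot 'System32'

# Assumption: these identities should never hold write rights on a .local dir in System32.
$broadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Assumption: any of these rights lets a caller plant or replace a DLL in the folder.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

$findings = foreach ($dir in Get-ChildItem -Path $system32 -Directory -Filter '*.local' -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -Path $dir.FullName
    $weakAces = $acl.Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        ($broadIdentities -contains $_.IdentityReference.Value) -and
        # Negative values are un-mapped generic rights (GENERIC_WRITE etc.); treat them as weak too.
        (($rights -lt 0) -or (($rights -band $writeMask) -ne 0))
    }
    $dlls = Get-ChildItem -Path $dir.FullName -Filter '*.dll' -File -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Directory  = $dir.FullName
        Owner      = $acl.Owner
        WeakAces   = ($weakAces | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        PlantedDll = ($dlls | ForEach-Object { $_.Name }) -join ', '
    }
}

if (-not $findings) { "No *.local directories found under $system32" }
else { $findings | Format-Table -AutoSize }
```

Any *.local directory reported here deserves review; one with a weak ACE or a planted DLL is the exact precondition the PoC above relies on, and removing the directory closes it.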