Weaponizing to get NT AUTHORITY\SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting
While looking at Windows Error Reporting I found that wermgr.exe loads comctl32.dll, and that the loader will first look for it in C:\Windows\System32\wermgr.exe.local, a directory that does not exist on a default install. This is Windows DLL redirection: when a directory named <image>.exe.local exists next to an executable, DLLs in that directory take precedence over the normal search path. wermgr.exe is started by Windows Error Reporting (triggered here by running schtasks) and runs as NT AUTHORITY\SYSTEM. So if a privileged directory creation bug lets us create C:\Windows\System32\wermgr.exe.local with a permissive ACL (Everyone: Full Control), we can drop our own comctl32.dll into it and hijack the load. I wrote this PoC to turn such a directory creation primitive into an NT AUTHORITY\SYSTEM shell.
POC.wmv (demonstrating the technique with Backblaze's directory creation bug)
Remark: I've already reported this to Backblaze and they replied that it's a known issue. So I made a video PoC of this dircreate2system PoC for educational purposes.
For testing purposes:
(If you have a directory creation bug via a service vulnerability, you don't need administrator access; the bug creates the directory for you.)
- As an administrator, create the directory C:\Windows\System32\wermgr.exe.local
- Then grant Everyone full control on it:
  cacls C:\Windows\System32\wermgr.exe.local /e /g everyone:f
- Then run dircreate2system.exe from the same directory.
- Enjoy a shell as NT AUTHORITY\SYSTEM.
You can also use other methods; see dir_create2system.txt.
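The condition this PoC abuses is easy to audit for on a host: a <image>.exe.local directory under System32 that a broad principal can write to. The script below is an added example for defenders and is not part of dircreate2system or the original README; it assumes Windows PowerShell 5.1 or later, should be run elevated so every ACL is readable, and uses a hypothetical function name (Get-WritableDotLocal) chosen for this write-up. It enumerates *.exe.local directories under System32, flags the ones that Everyone, Users, Authenticated Users or INTERACTIVE can create files in (the minimum needed to plant a DLL), and lists any DLLs already staged there, such as a planted comctl32.dll.

```powershell
# Added example (not part of dircreate2system): audit System32 for writable
# <image>.exe.local directories. Windows DLL redirection makes the loader
# prefer DLLs inside <image>.exe.local next to the image, so a directory like
# C:\Windows\System32\wermgr.exe.local that a low-privileged user can write to
# lets that user plant a DLL a SYSTEM-launched binary will load.
# Assumes Windows PowerShell 5.1+; run elevated to read every ACL.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Principals any local user can satisfy. A grant to one of these is what the
# "cacls ... /g everyone:f" line in this README sets up.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# CreateFiles (0x2) is the minimum right needed to drop a DLL into the directory.
# FullControl and Modify both include it, so a single bit test covers all of them.
$createFiles = [int64][System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-WritableDotLocal {
    param([string]$Root)

    Get-ChildItem -Path $Root -Directory -Filter '*.exe.local' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName

            # Allow ACEs granting file creation to a broad principal
            $risky = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broadPrincipals -contains $_.IdentityReference.Value -and
                (([int64]$_.FileSystemRights) -band $createFiles) -ne 0
            })

            if ($risky.Count -gt 0) {
                [pscustomobject]@{
                    Directory  = $dir.FullName
                    # The image whose DLL searches are redirected into this directory
                    Target     = Join-Path $Root ($dir.Name -replace '\.local$', '')
                    WritableBy = ($risky | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
                    # DLLs already staged in the redirection directory
                    StagedDlls = (Get-ChildItem -LiteralPath $dir.FullName -Filter '*.dll' -Force -ErrorAction SilentlyContinue | ForEach-Object Name) -join ', '
                }
            }
        }
}

$findings = Get-WritableDotLocal -Root $sys32
if ($findings) {
    $findings | Format-List
} else {
    "No broadly writable *.exe.local directories under $sys32"
}
```

On a clean host the script prints nothing but the "No broadly writable" line; after the cacls step from this README it reports C:\Windows\System32\wermgr.exe.local as writable by Everyone, with Target pointing at wermgr.exe. The same check can be pointed at other directories holding privileged binaries by changing -Root.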