Weaponizing to get NT AUTHORITY\SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting
I found that wermgr.exe, started by Windows Error Reporting when schtasks is run, tries to load comctl32.dll from a directory that does not normally exist: C:\Windows\System32\wermgr.exe.local. If we can create that folder with a Full-control ACL, we can plant our own comctl32.dll there and it will be picked up. Based on that, I wrote this PoC, which turns a directory creation bug into an NT AUTHORITY\SYSTEM shell.
POC.wmv (with backblaze's directory creation bug)
Remark: I already reported this to Backblaze and they replied that it is a known issue. So I made a video PoC for educational purposes using this dircreate2system PoC.
(if you have a directory creation bug via service vulnerabilities, you don't need administrator access)
- As an administrator, create the directory wermgr.exe.local in C:\Windows\System32\
- Then give it a permissive ACL:
  cacls C:\Windows\System32\wermgr.exe.local /e /g everyone:f
- Place spawn.dll and dircreate2system.exe in the same directory.
- Then run dircreate2system.exe.
- Enjoy a shell as NT AUTHORITY\SYSTEM.
Other methods are described in dir_create2system.txt.
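As an added example for defenders (not part of this PoC), the following PowerShell check detects the precondition the technique relies on: a DLL-redirection (*.local) directory under System32 whose ACL grants write rights to low-privileged principals. It uses only built-in cmdlets; the group names in $weakPrincipals are an assumption and can be adjusted.

```powershell
# Added example (not part of the PoC): enumerate DLL-redirection (*.local)
# directories under System32 and report ACEs that grant write access to
# low-privileged principals. A wermgr.exe.local with everyone:f is flagged.
$system32 = Join-Path $env:SystemRoot 'System32'

# Principals that should never hold write rights under System32
# (assumption: extend with environment-specific groups if needed).
$weakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any of these rights lets a caller drop, replace or re-ACL a DLL in the directory.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteDacl -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

Get-ChildItem -LiteralPath $system32 -Directory -Filter '*.local' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Keep only Allow ACEs for weak principals that include a write-type right.
        $weakAces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($weakPrincipals -contains $_.IdentityReference.Value) -and
            (([int]$_.FileSystemRights -band $writeMask) -ne 0)
        }
        # Every *.local directory under System32 is worth a look; a weak ACE
        # means an unprivileged user could hijack that executable's DLLs.
        [pscustomobject]@{
            Directory     = $dir.FullName
            Owner         = $acl.Owner
            WeakWriteACEs = ($weakAces | ForEach-Object {
                                 '{0}:{1}' -f $_.IdentityReference.Value, $_.FileSystemRights
                             }) -join '; '
            Hijackable    = [bool]$weakAces
        }
    }
```

Run it as an administrator so Get-Acl can read the DACL of every matching directory; a non-empty WeakWriteACEs column is the finding to remediate (remove the directory or restore a restrictive ACL).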