Weaponizing for privileged file writes bugs with windows problem reporting
I've found phoneinfo.dll (which is missing in system32 dir) has been loaded by wermgr.exe (windows problem reporting) when I enable boot logging in Procmon. It mean, phoneinfo.dll is loaded after reboot. Then, I asked to @jonasLyk that can I trigger to load phoneinfo.dll without reboot and he said "yes!". And then, This trigger was happened.
you can also use @it4man's UsoDllLoader as a weapon for privileged file writes bugs and also there's another techniques at here FileWrite2system
- As an administrator, copy
phoneinfo.dlltoC:\Windows\System32\ - Place
Report.werfile andWerTrigger.exein a same directory. - Then, run
WerTrigger.exe. - Enjoy a shell as NT AUTHORITY\SYSTEM.
by @404death
Thanks to: @jonasLyk for giving advice which is without reboot technique