Windows Error Reporting Service Elevation of Privilege

Small standalone Windows local privilege escalation PoC repository with 4 files: a .gitignore, a VS Code settings file, a large helper header (ntalpcapi.h) containing ALPC/LPC structure and API definitions, and the main exploit source (poc.cpp). The exploit is not part of a known framework. The core logic is in poc.cpp. It dynamically resolves NtAlpcConnectPort and NtAlpcSendWaitReceivePort from ntdll.dll, prepares an unnamed shared memory mapping sized for a 260-WCHAR command line, writes attacker-controlled arguments into that mapping, then connects to the local WerSvc ALPC interface. It constructs a packed WERSVC_MSG structure with fields such as MessageFlags=0x50000000, Unknown=1, and FileMapping set to the shared section handle. The message is then sent with NtAlpcSendWaitReceivePort to trigger the WerSvc 'SvcElevatedLaunch' path described in the banner/comments. The stated purpose is exploitation of CVE-2026-20817, a WerSvc elevation-of-privilege issue. The intended capability is low-privileged to SYSTEM escalation by causing WerSvc to launch WerFault.exe with a controlled command line. This is a true exploit PoC rather than a detector: it performs the full ALPC interaction and includes the payload mechanism (controlled command-line injection via shared memory), but it is still relatively narrow and hardcoded, so OPERATIONAL is the best maturity fit rather than WEAPONIZED. No external network infrastructure, URLs, or remote C2 endpoints are present. The attack surface is purely local Windows IPC through ALPC. The most fingerprintable artifacts are the use of ntdll native ALPC APIs, the crafted WERSVC_MSG structure, the shared memory mapping used to pass command-line data, and the targeting of WerSvc/WerFault.exe.

Repository is a small Visual Studio C++ PoC project for CVE-2026-20817 (Windows Error Reporting ALPC EoP). Structure: a VS solution (CVE-2026-20817.sln) and project files (CVE-2026-20817.vcxproj/.filters) building a single console application source file (CVE-2026-20817_PoC.cpp), plus README and AGPL license. Core exploit logic (in CVE-2026-20817_PoC.cpp): defines the WER ALPC port name "\\WindowsErrorReportingService" and crafts a packed WER_ALPC_MESSAGE containing a method field set to 0x0D (SvcElevatedLaunch), the client PID, a shared memory handle, and command-line length. The PoC creates a shared memory region sized ~0x208 bytes to hold an attacker-controlled command line, then (per comments/structure) connects to the WER ALPC port and sends the crafted message to coerce the service into launching WerFault.exe with the supplied command line under SYSTEM. After a delay, it enumerates processes (Toolhelp32 snapshot) to find WerFault.exe and, if accessible, opens its token and prints enabled/disabled privileges as a demonstration. No network IOCs are present; the only fingerprintable targets are the local ALPC port name and the spawned process name. The code is presented as a proof-of-concept rather than a robust weaponized exploit (e.g., limited error handling, demo-style token inspection, and no full post-exploitation workflow).