=======================================================================================================
=======================================================================================================
 Valve Steam Client Application v1559/1559 Local Privilege Escalation (reloaded)
 url: http://www.steampowered.com

 Inspiration: http://www.exploit-db.com/exploits/17459/

 Author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://www.shinnai.altervista.org/

 This was written for educational purposes. Use it at your own risk.
 The author will not be responsible for any damage.

 Tested on:
 Windows XP Professional SP 3
=======================================================================================================
=======================================================================================================

 The whole "Steam" folder has weak permissions (BUILTIN\Users is granted Full control):

 C:\>cacls "C:\Program Files\Steam"
 C:\Program Files\Steam BUILTIN\Users:F <----------- VULNERABLE
                        BUILTIN\Users:(OI)(CI)(IO)F 
                        NT AUTHORITY\SYSTEM:F 
                        NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F 
                        BUILTIN\Users:R 
                        BUILTIN\Users:(OI)(CI)(IO)(accesso speciale:)
                                                  GENERIC_READ
                                                  GENERIC_EXECUTE
 
                        BUILTIN\Power Users:C 
                        BUILTIN\Power Users:(OI)(CI)(IO)C 
                        BUILTIN\Administrators:F 
                        BUILTIN\Administrators:(OI)(CI)(IO)F 
                        NT AUTHORITY\SYSTEM:F 
                        NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F 
                        CREATOR OWNER:(OI)(CI)(IO)F 

 It's interesting to see that this package installs a new service called "Steam Client Service", so:

 C:\>cacls "C:\Program Files\Steam\bin\SteamService.exe"
 C:\Program Files\Steam\bin\SteamService.exe BUILTIN\Users:F <----------- VULNERABLE
                                             NT AUTHORITY\SYSTEM:F 
                                             BUILTIN\Power Users:C 
                                             BUILTIN\Administrators:F

 Unfortunately, this service is set to start manually:

 C:\>sc queryex "Steam Client Service"

 SERVICE_NAME: Steam Client Service
         TYPE               : 10  WIN32_OWN_PROCESS 
         STATE              : 1  STOPPED 
                                 (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
         WIN32_EXIT_CODE    : 1077	(0x435)
         SERVICE_EXIT_CODE  : 0	(0x0)
         CHECKPOINT         : 0x0
         WAIT_HINT          : 0x0
         PID                : 0
         FLAGS              :
 It doesn't matter: the next time someone starts the service, our executable will run with SYSTEM privileges :-)
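 The root cause above is a service binary (and its parent folder) writable by BUILTIN\Users. The following PowerShell script is an added audit example, not part of the original advisory or of Steam, that lists every installed service whose executable or containing directory grants write-capable rights to a low-privileged group. It compares well-known SIDs rather than account names, so it also works on localized systems like the Italian one whose cacls output appears above. Group membership, service names and paths are whatever the machine reports; nothing here is specific to Steam.

```powershell
# Added audit example (not from the original advisory): report Windows services whose
# binary, or the directory containing it, is writable by low-privileged principals.
# Run from an elevated PowerShell prompt so Get-Acl can read every service path.

# Well-known SIDs that must never hold write rights on a service binary.
# Comparing SIDs avoids locale-dependent names ("Users" vs. "Utenti").
$LowPrivSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)

# Any of these rights lets the holder replace, alter or re-ACL the file.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceBinaryPath {
    # Extract the executable path from a service's PathName, which may be quoted,
    # unquoted, and followed by arguments (e.g. '"C:\x\svc.exe" -k' or 'C:\x\svc.exe -k').
    param([string]$PathName)
    if (-not $PathName) { return $null }
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-WeakAces {
    # Return the Allow ACEs on $Path that grant write-capable rights to a low-privileged SID.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($LowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) { $ace }
    }
}

$results = foreach ($svc in Get-CimInstance Win32_Service) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { continue }
    # Check the binary itself and its parent folder: a writable folder lets the
    # file be renamed and replaced even when the file's own ACL is tight.
    foreach ($target in @($bin, (Split-Path -Parent $bin))) {
        foreach ($ace in (Get-WeakAces $target)) {
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode   # a 'Manual' service is still a risk, as the advisory notes
                RunsAs    = $svc.StartName
                Path      = $target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$results | Sort-Object Service, Path | Format-Table -AutoSize
```

 Each row is a service an unprivileged user could hijack the way this advisory describes. Remediation is to remove the offending grant from the binary and its folder (for example with `icacls <path> /remove:g Users`) so that only SYSTEM and Administrators can modify them, then verify with `icacls` or `cacls` that the Users entries are read/execute only.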

 Be safe
