RegPwn
CVE-2026-24291 is a local elevation-of-privilege vulnerability in Windows Accessibility Infrastructure, specifically involving ATBroker.exe and the handling of accessibility feature registry settings. The issue is described by Microsoft as an incorrect permission assignment for a critical resource. Reporting on the flaw indicates that Windows stores accessibility configuration in registry keys that are writable by a low-privileged user, and during login or Secure Desktop transitions a SYSTEM process copies those settings into the local machine registry. Because the destination key remains writable and can be manipulated during the copy operation, an attacker can combine modified accessibility settings with an opportunistic lock and a symbolic-link swap to redirect the SYSTEM-context registry write into an arbitrary protected registry location. This yields an arbitrary registry write primitive from a low-privileged account. Public reporting refers to the vulnerability as RegPwn.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a local Windows privilege-escalation proof of concept for CVE-2026-24291. The main project is a Visual Studio C# solution named RegPwn targeting .NET Framework 4.7.2, with the exploit logic concentrated in RegPwn/Program.cs and Win32 interop declarations in RegPwn/WindowsApi.cs. Config.cs stores operator-supplied arguments, and the rest of the project files are standard build metadata plus NuGet references, notably NtApiDotNet for oplock handling. The exploit flow is: parse user arguments specifying a target HKLM registry key/value and replacement data; verify the target value exists; derive the per-session HKLM Accessibility path SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session{ID}\ATConfig\osk using the current token session ID; create an attacker-controlled value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk; launch osk.exe hidden; open C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml and place an exclusive oplock on it; lock the workstation and wait for the oplock to trigger; then delete the HKLM per-session Accessibility key and recreate it as a volatile registry symbolic link pointing to \Registry\Machine\<target HKLM path>. After the privileged write occurs, the code deletes the symlink and checks whether the target HKLM value changed. This gives the operator a way to coerce a privileged component into modifying an arbitrary HKLM registry value. The included services_case/server_demo.cpp is not the exploit itself but a post-exploitation helper/payload example. It implements a Windows service named msiserver that, when run as SYSTEM, duplicates its own token, changes the token SessionId to the active console session, and launches an interactive SYSTEM cmd.exe on the user's desktop. 
This strongly suggests the intended end-to-end use case: use RegPwn to overwrite the Windows Installer service ImagePath to a malicious service binary, then obtain visible SYSTEM code execution. There are no network indicators or remote endpoints in the repository. All observable targets are local Windows files, registry paths, and service names. Overall, this is a real exploit repository with operational code for local registry-hijack-based privilege escalation and a companion service payload demonstrating SYSTEM execution.
RegPwn is a small standalone C#/.NET local Windows exploit project, not part of a larger exploit framework. The repository contains a Visual Studio solution with the main logic in RegPwn/Program.cs, Win32/native API declarations in RegPwn/WindowsApi.cs, simple argument storage in Config.cs, and standard project/build files. It targets a claimed Windows registry/accessibility local privilege escalation condition associated in the README with CVE-2026-24291. Core capability: the tool accepts operator-controlled arguments for a target HKLM registry key, value name, replacement data, and value type. It first reads the existing HKLM value, then determines an ATConfig-related HKLM path, launches osk.exe, writes attacker-controlled data under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\osk, and opens an oplock on oskmenu.xml. Once the oplock is triggered, it deletes the machine ATConfig key and recreates it as a volatile registry symbolic link whose SymbolicLinkValue points to \Registry\Machine\ plus the operator-supplied HKLM path. After the trigger completes, it removes the link and checks whether the chosen HKLM value changed. In effect, the exploit attempts to convert a user-writable accessibility configuration write into a privileged write to an arbitrary HKLM registry location. The code is operational rather than a mere proof-of-concept because it contains the full exploit chain and a practical payload mechanism, but the payload is basic and operator-supplied rather than highly modular. No network communication or C2 behavior is present; the attack vector is purely local. Notable artifacts include use of NtApiDotNet for oplock handling, Win32 registry APIs such as RegCreateKeyExW/RegSetValueExW/RegDeleteKey, NtDeleteKey for cleanup, and LockWorkStation to help drive the accessibility workflow. 
The README includes an example of overwriting the msiserver service ImagePath with C:\Programdata\serivce.exe, illustrating how the primitive could be used to redirect service execution or otherwise tamper with privileged registry-backed configuration.
This repository contains a Windows local privilege-escalation exploit project named RegPwn plus a separate Go payload. It is not part of a larger exploit framework. The top-level README identifies the target as CVE-2026-24291 and describes an obfuscated variant of RegPwn that automatically creates a local administrator account. Repository structure: the RegPwn/ directory is a Visual Studio C# project targeting .NET Framework 4.7.2, with main logic in Program.cs, API interop in WindowsApi.cs, runtime options/state in Config.cs, and string obfuscation in Obf.cs. The Payload/ directory is a standalone Go module whose main.go implements the post-exploitation payload. Additional project files include solution/csproj metadata, package references (NtApiDotNet, dnMerge), and a ConfuserEx project file indicating intent to obfuscate the final binary. Exploit purpose and flow: the C# executable performs a local registry/service abuse chain centered on Windows accessibility components and the msiserver service. In its default no-argument mode, it enables add-user behavior, generates a random username and password, locates payload.exe in the same directory, and prepares a malicious replacement for HKLM\SYSTEM\ControlSet001\Services\msiserver\ImagePath so that the service will execute the payload with the generated credentials as arguments. The code references accessibility registry paths, launches osk.exe, stages HKCU accessibility configuration, opens an oplock on oskmenu.xml, locks the workstation, and manipulates registry keys using both Win32 and NT native APIs. The use of NtApiDotNet and direct ntdll/advapi32 imports suggests an attempt to bypass user-mode security hooks and improve reliability. Capabilities: the main exploit can run in a default automated mode or accept custom registry key/value parameters (--regKey, --regValueName, --regValueData, --regValueType, --adduser). 
Its primary capability is local privilege escalation by redirecting a privileged service execution path to attacker-controlled code. The bundled Go payload then creates a local Windows user via NetUserAdd, adds that user to the local Administrators group via NetLocalGroupAddMembers, logs the credentials to C:\Windows\Temp\regpwn.log, and restores the original msiserver ImagePath (%SystemRoot%\system32\msiexec.exe /V) to reduce obvious persistence artifacts. Notable implementation details: strings for sensitive registry paths and filenames are obfuscated as integer arrays in Obf.cs to avoid plaintext signatures in the compiled binary. WindowsApi.cs exposes numerous low-level APIs for registry deletion/creation, token/session handling, workstation locking, and process creation in the interactive session. The project also includes a Confuser configuration enabling anti-debug, anti-dump, constants protection, and renaming, reinforcing that the repository is intended as a functioning exploit rather than a detector or educational stub. There are no network indicators in the provided code. The observable indicators are local Windows file paths, registry keys, service names, and executable names associated with the privilege-escalation chain and payload execution.
This repository is a compact Brute Ratel C4 Beacon Object File implementation of RegPwn, a local privilege escalation exploit for CVE-2026-24291. It is not a scanner or detection utility; it contains working exploit code in C and build logic for both a BOF object and a standalone Windows test executable. Repository structure is minimal: entry.c contains the exploit logic, bofdefs.h provides BOF-compatible WinAPI imports and standalone mappings, badger_exports.h defines Brute Ratel runtime exports, Makefile builds either the BOF or a test EXE, and README.md documents the vulnerability, target platforms, and usage. Because this is clearly a framework-specific BOF, the main focus is entry.c. The exploit’s purpose is to abuse a registry symlink race condition in the Windows Accessibility ATConfig mechanism to obtain an arbitrary protected HKLM registry write from an unprivileged user context. The code reads the current target value, derives the current session’s ATConfig path, launches osk.exe to trigger the accessibility workflow, stages attacker-controlled data under HKCU, sets up an oplock-based timing primitive, waits for the race window, then creates a registry symlink from the ATConfig location to a native NT path corresponding to the chosen HKLM target. After the race, it performs cleanup and reports the old/new registry values. The default exploitation path targets the Windows Installer service configuration by overwriting the ImagePath value for msiserver. Since that service runs as SYSTEM and can be started by normal users, redirecting ImagePath to an attacker-controlled executable path yields practical privilege escalation. The README example uses C:\JustAnotherPath\badger.exe as the replacement path. 
Notable capabilities visible from the code and documentation include: reading existing HKLM values before modification, computing a session-specific ATConfig registry path, creating registry keys/values, creating registry symlinks, using oplocks via DeviceIoControl for race timing, launching a Windows accessibility binary, and cleaning up registry artifacts afterward. The README also warns that the exploit locks the workstation as part of the race condition. Overall, this is a real, operational local Windows LPE exploit packaged as a Brute Ratel BOF, with a default post-exploitation outcome of SYSTEM code execution through service ImagePath hijacking.
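The four summaries above describe the same chain, so a single defender-side check covers them: an added example, not code from any of the repositories or from Mallory, that audits the artifacts the chain touches (the msiserver ImagePath, write access for low-privileged principals on the per-session ATConfig keys, and the credential log the Go payload writes). It assumes an elevated PowerShell session and reads the ImagePath unexpanded so it can be compared with the default the payload restores.

```powershell
# Read-only audit for RegPwn-style tampering. Run elevated; it changes nothing.
$findings = @()

# 1. Default payload target: the Windows Installer service path. The expected
#    value is the one the Go payload restores. REG_EXPAND_SZ is read unexpanded
#    so the comparison is against the stored string, not the expanded path.
$expectedImagePath = '%SystemRoot%\system32\msiexec.exe /V'
$svcKey = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\msiserver' -ErrorAction Stop
$imagePath = $svcKey.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
if ($imagePath -ne $expectedImagePath) {
    $findings += "msiserver ImagePath is '$imagePath', expected '$expectedImagePath'"
}

# 2. The permission issue itself: do low-privileged principals hold write rights
#    on the Session{ID}\ATConfig keys that the SYSTEM-context copy writes into?
$accRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility'
$lowPriv  = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
              'Everyone', 'NT AUTHORITY\INTERACTIVE')
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete
Get-ChildItem -Path $accRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Session*' } |
    ForEach-Object {
        $acl = Get-Acl -Path $_.PSPath
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $ace.IdentityReference.Value -and
                (($ace.RegistryRights -band $writeMask) -ne 0)) {
                $findings += "$($_.Name): $($ace.IdentityReference) has $($ace.RegistryRights)"
            }
        }
    }

# 3. Artifact left by the bundled Go payload (path taken from the summary above).
if (Test-Path -Path 'C:\Windows\Temp\regpwn.log') {
    $findings += 'C:\Windows\Temp\regpwn.log exists (credential log written by the payload)'
}

if ($findings.Count -eq 0) { 'No RegPwn-related findings.' } else { $findings }
```

A non-default ImagePath is the strongest signal here; a missing Session key is normal when no accessibility tool has run in the current session, so the ACL check only reports keys that actually exist.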
Recent activity
30 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A high-severity Windows local privilege escalation vulnerability involving accessibility feature registry handling that allows low-privileged users to gain SYSTEM access.
A Microsoft vulnerability mentioned as one of several privilege escalation flaws rated 'exploited more likely.'
A Microsoft vulnerability rated as 'exploited more likely' in the March 2026 Patch Tuesday release; the specific technical details are not provided in the content.
A Windows Accessibility Infrastructure local elevation-of-privilege vulnerability flagged as 'Exploitation More Likely' by Microsoft.