Share
## https://sploitus.com/exploit?id=95E69A72-EB26-5446-9471-82B449CCFB45
# RegPwn BOF for Brute Ratel C4

My Brute Ratel C4 BOF reimplementation of port of the [RegPwn](https://github.com/mdsecactivebreach/RegPwn) exploit by **Filip Dragovic** ([@Wh04m1001](https://github.com/Wh04m1001)) / **MDSec ActiveBreach**.

This is a sloppier BRc4 BOF reimplementation of the Flangvik's [CS BOF reimplementation](https://github.com/Flangvik/RegPwnBOF) of the original C# exploit. All credit still goes for the vulnerability research and exploit goes to Filip Dragovic and MDSec.

- **Flangvik's CS BOF reimplementation**: https://github.com/Flangvik/RegPwnBOF
- **Blog post**: https://www.mdsec.co.uk/2026/03/rip-regpwn/
- **Original repo**: https://github.com/mdsecactivebreach/RegPwn
- **CVE**: CVE-2026-24291

## What it does

Exploits a registry symlink race condition in the Windows Accessibility ATConfig mechanism to write arbitrary values to protected HKLM registry keys from a normal user context (Local Privilege Escalation).

Targets Windows 11 25H2/24H2, Windows 10 21H2, and Windows Server 2016/2019/2022 **prior to the March 2026 patch**.

**WARNING**: This exploit locks the workstation as part of the race condition.

## Default target

The `msiserver` (Windows Installer) service `ImagePath`. This service runs as SYSTEM and can be started by normal users.

## Usage

### Brute Ratel C4

```
badger> coffexec c:\maldev\projects\RegPwnBRc4BOF\regpwn.x64.o C:\JustAnotherPath\badger.exe SYSTEM\ControlSet001\Services\msiserver ImagePath
```

## Build

Requires `x86_64-w64-mingw32-gcc` (MinGW-w64 cross compiler).

```
make        # build BOF (regpwn.x64.o)
make test   # build standalone EXE (regpwn.x64.exe)
make clean
```

x64 only.