Tips for an Information Security Analyst/Pentester career - Ep. 41: Client-side attacks (pt. 2)
PDF exploits
This time we're going to see a different type of client-side attack, performed through PDF files.
I'm gonna explain two different exploits.
a) exploit/windows/fileformat/adobe_utilprintf
This module exploits a buffer overflow vulnerability discovered in older Adobe Reader versions, as we can read in the output of show info (see below).
The options available for this attack are very straightforward and only include the filename, which I left at its default.
We need to set up a payload for this exploit, which will be our familiar Windows reverse shell (view embedded video for more details).
We only have to set up LHOST as our Kali Linux VM's IP address.
Once we launch the exploit, our malicious PDF is created. We're going to copy it to the Web server directory, so we can access it from the victim machine.
We also need to start the Apache server.
Our next step will be to create a handler in order to receive the connection coming back from our victim machine.
As we saw previously, Metasploit contains a special exploit, called multi/handler, for this purpose.
It doesn't contain any options and we only have to attach a payload to it, which will be once again our reverse shell.
I also use two advanced options we analyzed in the previous post, ExitOnSession and PrependMigrate.
When we open the file on the victim machine nothing seems to happen, but almost immediately a Meterpreter session opens on Kali.
I can also easily obtain a privilege escalation with getsystem.
b) exploit/windows/fileformat/adobe_pdf_embedded_exe
This exploit embeds a Metasploit payload within a PDF file, as we can read from show info.
Relevant options include FILENAME, which I chose to change to something a little less self-explanatory, and INFILENAME, the location of a file to use as a template.
The steps to follow in order to exploit our target machine are the same ones illustrated for the previous exploit.
Additionally, by dropping into a Windows shell, I was able to get more information about the user created on the Windows XP machine and also to add a new user.
We can also check the privileges of the user Georgia, which is the user we logged in as, as well as the existing local groups.
We notice that user Georgia is an administrative account, even though we could already successfully obtain a privilege escalation.
In order to cover our tracks, I migrated from Adobe Reader to a different process, because if our PDF file gets closed or the program crashes (which is far from uncommon, especially in older versions), our session would die.
Afterward, I made sure to kill the process, so nothing suspicious stands out.
Wrap-up
PDF is a multiplatform file format, very useful and handy for creating content such as presentations, reports, white papers, etc.
Sadly, though, its advanced features and its Flash and Java support can be exploited to launch several types of attacks falling within the client-side category.
This shows how important it is to constantly update Adobe Reader in order to prevent these potential vulnerabilities from being successfully exploited with impactful outcomes.
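As an added defensive counterpart to the two modules above (this is example code written for this page, not part of the original post or of Metasploit), here is a small triage scanner that flags the PDF features those attacks depend on: embedded file objects, JavaScript, Launch actions and the OpenAction/AA triggers that fire them on open. It also undoes hex-escaped names and inflates FlateDecode streams, two common ways of hiding those keywords from a naive grep. The sample PDF is constructed inline and is not a real malicious file.

```python
import re
import zlib

# Constructed sample PDF (not a real malicious file): an /EmbeddedFile, an /OpenAction,
# a hex-escaped /JavaScript name, and a /Launch action inside a FlateDecode stream.
_HIDDEN = zlib.compress(b"<< /S /Launch >>")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Length 5 >> stream\nhello\nendstream endobj\n"
    b"4 0 obj << /S /#4Aava#53cript /JS (app.alert(1)) >> endobj\n"
    b"5 0 obj << /Filter /FlateDecode /Length " + str(len(_HIDDEN)).encode()
    + b" >> stream\n" + _HIDDEN + b"\nendstream endobj\n"
    b"%%EOF\n"
)

# PDF name objects that embedded-payload and auto-execute tricks depend on.
RISKY_NAMES = [b"/EmbeddedFile", b"/JavaScript", b"/JS", b"/Launch",
               b"/OpenAction", b"/AA", b"/RichMedia"]

def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes inside names (/J#53 -> /JS), a common obfuscation."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream so hidden names get scanned."""
    extra = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\nendstream", data, re.S):
        header = normalize_names(data[max(0, m.start() - 200):m.start()])
        if b"/FlateDecode" in header:
            try:
                extra.append(zlib.decompress(m.group(1)))
            except zlib.error:
                pass  # corrupt or truncated stream: raw names are still counted
    return data + b"\n" + b"\n".join(extra)

def scan_pdf(data: bytes) -> dict:
    """Return {name: count} for every risky name found in raw or inflated content."""
    if not data.startswith(b"%PDF"):
        raise ValueError("missing %PDF header")
    text = normalize_names(inflate_streams(data))
    hits = {}
    for name in RISKY_NAMES:
        # Lookahead stops /JS from also matching a longer name such as /JSX.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if count:
            hits[name.decode()] = count
    return hits
```

A non-empty result is a reason to open the file in a sandbox or strip the objects, not proof of malice, since legitimate forms and portfolios use some of these names too.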