This attack takes advantage of a vulnerability in Adobe Reader and Acrobat. The official release is here. Adobe has known about this vulnerability for well over a month now and has issued a statement that it will release a fix on January 14th. It is a scary thought that this exploit will be live and in the wild for almost two months before Adobe gets around to fixing it. I am making this post to make people aware of how such an attack takes place and how easy it is to carry out.
I will be using the Metasploit Framework and BackTrack Linux to launch this attack.
So, starting out as the attacker, the first thing we need to do is craft a .pdf which contains the malicious code that will trigger the vulnerability in Adobe Reader.
As you can see, I created a .pdf with a perfectly legit-looking name. I also added the Meterpreter payload (the "backdoor") to the file, with instructions to connect back to my attacking machine on port 8080 when the file is opened. This is a reverse connection: the victim's machine makes an outbound connection to the attacker, rather than the attacker connecting in. Most firewalls are not configured to inspect or restrict outgoing connections, so this is a fairly effective way past a perimeter firewall.
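The post's .pdf was generated by Metasploit, and the exploit itself is not reproduced here. The following added example (mine, not the post's and not Metasploit project code) shows the mechanism the delivery relies on: a PDF can carry an /OpenAction that the viewer executes the moment the document is opened, with no click required. The builder attaches a harmless app.alert() where a real document would carry its trigger code; the scanner next to it is the structural check a defender can run on an attachment whatever an antivirus scanner says about it, and it undoes the #xx name-escaping trick (/Open#41ction for /OpenAction) that is used to hide such keywords from naive string matching. All function names, the keyword lists and the sample script are my own choices.

```python
import re
from typing import Optional


def pdf_string(s: str) -> bytes:
    """Encode s as a PDF literal string; backslash and parentheses must be escaped."""
    esc = s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return b"(" + esc.encode("latin-1") + b")"


def build_pdf(js: Optional[str] = None) -> bytes:
    """Return a minimal one-page PDF. With js set, the catalog gets an /OpenAction
    pointing at a JavaScript action, so the viewer runs js as soon as the file is
    opened. That no-click trigger is what a malicious document relies on; here the
    script is whatever harmless string the caller passes, not an exploit."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if js is not None:
        catalog += b" /OpenAction 4 0 R"
    catalog += b" >>"
    objs = [
        catalog,
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if js is not None:
        objs.append(b"<< /Type /Action /S /JavaScript /JS " + pdf_string(js) + b" >>")

    out = bytearray(b"%PDF-1.4\n")
    offsets = []  # byte offset of each object, needed for the xref table
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)
    return bytes(out)


# Keywords a defender looks for: something that fires without a click, and
# something that carries code or launches a program. Lists are my own selection.
AUTO_TRIGGERS = [("OpenAction", rb"/OpenAction\b"), ("AA", rb"/AA\b")]
CODE_CARRIERS = [("JavaScript", rb"/JavaScript\b"), ("JS", rb"/JS\b"),
                 ("Launch", rb"/Launch\b"), ("EmbeddedFile", rb"/EmbeddedFile\b")]


def normalize_names(data: bytes) -> bytes:
    """Undo the #xx hex escape PDF permits inside names (/Open#41ction is the
    same name as /OpenAction), a cheap trick for dodging plain string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count each marker after name normalisation."""
    norm = normalize_names(data)
    hits = {}
    for label, pattern in AUTO_TRIGGERS + CODE_CARRIERS:
        n = len(re.findall(pattern, norm))
        if n:
            hits[label] = n
    return hits


def is_suspicious(data: bytes) -> bool:
    """True when the file both auto-triggers and carries code: open it only in a
    sandbox, whatever a signature scanner says."""
    hits = scan_pdf(data)
    return (any(label in hits for label, _ in AUTO_TRIGGERS)
            and any(label in hits for label, _ in CODE_CARRIERS))


if __name__ == "__main__":
    sample = build_pdf('app.alert("document opened")')  # harmless stand-in script
    with open("sample.pdf", "wb") as fh:
        fh.write(sample)
    print(scan_pdf(sample), "suspicious:", is_suspicious(sample))
```

Open the generated sample.pdf in a viewer with JavaScript enabled and the alert fires before you click anything, which is the whole point of an /OpenAction. The scanner is deliberately simple: real malicious documents usually keep the action dictionary inside a /FlateDecode-compressed stream or an object stream, so a production check has to inflate streams before matching (Didier Stevens' pdfid and pdf-parser do this). Disabling JavaScript in Reader's preferences removes the trigger for this class of document but not for ones that abuse a parser bug directly.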
The next thing to do is craft an email which we will send to our victim. I mainly chose this delivery method to demonstrate how easy it is to send a spoofed email.
So what I have done here is create an official-looking email that appears to come from techsupport@adobe.com. I didn't spend a ton of time on this, but you can believe a real attacker will make it look very official. This email could be sent to literally thousands of people an hour. This is one of the reasons to keep your email databases secure: attackers will use them in exactly this way.
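The From: header of an email is free text that the sender writes; nothing in SMTP itself checks it against who actually connected, which is why the forged techsupport@adobe.com line above costs nothing. Here is an added example, not from the post, of what a receiving mail server can check instead: the envelope sender (recorded as Return-Path) and any Reply-To against the From domain, plus the SPF, DKIM and DMARC verdicts that the receiving server writes into Authentication-Results. Both messages are constructed for the example; the relay names, addresses and IP addresses are placeholders, and the function names are mine.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: a forged message as it would arrive at a receiving MX.
# The From: line claims adobe.com, but the envelope sender and the relay are
# somewhere else, and the MX recorded SPF/DKIM failures.
SPOOFED = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.7) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: Adobe Tech Support <techsupport@adobe.com>
Reply-To: support-desk@example.org
To: victim@example.com
Subject: Important security update for Adobe Reader

Please open the attached document and follow the instructions.
"""

# Constructed sample of a message whose headers and authentication agree.
LEGIT = b"""\
Return-Path: <helpdesk@example.com>
Received: from mail.example.com (198.51.100.5) by mx.example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
From: Help Desk <helpdesk@example.com>
To: victim@example.com
Subject: Password policy reminder

No attachment, no action required.
"""


def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw: bytes) -> list:
    """Return the reasons to distrust the message; an empty list means no finding."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))

    # 1. Envelope sender (SMTP MAIL FROM, kept as Return-Path) vs. header From.
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 2. Reply-To steering replies away from the claimed sender.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Verdicts the receiving server wrote into Authentication-Results.
    auth = str(msg.get("Authentication-Results") or "").lower()
    if not auth:
        findings.append("no Authentication-Results header: SPF/DKIM/DMARC were never evaluated")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=([a-z]+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, spoof_indicators(raw) or "no findings")
```

Two caveats a practitioner should keep in mind. A From/Return-Path mismatch is also normal for mailing lists and some bulk senders, so on its own it is a prompt to look closer rather than a verdict. And a domain owner only gets the spf=fail/dkim=none signal for its name if it has published SPF and DKIM records and a DMARC policy; without those, a receiving server has nothing to check the forged From: against.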
Okay, so the last thing we need to do is start our listener. This is the process that waits for the victim computer's connection once the malicious .pdf is opened.
You will notice that I started the handler with the same payload, port and IP address that I used when I crafted the .pdf file. This is a crucial step: the payload embedded in the .pdf only knows how to call back to that one address and port, and the handler only knows how to talk to that one payload type, so if any of the three differ the attack will not work.
OK, so now that we are all set, let's take a look at our victim.
There is our email in the victim's Gmail inbox. Looks perfectly normal, doesn't it?
Next our victim downloads the .pdf so he can open it at his convenience later.
Notice how I highlighted in bright red that this computer is running an up-to-date version of the Avast antivirus. The Meterpreter payload was not detected by antivirus. Our victim could scan this .pdf with 10 different antivirus products and it would come up clean each time: signature scanners look for byte patterns they have already seen, and a freshly generated payload inside a freshly generated document has none.
Next our poor guy opens the .pdf, only to find to his dismay that it is blank and that Adobe Reader starts to become unstable.
Now, we could have added some official-looking text to this .pdf with real-sounding security instructions and so on, but I did not. Once again, you can believe an attacker will go to the trouble of making it look very official.
So meanwhile, back at the ranch, where we have been patiently waiting...
As soon as our victim opened the .pdf file, the payload reached out and connected back to the attacker machine, and the handler received a Meterpreter session.
That's it!
So what did we learn?
Hi, I'm French and I am a beginner on BackTrack.
Thanks for this article, it's very interesting! :D It also works if the PDF is opened with a browser. If a website has an XSS flaw (and there are a lot!), it could be very dangerous!
You say that we can add text into the PDF. Is it possible with Metasploit? I did not find how.
Bye
Hey, this is a great article but I am having a few problems. First of all, I started the handler like I do when working with a Meterpreter backdoor, and when I open the .pdf on my Windows Vista 64-bit machine, which is running Adobe Reader 8.1, Adobe Reader just crashes and no Meterpreter session is opened. What do you think the problem is? And my other question is the same as Artis's: how do you add text? I am doing pen testing for my grandpa and am going to use this technique to get a backdoor, because I have been teaching my grandparents about social engineering and want to see if they have learned anything. Please email me with an answer at claytoncasey01@yahoo.com.
Thanks for the tutorial
OK, done up to here. Now can you tell me what type of exploitation I can do with that compromised PC, and how? Any link?
Since you got a Meterpreter session you can do almost everything on the victim's machine.
ecsployt posted a nice Meterpreter cheat sheet on the BT forums: http://forums.remote-exploit.org/backtrack-4-howto/28576-another-tut-metasploit-all-my-cheat-notes.html
Have Fun
So once the backdoor is connected to your PC, what are the possibilities?
You can pretty much do whatever you want with a Meterpreter session; however, I do not endorse any unauthorized entry to computers which you do not own.
I want to know how to restore the Adobe Reader file in my email only.
I am not exactly sure what you mean. If you could be a little more specific in your question I may be able to answer it.
I want to know how to stop the scammer sending email to me.