This attack takes advantage of a vulnerability in Adobe Reader and Acrobat. The official release is here. Adobe has been informed of this vulnerability for well over a month now and has issued a statement that it will release a fix on January 14th. It is a scary thought that this exploit will be live and in the wild for almost 2 months before Adobe decides to fix it. I am making this post in order to make people aware of how such a attack can take place and how easy it is to implement.
So starting out as the attacker the first thing we need to do is craft a .pdf which contains the malicious code that will trigger the vulnerability in Adobe.
As you can see I created a .pdf with a perfectly legit looking name. I also added the Meterpreter “Backdoor” to the file with instructions to connect back to my attacking machine on port 8080 when it is opened. Most firewalls are not configured to inspect out going requests so this is a fairly effective way to bypass any firewall.
The next thing to do is craft a email which we will send to our victim. I mainly choose this method of attack in order to demonstrate how easy it is to send a spoofed email.
So what I have done here is created a official looking email which looks like it came from firstname.lastname@example.org. I didnt spend a ton of time on this but you can belive a real attacker will make this thing look “very” official. This email could be sent to literally thousands of people a hour. This is one of the reasons to keep your databases of emails secure because attackers will use them in this way.
Okay so the last thing we need to do is start our “Listener” . This is the process that will be waiting for the victim computers connection once the malicious .pdf is opened.
You will notice that I started the handler with the same payload, port and ip address which I used when I crafted the .pdf file file. This is a crucial step or the attack will not work.
Ok so now that we are all set, lets take a look at our victim….
There is our email in the victims gmail box. Looks perfectly normal doesn’t it?
Next our victim goes to download the .pdf so he can open it at his convenience later.
Notice how I highlighted in bright red that this computer is running a up to date version of the anti virus avast. The Meterpreter backdoor is not detected by antivirus. Our victim could scan this .pdf with 10 different anti-virus and it would come up clean each time.
Next our poor guy will open the .pdf only to find to his dismay its blank and starts creating some stability issues for Adobe.
Now we could have added some official looking text into this .pdf with real security instructions and stuff but I did not. Once again you can believe an attacker will go through the trouble of making it look very official.
So meanwhile back at the ranch where we have been patiently waiting…….
As soon as our poor victim opened the .pdf file, our backdoor reached out and connected to the attacker machine.
So what did we learn?