Adobe PDF Vulnerability Exploit: Leveraging Embedded Module to Inject Windows Backdoor

 

1. Experiment Overview

 

1.1 Introduction

 

This experiment illustrates how to exploit an Adobe PDF vulnerability within its embedded module to inject a Windows backdoor. The method involves delivering a PDF file embedded with a backdoor to a Windows host. When the target PDF is opened in Adobe Reader on the host machine, the Windows system becomes compromised.

The absence of a Windows virtual machine in the environment provided by the lab prevents verification of the attack’s effectiveness. Therefore, the experiment is limited to illustrating the backdoor embedding process.

Additionally, there is no need to boot the target machine for this experiment—only a Kali Linux machine is required. The successfully created PDF file will be placed under the /root/ directory on the Kali machine.

Note: Due to the high configuration cost of the cloud-based lab environment, experiment instances are limited to six per user.

1.2 Key Knowledge Points

 

The environment used in this experiment is the Kali Linux operating system. Familiarity with basic Linux commands is essential. Key points covered in this experiment include:

• Basic Linux command-line operations
• Using the MSF console (Metasploit Framework)
• Details about Adobe PDF embedded EXE vulnerability CVE-2010-1240
• How to embed backdoor programs using this vulnerability

1.3 Experiment Environment

 

The lab setup involves two virtual machines: the attacker machine and the target machine.

• Attacker Machine: Kali Linux 2.0 virtual machine, hostname kali, IP address 192.168.122.101, with default credentials root/toor.
• Target Machine: Metasploitable2 virtual machine, hostname target, IP address 192.168.122.102, with default credentials msfadmin/msfadmin.

The experiment takes place in the lab environment. Only the Kali machine is needed to conduct this experiment. Credentials and machine details for the two included VMs are summarized below:

Machine	Hostname	Username	Password
Attacker	Kali Linux 2.0	root	toor
Target	Metasploitable2	msfadmin	msfadmin

2. Environment Setup

 

2.1 Initializing the Lab Environment

 

Open the Xfce terminal on the lab desktop. All subsequent commands should be input into this terminal.

Start by using the virsh list command (with sudo and the --all parameter) to view the list and status of all virtual machines in the environment, including those currently powered off.

Next, use the virsh start command to boot the virtual machines. After starting them, verify their statuses again—the machines should now be in a running state.

Since virtual machine boot times take about four minutes, wait until they are running before proceeding with SSH access to both machines.

Start by connecting to the Kali machine over SSH. Almost all attack operations will be conducted on this system. Use the command ssh root@kali. The username root and password toor will not be displayed when entered. The lab environment has pre-configured the /etc/hosts file to map hostnames to IP addresses for ease of use.

Once the Kali virtual machine is initialized, you’re ready to begin penetration testing.

3. Vulnerability Details

 

3.1 Vulnerability References

 

• CVE-2010-1240
• OSVDB-63667

3.2 Vulnerability Description

 

In Adobe Reader and Acrobat versions prior to 9.3.3 in the 9.x series and 8.2.3 in the 8.x series on Windows and Mac, there are no restrictions on the contents of the Launch File dialog’s embedded text fields. This allows attackers to easily exploit the vulnerability to trick users into executing arbitrary payloads embedded in PDF files. This is a classic example of a social engineering attack tactic.

3.3 Exploit Modules

 

The following exploit modules are available for embedding Metasploit payloads into PDF files:

1. exploit/windows/fileformat/adobe_pdf_embedded_exe: Injects the payload directly into the PDF file.
2. exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs: Uses a non-standard method to inject payloads without JavaScript.

In this experiment, we’ll use the first module. Those interested in the less commonly used second module can investigate its source code for differences:

1. Source code for adobe_pdf_embedded_exe
2. Source code for adobe_pdf_embedded_exe_nojs

4. Exploitation Steps

 

4.1 Launching msfconsole

 

Execute the following command in Kali to launch msfconsole:

# Launch MSF terminal

sudo msfconsole

4.2 Exploit Configuration

 

Use the following workflow within msfconsole. The attack logic is consistent with prior experiments:

1. Use the use command to select an exploit module.
2. Set necessary parameters using the set command.
3. Verify the parameters using show options.
4. Launch the exploit using the exploit command.

Select the exploit script mentioned in section 3.3 using the use command:

msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe

Note: The console prompt will now include adobe_pdf_embedded_exe to indicate the selected module.

Understood. Please provide the specific text or content you’d like me to translate while preserving the HTML structure and formatting.In this experiment, conducted on Kali Linux, we utilize a vulnerability in Adobe Reader that does not validate embedded content. By embedding a backdoor program into a PDF file and prompting users to execute it, we gain access to the target host. Key knowledge points covered include:

• Basic Linux command-line operations
• MSF (Metasploit Framework) workflow in the terminal
• An introduction to the Adobe PDF embedded EXE vulnerability (CVE-2010-1240)
• How to exploit the vulnerability to embed a backdoor