Wargames part 2 delivering payloads through PDFs

In another example, let us focus on popular PDF documents. The exploit used in this demo was originally written by WebDEVil and can be downloaded from here: ExploitAdobeReader. This is nothing new, but it is a nice example to demonstrate how such an attack could be used in a real-world scenario.


Affected versions of Acrobat Reader are:

* 11.0.1
* 11.0.0
* 10.1.5
* 10.1.4
* 10.1.3
* 10.1.2
* 10.1
* 9.5

In this example we will download 10.1.4 from OldApps.com and install it in a Windows 7 SP1 64-bit VM.

Next we need to prepare the evil PDF document using the Ruby script from the exploit link above. There is a pretty clear howto regarding the requirements, so I will just repeat it here:

* Run on Windows :-)
* Ruby 1.9.x (http://rubyforge.org/frs/download.php/76752/rubyinstaller-1.9.3-p385.exe)
* Gems: origami, metasm (in a command prompt, type: gem install metasm && gem install origami -v "=1.2.5")

Once set, grab a sample PDF document and experiment. In the Windows testing VM, open cmd.exe, go to the working directory where the exploit script is, and execute the following to generate the modified PDF:

ruby xfa_MAGIC.rb -i sample.pdf -p payload.exe -o test.pdf

payload.exe is of course our Meterpreter listener generated via Custom Meterpreter Loader.

Also note that the CVE-2013-0640/1 exploit PDF is flagged by most antivirus vendors by now, but that is beside the point here because this is just a demo. For example, F-Secure detects the PDF as Exploit.PDF-JS.OneOfChild.Gen.
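The script name (xfa_MAGIC.rb) and the detection name (Exploit.PDF-JS) point at XFA form data and JavaScript inside the PDF. As an added defender-side example, not part of the original post or of the exploit script, the following triage counts the PDF name tokens tied to those features in a file's raw bytes; the name list, the function names and the sample bytes are assumptions constructed for this example.

```ruby
# Added triage example (not from the original post): count the PDF name
# tokens that tie a document to XFA forms and JavaScript.

# Names to flag; this list is the example's assumption, not an AV signature.
SUSPICIOUS_NAMES = %w[XFA AcroForm JavaScript JS OpenAction AA EmbeddedFile].freeze

# PDF names may hex-escape any character as #xx (e.g. /J#61vaScript).
# Decode the escapes so escaped and plain spellings compare equal.
def normalize_name(raw)
  raw.gsub(/#([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Return { name => count } for the flagged names found in raw PDF bytes.
def triage_pdf(bytes)
  data = bytes.dup.force_encoding(Encoding::BINARY)
  counts = Hash.new(0)
  # A name starts with "/" and runs until whitespace or a PDF delimiter.
  data.scan(/\/([^\s\/\[\]<>(){}%]+)/).flatten.each do |raw|
    name = normalize_name(raw)
    hit = SUSPICIOUS_NAMES.find { |known| known == name }
    counts[hit] += 1 if hit
  end
  counts
end

# An XFA form together with script in one file deserves a closer look.
def needs_review?(counts)
  counts.key?("XFA") && (counts.key?("JavaScript") || counts.key?("JS"))
end

# Constructed sample input: PDF-like text, not a real or working document.
SAMPLE = "%PDF-1.7\n" \
         "1 0 obj\n<< /Type /Catalog /AcroForm 2 0 R /OpenAction 4 0 R >>\nendobj\n" \
         "2 0 obj\n<< /XFA [(template) 3 0 R] >>\nendobj\n" \
         "4 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n" \
         "%%EOF\n"

if __FILE__ == $PROGRAM_NAME
  bytes = ARGV[0] ? File.binread(ARGV[0]) : SAMPLE
  counts = triage_pdf(bytes)
  counts.each { |name, n| puts format("%-14s %d", "/#{name}", n) }
  puts needs_review?(counts) ? "REVIEW: XFA form with JavaScript" : "no XFA+JS combination found"
end
```

A hit is a reason to inspect the file more closely, not a verdict; the scan only covers names visible in the raw bytes.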

Here is a video summary of the whole process


3 Responses to Wargames part 2 delivering payloads through PDFs

  1. Abend says:

    Is there any possibility to bypass the Anti Virus detection (Exploit.PDF-JS.OneOfChild.Gen)?

    • astr0baby says:

      Antivirus detects only the actual exploit code within the PDF, not the payload itself, so I guess you would need to modify the source code of the actual exploit and experiment.

      • Zakaria says:

        Yes, I have the same problem. Can you propose a solution or how to modify the source code and keep the exploit working?

        Thanks
