In another example, let us focus on the popular PDF document format. The exploit used in this demo was originally written by WebDEVil and can be downloaded from here: ExploitAdobeReader. This is nothing new, but it is a nice example to demonstrate how such an attack could be used in a real-world scenario.
Affected versions of Acrobat Reader are:
In this example we will download version 10.1.4 from OldApps.com and install it in a Windows 7 SP1 64-bit VM.
Next we need to prepare the evil PDF document using the Ruby script from the exploit link above. There is a pretty clear how-to regarding the requirements, so I will just repeat it here:
* Run on Windows :-)
* Ruby 1.9.x (http://rubyforge.org/frs/download.php/76752/rubyinstaller-1.9.3-p385.exe)
* Gems: origami, metasm (in a command prompt type: gem install metasm && gem install origami -v "=1.2.5")
Once set up, grab a sample PDF document and experiment. In the testing VM, open cmd.exe, go to the working directory where the exploit script is, and execute the following to generate the modified PDF:
ruby xfa_MAGIC.rb -i sample.pdf -p payload.exe -o test.pdf
payload.exe is of course our Meterpreter listener generated via the Custom Meterpreter Loader.
Also note that the CVE-2013-0640/1 exploit PDF is flagged by most antivirus vendors by now, but that is not the point here, because this is just a demo. For example, F-Secure detects the PDF as Exploit.PDF-JS.OneOfChild.Gen.
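As an added defensive aside, not part of the original post or the exploit: a small Python triage script that scans raw PDF bytes for the XFA and JavaScript name tokens this class of exploit PDF carries, decoding #xx name escapes so obfuscated keys are still counted. The token list, the verdict rule and the sample document are my own assumptions for the example.

```python
import re

# Name tokens worth a second look in an untrusted PDF. /XFA and /JavaScript
# (/JS) are the ingredients of the exploit PDF discussed above; the rest are
# common auto-execution triggers. Chosen for this example, not an exhaustive list.
SUSPICIOUS_NAMES = [b"/XFA", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]

def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in name tokens, so /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Count risky name tokens in raw PDF bytes and give a coarse verdict.

    Objects packed into /ObjStm streams are compressed and invisible to a
    byte scan, so a clean result on such a file is not conclusive; the
    returned 'has_objstm' flag tells the analyst to inflate streams first.
    """
    text = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at whitespace or a delimiter; the lookahead keeps
        # /JS from matching inside longer names such as /JSX.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_])"
        counts[name.decode()] = len(re.findall(pattern, text))
    has_js = counts["/JavaScript"] + counts["/JS"] > 0
    return {
        "counts": counts,
        "has_objstm": b"/ObjStm" in text,
        # XFA together with JavaScript is the combination seen in this exploit
        # family; an auto-run trigger plus JavaScript is the generic case.
        "flag": (counts["/XFA"] > 0 and has_js)
                or ((counts["/OpenAction"] + counts["/AA"]) > 0 and has_js),
    }

# Constructed sample, not a real exploit document: an XFA form plus a
# hex-escaped /JS key wired to /OpenAction.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /AcroForm 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /XFA [(template) 4 0 R] >> endobj\n"
    b"3 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```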
Here is a video summary of the whole process: