Friday, November 21, 2008

Metasploit Adobe util.printf() Client-side Exploit Video

A little video on using the fileformat mixin to exploit the Adobe util.printf() vulnerability.

Sorry, no audio. You'll just have to follow along.


Metasploit adobe util.printf() client-side exploit from carnal0wnage on Vimeo.

P.S. Something is jacked on Vimeo and the video is playing 2x too fast. Start the vid, pull the slider back to the beginning and hit play again, and it should play at the proper speed. You can also click the link below the video for a bigger view.

15 comments:

  1. Very nice video!
    Thanks for posting.

  2. Hey Chris, release this module/exploit for us!

    Nice Video! ;P

  3. http://metasploit.com/users/mc/rand/acrobat_js.rb

    http://metasploit.com/users/mc/rand/adobe_utilprintf.rb

  4. Why does this not show up in Metasploit by default?

  5. This comment has been removed by the author.

  6. Thanks Chris!!! To release the modules! ;)

    (ulissescastro.wordpress.com)

  7. Chris, I get the following error when I try to load the modules... You know why? (yes, I try to search a lot before posting here)

    thanks!

  8. LOL, sorry I forgot the errors:
    /root/.msf3/modules/acrobat_js.rb: undefined method `[]' for nil:NilClass
    /root/.msf3/modules/adobe_utilprintf.rb: undefined method `[]' for nil:NilClass

    thx! :)

  9. have you added the mixin?

    what does the error output when you run ./msfconsole say?

    and MC wrote the modules not me

  10. Great demo Chris. Thanks for posting.

    Syn

  11. That was a nice surprise, seeing my PDF template after decoding the hex sequence in acrobat_js.rb! ;-)

    I updated the module with a new template. The template is a lot
    smaller because I removed the objects used to display the text, and
    removed whitespace I had added for readability. And the module also
    calculates the XREF index dynamically.

    However, I can't post the code here (Blogger thinks it's HTML), but I'll post it on my blog. And I've mailed it to MC.

  12. Hi,
    nice video..
    I tried the exploit from MC/Didier in the way the video explained. But it doesn't work; the PDF opens and crashes, but the handler can't connect to the target. I tried the exploit on a computer with Adobe version 7.x; maybe that is the reason?

    Keep up the good work..
    greets

  13. @rudy

    It's for Adobe 8.x, that's probably why it's not working.
