Friday, November 21, 2008

Metasploit Adobe util.printf() Client-side Exploit Video


A little video on using the fileformat mixin to exploit the Adobe util.printf() vulnerability.

Sorry, no audio. You'll just have to follow along.


Metasploit adobe util.printf() client-side exploit from carnal0wnage on Vimeo.

**P.S. Something is jacked on Vimeo and the video is playing 2x too fast. Start the vid, pull the slider back to the beginning and hit play again and it should play at the proper speed. You can also click the link below the video for a bigger view.
CG

15 comments:

Anonymous said...

Very nice video!
Thanks for posting.

Anonymous said...

Hey Chris, release this module/exploit for us!

Nice Video! ;P

CG said...

http://metasploit.com/users/mc/rand/acrobat_js.rb

http://metasploit.com/users/mc/rand/adobe_utilprintf.rb

Anonymous said...

it's too fast! :)

Anonymous said...

Why does this not show up in Metasploit by default?

CG said...

because it's not in the trunk

Anonymous said...

Thanks Chris!!! For releasing the modules! ;)

(ulissescastro.wordpress.com)

Anonymous said...

Chris, I get the following error when I try to load the modules... Do you know why? (Yes, I tried to search a lot before posting here.)

thanks!

Anonymous said...

LOL, sorry I forgot the errors:
/root/.msf3/modules/acrobat_js.rb: undefined method `[]' for nil:NilClass
/root/.msf3/modules/adobe_utilprintf.rb: undefined method `[]' for nil:NilClass

thx! :)

CG said...

have you added the mixin?

what does the error output when you run ./msfconsole say?

and MC wrote the modules not me

SynJunkie said...

Great demo Chris. Thanks for posting.

Syn

Anonymous said...

That was a nice surprise, seeing my PDF template after decoding the hex sequence in acrobat_js.rb! ;-)

I updated the module with a new template. The template is a lot smaller because I removed the objects used to display the text, and removed whitespace I had added for readability. And the module also calculates the XREF index dynamically.

However, I can't post the code here (Blogger thinks it's HTML), but I'll post it on my blog. And I've mailed it to MC.

Anonymous said...

Hi,
nice video.
I tried the exploit from MC/Didier in the way the video explained. But it doesn't work: the PDF opens and crashes, but the handler can't connect to the target. I tried the exploit on a computer with Adobe version 7.x; maybe that is the reason?

Keep up the good work..
greets

CG said...

@rudy

it's for Adobe 8.x, that's probably why it's not working.