Ethical Hacking and Penetration Testing Guide



Date: 07.08.2023

Introduction
Before we actually get into creating a malicious PDF document, we will learn the basics, 
which include the structure of a PDF document and how to use it for performing reconnaissance. So let’s 
begin.
The language of PDF is very descriptive, which gives us a wide attack surface, so 
before jumping into the reconnaissance, let’s first look at the basic structure of a PDF file. 
If you open a PDF document in WordPad or Notepad, you will see the 
following sections:
1. Header
2. Body
3. Cross reference table
4. Trailer


Header
The header, indicated in green, specifies the version of the PDF document, %PDF-1.1 in this case. 
The versions may vary from 1.0 to 1.7.
Body
The body is the part of a PDF document where all the objects, names, etc., are located.
Cross Reference Table
The cross reference table is indicated in purple. It has a highly defined structure and specifies 
where an object is located in a PDF document.
Trailer
The trailer will always begin from %%EOF, as PDFs are always rendered from the bottom up: 
whenever you open a PDF, the reader starts reading it from %%EOF and then jumps to 
locate the line “Start Xref”, which is always followed by a number.
These definitions might look a bit complicated, but once you get into some advanced PDF 
attacks, you will get the hang of them.
PDF Launch Action
PDF launch action is one of the most useful features of a PDF document. With PDF launch 
action, you can actually launch other things along with the PDF. PDF launch action was widely 
abused in older versions of Adobe Reader, where it was used to spread 
malware and botnets such as Zeus.
This discovery was first made by M86 Security researchers. According to them, users would 
receive an e-mail with the subject “Royal mail delivery invoice.”


The e-mail contained an attached PDF that, when downloaded by the users, installed a Zeus 
bot on the victim’s computer.
The following dialog box appeared when the PDF document was opened. On pressing “Ok”, 
the Zeus bot would be installed and executed.
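For triaging a suspicious attachment, the four-part structure and the launch action described above can be checked statically, without opening the file in a reader. The following Python is an added example, not code from the book: the sample bytes, the function names and the `placeholder.bin` value are constructed for illustration, and it goes slightly beyond the text by also decoding `#xx` hex escapes, which can hide a name such as `/Launch` from a plain string search.

```python
import re

def build_sample() -> bytes:
    """Constructed, minimal PDF-like sample with correct xref offsets."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        # Unreferenced action object; /L#61unch is a hex-escaped /Launch
        b"<< /Type /Action /S /L#61unch /F (placeholder.bin) >>",
    ]
    out = bytearray(b"%PDF-1.1\n")               # header
    offsets = []
    for num, body in enumerate(objs, start=1):  # body
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)                           # cross reference table
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objs) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_at  # trailer ends the file
    return bytes(out)

def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes so obfuscated names compare equal to plain ones."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def triage(data: bytes) -> dict:
    m = re.match(rb"%PDF-(\d\.\d)", data)
    report = {"version": m.group(1).decode() if m else None,
              "xref_offset": None, "xref_ok": False}
    # Read from the bottom up: last %%EOF, then the startxref number before it.
    eof = data.rfind(b"%%EOF")
    sx = data.rfind(b"startxref", 0, eof) if eof != -1 else -1
    if sx != -1:
        num = re.match(rb"startxref\s+(\d+)", data[sx:eof])
        if num:
            off = int(num.group(1))
            report["xref_offset"] = off
            # The number must point at the "xref" keyword of the table.
            report["xref_ok"] = data[off:off + 4] == b"xref"
    report["objects"] = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data))
    report["launch"] = bool(re.search(rb"/Launch\b", decode_names(data)))
    report["launch_obfuscated"] = report["launch"] and not re.search(rb"/Launch\b", data)
    return report

if __name__ == "__main__":
    print(triage(build_sample()))
```

Files that use cross-reference streams (PDF 1.5 and later) report `xref_ok` as `False`, because this check covers only the classic table form.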
